Each December, my familyand I face a new Tetris-like set of decisions to make about what games and gadgets the kids are requesting, what we feel is age-appropriate and what falls within our budget. And increasingly, as more of the devices marketed to our family include embedded cameras, microphones and internet connectivity, we also find ourselves weighing the privacy trade offs for each of the connected toys and devices we are considering bringing into our home. As you can imagine, it’s a real bummer for our kids. When Mom says “no” to adding the latest connected robot to the Christmas list, it feels like just the latest in a long line of roadblocks to fun. “What’s the big deal anyway, Mom?” The big deal, of course, is that our family’s personal data is increasingly collected by default and only protected through considerable effort. In a big data-driven economy where decisions about educational or employment opportunities for our kids can be influenced by social media data or other publicly available digital footprints, there’s a lot at stake. Without strong security protections or the ability to choose privacy settings that allow us to control when a camera is turned on or off, how long data is stored or who can access the data once the device is connected to the internet, the features of many new toys start to look more like bugs.

And although our kids often assume that our sensitivities stem from my professional experience as a researcher who studies privacy, our concerns are hardly unique. In fact, across a wide range of studies, including the most recent survey by the National Cyber Security Alliance (NCSA), both parents and teens consistently rank privacy-related risks among their top online safety concerns. Parents and teens may often have a different threat model in mind (with teens more concerned about creating privacy from the adults in their lives), but the basic idea of wanting control over personal data is the same and can be a helpful starting point for conversations about family members’ shared responsibility for online safety.

Thankfully, during this busy season, there are a variety of resources to turn to when weighing whether or not a gift meets your family’s privacy checklist. In addition to the many excellent tip sheets on the NCSA website (including one devoted entirely to connected home devices), companies like Mozilla have created a holiday buyer’s guide for connected toys and gifts that makes it easy to view basic features at a glance for some of this year’s most popular toys. At the same time, even the most privacy-attentive gift givers can be on the receiving end of gifts from grandparents or friends that may introduce more connectivity or surveillance capabilities than their families are comfortable with. In those instances, when we might worry about offending someone who made a generous gesture, it can be helpful to remember that while gifts can easily be returned, there’s no easy way to return personal data once it’s been shared online.

Facebook just loosened the leash a little on its facial-recognition algorithms. Starting Tuesday, any time someone uploads a photo that includes what Facebook thinks is your face, you’ll be notified even if you weren’t tagged. The new feature rolled out to most of Facebook’s more than 2 billion global users this morning. It applies only to newly posted photos, and only those with privacy settings that make an image visible to you. Facebook users in Canada and the European Union are excluded. The social network doesn’t use facial-recognition technology in those regions, due to wariness from privacy regulators.

Facebook has steadily expanded its use of facial recognition over the years. The company first offered the technology to users in late 2010, with a feature that suggests people to tag in photos. Backlash against the way users were automatically opted into that system is one reason Facebook’s algorithms are face blind in Canada and the EU today. Elsewhere, the company made new efforts to notify users, but left the feature essentially unchanged. In 2015, the company launched a photo-organization app called Moments that uses facial recognition to help you share photos with people in your snaps.

Facebook’s head of privacy, Rob Sherman, positions the new photo-notification feature as giving people more control over their image online. “We’ve thought about this as a really empowering feature,” he says. “There may be photos that exist that you don’t know about.” Informing you of their existence is also good for Facebook: more notifications flying around means more activity from users and more ad impressions. More people tagging themselves in photos adds more data to Facebook’s cache, helping to power the lucrative ad-targeting business that keeps the company afloat.

Once Facebook identifies you in a photo, it will display a notification that leads to a new Photo Review dialog. There you can choose to tag yourself in the image, message the user who posted an image, inform Facebook that the face isn’t you, or report an image for breaching the site’s rules.

As part of the new feature, Facebook will also notify users if someone else attempts to use their photo in a profile; Facebook says it’s trying to make it harder to impersonate other people. The company is also adding facial recognition to its service for visually impaired people that describes photos from friends in text.

How good is Facebook’s facial-recognition technology? Among the best in the world. The hundreds of billions of photos stored on the company’s servers provide ample data to train machine-learning algorithms to distinguish different faces. Nipun Mathur, of Facebook’s applied-machine-learning group declines to provide any figures on the system’s accuracy. He said the system works even if it doesn’t have a full view of your face, although it can’t recognize people in 90-degree profile. In 2015, Facebook’s AI research group published a paper on a system that could recognize people even when their faces are not visible, using other cues such as clothing or body shape. Facebook says nothing from that work is in the new product.

If you don’t like the sound of all that, you may want to take advantage of a revamped privacy control Facebook also launched Tuesday. You could already opt out of Facebook’s facial-recognition-powered photo tag suggestions, but the setting’s description delicately avoided using the term facial recognition. A new version of the setting that allows you to turn off facial recognition altogether does use the phrase, perhaps making it easier for people to understand what they’re already allowing. If you opt-out of facial recognition, Facebook says it will delete the face template used to find you in photos.

Some privacy advocates say the system should require users to opt in, rather than force them to opt out. In 2015, nine organizations walked out of a Department of Commerce process intended to develop a code of conduct for commercial use of facial recognition, including at social-media companies. Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, says corporate refusals to make their technology opt-in was one reason she and others abandoned the process.

Lynch says there’s a lot of interest from retailers in using face recognition to track and target shoppers in stores, an area of business Facebook might conceivably be tempted by. A recently disclosed patent application envisions Facebook deploying face recognition for in-store payments. The social network already works with data brokers to link Facebook users’ online activity and profiles with offline behavior.

A Facebook spokesman said the company has no plans for facial-recognition products beyond the one announced Tuesday, and that the company often patents ideas never put into practice. He didn't answer a query about why Facebook didn't allow users to opt in to facial recognition.

Facebook’s stance on that may be tested in court before long. The company is fighting a suit in federal court brought by a user who says the company’s opt-out approach to facial recognition breaches an Illinois privacy law.

Source: Wired

Nowadays Trojanized Android apps are evolving rapidly in the Google Play store and are continuously targeting users. A new malware strain Trojan.AndroidOS.Loapi consists of modular architecture which is capable of performing multiple attacks. Security researchers from Kaspersky labs discovered the trojan dubbed “Loapi” which can physically damage the phone by downloading a Monero mining module which generates a constant load that damages the battery and phone cover.

How the Malicious files Distributed – Loapi

Loapi has not reached the Play Store. It is distributed through advertising campaigns. It hides behind some Antivirus, adult content apps, researchers found more than 20 sources that distribute Loapi. Users are redirected to the attacker’s malicious website and the file is downloaded from there.

Once installed, it checks for the root permission, but doesn’t use root privileges. The application attempts to get device administrator permissions.

Execution and Self-Protection

If Loapi obtains admin permissions, it performs various activities and won’t allow users to revoke the device manager permissions by using standard and forcing users to uninstall legitimate Antivirus by posing endless stream of popups.

Initially, it downloads the malicious app file and the second stage the DEX payload which sends the device information to the C&C servers, with the third stage the modules are downloaded and initialized.

Modules Installed

Advertisement module: Involved in the progress of aggressive ads displaying. SMS module: used in Sending requests to C&C Web crawling module: used in Hidden Javascript execution Proxy module: HTTP proxy server used to organize DDoS attacks Mining Monero: Used to perform to perform Monero (XMR) cryptocurrency mining

Researchers found Loapi connected with Trojan.AndroidOS.Podec they are having similar techniques with obfuscation, functionality and detecting root permissions for the device.

19 M California Voter Records Held for Ransom in MongoDB Attack. The records were first exposed in an unsecured MongoDB database, continuing a cyber-extortion trend.

Voter registration data for over 19.2 million California residents that was residing on an unsecured MongoDB database has been deleted and held for ransom by attackers, according to researchers at Kromtech, who discovered the incident.

This continues a series of cyber-extortion attacks that exploit the MongoDB database management system. Similar to others, in this instance, the attacker scanned the internet for unsecured MongoDB databases, found the one containing the voter data, wiped the data and left a ransom request for 0.2 Bitcoin (around $3,500 US today), Bleeping Computer reports.

The Kromtech researchers state they have not been able to identify the owner of the database. They "believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository ('cool_db'), but this is only a suspicion."

For specific details on the attack please see here.

Traffic for Google, Apple, Facebook, Microsoft and other tech giants routed through Russia, experts believe it was an intentional BGP Hijacking. Last week a suspicious event routed traffic for major tech companies (i.e. Google, Facebook, Apple, and Microsoft) through a previously unknown Russian Internet provider. The event occurred on Wednesday, researchers who investigated it believe the traffic was intentionally hijacked.

The incident involved the Internet’s Border Gateway Protocol that is used to route traffic among Internet backbones, ISPs, and other large networks.

https://twitter.com/bgpmon/status/940724787311022080

A similar incident occurred eight months when a huge amount of traffic belonging to MasterCard, Visa, and more than two dozen other financial services was briefly routed through a telecom operator controlled by the Russian Government.

“Early this morning (UTC) our systems detected a suspicious event where many prefixes for high profile destinations were being announced by an unused Russian Autonomous System.  Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.” states a  blog post published by Internet monitoring service BGPMon. “Looking at timeline we can see two event windows of about three minutes each. The first one started at 04:43 UTC and ended at around 04:46 UTC. The second event started 07:07 UTC and finished at 07:10 UTC.  Even though these events were relatively short lived, they were significant because it was picked up by a large number of peers and because of several new more specific prefixes that are not normally seen on the Internet. So let’s dig a little deeper. “

BGPMon observed two distinct events for a total of six minutes that affected 80 separate address blocks.

Another monitoring service, Qrator Labs, stated the event lasted for two hours during which the number of hijacked address blocks varied from 40 to 80.

BGPMon experts consider the incident as suspicious for the following reasons:

• The rerouted traffic belonged to big tech companies.
• Hijacked IP addresses belong to small and specific blocks that aren’t’ normally seen on the Internet.

“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent the attract traffic.” continues the analysis from BGPMon.

The BGP hijacking was caused by an autonomous system located in Russia that added entries to BGP tables claiming it was the legitimate origin of the 80 affected prefixes. This assertion caused large amounts of traffic sent to and received by the affected companies to pass through the Russian AS 39523 before being routed to its final destination.

Below the list of ISPs that picked up the new route:

• xx 6939 31133 39523 (path via Hurricane Electric)
• xx 6461 31133 39523 (path via Zayo)
• xx 2603 31133 39523 (path via Nordunet)
• xx 4637 31133 39523 (path via Telstra)

AS39523 is a previously unused autonomous system that hasn’t been active in years, but he made the headlines in August when it was involved in another BGP incident that involved Google.

“Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers. ” concluded BGPMon.

“This hijack highlights a common problem that arises due to lack of route filtering. We can blame AS39523 for the accident, but without proper filters at the intermediate transit providers boundaries we are doomed to see similar incidents again and again. We’d like to encourage all networks involved in this incident to review their route filtering strategy, and at the very least implement prefix-based BGP filters on all interconnections towards their customers.” concluded Qrator Labs.