On Friday, America's Cybersecurity and Infrastructure Security Agency revealed that the "threat actor" behind the massive breach of U.S. networks through compromised SolarWinds software also used password guessing and password spraying attacks, according to ZDNet.

And they may still be breaching federal networks, reports GCN: "Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," according to updated guidance published Jan 6. "CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs)." SAML tokens having a 24-hour validity period or not containing multi-factor authentication details where expected are examples of these red flags.

As more about the SolarWinds Orion breach has surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove hackers from the government's networks because their access is probably no longer predicated on flaws in SolarWinds Orion, an IT management software. CISA's new guidance appears to confirm that suspicion, stating Microsoft, which is helping the federal government investigate the hack, reported the hackers are tampering with the trust protocols in Azure/Microsoft 365.

"Microsoft reported that the actor has added new federation trusts to existing on premises infrastructure," according to the agency's guidance. "Where this technique is used, it is possible that authentication can occur outside of an organization's known infrastructure and may not be visible to the legitimate system owner." In cases where administrative level credentials were compromised, organizations should conduct a "full reconstruction of identity and trust services," CISA said.

Microsoft published a query to help identify this type of activity.

Writing in the Atlantic, programmer/economics commentator Steve Randy Waldman explains "Why I changed my mind" about the Communication Decency Act's Section 230: In the United States, you are free to speak, but you are not free of responsibility for what you say. If your speech is defamatory, you can be sued. If you are a publisher, you can be sued for the speech you pass along. But online services such as Facebook and Twitter can pass along almost anything, with almost no legal accountability, thanks to a law known as Section 230.

President Donald Trump has been pressuring Congress to repeal the law, which he blames for allowing Twitter to put warning labels on his tweets. But the real problem with Section 230, which I used to strongly support, is the kind of internet it has enabled. The law lets large sites benefit from network effects (I'm on Facebook because my friends are on Facebook) while shifting the costs of scale, like shoddy moderation and homogenized communities, to users and society at large. That's a bad deal. Congress should revise Section 230 — just not for the reasons the president and his supporters have identified.

When the law was enacted in 1996, the possibility that monopolies could emerge on the internet seemed ludicrous. But the facts have changed, and now so must our minds... By creating the conditions under which we are all herded into the same virtual space, Section 230 helped turn the internet into a conformity machine. We regulate one another's speech through shame or abuse, but we have nowhere to go where our own expression might be more tolerable. And while Section 230 immunizes providers from legal liability, it turns those providers into agents of such concentrated influence that they are objects of constant political concern. When the Facebook founder Mark Zuckerberg and the Twitter founder Jack Dorsey are routinely (and justifiably!) browbeaten before Congress, it's hard to claim that Section 230 has insulated the public sphere from government interference...

If made liable for posts flagged as defamatory or unlawful, mass-market platforms including Facebook and Twitter would likely switch to a policy of taking down those posts automatically.... Vigorous argument and provocative content would migrate to sites where people take responsibility for their own speech, or to forums whose operators devote attention and judgment to the conversations they host. The result would be a higher-quality, less consolidated, and ultimately freer public square.

"Both local police and the FBI are seeking information about individuals who were 'actively instigating violence' in Washington, DC, on January 6," writes Ars Technica.

Then they speculate on which tools will be used to find them: While media organizations took thousands of photos police can use, they also have more advanced technologies at their disposal to identify participants, following what several other agencies have done in recent months... In November, The Washington Post reported that investigators from 14 local and federal agencies in the DC area have used a powerful facial recognition system more than 12,000 times since 2019.

Neither would an agency need actual photos or footage to track down any mob participant who was carrying a mobile phone. Law enforcement agencies have also developed a habit in recent years of using so-called geofence warrants to compel companies such as Google to provide lists of all mobile devices that appeared within a certain geographic area during a given time frame...

With all of that said, however, the DC Metropolitan Police and the FBI will probably need to look no further than a cursory Google search to identify many of the leaders of Wednesday's insurrection, as many of them took to social media both before and after the event to brag about it in detail. In short: you don't need fancy facial recognition tools to identify people who livestream their crimes.
Friday the Washington Post also cited "the countless hours of video — much of it taken by the rioters themselves and uploaded to social media" as a useful input for facial recognition software.

But in addition, they note that "The Capitol, more than most buildings, has a vast cellular and wireless data infrastructure of its own to make communications efficient in a building made largely of stone and that extends deep underground and has pockets of shielded areas. Such infrastructure, such as individual cell towers, can turn any connected phone into its own tracking device.

"Phone records make determining the owners of these devices trivially easy..."

A laptop was stolen from the office of U.S. House of Representatives Speaker Nancy Pelosi during the storming of the U.S. Capitol on Wednesday, one of her aides said on Friday. From a report: Drew Hammill, an aide to Democrat Pelosi, said on Twitter that the laptop belonged to a conference room and was used for presentations. He declined to offer further details. The theft of electronic devices from congressional offices has been a persistent worry following the invasion by pro-Trump followers. They were encouraged by Republican President Donald Trump at a rally beforehand to march to the Capitol while Congress was certifying Democrat Joe Biden's Nov. 3 election win. Senator Jeff Merkley, a Democrat, said on Twitter on Thursday that a laptop was taken from his office.

An anonymous reader quotes a report from Krebs On Security: The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S. Courts. The judicial branch agency said it will be deploying more stringent controls for receiving and storing sensitive documents filed with the federal courts, following a discovery that its own systems were compromised as part of the SolarWinds supply chain attack. That intrusion involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software as far back as March 2020.

"The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary's Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings," the agency said in a statement published Jan. 6. "An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation," the statement continues. "Due to the nature of the attacks, the review of this matter and its impact is ongoing."

The AO declined to comment on specific questions about their breach disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court document system was "hit hard," by the SolarWinds attackers, which multiple U.S. intelligence and law enforcement agencies have attributed as "likely Russian in origin." The source said the intruders behind the SolarWinds compromise seeded the AO's network with a second stage "Teardrop" malware that went beyond the "Sunburst" malicious software update that was opportunistically pushed out to all 18,000 customers using the compromised Orion software. This suggests the attackers were targeting the agency for deeper access to its networks and communications. The report notes that AO's court document system "may contain highly sensitive information, including intellectual property and trade secrets, or even the identities of confidential informants."

While it doesn't hold documents that are classified for national security reasons, "the system is full of sensitive sealed filings -- such as subpoenas for email records and so-called 'trap and trace' requests that law enforcement officials use to determine with whom a suspect is communicating via phone, when and for how long."

phalse phace shares a report from The Wall Street Journal: Boeing Co. will pay $2.5 billion to resolve a Justice Department investigation and admit employees misled aviation about safety issues linked to two deadly crashes of its 737 MAX jet, U.S. authorities said. Federal prosecutors had been investigating the role of two Boeing employees who interacted with the Federal Aviation Administration about the design of the 737 MAX and how much pilot training would be required for the new model.

The settlement includes a $243 million fine as well as $2.2 billion in compensation to airline customers and families of the 346 people who perished in two MAX crashes. The plane maker was charged with one count of conspiracy to defraud the U.S., but will avoid prosecution on that charge as long as it avoids legal trouble for a period of three years. The deal also calls for Boeing to comply with any ongoing investigations, including probes by foreign law-enforcement and regulatory authorities, and to beef up compliance programs, according to its agreement with prosecutors.

Japan's NEC Corp. says face marks aren't an obstacle to its facial recognition tech. Mashable reports: The Japanese company claims its new facial recognition system can identify people with face masks in less than one second, with an accuracy rate higher than 99.9 percent. The system works by closely examining the parts of a person's face not covered by a mask, such as the eyes and surrounding areas. It does require the person to submit a photo in advance, though.

The idea is for the system to be used at security checkpoints in office buildings, airports, etc., so mask-wearers can go through without removing their masks. NEC is also testing the technology out for automated payments at an unmanned convenience store in the company's headquarters in Tokyo. The company has sold the system to Lufthansa and Swiss International Airlines.

Shopify has removed stores affiliated with President Trump from its platform, citing a violation of its policies that prohibit users from promoting or supporting organizations that foment violence. CNET reports: "Shopify does not tolerate actions that incite violence," a spokesperson said in a statement. "Based on recent events, we have determined that the actions by President Donald J. Trump violate our Acceptable Use Policy, which prohibits promotion or support of organizations, platforms or people that threaten or condone violence to further a cause." Earlier today, Facebook blocked Trump's account indefinitely.

Twitter, Snapchat, and Twitch also disabled Trump's accounts.

Chinese internet companies have been violating customers' rights by misusing personal data and "bullying" people into purchases and promotions, a government-backed consumer association said on Thursday. From a report: The statement from the China Consumers Association (CCA) did not name any companies, but comes as Beijing has ramped up scrutiny of technology giants, reversing a once laissez-faire approach towards its vast internet space. "Consumers are being squeezed by data algorithms and becoming the targets of technical bullying," the association said. Companies must stop using systems to scan through consumers' personal data and offer them different prices for goods based on that information, the association said. Algorithms that checked people's internet use and other data, then sent them targeted ads and promotions, deprived customers of choice, it added. Some of the products and services promoted by these automated systems "violated the law and public order and good customs" it said, without going into further detail. Consumers' "values and moral concepts may even be distorted by algorithms and become 'playthings' in the hands of platform operators," the CCA's statement said.

An anonymous reader quotes a report from ZDNet: President-elect Joe Biden's transition team announced that David Recordon, one of OpenId and oAuth's developers, has been named the White House Director of Technology. Recordon most recently was the VP of infrastructure and security at the non-profit Chan Zuckerberg Initiative Foundation. Before that, Recordon was Facebook's engineer director. There, he had led Facebook's open-source initiatives and projects. Among other programs, this included Phabricator, a suite of code review web apps, which Facebook used for its own development. He also led efforts on Cassandra, the Apache open-source distributed database management system; HipHop, a PHP to C++ source code translator; and Apache Thrift, a software framework, for scalable cross-language services development. In short, he's both a programmer and manager who knows open-source from the inside out.

Recordon learned to program at a public elementary school. According to the Biden-Harris transition team, he's spent his almost two-decade career working at the intersection of technology, security, open-source software, public service, and philanthropy. Looking forward to the challenges Recordon faces in his new position, he wrote on LinkedIn: "The pandemic and ongoing cybersecurity attacks present new challenges for the entire Executive Office of the President, but ones I know that these teams can conquer in a safe and secure manner together." The report notes that Recordon served as the first Director of White House Information Technology during President Barack Obama's term of office, working on IT modernization and cybersecurity issues. He's also served as the Biden-Harris transition team's deputy CTO.

WhatsApp's latest terms and privacy policy allows the popular messaging app to share a significant amount of user data with Facebook. From a report: WhatsApp users are today receiving an in-app notice informing them about the app's updated terms of service and privacy policy. The notice gives an overview of the main three updates, covering how WhatsApp processes user data, how businesses can use Facebook-hosted services to store and manage their WhatsApp chats, and how WhatsApp will soon partner with Facebook to offer deeper integrations across all of the parent company's products. The changes, which are set to take effect on February 8, 2021, are mandatory and users will not be able to continue using WhatsApp unless they accept the terms.

Telegram has no plans to fix a vulnerability that makes it easy for hackers to find your precise location. The problem stems from a feature called People Nearby, which is disabled by default, but allows users who are geographically close to you to connect. Ars Technica reports: Independent researcher Ahmed Hassan, however, has shown how the feature can be abused to divulge exactly where you are. Using readily available software and a rooted Android device, he's able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user's precise location. Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams.

Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams. A proof-of-concept video the researcher sent to Telegram showed how he could discern the address of a People Nearby user when he used a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user's precise location was where all three intersected.

In a blog post, Hassan included an email from Telegram in response to the report he had sent them. It noted that People Nearby isn't enabled by default and that "it's expected that determining the exact location is possible under certain conditions." People Nearby poses the biggest threat to people using Android devices, since they report a user's location with enough granularity to make Hassan's attack work. The recently released iOS 14, by contrast, allows users to divulge only a rough approximation of their location. People who use this feature aren't as exposed. Fixing the problem -- or at least making it much harder to exploit it -- wouldn't be hard from a technical perspective. Rounding locations to the nearest mile and adding some random bits generally suffices. When the Tinder app had a similar disclosure vulnerability, developers used this kind of technique to fix it.

Top national security agencies in a rare joint statement Tuesday confirmed that Russia was likely responsible for a massive hack of U.S. government departments and corporations, rejecting President Donald Trump's claim that China might be to blame. The Associated Press reports: The statement represented the U.S. government's first formal attempt to assign responsibility for the breaches at multiple agencies and to assign a possible motive for the operation. It said the hacks appeared to be part of an "intelligence-gathering," suggesting the evidence so far pointed to a Russian spying effort rather than an attempt to damage or disrupt U.S. government operations. "This is a serious compromise that will require a sustained and dedicated effort to remediate," said the statement, distributed by a cyber working group comprised of the FBI and other investigative agencies. Russia has denied involvement in the hack.

Last July, GitHub prevented users in Iran and several other nations from accessing portions of the service due to U.S. sanction laws. Today, the world's largest host of source code announced that it has secured a license from the U.S. government to operate in Iran. It's also working to secure similar licenses for developers in Crimea and Syria as well. MSPoweruser reports: "Over the course of two years, we were able to demonstrate how developer use of GitHub advances human progress, international communication, and the enduring U.S. foreign policy of promoting free speech and the free flow of information. We are grateful to OFAC for the engagement which has led to this great result for developers. We are in the process of rolling back all restrictions on developers in Iran, and reinstating full access to affected accounts," wrote Nat Friedman, CEO of GitHub. GitHub is also working with the U.S. government to secure similar licenses for developers in Crimea and Syria as well.

An anonymous reader quotes a report from Torrent Freak: On December 21, 2020, Elsevier, Wiley, and American Chemical Society, filed a lawsuit hoping to have the court compel Indian ISPs to block both Sci-Hub and Libgen. Accusing the platforms of blatantly infringing their rights on a massive scale, the publishers said that due to the defiant nature of the platforms, ISP blocking is the only effective solution to hand. The massive complaint, which runs to 2,169 pages, was received by Sci-Hub with little time to review its contents. This not-insignificant issue was quickly pointed out to the Court, with counsel for Sci-Hub asking for an extension. After Sci-Hub assured the Court (pdf) that "no new articles or publications, in which the plaintiffs have copyright" would be uploaded to the site in advance of the next hearing, more time was granted to respond.

The case is set for a hearing tomorrow but in advance of that, interested parties are attempting to put the government under pressure to intervene by preventing a blockade that, according to them, would cause damage to education and society in India. Speaking on behalf of thousands of scientists, academics, teachers and students, the Breakthrough Science Society (BSS) is expressing dismay at the publishers' efforts to prevent the "free flow of information" between those who produce it and those who seek it. [...] Instead of demonizing Sci-Hub founder Alexandra Elbakyan, the group describes her work as an effective solution to make research papers available to all for the benefit of humanity. As a result, the Breakthrough Science Society says it actually supports the work of Sci-Hub and Libgen, arguing that their work is not illegal and should continue unhindered.

In an effort to pressure the Indian government to intervene on behalf of the people, the Breakthrough Science Society has launched a petition, calling on everyone from scientists and academics to teachers and students, to declare that knowledge should be accessible to all, not just those who can afford to pay the publishers' rates. Dr. Ashwani Mahajan, an Associate Professor at the University of Delhi, who among other things describes himself as a policy interventionist, says that if the ISPs are compelled to block Sci-Hub and Libgen, Indian researchers' access to information will be seriously undermined. While acknowledging that the government spends large sums of money to subscribe to journals, Mahajan says that researchers and students are heavily reliant on Sci-Hub and Libgen for information that the publishing industry itself does not pay for.

Not a single one of Google's iOS apps have been updated in almost a month -- an unusually long period for a tech behemoth not to release, at the very least, even a minor bug fix or stability update for one of its dozens of insanely popular iPhone and iPad apps. From a report: And after reviewing the latest release dates for all of Google's iOS apps, one reason for this lack of updates seems more likely than others: It could be related to Apple's new App Store privacy labels. The last time any Google iOS app was updated was on December 7. This includes updates to major Google apps like Google Drive, YouTube, Google Docs, Google Sheets, YouTube Music, Google Duo, Google Authenticator, and Gboard. Why is December 7 a significant date? Because starting on December 8, Apple mandated that any new apps or app updates submitted to the App Store would require the developer to fill out the privacy label information for the app it was submitting. This privacy label reveals exactly what data the app is collecting about the user and how that user data is being used. The label can then be viewed on an app's App Store listing page. The feature is part of Apple's push to make developers be more transparent in the ways they collect and use user data, so users can make more informed choices about the apps they choose to download.

An anonymous reader quotes a report from CoinDesk: Ukraine's government has chosen the Stellar blockchain network as a platform to build a central bank digital currency (CBDC). Announced Monday, the Ministry of Digital Transformation of Ukraine and the Stellar Development Foundation (SDF) signed a Memorandum of Understanding to build out a "virtual assets ecosystem and national digital currency of Ukraine." The National Bank of Ukraine has been researching the possibility of CBDC implementation since 2017, and the Stellar partnership will now be the basis of its virtual currency development, according to Digital Transformation and IT Deputy Minister Oleksandr Bornyakov.

"The Ministry of Digital Transformation is working on creating the legal environment for the development of virtual assets in Ukraine," Bornyakov said in a statement. "We believe our cooperation with the Stellar Development Foundation will contribute to development of the virtual asset industry and its integration into the global financial ecosystem." Stellar Development Foundation CEO Denelle Dixon said the partnership with Ukraine's government and other stakeholders to digitize the hryvnia will officially launch this month. "We've been in conversations with governments and institutions all over the world about the key considerations for issuing CBDCs. It's important to remember many, if not all, of these organizations weren't designed to be technology companies and that they have many audiences that they are supporting," Dixon said via an email. "That makes a public-private partnership so essential to getting this right."

An anonymous reader quotes a report from ZDNet: Singapore has confirmed its law enforcers will be able to access the country's COVID-19 contact tracing data to aid in their criminal investigations. To date, more than 4.2 million residents or 78% of the local population have adopted the TraceTogether contact tracing app and wearable token, which is one of the world's highest penetration rates. [...] In its efforts to ease privacy concerns, the Singapore government had stressed repeatedly that COVID-19 data would "never be accessed unless the user tests positive" for the virus and was contacted by the contact tracing team. Personal data such as unique identification number and mobile number also would be substituted by a random permanent ID and stored on a secured server.

However, the Singapore government now has confirmed local law enforcement will be able to access the data for criminal investigations. Under the Criminal Procedure Code, the Singapore Police Force can obtain any data and this includes TraceTogether data, according to Minister of State for Home Affairs, Desmond Tan. He was responding to a question posed during parliament Monday on whether the TraceTogether data would be used for criminal probes and the safeguards governing the use of such data. Tan said the Singapore government was the "custodian" of the contact tracing data and "stringent measures" had been established to safeguard the personal data. "Examples of these measures include only allowing authorized officers to access the data, using such data only for authorized purposes, and storing the data on a secured data platform," he said. He added that public officers who knowingly disclose the data without authorization or misuse the data may be fined up to SG$5,000 or jailed up to two years, or both.

Asked if police use of the data violated the TraceTogether privacy pledge, Tan said: "We do not preclude the use of TraceTogether data in circumstances where citizens' safety and security is or has been affected, and this applies to all other data as well." He noted that "authorized police officers" may invoke the Criminal Procedure Code to access TraceTogether data for such purposes as well as for criminal investigation, but this data would, otherwise, be used only for contact tracing and to combat the spread of COVID-19.

Wikileaks founder Julian Assange cannot be extradited to the United States, a court in London has ruled. The BBC reports: The judge blocked the request because of concerns over Mr Assange's mental health and risk of suicide in the U.S. Mr Assange, who is wanted over the publication of thousands of classified documents in 2010 and 2011, says the case is politically motivated. Expressing disappointment at the ruling, the U.S. justice department noted that its legal arguments had prevailed. Its position is that the leaks broke the law and endangered lives.

"While we are extremely disappointed in the court's ultimate decision, we are gratified that the United States prevailed on every point of law raised," the justice department said. The U.S. authorities have 14 days in which to lodge an appeal and are expected to do so. Mr Assange will now be taken back to Belmarsh Prison -- where he is being held -- and a full application for his bail will be made on Wednesday. His lawyer Ed Fitzgerald QC told the court there would be evidence to show Mr Assange would not abscond. [...]

If convicted in the U.S., Mr Assange faces a possible penalty of up to 175 years in jail, his lawyers have said. However the U.S. government said the sentence was more likely to be between four and six years. Mr Assange faces an 18-count indictment from the U.S. government, accusing him of conspiring to hack into U.S. military databases to acquire sensitive secret information relating to the Afghanistan and Iraq wars, which was then published on the Wikileaks website. He says the information exposed abuses by the U.S. military. But U.S. prosecutors say the leaks of classified material endangered lives, and so the U.S. sought his extradition from the UK.

CNET reveals 2020's most popular show among video pirates: It probably won't come as a surprise that Disney Plus smash hit series The Mandalorian has won the (unfortunate) title of most-pirated TV show of 2020 — using popular torrenting site BitTorrent. According to analysis from TorrentFreak (via IndieWire), Game of Thrones was the most-pirated TV show seven years running. But the HBO series ended in 2019, leaving The Mandalorian to improve its ranking from third to No. 1.
The rest of the list, from IndieWire: Prime Video's irreverent superhero series "The Boys" is at number two, HBO's "Westworld" is number three, Prime Video's "Vikings" is number four, CBS' "Star Trek: Picard" is five, followed by Adult Swim's "Rick and Morty," AMC's "The Walking Dead," HBO's "The Outsider," CW's "The Arrow," and CW's "The Flash."