Science/Techno Babble Random, Random

All the other crazy stuff we talk about. Politics, Science, News, the Kitchen, other hobbies.
ti-amie United States of America
Posts: 22996
Joined: Wed Dec 09, 2020 4:44 pm
Location: The Boogie Down, NY
Has thanked: 5304 times
Been thanked: 3292 times

Re: Science/Techno Babble Random, Random

#136

Post by ti-amie »




This Agency’s Computers Hold Secrets. Hackers Got In With One Password.
Hackers used one worker’s login information to penetrate the Law Department’s network after officials failed to implement a simple security measure.

By Ashley Southall, Benjamin Weiser and Dana Rubinstein
Published June 18, 2021
Updated July 9, 2021, 12:58 p.m. ET

New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, plaintiffs’ medical records and personal data for thousands of city employees.

But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network early this month was one worker’s pilfered email password, according to a city official briefed on the matter.

Officials have not said how the intruder obtained the worker’s credentials, nor have they determined the scope of the attack. But the hack was enabled by the Law Department’s failure to implement a basic safeguard, known as multifactor authentication, more than two years after the city began requiring it, according to four people with knowledge of the legal agency’s system and the incident.

(...)

The mayor’s warning to the agency heads comes 10 days after the city’s Cyber Command, created by Mr. de Blasio in 2017 to defend the city’s computer networks, detected unusual activity on the Law Department’s computer system.

The next afternoon, June 6, city officials have said, they removed the department’s computers from the city’s larger network. Many remain disconnected.

Mr. de Blasio, in public appearances last week, said that the hack was under investigation by the New York Police Department’s intelligence bureau and the F.B.I.’s cyber task force. He said officials were not aware of a ransom demand being made or of any information being compromised.

Officials also said there was no evidence that the attack had damaged the city’s computer systems, though the investigation was still in an early stage. Investigators are still trying to determine the identity of the perpetrator and the motive.

“We’ve identified the malware — we have seen it before,” John Miller, the Police Department’s deputy commissioner for intelligence and counterterrorism, said at a news conference.

“Is it someone looking to corral information, export it and then do a ransomware attack?” Mr. Miller said. “Is it another kind of actor looking to gather information for other strategic purposes?” Both were possibilities, Mr. Miller added.

A City Hall spokeswoman and a spokesman for the Law Department both declined to comment on Thursday.

Multifactor authentication, a measure familiar to many who work on computers at home and at the office, requires users logging into sensitive accounts to take at least one additional step to verify their identities, like entering a temporary numerical code sent to a user’s cellphone.

The tool has been widely adopted in recent years, cybersecurity experts say, as hackers increasingly target government, business, hospitals and infrastructure using stolen passwords and other credentials. This allows them to penetrate computer systems to disrupt operations or steal data, which can be used to demand a ransom.

A directive issued by New York’s Cyber Command in April 2019 required all city agencies to use multifactor authentication for access to restricted or sensitive information, according to a copy of the document obtained by The New York Times.

Geoff Brown, head of Cyber Command and New York’s chief information security officer, acknowledged at a news conference last week that the city had issued such a directive, but he refused to answer a question about whether the Law Department used the tool.

“At this time answering questions about the protection of city systems could give the attacker insight” into the city’s internet technology or the ongoing investigation, Mr. Brown said.

The Law Department’s servers ran on Microsoft software released in 2003, which the company stopped providing critical security updates for in 2015.

The failure to update software makes municipal systems a ripe target for hackers who simply scan the internet for unpatched software and exploit it. The Florida water treatment plant hacked last February also used a decade-old version of Microsoft Windows that had not been updated in years.

In his phone call on Tuesday with city agency heads, Mr. de Blasio cited multifactor authentication and up-to-date software as priorities that needed to be addressed immediately, according to the officials who participated in the call.

Katharine Rosenfeld, a lawyer who in one case represented a pregnant woman who sued the city after being handcuffed while she was in labor, said the security lapses revealed the Law Department was “scarily sloppy” in its handling of confidential information.

“Think of all the medical records that we give them of our clients, mental health treatment, settlement negotiations,” Ms. Rosenfeld said. “It just makes me very worried.”

The disabling of the Law Department's computer system after the attack has had an impact that has rippled through New York courts, slowing cases and forcing city lawyers to ask for extensions on deadlines.

(...)

In federal court in Manhattan, the attack fueled a dispute in a set of high-profile lawsuits accusing the Police Department of using excessive force and making unjustified mass arrests during the demonstrations in New York last year after the murder of George Floyd by a Minneapolis police officer.

Plaintiffs’ lawyers have complained that the Law Department, citing the hack, has refused to say when it will turn over critical documents that the lawyers say they need to investigate what they have called the city’s “brutal response” to the large-scale protests.

The Law Department has accused the plaintiffs’ lawyers of using the hack to “engage in gamesmanship” and of suddenly deciding that “now is a good time to inundate defendants with a barrage” of new document requests, a city lawyer, Dara L. Weiss, wrote to the court last week.

Ms. Weiss said that despite the “technological challenges,” the hack had not halted progress in the case.

“Defense counsel have not been sitting on their hands,” Ms. Weiss added.

Nicole Perlroth contributed reporting. Susan C. Beachy contributed research.

https://www.nytimes.com/2021/06/18/nyre ... -hack.html
“Do not grow old, no matter how long you live. Never cease to stand like curious children before the Great Mystery into which we were born.” Albert Einstein

#137

Post by ti-amie »

These three responses to the article on the NYC Law Dept Hack stood out to me:
TomV
Florida
June 19
Securing computer systems is complex, expensive, and ... boring. Keeping servers properly patched is not glamorous work. Trying to get employees to not use stupid passwords or click on dodgy email attachments won't win IT employees any popularity contests and can really only be prevented by making it technically impossible. When you do make it technically difficult or impossible, people get up in arms about how user-unfriendly the "system" is.

It's easy to throw stones after the hacks occur, but sadly the only way to keep them from occurring is to commit the financial and technical resources needed to day-to-day data security. When your enterprise has been in operation for many years with no attacks, it's easy to believe it's just not a big deal. Until this happens...
mop
US
June 19
Unless your company is totally with it and acknowledges that cybersecurity is as critical to the health of the business as the bottom line, you may see that line go into the red - quickly.

There's one absolute with cyber - you can pay up now (preventive measures, offensive security, investment in the people/process/tech)... or you may well pay up in spades later.

Companies that fail to stare this in the face will be stabbed in the back.
I'm not sure how they'll do this but okay.

Michael Cooke
Bangkok
June 19
Regardless how up to date the Windows software might have been, I still can't fathom how any system that can be accessed conveniently from anywhere will be completely secure. For instance, suppose some organization were running encrypted communication with multifactor authentication for clients to access a central repository from home. In today's world, as I know it, the easy way into those systems is via the client's email or mobile device. If either of those are compromised, getting in is as simple as claiming to have forgotten a password. Until someone convinces me breaking into systems is no more difficult than phishing for email access, I'll keep critical transactions off the internet as much as possible.
ponchi101 Venezuela
Site Admin
Posts: 14722
Joined: Mon Dec 07, 2020 4:40 pm
Location: New Macondo
Has thanked: 3857 times
Been thanked: 5567 times

#138

Post by ponchi101 »

ti-amie wrote: Fri Jul 09, 2021 7:13 pm Until someone convinces me breaking into systems is no more difficult than phishing for email access, I'll keep critical transactions off the internet as much as possible.
This part. Ponchi101's motto.
Ego figere omnia et scio supellectilem
Suliso Latvia
Posts: 4405
Joined: Fri Dec 11, 2020 2:30 pm
Location: Basel, Switzerland
Has thanked: 274 times
Been thanked: 1453 times

#139

Post by Suliso »

Great overview of the current commercial space race. Only it's moving so fast that a four month old video is already slightly outdated. For example, Starship prototype has already successfully landed after a high altitude hop and the company is now racing towards the first suborbital test.

#140

Post by Suliso »

In related news Richard Branson is about to take off in his suborbital space plane meant for space tourism in about half an hour or so.

MJ2004
Posts: 417
Joined: Wed Dec 09, 2020 3:18 pm
Location: Boston
Has thanked: 116 times
Been thanked: 300 times

#141

Post by MJ2004 »

This also belongs in World News, but due to the detailed nature of the article I'm posting it here.

Revealed: leak uncovers global abuse of cyber-surveillance weapon
Spyware sold to authoritarian regimes used to target activists, politicians and journalists, data suggests

Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak.

The investigation by the Guardian and 16 other media outlets suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones.

The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.

Forbidden Stories, a Paris-based media nonprofit, and Amnesty International initially had access to the leaked list and shared access with media partners as part of the Pegasus project, a reporting consortium.

The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.

Forensics analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware.

The Guardian and its media partners will be revealing the identities of people whose number appeared on the list in the coming days. They include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers.

The list also contains the numbers of close family members of one country’s ruler, suggesting the ruler may have instructed their intelligence agencies to explore the possibility of monitoring their own relatives.

The disclosures begin on Sunday, with the revelation that the numbers of more than 180 journalists are listed in the data, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.

The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a car wash. His phone has never been found – so no forensic analysis has been possible to establish if it was infected.

NSO said that even if Pineda’s phone had been targeted, it did not mean data collected from his phone contributed in any way to his death, stressing governments could have discovered his location by other means. He was among at least 25 Mexican journalists apparently selected as candidates for surveillance over a two-year period.

Without forensic examination of mobile devices, it is impossible to say whether phones were subjected to an attempted or successful hack using Pegasus.

NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.

In statements issued through its lawyers, NSO denied “false claims” made about the activities of its clients, but said that it would “continue to investigate all credible claims of misuse and take appropriate action”.

It said the list cannot be a list of numbers “targeted by governments using Pegasus”, and described the 50,000 figure as “exaggerated”.

The company sells only to military, law enforcement and intelligence agencies in 40 unnamed countries, and says it rigorously vets its customers’ human rights records before allowing them to use its spy tools.

The Israeli minister of defence closely regulates NSO, granting individual export licences before its surveillance technology can be sold to a new country.

Last month, NSO released a transparency report in which it claimed to have an industry-leading approach to human rights, and published excerpts from its contracts with customers stipulating they must only use its products for criminal and national security investigations.

There is nothing to suggest that NSO’s customers did not also use Pegasus in terrorism and crime investigations, and the consortium also found numbers in the data belonging to suspected criminals.

However the broad array of numbers in the list belonging to people who seemingly have no connection to criminality suggests some of NSO clients are breaching their contracts with the company, spying on pro-democracy activists and journalists investigating corruption, as well as political opponents and government critics.

That thesis is supported by forensic analysis on the phones of a small sample of journalists, human rights activists and lawyers whose numbers appeared on the leaked list.

The research, conducted by Amnesty’s Security Lab, a technical partner on the Pegasus project, found traces of Pegasus activity on 37 out of the 67 phones examined.

The analysis also uncovered some sequential correlations between the time and date a number was entered into the list and the onset of Pegasus activity on the device, which in some cases occurred just a few seconds later.

Amnesty shared its forensic work on four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed they showed signs of Pegasus infection. Citizen Lab also conducted a peer-review of Amnesty’s forensic methods, and found them to be sound.

The consortium’s analysis of the leaked data identified at least 10 governments believed to be NSO customers who were entering numbers into a system: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates (UAE).

Analysis of the data suggests the NSO client country that selected the most numbers – more than 15,000 – was Mexico, where multiple different government agencies are known to have bought Pegasus. Both Morocco and the UAE selected more than 10,000 numbers, the analysis suggested.

The phone numbers which were selected, possibly ahead of a surveillance attack, spanned more than 45 countries across four continents. There were more than 1,000 numbers in European countries that, the analysis indicated, were selected by NSO clients.

The presence of a number in the data does not mean there was an attempt to infect the phone. NSO says there were other possible purposes for numbers being recorded on the list.

Rwanda, Morocco, India and Hungary denied having used Pegasus to hack the phones of the individuals named in the list. The governments of Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia, Mexico, the United Arab Emirates and Dubai did not respond to invitations to comment.

The Pegasus project is likely to spur debates over government surveillance in several countries suspected of using the technology. The investigation suggests the Hungarian government of Viktor Orbán appears to have deployed NSO’s technology as part of his so-called war on the media, targeting investigative journalists in the country as well as the close circle of one of Hungary’s few independent media executives.

The leaked data and forensic analyses also suggest NSO’s spy tool was used by Saudi Arabia and its close ally, UAE, to target the phones of close associates of the murdered Washington Post journalist Jamal Khashoggi in the months after his death. The Turkish prosecutor investigating his death was also a candidate for targeting, the data leak suggests.

Claudio Guarnieri, who runs Amnesty International’s Security Lab, said that once a phone was infected with Pegasus, a client of NSO could in effect take control of a phone, enabling them to extract a person’s messages, calls, photos and emails, secretly activate cameras or microphones, and read the contents of encrypted messaging apps such as WhatsApp, Telegram and Signal.

By accessing GPS and hardware sensors in the phone, he added, NSO’s clients could also secure a log of a person’s past movements and track their location in real time with pinpoint accuracy, for example by establishing the direction and speed a car was travelling in.

The latest advances in NSO’s technology enable it to penetrate phones with “zero-click” attacks, meaning a user does not even need to click on a malicious link for their phone to be infected.

Guarnieri has identified evidence NSO has been exploiting vulnerabilities associated with iMessage, which comes installed on all iPhones, and has been able to penetrate even the most up-to-date iPhone running the latest version of iOS. His team’s forensic analysis discovered successful and attempted Pegasus infections of phones as recently as this month.

Apple said: “Security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”

NSO declined to give specific details about its customers and the people they target.

However, a source familiar with the matter said the average number of annual targets per customer was 112. The source said the company has 45 customers for its Pegasus spyware.

- The Guardian

#142

Post by ponchi101 »

MJ2004 wrote: Sun Jul 18, 2021 4:10 pm "The company sells only to military, law enforcement and intelligence agencies in 40 unnamed countries, and says it rigorously vets its customers’ human rights records before allowing them to use its spy tools."
Oh, well, then there is nothing wrong with that, is there? You sell spying software, but only to the good guys.
God bless these little angels.

#143

Post by Suliso »

US government has managed to destroy Huawei's cellphone business - down from a global market leader in 2020 to outside the top 5 and falling so far this year. However, another Chinese company Xiaomi is now #2 only behind Samsung and ahead of Apple.

#144

Post by ti-amie »

Have you guys heard about the "Freedom Phone" scam?
JazzNU United States of America
Posts: 6655
Joined: Sun Jan 03, 2021 6:57 pm
Location: Pennsylvania
Has thanked: 2786 times
Been thanked: 2374 times

#145

Post by JazzNU »

ti-amie wrote: Mon Jul 19, 2021 12:52 am Have you guys heard about the "Freedom Phone" scam?
Do I even want to know? I can guess and I'm not surprised. Sending money totaling hundreds of millions to a "billionaire" for an election that was already over and done with and repeatedly reinforced in like 30 lawsuits was a proof of concept that they were a ripe audience to be scammed.

#146

Post by ti-amie »

Freedom Phones involve selling the gullible a phone that blocks all kinds of gubmint spying for $500. In reality it's a phone made by a Chinese company that retails for about $120. I'm sure TFG gets a cut.

#147

Post by ponchi101 »

I hate to do this, but: I own a Xiaomi. It is a very good phone. Aluminum case, Android 7 (it is 2 years old), good camera. Cost me $150, it is open so I can go to any country, buy a SIM card and I am up and running.
I plan to switch back to Samsung for my next phone, because I cannot get a Freedom Phone here in Colombia.
(Yes Samsung, joke Freedom Phone).

#148

Post by JazzNU »

@ponchi, might want to look at the OnePlus too. Very competitive with Samsung on features, but almost always less expensive. People love their phones.

#149

Post by ponchi101 »

The way things are looking, I will be buying a Nokia c212, again. ;)
Thanks. Will keep that in mind :thumbsup:

#150

Post by ponchi101 »

So Bezos made it to space, too.
Now you have three companies that can take you up. Obviously, SpaceX is the most developed, being able to reach the ISS. Virgin Galactic seems to be the least, with a barely suborbital capability.
What will they be able to offer? Musk insists that he will die on Mars, which I say is a possibility (he is young). What Bezos will do with Blue Origin is something I don't know. Branson's plane is the simplest but I don't see too many people paying $200K just to go up and be weightless. It can be simulated by the Vomit Comet easily.
If nobody sets up a Space Station for tourists, will this be all for the next decades? Small, short flights above the atmosphere?