ctmagazin

Logitech keyboards and mice vulnerable to extensive cyber attacks

Several Logitech keyboards, mice and wireless presenters suffer from security vulnerabilities. Not only can attackers eavesdrop on keystrokes, they can even infect the host system. c’t has established which products are affected and what you should do now.

A large range of Logitech wireless input devices is vulnerable to wireless attacks and can pose a security risk. That is the conclusion of security expert Marcus Mengs, with whom c’t has been in touch for quite some time. Mengs’ investigation of the wireless connections of several Logitech devices has uncovered numerous weaknesses. They affect keyboards and mice as well as the remote controls known as wireless presenters.

The vulnerabilities allow an attacker to eavesdrop on keystrokes from wireless keyboards. Everything an affected user types, from e-mails to passwords, is readily available to the adversary. But it gets worse: an attacker can send arbitrary commands to the victim’s computer if a vulnerable Logitech device is installed. That makes it easy to infect the computer with malicious code without the rightful owner noticing.

Mengs demonstrates how to infect a system with a backdoor (a remote shell) through which he can control the system remotely by radio. In a way, it’s an elegant hack, because he simply piggybacks on the wireless Logitech connection both to infect the system and to communicate with the backdoor. That means even computers that are not online are ripe for the hack.

Full article

WIRED

How to Protect Our Kids’ Data and Privacy

YouTube is currently under investigation by the Federal Trade Commission following complaints that the platform improperly collected data from young users. It’s unclear how much data this might be, but there’s reason to believe it could be a lot. For many kids, YouTube has replaced television; depending on how parents use online platforms, children could begin to amass data even before birth.

Full article

ZDNet

Mozilla: No plans to enable DNS-over-HTTPS by default in the UK

After the UK’s leading industry group of internet service providers named Mozilla an “Internet Villain” because of its intentions to support a new DNS security protocol named DNS-over-HTTPS (DoH) inside Firefox, the browser maker told ZDNet that such plans don’t currently exist.

“We have no current plans to enable DoH by default in the UK,” a spokesperson told ZDNet last night.

Full article

ZDNet

Reports say China is installing surveillance apps on some visitors’ phones

It has been reported that China’s border guards are installing surveillance apps on the phones of some visitors as part of the government’s ever-increasing mass surveillance regime in the Xinjiang province.

According to an investigation by the Guardian, The New York Times, and Germany’s Süddeutsche Zeitung, the “secret” app allows for personal information to be downloaded. The app was discovered to be installed on the phones of visitors entering the country from Kyrgyzstan.

The report says people using the remote Irkeshtam border crossing into the country have routinely had their phones screened by guards. The Irkeshtam crossing is China’s most westerly border and is used by traders and tourists, some following the historic Silk Road.

The publication said specifically that the app extracts emails, text messages, contact information, as well as handset information. Visitors have not been informed this is happening.

Full article

WIRED

Ransomware Hits Georgia Courts As Municipal Attacks Spread

Ransomware has no shortage of cautionary tales and wakeup calls from the past decade. But for local governments, this past year has been a particularly brutal reminder of the threat. Following a 2018 attack that paralyzed the City of Atlanta for weeks, more than half a dozen cities and public services across the country have fallen to ransomware so far in 2019, on a near-monthly basis; the Administrative Office of the Georgia Courts became the latest victim on Saturday, when an attack knocked its systems offline.

Full article

ZDNet

Germany to publish standard on modern secure browsers

Germany’s cyber-security agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure.

The new guidelines are currently being drafted by the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI), and they’ll be used to advise government agencies and companies from the private sector on what browsers are safe to use.

A first version of this guideline was published in 2017, but a new standard is being put together to account for improved security measures added to modern browsers, such as HSTS, SRI, CSP 2.0, telemetry handling, and improved certificate handling mechanisms — all mentioned in a new draft released for public debate last week.

Full article

The Guardian

How to speak Silicon Valley: 53 essential tech-bro terms explained

Google (n) – The privacy-devouring tech company that does everything that Facebook does, but manages to get away with it, largely because its products are useful instead of just depressing. (v) – To make the bare minimum effort to inform oneself about something. What a tech bro did before he insisted on explaining your area of expertise to you.

privacy (n) – Archaic. The concept of maintaining control over one’s personal information.

Twitter (n) – A mid-sized business with outsized importance due to its three primary users: Donald Trump, Elon Musk and journalists. A useful tool for journalists to gauge public opinion by talking to other journalists, and for Elon Musk to provoke lawsuits and federal investigations into securities fraud.

Full article

EFF

A Major Police Body Camera Maker Hits Pause on Face Surveillance

Electronic Frontier Foundation

Communities and lawmakers across the country are waking up to the fact that using face recognition for government surveillance is a troubling trend, particularly when used with cameras that police officers wear. On Thursday, Axon—a major police body-worn camera maker—added its voice to calls to press the pause button on this type of face surveillance, saying it will no longer be “commercializing face matching products on our body cameras at this time.”

Axon’s decision follows strong opposition to government use of face surveillance. San Francisco in May banned city use of face surveillance. This month, Oakland, California and Somerville, Massachusetts have both taken crucial steps toward adopting similar bans, with both measures now headed for full city council votes.

Full article

WIRED

A Likely Chinese Hacker Crew Targeted 10 Phone Carriers to Steal Metadata

For anyone who’s worried that their phone might be hacked to track their location, who they call and when, and other metadata that describes the intimate details of their life, one cyberespionage group has provided a reminder that hackers don’t necessarily even need to reach out to your device to gain that access. It may be far easier and more efficient for sophisticated stalkers to penetrate a mobile provider, and use its data to surveil whichever customers they please.

Full article

ZDNet

NASA hacked because of unauthorized Raspberry Pi connected to its network

A report published this week by the NASA Office of Inspector General reveals that in April 2018 hackers breached the agency’s network and stole approximately 500 MB of data related to Mars missions.

The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review.

Full article