After being scammed into thinking her daughter was kidnapped, an Arizona woman testified in the US Senate about the dangers side of artificial intelligence technology when in the hands of criminals.

Jennifer DeStefano told the Senate judiciary committee about the fear she felt when she received an ominous phone call on a Friday last April.

Thinking the unknown number was a doctor’s office, she answered the phone just before 5pm on the final ring. On the other end of the line was her 15-year-old daughter – or at least what sounded exactly like her daughter’s voice.

“On the other end was our daughter Briana sobbing and crying saying ‘Mom’.”

Briana was on a ski trip when the incident took place so DeStefano assumed she injured herself and was calling let her know.

DeStefano heard the voice of her daughter and recreated the interaction for her audience: “‘Mom, I messed up’ with more crying and sobbing. Not thinking twice, I asked her again, ‘OK, what happened?’”

She continued: “Suddenly a man’s voice barked at her to ‘lay down and put your head back’.”

Panic immediately set in and DeStefano said she then demanded to know what was happening.

“Nothing could have prepared me for her response,” Defano said.

Defano said she heard her daughter say: “‘Mom these bad men have me. Help me! Help me!’ She begged and pleaded as the phone was taken from her.”

“Listen here, I have your daughter. You tell anyone, you call the cops, I am going to pump her stomach so full of drugs,” a man on the line then said to DeStefano.

The man then told DeStefano he “would have his way” with her daughter and drop her off in Mexico, and that she’d never see her again.

At the time of the phone call, DeStefano was at her other daughter Aubrey’s dance rehearsal. She put the phone on mute and screamed for help, which captured the attention of nearby parents who called 911 for her.

DeStefano negotiated with the fake kidnappers until police arrived. At first, they set the ransom at $1m and then lowered it to $50,000 when DeStefano told them such a high price was impossible.

She asked for a routing number and wiring instructions but the man refused that method because it could be “traced” and demanded cash instead.

DeStefano said she was told that she would be picked up in a white van with bag over her head so that she wouldn’t know where she was going.

She said he told her: “If I didn’t have all the money, then we were both going to be dead.”

But another parent with her informed her police were aware of AI scams like these. DeStefano then made contact with her actual daughter and husband, who confirmed repeatedly that they were fine.

“At that point, I hung up and collapsed to the floor in tears of relief,” DeStefano said.

When DeStefano tried to file a police report after the ordeal, she was dismissed and told this was a “prank call”.

A survey by McAfee, a computer security software company, found that 70% of people said they weren’t confident they could tell the difference between a cloned voice and the real thing. McAfee also said it takes only three seconds of audio to replicate a person’s voice.

DeStefano urged lawmakers to act in order prevent scams like these from hurting other people.

She said: “If left uncontrolled, unregulated, and we are left unprotected without consequence, it will rewrite our understanding and perception what is and what is not truth. It will erode our sense of ‘familiar’ as it corrodes our confidence in what is real and what is not.”

This news is “stunning” say many cybersecurity experts; it’s so bad that a patch can’t resolve it, companies have to completely stop using these (very expensive) machines and get new ones.

Clop seems to be on a roll, first with GoAnywhere and now with Moveit

An overview of the main areas companies need to pay attention to and the tools they can use to get their cybersecurity in better shape.

Register for the streamyard URL, no account needed.

r/cybersecurity

r/cybersecurity

cross-posted from: https://feddit.it/post/199745

r/cybersecurity

r/cybersecurity

r/cybersecurity

r/cybersecurity

The source code of this software is here: https://github.com/monarc-project/stats-service

Licensed under Affero GPL v3.

It is a decentralized service which can aggregate different kind stats about threats and vulnerabilities. Here is more information: https://www.monarc.lu/documentation/stats-service/master/architecture.html if you want to understand the details.

Can write blogs, discuss with each other and a lot more.

How do Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) work?
Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. When combined it becomes exceedingly difficult to exploit vulnerabilities in applications using shellcode or return-oriented programming (ROP) techniques.

It started (in recent times) with the USA accusing TikTok and Huawei of being capable of spying (nothing was ever proven), and now with China responding in the same way about Tesla vehicles (laden with cameras, sensors and network connectivity).

All valid concerns, and we do already know for a fact that allies are spying on allies, so they are not groundless concerns, but where does that leave electronic devices that are getting smarter and smarter? It's a concerning future because even if the manufacturer is not overtly assisting with spying, they could be infiltrated and have their information exposed (remember SolarWinds?). In fact, who knows if data from Tesla's in use at US military institutions, have not had their data exposed already in this way to any other foreign power?

Interesting times we live in, and to think our own military was banning all smartphones from their meetings years ago... now it will be smart watches, smart cars, and let's just hope we don't get smart clothing!

See https://mashable.com/article/elon-musk-tesla-china-sharing-data/

#technology #security #spying #Tesla

This is a technique I've come up with, intended to be an improvement on the norm, and on multifactor authentication. It is both more secure and more convenient.

Features:

• Every password is one-use-only - a hacker can never impersonate a service to steal credentials and immediately use them to impersonate the user.
• Passwords are necessarily unique to each service - so password breaches are not so useful to hackers
• The service must also prove its identity to the user - to avoid phishing
• Does not use biometrics - because they are easy to steal, and difficult for the owner to change once stolen
• Does not require revealing anything personal like an address or state-issued ID, that could then be used to impersonate the owner
• Does not rely on having possession of a particular object/device - this device can be lost, stolen, damaged, causing the owner to lose all his accounts.
• There is no need to store passwords somewhere like a password manager - avoiding several extra security risks.
• Master-passwords don’t need to be very long or high entropy. There are only a couple of easy-to-remember ones which are shared across the user’s digital life. All transmitted data, all logins, are nonetheless high entropy.
• It can be done as a browser plugin - this way it is at least as convenient as a conventional login. It can also be done using an air-gapped memoryless calculator - this way you never have to enter your passwords into any computer, or write them down anywhere but that device.
• There is necessarily a standardised waiting time after a failed login, to avoid brute-force attacks.
• Any attack (phishing or otherwise) is identified immediately and an alert can be sent. It can be figured out what information the attacker knew.

So this system has many features no existing system I’ve heard of has. In combination they make it perfectly secure.

How it works:

Cryptography usually uses some kind of hashing function, where it is easy to perform the calculation but difficult to reverse it. The analogy is mixing paint. Given two paint colours, it’s easy to figure out what colour is produced by mixing them. But given the mixed colour, it’s difficult to find out either component colour. I’ll use notation AxB=C for the forward function, where multiplication is easy, but the reverse function - given C find A or B - is difficult.

Here the user has two master passwords, PA and PB, which are the same for all services. He also has a device which performs the calculation AxB, to generate new temporary passwords. The calculator can be built into the browser, the OS, on the command-line, or on an air-gapped device.

Signing up to a service: The user provides the service a username and his two login passwords: PA x serviceID, PB x serviceID.

Login process:

1. The user provides his username
2. The service provides: PA x serviceID x date.
3. The user checks this against his own calculation of PA x serviceID x date
4. If correct, the user provides PB x serviceID x date
5. The service checks this is correct. Then the login is complete.

This is as convenient as a conventional login process - assuming the calculator is built into the browser. Just enter your master passwrods and the browser will do the rest. But if the calculator is air-gapped, this technique has perfect security.

More details:

So the “something you have” and “something you are” are not required. If you’re a fan of two or three factor authentication you can incorporate them into this system. The login process can also be tweaked to force the user to check that the service's login is valid.

serviceID can be just the company name, or some other word which is the same for every user of the service, and shown on the login form. It can also be unique unique to each user, defined by either the user or the service (the service can remind the user of his serviceID)

The date could also be any unique or pseudo-random number. It could be displayed on the login form, to avoid timezone problems. Anyway the same date (and therefore the same login) can never be reused. Probably the date is rounded to 5min intervals, to the user has to wait 5min after each failed login attempt.

The user's passwords can be quite simple. High entropy is added to the login during the calculation. And if somehow hacked the passwords are easily changed.

This technique is easy to implement. A single browser or OS, and a single website/service could unilaterally start using this system. Or the details could be strictly defined as an internet standard.

There is no obstacle, political or technical. We could have perfect security, married with perfect convenience, today.

MOSP is a platform for creating, editing and sharing validated JSON objects of any type.

The goal is to gather security related JSON objects, in the first place aimed to be used with MONARC.

You can use any available JSON schemas in order to create new JSON objects via a web form dynamically generated and based on the selected schema. It is possible to interact with MOSP programmatically thanks to its API (OpenAPI specification).

You can export MOSP objects for MISP (MISP galaxy). See the this video as example.