September 5, 2018
Google releases free AI tool to stamp out child sexual abuse material
By Lisa Vaas
Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images. Provided by ISPs, these hash values (which are like a digital fingerprint) enable companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to actually pry open people’s private messages.
More recently, in 2015, the Internet Watch Foundation (IWF) announced that it would share hashes of such vile imagery with the online industry in a bid to speed up its identification and removal, working with web giants Google, Facebook, Twitter, Microsoft and Yahoo to remove child sexual abuse material (CSAM) from the web.
It’s been worthy work, but it’s had one problem: you can only get a hash of an image after you’ve identified it. That means that a lot of human analysts have to analyze a lot of content – onerous work for reviewers, and also an approach that doesn’t scale well when it comes to keeping up with the scourge.
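The matching step described above, as an added illustration that is not part of the article and not the tooling NCMEC or the IWF actually distribute: a provider keeps only a set of fingerprints, hashes each incoming file, and looks the result up in that set. The article does not name the hash function, so SHA-256 is an assumed stand-in here, and the "images" are constructed byte strings rather than real files. The example also shows the limitation the text raises: a file that differs by a single byte produces a different fingerprint, so an exact-match list only ever catches material that has already been identified and hashed.

```python
import hashlib

# Constructed sample "files": byte strings standing in for image data (not real images).
KNOWN_FILES = {
    "known_a.bin": b"constructed sample image bytes A",
    "known_b.bin": b"constructed sample image bytes B",
}


def fingerprint(data: bytes) -> str:
    """Exact-match fingerprint of a file's bytes. SHA-256 is an assumed choice;
    the article only says the values are 'like a digital fingerprint'."""
    return hashlib.sha256(data).hexdigest()


def build_hash_list(files: dict) -> set:
    """What a clearinghouse would distribute: hashes only, never the files themselves."""
    return {fingerprint(data) for data in files.values()}


def scan(uploads: dict, hash_list: set) -> list:
    """Return the names of uploads whose fingerprint appears in the shared list.
    The provider never needs a copy of the original material to do this."""
    return sorted(name for name, data in uploads.items() if fingerprint(data) in hash_list)


# Constructed uploads: one byte-identical to a known file, one altered by a
# single appended byte, one unrelated.
UPLOADS = {
    "upload_1.bin": b"constructed sample image bytes A",
    "upload_2.bin": b"constructed sample image bytes A!",
    "upload_3.bin": b"unrelated content",
}

HASH_LIST = build_hash_list(KNOWN_FILES)


def demo() -> list:
    """Only the byte-identical upload matches; the altered copy slips past an
    exact-match list until a reviewer identifies it and its hash is added."""
    return scan(UPLOADS, HASH_LIST)


if __name__ == "__main__":
    print("matched:", demo())
```

Running the block reports only `upload_1.bin` as a match. The near-duplicate `upload_2.bin` goes undetected, which is precisely the gap the article says Google's classifier is meant to narrow: something has to flag new material before a hash of it can be shared.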
On Monday, Google announced that it’s releasing a free artificial intelligence (AI) tool to address that problem: technology that can identify, and report, online CSAM at scale, easing the need for human analysts to do all the work of catching new material that hasn’t yet been hashed.
Google Engineering Lead Nikola Todorovic and Product Manager Abhi Chaudhuri said in the post that the AI “significantly advances” Google’s existing technologies to “dramatically improve how service providers, NGOs, and other technology companies review violative content at scale.”
Read more at https://nakedsecurity.sophos.com/2018/09/05/google-releases-free-ai-tool-to-stamp-out-child-sexual-abuse-material/
Credit card gobbling malware found piggybacking on ecommerce sites
By Paul Ducklin
Thanks to Mark Stockley, our resident JavaScript, PHP and jQuery expert, for his help with this article.
Dutch security researcher Willem de Groot, who’s particularly interested in security problems on online payment sites, recently wrote about a long-running Magento malware campaign.
Magento is to ecommerce what WordPress is to blogging – you can run the open source version on your own servers; you can use an ecommerce partner who’ll run a Magento instance for you; or you can sign up for Magento’s own cloud platform.
Thousands of sites still run their own Magento servers, even in the modern cloud-centric era, for example because they’ve already got a customized warehousing and shipping system with which their ecommerce servers need to integrate.
Unfortunately, de Groot found that many of these sites – more than 7000 in total, he claims – have been infiltrated by cybercrooks in the past six months.
Worse still, de Groot estimates that nearly 1500 of them may have been infected for the entire six-month period.
We’re not sure how sites are getting infected, but we suspect that the crooks behind this campaign are using multiple ways to break in.
Read more at https://nakedsecurity.sophos.com/2018/09/04/credit-card-gobbling-code-found-piggybacking-on-ecommerce-sites/
How refusing to give police your Facebook password can lead to prison
By Lisa Vaas
A 24-year-old murder suspect was sentenced to 14 months in prison on Friday for refusing to hand over his Facebook account password to detectives who are investigating the death of 13-year-old schoolgirl Lucy McHugh.
As The BBC reports, Lucy had been missing for two days last month before her body was found in the woods near a sports center in Southampton, UK. She was stabbed to death.
Stephen Nicholson, a friend of the family who’d been staying with them, was allegedly in contact with Lucy the morning of her disappearance. Police took him into custody and asked him – twice – for his password so they could check out the alleged conversation and whatever other content might help the investigation.
Nicholson has been jailed not for the murder, but for his refusal to cooperate with the detectives and let them into his account.
On Friday, he pleaded guilty to failing to disclose access codes to an electronic device under the Regulation of Investigatory Powers Act 2000 (RIPA).
According to the Independent, Nicholson argued that giving police access to his private Facebook messages could expose information relating to cannabis.
The judge scoffed, describing the excuse as “wholly inadequate”, considering the severity of the case.
Part 3 of RIPA empowers UK authorities to compel the disclosure of encryption keys or decryption of data. Refusal to comply can result in a maximum sentence of two years’ imprisonment, or five years in cases involving national security or child indecency.
Read more at https://nakedsecurity.sophos.com/2018/09/04/how-refusing-to-give-police-your-facebook-password-can-lead-to-prison/
Governments demand companies allow access to data, or else
By Danny Bradbury
A decades-old alliance of national intelligence partners promised to get at encrypted data last week, whether tech companies helped them or not.
Australia, Canada, New Zealand, the United Kingdom and the United States released a joint statement calling on tech companies to help them access data when authorized by the courts – or else.
The alliance of countries is known as the Five Eyes, and it was formed after the Second World War as a collaborative effort to share intelligence information. The group released an Official Communiqué at a meeting last week, outlining several broad goals. One of these goals involved increasing government powers to target encrypted data when the courts authorized it (a concept known as ‘lawful access’).
The group went into more depth in its Statement of Principles on Access to Evidence and Encryption, released at the same time. The document starts off conciliatory enough, arguing that encryption is necessary:
Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.
Then came the common refrain: You can have too much of a good thing.
However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security.
The same encryption that protects legitimate information is also protecting criminals, the statement said, adding that while privacy laws are important, the authorities need a way to access communications when a court has allowed it. The countries’ reasoning here is that the same principles have applied to searches of homes and other physical spaces for years. They want the same warrant principles to apply in cyberspace.
Read more at https://nakedsecurity.sophos.com/2018/09/04/governments-demand-companies-allow-access-to-data-or-else/