April 24, 2019
NYPD forgets to redact facial recognition docs, asks for them back
By Lisa Vaas
Inquiring privacy experts want to know, and they’ve wanted to know for a few years: what type of facial recognition technology is the New York City Police Department (NYPD) using?
What’s it purchased? What are its policies and procedures? How does it train cops on how to use it? What agreements does it have with other agencies that help it run the facial recognition program?
After three years of asking these questions, and filing over 100 requests for relevant documents – which the NYPD is required to hand over per New York State’s Freedom of Information Law (FOIL) – and after a year of being told that the department couldn’t find any such information, Georgetown University Law Center’s Center on Privacy & Technology (CPT) think tank finally managed to claw out 3,700 pages.
Some of which, three weeks after it coughed them up, the NYPD demanded that the CPT return.
A Manhattan judge has ordered the CPT to give back 20 pages of confidential, unredacted documents about the NYPD’s use of facial recognition that were handed over by mistake during the long-running legal case… Oops.
Mind you, the NYPD has already shared these documents. At least once, it’s done so publicly… or, rather, it’s shared one document with anybody who could cough up a conference fee to see it splashed on a screen in a PowerPoint presentation.
Read more at https://nakedsecurity.sophos.com/2019/04/24/nypd-forgets-to-redact-facial-recognition-docs-asks-for-them-back/
Gunpoint domain hijack turns out to have been a family affair
By Lisa Vaas
You might recall the epic, violent domain transfer #FAIL that involved pistol-whipping, tasering, and demanding, at gunpoint, the transfer of “doitforstate.com” – a site devoted to content concerned with the beer-guzzling and butt-ogling of college students.
The domain-demanding burglar, Sherman Hopkins, Jr., of Cedar Rapids, Iowa – who got shot multiple times in the chest when the rightful owner of doitforstate.com managed to wrestle Hopkins’ gun away from him – was sentenced to maximum prison time of 20 years last year.
But it turns out that the entrepreneurial yearning to possess the doitforstate.com site did not originate with Hopkins. In fact, Hopkins was hired by his cousin, who last week was convicted for planning the armed home invasion and hiring Hopkins to do it.
Rossi Lorathio Adams II, 26, also from Cedar Rapids, Iowa, was convicted of conspiracy to interfere with commerce by force, threats, and violence. The time it took the jury to convict: one hour.
‘State Snaps’ and its lust for ‘Do It For State’
As prosecutors described during the trial, Adams founded a social company called “State Snaps” while he was a student at Iowa State University in 2015. Similar to Do It For State, State Snaps – and its Snapchat, Instagram and Twitter feeds – showed great gusto for boob-, butt-, beer-, setting-things-on-fire-, drug- and arrows-shot-into-the-groin-related content, as well as for at least one depiction of beer drinking a la butt.
Read more at https://nakedsecurity.sophos.com/2019/04/24/gunpoint-domain-hijack-turns-out-to-have-been-a-family-affair/
DNS over HTTPS is coming whether ISPs and governments like it or not
By John E Dunn
The penny has finally dropped inside ISPs and governments that a privacy technology called DNS over HTTPS (DoH), backed by Google, Mozilla and Cloudflare, is about to make web surveillance a lot more difficult.
In the UK, this matters because under the 2016 Investigatory Powers Act (IPA), ISPs are required to store a record of which websites citizens visit for the previous 12 months, which is done by noticing Domain Name System (DNS) requests, e.g. to xyz.com.
DNS over HTTPS (and its close relative DNS over TLS, or DoT) makes this impossible because it encrypts these requests – normally sent in the clear – hence the panic reported in a recent Sunday Times article (paywall).
For more detail on how DoH/DoT works, read our previous coverage on the topic. The takeaway, however, is that Britain’s National Cyber Security Centre (NCSC), and probably the US government, think its unexpectedly rapid evolution imperils the monitoring of terrorism and other illegal content.
Big ISPs also worry it will interfere with complex Content Delivery Network (CDN) traffic caching, make customer management through support and captive portals difficult, and leave them fielding calls from unhappy customers when the third-party DNS servers offering DoH fall over.
Confusingly, the Sunday Times story also says DoH will stymie the UK’s controversial porn block, which enforces age checks before adults can visit big porn sites, although it’s not clear how – encrypting DNS hides the domains people visit, but not the fact that web requests are being made from UK ISPs (though it would stop ISPs from implementing their own domain filters).
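Since this story turns on the difference between a DNS query sent in the clear and the same query carried inside HTTPS, here is an added Python example (not from the article or from any of the vendors mentioned) that builds a minimal RFC 1035 query, shows the query name an on-path observer can read straight out of a plaintext UDP/53 payload, and wraps the identical bytes into an RFC 8484 DoH GET request. The resolver URL is a placeholder, the name being looked up is constructed, and no packets are sent; for www.example.com the encoded message matches the worked example in RFC 8484 itself.

```python
import base64
import json
import struct

# Constructed sample: the name an imaginary browser wants to resolve.
QNAME = "www.example.com"


def encode_name(name: str) -> bytes:
    """DNS wire-format name (RFC 1035 s3.1): length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Single-question DNS query message (RFC 1035 s4.1).

    The byte string is the same whether it travels over UDP/53 or inside an
    HTTPS request; only the transport differs. RFC 8484 recommends ID 0 for
    DoH so that identical queries yield identical, cacheable URLs.
    """
    flags = 0x0100  # RD: recursion desired
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def question_name(message: bytes) -> str:
    """Recover the query name from a plaintext query, as an on-path observer
    (an ISP logging DNS for IPA retention, say) can do with UDP/53 traffic."""
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a question we built")
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length


def doh_get_url(message: bytes, resolver: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 s4.1: GET with the wire message base64url-encoded (padding stripped)
    in the 'dns' query parameter. The resolver URL is a placeholder, not a real service."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def observer_view(name: str) -> dict:
    """Contrast what the network sees for the two transports (nothing is sent)."""
    msg = build_query(name)
    return {
        "plain_udp_53": {"visible_qname": question_name(msg)},
        "doh": {
            "visible": "a TLS session to the resolver host; the request below is inside it",
            "request": doh_get_url(msg),
        },
    }


if __name__ == "__main__":
    print(json.dumps(observer_view(QNAME), indent=2))
```

The point the example makes for a network defender is that DoH does not change the DNS message at all, so any logging or filtering that depended on reading the question section off the wire has to move to an endpoint the organisation controls (for example, a resolver it operates itself) rather than to the path.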
Read more at https://nakedsecurity.sophos.com/2019/04/24/dns-over-https-is-coming-whether-isps-and-governments-like-it-or-not/
Phone fingerprint scanner fooled by chewing gum packet
By Paul Ducklin
Nokia’s funky new phone, known as the Nokia 9 PureView, has some very cool features.
Five of them, in fact – five cameras, arranged on the back of the phone like a spider’s eye, capturing 12 megapixels each to make the device a snapper’s delight.
The Nokia 9 also includes a fingerprint scanner – a feature that Apple recently ditched from its smartphone range so that the screen could reach right to the edges of the device, as modern style dictates, but that several modern Android devices have retained by building the fingerprint detector into the screen itself.
That sounds like the best of both worlds: a good-looking screen plus convenient biometric security that is based on more than just a picture of your face.
Fingerprint scanners, however, aren’t perfect, with the result that we’ve written several stories over the years about the tricks that hackers have found to bypass them.
Positives and negatives
A fingerprint sensor bypass is what’s known in the jargon as a false positive, where an invalid fingerprint is incorrectly recognized as genuine, and the device is wrongly unlocked.
The opposite misbehavior is a false negative, where even the genuine owner of the device can’t get in because their own fingerprint is wrongly rejected.
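To make the two failure modes concrete, here is an added Python example (not from the article and not modelled on the Nokia 9's matcher) that scores a constructed set of genuine and impostor match attempts against a decision threshold and reports the false accept rate (false positives) and false reject rate (false negatives). It goes a little beyond the text by sweeping the threshold, which shows the usual trade-off: tightening the threshold to shut out impostors raises the rate at which the real owner is rejected. All scores are made up.

```python
# Constructed matcher scores in [0, 1]; higher means "closer to the enrolled print".
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.86, 0.93, 0.70, 0.90]   # the owner's own finger
IMPOSTOR_SCORES = [0.12, 0.35, 0.08, 0.62, 0.20, 0.75, 0.15, 0.41]  # other fingers or a fake


def accept(score: float, threshold: float) -> bool:
    """The sensor's decision: unlock if the similarity score reaches the threshold."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """Return (false accept rate, false reject rate) at a given threshold.

    A false accept is the article's false positive: an impostor attempt scored
    above the threshold, so the device unlocks for the wrong person.
    A false reject is the false negative: the owner's own finger scored below
    the threshold, so the rightful user is locked out.
    """
    false_accepts = sum(accept(s, threshold) for s in impostor)
    false_rejects = sum(not accept(s, threshold) for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """Tabulate the trade-off across several thresholds."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    print("threshold  FAR    FRR")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.65, 0.72, 0.8]):
        print(f"{t:>9.2f}  {far:.3f}  {frr:.3f}")
```

A bypass like the one in the story is a false accept at whatever operating threshold the vendor chose; a vendor that sets the threshold low enough to keep false rejects (and support calls) down is also widening the window in which a non-finger scores as genuine.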
Read more at https://nakedsecurity.sophos.com/2019/04/23/phone-fingerprint-scanner-fooled-by-chewing-gum-packet/
Hotspot finder app blabs 2 million Wi-Fi network passwords
By Lisa Vaas
This should come as no surprise, but it still sucks big-time: thousands of people who downloaded a random, very popular app called WiFi Finder found that it got handsy with users’ own home Wi-Fi, uploading their network passwords to a database full of 2 million passwords that was found exposed and unprotected online.
The leaked database was discovered by Sanyam Jain, a security researcher and a member of the GDI Foundation who reported his find to TechCrunch. Jain and TechCrunch’s Zack Whittaker spent more than two weeks fruitlessly trying to contact the developer, who they believe is based in China.
Receiving no reply, they instead turned to the host, DigitalOcean, which yanked the database within a day of their contact.
According to the app’s Google Play listing, it’s been installed more than 100,000 times.
The app does what it says it does: it searches for nearby hotspots, maps them, and enables users to upload all their stored Wi-Fi passwords. Unfortunately, in spite of what the app developer – Proofusion – claims, WiFi Finder doesn’t differentiate between public hotspots and what Whittaker says are the “countless” home Wi-Fi networks found by TechCrunch and Jain.
The exposed database didn’t give away contact information for any of the Wi-Fi network owners, but it did include geolocation data. The geolocations often corresponded to what look like wholly residential areas where there don’t appear to be any businesses, suggesting that the logins are for home networks.
Read more at https://nakedsecurity.sophos.com/2019/04/23/hotspot-finder-app-blabs-2-million-wi-fi-network-passwords/
Once again, it’s 123456: the password that says ‘I give up’
By Lisa Vaas
The essence of most people’s regard for cybersecurity: we’re DOOMED.
That’s one of the key takeaways from the UK’s National Cyber Security Centre (NCSC), which released the results of its first ever UK cyber survey on Sunday, along with a list of the most craptacular passwords found most often in breached databases.
The findings were released ahead of the NCSC’s CYBERUK 2019 conference in Glasgow this week.
Some of those doomy gloomy findings: 70% of the 1,350 Brits surveyed between November 2018 and January 2019 believe they’re going to be cyber-pounced on sometime in the next two years, and it will put on some hurt, aka a “big personal impact.”
Many people – 37% – think that getting mugged online for money or personal details is inevitable these days. Losing money is the biggest concern, with 42% feeling it’s likely to happen by 2021. That’s not keeping them from buying stuff online, though: 89% are using the internet to make online purchases, and 39% say they do so on a weekly basis.
Although 80% said that cybersecurity is a “high priority,” that doesn’t mean that the doomed plan to do anything about it. In fact, some of the groups most likely to say it’s a priority are the least likely to take protective action. For example, older people – those aged 55-64 – are the likeliest to say it’s a high priority, and 16-24 year-olds are least likely to prioritize it. However, the youngsters are more likely to say they’re capable when it comes to cybersecurity, and they’re more likely to flip the switch on some protection.
Read more at https://nakedsecurity.sophos.com/2019/04/23/once-again-its-123456-the-password-that-says-i-give-up/