New Facebook AI fool’s facial recognition

By Lisa Vaas

Facebook is both embroiled in privacy struggles over its use of facial recognition, working to spread it far and wide, and coming up with ways to flummox the technology so it can’t match an image of a person to one stored in image databases.

On Sunday, Facebook Research published a paper proposing a method for using a machine learning system for de-identification of individuals in videos by subtly distorting face images so they’re still recognizable to humans, but not to machines.

Other companies have done similar things with still images, but this is the first technology that works on video to thwart state-of-the-art facial recognition systems.

Here it is in action, with before and after videos of celebrity faces that many of us will recognize but that automatic facial recognition (AFR) systems can’t identify.

This, from the holder of the world’s biggest face database?

Why would Facebook do this, when it’s been so keen to push facial recognition throughout its products, from photo tag suggestions on to patent filings that describe things like recognizing people in the grocery store checkout lines so the platform can automatically send a receipt?

Read more at https://nakedsecurity.sophos.com/2019/10/29/new-facebook-ai-fools-facial-recognition/

Adobe database exposes 7.5 million Creative Cloud users

By John E Dunn

Adobe has become the latest company to be caught leaving an Elasticsearch database full of customer data exposed on the internet.

Discovered on 19 October by data hunter Bob Diachenko and security company Comparitech, the unsecured database contained the email addresses of nearly 7.5 million customers of Adobe’s Creative Cloud, plus the following:

• Account creation date
• Adobe products used
• Subscription status
• Whether the user is an Adobe employee
• Member IDs
• Country
• Time since last login
• Payment status

That’s the email addresses of around half of Creative Cloud’s customer base although not, importantly, any of their passwords or payment information. Nevertheless, said Comparitech, spelling out the risk of phishing attacks:

Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.

Judging from clues in the data, Diachenko believes it might have been exposed for around a week. It’s not possible to tell whether anyone else accessed the data during this time.

Read more at https://nakedsecurity.sophos.com/2019/10/28/adobe-database-exposes-7-5-million-creative-cloud-users/

Ransomware with a difference as hackers threaten to release city data

By Danny Bradbury

Johannesburg spent the weekend struggling to recover from its second cyberattack this year as it took key services systems offline.

The city first alerted users of the attack via Twitter on Thursday 24 October.

The cyberattack came from a group calling itself the Shadow Kill Hackers. Some media outlets are reporting it as a ransomware attack, but according to a note reportedly sent to city employees and shared on Twitter, the hackers didn’t encrypt data. Instead, they stole it and threatened to upload it to the internet if the City didn’t pay up. The note read:

All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.

The group reportedly demanded a payment of four bitcoins (£30,347) by 5pm today, Monday 28 October, or they will release the compromised data.

The attack also affected City Power, a city-owned utility providing pre-paid electrical power to residents. It said that it was experiencing call center problems due to the incident, and urged people to use its mobile app to log power problems instead. It also said that billing systems had been affected.

Read more at https://nakedsecurity.sophos.com/2019/10/28/johannesburg-hit-by-second-malware-attack/

TikTok says no, senators, we’re not under China’s thumb

By Lisa Vaas

TikTok – the Chinese-owned, massively popular, kid-addicting, fine-accruing, short-and-jokey video-sharing platform – is a potential threat to national security, US lawmakers said last week.

Senators Tom Cotton and Chuck Schumer on Wednesday sent a letter to Acting Director of National Intelligence Joseph Maguire, asking that the intelligence community please look into what national security risks TikTok and other China-owned apps may pose.

TikTok’s parent company, Bytedance, is a private startup based in Beijing that was valued at $75 billion as of July. Most of that is thanks to TikTok and its Chinese equivalent, Douyin.

The senators pointed out that TikTok has been downloaded in the US more than 110 million times. At least one Chinese doctor specializing in addiction has warned that young people are so hooked on social media approval that they’ve been risking their lives to garner likes with their 15-second Douyin clips, which have featured things like dancing in front of a moving bus or trying to flip a child 180 degrees …and then dropping her.

The day after the letter was published, TikTok defended itself in a company blog post in which it reiterated what it’s repeatedly claimed – that Chinese law doesn’t influence TikTok, given that its data is stored on servers in the US:

We store all TikTok US user data in the United States, with backup redundancy in Singapore. Our data centers are located entirely outside of China, and none of our data is subject to Chinese law. Further, we have a dedicated technical team focused on adhering to robust cybersecurity policies, and data privacy and security practices.

Read more at https://nakedsecurity.sophos.com/2019/10/28/tiktok-says-no-senators-were-not-under-chinas-thumb/

New BBC ‘dark web’ Tor mirror site aims to beat censorship

By John E Dunn

A mirror copy of the BBC’s international news website is now available to users on the so-called dark web.

The site is the result of a collaboration between the BBC and Alec Muffett who in 2017 launched something called the Enterprise Onion Toolkit (EOTK) to make it easier to create dark web mirror sites. Muffett tweeted:

I should probably admit: this has been a 2 year project, though it could only have been brought to fruition with the partner/involvement of both @OpenTechFund & the BBC.

As well as English, versions for the BBC’s Arabic, Persian and Russian services will also be available.

The Corporation isn’t the first news organization to do this with EOTK – Facebook and The New York Times mirrored their sites in 2014 and 2017 – but it’s still a big advert for what remains a largely mysterious part of the internet.

But what is the ‘dark web’ and why might the BBC and others want to mirror themselves on it when you can already access the standard site using Tor?

Not so dark

The dark web gets its name the fact users must access it unconventionally using a browser designed to connect via dedicated privacy-preserving routing networks, principally Tor. Because of its private nature, it has a reputation for hiding shady websites (child abuse imagery, drugs, weapons, etc.).

While it’s true that the dark web is used for criminality, it could just as easily be used to preserve privacy and anonymity for positive reasons too.

Read more at https://nakedsecurity.sophos.com/2019/10/28/new-bbc-dark-web-tor-mirror-site-aims-to-beat-censorship/

Crypto Capital boss arrested over money laundering

By Lisa Vaas

Polish police have arrested the president of cryptocurrency exchange Crypto Capital on charges of money laundering.

According to reports from the Polish news outlets W Polityce and RMF24, Ivan Manuel Molina Lee was arrested in Greece in March 2019 and extradited to Warsaw on Thursday.

Molina Lee was wanted in Poland for allegedly laundering up to 1.5 billion zloty – about US $390m or £303m – that came from “illegal sources.” Specifically, prosecutors believe he’s a member of a Colombian cartel who laundered drug money through Crypto Capital.

They also believe that the cryptocurrency exchange Bitfinex has similarly laundered illegal proceeds through a Polish bank. Prosecutors say that Crypto Capital held accounts in Bank Spóldzielczy in the town of Skierniewice.

Both Bitfinex and Crypto Capital are already tangled in legal trouble. In April, New York Attorney General Letitia James accused Bitfinex and the cryptocurrency Tether – which calls itself a stablecoin – of an $850m fraud. That’s how much she says Bitfinex transferred to Crypto Capital, all without a written contract, and all of which Crypto Capital has refused to remit.

The extradition of Molina Lee to Poland comes within days of Bitfinex having filed a request to subpoena an ex-banking exec as it tries to get back that money.

Read more at https://nakedsecurity.sophos.com/2019/10/28/crypto-capital-boss-arrested-over-money-laundering/