May 11, 2020

Clearview AI won’t sell vast faceprint collection to private companies

By Lisa Vaas

Clearview AI – the web-scraping, faceprint-amassing biometrics company that’s being sued over collecting biometrics without informed consent – says it’s no longer going to sell access to its program to a) private entities or b) any entity whatsoever that’s located in Illinois.

Clearview’s artificial intelligence (AI) program can identify someone by matching photos of unknown people to their online photos and the sites where they were posted. Clearview AI founder and CEO Hoan Ton-That has claimed that the results are 99.6% accurate.

The company’s change of heart was revealed in court documents submitted during the course of a class action suit against Clearview that was filed in Illinois in January. It’s just one of multiple suits: Clearview’s also up against similar lawsuits in Vermont, New York and California.

The Illinois suit charges the company with breaking the nation’s strictest biometrics privacy law – Illinois’s Biometric Information Privacy Act (BIPA) – by scraping some 3 billion faceprints from the web to sell to law enforcement and to what’s turned out to be a motley collection of private entities, including Macy’s, Walmart, Bank of America, Target, and Major League Baseball team The Chicago Cubs.

From a court declaration made by Clearview legal counsel Thomas Mulcaire and filed on Wednesday:

Clearview is in the process of cancelling the accounts of every remaining user who was not either a law enforcement body or other federal, state, or local government department, office or agency. At the same time, Clearview is in the process of cancelling all user accounts belonging to any entity located in Illinois.

The suit contends that Clearview violated BIPA by using biometric data for commercial purposes and is seeking a temporary injunction that would prevent the company from using the information of current and past Illinois residents for its facial recognition program.

Read more at https://nakedsecurity.sophos.com/2020/05/11/clearview-ai-wont-sell-vast-faceprint-collection-to-private-companies/

Microsoft opens IoT bug bounty program

By Danny Bradbury

Microsoft really wants to secure the Internet of Things (IoT), and it’s enlisting citizen hackers’ help to do it. The company has launched a $100,000 bug bounty for people who can break into Azure Sphere, its security system for IoT devices.

Microsoft first announced Sphere at the RSA conference in April 2018. It’s an IoT ecosystem encompassing both connected devices and the cloud service that controls them.

In August the following year, it launched the Azure Security Lab, which offers resources to ethical hackers and runs regular security research challenges. The latest, the Sphere Security Research Challenge, lets bug hunters talk directly to Microsoft’s technical team as they try to break into Sphere.

Read more at https://nakedsecurity.sophos.com/2020/05/11/microsoft-opens-iot-bug-bounty-program/

More crypto-stealing Chrome extensions swatted by Google

By Danny Bradbury

Malicious extensions for the Chrome browser continue to spring up just as quickly as the search giant cuts them down. This month, another batch appeared.

Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.

Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.

Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive, according to Denley, who said:

Yeah, they have been, for the majority. Actioned my reports within 24 hours.

New rules

Google has acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store. It said:

We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.

The rules forbid developers from publishing multiple extensions that do the same thing, and prohibit misleading metadata, including anonymous user testimonials in app descriptions. Developers can’t upload extensions that exist solely to launch another app or extension, and they shouldn’t send spam notifications, the company added.

Read more at https://nakedsecurity.sophos.com/2020/05/08/more-crypto-stealing-chrome-extensions-swatted-by-google/

Police nab InfinityBlack hackers

By Danny Bradbury

Five alleged members of hacking group InfinityBlack got some unexpected visitors last week when Polish law enforcement arrested them.

InfinityBlack was a hacking group that specialized in stealing and distributing sets of online credentials known as combos, especially for loyalty rewards points accounts. It would sell them to other gangs who would then exchange the points for products, said a Europol press release announcing the arrests.

The hackers ran the operation like a business, with different teams handling individual functions. The whole thing was fronted by an online service selling subscriptions to access stolen data. The development team created tools to test the quality of the stolen data, and a testing team analyzed its suitability for distribution, said Europol. A project management team handled the business end, distributing subscriptions for cryptocurrency payments and converting the data into digital cash.

Read more at https://nakedsecurity.sophos.com/2020/05/07/police-nab-infinityblack-hackers/

Air gap security beaten by turning PC capacitors into speakers

By John E Dunn

Researchers have poked another small hole in air gapped security by showing how the electronics inside computer power supply units (PSUs) can be turned into covert data transmission devices.

Normally, if a computer is physically isolated from other computers it is seen as being more secure because there is no channel for data to be transmitted in or out of the device.

Used for decades by the military, the concept is now often used to secure computers that handle sensitive tasks such as internal bank transfers, or to isolate software-controlled medical equipment such as MRI scanners.

However, the famous Stuxnet attack on Iran in 2010 showed how air gapping could be beaten using infected USB sticks, and since then researchers have been exploring more unusual methods to achieve the same end.

Read more at https://nakedsecurity.sophos.com/2020/05/06/air-gap-security-beaten-by-turning-pc-capacitors-into-speakers/
