July 6, 2020

Boston bans government use of facial recognition

By Lisa Vaas

It’s simple: Boston doesn’t want to use crappy technology.

Boston Police Department (BPD) Commissioner William Gross said last month that abysmal error rates – errors that mean it screws up most particularly with Asian, dark or female skin – make Boston’s recently enacted ban on facial recognition use by city government a no-brainer:

Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.

Thus did the city become the second-largest in the world, after San Francisco, to ban use of the infamously lousy, hard-baked racist/sexist technology. The city council voted unanimously on the bill on 24 Jun – here’s the full text, and here’s a video of the 3.5-hour meeting that preceded the vote – and Mayor Marty Walsh signed it into law last week.

The Boston Police Department (BPD) isn’t losing anything. It doesn’t even use the technology. Why? Because it doesn’t work. Make that it doesn’t work well. The “iffy” factor matters most particularly if you’re Native American, black, Asian or female, given high error rates with all but the mostly white males who created the algorithms it runs on.

According to a landmark federal study released by the National Institute of Standards and Technology in December 2019, Asian and black people are up to 100 times more likely to be misidentified than white men, depending on the particular algorithm and type of search. Commercial facial analysis systems vary widely in their accuracy, but overall, Native Americans had the highest false-positive rate of all ethnicities.

Read more at https://nakedsecurity.sophos.com/2020/07/06/boston-bans-government-use-of-facial-recognition/

Facebook hoaxes back in the spotlight – what to tell your friends

By Paul Ducklin

At the risk of giving you a feeling of déjà vu all over again…

…it’s time to talk about Facebook hoaxes once more.

Looking at the Naked Security articles that people have not only searched for but also read in large numbers over the past few days tells us that we’re in what you might call a “market uptick” for hoaxes at the moment.

The top two resurgent hoaxes in the past week have been the Instant bank fraud “warning” and the How to post to more than 25 friends “advice”.

Loosely speaking, most Facebook hoaxes – by which we really mean “posts that get shared virally despite being useless and inaccurate, yet that aren’t actually scams or phishing tricks” – take one of three forms:

  1. Warnings to watch out for something supposedly dangerous that isn’t going to happen, and wouldn’t be particularly dangerous even if it did.
  2. Instructions to copy a specific paragraph of bogus information exactly and repost it under your own name.
  3. Advice on how to check your cybersecurity settings that achieves nothing except giving you a false sense of security.

Read more at https://nakedsecurity.sophos.com/2020/07/03/facebook-hoaxes-back-in-the-spotlight-what-to-tell-your-friends/

Google buys AR smart-glasses company North

By Lisa Vaas

Google announced on Tuesday that it’s purchased a smart-glasses company called North and, notwithstanding its failure to bring Google Glass wearables to the masses, still plans to caress our vision with the vast tentacles of its helpfulness.

From the announcement, which was posted by Rick Osterloh, Senior Vice President, Devices & Services:

From 10 blue links on a PC, to Maps on your mobile phone, to Google Nest Hub sharing a recipe in the kitchen, Google has always strived to be helpful to people in their daily lives. We’re building towards a future where helpfulness is all around you, where all your devices just work together and technology fades into the background. We call this ambient computing.

Credit where credit’s due – “ambient computing” sounds friendlier than, say, “pervasive privacy-threatening creepster surveillance spectacles.” Privacy concerns contributed to the sinking of Google Glass. In January 2016, after years of development, Google shuttered its Glass social media accounts.

A year prior, Google had ended its Explorer program and stopped selling Glass. But a few months after that, Google executive chairman Eric Schmidt said that the move wasn’t meant to imply that Google was sticking a fork in its internet-connected eyeglasses.

No, Schmidt said, Google Glass wasn’t dead. It was just being fine-tuned for the masses. Google then focused work on a Glass spinoff for the enterprise.

Details of the North purchase, including how much Google’s paying for the Canadian company, weren’t disclosed.

Read more at https://nakedsecurity.sophos.com/2020/07/03/google-buys-ar-smart-glasses-company-north/

MongoDB ransom threats step up from blackmail to full-on wiping

By Paul Ducklin

Have you left a cloud database exposed online?

According to Dutch security researcher Victor Gevers of the Dutch Institute for Vulnerability Disclosure, who’s been hunting down insecure databases for years, thousands of MongoDB users have done just that – or, to be more precise, many tens of thousands of databases have shown up where they shouldn’t.

And that’s just this year.

A significant proportion of exposed databases have been modified by hackers in recent months to include a blackmail demand database in broken English that says:

All your data is backed up. You must pay 0.015 BTC [currently about $135] to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server!

There’s a pseudo-anonymous email address that you can use to contact the extortionist, and a Bitcoin wallet for the money.

(We suspect that some victims will have exposed several different databases at the same time, given that a security blunder that’s easy to make once is just as easy to repeat.)

Note that when the extortion note says that “your data is backed up,” the crooks aren’t congratulating you on having a backup of your own.

What they mean is that, whether you have a backup or not, they have one, or so they say, and their leverage is that they’ll dump your data for the world to see, and tell the regulator, if you don’t cough up the money.

Read more at https://nakedsecurity.sophos.com/2020/07/02/mongodb-ransom-threats-step-up-from-blackmail-to-full-on-wiping/

133m records for sale as fruits of data breach spree keep raining down

By Lisa Vaas

A data breach broker has flooded a hacker forum with a whopping total of 132,957,579 user records.

Bleeping Computer is in touch with the data breach broker: a “known and reputable” broker who’s selling databases, all of which contain different data types but all of which include usernames and hashed passwords.

The companies whose databases are allegedly being peddled include game sites, food delivery services, soccer streaming, online fashion and loans. Out of the 14, only four are known to have been breached: Home Chef, Minted, Tokopedia and Zoosk.

Home Chef, a meal delivery service, confirmed a data breach two weeks after a hacker group named Shiny Hunters listed a database of 8 million customer records on a dark web marketplace. Shiny Hunters was the same group that claimed to be selling Zoosk’s records – along with nine other companies’ records, for a total of 73 million user records – in May.

For its part, Minted, a marketplace for independent artists, in late May confirmed that it had suffered a data breach earlier that month – confirmation that came after a hacker sold a database containing 5 million user records on a dark web marketplace. The name of the broker? Shiny Hunters.

Also in May, data breach monitoring and cybersecurity intelligence firm Under the Breach discovered that a hacker was offering the account information for 15 million users of Tokopedia – which is Indonesia’s largest online store – on a hacker forum for as little as USD $5,000. The broker? Shiny Hunters.

In sum: as Wired notes, during the first few weeks of May, the hacking group went on a data breach spree, hawking close to 200 million stolen records from over a dozen companies.

Bleeping Computer didn’t name the data breach broker it’s been in contact with, but it’s highly possible its initials turn out to be SH. The broker told the news outlet that the 14 databases they’re selling can be had for as little as $100, on up to $1,100.

Read more at https://nakedsecurity.sophos.com/2020/07/02/133m-records-for-sale-as-fruits-of-data-breach-spree-keep-raining-down/

