Hackers accessed documents related to authorized COVID-19 vaccines – CNET


The breach happened to the European Medicines Agency, which regulates vaccines including Pfizer and BioNTech's COVID-19 treatment.

FireEye hack: Cybersecurity firm says nation-state stole attacking tools – CNET


FireEye said the attack likely came from a nation-state.


Major cybersecurity firm FireEye has been hit by a cyberattack, with hackers stealing the company's attack test tools in a targeted heist, FireEye said in a blog post Tuesday. CEO Kevin Mandia said the hack most likely came from a nation-state attacker. 

The hack hit one of the largest cybersecurity companies in the US. FireEye has investigated prominent cyberattacks including the Equifax breach and the Democratic National Committee hack. The hackers stole FireEye's "Red Team" tools, a collection of malware and exploits used to test customers' vulnerabilities. Mandia said none of the tools was a zero-day exploit (a vulnerability that doesn't have a fix). 

"Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities," Mandia said in his post. "This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye."

The firm said it's working with the FBI to determine how it was hacked, as well as with partners like Microsoft.

"The FBI is investigating the incident, and preliminary indications show an actor with a high level of sophistication consistent with a nation-state," said the FBI Cyber Division's assistant director, Matt Gorham.

Microsoft confirmed that it was assisting with the investigation and noted that the hackers used a rare combination of techniques to steal FireEye's tools. 

"This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques," Microsoft said in a statement. "We commend FireEye for their disclosure and collaboration, so that we can all be better prepared."

Mandia said FireEye hasn't seen any evidence that its stolen tools have been used, but the company will continue to monitor for any activity. FireEye has also released countermeasures for its own attacking tools on GitHub.

In a Securities and Exchange Commission filing, FireEye noted that the attacker's methods were highly sophisticated, using techniques that would cover tracks and make any forensics investigations difficult. The combination of techniques hadn't been seen before by the company, Mandia said. 

Cybersecurity companies aren't immune to hacks just because it's their job to defend against them. Firms like Symantec, Kaspersky and Trend Micro have all suffered attacks in the past. 

In 2017, a group of hackers stole cyberattack tools from the US National Security Agency, which allowed for rampant hacks like the WannaCry ransomware campaign.

FireEye said it hasn't seen any evidence that the hackers stole data from the company or took any information about its customers.

"This news about FireEye is especially concerning because reportedly a nation-state actor made off with advanced tools that could help them mount future attacks," Rep. Adam Schiff, chairman of the House Select committee on Intelligence, said. "We have asked the relevant intelligence agencies to brief the Committee in the coming days about this attack, any vulnerabilities that may arise from it, and actions to mitigate the impacts."  

Sen. Mark Warner, a Democrat from Virginia and co-chair of the Senate Cybersecurity Caucus, commended FireEye for disclosing the attack, and urged other potential victims to do the same. 

"We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers," Warner said. "As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely."


Huawei tested facial recognition that ID’d Uighur Muslims, set off alarm: report – CNET


Huawei reportedly tested a "Uighur Alarm" feature on its network of cameras, with Megvii's facial recognition technology.


The Chinese tech giant Huawei and artificial intelligence company Megvii developed and tested facial recognition software that triggered alerts whenever the technology detected Uighur Muslims, according to an internal document obtained by researcher IPVM and provided to The Washington Post.

The document dates back to January 2018, when Huawei tested Megvii's Face++ facial recognition on its network of cameras and gave a passing grade to its ability to recognize people's age, gender and ethnicity. The test report also highlighted a passing grade for a "Uyghur Alarm" -- an alert designed specifically to identify members of the oppressed minority population in China. 

The Chinese government has used surveillance technology including facial recognition in a myriad of ways to oppress Uighur Muslims. The government's actions against Uighur Muslims include what's been described by US lawmakers as "the largest mass incarceration of a minority population in the world today," with an estimated 1 million people detained by the Chinese government. 

Chinese tech companies are helping with this: facial recognition, surveillance cameras and voice recognition are all being used to track and identify Uighur Muslims in the country. In Oct. 2019, the US Commerce Department blacklisted eight Chinese companies for contributing to human rights abuses against the minority population.  

While you might recognize Huawei as the second-largest phone maker in the world, the company is also China's biggest tech company and supplies surveillance cameras both across the country and internationally.  

Megvii is among the eight blacklisted Chinese companies, and one of the largest facial recognition providers in the world. Its technology is used across China in connection with daily activities like getting on trains and entering offices.

The document detailing Huawei and Megvii's tests was labeled as confidential, but IPVM discovered it publicly available on Huawei's European website. It's since been removed, after the Post reported on the discovery. 

"This report is simply a test and it has not seen real-world application. Huawei only supplies general-purpose products for this kind of testing. We do not provide custom algorithms or applications," Huawei said in a statement.

The Chinese tech giant didn't explain why it would need to test a technology designed to target an oppressed minority group. 

Megvii didn't respond to a request for comment but told IPVM that its technology is "not designed or customized to target or label ethnic groups," despite the test with Huawei involving just that. 

Huawei and Megvii aren't the only Chinese tech companies that've offered facial recognition capabilities to identify and track Uighur Muslims. Hikvision, the world's largest surveillance camera provider, also marketed its abilities to identify the population, according to a Nov. 2019 report by IPVM. 

The Chinese government has also used malware and phone hacking to target Uighur Muslims. In March, a group of 17 US senators called out China for using facial recognition technologies as "instruments of state power." 

Facial recognition tech raises privacy concerns because of its ability to track and identify people on a mass scale. Police in the US have used it to track and identify protesters, despite the United Nations' human rights chief calling for a moratorium against the practice.  


Homeland Security overseer to examine agency’s use of phone location data – CNET


In its surveillance program, the Department of Homeland Security has been using phone location data bought from advertisers.


Your phone can tell a lot about you: where you've been, where your home and workplace are, and where your favorite places are. Federal agents are taking advantage of location data siphoned from advertisers through seemingly innocuous apps that you download for weather updates or cheap gas prices, and now a government watchdog is investigating the surveillance program. 

In a letter dated Nov. 25, the Department of Homeland Security's inspector general, Joseph Cuffari, said his office would audit US Customs and Border Protection's use of commercial databases to track people by way of their phone locations. CBP is a branch of Homeland Security.

In a landmark case, the Supreme Court ruled in 2018 that law enforcement agents must get a warrant to track people via their phone location, but agencies have been circumventing the requirement by simply buying the data from businesses that maintain commercial databases. 

"The objective of our audit is to determine if the Department of Homeland Security (DHS) and its components have developed, updated, and adhered to policies related to cell-phone surveillance devices," Cuffari said in the letter.



Apps request your permission for them to collect location data from your device so they can offer desired services -- such as when a weather app needs to know where you are so it can tell you if it's going to rain in your area.

But once the apps collect the data, they can also pass it on to data brokers, who provide it to advertisers for targeted commercials. Unless you're resetting your app permissions or your device advertising ID every day, the tracking can provide a long history of your whereabouts. 

The Wall Street Journal, which first reported the DHS' internal investigation on Wednesday, revealed in February that Customs and Border Protection was using phone location data for immigration enforcement. The data came from a company called Venntel, which collected information on millions of devices by way of gaming and weather apps.

In November, Motherboard also reported that the US military bought location data collected from apps like Muslim Pro, which requires location data because it tells users which direction to face in order to pray toward Mecca. 

The DHS' investigation comes after requests from a group of Senate Democrats in October, noting that the agency spent half a million dollars to access location data from Venntel.

"CBP is not above the law and refused to answer questions about purchasing people's mobile location history without a warrant  -- including from shady data brokers like Venntel," Sen. Elizabeth Warren, a Democrat from Massachusetts, said in a statement. "I'm glad that the Inspector General agreed to our request to investigate this potentially unconstitutional abuse of power by the CBP because we must protect the public's Fourth amendment rights to be free from warrantless searches."

Agencies like the Internal Revenue Service have also used Venntel to track people. The IRS is also opening its own investigation on how it uses people's location data without a warrant. 

Venntel didn't respond to a request for comment. 

Also on Wednesday, the American Civil Liberties Union announced it was suing the DHS to turn over all records related to the agency's purchase and use of phone location data. 

"If federal agencies are tracking American citizens without warrants, the public deserves answers and accountability," Sen. Ron Wyden, a Democrat from Oregon, said. "I won't accept anything less than a thorough and swift inspector general investigation that sheds light on CBP's phone location data surveillance program."


Trump fires top cybersecurity official for debunking election fraud claims – CNET


Chris Krebs was fired by Donald Trump over disputing Trump's election fraud claims.


President Donald Trump has fired the director of the Cybersecurity and Infrastructure Security Agency, after the agency spent weeks debunking election fraud claims on its "Rumor Control" page. Chris Krebs led the agency as its first director after Trump nominated him for the role in February 2018. 

During that time, CISA had been responsible for coordinating election security among officials in all 50 states, focusing on improvements at the local and county level. That's included measures like installing sensors in election county networks to detect potential cyberattacks and hosting virtual rooms to share information about threats. 

The election security effort also meant fighting disinformation and debunking rumors that would often mirror the Trump administration's comments. CISA launched its Rumor Control page on Oct. 20 as part of its ongoing effort to debunk election fraud claims, which it continues to update well after the election was called for President-elect Joe Biden. 

"Chris Krebs should be commended for his service in protecting our elections, not fired for telling the truth," the Biden campaign team said in a statement. "Bipartisan election officials in the administration itself -- and around the country -- have made clear that Donald Trump's claims of widespread voter fraud are categorically false and Trump's embarrassing refusal to accept that reality lays bare how baseless and desperate his flailing is." 

Trump hasn't accepted the results of the election and continues to claim that the results were due to fraud, throwing out various theories like votes being cast by dead people and the voting tally being hacked.   

The president announced Krebs' firing in a tweet on Tuesday.

On Twitter, Krebs responded to the news and wrote, "Honored to serve. We did it right." 

CISA didn't respond to a request for comment. Jack Cable, a security researcher and an election security technical advisor at CISA, said on Twitter that it was an honor to work under Krebs.

"Election security is not political," Cable said. "Director Krebs should be commended for his nonpartisan approach to protecting democracy and ensuring a secure 2020 election." 

The Rumor Control page has been directly contradicting many of Trump's claims, and while Krebs hasn't directly challenged the president's remarks, he has debunked the election fraud hoaxes that the president supports.  

White House officials had asked for edits to the Rumor Control page, and CISA refused to do so, Reuters reported on Nov. 12. The White House was specifically frustrated by the debunk of the "Hammer and Scorecard" conspiracy theory, which claimed Democrats were using a supercomputer and software to steal the election.

Krebs' termination leaves a void at the US's agency responsible for election security, which many officials credit for a smooth Election Day free from cyberattacks.

The firing has led lawmakers to speak out against Trump's decision, praising Krebs' work on election security and CISA's refusal to change its Rumor Control page.

House Speaker Nancy Pelosi called Krebs a "deeply respected cybersecurity expert" and said Trump's actions undermine US democracy.

"Director Krebs is a deeply respected cybersecurity expert who worked diligently to safeguard our elections, support state and local election officials and dispel dangerous misinformation," Pelosi said. "Yet, instead of rewarding this patriotic service, the president has fired Director Krebs for speaking truth to power and rejecting Trump's constant campaign of election falsehoods."

The House Homeland Security committee's chairs also said Trump's firing of Krebs "makes America less safe." 

"Chris Krebs has done a great job protecting our elections," Sen. Mark Warner, a ranking member on the Senate Intelligence committee, said in a tweet on Nov. 12. "He is one of the few people in this administration respected by everyone on both sides of the aisle. There is no possible justification to remove him from office." 

He followed up on Tuesday after Trump's announcement, raising concerns about destabilizing the US government during a presidential transition period. 

"Chris Krebs is an extraordinary public servant and exactly the person Americans want protecting the security of our elections,"  Warner said in a statement on Tuesday. "It speaks volumes that the president chose to fire him simply for telling the truth."

On Monday, Sen. Ron Wyden, a Democrat from Oregon, criticized Trump for his remarks about election infrastructure security, pointing out that the president didn't pay attention to the issue until after he lost.

After Trump announced Krebs' firing, House Intelligence Committee Chairman Adam Schiff commended the CISA director's role in election security, noting that the agency provided vital support to state and local election officials. 

"Instead of rewarding this great service, President Trump is retaliating against Director Krebs and other officials who did their duty. It's pathetic, but sadly predictable that upholding and protecting our democratic processes would be cause for firing," Schiff said in a statement. 

The agency also coordinated with social networks like Facebook, Twitter and YouTube on election misinformation leading up to the election. Nathaniel Gleicher, Facebook's head of cybersecurity policy, thanked Krebs for his work after Trump announced the termination. 

"It has been an honor to work with you and your team -- you're the best in the business, and we are all in your debt," Gleicher said in a tweet.


Why Trump’s claims of massive voting machine fraud don’t have merit – CNET


Trump has falsely pointed at vulnerabilities disclosed about voting machines as a sign of a rigged election.  

This story is part of Elections 2020, CNET's coverage of the voting in November and its aftermath.

For years, the security researchers behind Defcon's Voting Machine Hacking Village have been trying to get lawmakers' attention on vulnerabilities with outdated election infrastructure. Hackers regularly showed how easy it was to change ballots with full access to voting machines, with warnings that these security vulnerabilities could shake the confidence of elections if there are no paper backups. 

Three years after it kicked off at the hacking conference in Las Vegas, the group finally got the attention of the highest office in the US. It only took losing the 2020 election by an estimated 5 million votes for President Donald Trump to get there. 

On Nov. 14, Trump tweeted an NBC News segment from the hacking village in 2019 without any context -- only showing the parts where hackers were able to break into voting machines from Dominion Voting Systems. 

On Monday, he followed up and wrote, "Dominion is running our Election. Rigged!"  

Trump's claims come from a series of false conspiracy theories about the voting machines switching votes to advantage President-elect Joe Biden, part of a broader push by Trump to undermine confidence in the election system and its results. They come after the Cybersecurity and Infrastructure Security Agency, the National Association of Secretaries of State, the National Association of State Election Directors and members of the Election Infrastructure Sector Coordinating Council filed a joint statement calling 2020's election the "most secure in American history." 

"When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary," the joint statement said. "There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised." 

Several election officials have debunked the Dominion claims, including Michigan's secretary of state, Jocelyn Benson, who released a statement noting that though one county's machines had flaws because of human mistakes, the problem was quickly fixed and wouldn't have affected the election's outcome.

Dominion Voting Systems has also rebuked Trump's claims, with a Setting the Record Straight page pointing out that the votes its machines tallied are completely auditable. 

"No credible reports or evidence of any software issues exist," Dominion Voting Systems said in its statement. "Human errors related to reporting tabulated results have arisen in a few counties, including some using Dominion equipment, but appropriate procedural actions were made by the county to address these errors prior to the canvass process." 

On Monday, a group of 59 election security experts signed a letter saying they've found no credible evidence of computer fraud with the 2020 election's outcome, calling claims of a "rigged" election "simply speculation." 

The researchers, including Defcon Voting Hacking Village co-founders Harri Hursti, Matt Blaze and Maggie MacAlpine, point out that the existence of vulnerabilities doesn't mean an attack happened or altered the election's outcome. 

"In every case of which we are aware, these claims either have been unsubstantiated or are technically incoherent," the letter said. "To our collective knowledge, no credible evidence has been put forth that supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise."

Paper trails 

The election officials are confident in the security and results of the election because of paper audits of the votes. Though votes could be digitally altered if a hacker had full access to the machines, the paper ballots themselves would be much more difficult to change.

The Voting Machine Hacking Village at Defcon has helped point out the many flaws with trusting technology completely, and its organizers have called on Congress for years to pass legislation that would improve this paper trail.

Trump had never tweeted about Dominion's voting machines or the flaws with voting technology until after he lost the election. Lawmakers gave Trump plenty of opportunities to improve election security during his presidency.

In 2018, Sen. Ron Wyden, a Democrat from Oregon who's also on the Senate intelligence committee, proposed an election security bill that would require paper ballots. It had been blocked by Senate Majority Leader Mitch McConnell, who later supported a $250 million election security funding bill that didn't mandate paper ballots.

"Donald Trump is grasping for any possible excuse to avoid admitting he lost the election," Wyden said. "If Trump really cared about securing our elections, he would have embraced paper ballots and voting by mail, instead of spending months lying to the American people about them. I wrote, and the House passed, the toughest election security bill ever produced, which Mitch McConnell killed when it reached the Senate, and Trump didn't lift a finger to save it."

When Defcon first started looking at election infrastructure, in 2017, election officials and voting machine makers weren't quick to embrace the approach. Voting machine manufacturers historically closed off access to their hardware, preventing security researchers from being able to test it for flaws. 

The National Association of Secretaries of State also criticized how the village operated, noting that the researchers have unlimited access to voting machines, unlike during an actual election where poll workers would be watching for tampering and paper audits would detect abnormalities. 

But the village gave important insight involving switching to paper ballots. Virginia's election officials changed the state's systems to paper ballots in 2017 after hackers from Defcon demonstrated flaws with machines used in the state. 

The village has also led the voting machine manufacturers to change their attitudes toward security researchers. Dominion Voting Systems established its own vulnerability disclosure policy in 2019, allowing, for the first time, security researchers to tamper with its machines and report flaws. 

At the Black Hat hacker conference in August, Election Systems & Software, the largest maker of voting machines in the US, also announced its own vulnerability disclosure policy.

In October, Iowa's election officials launched the state's own vulnerability disclosure policy through Bugcrowd, a bug bounty platform that lets hackers get paid for finding security flaws. Casey Ellis, Bugcrowd's founder, said these programs served as "neighborhood watch for voting technology" and created transparency with election technology issues.

The same way that an unlocked door doesn't mean you've been robbed, vulnerabilities in software don't mean votes have been hacked. The point of the vulnerability disclosure programs is so companies can fix these issues, and use secure measures such as paper audits. 

"Election security experts are in an excellent position to explain that there is a very big difference between a vulnerability in an individual system, and vulnerabilities being covertly exploited at scale in order to rig an election," Ellis said. "It's easy for the public to see footage of voting machines being torn apart and draw equivalency with the integrity of the election itself. This isn't the case, and we're the ones who are in the most objective position to explain this."


Election Day was hack free, but cybersecurity officials are still bracing for attacks – CNET


Election Day 2020 was free from cyberattacks, according to the US government. Concerns now focus on what comes next.


Misconfigured voting machines. An unexpected swell of voter turnout. Too much hand sanitizer. These are among the reasons that voters in states like Georgia, Ohio and Iowa experienced delays on Election Day. But rest assured, cyberattacks weren't among the problems, US officials declared Tuesday night. 

While the results of the US presidential election remain unclear, officials from the Cybersecurity and Infrastructure Security Agency and the National Security Agency had a more definitive outcome across all 50 states: Cyberattacks didn't affect Americans on their last day to vote. 

Hackers from Russia, Iran and China made multiple attempts in the months leading up to the election, including a last-minute voter intimidation email campaign from Iran. But officials from CISA and the NSA found that the cyberattack efforts on Election Day 2020 were much quieter compared with 2016 and 2018. 

"What we've seen today is just another Tuesday on the internet," a senior CISA official said on Election Day. "For the most part today, it's been a little boring. And honestly, that's a good thing."

Throughout the day, cybersecurity officials remained on guard for attacks. They cautiously noted at several press briefings that there was still plenty of time for a hack to hit. Indeed, officials are still wary of disinformation campaigns or attacks on social media designed to undermine the credibility of the system even as the votes continue to be counted. 

"We will remain vigilant for any attempts by foreign actors to target or disrupt the ongoing vote counting and final certification of results. The American people are the last line of defense against foreign influence efforts and we encourage continued patience in the coming days and weeks," CISA Director Chris Krebs said in a statement on Wednesday.



Election security has been a major concern since Russian cyberattacks interfered with the US presidential race in 2016. Hackers stole voter registration data in two Florida counties and accessed Democratic National Committee's emails, but they weren't able to affect the vote count. 

Still, as security researchers demonstrated how easy it is to hack voting machines and because the 2016 election showed a jarring vulnerability to democracy, the Department of Homeland Security established CISA in 2018, with a focus on securing election infrastructure.

That's meant building relationships with election officials across all 50 states over the last few years. Compared with almost no communications in 2016, nearly 500 election officials on Tuesday were connected through CISA, sharing insights on any hacking attempts or technical issues affecting voters. 

"We've had four years to get ready for this one. I think the state and local officials deserve a lot of credit for improving their systems," CISA officials said Tuesday. 

Midnight shift 

While it remained quiet on Election Day, protecting the presidential race from foreign influence could become more difficult in the days after polls close. 

Both CISA and the FBI have already warned about disinformation campaigns following Election Day, which could come through hacks on election results websites or as propaganda on social media. 

"The attack surface is shifting from the actual voting process itself into the counting, canvassing, auditing and through the certification over the next several days and weeks," a senior CISA official said. 

The day after Election Day, NSA Director Paul Nakasone said the agency would be continuing to watch for hacking attempts while votes are being counted. 

Millions of mail-in ballots still need to be counted in several states, and the uncertainty around the results leaves a window of opportunity to sow doubt in the outcome. While CISA is able to monitor cybersecurity through sensors and reports from local election officials, containing disinformation is a different matter. 

Along with election officials, CISA is working with social networks like Facebook, Twitter and Google that have their own policies for handling disinformation. The agency also established its own "Rumor Control" page to dispel false election information. 

Krebs asked American voters for patience with voting machines at the start of Election Day. By the end of it, the agency echoed the call, this time about posting on social media. 

"Be skeptical, and don't share things that aren't verified," a senior CISA official said at the agency's last press briefing on Tuesday night. "That's kind of the landscape as we see it over the next several days, and even in the next week."

Technical difficulties

The concern for the coming days comes after a quiet Election Day from a cybersecurity front, where most of the problems stemmed from technology malfunctions across the US.

Voters in Spalding County, Georgia, and Franklin County, Ohio, were among the first to report issues from electronic pollbooks, causing hours of delay for voters on Tuesday morning. 

Franklin County's technology malfunctioned because an unexpected rise in voter turnout created too much data to upload, while Spalding County's outage happened because of an unapproved, last-minute update that caused a glitch, according to Politico.

But not all voting machine flaws came from software glitches. At a polling site in Des Moines, Iowa, ballot counts were briefly delayed after hand sanitizer from voters left residue on the ballots and jammed a tabulator, according to Kevin Hall, the communications director for Iowa's Secretary of State. 

These delays didn't impact the overall vote tally, and the counties also had paper backup plans in place. The constant communication with CISA among election officials helped the agencies quickly identify if issues were coming from unexpected errors or a malicious cyberattack. 

"Technology is used to increase access and improve accuracy of the voting process, but also technology is not a single point of failure and there are resilience measures in place that you can switch over to," a senior CISA official said Tuesday. "We're seeing early indications of resilience of voting in action." 

At the start of Election Day, Krebs said that such issues happen every election and urged Americans to be patient and resist jumping to the conclusion that their vote was hacked. 

By day's end, the agency was confident that voters had heeded Krebs' warning, pointing at the high voter turnout as evidence of trust in election security. 

Even though the glitches happen every election, they can still be fuel for disinformation campaigns, as Russian propaganda efforts used a video of a malfunctioning machine to claim that the 2016 election was rigged. Now election officials are looking to lower the number of technical issues with voting machines to help extinguish future disinformation efforts. 

"There will be a lessons-learned process that every state's going to go through," a CISA official said. "We here at CISA and working with the Election Assistance Commission and state partners will continue to go through some of the things that we're seeing out there, and there'll be plenty of feedback."


Police are using facial recognition for minor crimes because they can – CNET

Cities all across the US have passed bans on facial recognition, with variations in how strong the regulations are. Though Portland, Oregon, banned facial recognition from all government and commercial use, others are only limiting it from police use.

Some cities, like Detroit, have enacted lighter measures, such as allowing facial recognition to be used only when investigating violent crimes, while police in New York have been able to use the technology for crimes like shoplifting. 

On Oct. 9, a New York judge decided in a package-theft case that facial recognition identification could be submitted as evidence in the trial, but he noted that lawmakers should set limits on how the technology could be used. 

The judge cited concerns about free speech, noting that facial recognition could be used to identify and track protesters -- which both the NYPD and the Miami police did in August. 

Those sorts of issues, and the intrusiveness of facial recognition generally, have prompted widespread calls for regulation, but there's debate among technology companies, lawmakers and civil rights groups on where to draw the line.

The US has no federal regulations on facial recognition, leaving thousands of police departments to determine their own limits. Advocates say that's a concern for civil liberties. While some members of Congress propose an indefinite nationwide ban on police use, other bills suggest it could still be allowed with a warrant, or they prevent only businesses from using it.

Police often frame facial recognition as a necessary tool to solve the most heinous crimes, like terrorist attacks and violent assaults, but researchers have found that the technology is more frequently used for low-level offenses.

In a recent court filing, the NYPD noted that it's turned to facial recognition in more than 22,000 cases in the last three years. 

"Even though the NYPD claims facial recognition is only used for serious crimes, the numbers tell a different story," said Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project. "As facial recognition continues to grow, it's being routinely deployed for everything from shoplifting to graffiti." 

Asked for comment, an NYPD spokeswoman pointed to a 2019 opinion article by police commissioner James O'Neill titled "How Facial Recognition Makes You Safer." In the piece, O'Neill talked about how facial recognition had been used to make arrests in murder, robbery and rape cases, but he didn't disclose how often it was used for low-level crimes. 

The department's facial recognition policy, established in March, allows the technology to be used for any crime, no matter the severity. Without any limits, police have more frequently used the technology for petty thefts than for dangerous crimes, privacy advocates say.

Before Amazon put a moratorium on police use of its Rekognition face-identifying software, the program was used in a $12 shoplifting case in Oregon in 2018. Those cases aren't highlighted in Amazon's marketing material, which plays up how the technology is used to find leads on the victims of human trafficking.

At The Wall Street Journal's Tech Live virtual conference on Oct. 20, Hoan Ton-That, CEO of facial recognition startup Clearview AI, said it isn't the company's responsibility to make sure its technology is being properly used by its thousands of police partners. 

Though the company has its own guidelines, Ton-That said Clearview AI wouldn't be enforcing them, saying that "it's not our job to set the policy as a tech company."

Facial recognition without limits 

Before Detroit established its facial recognition policy, the technology led to the wrongful arrests of at least two Black men in the city -- both falsely accused of being involved in theft cases. 

Robert Williams was arrested in January and accused of stealing about $3,800 worth of watches after Detroit's facial recognition falsely matched surveillance footage to his driver's license photo. In May 2019, the same facial recognition program wrongly identified Michael Oliver in a larceny case. 

Facial recognition is known to have a record of racial bias, with researchers finding that the artificial intelligence frequently misidentifies people of color and women. 

When it's able to be used without limits by police departments, the technology increases the chances of mistakes and threatens privacy, said Andrew Guthrie Ferguson, author of The Rise of Big Data Policing and a law professor at the University of the District of Columbia. 

"Facial recognition should never be used for misdemeanor or low-level felony cases," Ferguson said. "Technology that can destroy privacy in public should be used sparingly and under strict controls."

Without any limits, police can use facial recognition however they please, and in many cases, arrested suspects don't even know that the flawed technology was used. 

Williams didn't know that Detroit police used facial recognition to find him, until an investigator mentioned the detail during their conversation. Attorneys representing protesters in Miami didn't know that police used facial recognition in their arrests, according to an NBC Miami report. Police used facial recognition software in a $50 drug dealing case in Florida in 2016 but made no mention of it in the arrest report.

In a paper published in October 2019, Ferguson recommended limiting facial recognition to serious felonies, similar to how police restrict the use of wiretapping. He said it's dangerous to assume police should be allowed to use technology as they wish, saying it could damage people's privacy in the long run. 

"That assumption is based on valuing the cost of crime higher than the cost to privacy, security and a growing imbalance of police power," Ferguson said. "Prosecuting low-level crimes at the expense of creating an extensive surveillance system may not be the balance society needs." 

A full ban 

Limits would be a welcome start, but privacy advocates argue they're not enough. 

Activists in Detroit are still working to get facial recognition banned in the city after the City Council voted to renew its contract in September. The police department's limits on reserving facial recognition for violent crimes came only after months of protests, said Tawana Petty, director of the Data Justice Program for the Detroit Community Technology Project. 

Because of the technology's track record for mistakes, she said, any use of it, even under the strictest regulations, leaves the potential for false arrests.

In a City Council meeting in June, Detroit's police chief, James Craig, said the facial recognition software misidentified people 96% of the time without human intervention. By Oct. 12, the police had used facial recognition on Black people about 97% of the time, according to the department's weekly report.

"My stance is that there is potential to lock people up for violent crimes they didn't commit," Petty said. "The technology is a dangerous assault on the civil liberties and privacy rights we all deserve to have protected."


How tech platforms are preparing for a potential October hack-and-leak – CNET


Social networks say they have policies to prevent hack and leak operations from breaking out in October.

This story is part of Elections 2020, CNET's coverage of the run-up to voting in November.

With less than a month before Election Day, cybersecurity officials and social networks are on the lookout for a disinformation tactic that throws politics into chaos at the last minute: hack-and-leak operations. 

The tactic was used four years ago on Oct. 7, 2016, when Russian hackers released stolen emails from Democratic nominee Hillary Clinton's campaign chair, John Podesta, and amplified them on WikiLeaks.

The Russian hackers had stolen thousands of Podesta's emails in a phishing attack conducted six months earlier. But they waited until October to dump the contents, leading to conspiracy theories that were behind the rise of the QAnon conspiracy theory.

US officials have warned about a flurry of online disinformation and hacking efforts, while Facebook continues to take down networks linked to political interference by foreign countries. No significant hack-and-leak operations that could affect the 2020 US presidential election have been reported. Still, there's plenty of time for a late October surprise.

Hackers from Russia, China and other countries are constantly trying to break into political campaigns. They have an explicit goal: meddling in the US presidential election. 

Campaigns and election officials have ramped up security measures to prevent hacks. Social networks have policies against disinformation campaigns and falsehoods and believe they're better prepared today than they were four years ago. 

Nathaniel Gleicher, Facebook's cybersecurity policy chief, says the social network can now better recognize the signs of a disinformation campaign. It's been actively cutting them out before they can grow an audience. In September, for example, Facebook took down fake accounts tied to Russia's Internet Research Agency, the organization that tried to meddle in the 2016 election.

"We have not seen the networks we removed in September engage in hack-and-leaks, but they are linked to actors who engaged in hack-and-leak operations in the past, and we know law enforcement agencies have been vocal publicly about being ready," Gleicher said at a press briefing on Thursday. "We anticipate that operations like what we saw last month could attempt to pivot at any time."

Social networks also have a better understanding of how these leaked posts go viral. It often starts with a vulnerability that tech platforms can't control: newsrooms. 

Plugging the leak

Hackers can steal sensitive documents, but they won't have much political influence if there's no way to spread the information. To do that, hackers rely on social media and tricking journalists into giving the hacked material enough oxygen to catch fire. 

The Mueller report and an investigation by the US Senate Select Committee on Intelligence detailed how Russian hackers succeeded by using a multitude of fake personas to hide their intent. 

It's unlikely the American public would trust stolen emails published by Russian hackers. But the hackers can launder the material if they pose as a news outlet or influence reporters to cover the documents. 

In June 2016, Russian operatives launched "DCLeaks," an online persona that posed as American hacktivists who had obtained documents from the Democratic National Committee and wanted to "tell the truth" about decision-making in the U.S.

The DCLeaks website received more than 1 million page views before it was shut down in March 2017, according to the Senate committee's investigation. 


Russia's hack-and-leak campaign used a fake persona called DCLeaks, pretending to be American activists.

Senate Select Committee on Intelligence

The outreach to journalists took place on Twitter and Facebook under a DCLeaks account falsely registered under a US IP address.

Russian operatives also created a fake "Guccifer 2.0" persona, named after a Romanian hacker who stole documents and information from the Bush family. This fake persona released thousands of documents obtained by Russian hackers and relied heavily on Twitter to contact journalists and the Trump campaign to do this.

Journalists were eager to publish the material and didn't question the source, according to the Senate committee's investigation. 

In one exchange on Twitter between a Florida politics blogger and Guccifer 2.0, the reporter wrote: "Holy fuck man I don't think you realize what you gave me. I'm still going through that stuff and I find buried deep the turnout model for the Democrats' entire presidential campaign. This is probably worth millions of dollars. I'm going to post it tomorrow."

Four years later, tricking American journalists into posting disinformation through social media is still a popular tactic for Russian operatives.

Facebook's September takedown showed the Russians are shaking up the script. The affected accounts posed as news editors who tricked freelance reporters into writing news articles for a propaganda site about US politics. 

A Forbes report found that these reporters were recruited through Twitter messages, similar to the way DCLeaks and Guccifer 2.0 worked.

Without a legitimate news source to process the hacked material, leaks often fizzle out, researchers found. The 2017 hack-and-leak campaign against the French presidential election happened right before polls opened, but the material never spread after the electoral commission ordered media not to publish its content.   

Newsrooms like The Washington Post have established policies against covering hacked material.

"When you look at the spread of operations, there are different factors that make or break the viral success of these leaks," said Camille Francois, chief innovation officer of the network analysis company Graphika. "The ability for the media to amplify really makes a campaign. If you are able to hit the right notes at the right time, you can have a successful dissemination very quickly." 

She noted that in campaigns where disinformation actors tried to spread the leaks on social networks alone, they often quickly fizzled out before gaining traction. 

Hack prevention

Another reason why hack-and-leak campaigns have been harder to prevent this election cycle is that campaigns have gotten better at preventing cyberattacks in the first place. Initiatives like Google's Advanced Protection program and Microsoft's Defending Democracy program are securing accounts for politicians, while Twitter and Facebook also ramped up security measures for prominent figures. 

There haven't been any successful breaches against campaigns, and intelligence officials said they haven't seen any successful attacks against election infrastructure, but the extra security measures haven't stopped hackers from trying. 

The attempted hacks never stopped. The Russian hacking group behind the DNC leaks in 2016 has targeted staff tied to Democratic nominee Joe Biden's campaign, while hackers from China and Iran are also attempting to breach their networks.

Even when there aren't successful hacks, disinformation campaigns have forged documents in faked leaks. In 2019, trade talks between the US and the UK "leaked" right before the general election. 

Researchers found that a Russian disinformation group forged thousands of documents when hackers couldn't steal any legitimate information. It helped that the forgeries were so low quality that most people could tell they were fake before sharing them on social media.

"You see different actors competing against the same targets, but they are equipped differently, and not everybody has the abilities to go and grab the hacked material," Francois said.  

'A whole-of-society effort'

Even with the increased security measures and experience with hacked materials from newsrooms, election security officials and tech companies are still vigilant about hack-and-leak operations.

Gleicher said Facebook frequently works with law enforcement agencies to investigate disinformation campaigns. A source familiar with the partnership said that law enforcement agencies often monitor for cyberattacks and warn Facebook about potential material that could be used as part of a hack-and-leak campaign.  

"The information that we get from law enforcement are based on assets that these actors may be using that are not on our platforms but are on others," Gleicher said. "We have a pretty long history of getting information from law enforcement agencies that we can use to launch our own investigations." 

It's meant finding and shutting down disinformation campaigns when they only have a couple of hundred followers instead of when they have hundreds of thousands, as the Russians did in 2016. 

Russia's hack-and-leak campaign in October 2016 gave rise to the QAnon conspiracy group that Facebook recently banned. There haven't been any significant campaigns since, but everyone needs to play their cards perfectly to keep it that way, experts say. 

"It has to be a whole-of-society effort," Francois said. "You see Facebook revisiting the infrastructure that was used in 2016 and making sure there's no accounts that are still surviving. Google is doing great work protecting people's emails. That actually really matters in this hack-and-leak scenario." 


Facebook removed hundreds of fake accounts tied to right-wing groups – CNET


The accounts posed as real people in support of the Trump administration. 

If you saw a comment on an article about mail-in voting in a swing state, there's a chance it came from one of the 200 fake accounts Facebook removed in October. On Thursday, the social network released its monthly coordinated inauthentic behavior report, including a takedown on a US campaign in favor of the Trump administration. 

The disinformation campaign came from Rally Forge, a US marketing firm working on behalf of the conservative group Turning Point USA, Nathaniel Gleicher, Facebook's head of cybersecurity policy, said. 

Rally Forge created 200 fake Facebook accounts, 76 Instagram accounts and 55 pages on Facebook starting in 2018, and posted comments on political topics posing as real people while using stock photos, Gleicher said. 

Topics included the 2020 presidential election, COVID-19 and praise of President Trump. They also posted comments in support of trophy hunting in Kenya. In one example comment, a fake persona attacked the integrity of mail-in voting -- echoing disinformation campaigns from foreign actors.

"Mail-in ballots are such a horrible idea. A dangerous amount of ballots will be lost or won't arrive in time. The smartest thing to do is to vote in person," the fake personality said in a Facebook comment on an article about mail-in voting in Iowa. 

Rally Forge didn't respond to a request for comment.

"Turning Point Action works hard to operate within social platforms' [Terms of Services] on all of its projects and communications and we hope to work closely with [Facebook] to rectify any misunderstanding," Turning Point USA said in a statement. 

Rally Forge has since been banned from Facebook, but Turning Point USA is still active on the social network. 


A comment from a fake personality claiming mail-in voting will lead to fraud.


Their pages had about 373,000 followers on Facebook and 22,000 followers on Instagram, and spent about $973,000 on ads before the takedown. 

Gleicher said that many of these accounts had already been automatically removed by Facebook's detection system, but would pop back up with slight variations of the names.

Other takedowns noted in Facebook's report on Thursday include campaigns in Myanmar where the nation's military incited a genocide on the social network, and in Azerbaijan, where the ruling political party used fake accounts to harass its opposition. 
