Social media monitoring used to be the elephant in the room when it came to the continuous vetting of employees working for the federal government. Security Executive Agent Directive 5 was signed in May 2016, paving the way for cyber vetting of cleared professionals. The policy came as the government was looking to advance its efforts to prevent insider threats following the 2013 “year of the insider,” when Aaron Alexis killed 12 people in a mass shooting at the Washington Navy Yard, and Edward Snowden conducted a massive data breach, revealing thousands of highly classified government documents.
Addressing insider threats became paramount, and the government considered how its security vetting process could help identify red flags before they became security risks. Enter SEAD 5 and cyber vetting: another tool in the government’s insider threat arsenal.
The policy was just that – a policy, not a procedure. In the years since, many security clearance applicants have been left wondering what – if anything – the government is considering in an online search of security clearance applicants. SEAD 5 created a framework for federal agencies to use as they implemented their own social media monitoring programs. And in many agencies the policy still hasn’t extended beyond pilots and possibilities.
“There is one time, one case, where we found it as a part of the adjudicative process where security officials on their own motion issued a denial of a clearance on the basis of social media monitoring,” said Sean Bigley, a security clearance attorney with the law firm Bigley Ranish.
That’s not to say social media couldn’t come up in the course of a background investigation, but in cases thus far, the social media aspect has generally been surfaced by human means versus mass monitoring – social posts get reported, and then disseminated to leadership, for instance.
What Could the Government Consider as a Part of the Cyber Vetting Process?
As those enrolled in the government’s continuous vetting program (which is 100% of all security clearance holders today) know – you shouldn’t expect a postcard from the government notifying you that you’ve been enrolled. With the same possibility around social media monitoring (while the government may not be widely doing it, individual agencies are, and more could in the future), what should security clearance holders be aware of?
First, it’s worth noting that the government’s definition of social media is broad – the cyber vetting possibilities may not be endless, but as the government considers the topic the term “publicly available information” is a better way to consider the websites that may be looked at, including:
* Social networks (Facebook, LinkedIn)
* Microblogging websites (Twitter)
* Blogging and Forums (WordPress, Tumbler)
* Picture and Video Sharing (Flickr and YouTube)
* Music Sharing (Spotify)
* Online Commerce Websites (eBay)
* Dating websites (Match.com)
* Geosocial network websites (TripAdvisor)
* News and media websites where people can comment
Security clearance holders should know that comments made publicly can be used against them in the security clearance process. The best step to take to ensure information doesn’t come back to bite is to keep your accounts locked down and private. The policy is clear that clearance holders will not be asked to share information like passwords. If you keep your accounts appropriately protected, you help keep your personal identity – and clearance eligibility – safe.
“The takeaway that I have from a legal perspective for that is to make yourself private,” advises Bigley. “That’s not to say everyone who makes their account private is trying to hide something, but if you don’t want the government prying on certain aspects of your private life — I think that is understandable for most of us.”
Justice has been hijacked by a handful of elite republican big money corrupt a-holes.
We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.
Miles Taylor ~ “In a monumental irony, both Julian Assange… and Edward Snowden… stand charged with the very same crimes that are likely to be brought against Mr. Trump. On both Mr. Assange and Mr. Snowden, Mr. Trump argued that they should be executed.”
What’s Life Like for the Content Moderator? How untenable is our current social media system “If the torture of its workers is an intrinsic part of the system, then it’s Facebook that has to die (or TikTok or YouTube—kill ’em all).
Broadcast Networks Pass On Carrying Joe Biden’s Primetime Speech — Update: ABC ran Press Your Luck, CBS went with a Young Sheldon rerun and NBC with a Law & Order replay. CNN and MSNBC carried the address, as did news division streaming channels, but Fox News stuck with Tucker Carlson and his critique of the speech as it was happening.
“And this is why the media is such a failed state. The president is supposed to be political. It’s the job.”
“Democracy cannot survive when one side believes there are only two outcomes to an election — either they win, or they were cheated,” Biden said. “Either they win, or they were cheated, and that’s where the MAGA Republicans are today.”
Cops wanted to keep mass surveillance app secret; privacy advocates refused “Tracked,” that investigates the power and consequences of decisions driven by algorithms on people’s everyday lives. Tech tool offers police ‘mass surveillance on a budget’ “U.S. police departments have used the “Fog Reveal” database to follow people’s movements based on hundreds of billions of records from 250 million devices. The data originates from common apps such as Starbucks and Waze, @AP’s reporting shows. Federal, state and local police agencies around the U.S. continue to use Fog with very little public accountability EFF RELEASE FOG MANUAL
“U.S. police departments have used the “Fog Reveal” database to follow people’s movements based on hundreds of billions of records from 250 million devices. The data originates from common apps such as Starbucks and Waze, @AP’s reporting shows.
Encrypted app Signal just hired one of Big Tech’s sharpest critics. Meredith Whittaker, the former Google manager, is Signal’s first president. She is out to convince users to pay for the free app. Signal hypothetical use case becomes practical since cellular providers have started censoring private text messages. Re Signal:
If only Signal wasn’t actually recording all our contacts permanently in their servers (under their mandatory PIN requirement), then Signal might be a useful tool for encrypted messaging. But somebody apparently got to them to undermine their users’ privacy.
Normally this would not be a problem with free software — users could just rip out the offending code. But Signal’s interpretation is that the license doesn’t allow you to rip out the spyware part of the code, while still using their back-end servers to let your improved version talk to any other Signal users.
Georgia election server wiped after suit filed
A computer server crucial to a lawsuit against Georgia election officials was quietly wiped clean by its custodians just after the suit was filed, T
This new offensive is tentatively slated to begin with the launch of iOS 15—almost certainly in mid-September—with the devices of its US user-base designated as the initial targets. We’re told that other countries will be spared, but not for long.
You might have noticed that I haven’t mentioned which problem it is that Apple is purporting to solve. Why? Because it doesn’t matter.
Having read thousands upon thousands of remarks on this growing scandal, it has become clear to me that many understand it doesn’t matter, but few if any have been willing to actually say it. Speaking candidly, if that’s still allowed, that’s the way it always goes when someone of institutional significance launches a campaign to defend an indefensible intrusion into our private spaces. They make a mad dash to the supposed high ground, from which they speak in low, solemn tones about their moral mission before fervently invoking the dread spectre of the Four Horsemen of the Infopocalypse, warning that only a dubious amulet—or suspicious software update—can save us from the most threatening members of our species. <snip>
Existing internet protocols leak sensitive data that can be used without users knowledge — Nym is developing the infrastructure to prevent this data leakage by protecting every packet’s metadata at the network and application layers.
Run Nym Nodes
Early 90’s Philip Agre reviewed my site, giving it a thumbs up and encouraged my work. This was published on the Educational CyberPlayGround, Inc. http://www.edu-cyberpg.com
#T-Mobile, #Apple, #Blackberry are disgusting surveillance tools
Engadget: T-Mobile confirms data breach affects over 47 million people.
As part of its ongoing data breach investigation, T-Mobile has confirmed the enormity of the stolen information. Roughly 47.8 million current and former or prospective customers have been affected by the cyberattack on its systems, the carrier confirmed on Wednesday. Of that number, about 7.8 million are current T-Mobile postpaid accounts and the rest are prior or potential users who had applied for credit, the company added in a press release. https://www.engadget.com/t-mobile-data-breach-affected-people-103104868.html
Researchers fooled AI into ignoring stop signs using a cheap projector. “A trio of researchers at Purdue today published pre-print research demonstrating a novel adversarial attack against computer vision systems that can make an AI see – or not see – whatever the attacker wants. https://thenextweb.com/news/researchers-tricked-ai-ignoring-stop-signs-using-cheap-projector
Apple stunned the tech industry on Thursday by announcing that the next version of iOS and macOS will contain a neural network to scan photos for sex abuse. Each photo will get an encrypted ‘safety voucher’ saying whether or not it’s suspect, and if more than about ten suspect photos are backed up to iCloud, then a clever cryptographic scheme will unlock the keys used to encrypt them. Apple staff or contractors can then look at the suspect photos and report them.
Apple is now scanning your phone before anything gets to their server. It does not matter if you put it in the Icloud they also do this without internet using meshnet.
iPhone Neural Hash – SHOCKING AI Tech
We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous
Our research project <https://www.usenix.org/conference/usenixsecurity21/presentation/kulshrestha> began two years ago, as an experimental system to identify CSAM in end-to-end-encrypted online services. As security researchers, we know the value of end-to-end encryption, which protects data from third-party access. But we’re also horrified that CSAM is proliferating on encrypted platforms. And we worry online services are reluctant to use encryption without additional tools to combat CSAM.
We sought to explore a possible middle ground, where online services could identify harmful content while otherwise preserving end-to-end encryption. The concept was straightforward: If someone shared material that matched a database of known harmful content, the service would be alerted. If a person shared innocent content, the service would learn nothing. People couldn’t read the database or learn whether content matched, since that information could reveal law enforcement methods and help criminals evade detection.
Our system could be easily repurposed for surveillance and censorship. The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.
We spotted other shortcomings. The content-matching process could have false positives, and malicious users could game the system to subject innocent users to scrutiny.
We were so disturbed that we took a step we hadn’t seen before in computer science literature: We warned against our own system design, urging further research on how to mitigate the serious downsides. We’d planned to discuss paths forward at an academic conference this month.
“It’s something we believe is too dangerous to do,” Apple explained <https://www.apple.com/customer-letter/answers/>. “The only way to guarantee that such a powerful tool isn’t abused … is to never create it.” That worry is just as applicable to Apple’s new system.
Apple has also dodged on the problems of false positives and malicious gaming, sharing few details about how its content matching works.
Apple could implement stronger technical protections, providing public proof that its content-matching database originated with child-safety groups. We’ve already designed a protocol <https://twitter.com/jonathanmayer/status/1426540534517182464> it could deploy. Our conclusion, though, is that many downside risks probably don’t have technical solutions.
Apple is making a bet that it can limit its system to certain content in certain countries, despite immense government pressures. We hope it succeeds in both protecting children and affirming incentives for broader adoption of encryption. But make no mistake that Apple is gambling with security, privacy and free speech worldwide.
Apple settled its federal lawsuit Tuesday against Corellium, the maker of tools that allow security researchers to find software flaws in iPhones, according to court records.
BlackBerry resisted announcing major flaw in software powering cars, hospital equipment
BlackBerry resisted announcing major flaw in software powering cars, hospital equipment
The former smartphone maker turned software firm resisted announcing a major vulnerability until after federal officials stepped in.
By BETSY WOODRUFF SWAN and ERIC GELLER
08/17/2021 02:42 PM EDT
A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months.
On Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May.
Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software.
The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.
BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station. BadAlloc could give hackers a backdoor into many of these devices, allowing bad actors to commandeer them or disrupt their operations.
Microsoft security researchers announced in April that they’d discovered the vulnerability and found it in a number of companies’ operating systems and software. In May, many of those companies worked with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to publicly reveal the flaws and urge users to patch their devices.
BlackBerry wasn’t among them.
Privately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.
Then BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.
Technology companies sometimes prefer private vulnerability disclosures because doing so doesn’t tip off hackers that patching is underway — but also because it limits (or at least delays) any resulting public backlash and financial losses.
But that outreach would only cover a fraction of the affected companies, because BlackBerry also told CISA that it couldn’t identify everyone using its software in order to warn them.
That’s because BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers, just as Microsoft sells its Windows operating system to HP, Dell and other computer makers. BlackBerry told the government it doesn’t know where its software ends up, and the people using it don’t know where it came from. Its known customers are a comparatively small group.
“Their initial thought was that they were going to do a private advisory,” said a CISA employee. Over time, though, BlackBerry “realized that there was more benefit to being public.”
The agency produced a PowerPoint presentation, which POLITICO reviewed, stressing that many BlackBerry customers wouldn’t know about the danger unless the federal government or the original equipment manufacturers told them. CISA even cited potential risks to national security and noted that the Defense Department had been involved in finding an acceptable timing for BlackBerry’s announcement.
CISA argued that BlackBerry’s planned approach would leave out many users who could be in real danger. A few weeks ago, BlackBerry agreed to issue a public announcement. On Tuesday, the company published an alert about the vulnerability and urged customers to upgrade their devices to the latest QNX version. CISA issued its own alert as well.
In a statement to POLITICO, BlackBerry did not deny that it initially resisted a public announcement. The company said it maintains “lists of our customers and have actively communicated to those customers regarding this issue.”
“Software patching communications occur directly to our customers,” the company said. “However, we will make adjustments to this process in order to best serve our customers.”
QNX “is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly-sensitive systems,” Eric Goldstein, the head of CISA’s cyber division, said. “While we are not aware of any active exploitation, we encourage users of QNX to review the advisory BlackBerry put out today and implement mitigation measures, including patching systems as quickly as possible.”
Goldstein declined to address CISA’s conversations with BlackBerry but said the agency “works regularly with companies and researchers to disclose vulnerabilities in a timely and responsible manner so that users can take steps to protect their systems.”
Asked about whether the company originally believed QNX was unaffected, Blackberry said its initial investigation into affected software “identified several versions that were affected, but that list of impacted software was incomplete.”
BlackBerry is hardly the first company to disclose a bug in widely used industrial software, and cybersecurity experts say such flaws are to be expected occasionally in highly complex systems. But resolving the QNX problem will be a major task for BlackBerry and the government.
In a June announcement about QNX’s integration into 195 million vehicles, BlackBerry called the operating system “key to the future of the automotive industry” because it provides “a safe, reliable, and secure foundation” for autonomous vehicles. BlackBerry bragged that QNX was the embedded software of choice of 23 of the top 25 electric vehicle makers.
The QNX vulnerability also has the Biden administration scrambling to prevent major fallout. Vulnerabilities in this code could have significant ripple effects across industries — from automotive to health care — that rely heavily on the software. In some cases, upgrading this software will require taking affected devices offline, which could jeopardize business operations.
“By compromising one critical system, [hackers] can potentially hit thousands of actors down that line globally,” said William Loomis, an assistant director at the Atlantic Council’s Cyber Statecraft Initiative. “This is a really clear example of a good return on investment for those actors, which is what makes these attacks so valuable for them.”
After analyzing the industries where QNX was most prevalent, CISA worked with those industries’ regulators to understand the “major players” and warn them to patch the vulnerability, the agency employee said.
Goldstein confirmed that CISA “coordinated with federal agencies overseeing the highest risk sectors to understand the significance of this vulnerability and the importance of remediating it.”
CISA also planned to brief foreign governments about the risks, according to the PowerPoint presentation.
BlackBerry is far from unique in knowing little about what happens to its products after it sells them to its customers, but for industrial software like QNX, that supply-chain blindness can create national security risks.
“Software supply chain security is one of America’s greatest vulnerabilities,” said Andy Keiser, a former top House Intelligence Committee staffer. “As one of the most connected societies on the planet, we remain one of the most vulnerable.”
But rather than expecting vendors to identify all of their customers, security experts say, companies should publish lists of the types of the code included in their software, so customers can check to see if they’re using code that has been found to be vulnerable.
“BlackBerry cannot possibly fully understand the impact of a vulnerability in all cases,” said David Wheeler, a George Mason University computer science professor and director of open source supply chain security at the Linux Foundation, the group that supports the development of the Linux operating system. “We need to focus on helping people understand the software components within their systems, and help them update in a more timely way.”
For years, the Commerce Department’s National Telecommunications and Information Administration has been convening industry representatives to develop the foundation for this kind of digital ingredient list, known as a “software bill of materials.” In July, NTIA published guidance on the minimum elements needed for an SBOM, following a directive from President Joe Biden’s cybersecurity executive order.
Armed with an SBOM, a car maker or medical device manufacturer that learned of a software issue such as the QNX breach could quickly check to see if any of its products were affected.
SBOMs wouldn’t prevent hackers from discovering and exploiting vulnerabilities, and the lists alone cannot tell companies whether a particular flaw actually poses a risk to their particular systems. But these ingredient labels can dramatically speed up the process of patching flaws, especially for companies that have no idea what software undergirds their products.
“Buying software is only the start of the transaction. It is not the end,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.
“It’s not a new problem,” Herr added. “It’s not a problem that’s going away, and what we are doing right now is insufficient for the scale of that problem.”
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.AcceptRejectRead More
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.