San Francisco police use driverless cars for surveillance

Plus: Tech giants commit $30m to open-source security, miscreants breach DEA portal, and US signs cybercrime treaty


In brief San Francisco police have been using driverless cars for surveillance to assist in law enforcement investigations.

According to an SFPD training document obtained by Motherboard [PDF]: "Autonomous vehicles are recording their surroundings continuously and have the potential to help with investigative leads."

It indicates that police officers will receive additional information about how to access this evidence, and added: "Investigations have already done this several times."

The document, obtained via a public records request, specifically names Alphabet's Waymo and General Motors' Cruise, both of which obtained permits in August 2021 to offer rides to passengers in their self-driving vehicles. 

However, nine autonomous vehicle companies are testing driverless tech in California alone, according to the California Public Utilities Commission, which could spell more trouble for privacy advocates.

A Waymo spokesperson told the site that it doesn't collect data "to identify individuals" and that it "requires law enforcement agencies who seek information and data from Waymo to follow valid legal processes in making such requests (e.g. secure and present a valid warrant, etc). Our policy is to challenge, limit or reject requests that do not have a valid legal basis or are overly broad." 

Cruise, for its part, told the publication: "We work closely with law enforcement on our common goal of making our roads safer. We share footage and other information when we are served with a valid warrant or subpoena, and we may voluntarily share information if public safety is at risk."

Big tech commits $30m+ for open-source security

A handful of tech giants have pledged more than $30 million to implement a plan to improve open-source and software supply chain security.

The multimillion-dollar pledge follows a meeting at the White House this week, led by the National Security Council, that brought together public and private-sector experts to discuss ways to improve the security of open-source software. This included execs from 37 private companies and government officials from the NSC, CISA, NIST, the Office of the National Cyber Director, the Department of Energy and the Office of Management and Budget.

This was the second such meeting since President Joe Biden issued an Executive Order on Improving the Nation's Cybersecurity. 

Following the Thursday meeting, the Linux Foundation and its Open Source Software Security Foundation (OpenSSF) released a plan that outlines about $150 million of needed funding over two years to help solve 10 open-source security problems. 

Five OpenSSF member organizations — Amazon, Ericsson, Google, Intel, Microsoft, and VMware — collectively pledged an initial $30 million-plus towards implementation of the plan with Amazon committing to $10 million of that. 

"We believe this investment will help improve the security of open source software," wrote Mark Ryland, director of the Office of the CISO for AWS, in a blog. "In addition, we will continue and increase our existing commitments of direct engineering contributions to critical open source projects."

In addition to the funding, Google announced its "Open Source Maintenance Crew." This dedicated staff of Google engineers will work with upstream maintainers to improve the security of open-source projects. 

Miscreants reportedly breach DEA portal

The US Drug Enforcement Administration (DEA) is reportedly investigating a breach that gave attackers unauthorized access to an agency portal that connects to 16 different federal law enforcement databases. 

The breach, reported by infosec journalist Brian Krebs, is allegedly linked to a cybercrime group that impersonates cops and government officials to steal the personal data of their targets.

Krebs says he received a tip that the criminals had somehow obtained credentials for an authorized user of the Law Enforcement Inquiry and Alerts (LEIA) system, which is managed by the DEA.

LEIA "provides federated search capabilities for both EPIC and external database repositories," including data that's classified as "law enforcement sensitive" and "mission sensitive," according to the Justice Department.

Krebs says he shared the information he received about the stolen username and password with the DEA, the FBI, and the Justice Department. 

The DEA issued this statement in response: "DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent."

The agency did not respond to The Register's request for additional comment.

Where have all the printer vulns gone?

A critical sandbox breakout vulnerability that affected "hundreds of thousands" of Konica Minolta bizhub MFP printers could be exploited with physical access to give a miscreant full read and write access to the printer's OS.

Don't worry, it has since been patched. SEC Consult Vulnerability Lab identified the software nasty at the end of 2019, and Konica Minolta promptly fixed the bug in early 2020. 

However, because of the sheer number of affected devices, along with the need to apply firmware updates manually, the process took a long time — and don't forget this was during the COVID-19 pandemic lockdowns, which prohibited service techies from going onsite to make the fixes.

But now that the printers appear to be in the clear, SEC Consult Vulnerability Lab has published an analysis of the vulnerabilities and patches along with an example of the attack — so we all can learn from not-too-distant history.

A technical security advisory has been published that lists affected models and fixed firmware versions. 

The interesting thing about this exploit, according to the security researchers, is that it's not due to a vuln in the networking features and protocols exposed by the printer, its software and drivers, or web apps running on the printer.

Instead, it was due to flaws in the printer's terminal. SEC Consult identified three vulnerabilities: 

  • Sandbox escape on the physical printer touch screen terminal (CVE-2022-29586)
  • Terminal UI/Chromium running as root (CVE-2022-29587)
  • Passwords stored in clear text on the file system (CVE-2022-29588)

After opening certain applications and settings via the terminal, the researchers noticed changes in the look and feel of the user interface. They then determined that this was due to a context change, "meaning that the applications running are not solely based on the proprietary application only."

Some application parts were running an ordinary Chromium browser in kiosk mode, which the researchers noted can be escaped easily.

"This allows an attacker to get full access to the underlying printer's operating and file system, including configuration files, passwords in clear text, proprietary scripts and many more," they wrote. "Access to all those files was easily possible as chrome was running as root."

US signs cybercrime law enforcement treaty

The US government this week signed an international treaty that aims to help signatory nations fight cybercrime by sharing electronic evidence. 

The so-called Second Additional Protocol to the Budapest Convention cybercrime treaty is designed to help law enforcement authorities obtain access to electronic evidence stored in different jurisdictions.

It does this via direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies.

The original Budapest Convention on Cybercrime agreement was put into effect by the Council of Europe in 2004. To date, it has 66 signatories, and Russia is notably absent from the list.

However, the Kremlin has long been lobbying for a new treaty to replace the Budapest Convention, and in March a United Nations committee began hearings on a Russia-backed proposal. The alternate cybercrime treaty has been heavily criticized by the US, the European Union, and other Western countries. ®

Biting the hand that feeds IT © 1998–2022