Nifty warns of phishing emails impersonating the company

3 days 17 hours ago
headless writes: Nifty has issued a warning about phishing emails impersonating the company (Nifty announcement). Phishing emails impersonating Nifty mainly prompt recipients about their email usage status or urge them to change their payment method, and range from ones with obviously unnatural wording to ones that copy genuine Nifty emails. As a way to tell genuine ones apart, the announcement explains that if the Nifty mark appears at the beginning of the sender name in webmail, the message is genuine. However, since these phishing emails pass through Nifty's systems before reaching users, I wonder whether a bit more could be done before warning users. For example, an email whose sender name is "Nifty ○○" but which was sent from an email address on another provider's domain is not sorted into the spam folder and is delivered to the inbox as a matter of course. Personally, as a Nifty user, I forward my mail to Gmail and Outlook, and I never see such messages in the inboxes at the forwarding destinations. Do you srad readers use your provider's email? How are your providers' anti-phishing measures?


nagazou
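The check the post wishes the provider would perform, namely flagging a From: header whose display name claims the brand while the address sits on some other domain, as an added example that is not part of the original post and not any Nifty system. The brand keyword list and the allowlist of sending domains are assumptions for this example, and the sample headers are constructed.

```python
import base64
from email.header import decode_header, make_header
from email.utils import parseaddr

# Keywords that mark a display name as claiming to be the brand.
# Assumed for this example; a provider would maintain its own list.
BRAND_KEYWORDS = ("nifty", "ニフティ")

# Domains the brand legitimately sends from (subdomains included).
# Assumed allowlist for this example, not a statement about Nifty's real infrastructure.
BRAND_DOMAINS = ("nifty.com",)


def decode_display_name(raw_name):
    """Decode RFC 2047 encoded-words so the brand check sees the real text."""
    return str(make_header(decode_header(raw_name)))


def sender_domain(address):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def is_brand_domain(domain):
    """True when the domain is an allowlisted brand domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def classify_from_header(from_value):
    """
    Classify a raw From: header value:
      'no_brand_claim'      - display name does not mention the brand
      'brand_domain_match'  - brand in display name, address on an allowlisted domain
      'brand_name_mismatch' - brand in display name, address on some other domain
    """
    raw_name, address = parseaddr(from_value)
    name = decode_display_name(raw_name).casefold()
    if not any(keyword.casefold() in name for keyword in BRAND_KEYWORDS):
        return "no_brand_claim"
    if is_brand_domain(sender_domain(address)):
        return "brand_domain_match"
    return "brand_name_mismatch"


def scan(from_headers):
    """Map each From: value to its verdict; a mail filter would act on the mismatches."""
    return {header: classify_from_header(header) for header in from_headers}


# Constructed sample headers, not taken from any real message.
ENCODED_BRAND_NAME = (
    "=?UTF-8?B?" + base64.b64encode("ニフティ".encode("utf-8")).decode("ascii") + "?="
)
SAMPLE_FROM_HEADERS = [
    '"Nifty Info" <info@nifty.com>',                      # brand name, brand domain
    '"Nifty サポート" <support@mail.example.net>',        # brand name, foreign domain
    ENCODED_BRAND_NAME + " <billing@example.org>",        # brand name hidden in an encoded-word
    '"Nifty Billing" <billing@nifty.com.example.net>',    # lookalike domain
    '"Alice" <alice@example.com>',                        # no brand claim
]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:20s} {header}")
```

This is a display-name heuristic only: it catches the "Nifty ○○ from another provider's domain" pattern the post describes, including names hidden behind RFC 2047 encoding, but it says nothing about whether the address itself is forged. In a real filter it complements SPF, DKIM and DMARC alignment checks rather than replacing them.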

The Intelligence Committees’ Proposals for a 702 Reauthorization Bill are Beyond Bad

3 days 18 hours ago

Both congressional intelligence committees have now released proposals for reauthorizing the government's Section 702 spying powers, largely as-is, and in the face of repeated abuse. 

The House Permanent Select Committee on Intelligence (HPSCI) in the U.S. House of Representatives released a Nov. 16 report calling for reauthorization, which includes an outline of the legislation to do so. According to the report, the bill would renew the mass surveillance authority Section 702 and, in the process, invokes a litany of old boogeymen to justify why the program should continue to collect U.S. persons’ communications when they talk with people abroad.

As a reminder, the program was intended to collect communications of people outside of the United States, but because we live in an increasingly globalized world, the government intercepts and retains a massive trove of communications between Americans and people overseas. Increasingly, it’s this U.S. side of digital conversations that domestic law enforcement agencies trawl through—all without a warrant.

Private communications are the cornerstone of a free society.

It’s an old tactic. People in the intelligence community chafe against any proposals that would cut back on their “collect it all” mentality. This leads them to make a habit of finding the most current threat to public safety in order to scare the public out of pushing for much needed reforms, with terrorism serving as the most consistent justification for mass surveillance. In this document, HPSCI mentions that Section 702 could be the key to fighting ISIS, Al-Qaeda, MS-13, and fentanyl trafficking. They hope that one, or all, of these threats will resonate with people enough to make them forget that the government has an obligation to honor the privacy of Americans’ communications and prevent them from being collected and hoarded by spy agencies and law enforcement.

The House Report

While we are still waiting for the official text, this House report proposes that Section 702 authorities be expanded to include “new provisions that make our nation more secure.” For example, the proposal may authorize the use of this unaccountable and out-of-control mass surveillance program as a new way of vetting asylum seekers by, presumably, sifting through their digital communications. According to a newly released Foreign Intelligence Surveillance Court (FISC) opinion, the government has sought some version of this authority for years, was repeatedly rejected, and received court approval for the first time this year. Because the court opinion is so heavily redacted, it is impossible to know the current scope of immigration- and visa-related querying, or what broader proposal the intelligence agencies originally sought. It’s possible the forthcoming proposal seeks to undo even the modest limitations that the FISC imposes on the government.

This new authority might give immigration services the ability to audit entire communication histories before deciding whether an immigrant can enter the country. This is a particularly problematic situation that could cost someone entrance to the United States based on, for instance, their own or a friend’s political opinions—as happened to a Palestinian Harvard student when his social media account was reviewed when coming to the U.S. to start his semester.

The House report’s bill outline also includes a call “to define Electronic Communication Service Provider to include equipment.” A 2023 Foreign Intelligence Surveillance Court of Review opinion refused the intelligence community’s request for a novel interpretation of whether an entity was “an electronic communication service provider,” but that opinion is so heavily redacted that we don’t know what was so controversial. This crucial definition determines who may be compelled to turn over users’ personal information to the government, so changes would likely have far-reaching impacts.

The Senate Bill

Not wanting to be outdone, this week the Senate Select Committee on Intelligence proposed a bill that would renew the surveillance power for 12 years—until 2035. Congress has previously insisted on sunsets of post-9/11 surveillance authorities every four to six years. These sunsets drive oversight and public discussion, forcing transparency that might not otherwise exist. And over the last two decades, periodic reauthorizations represent the only times that any statutory limitations have been put on FISA and similar authorities. Despite the veil of secrecy around Section 702, intelligence agencies are reliably caught breaking the law every couple of years, so a 12-year extension is simply a non-starter.

The SSCI bill also fails to include a warrant requirement for US person queries of 702 data—something that has been endorsed by dozens of nonprofit organizations and independent oversight bodies like the Privacy and Civil Liberties Oversight Board. Something that everyone outside of the intelligence community considers common sense should be table stakes for any legislation.

Private communications are the cornerstone of a free society. That’s why EFF and a coalition of other civil rights, civil liberties, and racial justice organizations have been fighting to seriously reform Section 702 or otherwise let it expire when it sunsets at the end of 2023. One hopeful alternative has emerged: the Government Surveillance Reform Act, a bill that would make some much needed changes to Section 702 and which has earned our endorsement. Unlike either of these proposals, the GSRA would require court approval of government queries for Americans’ communications in Section 702 databases, would allow Americans who have suffered injuries from Section 702 surveillance to use the evidentiary provisions FISA sets forth, and would strengthen the government’s duties to provide notice when using data resulting from Section 702 surveillance in criminal prosecutions. These protections must serve as priorities for Congress as it considers reauthorizing Section 702.

Matthew Guariglia

The Government Shouldn’t Prosecute People With Unreliable “Black Box” Technology

3 days 21 hours ago

On Tuesday, EFF urged the Massachusetts Supreme Judicial Court, the highest court in that state, to affirm that a witness who has no knowledge of the proprietary algorithm used in black box technology is not qualified to testify to its reliability. We filed this amicus brief in Commonwealth v. Arrington together with the American Civil Liberties Union, the American Civil Liberties Union of Massachusetts, the National Association of Criminal Defense Lawyers, and the Massachusetts Association of Criminal Defense Lawyers. 

At issue is the iPhone’s “frequent location history” (FLH), a location estimate generated by Apple’s proprietary algorithm that has never been used in Massachusetts courts before. Generally, for information generated by a new technology to be used as evidence in a case, there must be a finding that the technology is sufficiently reliable.  

In this case, the government presented a witness who had only looked at 23 mobile devices, and there was no indication that any of them involved FLH. The witness also stated he had no idea how the FLH algorithm worked, and he had no access to Apple’s proprietary technology. The lower court correctly found that this witness was not qualified to testify on the reliability of FLH, and that the government had failed to demonstrate FLH had met the standard to be used as evidence against the defendant. 

The Massachusetts Supreme Judicial Court should affirm this ruling. Courts serve a “gatekeeper” function by determining the type of evidence that can appear before a jury at trial. Only evidence that is sufficiently reliable to be relevant should be admissible. If the government wants to present information that is derived from new technology, they need to prove that it’s reliable. When they can’t, courts shouldn’t let them use the output of black box tech to prosecute you. 

The use of these tools raises many concerns, including defendants’ constitutional rights to access the evidence against them, as well as the reliability of the underlying technology in the first place. As we’ve repeatedly pointed out before, many new technologies sought to be used by prosecutors have been plagued with serious flaws. These flaws can especially disadvantage members of marginalized communities. Robust standards for technology used in criminal cases are necessary, as they can result in decades of imprisonment—or even the death penalty. 

EFF continues to fight against governmental use of secret software and opaque technology in criminal cases. We hope that the Supreme Judicial Court will follow other jurisdictions in upholding requirements that favor disclosure and access to information regarding proprietary technology used in the criminal justice system.   

Hannah Zhao

Europol deletes NoBorder initiatives from terrorism report

3 days 22 hours ago

"The TE-SAT report demonstrates every year how the member states abuse the definition of terrorism and label activists a threat to national security," says Romain Lanneau of Statewatch about what he regards as the unprecedented instance of a deletion. The British civil rights organisation is among the sponsors of a campaign for access requests to Europol. People who suspect they are affected are asked to inquire at the police agency what data it holds about them and to report any "hits" back to the organisers."

Full story here.

Statewatch