Happy 14th Birthday, KrebsOnSecurity!

Read Time:3 Minute, 25 Second

KrebsOnSecurity celebrates its 14th year of existence today! I promised myself this post wouldn’t devolve into yet another Cybersecurity Year in Review. Nor do I wish to hold forth about whatever cyber horrors may await us in 2024. But I do want to thank you all for your continued readership, encouragement and support, without which I could not do what I do.

As of this birthday, I’ve officially been an independent investigative journalist for longer than I was a reporter for The Washington Post (1995-2009). Of course, not if you count the many years I worked as a paperboy schlepping The Washington Post to dozens of homes in Springfield, Va. (as a young teen, I inherited a largish paper route handed down from my elder siblings).

True story: At the time I was hired as a lowly copy aide by The Washington Post, all new hires — everyone from the mailroom and janitors on up to the executives — were invited to a formal dinner in the Executive Suite with the publisher Don Graham. On the evening of my new hires dinner, I was feeling underdressed, undershowered and out of place. After wolfing down some food, I tried to slink away to the elevator with another copy aide, but was pulled aside by the guy who hired me. “Hey Brian, not so fast! Come over and meet Don!”

I was 23 years old, and I had no clue what to say except to tell him that paper route story, and that I’d already been working for him for half my life. Mr. Graham laughed and told me that was the best thing he’d heard all day. Which of course made my week, and made me feel more at ease among the suits.

I remain grateful to WaPo for instilling many skills, such as how to distill technobabble into plain English for a general audience. And how to make people the focus of highly technical stories. Because people — and their eternal struggles — are imminently relatable, regardless of whether one has a full grasp of the technical details.

Words fail me when trying to describe how grateful I am that this whole independent reporter thing still works, financially and otherwise. I mostly just keep my head down researching stuff and sharing what I find, and somehow loads of people keep coming back to the site. As I like to say, I hope they let me keep doing this, because I’m certainly unqualified to do much else!

Another milestone of sorts: We’ve now amassed more than 52,000 subscribers to our email newsletter, which is a fancy term for a plain text email that goes out immediately whenever a new story is published here. Subscribing is free, we never share anyone’s email address, and we don’t send emails other than new story notifications (2-3 per week).

A friendly reminder that while you may see ads (or spaces where ads otherwise would be) at the top of this website, all two-dozen or so ad creatives we run are vetted by me and served in-house. Nor does this website host any third-party content. If you regularly browse the web with an ad blocker turned on, please consider adding an exception for KrebsOnSecurity.com. Our advertising partners are how we keep the lights on over here.

And in case you missed any of them, here are some of the most-read stories published by KrebsOnSecurity in 2023. Happy 2024 everyone!

Ten Years Later, New Clues in the Target Breach
It’s Still Easy for Anyone to Become You at Experian
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
Why is .US Being Used to Phish So Many of US?
Few Fortune 100 Firms List Security Pros in Their Executive Ranks
Who’s Behind the Domain Networks Snail Mail Scam?
Phishing Domains Tanked After Meta Sued Freenom
Many Public Salesforce Sites are Leaking Private Data
Hackers Claim They Breached T-Mobile More Than 100 Times in 2022
Identity Thieves Bypassed Experian Security to View Credit Reports

Read More

AI Is Scarily Good at Guessing the Location of Random Photos

Read Time:56 Second

Wow:

To test PIGEON’s performance, I gave it five personal photos from a trip I took across America years ago, none of which have been published online. Some photos were snapped in cities, but a few were taken in places nowhere near roads or other easily recognizable landmarks.

That didn’t seem to matter much.

It guessed a campsite in Yellowstone to within around 35 miles of the actual location. The program placed another photo, taken on a street in San Francisco, to within a few city blocks.

Not every photo was an easy match: The program mistakenly linked one photo taken on the front range of Wyoming to a spot along the front range of Colorado, more than a hundred miles away. And it guessed that a picture of the Snake River Canyon in Idaho was of the Kawarau Gorge in New Zealand (in fairness, the two landscapes look remarkably similar).

This kind of thing will likely get better. And even if it is not perfect, it has some pretty profound privacy implications (but so did geolocation in the EXIF data that accompanies digital photos).

Read More

Friday Squid Blogging: Sqids

Read Time:27 Second

They’re short unique strings:

Sqids (pronounced “squids”) is an open-source library that lets you generate YouTube-looking IDs from numbers. These IDs are short, can be generated from a custom alphabet and are guaranteed to be collision-free.

I haven’t dug into the details enough to know how they can be guaranteed to be collision-free.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Read More

AI and Lossy Bottlenecks

Read Time:6 Minute, 15 Second

Artificial intelligence is poised to upend much of society, removing human limitations inherent in many systems. One such limitation is information and logistical bottlenecks in decision-making.

Traditionally, people have been forced to reduce complex choices to a small handful of options that don’t do justice to their true desires. Artificial intelligence has the potential to remove that limitation. And it has the potential to drastically change how democracy functions.

AI researcher Tantum Collins and I, a public-interest technology scholar, call this AI overcoming “lossy bottlenecks.” Lossy is a term from information theory that refers to imperfect communications channels—that is, channels that lose information.

Multiple-choice practicality

Imagine your next sit-down dinner and being able to have a long conversation with a chef about your meal. You could end up with a bespoke dinner based on your desires, the chef’s abilities and the available ingredients. This is possible if you are cooking at home or hosted by accommodating friends.

But it is infeasible at your average restaurant: The limitations of the kitchen, the way supplies have to be ordered and the realities of restaurant cooking make this kind of rich interaction between diner and chef impossible. You get a menu of a few dozen standardized options, with the possibility of some modifications around the edges.

That’s a lossy bottleneck. Your wants and desires are rich and multifaceted. The array of culinary outcomes are equally rich and multifaceted. But there’s no scalable way to connect the two. People are forced to use multiple-choice systems like menus to simplify decision-making, and they lose so much information in the process.

People are so used to these bottlenecks that we don’t even notice them. And when we do, we tend to assume they are the inevitable cost of scale and efficiency. And they are. Or, at least, they were.

The possibilities

Artificial intelligence has the potential to overcome this limitation. By storing rich representations of people’s preferences and histories on the demand side, along with equally rich representations of capabilities, costs and creative possibilities on the supply side, AI systems enable complex customization at scale and low cost. Imagine walking into a restaurant and knowing that the kitchen has already started work on a meal optimized for your tastes, or being presented with a personalized list of choices.

There have been some early attempts at this. People have used ChatGPT to design meals based on dietary restrictions and what they have in the fridge. It’s still early days for these technologies, but once they get working, the possibilities are nearly endless. Lossy bottlenecks are everywhere.

Take labor markets. Employers look to grades, diplomas and certifications to gauge candidates’ suitability for roles. These are a very coarse representation of a job candidate’s abilities. An AI system with access to, for example, a student’s coursework, exams and teacher feedback as well as detailed information about possible jobs could provide much richer assessments of which employment matches do and don’t make sense.

Or apparel. People with money for tailors and time for fittings can get clothes made from scratch, but most of us are limited to mass-produced options. AI could hugely reduce the costs of customization by learning your style, taking measurements based on photos, generating designs that match your taste and using available materials. It would then convert your selections into a series of production instructions and place an order to an AI-enabled robotic production line.

Or software. Today’s computer programs typically use one-size-fits-all interfaces, with only minor room for modification, but individuals have widely varying needs and working styles. AI systems that observe each user’s interaction styles and know what that person wants out of a given piece of software could take this personalization far deeper, completely redesigning interfaces to suit individual needs.

Removing democracy’s bottleneck

These examples are all transformative, but the lossy bottleneck that has the largest effect on society is in politics. It’s the same problem as the restaurant. As a complicated citizen, your policy positions are probably nuanced, trading off between different options and their effects. You care about some issues more than others and some implementations more than others.

If you had the knowledge and time, you could engage in the deliberative process and help create better laws than exist today. But you don’t. And, anyway, society can’t hold policy debates involving hundreds of millions of people. So you go to the ballot box and choose between two—or if you are lucky, four or five—individual representatives or political parties.

Imagine a system where AI removes this lossy bottleneck. Instead of trying to cram your preferences to fit into the available options, imagine conveying your political preferences in detail to an AI system that would directly advocate for specific policies on your behalf. This could revolutionize democracy.

Ballots are bottlenecks that funnel a voter’s diverse views into a few options. AI representations of individual voters’ desires overcome this bottleneck, promising enacted policies that better align with voters’ wishes.
Tantum Collins, CC BY-ND

One way is by enhancing voter representation. By capturing the nuances of each individual’s political preferences in a way that traditional voting systems can’t, this system could lead to policies that better reflect the desires of the electorate. For example, you could have an AI device in your pocket—your future phone, for instance—that knows your views and wishes and continually votes in your name on an otherwise overwhelming number of issues large and small.

Combined with AI systems that personalize political education, it could encourage more people to participate in the democratic process and increase political engagement. And it could eliminate the problems stemming from elected representatives who reflect only the views of the majority that elected them—and sometimes not even them.

On the other hand, the privacy concerns resulting from allowing an AI such intimate access to personal data are considerable. And it’s important to avoid the pitfall of just allowing the AIs to figure out what to do: Human deliberation is crucial to a functioning democracy.

Also, there is no clear transition path from the representative democracies of today to these AI-enhanced direct democracies of tomorrow. And, of course, this is still science fiction.

First steps

These technologies are likely to be used first in other, less politically charged, domains. Recommendation systems for digital media have steadily reduced their reliance on traditional intermediaries. Radio stations are like menu items: Regardless of how nuanced your taste in music is, you have to pick from a handful of options. Early digital platforms were only a little better: “This person likes jazz, so we’ll suggest more jazz.”

Today’s streaming platforms use listener histories and a broad set of features describing each track to provide each user with personalized music recommendations. Similar systems suggest academic papers with far greater granularity than a subscription to a given journal, and movies based on more nuanced analysis than simply deferring to genres.

A world without artificial bottlenecks comes with risks—loss of jobs in the bottlenecks, for example—but it also has the potential to free people from the straitjackets that have long constrained large-scale human decision-making. In some cases—restaurants, for example—the impact on most people might be minor. But in others, like politics and hiring, the effects could be profound.

Read More

Safeguarding your online experience: A guide to blocking unsolicited ads with adblockers

Read Time:4 Minute, 30 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The internet is a vast realm of information and entertainment. However, it’s also riddled with a persistent nuisance: unsolicited ads. These intrusive advertisements not only disrupt your online experience but also pose significant security risks. In this comprehensive guide, we’ll explore the intricate world of adblockers and their pivotal role in enhancing your cybersecurity by effectively blocking unsolicited ads.

Understanding the ad landscape

Before we delve into the realm of adblockers, it’s essential to comprehend the complex ecosystem of online advertisements:

Display ads: These are the most common ads you encounter on websites. They can be static images, animated banners, or even video ads.

Pop-up ads: Pop-up ads appear in separate windows or tabs, often triggered when you visit a specific page or perform an action on a website.

Video ads: These ads play within videos or before you can access certain content. They vary from short pre-roll ads to longer mid-roll ads.

Social media ads: Popular social platforms often serve ads in your feed or as sponsored posts.

Native ads: These advertisements seamlessly blend with the content around them, making them appear less intrusive.

The intrusive nature of unsolicited ads

Unsolicited ads, commonly referred to as “adware,” are notorious for their disruptive and intrusive characteristics. They can:

Slow down your web browsing experience by consuming bandwidth.
Track your online behavior and collect personal information.
Expose you to potentially malicious content and scams.
Affect website aesthetics and distract from the content you want to view.

The role of adblockers

Adblockers are the digital shields that protect your online experience by eliminating or minimizing the impact of unsolicited ads. Let’s explore three popular adblockers and their features:

Adblock Plus (ABP): Adblock Plus is a widely used and highly customizable adblocker. It allows you to create your filters and tailor your ad-blocking preferences.

uBlock Origin: uBlock Origin is a lightweight yet potent adblocker. It’s known for its efficiency in blocking ads and its minimal impact on system resources.

AdNauseam: AdNauseam is an intriguing adblocker that takes a unique approach. It not only blocks ads but also clicks on them, making it harder for advertisers to track your online behavior.

Blocking unsolicited ads with Adblock Plus

Adblock Plus is a robust and versatile adblocker that offers comprehensive ad-blocking capabilities. Here’s how you can use it to block unsolicited ads:

Install Adblock Plus:

Visit the Adblock Plus website and download the extension for your preferred browser. It’s available for Chrome, Firefox, Edge, and more.

Install the Adblock Plus filter:

Adblock Plus employs filters to block ads. Upon installation, it provides a default filter list to get you started. However, you can enhance your ad-blocking by adding additional filters, such as EasyList, which covers a wide range of ads.

Customize your filters:

Adblock Plus offers user-friendly settings for customizing your ad-blocking preferences. You can allow or block specific ads on individual websites, granting you fine control.

Blocking unsolicited ads with uBlock Origin

uBlock Origin is renowned for its efficiency and resource-friendliness. Here’s how you can use it to block unsolicited ads:

Install uBlock Origin:

Visit the uBlock Origin website and download the extension for your browser. It’s available for various browsers, including Chrome, Firefox, and Edge.

Configure filters:

Upon installation, uBlock Origin provides default filter lists that effectively block ads. To further enhance your ad-blocking capabilities, you can add more filters, such as EasyList and Peter Lowe’s Ad and tracking server list.

Fine-tune your settings:

uBlock Origin allows you to fine-tune your settings, from choosing what types of ads to block to specifying exceptions for particular websites, giving you granular control.

Blocking unsolicited ads with AdNauseam

AdNauseam takes a unique approach to ad-blocking by clicking on ads to disrupt advertisers’ tracking. Here’s how you can use it:

Install AdNauseam:

Visit the AdNauseam website and download the extension for your compatible browser.

Generate noise:

Once installed, AdNauseam generates “noise” by automatically clicking on ads. This confuses tracking mechanisms and safeguards your privacy.

View blocked ads:

AdNauseam provides a log of blocked ads, allowing you to see which ads it has interacted with on your behalf.

The cybersecurity perspective

Blocking unsolicited ads with adblockers is not only about enhancing your online experience but also about bolstering your cybersecurity. Here’s how adblockers contribute to your online security:

Malware prevention: Adblockers can prevent the display of malicious ads that might attempt to deliver malware to your device.

Reduced tracking: Adblockers thwart ad tracking and profiling, preserving your online privacy.

Enhanced page load speed: By blocking ads, web pages load faster, reducing the risk of falling victim to attacks during extended page loading times.

Mitigating phishing: Adblockers help to reduce exposure to phishing scams that can be embedded within ads.

Conclusion

Adblockers are formidable tools in the fight against unsolicited ads. They not only enhance your online experience by eliminating distractions but also contribute to your cybersecurity by mitigating potential threats. Leveraging adblockers like Adblock Plus, uBlock Origin, and AdNauseam empowers you to regain control over your online environment while maintaining a more secure digital presence. Remember to use adblockers responsibly, supporting legitimate content creators while safeguarding your online interests.

Read More

DSA-5591-1 libssh – security update

Read Time:46 Second

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2023-6004

It was reported that using the ProxyCommand or the ProxyJump feature
may allow an attacker to inject malicious code through specially
crafted hostnames.

CVE-2023-6918

Jack Weinstein reported that missing checks for return values for
digests may result in denial of service (application crashes) or
usage of uninitialized memory.

CVE-2023-48795

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that
the SSH protocol is prone to a prefix truncation attack, known as
the “Terrapin attack”. This attack allows a MITM attacker to effect
a limited break of the integrity of the early encrypted SSH
transport protocol by sending extra messages prior to the
commencement of encryption, and deleting an equal number of
consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

https://security-tracker.debian.org/tracker/DSA-5591-1

Read More