Privacy

Other than Prison, Electronic Monitoring is 'the Most Restrictive Form' of Control, Research Finds (nbcnews.com)

An anonymous reader shares a report: In the past 18 months, as the judicial system has increasingly used electronic monitoring instead of prisons to monitor inmates through the coronavirus pandemic, newly released data confirm what activists and advocates have long argued: Ankle monitors are onerous, and they often subject wearers to vague rules, like avoiding people of "disreputable character." The ankle monitoring business, the research found, is also dominated by four profit-seeking companies, and it ultimately could drive more people back to prison.

The new, comprehensive collection of hundreds of electronic monitoring-related rules, policies and contracts, obtained through public records requests across 44 states, demonstrates that four companies that make millions of dollars a year account for 64 percent of the contracts examined in the study. The companies -- Attenti, BI Inc., Satellite Tracking of People and Sentinel Offender Services LLC, according to the report -- also keep location data indefinitely, even after monitoring is completed, which is within the law. Governments also often require family members or employers to act as agents of the government and report potential violations, putting them in an awkward position in which they must be both supportive and supervisory.

Crucially, wearers must pay both one-time and ongoing fees for the monitors, which can be $25 to over $8,000 a year. The report argues that such costs "undermine financial security when it is needed most." By comparison, the Justice Department's Bureau of Prisons said in 2018 that it costs just under $100 per day to incarcerate a federal inmate, or over $36,000 a year. Put another way, wearers in Los Angeles and Sacramento counties in California, which impose the highest annual costs, according to the new findings, pay $22 a day -- still considerably less than what taxpayers would otherwise pay.

United States

White House Weighs Invoking Defense Law To Get Chip Data (bloomberg.com)

The Biden administration is considering invoking a Cold War-era national security law to force companies in the semiconductor supply chain to provide information on inventory and sales of chips, Commerce Secretary Gina Raimondo said Thursday. From a report: The goal is to alleviate bottlenecks that have idled U.S. car production and caused shortages of consumer electronics and to identify possible hoarding, she said in an interview. Her team for months has sought clarity into how companies allocate their semiconductor supply. But previous meetings that convened firms from different industrial sectors haven't led to increased transparency and many companies have refused to hand over business data to the government. The Commerce Department is now asking companies to fill out questionnaires within 45 days providing supply chain information. The request is voluntary but Raimondo said she warned industry representatives that she might invoke the Defense Production Act or other tools to force their hands if they don't respond.
iOS

Researcher Dumps Three iOS Zero-days After Apple Failed To Fix Issues for Months (therecord.media)

A security researcher has published details about three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year. From a report: Going by the pseudonym of Illusion of Chaos, the researcher has published their findings on the Russian blogging platform Habr and has released proof-of-concept code for each vulnerability on GitHub. The three issues are:

1. A vulnerability in the Gamed daemon that can expose user data such as AppleID emails, names and auth tokens, and can grant file system access.

2. A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device.

3. An additional vulnerability in the nehelper daemon that can be used from within an app to gain access to a device's WiFi information.

China

China Says All Cryptocurrency-related Transactions Are Illegal and Must Be Banned (techcrunch.com)

China's central bank said on Friday that all cryptocurrency-related transactions are illegal in the country and must be banned, citing concerns around national security and the "safety of people's assets." From a report: The world's most populous nation also said that foreign exchanges are banned from providing services to users in the country. [...] The People's Bank of China separately barred internet, financial and payment companies from facilitating cryptocurrency trading on their platforms. The central bank said cryptocurrencies cannot be circulated in the market as they are not fiat currency. Offenders, the central bank warned, will be "investigated for criminal liability in accordance with the law."
Security

Hackers Breached Computer Network At Key US Port But Did Not Disrupt Operations (cnn.com)

Suspected foreign government-backed hackers last month breached a computer network at one of the largest ports on the US Gulf Coast, but early detection of the incident meant the intruders weren't in a position to disrupt shipping operations, according to a Coast Guard analysis of the incident obtained by CNN and a public statement from a senior US cybersecurity official. CNN reports: The incident at the Port of Houston is an example of the interest that foreign spies have in surveilling key US maritime ports, and it comes as US officials are trying to fortify critical infrastructure from such intrusions. "If the compromise had not been detected, the attacker would have had unrestricted remote access to the [IT] network" by using stolen log-in credentials, reads the US Coast Guard Cyber Command's analysis of the report, which is unclassified and marked "For Official Use Only." "With this unrestricted access, the attacker would have had numerous options to deliver further effects that could impact port operations." The Port of Houston is a 25-mile-long complex through which 247 million tons of cargo move each year, according to its website.

In the case of the Port of Houston, the unidentified hackers broke into a web server somewhere at the complex using a previously unidentified vulnerability in password management software at 2:38 p.m. UTC on August 19, according to the Coast Guard report. The intruders then planted malicious code on the server, which allowed further access to the IT system. Beginning about 90 minutes after the initial breach, the hackers stole all of the log-in credentials for a type of Microsoft software that organizations use to manage passwords and access to their networks, according to the report. Minutes later, cybersecurity staff at the port isolated the hacked server, "cutting off unauthorized access to the network," the advisory said.

It's unclear who was behind the breach, which appears to be part of a broader espionage campaign. When asked about the incident at a Senate hearing on Thursday, US Cybersecurity and Infrastructure Security Agency Director Jen Easterly said she believed a foreign government-backed hacking group was responsible. Attribution of cyberattacks "can always be complicated," Easterly told the Senate Homeland Security and Governmental Affairs Committee. "At this point in time, I would have to get back with my colleagues, but I do think it is a nation-state actor."

Security

2021 Has Broken the Record For Zero-Day Hacking Attacks (technologyreview.com)

According to multiple databases, researchers, and cybersecurity companies who spoke to MIT Technology Review, 2021 has had the highest number of zero-day exploits on record. "At least 66 zero-days have been found in use this year, according to databases such as the 0-day tracking project -- almost double the total for 2020, and more than in any other year on record," the report says. From the report: One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools. Powerful groups are all pouring heaps of cash into zero-days to use for themselves -- and they're reaping the rewards. At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees. And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes. "Financially motivated actors are more sophisticated than ever," Semrau says. "One-third of the zero-days we've tracked recently can be traced directly back to financially motivated actors. So they're playing a significant role in this increase which I don't think many people are giving credit for."

While there may be an increasing number of people developing or buying zero-days, the record number reported isn't necessarily a bad thing. In fact, some experts say it might be mostly good news. No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time -- just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act. You can look at the data, such as Google's zero-day spreadsheet, which tracks nearly a decade of significant hacks that were caught in the wild. One change the trend may reflect is that there's more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools. Defenders have clearly gone from being able to catch only relatively simple attacks to detecting more complex hacks, says Mark Dowd, founder of Azimuth Security. "I think this denotes an escalation in the ability to detect more sophisticated attacks," he says.
Further reading: Emergency Software Patches Are on the Rise
Privacy

A Stalkerware Firm Is Leaking Real-Time Screenshots of People's Phones Online (vice.com)

A stalkerware company whose product is designed to let customers spy on their spouses', children's or employees' devices is exposing victims' data, allowing anyone on the internet to see screenshots of phones simply by visiting a specific URL. From a report: The news highlights the continuing lax security practices of many stalkerware companies; not only do these companies sometimes market their tools specifically for illegal surveillance, but the targets are re-victimized by these breaches. In recent years the Federal Trade Commission (FTC) has acted against stalkerware companies for exposing victim data. The stalkerware company, called pcTattleTale, offers the malware for Windows computers and Android phones. "Discover their secret online lives right from your phone or computer," a Facebook post from pcTattleTale reads. "pcTattletale is a popular keylogger and montoring [sic] app that you can use to see what you [sic] kids, spouse, or employees are doing online." Security researcher Jo Coscia showed Motherboard that pcTattleTale uploads victim data to an AWS server that requires no authentication to view specific images.
Businesses

Tech Firms' Nightmare: Vanishing Green Cards (axios.com)

Thousands of green cards are about to go to waste, leaving Google, Microsoft and other tech companies fuming -- and pushing the Biden administration to ensure it doesn't happen again. Axios: Tech workers have waited years for green cards that will grant them permanent legal status in the U.S. -- but because of pandemic-related processing delays, they will have to wait even longer. The U.S. makes a certain number of family-based and employment-based green cards available each fiscal year. [...] Google and Microsoft are among the companies that have been urging federal officials to find a way to save the roughly 80,000 remaining employment-based green cards set to expire Sept. 30. Google says only 13% of its candidate applications filed since last October have been approved.

"The idea that we will leave tens of thousands of these applications unfilled at a time when businesses around the country are having a hard time finding qualified workers seems illogical," Google senior vice president of global affairs Kent Walker told Axios. "So we're really trying to encourage people to come together to fix this issue." What they're saying: Google and Microsoft say they have thousands of employees and their families awaiting green cards. "We have congressionally authorized numbers available right now that can help a significant number of people trapped in the backlog move to permanent residence," Jack Chen, associate general counsel at Microsoft, told Axios. "But without a fix, those numbers go into the shredder at the end of the month. It's a huge missed opportunity." Meanwhile, Apple CEO Tim Cook last week wrote to Department of Homeland Security Secretary Alejandro Mayorkas on behalf of the Business Roundtable to press the issue.

Google

How Google Spies on Its Employees (theinformation.com)

At Google, a seemingly innocuous action can earn an employee the attention of the company's corporate security department. The Information: For example, when Google wants to find out who has been accessing or leaking sensitive corporate information, the company often homes in on employees who are thinking about leaving it. In the past, its security teams have flagged employees who search an internal website listing the cost of COBRA health insurance -- which gives workers a way to continue their coverage after leaving their employer -- for further investigation, according to a person with direct knowledge of its tactics. Employees who draft resignation letters or seek out internal checklists that help workers plan their departures from Google have also faced similar scrutiny, the person said. It has even looked at who has taken screenshots on work devices while running encrypted messaging services at the same time, according to current and former employees with knowledge of the practices. Bulk transfers of data onto USB storage devices and use of third-party online storage services can also raise eyebrows among Google's security staff.
The Internet

Let's Encrypt's Root Certificate is About To Expire, and It Might Break Your Devices (techcrunch.com)

One of the largest providers of HTTPS certificates, Let's Encrypt, will stop using an older root certificate next week -- meaning you might need to upgrade your devices to prevent them from breaking. From a report: Let's Encrypt, a free-to-use nonprofit, issues the certificates used to encrypt the connections between your devices and the wider internet, ensuring that nobody can intercept and steal your data in transit. Millions of websites rely on Let's Encrypt.

But, as warned by security researcher Scott Helme, the root certificate that Let's Encrypt currently uses -- the IdenTrust DST Root CA X3 -- will expire on September 30. After this, computers, devices and web clients -- such as browsers -- will no longer trust certificates that chain to this root. For the overwhelming majority of website users, there is nothing to worry about and September 30 will be business as usual. Older devices, however, could run into some trouble, much like they did when the AddTrust External CA Root expired back in May. Stripe, Red Hat and Roku all suffered outages as a result.

China

Lithuania Says Throw Away Chinese Phones Due To Censorship Concerns (reuters.com)

Lithuania's Defence Ministry recommended that consumers avoid buying Chinese mobile phones and advised people to throw away the ones they have now after a government report found the devices had built-in censorship capabilities. From a report: Flagship phones sold in Europe by China's smartphone giant Xiaomi have a built-in ability to detect and censor terms such as "Free Tibet", "Long live Taiwan independence" or "democracy movement", Lithuania's state-run cybersecurity body said on Tuesday. The capability in Xiaomi's Mi 10T 5G phone software had been turned off for the "European Union region", but can be turned on remotely at any time, the Defence Ministry's National Cyber Security Centre said in the report. "Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible," Defence Deputy Minister Margiris Abukevicius told reporters in introducing the report.
Businesses

US Committee Is Reviewing Zoom's $14.7 Billion Deal For Five9 On National-Security Grounds (cnbc.com)

A U.S. government committee is reviewing Zoom's agreement to acquire cloud contact center software company Five9 for $14.7 billion on national-security grounds. CNBC reports: According to a letter dated Aug. 27, the Federal Communications Commission was asked to refer the case to the Committee for the Assessment of Foreign Participation in the United States Telecommunications Service Sector. Attorney General Merrick Garland is chair of the committee. Zoom announced the deal with Five9 in July, marking the video-chat company's first billion-dollar-plus acquisition. Zoom ballooned in value during the pandemic and, with Five9's technology, is trying to expand into adjacent markets.

Zoom is based in San Jose, California, and founder and CEO Eric Yuan, a native of China, is a U.S. citizen. The company has a significant research and development hub in China, and last year House Speaker Nancy Pelosi of California referred to Zoom as "a Chinese entity" during an MSNBC interview. "USDOJ believes that such risk may be raised by the foreign participation (including the foreign relationships and ownership) associated with the application, and a review by the Committee is necessary to assess and make an appropriate recommendation as to how the Commission should adjudicate this application," David Plotinsky of the Justice Department wrote in the letter to the FCC.

Zoom still expects the acquisition to close in the first half of 2022, a company spokesperson told CNBC in an email. "We have made filings with the various applicable regulatory agencies, and these approval processes are proceeding as expected," the representative said.
Security

FBI Held Back Ransomware Decryption Key From Businesses To Run Operation Targeting Hackers (washingtonpost.com)

An anonymous reader quotes a report from The Washington Post: The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs. But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared. The planned takedown never occurred because in mid-July REvil's platform went offline -- without U.S. government intervention -- and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials. The previously unreported episode highlights the trade-offs law enforcement officials face between trying to damage cyber criminal networks and promptly helping the victims of ransomware -- malware that encrypts data on computers, rendering them unusable.
Security

Crypto Channels Targeted in Biden's Fight Against Ransomware (bloomberg.com)

The Biden administration plans a fresh campaign against ransomware attacks through sanctions to cut off criminals' cryptocurrency pipelines, and it urged companies to report extortion attempts and better protect themselves from them. From a report: Deputy Treasury Secretary Wally Adeyemo told reporters that the sanctions would be imposed on Suex, a cryptocurrency transferring service that's registered in the Czech Republic. He said Suex had "facilitated transactions involving illicit proceeds for at least eight ransomware variants." He said "exchanges like Suex are critical to attackers' ability to extract profits," pointing out that this was the first such action by the Office of Foreign Assets Control against a virtual currency exchange. Both Adeyemo and Deputy National Security Adviser Anne Neuberger, who also briefed reporters in a conference call on Monday evening, underscored the importance of ransomware victims coming forward and of vulnerable businesses and organizations taking steps to bolster their security. Adeyemo announced new Treasury Department guidance that makes "an express statement that the U.S. government strongly discourages the payment of cyber ransoms or extortion demands."
iPhone

Researcher Discloses iPhone Lock Screen Bypass on iOS 15 Launch Day (therecord.media)

On the day Apple released iOS 15, a Spanish security researcher disclosed an iPhone lock screen bypass that can be exploited to grant attackers access to a user's notes. From a report: In an interview with The Record, Jose Rodriguez said he published details about the lock screen bypass after Apple downplayed similar lock screen bypass issues he reported to the company earlier this year. "Apple values reports of issues like this with up to $25,000 but for reporting a more serious issue, I was awarded with $5,000," the researcher wrote on Twitter last week. [...] Because of the unprofessional way Apple handled his bug report, the researcher published today a variation of the same bypass, but this time one that uses the Apple Siri and VoiceOver services to access the Notes app from behind the screen lock. Further reading: Apple Pays Hackers Six Figures To Find Bugs in Its Software. Then It Sits On their Findings.
Ubuntu

Ubuntu 14.04 and 16.04 Each Get a Decade of Support from Canonical (betanews.com)

Canonical has announced that it is extending the life of Ubuntu 14.04 and 16.04 to a decade. BetaNews: In other words, Ubuntu 14.04 and 16.04 are getting longer Extended Security Maintenance (ESM) periods as Canonical pushes back their End of Life (EoL) dates. The former will now get security updates until 2024, while the latter will receive them until 2026. "This lifecycle extension enables organizations to balance their infrastructure upgrade costs, by giving them additional time to implement their upgrade plan. The prolonged Extended Security Maintenance (ESM) phase of Ubuntu 14.04 LTS and 16.04 LTS enables a secure and low-maintenance infrastructure with security updates and kernel livepatches provided by Canonical. The announcement represents a significant opportunity for the organizations currently implementing their transition to new applications and technologies," says Canonical.
Bitcoin

Coinbase Drops Lend Product Plans After SEC Lawsuit Threat (decrypt.co)

Cryptocurrency exchange Coinbase has canceled plans to launch Lend, a product designed to deliver high-interest returns on USDC stablecoin holdings. From a report: A Coinbase representative confirmed the news to Decrypt this morning, referring us to a quietly updated recent blog post about the planned initiative, which was first announced in June but put on hold following the threat of legal action from the U.S. Securities and Exchange Commission (SEC). "Our goal is to create great products for our customers and to advance our mission to increase economic freedom in the world," the update reads. "As we continue our work to seek regulatory clarity for the crypto industry as a whole, we've made the difficult decision not to launch the USDC APY program announced below." Coinbase wrote that it had hundreds of thousands of people signed up to its waitlist, which has now been discontinued. "We will not stop looking for ways to bring innovative, trusted programs and products to our customers," the update concludes. Further reading: Is Lending Your Bitcoins a Security?
Security

BlackMatter Hits Grain Cooperative With Ransomware Attack (bloomberg.com)

Iowa-based grain cooperative New Cooperative was struck by ransomware in recent days and has shut down its computer systems as it tries to mitigate the attack. From a report: The attack occurred on or around Friday, according to Allan Liska, senior threat analyst at the cybersecurity firm Recorded Future. The ransomware gang, which goes by the name BlackMatter, is demanding a $5.9 million ransom, Liska said. New Cooperative confirmed that they had been attacked and said they had contacted law enforcement and were working with data security experts to investigate and remediate the situation.

"New Cooperative recently identified a cybersecurity incident that is impacting some of our company's devices and systems," according to a statement from the cooperative. "Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained." New Cooperative has communicated with its feed customers and is working to create workarounds to get feed to animals while its systems are down, a person familiar with the matter said.

Security

Alaska Discloses 'Sophisticated' Nation-State Cyberattack on Health Service (therecord.media)

A nation-state cyber-espionage group has gained access to the IT network of the Alaska Department of Health and Social Services (DHSS), the agency said last week. From a report: The attack, which is still being investigated, was discovered on May 2 of this year by a security firm, which notified the agency. While the DHSS made the incident public on May 18 and published two updates in June and August, the agency did not reveal any details about the intrusion until last week, when it officially dispelled the rumor that this was a ransomware attack. Instead, the agency described the intruders as a "nation-state sponsored attacker" and "a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities."
Government

'Freedom Hosting' Web Admin Gets 27 Years In Prison For Hosting 200+ Child Pornography Sites (therecord.media)

An anonymous reader quotes the Record: An Irish man who ran a cheap dark web hosting service has been sentenced today to 27 years in prison for turning a blind eye to customers hosting child sex abuse material. Eric Eoin Marques, 36, from Dublin, operated the Freedom Hosting service between July 2008 and July 2013, when he was arrested following an FBI investigation.

"The investigation revealed that the hosting service contained over 200 child exploitation websites that housed millions of images of child exploitation material," the US Department of Justice said today, announcing Marques' sentencing. "Over 1.97 million of these images and/or videos were not previously known by law enforcement," officials said.

Flashback to 2013: [T]he FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors. Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas.

It's not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control. The new details emerged in local press reports from a Thursday bail hearing in Dublin, Ireland, where Marques, 28, is fighting extradition to America on charges that Freedom Hosting facilitated child pornography on a massive scale...

Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. The FBI was the obvious suspect, but declined to comment on the incident. The FBI also didn't respond to inquiries from WIRED today. But FBI Supervisory Special Agent Brooke Donahue was more forthcoming when he appeared in the Irish court yesterday to bolster the case for keeping Marques behind bars.
