Tag Archives: Accessed

Iran has accessed $10b it received under sanctions waiver, US official – JNS.org

  1. Iran has accessed $10b it received under sanctions waiver, US official JNS.org
  2. US Lawmakers Grill Administration On Iran’s Access To Funds ایران اینترنشنال
  3. House Oversight subcommittee holds hearing on Iranian funds, sanctions: Watch live AOL
  4. WATCH LIVE: House Financial Services hearing on Iranian support for terrorism Washington Examiner
  5. US Official Says Iran Used Money Released Under Sanctions Waiver ایران اینترنشنال


BJP Levels Fresh Allegations Against TMC’s Mahua Moitra Says Parliament Ids Accessed From Dubai – India Today

  1. BJP Levels Fresh Allegations Against TMC’s Mahua Moitra Says Parliament Ids Accessed From Dubai India Today
  2. “Will Not Say Anything”: Trinamool Distances Itself From Mahua Moitra Case NDTV
  3. Mahua Moitra News | Cash For Questions Scams: Did The TMC MP Violated Her Oath As MP? | News18 CNN-News18
  4. Opinion | Look Beyond the Stilettos and Gucci Bag. Allegations Against Mahua Moitra Cast a Shadow Over The Holiest Pact In A Democracy News18
  5. Why Parliament questions? RTI, PIL easier: Priyanka Chaturvedi amid Mahua Moitra Hindustan Times


Anker’s Eufy admits unencrypted videos could be accessed, plans overhaul

Anker’s Eufy division has said its web portal was not designed for end-to-end encryption and could allow outside access with the right URL.

After two months of arguing back and forth with critics about how so many aspects of its “No clouds” security cameras could be accessed online by security researchers, Anker smart home division Eufy has provided a lengthy explanation and promises to do better.

In multiple responses to The Verge, which has repeatedly called out Eufy for failing to address key aspects of its security model, Eufy has plainly stated that video streams produced by its cameras could be accessed, unencrypted, through the Eufy web portal, despite messaging and marketing that suggested otherwise. Eufy also stated it would bring in penetration testers, commission an independent security researcher’s report, create a bug bounty program, and better detail its security protocols.

Prior to late November 2022, Eufy had enjoyed a distinguished place among smart home security providers. For those willing to trust any company with video feeds and other home data, Eufy marketed itself as offering “No Clouds or Costs,” with encrypted feeds streamed only to local storage.

Then came the first of Eufy’s woeful revelations. Security consultant and researcher Paul Moore asked Eufy on Twitter about several discrepancies he discovered. Images from his doorbell camera, seemingly tagged with facial recognition data, were accessible from public URLs. Camera feeds, when activated, were seemingly accessible without authentication from VLC Media Player (something later confirmed by The Verge). Eufy issued a statement stating that, essentially, it hadn’t fully explained how it used cloud servers to provide mobile notifications and pledged to update its language. Moore went quiet after tweeting about “a lengthy discussion” with Eufy’s legal team.

Days later, a different security researcher confirmed that a camera feed could be streamed given its URL from inside a Eufy user’s web portal. The encryption scheme on the URLs also seemed to lack sophistication; as the same researcher told Ars, it took only 65,535 combinations to brute-force, “which a computer can run through pretty quick.” Anker later increased the number of random characters required to guess URL streams and said it had removed media players’ ability to play a user’s streams, even if they had the URL.

Eufy issued a statement to The Verge, Ars, and other publications at that time, noting it “adamantly” disagreed with “accusations levied against the company concerning the security of our products.” After continued pressure by The Verge, Anker issued a lengthy statement detailing its past errors and future plans.

Among Anker/Eufy’s notable statements:

  • Its web portal now prohibits users from entering “debug mode.”
  • Video stream content is encrypted and inaccessible outside the portal.
  • While “only 0.1 percent” of current daily users access the portal, it “had some issues,” which have been resolved.
  • Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
  • Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but this has been discontinued. No recognition data was included with images sent to the cloud.
  • Outside of the “recent issue with the web portal,” all other video uses end-to-end encryption.
  • A “leading and well-known security expert” will produce a report about Eufy’s systems.
  • “Several new security consulting, certification, and penetration testing” firms will be brought in for risk assessment.
  • A “Eufy Security bounty program” will be established.
  • The company promises to “provide more timely updates in our community (and to the media!).”




Federal investigators have accessed emails of Rep. Scott Perry and Trump allies in 2020 efforts



CNN — Federal investigators have obtained access to several email accounts, a draft autobiography and other writings in which Republican Rep. Scott Perry, Donald Trump elections attorney John Eastman, and former Justice Department officials Jeffrey Clark and Ken Klukowski discussed the 2020 election, according to a newly released order in the DC District Court.

The order unsealed Thursday indicates how broad a net federal prosecutors have cast for information from top Trump backers as part of the sprawling criminal investigation into January 6, 2021, and efforts to impede the transfer of presidential power.

Chief Judge Beryl Howell of the DC District Court allowed federal investigators to access email messages sent to and from Perry, who pushed false election fraud claims after the 2020 election and worked with Eastman, Clark and Klukowski as they tried to overturn Trump’s election loss.

The searches obtained more than 130,000 documents and a book outline Clark was writing about himself and his experience in 2020 and early 2021.

Among the documents were 331 drafts of Clark’s autobiography outline, which he had saved in his Google account, according to a court filing.

The order discloses several rounds of investigative steps by the Justice Department in May, June and again in September.

Court filings also show how carefully investigators treaded around attorney communications that could have been considered confidential – and how they used a filter team to catalogue what they collected in the searches, then ultimately went through the federal court to obtain access to some documents.

Earlier this year, Clark declined to answer questions to several investigative teams, citing his Fifth Amendment rights, and had marked on his autobiography drafts that they were attorney work-product, implying he wanted them to remain confidential.

However, the judge wrote, the Justice Department prosecutors told a judge, “Clark penned the autobiography outline in an atmosphere charged with news that congressional committees’ investigations into the January 6, 2021 Capitol attack and other efforts to overturn the 2020 election were increasingly focusing on his role,” one filing said. Six chapters were about the 2020 election, Howell’s opinion added.

The court order cited a snippet from Clark’s prologue that said after the 2000 election, he “never thought [he’d] have a bird’s eye view of a second deeply contested presidential election” but he’d “be wrong.”

In the Perry email cache, investigators found Eastman, Klukowski and Clark were in communication with the congressman a few dozen times after the election. A handful of email exchanges and attached documents were initially filtered out by the DOJ’s filter team, and Howell then allowed prosecutors to access the 37 records.

Among those records, about a week after the 2020 election, Klukowski acknowledges in an email that he and Perry spoke, then attaches a document about state legislatures being able to determine the presidential election.

Three emails showed Eastman discussing a phone call with Perry in mid-December 2021. “John, this is congressman Scott Perry from PA. Can you contact me ASAP?” one said around December 11.

Other emails from Clark’s account, from after the Trump administration ended in 2021, included him sending Perry his resume, a forwarded excerpt of a Vaclav Havel essay, a discussion of a Roger Stone interview and a comment about Pennsylvania’s voting system.

Eastman, Perry, Clark and Klukowski have been known to be subjects of the DOJ criminal investigation around January 6 since earlier this year, when federal investigators conducted searches of each man’s cell phones. CNN reported earlier this week the DOJ had a dispute with Perry over accessing the data on his phone because of constitutional protections around members of Congress, but it’s unclear if that has been resolved.

None of the four men have been charged criminally.

This story has been updated with additional details.


Betting sites urge caution after accounts accessed, funds withdrawn

Online sports betting operators on Monday were encouraging customers to take steps to protect their accounts after multiple companies saw fraudulent activity in recent weeks.

DraftKings said Monday that a “small number” of betting accounts were accessed by unauthorized users, leading to approximately $300,000 in customer funds being withdrawn in an attack the company believes was caused by login information being stolen from third-party sites.

Sports betting media site The Action Network reported that at least one customer was locked out of their DraftKings account Sunday and had money withdrawn from the bank account that was used to make deposits with the sportsbook.

“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” Paul Liberman, DraftKings co-founder, said in a statement. “We have seen no evidence that DraftKings’ systems were breached to obtain this information. We have identified less than $300,000 of customer funds that were affected, and we intend to make whole any customer that was impacted.

“We strongly encourage customers to use unique passwords for DraftKings and all other sites, and we strongly recommend that customers do not share their passwords with anyone, including third party sites for the purposes of tracking betting information on DraftKings and other betting apps.”

Ryan Butler, a journalist who covers the game industry, wrote on Twitter on Monday that his DraftKings account was hacked and that FanDuel emailed him that there was an attempt to gain access to his FanDuel account.

FanDuel reported increased activity from unauthorized actors attempting to gain access to accounts, but “thus far customers have not been impacted,” a company spokesperson said Monday afternoon. Caesars Sportsbook also said Monday that it had not been impacted.

The unauthorized access at DraftKings came just weeks after multiple professional poker players reported that unauthorized betting accounts had been set up in their names with BetMGM and used to withdraw money from personal checking accounts. Todd Witteles, a well-known poker pro from California, said someone set up a sports betting account with his name in late October in West Virginia, deposited $10,000 out of his checking account to the sports betting account and withdrew $7,500 to a Venmo debit card on the same day. Witteles estimates upward of 50 poker players experienced a similar issue at BetMGM that mostly occurred in late October and early November. BetMGM said it is actively investigating the situation.

“The security of our patrons’ accounts is of the utmost importance to us,” a BetMGM spokesperson said in a statement to ESPN on Friday. “We encourage any impacted patrons to contact our customer service department directly.”

It is not known whether the incidents at DraftKings and BetMGM are connected.


PS5: Hidden menu in Debug settings can be accessed with button combo (video)

Zecoxao reports that PS5s can access additional debug options with the press of a button combination. Your PS5 will need to be hacked (and have the Debug Settings enabled) in order to run this trick. This additional menu could contain options that can typically be found on TestKit consoles, but it seems pretty empty on retail consoles.

What’s the PS5 Debug Settings Hidden Menu about?

Pressing Start + L3 anywhere on the PS5 while the Debug Settings are enabled will pop up that hidden menu, which is unfortunately very empty right now.

People who have tested it seem to report it does a whole lot of nothing. Specifically, pressing the button combo will open a Debug Menu : Cex menu, itself with a “launch settings” option. Clicking that option apparently just takes you to the regular settings menu, as shown in the video below by @Ifaicompa.

(By the way L3 means clicking the analog stick, if you didn’t know)

TestKit options on Retail PS5 – Current Status and limitations

It’s worth keeping in mind that most Debug Settings options are broken on retail consoles. Just because we have the ability to show the GUI (in this case, the menu) of a given TestKit option, doesn’t mean the option will work (or that the underlying app is present) on a retail unit.

Zecoxao believes that this option could unlock additional functionality (such as UART logs) if the PS5 was hacked further, for example if a Hypervisor hack could be developed.

How to access the Hidden Debug Menu on your PS5

You will need a hackable PS5 to run this.

  • Run the PS5 Kernel exploit with Debug settings enabled (they are enabled by default on all exploit variations afaik)
  • Anywhere in the PS5 interface, hitting START + L3 will show the menu.

The PS5 Dev wiki has additional button combos for you to try if you want. (But Do. not. Enter. IDU. Mode!!!)




TikTok Confirms US User Data Can Be Accessed in China

TikTok confirmed that China-based employees of its Chinese parent company, ByteDance, have access to US user data under certain circumstances in a letter obtained by The New York Times responding to nine Republican senators’ inquiries about the matter.

“Employees outside the US, including China-based employees, can have access to TikTok US user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our US-based security team,” TikTok’s CEO Shou Zi Chew wrote in the letter.

“TikTok has an internal data classification system and approval process in place that assigns levels of access based on the data’s classification and requires approvals for access to US user data,” Chew added. “The level of approval required is based on the sensitivity of the data according to the classification system.”

Sal Rodriguez, who is currently a reporter for The Wall Street Journal, first reported for CNBC last year that ByteDance had access to US data and was closely involved in making decisions for TikTok.

New light was shed on the privacy and security concerns after BuzzFeed News recently reported, based on audio of internal meetings it obtained, that ByteDance employees had repeatedly accessed US user data over at least a four-month period, and that US-based employees did not have permission to access it.

In a statement to BuzzFeed News for its report, a TikTok spokesperson said, in part: “We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data.”

On the same day BuzzFeed News published its story, TikTok announced that “100% of US user traffic is being routed to Oracle Cloud Infrastructure,” rather than being stored in its own data centers in the US and Singapore.

In the letter, Chew wrote that the BuzzFeed News report “contains allegations and insinuations that are incorrect and are not supported by facts.”

After BuzzFeed News published its report, FCC commissioner Brendan Carr called on Apple and Google to remove TikTok from their app stores.


TikTok moves to ease fears amid report workers in China accessed US users’ data

TikTok has said that Oracle will store all the data from its US users, in a bid to allay fears about its safety in the hands of a platform owned by the Chinese company ByteDance.

The move comes as a report from BuzzFeed News, citing leaked audio from TikTok in-house meetings, said ByteDance employees in China have repeatedly accessed private information about US TikTok users.

The popular video snippet sharing service has fended off concerns about the ability of engineers in China to access information about US users that isn’t public. It is common for some engineers at internet firms to be granted access to data, and TikTok told AFP it is trying to minimize that kind of system privilege.

“Similar to industry peers, we will continue to drive our goal of limiting the number of employees who have access to user data and the scenarios where data access is enabled,” said Roland Cloutier, the TikTok chief information security officer, in a blog post highlighted by the company.

“Our goal is to minimize data access across regions so that, for example, employees in the (Asia Pacific) region, including China, would have very minimal access to user data from the EU and US.”

TikTok has been adamant that it has never given US user data to Chinese officials and that it would refuse if asked to do so.

“We’ve brought in world class internal and external security experts to help us strengthen our data security efforts,” a TikTok spokesperson told AFP.

TikTok will continue to use its own datacenters in Virginia and Singapore to back up information as it works to “fully pivot” to relying on Oracle in the United States, it said in a post.

“We know we are among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data,” said Albert Calamug, who handles US security public policy at TikTok.

Joe Biden last year revoked executive orders from his predecessor Donald Trump seeking to ban Chinese-owned apps TikTok and WeChat from US markets on national security concerns.

Trump had given his blessing to a plan that would have given TikTok to US tech giant Oracle with investments from retail powerhouse Walmart, but that deal failed to win approval in Beijing.

Biden’s new executive order nixed the unimplemented ban and called for “an evidence-based analysis to address the risks” from internet applications controlled by foreign entities.

WeChat, part of Chinese tech giant Tencent, is a “super app” which includes social networking, messaging, e-commerce and more.

TikTok revealed late last year that it had a billion users worldwide.

“Today, 100% of US user traffic is being routed to Oracle Cloud Infrastructure,” Calamug said.

“In addition, we’re working closely with Oracle to develop data management protocols that Oracle will audit and manage to give users even more peace of mind.”


Nintendo’s Wii Shop Channel Can’t Be Accessed Right Now


If you’ve tried accessing the Wii Shop Channel over the past few days, you might not have had much luck. According to Nintendo Everything, the digital store has been “experiencing major issues”.

It’s supposedly impossible to access the storefront at all – and you’ll instead be presented with a “blank screen” on startup, which is eventually followed by an error code. Nintendo’s online maintenance page does not mention any issues, either (thanks, GoNintendo).

GameXplain has also taken a look – noting how team members located outside of the US, in regions such as Europe, have encountered the same problem.

Although Nintendo stopped game sales on the Wii Shop Channel in 2019, the current error means anyone who wants to access existing downloads and purchases is unable to right now. Nintendo previously said it would stop downloads on the Wii “at some point”, but never specified exactly when users would no longer be able to re-download games.

More recently, Nintendo announced it would be closing down the 3DS eShop and Wii U eShop by March 2023. While users will no longer be able to buy games, they’ll still be able to download previous purchases.



