New York City Council has overwhelmingly voted to require cops to report their use of surveillance technology.

The Public Oversight of Surveillance Technology (POST) Act had languished in limbo for three years but was passed on Thursday with a veto-proof 44-6 vote. Five other bills aimed at curbing police budgets and methods also made it through.

When the legislation was introduced in 2017, Mayor Bill de Blasio opposed making the NYPD – known for its unique approach to protecting and serving during protests – cough up “information on surveillance technologies such as the description and capabilities, rules, processes and guidelines, and any safeguards and security measures designed to protect the information collected.”

Now de Blasio says he’s OK with the rules and will sign them into law, not that he has much choice.

The law will require the New York City plod to provide the city government with annual reports on its use of surveillance equipment such as face scanning, Stingray cell-site simulators that track phones, and eavesdropping gear. The cops will also be audited once a year to make sure they are sticking to the letter of the law.

To be precise, the bill defines surveillance tech as “equipment, software, or systems capable of, or used or designed for, collecting, retaining, processing, or sharing audio, video, location, thermal, biometric, or similar information, that is operated by or at the direction of the department,” but not any internal communications gear (so it won’t apply to regular IT setups) nor cameras intended to keep city buildings from being vandalized.

All of this will be overseen by the NYPD’s Inspector General.

The NYPD could not be reached for immediate comment on the vote, though the department previously said that the bill “as currently proposed, would literally require the NYPD to advertise on its website the covert means and equipment used by undercover officers who risk their lives every day.”

The new legislation was one of six bills passed by New York politicians. One banned the use of choke-holds by officers, and another ensures that badge numbers are never covered over by police on public duty. The right to film police in public was also enshrined in law, as was the creation of a “disciplinary matrix” within the NYPD to identify officers who misbehave.

“Today’s package of police reform bills is a call to action in response to the deaths of Ahmaud Arbery, George Floyd, Breonna Taylor, and Tony McDade that ignited the start of a global movement,” council member Vanessa Gibson said of the POST Act and others.

“These bills are the floor and not the ceiling in ensuring transparency and oversight over the NYPD and that protections are in place for communities of color.”

While New York, New York, is the largest US city to date to pass surveillance reporting laws, the Big Apple is not the first. For example, San Francisco got its surveillance reporting ordinance [PDF] back in 2019 (along with a ban on facial recognition). Neighboring Oakland has had its surveillance reporting requirement in place since 2018. ®


Follow me for more information.


Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident.

As a career chief privacy officer for different organizations, Dennis Dayman has tried to instill in his twin boys the importance of securing their online identities against account takeovers. Both are avid gamers on Microsoft’s Xbox platform, and for years their father managed their accounts via his own Microsoft account. But when the boys turned 18, they converted their child accounts to adult, effectively taking themselves out from under their dad’s control.

On a recent morning, one of Dayman’s sons found he could no longer access his Xbox account. The younger Dayman admitted to his dad that he’d reused his Xbox profile password elsewhere, and that he hadn’t enabled multi-factor authentication for the account.

When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account. When they went to turn on multi-factor authentication for his son’s Xbox profile, which was tied to a non-Microsoft email address, the Xbox service said it would send a notification of the change to the unauthorized Gmail account in his profile.

Wary of alerting the hackers that they were wise to their intrusion, Dennis tried contacting Microsoft Xbox support, but found he couldn’t open a support ticket from a non-Microsoft account. Using his other son’s Outlook account, he filed a ticket about the incident with Microsoft.

Dennis soon learned the unauthorized Gmail address added to his son’s hacked Xbox account also had enabled MFA. Meaning, his son would be unable to reset the account’s password without approval from the person in control of the Gmail account.

Luckily for Dayman’s son, he hadn’t re-used the same password for the email address tied to his Xbox profile. Nevertheless, the thieves began abusing their access to purchase games on Xbox and third-party sites.

“During this period, we started realizing that his bank account was being drawn down through purchases of games from Xbox and [Electronic Arts],” Dayman the elder recalled. “I pulled the recovery codes for his Xbox account out of the safe, but because the hacker came in and turned on multi-factor, those codes were useless to us.”

Microsoft support sent Dayman and his son a list of 20 questions to answer about their account, such as the serial number on the Xbox console originally tied to the account when it was created. But despite answering all of those questions successfully, Microsoft refused to let them reset the password, Dayman said.

“They said their policy was not to turn over accounts to someone who couldn’t provide the second factor,” he said.

Dayman’s case was eventually escalated to Tier 3 Support at Microsoft, which was able to walk him through creating a new Microsoft account, enabling MFA on it, and then migrating his son’s Xbox profile over to the new account.

Microsoft told KrebsOnSecurity that while users currently are not prompted to enable two-step verification upon sign-up, they always have the option to enable the feature.

“Users are also prompted shortly after account creation to add additional security information if they have not yet done so, which enables the customer to receive security alerts and security promotions when they login to their account,” the company said in a written statement. “When we notice an unusual sign-in attempt from a new location or device, we help protect the account by challenging the login and send the user a notification. If a customer’s account is ever compromised, we will take the necessary steps to help them recover the account.”

Certainly, not enabling MFA when it is offered is far more of a risk for people in the habit of reusing or recycling passwords across multiple sites. But any service to which you entrust sensitive information can get hacked, and enabling multi-factor authentication is a good hedge against having leaked or stolen credentials used to plunder your account.

What’s more, a great many online sites and services that do support multi-factor authentication are completely automated and extremely difficult to reach for help when account takeovers occur. This is doubly so if the attackers also can modify and/or remove the original email address associated with the account.
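The lockout in this story comes down to how a service binds recovery contacts and second factors to an account. The following Python model is added here as an illustration and is not Microsoft's or Xbox's code: it contrasts a weak service, where the password alone rebinds the recovery email and enrols MFA (discarding the owner's printed recovery codes, as happened to the codes in the safe), with a hardened one that holds a recovery-contact change pending, warns the current contact, and requires an existing recovery code before MFA can be enrolled. The review window, the addresses and all function names are assumptions of the model, not any vendor's policy.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets

REVIEW_WINDOW_DAYS = 14   # assumed policy value for the hardened model, not any vendor's


@dataclass
class Account:
    password: str
    recovery_email: str
    recovery_codes: set = field(default_factory=set)   # owner's printed codes
    mfa_enabled: bool = False
    pending_email: Optional[str] = None                # hardened model only
    pending_day: Optional[int] = None
    notices: list = field(default_factory=list)        # (recipient, message)


def issue_recovery_codes(acct, n=5):
    """Owner generates codes and files them away, as in the story."""
    acct.recovery_codes = {secrets.token_hex(4) for _ in range(n)}
    return set(acct.recovery_codes)


def reset_password(acct, from_email, new_password, code=None):
    """Recovery must come from the bound address; with MFA on, a still-valid
    recovery code (standing in for the second factor) is required as well."""
    if from_email != acct.recovery_email:
        return False
    if acct.mfa_enabled and code not in acct.recovery_codes:
        return False
    acct.recovery_codes.discard(code)      # codes are single use
    acct.password = new_password
    return True


# --- weak service: the password alone rebinds recovery contact and MFA -------
def weak_change_recovery_email(acct, password, new_email):
    if password != acct.password:
        return False
    acct.recovery_email = new_email                             # effective at once
    acct.notices.append((new_email, "recovery email changed"))  # only the new address hears
    return True


def weak_enable_mfa(acct, password):
    if password != acct.password:
        return False
    acct.mfa_enabled = True
    acct.recovery_codes = set()   # fresh enrolment discards the owner's codes
    return True


# --- hardened service --------------------------------------------------------
def hardened_change_recovery_email(acct, password, new_email, today):
    """Change is held pending; the current contact is told and may reject it."""
    if password != acct.password:
        return False
    acct.pending_email, acct.pending_day = new_email, today
    acct.notices.append((acct.recovery_email,
                         f"recovery email change to {new_email} pending for {REVIEW_WINDOW_DAYS} days"))
    return True


def hardened_reject_change(acct, from_email):
    if from_email != acct.recovery_email or acct.pending_email is None:
        return False
    acct.pending_email = acct.pending_day = None
    return True


def hardened_finalize(acct, today):
    """Commit a pending change only after the review window has elapsed."""
    if acct.pending_email and today - acct.pending_day >= REVIEW_WINDOW_DAYS:
        acct.recovery_email, acct.pending_email = acct.pending_email, None
        return True
    return False


def hardened_enable_mfa(acct, password, existing_code=None):
    """Enrolment must present one of the existing recovery codes when the
    account has any, so a password thief cannot enrol and the owner's codes
    survive the enrolment."""
    if password != acct.password:
        return False
    if acct.recovery_codes and existing_code not in acct.recovery_codes:
        return False
    acct.mfa_enabled = True
    return True


def run_scenario(hardened):
    """Attacker holds the reused password; owner holds the original mailbox
    and the safe-kept codes. Returns True if the owner regains control."""
    acct = Account(password="reused-pw", recovery_email="owner@example.com")
    codes = issue_recovery_codes(acct)
    attacker = "attacker@example.com"
    if not hardened:
        weak_change_recovery_email(acct, "reused-pw", attacker)
        weak_enable_mfa(acct, "reused-pw")
        # Owner's attempt from the real mailbox with a safe-kept code fails:
        # the recovery address is now the attacker's and the codes are gone.
        return reset_password(acct, "owner@example.com", "new-pw", next(iter(codes)))
    hardened_change_recovery_email(acct, "reused-pw", attacker, today=0)
    enrolled = hardened_enable_mfa(acct, "reused-pw")     # refused: no existing code
    warned = any(to == "owner@example.com" for to, _ in acct.notices)
    hardened_reject_change(acct, "owner@example.com")
    hardened_finalize(acct, today=REVIEW_WINDOW_DAYS)     # nothing left to commit
    recovered = reset_password(acct, "owner@example.com", "new-pw", next(iter(codes)))
    return warned and not enrolled and recovered
```

`run_scenario(False)` returns False (the owner stays locked out, as in the story) and `run_scenario(True)` returns True. The model deliberately leaves out an attacker changing the password itself; the point it isolates is that security-information changes, not logins, are where a stolen password must not be sufficient.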

KrebsOnSecurity has long steered readers to the site twofactorauth.org, which details the various MFA options offered by popular websites. Currently, twofactorauth.org lists nearly 900 sites that have some form of MFA available. These range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by well-established attacks, from SIM-swapping (against SMS and voice codes) to phishing pages and mobile malware that relay a code the moment it is typed, which catches app-generated codes too. So it makes sense to secure your accounts with the strongest form of MFA available; a security key answers only to the site it was registered with, so a relayed code never comes into play. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.




As Australia reels under sustained cyber attacks following increased Chinese diplomatic hostility, the country’s Lion brewery and dairy conglomerate has been hit for the second time.

The Sydney Morning Herald reported that Lion told its staff today “it had been hit by a second cyber attack that had further disrupted its IT systems.”

“The company is now focusing on defence efforts over restoration from the previous attack, its chief executive officer Stuart Irvine told employees during the briefing,” said the newspaper, citing a source who had listened to the call.

The second attack was “anticipated” and Lion’s IT security bods of choice, Accenture, are said to be dealing with it. Earlier today Prime Minister Scott Morrison declared that Australia’s public sector was under attack – and while he didn’t identify who was responsible, weeks of Chinese diplomatic belligerence means the world is already pointing fingers.

As we reported this morning, China “recently took offence at Australia’s call for an international inquiry into the source of the COVID-19 pandemic and appears to have retaliated with new trade disputes and advice that its citizens should not visit Australia as tourists or students,” in a tit-for-tat move.

Matt Lawrence, director of detection and response at threat intel biz F-Secure, opined in a canned comment that blaming China is unwise without further evidence: “Some are pointing the finger at China for these cyber attacks and, while we have seen some Chinese APT groups ramping up their attacks, we wait to see if evidence is released publicly that confirms they are directly targeting Australia. Although it’s reasonable to assume that such a country is being targeted by a range of cyber criminals and state-sponsored threat actors, it’s dangerous to speculate further without appropriate evidence and threat intelligence.”

Last week, ransomware criminals (which El Reg can confirm were the REvil gang) targeted Lion, causing chaos for the entire company.

At the time a company spokeswoman said: “Our IT teams and expert cyber advisors are working around the clock, investigating the issue and assessing how long the impacts will continue. Our focus is on bringing systems back online safely so we can resume our business as usual manufacturing, and customer services. This is taking some time, but it is necessary that we work through this properly.”

The firm refused to comment on reports of an $800,000 equivalent ransomware demand, made in the Monero cryptocurrency. ®




58-year-old Danielle Bulley may not look like your typical cybercriminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.

As North Yorkshire police report, Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.

Once upon a time, Bulley was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon.

At some point things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.

Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.

More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.

Unable to continue to operate, the business was forced to close down.

When specialist police from North Yorkshire Police’s Cyber Crime Unit investigated, they discovered that the Dropbox account had been remotely accessed from an IP address associated with Danielle Bulley.

Under questioning, Bulley admitted that she had deleted the files, claiming that she believed she was entitled to do so, but knowing that it would cause chaos for the business.

Detective Constable Steven Harris of the Cyber Crime Unit warned other companies of the threat which can be posed by former employees:

“Bulley’s actions had dire consequences for people’s livelihood. During our investigation, it became clear that Bulley had left the original company on a bad note, but the deletion of thousands of files containing vital information was catastrophic for the victim. It dealt the new business a blow from which it never recovered.”

“Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.”

Sentencing Bulley to an 18-month community order with 80 hours’ unpaid work, Judge Simon Hickey said: “It was done in revenge. She was a respectable woman, but had lost her good character.”

If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.

Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.
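The police traced the deletion through an IP address and the volume of files removed; those are also the signals a business can watch for itself. The following Python detector is an added example, not Dropbox's tooling or the police's method: it runs over constructed audit events (the field names and the addresses are assumed and do not match Dropbox's real event log) and raises alerts for logins from addresses outside the business's usual set, activity on an account that should have been closed at offboarding, and a burst of deletions within a sliding time window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not real Dropbox logs): a daytime office
# session, a late session from an unfamiliar address on a shared account
# that deletes files in bulk, and a login on an account closed at offboarding.
EVENTS = [
    {"ts": "2019-03-04T09:02:00", "user": "office-shared", "ip": "203.0.113.10", "action": "login"},
    {"ts": "2019-03-04T09:05:00", "user": "office-shared", "ip": "203.0.113.10", "action": "file_edit"},
    {"ts": "2019-03-04T23:41:00", "user": "office-shared", "ip": "198.51.100.77", "action": "login"},
] + [
    {"ts": f"2019-03-04T23:{42 + i}:00", "user": "office-shared", "ip": "198.51.100.77",
     "action": "file_delete"} for i in range(8)
] + [
    {"ts": "2019-03-05T01:10:00", "user": "former-director", "ip": "198.51.100.77", "action": "login"},
]

KNOWN_IPS = {"203.0.113.10"}                     # addresses the business normally uses (assumed)
OFFBOARDED = {"former-director": "2018-06-30"}   # accounts that should be dead after this date


def find_alerts(events, known_ips=KNOWN_IPS, offboarded=OFFBOARDED,
                delete_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, user, ip, ts) tuples for: logins from addresses outside
    known_ips, any activity on an account past its offboarding date, and the
    first time a (user, ip) pair reaches delete_threshold deletes inside a
    sliding window. Events are processed in timestamp order."""
    alerts = []
    deletes = defaultdict(deque)   # (user, ip) -> timestamps of recent deletes
    mass_fired = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["ip"])
        if e["action"] == "login" and e["ip"] not in known_ips:
            alerts.append(("login_unknown_ip", e["user"], e["ip"], e["ts"]))
        cutoff = offboarded.get(e["user"])
        if cutoff and ts >= datetime.fromisoformat(cutoff):
            alerts.append(("offboarded_account_active", e["user"], e["ip"], e["ts"]))
        if e["action"] == "file_delete":
            q = deletes[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop deletes older than the window
                q.popleft()
            if len(q) >= delete_threshold and key not in mass_fired:
                mass_fired.add(key)           # alert once per (user, ip), not per file
                alerts.append(("mass_delete", e["user"], e["ip"], e["ts"]))
    return alerts
```

On the sample events this yields four alerts: the unfamiliar-address login at 23:41, a mass-delete alert on the fifth deletion at 23:46, and both an unknown-IP and an offboarded-account alert for the closed account's login. A shared credential defeats the per-user rule, which is one more reason to retire shared passwords when someone leaves rather than only rotating them.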

And if you believe you have been wronged by a former employer do not make the mistake of thinking your anger should be directed towards them through some criminal action. You may feel that you have not been fairly treated, but you will feel much worse if you end up with a criminal conviction.



Aussie surfer's hacked Instagram sent sexually explicit images to her 40,000 followers

18-year-old Blaze Angel Roberts is a talented surfer.

So good in fact that the Sydney-based surfing star has managed to collect 40,000 followers on her Instagram account.

Unfortunately, her popularity also seems to have drawn the unwanted attention of hackers, who successfully tricked her into clicking on a phishing link, and handing over the password to her email account.

Roberts told Nine Network’s “A Current Affair” TV show that the hackers used the compromised email account as a springboard to hijack her Instagram account:

When Ms Roberts regained access to her email, she found photos of the hackers in her sent messages.

When an account has been hacked, Instagram asks users to verify their identity by sending their security team a photo of themselves holding a piece of paper with a handwritten code that they have provided.

In Ms Roberts’ outbox she could see the hackers following this process. One photo shows a bearded man in a grey t-shirt, the other a strawberry blonde female.

“For some reason Instagram didn’t think it was concerning that three people had sent them different photos,” Ms Roberts told A Current Affair.

Attempts by the young surfer to regain control of her Instagram account have so far fallen on deaf ears at Instagram:

“I kept messaging Instagram with screenshots and photos to try and send them the proof and they kept saying they didn’t have enough proof and they didn’t know what I was talking about.”

We’ve spoken before about the problems hacked Instagram users have faced in their attempts to regain control of their Instagram accounts.

All too often it seems Instagram is unable or unwilling to assist, and hacked users find their only remaining option to be to set up a new Instagram account from scratch. That’s what Blaze Angel Roberts has done, effectively waving goodbye to the 40,000 followers she has earned in recent years.


Hopefully the publicity generated by her case will help some of those fans find her new account.

Why did the hackers target a popular Instagram account? They probably wanted to exploit its large following – maybe they had plans to scam followers into handing over personal information, or perhaps they had plans to hold it for ransom.

Certainly the posting of sexually explicit images is the kind of thing which a social media influencer would be keen to stop quickly before they lost followers and damaged relationships with any potential sponsors.

What’s clear is that all of us, whether social media influencers or not, need to ensure we are doing everything we can to reduce the chances of having our accounts hacked.

That includes using different, strong, unique passwords for every online account, and enabling two-factor authentication where available.

If Blaze Angel Roberts’ email account was hacked en route to the Instagram takeover, one wonders what other online accounts of hers could have potentially been compromised, or what information the hackers might have been able to access from her email archive.

Oh, and Instagram – maybe you can put a little more thought into strengthening your account recovery process to make sure that you’re not the ones handing over the keys to an account to hackers?

As we discussed on a past episode of the “Smashing Security” podcast, enabling two-factor authentication and using a password manager can help prevent your accounts from being phished.



The Mozilla Foundation has announced it will soon launch its VPN.

The organisation’s announcement is rather vague, as it says the product will debut “in the next few weeks” and protect up to five devices for $4.99 a month. But that price will be offered “for a limited time” without word of when it will change or what it will change to.

There’s also uncertainty around where and when the product will become available. Mozilla says “We are working hard to make the official product, the Mozilla VPN, available in selected regions this year.”

The definite info in the announcement is that: “The VPN will exit Beta phase in the next few weeks, move out of the Firefox Private Network brand, and become a stand-alone product, Mozilla VPN, to serve a larger audience.”

We also know the VPN works on Windows 10, Android, iOS and Chromebooks, with MacOS and Linux support planned. Other certainties are that the VPN tech comes from Swedish outfit Mullvad and uses the WireGuard protocol.

Oh and Mozilla promises that the VPN just does its job and doesn’t sniff anything you do online.

For now the service remains available to US users only, but the beta is now open to all of them and a waitlist has been established for users in other nations. ®





June 2020