A confluence of factors is leading people in the nation to gravitate toward extremist views.

All across the country, there are signs of a more radicalized American populace. It’s become impossible to ignore over the past few years. The US has witnessed an insurrection, the rise of QAnon, increasing anti-Semitism, attacks on the LGBTQ community, and more. While radicalism has risen to some degree in many other Western nations, this trend has been exceptionally more pronounced in the United States. It is, therefore, necessary to determine the root causes of it and what makes America, well, exceptional. 

To better understand extremism in the US, it’s necessary to understand who is being radicalized. It’s primarily right-wing extremism, but right-wing extremism covers many different groups and types of people who engage with it. It’s not just the people who join militias like the Proud Boys or the Oath Keepers, it’s the seemingly ordinary people who latch onto QAnon or other conspiracy theories. 

The January 6, 2021, attack in Washington is a good case study on what kind of people have become radicalized in the US. There were members of militia groups there, but research has shown roughly 90 percent of the people who stormed the Capitol were not affiliated with militias or other far-right groups. Many were business owners or regular working people who became convinced over time that the 2020 election had been stolen from Donald Trump.

Conspiracy theories like those under the QAnon umbrella have infiltrated many groups of people one might not expect. They’ve found their way into yoga and parenting groups. A neighbor you regularly encounter at the grocery store and don’t think twice about could be in the process of being radicalized. People from all walks of life can be influenced by these conspiracy theories. 

All of that said, there are some notable psychological and social factors that could be causing Americans to become more prone to embrace extreme ideologies. One of the key factors appears to be a strong sense of uncertainty. The human brain doesn’t like uncertainty, and it can cause people to seek out a path to feeling more certain and assured by any means possible.

J. M. Berger, an author and researcher who focuses on extremism, says there have been many reasons for people to feel uncertain over the past decade or so. Rapid changes in technology, major shifts in the labor market and the economy, the Covid-19 pandemic, and more have caused many Americans to feel unanchored. This creates a situation where extremism can flourish.

“What you find is people are most vulnerable to authoritarianism and extremist impulses when they don’t know what they’re supposed to do,” Berger says. “They don’t know where they fit in the world.”

Arie Kruglanski, a professor of psychology at the University of Maryland, says that something that motivates people in uncertain times is a need to feel significant. 

“These things increase the motivation to reassert your significance. Once you have that, you’re vulnerable to narratives that promise you a restoration of your significance,” Kruglanski says. “Many of these conspiracy theories—most of them, I would think—do that.”

Extremist movements can make people feel significant, give them a sense of purpose, and provide them a narrative that explains why everything seems so screwed up. They also give them a sense of community and support. Kruglanski says the more you feel embraced by a network of people, the more you feel motivated to embrace their narrative, even if it’s extreme. Oftentimes, he says, people don’t realize how extreme the group they’re joining actually is until they’ve become invested in it.

Berger says social media has ramped up feelings of uncertainty. He says that’s partly due to the fact that ideas can now almost instantly be spread far and wide with little effort, which can be destabilizing.

“In the past, when transmission of ideas was slower, the ideas had a chance to evolve as they were being transmitted. This would sometimes create a sort of moderating influence,” Berger says. “With social media, ideas move so fast that there’s really no prospect for moderation. Even the most extreme ideas can spread incredibly quickly.”

Social media has also made it easier for people to become radicalized because they can easily find people who share any extreme views they may have and who will happily invite them into a movement. Someone who wouldn’t have met people who share their views in the small town they lived in years ago can easily find a community online and become further radicalized.

“Social media has radically changed how people communicate,” Berger says. “It’s radically changed the kinds of ideas people are exposed to.” 

Research has shown social media exacerbates political polarization, often pushes users to view more extreme content, and helps extremists organize and coordinate their efforts. Social media also has positive impacts in terms of helping organize activists and connecting people in beneficial ways, but its negative effects and uses are significant.

“The network support, the clandestine conspiracy narratives combined with the sense of uncertainty, sense of lost significance—these elements create a combustible mixture that can be lit and lead to radicalization and radical action,” Kruglanski says.

So, many people feel uncertain and insignificant, and social media is flooded with disinformation and groups of extremists who will invite them into a movement. That’s some of it. The more obvious aspect of this, but one that is important, is the role of political leaders in America and a Republican Party that has become more extreme itself. 

“We have people who are the top leaders of a right-wing party who are really just willing to come out and express and endorse positions that are much more radical than what used to be the norm in American politics,” Berger says. “They’re creating a permission structure for people to talk about racism and violence in ways that previously would have been outside of the realm of civil discourse.”

Thomas Zeitzoff, an associate professor in the School of Public Affairs at American University, says the Republican Party has embraced—and is now largely controlled by—extreme figures who would have been sidelined in the past.

“The people who used to gatekeep and keep out people like Pat Buchanan or kick out the John Birchers are not running the party,” Zeitzoff says. “I’m a big believer that parties have to be strong gatekeepers. You have to push people like Marjorie Taylor Greene and Lauren Boebert out. They have no business being in a mainstream party.”

Bringing the US back to a more stable place and countering extremism isn’t an easy thing to do when extremism has become this rampant, but there may be some solutions. Kruglanski says those who oppose this extremism need to find positive ways to offer people significance, dignity, and a sense of certainty. Berger proposed a similar remedy.

“If there is a solution, I think it’s to pursue policies that give people some sense of security and understanding of where they are and how they’re supposed to interact with the world,” Berger says.

There will always be conspiracy theorists. Social media isn’t going anywhere. And political leaders will forever use fear and lies to influence people. But America will have to deal with these conditions that are making extremism more likely if it’s going to continue to function politically. A house built on dynamite is a dangerous place to live.

Why Are People in the US Becoming Radicalized?

Intel Data Center Manager's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is vulnerable to an authenticated, blind SQL injection attack when user-supplied input to the HTTP POST parameter "dataName" is processed by the web application. Versions 4.1 and below are affected.

    RCE Security Advisoryhttps://www.rcesecurity.com1. ADVISORY INFORMATION=======================Product:        Intel Data Center ManagerVendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.htmlType:           SQL Injection [CWE-89]Date found:     2022-01-21Date published: 2022-12-01CVSSv3 Score:   9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)CVE:            CVE-2022-212252. CREDITS==========This vulnerability was discovered and researched by Julien Ahrens fromRCE Security.3. VERSIONS AFFECTED====================Intel Data Center Manager 4.1 and below4. INTRODUCTION===============Energy costs are the fastest rising expense for today’s data centers. Intel® DataCenter Manager (Intel® DCM) provides real-time power and thermal consumption data,giving you the clarity you need to lower power usage, increase rack density, andprolong operation during outages.(from the vendor's homepage)5. VULNERABILITY DETAILS========================Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" isvulnerable to an authenticated, blind SQL Injection when user-supplied input tothe HTTP POST parameter "dataName" is processed by the web application.Since the application does not properly validate and sanitize this parameter, anattacker can inject arbitrary SQL commands against the PostgreSQL backenddatabase server of the web application.Successful exploits can allow an authenticated attacker (the lowest possibleauthorization level "Guest" is sufficient) to read and modify database contentsand execute any system commands on the underlying operating system. This way,the attacker can compromise the system's entire confidentiality, integrity, andavailability.6. PROOF OF CONCEPT===================POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1Host: [ip-address]Cookie: JSESSIONID=[session-id]Content-Length: 153Accept: application/json, text/plain, */*Content-Type: text/plainUser-Agent: Mozilla/5.0Accept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Connection: close{"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}}(see the referenced blog post for more details)7. SOLUTION===========Update at least to version 5.0.0.46307.8. REPORT TIMELINE==================2022-01-21: Discovery of the vulnerability2022-01-21: Reported to vendor via their bug bounty program2022-01-21: Vendor response: Sent to "appropriate reviewers"2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.82022-02-16: I don't accept the rating because the vendor downplayed it2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating.2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix2022-08-09: Vendor releases advisory INTEL-SA-006622022-12-01: Public disclosure9. REFERENCES==============https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.htmlhttps://github.com/MrTuxracer/advisories

Intel Data Center Manager 4.1 SQL Injection

The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Intel Data Center Manager  
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html  
Type:           Incorrect Use of Privileged APIs [CWE-648]  
Date found:     2022-07-16  
Date published: 2022-12-07  
CVSSv3 Score:   7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)  
CVE:            -

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Intel Data Center Manager 5.1 (latest) and below

4. INTRODUCTION  
===============  
Energy costs are the fastest rising expense for today’s data centers. Intel® Data  
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,  
giving you the clarity you need to lower power usage, increase rack density, and  
prolong operation during outages.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The latest version (5.1) and all prior versions of Intel's DCM are vulnerable to a  
local privileges escalation vulnerability using the application user "dcm" used to  
run the web application and the rest interface. An attacker who gained RCE using  
this dcm user (i.e., through Log4j) is then able to escalate their privileges to  
root by abusing a weak Sudo configuration for the "dcm" user:

dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool  
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp  
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod

The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the  
Data Center Manager to be vulnerable. Successful exploits can allow an authenticated  
attacker to execute commands as root. In this way, the attacker can compromise the  
victim system's entire confidentiality, integrity, and availability, thereby allowing  
to persist within the attached network.

6. PROOF OF CONCEPT  
===================  
Just one way of exploitation is by replacing the current sudoers configuration:

1.Create a new sudoers configuration file using the compromised "dcm" user in i.e. /tmp/  
2.sudo chmod 440 /tmp/sudoers  
3.sudo cp sudoers /etc/sudoers  
4.sudo /bin/bash

7. SOLUTION  
===========  
None. Intel thinks that this is not a vulnerability and therefore does also not assign  
a CVE for it.

8. REPORT TIMELINE  
==================  
2022-07-16: Discovery of the vulnerability  
2022-07-16: Reported to vendor via their bug bounty program  
2022-07-18: Vendor response: Sent to "appropriate reviewers"  
2022-07-26: Vendor states that the vulnerability "depends on something that does not exist (eg; RCE)."  
2022-07-26: Sent a clarification that a compromise of the "dcm" account is indeed necessary, but there have been RCEs in the past (i.e. through Log4j)  
2022-09-22: Vendor has troubles to reproduce the bug and asks for another PoC  
2022-09-22: Sent a clarification about the PoC  
2022-09-22: Vendor states that the report "does not clearly demonstrate a vulnerability in DCM" and the report will be closed.  
2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM  
2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM  
2022-10-10: Made clear that Log4shell is not the point about the report  
2022-10-11: Vendor states "We do not clearly see a a vulnerability demonstrated in DCM"  
2022-10-12: [Back and forth about the provided PoCs]  
2022-10-12: I'm giving up.  
2022-12-07: Public disclosure

9. REFERENCES  
==============  
https://github.com/MrTuxracer/advisories

Intel Data Center Manager 5.1 Local Privilege Escalation

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Planet eStream Code Execution / SQL Injection / XSS / Broken Control

The UK's use of technology to enforce its hard-line immigration policy brings the border into every facet of migrants' lives.

In 2019, Anna moved from Poland to the UK with her partner and three children. Soon after they settled into their home and new life, he became violent. Anna attempted to leave, taking their children with her. But when she contacted her local council’s social services, they asked her about her immigration status. There was a problem.

Anna—a pseudonym, for privacy and safety reasons—had a valid visa under the EU Settlement Scheme (EUSS), which required European citizens to register with the British immigration authorities after Britain voted to leave the EU in 2017. But when she tried to prove it, she couldn’t. She had never received a text message or a physical letter saying that she had settled status. Anna went back into the household with her children and her abuser, with nowhere else to go.

When Anna got in touch with the immigration authorities, they put her through to a technical team that, she says, rarely called her back and seemed to constantly be too busy, with long waiting times. Once she got through to the helpline, they confirmed that she had made a valid application (and that her children had settled status, so they had the right to remain in the UK). But they couldn’t give her access to her account. Without it, she couldn’t generate a sharecode—digital proof of her immigration status that would allow her to access social services, get a job, or rent an apartment.

After another serious incident, the police finally gave her abuser an injunction. Anna left the house, but she lost a job offer because she couldn’t prove her immigration status. She couldn’t apply for benefits because she didn’t have proof that she was also actively working. In March 2022, she received confirmation through a charity that was helping her that she had presettled status. But she still hasn’t been contacted by the UK’s Home Office directly—and still has no access to her sharecode.

Anna’s story is shocking. But as the UK’s immigration and policing agency, the Home Office, emphasizes a “digital-by-default” approach to border management, these stories are becoming increasingly common. Earlier this year, the Home Office released its “New Plan for Immigration,” which laid out the increasing digitization of the UK’s immigration system. “We will have a seamless, fully digital, end-to end journey for customers interacting with the immigration system by 2025,” the Home Office said in its plan. 

Currently, migrants and people applying for new visas in the UK are encouraged to use an app to submit their biometrics, including scans of their face; to fill out forms online; and to prove their immigration status with sharecodes. Technology is playing a larger role in immigration systems around the world, affecting the ways borders can be enforced in a physical space and borders and immigration status are maintained once people enter a country. For migrants, this increasing digitization of the immigration system makes it possible for the border to be anywhere and everywhere, spreading into all corners of their lives. 

A Hostile Environment

Public interest in migration is significant in the UK, with more than 50 percent of Britons polled saying it was one of the most important issues facing the union. The Home Office has made multiple justifications for its move to digital status: that it will be better for older people who won’t have to keep track of a piece of paper, that it could enhance security for vulnerable people who might otherwise have their documents taken away by nefarious actors (for example, traffickers or exploitative employers), and that there will be sufficient time for people to fully transition to digital status. But campaigners, organizations, and lawyers working with migrant communities around the UK say these digital systems are already rife with problems, many of which will only get worse.

“Do we have an immigration system that treats people as full humans, that is responsive to people’s circumstances and is based on common sense?” asks Mary Atkinson of the Joint Council for the Welfare of Immigrants, a UK-based nonprofit. “A digital system might work to make the system that it’s implementing quicker, but there will always be problems, glitches that cause anguish and real pain.” 

In 2012, then-home secretary Theresa May announced that the UK’s immigration policy would be geared toward making the UK a “hostile environment” for immigrants. If you didn’t have regularized immigration status (such as a visa or a settlement route), the UK would become such a difficult place to live that you would leave of your own volition. As part of this plan, more and more people were tasked with checking immigration status—from landlords to bank clerks, teachers, university lecturers, and doctors—to ensure that people could access services.

These types of checks have played a role in a host of problems, including the Windrush scandal.  Academics and activists have noted that it has become relatively easy for people to slip through the cracks of legal status, making them vulnerable to removal or detention. Since May, there have been five home secretaries, all of whom have repeatedly emphasized their desire to reduce immigration to the UK (even when these plans draw condemnation from the UN and other international bodies). The most recent, Suella Braverman (who was in the post for 40 days, fired for a security breach, and then reinstated a week later), courted controversy for saying that it was her dream to see refugees to the UK deported to Rwanda. Those in the sector say Braverman is just as hard-line as her predecessor, Priti Patel—if not more so. 

What this means in practice is that people’s information and proof of immigration status are kept on databases owned and operated by the Home Office. The first example of this was the EUSS, but other visa routes are going the same way—such as the Graduate Route visa, which was introduced last year and which people apply for with an app, and the Ukraine Family Scheme, which was introduced earlier in 2022 for people fleeing the conflict in Ukraine. If you’re approved to remain under these conditions, when you apply for a job or try to open a bank account, you will be asked to generate a sharecode that your employer or a bank employee or a police officer can input into their end of the Home Office database to verify your status. 

“We’re at the beginning of a widespread conversation about data collection, and we see that the Home Office has no accountability,” says Andreea Dimitrsou, who works at the 3million, a campaign group in the UK that advocates for the rights of EU citizens living in the UK.

People working in the sector, particularly with migrant communities, have countless stories of the way that digital-by-default systems are affecting their clients. “We have real concerns about the digital hostile environment,” says Julia Tinsley-Kent of Migrants Rights Network, an NGO. “If people are buying data packages to prove their visa status—that’s a worry, especially with the cost of living. There are risks of harm that haven’t been properly investigated—security issues, people being able to see other people’s statuses erroneously, system failures.”

In 2019, the Home Office announced the Status Checking Project, a centralized database that made it possible for migrants to prove their status. Immigrant rights campaigners and members of parliament at the time called it “seriously concerning,” both because of the scale of data collected and the seeming lack of safeguards in place. As a result of the nature of the UK’s immigration system, where people who aren’t border guards are tasked with checking immigration status, the digitization of these services has wide-reaching impacts.

“It’s a good idea for the government to be thinking about this, and the government should be taking initiative around digitization,” says Joe Tomlinson, a lecturer at the University of York who has carried out extensive research into automation in the UK’s immigration system. “My concern is that they’re not doing it very well.” Tomlinson and fellow researcher Jed Meers recently released a paper after surveying 200 landlords about their willingness to use a digital immigration checking service when renting to prospective tenants. They found that an applicant whose name didn’t sound “British” but who had a British passport had an 87 percent chance of being accepted as a tenant. However, if this prospective tenant only had digital proof of immigration status, they had a 13 percent chance of being accepted as a tenant—with the digital status taking precedence over factors like employment, age, and gender.

The EUSS has increasingly become a testing ground for some of these issues. “You bake problems into the way that systems are built,” says Tomlinson. “You can have something that looks like it’s producing outcomes, but the procedural systemic flaws happen, and you get situations like what’s happening with the EUSS.” As of June 2022, more than 5.83 million people had applied to the EUSS, with 5.4 million of those granted status. (The Home Office told WIRED in a statement that the total number of people granted status is now 5.9 million.)  But since the program opened in June 2020, the number of people waiting more than 18 months for a decision has grown too, and data breaches are reported frequently.

Vivian, a researcher at a higher education institution who asked not to be identified for privacy reasons, says that knowing she would only have digital proof of her immigration status under the EUSS made her worried. “When my partner and I were renewing our mortgage, the bank really scrutinized our digital immigration status. They realized that my name had been recorded properly, with my first name and then my last name, and then my partner’s was recorded with his last name first. So they blocked our mortgage application,” she says “We faced a wall in trying to solve this problem, and we kept getting through to people on the Home Office helpline who said, ‘Look, we’ve taken notice of this but we can’t do anything.’”

Their frustration grew, and instability in the British economy caused Vivian and her partner even more stress. Eventually, they were able to solve the issue by writing a letter to the bank and emphasizing that they were both in full-time employment by large institutions. But Vivian says that she knows they got lucky. ”Essentially, someone at the bank decided to let it go. But what if our status had been harder to read? Or if we were self-employed?”

In a statement, the Home Office defended EUSS as an “overwhelming success” and said it has measures in place when its technology fails to function.

 “Our digital services are rigorously tested and designed to be highly resilient and, as with any major digital program, we have contingency measures in place should issues occur,” the Home Office said. “If individuals experience technical issues, they are still able to evidence their rights by gaining support from our resolution center, available seven days a week.”

Even within migrant communities, there are differences in access. The 3million submits reports to the Independent Monitoring Authority, which monitors the post-Brexit rights of EU and EEA citizens, who theoretically are able to use this information in stakeholder consultations. For non-EU migrants, there are precious few other avenues or bodies that can advocate for them, except for individual charities and NGOs, many of which are already overstretched.

Right-to-work checks for migrants have been in place since 1996—on the Home Office website, it still says that you can check people’s original documents if they don’t have a sharecode. People with pending visas can work on the basis of their previous work conditions, but few employers seem to understand this, and many worry they’ll be penalized. Elisa, who is Polish and has settled status, has been waiting to take up employment for a month because she can’t access her sharecode. Her job is with the National Health Service, and while her employer is understanding, she’s worried about how much longer this will go on. 

“The digital systems are a total failure,” says Ake Achi, who cofounded Migrants at Work, an organization challenging right-to-work checks in the UK. “People are falling into these gaps because there’s nothing to protect us.”

Paper Thin

In 2019, the Home Office set up its Digital, Data & Technology team—its 2024 strategy emphasized that the digitization of the immigration system was already significantly underway—for example, the “Person Centric Data Platform” provides “a single view of individuals to around 700 services, and this single view is crucial to the protection of our borders.” In 2021, it was revealed the Home Office was “hoarding data” on 650 million people, with very few safeguards. Even more recently, the Home Office was told to stop using an automated decision-making algorithm for short-term visas after a legal challenge, which seemed to indirectly discriminate against people from certain nationalities—such as Pakistan or Nigeria—by labeling these countries as “riskier.” 

For people whose immigration status is not as cut and dry—for example, asylum seekers—these digital systems pose challenges too. For a while, Border Force officials and Home Office staff who were monitoring the arrival of asylum seekers to the UK via the Channel were illegally seizing their phones and extracting data from it. Privacy International, which is mounting a legal challenge over this policy, said that the policy was “in line with this government’s (and many others’) efforts to criminalize migration and rob migrants of their basic human rights.” 

People who are on immigration bail and classified as high risk have to wear GPS ankle monitors, which track where they are 24/7. Those who are classified as low risk may soon have to start wearing “smartwatches” with “facial recognition capabilities,” although it’s unclear whether this technology already exists.

“They have the right to use the data accrued from GPS monitoring—to look at that data anonymously, to understand the impact, looking where people have been frequenting and using that to carry out enforcement activity,” says Rudy Schulkind of Bail for Immigration Detainees. “It’s quite a stigmatizing and degrading thing to put people through, and we don’t know where that data is going to go. It’s got incredibly worrying implications for allowing this kind of technology to be normalized.”

Campaigners and organizers in the sector point out some immediate potential fixes to the digitization of the UK’s hostile environment. “Digitization follows substantive policy priorities,” says Tomlinson. “But just because policy is digital-first doesn’t mean it has to be digital-only. Giving people the option to also have a paper record would make some kind of difference.” Organizations like JCWI have campaigned for people to be given paper records of their visa status. Others have emphasized that the Home Office should put up a data firewall between immigration enforcement authorities and police in cases where a victim is vulnerable—currently, the police refer 204 victims per month to immigration enforcement, including victims of human trafficking and labor exploitation.

In the US, digital systems are a significant part of how Immigration and Customs Enforcement (ICE) teams carry out raids on communities. In Canada, a new automated decision-making tool is increasingly being tested on asylum and immigration applications. In the EU, a massive biometric database—which will be used for migration purposes, among others—is set to become the largest police biometrics database in the world, despite concerns from rights advocates and organizations. Digital-by-default immigration systems are slowly becoming the norm. But in many senses, they exacerbate existing issues with the systems that they work within. 

“There’s a reality in which somewhere up to a million of our fellow citizens are too scared to rent a safe home or to seek help from the police when they’re facing domestic abuse, to get a Covid vaccine, and that’s a big result of the hostile environment, whether it’s digital or not,” says Atkinson. “The ‘Papers, please’ society which this has created exists whether it’s on an app that you’re showing to your landlord or on a piece of paper.”

The Dangerous Digital Creep of Britain's ‘Hostile Environment’

Plus: ICE accidentally doxes asylum seekers, Google fails to uphold a post-Roe promise, and LastPass suffers the second breach this year.

It was another busy week in security that saw big news about protests, surveillance, spyware, data breaches, and more. In the US, recent court filings detail how the FBI’s use of a controversial warrant yielded a trove of Google’s location data from thousands of devices in and around the Capitol on January 6. Meanwhile, in Iran, videos of antigovernment protests shared on social media highlight the importance of Twitter’s role in documenting human rights abuses and the consequences if the social media platform breaks.

On November 30, Google’s Threat Analysis Group moved to block a Spanish hacking framework that targets desktop computers. The exploitation framework, dubbed Heliconia, came to Google’s attention after a series of anonymous submissions to the Chrome bug reporting program. While Google, Microsoft, and Mozilla have all patched the Heliconia vulnerabilities, it’s a good reminder to keep your devices updated. ​​Here’s what you need to know about all the important security updates released in the past month.

Google researchers also found this week that the encryption keys phone-makers use to verify software on their devices are genuine—including the Android operating system itself—were stolen and used in malware.

Finally, we published part six of WIRED reporter Andy Greenberg’s series, “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the downfall of AlphaBay, the world’s largest dark-web marketplace. Read the final installment here, and check out the full book from which the series was excerpted, _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, available now from wherever you buy books.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. 

A deadly fire in an apartment building sparked massive demonstrations in China where thousands of protestors in major cities have taken to the streets in defiance of the nation’s zero-Covid policy. The current wave of protests—the scale of which has not been seen in the country since the deadly 1989 Tiananmen Square protests—has been met with the massive surveillance and censorship apparatus that the state has been refining for decades. Authorities are using facial recognition, phone searches, and informants to identify, intimidate, and detain those who attended protests. 

The protests are stress-testing China’s sophisticated censorship apparatus, and experts say that the sheer volume of video clips has likely overwhelmed China’s armies of censors. Leaked documents from China’s Cyberspace Administration called the protests a “Level I Internet Emergency Response,” and authorities ordered ecommerce platforms to limit the availability of VPNs and firewall-circumventing routers. On Sunday, Chinese-language Twitter accounts spammed the service with links to escort services alongside city names where protests were occurring to drown out information about the protests. 

US Immigration and Customs Enforcement is in hot water after the agency mistakenly posted confidential data about thousands of asylum seekers during a routine update to their website. The data—which included the names, birthdates, nationalities, and detention locations of more than 6,000 individuals—was public for five hours before being taken down by the agency. The data disclosure could expose the immigrants affected by the breach to retaliation from the gangs and governments they had fled. 

The agency’s tech negligence comes as the Biden administration is dramatically expanding the use of technology to monitor immigrants during conditional release through smartphone apps and ankle monitors.

“The US government has an obligation to hold asylum seekers’ names and information in confidence so they don’t face retaliation,” a lawyer at Human Rights First, the organization that discovered the leak, told the _Los Angeles Times_. “ICE’s publication of confidential data is illegal and ethically unconscionable, a mistake that must never be repeated.”

New research shows that Google continues to retain sensitive location data from individuals seeking abortions in spite of promises the company made in July to purge this kind of data from its systems. Researchers with Accountable Tech, an advocacy group, conducted various experiments to analyze the data that Google stores about individuals looking for abortions online. They found that searches for directions to abortion clinics on Google Maps, as well as the routes taken to visit Planned Parenthood locations, were stored by Google for weeks. Google spokesperson Winnie King told the _Guardian_ that users “can turn Web & App Activity off at any time, delete all or part of their data manually, or choose to automatically delete the data on a rolling basis.”

Their findings contradict the pledges Google made after the US Supreme Court overturned _Roe v Wade_. “If our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit,” the company said in July. Five months later, Google appears to have not implemented this change.

LastPass, a popular password manager, is investigating a security incident after its systems were compromised for the second time this year. In a blog post about the incident, chief executive Karim Toubba said that an attacker gained access to their customers’ information using data stolen from LastPass’ systems in August, but did not specify what specific customer information was taken—although he stipulated that users’ stored passwords remained protected by the company’s encryption scheme. “We are working to understand the scope of the incident and identify what specific information has been accessed,” Toubba says. “In the meantime, we can confirm that LastPass products and services remain fully functional.”

China’s Police State Targets Zero-Covid Protesters

Intel Data Center Manager versions 4.1.1.45749 and below suffer from an authentication bypass vulnerability via spoofing.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Intel Data Center Manager  
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html  
Type:           Authentication Bypass by Spoofing [CWE-290]  
Date found:     2022-06-01  
Date published: 2022-11-23  
CVSSv3 Score:   10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)  
CVE:            CVE-2022-33942

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Intel Data Center Manager 4.1.1.45749 and below

4. INTRODUCTION  
===============  
Energy costs are the fastest rising expense for today’s data centers. Intel® Data  
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,  
giving you the clarity you need to lower power usage, increase rack density, and  
prolong operation during outages.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The application allows configuring authentication via Active Directory groups. While  
this by itself isn't an issue, it becomes one as soon as an Active Directory group  
with a well-known SID (such as "S-1-5-32-544" or "S-1-5-32-546") is configured to  
allow authentication to DCM. This is because Intel's DCM only relies on the group's  
SID to allow authentication but doesn't verify the authenticating domain, which the  
user can give during the authentication process against the DCM Console and its REST  
interface.

Since the DCM will send all Kerberos and LDAP (authentication) requests against the  
given domain, it is trivially easy to spoof the authentication responses by using an  
arbitrary Kerberos and LDAP server and replying with the SID of one of the configured  
Active Directory groups.

This allows an attacker to bypass the authentication schema by using any domain  
with any user/password combination without actually being part of any Active Directory  
groups.

6. PROOF OF CONCEPT  
===================  
See the referenced blog post for a full exploit.

7. SOLUTION  
===========  
Update to Intel DCM 5.0 or later

8. REPORT TIMELINE  
==================  
2022-06-01: Discovery of the vulnerability  
2022-06-28: Sent notification to Intel via their PSIRT  
2022-06-28: Vendor response: Sent to appropriate reviewers.  
2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022  
2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022  
2022-07-08: After a vendor call, I've submitted the issue through Intel's bug bounty program  
2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability  
2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942  
2022-11-08: Vendor publishes security advisory INTEL-SA-00713  
2022-11-23: Public disclosure

9. REFERENCES  
=============  
https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942  
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html  
https://github.com/MrTuxracer/advisories

Intel Data Center Manager 4.1.1.45749 Authentication Bypass / Spoofing

By Deeba Ahmed
ESET assigned the vulnerability a CVSS score of 8.1 and tracked it as CVE-2022-4020.
This is a post from HackRead.com Read the original post: Acer Laptop Vulnerability Allows Malware Infection During Secure Boot

Cybersecurity firm ESET’s researchers have identified a vulnerability affecting Acer laptops. The bug isn’t new, as ESET already discovered it affecting Lenovo models, whereas this time, it is impacting several models of **Acer laptops**.

Lenovo fixed the issue and **published** a technical advisory. However, the bug allows attackers to install malware on the device by letting them disable Secure Boot and bypass security mechanisms.

**Vulnerability Details**

ESET assigned the vulnerability a CVSS score of 8.1 and tracked it as **CVE-2022-4020**. It was discovered in the HQSwSmiDxe DXE driver that checks the ‘BootOrderSecureBootDisable’ NVRAM variable for deactivating UEFI (Unified Extensible Firmware Interface) Secure Boot.

> In addition to #Lenovo vulnerabilities we disclosed earlier this month, we discovered another similar vulnerability in #Acer laptops. Same as in Lenovo case, it allows deactivating UEFI Secure Boot by creating NVRAM variable directly from OS. @smolar\_mhttps://t.co/zsDjKGIAjQ 1/3
> 
> — ESET research (@ESETresearch) November 28, 2022

Disabling this feature lets the attacker load their “own unsigned malicious bootloader” so as to gain complete control over the OS loading procedure. Moreover, they can bypass or disable protections to discreetly install malicious payloads, ESET **advisory** read.

“Vulnerability in the HQSwSmiDxe DXE driver on some consumer Acer Notebook devices may allow an attacker with elevated privileges to modify UEFI Secure Boot settings by modifying an NVRAM variable,” researchers explained. NVRAM refers to non-volatile random-access memory variables.

**Acer’s Explanation**

For your information, UEFI is responsible for kickstarting a computer’s hardware while the OS loads. The Secure Boot process has to ensure that malicious code doesn’t get loaded when the device is booting.

On November 23rd, 2022, Acer **explained** that the bug lets the attacker tamper with this mechanism’s settings by creating NVRAM variables. This happens because the firmware driver just checks for the variables’ presence and not their actual value.

At least five models of Acer computers are impacted by this bug, including A315-22, A115-21, A315-22G, Extensa EX215-21, and EX215-21G. Acer is currently trying to resolve the issue with a BIOS update, which will be posted on its **Support site** soon and will be included as a **Critical Windows Update**. The company recommends users update to the latest BIOS version.

Acer Laptop Vulnerability Allows Malware Infection During Secure Boot

A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities.

Over the past 15 years, several events have reshaped how we think about data — what it means from a business perspective and what rights individuals have regarding how their personal information is used. Data security governance undoubtedly will play a large role in the future; however, conversations are still in relatively early stages. 

In 2016, when European regulators created the General Data Protection Regulation (GDPR) as a legislative framework that clearly mandates rules and fines, a fundamental shift occurred that elevated privacy to a board-level discussion. This resulted in CEOs taking part in the conversation while empowering the C-suite to make more decisions. 

Next, the data culture quickly evolved from one of implicit trust (where organizations freely used data without much restriction) to limiting risk (controlling data access based on regulations and customer feedback). While the data protection industry in Europe has made great strides since GDPR came into existence, we still have a long way to go because, for decades, technology solutions were built without privacy in mind. 

In the United States, the picture is quite different, as the lack of federal regulatory legislation leaves privacy concerns to battle for attention with other business priorities. Let's dig deeper into what the future of data privacy looks like across the pond. 

**Beyond Cookies: Delving Beneath the Data Veneer**

Marketplaces built around selling data need to pivot, because the future is about protecting individual data rights and that change goes far beyond a website pop-up asking to approve the use of cookies. Historically, data brokers have cashed in on users' data, which precipitated state laws in Vermont and California that aim to protect consumers by identifying the brokers and determining how they use the information. 

Tech giants like Apple and Google have also increased privacy protections with app-tracking transparency and plans to phase out third-party cookies. These titans of industry are pioneering an important movement that other companies need to follow. There's hope that legislation may spark further change, especially with privacy receiving bipartisan support.

If the American Data Privacy and Protection Act (ADPPA) takes effect in the United States, the biggest win would be a common standard for how to handle data. States like California have already established stricter standards for data privacy through the California Consumer Privacy Act (CCPA). Compliance requirements and hefty fines would be important accelerators in protecting consumer data. 

**Privacy Needs Security **

A comprehensive data security strategy is essential and a prerequisite to an overall privacy-centric posture for data-driven organizations. It's imperative to implement scalable, fine-grained access controls so policies can keep the data safe in the first place.

As the pendulum shifts toward implementing broader and complete data security strategies, companies need to adjust. The work of chief information security officers (CISOs), chief data officers (CDOs), and chief information officers (CIOs) alongside their actions is more critical than ever, because they are responsible for implementing tools and processes that help align companies toward their privacy-related goals. The increased focus on a complete data security strategy applies to data-driven organizations of any size. 

A Cisco study cites that 92% of organizations claim privacy to be integral to their culture, but it comes with a technical challenge. Oftentimes, CISOs and CIOs are confronted with data spread across their organization and they need to gain visibility into all their siloed, heterogeneous data to understand who controls, maintains, processes, and accesses which parts of the data. 

This challenge is exacerbated by the need to modernize with cloud-native technologies so companies have a better understanding of how data is used and that it is used in accordance with privacy guidelines, principles, and any governing legislation. 

**A Look into the Future**

None of this happened by accident. Consumers didn't like data collection practices and they spoke up. Legislators heard from their constituents and started creating regulations like the ADPPA. Companies started serving consumers differently and taking data privacy seriously.

Consumer awareness of how data is collected and used is becoming mainstream. According to HubSpot's "2022 State of U.S. Consumer Trends Report," 80% of consumers consider data privacy a human right and believe individuals should have complete control over how companies use their data. As a result of these growing trends, more businesses should leverage privacy as a differentiator. 

There is still a gap between companies' intent to satisfy data privacy concerns and the action that protects that information. As consumers become better educated about how their data is used, and legislation inches closer to reality, it becomes even more critical. Making the right investments in data security provides visibility, access control, and insights into your data while ensuring compliance, and can help make all the difference.

Why the Culture Shift on Privacy and Security Means Today's Data Looks Different

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#acer