News in brief: few girls studying computing; new Galaxy Note battery issue; fine over parking data breach

Created: 18 August 2017

Your daily round-up of some of the other stories in the news

Concern at number of girls studying computing

There’s been a lot of focus on how to improve the representation of women in the tech industry in the wake of concerns about the culture at companies such as Uber, and many experts agree that it’s important to focus on the pipeline and to encourage girls and young women to choose relevant subjects at school.

So the news that just 9.8% of those taking the A-level computing exam at 18 are girls has sparked concern – as did the low overall number taking the course, the BBC reported.

Bill Mitchell of BCS, the chartered institute for IT, said in response to the figures from the Joint Council for Qualifications: “Today’s announcement that nearly 7,600 students in England took A-level computing means it’s not going to be party time in the IT world for a long time to come,” and added: “At less than 10%, the numbers of girls taking computing A-level are seriously low.”

He went on: “We need to make sure that our young women are leaving education with the digital skills they need to secure a worthwhile job, an apprenticeship or go on to further study.”

Battery fears hit Samsung again

Remember the debacle over the Samsung Galaxy Note 7 and the overheating batteries? Now Samsung has been hit by another battery issue – some refurbished Galaxy Note 4 devices are having their batteries recalled.

However, this time it’s not Samsung’s fault: the 10,000-odd affected devices, according to the US Consumer Product Safety Commission, which issued the recall, are “batteries placed into refurbished AT&T Samsung Galaxy Note 4 cellphones by FedEx Supply chain and distributed as replacement phones through AT&T’s insurance program only”.

The affected batteries are apparently counterfeit, and are at risk of overheating. Although the Note 4 is three years old, the affected phones were sent out to customers fairly recently, between December 2016 and April this year as replacements via AT&T.

If you’ve got one of these devices, power down the phone and don’t use it – you’ll be hearing from FedEx.

Council fined over parking data breach

A local authority in London has been fined £70,000 after it exposed the personal information of 89,000 people via its parking ticket system, which allowed people to see CCTV images of their alleged parking offence.

The Information Commissioner’s Office, the UK’s data regulator, fined the council after a member of the public realised that by manipulating a URL on the council’s Ticket Viewer system they could access the information of other people including bank details, medical evidence and home addresses and phone numbers.

Sally Anne Poole, the ICO enforcement officer, said: “People have a right to expect their personal information is looked after. Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure, it can have distressing consequences for all those involved.”

The ICO said that the council had tested the system neither before it went live nor regularly after that.


Source: Naked Security


How likely is a ‘digital Pearl Harbor’ attack on critical infrastructure?

Created: 18 August 2017

It’s coming on two decades now since the first warnings that US critical infrastructure is vulnerable to a catastrophic cyberattack. According to some experts, it is perhaps more vulnerable now than ever – the threats are worse and the security is no better.

But how likely is such an attack? There is still plenty of debate about that.

Richard A Clarke, who in 2000 was the US’s top counter-terrorism and cybersecurity chief, gets credit for coining the term “digital Pearl Harbor”. He said at the time that it was “improbable,” but added that “statistically improbable events can occur”.

There have been similar warnings since from top government officials – former defense secretary Leon Panetta paraphrased Clarke in 2012, warning of a “cyber Pearl Harbor” – a major cyberattack on industrial control systems (ICS) that could disable the nation’s power grid, transportation system, financial industry and government for months or longer.

Of course, nothing even close to that catastrophic level has happened – yet. And there are a number of experts who say such doomsday language is gross hyperbole, peddling nothing but FUD (fear, uncertainty and doubt). Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC), said at the 2015 RSA conference that squirrels and natural disasters were a more realistic threat of taking down the grid than a cyber attack.

But a couple of experts in ICS – the equipment used to operate the grid and other critical infrastructure – say they are increasingly troubled that security has not really improved since the warnings began.

Galina Antova, co-founder and chief business development officer at Claroty, recently referred in a blog to “The Lost Decade of Information Security”, saying:

“We are no better off today in terms of cybersecurity readiness than we were 10 years ago. The threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.”

She has some company in the person of Joe Weiss, managing partner at Applied Control Solutions, who has said for years that ICS security is dangerously lax. Writing on his “Unfettered” blog last week, Weiss said there is essentially no security in ICS process sensors, the tools to detect anomalies in the operation of ICSs – which means an attacker could get control of them relatively easily and create major physical damage.

Weiss cited a number of sensor “malfunctions” that illustrate the problem. One, he said, resulted in the release of 10m gallons of untreated wastewater. Another, he said, was the rupture of a pipeline in Bellingham, WA, which released 237,000 gallons of gasoline into a nearby creek causing it to catch fire, killed three people, caused an estimated $45m in property damage and led to the bankruptcy of the Olympic Pipeline Company.

“That happened in June, 1999,” Weiss said in an interview. “How can that be relevant today? It turns out every bit of it is, because the same flaws that existed then exist today.”

He said in most cases there is no way to know if what happened was an accident or a malicious attack, because of a lack of visibility into the networks. And he wondered on his blog: “How can this lack of security and authentication of process sensors be acceptable?”

What to do? That is where Weiss and Antova part company – just a bit. Antova said she agrees that the sensor flaws exist and, as she wrote, the threat of major ICS attacks “is real and just over the horizon”. But, in an interview, she also said she is “allergic” to describing the threat at either extreme – in relatively trivial terms (squirrels) or disaster (Pearl Harbor).

She said it is not simple or quick to fix flaws in sensors. “Engineers know it takes years to design,” she said, “and it can take 25 to 35 years to replace the architecture” of ICS equipment. She ought to know – she was formerly global head of industrial security services at Siemens, a leading manufacturer of power generation and transmission systems.

In her blog post, she called for implementing what is practical and feasible – the kind of “security hygiene” steps that would keep ICS from being the “low-hanging fruit” it is now: patching, taking network segmentation seriously, and giving IT professionals visibility into the networks.

What has hampered that, she wrote, has been a failure to “bridge the gap” between IT and engineering staff, each of whom, “approach the world with different viewpoints, backgrounds and missions.” Engineers, she noted, focus on keeping things physically safe and running. Anything that impedes that, they reject.

She also said government regulatory frameworks and standards are, in many cases, not practical. One example she cited was the push for “air-gapped” networks. It sounded good, she said, but it interfered too much with efficiency and the needs of the business. “As a result, air gaps now have one thing in common with unicorns – they don’t exist,” she wrote.

But just doing security basics would help. “You have to start somewhere,” she said.

Weiss contends it is possible, and necessary, to be both more aggressive and creative. Part of the problem, he said, “is a failure of imagination. When you look at the bad guys, they really are bad guys. We need to think like bad guys.”

But the two agree that there needs to be better communication between operations and IT. “We’ve got to have engineering in the same room when IT comes in and says this is what I want to do,” Weiss said. “Every time there’s an important meeting in DC on cybersecurity, GE and Siemens aren’t there.”

And both agree that the risk of something really serious happening is growing. “We know these (ICS) networks are exposed,” Antova said. “They are resilient and have safety measures, but for a skilled hacker, it’s not that hard to fool safety equipment.”

The real menace, she said, is that ransomware like WannaCry and Petya is not just in the hands of nation states, but, “in the hands of every crazy person. I don’t think people realize how poor the cyber hygiene is.”

Source: Naked Security


Drone firm says it’s stepping up security after US army ban

Created: 18 August 2017

Two weeks ago, the US Army told its troops that using drones from DJI – maker of the world’s best-selling drones – was henceforth verboten, given unspecified vulnerabilities discovered by its research lab and the US Navy.

While the army was keeping mum about those vulnerabilities, others haven’t been so circumspect. Rather, they’ve been talking for months about sensitive information having the potential to be scattered in the tailwinds.

In May, Kevin Pomaski, a chief pilot for one of the largest commercial UAS service providers in the US, wrote an article about highly sensitive information that can be revealed in conversations between unmanned aerial system (UAS) pilots and their clients: details that he said can include infrastructure, stadiums, military installations, construction sites, details about security, details about the drone itself, details about the drone operator, and more.

This sensitive data is vulnerable to interception, he said:

Critical infrastructure access and layouts are being captured every day. This information may be accessed by foreign actors that mean to harm the countries that these locations are in. The complete data record can be cataloged by pilot, region or location and a full report of the layout, security response, names of people will be revealed. Corporate espionage agents would love to have visual and audio details of that new system being captured by the drone in any industrial field of pursuit.

More recently, rumors have been flying about operators being told not to show up for work at US government agencies unless they bring American-made drones with them. According to sUAS News, the unspecified government agencies allegedly have security concerns about data being shared unwittingly.

If the allegations are true, it adds up to a ban on the Chinese-made DJI equipment. DJI is, after all, a Chinese company, governed by Chinese law, as Pomaski pointed out.

He dissected the privacy policy of DJI’s Go app and came up with a number of issues around sensitive data. For example, this passage from the privacy policy notes that personal information could be transferred to offshore servers:

The DJI Go App connects to servers hosted in the United States, China, and Hong Kong. If you choose to use the DJI Go App from the European Union or other regions of the world, then please note that you may be transferring your personal information outside of those regions for storage and processing. Also, we may transfer your data from the US, China, and Hong Kong to other countries or regions in connection with storage and processing of data, fulfilling your requests, and providing the services associated with the DJI Go App. By providing any information, including personal information, on or through the DJI Go App, you consent to such transfer, storage, and processing.

Now, two months after the army banned DJI drones, DJI has responded by adding a privacy mode to its equipment to prevent flight data being shared to the internet.

On Monday, DJI announced that it’s adding a local data mode that stops internet traffic to and from its flight control apps “in order to provide enhanced data privacy assurances for sensitive government and enterprise customers”.

The company says the privacy mode had been in the works for months, before the army ban. The new privacy mode, due out in future app versions expected in the coming weeks, entails a tradeoff: blocking all internet data means that DJI apps won’t…

  • update maps or geofencing information, meaning pilots could wind up flying in banned zones
  • notify pilots of newly issued flight restrictions or software updates
  • be able to upload to YouTube

On the plus side:

[Local data mode] will provide an enhanced level of data assurance for sensitive flights, such as those involving critical infrastructure, commercial trade secrets, governmental functions or other similar operations.

The army memo had told troops to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

However, the army has reportedly walked that ban back a bit, sUAS News reported on Monday. A second memo had reportedly gone out at the end of last week, to the effect that the army will grant exceptions to the ban once a DJI plugin has passed OPSEC (Operational Security) scrutiny.

Source: Naked Security


‘Pulse wave’ DDoS – another way of blasting sites offline

Created: 18 August 2017

After all the excitement over 2016’s Mirai Internet of Things (IoT) DDoS attack, you could be forgiven for thinking that the criminal pastime of overloading servers with lots of unwanted traffic has gone a bit quiet recently.

It’s been this way for years. DDoS attacks tend not to be noticed by anyone other than service providers unless they are particularly huge, hit well-known websites, or manifest nastiness such as the notorious DD4BC extortion gang attacks of 2015.

Such attacks make the news only infrequently, yet beneath the surface – among service providers fighting fires, and behind the commercial secrecy that keeps many attacks unreported – innovation rumbles on.

Now, mitigation company Incapsula has spotted an example of this behind-the-scenes evolution in the form of “pulse wave”, a new type of attack pattern which, from the off, had its experts intrigued.

DDoS attacks, which spew forth from botnets of one type or another, normally follow a format in which traffic increases before a peak is reached, after which comes either a gradual or sudden drop. The rise has to be gradual because bots take time to muster.

The recent wave of pulse attacks during 2017 looked different, with massive peaks popping out of nowhere rapidly, often within seconds. Demonstrating that this was no one-off, successive waves followed the same pattern.

Says Incapsula:

This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.

Granted, but to what end?

The clue was in the gaps between the “pulses” of each attack. In fact, the botnet or botnets behind these attacks were not necessarily being switched off at all – the gaps were just the attackers pointing it at different targets, like turning a water cannon. This explained the rapid surge in traffic on the commencement of each attack.

It’s likely not a coincidence, Incapsula claims, that this pattern causes problems for one DDoS defence, which is to use on-site equipment with fail-over to a cloud traffic “scrubbing” system in the event that an attack gets too big. Because traffic ramps almost instantly, that fail-over can’t happen smoothly, and indeed the network might rapidly find itself cut off.

If that’s true, organisations that have built their datacentres around sensible layered or “hybrid” DDoS defense will be in a pickle. Either they’ll have to beef up their in-house mitigation systems or convince their cloud provider to offer rapid fail-over. Incapsula, we humbly note, sells cloud-based mitigation.
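To make the difference concrete, here is an added example (not Incapsula’s code) that classifies a per-second traffic series as a classic ramp or a pulse wave, and models how much of each attack a hybrid on-site/cloud defence would be exposed to while the cloud scrubber is still engaging. The sample traffic, the thresholds and the fail-over delay are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

# Assumed detection parameters (not Incapsula's published figures).
BASELINE_GBPS = 1.0    # normal traffic level for the protected site
HIGH_FACTOR = 10.0     # a burst counts once traffic reaches 10x baseline
QUIET_FACTOR = 2.0     # ...and ends once it falls back under 2x baseline
RAMP_LIMIT_S = 5       # botnet ramps normally take far longer than this


@dataclass
class Pulse:
    start: int        # first second above the quiet level
    peak_gbps: float
    end: int          # last second of the burst
    ramp_s: int       # seconds from quiet level to HIGH_FACTOR x baseline


def find_pulses(series: List[float], baseline: float = BASELINE_GBPS) -> List[Pulse]:
    """Split a per-second Gbps series into bursts and measure each ramp."""
    high, quiet = baseline * HIGH_FACTOR, baseline * QUIET_FACTOR
    pulses, i, n = [], 0, len(series)
    while i < n:
        if series[i] < high:
            i += 1
            continue
        start = i                       # walk back to where the ramp began
        while start > 0 and series[start - 1] > quiet:
            start -= 1
        end, peak = i, series[i]        # walk forward to the end of the burst
        while end < n and series[end] > quiet:
            peak = max(peak, series[end])
            end += 1
        pulses.append(Pulse(start, peak, end - 1, i - start))
        i = end
    return pulses


def classify(pulses: List[Pulse], tolerance_s: int = 2) -> str:
    """'pulse-wave' needs at least two bursts that all ramp almost instantly
    and recur at a steady interval; anything else is reported as 'classic'."""
    if len(pulses) < 2 or any(p.ramp_s > RAMP_LIMIT_S for p in pulses):
        return "classic"
    gaps = [b.start - a.start for a, b in zip(pulses, pulses[1:])]
    return "pulse-wave" if max(gaps) - min(gaps) <= tolerance_s else "classic"


def exposed_seconds(series: List[float], onprem_gbps: float,
                    trigger_gbps: float, failover_delay_s: int) -> int:
    """Seconds in which traffic exceeds on-site scrubbing capacity while the
    cloud scrubber is still engaging. Simplified hybrid model: fail-over is
    triggered the first second traffic crosses trigger_gbps, takes
    failover_delay_s to engage, and is torn down again once traffic subsides."""
    exposed, cloud_ready_at = 0, None
    for t, gbps in enumerate(series):
        if gbps >= trigger_gbps:
            if cloud_ready_at is None:
                cloud_ready_at = t + failover_delay_s
            if gbps > onprem_gbps and t < cloud_ready_at:
                exposed += 1
        else:
            cloud_ready_at = None       # attack subsided: back to on-site only
    return exposed


def classic_attack() -> List[float]:
    """Constructed: bots muster over a minute, hold, then drop away."""
    ramp = [1.0 + (k * 19.0) / 60 for k in range(61)]      # 1 -> 20 Gbps
    return [1.0] * 10 + ramp + [20.0] * 30 + [1.0] * 10


def pulse_wave_attack() -> List[float]:
    """Constructed: 300 Gbps arrives within a second, three times, with the
    botnet aimed elsewhere in between (the article cites ~300 Gbps pulses)."""
    return [1.0] * 10 + ([300.0] * 20 + [1.0] * 20) * 3


if __name__ == "__main__":
    for name, series in (("classic", classic_attack()),
                         ("pulse wave", pulse_wave_attack())):
        pulses = find_pulses(series)
        print(name, classify(pulses), [(p.start, p.ramp_s) for p in pulses],
              "exposed seconds:", exposed_seconds(series, 15.0, 5.0, 30))
```

With a 30-second fail-over delay, the gradual attack gives the cloud scrubber time to engage before on-site capacity is exceeded, while every pulse of the pulse wave re-triggers fail-over and saturates the site for its full duration.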

All in all, it sounds like a small but important technical innovation that will be countered with the same. Given the impressive traffic these botnets seem able to summon at will – reportedly 300Gbps for starters – it would be unwise to dismiss it as just another day at the internet office.

Or perhaps the real innovation in DDoS criminality isn’t in the way traffic is pointed at victims so much as the tragic wealth of undefended servers and devices that can be hijacked to generate the load in the first place.

This was one of the surprising lessons of Mirai and perhaps it has yet to be learned: never underestimate the damage a motley collection of ignored and forgotten webcams and home routers can do to some of the internet’s biggest brands if given the chance.

Source: Naked Security


Phone location privacy – for armed robber – headed to Supreme Court

Created: 18 August 2017

Armed robbers are not sympathetic characters. Which means defending their right to privacy might not get much sympathy either.

But, as multiple privacy advocates note, it’s not just about them – it’s about the rest of us: if their privacy isn’t protected, neither is yours and neither is anyone’s.

That is at the heart of a case now headed to the US Supreme Court (SCOTUS). The legal issue is whether cell phone users “voluntarily” turn over cell tower location data to the carriers, which therefore means it is not private. It is a sure bet that almost nobody thinks that, since they don’t get to volunteer. If they want to use their phones, the carrier collects the data.

But the emotional/political issue is that it’s about a convicted criminal. Which recalls the words of HL Mencken, the iconic journalist and cultural critic, who famously said:

The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.

The scoundrel in this case is Timothy Ivory Carpenter, convicted in 2013 of six robberies of cell phone stores in the Detroit area, and using a gun in five of them. He was sentenced to 116 years for his role in the crimes, committed with several others, including his half-brother, Timothy Michael Sanders.

But part of the evidence used to convict Carpenter was data from wireless carriers, which prosecutors said placed his phone within a half mile to two miles of the sites of the robberies when they were committed.

Carpenter and Sanders appealed, with the backing of the American Civil Liberties Union (ACLU) and other groups, arguing that the collection of that data without a warrant violated his Fourth Amendment protection against unreasonable search and seizure.

They failed at the Appeals Court level in April 2016, when the Sixth US Circuit Court of Appeals found that while personal communications are private, “the federal courts have long recognized (that) the information necessary to get those communications from point A to point B is not,” which includes the metadata from cell phone towers. The court added that such data

… are information that facilitate personal communications, rather than the content of those communications themselves. The government’s collection of business records containing these data therefore is not a search.

It also noted that access to the phone records had been granted by magistrate judges under the Stored Communications Act (SCA), which the FBI sought after one of the robbers confessed and then gave the agency his cellphone along with the numbers of other participants.

However, the FBI didn’t seek a warrant. And that prompted the appeal, which the Supreme Court is scheduled to hear in the term that begins in October, and which has prompted a small blizzard of amicus briefs from privacy advocates including the Electronic Frontier Foundation (EFF), the Electronic Privacy Information Center (EPIC) and another from more than a dozen of the nation’s top tech companies including Airbnb, Apple, Cisco Systems, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest Labs, Snap, Twitter and Verizon.

One of their biggest objections to the Appeals Court decision is that it is based, as the court said, on “long recognized” precedent. Long, as in long ago, in the 1970s, when nobody had a cellphone. It holds that information voluntarily given to a third party as part of a business transaction doesn’t qualify for Fourth Amendment protection.

That, the advocates say, is vastly out of date – applying analog rules to a digital world – since just about everybody now carries a cellphone. There are now an estimated 396m mobile accounts in the US (more than the nation’s population), and the location data gathered by cell towers is becoming as precise as GPS tracking.

Even if location services are shut off on a phone, simply operating the phone means it connects to cell towers, generating data called cell site location information (CSLI). According to the EFF brief, “as the number of cell towers has increased and cell sites have become more concentrated, the geographic area covered by each cell sector has shrunk,” which makes it possible to determine where a phone is within 50 meters.

The tech companies’ brief also noted that the SCA, under which the FBI sought the phone metadata, was enacted in 1986, when, “few people used the internet, almost none had portable computers, and only around 500,000 Americans subscribed to basic cell phone service”.

Other reasons cited by privacy advocates for the Fourth Amendment applying to CSLI include:

  • Users don’t really “voluntarily” turn over that data to the wireless carriers, since they can’t use the phone without doing so. Alan Butler, senior counsel at EPIC, said the Supreme Court has already signaled that it understands that mobile devices “have become embedded into our daily lives. I think the notion that cell phone users necessarily ‘assume the risk’ or ‘consent’ to collection and disclosure of their location information is nonsense and flips privacy law entirely on its head.”

Butler, who also authored a recent post on SCOTUSblog about the Carpenter case, noted that the Supreme Court in 2012 unanimously threw out a conviction for drug trafficking because of evidence gathered by law enforcement putting a GPS tracker on the defendant’s car.

Carrying a phone, he and others have noted, amounts to a GPS tracker monitoring not just where your car goes, but where you go, all the time.

  • If precedent stands, Big Brother can track just about anybody without a warrant. EFF noted that “AT&T alone received 70,528 requests for CSLI in 2016 and 76,340 requests in 2015. Verizon received 53,532 requests in 2016 and 50,066 requests in 2015.” Most of them were warrantless.
  • The location tracking of people extends far beyond real time, unlike human surveillance. It can go back months, or even years, creating a highly detailed record of everywhere a person has been.
  • Given the necessity of cell phones, people now have a “reasonable expectation” that their location information is private.

The lobbying for the Carpenter conviction to be overturned is not unanimous, however. Orin Kerr, a research professor at the George Washington University Law School, in a post on SCOTUSblog, argued that what is really at issue is “what you might call the eyewitness rule: the government can always talk to eyewitnesses”.

In this case, he said, the wireless carrier is an eyewitness. “Customers use their services and hire the companies to place calls for them,” he wrote, which means the business record of what they did for customers doesn’t have Fourth Amendment protection.

The right question for the court, he contended, is not Carpenter’s “expectation” of privacy, but whether he should “have a right to stop others from telling the government about what they saw [him] do”.

Of course, this is about billions of digital “eyes”, not people on the street.

Which calls to mind a talk by Christopher Soghoian late last year, when he was chief technologist at the ACLU, titled “Stopping Law Enforcement Hacking” at the Chaos Communication Congress (CCC). He said:

Many of the court cases that define our basic privacy rights come from cases involving drug dealers, people smuggling alcohol, and paedophiles. So it can be very unpleasant for people to engage in these cases.

But if you wait until the government is using its powers against journalists and freedom fighters, by that point the case law is settled.


Source: Naked Security


News in brief: new Bitcoin fork; HBO hacked; China cracks down

Created: 17 August 2017

Your daily round-up of some of the other stories in the news

Bitcoin fork to become a trident

Just when you think you’ve got your head around the recent fork in Bitcoin, which produced another variant of the cryptocurrency called Bitcoin Cash, the news comes along that it will fork again, in November.

This latest move has its roots in the ongoing 1MB-per-block issue, which – broadly – means that Bitcoin transactions take a long time to process. Each transaction is written to a single block on the blockchain, and each block can, under the original Bitcoin protocol, be only 1MB in size.

The new version of the blockchain software underpinning Bitcoin, which created Bitcoin Cash, can take blocks of up to 8MB, which should speed up processing time substantially. However, that version of the protocol excludes the segregated witness process.

Now there’s a third version of the software in the works, which takes the standards set out in the New York Agreement of May. This version of Bitcoin will set the block size at 2MB and will include segregated witness – and the new version of Bitcoin will be known as Segwit2x.

If all this seems arcane, in many ways it is. But the arcane stuff translates into the real world, where there’s a lot of both hype and concern about the wild west, unregulated nature of Bitcoin, with some flagging up similarities between the cryptocurrency and the unregulated explosion of shadow banking that eventually led to the financial crash.

HBO social media accounts attacked

HBO is in the wars again, with a hacker group calling itself OurMine attacking and taking over several of its social media accounts, apparently to “raise awareness” about lax security at the media giant, Rolling Stone reported on Thursday.

OurMine posted messages on HBO’s accounts on Twitter and Facebook, including corporate accounts and those for HBO hit shows such as Game of Thrones and Silicon Valley, saying “Hi, OurMine are here, we are just testing your security, HBO team please contact us to upgrade the security.”

This is just the latest in a string of attacks on the company, with others led by “Mr Smith” asking for huge sums of money, which thus far HBO has declined to pay. Back in May, HBO told GoT cast members and crew to implement 2FA on their email and other accounts, and meanwhile stolen episodes have been leaked online.

China orders stores to cease selling VPN tools

China has further stepped up its efforts to restrict its citizens’ access to the internet beyond the Great Wall by warning e-commerce platforms over the sale of illegal VPNs.

Shopping giant Alibaba is one of five platforms told to carry out “immediate self-examination and correction”, Reuters reported on Thursday. The instruction came in a notice posted by the Zhejiang provincial branch of China’s cyberspace regulator, the Cyberspace Administration of China.

Tools that allow Chinese residents to bypass what’s known as the Great Firewall of China are now banned, with the CAC saying it has “ordered these five sites to immediately carry out a comprehensive clean-up of harmful information [and] close corresponding illegal accounts”.

As well as Alibaba’s Taobao site, social shopping site Mogujie and entertainment platforms Xiami and Peiyinxiu were ordered to remove VPN tools.

Source: Naked Security


Woman targeted with 120 images on public transport via AirDrop

Created: 17 August 2017

On pretty much any given day, you’d rather spend your morning on the subway reading the newspaper, drinking your coffee, or catching up on Instagram than have photos of a stranger’s genitals up on your iPhone.

Unfortunately, the return of an ancient fad known as bluejacking has meant that the air in subway cars has increasingly been polluted by inflicted “dick pics”.

As you may or may not recall, bluejacking first popped up in 2003. It allowed pranksters to exploit mobile phones’ Bluetooth technology, which lets devices communicate with each other up to a range of about 30 feet. When Bluetooth is activated, it automatically seeks out other Bluetooth devices in the vicinity, and that lets people send anonymous messages – or, say, pictures of their junk, as goes the modern rendition – to each other.

As Sophos technical support reported many moons ago, getting anonymous messages panicked some users into thinking they might be under attack from a mobile phone virus.

That’s exactly what bluejackers were after: that shocked look on a recipient’s face as they blasted out unexpected junk.

Ironically enough, the idea for bluejacking was originally that of a woman, and the first victim was a man, though there are other origin stories about it having been first carried out by a Malaysian IT consultant who used his phone to advertise Sony Ericsson. At any rate, as the BBC tells it, a woman going by the name of Ellie had said that the “priceless” expression on the face of her first victim as he tried to work out what was going on had turned her into a regular bluejacker.

She reportedly put up a tutorial on a message board that, back then, was a favorite among owners of SonyEricsson phones, explaining that …

[The victim’s expression], mixed with not knowing whether the victim will react in an amused/confused or negative way gives me an adrenaline rush.

Fourteen years after adrenaline junkies were getting high on bluejacking, we now have AirDrop: an iPhone file-sharing app that enables users to send photos, videos and documents instantly over a wireless connection.

Nowadays, many people have AirDrop on by default, given that it’s used for NFC payments. That means there are plenty of phones that are beaming out come-hither signs over the airwaves, and there are plenty of perverts ready to freely spew their pixels on to them.

And that’s exactly what’s happening. The reference to 120 penis portraits wasn’t an exaggeration: Sophie Gallagher, a writer for Huffington Post UK, on Tuesday posted a story about having been cyber-flashed with a flock of more than 100 down-the-pants images via AirDrop while traveling on the London Underground.

That’s 120 images, to be exact, she later reported in a post that took people to task for blaming the victim.

“Stop telling me to turn my AirDrop off,” she said, in spite of the fact that, well, shutting your Wi-Fi up would in fact stop the wiener parade:

Yes, turning it off stops me from receiving the pictures, it makes it harder for the perverts to contact you when you have the nerve to leave the house in the morning.

But it doesn’t stop the offender from sending them to someone else, from believing that they can hide behind their phone screen and cause harm and distress to unsuspecting people around them.

And quite honestly it is insulting to men to suggest that the only way they can resist making sex offenders of themselves is to block their methods of communication.

Insulting? Well, it might be more like “pragmatic”. Dr Justin Lehmiller, a Harvard University psychology professor, has suggested (in the absence of much research on the topic) that the (extremely) common phenomenon of sending unwanted penis pictures to women could be attributed to cognitive biases that have evolved to help with reproduction.

I suspect that the most likely explanation is that men are simply misperceiving women’s interest in receiving photos of their junk. There’s a large body of research indicating that men aren’t very good at determining how interested women are in sex.

In fact, research has shown that men often mistake friendliness for flirting. Basically, women have to club them with eggplants – did you know that the eggplant emoji is a stand-in for “penis?” – to get across the idea that they don’t want to get a closeup of their zucchinis.

How should one react when one receives images of a stranger’s floppy flesh? Some suggest aggressively:

While others point out that this could escalate the situation to the point of stalking or other threatening behavior.

It’s advisable to report the matter to police. As the HuffPo has reported, few women do so, and London police, at least, seem to think that there’s no epidemic going on. (New York police seem to know better.)

It’s well worth reporting incidents to the police, both to get them up to speed with the frequency of unsolicited dick pics and to get the senders caught.

Because yes, it’s a crime. In England, sending indecent images is classified under section 66 of the Sexual Offences Act (2003), given that it’s the same as exposing genitals and intending that the recipient “see them and be caused alarm or distress”. The penalty for breaking the law is a prison term of up to two years.

Detective chief inspector Kate Forsyth from the British Transport Police told HuffPost UK:

My message to offenders is clear, while you might think you can hide behind modern technology in order to carry out abuse, you leave a digital footprint and stand a very good chance of being caught, arrested and ending up on the sex offenders’ register.

And that might be a lot of offenders finding their way on to the register: a survey of more than 5,500 American singles found last year that 53% of the women they asked had been on the unwilling receiving end of an unsolicited dick pic. People, just don’t send photos of your junk to someone else unless you know it will be welcome – and by “know it will be welcome”, we mean “that you’ve got explicit consent to send”.

Source: Naked Security


Uber faces privacy audits every two years until 2037, rules FTC

Created: 17 August 2017

Surely someone inside Uber had doubts about the riskiness of the company’s internal software program today infamously known to the world as “God View”.

If the name “God view” doesn’t sound dystopian enough, the description of what it was for – monitoring the location of customers taking rides in real time – should have made management think hard about the potential for it to be misused.

Including by them, it turns out: in 2014, it emerged a senior vice-president had used the system to monitor a journalist said to be hostile to the company as she moved around New York as a way of, allegedly, spying on her.

Last year, a former employee claimed that this was no one-off with God View being used to track:

High-profile politicians, celebrities and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses.

That’s a lot of intrusive God Viewing for one company, although it’s fair to say that the concept of big internet companies having access to the intimate details of their users’ lives doesn’t only apply to Uber.

In the event, in November 2014 the company responded by re-stating its privacy policy, including that it had deployed an automated tool to monitor employee access to God View as a way of deterring abuse.

The US FTC later discovered that tool was in use for less than a year, abandoned for reasons that still aren’t clear. Separately, around the same time, the New York Times also discovered that Uber started using a tool called Greyball to track officials investigating the company’s operations in a number of cities.

Compounding all this, the company had failed to encrypt driver data stolen during a 2014 data breach said at the time to affect 50,000 but since upped to 100,000.

This week the FTC ruled on this catalogue of data privacy problems and bad behaviour. FTC acting chairman Maureen K Ohlhausen summarised:

Uber failed consumers in two key ways: first by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data.

Among a series of undertakings, Uber has six months to undertake an independent audit of its privacy controls, which will have to be repeated every two years until 2037.

That sounds like a big deal until you realise that in 2011 the FTC handed the same 20-year privacy undertaking to Facebook and Google, and in 2014 to Snapchat. This kind of privacy case in the EU could perhaps have resulted in a fine large enough to, at the very least, seriously annoy investors. In the US, companies end up with extra admin.

But damage has still been done, not only to Uber’s image but also the fast-sinking notion that Silicon Valley shows how technology and society can work together in a mutually beneficial way.

To a growing band of sceptics, Uber’s God View is just the latest example of the tech industry’s irresistible temptation to become unhinged by its own importance in pursuit of objectives it refuses to be honest about.

Source: Naked Security


Got an iPhone? Here’s what we think about the security of iOS11

Created: 17 August 2017

We’re due for an update to Apple’s iOS pretty soon, as the current stable release, iOS 10, is nearly a year old and iOS 11’s beta is rumored to be near completion and ready to launch soon.

Exactly when we don’t quite know – Apple isn’t forthcoming about details of its roadmaps, and simply says it’ll be “this fall”. (For reference, iOS 10 came out in early September 2016, just in case we’re looking at a yearly schedule.) As we’re counting down the last days of summer in the northern hemisphere, the iOS 11 official launch is likely not long away.

So it seemed a good time to take the beta for a whirl on my old iPhone 6 to see what changes coming might be of interest to the security-minded. (You can read the very shiny list of major updates on the official iOS preview page from Apple; not everything I cover below actually appears on the preview.)

A lot of the changes touted by the official pronouncements are about usability, design, and accessibility changes — all well and good, of course — but I want to kick the tires a bit with the security and privacy settings.

The lock screen: more talk-y, less lock-y

Setting up a passcode on your mobile devices is one of the most basic privacy measures you can, and should, take. We’ve covered before that you also should disable Siri access on your lockscreen, as Siri has been an attack vector in the past to bypass basic security measures and gain access to your private phone data (like stored photos) even when the phone is locked.

And yet, even with Siri disabled and a passcode enabled, the iOS 11 update negates a lot of the purpose of the lockscreen altogether. Even with iOS 10, Apple lets us know that more and more of our phone app notifications can be shown on the lockscreen without needing a passcode to see them — so you can act on them quickly, of course — and it seems with iOS 11 that trend continues.

iOS 11 adds viewing the Control Center (the menu that you can pull up from the bottom of the screen) and returning missed calls to the list of options that work while the phone is locked, in addition to the features that were already available on iOS 10. All of these options are turned on by default.

Is this necessarily a problem? Of course not. However, it could be problematic if your phone is in the wrong hands. A passcode should mitigate the risk to you if your phone is stolen or misplaced; ideally the passcode should help render your phone all but useless to the person who now has it.

But by default now you can still access several features while the phone is still technically locked; personally, if my phone were stolen I wouldn’t want anyone to be able to access my Wallet credit cards (especially since many transactions don’t ask for a PIN), read my app notifications, or see what was on my day’s agenda. While I can see the utility in being able to respond to phone calls or messages from a lock screen — assuming the person who now has my phone is a good Samaritan — in general, if my phone is in the wrong hands, I want my phone to be completely useless to them.

Ultimately this is a matter of your comfort and risk tolerance — if the convenience of these features is worth it for you, then you can leave them all enabled.

But if you’d rather keep your lockscreen, well, lock-y, you’ll be able to disable any lockscreen notifications you prefer under Settings > Touch ID & Passcode, scrolling down to the “Allow Access When Locked” area.

More of iCloud keychain

For those who already use Apple products and Keychain, you may be happy to find out that the iCloud Keychain is even more integrated into iOS 11 than in previous iterations, with greater management and visibility within iOS. Under the Settings area, there’s a new section called “Accounts & Passwords” where you can manually add credentials (which I imagine might be quite tedious) or, when iOS detects a credential set, accept its prompt to save the credentials.

The credentials above are ones I entered and saved on my iPhone 6 with the iOS 11 beta, and these credentials also appeared on my Macbook’s Keychain under “iCloud” (hence iCloud Keychain), but the credentials already saved on my Macbook’s iCloud Keychain didn’t also sync back up to my iPhone’s “App & Website Passwords” area.

Right now, or at least how I seem to have things configured, it seems like credential sharing could be one-way — iDevices to the greater Keychain account only — but it’s entirely possible I didn’t set things up correctly.

Nonetheless, this makes password management more streamlined and accessible for people who might not want to use a standalone password manager. I already use a password manager across my devices that I don’t intend on abandoning, but if I didn’t have that option I might consider going with this instead.

A bit more granularity over location sharing

This one’s a minor change, but a nice one: all apps that use any kind of location services are required to have three options for location access: Always, While Using, and Never. While most apps in iOS 10 already used these three options, it was not hitherto required to have “While Using”, so if an app needed any kind of location access, it’d ask to have this access in perpetuity and not just when it needed it. (Uber was a rather notorious example of this.)

Of course, the master switch for location services is still right up at the top of the Location Services settings page, and you can simply turn the whole thing off.

If you want to play along at home and give the iOS 11 beta a shot, it’s pretty simple to do. Keep in mind that beta means things could be potentially wonky, and ultimately there is some, albeit minute, risk; so back up all your files before trying the beta and, better yet, try it out on a device that isn’t one you rely on day-to-day.

Ready to take the plunge? Follow Apple’s instructions here (it will prompt you to log in with Apple credentials) and NB you’ll have a much easier time if you’re installing via Safari.

Source: Naked Security


It’s baaaack: Locky ransomware is on the rise again

Created: 17 August 2017

Thanks to Dorka Palotay of SophosLabs for her behind-the-scenes work on this article.

Locky was once among the most dominant strains of ransomware. Over time, it receded from view, replaced by ransomware such as Cerber and Spora. But in the last couple of weeks, Locky has returned.

Last week it sported a new extension: .diablo6. This week researchers are seeing more new variants, now with a .lukitus extension. SophosLabs researcher Dorka Palotay said the new variants perform the usual Locky behavior:

It is spread by spam email and comes with a .zip attachment with a .js file inside (e.g. 20170816436073213.js). It downloads the actual payload, which then encrypts the files.

Email characteristics, payloads

The .lukitus variant comes with email subject lines like “PAYMENT” and the following body content:

The Diablo variant used the body content “Files attached. Thanks” and the sender’s email address had the same domain as the recipient’s. The emails came with the .zip attachment “E 2017-08-09 (957).zip”, which contained a VBScript downloader called “E 2017-08-09 (972).vbs”. The script would then download the Locky payload from an address ending with /y872ff2f.

The .lukitus version connected to its command-and-control server via these addresses:

  • hxxp://185[.]80[.]148[.]137/imageload.cgi
  • hxxp://91[.]228[.]239[.]216/imageload.cgi
  • hxxp://31[.]202[.]128[.]249/imageload.cgi

The diablo6 version connected to its command-and-control server via these addresses:


Defensive measures: malicious attachments

Sophos is protecting customers from the latest Locky campaigns. But it helps to keep the following advice top of mind:

  • If you receive an attachment of any kind by email and don’t know the person who sent it, DON’T OPEN IT.
  • Configure Windows to show file extensions. This gives you a better chance of spotting files that aren’t what they seem.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping an initial booby-trapped PDF or HTA file.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
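The two defensive ideas above, blocking script-bearing attachments at the gateway and watching for connections to the published command-and-control addresses, can be turned into simple checks. The following is an added example written for this article, not SophosLabs code: it refangs the defanged C2 URLs quoted above so they can be matched, inspects a zip attachment for the script extensions the campaigns used (.js and .vbs), and scans proxy log lines for hits on the C2 hosts. The proxy log format, the client addresses and the zip contents are constructed for the demonstration.

```python
"""Detection helpers built around the Locky indicators quoted in the article.

Added example. The defanged C2 URLs are the ones published above; the proxy
log lines, client addresses and zip attachments are constructed test data.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

# Defanged C2 addresses quoted in the article for the .lukitus variant.
DEFANGED_C2 = [
    "hxxp://185[.]80[.]148[.]137/imageload.cgi",
    "hxxp://91[.]228[.]239[.]216/imageload.cgi",
    "hxxp://31[.]202[.]128[.]249/imageload.cgi",
]

# Script types the article reports as downloaders inside the zip attachments.
SCRIPT_EXTENSIONS = {".js", ".vbs"}

# Constructed proxy log format: "<timestamp> client=<ip> method=<m> url=<u> status=<s>"
LOG_LINE_RE = re.compile(r"client=(?P<client>\S+) method=(?P<method>\S+) url=(?P<url>\S+)")


def refang(indicator: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> .) so the URL can be parsed."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def c2_hosts(indicators=DEFANGED_C2):
    """Set of hostnames/IPs extracted from the defanged indicator list."""
    return {urlparse(refang(ind)).hostname for ind in indicators}


def scan_proxy_log(lines, indicators=DEFANGED_C2):
    """Return (client, url) for every log line whose destination host is a known C2.

    Matching is on the host only, so a different path or an added query string
    does not let the request slip past the rule.
    """
    hosts = c2_hosts(indicators)
    hits = []
    for line in lines:
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # not a proxy request line we understand
        if urlparse(m.group("url")).hostname in hosts:
            hits.append((m.group("client"), m.group("url")))
    return hits


def risky_scripts_in_zip(zip_bytes: bytes):
    """List archive members whose name ends in a script extension (.js, .vbs).

    Lower-casing catches .JS and double extensions such as invoice.pdf.js.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]


def build_sample_zip(member_name: str) -> bytes:
    """Construct an in-memory zip holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"// constructed placeholder, not malware\n")
    return buf.getvalue()


# Constructed proxy log lines: two hit the published C2 hosts, one is benign.
SAMPLE_LOG = [
    "2017-08-17T10:15:02Z client=10.0.0.23 method=GET url=http://185.80.148.137/imageload.cgi status=200",
    "2017-08-17T10:15:09Z client=10.0.0.41 method=GET url=https://www.example.com/index.html status=200",
    "2017-08-17T10:16:30Z client=10.0.0.57 method=POST url=http://31.202.128.249/imageload.cgi?x=1 status=200",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"C2 contact from {client}: {url}")
    for name in ("20170816436073213.js", "E 2017-08-09 (972).vbs", "invoice.pdf"):
        print(name, "->", risky_scripts_in_zip(build_sample_zip(name)))
```

The attachment check flags the member name rather than the archive, so a gateway rule can quarantine the message and report exactly which file triggered it; the proxy check reports the internal client so the host can be isolated and examined.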

Defensive measures: ransomware

The best defense against ransomware is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful:

You can also listen to our Techknow podcast Dealing with Ransomware:


(Audio player above not working? Listen on Soundcloud or access via iTunes.)

Source: Naked Security


News in brief: micro robots heal mice; Scottish Parliament hacked; Google Allo on desktops

Created: 16 August 2017

Your daily round-up of some of the other stories in the news

Micro robots heal infections in mice

Micro robots could soon be used to administer drugs to fight diseases.

Researchers at the University of California San Diego have been using micromotors, the width of a human hair, to treat stomach infections in mice.

For five days the team used bubbles to drive doses of antibiotics into the stomach walls. They discovered that the method was more successful than regular doses, which can be demolished by the body before they can treat the disease.

The minute robot consists of a spherical core of magnesium, covered in several layers for protection, treatment and to allow it to stick to the stomach walls. Once a robot is swallowed, the magnesium and stomach acids react to create hydrogen bubbles that force the motors around.

The process temporarily reduces acidity levels. The micromotor responds to the surrounding acidity, releasing the antibiotics when the levels lower.

Just 24 hours later, acidity levels were back to normal and the robots had dissolved in the stomachs of the mice.

Scottish Parliament hit by “brute force” attack

The Scottish Parliament’s IT systems have been hit by a “brute force” cyberattack, reports The Guardian.

In an internal statement, chief executive Sir Paul Grice confirmed that the attack “from external sources” was similar to the email attacks on Westminster back in June.

Mr Grice warned that “Symptoms of the attack include account lockouts or failed log-ins” and urged parliamentary staff to be cautious and secure their accounts with stronger passwords. And, as an additional security measure, the parliament’s IT department would “force a change to weak passwords”.

He wrote:

The parliament’s robust cybersecurity measures identified this attack at an early stage and the additional security measures which we have in readiness for such situations have already been invoked. Our IT systems remain fully operational.
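The symptoms Sir Paul Grice names, account lockouts and failed log-ins, are exactly what an authentication log shows during a brute-force or password-spraying attempt. The following is an added example, not code from the Scottish Parliament or The Guardian: it reads constructed authentication log lines and flags any source that either hammers one account with many failures or spreads single guesses across many accounts inside a short window, and it lists the accounts that ended up locked out. The log format, addresses and user names are constructed for the demonstration.

```python
"""Flag brute-force and password-spray symptoms in authentication logs.

Added example. The log format ("<ISO timestamp> <RESULT> user=<u> src=<ip>")
and every line of sample data below are constructed, not taken from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED_LOGIN|LOCKOUT|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for each line that matches the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_suspicious_sources(lines, window=timedelta(minutes=5), max_failures=10, min_accounts=5):
    """Return {src: {"failures": n, "accounts": [...]}} for sources that, within any
    sliding window, produced at least max_failures failures/lockouts (brute force) or
    targeted at least min_accounts distinct accounts (password spray)."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result in ("FAILED_LOGIN", "LOCKOUT"):
            by_src[src].append((ts, user))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {u for _, u in win}
            if len(win) >= max_failures or len(accounts) >= min_accounts:
                flagged[src] = {"failures": len(win), "accounts": sorted(accounts)}
                break  # first offending window is enough to raise an alert
    return flagged


def locked_out_accounts(lines):
    """Accounts that hit a lockout, i.e. users who need a password reset and a check-in."""
    return {user for _, result, user, _ in parse(lines) if result == "LOCKOUT"}


def constructed_log():
    """Build sample data: one benign typo, one spray, one single-account brute force."""
    lines = [
        "2017-08-15T09:00:00 FAILED_LOGIN user=a.brown src=10.0.0.5",
        "2017-08-15T09:00:20 LOGIN_OK user=a.brown src=10.0.0.5",
    ]
    # Password spray: one guess each against six accounts inside one minute.
    for i, user in enumerate(["j.smith", "k.jones", "l.taylor", "m.wilson", "n.davies", "o.evans"]):
        lines.append(f"2017-08-15T09:10:{i * 10:02d} FAILED_LOGIN user={user} src=203.0.113.7")
    # Brute force: twelve guesses at one account, ending in a lockout.
    for i in range(12):
        lines.append(f"2017-08-15T09:20:{i * 5:02d} FAILED_LOGIN user=finance.user src=198.51.100.9")
    lines.append("2017-08-15T09:21:00 LOCKOUT user=finance.user src=198.51.100.9")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for src, info in find_suspicious_sources(log).items():
        print(f"{src}: {info['failures']} failures against {info['accounts']}")
    print("locked out:", sorted(locked_out_accounts(log)))
```

The two thresholds are deliberately separate: a spray keeps per-account failures below any lockout threshold, so counting distinct accounts per source is what catches it, while the per-source failure count catches the classic single-account attack that produces the lockouts mentioned in the statement.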

Google Allo now on desktops, but only for some

A year since its release, Google Allo is no longer confined to just iPhone and Android devices.

Google’s messenger service is now available on desktops via a web browser, reports Ars Technica. But it’s currently only available for Android users, with iPhone support marked as “coming soon”, and it’s only supported by Google Chrome.

The setup for accessing Allo on a desktop requires users to scan a QR code, using the Allo mobile app, to link it to the web client. Once this is completed the web version acts like a mirror of the mobile device.

With its slow development, Google taking a step back on its privacy promise and fierce competition from the likes of WhatsApp and Facebook Messenger, will this feature be enough to give Allo the boost it needs to win over users?

Catch up with all of today’s stories on Naked Security

Source: Naked Security


Judge orders LinkedIn to stop blocking third-party use of your data

Created: 16 August 2017

A San Francisco judge has rebuffed LinkedIn’s attempts to stop a third-party data-analytics startup from using the publicly available data of its users. According to legal experts, the case could wind up in the Supreme Court, given the important constitutional and economic issues it raises.

As we reported in July, HiQ, a San Francisco startup, has been marketing two products, both of which depend on whatever data LinkedIn’s 500m members have made public: Keeper, which identifies employees who might be ripe for being recruited away, and Skills Mapper, which summarizes an employee’s skills.

To reiterate: HiQ isn’t hacking anything away – it’s just grabbing the kind of stuff you or I could get on LinkedIn without having to log in. All you need is a browser and a search engine to find the data HiQ’s sucking up, digesting and selling.

LinkedIn has tolerated this for years. Then, for whatever reason, it told HiQ to stop. Bad news for the startup: without a steady stream of data from LinkedIn, HiQ cannot function.

HiQ CEO Mark Weidick was a bit surprised. It’s not as if LinkedIn suddenly discovered what the company was up to. Its employees had attended a conference HiQ put on, he told the San Francisco Chronicle:

I thought we were on good terms. They knew perfectly well what we are doing. We were doing it in the broad light of day.

Nonetheless, in May, LinkedIn sent a cease-and-desist order to HiQ, alleging that the startup was violating the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and unfair business practices under California state law. In the letter to HiQ, LinkedIn noted that it had used technology to block HiQ from accessing its data.

HiQ filed for relief in early June, asking for a temporary injunction and recommending that the parties take 30 days to discuss the matter and, hopefully, to come up with an amicable solution.

On Monday, the San Francisco judge sided with HiQ, saying that the “balance of hardships tips sharply in HiQ’s favor” and that LinkedIn’s argument about HiQ having violated the CFAA is pretty dubious. The law wasn’t put in place to gum up access to publicly available data, the judge said in a court order granting HiQ’s motion for a preliminary injunction.

Indeed. The CFAA, which prohibits accessing a computer without authorization, has been used in many criminal cases, such as to prosecute ex-employees who hack their former employers. It was also used, infamously, to prosecute internet activist Aaron Swartz. Rights groups have called the act “infamously problematic”.

But to use the CFAA to prosecute a company for scraping publicly available data? Um, no, that’s not a thing, the judge said on Monday:

The broad interpretation of the CFAA advocated by LinkedIn, if adopted, could profoundly impact open access to the internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.

The motion ordered LinkedIn to dismantle any technical roadblocks it put in place to fend off bots that scrape its members’ data. The BBC reports that LinkedIn is considering an appeal.

HiQ is far from the first company to spin a business model out of whatever it can siphon off another service. You can think of social media platforms – say, LinkedIn, Twitter, and Facebook – as trees. They’ve got an ecosystem of epiphytes, sucking up their data to package and sell in some form.

Sometimes, that parasitic relationship can carry on for years. Take, for example, Geofeedia’s use of the APIs of Twitter, Facebook and Instagram.

For five years, Geofeedia used their data streams to create real-time maps of social media activity in protest areas. As was made clear in a report from the American Civil Liberties Union (ACLU) about police monitoring of activists and protesters via social media data, police have used the maps to identify, and in some cases arrest, protesters shortly after their posts became public.

Following that report, the three social media giants cut off the data streams they were feeding Geofeedia.

The metadata – including images, geolocation data, and screen names available on Instagram’s public feed – on Geofeedia’s map of Ferguson protests was all publicly available. But the scale at which police were identifying and retaining data on protesters was beyond what any individual could achieve without special access to social media platforms’ APIs.

LinkedIn is rationalizing its opposition to HiQ not in terms of scale but rather in terms of user privacy and HiQ’s ability to retain user data. It’s pointing to what it says are more than 50m LinkedIn members who’ve used a “Do Not Broadcast” feature that prevents the site from notifying other users when a member makes profile changes, even when a profile is set to Public.

LinkedIn says it’s also received user complaints about the use of data by third parties. In particular, two users complained that information that they had previously featured on their profiles, but subsequently removed, remained visible to third parties (other than HiQ).

LinkedIn maintains that even though HiQ wants to collect data that’s publicly viewable, it could use profile tweaks – even those listed as Do Not Broadcast – to label an employee as being at high risk of leaving under its Keeper product. It could also retain and make available data that LinkedIn users have deleted – including entire profiles.

OK, those arguments have some merit, the judge wrote. But is data privacy seriously at risk? Out of 50m users who turned on “Do Not Broadcast”, LinkedIn only managed to scare up a measly three complaints about data privacy related to third-party data collection. And none of those three mentioned HiQ or the Do Not Broadcast option.

LinkedIn is even willing to sell profile change data to third parties, if they subscribe to its Recruiter product, according to marketing materials HiQ presented to the court. What’s sauce for the goose is definitely not good for the gander in LinkedIn’s opinion: for years, it’s charged recruiters, salespeople and job hunters for higher levels of access to profile data, but now it’s telling HiQ to keep its hands off.

Where does this leave LinkedIn and its users? It’s a question with obvious relevance to anybody who’s looking for a new job but would like to keep the search on the QT, not served up on a platter to their current boss. Sure, we want our professional information to be public. How else would potential employers find us? But does that leave third parties free to romp, able to do whatever they like with our data, without our say-so?

We’ve seen multiple social platforms fight against the data-sucking epiphytes, for good reason: the bots have scraped publicly available data for a host of privacy-challenging and/or unsavory purposes. For example, last year, without users’ permission, Danish researchers publicly released data scraped from 70,000 OkCupid profiles, including their usernames, age, gender, location, what kind of relationship (or sex) they’re interested in, personality traits, and answers to thousands of profiling questions used by the site.

But the LinkedIn/HiQ case could have far wider implications than just that of a scuffle between two companies. The constitutional scholar and Harvard law professor Laurence Tribe is weighing in to advise HiQ in the case, due to what he told the San Francisco Chronicle are its important constitutional and economic issues.

For a long time, this has been a central concern for me. Today, social media is the new equivalent of the public square. [LinkedIn’s actions present] a serious challenge to free expression in the modern world.

Freedom of speech is not just about flag-burning. It’s about how you use information in the digital economy. Data is the new form of capital in creating products and services.

If it does reach the Supreme Court, we’ll be sure to keep following the case.

Source: Naked Security

