Just say “No!” – how to stop the DDE email attack [VIDEO]

Created: 23 October 2017

You’ve probably heard of the DDE attack – a way of launching malware from a web download, an email attachment, or even directly from the body of an Outlook email message or calendar invite.

It sounds scary – no document macros, no tell-tale script files, no attachment to open…

…but once you know what to look for, stopping a DDE attack isn’t that hard.

Paul Ducklin tells you how the DDE attack works, what to look out for, and what to do.

(Can’t see the video directly above this line? Watch on Facebook instead.)


Source: Naked Security


Facebook security chief stands by “college campus” comments

Created: 23 October 2017

In late July, Facebook security chief Alex Stamos told employees in a conference call that the company isn’t doing enough to respond to growing cyber threats: in fact, with Facebook’s “move fast” mantra, the vault that stores the keys to a billion lives is (deliberately) run like a college campus but has the threat profile of a defense contractor, he said.

So that’s security worry No. 1.

Security worry No. 2 is that somebody on the call—a Facebook employee, one assumes—taped him and leaked the clip to ZDNet, which published it on Thursday.

Here are Stamos’ remarks from the call, which was concerned with the challenges of protecting Facebook’s networks from the growing threat of nation-sponsored hackers:

The threats that we are facing have increased significantly, and the quality of the adversaries that we are facing. Both technically and from a cultural perspective, I don’t feel like we have caught up with our responsibility.

The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost.

We have made intentional decisions to give access to data and systems to engineers to make them ‘move fast,’ but that creates other issues for us.

As Ars Technica points out, nation states are suspected of being behind attacks against Google, Yahoo, defense contractors, security companies and more. In March, federal prosecutors indicted Russian intelligence agency officers for a 2014 hack on Yahoo that compromised 500 million user accounts, for example, while Google said in 2010 that it had lost intellectual property in a highly targeted attack coming from China.

That’s the kind of thing that Facebook, and everybody else online, is facing. And Facebook is being run like a campus. OK. We don’t know exactly what that means, but it doesn’t sound good. It sounds sloppy. It sounds like a high-risk environment.

But before we grab our torches and burn down the frat houses, let’s take a look at what Stamos had to say when he took to Twitter to clarify the remarks on Thursday:

I was asked for comment today wrt some leaked audio from when I was speaking to my security team at Facebook. 1/11

Here it is: I’ve said this before, internally, to describe one of the basic challenges security teams face at companies like ours 2/11

Tech companies are famous for providing freedom for engineers to customize their environments & experiment with new tools 3/11

And also frameworks & development processes. Allowing for this freedom helps creativity and productivity 4/11

We have to weigh that against the fact that we have become a potential target for advanced threat actors. 5/11

As a result, we can’t architect our security the same way a defense contractor can, with limited computing options and no freedom. 6/11

Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one, I’m happy to accept. 7/11

The “college campus” wording is just a figure of speech to make the point; 8/11

My team runs network security for the company. Of course we secure it thoroughly. 9/11

It would not be correct to read my quote as a criticism of management not caring about security; they care a great deal. 10/11

It’s not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network. 11/11

Some are sympathizing with Facebook. Software developer Molly McG: “…it’s actually an incredible analogy for the challenges you face and I love it … The college campus is a perfect metaphor for an environment where you can experiment while protected by institutional safeguards.”

“I don’t even see how this statement of reality is even remotely controversial” said April King, head of website security at Mozilla. “That freedom, despite its subsequent challenges, lets you attract the kind of tech talent that you simply couldn’t get at a large corporation.”

Fair enough. But we’re talking about personal information belonging to millions of people. Hiring whiz kids is great for churning out creative new ideas, but if that creativity comes at the expense of security, whose interests does it serve? Do we want surgeons to learn how to use a scalpel on a live patient?

Then again, as he explained, Stamos didn’t mean inexperienced, or foolhardy, when he referred to a “college campus.”

From the outside it looks like Facebook takes security very seriously: ever seen an Equifax- or Yahoo-level data breach from Facebook? No? Neither have we.

One of many examples of what Facebook does right can be found in the way it locks users in a closet if the company finds that they’ve reused their passwords on other sites that have been breached.

Another commendable practice: Facebook has been using secure browsing by default since July 2013. Plus, Facebook issues transparency reports to let us all know which governments are making plays for our data and how many times. On top of all that, it doesn’t balk at paying out decent bug bounties.

Plenty of other internet platforms are also doing those security-proactive things besides Facebook, but it’s still worth noting that clearly not every single Facebook security or development engineer is swinging from the ceiling fan.

Of course a company like Facebook only has to fail once for everything we’ve shared with it to be spilled.

Storing vast amounts of user data, moving fast and structuring themselves like a campus rather than a defence contractor are all deliberate decisions on Facebook’s part. Nobody obliged the company to do that, or shoulder the risks and responsibilities that go along with making it all work.

When it comes to Facebook securing its network, Naked Security’s Mark Stockley thinks that overall, it’s pretty impressive (though it’s certainly got a problem with at least one employee who felt that it’s OK to tape a confidential call and release it to a major tech publication).

On the other hand, regardless of Stamos trying to put his comments into the context of fostering creativity, the fact is that the top security guy at the company said “I don’t feel like we have caught up with our responsibility”. That’s why Mark said you could quote him on this one:

These are Facebook’s choices and the challenges it faces are real but self-imposed so I sympathize, but not enough to forgive it if they’re breached.

Source: Naked Security


What the KRACK was that? [Chet Chat Podcast 264]

Created: 23 October 2017

This episode of the Chet Chat podcast was recorded live at the BSides Calgary conference in Alberta, Canada.

Sophos expert Chester Wisniewski (he’s the Chet in the Chat) caught up with fellow security researcher and former colleague Michael Argast for a whirlwind tour of the big security issues of the past week.



In this episode

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.

Source: Naked Security


Microsoft tears into Chrome security as patching feud continues

Created: 23 October 2017

The ding-dong between Microsoft and Google vulnerability researchers is not yet an inter-generational conflict but it’s showing signs of turning into one.

After being embarrassed by Google’s Project Zero over a string of software flaws, Microsoft has fired back by publicising a critical Remote Code Execution (RCE) flaw its Offensive Security Research (OSR) team spotted after crashing Chrome’s open-source JavaScript engine, V8.

Identified as CVE-2017-5121, the flaw in the just-in-time compiler was patched by Google in September (Chrome 61.0.3163.100), which we now know was reported to the company by Microsoft because, the company’s blog reveals, its team were paid a $7,500 (£5,700) bug bounty by Google.

Normally, that would be that, except that Microsoft’s dissection swiftly turns into a launchpad for a broader critique of weaknesses in Chrome’s design. For example:

Chrome’s relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one.

And, significantly:

Several security checks being done within the sandbox result in RCE exploits being able to, among other things, bypass Same Origin Policy (SOP), giving RCE-capable attackers access to victims’ online services (such as email, documents, and banking sessions) and saved credentials.

Bluntly, Microsoft seems to be saying, Chrome’s much-vaunted sandboxing (a feature that limits one web page or browser tab’s access to another) doesn’t always stop criminals from pwning the user.

The vulnerability was fixed weeks ago so why would Microsoft want to tear it apart in such detail?

Perhaps to make a point about throwing stones in glasshouses after a period in which the company has received a string of similar criticisms from Google’s Project Zero team.

Only days ago, Google’s Mateusz Jurczyk laid into Microsoft over its alleged prioritisation of Windows 10 patches over those for older versions of the OS.

In May his colleague Tavis Ormandy took to Twitter to talk up a “crazy bad” RCE vulnerability affecting Windows Defender which, as it happens, Microsoft fixed only days later.

Worst of all was February’s disclosure by Jurczyk of a vulnerability in Windows he felt the company was taking too long to patch but which, he said, Google had a responsibility to tell the world about under its 90-days disclosure policy.

The difference of opinion over what constitutes responsible disclosure has turned into a particular bone of contention. As Microsoft makes a point of saying:

We responsibly disclosed the vulnerability that we discovered along with a reliable RCE exploit to Google on September 14, 2017.

Rubbing salt in the wound, Microsoft used its new MSRD Azure “fuzzing” platform to find it, perhaps subtly mocking Google’s enthusiasm for spotting flaws using the same technique.

It seems unlikely that a truce will be called in this head-to-head any time soon. Google will continue hammering Microsoft for taking too long to fix flaws while Microsoft will shoot back that Google isn’t immune to security woes of its own.

For Microsoft and Google users, this is all good. Not that long ago, it seemed that the software industry lacked urgency when it came to acknowledging and fixing vulnerabilities. If that complacency is melting away, it does no harm for big companies to help the thaw by taking each other to task.

Source: Naked Security


Office DDE attack works in Outlook too – here’s what to do

Created: 22 October 2017

In the last two weeks, Sophos researchers have kept an eye on a vulnerability in Microsoft’s Dynamic Data Exchange (DDE) protocol used to send messages and share data between applications.

Yesterday, new developments revealed an additional dimension to this attack.

Early on, we noted that attackers could exploit DDE to launch malware via tainted Office attachments, for example in Word and Excel files, but without using macros. 

On Friday, independent reports surfaced showing that it’s possible to run DDE attacks in Outlook using emails and calendar invites formatted using Microsoft Outlook Rich Text Format (RTF), not just by sending Office files attached to emails.

In the original attack users had to be coaxed into opening malicious attachments. By putting the code into the email message body itself, the attack comes one step closer, meaning that the social engineering needed to talk a recipient into falling for it becomes easier.

The good news is that whether a DDE attack comes via an attachment or directly in an email or a calendar invite, you can stop the attack easily:

Just say no

Attachments, emails and calendar invites pop up two giveaway warning dialogs before triggering a DDEAUTO attack; if you say “No” at either dialog then you prevent the attack. (SophosLabs is not yet aware of any mechanism to bypass these dialog boxes.)

First, you’ll see a warning like this when DDE is used:

This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?

Clicking “No” will stop a DDE attack from running.

If you click “Yes” at the first dialog, you will see a second dialog warning that a command is about to be run (the text in parentheses and the program names referenced at the end will vary):

The remote data (k powershell -w hidden -NoP -NoExit -) is not accessible. Do you want to start the application C:\windows\system32\cmd.exe?

Again, clicking “No” will stop the attack.

You can also neuter DDE attacks embedded directly in emails by viewing all your messages in plain text format, regardless of the format they were sent in.

Note, however, that this will disable all formatting, colours and images in all messages, including those sent in the popular HTML email format. This will make some messages harder to read and may prevent you seeing content that the sender is expecting you to see.

Please check the Microsoft Support website for details of how to view all emails in plain text format in Outlook.
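As an added defender-side example (written for this page, not code from Sophos or the article), the scanner below flags DDE and DDEAUTO field instructions in the two containers the article mentions: Outlook RTF bodies and Word .docx files. The samples are constructed, the command text mirrors the dialog quoted above, and the RTF field syntax and the word/document.xml part name are standard Office formats rather than details from the article. The RTF path normalizes the field so a keyword split across groups or written with hex escapes is still found.

```python
import html
import re
import zipfile

# A field whose instruction starts with DDE or DDEAUTO asks Office to launch another program.
DDE_RE = re.compile(r"DDE(AUTO)?\b", re.IGNORECASE)

# RTF pieces handled when flattening a field-instruction group.
HEX_ESCAPE_RE = re.compile(r"\\'([0-9a-fA-F]{2})")   # \'hh -> one character
CONTROL_WORD_RE = re.compile(r"\\[A-Za-z]+-?\d* ?")  # \rtlch, \fs22, ...


def _group_after(text, start):
    """Return the text from `start` up to the brace that closes the enclosing RTF group."""
    depth, out = 0, []
    for ch in text[start:]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            if depth == 0:
                break
            depth -= 1
        out.append(ch)
    return "".join(out)


def normalize_rtf_field_instruction(raw):
    """Flatten an RTF field instruction so split keywords and hex escapes cannot hide it."""
    # Protect escaped literals (\\ \{ \}) before stripping RTF syntax.
    raw = raw.replace("\\\\", "\x00").replace("\\{", "\x01").replace("\\}", "\x02")
    raw = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    raw = CONTROL_WORD_RE.sub("", raw).replace("\\*", "")
    raw = raw.replace("{", "").replace("}", "")
    raw = raw.replace("\x00", "\\").replace("\x01", "{").replace("\x02", "}")
    return " ".join(raw.split())


def find_dde_fields_rtf(rtf):
    """Return the normalized instruction of every DDE/DDEAUTO field in an RTF body."""
    hits = []
    for m in re.finditer(r"\\fldinst\b", rtf):
        instr = normalize_rtf_field_instruction(_group_after(rtf, m.end()))
        if DDE_RE.match(instr):
            hits.append(instr)
    return hits


# OOXML (.docx): a field is the instrText runs between a fldChar begin and end.
OOXML_TOKEN_RE = re.compile(
    r'<w:fldChar\b[^>]*w:fldCharType="(begin|separate|end)"[^>]*/?>'
    r"|<w:instrText\b[^>]*>(.*?)</w:instrText>",
    re.DOTALL,
)


def ooxml_field_instructions(document_xml):
    """Join the instrText runs of each begin/end pair into one instruction string."""
    fields, current = [], None
    for m in OOXML_TOKEN_RE.finditer(document_xml):
        kind, piece = m.group(1), m.group(2)
        if kind == "begin":
            current = []
        elif kind == "end":
            if current is not None:
                fields.append(" ".join(html.unescape("".join(current)).split()))
            current = None
        elif piece is not None and current is not None:
            current.append(piece)
    return fields


def find_dde_fields_ooxml(document_xml):
    return [f for f in ooxml_field_instructions(document_xml) if DDE_RE.match(f)]


def scan_docx(path):
    """Scan a .docx file; assumes the standard word/document.xml part name."""
    with zipfile.ZipFile(path) as zf:
        xml = zf.read("word/document.xml").decode("utf-8", "replace")
    return find_dde_fields_ooxml(xml)


# Constructed samples, not real captures: one benign HYPERLINK field, one plain
# DDEAUTO field and one whose keyword is split across groups and a hex escape.
SAMPLE_RTF = r"""{\rtf1\ansi
{\field{\*\fldinst HYPERLINK "https://example.com/" }{\fldrslt example}}
{\field{\*\fldinst DDEAUTO "C:\\windows\\system32\\cmd.exe" "/k powershell -w hidden -NoP -NoExit -" }{\fldrslt }}
{\field{\*\fldinst {\rtlch D}{D}\'45{AUTO} "C:\\windows\\system32\\cmd.exe" "/k echo constructed-sample" }{\fldrslt }}
}"""

SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO &quot;C:\windows\system32\cmd.exe&quot; &quot;/k echo constructed-sample&quot; </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>placeholder</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

if __name__ == "__main__":
    for instr in find_dde_fields_rtf(SAMPLE_RTF) + find_dde_fields_ooxml(SAMPLE_DOCUMENT_XML):
        print("DDE field found:", instr)
```

A mail gateway or endpoint script can run the same check on incoming RTF bodies and attachments, quarantining anything that returns a non-empty list so the user never reaches the dialogs at all.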

Source: Naked Security


Hack-back bill would legalize companies hacking their attackers

Created: 20 October 2017

A couple of years ago, a counterterrorism expert had an idea: let’s arm US companies with cyber weaponry so they can hack-back cyberattackers, suggested Juan Zarate, a former US deputy national security advisor for counterterrorism during the administration of US President George W. Bush.

Mike Rogers, a former Republican congressman from Michigan and former FBI agent, said at the time that given the plethora of attacks coming from other nations, many businesses would wind up in over their heads in an escalating conflict – a nasty can of worms to open.

Besides, Rogers argued, who says that a given company has the capacity to track down culprits behind an attack? It’s not like all companies are adept at the forensics needed. Sources can be spoofed.

Figuring out the origin of an attack can hinge on subtle clues: what inference should be drawn, for example, in the similarities between the code in the WannaCry ransomware worm and the malware created by Lazarus, a hacking group believed to be linked to North Korea?

Nor is it a given that companies can launch a counter-attack that doesn’t wind up harming a slew of innocents. For example, a hack-back at the vast array of Internet of Things (IoT) devices that got sucked into the Mirai botnet would have seen attacks on home users’ cameras, with the perpetrators left unharmed.

Would we really want to empower an Equifax or a Yahoo, giving them a “cyberwarrant” that would grant private companies license to protect their systems, “to go and destroy data that’s been stolen, or maybe even something more aggressive,” as Zarate suggested?

Their histories of protecting their assets, after all, don’t inspire confidence. Why would we believe they have the ability to competently attack hackers without causing harm?


Some can do it very, very well. Some don’t have a clue of how to do it, but that wouldn’t stop them from [responding] anyway. How do you contain that?

Well, here’s how two legislators have contained the hack-back suggestion: they want to make it the law of the land.

As CNN Money reports, H.R.4036 – formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Its backers are US Representatives Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.

ACDC would give a company the go-ahead to take active defensive measures to access an attacker’s computer or network to identify hackers, as well as to find and destroy stolen information. It makes sense to introduce it as an amendment to the CFAA, given that the CFAA outlaws unauthorized access to somebody else’s computer: a big legal hammer that’s found many nails.

ACDC would give authorized individuals and companies the legal authority to leave their network to:

  1. Establish attribution of an attack.
  2. Disrupt cyberattacks without damaging others’ computers.
  3. Retrieve and destroy stolen files.
  4. Monitor the behavior of an attacker.
  5. Utilize beaconing technology.

Will this lead to cyber-vigilantism? Graves says no; he told CNN that the bill is not opening the door to the Wild Cyber West. The horse is already out of the barn: we’re already living in the Wild Cyber West:

We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.

But just as they did when Zarate brought up the notion two years ago, security experts are warning that the bill could have dire unintended consequences. CNN quotes digital forensics expert Lesley Carhart on the difficulties of determining whether the source of an attack has been spoofed:

In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware. A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.

And if an attack were in fact coming from, say, North Korea, the ACDC wouldn’t be worth much. That’s because it limits hack-back actions to within the US. It also requires companies to report to the FBI-led National Cyber Investigative Joint Task Force before taking active-defense measures: a measure that “will help federal law enforcement ensure defenders use these tools responsibly.”

OK… so, why not just entrust cyber investigations and countermeasures with the FBI and the Department of Justice (DOJ) to begin with? According to a news release (PDF) from Graves, we can’t – they’re swamped.

While DOJ and the FBI do great work, the number of cyberattacks far exceeds the government’s ability to respond, identify and prosecute criminals.

At any rate, Graves told CNN, whether we like it or not, companies are already hacking back:

Word on the street is many companies are already doing some of these things. They know, you know, and I know that what they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.

In fact, he’s hoping that if the bill passes, it could spark the creation of new tools to protect against hackers.

One security expert likened the bill to the old Biblical law about retaliation: an eye for an eye, a tooth for a tooth. That dates back to Hammurabi, King of Babylon from 1792-1750BC.

Wise he may have been, but Hammurabi didn’t have to deal with (and nor could he have foreseen) the complex issue of figuring out who hacked who.

Source: Naked Security


What’s coming next in the world of malware? [VIDEO]

Created: 20 October 2017

If you want to know where the world of malware is heading…

…ask an expert!

So that’s exactly what we did – we spoke to Fraser Howard of SophosLabs, live on Facebook.

Fraser is one of the world’s leading threat researchers, with knowledge that is deep as well as broad.

He’s well worth listening to, and here’s what he told us:

(Can’t see the video directly above this line? Watch on Facebook instead.)


Source: Naked Security


Google’s Advanced Protection Program: extra security at a cost

Created: 20 October 2017

Are you a high-risk user whose Google account hackers might want to target? If you are, how much hassle would you put up with to make your account more secure?

These are questions Google is inviting its users to ask themselves with the announcement of the Advanced Protection Program (APP), a reassuring but also potentially awkward way to add extra layers of security to Google accounts.

Available from this week, it’s free to all consumer Google account holders, but before you rush off to sign up let’s dig a little deeper into what is on offer because the downsides won’t be for everyone.

First, APP’s target user base, which includes:

Campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.

But also:

Human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues.

To that could be added high net-worth individuals, VIPs and perhaps politicians and company management using a Google account in a personal capacity (see the infamous attack on the DNC’s John Podesta in 2016).

It first dawned on Google that some users faced a higher risk than others in 2010 when it went public on the aggressive Aurora attacks conducted on its Chinese users by an unnamed nation state that everybody twigged must be China itself.

Google has tried to contain targeted attacks by introducing security protections such as two-step and multi-factor authentication, and HTTPS connections by default, as well as gradually limiting attachment behaviour in Gmail.

Google thinks this is no longer enough and has launched APP with three new protections.


The first is mandating that users authenticate themselves using a hardware token such as the FIDO U2F YubiKey. Other authentication methods (including backup codes and SMS) will no longer work.

These cost a reasonable $18 (£15), but users will also have to buy an additional Bluetooth token (another $25 perhaps) to authenticate from smartphones lacking a USB port. That’s two keys to look after and you can’t lose either without incurring a temporary loss of account access.

It’s not clear whether these will be needed for every authentication, but if they are that will mean users can’t allowlist access from a regularly-used device and will have to plug in a key for every login, from every device.

The extra security of using a token means that attackers who successfully steal your user name and password can’t access your account, even if they also steal the device you normally use to access that account.

Limiting app access

APP’s second defence is to constrain access to accounts from third-party apps, by which it means anything not made by Google. The risk these pose:

By giving permission, you might introduce vulnerabilities that could be used to access your personal data. For example, an app you trust could be exploited or impersonated.

Third-party apps will never be able to access Gmail, Google Drive or Google Photos, and using Chrome to access Google services will become mandatory. Anyone using iOS will have to use Google’s apps to access services.

This feature sounds straightforward enough but this will nix any website or service that either uses a Google account for authentication (or which needs access to it), for example WhatsApp, Dropbox, or the New York Times.

It’s not clear whether users will still be able to forward email to third-party accounts. In principle, there’s no reason why not although whether that’s a good idea for secure email is another matter.

Account verification

Attackers sometimes try to gain access to an account by initiating a reset after pretending they’ve been locked out. As researchers have noted, this can happen in a number of ways. Under APP, additional checks will become necessary, although Google hasn’t yet specified what these will be.

The company has said “these added verification requirements will take a few days to restore access to your account,” which makes clear that users resetting credentials could be left without access for some time (including if they lose their tokens – see above).

The extra inconvenience APP adds to using a Google account will be more than worth it for some users. The lingering question is whether, in time, all regular Google users might end up being part of this group given the industrial scale of sophisticated attacks.

That said, users can already opt for a sort of halfway house between standard account security and what APP offers simply by turning on multi-factor verification, either using the Google Authenticator app or, better still, by enrolling a YubiKey. For most people, this might be the place to start dialling up security before tangling with the APP.

Source: Naked Security


5 ways to do 15 minutes of cybersecurity without a computer

Created: 20 October 2017

If there’s one cybersecurity practice that absolutely everybody can do, that absolutely everybody should do, that should be as much a part of your day as brushing your teeth, making the first cup of coffee and correcting people who are wrong on Reddit, it’s this:

Keep your software up to date.

There’s an army of criminal hackers out there using computer programs to scour the internet for devices with out of date software. When they find a bug they’re looking for they can use it like a crowbar to prize open your electronic life.

They can steal your photos; spy on you through your camera; sniff out your banking password; exhaust your battery by mining cryptocoins; sell access to your Facebook account or wrap up all your stuff with encryption and demand a ransom.

Regularly updating your software is the single best, most efficient, most easy-as-falling-off-a-log thing you can do to shut them out.

That’s why we were delighted to hear about the UK government’s new Cyber Aware campaign.

Cyber Aware is encouraging you to take time to update your software with the inducement of giving yourself 15 minutes away from your screen while your tech feeds and waters itself (a #techfree15 minutes, if you will).

Just think what you can do with an extra 15 minutes.

Wait… what? 15 minutes?

Clearly these guys haven’t done a major Windows or MacOS update recently. To be fair to them I guess #techfreeForAnythingUpToAnHourMaybeEvenLongerIt’sHardToSay is a hard sell.

Cyber Aware suggest you spend your 15ish minutes doing sensible things like taking a walk in your local park, talking to other humans or having a 15 minute tech-free rest before bed.

A rest.

Don’t they know you’ve got other people’s computers to protect too? Moreover, don’t they know you’ve already drunk seven cans of Monster today?

Rest. Meh. There’s no rest for the wicked and not having a computer is no excuse for giving up the cyberfight. Here are five things you can do without a computer to make everyone else’s computers more secure while you’re taking your #techfree15:

1. Make friends with your IT team

  • Duration: 5 mins
  • Difficulty: 3/5

If you already work in IT, skip to #3. Actually don’t. Go and speak to a colleague you don’t know. If you work with Windows go and speak to somebody wearing a heavy metal t-shirt. If you work with *nix go and speak to somebody wearing a shirt.

If you don’t work in IT, go and say hi. You’re going to need them one day so don’t wait for a crisis before you introduce yourself.

Not only is “Hello” a better greeting than “is the network down?”, but if the network is down then they’ll be too busy to talk to you anyway because the network’s down and it isn’t going to fix itself.

And while we’re on the subject, there is nothing more annoying than trying to fix a network and being constantly interrupted by people who want to tell you the thing they’ve just stopped you from fixing isn’t working. If the network isn’t down and they still don’t want to talk to you, well, let’s just say it’s not them, it’s you, and it’s time to brush up on what you sound like to a sysadmin.

2. Put up some posters

  • Duration: 15 mins
  • Difficulty: 1/5

Get some security posters and stick them up around your office to remind other people who’ve torn themselves away from their computers to go back to them. They need to stop making coffee and sort out those awful passwords.

If you don’t want to make your own posters, you can find some snazzy posters in the Sophos Anti-Ransomware toolkit (you’ll have to do a little data capture tap dance to get it).

Pro tip: don’t put posters where people can walk past them. Put them at eye height where people don’t move much and don’t have anything to read. Yes, that’s right, I’m telling you to put them above the urinals and on the back of the toilet stall doors. Seriously.

3. Write a risk register

  • Duration: never ending
  • Difficulty: 162/5

Risk registers: everybody needs one, nobody wants to write it. Well, guess what, you’ve got at least 15 minutes to spare so get writing. Be careful though, risk registers can get quite long and you’ll have to write it by hand so don’t forget to add writer’s cramp and carpal tunnel syndrome to the register. Oh and if it’s as lengthy and comprehensive as your project manager’s PRINCE2 trainer would like it to be, be careful not to break your foot if you drop it.

4. Clean, wipe, shred

  • Duration: 15 mins
  • Difficulty: 1/5

Lift your head up from your computer and look around you: you’re leaking data. The pay slip in the unlocked drawer; the password on a post-it stuck to your monitor; the bound conference notes you’re never going to read; the work of art on the whiteboard behind you.

Everyone can see them. They’ve got to go.

For your confidential paper waste that means a trip to Mordor the shredder. Unfortunately shredders, like their stablemates photocopiers and faxes, aren’t governed by the normal rules of physics nor any kind of recognisable logic. They are emotional, moody and vindictive machines that hate the taste of paper and hate you for feeding it to them. Luckily for you, you only have 15 minutes so there’s only enough time to jam the shredder twenty seven times.

5. Make a tinfoil hat

  • Duration: 2 minutes
  • Difficulty: 2/5

If you don’t have a tinfoil hat already you clearly don’t understand the seriousness of the situation. You live in a surveillance state, your identity is toast, your phone is lying to you about being off and in a few years time you’ll consider yourself lucky if you’re kept around as a pet by some post-singularity AI.

You’re going to need a tinfoil hat.

I said it takes two minutes to make a tinfoil hat at the top of this section, but that’s not quite right. It takes a second to Google “how to make a tinfoil hat” and (bizarrely) 2:45 to watch the YouTube video How to make a tin foil hat in less than two minutes. But you can’t use them because you’re having a tech free 15ish minutes, remember?

You don’t have Google, YouTube, iFixit, WikiHow or Stack Overflow. You’re on your own with some scissors and a roll of aluminium foil.

You’ll be lucky if you get out of this with ten fingers…

Best check if your updates have finished.

Source: Naked Security


Teen hacker sentenced for serious disruption of Phoenix 911 system

Created: 20 October 2017

If you’re a teen computer whiz trying to create an “annoying but harmless” online prank that will impress your friends and the “hacker community,” probably best not to aim it at anything having to do with real-life emergency services.

Hopefully Meetkumar Hiteshbhai Desai, 19, had learned at least that much by the time he was sentenced last week to three years’ probation for creating a bug a year ago that, between 24 and 26 October 2016, almost shut down 911 services throughout Maricopa County, Arizona and beyond.

Law enforcement officials were definitely impressed, but not in a good way. According to the state Attorney General’s Office, Desai’s bug caused more than 300 hang-up calls – 100 of them within minutes on 25 October 2016 – in the county’s 911 operating systems, which include Phoenix, Scottsdale, Glendale and Mesa.

The Maricopa County Sheriff’s Office (MCSO) said the bug affected call centers in Avondale, Chandler, Surprise and the MCSO.

Desai pleaded guilty to one count of computer tampering. The sentencing agreement allows law enforcement to monitor his computer during the probation period.

Ars Technica reported that at the time of his arrest, authorities referred to Desai as an “iPhone app developer”, which was a major stretch. But in a press release following the arrest, the MCSO said Desai (who they referred to as “Meet”, since the web page that linked to the bug was called “Meet Desai”) told detectives that he was indeed hoping to impress Apple:

He was interested in programs, bugs, and viruses which he could manipulate and change to later inform Apple about (how) to fix their bug issues for further iOS updates. He claimed that Apple would pay for information about bugs and viruses and provide that particular programmer with credit for the discovery.

No word on whether Apple was impressed.

According to the MCSO, Desai told them that an online friend had shared a bug with him that they thought they could modify. He said he discovered that he could:

… add annoying pop ups, commands to open email, and activate the telephone dialing feature on iOS cell phones by utilizing a JavaScript code that he created.

His intent, he told them, was just to create a, “non-harmful but annoying bug that he believed was ‘funny.’”

However, his project went from prank to crime when he modified the bug to include the 1+911 phone number for emergency services and – by mistake, he told detectives – pushed it out to the public.

Meet stated that although he did add that feature to the bug he had no intention of pushing it out to the public, because he knew it was illegal and people would “freak out”.

Probably not the kind of mistake someone looking to impress Apple would make. But Desai was right about the reaction – people indeed freaked out.

On the night of 25 October 2016, the MCSO heard from a surprised Surprise Police Department that their communications division had received more than 100 911 hang-up calls which, as the MCSO put it, put their Cyber Crimes Unit into, “full force after a serious disruption into the emergency 911 system for the entire Phoenix metro area and possibly even other states.”

Detectives tracked the 911-dialing code to the “Meet Desai” web page, hosted out of San Francisco. They were able to shut it down, “to stop the potential immediate threat to the 911 emergency systems, which could possibly have been compromised if enough users had clicked on the link.”

But by that time the link, which had been posted to the YouTube channel “TheHackSpot” and several Twitter accounts, had been clicked 1,849 times. When people clicked on it, it launched continuous calls to 911 and wouldn’t let the caller hang up.
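The behaviour described above (a page that opens a tel: URI on its own, over and over, rather than waiting for a tap) is something a URL filter or mail gateway can look for statically. The check below is an added example, not the code from the case and not Naked Security’s: it flags script that navigates to a tel: URI programmatically, raises the verdict when the number is an emergency number, and raises it again when a timer or infinite loop would re-trigger the dial after the user cancels. The regex patterns, the emergency-number list and the sample pages are assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Added example; not the code from the case and not Naked Security's. A crude
# static check for the behaviour the MCSO describes: script that opens a tel:
# URI on its own, repeatedly, instead of waiting for the user to tap a link.
# The patterns and the emergency-number list are assumptions for illustration.

# Digit-only forms of common emergency numbers (North America, EU, UK, Australia).
# "1911" covers the "1+911" form mentioned in the MCSO account.
EMERGENCY_NUMBERS = {"911", "1911", "112", "999", "000"}

# A tel: URI reached by navigation rather than by a user tap: assignment to
# location / location.href, location.assign/replace, window.open, or a meta
# refresh ("0;url=tel:..."). A plain <a href="tel:..."> needs a tap, so it is
# deliberately not matched.
AUTO_DIAL = re.compile(
    r"""(?:location(?:\.href)?\s*=\s*|location\.(?:assign|replace)\(\s*|window\.open\(\s*|url=)"""
    r"""['"]?tel:([+\d().\- ]+)""",
    re.IGNORECASE,
)

# Constructs that would re-trigger the dial after the user cancels it.
REPEAT = re.compile(
    r"\b(?:setInterval|setTimeout|while\s*\(\s*(?:true|1)\s*\)|for\s*\(\s*;\s*;\s*\))"
)


def scan(content: str) -> List[Dict[str, object]]:
    """Return one finding per programmatic tel: navigation in the content."""
    repeated = REPEAT.search(content) is not None
    findings = []
    for m in AUTO_DIAL.finditer(content):
        number = re.sub(r"\D", "", m.group(1))  # keep digits only for comparison
        findings.append({
            "number": number,
            "emergency": number in EMERGENCY_NUMBERS,
            "repeated": repeated,
            "snippet": m.group(0),
        })
    return findings


def severity(content: str) -> str:
    """Map findings to a verdict a filter could act on."""
    findings = scan(content)
    if not findings:
        return "none"
    if any(f["emergency"] for f in findings):
        return "critical" if any(f["repeated"] for f in findings) else "high"
    return "medium"


# Constructed samples (not real pages): the prank pattern, a normal contact link,
# and a page that auto-dials a non-emergency number.
SAMPLES = {
    "prank": "<script>setInterval(function () { window.location.href = 'tel:911'; }, 500);</script>",
    "contact": '<p>Questions? <a href="tel:+1-555-0100">Call us</a></p>',
    "autodial": "<script>window.open('tel:+15550100');</script>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name}: {severity(html)} {scan(html)}")
```

A check like this only catches the obvious forms (obfuscated script, or a URI built at runtime from pieces, will slip past it), so it belongs alongside, not instead of, the platform-side mitigation: a browser or OS that asks before placing a call from a tel: navigation and does not let script re-issue the dial while a confirmation is pending.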

According to the Arizona AG, Desai will not serve any jail time because he, “cooperated with authorities, expressed remorse and had never been in trouble before.”

But the incident demonstrates that the security of 911 services has a significant soft spot. This was a localized version of a telephony denial-of-service (TDoS) attack, one that could disrupt emergency services over a much wider area – possibly the entire nation. As Ars Technica noted at the time of Desai’s arrest last year:

According to recently released research reported in the Washington Post (paywall) by journalist Kim Zetter, a proof-of-concept attack devised by researchers in Israel required just 6,000 infected smartphones in a geographical area to tamper with the 911 system for the entire state of North Carolina. The researchers estimated 200,000 infected phones distributed across the US could significantly disrupt 911 services for the entire country.

Source: Naked Security


IRS chief: assume your identity has been stolen

Created: 19 October 2017

You’ve been told privacy is dead? It’s actually worse than that. Your identity has been reanimated as a zombie and it could be roaming about trying to do things without your consent.

That’s according to Internal Revenue Service (IRS) Commissioner John Koskinen at a recent briefing to reporters: If you are an American, you should assume that any number of cyber criminals have enough information about you to pose as you.

Koskinen was speaking Tuesday ahead of the agency’s annual Security Summit, about the IRS’s data security efforts heading into the 2018 tax season and, inevitably, was asked if the mammoth, catastrophic breach of big-three credit reporting agency Equifax would have an effect on tax fraud.

Not even enough to notice, was the response, reported in The Hill. “We actually think that it won’t make any significantly or noticeable difference,” he said.

Why? “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals,” he said.

Here are the numbers that matter:

There are about 250 million Americans 18 and older.

An estimated 145.5 million people were affected by the Equifax breach where hackers had access to names and addresses and other personally identifiable information (PII) – including information that’s difficult or impossible to change like Social Security numbers and dates of birth.

Meanwhile the official IRS estimate is that more than 100 million Americans have had their PII stolen by hackers.

There’s wiggle room in both figures but the difference between them is as much as 45 million people, more than the individual populations of the large majority of European countries – almost as much as Spain; more than four times that of Greece, Portugal and Sweden; nearly 10 times that of Norway, Ireland and numerous others.

So, according to Koskinen, the reality could be much worse than the official estimate. He advised all Americans to “assume their data is already in the hands of criminals and ‘act accordingly.’”

He’s not the first one to say so, of course. Star security blogger Brian Krebs said essentially the same thing in more than one of the multiple posts he filed on the Equifax breach. But it came across, at least to some privacy experts, as not only a casual dismissal of one of the most damaging breaches of the year, but also uninformed, as if it were at the same level as a credit card breach.

Rebecca Herold, CEO of The Privacy Professor, called it, “simplistic and naïve.”

He apparently doesn’t realize that Equifax, and the other two major US credit reporting agencies (CRAs), possess an amount of data far beyond the other types that have been breached elsewhere – such things as job histories and associated salaries, home addresses, medical information, schools attended, and so much more.

To try and minimize a breach of this magnitude is disappointing, to say the least, from him.

Koskinen, in prepared remarks, said the agency does take tax fraud very seriously, and is having some very serious success in reducing it. The Security Summit – a joint project of the IRS, state tax agencies and the private sector launched in 2015 – is a major reason for that, he said. The improvements show in the fraud statistics, he said:

We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft.

In the “identity theft” category, Koskinen said the number of reported victims in 2016 was 376,000 – 46% down from 2015. And this year, through August, the number is 189,000, a drop of about 40% from the same time last year.

Kay Bell, self-described “tax geek” and author of the blog Don’t Mess With Taxes, complimented the IRS on 37 relatively new data filters created in conjunction with the Security Summit that she said would easily stop a criminal even if he had a name, address and SSN. The filters, she said, make sure, “the meat of the return would be a guessing game.”

Koskinen, in his statement, said other methods of catching fraudulent returns and refunds include:

  • Stronger password protocols.
  • Working with financial institutions to flag questionable refunds.
  • A pilot program that adds a verification code to W-2 forms.

Of course, Koskinen didn’t go into much detail about what individual citizens can do to “act accordingly” in response to assuming that their PII is already in criminal hands. That may be because, other than putting a credit freeze in place with all the credit bureaus and monitoring their own finances, there isn’t a whole lot they can do.

As Herold put it:

All those people whose personal life data was breached at Equifax did not directly do business with Equifax, as is most often the case with those other breaches he references. There was no way the impacted individuals could have done anything to ensure Equifax had appropriate security controls in place for their associated data – they had no choice.

Source: Naked Security


Kids’ smartwatches harbouring major security flaws

Created: 19 October 2017

Has Santa Claus, the Tooth Fairy or the agnostic Birthday Gnome ever gifted your tot a smartwatch?

Toss it. All those wrist wraps are Internet-of-Things (IoT) security car wrecks, according to a new report (PDF) from the Norwegian Consumer Council (NCC).

The main point of smartwatches is to geolocate your offspring, but some models also allow parents to call or text their kids. After all, it’s cheaper than a full-fledged smartphone, and somewhat less likely to be buried in a sandbox.

Much like drone makers do to their aircraft, some parents also use the GPS-connected smartwatches to geofence their kids: some models send out an alert when a child leaves a designated area. Some smartwatches have an SOS feature that allows a kid to send an emergency message to a caregiver.

That’s great, except when it’s not. NCC researchers looked at four smartwatch models and found that they can give parents a false sense of security. Some features, such as the SOS and the geofencing alerts, didn’t work reliably.

And, most worrying of all, through simple steps, strangers can take control of the smartwatches. Given the lack of security in the devices, eavesdroppers can listen in on a child, talk to them behind their parent’s back, use the watch’s camera to take pictures, track the child’s movements, or give the impression that the child is somewhere other than where they really are.

Researchers found that several of the watches also transmit personal data to servers located in North America and East Asia, in some cases without using encryption. One of the watches also functions as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that eavesdropping is going on.

It not only challenges a child’s right to privacy, says Finn Myrstad, director of digital policy for the NCC – “It also threatens their safety,” he says.

Until these issues have been resolved, these watches should be in no stores, even less so on a child’s arm.

In one watch, knowing a user’s phone number “gives an attacker full access to the device,” the report found. In another watch, the researchers “inadvertently came across sensitive personal data belonging to other users, including location data, names and phone numbers.”

One of the watches allowed the researchers to pair an existing gadget with a completely new account, enabling them to see user data, including the watch’s current location and location history and contact phone numbers in the account, all without notifying the watch user.
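The two pairing findings above (a phone number that grants full access, and a watch that can be re-bound to a new account without the current owner knowing) are the same design mistake: a device identifier that other people can know is treated as the credential. The code below is an added illustration, not code from the NCC report or from any of the tested watches; the watch model, account names and API shape are assumptions. It puts that weak pattern beside a version that needs a one-time code read off the watch itself, refuses to re-bind a watch that already has an owner, and caps guesses of the code.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration, not code from the NCC report or from any tested watch.
# The Watch model, account names and service API are assumptions.


@dataclass
class Watch:
    serial: str
    phone_number: str
    owner: Optional[str] = None          # account the watch is bound to, if any
    pairing_code: Optional[str] = None   # one-time code shown on the watch's screen
    failed_attempts: int = 0


class WeakPairingService:
    """The pattern the report describes: an identifier anyone might know (the
    watch's phone number) is all that is needed to bind the watch to an account,
    and an existing binding is silently overwritten."""

    def __init__(self, watches: List[Watch]):
        self.watches: Dict[str, Watch] = {w.phone_number: w for w in watches}

    def pair(self, account: str, phone_number: str) -> bool:
        watch = self.watches.get(phone_number)
        if watch is None:
            return False
        watch.owner = account  # no proof of possession, no consent from the current owner
        return True


class PairingService:
    """Hardened version: binding needs a short code read off the watch, a watch
    that already has an owner cannot be claimed by another account, and guesses
    of the code are capped."""

    MAX_ATTEMPTS = 5

    def __init__(self, watches: List[Watch]):
        self.watches: Dict[str, Watch] = {w.serial: w for w in watches}

    def display_pairing_code(self, serial: str) -> str:
        """Simulates the watch generating and showing a one-time code. On a real
        device this is triggered by a button press and appears on the screen
        only; the backend API never returns it to a remote caller."""
        watch = self.watches[serial]
        watch.pairing_code = f"{secrets.randbelow(10 ** 6):06d}"
        watch.failed_attempts = 0
        return watch.pairing_code

    def pair(self, account: str, serial: str, code: str) -> bool:
        watch = self.watches.get(serial)
        if watch is None or watch.pairing_code is None:
            return False                      # nothing to pair against
        if watch.owner is not None and watch.owner != account:
            return False                      # the current owner must unpair first
        if watch.failed_attempts >= self.MAX_ATTEMPTS:
            watch.pairing_code = None         # code burned; a new one must be shown on the watch
            return False
        if not hmac.compare_digest(code.encode(), watch.pairing_code.encode()):
            watch.failed_attempts += 1        # constant-time compare, counted failure
            return False
        watch.owner = account
        watch.pairing_code = None             # single use
        return True

    def unpair(self, account: str, serial: str) -> bool:
        """Only the bound account may release the watch."""
        watch = self.watches.get(serial)
        if watch is None or watch.owner != account:
            return False
        watch.owner = None
        return True


if __name__ == "__main__":
    w = Watch("SN-0001", "+4712345678")
    weak = WeakPairingService([w])
    weak.pair("parent", w.phone_number)
    weak.pair("stranger", w.phone_number)
    print("weak service owner after stranger pairs:", w.owner)   # stranger

    w2 = Watch("SN-0002", "+4798765432")
    svc = PairingService([w2])
    code = svc.display_pairing_code("SN-0002")
    svc.pair("parent", "SN-0002", code)
    svc.pair("stranger", "SN-0002", svc.display_pairing_code("SN-0002"))
    print("hardened service owner after stranger tries:", w2.owner)  # parent
```

The ownership check matters as much as the code: without it, anyone who can get the watch to show a fresh code (or who gets the backend to leak it) can still take over a paired device, which is exactly the silent re-binding the researchers found. A six-digit code with a five-attempt cap is fine for a button press on a watch; the same scheme exposed as an unauthenticated, unthrottled web endpoint would not be.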

CBS News quotes Myrstad:

This data can be abused for so many different things – finding out where kids have been means getting extremely sensitive data around where they live, where they go to school. It’s far, far away from any basic standard of security.

According to The Telegraph, the UK retailer John Lewis has already responded to the NCC’s report by withdrawing one of the smartwatch models – the Gator 2 – that the researchers analyzed.

They also tested Viksfjord and Xplora smartwatches. A fourth model, the Tinitell, lacked major security flaws, but it also lacked clear privacy protections, according to the report. According to CBS News, all of the watch models except for Xplora are on sale in the US.

So, another crop of IoT things is insecure. Quelle surprise.

Santa, Tooth Fairy, Agnostic Birthday Gnome, et al., I’m beginning to suspect one of two things:

  1. You’re all NSA agents. That would explain Hello Barbie, the joke-telling, story-swapping, interactive game-playing, eavesdropping doll that spawned the Hell No Barbie campaign from privacy groups. It would also explain her Hell-spawn sister, My Friend Cayla, which was fitted with a camera and an artificial intelligence (AI) chip for interpreting children’s emotions… and which Germany’s privacy watchdog declared was an “illegal espionage apparatus” that parents should destroy. Given all that, you’re either creeps, government spies, or then again…
  2. You really need help with securing the IoT.

I suspect it’s No. 2. But you’re not alone: we all need help with securing the IoT.

Here are some security tips on how to get that done – ideally before Christmas!

Source: Naked Security

