Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports keep coming up, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches, many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read that forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers with more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. Sure, it is still relatively easy to get malicious applications published in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. Ahead of the coming mobile payment revolution, the underlying technologies, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it is not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within them. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.


3,110 Comments

  1. Tomi Engdahl says:

    Ron Amadeo / Ars Technica:
    OEMs and carriers make Android’s security update strategy ineffective at Android’s scale; a major attack on unpatched phones seems inevitable

    Waiting for Android’s inevitable security Armageddon
    Editorial: Android’s update strategy doesn’t scale, and that’s recipe for disaster.
    http://arstechnica.com/gadgets/2015/08/waiting-for-androids-inevitable-security-armageddon/

    We’re on day who-the-heck-knows of the Android Stagefright security vulnerability, and there’s really no point keeping track of the days because no one’s going to fix it. The Android ecosystem can’t deal with security, and it won’t change until it’s too late.

    Android was originally designed, above all else, to be widely adopted. Google was starting from scratch with zero percent market share, so it was happy to give up control and give everyone a seat at the table in exchange for adoption. The sales pitch was simple: “Apple locked you all out of the iPhone and with Microsoft you’re just a customer, but on Android, you’ll all have a say in the end product.” The open source nature of Android allowed anyone to adapt its code to their hardware, and OEMs and carriers could (theoretically) alter or fork it to their hearts’ content.

    Now, though, Android has around 75-80 percent of the worldwide smartphone market—making it not just the world’s most popular mobile operating system but arguably the most popular operating system, period. As such, security has become a big issue. Android still uses a software update chain-of-command designed back when the Android ecosystem had zero devices to update, and it just doesn’t work. There are just too many cooks in the kitchen: Google releases Android to OEMs, OEMs can change things and release code to carriers, carriers can change things and release code to consumers. It’s been broken for years.

    The Android ecosystem’s reaction to the “Stagefright” vulnerability is an example of how terrible things are. An estimated 95 percent of Android devices have a remote arbitrary code execution vulnerability just by receiving a malicious video MMS.

    Their “fix” is going to be to patch 2.6 percent of all active Android devices. Tops. That’s the percentage of Android devices that are running Android 5.1 today, nearly five months after the OS was released.

    Reply
  2. Tomi Engdahl says:

    Sophie Curtis / Telegraph:
    Facebook, Google, Microsoft, Twitter, Yahoo now use IWF hash list to identify and block child porn images

    Facebook, Google and Twitter block ‘hash list’ of child porn images
    Some of the world’s biggest internet companies are joining forces to crack down on the sharing of child abuse images
    http://www.telegraph.co.uk/technology/internet-security/11794180/Facebook-Google-and-Twitter-to-block-hash-list-of-child-porn-images.html

    Internet giants including Facebook, Google, Microsoft, Twitter and Yahoo are stepping up the fight against paedophiles, with a new system that automatically blocks images of child sexual abuse.

    The companies have started using a database of thousands of known child sex abuse images compiled by the Internet Watch Foundation (IWF), known as a “hash list”, to identify and block these images.

    Each of the images has been assessed by a highly-trained analyst and assigned a “digital fingerprint” (also known as a hash value) – a unique code created by running the image through an algorithm.

    Any copies of the file that are made will produce the same hash value when analysed, so if anyone tries to share the image on Facebook, Microsoft, Google, Twitter or Yahoo, these companies will automatically detect the hash value and block the image.

    The hashing technology that the tech companies will use to identify known child abuse images has been developed by Google, and is now being shared with the wider industry. The IWF said that all eligible members will soon be offered access to the hash list.

    A similar system is already used by Dropbox, Google and other companies to prevent users from sharing copyright-protected files with other users.

    “The IWF hash list could be a game-changer and really steps up the fight against child sexual abuse images online,” said Susie Hargreaves, chief executive of the Internet Watch Foundation.

    The digital fingerprinting system also only blocks child sex abuse images that have been identified by the Internet Watch Foundation and subsequently added to the database. It is also possible to change the hash value by altering the image in some way.

    “There is no quick technical fix that will protect victims – the most effective approaches use education, responsible parenting and more resources for enforcing the law,” he said.

    Reply
  3. Tomi Engdahl says:

    Bitdefender suffers data breach, customer records stolen
    A hacker is demanding $15,000 in payment or they plan to release customer details online.
    http://www.zdnet.com/article/bitdefender-suffers-data-breach-customer-records-stolen/

    Bitdefender has become the latest cybersecurity firm to be targeted by hackers.

    A cyberattacker has been able to extract customer login credentials for Bitdefender clients. An individual dubbed DetoxRansome extolled the data breach on Twitter over the weekend, taking responsibility for the attack and posting a message saying: “Guess what guys Bitdefender has been toppled by yours truly.”

    DetoxRansome has also demanded $15,000 from Bitdefender, threatening the leak of a customer database online unless the ransom demand is accepted.

    The hacker later released login credentials for two Bitdefender employees and one customer as proof of the corporate data theft.

    In a blog post, security researchers Travis Doering and Dan McPeake say the hacker was willing to sell Bitdefender data including “access to all usernames and passwords persistently to their (Bitdefender) flagship products.”

    Antivirus Maker Bitdefender Hacked, Customer Data Being Sold In Shady Black Market Deals
    http://blog.hackerfilm.com/2015/07/antivirus-maker-bitdefender-hacked.html

    Bitdefender, the critical darling in internet security, appears to have been hacked and is now embroiled in a dangerous extortion plot that’s putting its over 400 million customers at risk.

    Friday July 24th 2015: A Hacker going by the handle DetoxRansome (DR) first attempted to blackmail the company via Twitter, writing “I want 15,000 us dollars or I leak your customer base”.

    Saturday July 25th 2015: DetoxRansome made his second attempt to monetize Bitdefender’s freshly stolen data, as well as the exploit with which he procured it. DR posted a listing on a pastee page detailing the private sale of what he later described in an email as “access to all usernames and passwords persistently to their (Bitdefender) flagship products”.

    Tuesday July 28th 2015: As he describes in the emails provided by our source, DR began exploiting the usernames and passwords to breach many of Bitdefender’s clients. “this has the potential of being huge as I’m able to sniff all customer usernames and passes gov mil pharm etc this is big as i was able to hack posworks.com.au by using this” DetoxRansome writes.

    Reached by Travis Doering late Monday evening, Bitdefender’s Marius Buterchi confirmed the hacking of accounts, and said the company was “Aware of the issue and have reset the passwords for the customers who’s credentials have been made public.”

    Reply
  4. Tomi Engdahl says:

    “Darkhotel” Cyberespionage Group Boosts Attacks with Exploit Leaked from Hacking Team
    http://www.kaspersky.com/about/news/virus/2015/Darkhotel-Cyberespionage-Group-Boosts-Attacks-with-Exploit-Leaked-from-Hacking-Team

    Following the public leak of files belonging to Hacking Team – the company known for selling “legal spyware” to some governments and law enforcement agencies – a number of cyberespionage groups have started using, for their own malicious purposes, the tools Hacking Team provided to its customers to carry out attacks. This includes several exploits targeting Adobe Flash Player and Windows OS. At least one of these has been re-purposed by the powerful cyberespionage actor, “Darkhotel”.

    Hacking Team zero-day used in new Darkhotel attacks
    http://www.wired.co.uk/news/archive/2015-08/10/darkhotel-hacking-team-cyber-espionage

    Exploits stolen from Hacking Team have been repurposed by a major cyber-espionage group responsible for attacks on corporate executives staying at luxury hotels.

    Known as “Darkhotel”, the group has been targeting business executives for the past eight years using a variety of spearphishing techniques.

    The hackers behind the attack are now using a zero-day vulnerability in Adobe Flash Player that used to form part of Hacking Team’s spyware services. Using a compromised website they have been able to infect target computers using the critical flaw in Adobe’s software.

    Internet security firm Kaspersky, which has been tracking Darkhotel since 2014, said the group had started using the Hacking Team zero-day almost immediately after it was leaked online on 5 July. Darkhotel is not thought to be a client of Hacking Team, the Italian spyware contractor that suffered a major data breach last month.

    Darkhotel’s attacks, which initially targeted Asian business executives staying in luxury hotels, have since extended their reach to countries such as Germany and Mozambique. In order to be effective the group has invested in half a dozen or more zero-days targeting Adobe Flash Player.

    Reply
  5. Tomi Engdahl says:

    Android fingerprint readers may be easier to hack than Touch ID
    http://www.engadget.com/2015/08/05/android-fingerprint-readers-may-be-easier-to-hack-than-touch-id/?ncid=rss_semi

    There’s nothing like a Black Hat Security Conference to leave you feeling exposed and vulnerable. Today’s compromise? Fingerprint readers. Security researchers Tao Wei and Yulong Zhang have exposed some pretty significant flaws in the Android fingerprint framework. The duo outlined a couple of different attacks — including malware that can bypass fingerprint-authenticated payment systems and various backdoor attacks — but the biggest offender was a “fingerprint sensor spying attack” that could remotely lift prints from affected phones. Researchers found the attack viable on both the HTC One Max and the Samsung Galaxy S5, but not on iPhone or other Touch ID devices.

    The security discrepancy is pretty huge. Affected devices simply don’t do enough to lock down their fingerprint scanners, often leaving them at the mercy of higher level system privileges. Apple’s Touch ID, on the other hand, won’t give up fingerprint data without a crypto key, Zhang told ZDNet — even if an attacker has direct access to the fingerprint sensor.

    The exploit is particularly troubling in light of the kind of information at stake: passwords can be changed if your credentials are compromised, but you can’t change your fingerprints.

    Reply
  6. Tomi Engdahl says:

    HTC caught storing fingerprints AS WORLD-READABLE CLEARTEXT
    Android biometric banks more Fort Nope than Fort Knox.
    http://www.theregister.co.uk/2015/08/10/htc_caught_storing_fingerprints_as_worldreadable_cleartext/

    Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max.

    The team found a forehead-slapping flaw in the HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open “world readable” folder.

    “Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the team says, adding that the images can be made into clear prints by adding some padding.

    It is one of four vulnerability scenarios in which biometric data normally secure in an Android phone’s TrustZone can be pilfered.

    One such scenario shows how attackers can have money transfers authenticated by throwing a fake lock screen prompting a victim to scan their fingerprints to unlock a device.

    “To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger,” the team says.

    “So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”

    The team say attackers with some remote code execution exploits in hand can harvest these fingerprints en masse.

    The researchers point out that this is a very serious mistake by citing research predicting that fingerprint scanners will exist in about half of all phones sold in 2019.

    Reply
  7. Tomi Engdahl says:

    CIOs vastly underestimate extent of shadow IT
    http://www.cio.com/article/2968281/cio-role/cios-vastly-underestimate-extent-of-shadow-it.html

    New study from Cisco reveals CIOs are operating in the dark, failing to meet end users’ needs for cloud applications and services.

    Most CIOs have an inkling that employees in their enterprise have snuck a few applications past the IT department, but a new study by Cisco indicates that they are vastly underestimating the extent that unauthorized apps and services have infiltrated the network.

    Consulting with CIOs and analyzing network traffic in a set of large enterprises in a variety of industries, Cisco determined that the typical firm has on the order of 15 to 22 times more cloud applications running in the workplace than have been authorized by the IT department.

    That level of pervasive shadow IT can create new security threats and introduce considerable waste into the enterprise, as employees in different business lines purchase duplicative services for common processes like storage and collaboration.

    “If they can’t see these cloud services being consumed, they can’t see the risk that’s being incurred,” says Bob Dimicco, global leader and founder of Cisco’s Cloud Consumption Service practice. “[If] you can’t see it, you really can’t manage it.”

    And by Cisco’s tally, there is quite a bit that CIOs aren’t seeing. On average, CIOs surveyed estimated that there were 51 cloud services running within their organization. According to Cisco’s analysis, the actual number is 730.

    The lion’s share of the unauthorized cloud applications that Cisco identified fall into the categories of Software-as-a-Service or Infrastructure-as-a-Service, with platform-level applications a distant third.

    And it cuts across sectors. Even in highly regulated industries such as healthcare and financial services, Cisco found between 17 and 20 times more cloud applications running than the IT department estimated.

    “The shock to the CIO was the magnitude and the pervasiveness,”

    Cisco points to a confluence of factors that have led to the rise of shadow IT, which Dimicco boils down to two overarching trends — “hyper-connectivity” and what he calls “hyper-distributed clouds,” where data can reside across an interconnected set of public and private deployments.

    So how is the CIO to respond to the surge in shadow IT? Dimicco outlines two broad options, and sees a clear choice.

    On the one hand, CIOs can turn a blind eye to the problem and continue to provision cloud services as they have been, which, it seems clear enough, is not meeting the needs of end users.

    Alternatively, he suggests that CIOs and other enterprise leaders rethink how their organizations approach IT on a fundamental level

    “Rather than trying to stop it, I’m going to look at it and say this represents hybrid IT,” he says.

    “It starts with discovering and identifying what’s being used,” Dimicco says, “and then taking that data and applying it to an informed cloud strategy so the IT organization can be a broker.”

    Reply
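The discovery step Dimicco describes (find out what cloud services are actually in use, then compare with what IT has sanctioned) as an added example; this is not code from Cisco, the CIO article or the comment above. The proxy log format, the service catalogue, the sanctioned list and the log lines are all constructed for illustration.

```python
"""Discover cloud services from proxy logs and compare them with the sanctioned list.

Added example, not from the Cisco study or the CIO article. The log format,
the service catalogue and the authorised list below are constructed.
"""
import re
from collections import Counter

# Constructed catalogue: hostname suffix -> (service name, delivery model)
CATALOGUE = {
    "storage-a.example": ("StorageA", "SaaS"),
    "chat-b.example": ("ChatB", "SaaS"),
    "compute-c.example": ("ComputeC", "IaaS"),
    "paas-d.example": ("PaasD", "PaaS"),
    "notes-e.example": ("NotesE", "SaaS"),
}
# What the IT department believes is in use (constructed)
AUTHORISED = {"StorageA"}

# Constructed proxy log lines: timestamp user host path bytes
LOG_LINES = """\
2015-08-10T09:01:02Z alice api.storage-a.example /upload 4096
2015-08-10T09:02:10Z bob   www.chat-b.example /ws 512
2015-08-10T09:05:44Z carol files.storage-a.example /sync 8192
2015-08-10T09:07:00Z bob   console.compute-c.example /instances 1024
2015-08-10T09:09:31Z dave  app.paas-d.example /deploy 2048
2015-08-10T09:11:12Z alice www.notes-e.example /note 256
2015-08-10T09:12:00Z erin  intranet.example-corp.example /home 300
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def service_for(host):
    """Map a hostname to a catalogue entry by longest matching suffix; None if unknown."""
    best = None
    for suffix, entry in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def discover(log_text):
    """Return {service: {"category", "users", "requests"}} for every catalogue hit in the log."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _, user, host, _, _ = m.groups()
        entry = service_for(host)
        if entry is None:
            continue  # internal or uncatalogued host
        name, category = entry
        rec = seen.setdefault(name, {"category": category, "users": set(), "requests": 0})
        rec["users"].add(user)
        rec["requests"] += 1
    return seen


def shadow_report(seen, authorised):
    """Split discovered services into sanctioned and shadow; count shadow services per model."""
    shadow = {name: rec for name, rec in seen.items() if name not in authorised}
    by_category = Counter(rec["category"] for rec in shadow.values())
    # Ratio of services actually observed to services IT knew about
    ratio = len(seen) / max(len(authorised), 1)
    return {
        "sanctioned": sorted(set(seen) & set(authorised)),
        "shadow": sorted(shadow),
        "by_category": dict(by_category),
        "ratio": ratio,
    }


if __name__ == "__main__":
    report = shadow_report(discover(LOG_LINES), AUTHORISED)
    for key, value in report.items():
        print(f"{key}: {value}")
```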
  8. Tomi Engdahl says:

    Tech Firm Ubiquiti Suffers $46M Cyberheist
    http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/

    Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers.

    “This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred.”

    Known variously as “CEO fraud,” and the “business email compromise,” the swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.

    Ubiquiti didn’t disclose precisely how it was scammed, but CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name.

    The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.

    FORM 8-K
    https://www.sec.gov/Archives/edgar/data/1511737/000157104915006288/t1501817_8k.htm

    Business Fraud

    On June 5, 2015, the Company determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.

    Reply
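A mail-gateway check for the CEO-fraud patterns named above (a look-alike domain one or two letters off, an executive's display name on an outside mailbox, or an internal From: with a Reply-To: pointing elsewhere) as an added example; this is not code from Krebs, the FBI advisory or Ubiquiti. The company domain, the executive list, the confusable-character table and the sample headers are constructed.

```python
"""Flag From:/Reply-To: headers that match business email compromise patterns.

Added example, not from the article or the FBI advisory. COMPANY_DOMAIN,
EXECUTIVES, CONFUSABLES and SAMPLE_MESSAGES are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

COMPANY_DOMAIN = "example-corp.com"      # assumption: the organisation's real domain
EXECUTIVES = {"jane doe"}                # assumption: display names worth protecting

# Visually confusable substitutions seen in spoofed domains (constructed table)
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "rn": "m", "vv": "w", "3": "e"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold confusable characters so 'example-c0rp.com' compares equal to the real domain."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def sender_domain(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


@dataclass
class Verdict:
    sender: str
    domain: str
    reason: str  # internal, reply-to-redirect, lookalike, display-name-spoof or external


def classify(from_header: str, reply_to: Optional[str] = None) -> Verdict:
    """Classify one message's From: header (and optional Reply-To:) for BEC indicators."""
    domain = sender_domain(from_header)
    if domain == COMPANY_DOMAIN:
        # Genuine internal address but replies routed to an outside mailbox
        if reply_to and sender_domain(reply_to) != COMPANY_DOMAIN:
            return Verdict(from_header, domain, "reply-to-redirect")
        return Verdict(from_header, domain, "internal")
    # Look-alike: confusable-character variant or within two edits of the real domain.
    # The edit-distance threshold can over-match on very short domains; tune per estate.
    if normalize(domain) == normalize(COMPANY_DOMAIN) or levenshtein(domain, COMPANY_DOMAIN) <= 2:
        return Verdict(from_header, domain, "lookalike")
    # Display-name spoof: an executive's name in front of an unrelated mailbox
    display = from_header.split("<")[0].strip().strip('"').lower()
    if display and any(name in display for name in EXECUTIVES):
        return Verdict(from_header, domain, "display-name-spoof")
    return Verdict(from_header, domain, "external")


# Constructed sample headers: (From:, Reply-To:)
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example-corp.com>", None),
    ("Jane Doe <jane.doe@example-c0rp.com>", None),
    ("Jane Doe <jane.doe@exampl-corp.com>", None),
    ("Jane Doe <ceo.janedoe@gmail.example>", None),
    ("Jane Doe <jane.doe@example-corp.com>", "jane.doe@examplecorp-mail.example"),
    ("Supplier Billing <ap@supplier.example>", None),
]


def scan(messages):
    """Classify every (From:, Reply-To:) pair; only 'internal' and 'external' need no review."""
    return [classify(frm, rt) for frm, rt in messages]


if __name__ == "__main__":
    for v in scan(SAMPLE_MESSAGES):
        print(f"{v.reason:20} {v.sender}")
```

A verdict other than internal or external is a cue for the out-of-band verification the FBI advisory recommends (a phone call on a known number) before any wire transfer is approved.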
  9. Tomi Engdahl says:

    You’ll LITERALLY PAY for getting tricked into visiting these scam sites
    Invisible self-pushing zombie payment buttons alarm mobe security experts
    http://www.theregister.co.uk/2015/08/11/direct_to_bill_mobile_payment_scam/

    Cyber-crooks have latched on to online scams that exploit direct-to-bill payment options.

    Security firm Malwarebytes warns that crooks are tricking users into visiting mobile sites containing code that charges users via their mobile number. Victims are corralled through a complex series of pop-up adverts to a fly-by-night web address with a hidden payment button that charges a fee.

    Marks only discover they’ve been fleeced after receiving a text saying “you’ve paid £5 for one entry for visiting our website” or similar.

    Direct-to-bill online services have been around for some years, offering consumers a means to pay for services using their mobile phones without relying on a credit or debit card. The facility has numerous legitimate uses (charity donations, for example) but in cases highlighted by Malwarebytes, fraudsters have abused the system to suit their own nefarious purposes.

    Christopher Boyd, a malware intelligence analyst at Malwarebytes, said that the scam illustrates the hidden danger from pop-ups, adverts and mobile redirects.

    “In some cases, victims may be convinced they’ve not even interacted with the page in terms of clicking on buttons, filling in forms or signing up to something before receiving a text message stating they’ve been charged,” Boyd said.

    Sites related to rogue charges place paid advertising on ad networks.

    “Some of the thread posters will state that they did indeed click on things or download something, but the majority are firm in their belief that they didn’t interact with pages in any way, shape or form,”

    Reply
  10. Tomi Engdahl says:

    Windows Server 2003 support has gone. Here’s how to survive
    Life after support
    http://www.theregister.co.uk/2015/08/11/win2k3_support_has_gone_heres_how_to_survive/

    Windows Server 2003 End of Support was on July 14th 2015 and we’ve got some very practical tips and advice to help you keep your implementations running safely.

    talk through the range of security and management challenges that End of Support can cause and show you how to develop an action plan to prevent them.

    http://whitepapers.theregister.co.uk/paper/view/3908/

    Reply
  11. Tomi Engdahl says:

    IBM: High-severity vulnerability puts Android M devices at risk
    Underprivileged apps can be raised up by eager hackers
    http://www.theinquirer.net/inquirer/news/2421537/ibm-high-severity-vulnerability-puts-android-m-devices-at-risk

    ANDROID’S BAD SECURITY SUMMER ROLLS ON. IBM has thrown more drama at the operating system, claiming that a high-severity serialisation vulnerability has users doomed.

    We haven’t messed about. We went straight to Google for a response. We are waiting for it. We do not have to look hard, or wait long for the dirty details as IBM has blogged about it on its own security news pages.

    “In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a ‘super app’ and help the cyber criminals own the device,” IBM said.

    “In addition to this Android serialisation vulnerability, the team also found several vulnerable third-party Android SDKs which can help attackers own apps.”

    What we have here is something not unlike the methods used by the infamous Hacking Team, which employed a fake news app to grab elevated privileges on devices.

    One Class to Rule Them All: New Android Serialization Vulnerability Gives Underprivileged Apps Super Status
    https://securityintelligence.com/one-class-to-rule-them-all-new-android-serialization-vulnerability-gives-underprivileged-apps-super-status/#.Vcn21flLZ4D

    Over 55 percent of Android phones are at risk of a high-severity serialization vulnerability that IBM’s X-Force Application Security Research Team found in the Android platform. In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device. In addition to this Android serialization vulnerability, the team also found several vulnerable third-party Android software development kits (SDKs), which can help attackers own apps.

    We recently saw a similar attack technique exposed as part of the Hacking Team leak. That exploit used a fake news app called BeNews that was built to bypass Google Play’s filtering by requiring a benign set of privileges.

    For instance, an attacker can take over any application on the victim’s device by replacing the target app’s Android application package (APK). This can then allow the attacker to perform actions on behalf of the victim. In addition, we were able to run shell commands to exfiltrate data from all applications installed on the device by exploiting the Android Keychain app. We could also change the SELinux policy and, on some devices, also load malicious kernel modules.

    Once our malware is executed, it replaces a real app with a fake one, allowing the attacker to exfiltrate sensitive data from the app and/or create a perfect phishing attack.

    Reply
  12. Tomi Engdahl says:

    Jail incompetent council folk who leak our data, thunders furious BBW
    Internal slaps on the wrist are no punishment for endangering the public
    http://www.theregister.co.uk/2015/08/11/jail_data_leakers_big_brother_watch/

    A report published today by British privacy rights group Big Brother Watch (BBW) says the scale of private data being leaked is so great that those responsible should be jailed.

    Between April 2011 and April 2014, local councils experienced around four data breaches a day – a total of 4,236 instances – according to figures compiled by BBW.

    In the three years covered by the report (PDF), more than 400 devices, including 180 mobile phones, computers, tablets and USBs, were lost or stolen. In a further 600 cases information was inappropriately shared.

    BBW is annoyed that just one person has faced criminal sanctions, despite the huge number of breaches. Fifty were dismissed and another 39 resigned, but BBW says this does not go far enough, particularly as children’s information was involved in 658 occasions.

    “Current penalties for serious data breaches do not deter individuals who are seriously considering breaking the law,

    With “human error” being the main reason behind the vast number of breaches, BBW says data protection training should be mandatory for members of staff with access to personal information as well as mandatory reporting rules for breaches that concern members of the public.

    Reply
  13. Tomi Engdahl says:

    IWF took down over 31,000 child sexual abuse URLs in 2014
    Watchdog hunts online networks
    http://www.theregister.co.uk/2015/04/15/iwf_annual_report_proactive_searching_increases_takedowns/

    Last year saw a 136 per cent increase in identified and subsequently removed child abuse imagery, according to a just-released report from the Internet Watch Foundation (IWF).

    In its Annual Report for 2014, the body revealed that its new ability to actively seek out criminal content has been effective in allowing it to identify more material than ever before.

    The IWF, an industry-funded charity and watchdog, has been the UK’s hotline for reporting child sexual abuse imagery online since 1996, and actively attempts to minimise the availability of child abuse images.

    Historically, it functioned by receiving reports of suspected child abuse images from the public and investigating the material itself, issuing a notice of takedown to the hosting company if IWF staff assessed the material as illegal.

    It also maintained a confidential blacklist for ISPs to sign up to.

    The IWF said it helped remove 31,266 URLs containing child sexual abuse material during 2014, compared with 13,182 in 2013, by actively searching for images and videos using intelligence-based tactics.

    The report noted: “Less than 0.3 per cent (95 URLs) of the imagery identified last year was hosted in the UK (while in 1996, 18 per cent was UK-hosted) and 95 per cent was removed within a day, often within two hours. Last year, most material was hosted in North America (56 per cent) and Europe, including Russia (41 per cent).”

    IWF shares ‘hash list’ with web giants to flush out child sex abuse images online
    UK org tracks illegal material with new tech, gov database
    http://www.theregister.co.uk/2015/08/11/iwf_child_abuse_hash_list_released/

    The UK’s telco-backed Internet Watch Foundation has distributed a hash list of child abuse images to the likes of Google, Facebook and Twitter – in an attempt to hasten the removal of such content across the globe.

    Microsoft’s PhotoDNA was one of the technologies used by the IWF to create the hashes, which serve as digital fingerprints of an image.

    The organisation, which – among other things – provides ISPs with a blocklist of child sexual abuse URLs of unlawful content that is hosted outside of the UK, added that it would also create MD5 and SHA-1 hashes “to meet the needs of the online industry.”

    IWF analysts, who have the gruelling task of sifting through photos and videos showing children being sexually exploited, will generate the hashes from images that they have assessed.

    However, for now, the IWF can only offer hashes of still images. It said it was working with one of its members to trial video hashing software. But no word yet on when this will be made available.

    Reply
  14. Tomi Engdahl says:

    Want to download free AV software? Don’t have a Muslim name
    Reg reader struggles to gain Sophos protection thanks to export laws
    http://www.theregister.co.uk/2015/08/07/sophos_anti_muslim_name_filter

    Exclusive Software export controls are being applied to blacklisted people as well as countries: and these controls apply to routine security packages such as freebie antivirus scanning software, as well as more sensitive technologies, El Reg has concluded.

    We’ve come to this way of thinking after investigating why Reg reader Hasan Ali was blocked from downloading Sophos AV for Mac.

    In response, Sophos said the filter was based on the International Denied Persons List and its use was routine procedure that it needed to follow in order to comply with various international export laws.

    “Our policy, in accordance with the US Export Regulations and other similar EU and UK regulations, is to ask for additional information to check if it is a true match or if it is, as in almost all cases, a ‘false positive’ match.”

    Reply
  15. Tomi Engdahl says:

    Stupid idea from Finnish politician??

    Finnish politician suggests people be embedded with a chip to prevent misuse of social welfare benefits abroad
    http://www.metropolitan.fi/entry/finnish-politician-suggests-people-be-embedded-with-a-chip-to-prevent-misuse-of-social-welfare-benefits-abroad

    In the last few days paying out social benefits to citizens living outside of Finland has been in discussions. A politician from the True Finns Party, Pasi Mäenranta, is also worried about the abuse of the benefits. He published a post on Facebook, where he suggests that all Finnish citizens leaving the country be embedded with an identification chip.

    Mäenranta feels that tagging and tracking citizens leaving the country could be a viable option for preventing abuse of the state social benefits.

    He suggests that the system would be voluntary, but leaving the country without it would suspend payment of social welfare benefits. In addition it could be used for tracking people in natural catastrophes or other events.

    Reply
  16. Tomi Engdahl says:

    Oracle pulls CSO’s BONKERS anti-bug bounty and infosec rant
    No. You. FSCKing. Can’t: Exec fires wild broadsides over heads of security community
    http://www.theregister.co.uk/2015/08/11/oracle_anti_security_research_rant/

    While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse.

    Mary Ann Davidson, Oracle’s chief security officer (CSO), expressed corporate dislike from the software giant for both reverse engineers and bug bounties in a long blog post on Monday. The post was pulled on Tuesday lunchtime, but its contents remain available via the Internet Archive here.

    “Bug bounties are the new boy band (nicely alliterative, no?),” Davidson wrote. “Many companies are screaming, fainting and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87 per cent of security vulnerabilities ourselves, security researchers find about 3 per cent and the rest are found by customers.”

    “I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on.”

    This attitude is in marked contrast to the likes of Google, Microsoft and Facebook, who have all thrown their weight behind their corporate bug bounty programmes.

    Davidson goes on to bemoan users looking for vulnerabilities in its code, arguing that they are breaking licensing agreements and that third-party consultants are also bound by them by extension.

    It doesn’t matter that criminal hackers and intel agencies do reverse engineer Oracle’s code to look for vulnerabilities, according to Oracle. Customers and their suppliers still need to toe the line, whatever their motives, and stick by licensing agreements.

    Oracle’s essential line is that everyone should stop reversing its code, respect its licensing agreement and trust its infosec assurance programme to fix problems that crop up rather than kicking the wheels and looking underneath the bonnet themselves.

    Oracle has a long and fractious relationship with security researchers.

    “Oracle’s legal threats for security researchers who ‘reverse engineer’ their products is just part of a larger war on researchers,” said infosec researcher Rob Graham, the developer who created the BlackICE intrusion prevention tool.

    “Oracle cares more about protecting its intellectual property than their customers,” added Brian Honan, the independent security consultant who runs Ireland’s CERT – a sentiment echoed by other infosec experts.

    A few (very much the minority) expressed sympathy towards Oracle.

    Reply
  17. Tomi Engdahl says:

    How (not) to build a secure mobile messaging platform
    https://mikkolehtisalo.wordpress.com/2015/07/12/how-not-to-build-a-secure-mobile-messaging-platform/

    Lately there have been noticeable efforts for secure mobile messaging platforms. There are simply too many already to even start listing them. Most of the nation states seem to be working to obtain one, with or without commercial partners. Products come and go. So far I have not seen one that touches the fundamental problem that there is a difference between mass surveillance and being actually targeted by a state level aggressor.

    The biggest issue with just taking some generic reference hardware and slapping a hardened Android on it is the architecture.

    The hardening is most usually focused around what is referred to as the application processor that runs the main operating system. The communications processor is ignored, although it is significant for several reasons.

    As a result, if you are using an encrypted VOIP service while someone has control of the communications processor, listening to the conversation is undetectable and possible via a side channel attack. This is not a theoretical threat either.

    Yes, it’s a Nokia 3310. A few models in that line had a network monitoring firmware. At least on those models you could command the application processor to power off independently. After that you could call that phone with special codes, the communications processor would answer the call and let you listen to everything. The phone looked completely dead to the user. Taking a device that has even a chance of functioning like that into any secure working area is a huge risk!

    The point here is, taking into account only hardening the application processor is a major issue. I am not saying that the most common phones nowadays have security vulnerabilities or backdoors in their communications processors. What is significant is that the hardware architecture of modern phones was never designed for security. Every single component is handled as being trustworthy. At least the ones facing the network should be sandboxed properly, but they are not!

    It should be noted that secure sourcing is hard.

    Let’s say the mobile device had a perfect encrypted VOIP solution. It was completely audited, and accredited for use. You could go into hostile network environments and communicate securely from there, without any fear of incidents.

    Then someone bought a cheap Bluetooth headset, paired it with the mobile device, stayed within 500 meters or so, eavesdropped on the connection, and took a jab at the several magnitudes easier encryption scheme.

    Now, you would be running the risk of information leak. Also, you would have to audit and accredit the Bluetooth chip, with its settings and all, and the client devices. At an immense cost.

    The users have a hard time accepting disabling several expected features of a mobile phone, while the pointy haired bosses wish to keep the costs down. One way to meet in the middle might be allowing some devices while the user is not working with secured connections, and dropping everything while a secure mode is on.

    Now here’s the issue. The cryptographic algorithms are just one part of encryption. After the basics are laid out correctly the key management becomes more important, and the primary attack surface of the encryption.

    Reply
  18. Tomi Engdahl says:

    Oracle CSO to Customers: Leave the Vulnerabilities to Us
    http://hackaday.com/2015/08/11/oracle-cso-to-customers-leave-the-vulnerabilities-to-us/

    [Mary Ann Davidson], chief security officer of Oracle, is having a bad Tuesday. The internet has been alight these past few hours over a blog post published and quickly taken down from Oracle’s servers.

    Reply
  19. Tomi Engdahl says:

    Joab Jackson / Computerworld:
    Oracle issues apology after retracting blog post written by its CSO that discouraged third party security research

    Oracle yanks blog post critical of security vendors, customers
    http://www.computerworld.com/article/2969378/security/oracle-yanks-blog-post-critical-of-security-vendors-customers.html

    Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them.

    Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company’s proprietary software, with the aim of finding as of yet unfixed security vulnerabilities.

    The missive, entitled “No, You Really Can’t,” was issued Monday on Davidson’s corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post.

    “We removed the post as it does not reflect our beliefs or our relationship with our customers,” wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a statement emailed Tuesday.

    Reply
  20. Tomi Engdahl says:

    Cory Doctorow Rails Against the Effect of DRM and the DMCA
    http://hackaday.com/2015/08/08/corey-doctorow-rails-against-the-effect-of-drm-and-the-dmca/

    If you weren’t at [Cory Doctorow’s] DEF CON talk on Friday you missed out. Fighting Back in the War on General Purpose Computing was inspiring, informed, and incomparable. At the very lowest level his point was that it isn’t the devices gathering data about us that is the big problem, it’s the legislation that makes it illegal for us to make them secure. The good news is that all of the DEF CON talks are recorded and published freely. While you wait for that to happen, read on for a recap and to learn how you can help the EFF fix this mess.

    One of the best examples of this is sub-prime car lending. These types of agreements can include where you’re allowed to drive the vehicle, and if you go out of bounds an ignition interlock can remotely disable your car.

    Another example [Cory] cited was the John Deere tractor story we covered in May.

    The idea of DRM was codified in the 1998 Digital Millennium Copyright Act or DMCA. The key provision of this law is DMCA 1201 which deals with Anti-Circumvention. This makes it a crime to break a lock that is protecting any copyrighted material, and the penalties are severe: 5 years in prison and $500,000. One of the key provisions of this bill is that it shifts the cost of enforcement onto the government; companies don’t have to pay to litigate against anyone who violates the DMCA.

    The penalties are a huge deterrent. But this has an unpleasant side-effect. There is no allowance for security research. Which means that if you find a vulnerability and disclose it you are breaking the law. Let me repeat that… if you disclose a security vulnerability (privately) to the company that makes the hardware you are breaking the law. This makes our system fundamentally insecure by strongly disincentivizing anyone other than criminals from finding — or at least reporting — security flaws.

    This is well-outlined in the Electronic Frontier Foundation’s report: Fifteen Years under the DMCA.

    We Can Solve This

    It is unlikely that the DMCA is going to be fixed in congress, so [Cory] and his colleagues at the EFF have a plan to fix this. They want to kill DRM worldwide in the next 10 years.

    Unintended Consequences: Fifteen Years under the DMCA
    https://www.eff.org/pages/unintended-consequences-fifteen-years-under-dmca

    Reply
  21. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Researchers hack a Corvette’s brakes via an insurance dongle used in many modern vehicles to monitor speed, location; affected systems are receiving OTA updates

    Hackers Cut a Corvette’s Brakes Via a Common Car Gadget
    http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/

    Car hacking demos like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes. But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars’ most sensitive guts.

    At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.

    Reply
  22. Tomi Engdahl says:

    Marco Arment / Marco.org:
    The profusion of privacy-violating web trackers invalidates the already-shaky theory that ad-blocking violates an implied contract — The ethics of modern web ad-blocking — More than fifteen years ago, in response to decreasing ad rates and banner blindness, web advertisers and publishers adopted pop-up ads.

    The ethics of modern web ad-blocking
    http://www.marco.org/2015/08/11/ad-blocking-ethics

    More than fifteen years ago, in response to decreasing ad rates and banner blindness, web advertisers and publishers adopted pop-up ads.

    People hated pop-up ads. We tolerated in-page banners as an acceptable cost of browsing free websites, but pop-ups were over the line: they were too annoying and intrusive. Many website publishers claimed helplessness in serving them — the ads came from somewhere else that they had little control over, they said. They really needed the money from pop-ups to stay afloat, they said.

    The future didn’t work out well for pop-ups. Pop-up-blocking software boomed, and within a few years, every modern web browser blocked almost all pop-ups by default.

    A line had been crossed, and people fought back.

    People often argue that running ad-blocking software is violating an implied contract between the reader and the publisher: the publisher offers the page content to the reader for free, in exchange for the reader seeing the publisher’s ads. And that’s a nice, simple theory, but it’s a blurry line in reality.

    By that implied-contract theory, readers should not only permit their browsers to load the ads, but they should actually read each one, giving themselves a chance to develop an interest for the advertised product or service and maybe even click on it and make a purchase. That’s also a nice theory, but of course, it’s ridiculous to expect anyone to actually do that. Publishers are lucky if people even read the content with any real attention today, let alone the ads around it.

    Reply
  23. Tomi Engdahl says:

    New York Times:
    Nine charged in SEC insider trading case that alleges Business Wire, PR Newswire, others were hacked over a five year period, leaking over 150K press releases — Nine Charged in Insider Trading Case Tied to Hackers — Federal authorities announced on Tuesday that they had broken …

    Nine Charged in Insider Trading Case Tied to Hackers
    http://www.nytimes.com/2015/08/12/business/dealbook/insider-trading-sec-hacking-case.html?_r=0

    It was a symbiotic relationship that brought together the underbelly of Wall Street and the dark reaches of the online world.

    From their suburban homes in the United States, dozens of rogue stock traders would send overseas hackers a shopping list of corporate news releases they wanted to get a sneak peek at before they were made public. The hackers, working from Ukraine, would then deliver how-to videos by email with instructions for gaining access to the pilfered earnings releases.

    In all, 32 traders and hackers reaped more than $100 million in illegal proceeds in a sophisticated and brazen scheme that is the biggest to marry the wizardry of computer hacking to old-fashioned insider trading, according to court filings made public on Tuesday. One of the men, Vitaly Korchevsky, a hedge fund manager and former Morgan Stanley employee living in a Philadelphia suburb, made $17 million in illegal profits, the indictment said.

    In one indictment, federal prosecutors in New Jersey said five of the men broke into companies like Business Wire and PR Newswire over five years to steal more than 150,000 news releases being prepared by publicly traded corporations before the information was released to the public. Another company whose releases were stolen before they were made public was Marketwired.

    Mr. Fishman did not fault the wire services and said they had cooperated with the investigation.

    The authorities said the traders seeking an illegal edge provided “shopping lists” to hackers for the kinds of news releases they wanted and the companies they wanted to trade on. The men obtained information from more than 30 companies, including Bank of America, Clorox, Caterpillar and Honeywell, the authorities said.

    But the traders were also deliberate. The authorities said they traded ahead of the information contained in only about 800 of the hundreds of thousands of releases they got a sneak peek at — indicating a methodical and well-timed approach to concealing their activities.

    The authorities monitored some of the defendants for years, the indictment said.

    The authorities said tens of millions of illegal trading profits had been recovered from bank accounts maintained by the traders and hackers.

    The charges against the men demonstrate the various ways in which computer hackers can profit richly from illegally obtained information.

    Reply
  24. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Firefox 40 arrives with Windows 10 support, expanded malware protection, and new Android navigation gestures
    http://venturebeat.com/2015/08/11/firefox-40-arrives-with-windows-10-support-expanded-malware-protection-and-new-android-navigation-gestures/

    Reply
  25. Tomi Engdahl says:

    Ben Lovejoy / 9to5Google:
    LastPass password manager now free on mobile devices, but syncing across platforms still costs $12/year

    LastPass password manager now free on mobile devices, but going cross-platform still costs
    http://9to5google.com/2015/08/11/lastpass-free-mobile/

    LastPass, which claims to be the world’s most popular password manager, now offers the choice of free usage on either mobile or desktop platforms. Previously, desktop use was free while use on a mobile device required a $12 annual subscription.

    You can now use it for free on either platform – but still need to pay to get both mobile and desktop usage. LastPass told us that, seven years in, it was time to change its freemium pricing model …

    The new model could be good timing for Samsung Galaxy S6 owners, who got either three or six months LastPass Premium subscription with their smartphones.

    A password manager allows you to have strong, unique passwords for each website you use, without even having to know what they are.

    LastPass for Android is a free download from Google Play.

    Reply
  26. Tomi Engdahl says:

    Attackers actively exploit Windows bug that uses USB sticks to infect PCs
    In-the-wild exploit is reminiscent of those used to unleash Stuxnet worm.
    http://arstechnica.com/security/2015/08/attackers-actively-exploit-windows-bug-that-uses-usb-sticks-to-infect-pcs/

    Attackers are actively exploiting a vulnerability in all supported versions of Windows that allows them to execute malicious code when targets mount a booby-trapped USB on their computers, Microsoft warned Tuesday in a regularly scheduled bulletin that patches the flaw.

    The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.

    When Microsoft patched the .LNK vulnerability in 2010 with MS10-046, company officials classified the vulnerability as “critical,” the company’s highest severity rating.

    In addition to fixing the bug, Microsoft is also releasing software that allows patched computers to log attempts to exploit the bug. That will make it easier for people to know if they were targeted by attackers.

    Defending against CVE-2015-1769: a logical issue exploited via a malicious USB stick
    http://blogs.technet.com/b/srd/archive/2015/08/11/defending-against-cve-2015-1769-a-logical-issue-exploited-via-a-malicious-usb-stick.aspx

    Reply
  27. Tomi Engdahl says:

    Apple and Google are KILLING KIDS with encryption, whine lawyers
    Ill-informed state PR campaign to kill encryption continues
    http://www.theregister.co.uk/2015/08/12/apple_google_encryption/

    Children are being raped, citizens murdered, and lost souls trafficked for sex and the police can’t do anything about it thanks to Apple and Google, senior government lawyers and a top cop have claimed.

    In an op-ed in The New York Times, Manhattan district attorney Cyrus Vance Jr; Adrian Leppard, commissioner of the City of London Police; Paris’ chief prosecutor François Molins; and Javier Zaragoza, chief prosecutor of the High Court of Spain, said that the current situation is unsupportable and legal changes are needed to keep the public safe.

    “The new encryption policies of Apple and Google have made it harder to protect people from crime,” they wrote.

    “We support the privacy rights of individuals. But in the absence of cooperation from Apple and Google, regulators and lawmakers in our nations must now find an appropriate balance between the marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes.”

    Criminals are getting wise to this, they warned, citing (apparently without irony) a conversation between a prison inmate and a visitor that was listened to, where the convict was heard to say that “Apple and Google have these softwares” that lock up phones.

    But why let logic enter the debate – there are crypto wars to fight and we must all think of the children and let the government see whatever they want, when they want it. It’s the only way to stop killers stabbing you in your sleep.

    Reply
  28. Tomi Engdahl says:

    Blacklists miss 90% of malware blogged IP love
    Correlate all the things.
    http://www.theregister.co.uk/2015/08/12/two_shady_men_walk_into_a_bar_blacklist_report/

    Threat intelligence firm RecordedFuture says popular web blacklists are missing thousands of IP addresses linked to malware data theft.

    The Massachusetts company, which boasts it’s scored four out of five “top companies in the world” as clients, says correlating IP addresses to malware references yields between a thousand and tens of thousands of bad IP addresses that common blacklist sources miss.

    The company’s report on the matter (PDF) says that more than 90 percent of the 1521 notably nasty IP addresses linked to two pieces of malware and 67,563 associated with one malicious executable are unknown to net blacklists.

    Reply
  29. Tomi Engdahl says:

    Patching up a fragmented, Stagefrightened Android isn’t easy
    REM had the answer in 1992, Google
    http://www.theregister.co.uk/2015/08/12/android_patching_analysis_stagefright_google/

    Android users face a triple patching headache with the recent discovery of a collection of serious vulnerabilities affecting smartphones and tablets running Google’s mobile operating system.

    Security experts warn that the fragmented nature of Android devices will make patching more difficult than it would be in updating PCs.

    The Stagefright vulnerability, which could be used by an attacker to install a spyware app in a target’s phone without their knowledge just by sending an MMS, was quickly followed up by the “Certifi-gate” vulnerability, which poses a similar risk.

    The Certifi-gate flaw was found within pre-installed plug-ins for mobile remote support tools (MRSTs) bundled with Android devices.

    Because of a security weakness hackers might be able to wrap seemingly innocuous apps with MRSTs, bypassing Android security restrictions in the process.

    This week another blockbuster security flaw in Android – this time hitting 55 per cent of mobiles – emerged. The latest (unnamed) privilege escalation hole allows normal apps to gain superuser rights to snoop on a device’s owner, smuggle in malware, and more.

    Curtain call

    Google has promised to patch Stagefright and Samsung and LG have committed to monthly fixes.

    Some security firms estimate Google has to do even more if it wants to avoid Android being seen as less secure than devices based on Apple’s iOS. In particular, it needs to push carriers to push over-the-air updates promptly after fixes become available.

    “However, my optimism is still very cautious, because while Google and the handset manufacturers are taking steps to improve security, I haven’t seen any similar commitments from the various carriers,” he added.

    “It’s still unclear if carriers have prioritised pushing out these patches in an over-the-air update, which means that Android users are still expected to seek out these patches and apply them themselves,” he said.

    “We’ve seen that automatic patch systems are vastly more effective than merely making patches available in pretty much every other hardware and software ecosystem, and I’m hopeful that the Android space will get there sooner rather than later,” Beardsley explained, adding that legacy smartphones pose a particular challenge.

    Reply
  30. Tomi Engdahl says:

    Privacy Visor’ Can Fool Face-Recognition Cameras
    http://yro.slashdot.org/story/15/08/12/0220230/privacy-visor-can-fool-face-recognition-cameras

    Dark shades aren’t enough to go incognito in the age of face recognition camera systems. For that you need the Privacy Visor developed at Japan’s National Institute of Informatics.

    How Japan’s Privacy Visor fools face-recognition cameras
    http://www.itworld.com/article/2969735/security/how-japans-privacy-visor-fools-facerecognition-cameras.html

    If you’re worried about Big Brother monitoring you from security cameras, Japan has developed eyewear that can keep you anonymous.

    The Privacy Visor consists of a lightweight, wraparound, semitransparent plastic sheet fitted over eyewear frames. It’s bulky and not exactly stylish, but it could have customized designs.

    It’s meant to thwart face-recognition camera systems through a very simple trick. It reflects overhead light into the camera lens, causing the area around the eyes to appear much brighter than it normally does.

    That’s enough to trick standard face-recognition systems, such as the Viola-Jones object detection framework, according to the National Institute of Informatics (NII), which has been developing the visor for years.

    “This is a way to prevent privacy invasion through the many image sensors in smartphones and other devices that can unintentionally photograph people in the background,” said NII researcher Isao Echizen, who has been developing the visor through several prototypes. He cited facial recognition apps such as NameTag for Google Glass as an example of how the technology is spreading.

    A 2012 version, powered by a lithium-ion battery, included LED lights around the nose that shined near-infrared light toward cameras. Computer-vision systems were also fooled by the bright light, but the visor looked dorky and required a bulky power source.

    The latest prototype doesn’t need power. It cuts incoming light by about 50 percent, but one’s surroundings are still easily visible.

    Reply
  31. Tomi Engdahl says:

    Mozilla flings glove at Microsoft’s feet: Firefox 40 will PWN Edge
    This week’s edition tightens screw on dodgy add-ons – and Windows 10
    http://www.theregister.co.uk/2015/08/12/firefox_40_targets_windows_10_tightens_screw_on_dodgy_addons/

    Mozilla has released Firefox 40, featuring a new look for Windows 10, better protection against uncertified add-ons, and an attempt to resist Microsoft’s effort to make Edge the default browser.

    Pages known to contain what Google considers to be deceptive software are flagged with a warning. This joins a feature included in Firefox 39 which checks downloads against the Google service.

    These features are on by default, so if you would rather not inform Google of your browsing and download activity, you should disable them.

    Another security effort concerns add-ons. Some Firefox add-ons change homepage and search settings, or even inject malicious scripts into web pages.

    “We’re responsible for our add-ons ecosystem and we can’t sit idle as our users suffer due to bad add-ons,” said Mozilla’s Jorge Villalobos. The solution is that all add-ons will have to conform to guidelines and be signed with a security certificate. This is being rolled out gradually.

    In Firefox 40, unsigned add-ons raise a warning prompt. In Firefox 41, there will be an option to disable unsigned add-ons, while Firefox 42 will not allow unsigned extensions to run, with no override.

    Reply
  32. Tomi Engdahl says:

    Kali Linux 2.0 Released
    http://linux.slashdot.org/story/15/08/11/2323252/kali-linux-20-released

    “If Kali 1.0 was focused on building a solid infrastructure then Kali 2.0 is focused on overhauling the user experience and maintaining updated packages and tool repositories.”

    Kali Linux 2.0 Released: Our Next Generation Penetration Testing Platform (Kali Linux Releases, August 11, 2015, by muts)
    https://www.kali.org/releases/kali-linux-20-released/

    Reply
  33. Tomi Engdahl says:

    OpenSSH 7.0 Released
    http://it.slashdot.org/story/15/08/11/2340247/openssh-70-released

    Today the OpenSSH project maintainers announced the release of version 7.0. This release is focusing on deprecating weak and unsafe cryptographic methods, though some of the work won’t be complete until 7.1. This release removes support for the following: the legacy SSH v1 protocol, the 1024-bit diffie-hellman-group1-sha1 key exchange, ssh-dss, ssh-dss-cert-* host and user keys, and legacy v00 cert format. There were also several bug fixes, security tweaks, and new features.

    In the next release, they plan to retire more legacy cryptography. This includes refusing RSA keys smaller than 1024 bits, disabling MD5-based HMAC algorithms, and disabling these ciphers: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.

    Announce: OpenSSH 7.0 released
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034289.html

    Reply
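The release notes above list the algorithms going away, but a config written years ago may still name them. As an added example (not OpenSSH project code), here is a small Python auditor that reads an ssh_config or sshd_config text and reports every algorithm that 7.0 removed or 7.1 is announced to disable; the sample config at the bottom is constructed for the demonstration, and the PubkeyAcceptedKeyTypes keyword is included on the assumption that it is present in 7.0.

```python
"""Audit an OpenSSH config for the legacy algorithms dropped in 7.0 and
scheduled to be disabled in 7.1 (lists taken from the 7.0 announcement)."""
import re
import sys
from typing import Dict, List, NamedTuple, Set


class Finding(NamedTuple):
    line: int
    keyword: str
    algorithm: str
    reason: str


# Removed outright in OpenSSH 7.0. "1" under Protocol is the SSHv1 protocol;
# the ssh-dss-cert-* names are OpenSSH's certificate key types for DSA
# (v00 is the legacy certificate format the release also drops).
_DSS = {"ssh-dss", "ssh-dss-cert-v00@openssh.com", "ssh-dss-cert-v01@openssh.com"}
REMOVED_IN_7_0: Dict[str, Set[str]] = {
    "protocol": {"1"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "hostkeyalgorithms": set(_DSS),
    "pubkeyacceptedkeytypes": set(_DSS),  # keyword assumed present in 7.0
}

# Announced for OpenSSH 7.1: disabled by default, not removed.
DISABLED_IN_7_1: Dict[str, Set[str]] = {
    "ciphers": {"blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                "arcfour256", "rijndael-cbc@lysator.liu.se"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-md5-etm@openssh.com",
             "hmac-md5-96-etm@openssh.com"},
}

# OpenSSH accepts "Keyword value" or "Keyword=value".
_DIRECTIVE = re.compile(r"^(\w+)\s*[=\s]\s*(.+)$")


def audit_ssh_config(text: str) -> List[Finding]:
    """Return every legacy algorithm named in an ssh_config/sshd_config text.

    Comments and blank lines are skipped, keywords are lower-cased because
    OpenSSH treats them case-insensitively, and comma-separated lists are
    split so each algorithm is checked on its own.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        # A leading "+" means "append to the default list"; the names after
        # it are still offered, so they are checked like any other.
        algos = [a.strip().lower() for a in value.lstrip("+").split(",")]
        for algo in algos:
            if algo in REMOVED_IN_7_0.get(keyword, set()):
                findings.append(Finding(lineno, keyword, algo, "removed in OpenSSH 7.0"))
            elif algo in DISABLED_IN_7_1.get(keyword, set()):
                findings.append(Finding(lineno, keyword, algo,
                                        "disabled by default in OpenSSH 7.1"))
    return findings


# Constructed sshd_config excerpt for the demonstration.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Ciphers aes256-gcm@openssh.com,arcfour256,blowfish-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-md5
HostKeyAlgorithms ssh-ed25519,ssh-dss  # DSA host keys are gone in 7.0
"""

if __name__ == "__main__":
    # Usage: python audit.py [/etc/ssh/sshd_config]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for f in audit_ssh_config(text):
        print("line %d: %s %s (%s)" % (f.line, f.keyword, f.algorithm, f.reason))
```

Run it against the sample and it reports six entries: SSHv1, the group1 key exchange and the DSA host key as removed, and arcfour256, blowfish-cbc and hmac-md5 as disabled in the next release. Keys smaller than 1024 bits are not visible in a config file; check those with ssh-keygen -l on the key files themselves.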
  34. Tomi Engdahl says:

    Lenovo used a hidden Windows feature to ensure its software could not be deleted
    http://thenextweb.com/insider/2015/08/12/lenovo-used-a-hidden-windows-feature-to-ensure-its-software-could-not-be-deleted/

    A recently uncovered feature – which had been swept under the rug – allowed new Lenovo laptops to use new Windows features to install the company’s software and tools even if the computer was wiped.

    The oddity was first noted by Ars Technica forum user ‘ge814‘ and corroborated by Hacker News user ‘chuckup.’

    The users discovered the issue in May when using a new Lenovo laptop that automatically and covertly overwrote a system file on every boot, which downloaded a Lenovo updater and installed software automatically, even if Windows was reinstalled from a DVD.

    The only problem is that nobody actually asked for this software, and it persisted between clean installs of Windows. Lenovo was essentially exploiting a rootkit on its own laptops to ensure its software persists if wiped.

    The mechanism triggering this is called the Lenovo Service Engine, which downloads a program called OneKey Optimizer used for “enhancing PC performance by updating firmware, drivers and pre-installed apps as well as “scanning junk files and find factors that influence system performance.”

    It also sends “system data to a Lenovo server to help us understand how customers use our products” but the company claims it’s not “personally identifiable information.” The problem is, users have no idea this is going on and it was very hard to get rid of.

    If Windows 7 or 8 is installed, the BIOS of the laptop checks ‘C:\Windows\system32\autochk.exe’ to see if it’s a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.

    Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet.

    Here’s the kicker: the mechanism Lenovo was using is actually a Microsoft sanctioned technique, called the “Windows Platform Binary Table” first introduced in November 2011 and updated for the first time in July of this year.

    Reply
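The practical question for an owner of such a machine is whether the firmware carries a WPBT at all and what command line it hands to the embedded binary. As an added example (not Lenovo's or Microsoft's code), here is a Python parser for the table. The 36-byte ACPI header and its checksum rule are standard; the field order after it (HandoffMemorySize, HandoffMemoryLocation, Layout, Type, ArgumentsLength, then a UTF-16LE argument string) follows Microsoft's WPBT specification as I recall it and should be treated as an assumption to check against the published document. On Linux the kernel exposes ACPI tables by signature under /sys/firmware/acpi/tables/, so the script reads the real table from there when present and otherwise falls back to a constructed sample.

```python
"""Parse a Windows Platform Binary Table (WPBT) ACPI table."""
import struct
from typing import NamedTuple, Optional

# Standard 36-byte ACPI table header, little-endian: Signature, Length,
# Revision, Checksum, OEMID, OEM Table ID, OEM Revision, Creator ID,
# Creator Revision.
_ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body: HandoffMemorySize, HandoffMemoryLocation, Layout, Type,
# ArgumentsLength (assumed layout, see the lead-in).
_WPBT_BODY = struct.Struct("<IQBBH")
_CHECKSUM_OFFSET = 9  # after Signature(4) + Length(4) + Revision(1)


class Wpbt(NamedTuple):
    oem_id: str
    handoff_size: int       # size in bytes of the embedded binary
    handoff_location: int   # physical address where firmware placed it
    layout: int             # 1 = single PE image (assumed meaning)
    type: int               # 1 = native user-mode application (assumed meaning)
    arguments: str          # command line passed to that binary


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table is checksummed so that all its bytes sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> Wpbt:
    """Validate signature, length and checksum, then decode the WPBT fields."""
    if len(table) < _ACPI_HDR.size + _WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _chk, oem_id, *_ = _ACPI_HDR.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: signature %r" % sig)
    if length != len(table):
        raise ValueError("header length %d != table size %d" % (length, len(table)))
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    size, loc, layout, typ, arglen = _WPBT_BODY.unpack_from(table, _ACPI_HDR.size)
    start = _ACPI_HDR.size + _WPBT_BODY.size
    if start + arglen > len(table):
        raise ValueError("argument string runs past the end of the table")
    args = table[start:start + arglen].decode("utf-16-le", "replace").rstrip("\x00")
    return Wpbt(oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
                size, loc, layout, typ, args)


def read_sysfs_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT") -> Optional[bytes]:
    """Return the firmware's WPBT from sysfs, or None if there is none."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except (FileNotFoundError, PermissionError):
        return None


def build_wpbt(arguments: str, handoff_size: int, handoff_location: int,
               oem_id: bytes = b"SAMPLE") -> bytes:
    """Construct a well-formed WPBT for testing; this is sample data, not a dump."""
    arg_bytes = arguments.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated (assumed)
    body = _WPBT_BODY.pack(handoff_size, handoff_location, 1, 1, len(arg_bytes)) + arg_bytes
    length = _ACPI_HDR.size + len(body)
    header = _ACPI_HDR.pack(b"WPBT", length, 1, 0, oem_id, b"SAMPLE  ", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[_CHECKSUM_OFFSET] = (-sum(table)) % 256  # make the byte sum zero
    return bytes(table)


if __name__ == "__main__":
    raw = read_sysfs_wpbt()
    if raw is None:
        print("no WPBT exposed by firmware; parsing a constructed sample")
        raw = build_wpbt("/quiet", 0x20000, 0x7E000000)
    print(parse_wpbt(raw))
```

A present table tells you the OEM, where the binary was placed and what arguments it gets; whether Windows actually runs it still depends on the OS version and firmware settings, which the parser cannot see.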
  35. Tomi Engdahl says:

    Rise up against Oracle class stupidity and join the infosec strike
    Why aren’t you, personally, stopping the moronocalypse?
    http://www.theregister.co.uk/2015/08/12/rise_up_against_oracle_class_stupidity/

    Information security and privacy are important. Stop being Oracle-class short-termist assholes. Stop waffling, dodging and procrastinating. Get your heads out of your asses and start doing something to improve things for everyone.

    You. Yes, you there reading this article. I don’t care who you are, you have the power to be part of the solution.

    Our leaders, be they executives of multinational corporations or politicians, are apathetic dunces regarding information security because we allow them to be.

    Oh, collectively we’re all about “security” when it means murdering brown people to steal their oil. That’s all fine and good. But public support is thin on the ground when rich white men don’t stand to get richer.

    Hundreds of millions of people in first world nations have had their personally identifiable information stolen this year alone! Tens – perhaps hundreds – of millions have had their credit cards stolen this year.

    The depth of information pillaged from government and corporate servers through events like the OPM and Sony hacks can and inevitably will be used to ruin lives. Yet we sit around, gazing at our navels and collectively doing fuck all about it.

    Where are the people working the system to get laws in place to hold executives accountable for Oracle-class infosec stupidity? Where are the boycotts of companies that refuse to invest in proper information security?

    Hell, when was the last time you, the information technology experts reading this article, bothered to check if you could update your home routers? These devices are a massive security flaw waiting to happen that many of us can actually do something about.

    Information security isn’t just an abstraction

    Let me ask you this: if the company you worked for made dog food and they were knowingly allowing toxins into their dog food that would inevitably kill millions of people’s pets, would you speak up? If the company refused to listen to you, would you quit in protest? Would you leak the information to the press?

    Now, I ask you, why won’t you take a stand on information security issues? Why do our collective ethics and morality end so sharply? Real people’s lives are affected by information security stupidity. In some cases to some very extreme and disturbing degrees.

    The lies we tell ourselves aren’t true. Insurance doesn’t cover everyone. Plenty of banks and other institutions make people live with tens, even hundreds, of thousands of dollars of fraud committed in their names. People are put on “no fly” lists, their professional lives ruined for things they didn’t do.

    The consequences of information security stupidity are very, very real.

    Unfortunately, these issues will never get solved unless we make them a very real problem for the companies and governments we work for.

    Practical steps

    There are things we can do. We can refuse to work on projects that, based on our professional opinions and experience are security problems waiting to happen.

    Systems administrators can refuse to install hardware and software that they know can’t be defended. IT managers can refuse to use services that we know are flawed. Developers can refuse to work on projects where adequate time has not been allocated for QA testing or where no security testing is being discussed or built in.

    We can do these things. We should do these things. Even if they cost us our jobs.

    Sadly, we also need to agitate for legislation. The market has completely and utterly failed to address the issue. People in positions of decision-making power need to be held accountable for security issues. Even if that means piercing the corporate veil.

    Reply
  36. Tomi Engdahl says:

    Symantec’s dismal results show need for Veritas sale
    Security firm needs to Caesar the opportunity to grow the business
    http://www.theregister.co.uk/2015/08/12/symantecs_dismal_results_show_need_for_veritas_sale/

    Symantec’s latest results, published on the day of the Veritas sell-off announcement, show a 14 per cent revenue decline and 49 per cent profit fall on the annual compare.

    Revenues of $1.5bn produced profits of $117m, compared with $1.74bn and $236m respectively a year ago.

    Selling Veritas is the get-out-of-jail card, enabling Brown and his execs to concentrate on Symantec’s security business and get it growing.

    Reply
  37. Tomi Engdahl says:

    Want to harvest Facebook data? Get a mobile number and off you go
    ‘EVERYTHING FINE’ insists Zuck’s ad empire
    http://www.theregister.co.uk/2015/08/12/facebook_privacy_flap_data_phone_number/

    Hackers and other miscreants are able to access names, telephone numbers, images and location data in bulk from Facebook, using only a mobile phone number.

    The loophole in what privacy conscious users might expect from the social network was revealed by software engineer Reza Moaiandin.

    Moaiandin, technical director at UK-based tech firm Salt.agency, exploited a little-known privacy setting in a feature called “Who can find me?” that is set to “Everyone/public” by default even in cases where a user has decided not to expose their mobile number via their public profile.

    The upshot was that Moaiandin could not only find a Facebook user by typing their phone number into the social network, but also obtain their names, profile pictures and locations. This process can be scripted and automated to work through Facebook’s API.

    The information harvested is publicly available. Facebook’s error comes from a failure to make it “as difficult as possible” for third parties to vacuum up publicly shared information.

    “Assume that everything you post online will be available to the worst possible entities to cause you maximum grief,” he said.

    Facebook can easily block the automated harvesting of data using the technique exposed by Moaiandin, according to Lieberman. “There is data throttling in the Facebook API that limits the rate and amount of data that can be brought back,” Lieberman explained. “Large or bulk exports are flagged at Facebook for human review.”

    Reply
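The two controls Lieberman describes, throttling lookups and flagging bulk exports for review, are the usual defence against enumeration of a "find me by phone number" endpoint. As an added example (not Facebook's code), here is a Python guard that applies them to a stream of lookups, plus one extra heuristic: a caller whose last ten lookups are consecutive numbers is flagged as an enumerator. The window size, limits and run length are assumptions, and the harvester and ordinary-user traffic at the bottom are constructed.

```python
"""Throttle and flag bulk phone-number lookups against a user directory."""
from collections import Counter, defaultdict, deque
from itertools import islice
from typing import Deque, Dict, Optional, Set


def _digits(phone: str) -> int:
    return int("".join(ch for ch in phone if ch.isdigit()))


class LookupGuard:
    def __init__(self, window_s: float = 60.0, max_per_window: int = 20,
                 review_after_distinct: int = 50, run_length: int = 10) -> None:
        self.window_s = window_s                         # sliding window
        self.max_per_window = max_per_window             # lookups allowed per window
        self.review_after_distinct = review_after_distinct  # bulk-export threshold
        self.run_length = run_length                     # consecutive numbers => enumeration
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self._distinct: Dict[str, Set[str]] = defaultdict(set)
        self._runs: Dict[str, Deque[int]] = defaultdict(lambda: deque(maxlen=run_length))
        self.flagged: Set[str] = set()  # callers queued for human review

    def _is_sequential(self, run: Deque[int]) -> bool:
        if len(run) < self.run_length:
            return False
        return all(b - a == 1 for a, b in zip(run, islice(run, 1, None)))

    def check(self, caller: str, phone: str, now: float) -> str:
        """Return "throttled", "flagged" or "allowed" for one lookup."""
        q = self._recent[caller]
        while q and now - q[0] > self.window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return "throttled"                      # rate limit: lookup not served
        q.append(now)
        seen = self._distinct[caller]
        seen.add(phone)
        run = self._runs[caller]
        run.append(_digits(phone))
        if len(seen) >= self.review_after_distinct or self._is_sequential(run):
            self.flagged.add(caller)
        return "flagged" if caller in self.flagged else "allowed"


def simulate_harvester(guard: Optional[LookupGuard] = None) -> Counter:
    """A script walking 100 consecutive numbers, two lookups per second."""
    guard = guard or LookupGuard()
    results: Counter = Counter()
    for i in range(100):
        phone = "+4477000%05d" % (1 + i)          # constructed, sequential numbers
        results[guard.check("script-1", phone, now=0.5 * i)] += 1
    return results


def simulate_person(guard: Optional[LookupGuard] = None) -> Counter:
    """Someone looking up three unrelated contacts over several minutes."""
    guard = guard or LookupGuard()
    results: Counter = Counter()
    for t, phone in [(0, "+447700900123"), (90, "+447700900777"), (400, "+447700900045")]:
        results[guard.check("alice", phone, now=float(t))] += 1
    return results


if __name__ == "__main__":
    print("harvester:", dict(simulate_harvester()))   # {'allowed': 9, 'flagged': 11, 'throttled': 80}
    print("person:   ", dict(simulate_person()))      # {'allowed': 3}
```

The harvester is flagged at its tenth consecutive lookup and rate-limited from the twenty-first; the ordinary user never trips either control. In a real deployment the distinct-number count would be kept per day rather than per process lifetime, and the flagged set would feed a review queue instead of an in-memory set.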
  38. Tomi Engdahl says:

    Allison Pohle / Boston.com:
    Facebook rescinded Harvard student’s internship after he revealed privacy flaw, created Chrome extension to map people’s locations when they used Messenger

    Harvard student loses Facebook internship after pointing out privacy flaws
    http://www.boston.com/news/nation/2015/08/12/harvard-student-loses-facebook-internship-after-pointing-out-privacy-flaws/zASZFdUjn6PoliUiR9kVHJ/story.html

    Three months ago, Harvard student Aran Khanna was preparing to start a coveted internship at Facebook when he launched a browser application from his dorm room that angered the social media behemoth.

    His application, called Marauder’s Map — a clever name that Harry Potter fans will appreciate — was a Chrome extension that used data from Facebook Messenger to map where users were when they sent messages. The app also showed the locations, which were accurate to within three feet, in a group chat with people he barely knew. That meant complete strangers could hypothetically see that he had messaged them from a Starbucks around the corner, while he could see that they had messaged from their dorms.

    The app capitalized on a privacy flaw that Facebook had been aware of for about three years: the Facebook Messenger app automatically shared users’ locations with anyone who they messaged.

    Within three days, Facebook asked Khanna to disable the app. The company also deactivated location sharing from desktops, which meant Khanna’s app wouldn’t work even if he hadn’t taken it down. And the company that Mark Zuckerberg famously launched from his Harvard dorm room withdrew its internship offer from this Harvard student, who apparently made the mistake of…launching an app from his dorm room.

    Before it was disabled, the extension was downloaded more than 85,000 times, Khanna said.

    About a week later, Facebook released a Messenger app update trumpeted as follows in a news release: “With this update, you have full control over when and how you share your location information.”

    The description didn’t mention the previous default settings. Nor did it point out that users who didn’t activate the update would continue to share their locations by default unless they manually altered their privacy settings.

    Reply
  39. Tomi Engdahl says:

    Russell Brandom / The Verge:

    Dropbox will now let you use a USB key for two-factor login
    http://www.theverge.com/2015/8/12/9142297/dropbox-two-factor-login-usb-security-key

    Today, Dropbox took a big step toward stronger account security. The company announced today it’s enabling USB security keys for two-factor login, allowing users to supplement the traditional password login with a physical device, rather than the typical six-digit authentication code delivered over SMS. The keys are significantly more secure than SMS codes or even authentication apps, since they can’t be intercepted by attackers and can’t be copied by conventional means.

    They’re the same security keys that Google enabled for its own two-factor accounts back in October, designed to be interoperable under the FIDO spec. While the open specification means any company can make the keys, the best known version of the key is made by Yubico, available for $18.

    The plot to kill the password
    The world’s most powerful companies want you to log in with fingerprints and eyescans
    http://www.theverge.com/2014/4/15/5613704/the-plot-to-kill-the-password

    Reply
  40. Tomi Engdahl says:

    How would you describe today’s consumer?
    http://returnpath.com/wp-content/uploads/2015/07/the-path-to-data-enlightenment.pdf?sfdc=701000000006Zh7

    Reaching consumers has never been easier than it is today… and at
    the same time, it has never been more difficult.

    The average consumer is exposed to hundreds of marketing
    messages through dozens of channels each day. Information
    overload is a fact of life, and nowhere is this more evident than
    in the inbox. According to our research, the average consumer
    receives more than 500 marketing messages in a given month and
    opens fewer than one in fifteen.

    This overwhelming volume also makes it challenging for consumers
    to distinguish legitimate marketing email from phishing messages.
    A recent study shows that 23 percent of recipients will open a
    phishing message, and 11 percent will open attachments contained
    in the phishing messages.

    Reply
  41. Tomi Engdahl says:

    New Docker crypto locker is a blocker for Docker image mockers
    Version 1.8 adds container signing to prevent man-in-middle attacks
    http://www.theregister.co.uk/2015/08/13/docker_content_trust/

    Docker has tackled the problem of secure application container distribution with a new system that supports signing container images using public key cryptography.

    The new feature, known as Docker Content Trust, is the main attraction of Docker 1.8, the latest version of the tool suite that was announced on Wednesday.

    “Before a publisher pushes an image to a remote registry, Docker Engine signs the image locally with the publisher’s private key,” Docker security boss Diogo Mónica said in a blog post outlining the process. “When you later pull this image, Docker Engine uses the publisher’s public key to verify that the image you are about to run is exactly what the publisher created, has not been tampered with and is up to date.”

    Docker is basing its code-signing capabilities on Notary, a standalone piece of software that it first unveiled at the DockerCon 2015 conference in June. Notary, in turn, is based on The Update Framework (TUF), a project that offers both a specification and a code library for generic software update systems.

    At DockerCon, Docker CTO Solomon Hykes explained that he likes the TUF design because it not only offers protection against content forgery and various forms of man-in-the-middle attacks, but it also offers what the TUF project calls “survivable key compromise.”

    “Basically it means if one of the keys in the system gets lost or stolen, you’re in trouble, but you’re not completely, impossibly screwed,” Hykes said. “It means you can apply regular policies to deal with the issue, depending on the magnitude, instead of going out of business.”

    Reply
  42. Tomi Engdahl says:

    SCADA cyber security
    http://www.controleng.com/single-article/scada-cyber-security/ee4876b21950bd5c2571191e53f8c1d8.html

    Securing control systems with supervisory control and data acquisition (SCADA): SCADA software, part of many industrial control systems, can use the U.S. National Institute of Standards and Technology (NIST) framework for cyber security.

    To meet cyber security concerns, software and hardware vendors, system integrators, and other stakeholders need to work with end users to achieve a secure supervisory control and data acquisition (SCADA) solution. The U.S. National Institute of Standards and Technology (NIST) offers the Cybersecurity Framework (“the Framework”) for systematically identifying the critical assets of the organization, identifying threats, and securing these critical assets. The Framework opens the door to partnerships that are more effective with cyber security prioritized so that the needs of the end user are fully met.

    Cyber financial attacks such as the 83 million household and small-business records stolen from JPMorgan Chase Bank (Reuters, 2014) contribute to the 78% increase in financial impact of cybercrime in the past four years. In this same period, 40% of cyberattacks have been directed against energy companies (Siegel, Josh; Motorola Solutions, 2014). The U.S. government is focusing on the threat to the nation’s critical infrastructure such as our electric grid, oil and gas pipelines, water and wastewater treatment facilities, and transportation infrastructure like tunnels and bridges.

    Reply
  43. Tomi Engdahl says:

    Cyber security in process plants: Recognizing risks, addressing current threats
    http://www.controleng.com/single-article/cyber-security-in-process-plants-recognizing-risks-addressing-current-threats/74983c90bcae14539d2def26798cf7f3.html

    As attacks on industrial control systems (ICSs) become more frequent and increasingly sophisticated, defensive strategies must evolve to keep up. Fortunately, the tools are getting better. See related video.

    Process industries are no place for uncertainty and risk. Companies in the oil and gas, refining, petrochemical, and power-generation industries, among others, must prevent and mitigate cyber security threats that jeopardize their production operations, including risks to plant infrastructure, assets, personnel, and the environment.

    Industrial firms need to take certain steps to protect critical facilities. Taking those steps is easier with an understanding of current and future cyber security risks, past incidents in process sectors, and knowledge of ever-changing security challenges.

    In recent years, industrial cyber security threats have grown from the esoteric practice of a few specialists to a problem of general concern. All stakeholders now have a new responsibility in promoting the safety, reliability, and stability of critical industrial infrastructure.

    Taking steps to address ICS cyber security should also improve the control system’s resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to “business as usual” following an incident.

    For industrial sites, vulnerabilities to cyber threats include:

    Lack of security policies and procedures
    Communications between the Internet and the corporation
    Communications between the business LAN (local area network) and process-control network
    Insufficient or out-of-date cyber security controls, such as anti-malware software
    Obsolete or missing security patches
    Inadequate security configurations
    Incomplete or infrequent backups.

    Reply
  44. Tomi Engdahl says:

    MasterCard and Nymi say they’ve completed the first heartbeat-authenticated mobile payment in the wild
    http://venturebeat.com/2015/08/12/mastercard-and-nymi-say-theyve-completed-the-first-heartbeat-authenticated-mobile-payment-in-the-wild/

    The Canadian biometrics company Nymi, working with TD Bank Group and MasterCard, says it’s completed the first wearable credit card transaction authenticated by the user’s heartbeat.

    Nymi’s dedicated payments authentication wristband executes a payment when held up to a point of sale terminal that accepts MasterCard. The band contains an NXP near field communication (NFC) chip to communicate with any terminal that supports contactless Tap & Go technology. To prove that the wearer is indeed the MasterCard account holder, the band reads the wearer’s unique heartbeat pattern.

    Reply
  45. Tomi Engdahl says:

    Dropbox Refuses to Explain Its Mysterious Child Porn Detection Software
    http://gizmodo.com/dropbox-refuses-to-explain-its-mysterious-child-porn-de-1722573363

    Recently a US Army reservist was arrested for sharing child pornography. Here’s what makes his story different from dozens of others: He’d been turned in by Dropbox.

    Dropbox has a habit of turning in pedophiles, as it turns out. The why of turning in people who share and hoard abusive images that exploit children is obvious, but I started wondering about how the company sniffed out the abusive images.

    The Dropbox detail struck me as strange not because there’s something objectionable about companies trying to stop pedophiles exploiting children (I’m not a complete crazy asshole), but because I wondered what else Dropbox could proactively search my files for: Could it look for pirated movies? Could it look for evidence of drug dealing, illegal sex work, illegal gambling? Short answer: Yep!

    Looking at its Terms of Service, Dropbox states that it can search through your files to see if they comply with its ToS and Acceptable Use Policy.

    This doesn’t explain how Dropbox foils pedophiles exploiting children without outside tips. But I have a strong suspicion of how they do it: I think the company uses PhotoDNA, software Microsoft developed in 2009 with Dartmouth College to help companies sniff out child porn on their servers, or something very similar. Microsoft donated use of this technology to the NCMEC, and uses it with Bing and OneDrive.

    PhotoDNA takes known child abuse images from the National Center for Missing & Exploited Children and creates a numerical value for each known image using hashing, a technique that creates a “digital fingerprint” for each known image. The horror trove of exploitation porn that serves as the source library for PhotoDNA is compiled from images previously reported to the NCMEC’s Cyber Tip Line, as well as images found by the companies who do the reporting.

    The PhotoDNA software takes each image in the database and divides it into a grid, giving each portion of the grid a computational value, in a process called “hashing.” It does the same thing for every single photo that gets uploaded to the services that use it, assigning numerical values to each portion of a photo, as well as a unique identifier for the entire photo. So every time someone uploads a photo, it gets compared against every single image of exploitation in the database.

    It’s a system for hunting the world’s most taboo, upsetting, and obscene images with freakish accuracy. False positives are extremely rare, only “one in ten billion,” according to Shehan.

    Companies that use PhotoDNA scan all of the images uploaded to their services against this database of numerical values. If they get a hit, they review and remove the photos, and report the user to the NCMEC.

    By law, companies using PhotoDNA are required to make a report if they find a match. But the NCMEC isn’t a law enforcement agency—it acts as a clearinghouse for these reports, sending them on to the appropriate local or federal law enforcement agencies so they can investigate. From there, arrests like that of the US reservist/pedophile are made.

    Reply
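The grid-based hashing the article describes is easy to illustrate with a small perceptual hash: split the image into cells, average each cell, and emit one bit per cell, then compare hashes by Hamming distance against a list of known hashes. The block below is an added example and is not PhotoDNA's actual algorithm (which is not public); the images, the 8x8 grid, the distance threshold and the label "reported-image-001" are all constructed for the demonstration.

```python
from typing import Dict, List, Optional

Image = List[List[int]]  # grayscale rows, values 0..255 (constructed in memory)
GRID = 8                  # 8x8 cells -> one 64-bit hash per image (assumed size)

def grid_hash(img: Image, grid: int = GRID) -> int:
    """Split the image into grid x grid cells, average each cell and emit one
    bit per cell: 1 if the cell is brighter than the mean of all cells.
    Brightness changes and rescaling leave most bits untouched."""
    h, w = len(img), len(img[0])
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            y0, y1 = gy * h // grid, (gy + 1) * h // grid
            x0, x1 = gx * w // grid, (gx + 1) * w // grid
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def match_known(upload: Image, known: Dict[str, int], threshold: int = 6) -> Optional[str]:
    """Compare an upload against the known-hash list; a hit is any entry within
    `threshold` bits (a low threshold keeps false positives rare). Return its label or None."""
    h = grid_hash(upload)
    best = min(known.items(), key=lambda kv: hamming(h, kv[1]), default=None)
    if best is not None and hamming(h, best[1]) <= threshold:
        return best[0]
    return None

# Constructed images: a horizontal gradient, two benign edits of it, and an unrelated image.
def h_gradient(size: int = 64) -> Image:
    return [[4 * x for x in range(size)] for _ in range(size)]

def v_gradient(size: int = 64) -> Image:
    return [[4 * y for _ in range(size)] for y in range(size)]

def brighten(img: Image, delta: int) -> Image:
    return [[min(255, p + delta) for p in row] for row in img]

def downscale2(img: Image) -> Image:
    """Halve both dimensions by averaging each 2x2 block."""
    return [[(img[2*y][2*x] + img[2*y][2*x+1] + img[2*y+1][2*x] + img[2*y+1][2*x+1]) // 4
             for x in range(len(img[0]) // 2)] for y in range(len(img) // 2)]

KNOWN = {"reported-image-001": grid_hash(h_gradient())}  # stand-in for the NCMEC-sourced list

if __name__ == "__main__":
    for name, img in [("brightened", brighten(h_gradient(), 30)),
                      ("downscaled", downscale2(h_gradient())), ("unrelated", v_gradient())]:
        print(name, hamming(grid_hash(img), KNOWN["reported-image-001"]), match_known(img, KNOWN))
```

The brightened and downscaled copies hash to the same 64 bits as the original and are matched, while the unrelated image differs in 32 bits and is not.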
  46. Tomi Engdahl says:

    Police investigate ‘first cyber flashing’ case
    http://www.bbc.com/news/technology-33889225

    Police are investigating a “new” crime of cyber-flashing after a commuter received an indecent image on her phone as she travelled to work.

    The victim received two pictures of an unknown man’s penis on her phone via Apple’s Airdrop sharing function.

    Ms Crighton-Smith, who was travelling on a train in south London, told the BBC’s Victoria Derbyshire programme: “I had Airdrop switched on because I had been using it previously to send photos to another iPhone user – and a picture appeared on the screen of a man’s penis, which I was quite shocked by.

    Ms Crighton-Smith called the British Transport Police as she said she was worried about the motives of the perpetrator.

    The BTP has investigated the incident, but said because Ms Crighton-Smith did not “accept” the photograph there was no technological evidence for them to work with and recorded it as intelligence.

    Airdrop is specific to iOS devices and Apple Macs. It uses wi-fi and Bluetooth to talk over a short range to other devices, like other iPhones.

    Its default setting is for “contacts only”, which means only people you know can see you.

    But if you want to share your information or your contacts with other people, you may make a change to the settings and change it to “everyone”.

    “This means that typically in a train carriage, or tube carriage, you can see other devices,”

    Reply
  47. Tomi Engdahl says:

    It’s not just antivirus downloads that have export control screening
    Yet blocking common tech is ‘crazy’ says infosec bod
    http://www.theregister.co.uk/2015/08/13/export_control_screening_analysis/

    Export control screening for individuals hoping to purchase everyday consumer technologies extends beyond just antivirus software downloads, according to several sources contacted by The Register.

    Those who share the name of someone on a blacklist have to go through secondary screening (a bureaucratic process generally involving handing over passport ID, dates of birth or other information).

    These controls apply even for something as routine as the purchase of audio plugs in cases where they share the name of individuals on a US-run blacklist. Export controls seemingly apply to goods ordered online even if they are delivered by a US firm to a US address.

    Last week we wrote about export control screening for security software downloads based on the experience of someone who had difficulty downloading Sophos AV for Mac.

    Compliance vs security

    Sophos said it was complying with the export laws and regulations of the US and EU by using a third party to screen download requests against the US government denied persons list.

    The information held on the denied parties list is variable but will usually include name and country, and in some cases date of birth or passport number. Sophos said it delivers millions of software downloads and that its “business export validation alert rate is below 0.05 per cent.”

    The US “denied persons” list is available online here. A search tool can be found here.

    Sophos added that it used both UK and EU lists, adding that it is investigating how to deliver “leaner and smoother compliance checks”.

    None of F-Secure’s services should be considered “controlled technologies” in 2015, according to Sullivan.

    Travis Witteveen, chief exec of Avira, one of the Big Four free-to-consumer and non-commercial use antivirus software firms, said that beyond respecting trade embargoes it tries to make its software as widely available as possible.

    Reply
  48. Tomi Engdahl says:

    Misconfigured Big Data apps are leaking data like sieves
    Bank and health info included in more than a petabyte of files left lying around
    http://www.theregister.co.uk/2015/08/13/big_data_apps_expose_data/

    More than a petabyte of data lies exposed online because of weak default settings and other configuration problems involving enterprise technologies.

    Swiss security firm BinaryEdge found that numerous instances of Redis cache and store archives can be accessed without authentication. Data on more than 39,000 MongoDB NoSQL databases is similarly exposed.

    More than 118,000 instances of the Memcached general-purpose distributed memory caching system are also exposed to the web and leaking data, according to Binary Edge. Finally, 8,000-plus instances of Elasticsearch servers responded to probes.

    BinaryEdge concludes that it found close to 1,175 terabytes (or 1.1 petabytes) of data exposed online, after looking into just four technologies as part of an online scan.

    “Versions installed are quite often old and not updated, which means that, in some cases, not only is data exposed but even servers can be compromised,” Binary Edge concludes in a blog post on its research. “Companies are still figuring out how to use these technologies and by default they are not secure.”

    Misconfigured installations were discovered in a wide range of organisations, ranging from small businesses to large top-500 companies.

    “There are also a lot of usernames and passwords and also session tokens which could be used to take over active sessions.”

    In another case, a firm in the robotics industry had left files on its database such as “blueprints” and the names of projects exposed.

    “We are going to warn companies for free when we do this type of publication. Business is important, but so is the safety of this data,” Henriques said. “After we give them this warning, we will then offer them an optional service that we are developing called Timelines, where they can use our platform to scan and continuously monitor their perimeters.”

    Reply
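The exposures BinaryEdge found come from a few default settings, and the first defensive check is to audit the configuration files before the services ever face the network. The block below is an added example, not BinaryEdge's tooling: it parses constructed redis.conf and elasticsearch.yml fragments and flags the settings that leave an instance reachable and unauthenticated (the `protected-mode` directive is assumed to be present only on Redis versions that have it; absence is not flagged).

```python
import re
from typing import Dict, List

def parse_directives(text: str) -> Dict[str, str]:
    """Parse 'key value' (redis.conf) or 'key: value' (elasticsearch.yml) lines,
    dropping comments; the last occurrence of a key wins, as Redis itself does."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([\w.-]+)\s*:?\s*(.*)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf

def audit_redis(conf_text: str) -> List[str]:
    """Flag settings that leave Redis open to anyone who can reach its port."""
    c, findings = parse_directives(conf_text), []
    bind = c.get("bind", "")
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("redis: no 'bind' restriction, server listens on all interfaces")
    if c.get("protected-mode", "").lower() == "no":  # only an explicit 'no' is flagged
        findings.append("redis: 'protected-mode no' disables the loopback-only safety net")
    if not c.get("requirepass"):
        findings.append("redis: no 'requirepass', unauthenticated clients can read and write every key")
    return findings

def audit_elasticsearch(conf_text: str) -> List[str]:
    """Flag a node bound to every interface; Elasticsearch has no built-in auth."""
    c = parse_directives(conf_text)
    if c.get("network.host") == "0.0.0.0":
        return ["elasticsearch: 'network.host: 0.0.0.0' exposes the REST API on all interfaces"]
    return []

# Constructed config fragments: an exposed instance beside its hardened form.
REDIS_WEAK = "port 6379\n# bind 127.0.0.1\nprotected-mode no\n"
REDIS_HARDENED = "port 6379\nbind 127.0.0.1\nprotected-mode yes\nrequirepass <long-random-secret>\n"
ES_WEAK = "cluster.name: prod\nnetwork.host: 0.0.0.0\n"
ES_HARDENED = "cluster.name: prod\nnetwork.host: 127.0.0.1\n"

if __name__ == "__main__":
    for label, findings in [("redis weak", audit_redis(REDIS_WEAK)),
                            ("redis hardened", audit_redis(REDIS_HARDENED)),
                            ("es weak", audit_elasticsearch(ES_WEAK)),
                            ("es hardened", audit_elasticsearch(ES_HARDENED))]:
        print(label, findings or "ok")
```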
  49. Tomi Engdahl says:

    Security Flaws Common on Most Popular Smartwatches
    http://blog.trendmicro.co.uk/security-flaws-common-on-most-popular-smartwatches/

    According to a new piece of research we conducted with First Base Technologies, the security features on some of the market’s most popular smartwatches have been found to be poor.

    Our study, which revealed security flaws in all six of the big-brand smartwatches on the market, stress-tested devices on physical protection, data connections and information stored to provide definitive results on which ones pose the biggest risk to consumers.

    Android-based devices in the study included the Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live and the Asus Zen Watch; as well as the Apple Watch and the Pebble wearable – which run on their own operating system. All devices were upgraded with the latest OS version at the time of testing and paired to the iPhone 5, Motorola X and Nexus 5.

    Physical device protection across all smartwatches was found to be poor, with no authentication via passwords or other means being enabled by default. This would enable free access if the wearable was stolen. All devices apart from the Apple Watch failed to contain a timeout function, meaning that passwords had to be activated by manually clicking a button.

    Despite having better security features than its Android or Pebble rivals, the Apple Watch contained the largest volume of sensitive data. All of the tested smartwatches saved local copies of data, which could be accessed through the watch interface when taken out of range of the paired smartphone.

    Across all of the smartwatches that were tested, it is clear that manufacturers have opted for convenience at the expense of security.

    Reply
  50. Tomi Engdahl says:

    Toronto woman’s webcam hacked while watching Netflix
    http://globalnews.ca/news/2156291/toronto-womans-webcam-hacked-while-watching-netflix/?sc_ref=twitter

    Police are investigating after a Toronto woman was sent intimate photos of herself and her boyfriend watching Netflix from the previous night via Facebook. Toronto Police say it will be tough to investigate because of a number of issues but they’re looking into it.

    TORONTO — Police are raising alarms about online privacy after they say a hacker sent a 27-year-old Toronto woman intimate photos of herself and her boyfriend watching Netflix from the previous night.

    “What a terrifying notion. It was a really bizarre thing to receive those messages and it really took a second to be like, ‘Oh my God, that’s what this means, that’s the implication of receiving this message is someone was just watching us,’” Chelsea Clark told Newstalk1010.

    Davis Carr, a Ryerson media student, said her friends cover their webcams with a piece of tape for fear someone could be watching.

    The incident was more than just a privacy issue.

    “Not only is it a major invasion of privacy, but it’s also a very significant violation of property rights,”

    “This couple’s property, their computer, was basically accessed completely inappropriately in an unauthorized manner and then to add insult to injury, the webcam was used to capture them in very intimate moments within their home where privacy is sacrosanct. So this is completely unacceptable, law enforcement should be completely all over this.”

    “The best thing you can do is close your laptop after you’ve used it.”

    “Definitely more awareness could help, it’s definitely possible that your webcam can get hacked, so you need to be aware of that but I don’t think it’s time to hit the panic button or anything like that.”

    Reply
