STE WILLIAMS

SkyGoFree malware spies on your Android phone and your messages

Jan
18

Android threat-of-the-year so far in 2018, at least if you measure by media interest, is the curiously-named SkyGoFree malware.

(The name was apparently invented by researchers at Kaspersky, simply because they “found the word in one of the domains” used in one of the samples they looked at – the malware isn’t targeted at users of the telecommunications company Sky or its Sky Go TV product.)

In one word, SkyGoFree (or SkyFree as Sophos products detect it) is easily described: spyware.

A quick look in the decompiled Java code of the malware reveals the range of data it knows how to steal:

  . . .
  public static final String URL_UPLOAD_CAMERA = "upload_camera.php";
  public static final String URL_UPLOAD_CELL_INFO = "upload_cella.php";
  public static final String URL_UPLOAD_FILESYSTEM = "upload_filesystem.php";
  public static final String URL_UPLOAD_FILE_SEND = "upload_documents.php";
  public static final String URL_UPLOAD_HISTORY = "upload_history.php";
  public static final String URL_UPLOAD_INFO_TEL = "upload_info_tel.php";
  public static final String URL_UPLOAD_LISTAPP = "upload_listapp.php";
  public static final String URL_UPLOAD_REG_CALL = "upload_reg_call.php";
  public static final String URL_UPLOAD_RUBRICA = "upload_rubrica.php";
  public static final String URL_UPLOAD_SMS = "upload_sms.php";
  public static final String URL_UPLOAD_WHATSAPP_SMS = "upload_whatsapp_msg.php";
  . . .

RUBRICA, in case you are wondering, is Italian for ADDRESS BOOK. A lot of the code seems to have been written by Italian speakers – the lines above come from a source file called Costanti.java, which would be Constants.java in English.

There’s loads more treacherous functionality in the malware, including a function called StartReverse() that connects your phone up to a server run by the crooks to given them what’s called a reverse shell.

Normally, to logon into a command prompt (known in Unix and Linux as a shell) you need to initiate a connection to a device, which means getting through any firewalls and network address translation that’s in the way.

Many mobile networks, and almost all Wi-Fi networks, let you make outbound connections to other people, but don’t let others connect inbound directly to you – you’re supposed to be a data consumer (client) on the the network, not a data producer (server).

Hackers get around this with a reverse shell: a common intrusion trick that turns the logon process on its head.

Your device initiates the connection outwards to the crooks, but only to set the connection up; after that, your device acts as the server, with the crooks hooked up as clients, “logged in” with direct control over your phone.

SkyGoFree also includes a feature – if that is the right word – that it calls Social to let the crooks grab data from numerous other apps on your device.

Here’s an edited fragment of the code that tries to steal your social networking data (don’t worry if you don’t understand Java – this is just by way of illustration):

  . . .
  mMap.put("messenger", new Social("/data/data/com.facebook.orca/databases/", new String[] { "upload_facebook_chat.php" }));
  mMap.put("facebook", new Social("/data/data/com.facebook.katana/databases/", new String[] { "upload_facebook_search.php", "upload_facebook_contacts.php" }));
  mMap.put("whatsapp", new Social("/data/data/com.whatsapp/databases/", new String[] { "upload_whatsapp_msgstore.php", "upload_whatsapp_contacts.php" }));
  mMap.put("gmail", new Social("/data/data/com.google.android.gm/databases/", new String[] { "upload_email_gmail.php" }));
  mMap.put("mlite", new Social("/data/data/com.facebook.mlite/databases/", new String[] { "upload_messengerlite_chat.php" }));
  . . .

The good news is that on a regular Android phone, apps can’t blindly read each other’s data.

Unless you have rooted your device, or have an old or unpatched phone with a security hole that allows malware to root your phone automatically and secretly in the background, this part of the malware won’t work.

SkyGoFree also has a component that can call home to download and install additional modules – a sort-of plugin system for the malware. (When we investigated, the addon files that the malware was looking for were offline.)

Malware is often programmed so that it can update or extend itself, which makes the threat even more serious: neither you, nor researchers, can ever be sure in advance exactly what the crooks might decide to do with infected devices in the future.

What to look for

The sample we examined pretends to be a “System Update”, using a green Android icon:

If you launch the app, it starts running in the background but almost immediately removes its own icon to give you the impression that the “update” has finished.

Fortunately, the app still shows up on the System | Apps page, where you can stop it and uninstall it:

We haven’t received any reports of this malware from the wild, and it isn’t – and as far as we know, never was – in Google Play, so you’d have to go to the Settings | Security page and turn on the non-default option to Allow installation of apps from unknown sources to get infected:

Google Play is not the virus-free walled garden that you might have been led to believe, but it is still far safer than accepting apps from unknown sources such as alternative markets, unregulated Android forums or links sent to you by friends.

What to do?

  • Stick to Google Play. If you need to go off-market for a specific app, go back into Settings | Security after installing it and turn Allow unknown sources off again.
  • Use an Android anti-virus. Products like the free Sophos Mobile Security for Android will help you block malware and warn you about insecure settings on your device.
  • Don’t trust system updates offered by third parties. Be especially cautious of “updates” that claim to offer additional features or services not available officially.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/juVwgWg-4Dk/

BlackWallet cryptocurrency site loses users’ money after DNS hijack

Jan
18

Another site in the booming cryptocurrency wallet sector has been hacked after what looks like a DNS hijacking attack.

The victim this time is BlackWallet, whose users reportedly lost 670,000 of a currency called Stellar Lumens (XLMs) worth around $425,000 at the point they were stolen on the afternoon of 13 January.

News that something was amiss first emerged in a Reddit posting claiming to be from the site’s admin:

BlackWallet was compromised today, after someone accessed my hosting provider account. I am sincerely sorry about this and hope that we will get the funds back.

A security researcher who took a look at blackwallet.co before it was taken down tweeted:

The DNS hijack of Blackwallet injected code, if you had over 20 Lumens it pushes them to a different wallet.

The stolen XLMs were reportedly siphoned off to the Bittrex cryptocurrency exchange, before (most likely) being laundered into another cryptocurrency.

Once they have control over any domain, attackers clearly have a lot of power to manipulate, monitor or redirect users logging in, but the deeper question always comes down to how they got this far.

The person claiming to be BlackWallet’s admin mentions that the attacker accessed the site’s hosting provider account, which could have happened in one of two ways.

Either the attackers got hold of the credentials through some kind of remote compromise or had the account reset by tricking staff at the DNS hosting provider.

Wrote BlackWallet’s admin:

I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it. If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer.

This hints that an account reset was to blame, although this will probably never be confirmed.

The defence against this is to identify people claiming to be account holders using a combination of multi-factor authentication and phone call checks to more than one registered number.

The lack of these checks – and other weaknesses in credential security – has led to a series of attacks on cryptocurrency wallets using DNS hosting as a convenient backdoor.

Just to give a flavour, before Christmas, currency exchange EtherDelta suffered a reported DNS takeover – the consequences of which are still not clear.

Similarly, last July Classic Ether Wallet users lost money to attackers who it was suggested had phoned up the German hosting company and passed themselves off as legitimate.

In 2016, blockchain.info’s domain was taken over for several hours, leaving wallets inaccessible.

Wallet companies are seen as having valuable cryptocurrency to steal and DNS is a simple way to get to it. Anyone in this sector has surely been well warned by now.

As of 18 January, BlackWallet is still unreachable.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n0PwpRMLx14/

Hijackers DM @realDonaldTrump from former Fox News hosts’ accounts

Jan
18

The Twitter accounts of two former Fox News hosts were hijacked on Tuesday by somebody or somebodies who filled their feeds with propaganda supporting Turkey’s controversial president, Recep Tayyip Erdoğan.

The accounts, which belong to Eric Bolling and Greta Van Susteren, were restored within a few hours, but not before alert Twitter users grabbed screen captures.

As one Twitter user pointed out, the connection between the two journalists is that they’re two of only 45 accounts followed by US President Donald Trump. This tweet captures direct messages the hackers sent to @realDonaldTrump from Van Susteren’s account:

This direct message sent from Van Susteren’s account asks Trump to share a propaganda video from his personal account:

The Huffington Post translated one of the propaganda posts that was written in Turkish. It read:

You are hacked by the Turkish cyber army Ayyildiz Tim! We got your DM correspondence! We will show you the power of the Turk!

Another, written in English, from the hijacked Van Susteren account:

We love the Turks and Muslims in the world. We condemn those who persecute them, especially in the United States, and we share their suffering . We love turkish soldiers, we love Erdogan, we love Turkey.

While they still had control of the accounts, the hackers also posted a screenshot of what appeared to be Bolling’s direct messages.

The two had their accounts back by Tuesday night:

Make sure you’re not next

Mr. Bolling, Ms. Van Susteren, I’m sure it won’t be much consolation, but you’ve just joined the who’s who of hijacked Twitter accounts. We’ve printed it before, but here’s an updated list that includes these big names:

As we’ve noted in the past, there are plenty of ways to have your Twitter account hijacked:

  • Getting phished.
  • Using feeble passwords, such as your pet’s name, or simply handing over your password to strangers.
  • Poor password hygiene, such as using the same password on multiple sites – here’s how to pick unique, strong passwords.

Of course, Twitter accounts of high-visibility targets – businesses, celebrities or big brands such as Fox News – are particularly tempting to hijackers. Most particularly when they’re on the small list of 45 people who can direct message the POTUS!

Twitter has attempted to make it safer to have one of those tempting, highly targeted accounts.

In 2015, the company introduced a feature called TweetDeck Teams that lets users share Twitter accounts without having to share passwords. Twitter added the feature to TweetDeck, the account managing software it picked up in 2011.

The tool also makes it possible for anyone sharing an account to use Twitter’s two-factor authentication (2FA), or what it calls “login verification”.

That will send a one-time login code to a user’s phone that they need to enter in addition to a username and password. It’s another layer of protection against would-be account hijackers, since they’d need not only your login credentials but also your phone to take over your feed.

There have been multiple high-profile hijacking victims who’ve admitted that 2FA might have helped them avoid the nightmare of having their accounts taken over, their data wiped and/or vicious content posted on their Twitter accounts: technology reporter Mat Honan said as much after he had all of the data wiped from his iPhone, iPad and MacBook and had his Gmail and Twitter accounts hijacked.

But it’s worth noting that 2FA hasn’t been enough to stop some determined attackers. Naoki Hiroshima, a software developer and the rightful owner of the valuable @N Twitter handle, credits 2FA with probably preventing an attacker from logging into his PayPal account. But 2FA didn’t keep the attacker from socially engineering and extorting his @N handle away.

Nor did it help DeRay Mckesson, whose account was whisked out from under him by somebody using just his name and the last four digits of his taxpayer ID.

Protect yourself

While there are a few exceptions like those above, there are heaven knows how many more hijackings that have been stopped by 2FA, so turn it on whenever and wherever you can.

All accounts should be secured with passwords that are tough as nails, be they for celebs, politicians, Twitter execs, or plain old civilians. Here’s our short, sweet video on how to hammer out a good set of nails for your accounts:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/t8qTmloDes8/

Yes, Hawaii emergency management stuck a password on a sticky note

Jan
18

A false alarm about a ballistic missile; a panic-stricken populace running for cover; the governor and the FCC chief dissing your agency’s lack of safeguards or process controls; and just to add a dash of ludicrous to the unsavory dish that is this week, a conspiracy theory about how these “accidental” missile alerts aren’t really accidents at all.

Wow. Could things possibly get any worse for the people over at the Hawaii Emergency Management Agency (HI-EMA)?

Why, yes! The worsitude comes in the flimsiest but all too familiar of forms: a yellow sticky note, spotted in an Associated Press photo from July, at the agency’s headquarters at Diamond Head, bearing a password and stuck to a computer screen. While there’s a press photographer in the room, obviously.

Richard Rapoza,a spokesman for HI-EMA, told Hawaii News Now that the password is authentic and was actually used for an “internal application.”

Rapoza wouldn’t say what application the password would unlock, but he doesn’t think it’s in use any more, and heck, although leaving passwords in plain sight isn’t the best approach to security, it wasn’t a big-deal piece of software, he said:

It wasn’t for any major piece of software.

Rapoza has a lot on his plate, particularly when it comes to questions about the retro user interface that’s getting the blame for the “oops!” missile alert click. For those of us who are curious about the continuing angst over the interface, the EMA released a photo of it on Monday, showing that there was no wrong button pushed. It was just a wrong line on a screen, two lines up from the right line, differentiated only by altitude and the word “Drill.”

…and then on Tuesday, the EMA said no, no, no, that image was sent in error. That’s not it at all. It’s a false-alarm image. But no, sorry, we can’t provide you with an actual photo of the actual interface, though we can tell you it includes a drop-down menu.

Well, it’s nice to hear that somebody decided not to send an image of the actual interface.

But honestly, a sticky note photo blunder? Really? Are we going to have to send Prince William over to have a talk with you, HI-EMA?

Wills does, after all, have experience with credentials posted in the background. It happened when he was a search and rescue helicopter pilot for the Royal Air Force (RAF) and journalists did a “day in the life of” in 2012.

If the prince is busy, maybe we could send over Owen Smith, the UK Labour Party politician. He might have some good advice: in September 2016, login details for his campaign’s phone bank were tweeted out to thousands with yet another “helloooooooo, what’s that in the background?” photo.

Or hey, how about Luiz Dorea, head of security at the 2014 World Cup? There was a lovely photo taken of Dorea in the state-of-the-art security center for the games, with its giant video wall and staff hard at work, and the Wi-Fi SSID and password showing up loud and proud on the big screen behind him… Right underneath the secret internal email address used to communicate with a Brazilian government agency.

If none of these sticky-note experts can spare the time to fly to Hawaii, that’s OK. We can guess what advice they’d have to offer, anyway. It’s actually pretty simple: Don’t write down passwords in public places. Don’t put them on sticky notes, don’t write them on white boards, and you can just skip right on over the skywriting.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JlpiGiGmmQE/

Mozilla edict: ‘Web-accessible’ features need ‘secure contexts’

Jan
18

Mozilla has decided to further locking down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”.

The decision means that sites wanting to fingerprint or snoop on users with Web features will still be able to, but only over HTTPS. Outside snoops will therefore be excluded.

The announcement landed a couple of days ago in this blog post by Mozilla developer Anne van Kesteren.

While HTTPS has become a near-default for serious web sites, developers sometimes leave “bells-and-whistles” features on HTTP; even migrating all the images a site pulls from a separate server can be challenging.

Mozilla, however, has a long-standing drive to get rid of HTTP wherever possible, so “all new features that are web-exposed are to be restricted to secure contexts”.

The edict means that in the Mozilla environment, a bunch of W3C APIs can’t be accessed over an insecure connection. According to Sophos, the features and APIs include geolocation (restricted since last year), Bluetooth, HTTP/2, Web notifications, Webcam and microphone access, Google’s Brotli compression and Accelerated Mobile Pages, encrypted media extensions, the payment request API, and various “service workers” used in background sync and notification.

Van Kesteren wrote that the test for which features and APIs needed secure contexts is that they’re Web-exposed: “Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.

“In contrast, a new CSS colour keyword would likely not be restricted to secure contexts.”

El Reg notes that some of the interfaces present risks even if they’re only used on encrypted links. The Bluetooth API has been criticised as invasive, and last year privacy researcher Lukasz Olejnik identified worrying information leaks in the Web Payments API. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/18/mozilla_secure_contexts_edict/

VTech fondleslabs for kids ‘still vulnerable’ despite sanctions

Jan
18

New InnoTab child learning devices still have the same security flaw first found by researchers at Pen Test Partners two years ago.

The issues persist even after manufacturer VTech was fined $650,000 by US watchdogs at the Federal Trade Commission (FTC) via a ruling published earlier this week. The settlement deal came after the FTC scolded the children’s toymaker for both unnecessarily collecting kids’ personal information and (worse) failing to protect this sensitive data before a massive breach in November 2015.

As well as paying the fine, VTech agreed to apply privacy and security requirements so that it complied with the Children’s Online Privacy Protection Act (COPPA) and the FTC Act, as previously reported.

The 2015 hack on VTech’s online services led to the theft of sensitive customer information about millions of children and parents.

Tests by UK security consultancy Pen Test Partners at the time found it was possible to lift data from its InnoTab tablet, as El Reg reported at the time.

The same tests on a newly purchased InnoTab reveal that the same hack is still possible and nothing had been done to address the problem, according to Pen Test Partners’ Ken Munro.

The FTC settlement resulted in VTech promising to improve its security. More specifically the deal means that VTech is “required to implement a comprehensive data security program, which will be subject to independent audits for 20 years” as well as “misrepresenting its security and privacy practices”.

In response to queries from El Reg, VTech said it was working hard to fulfil its security obligations. It said that the “criminal cyber attack on VTech databases should not be compared with the physical dismantling of one of our products” since they are “fundamentally different acts” before stating that it takes security in general seriously.

While it is not appropriate to share the details, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers’ data following the cyber attack in 2015.

We can assure you that we take the commitment on cyber security we gave the FTC last week very seriously indeed. VTech is committed to and will progressively execute data security improvements so that customers of VTech products and services can rest assured the data they entrust with VTech is well protected.

Munro wasn’t impressed by what he described as a “carefully caged non-answer”. “It doesn’t deal with the hardware security issues we raised,” he added. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/18/innotab_kid_tech_still_vulnerable/

Industrial systems scrambling to catch up with Meltdown, Spectre

Jan
18

Vendors of industrial systems have joined the long list of vendors responding responses to the Meltdown and Spectre processor vulnerabilities.

So far, a dozen vendors have told ICS-CERT they use vulnerable processors, and The Register imagines there will be plenty more to come.

Gold stars go to just two vendors: Smiths Medical, which has determined that none of its products are vulnerable; and OSISoft, whose PI System is vulnerable, and whose advisory includes anticipated performance impacts.

Emerson Process and General Electric treat their responses as customer information only, and keep them hidden behind a regwall. So does Rockwell, for what it’s worth, but the latter company at least spoke to The Register about the impact on its systems).

Another seven vendors in the market said they are “investigating” the impact – ABB, Abbott, Johnson Johnson (added points for giving the advisory a 2017 timestamp), Philips, Schneider Electric, and Siemens.

As readers know, the bugs arose out of how processors implement speculative execution. Patches are a giant headache for vendors and users alike, causing both performance and stability issues. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/18/ics_cert_meltdown_responses/

North Korea’s finest spent 2017 distributing RATs, wipers, and phish

Jan
18

North Korea’s black hats launched at least six extensive malware campaigns mostly against South Korean targets during 2017.

That’s the conclusion of Cisco’s Talos Warren Mercer and Paul Rascagneres (with contributions from Jungsoo An), who spent the year watching goings-on on the Korean peninsula.

The researchers focussed on one North Korean organisation, which they dub Group 123, and its continuing campaigns against the South.

Remote Access Trojans – RATs – are Group 123’s favourite approach, with three phishing campaigns (“Golden Time”, “Evil New Year” and “North Korean Human Rights”) working to deliver ROKRAT to targets.

At least two of those campaigns were published by Talos at the time, but without a firm attribution to North Korea.

The three campaigns tried to get users to infect themselves with a payload in the Hancom Hangul Office Suite, South Korea’s market leader, exploiting vulnerabilities such as the CVE-2013-0808 EPS viewer bug to pull down the RAT.

That’s a rather old vulnerability, so when CVE-2017-0199 (arbitrary code execution from a crafted file) landed, the Norks hackers got to work. In less than a month, Talos said, Group 123 launched the FreeMilk campaign against financial institutions from beyond the Korean peninsula.

A binary called Freenki (sometimes called by another binary, PoohMilk) then hauled down a ROKRAT-like trojan.

Finally, the “Are You Happy” campaign [surely you didn’t really fall for that in the e-mail subject line? – Ed] was simply destructive: it deployed a module from ROKRAT to wipe the first sectors of the victim’s hard drive.

Oh, and happy 2018: on January 2 this year, Group 123 ushered in the new year with a redux of its Evil New Year campaign. This time, the Talos post noted, the malware-slingers are trying to evade detection with a fileless version of ROKRAT. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/18/north_korean_2017_hacking_campaign/

HTML5 may as well stand for Hey, Track Me Longtime 5. Ads can use it to fingerprint netizens

Jan
18

Usenix Enigma HTML5 is a boon for unscrupulous web advertising networks, which can use the markup language’s features to build up detailed fingerprints of individual netizens without their knowledge or consent.

In a presentation at Usenix’s Enigma 2018 conference in California this week, Arvind Narayanan, an assistant professor of computer science at Princeton, showed how some of the advanced features of HTML5 – such as audio playback – can be used to identify individual browser types and follow them around online to get an idea of what they’re into.

For example, different browsers process sound files in slightly different ways, and allowing an ad network – or any website – to potentially work out which version of a browser is being used on which operating system. Couple this with other details – such as the battery level and WebRTC – and you can start to form a fingerprint for an individual user.

Of course, your browser typically reveals its version number and the underlying operating system’s details to web servers when fetching pages and other materials. However, from what Narayanan is saying, it is possible for ad networks and webmasters to bypass any attempts to suppress that information by probing the browser with HTML5 for traceable details. It also means that dumping JavaScript and cookies, and relying on purely HTML5, won’t mean you’re completely free from online tracking by advertisers.

“HTML5 browsers use a library to do audio processing, but different software stacks produce a unique fingerprint in combination with other data,” he explained. “Similar techniques also work on the battery and WebRTC functions.”

audio

Fingerprint … Each browser type has its own way of processing audio that makes it easy to track, according to this slide by Arvind Narayanan

Narayanan and his team have been monitoring the behavior of ad trackers for years. In 2014, they discovered 5,000 of the world’s top 100,000 most-visited websites were, in one way or another, using a canvas fingerprinting technique to identify and follow netizens around the internet, as they moved from page to page, site to site, without their knowledge.

Further research last year found that ad networks were using session replay scripts, which he described as “analytics on steroids,” to stalk people online. Narayanan said he and his team found ad trackers on 8,000 websites leaking visitors’ information in this way – including code on the website of American pharmacy chain Walgreens, which apparently handed confidential patient records to advertisers via forms, as well as the Gradescope assignment-grading software used by Princeton.

“This [session replay technique] left website owners and users pissed off,” he said. “Once we detailed the technique, the largest ad tracking providers stopped doing it. It seems sunlight is a great disinfectant.”

But this scrutiny only works up to a point, he warned. Netizen-tracking firms aren’t going to stop following people around the ‘net and working out what interests them so they can be served targeted adverts and special offers. Narayanan was one of the team overseeing the now-imploded Do Not Track browser feature, and the ad industry was adamant: if 15 per cent or more of internet users turned tracking off, the banner networks would refuse to play ball and track them anyway.

Technical workarounds by ad blockers, such as Privacy Badger and Ghostery, are of some use, he said. But they are usually playing catch up with ad trackers, not blocking them from the start.

The only way this is going to stop is if web browser programmers step up and build in measures to curb the ability to stalk users. But Narayanan said browser makers don’t want to get involved.

“Historically, web browsers consider it’s not their problem. Vendors are attempting to be neutral on this, and leave it to users to sort out,” he said. “To users that’s like an email provider saying that they are neutral on spam. Protection of privacy is a core reason for user choice.”

There have been some encouraging moves. The Brave browser has been developed specifically to neuter naughty advertising trackers, and both Firefox and Safari are making more of an effort in this area, he said. Chrome is also, we note, making noises in that direction.

But what’s needed is a fundamental rethink, with features that ensure tracking-free browsing, just as private browsing doesn’t record session data on a local workstation. Some kind of warning, similar to the HTTPS icon, would also be useful.

It’s important that these anti-surveillance techniques are implemented, he said, because privacy is vital to society – and there’s plenty of evidence showing a lack of privacy stifles debate. “Privacy is a lubricant that allows for social adaptability,” Narayanan opined. “If we move to a state of pervasive surveillance we lose that mobility.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/17/html5_online_tracking/

Who’s using 2FA? Sweet FA. Less than 1 in 10 Gmail users enable two-factor authentication

Jan
18

Usenix Enigma It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it.

In a presentation at Usenix’s Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

We polled El Reg readers on Twitter just before we published this piece, asking: “What percentage, rounded to nearest integer, of Gmail users do you think use two-factor authentication?” Out of 838 followers who responded within the hour, 82 per cent correctly selected less than 10 per cent. The rest picked more than 10 per cent.

Two-step auth stats

Shameful … Milka’s stats at Engima

The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. “The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”

Please, if you haven’t already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone. So, simply stealing your password isn’t enough – they need your unlocked phone, or similar, to to get in.

Google has tried to make the whole process easier to use, but it seems netizens just can’t handle it. More than 10 per cent of those trying to use the defense mechanism had problems just inputting an access code sent via SMS.

What if you don’t have two-step authentication, and someone hijacks your account? Well, Google is on the look out for that, too.

Stages of an attack

Anatomy of a hack … An account hijacker’s actions

To spot criminals and other miscreants commandeering a victim’s webmail inbox, the Chocolate Factory has increased its use of heuristics to detect dodgy behavior. A typical attacker has a typical routine – once they manage to get into an account, they shut down notification to the owner, ransack the inbox for immediately valuable stuff like Bitcoin wallet stuff or intimate photos, copy the contacts lists, and then install a filter to mask their action from the owner.

By looking out for and alerting folks to these shenanigans, Google hopes to make account hijackings less commonplace. But, given netizens’ lack of interest in security, warnings about suspicious activity are unlikely to get people moving to protect their information. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/17/no_one_uses_two_factor_authentication/