STE WILLIAMS

Juniper Discovers Unauthorized Code In Its Firewall OS

‘Troubling’ incident exposes code designed to decrypt VPN communication and enable remote administrative control of devices.

Security researchers today expressed deep concern over the disclosure by Juniper Networks this week that it had discovered unauthorized code in its ScreenOS firewall operating system that could allow an attacker to decrypt VPN communications or take complete administrative control of a compromised system.

In an out-of-cycle advisory issued yesterday, Juniper senior vice president and CIO Bob Worrall said the company discovered the code during a recent internal review and moved quickly to patch the vulnerabilities. “We launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS,” Worrall said.

According to the company, all Juniper NetScreen devices running ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable and need to be patched immediately.

In a separate advisory, Juniper said the code causes two security issues. “The first issue allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system,” the company noted. Certain entries in the log file would indicate if someone had exploited the vulnerability, Juniper said.

The second issue allows someone with the know-how to monitor and decrypt VPN traffic. Enterprises would have no way of knowing if the vulnerability has been exploited to snoop in on their encrypted VPN traffic. Juniper said the two issues are separate and distinct from each other.

Security experts described the disclosure as being deeply troubling and said it raised several questions about who might have had access to the source code, how they might have tampered with it unnoticed and most importantly, why.

Edward Snowden’s leaks about U.S. surveillance practices at home and abroad included details about the National Security Agency’s Tailored Access Operations (TAO) and the tools the agency apparently used as part of the operation to infiltrate systems. One of the tools allegedly was a software exploit for Juniper’s firewalls dubbed Bananaglee.

It’s quite possible that Juniper’s disclosure this week has nothing to do with Bananaglee at all and is a completely separate issue. But that does not mitigate the serious nature of the disclosure, analysts say.

“This is extremely worrisome,” says Richard Stiennon, chief research analyst at IT-Harvest. “It has all the hallmarks of a very sophisticated infiltration and corruption [campaign] … One can’t help wonder if Juniper has discovered a TAO backdoor.”

Though documents leaked by Snowden listed Juniper as one of several equipment manufacturers that may have been targeted as part of TAO, the company, like others, has never publicly disclosed any known backdoors in its products, Stiennon says. Businesses using unpatched firewalls run the risk of having all the network traffic routed through a VPN read by an attacker, and of having additional APT-style code installed on their systems, Stiennon says.

There are several possible ways the code could have been inserted into Juniper’s operating systems, says John Pescatore, director at the SANS Institute. An insider, for instance, could easily hide unauthorized code in such a manner as to evade detection during the testing and QA process.

If Juniper hadn’t taken adequate measures to protect its source code, an external attacker could have gained access to it as well, Pescatore says. “A variant is someone compromising tools Juniper developers used,” he says. “[But] that doesn’t seem too likely here.”

It’s important for enterprises to find out from Juniper what exactly happened, Pescatore says, and how and what the vendor has changed to prevent it from occurring again. “Then make sure to ask your other vendors why this won’t happen. This is all part of supply chain integrity in IT,” Pescatore says.

Rich Mogull, CEO of security research firm Securosis, says it appears that the backdoor code was inserted into the Juniper supply chain. “We can’t really speculate as to how it happened, but some options include everything from malicious employees to compromise of development pipeline servers and repositories, to compromise of employee systems with access to any of those assets,” he says.

This is not the first example of a company’s code development and release process being compromised — and it won’t be the last, he says. In fact, this sort of compromise happens far more commonly than most vendors, especially security companies, want to admit, Mogull says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: http://www.darkreading.com/vulnerabilities---threats/juniper-discovers-unauthorized-code-in-its-firewall-os-/d/d-id/1323622?_mc=RSS_DR_EDT

10 Funny Twitter Feeds For Security Geeks

These must-follow Twitter feeds offer plenty of cybersecurity humor to keep infosec pros giggling even when the attacks keep coming.

Let’s face it—information security isn’t inherently the most humorous field in the world. While the subject matter might elicit more laughs than something like periodontal dentistry, odds are it wasn’t the potential yuks that drew you to the profession. But like paramedics, morticians, and other professionals used to dealing with traumatic situations, infosec pros tend to be a pretty funny bunch of folks–even if the humor runs a little black.

Because in spite of the frustration and long hours, there’s a lot that is really hilarious about security, as long as you look at it in the right way. We’ve rounded up ten of the funniest security-related Twitter accounts that do just that. Their posts range from the daily facepalm variety all the way up to some pretty strange high-concept stuff. Either way, it’ll help you keep your sanity intact through some healthy exercise of the funny bone.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/attacks-breaches/10-funny-twitter-feeds-for-security-geeks/d/d-id/1323216?_mc=RSS_DR_EDT

Should visitors to Islamic State sites face punishments like fines or jail time?

In the US, it was called Operation Avalanche. In the UK, its name was Operation Ore.

Results of the two operations: the identification of thousands of suspects involved in the trafficking of child abuse images, thousands of homes searched, thousands of arrests, thousands of charges being brought, thousands of convictions, hundreds cautioned, and more than a hundred children removed from suspected dangerous situations.

None of this is new: not the surveillance tactics, not the sting, not the idea of going after people who access these types of sites.

After all, such content isn’t protected by free-speech laws.

On Tuesday, University of Chicago Professor Eric Posner, the fourth most-cited law professor in the US as of May 2014, proposed that we start treating terrorist propaganda similarly.

From Posner’s article on Slate:

Consider a law that makes it a crime to access websites that glorify, express support for, or provide encouragement for ISIS or support recruitment by ISIS; to distribute links to those websites or videos, images, or text taken from those websites; or to encourage people to access such websites by supplying them with links or instructions.

Such a law would be directed at people like [Ali] Amin: naïve people, rather than sophisticated terrorists, who are initially driven by curiosity to research ISIS on the Web.

Posner’s reference is to Ali Amin, the subject of a recent article in the New York Times about how naive Americans get drawn into Islamic State, also known as ISIS, ISIL or Daesh.

Posner:

Lonely and bored, the 17-year-old Virginia resident discovered ISIS online, was gradually drawn into its messianic world, eventually exchanged messages with other supporters and members, and then provided some modest logistical support to ISIS supporters (instructing them how to transfer funds secretly and driving an ISIS recruit to the airport).

He was convicted of the crime of material support of terrorism and sentenced to 11 years in prison.

Amin did not start out as a jihadi; he was made into one.

This is the threat represented by naive people like Amin, Posner says:

Using their own websites, Twitter, Facebook, YouTube, and other platforms, [terrorists] lure young men and women to their mission – without having to risk the capture of foreign agents on U.S. soil. The Americans ensnared in ISIS’s net in turn radicalize others, send money to ISIS, and even carry out attacks.

Never before in our history have enemies outside the United States been able to propagate genuinely dangerous ideas on American territory in such an effective way – and by this I mean ideas that lead directly to terrorist attacks that kill people.

And here is Posner’s proposed “new thinking” about limiting freedom of speech in order to address the threat: introduce laws with graduated penalties that start out with a warning letter from the government and escalate to fines or prison sentences for those who view Islamic State-related websites.

This is not about targeting the sophisticated terrorists who’ve mastered encrypted communications, Posner says.

Rather, it’s about intercepting people like 17-year-old Amin, who get drawn into online relationships by recruiters after doing things like running a casual online search for more information.

Posner:

When people discover ISIS websites and circulate them by Twitter, Facebook, and other public websites, those people often disclose their identities. Many are too naïve to use pseudonyms; others reveal their identities to their ISPs, which can be forced to cough them up to police.

Teenagers who are curious about ISIS but not yet committed to it are unlikely to use complicated encryption technologies to mask their identities from ISPs. Laws directed at this behavior would make a dent in recruitment, and hence in homegrown radicalism, even if they do not solve other problems.

As word spread, people like Amin “would be discouraged from searching for ISIS-related websites and perhaps be spared radicalization and draconian punishment for more serious terrorism-related crimes,” Posner suggests.

As far as legitimate research goes, the law would contain exemptions for those who can demonstrate a legitimate interest in viewing Islamic State websites, including journalists, academics, private security agencies and the like.

Posner suggests that to prove their “legitimate” interest, such people might be required to present documentation such as press credentials, a track record of legitimate public commentary on blogs and elsewhere, academic affiliations, or employment in a security agency.

That aspect might prove problematic.

David Rothman, founder and publisher of the TeleRead e-book site and cofounder of LibraryCity.org, writes that even a published writer such as himself can’t convince the government of his bona fides:

I’m a lifelong liberal Democrat and Obama supporter, I’ve appeared in the Washington Post, the Baltimore Sun, the Nation and even its philosophical opposite, National Review… but the White House switchboard would not even connect me to the press office when I was seeking possible comment on library-related matters.

There are also security researchers such as those affiliated with Ghost Security Group who work anonymously to infiltrate terrorists’ online sites in order to gather intelligence and thwart attacks.

If Posner’s suggestion were to bear legislative fruit, would researchers like GhostSec have to give up their credentials in a bureaucratic manner that would risk exposing their identities and jeopardizing their operations, or would they quietly be given a pass?

What legal hurdles would be faced by a law against viewing terrorist sites online?

Posner says the obvious problem would be that it could be struck down on First Amendment grounds, given that it would interfere with the right of people to receive or read political information, as would proposed laws that would require internet companies such as Facebook and Twitter to remove Islamic State-related propaganda from their websites.

Child abuse imagery, terrorist recruitment sites: should they both be deemed similarly criminal to access?

Does it approach thought crime, or is it justifiable in the light of current events?

Please share your thoughts in the comments section below.

Image of Sign courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/I4krGsDwbM0/

Advent tip #18: Avoid typosquatting – type carefully at Christmas!

A few years ago, in the leadup to the holiday season, we programmed a computer to use the web carelessly.

We generated mis-spellings of six well-known domain names, and deliberately browsed to them.

For example, instead of typing facebook.com into the address bar, our purposefully careless computer tried sites like:

gacebook.com
hacebook.com
facebool.com
faceboom.com
faebook.com
fajcebook.com

…and so forth.

By applying every possible one-character typo to the domain names of Facebook, Google, Twitter, Microsoft, Apple and Sophos, we generated 2249 website names.

Of these, an astonishing 1502 websites were alive and active, serving up 14,495 different URLs containing web pages, JavaScript, images and more.

We took a screenshot of every page as it looked after letting it load for 9 seconds.

Let’s just say that very few of them had anything to do with the site, the service or the products of the company whose domain name we’d tweaked.

This trick is called typosquatting, and it’s like having street vendors selling knockoff products right outside a brand-name store – except that it’s often much less obvious that you’re dealing with an imposter.
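As an added example (not code from the Naked Security experiment described above), here is a Python generator for the one-character typo classes shown in the list above (substitution such as gacebook, deletion such as faebook, insertion such as fajcebook), extended with adjacent-character transposition, which the post does not list but is another common single-keystroke slip. It also includes a defensive check that flags hostnames from a constructed log sample that sit one typo away from a protected brand domain; the brand list and the sample hostnames are constructed for the example.

```python
import string

ALPHABET = string.ascii_lowercase


def one_char_typos(label, transpose=True):
    """Return every string within one keystroke error of `label`.

    Covers substitution, deletion and insertion (the classes shown in the
    post) plus adjacent-character transposition.  The label itself is
    never returned, so an exact match is not treated as a typo.
    """
    label = label.lower()
    n = len(label)
    variants = set()
    for i in range(n):
        # substitution: replace one character with any other letter
        for c in ALPHABET:
            if c != label[i]:
                variants.add(label[:i] + c + label[i + 1:])
        # deletion: drop one character
        variants.add(label[:i] + label[i + 1:])
    for i in range(n + 1):
        # insertion: add one extra letter at any position
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i:])
    if transpose:
        for i in range(n - 1):
            # transposition: swap two neighbouring characters
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)  # swapping the "oo" in facebook gives facebook back
    variants.discard("")     # deleting the only character of a 1-char label
    return variants


def typosquat_candidates(domain):
    """Expand a brand domain such as facebook.com into candidate typosquats."""
    label, _, tld = domain.lower().rpartition(".")
    if not label:
        raise ValueError("expected a domain with a TLD, e.g. facebook.com")
    return {f"{variant}.{tld}" for variant in one_char_typos(label)}


def find_typosquats(observed_hosts, protected_domains):
    """Map each observed hostname that is one typo away from a protected
    domain to the brand it imitates.  Exact matches are not reported."""
    lookup = {}
    for brand in protected_domains:
        for candidate in typosquat_candidates(brand):
            lookup.setdefault(candidate, brand.lower())
    hits = {}
    for host in observed_hosts:
        host = host.lower().rstrip(".")
        if host in lookup:
            hits[host] = lookup[host]
    return hits


# Constructed sample: hostnames as they might appear in a proxy or DNS log.
SAMPLE_HOSTS = [
    "facebook.com",   # the real site, not flagged
    "gacebook.com",   # substitution
    "faebook.com",    # deletion
    "fajcebook.com",  # insertion
    "sohpos.com",     # transposition
    "example.org",    # unrelated
]

if __name__ == "__main__":
    print(len(one_char_typos("facebook")), "one-typo variants of facebook")
    hits = find_typosquats(SAMPLE_HOSTS, ["facebook.com", "sophos.com"])
    for host, brand in sorted(hits.items()):
        print(f"{host:16} looks like {brand}")
```

The same candidate set can be fed to a domain-registration or certificate-transparency watch so a defender sees typo domains as they are registered, rather than after users have visited them.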

In short: the sort of typing errors that you make all the time, if you make them in your browser, can put you where you don’t want to be, or where you don’t want your kids to be.

Type carefumbly this Christmas!


Images of Christmas tree and Advent calendar courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vRVDY_gpp4s/

Can tech billionaire Elon Musk save us from evil robots?

A group of tech billionaires has launched a new organization for studying artificial intelligence (AI), called OpenAI, using $1 billion of their own money.

The backers include Tesla/SpaceX/PayPal founder Elon Musk, LinkedIn founder Reid Hoffman, and PayPal co-founder/venture capitalist Peter Thiel.

Musk and a lot of other very smart people are increasingly worried that advances in AI could one day pose a threat to human existence.

If and when machines become more intelligent than humans, will they be interested in keeping us around?

OpenAI has a goal of advancing artificial intelligence that prioritizes “a good outcome for all,” instead of developing the technology solely for the benefit of shareholders, and its research is “free from financial obligations,” as the founders put it in a letter introducing OpenAI last week:

As a non-profit, our aim is to build value for everyone rather than shareholders. Researchers will be strongly encouraged to publish their work, whether as papers, blog posts, or code, and our patents (if any) will be shared with the world. We’ll freely collaborate with others across many institutions and expect to work with companies to research and deploy new technologies.

Musk has been at the forefront of efforts to study AI, having funded 37 research teams via the FLI (Future of Life Institute) as part of a program aimed at “keeping AI robust and beneficial.”

Not everyone agrees that AI is a threat to human existence, but it’s hard to argue at this point that it doesn’t at least threaten some of our jobs (even skilled jobs like doctors and writers).

Other researchers have pointed out that we already have “killer robots,” like the military drones that are increasingly used in warfare.

It’s a bit ironic that Musk, whose Tesla is pushing the envelope on autonomous vehicles, would be warning us against threats from intelligent computers.

Musk is joining what seems to be a new breed of tech industry philanthropists looking to tackle the world’s biggest problems using their considerable wealth.

Facebook’s Mark Zuckerberg and his wife Priscilla Chan recently launched a new foundation called the Chan Zuckerberg Initiative, to which they’ve pledged to donate 99% of their Facebook shares, worth about $45 billion.

Bill Gates and his wife Melinda have handed out grants totaling $34.5 billion since launching the Bill and Melinda Gates Foundation, and the Microsoft founder’s philanthropic efforts have included noble causes such as public health and education.

Some are calling this trend “hacker philanthropy.”

These philanthropy hackers bring a spirit of innovation that will hopefully generate new ideas and new solutions.

But that doesn’t mean they will always know best.

The billionaires behind the OpenAI institute seem to be setting a good example, by standing back and deferring to the researchers who have dedicated their life’s work to the problem.

Image of robots courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VVAj-inbTv4/

Crooks update their exploits – have you updated your Office?

Microsoft Office exploits are cunningly-crafted, deliberately malformed chunks of data, inserted into Office files, that crash the application in a way that gives cybercriminals control, so that they can install malware without you noticing.

With a reliable exploit in hand, they don’t need to persuade you to click a web link, or to download and install a program, or to enable Office macros (which are off by default, with very good reason) and re-open the document at a lower security level.

Just opening the document to read it, or in some cases merely looking at it in a preview window, may be enough to infect your computer with malware.

TRACKING THE THREAT

In order to keep track of the burgeoning appetite of the criminals for Office-based attacks, we’ve been monitoring the usage patterns of the most popular Microsoft Office exploits.

For many years, one exploit has been at the top of our charts: CVE-2012-0158.

As explained above, document-based malware is an alternative infection vector for malware authors, and in recent months, some cybercrime groups have started using documents as their primary malware-spreading mechanism.

In a typical infection scenario, booby-trapped documents are attached to phishing email messages and sent out:

  • To large numbers of random recipients in the case of cybercriminals who are in it for the money.
  • To a small number of selected recipients in the case of Advanced Persistent Threat (APT) groups, who are typically focused on specific organisations.

Older exploits still work against a surprising percentage of users, thanks to poor patching habits, but new exploits have more value, because even fewer users are likely to be patched against them.

As the name tells us, CVE-2012-0158 has been around for more than three years now, so it is no wonder that the malware authors were looking for a replacement.

Over the years there were a few candidates, such as CVE-2013-3906 and CVE-2014-0761, but none of those threatened the dominant position of the old exploit, presumably because they simply didn’t work as effectively in the real world.

NEW KID ON THE BLOCK

Nothing endangered the reign of CVE-2012-0158 until August 2015, when a new Office exploit known as CVE-2015-1641 started to become popular with the crooks.

This exploit showed up only in small APT incidents before that time, but it was August when it found its way into the broader cybercrime scene.

The new exploit quickly became popular, and as we reach the end of 2015, it is poised to move into first place.

As we have written before, malware authors usually don’t concern themselves with the details of how Office exploits work, and they don’t need the technical skills to produce booby-trapped documents of their own.

They can simply do a deal, via the cyberunderground, with an exploit provider – “crimeware as a service” (CaaS), as it is known – who will arrange for the delivery of their malware to a specified number of victims, using booby-trapped documents as the infection vector.


IN CONCLUSION

Cybercrime gangs find Office documents a convenient way to spread their malware.

They have been using this method steadily over the past two years, and there is every sign that they will continue to do so.

Their approach is evolving over time: they use various underground tools to generate their booby-trapped documents, and as those tools are developed they automatically get to use newer Office exploits.

The good news is that they aren’t using zero-days, which are security holes for which an exploit appeared before a patch was available. (They’re called “zero-days” because there were zero days during which you could have been proactively patched).

Even the freshest exploit in their arsenal was fixed six months ago.

In other words: patch early, patch often!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EITQRGT9zG4/

iOS banking apps security still not good enough, says researcher

The security of mobile banking apps has improved over the last two years but there’s still scope for improvement.

Ariel Sanchez, security consultant for IOActive, has revisited research into the topic first conducted two years ago to see if there’s been any improvement.

Although security has increased over the two years, many apps still remain vulnerable.

As before, the research covered 40 mobile banking apps for iOS in use around the world. Sanchez confined himself to looking for client-side security weaknesses or vulnerabilities and didn’t include any server-side testing.

His testing methodology is explained in much more detail in a blog post. The research does not name the apps or the banks that released them.

Five of the 40 audited apps failed to validate the authenticity of the SSL certificates presented, which makes them susceptible to Man-in-The-Middle (MiTM) attacks. And more than a third (35 per cent) of the apps contained non-SSL links throughout the application. This shortcoming would allow an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or attempt similar scams.

In addition, 30 per cent of them failed to validate incoming data, leaving them potentially vulnerable to JavaScript injection. The results may not appear impressive, but at least they are an improvement on the results from 2013.

The testing also covered binary and file system analysis. This phase of the audit revealed that 15 per cent of the apps store unencrypted sensitive information, such as details about customers’ bank accounts and transaction history, in the file system via SQLite databases or other plaintext files.

“Most of the apps have increased transport security of the data by properly validating SSL certificates or removing plaintext traffic,” Sanchez concluded. “This helps mitigate the risk of users being exposed to MiTM attacks.”

“Although the numbers are down overall, there are still a high number of apps storing insecure data in their file system. Many of them are still susceptible to client-side attacks,” he added.

Sanchez added that few of the apps provide alternative authentication solutions, with most relying simply on username and password for authentication. Only 17 of the 40 apps (42.5 per cent) provided alternative authentication solutions to mitigate the risk of leaking user credentials and impersonation attacks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/18/ios_banking_app_audit/

When RATs Become a Social Engineer’s Best Friend

Hacking humans in the banking industry through rogue help desks is becoming a significant problem.

Jane, the senior fraud analyst in a top-tier bank, was looking at the latest series of reported online banking fraud cases and shook her head. This can’t be right, she decided. The fraudulent money transfer was coming from the victim’s device, which normally indicates some sort of Trojan-induced Man-in-the-Browser (MITB) attack designed to defeat device recognition and geo-location analysis. But these MITB attacks are normally picked up by the state-of-the-art malware detection service used by the bank.

She looked at the list of alerts and double-checked. There was nothing there. Was it some sort of new Trojan that went undetected by the system? If so, the Trojan operators must have known they have safe passage; they spent a long time in the account, and the money transfer they made was enormous. It’s as if they knew it wouldn’t be detected by any of the existing lines of defense. 

They were right about that, Jane thought, and picked up the phone to call the Internet user who reported the fraud. The story she heard made her realize she was facing something totally new… 

Remote Administration Tools, or RATs, started as completely harmless remote support tools, the kind that a help desk would use to support users whose PC needed attention. In fact, every major operating system, including mobile ones, has remote access protocols embedded at the OS level. But while RATs are a relatively new entrant in the growing arsenal of tools available to online banking fraudsters, state-sponsored hackers have been using them for a long time. Since 2009, wave after wave of Advanced Persistent Threat (APT) campaigns have used spear phishing to install RATs on employee machines in thousands of corporations worldwide. These attacks create invisible tunnels that allow an outsider to completely control a victim’s device from anywhere.

RAT capabilities based on VNC back-connect later appeared as a new feature in advanced banking Trojans such as Citadel, as well as a horde of next-generation Zeus clones. The fraudsters learned from government hackers that RATs are an extremely powerful weapon, allowing attackers not only to harvest information or run automated scripts in browsers, but to actually gain full remote control of a device and access a victim’s bank account from the victim’s own machine.

Today, RATs are a popular tool commonly used by cybercriminals. Dyre is currently the most widespread Trojan that uses RAT; Dridex, whose operation was recently disrupted by law enforcement, was also heavily using a RAT capability. Other Trojans include Neverquest, Shifu and many Zeus clones that feature VNC functionality with back-connect. Recently, there has been a spinoff of these RAT attacks: Social RATs.

In this rapidly growing social engineering attack, the victim gets a phone call from someone claiming to be from their bank, internet provider, or other trusted third party. The fraudster then gets the victim to download a commercially available remote administration tool, such as TeamViewer, in order to help fix the “problem”. 

Providing a rogue help desk with remote access rights into your PC is not something most readers of this article would do, but good social engineering is, at times, extremely convincing and effective. The banking industry is particularly vulnerable due to its lack of effective fraud detection for remote access attacks.

After the RAT is installed?

While on the phone, attackers instruct victims to go through “security checks” to verify the safety of their accounts by logging into their bank accounts. Even after victims believe themselves to be logged out, an attacker can linger undetected. Part of the reason banks are experiencing a growing number of socially engineered attacks is because they are cheap to execute and offer a huge payoff to attackers; with limited technological training, attackers can send a quick email, or briefly chat over the phone, and access someone’s entire life savings.

A similar problem exists in corporate banking. From a regulatory perspective, there are no requirements for a bank to make a business customer whole if it lost money due to fraud. However, publicity surrounding large fraud cases has made many banks realize that while they do not have the obligation to do so, making customers confident in their online banking usage is in their best interest.

Social RAT attacks stretch this dilemma even further: first, they involve higher-than-usual monetary losses, and second, falling victim to a ploy in which you end up granting someone remote control over your device is viewed by many banks as crossing the line from naiveté to gross negligence. This spells trouble for business banking, as it could set a dangerous precedent in which trust between banks and their customers erodes quickly.

Two factors contribute to the success of rogue help desk RAT campaigns. First, users are familiar with the concept of help desks that ask permission to take over their device. So, given the right social engineering, they’ll be susceptible to manipulation. The second issue: existing security controls do not detect RATs. 

To help close the gaps, banks can protect themselves by educating customers about social engineering threats. Users should be encouraged to refuse unsolicited help and contact their banks or other financial institutions if they receive suspicious emails, text messages or phone calls.  Moreover, customers should be made aware of ways they can verify conversations with customer service representatives.

Uri Rivner is recognized globally as an industry expert on cybercrime and advanced threats. He is a regular speaker at leading security and cyber conferences, and writes a cybersecurity blog read by thousands of professionals.

Article source: http://www.darkreading.com/attacks-breaches/when-rats-become-a-social-engineers-best-friend/a/d-id/1323576?_mc=RSS_DR_EDT

Hackers plan to ruin Christmas for gamers again

What’s green and enjoys whisking Christmas toys away?

There’s always the Grinch.

Last year, of course, it was the heart-of-a-seasick-crocodile Lizard Squad hackers who ruined gamers’ Christmas by launching Distributed Denial of Service (DDoS) attacks against PlayStation Network and Xbox Live.

This year, the green uglies are a new hacking group that’s threatening to take down the two gaming networks for a week during Christmas.

The DDoSers call themselves Phantom Group (@PhantomSquad) and are blaming the victims – the targeted companies – as did Lizard Squad last year.

Two of the messages coming out of that now-suspended Twitter account:

We will take down servers on christmas

I get asked a lot on why we do this? Why do we take down PSN and Xbox Live? Because cyber security does not exist.

If it sounds like the Ghost of Lizards past, you recall last Christmas correctly.

A man speaking for the hackers last year told Sky News that the Christmas attack was done “to raise awareness” and “to amuse ourselves” and that it was all Microsoft and Sony’s fault:

They [Microsoft and Sony] should have more than enough funding to be able to protect against these attacks.

The Phantom Squad claims that it’s not affiliated with Lizard Squad.

On Tuesday, the hackers claimed responsibility for knocking Reddit offline.

Today Reddit.com . What should it be tomorrow

Reddit confirmed that something was up, saying that its databases were coming “under extreme load” – an issue that could have been caused by a DDoS attack.

According to The Hacker News, neither Microsoft nor Sony confirmed the DDoS attacks, but Microsoft, at least, acknowledged issues with Xbox Live when Phantom Squad claimed responsibility for knocking it offline on Saturday.

In short, it seems that the group isn’t bluffing.

It could pull the plug on gamers who might not even be able to play their new Christmas games offline, given that many gifted games will attempt to update before first run, while new consoles will need to be updated before they’ll play a game.

Phantom Squad might not think it has affiliation with Lizard Squad, but it shares the same garlic-laced soul of its predecessors.

Sooner or later, its members may well look forward to sharing a similar fate: namely, getting arrested.

A lot!

Image of Santa on laptop courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/e9G2c5q-6P8/

WhatsApp blocked in Brazil after it refuses to hand over user data

On Thursday, a Brazilian judge overturned a 48-hour block of WhatsApp that a lower court had imposed when the company refused to hand over user data demanded by prosecutors in an investigation.

WhatsApp, a phone-messaging app which Facebook owns but considers a separate company, estimates it has 100 million personal users in Brazil: about half the population.

The truncated block – it lasted 12 hours on Thursday – infuriated users and led to angry exchanges on the floor of Congress, Reuters reports.

The block had been ordered by a judge in Sao Paulo and was supposed to be in effect starting midnight on Wednesday (0200 GMT Thursday) after the company, in spite of being fined, failed to comply with two judicial rulings to share information in a criminal case.

A judge in a higher court, Judge Xavier de Souza from the 11th criminal court of Sao Paulo, on Thursday issued an injunction to restore WhatsApp services, calling it unreasonable to punish millions of Brazilians due to one company’s recalcitrance, suggesting instead a higher fine:

Considering the constitutional principles, it does not look reasonable that millions of users be affected as a result of the company’s inertia to provide information.

Imagine Facebook boss Mark Zuckerberg stabbing the air and shouting “EXACTLY!”

That’s the same argument that he made on his Facebook page earlier in the day:

This is a sad day for Brazil. Until today, Brazil has been an ally in creating an open internet. Brazilians have always been among the most passionate in sharing their voice online.

I am stunned that our efforts to protect people’s data would result in such an extreme decision by a single judge to punish every person in Brazil who uses WhatsApp.

Details about the criminal case in question are scarce, given that it’s sealed, but it reportedly involves a drug trafficker linked to one of Sao Paulo’s most dangerous criminal gangs who’d allegedly used WhatsApp while committing crimes.

The Associated Press says that Brazil’s biggest telecoms didn’t put up much of a fight against the block.

As it is, they’ve been complaining about WhatsApp for months, given that its free services are taking a bite out of the revenues they’d otherwise get by selling their own text messaging services.

The suspension reportedly spilled over Brazil’s border to affect WhatsApp users in Chile and Argentina too.

The AP talked to one of the many Brazilians, Caroline Largueza, who were howling in frustration over the block.

The university student had been planning to meet friends to exchange Christmas presents on campus, but they’d planned to consult over WhatsApp to figure out exactly where.

The AP quoted her as she furiously tapped away on her phone in a Rio de Janeiro mall:

This is insane. It’s ruining my ‘secret Santa’ party!

Without WhatsApp it’s extremely hard to communicate with anybody.

Meanwhile, lawmakers fumed on the floor of Congress.

Reuters quoted a yelling congressman Caio Narcio:

This is ridiculous. What about our freedom to communicate?

The response shouldn’t surprise anybody. After all, Brazil has been dubbed the Social Media Capital of the Universe, with its users spending more than double the global average amount of time on social networks.

But as Tech Crunch’s Julie Ruvolo notes, a temporary WhatsApp shutdown in this communication-happy nation is nothing.

What the conservative congress would really like to see is a take-down of “the entire social web as we know it,” she writes, given bills circulating that would criminalize posting on social media and that would allow the government to spy on citizens.

She points to PL 215/2015, nicknamed the Big Spy (“O Espião”), a surveillance law that would require Brazilians to enter their tax ID, home address and phone number to access any website or app on the internet; as well as requiring companies like Facebook and Google to store that information for up to three years, and provide access to police with a court order.

Image of Whatsapp icon courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0FQsgwPJFzg/