STE WILLIAMS

BlackBerry gets bounced from Pakistan after saying no to backdoors

BlackBerry is saying “no” to government backdoor access to communications on its services and devices, in actions that speak louder than words.

Earlier this week, BlackBerry announced it is shutting down its operations in Pakistan and will leave the country by 30 December, after refusing to provide Pakistan’s government with backdoor access to its customers’ communications.

Marty Beard, BlackBerry’s chief operating officer, wrote on the company’s blog that the Pakistan Telecommunications Authority told mobile phone operators in July that BlackBerry would no longer be allowed to operate in the country for “security reasons.”

Beard said that Pakistan wanted unfettered access to all emails, BBM messages and other Blackberry Enterprise Service (BES) traffic, but the company refused on principle:

… [R]emaining in Pakistan would have meant forfeiting our commitment to protect our users’ privacy. That is a compromise we are not willing to make.

Beard stated unequivocally that BlackBerry does not support backdoors:

As we have said many times, we do not support “back doors” granting open access to our customers’ information and have never done this anywhere in the world.

BlackBerry has long made statements to that effect, but its message hasn’t always been so clear.

A few weeks ago, speaking at the FedTalks government IT summit, Beard said BlackBerry has a much more “balanced approach” to the issue of backdoors than some of their competitors who are “all about encryption all the way.”

Those comments were interpreted by some in the media as an endorsement for backdoors, such as The Inquirer’s Dave Neal, who wrote that “BlackBerry would be open to letting governments into its hardware and all over its encryption.”

Not so, BlackBerry says – the company is merely “happy to assist law enforcement agencies in investigations of criminal activity,” as Beard wrote in his blog post this week.

BlackBerry does have a somewhat checkered past when it comes to giving governments special access.

In 2012, BlackBerry (then called RIM) agreed to provide India’s government with a technical solution allowing it to intercept encrypted communications, including enterprise emails.

BlackBerry called it an “appropriate lawful access solution” rather than a backdoor.

The company faced scrutiny in 2013 after documents leaked by NSA contractor Edward Snowden revealed that the British intelligence agency GCHQ was able to “penetrate the security of BlackBerry smartphones” to intercept communications of government officials at the G20 summit in 2009.

As now, BlackBerry said in response to the Snowden leak that its policy on backdoors was “no backdoors.”

In 2014, BlackBerry again faced accusations that it had a backdoor in its products, due to its use of a faulty encryption algorithm developed by a BlackBerry subsidiary that was contracted by the NSA.

Again, BlackBerry issued a statement that its policy on backdoors is a strict “no.”

This time around, BlackBerry isn’t just repeating the line it’s used for the past three years – it’s walking away from a huge market in Pakistan.

Beard said this week Pakistan was “only” seeking access to its BES servers, but the government’s demand for access to a “significant swath” of its customers’ data left BlackBerry “no choice but to exit the country entirely.”

Originally, Pakistan ordered BlackBerry to shut down operations by 30 November, but has since extended the deadline to 30 December, and the company said it will pull up stakes by then.

BlackBerry’s official policy on backdoors may not have changed, but its actions in Pakistan are a strong affirmation of that policy in practice.

Image of giant keyhole with little people courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ves-em-5Z60/

Facebook ordered to stop tracking non-users

Facebook is now blocking Belgians if they haven’t signed in.

Those Belgians who don’t have a Facebook account are now unable to view Belgian Facebook pages at all, even public profiles such as those for local businesses.

The change was forced on Facebook when a Belgian court ruling last month ordered the social network to either face fines or stop tracking people who browse the site when they’re not signed in.

Those were stiff fines: at the time of the ruling, Facebook was given 48 hours to comply, lest it face fines of up to €250,000 ($267,000) a day.

According to the BBC, Facebook expected to receive an order this week and plans to contest it.

In the meantime, it’s complying: cookies will no longer be set for non-users, and visitors to the site must have accounts to access content.

The Belgian court last month said that Facebook uses a special cookie that visitors pick up if they visit a friend’s page on Facebook or any other page on the web with Facebook “like” or “share” code in it – all without the visitor having ever signed up for a Facebook account.

That cookie stays on a given device for up to two years, enabling Facebook to keep track of people and what they’ve looked at on the web.

Facebook calls this particular contentious cookie the “datr” cookie and has claimed it’s safe.
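A small audit of the kind of Set-Cookie headers a visitor who has never signed in might receive, added here as an illustration and not code from the article or from Facebook: it computes each cookie's lifetime (Max-Age taking precedence over Expires, as RFC 6265 specifies) and flags any persistent cookie that outlives a chosen threshold. The sample headers, the datr value and the fixed "now" are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of Set-Cookie headers a logged-out visitor might receive;
# values are illustrative, not captured from any real site.
SAMPLE_SET_COOKIE_HEADERS = [
    "datr=EXAMPLEVALUE0123; expires=Sun, 03-Dec-2017 12:00:00 GMT; "
    "Max-Age=63072000; path=/; domain=.example.com; secure; httponly",
    "csrf=abc123; path=/; secure",
    "recent=1; expires=Sun, 03 Jan 2016 12:00:00 GMT; path=/",
]
# Fixed "now" so the Expires arithmetic is reproducible (constructed).
SAMPLE_NOW = datetime(2015, 12, 4, 12, 0, 0, tzinfo=timezone.utc)
ONE_YEAR = 365 * 24 * 3600


def _parse_expires(value):
    """Accept the two date shapes commonly seen in Expires; treat both as UTC."""
    for fmt in ("%a, %d %b %Y %H:%M:%S GMT", "%a, %d-%b-%Y %H:%M:%S GMT"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_set_cookie(header, now):
    """Return the cookie name, its lifetime in seconds (None for a session
    cookie) and the attributes an audit cares about.
    Max-Age wins over Expires when both are present (RFC 6265)."""
    first, *attr_parts = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = None
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        lifetime = max(0, int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = _parse_expires(attrs["expires"])
        if expires is not None:
            lifetime = max(0, int((expires - now).total_seconds()))
    return {
        "name": name,
        "lifetime": lifetime,
        "domain": attrs.get("domain"),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def long_lived_cookies(headers, now, threshold=ONE_YEAR):
    """Names of persistent cookies that outlive the threshold: the ones a
    privacy review of a logged-out visit should question first."""
    flagged = []
    for header in headers:
        cookie = parse_set_cookie(header, now)
        if cookie["lifetime"] is not None and cookie["lifetime"] >= threshold:
            flagged.append(cookie["name"])
    return flagged
```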

Safe, or maybe even some type of terrorist repellent.

In the recent “Facebook is as bad as the NSA” rhetoric swap, Facebook claimed that its cookies keep Belgium from becoming “a cradle for cyber terrorism.”

Beyond fending off cyber terrorists, Facebook has argued that the datr cookie also provides better security for users by blocking the creation of fake accounts, protecting users’ content against theft, deterring denial-of-service (DoS) attacks, and reducing the risk of what it says are quite a lot of account hijacking attempts.

The BBC quoted a Facebook spokeswoman:

We had hoped to address the [Belgian Privacy Commissioner’s] concerns in a way that allowed us to continue using a security cookie that protected Belgian people from more than 33,000 takeover attempts in the past month.

We’re disappointed we were unable to reach an agreement and now people will be required to log in or register for an account to see publicly available content on Facebook.

Facebook will no longer set datr cookies for non-users, and those cookies that have already been baked will be deleted where possible.

Facebook told the BBC that it plans to come up with cookies for logged-in users to protect against certain attacks.

At the heart of the Belgian court case is a move Facebook made in June 2014 to give advertisers more ammunition to target users, by mixing data about what we do on its site with data about what we do on other sites.

Which leads us to another likely reason for Facebook’s mighty struggles against the ban on tracking non-users: the public pages of local businesses, sports teams, tourist attractions and celebrities that were formerly accessible to non-users are now hidden away from Belgian non-users.

That surely isn’t going to make Facebook advertisers happy.

That’s what Paul Bernal, a privacy commentator and law lecturer at the University of East Anglia, had to say about it to the BBC:

[If] people cannot now find their Facebook pages [the business owners] will not be happy about it.

Beyond unhappy businesses, this case could ripple out to other European countries, he said:

I think the other protection authorities all over Europe will be looking at this.

Belgium isn’t applying Belgian law, it’s applying European law, so if they’re applying it in Belgium why shouldn’t they apply it everywhere in Europe?

In the meantime, EU privacy advocate Max Schrems, who first went after Facebook by filing complaints against what he said was its illegal data collection and retention, is demanding that Facebook stop data transfers between the EU and the US, due to snooping.

Schrems on Tuesday made legal moves in the wake of the European Court of Justice having in October struck down the Safe Harbor data transfer pact.

That pact had allowed companies to transfer European citizens’ personal data to the US.

Thousands of companies will be affected by that court decision.

Facebook’s on the front line when it comes to feeling the impact, because it is called upon to abide by the individual data privacy regulations in each of the member states of the EU.

Schrems has filed complaints with data protection officials in Ireland, Germany and Belgium to block Facebook from transferring data to the US.

Schrems says he wants to “ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance.”

Schrems has warned that other companies that have participated in US snooping – he mentioned Apple, Google, Microsoft and Yahoo – may face similar complaints in the future.

Ars Technica quotes him (link added):

We are reviewing the situation in relation to all PRISM companies right now.

Image of Facebook logo courtesy of tanuha2001 / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nnnKBuXg0hc/

Google fends off EFF’s claims kids probed by Chromebook software

Google has fired back at allegations that Chromebooks running its education software spy on children in classrooms and push adverts.

“Our goal is to ensure teachers and students everywhere have access to powerful, affordable, and easy-to-use tools for teaching, learning, and working together,” said Jonathan Rochelle, director of Google Apps for Education. “We have always been firmly committed to keeping student information private and secure.”

Earlier this week the Electronic Frontier Foundation claimed, in a submission to the US Federal Trade Commission, that Google Apps for Education (GAFE), and in particular the Chrome Sync features, were being used to collect the browsing and search habits of the nation’s schoolchildren.

“Minors shouldn’t be tracked or used as guinea pigs,” EFF staff attorney Nate Cardozo said.

But according to Rochelle, the EFF has its facts wrong. The data collected by GAFE was to enable students to log into their accounts, and none of it is used to build advertising profiles, he said.

As for Chrome Sync, Rochelle explained that information such as web histories and website visits is only stored to allow students to access their accounts across a wide range of devices. There’s no behavioral analysis, and no data on specific individuals is collected.

“We use this data to holistically improve the services we provide,” he said. “For example, if data shows that millions of people are visiting a webpage that is broken, that site would be moved lower in the search results.”

In any case, Chrome Sync is an option, he pointed out, and it’s up to schools whether they allow it or not. Sync is turned on by default, but it’s easy to shut down.

All of this leaves the EFF’s “Spying on students” campaign looking a little deflated. But the group says it still has concerns that if students sign onto personal Google accounts while still in their educational accounts, it’s possible that could be used to serve up adverts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/google_negates_claims_its_fiddling_with_kids/

New edition of Windows 10 turns security nightmares into reality

Microsoft’s released a new flavour of Windows 10.

Windows 10 IoT Core Pro is a version of the OS destined for original equipment manufacturers cooking up connected things.

Redmond says the Pro cut’s big differentiator is “the ability to defer updates and control distribution of updates through Windows Server Update Services.”

“With these servicing options,” Microsoft’s Billy Anders writes “we are bringing flexibility for our partners and customers to help meet their servicing needs while helping ensuring their devices are secure and managed.”

Or not, if a thing-maker decides to defer updates and therefore deprive things of fixes. And seeing as things are online … you get the rest, starting with the probe for the state of a Windows IoT Core Pro device, the p0wnage that follows and the red faces as someone explains they had a perfectly good reason for turning off security updates.

The vanilla version of Windows 10 IoT Core has also earned some tweaks. There’s a new “‘direct memory access bus’ driver that gives you the ability to run native code for the significant performance improvements in GPIO.” Raspberry Pi 2 owners “now have full support for the TX/RX pins” and there is support for Realtek Wi-Fi chipsets RTL8188EU and RTL8192EU. For those of you unfamiliar with those chipsets (shame on you), Microsoft says they’re used in plenty of USB Wi-Fi dongles, so support means easier wireless connections for things. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/new_version_of_windows_10_turns_security_nightmares_into_reality/

Microsoft encrypts explanation of borked Windows 10 encryption

We know Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level.

You may or may not know that its disk encryption tool Bitlocker has suddenly stopped working in the latest version of its operating system for a number of people.

Bitlocker refuses to work if you try to enable it on a self-encrypting drive with the hardware-accelerated encryption switched on: when you do a clean install of the latest build of Windows 10 – the November 2015 edition aka version 10586/1511 – you’ll find you’re unable to enable Bitlocker on your self-encrypting drive.

This affects a good number of folks, who were looking forward to using Windows 10 on their self-encrypting flash drives. One frustrating solution is to install an older version of the OS from scratch, enable Bitlocker with hardware encryption, and then gradually bring it up to version 1511 via Windows Update.

Microsoft pulled .ISO images of the November release, used to perform clean installs of version 1511 of Windows 10, but later reinstated the files after fixing a privacy bug. There was no mention of the Bitlocker issue, although version 1511 did add support for 256-bit XTS-AES encryption, which is performed by software rather than your drive’s hardware. That may have something to do with it. Some readers have told us the reinstated .ISO download is actually still build 10240 of Windows 10 from July, so your mileage may vary.

To the crux of the matter: we asked Microsoft to shed some light on the problem, and hopefully get an ETA for a fix for this encryption snafu. The patch KB3116908 released on Wednesday didn’t fix it. We asked Redmond twice – before and after the Thanksgiving break here in the US – for any information at all. Anything.

Aptly for the trouble at hand, we were sent a statement enciphered using an algorithm and key we cannot possibly fathom, rendering it roundly indecipherable. Can you make any sense of this?

Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule.

Where’s GCHQ when you need it? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/windows_10_bitlocker/

Infosec bods rate app languages; find Java ‘king’, put PHP in bin

Java applications have been found to have many fewer common vulnerabilities than those coded using web scripting languages. Less than a quarter of Java apps sport SQL injection vulnerabilities, compared to more than three quarters of those written in PHP.

So says Veracode’s new State of Software Security report (PDF).

The research crawled languages including PHP, Java, JavaScript, Ruby, Microsoft Classic ASP, .NET, C and C++, iOS, Android, and COBOL, scanning 50,000 applications over the last 18 months.

It found PHP apps fared worse than all with 86 percent bearing SQLi, one of the dangerous, perennial, and easy-to-exploit web application vulnerabilities.

More than half of those apps also contain cross-site scripting holes, the other chief web app security irritant.

About two thirds of ASP apps contain SQLi vulnerabilities, with, to no one’s surprise, ColdFusion close behind at 62 percent of applications carrying the bugs.

Image of vulnerable apps against OWASP

Worse, 80 percent of apps written in PHP, ASP, or ColdFusion flunked kindergarten-level security tests, sporting at least one of the Open Web Application Security Project’s Top Ten quality coding benchmarks.

The Top Ten is held up as the control against which the boilerplate statement “we take security seriously” is measured.

Some 87 percent of Android apps have cryptography implementation issues while 90 percent have code quality issues, more than any other language studied.

Image of overall scores

“When organisations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to assess for them,” Veracode security boss Chris Wysopal says.

“The data in this report can inform decisions around language selection, developer training and which assessment techniques to use in order to make the inevitable remediation process less onerous.

“This information can make it easier for security to work with development to increase the maturity of security in the software development lifecycle and produce less risky applications.”

Reading an application security book or taking a course will bolster the infosec chops of a developer by about a third, however. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/veracode_programming_languages/

JD Wetherspoon: A ‘hacker’ nicks 650,000 pub-goers’ data

Pub chain JD Wetherspoon has confessed to a data breach in which a third party managed to snag the personal data of 650,000 customers, together with some financial data, through a hack on its old website.

Some of the pub chain’s staffers’ personal info was also accessed.

A database containing personally identifiable information was accessed, potentially compromising the names, email addresses, dates of birth, and phone numbers of 656,723 customers.

An email to customers stated “very limited credit/debit card information” was stolen from “a tiny number of customers (100), who purchased Wetherspoon vouchers online before August 2014”, however ‘Spoons was unable to confirm to customers whether they had specifically been affected.

The data was not encrypted, said the firm, “because the first 12 digits and the security number on the reverse of the card were not stored on the database.”

The Information Commissioner’s Office has been informed of the breach, stated the company, which further explained how it collects customer information:

Despite being discovered on 1 December, ‘Spoons noted “the breach took place some time ago” – between 15 and 17 June this year.

“There has been no information from customers, or from our cyber security specialists, that leads us to believe that fraudulent activity has taken place,” the company said, adding, “although we cannot be certain.”

In a letter to investors, JD Wetherspoon claimed the information had been obtained from its old website, which has now been replaced in its entirety.

Luke Scanlon, a technology lawyer at Pinsent Masons, said: “Every business which collects personal data from its customers has a responsibility to ensure that cyber protection measures are in place that provide a level of security which takes into account “best practice” and the “state of the art” security technologies available to them, proportionate to the costs of implementing those technologies and the risks inherent in the nature of data being processed.”

“Currently in the UK, businesses (with the exception of some telcos) are under no obligation to report a breach but this is due to change under the incoming General Data Protection Regulation, meaning that companies could face significant fines in addition to reputational damage and other legal consequences if they choose not to report a breach,” said Scanlon. “Each time a breach of this nature occurs, it is a wake-up call for businesses – the threat is a very real and constant one which could have damaging consequences for a business if the appropriate security isn’t in place.”

JD Wetherspoon CEO John Hutson said: “We apologise wholeheartedly to customers and staff who have been affected. Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.”

Rest assured, The Register has enquired as to how this theft was possible through an attack on the website. The company has told us that no further information will be provided before their investigation is complete.

If you can shed any light on the situation, drop us an email. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/wetherspoons/

Wireless Hello Barbie back under the spotlight for slipshod security

Mattel’s Hello Barbie doll, the Wi-Fi-equipped playmate that talks to its owner and reports back on the conversations to mummy and daddy, has more security problems than first thought – this time on the software side.

Last week security researcher Matt Jakubowski found that it was relatively easy to purloin wireless network names, account IDs, and MP3 files from the toy. Now an examination by a different team has found that both the mobile app controlling the doll and the server-side systems used by the plastic playthings also have serious issues.

After unboxing, Hello Barbie is set up with a Wi-Fi connection that allows the owner’s questions to be sent to a remote server, analyzed, and an appropriate response sent back. The iOS and Android mobile app required to do this has some fairly basic errors, according to Bluebox Labs and Andrew Hay, director of research at OpenDNS.

The app uses client certificate authentication to talk to the main servers, and password-protects the certificate. But the password is hardcoded into the app’s executable and can be reverse-engineered, the researchers report, or the certificate obtained from the app after it has been decrypted.

The doll is also set up as a wireless access point with the name “Barbie” followed by four random alphanumeric characters. When the mobile app searches for an access point, it will connect to any network with the phrase Barbie in its name. This makes spoofing a connection easy and resulting traffic susceptible to surveillance.

On the server side, the team spotted that ToyTalk, Mattel’s tech partners on Hello Barbie, use SSLv3 for encryption – meaning it is susceptible to the POODLE attack first reported in October last year.

None of these problems are unfixable, and the researchers are in contact with ToyTalk and are patching up the holes. But, given the somewhat sensitive nature of the doll in these days of worry over privacy, they should really have been fixed earlier.

“ToyTalk were great to work with,” Bluebox’s lead security analyst Andrew Blaich told The Reg. “Within a day of us getting in touch they were patching their systems, which is almost unheard of for this kind of internet of things device, and they had already updated SSLv3 to bar POODLE attacks.”
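An added example, not ToyTalk’s or Mattel’s code, of the TLS configuration the researchers describe as the fix, written with Python’s ssl module: server and client contexts refuse anything below TLS 1.2, so the SSLv3 fallback that POODLE relies on cannot be negotiated, the server demands the app’s client certificate, and the client key’s password is fetched at runtime rather than compiled into the executable (the environment variable name is hypothetical; a mobile app would use the platform keystore instead). A legacy context with its floor left open is included for comparison.

```python
import os
import ssl

# Hypothetical name for where the client key password is fetched from at runtime.
CLIENT_KEY_PASSWORD_ENV = "TOY_CLIENT_KEY_PASSWORD"


def hardened_server_context(certfile=None, keyfile=None):
    """Server side: TLS 1.2 floor (no SSLv3, so no POODLE downgrade) and
    mandatory client certificates, so only the genuine app can talk to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:  # key material is loaded only when the caller supplies it
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context(certfile=None, keyfile=None):
    """App side: same TLS floor, strict server verification, and the client
    key password read from outside the code instead of a hardcoded literal."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(
            certfile, keyfile,
            password=lambda: os.environ[CLIENT_KEY_PASSWORD_ENV].encode(),
        )
    return ctx


def legacy_server_context():
    """The weak shape for comparison: protocol floor left at whatever the
    library permits, which on an SSLv3-capable build includes SSLv3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def permits_sslv3(ctx):
    """True when the configured floor would let a peer negotiate SSLv3.
    This inspects the configuration only, not whether the linked OpenSSL
    build still ships SSLv3 at all."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def protocol_floor(ctx):
    """Name of the lowest protocol version the context accepts, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name
```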

So if you’re buying a Hello Barbie for your little snowflake this Christmas, there shouldn’t be too much to worry about – apart from the doll’s option to report back its conversations with children to their parents. That could cause a few problems, particularly if the little tyke asks why mummy shouts to Jesus when the postman comes around. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/wireless_barbie_slipshod_security/

Domination: Crims steal admin logins, infect sites, drop Cryptowall 4

Virus slingers who find themselves unsatisfied by merely ruining computers with ransomware are now first stealing a victim’s admin passwords to enslave their websites into attack campaigns.

The battery starts with the installation of the Pony malware, which in 2013 stole some two million passwords through its global botnet.

Pony can also plunder passwords from more than 100 applications, social media sites, and Google accounts.

It is not clear how that initial Pony infection takes place, however.

Heimdal Security bod Andra Zaharia says stolen passwords are used to upload scripts to a victim’s site before users are pushed to malicious drive-by-download pages.

There the infamous Angler exploit kit delivers the as-yet insurmountable Cryptowall 4.0 ransomware.

“The campaign is carried out by installing a cocktail of malware on the compromised PC … which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of control and command servers controlled by the attackers,” Zaharia says.

“The Angler exploit kit will then scan for vulnerabilities in popular third party software and in insecure Microsoft Windows processes, if the system hasn’t been updated.

“Once the security holes are identified, Angler will exploit them and force-feed Cryptowall 4.0 into the victim’s system.”

Zaharia says the campaign is “extensive” and operates from six bulletproof hosting servers in Ukraine.

It is one of the most complex and likely most effective ransomware attacks to date, making use of the latest Cryptowall variant, released less than a month ago, and Angler, the world’s most effective and popular exploit kit.

Other web scum have taken to recruiting victims into an affiliate program.

Chimera has begun recruiting ransomware victims into an affiliate program where they can gain a 50 percent profit split for spreading the malware, Trend Micro threat man Anthony Joe Melgarejo says.

They are not excused from paying the one Bitcoin ransom, however. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/domination_crims_steal_admin_logins_infect_sites_drop_cryptowall_4/