STE WILLIAMS

Guess who doesn’t do cyber resilience testing? Yep, air traffic control

Analysis Although Chancellor George Osborne spoke of the National Grid, hospitals and air traffic control as potential targets of online attacks in a recent high-profile speech at GCHQ, only the financial services sector runs comprehensive stress tests.

The lack of exercises designed to hone defences raises serious questions about the robustness of key components of the UK’s critical national infrastructure.

The banking industry is getting tested, but there isn’t anything like Waking Shark II and Resilient Shield for other elements of the critical infrastructure (power, telecoms etc.), and the need for preparedness against attack in other sectors is certainly there.

“For our country, defending our citizens from hostile powers, criminals or terrorists, the internet represents a critical axis of potential vulnerability,” Osborne said during his speech at GCHQ. “From our banks to our cars, our military to our schools, whatever is online is also a target.”

“We see from this place every day the malign scope of our adversaries’ goals, their warped sophistication and their frenetic activity. The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost,” he added.

Osborne said during his speech that “GCHQ is monitoring cyber threats from high end adversaries against 450 companies across the aerospace, defence, energy, water, finance, transport and telecoms sectors”. The Chancellor warned that “every British company is a target, that every British network will be attacked”.

In the line of fire

Evidence that targeted attacks have spread and have affected victims far outside the financial sector is all too apparent, even though incidents of hackers taking out power grids (squirrels are a much bigger threat to power distribution systems, at least) or threatening lives are conspicuous by their absence.

Ed Wallace, director of incident response and advanced threats at security consultancy MWR Infosecurity, told El Reg: “After Stuxnet, Shamoon is probably the most widely known destructive computer attack and is frequently attributed to Iran. It targeted several organisations’ networks, most publicly Saudi Aramco (one of the world’s largest companies), wiping out their corporate network of nearly 30,000 machines, along with a similar attack against RasGas, as well as several others.”

Media and telecoms have also been hard hit by nation-state orchestrated attacks.

“The ’Dark Seoul’ attacks that wiped computers at three banks and three media organisations in South Korea [were an example]. Since then many parts of CNI [Critical National Infrastructure] in different countries have been attacked from telecommunications to nuclear power plants.

“By far and away the majority of these attacks have continued to focus on information theft but the recent attack a few months ago against French TV5 news channel (now attributed to Russia and the ‘APT-28’ group, often thought to be running under the Russian Military service, the ‘GRU’) shows that it’s not just the financial sector that is increasingly at risk.”

Wallace added: “At MWR we track various countries’ cyber programmes and most are looking to adopt variants of China’s ‘Unrestricted Warfare’ doctrine, which singles out five key sectors: Finance, Media, Energy, Telecommunications and Transport. The focus for most remains on Finance (as it is in China’s UW doctrine) but the other sectors are also under attack and are at risk.”

Jim Gumbley, who worked on security within the Cabinet Office before moving on to the private sector with global IT consultancy ThoughtWorks, said that financial sector firms are ahead of the resilience game.

“Our finance clients almost always have a structured and resourced approach to protecting against attack, however things are patchier in other sectors,” Gumbley told El Reg. “Most of the finance sector works within regulation or policy that explicitly makes handling information security risk an executive responsibility. When the leaders of an organisation take information security risk seriously, it does seem to have an impact on outcomes.”

The high-profile hacks over the last year underline the need for companies to build more secure software from the outset, rather than adding it on at the end, according to Gumbley.

Dr Evangelos Ouzounis, head of the secure infrastructures and services unit at ENISA, the EU cyber-security agency, told El Reg that the banking sector does resilience testing because the regulator in that area has more authority.

Simply the CBEST

Cyber resilience tests are currently mandatory for the financial sector, and this is enforced by the Bank of England.

MWR Infosecurity’s Wallace added that CBEST, a vulnerability testing framework designed to properly test key financial organisations’ cyber security, has no equivalent outside the banking sector.

He said: “CBEST is a trail-blazing scheme in the UK and one which many other countries across the globe are following with great interest as they also look to implement similar improved security testing regimes. However, beyond the financial sector, there are few similar testing methodologies as advanced as CBEST for other parts of the critical national infrastructure.”

Other infosec experts warn that replicating this capability outside finance may take time and a lot of heavy lifting.

Greg Tebbutt, head of engineering at Sparrho, a London-based startup developing a scientific literature recommendation service, commented: “Resilience testing is costly, difficult to address, and without immediate payoff. This is why companies don’t like spending on it in general. Add in the fact that many managers aren’t directly involved in or familiar with the technical side of things, and the financial and, more importantly, time commitment becomes too much.”

Traffic

Rob Partridge, head of the BT Security Academy, speaking at the Cyber Security Challenge UK’s masterclass, said that the telco was active in running resilience tests internally despite the lack of a telecoms industry framework, or at least the absence of one as mature as that already established by the banking industry.

“We are fully prepared for any threat that comes our way and we respond accordingly, and we practice and practice, and test, and we do that both as tabletop exercises,” Partridge told El Reg. “But clearly we wouldn’t want to discuss that openly because that would then mitigate our responses.”

Telcos already co-operate on security, Partridge explained.

“We certainly work together and cooperate. Government but cooperation strategies in place, things like the Cyber Information Sharing Partnership which is a publicly subscribable organisation run by CERT UK for us to share intelligence about threats and things like that.”

State of readiness

Marcus de Wilde of mobile application security testing biz Codified Security highlighted one US precedent that illustrates how regulators might play a role in insisting on improvements to corporate security. The FTC had insisted on improvements at hotel chain Wyndham Worldwide Corporation, and this policy was upheld by the courts when the hotel chain appealed. “Wyndham Worldwide Corporation is interesting due to Starwood hotel and others facing breaches recently,” he said.

The US National Cybersecurity Center of Excellence (NCCoE) recently released a draft document called “Identity and Access Management for Electric Utilities,” which was based on the NIST Cybersecurity Practice Guide. The proposals underscored the need for energy sector companies to do better and, by inference, also showed the state they are in. Industry comment on the proposals from Lieberman Software Corporation can be found here.

Public-private partnership

During a recent high profile speech, GCHQ director Robert Hannigan said private industry wasn’t doing enough to improve cyber-security.

Jonathan Sander, VP of product strategy at privileged identity management firm Lieberman Software Corporation, responded that the spy centre boss may have a point and that private sector firms need to learn how to share information, something that cuts against the grain.

Herd immunity

“Doing cybersecurity well means doing at least two things that commercial organisations are very uncomfortable with – admitting errors in public and sharing information they create through their own investment to benefit all,” Sander said.

“These are things that fly in the face of what most think of as postmodern business practice in many cases. There are organisations who see past the petty competitive impulses and do wish to share and collaborate. However, since true cybersecurity will take a large dose of herd immunity, these information-sharing outliers are not enough to immunise the pack against today’s relentless attackers,” he added.

Sander added that pushing tougher regulations is not necessarily the way to improve security.

“While putting more laws and regulations into place will likely be ineffective, the government could create safe spaces for commercial organisations to share and collaborate that reduce their perception of the risks of that sharing,” Sander said. “They could act as a clearing house for signal intelligence and threat data.”

We asked GCHQ’s press team for a comment on resilience testing outside the financial sector but it referred our inquiry to the CPNI, the lead UK agency for infrastructure protection.

“CPNI (the Centre for the Protection of National Infrastructure) works on programmes to protect major industries (example here) so for a response to your enquiry you would be best to contact them. CESG’s role is to work in conjunction with CPNI,” GCHQ told El Reg.

Press inquiries about the CPNI are run by the Home Office. Nobody knowledgeable on the topic was available for comment on Friday afternoon. We’ll update this story as and when we hear more. ®

Additional reporting by Alexander Martin


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/cyber_resilience_analysis/

Just in time for Xmas: Extra stealthy Point of Sale malware

Cybercrooks are selling a new strain of potent Point of Sale malware through underground forums.

“Pro PoS” weighs in at just 76KB and packs mechanisms to frustrate antivirus analysis, as well as rootkit functionality, according to threat intelligence firm InfoArmor.

Developers of the malware also integrated a polymorphic engine, so that each build has different signatures, for added stealth and as a measure designed to foil security defences.

InfoArmor warns that the current version of “Pro PoS Solution” is in active use in attacks against retailers and SMBs in the US and Canada specifically. The malware was put together by eastern European coders.

Black Friday (27 November) brought significant updates, as well as a price increase to $2,600 for a six-month licence.

Cybercrooks urged to splash the Bitcoins and go Pro

Publicity around the hacks of hotel chains – such as Hilton, Starwood and Trump over recent weeks and months – has spurred efforts among crooks to develop new Point of Sale malware.

Active support of the Tor protocol for secure and anonymous communications between infected victims and Command and Control (C&C) servers has become a must-have feature.

Cybercrooks are also monitoring OS trends in the retail sector, supporting new operating systems as they come online, specifically those used in modern back-office systems in retail environments. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/pro_pos_malware/

Security Geek Gift Guide

Whether you’re looking for a gift to give at the IT department’s holiday party, for your science-loving kids, or for a genuine friend in the cube beside you, these gifts are sure winners.

Attention, IT shoppers. Put down those Starbucks sampler packs and generic gift cards. Nothing says “I don’t know you that well and don’t really care” more than those things. If you are like many folks looking for a creative gift for an office mate, industry colleague, or an otherwise lovable nerd, there’s no reason to go that route. In this day and age of geek chic, the creative options for nerdy gift-giving are off the charts. So much so that the options are almost overwhelming. Fortunately, we’ve done the dirty work and rounded up a whole bunch of fun gifts that will be a hit whether it is for a cube mate, boss’ gag gift, office gift exchange, or just a regular old under-the-tree gift for kids or kids-at-heart.

Remember: it’s not just the spirit of giving, it’s also being remembered as the person who bought that really cool gift. Which is just the reputation you want the next time you really need someone to cover your butt when incidents start lighting up the SOC dashboard like a Christmas tree.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/security-geek-gift-guide/d/d-id/1323285?_mc=RSS_DR_EDT

How Facebook Bakes Security Into Corporate Culture

Security is everyone’s responsibility at the famous social network. These five ingredients are what make up the secret sauce.

Sophisticated systems and advanced engineering capabilities are critical for scaling security at Facebook, and we’re fortunate to have them. However, one of our most powerful defenses is something businesses of any size can develop: a strong security culture. 

Frequent and proactive discussions about security helped us create a culture where security is paramount and knowledge drives out fear. We nurture specific characteristics of our security culture at Facebook to keep it strong — and they’re things every company can do.

Ingredient #1: Openness
Security is everyone’s responsibility at Facebook and we don’t wait until something bad happens to talk about it. A member of the Facebook security team is part of every orientation session for all new hires to introduce them to our security approach and ensure they know how to reach our team for any reason. New engineers go through a six-week bootcamp program, which includes several courses on security. So, before they even start working on projects, our engineers are familiar with our expectations for security and are active participants in our defense strategy.  

But a security culture doesn’t start and end with training. Facebook employees have direct access to security teams at any time. We value feedback from anyone about what’s working and what isn’t; including employees in security discussions that could impact the way they do their job removes friction and builds a network of internal security advocates across the company. It also helps employees understand why we’re doing something, not just what we’re doing.

Ingredient #2: Company Mission
Tying security to the overall purpose and future of the company is also critical. It sets the tone for how security is treated within the organization. Is it an afterthought, an inconvenience, a compliance mandate, or is it critical to the company’s success? Facebook’s mission is to make the world more open and connected. To do this effectively, we must do it securely. This empowers everyone at Facebook to be part of making our services — and the Internet as a whole — safer and more secure. 

To succeed, we have to move fast with multiple code pushes per day involving a dizzying number of diffs. To do this securely, we complement traditional security reviews with secure development frameworks so engineers can be more productive while also removing vulnerabilities from our code.  A team of software engineers is dedicated to making it easier for developers to quickly create secure code by default. In this way, security contributes to the overall success of our company mission.

Ingredient #3: Community Collaboration
Exchanging ideas, lessons, and best practices with other security teams helps keep your skills sharp and your company informed. Whether you’re discussing new discoveries at events, sharing threat intelligence, or contributing to open source projects, collaboration allows us to solve problems as a community for the entire Internet. Take advantage of things that have already been solved by others, especially if you don’t have the resources or expertise to build solutions on your own.

We open-sourced osquery last year, giving other companies a way to detect intrusions in Linux and Mac systems. It’s now the most popular security project on GitHub with dozens of contributions from outside Facebook. Osquery has an active user community sharing new improvements and experiences with each other and our security team.

Ingredient #4: Empathy
With all its technical elements, it’s easy to forget the human side of security — and that can be a costly mistake. At Facebook, we strive to make empathy the driving force behind the problems we solve and how we apply solutions. Even well-intentioned people can find themselves in trouble if they don’t understand the implications of their choices. Don’t expect everyone to be a security expert; look at your products from their perspective and plan for a variety of uses. This is an important consideration both internally and externally.

Empathy requires that security issues get addressed from the start, especially at Facebook where we develop, test, and iterate quickly. Empathy Labs in Facebook offices around the world give engineers a better understanding for how people with different abilities, in different parts of the world, facing various life situations might interact with our products. A strong commitment to empathy is the only way we could build products that work safely for everyone. 

Ingredient #5: Engagement
Most people need a level of muscle memory to recognize when something suspicious is happening. Thus, security education must be consistent and memorable for employees to recognize potential risks on their own. This can’t be done with periodic compliance training or static content alone. 

Hacktober is a month-long program at Facebook with contests and workshops designed to engage employees on how to protect our company and all the people who use Facebook. We use gamification to drive participation, rewarding employees not only for avoiding unsafe behavior, but also contributing to security improvements such as identifying bugs in code. Fun interactive activities help reinforce the principles we practice throughout the year without reverting to scare tactics.

There is no magic technology or process for creating a security culture — it’s about people. A security culture requires understanding your employees and the people you serve. Whether it’s empowering your security team to participate in industry collaboration or articulating how security enables the overall company mission, a focus on people is critical. This effort has made all the difference at Facebook where every employee is part of the team that helps us protect 1.5 billion people around the world.

Chris Bream is a security director at Facebook. Chris has 12 years of IT experience, with the previous ten focused on information security. At Facebook, he leads a team that helps drive security on the infrastructure that delivers Facebook, Instagram, and Oculus to people …

Article source: http://www.darkreading.com/vulnerabilities---threats/how-facebook-bakes-security-into-corporate-culture/a/d-id/1323341?_mc=RSS_DR_EDT

Walmart spied on workers’ Tweets, blogs before protests

Walmart has recruited aerospace, defence and security concern Lockheed Martin to comb open source intelligence in the lead up to Black Friday union protests, Bloomberg reports.

The super-colossal retailer has a difficult history with unions and engaged the defence contractor to keep tabs on its employees in the run up to the national fire sale.

Organisers at workers’ rights advocate OUR Walmart were encouraging staff to join its movement to protest against what it claims are poor wage conditions at the retailer that force some workers to rely on supplementary government assistance for basic clothing, food, and housing.

The allegations are found in more than 1,000 pages of emails, reports, and testimony produced in discovery ahead of a National Labor Relations Board hearing between the OUR Walmart effort and the retail giant, and handed to Bloomberg Businessweek.

Lockheed Martin sells the LM Wisdom open source intelligence service but it is not known if Walmart uses the product.

Monitoring activity through Walmart’s so-called Black Friday Delta Team produced intelligence about OUR Walmart union activity including planned disruption at various Walmart stores.

This included a map of how protestors on five buses would be travelling from their locations to Walmart stores.

“With some assistance from LM [Lockheed Martin] we have created the attached map to track the caravan movements and approximate participants,” emails show a risk programme senior manager telling colleagues.

When the team created in the lead up to the recent sales blitz learnt of potential involvement of members of the Occupy sit-in movement, the retailer contacted the FBI.

The monitoring allowed the company to stay ahead of some planned protests, foiling some disruption efforts and ensuring management would report news of union efforts.

A Walmart executive summary after the Black Friday sales found picketing was down from 214 stores last year to 203, flash mobs plummeted from 76 to 10, and flyers fell from 131 to 96. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/walmart_hires_lockheed_martin_in_union_open_source_spy_effort_report/

VPN users menaced by port forwarding blunder

Virtual Private Network (VPN) protocols have a design flaw that can be potentially exploited by snoops to identify some users’ real IP addresses.

VPN provider Perfect Privacy, which discovered the security weakness, has dubbed it “port fail”, and says it affects VPNs based on the IPSec (Internet Protocol security) or PPTP (point-to-point tunnelling protocol) specifications, or using the OpenVPN client software.

Providers that offer port forwarding services are affected unless they’ve taken specific defensive measures, the company says.

Attackers need to have an account with the same vulnerable provider as their intended victim, and need to trick the target into visiting a website under the hackers’ control.

“If the attacker has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control,” the researchers say.

One redditor has offered a more detailed breakdown of the problem.

Major virtual private network providers have been warned about the flaw. Private Internet Access says it has fixed the flaw and paid its rival US$5,000 for the research effort.

BitTorrent users are under particular threat, Perfect Privacy says, because if they use port forwarding as their default torrent client port, they don’t need to be tricked into visiting an attacker’s web site.

Researchers suggest VPN providers set server-side firewall rules to block access from a client’s real IP address to forwarded ports that client does not use. ®
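As an added illustration (not code from the article, Perfect Privacy or any VPN provider), the following Python model reproduces the routing behaviour described above and the server-side firewall rule the researchers suggest; all client names, IP addresses and port numbers are constructed sample values.

```python
"""Model of the "port fail" leak and the suggested server-side firewall rule.

Added illustration only; not code from Perfect Privacy or any VPN provider.
All names, addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str
    real_ip: str                              # address the client connects from
    tunnel_ip: str                            # address assigned inside the VPN
    forwarded_ports: set = field(default_factory=set)


@dataclass
class VpnServer:
    public_ip: str
    clients: dict                             # name -> Client
    block_cross_client_forwards: bool = False # the suggested firewall rule

    def port_owner(self, port):
        for c in self.clients.values():
            if port in c.forwarded_ports:
                return c
        return None

    def deliver(self, src_ip, dst_ip, dst_port):
        """Return (receiver, source IP the receiver sees), or None if dropped."""
        if dst_ip != self.public_ip:
            return None
        owner = self.port_owner(dst_port)
        if owner is None:
            return None                       # no forwarding for this port
        if self.block_cross_client_forwards:
            # Firewall rule: a packet whose source is the real IP of a connected
            # client is dropped unless that client owns the forwarded port.
            by_real_ip = {c.real_ip: c for c in self.clients.values()}
            sender = by_real_ip.get(src_ip)
            if sender is not None and sender is not owner:
                return None
        return owner.name, src_ip


def client_sends(server, client, dst_ip, dst_port):
    """Model the client's routing table: all traffic goes through the tunnel
    except traffic to the VPN server's own public address, which has to leave
    via the real interface (otherwise the tunnel could not be built). That
    exception is what exposes the real IP when the destination is a forwarded
    port on the same server."""
    src_ip = client.real_ip if dst_ip == server.public_ip else client.tunnel_ip
    return server.deliver(src_ip, dst_ip, dst_port)


def scenario(block_rule: bool):
    """Constructed scenario: account 'mallory' has port 40000 forwarded and
    'alice' is lured into fetching a link pointing at the server's public IP."""
    alice = Client("alice", real_ip="203.0.113.10", tunnel_ip="10.8.0.2")
    mallory = Client("mallory", real_ip="198.51.100.7", tunnel_ip="10.8.0.3",
                     forwarded_ports={40000})
    server = VpnServer("192.0.2.1", {"alice": alice, "mallory": mallory},
                       block_cross_client_forwards=block_rule)
    return {
        # victim follows the link: the packet leaves via the real interface
        "victim_to_forwarded_port": client_sends(server, alice, "192.0.2.1", 40000),
        # an ordinary internet peer reaching the forwarded port still works
        "outsider_to_forwarded_port": server.deliver("203.0.113.99", "192.0.2.1", 40000),
        # the port owner reaching its own forwarded port is unaffected
        "owner_to_own_port": client_sends(server, mallory, "192.0.2.1", 40000),
    }


if __name__ == "__main__":
    for rule in (False, True):
        print("firewall rule on" if rule else "firewall rule off", scenario(rule))
```

With the rule off, the receiver of the forwarded port sees the other client's real address; with it on, only that one cross-client packet is dropped while outside peers and the port owner are unaffected.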


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/port_fail_vpn/

Connected smart cars are easily trackable, warns infosec bod

Black Hat Europe Upcoming connected cars that communicate with other vehicles or roadside systems might easily be tracked even by snoopers with limited resources unless the technology is tweaked, an expert in automated and connected vehicle cybersecurity warns.

Connected Vehicle is an upcoming technology that will allow cars and road-side infrastructure to communicate. This Intelligent Transportation Systems (ITS) technology is touted as a means to improve traffic flow and safety.

Vehicles continually broadcast messages containing their location. These messages can be received by anyone, jeopardising location privacy.

During an experiment run on the campus of the University of Twente in The Netherlands, two Wi-Fi sniffing stations were able to track a target smart car nearly half the time, according to Dr. Jonathan Petit, principal scientist at Security Innovation and a researcher at the University of Twente.

Experiment results demonstrate that tracking is feasible even if such an attacker covers a small number of intersections. For example, with only two sniffing stations, a mid-sized attacker can track the target vehicle at zone level 78 per cent of the time, and at road level 40 per cent of the time. Vehicle pseudonym change strategies can mitigate passive surveillance by increasing the number of sniffing stations required, the exercise showed.

“Everyone can deploy a surveillance system to track connected vehicles,” Petit’s talk concluded. “It is cheap and easy and somewhat effective. Countermeasures exist to mitigate the risk.”

Petit presented his research on tracking connected cars at the recent Black Hat Europe during a two-part session where he also discussed research into the security of sensors in self-driving cars.

Your next ride

Automated vehicles are equipped with multiple sensors (LiDAR or light radar, cameras for traffic sign recognition etc.) enabling local awareness of their surroundings. Petit and his team were able to develop remote attacks on camera-based systems and LiDAR using commodity hardware. Left unresolved, the shortcomings would potentially affect the safety of types of smart cars not expected to become mainstream for at least five years.

A fully automated vehicle will rely solely on its sensor readings to make short-term driving decisions. Sensors have to withstand both deliberate attacks and glare from the sun and weather conditions on the road, which might lower sensor data quality or alter sensor input and so disrupt the automation system.

As previously reported, a cheap laser pointer together with a Raspberry Pi might be used to develop an attack rig for under $200. Adding a pulse modulator would increase the cost slightly while increasing the effectiveness and scope of attacks. Attacks could be mounted from up to 100m away. Temporarily blinding sensors could force a car into braking or swerving. A flash might blind a vehicle for two seconds or more, the experiments showed.

Countermeasures would involve developing more robust sensors, according to Petit, who described his findings as a “wake up call” for developers of automated cars and sensor suppliers.

Results from laboratory experiments show effective blinding, jamming, replay, relay, and spoofing attacks are possible. Spoofing can involve creating echoes of a fake car or (potentially) pedestrians. Tests on a commercial IBEO Lux LiDAR unit in the lab showed such spoofing was possible, but this does not necessarily translate into a risk on the road. “Establishing stable objects on sensor output in real driving scenarios level for vehicle control could not be demonstrated,” as Petit put it.

Fortunately, Petit and his fellow researchers have come up with software and hardware countermeasures that improve sensors’ resilience against these types of attacks. “Fooling camera-based systems is easy and cheap,” Petit warned. “Don’t trust automated vehicle sensors unless you implement countermeasures to mitigate such threats.”

Potentially vulnerable sensors are also deployed in the latest luxury cars for advanced driver assistance systems (ADAS), so the results of Petit and his team’s research have short-term relevance beyond automated driving.

Slides from Petit’s Black Hat presentation, Self-Driving and Connected Cars: Fooling Sensors and Tracking Drivers, are here (pdf). Related research papers, Connected Vehicles: Surveillance Threat and Mitigation (pdf, here); and Remote Attacks on Automated Vehicles Sensors: Experiments on Camera and LiDAR (pdf, here), are also available.

Dr. Petit works as an advisor to governmental and commercial organisations that are rolling out trusted infrastructures to support communications for the connected vehicle market. He previously served as co-chair of the European PRESERVE research project, an early field test of connected vehicle security.

The two sides to the research by Petit and his team reveal that there are more issues to car safety and privacy than those revealed by the high-profile hack into the brakes and engine of a Jeep Cherokee by Charlie Miller and Chris Valasek back in the summer, which Petit described as more a hack on the cellular network of connected cars than anything. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/smart_cars_privacy_security/

Microsoft takes PUPs behind the shed with gun in hand

Redmond has updated its paid System Center Endpoint Protection and Forefront Endpoint Protection services with a feature to kill spammy and advertising-injecting programs operating from within enterprise networks.

The upgrades will help system admins eliminate potentially unwanted programs (PUPs) from networks: software that is not explicitly malware but is at minimum annoying and adds to the corporate attack surface.

Microsoft security bod trio Geoff McDonald, Deepak Manohar, and Dulce Montemayor say the PUP destroyer will be delivered through automatic updates.

“These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications,” the trio say.

“Typical examples of behavior that we consider [to be PUPs] include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.”

Annoying applications and reckless download bundlers foisted on users from major software attics will be blocked at download and install time if the opt-in feature is enabled.

The Redmond trio says admins should explicitly ban the installation of unsanctioned apps in corporate IT policies. If that is not practical, then admins using the new PUP killer should alert users that some downloads may be blocked. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/microsoft_potentially_unwanted_programs_nixed_in_forefront_and_systemcentre/

Telegram Messenger delivers candygrams to stalkers

Mere days after opsec expert The Grugq warned that popular messaging app Telegram Messenger couldn’t be regarded as secure, another researcher has demonstrated how its metadata leaks expose users to stalking.

Over at GitHub, Ola Flisbäck offers up a depressing demonstration of just how easy it is to zero in on an individual by watching the stream of presence and status notifications.

Invisible to ordinary Telegram users, the metadata is accessible to command-line clients, Flisbäck says.

Here’s the problem: in trying to make sure Telegram is usable, it’s been made way too chatty. For example, Flisbäck writes, “The Telegram Android app sends a notification to all contacts when it becomes or stops being the ‘foreground’ app on the device.

“Using that information alone it’s at times easy to make guesses about who’s talking to who if you have several contacts in common with a ‘victim’. An ‘attacker’ will sometimes see the victim and another contact taking turns going active/inactive as they pass messages back and forth.”

It gets better, Flisbäck notes, since if you know the target’s phone number, you can add their phone number to your contacts. That alone is enough to subscribe your phone to their metadata.

Telegram leaks metadata. Image - Ola Flisbäck

Telegram’s background chat a security risk. Image – Ola Flisbäck

Anyone capturing enough Telegram user metadata would have no trouble working out who is talking to whom, because (for example) a pair of users exchanging text messages will take turns going active and inactive.

If The Grugq and Matthew Green are right and Telegram’s encryption is also problematic, the app is probably more like the spook’s friend than the enemy of civilisation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/29/telegram_delivers_candygrams_to_stalkers/

Hello Barbie controversy re-ignited with insecurity claims

Back in February, The Register queried the security and privacy implications of Mattel’s “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy.

After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski (formerly of Trustwave’s SpiderLabs) reignited it by extracting Wi-Fi network names, account IDs, and MP3 files from the toy.

That brought a defensive response from Oren Jacob, CEO of ToyTalk (which provides the cloud processing chunk of Hello Barbie). He called Jakubowski an “enthusiastic researcher”, said the data is “already available” to customers, and “no major security or privacy protections have been compromised”.

While it’s probably easier to get an SSID by standing outside a house and letting it pop up on your phone’s Wi-Fi connection list, an account ID is another matter, since all an attacker needs is to get a password and they have access to the Hello Barbie account.

From ToyTalk’s point of view – and Vulture South’s – that still looks like an unlikely scenario: is it worth staging a user-by-user attack against a child’s doll?

However, in the wake of the weekend’s breach of toymaker VTech, the question of children’s privacy is now on a few million minds.

Troy Hunt (of Have I Been Pwned fame) writes about the VTech breach here, and some of his concerns regarding VTech are relevant to Hello Barbie: is it a good idea to extend children’s digital footprints to links between physical and digital assets, when they’re too young to understand notions of consent?

The other obvious question is how long Hello Barbie’s remaining security can last. Over at Somerset Recon, the first of two promised teardown articles has appeared, and it’s clear that her innards are as simple as you would expect given the limited space available.

The salient point is Somerset Recon’s teaser for its as-yet-unpublished follow-up: those researchers claim to have dumped the 16 megabits of firmware that runs the doll. It would be astonishing if that small an image proved resistant to reverse engineering. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/29/hello_barbie_controversy_reignited_with_insecurity_claims/