STE WILLIAMS

Final countdown – NSA says it really will end blanket phone spying on US citizens this Sunday

Come Sunday, the NSA will end its ferocious dragnet surveillance of American citizens’ phones, the White House insists.

From 2359 Eastern Time (0459 GMT) on November 29, the super-spy agency must jump through some extra hoops to access US folks’ telephone records.

Although this information does not include the content of phone calls, the records – such as who called whom, and when – are enough to piece together a person’s private life.

The climbdown in surveillance, apparently the biggest since spying was ramped up post-9/11, was triggered in May when the NSA’s mass spying operation was ruled illegal by a court of appeal.

In June, Congress passed the USA Freedom Act allowing the NSA to continue to dig into the logs of Americans’ phone calls – but with some limits. The intelligence agency must get a court order before asking telcos for the metadata, and only ask for accounts relating to specific investigations, as opposed to intercepting every last scrap of data just in case it’s needed later. Each order lasts up to six months.

In other words, the telephone companies keep the records, and the g-men have to ask nicely for them, rather than having the whole lot delivered to them in bulk. In addition, the court scrutinizing the requests for metadata will not just hear evidence from the US government’s side but will, in certain circumstances, have an advocate presenting the viewpoint of those being spied upon.

The NSA was allowed to continue its dragnet slurping of records until the end of November; the USA Freedom Act requires this blanket surveillance to end on the 29th, and the Obama administration says the replacement spying systems will be in place by that time. All the metadata collected so far will remain in NSA archives until February 29, and will be purged once the agency is clear of any and all legal action involving the surveillance program.

The daily gulping down of innocent citizens’ phone metadata was revealed by intelligence whistleblower Edward Snowden in 2013 before he fled to Russia from Hawaii via Hong Kong.

Of course, all this applies to US spies spying on US citizens; non-Americans are still fair game for total surveillance by Uncle Sam. And it must be noted: the US government has previously found ways to sneakily access its citizens’ communications metadata from beyond its borders. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/27/nsa_phone_spying_deadline/

Millions of families hit in toymaker VTech hack – including 200,000+ kids

Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker’s database.

And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too.

Chinese electronics giant VTech today admitted its systems were compromised on November 14. Miscreants were able to extract customer records from its Learning Lodge app store, which provides downloads of games, books, music and other stuff for VTech toys. The Hong Kong-based biz specializes in making computer-like gizmos for preschool kids to play with, settling them in for a lifetime of fondleslab smearing and internet addiction.

Computer security bloke Troy Hunt says he has seen a copy of the swiped information, and reckons he found “4.8 million unique customer email addresses,” suggesting that many accounts have been raided by hackers.

He also said people’s account passwords were stored as unsalted MD5 hashes, a particularly weak choice: MD5 is fast, so simple passwords can be brute-forced in seconds, and without a per-user salt identical passwords produce identical digests, so off-the-shelf rainbow tables or a plain wordlist attack will divulge rudimentary passwords like “children15” or “welcome81”.
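As an added illustration, not VTech’s code and not Hunt’s analysis, the Python below builds a small precomputed digest-to-password table from a wordlist (the cheap stand-in for a rainbow table) and runs it over a constructed set of unsalted MD5 digests, then shows the per-user salt and slow KDF (PBKDF2-SHA256 from the standard library) that make such a table useless. The email addresses, digests and wordlist are all made up.

```python
import hashlib
import hmac
import os

# Constructed sample leak (not VTech data): email -> unsalted MD5 hex digest,
# the storage format Hunt reported. Two of the three passwords are weak.
LEAKED = {
    "parent1@example.com": hashlib.md5(b"children15").hexdigest(),
    "parent2@example.com": hashlib.md5(b"welcome81").hexdigest(),
    "parent3@example.com": hashlib.md5(b"c0rrect-h0rse-b4ttery!").hexdigest(),
}

# A tiny made-up wordlist; real attacks use tens of millions of entries.
WORDLIST = ["password", "welcome", "children", "qwerty", "letmein"]


def build_lookup(words, suffixes=range(100)):
    """Precompute digest -> password for each word and word+two-digit suffix.

    This is the cheap stand-in for a rainbow table. One table cracks every
    unsalted MD5 database at once, because md5("welcome81") is the same
    bytes no matter which site stored it.
    """
    table = {}
    for w in words:
        for cand in [w] + [f"{w}{n:02d}" for n in suffixes]:
            table[hashlib.md5(cand.encode()).hexdigest()] = cand
    return table


def crack(leaked, table):
    """Return the subset of accounts whose digest appears in the table."""
    return {email: table[h] for email, h in leaked.items() if h in table}


# The fix: a random per-user salt plus a deliberately slow KDF. PBKDF2-SHA256
# is in the standard library; scrypt or Argon2 are better where available.
def hash_password(password, salt=None, iterations=600_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("cracked:", crack(LEAKED, table))
    # Same password for two users gives two different stored values, so a
    # precomputed table is useless and each guess costs 600k iterations.
    a = hash_password("children15")
    b = hash_password("children15")
    print("salted records differ:", a != b,
          "verify:", verify_password("children15", a))
```

The table here has a few hundred entries and still recovers two of the three accounts; the third survives only because its password is not in the wordlist, not because of anything the storage scheme did. With the salted, iterated scheme an attacker has to run the KDF once per guess per user, which is the whole point.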

Hunt was passed the information by journalist Lorenzo Franceschi-Bicchierai, who says the copied data “also includes the first names, genders and birthdays of more than 200,000 kids.” And by more than 200,000, it looks like 227,000.

The Vice journo earlier alerted the toy company to the database intrusion after he was contacted by hackers who claimed to have broken into the Chinese giant’s systems.

VTech does indeed collect contact information from parents, and their tykes’ names, genders, and dates of birth, when a family creates a Learning Lodge account.

In short, this security breach has revealed that sensitive and private information on nearly five million families was poorly protected from crooks and identity thieves – families in the US, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand, we’re told.

Youtube video of Learning Lodge

The toymaker said in a statement: “Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.”

VTech added it is still investigating the infiltration, and has vowed to shore up its IT defenses. It has also emailed its Learning Lodge customers to warn them of the security breach – here’s a copy sent to El Reg by reader Simon:

Dear Valued Customer,

On November 24 HKT we discovered that an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database on November 14 HKT. Our records show that you are a customer of the Learning Lodge.

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

It is important to note that our customer database does not contain any credit card or banking information. VTech does not process or store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks. Our investigation continues as we look at additional ways to strengthen our Learning Lodge database security.

Yours sincerely,

King F. Pang

Group President

VTech Holdings Limited

VTech was not available for immediate comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/27/vtech_hacked/

When the government really IS here to help with cybersecurity

According to Ronald Reagan, the nine most terrifying words in the English language are: “I’m from the government and I’m here to help.”

Thanks to Edward Snowden, those concerned with security and privacy would probably agree. I’m here to tell you that there is a different side to this story and it’s one that is worth writing about.

Last week, I had the privilege of being invited to a workshop hosted by the Canadian Cyber Incident Response Centre (CCIRC).

The stated mandate of CCIRC is as follows:

In support of Public Safety Canada’s mission to build a safe and resilient Canada, CCIRC contributes to the security and resilience of the vital cyber systems that underpin Canada’s national security, public safety and economic prosperity.

As Canada’s computer security incident response team, CCIRC is Canada’s national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber events. It does this by providing authoritative advice and support, and coordinating information sharing and event response.

Much like many such organizations around the world, CCIRC wants to ensure that Canadian citizens enjoy a free*, secure and safe online experience.

The workshop included individuals from both the public and private sectors and from diverse countries.

The goal of the week was to seek a better understanding of the types and magnitude of online threats faced by Canadians, what tools we might use to combat cyber threats and how the public and private sectors can better co-operate to achieve a safer cyber Canada.

We separated into teams that were tasked with looking at the problems we face in cyberspace from different perspectives. As a security vendor, my team was asked to supplement the available information with data from SophosLabs. If we could somehow enrich the data being gathered by CCIRC to provide additional context and attribution then CCIRC would be in a better position to act on the data.

One such example would be to help CCIRC identify known malicious actors within Canadian cyberspace. Once identified, CCIRC can work with its partners in law enforcement to pursue appropriate action if necessary.

This is how we can clean up cyberspace. We need to work together to identify cybercriminals and provide solid evidence so the justice system can fairly prosecute the offenders.

It starts with cleaning up your own back yard. Sure it’s always nice to look after your own people but by cleaning up Canadian cyberspace we can also make it safer for people around the world to confidently access Canadian systems.

All of this isn’t as easy as one might think. There are a lot of moving parts. It takes a great amount of coordination and care to make it all work smoothly.

This is where all the really talented individuals I met come into the picture. These are people that are passionate about cybersecurity and care deeply about providing a better online experience for all.

So what was accomplished? Existing tools were updated and new tools created. Processes were streamlined and new alliances formed. Cyberdefence got a little stronger in our part of the world and while it’s too early to tell, maybe a few bad guys will get a dose of justice.

Despite the negative press government agencies involved with all things cyber have been getting lately (some richly deserved), this event was anything but negative. The CCIRC and its equivalents around the world are what we imagine governments can and should be.

I, for one, am glad they’re here to help.

*Democratically speaking. You still have to pay your ISP, even in Canada.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/opuWXz7zffs/

Hungryhouse resets thousands of customers’ passwords

Online takeaway service Hungryhouse has reset the passwords of thousands of its customers following an apparent data breach at a third-party hosting company.

Scott Fletcher, chief executive of Hungryhouse, said: “We had no affiliation with the web hosting company that was hit by a data breach. But when our head of security noticed that a number of our customers’ details appeared on the list of emails that had been breached, we took the pre-emptive step of asking them to change their passwords.”

One Hungryhouse customer got in touch with The Register to say he had been told by the fast food folk this morning that 10,000 of its customers had had their passwords reset following the breach.

“They assured me that my card details were OK. I asked if it was the result of a DDoS attack, but the guy didn’t know,” he said.

The outfit told one customer via Twitter this morning: “Hungryhouse have [sic] ourselves re-set a number of customer’s [sic] passwords as a preventative security measure against a 3rd party.”

It is understood Hungryhouse will email customers today with an update.

Customers have also taken to Twitter to complain. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/27/hungryhouse_password_change/

Kids charity hit by server theft

A two-man break-in at the London offices of children’s charity Plan UK has resulted in the theft of five computer servers.

Plan UK has stated that while “the likely motive was to steal the equipment itself, rather than the data … we cannot escape the fact that personal information is also stored on the servers”.

Explaining what data had been compromised, the charity listed “supporter names, addresses, emails, as well as bank account and sort code numbers”.

Neither credit nor debit card details were stored on the servers, and Plan UK claimed “the information obtained by the criminals cannot be used directly to access supporters’ bank accounts”. Whether an account number and sort code alone are enough to commit fraud is widely contested.

Plan UK also stated that “we cannot fully guarantee that there isn’t a slight increased risk of supporters being open to fraud” and encouraged its patrons to be vigilant.

It added it regretted the incident and stated it is “in the process of informing the Information Commissioner”.

A letter has been sent to supporters informing them their data has been compromised.

The Register contacted Plan UK to enquire about its security practices. We have not received a response as of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/27/plan_uk_sever_theft_data_breach/

Which search engine do you trust? [POLL]

For the past three years, we’ve done an annual poll to find out which web browser you trust the most.

We didn’t ask which browser you think is most secure, or which one you use the most in real life. We asked, simply, “Which browser do you trust the most?”

The results were, in a word, interesting. So, here comes a related question…

Which search engine do you trust the most?

In some ways, what you’re trusting in a search engine is different from what you’re trusting in a browser.

For the most part, your browser goes where you tell it.

So, what you want is a browser that won’t crumble if cybercrooks throw dodgy content at it in the hope of taking over your computer.

Also, your browser sees the content of every web form you fill in and every web page you read, so you want a browser vendor that won’t abuse that privileged position.

In contrast, you go where your search engine tells you.

Strictly speaking, search engines only advise you, and then it’s up to you to decide, but that decision is as good as controlled by what your search engine chooses to include and exclude, and the order in which it presents its answers. So you want a search engine that won’t abuse that privileged position.

After all, a link on the first page of results might be a website that has earned a high ranking through quality and trustworthiness. Or it might be little more than a secret ad, its position paid for behind the scenes.

Also, search engines typically learn an awful lot about you over time, based on what you’ve searched for and the results that you subsequently chose.

That means trusting your search engine provider not to sell that information to unreliable third parties, and also to stick up for your privacy if a surveillance agency asks it to hand over that information without due process.

Ironically, of course, the more a search engine knows about you, and the more aggressively it acts on that data, the more useful and likeable you’ll probably find the results. Nevertheless, those may not be the best results if objectivity is important.

In short, as with browsers, the handiest, or fastest, or most usable search engine may not be the one you actually trust the most, for a wide range of reasons.

So… which search engine do you trust the most, and why?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xdGEK7qzptg/

Hackers spray Reader’s Digest stinky feet with exploit kit

Malwarebytes threat analysis man Jerome Segura says compromised Reader’s Digest pages are being used to serve the Angler Exploit kit and trojan backdoors.

Segura says the site was still serving the highly capable threat today as the publisher had not yet responded to his disclosure.

“The attack consists of a malicious script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit,” Segura says.

“Site owners that have been affected should keep in mind that those injected scripts/URLs will vary over time, although they are all using the same pattern.

“The website of popular magazine Reader’s Digest is one of the victims of this campaign and people who have visited the portal recently should make sure they have not been infected.

Attackers infected the article “9 Home Remedies for Foot Odor That Are Shockingly Effective” but could have targeted other pages visited by the site’s three million readers a month.

Angler dropped the Bedep malware, which in turn fetched the Necurs backdoor; the final payload could change if the attackers decide to tweak the campaign.

“We hope that by making this public we will raise awareness and prevent unnecessary infections.”
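A check for the injection pattern Segura describes, as an added example that is not Malwarebytes’ or Reader’s Digest’s code: given a saved copy of a page from the WordPress site, list every script tag whose src points at a host outside the site’s own allowlist, and every inline script that uses the eval/unescape/fromCharCode idioms injected loaders lean on. The sample page, hostnames and allowlist are constructed; the real injected URLs vary over time, as the text says, so the check keys on where a script comes from and how it is written rather than on any particular URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Idioms legitimate theme/plugin code rarely needs but injected loaders use.
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode", re.I)
# One very long literal of "safe" characters: an encoded payload.
LONG_LITERAL = re.compile(r"""['"][A-Za-z0-9+/=%\\x]{200,}['"]""")


def find_suspect_scripts(html, allowed_hosts):
    """Return {"external": [...], "inline": [...]} for one saved page.

    allowed_hosts is the site's own host plus CDNs it knowingly uses.
    A src with no host is same-origin and treated as allowed.
    """
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    external = []
    for src in p.external:
        host = urlsplit(src).netloc.lower()
        if host and host not in allowed_hosts:
            external.append(src)
    inline = [body for body in p.inline
              if OBFUSCATION.search(body) or LONG_LITERAL.search(body)]
    return {"external": external, "inline": inline}


# Constructed page: two legitimate scripts, one benign inline block, and one
# injected loader of each kind. Hostnames are invented, not the campaign's.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.legit-ads.example/ads.js"></script>
<script>var wpEmoji = {"baseUrl": "/wp-includes/images/"};</script>
<script src="//stats-counter.injected.test/loader.php?id=42"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
</head><body><h1>9 Home Remedies</h1></body></html>"""

ALLOWED = {"www.rd.example", "cdn.legit-ads.example"}

if __name__ == "__main__":
    report = find_suspect_scripts(SAMPLE_PAGE, ALLOWED)
    for src in report["external"]:
        print("external script from unknown host:", src)
    for body in report["inline"]:
        print("suspicious inline script:", body.strip()[:60])
```

Run it over every page the site renders (or over the theme and plugin PHP files that emit the markup) and diff the result against a known-good baseline; a new external host or a new eval-wrapped blob is the thing to chase. The heuristics are deliberately simple and will flag some legitimate minified code, so treat a hit as a lead, not a verdict.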

Feature: Malware menaces poison ads as Google, Yahoo! look away.

Malvertising, a separate threat, is one of the worst online threats to end users because it is completely stealthy and, when the exploit kit behind it carries a zero-day, can hit even users who keep their software up to date.

Advertising networks have shied away from addressing the problem.

It is allowed to prosper because advertising networks do not vet the security of ads or ad buyers, and websites are willing to accept and display the untrusted content for revenue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/27/malvertisers_spray_readers_digest_stinky_feet_with_exploit_kit/

Mr Grey, the Russian hacker who helped haul in 1.2 billion logins

The FBI has linked a hacker said to be in part behind the plundering of 1.2 billion credentials from some 420,000 websites to the handle “Mr Grey”.

The hack, as reported by The Register, could be one of the biggest data theft hauls in history.

The US agency linked the hacker to the handle using open source data including email addresses posted to Russian crime forums and domain data.

Mr Grey, part of a group dubbed CyberVor, is said to have used those boards to offer for sale information on any social media account, including Facebook, Twitter, and Russia’s VK, Reuters reports.

The papers, released by a court in Milwaukee, Wisconsin, show Mr Grey offered account information for sale in 2011.

US police agencies did not comment on Grey.

The theft was revealed by Hold Security who at the time said attackers used bot-infected computers to find the 420,000 websites that were each vulnerable to SQL injection attacks.

The unnamed sites were flagged up to the malware’s masters who then returned to harvest sensitive data from vulnerable servers.
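The SQL injection probing described above, as an added example that is not from the Hold Security report or from any affected site: a constructed SQLite users table, a lookup built by string concatenation beside its parameterised form, and the two cheapest probes a scanning bot sends (a tautology and a lone quote). The table, emails and hash placeholders are invented.

```python
import sqlite3


# Constructed stand-in for a small site's login table, not any real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    db.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"),
         ("bob@example.com", "hash-b"),
         ("carol@example.com", "hash-c")],
    )
    return db


def lookup_vulnerable(db, email):
    # The bug the bots were hunting: user input spliced into the SQL text.
    sql = f"SELECT email, password_hash FROM users WHERE email = '{email}'"
    return db.execute(sql).fetchall()


def lookup_fixed(db, email):
    # The fix: the value is bound as a parameter and can never become SQL.
    return db.execute(
        "SELECT email, password_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


TAUTOLOGY = "x' OR '1'='1"   # true for every row if spliced into the query
LONE_QUOTE = "'"             # breaks the statement if spliced into the query


def tautology_probe(db, lookup):
    """True if the probe returns more rows than a literal lookup would."""
    return len(lookup(db, TAUTOLOGY)) > len(lookup(db, "alice@example.com"))


def error_probe(db, lookup):
    """True if a lone quote makes the database choke, the other classic tell."""
    try:
        lookup(db, LONE_QUOTE)
        return False
    except sqlite3.OperationalError:
        return True


def is_injectable(db, lookup):
    return tautology_probe(db, lookup) or error_probe(db, lookup)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", is_injectable(db, lookup_vulnerable))  # True
    print("fixed:     ", is_injectable(db, lookup_fixed))       # False
    # What the bots' masters came back for: the whole table in one query.
    print(lookup_vulnerable(db, TAUTOLOGY))
```

The tautology alone dumps every row of the table through a query that was meant to return one; a real harvester would go on to walk other tables with UNION SELECT, which the parameterised version makes impossible because the bound value is never parsed as SQL.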

The south central Russian group hauled in a staggering 4.5 billion credentials, whittled down to 1.2 billion pairs when duplicates were removed. There were 542 million unique email addresses among the cropped cache.

Hacked websites ranged from household names to small businesses located all over the world. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/27/mr_grey_the_russian_hacker_who_helped_haul_in_12_billion_logins/

HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking

More than 26,000 Cisco devices sold by Australia’s dominant telco Telstra are open to man-in-the-middle attacks on their management interfaces via SSH host keys and HTTPS certificates hardcoded into the firmware.

The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos.

Cisco warns that miscreants who get hold of the certificates and their private keys can decrypt web traffic to a router’s built-in HTTPS web server via man-in-the-middle attacks. The web server is provided so people can configure devices from their browsers. The decrypted traffic will reveal usernames, passwords, and other sensitive information.

The devices’ firmware also includes hardwired SSH host keys. Those keys do not by themselves log an attacker in, but anyone who extracts the private half can impersonate the device’s SSH service to an administrator, or sit in the middle of an SSH management session and capture or relay the credentials used in it, and from there take control of the product.

Cisco lists no patches or workarounds for the security blunder, which potentially affects millions of users. In practice the exposure can be cut by keeping the routers’ SSH and HTTPS management interfaces off untrusted networks: firewall them so they are reachable only from an administration LAN or VPN.

Telstra has been contacted for comment.

The telco is by no means alone and appears to be one of the least impacted: US outfit CenturyLink has the HTTPS remote administration service exposed on half a million of its subscriber devices, while Mexican telco TELMEX has the same flaw affecting a million customers.

Cisco says 25 of its products are affected including WAN routers, firewalls, cameras, and switches. Here’s how Cisco explains the SNAFU:

A vulnerability (CVE-2015-6358) in the cryptographic implementation of multiple Cisco products could allow an unauthenticated, remote attacker to make use of hard-coded certificate and keys embedded within the firmware of the affected device.

The vulnerability is due to the lack of unique key and certificate generation within affected appliances. An attacker could exploit this vulnerability by using the static information to conduct man-in-the-middle attacks to decrypt confidential information on user connections.

This is an attack on the client attempting to access the device and does not compromise the device itself. To exploit the issue, an attacker needs not only the public and private key pair but also a privileged position in the network that would allow him or her to monitor the traffic between client and server, intercept the traffic, and modify or inject its own traffic. There are no workarounds that address this vulnerability.

Cisco has not released software updates that address this vulnerability.

Cisco has released neither patches nor workarounds, so every user of the affected products is exposed.
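A fleet check for the shared-key problem, as an added example that is not Cisco’s, Telstra’s or Sec Consult’s tooling: compute the OpenSSH-style SHA-256 fingerprint of each device’s SSH host key and the SHA-256 fingerprint of each device’s HTTPS certificate, then report any fingerprint seen on more than one device. The inventory below is constructed (the blobs are arbitrary bytes, not real keys or certificates); in practice you would fill it from `ssh-keyscan -t rsa <host>` and `openssl s_client -connect <host>:443 -showcerts` run from the management network.

```python
import base64
import hashlib
import re
from collections import defaultdict


def ssh_fingerprint(keyline):
    """Fingerprint of a host key line, as `ssh-keygen -lf` prints it.

    Accepts ssh-keyscan output ("host type blob") or a bare "type blob" line.
    OpenSSH defines the fingerprint as SHA-256 over the raw key blob,
    base64-encoded with the '=' padding removed.
    """
    tokens = keyline.split()
    if not tokens[0].startswith(("ssh-", "ecdsa-", "sk-")):
        tokens = tokens[1:]            # drop the hostname ssh-keyscan prefixes
    blob = base64.b64decode(tokens[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def tls_fingerprint(pem):
    """SHA-256 over the certificate's DER bytes: the value
    `openssl x509 -noout -fingerprint -sha256` prints, minus the colons."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def find_shared(inventory):
    """Map each fingerprint seen on more than one device to those devices."""
    groups = {"ssh": defaultdict(list), "tls": defaultdict(list)}
    for device, creds in inventory.items():
        groups["ssh"][ssh_fingerprint(creds["ssh"])].append(device)
        groups["tls"][tls_fingerprint(creds["tls"])].append(device)
    return {kind: {fp: sorted(devs) for fp, devs in g.items() if len(devs) > 1}
            for kind, g in groups.items()}


# Constructed inventory. The blobs are arbitrary bytes standing in for key
# material; fingerprinting only cares that identical bytes hash alike.
def _blob(seed):
    return base64.b64encode(seed).decode()


SHARED_KEY = _blob(b"host key baked into the firmware image, identical on every unit")
UNIQUE_KEY = _blob(b"host key generated on this unit at first boot")
SHARED_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + _blob(b"factory certificate shared by the product line")
               + "\n-----END CERTIFICATE-----\n")
UNIQUE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + _blob(b"certificate issued to this one device")
               + "\n-----END CERTIFICATE-----\n")

INVENTORY = {
    "router-01": {"ssh": f"10.0.0.1 ssh-rsa {SHARED_KEY}", "tls": SHARED_CERT},
    "router-02": {"ssh": f"10.0.0.2 ssh-rsa {SHARED_KEY}", "tls": SHARED_CERT},
    "router-03": {"ssh": f"10.0.0.3 ssh-rsa {SHARED_KEY}", "tls": SHARED_CERT},
    "router-04": {"ssh": f"ssh-rsa {UNIQUE_KEY}", "tls": UNIQUE_CERT},
}

if __name__ == "__main__":
    for kind, hits in find_shared(INVENTORY).items():
        for fp, devices in hits.items():
            print(f"{kind} {fp} shared by {', '.join(devices)}")
```

Any group of two or more devices here is a finding even before the vendor confirms anything: a host key or server certificate that appears on more than one box cannot have been generated on the box, so whoever has the firmware image has the private key. The same comparison against Sec Consult’s published fingerprints tells you whether your units are among the ones already catalogued.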

ZTE has assigned CVE-2015-7255, Unify CVE-2015-8251, ZyXEL CVE-2015-7256, and Technicolor has issued CVE-2015-7276 for their flaws. There appear to be no CVEs or advisories from other vendors.

Sec Consult senior security consultant Stefan Viehböck found nearly a million devices from various vendors using shared keys, possibly thanks to OEM or white-box manufacturing, or to stolen or reused code. Huawei, Zhone, ZTE, and ZyXEL are among those implicated.

The platforms from Cisco, Huawei, ZTE, General Electric, and Ubiquiti Networks are among those from 10 confirmed vendors that share a pool of about 230 unique private keys.

All told, up to 43 vendors could be affected, including Motorola, Linksys, TP-LINK, Seagate, Vodafone, Deutsche Telekom, and Alcatel-Lucent.

Knowledge of the keys would allow attackers to intercept traffic, create trusted phishing pages, or foist malicious updates to users.

Criminals will largely need to be on the same network as targets such as at public wifi spots, however.

The US is the hardest-hit country, followed by Mexico and Brazil. Britain makes it in tenth spot while Australia is not on the list.

Carnegie Mellon’s computer emergency response team says it does not know of a “practical solution” for the flaws. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/27/nine_percent_of_encrypted_traffic_open_to_hijack_from_shared_keys/
