STE WILLIAMS

How good will your passwords be this Black Friday?

Black Friday is coming up on 27 November 2015, and with it the start of the busiest part of the retail season in the US.

Indeed, the name is said to come from the fact that on the Friday after US Thanksgiving (the fourth Thursday in November), retailers do so much trade that they get “into the black,” covering their costs for the year to date.

In theory, then, that leaves the rest of the holiday season, heading towards Christmas, to pile on the profit.

What that means is a lot of people shopping, both at the mall and on the net.

To extend the fun beyond the Thanksgiving holiday, there’s also Cyber Monday, which is your online chance to snap up the bargains you missed over the weekend.

And lots of people shopping online means lots of passwords being entered on e-commerce sites, lots of forgotten passwords being reset, and lots of new accounts being created…

…often in a bit of a hurry.

WHAT IF YOU CUT CORNERS?

So, what happens if you cut corners, or are just feeling uninventive, and enter a short or easily-guessed password by mistake?

How hard will the average website try when it comes to protecting you from yourself?

For example, if you accidentally just press [Enter] and choose a blank password by mistake, will the website allow it?

Almost certainly not.

But what if you do the next worst thing and choose a very obvious password, such as 12345678 or baseball, or a very short one, like XYZZY?

It’s easy enough for a website to warn you if you make a truly awful choice, but a retail season survey by password manager company Dashlane suggests that even that doesn’t always happen.

The company claims that 56% of e-commerce sites it surveyed “allow users to have a password less than eight characters long.”

And 32% allowed users to choose passwords from a super-obvious list of ten passwords that come right at the top of any password cracker’s list:

password
123456
12345678
abc123
qwerty
monkey
letmein
dragon
111111
baseball

Dashlane also claims to have tested how many times a website will let you guess incorrectly before taking some sort of action to shut down or limit the speed of further guessing.

Apparently, 36% of e-commerce sites “allowed 10 or more repeated logins without any secure measures being deployed.”
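The two gates Dashlane measured, a minimum length and a deny-list of the most common choices, plus the login throttling it found missing on 36% of sites, as an added example in Python. This is not code from the article or from Dashlane; the lockout policy (5 failures in 15 minutes), the account names and the simulated guesses are assumptions made for the demo.

```python
import time
from collections import defaultdict
from typing import Optional

# The ten passwords quoted in the article, stored in lowercase.
TOP_TEN = {
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "dragon", "111111", "baseball",
}
MIN_LENGTH = 8


def password_rejection(pw: str) -> Optional[str]:
    """Return why a new password is refused, or None if it passes.
    Only the two gates the survey measured: a minimum length and a deny-list.
    Passing this check says nothing about the password being *good*."""
    if not pw:
        return "empty"
    if len(pw) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    if pw.lower() in TOP_TEN:
        return "on the common-password deny-list"
    return None


class LoginThrottle:
    """Per-account failed-login counter with a lockout window.
    Assumed policy (not from the article): 5 failures inside 15 minutes
    lock the account for 15 minutes; a successful login clears the count.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, window_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock
        self._failures = defaultdict(list)  # account -> failure timestamps
        self._locked_until = {}             # account -> clock value

    def is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0.0) > self.clock()

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"  # refuse before looking at the password at all
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures[account] if t > now - self.window_s]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._failures.pop(account, None)
            self._locked_until[account] = now + self.window_s
            return "locked"
        self._failures[account] = recent
        return "denied"


def simulate_guessing(account: str, real_password: str, guesses, throttle=None):
    """Run a list of guesses (e.g. the top-ten list) through the throttle."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(account, g == real_password) for g in guesses]


if __name__ == "__main__":
    for pw in ["", "XYZZY", "Baseball", "aYTLZM5kp20vt9KO"]:
        print(repr(pw), "->", password_rejection(pw) or "accepted")
    print(simulate_guessing("alice", "correct horse", sorted(TOP_TEN)))
```

A hard per-account lockout is the simplest thing that stops the ten-guess run the survey describes, but it also hands an attacker a denial-of-service lever: five wrong guesses lock the real owner out too. In production pair it with per-source-address throttling or a progressive delay, and keep the deny-list far larger than ten entries.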

This just reinforces (or re-reinforces, or perhaps re-re-reinforces) the importance of learning how to Pick Proper Passwords.

After all, even if a website stops you making gratuitously bad choices, it may nevertheless let you get away with mediocre or average passwords.

Indeed, many websites (and some companies) try to define randomness, for example by having rules such as “you can’t have a password without a punctuation mark,” even if you chose aYTLZM5kp20vt9KO.

Ironically, that string is an encoding of about 95 bits’ worth of data straight from my Mac’s high-quality random number generator, making it a 1-in-10,000 million million million million choice.

Artificial complexity means that PassWord99! might pass muster, and be considered strong enough, even though a password cracking algorithm would try it long before it got to aYTLZM5kp20vt9KO, or even to the less orderly WordP9!9ass.
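The mismatch between a "must contain punctuation" rule and a cracker's actual search order, as an added example (not the article's code). The complexity rule, the toy wordlist, the assumed wordlist size of 100,000 entries and the guess-cost model are all assumptions made here; the three passwords are the ones named above, plus the r0ver/rover99 variants mentioned further down.

```python
import math
import string

# Toy stand-in for a cracker's wordlist; only used to *recognise* words.
WORDLIST = {"password", "baseball", "monkey", "dragon", "letmein", "rover", "word"}
DICT_SIZE = 100_000                            # assumed size of the attacker's real list
LEET = str.maketrans("013457@$", "oieastas")   # undo common substitutions
PUNCT = string.punctuation                     # 32 characters


def has(pw, pred):
    return any(pred(c) for c in pw)


def naive_complexity_ok(pw: str) -> bool:
    """The usual 'upper + lower + digit + punctuation, 8 or more' rule."""
    return (len(pw) >= 8 and has(pw, str.islower) and has(pw, str.isupper)
            and has(pw, str.isdigit) and has(pw, PUNCT.__contains__))


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace an attacker who knows only which character
    classes are present must cover: alphabet_size ** length."""
    alphabet = (26 * has(pw, str.islower) + 26 * has(pw, str.isupper)
                + 10 * has(pw, str.isdigit) + len(PUNCT) * has(pw, PUNCT.__contains__))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def mangled_word_bits(pw: str):
    """Cost for a rule-based cracker if pw is 'dictionary word, maybe with
    leet substitutions, plus trailing digits/punctuation': wordlist size x
    case patterns x digit suffix x punctuation suffix.  None if no match.
    Counting 2**len(stem) case patterns is generous to the password; real
    rule sets try only a handful (lower, Capitalised, UPPER, ...)."""
    stem = pw.rstrip(string.digits + PUNCT)
    if stem.translate(LEET).lower() not in WORDLIST:
        return None
    suffix = pw[len(stem):]
    digits = sum(c.isdigit() for c in suffix)
    puncts = len(suffix) - digits
    return (math.log2(DICT_SIZE) + len(stem)
            + digits * math.log2(10) + puncts * math.log2(len(PUNCT)))


def guess_bits(pw: str) -> float:
    """An attacker takes the cheaper route; report that."""
    word = mangled_word_bits(pw)
    brute = brute_force_bits(pw)
    return brute if word is None else min(word, brute)


if __name__ == "__main__":
    for pw in ["PassWord99!", "WordP9!9ass", "aYTLZM5kp20vt9KO", "rover99", "r0ver"]:
        print("%-18s rule says %-5s  ~%5.1f bits to guess"
              % (pw, naive_complexity_ok(pw), guess_bits(pw)))
```

Run it and the rule passes PassWord99! and fails aYTLZM5kp20vt9KO, while the cost model puts them in the opposite order: the dictionary route reaches PassWord99! in the mid-thirty-bit range, the less orderly WordP9!9ass has to be brute-forced at about 72 bits, and the random string sits at about 95 bits, matching the figure above. Anything that enforces the rule but not the cost is measuring the wrong thing.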

Other websites or services won’t let you have more than, say, 16 characters (Microsoft Outlook.com and Google Android both do this), so you can’t use a long phrase like algorithms get you only so far and then it’s up to intelligence, even if that’s what you want.

FIGHT YOUR OWN PASSWORD BATTLES

In short, if a website tells you your password is weak, it probably is; but when it comes to creating passwords that are strong, you need to fight your own battles.

Keep our advice in mind:

1. Make your passwords hard to guess.

Avoid using details that are easy for other people to figure out, such as birthdays, nicknames, the names of your pets, songs or bands you like, and so on.

And don’t rely on trivial alterations, such as writing your dog’s name as r0ver or rover99, because password guessing programs try modifications of that sort early on.

2. Go as long and complex as you can.

If you add one letter (from A-Z) to a 10-character password, you make it just 10% longer to type and remember, but 26 times as hard to guess by brute force, because every extra position multiplies the number of candidates an attacker has to try.

Choose the extra letter from A-Za-z instead and it becomes 52 times as hard.

You can also hinder password guessing programs by switching between lOWer and UppERCase letters, adding in d29igits and mixing in punc/;tua#tion characters.

But as we mentioned above, watch out for “predictable complexity” such as always and uninventively appending a question mark to comply with “must have punctuation” rules, or switching l3tt3r5 1nt0 d1g1t5 using only simple substitutions.

Some people prefer to pick multiple, unrelated words, like the famous XKCD password correcthorsebatterystaple, finding very long passphrases easier to remember and even to type.

But not all websites and services allow long phrases like this, and many insist that you mIX 1n o//ther characters anyway, regardless of your passphrase length.

3. Consider using a password manager.

Password managers can generate long and complex passwords on demand.

They can also automatically type them in for you at the right time, and can stop you from putting the password for site X into imposter site Y by mistake.

Password managers can also help you comply with the common rules that many websites impose, such as mixing in different types of character unpredictably. (A password manager can remember co*;m+@9-9$plicated as easily as it can remember c0mplic4ted!)

Just make sure you have a really strong password for the password manager itself, or else a crook could get hold of all your passwords at once.

4. One account, one password.

Use a unique password for each account: crooks who acquire one of your passwords will almost always try that password on all the other online services you use, just in case it lets them in.

Avoid using an obvious pattern, such as a common string of characters followed by, say, -FA for Facebook, -TW for Twitter, and so on.

If you can’t think up and remember unique passwords easily, use a password manager to do the hard work for you.

Don’t be the low-hanging password fruit this retail season.

To help you be more secure, now and into next year, here is a short and straight-talking video that goes through the points above:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

And once you’ve watched our tutorial video, here’s a short but funny video you can show to your IT guys if they have password “complexity rules” that really are just too darn’ hard:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

🙂 Enjoyed this one? Watch more Dave Malarky videos!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6AHo55HfB_c/

British duo arrested for running malware encryption service

Two British suspects have been arrested, accused of running refud.me, a site that virus writers (VXers) used to make their malware evade antivirus.

The National Crime Agency says the suspects from Colchester, Essex have been bailed until February next year.

The pair operated the refud.me service, which let VXers scan their malware against antivirus engines for free, and made money selling encryption (“crypting”) services on top.

Punters paid US$20 or US$100 a month for the Cryptex crypting services, depending on licence conditions.

Operators, one known as Killamuvz, sold the service under the guise of a service for developers to protect their code.

It is clear from forum posts that the service was being enjoyed by the malware-writing industry which requires crypters to evade security software and reverse-engineering by malware analysts.

Those customers are now fretting, with some urging fellow users to DBAN (Darik’s Boot and Nuke) their machines ahead of expected police raids. Here’s a sample of the chatter among former users:

” Damn I smell a fed raid, that is usually what happens when the NCA joins in. Former clients are raided. I would be wiping my hard drive RIGHT NOW. Will save you a lot of court $$$. All former Cryptex clients WIPE YOUR DRIVES NOW!!”

Forum members plugged the skill and professionalism of the coders. Unconfirmed comments claimed the pair were married.

Trend Micro, which partnered in the bust, says the encrypting tool had undergone “several major updates” since it was first sold October 2011.

“These tools saw frequent version updates to counteract new improvements in antivirus engines,” company researchers say.

“The current major iteration of the Cryptex toolkit is entitled “Cryptex Reborn” which was first advertised in September 2014.”

Many other similar crypters are still in operation. DarkEye is actively being sold for up to US$300 a month.

That software encrypts a customer’s malware with an encryption algorithm and wraps the result in a loader. A static scanner then sees only the loader and an opaque encrypted blob; when a victim runs the file, the loader decrypts the malware and hands control to the now-cleartext payload.

“Any software developer wanting to protect his code properly” needs the service, the author wrote on the DarkEye shop page. ®
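A defender-side check for the technique described above, as an added example (not code from refud.me, Cryptex or DarkEye, and no crypter is reproduced here): whatever cipher the crypter used, its output looks like a small low-entropy loader followed by a blob near 8 bits per byte, and a per-chunk entropy scan picks that up. The sample "binary" and the keystream XOR below are constructed stand-ins, not a real executable or a real crypter.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, chunk: int = 1024, threshold: float = 7.0):
    """Return [(offset, entropy)] for every chunk at or above the threshold.
    Encrypted or compressed data sits near 8 bits/byte; x86 code is usually
    5-6.5 and text 4-5, so a region this far up is worth a closer look."""
    hits = []
    for off in range(0, len(data), chunk):
        ent = shannon_entropy(data[off:off + chunk])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def keystream_xor(payload: bytes, seed: int) -> bytes:
    """Stand-in for the crypter's cipher: XOR with a PRNG keystream.  Not a
    real cipher; it only has to make the output statistically uniform,
    which is exactly the property the scan above reacts to."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in payload)


# Constructed sample data: a 1 KiB text-heavy "stub" and a 2 KiB plaintext payload.
STUB = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 12).ljust(1024, b"\x00")
PAYLOAD = (b'int main(void) { puts("hello"); return 0; }\n' * 47)[:2048]


def build_sample(seed: int = 7) -> bytes:
    """Constructed 'crypted binary': low-entropy loader stub followed by the
    encrypted payload.  Not a real executable."""
    return STUB + keystream_xor(PAYLOAD, seed)


def scan_file(path: str, **kw):
    """Same scan over a file on disk."""
    with open(path, "rb") as fh:
        return high_entropy_regions(fh.read(), **kw)


if __name__ == "__main__":
    print("plain payload:", high_entropy_regions(PAYLOAD))     # nothing flagged
    print("crypted sample:", high_entropy_regions(build_sample()))  # the two encrypted chunks
```

The check is cheap and cipher-agnostic, which is why crypter authors have to keep changing the stub rather than the cipher. It also fires on legitimately compressed or signed data, so treat a hit as a reason to look closer (section names, imports, whether the high-entropy region is marked executable), not as a verdict on its own.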


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/refudme_anti_antivirus/

Video malvertising campaign lasted 12 hours? Try two months

A malvertising campaign exploiting online videos to fling poison at netizens actually lasted for two months rather than the 12 hours previously reported, according to new research which suggested the previously unfavoured medium may be ripe for exploitation.

Contrary to The Media Trust‘s report that a video malvertising campaign hit “some of the largest, most heavily trafficked sites for more than 12 hours”, an investigation by malvertising monitors ClarityAd discovered it had actually been ongoing for two months.

Two security experts who have analysed the vector extensively stated that the duration of the mischief suggested the industry needed to put much more effort into dealing with the new threat of video advertising malware.

ClarityAd’s CTO and co-founder, Jerome Dang, as well as Malwarebytes’ senior security researcher, Jérôme Segura, stated that “the main bad actor” in the two-month campaign was the domain BrtMedia.net, in their in-depth analysis of the miscreant’s methods.

To date malvertising has mostly targeted “display” advertisements, whether they be based on patch-addicted Flash or images with some nasties embedded.

Video advertising has been a less exploited medium, thanks to the relative safety of the declarative XML that describes a video ad compared with the JavaScript that drives display ads, and to the much higher cost of running a video campaign.

That there is, as ad firms claim, so little unsold advertising inventory in the video advertising world additionally means that the sales environment is handled far more manually. This is in stark contrast to the ecology of display advertisements, where the business need to monetise has weakened the controls which may be expected to prevent less-committed malicious actors from succeeding.

However, video’s XML format, VAST (Video Ad Serving Template), proved insufficient for advertisers, who demanded an extension that could execute code inside advertisements. That led to VPAID (Video Player Ad-Serving Interface Definition), a specification released by the Interactive Advertising Bureau. It was this that made video malvertising campaigns feasible.

Route of all evil

Businesses’ anxiety about protecting their revenue seemingly demands the frequent obfuscation of VPAID Flash files, “maybe in the hope of protecting some trade secret”, suggested the researchers. In doing so they “completely ruined the security model originally thought out with VAST.”

Subsequently, the advertising ecology from Real Time Bidding (RTB) which has allowed a torrent of poison in display ads, was exported to the video advertising market.

Programmatic advertisements now account for 39 per cent of that market according to a recent study by eMarketer.

The result is that: “Publishers now have no idea who serves what ads on their websites, making it virtually impossible to police for compliance and security – unless they rely on dedicated audit and scanning technology.”

BrtMedia’s campaign ran as a VPAID video advertisement on Facebook’s LiveRail “Monetization Platform for Publishers” from early September, and was most recently seen in early November. LiveRail’s RTB exchange runs the bidding on the client side, meaning that regardless of the result of the auction the malicious domain will show up in browser logs.

If the bid is indeed won, “the website’s video player parses the ad’s XML and executes the VPAID code (bidder.swf).”

Unlike an ad confined to an iframe, VPAID gives the creative direct access to the host page’s DOM, where BrtMedia’s JavaScript performs four naughty tricks, as the researchers explained:

  • First it attempts to open a pop-up window to a fake Flash update URL at browsersafeupdate[dot]com. It also loops through each link on the page, and for each of them it assesses a 1 per cent chance of replacing it with the same malicious URL. From a visitor’s perspective, it looks as if the website itself is sending you to a malicious page!
  • Secondly, the Javascript also loops through all ad formats on the page and replaces them with its own ads (amazon affiliation links).
  • Thirdly, when the ad format is 300×250, it instead bootstraps a whole video player, looping through video ads on the same ad platform that it used to get to the page in the first place.
  • Finally, BrtMedia also injects whole bogus websites on the page (i.e. turkey sandwich recipes), to profit from fake video ads traffic. This is done via a hidden iframe at http://trk.brtmedia.net/r/.
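The distinction drawn above between VAST, which only describes media, and VPAID, which hands the player code to execute (bidder.swf in this campaign), can be enforced before the player runs anything: walk the VAST response and flag every MediaFile that is a VPAID creative or an executable type served from a host the publisher has not approved. An added example in Python, not code from ClarityAd, Malwarebytes or LiveRail; the VAST document is constructed for the demo (only brtmedia.net and bidder.swf come from the article, the other hosts are placeholders), and the allow-list is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed VAST 3.0 response (not captured traffic).  Only brtmedia.net
# and bidder.swf come from the article; the other hosts are placeholders.
SAMPLE_VAST = b"""<?xml version="1.0" encoding="UTF-8"?>
<VAST version="3.0">
  <Ad id="wrapper-1">
    <Wrapper>
      <AdSystem>exchange.example</AdSystem>
      <VASTAdTagURI><![CDATA[https://exchange.example/vast?bid=42]]></VASTAdTagURI>
    </Wrapper>
  </Ad>
  <Ad id="inline-1">
    <InLine>
      <AdSystem>brtmedia</AdSystem>
      <Creatives><Creative><Linear><MediaFiles>
        <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
          <![CDATA[https://cdn.example/spot.mp4]]>
        </MediaFile>
        <MediaFile delivery="progressive" type="application/x-shockwave-flash"
                   apiFramework="VPAID" width="640" height="360">
          <![CDATA[http://trk.brtmedia.net/bidder.swf]]>
        </MediaFile>
      </MediaFiles></Linear></Creative></Creatives>
    </InLine>
  </Ad>
</VAST>"""

# MIME types a player hands to a code interpreter rather than a media decoder.
EXECUTABLE_TYPES = {"application/x-shockwave-flash", "application/javascript",
                    "text/javascript", "application/x-javascript"}


def _host(text):
    return urlparse((text or "").strip()).hostname


def audit_vast(xml_bytes: bytes, allowed_hosts):
    """Walk every <Ad>; report wrapper redirects and executable creatives.
    Each finding is (ad id, kind, host, allowed): kind 'wrapper' for a
    VASTAdTagURI (another server will be asked for the real ad) or 'vpaid'
    for a MediaFile the player would execute rather than decode."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for ad in root.iter("Ad"):
        ad_id = ad.get("id", "?")
        for tag in ad.iter("VASTAdTagURI"):
            host = _host(tag.text)
            findings.append((ad_id, "wrapper", host, host in allowed_hosts))
        for mf in ad.iter("MediaFile"):
            runs_code = (mf.get("apiFramework", "").upper() == "VPAID"
                         or mf.get("type", "").lower() in EXECUTABLE_TYPES)
            if runs_code:
                host = _host(mf.text)
                findings.append((ad_id, "vpaid", host, host in allowed_hosts))
    return findings


def should_block(findings):
    """Refuse the response if any code would come from an unapproved host.
    Plain media from unknown CDNs is left to other checks."""
    return [f for f in findings if f[1] == "vpaid" and not f[3]]


if __name__ == "__main__":
    findings = audit_vast(SAMPLE_VAST, {"exchange.example", "ads.example"})
    for f in findings:
        print(f)
    print("block:", should_block(findings))
```

Because a VPAID creative is opaque code (here an obfuscated SWF), the only thing a publisher can decide on statically is who served it, which is why the check is host-based; wrapper redirects are reported too, since each one is another party that can swap the creative after the auction. The stdlib parser keeps the example dependency-free; for ad XML fetched from third parties, parse with defusedxml instead.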

The Register has attempted to contact LiveRail regarding the platform’s use in this campaign but has not received a response at the time of publication. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/video_malware_advertising/

Parsing What Is ‘Reasonable’ In Security, Post FTC v Wyndham

In today’s regulatory climate, companies can no longer depend on technology solutions alone, for example SIEM, to protect corporate data and customer privacy. Here’s why.

To comply with major regulations from the FTC to SOX, we all know there is a requirement that you have “reasonable security.” But a lot of people look at that and ask, “What does that mean?” For a long time in the eyes of the law, it has meant that you do what a reasonable person would do if he were in your shoes. While every security professional you ask will have a different opinion as to what “reasonable” means, I think most competent security professionals will agree in principle as to what has to be done. The challenge is that the approach to getting it done will vary.

One of the requirements that has been illustrated in case after case – including the FTC complaint against Wyndham – is that you must log access and events on your systems. After all, it is reasonable that you know what is happening or not happening in your own environment. Logging is not enough, though, because there is also a requirement (particularly in the aftermath of Wyndham) that the logs and events get analyzed in some manner, and this is where the security information and event management (SIEM) solution comes into play.

When clients come to me to help them with a compliance issue, I always tell them that it takes three things to solve the problem: technology, process, and people. Usually one of the three is a more prominent part of the solution, and with SIEM, most people believe it’s a technology issue. While I agree the technology is important, I believe the people are the most important part of the solution.

Technology
Every security expert has a flavor of technologies that they like and recommend, and there are some good ones (and then there are some terrible ones). However, the entry price for a SIEM is much higher than most clients expect at the outset. Most companies do not factor in the total cost of ownership of a SIEM product, and as a result it becomes a tool that only gets partially implemented and never used. Typically that is because it has some data, but not all the data it needs to work as designed.

My favorite client question is, “Can we exclude data to keep our licensing costs down?” to which I answer, “Yes, but then you don’t have a complete solution, which will eventually bring you back around to the question of whether this is a reasonable implementation.”

Processes
You have to look at the solution holistically and not implement the SIEM solution with the architecture you have. Rather, consider this an opportunity to fix some of your infrastructure as you are doing the implementation and bring other areas up to best-practice standards. Good IT hygiene (which, by the way, is a fancy new phrase that means “get the basics right”) goes a long way for security. An important rule to keep in mind is to have distinct accounts for administrators that are used exclusively for administering, and then having user accounts the administrators can use to do everything else. Not only is this a good practice in general, but it will also simplify the data when you are implementing your SIEM.
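One concrete way the admin/user account split pays off once the events reach the SIEM, as an added example (not the author's code): when the split is enforced by a naming convention, two short rules catch both an admin account being used for ordinary work and an ordinary account doing admin work, with no lookup against a directory or HR system. The "adm-" prefix, the CSV event shape and the events themselves are constructed for the demo.

```python
import csv
import io

# Constructed logon events in a Windows 4624-like shape (not real logs).
# logon_type: 2 console, 3 network, 5 service, 10 remote desktop.
SAMPLE_LOG = """time,user,host,host_role,logon_type
2015-11-24T09:01:00,jsmith,WS-101,workstation,2
2015-11-24T09:05:12,adm-jsmith,SQL-01,server,10
2015-11-24T09:07:40,adm-jsmith,WS-101,workstation,2
2015-11-24T09:09:03,jsmith,SQL-01,server,10
2015-11-24T09:10:55,adm-jsmith,FILE-02,server,3
2015-11-24T09:15:00,svc-backup,FILE-02,server,5
"""

ADMIN_PREFIX = "adm-"             # assumed naming convention for admin accounts
INTERACTIVE = {"2", "10", "11"}   # console, RDP, cached-credential console


def parse_events(text: str):
    """Rows as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(events):
    """Two rules that only work because the account's role is visible in
    its name.  Returns (time, user, host, reason) per alert."""
    alerts = []
    for e in events:
        is_admin = e["user"].startswith(ADMIN_PREFIX)
        interactive = e["logon_type"] in INTERACTIVE
        if is_admin and e["host_role"] == "workstation":
            # Admin credentials exposed to a browser, mail client, macros...
            alerts.append((e["time"], e["user"], e["host"],
                           "admin account used for day-to-day work"))
        elif not is_admin and e["host_role"] == "server" and interactive:
            # Either a missing admin account or a stolen everyday one.
            alerts.append((e["time"], e["user"], e["host"],
                           "ordinary account administering a server"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_LOG)):
        print(*alert)
```

Without the split, every server logon would need a side lookup to decide whether that person is allowed to administer that box; with it, the policy is encoded in the event itself, which is the "simplify the data" effect described above. Service accounts (logon type 5) are left alone here and deserve their own rule.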

People
At the end of the day, it’s the people on your team who will make or break your security solution. Usually, a SIEM is a complex solution that gets installed by the vendor of the product. And while they will do all sorts of cool things, they will leave at the end of the implementation and your people have to take the driver’s seat. If the vendor just delivered you a Ferrari and your people have only ridden bicycles before, you will have done it all for nothing.

I have seen companies spend hundreds of thousands of dollars on a SIEM and have it installed perfectly, only then to assume the work is all done! I have to break it to them that implementation is only the beginning. You have to have your people use the solution as a tool, and not just let it sit there and expect it to do your job. In order for that to work, beyond general skills the people in your security department have to be curious and knowledgeable. It takes them being able to see a security event and say, “Hmm, that does not look right, let me look deeper.” They will also have to be a bit mischievous (thinking like a hacker, for example) and to have the courage to ask the what-if questions that will infuriate your IT team. Bottom line? That’s a lot of work, and it takes more than technical knowledge to do it successfully.

[For more on the impact of the FTC ruling, check out FTC v. Wyndham: ‘Naughty 9’ Security Fails to Avoid by Jason Straight, senior VP and chief privacy officer at UnitedLex.]

In today’s regulatory environment, it will take all of your security solutions working together – and a little bit of luck – to catch a sophisticated attacker. But we can hedge our bets by having savvy people in place to think bigger than the technologies and processes to reap the full benefit of a good SIEM solution. 

IMPORTANT NOTICE: The information contained in this article does not, and shall not be construed to, constitute legal advice and/or to create an attorney-client relationship.

Tony is the owner of Porras Law, a legal practice focused exclusively on cybersecurity and data privacy and security. Tony spent more than 20 years as an IT/cybersecurity executive before entering the legal profession. As a result, he has the practical expertise in cyber and …

Article source: http://www.darkreading.com/attacks-breaches/parsing-what-is-reasonable-in-security-post-ftc-v-wyndham-/a/d-id/1323292?_mc=RSS_DR_EDT

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

Dell ships computers with all the tools necessary for crooks to spy on the owners’ online banking, shopping, webmail, and more.

The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.

If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The self-signed root CA cert appears to have been created in early April this year, and expires in the year 2039.

How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell’s security blunder.

The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.

Web browsers, and other software, running on the affected Dell hardware will trust any certificate issued by eDellRoot. When the browser tries to connect to, say, your bank’s HTTPS-protected website, it could in fact be connecting to a malicious system on your network, such as the aforementioned evil wireless hotspot. This system can pretend to be your bank’s website, using an eDellRoot-signed SSL certificate, and you would be none the wiser as you type in your username and password. The intercepting system can even log into the bank on your behalf and relay the real pages back to your browser, so nothing looks amiss.

Dell customers reported over the weekend finding the root CA certificate on newer Dell XPS, Precision and Inspiron desktops and notebooks.

So far, we’ve seen reports on Twitter and Reddit of the following affected gear: the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, and the Precision M4800.

Our San Francisco office’s Inspiron 15 series laptop is also affected.

[Screenshot: the eDellRoot CA certificate installed in the Windows certificate store on a Dell machine]

Information security expert Kenn White has created a webpage that demonstrates how vulnerable Dell computers will happily accept HTTPS connections signed with the eDellRoot key.

Crucially, White also said Firefox is not affected by the rogue certificate because it uses its own set of trusted certs.

Another site to test whether your Dell is vulnerable to man-in-the-middle attacks can be found here.

Dell computer owner Joe Nord, who blogged details of the certificate installed in his Inspiron machine, noted the obvious security flaw with eDellRoot.

“Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit,” he explained. “Where it breaks down is that the private key IS PRESENT on my computer and that means … bad.”

Dell has yet to respond to a request for comment on the matter, although the Dell Cares support account on Twitter is downplaying the risk of attack for users:

The issue is just like Lenovo’s February Superfish scandal in which the PC-slinger was caught loading its machines with a tool capable of intercepting SSL traffic and injecting adverts into pages. In fact, the Dell certificate was created months after the Superfish blowup – was no one at the Texas goliath paying attention? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/

Dell: How to kill that web security hole we put in your laptops, PCs

Dell has published a guide on how to remove the web security backdoor it installed in its Windows laptops and desktop PCs.

This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole in their defenses.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

Dell has posted information [.docx] on how to do this properly, and future machines will not include the dangerous root CA cert. A software update process will run from November 24 that will remove the certificate automatically from machines, we’re told.

In a statement to the media, the Texas-based IT titan said:

The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.

Dell said that it started including the root CA certificate with machines in August, although an Inspiron 15 series laptop we bought in July has an eDellRoot certificate on it.

“We deeply regret that this has happened and are taking steps to address it,” added Laura Thomas, Dell’s chief blogger.

“The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information.

“It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.”

If you’ve got a new Dell, you can check here to see if you have the dodgy root CA cert installed. For everyone, we’ll leave you with this nightmare fuel… ®
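A check you can run from Python on the affected Windows machines, added here as an example (it is not Dell's tool, nor either of the test pages linked in the two articles above): enumerate the machine's trusted root store and look for the eDellRoot subject. DER stores the subject's text verbatim, so a byte search finds it without an ASN.1 parser; the hand-encoded Name below shows why. ssl.enum_certificates() exists only in Windows builds of Python, so on other platforms the store check returns None rather than a false "clean".

```python
import ssl

NEEDLE = b"eDellRoot"


def der_cn_name(cn: str) -> bytes:
    """Hand-encode an X.501 Name holding a single commonName, the way it
    appears inside a certificate's subject, to show that the CN text is
    stored verbatim.  Short names only: single-byte DER lengths."""
    value = cn.encode("utf-8")
    assert len(value) < 120, "single-byte length encoding only"
    atv = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(value)]) + value  # OID 2.5.4.3, UTF8String
    atv_seq = b"\x30" + bytes([len(atv)]) + atv        # SEQUENCE { oid, value }
    rdn = b"\x31" + bytes([len(atv_seq)]) + atv_seq     # SET OF that
    return b"\x30" + bytes([len(rdn)]) + rdn            # SEQUENCE OF RDN


def matching_certs(der_certs, needle: bytes = NEEDLE):
    """DER blobs whose bytes contain the needle (subject CN, issuer CN, ...)."""
    return [der for der in der_certs if needle in der]


def root_store_has(needle: bytes = NEEDLE):
    """Windows only: scan the machine's trusted root store.
    Returns True/False, or None on platforms without ssl.enum_certificates."""
    enum = getattr(ssl, "enum_certificates", None)
    if enum is None:
        return None
    ders = [cert for cert, encoding, _trust in enum("ROOT") if encoding == "x509_asn"]
    return bool(matching_certs(ders, needle))


if __name__ == "__main__":
    result = root_store_has()
    print("not a Windows build of Python" if result is None
          else ("eDellRoot PRESENT in the root store" if result else "eDellRoot not found"))
```

Finding the certificate is only half the job: as the second article explains, the eDell plugin DLL puts it back, so follow Dell's removal guide for the DLL as well and re-run the check after a reboot. Firefox keeps its own trust store and was never affected, so this check says nothing about it either way.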


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/dell_superfish_2/

Pen tester sounds alert over ‘gaping’ flaws in Brit alarm platform

British penetration tester Andrew Tierney says he has found dangerous vulnerabilities in network-connected alarm systems sold by the UK’s self-proclaimed market leader CSL DualCom.

Tierney says the flaws, also reported by the US Government CERT Coordination Center, relate to “incredibly bad” encryption, clunky physical firmware updating requirements, alleged non-compliance with standards, and poor overall security design.

CSL has “generally disputed” the disclosure, according to CERT CC. The company has been contacted for comment.

Tierney gives the company a pasting in a vulnerability analysis in which he rebuts the vendor’s assertions that the threats are either over-stated or not within the product risk model.

He says the CSL DualCom GPRS CS2300-R alarm signalling boards are open to signal spoofing and tampering thanks to poor communications protocol and a roll-your-own crypto scheme.

The units alert alarm receiving centres when alarms are tripped.

“I cannot stress how bad this encryption is,” Tierney says.

“Whoever developed it doesn’t even have basic knowledge of protocol design, never mind secure protocol design.

“I would expect this level of work to come from a short coursework from A-level IT students, not a security company.”

The bugs according to Tierney and CERT CC include improper authentication (CVE-2015-7285), busted crypto (CVE-2015-7286), duplicate and default credentials (CVE-2015-7287), and an undocumented SMS command (CVE-2015-7288) that attackers could intercept to alter device configuration.

The penetration tester has written a 27-page report [PDF] on the flaws.

Tierney claims the company says more risk-averse customers can buy more expensive and better secured devices. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/dualcom_cameras_vulnerability/

World’s most complex cash register malware plunders millions in US

The world’s most complex sales till malware has been discovered … after it ripped millions of bank cards from US retailers on the eve of post-Thanksgiving shopping frenzies.

The ModPOS malware has pilfered “multiple millions” of debit and credit cards from unnamed but large retail companies, causing millions of dollars in damages.

The attackers have operated in a low-key, ultra-professional manner since late 2013, and the malware has only come to light after weeks of painstaking reverse-engineering by malware experts.

They have kept mum, too. Cybercrime forums are entirely devoid of references to the malware.

“This is POS [point-of-sale] malware on steroids,” iSight Partners senior director Steve Ward says. “We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development …[engineers say] it is the most sophisticated framework they have ever put their hands on.”

Ward says his team took three weeks to pick apart one of ModPOS’ three kernel modules. By contrast, it took the same experts 30 minutes to reverse engineer the Cherry Picker POS malware revealed last week.

The “incredibly talented” authors have done an “amazing job” and have such an understanding of security that the work has impressed the white hat engineers.

“It is hard not to be impressed,” Ward says.


[Diagram: POS malware flow]

He says the criminals have spent a “tonne” of time and money on each packed kernel-driver module, which behaves like a rootkit and is as difficult to detect as it is to reverse.

That approach to the module build is novel.

The anti-forensics componentry is highly-sophisticated, meaning most businesses that the advanced Eastern European attackers have popped will not know the cause of the attack.

It is clearly a tool designed for large-scale revenue generation and return on investment.

Ward and his colleagues have briefed more than 80 major retailers across the US, all of which are on high alert for infection.

He says the attack group will need to change parts of its codebase to regain some of its now-lost obfuscation, but adds that some changes will be much harder to implement than others.

Network communication, command-and-control traffic and exfiltrated data are protected with 128-bit and 256-bit encryption, with the latter requiring a new private key for each customer.

This makes it much more difficult to know what data is being stolen, unlike other sales register malware that slurp details in cleartext.

“We will see disclosures and compromises in the future that point back to this framework.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/modpos_point_of_sale_malware/

Paris, jihadis, tech giants … What is David Cameron’s speechwriter banging on about now?

An article by the UK Prime Minister’s chief speechwriter suggests Silicon Valley is happily aiding “tech-savvy jihadists.”

It echoes demands we’ve heard since the killings in France this month. A UK law professor and an infosec academic have helped us dismantle the piece.

The article in question, written by Clare Foges, slammed the encrypted messaging app Telegram for being a Daesh favourite and for putting terrorists “beyond the reach of intelligence agencies” – even though it’s not terribly secure, and a poor choice for anyone trying to evade nation states.

She also accused Google supremo Eric Schmidt of “extraordinary arrogance” for seemingly refusing to create a useful secure encryption system that can be unlocked on demand by governments, despite the mathematical infeasibility of such a technology.

During the course of her written philippic, which made much reference to the attacks in Paris, Foges forgot to disclose that she has been a key speechwriter for Number 10, which is also making similar demands for government-friendly backdoors in encryption.

“Paris must be a wake-up call,” she thundered. “If they had any conscience at all, these great Western powerhouses of the 21st century would be joining the fight to preserve our way of life – not helping to facilitate Islamic State’s way of death.”

She seems to be forgetting that the murderers behind the Paris massacre this month also used text messages to communicate, and warned of their plot in public; if they used truly unbreakable end-to-end encryption, we’ve yet to see evidence of it.

Foges also complained in her piece, published by the Daily Telegraph in London, that Snowden’s revelations tipped off terrorists to internet surveillance. She added:

In the wake of those tip-offs, tech companies faced a massive PR headache on privacy. And so Google, Apple, Facebook and the rest have been falling over themselves to offer products that no government can break into.

“These companies are not using cryptography to defend against governments,” Steven Murdoch, a principal research fellow in infosec at University College London, told The Register. “They’re trying to defend against those with no legitimate reason to access that information.”

“All of these companies do provide information to governments,” he added, citing these companies’ transparency reports.

“They deploy this kind of security because it is the most secure method for their users.

“The debate shouldn’t be framed as ‘security versus privacy’. For those in the intelligence agencies, security is privacy. The debate that should be happening should be framed in appropriate terms, rather than jumping on the bandwagon of ongoing events. It should look at previous cases that have happened and are appraisable.”

A mature debate

Paul Bernal, law lecturer at the University of East Anglia and author of Internet Privacy Rights: Rights to Protect Autonomy, told us: “The recent moves towards privacy and security are as much motivated by a need to protect people’s data from cybercrime as anything else.

“The government has been talking about this recently, without apparently seeing the disconnection between having a secure network to protect us from criminals and building in insecurity to supposedly allow us to be ‘protected’ from terrorists.

“The question many of us are asking is why this piece was commissioned in the first place – to say that the author of it is out of her depth is a massive understatement, while The Telegraph has access to journalists and others with great expertise, who could have written on the subject with both more knowledge and more clarity.”

The law prof went on:

The idea that the ‘Western tech companies’ are big supporters of privacy will come as a huge surprise to anyone who has been following the industry for any time – historically they’ve very much underplayed privacy risks, trying to encourage people’s sharing of as much information as possible on the internet, and to find ways to analyze and monetize that information as much as possible.

A few weeks ago Andrew Parker, the head of MI5, called for a ‘mature debate’ on surveillance as the Investigatory Powers Bill was introduced: immature articles like this seem designed specifically to undermine the chances of that debate.

“It looks very much as though this is a politically commissioned piece – but the question is why? Who is expected to be convinced by a piece like this? What are they trying to do?” Bernal questioned. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/silicon_valley_helping_techsavvy_jihadists/

British duo arrested for running malware encryption service

Two British suspects have been arrested, accused of running the refud.me encryption site that VXers use to evade antivirus.

The National Crime Agency says the suspects, from Colchester, Essex, have been bailed until February next year.

The pair operated the refud.me service which allowed VXers to test their malware against antivirus tools for free and made cash through encryption services.

Punters paid US$20 or US$100 a month for the Cryptex crypting services, depending on licence conditions.

Operators, one known as Killamuvz, sold the service under the guise of a service for developers to protect their code.

It is clear from forum posts that the service was being enjoyed by the malware-writing industry which requires crypters to evade security software and reverse-engineering by malware analysts.

Those customers are now fretting, with some urging fellow users to DBAN (Darik’s Boot and Nuke) their machines before expected police raids. Here’s a sample of the chatter among former users:

“Damn I smell a fed raid, that is usually what happens when the NCA joins in. Former clients are raided. I would be wiping my hard drive RIGHT NOW. Will save you a lot of court $$$. All former Cryptex clients WIPE YOUR DRIVES NOW!!”

Forum members plugged the skill and professionalism of the coders. Unconfirmed comments claimed the pair were married.

Trend Micro, which partnered in the bust, says the encrypting tool had undergone “several major updates” since it was first sold in October 2011.

“These tools saw frequent version updates to counteract new improvements in antivirus engines,” company researchers say.

“The current major iteration of the Cryptex toolkit is entitled ‘Cryptex Reborn’ which was first advertised in September 2014.”

Many other similar crypters are still in operation. DarkEye is actively being sold for up to US$300 a month.

The crypter encrypts a customer’s malware with an encryption algorithm; the DarkEye stub executes when a user runs the customer’s malware, decrypts it and deploys the now-cleartext payload.

“Any software developer wanting to protect his code properly” needs the service, the author wrote on the DarkEye shop page. ®
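One reason crypted payloads still draw defenders’ attention is statistical: ciphertext is near-random, and a near-random region inside an executable is itself a signal that signature-based antivirus can be backed up with. The following is an added example, not code from the article or from Trend Micro: it scores fixed-size chunks of a buffer by Shannon entropy and flags the buffer when most chunks look random. Both sample buffers are constructed stand-ins; the “crypted” one is chained SHA-256 output rather than the output of any real crypter, and the 7.0 bits-per-byte threshold and 1024-byte chunk size are assumed tuning values.

```python
# Added example (not from the article): an entropy scan of the sort defenders
# use to flag packed or crypted executables. A crypter leaves the real payload
# as a high-entropy blob inside the file, and that blob stands out against
# ordinary code, strings and padding. Both buffers below are constructed
# stand-ins; the "encrypted" one is chained SHA-256 output, not the output
# of any real crypter. Threshold and chunk size are assumed tuning values.
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, chunk: int = 1024,
                         threshold: float = 7.0) -> list:
    """Offsets of fixed-size chunks whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), chunk)
            if shannon_entropy(data[off:off + chunk]) > threshold]


def looks_encrypted(data: bytes, chunk: int = 1024,
                    threshold: float = 7.0) -> bool:
    """Flag a buffer when more than half of its chunks are near-random."""
    total = max(1, math.ceil(len(data) / chunk))
    return len(high_entropy_regions(data, chunk, threshold)) * 2 > total


def pseudo_random_bytes(n: int, seed: bytes = b"demo-seed") -> bytes:
    """Deterministic high-entropy filler (constructed stand-in for ciphertext)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed stand-in for a benign binary: header text, repeated strings,
# then a page of zero padding. Every chunk stays well below 7 bits/byte.
PLAIN_STAND_IN = (
    (b"MZ\x90\x00This program cannot be run in DOS mode.\r\n" * 70)[:3072]
    + bytes(1024)
)

# Constructed stand-in for a crypted payload section: four near-random chunks.
ENCRYPTED_STAND_IN = pseudo_random_bytes(4096)


if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_STAND_IN), ("crypted", ENCRYPTED_STAND_IN)):
        print(name, round(shannon_entropy(buf), 2),
              high_entropy_regions(buf), looks_encrypted(buf))
```

In practice this check is run per section of a parsed executable rather than over raw fixed chunks, and compressed resources also score high, so the entropy flag is a triage signal to combine with other evidence, not a verdict on its own.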


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/refudme_anti_antivirus/