STE WILLIAMS

US govt just can’t hire enough cyber-Sherlocks

American federal investigators are having a hard time hiring computer-savvy staff, according to a memo from the Inspector General for the US Department of Justice.

“Even as it works to expand the ranks of its cybersecurity team, the department continues to face challenges recruiting and retaining highly qualified candidates to do this work,” the memo [PDF] states.

Last year the FBI got the authorization and budget to hire 134 computer scientists for online investigations. We’re told the agency could only find 82 people interested in working for Uncle Sam. As a result, five of the FBI’s 56 regional Cyber Task Force teams don’t have a computer specialist on hand.

The DoJ’s Inspector General, Michael Horowitz, found that recruitment was being hampered by private industry, which pays more than the government can afford. Computer security specialists are in high demand at the moment and universities aren’t turning out enough of them, so wages are only going to go up.

Another problem, Horowitz notes, is that the Feds have much stricter hiring guidelines than private companies. Last year FBI Director James Comey complained that he was having problems recruiting white hat hackers because too many of them were fond of a joint or two.

One logical way around this is for the government to work with private companies and borrow their expertise. But this too has run into problems: the Snowden revelations that the government was playing fast and loose with hacking into corporate servers have eroded trust over privacy.

“In an era of ever-increasing cyber threats, the Department will be challenged to sustain a focused, well-coordinated, and robust cybersecurity approach for the foreseeable future,” Horowitz concluded.

“The Department must continue to emphasize protection of its own data and computer systems, while marshalling the necessary resources to lead the effort to combat cybercrime, identify and investigate perpetrators, and engage the private sector and its state, local, and global partners in this crucial effort.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/17/us_cyber_task_forces/

BitLocker popper uses Windows authentication to attack itself

Blackhat Europe Synopsys security boffin Ian Haken says unpatched PCs in enterprises are at risk of having user accounts popped and BitLocker bypassed, in an attack he describes as “trivial” to perform.

The attack vector, sealed off in the latest round of Redmond patches (MS15-122), affects Windows machines that are members of a network domain, notably those in enterprise fleets.

Only sysadmins sadistic enough to make their users enter a pre-boot password have immune fleets, Haken says; a machine that unlocks its disk without any pre-boot authentication is exposed.

Haken says an attacker with a lost or stolen laptop can spoof the machine’s domain and set up, on a mock domain controller, a fake user account whose username matches the victim’s.

The fake account’s password is given a creation date in the past so that Windows treats it as expired; what the password actually is does not matter.

Once the victim machine connects to the spoofed domain, Windows throws a password reset prompt, and completing it changes the credentials in the computer’s local cache.

Figure: Kerberos exchange flow (picture: Ian Haken).

The laptop could then be disconnected from the spoofed domain and accessed using the changed credentials.

Haken says in the paper Bypassing Local Windows Authentication to Defeat Full Disk [pdf], presented at Black Hat Europe, that the attack is not foiled by the Trusted Platform Module. Here’s a sample of his thinking:

… the domain controller is remote, and since the attacker has physical control of the machine, the attacker also has control of network communication and can direct communication to an attacker-controlled mock domain controller.

Since a machine with passwordless BitLocker will transparently retrieve the decryption key and boot to the Windows login screen, Windows authentication becomes the attack surface for defeating BitLocker.

There is no easy fix without Microsoft’s patch. Admins who do not or cannot apply the patches can disable local credential caching, but that means users cannot log in offline. ®
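As an added practitioner check, not code from Haken’s paper or from the article, the PowerShell script below reports whether a given Windows machine matches the preconditions of the attack just described: domain membership, a TPM-only BitLocker protector on the OS drive (no pre-boot PIN or startup key), cached domain logons enabled, and the MS15-122 fix absent. It assumes Windows 8 / Server 2012 or later (for the BitLocker module) and an elevated session; the `$KbForThisBuild` parameter is a placeholder for the KB number the MS15-122 bulletin lists for your OS build, which is not hard-coded here.

```powershell
<#
  Added example, not code from Haken's paper or the article above.
  Reports the four preconditions of the rogue-domain logon-cache attack:
  domain membership, TPM-only BitLocker on the OS drive, cached domain
  logons, and MS15-122 not installed.
  Assumptions: Windows 8 / Server 2012 or later (BitLocker module), run as
  administrator. $KbForThisBuild is a placeholder: look up the KB that the
  MS15-122 bulletin lists for your OS build; no number is hard-coded here.
#>
param([string]$KbForThisBuild = '')

$findings = @()

# 1. Domain membership: only a domain-joined machine will talk to a spoofed DC
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Domain-joined ($($cs.Domain)): a stolen laptop can be pointed at an attacker's DC."
} else {
    $findings += "Not domain-joined: the rogue-DC password-change trick does not apply."
}

# 2. OS-volume protector: TPM-only unlocks transparently at boot, a PIN or startup key does not
$osVol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types      = @($osVol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
$preBoot    = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
$hasPreBoot = @($types | Where-Object { $preBoot -contains $_ }).Count -gt 0
if ($osVol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is OFF on $env:SystemDrive."
} elseif ($hasPreBoot) {
    $findings += "Pre-boot authentication in use ($($types -join ', ')): the disk stays locked until a user is present."
} else {
    $findings += "TPM-only protector ($($types -join ', ')): the volume unlocks on boot, so the logon screen is the only gate."
}

# 3. Cached logons: this is the cache that the bogus password change rewrites.
#    CachedLogonsCount is a REG_SZ; Windows defaults to 10 when the value is absent.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
if ([int]$cached -gt 0) {
    $findings += "CachedLogonsCount=$cached: cached domain credentials are present and can be overwritten offline."
} else {
    $findings += "CachedLogonsCount=0: nothing to tamper with, at the cost of no offline logon."
}

# 4. Patch state, only if the admin supplied the KB for this build
if ($KbForThisBuild) {
    $hf = Get-HotFix -Id $KbForThisBuild -ErrorAction SilentlyContinue
    $findings += if ($hf) { "$KbForThisBuild (MS15-122) installed on $($hf.InstalledOn)." }
                 else     { "$KbForThisBuild (MS15-122) is NOT installed." }
}

$findings
```

A machine that hits all four findings is the case the article describes. The two mitigations the text gives map directly onto findings 2 and 3: add a TPM+PIN protector (`Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector`) or set CachedLogonsCount to 0, accepting the loss of offline logon.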

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/17/bitlocker_blackhat_ian_haken/

IBM Report: Ransomware, Malicious Insiders On The Rise

The report’s top four cyber threat trends also include upper management’s increasing interest in infosec.

Ransomware and malicious insiders are on the rise, upper management is showing greater interest in infosec, and organizations actually have a reason to be grateful to script kiddies, according to a new threat intelligence report from IBM X-Force.

Ransomware rising

Ransomware like CryptoWall has become one of the top mobile threats, in addition to desktop threats. It’s been found wrapped into a variety of exploit kits — the Angler EK alone generated $60 million from ransomware — and has been seen spreading through malvertising campaigns.

IBM X-Force, however, states the top infection vector was simply unpatched vulnerabilities. “A well-known infection vector of ransomware can exploit unpatched operating system vulnerabilities to give attackers access to the system resources they want to lock or the data they want to encrypt,” according to the report. After unpatched vulnerabilities, drive-by downloads and spearphishing, respectively, were the leading attack vectors. 

To defend against, recover from, and mitigate the effects of ransomware, X-Force recommends creating and testing back-ups thoroughly; conducting better user training; using “software designed to catch anomalies related to binaries, processes and connections” which “can also help identify many kinds of malware, ransomware included;” and using file recovery software, professional services, or Microsoft Windows Volume Shadow Copy Service to try to recover files that the ransomware has copied/deleted or encrypted.
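The last of those recommendations, pulling files back out of Volume Shadow Copies, is the one a responder can act on immediately, so here is an added PowerShell example (not from the IBM X-Force report) that lists the shadow copies of a volume and copies a file out of the newest one. It assumes an elevated session and that a snapshot predating the infection still exists; ransomware families routinely run `vssadmin delete shadows /all`, so the empty-list case is the expected failure mode and is handled. The volume, file path and restore directory are placeholders.

```powershell
<#
  Added example, not from the IBM X-Force report. Enumerates the Volume
  Shadow Copies of a volume and copies one file out of the newest snapshot,
  the VSS route the report mentions for recovering encrypted files.
  Assumptions: run as administrator; a snapshot predating the infection
  exists. The volume, file path and restore directory are placeholders.
#>
param(
    [string]$Volume       = 'C:\',
    [string]$RelativePath = 'Users\alice\Documents\quarterly.xlsx',
    [string]$RestoreTo    = 'C:\Recovered'
)

# Map the drive letter to the \\?\Volume{GUID}\ name that shadow copies reference
$vol = Get-CimInstance -ClassName Win32_Volume |
       Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }
if (-not $vol) { throw "Volume $Volume not found" }

$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $vol.DeviceID } |
             Sort-Object -Property InstallDate -Descending)

# Expected failure mode: the malware deleted the snapshots (or none were ever taken)
if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies exist for $Volume; recover from offline backups instead."
    return
}

"Shadow copies for $Volume, newest first:"
$shadows | ForEach-Object { "  {0}  {1}" -f $_.InstallDate, $_.DeviceObject }

# Expose the newest snapshot as a directory symlink. mklink needs the trailing
# backslash on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
$newest = $shadows[0]
$link   = Join-Path $env:TEMP ('vss_' + $newest.ID.Trim('{}'))
if (-not (Test-Path -LiteralPath $link)) {
    cmd.exe /c mklink /d "$link" "$($newest.DeviceObject)\" | Out-Null
}

try {
    $src = Join-Path $link $RelativePath
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Not present in the snapshot from $($newest.InstallDate): $RelativePath"
    }
    New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
    # Copy, never move: the snapshot is read-only and the live copy is likely the encrypted one
    Copy-Item -LiteralPath $src -Destination $RestoreTo
    "Restored $RelativePath from the snapshot taken $($newest.InstallDate) into $RestoreTo"
} finally {
    # Drop the link only; the snapshot itself is untouched
    cmd.exe /c rmdir "$link" | Out-Null
}
```

Iterate over `$shadows` rather than taking only the newest if the newest snapshot was taken after encryption started; the InstallDate column printed above is what tells you which one predates the incident.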

‘Onion-layered’ incidents

By “onion-layered incidents” IBM X-Force is not referring at all to onion routing. It is referring to detected security incidents that lead forensic investigators to discover evidence of hitherto undetected attacks.

X-Force saw a trend of investigations into noisy, unsophisticated script-kiddie attacks unearthing long-running campaigns by advanced attackers skilled at evading detection, who might have been lurking within the network for months. “Were it not for the disruptive event caused by the script kiddies, the client might never have noticed anything wrong,” the report said.

The common trait in scenarios like this, said researchers, is that the compromised organizations were running old operating system versions that hadn’t been patched in a long time.

Malicious insiders

Malicious insiders are abusing remote administration tools and organizations are making those attackers’ work easier by following bad password policies, conducting insufficient logging, and failing to revoke employees’ credentials immediately after they leave the company.

“The common thread is that accountability was not enforced. … Knowledge can’t be stripped from an employee leaving an organization, but there are ways to minimize the risk of that knowledge being used for malicious purposes,” the report said.

X-Force found that in the organizations most prone to insider attacks, passwords were “routinely” set to never expire, password sharing between team members was not discouraged, admin accounts were shared, and user credentials were not immediately revoked when an employee was terminated or left the company.

“As a result, ex-employees with ill will toward former employers held powerful weapons they could use to express their resentment. They simply needed a way to get back into the network.”

The most common method, according to IBM: “In most malicious insider attacks we’ve seen, the disgruntled employee typically ‘prepared for departure’ by installing remote administration tools such as LogMeIn or TeamViewer for access to the employer’s network.”

X-Force recommends that security teams that suspect or detect the unauthorized use of remote administration tools block access for the master servers of these tools.
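The weaknesses the report lists (non-expiring passwords, credentials not revoked on departure, remote-administration tools left behind) are all things a domain admin can enumerate. The PowerShell below is an added example, not from the IBM X-Force report; it assumes the ActiveDirectory module (RSAT) and PowerShell remoting to the endpoints, and `$LeaverList` (an HR-supplied CSV with a SamAccountName column), `$Endpoints` and the tool-name pattern are placeholders covering only the two products the report names.

```powershell
<#
  Added example, not from the IBM X-Force report. Three audits aimed at the
  weaknesses the report lists: enabled AD accounts whose passwords never
  expire, leavers whose accounts are still enabled, and endpoints where
  remote-administration tools such as LogMeIn or TeamViewer are installed.
  Assumptions: ActiveDirectory module (RSAT) and PowerShell remoting are
  available. $LeaverList, $Endpoints and $RatPattern are placeholders;
  extend the pattern to whatever your policy forbids.
#>
param(
    [string]  $LeaverList = 'C:\audit\leavers.csv',
    [string[]]$Endpoints  = @('ws-finance-01', 'ws-finance-02'),
    [string]  $RatPattern = 'TeamViewer|LogMeIn'
)
Import-Module ActiveDirectory

# 1. Enabled accounts with non-expiring passwords; membership of a privileged group is the worst case
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties PasswordLastSet, MemberOf |
    ForEach-Object {
        $groups = @($_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            Privileged      = @($groups | Where-Object { $privileged -contains $_ }).Count -gt 0
        }
    } | Sort-Object Privileged -Descending | Format-Table -AutoSize

# 2. Leavers whose accounts are still enabled: these should have been disabled on the exit day
if (Test-Path -LiteralPath $LeaverList) {
    Import-Csv -LiteralPath $LeaverList | ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled) {
            Write-Warning "Leaver $($u.SamAccountName) is still ENABLED; disable it and review its recent logons."
        }
    }
}

# 3. Remote-admin tools on endpoints: both Uninstall hives plus any matching service
Invoke-Command -ComputerName $Endpoints -ArgumentList $RatPattern -ScriptBlock {
    param($pattern)
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -match $pattern } |
                 Select-Object -ExpandProperty DisplayName
    $services  = Get-Service | Where-Object { $_.DisplayName -match $pattern } |
                 ForEach-Object { "$($_.Name) ($($_.Status))" }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Installed = ($installed -join ', ')
        Services  = ($services  -join ', ')
    }
} | Select-Object Host, Installed, Services | Format-Table -AutoSize
```

The third audit only finds installs that registered themselves normally; a portable executable dropped in a user profile will not appear in the Uninstall hives, which is why the report’s own recommendation, blocking the tools’ master servers at the network egress, is the complementary control.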

Upper management interest

The average cost of a data breach in the United States was $6.53 million, according to a study by the Ponemon Institute and sponsored by IBM. Numbers like this have gotten the attention of upper management, say researchers. 

What is management asking its security teams for more of? Enterprise risk assessment, incident response, and tabletop exercises such as stress tests and cross-functional reviews top the list.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/vulnerabilities---threats/ibm-report-ransomware-malicious-insiders-on-the-rise/d/d-id/1323163?_mc=RSS_DR_EDT

Anonymous declares war on Islamic State after Paris attacks

Members of the hacker collective Anonymous have declared war on the Islamic State, after the radical terrorist group claimed responsibility for the horrific attacks in Paris that killed over 120 people.

In a video posted to YouTube the day after Friday’s attacks, a man wearing a Guy Fawkes mask read a statement calling the attackers “vermin” and warning the Islamic State to prepare for “many cyberattacks.”

Speaking in French, the man said Anonymous would “hunt down” the attackers just as its members did after the terrorist attack in January 2015 on the French satirical magazine Charlie Hebdo, according to an English translation of the video:

On Friday 13 November our country France was attacked in Paris for two hours, by multiple terrorist attacks claimed by you, the Islamic State.

These attacks cannot go unpunished. That’s why Anonymous activists from all over the world will hunt you down. Yes you, the vermin who kill innocent victims, we will hunt you down like we did to those who carried out the attacks on Charlie Hebdo.

So get ready for a massive reaction from Anonymous. Know that we will find you and we will never let up. We are going to launch the biggest ever operation against you. Expect very many cyberattacks. War is declared. Prepare yourselves.

Know this: the French people are stronger than you and we will come out of this atrocity even stronger.

Anonymous sends its condolences to the families of the victims.

We are Anonymous. We are legion. We don’t forgive, we don’t forget. Expect us.

The video had been seen over 1.8 million times as of 7:30 pm GMT on Monday (16 November).

The video did not explain when or how those “cyberattacks” would happen, but on Monday, self-described Anonymous members said on Twitter that the attacks had begun.

After the attack on Charlie Hebdo in January, Anonymous members launched an #OpISIS to hack pro-Islamic State websites and social media accounts.

Another round of similar ops appears to be underway – #OpISIS and #OpParis.

By its nature, Anonymous is decentralized, and multiple Twitter accounts affiliated with Anonymous are taking credit for cyberattacks against the Islamic State.

One Twitter account, @opparisofficial, tweeted Monday that over 3800 pro-Islamic State Twitter accounts had been taken down.

Reuters reported that Anonymous members claimed to have identified 39,000 pro-ISIS accounts and reported them to Twitter, which supposedly took down 25,000 of those accounts.

Another Twitter account, @AnonyOpNews, tweeted that Anonymous’s attacks on the Islamic State (also called ISIS, ISIL, and Daesh) would involve naming members of the terrorist group, similar to what Anonymous members did in an op against members of the Ku Klux Klan earlier this month.

And yet another Twitter account, @GroupAnon, declared war on the Islamic State, and stated that members of Anonymous are “better hackers.”

The Islamic State has used social media to recruit individuals to join its cause, and has used platforms like Twitter to threaten its enemies, including the United States.

Last month, a Malaysian man was arrested for allegedly providing material support for the Islamic State by hacking a US web hosting company to steal the identities of US service members and government employees.

The names and other identifying information of 1300 US service members ended up in the possession of a British citizen named Junaid Hussain, aka Abu Hussain Al-Britani, the leader of the Islamic State Hacking Division who was later killed in a US airstrike.

Hussain published the information via Twitter with instructions that sympathizers of the Islamic State should kill US service members “in their own lands.”

Pro-Islamic State hackers calling themselves the CyberCaliphate took over the Twitter and YouTube accounts of the US Central Command (CENTCOM) in January.

Despite Anonymous’s apparent intentions to join what is a global effort to defeat the Islamic State, it’s not clear that their tactics are effective, and they may even be counterproductive.

Some foreign policy analysts have said Anonymous taking out Islamic State websites and social media accounts could hurt intelligence-gathering by military and intelligence agencies that track the Islamic State through its online activities.

Meanwhile, social media has also served as an important source of information, and a way for people trying to connect with loved ones in the aftermath of the attacks.

Facebook turned on its Safety Check tool, helping people in France communicate that they were safe.

People all over the world took to social media on Friday after the terrorist attacks in Paris to express grief, anger and solidarity with France.

One of the most popular responses on social media – a simple, hand-drawn sketch of the Eiffel Tower resembling the peace symbol, created by a French graphic designer named Jean Jullien – went viral in the hours after the attacks.

Anonymous has been known to misfire with its approach, misidentifying people with no connection to the hate group in its #OpKKK last month, and using illegal tactics such as distributed denial-of-service attacks.

Jullien’s stroke of the pen is, in my opinion, the more powerful and far-reaching response to the terrorist attacks.

Screenshot of Anonymous video via YouTube.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/onsGyjYizhA/

Hold on, France and Russia. Anonymous is here to kick ISIS butt

As world powers prepare to bomb barbaric ISIS into the medieval age it so dearly craves in the wake of the Paris attacks, Anonymous too has declared war on the terror group.

“To defend our values and our freedom, we’re tracking down members of the terrorist group responsible for these attacks. We will not give up, we will not forgive, and we’ll do all that is necessary to end their actions,” said a video posted online.

The campaign, dubbed #OpParis, will be aimed at shutting down websites and social media accounts used by terrorists to recruit sympathizers and support for their cause. The hacking group declared a similar campaign after the Charlie Hebdo massacre, and claims to have shut down thousands of Twitter accounts run by ISIS.

On Monday, Anonymous also stirred the waters by naming US content-delivery provider Cloudflare as one of the firms keeping ISIS online. It is not the first time the group has made this claim: in 2013 the US House Committee on Foreign Affairs’ Subcommittee on Terrorism, Nonproliferation, and Trade heard similar accusations.

“A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain,” said Cloudflare’s CEO Matthew Prince at the time.

Cloudflare provides services that make it easier for a great many websites to resist online attacks. The firm has fronted the WikiLeaks website in the past, and, while it is possible that it is serving sites linked with ISIS, it has yet to respond to the new allegations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/anonymous_isis/

Don’t Toy With The Dark Web, Harness It

The Dark Web’s sinister allure draws outsized attention, but time-strapped security teams would benefit from knowing what’s already circulating in places they don’t need Tor or I2P to find.

High-profile data breaches are once again thrusting the Dark Web into the spotlight, spurring security professionals to better understand how the conversations there bear on the threats to their organizations. But this renewed, and in some cases potentially unhealthy, interest has its own dark side.

To successfully harness the Dark Web as part of a complete threat intelligence program, organizations need to develop a keener understanding of the environment and how cyber criminals are leveraging it. Here are three common misconceptions:

Misconception #1: Almost all cybercrime takes place on the Dark Web.
For those who appreciate its risks and pitfalls, the Dark Web can be a great source for understanding threat actors and their techniques. However, those who fixate narrowly on it are likely to be blind to more relevant threats and information sources elsewhere.

For example, in the past six months, security researchers at Digital Shadows observed nearly 3,000 instances of credit cards being offered for sale on the visible, surface web. Sites like Reddit and Pastebin — much easier to browse than the Dark Web’s corners — increasingly contain stolen account information.

Social media platforms likewise hold important clues; we have witnessed drugs for sale on Instagram, and social media often contains vital clues to the identity of would-be criminals.

Misconception #2: Scouring the Dark Web is key to understanding my attack surface.
Researching the Dark Web can be a valuable activity for security professionals, but the reality is that this resource will not be relevant to all organizations. For example, large enterprises, particularly in the financial services industry, are more susceptible to having their customers’ credentials and card details sold in criminal marketplaces as this is readily monetized. These marketplaces exist in the dark, surface and deep webs. Alternatively, smaller organizations should instead look towards the surface and deep web, including social media and traditional search engine platforms, to understand their exposure and attack surfaces.

Search engines are also valuable tools for organizations that want a better understanding of their attack surface. Search engines index many files that should never have been exposed, often put there inadvertently by employees, suppliers or third parties; attackers harvest and exploit them, either as part of hostile reconnaissance or bundled together and branded as a data breach. Sensitive information such as email addresses and embarrassing details about employees and technology can be found on social media and leaves an organization exposed. Spoof LinkedIn profiles, over-sharing and misconfigured privacy settings are all exploited in attackers’ reconnaissance.

Misconception #3: There’s no harm in just poking around.
Not all content on the Dark Web is immediately accessible; it can take considerable time, expertise and manual effort to glean useful information. More importantly, impromptu Dark Web reconnaissance can inadvertently expose an organization to greater security risks because of unknown malicious files that can infiltrate the corporate network.

Additionally, several criminal forums on the Dark Web utilize a “vouching” system, similar to a private members club, that might require an investigator to commit a crime or at least stray into significantly unethical territory to gain access to the content.

Lastly, while it can be tempting to download files pertaining to purported breaches, you should be mindful that taking receipt of stolen goods is a felony in the United States (18 U.S.C. § 2315) and can leave you exposed. Beyond that, your activities may disrupt the legitimate work of legal authorities engaged in enforcement actions.

At the end of the day, there are many legitimate purposes for harnessing the Dark Web, but only when security teams take steps to empower their efforts, not endanger them. To cover the basics, organizations should:

  • Have essential security tools and procedures in place to safeguard data.
  • Understand threats compromising peers and the weaknesses these may reveal in your company.
  • Search the public and deep web to observe how hostile threat actors perceive your organization.
  • Discover where your key information assets, employee credentials or other sensitive documents are being exposed online.
  • Weigh the benefits and enhanced protection from the intelligence you gather against the impact on your limited information security resources. 

James Chappell has over twelve years of technical information security experience, acting as an advisor to large private sector and government organizations. Much of his work has involved counteracting the growth of crime and fraud in computer networks and developing …

Article source: http://www.darkreading.com/vulnerabilities---threats/dont-toy-with-the-dark-web-harness-it/a/d-id/1323078?_mc=RSS_DR_EDT

Facebook: “Are you sure you want to publicly post that photo of your child?”

Here’s a potentially dangerous thing that people do on Facebook: ignore their privacy settings but still go right ahead and post hundreds of photos of kids online.

And here’s what many see as a negative thing that Facebook does: it collects and stores biometric data via facial recognition in what some deem to be the largest privately held database of facial recognition data in the world.

What if Facebook put those two (more or less) negatives together and came up with a positive?

It’s gone ahead and done just that.

Last week, Facebook revealed a program it’s developing to warn parents if they are about to share photos of children publicly instead of just with friends.

Jay Parikh, Facebook’s vice president of engineering, revealed that Facebook plans to use facial recognition to spot kids in photos and to notify parents before they share such images with the general public.

The Evening Standard quotes Parikh:

If I were to upload a photo of my kids playing at the park and I accidentally had it shared with the public, this system could say: “Hey wait a minute, this is a photo of your kids, normally you post this to just your family members, are you sure you want to do this?”

I think [it’s] a nice, intelligent way for us to help you manage all of the data and the information around you, and that could be just helping you process this stuff and getting it right the first time.

As it is, police in Germany recently urged people to stop posting photos of their children online in an appeal on Facebook, noting that people freely post pictures of nude children while in a pool or at the beach, as if there were no consequences for posting such images.

Such consequences range from mild embarrassment once the child grows up, to bullying, or having the photos intercepted by a pedophile to be published elsewhere.

Of course, Facebook has been under fire for its facial recognition technology for years.

Following a backlash from users and regulators, the company in 2012 turned off facial recognition in Europe and deleted the user-identifying data it already held.

In the US, a class action lawsuit filed in April 2015 claimed that Facebook violated users’ privacy rights in acquiring what it describes as the largest privately held database of facial recognition data in the world, all without notifying users that biometric data was being collected or stored.

Still, Facebook’s facial recognition program is growing more powerful, and more accurate.

In fact, Facebook’s DeepFace technology rivals humans’ ability to recognize faces, accurately identifying faces 83% of the time, even in profile or with features obscured.

On the downside, Facebook’s facial recognition is potentially helping Big Brother’s surveillance efforts.

Australia plans to grab Australians’ faces off Facebook for a national biometric database, taking advantage of imagery that’s both high-quality and pretty accurately linked to identities.

That brings us back to Facebook’s new plan to use facial recognition for good: to put a stop sign in front of people before they post photos that could potentially put their children in harm’s way.

There are no indications yet about when we’ll see this new feature, but we’re glad to hear it’s in the works.

Image of family selfie courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/N3IAAs-6R_U/

For every hateful tweet, one woman donates $1 to charity

Susan Carland is troll bait.

Not only is she a woman, she’s also an Australian academic with opinions, the wife of the talk-show host Waleed Aly, and Muslim.

As she wrote last week for the Sydney Morning Herald, she is perpetually bombarded with hateful tweets from trolls.

Her anonymous correspondents don’t ask her what she believes. In true troll fashion, they prefer to use her as a blank slate on which to project their beliefs.

Though they don’t know her, they’re quick to tell her what she thinks: namely, as she tells it, they tell her that as a Muslim woman, she loves “oppression, murder, war, and sexism.”

The threats entail…

… requests to leave Australia, hope for my death, insults about my appearance (with a special focus on my hijab), accusations that I am a stealth jihadist, and that I am planning to take over the nation, one halal meat pie at a time.

There are many ways to deal with trolls like these. Carland has tried many of them.

She tried blocking and muting. She tried engaging with the trolls. She attempted to ignore them.

One of the only things she didn’t try was the Curt Schilling method: naming and shaming.

But none of it made her feel that she was diverting, or diluting, what she calls “the merry stream of toxicity.”

Nor did what she was doing feel like the “edifying Islamic response” that the Koran calls for, she writes:

The Koran states “Good and evil are not equal. Repel evil with what is better.” … I’d tried blocking, muting, engaging and ignoring, but none of them felt like I was embodying the Koranic injunction of driving off darkness with light. I felt I should be actively generating good in the world for every ugly verbal bullet sent my way.

In order to honor the precepts of her faith, Carland decided to try a novel way of dealing with online hate: she pledged to donate one Australian dollar to the charity UNICEF for every hateful message received on Twitter.

She’s been doing it for months now. Not only had she raised and donated over A$1,000 as of October; her action has also garnered wide support and has spurred others to follow her lead.

As of Thursday, Carland said that she was overwhelmed by tweets and instructed sympathizers to donate directly to UNICEF.

It’s unclear whether Carland’s action has encouraged trolls to send her more hate-filled tweets than ever, but what’s important is that she’s turned them into a force for good: the more poison they spew, the more a deserving charity benefits.

What’s more, she has refused to let trolls define her.

Or, in her own words:

By refusing to let the hate of others mould me, I am more secure and relaxed in my own identity than ever. Their hatred of what they believe Muslims are has encouraged me to recommit to the beauty of my tradition.

I have a choice: to respond similarly, or respond with “that which is better”. Their hate doesn’t define me; my beliefs do. And so what my response should be is clear.

Image of sad troll courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8CpTdv4iO9c/

Stalking apps are "perfectly legal" in US, and banning them won’t be easy

US Senator Al Franken is introducing legislation to ban so-called stalking apps, as part of a broader law to protect consumers from apps and devices that secretly track users’ location.

Franken, one of the Senate’s staunchest defenders of privacy rights, has introduced similar legislation before and has been trying to ban stalking apps since 2011.

If it seems inconceivable that apps marketed and sold for the purpose of covertly monitoring whoever carries the phone are legal, there’s a maddeningly logical explanation.

Spying apps that can track location, read text messages, monitor calls (and much more) also have legitimate purposes, despite the likelihood for abuse.

Franken’s proposed law underscores the conundrum: Franken wants to ban the use of these apps for cyberstalking, while still permitting uses such as parents monitoring their children, emergency services locating people in distress, and “similar scenarios.”

In 2014, Franken called on the US Department of Justice (DOJ) to crack down on stalking apps, and in May 2015 requested an investigation by the DOJ and the Federal Trade Commission of the stalking app called mSpy, after a huge trove of mSpy data was leaked on the Dark Web.

Franken says his proposed legislation would close legal loopholes by requiring all companies to have users’ permission before collecting location data or sharing it with third parties, and would ban the “development, operation, and sale of GPS stalking apps.”

Yet companies that produce these apps, like mSpy and StealthGenie, operate in a legal limbo because of legitimate uses for their software.

Even requiring the permission of the user before tracking someone’s location is another potential loophole, because the “users” of the app are the people doing the stalking, not their victims.

A US court case in 2014 demonstrates the fine legal line that stalking app makers are dancing around.

The CEO of StealthGenie was indicted in October 2014 for developing and selling spyware, and subsequently fined $500,000.

The DOJ noted that StealthGenie’s CEO, Hammad Akbar, had admitted in emails that the company’s business plan involved explicitly targeting the “spousal cheat” market for his stalking app – and that seems to have been his downfall.

StealthGenie and mSpy are still in business, selling their spy apps openly online, but they market these apps for uses that might allow them to avoid breaking laws prohibiting the sale of spyware.

For example, the mSpy website describes its app as “monitoring software”:

mSpy is the most popular and user-friendly application for watching over your kids, preventing theft, and supervising your employees’ performance. Our mobile monitoring software runs on the target device to track all activity including call log history, GPS location, calendar updates, text messages, emails, web history, and much more! After following our easy, step by step instructions on how to create your own personal online mSpy account, you may log in to immediately begin viewing the tracked data.

In his legal case, the StealthGenie CEO’s defense denied any liability for illegal behavior and placed blame for stalking on whoever uses the app.

Laws against spyware and cyberstalking do prohibit users from surreptitiously tracking a non-consenting victim.

Recently, law enforcement in Germany, Switzerland and the UK made several arrests of users of a stalking app called DroidJack.

But DroidJack’s developers haven’t been arrested, and by operating in the shadows between what is legal and what is ethical, they are still in business.

Franken rightly says spyware apps like DroidJack, StealthGenie and mSpy pose a threat, including to victims of domestic violence and stalking, calling the use of these apps “unconscionable,” while noting that they are “perfectly legal” in the US.

Even if they’re legal in your jurisdiction, stalking apps are not something you want on your phone without your knowledge or consent.

Mobile security software will typically flag this sort of app so that you – or your network administrator – can decide whether it should be allowed or not.
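What “flagging this sort of app” looks like in practice is a triage over each installed app’s privilege footprint. The following is an added example, not code from the article, from Sophos or from any app vendor: it scores Android packages on the sensitive permissions the mSpy feature list quoted above implies (call log, GPS location, calendar, text messages, contacts, audio), plus two privilege indicators that covert monitoring apps commonly rely on, device-admin enrolment (which blocks casual uninstall) and an enabled accessibility service (which can read screen content). The input is a constructed, simplified excerpt in the style of `dumpsys package`, plus the device-admin set and the `enabled_accessibility_services` setting value; the package names, the weights and the threshold are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Android permissions matching the capability list mSpy advertises above.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call log history",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_CALENDAR": "calendar updates",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "ambient or call audio",
}

# Assumed weights: privilege indicators count more than any single permission,
# and the threshold is set so a chat app with a few data permissions but no
# persistence/screen-reading privileges is not flagged.
ADMIN_WEIGHT = 2
ACCESSIBILITY_WEIGHT = 2
THRESHOLD = 5

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


@dataclass
class AppInfo:
    package: str
    granted: set = field(default_factory=set)
    device_admin: bool = False
    accessibility: bool = False


def parse_dumpsys(text, admins, accessibility_services):
    """Build one AppInfo per package from a simplified `dumpsys package` dump.

    admins: package names enrolled as device admins (from `dumpsys device_policy`).
    accessibility_services: the colon-separated value returned by
    `settings get secure enabled_accessibility_services` (pkg/service entries).
    """
    svc_pkgs = {e.split("/")[0] for e in accessibility_services.split(":") if e}
    apps, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            current = AppInfo(pkg, device_admin=pkg in admins,
                              accessibility=pkg in svc_pkgs)
            apps[pkg] = current
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            current.granted.add(m.group(1))
    return apps


def score(app):
    """Return (points, reasons) for one app; higher means more stalkerware-like."""
    reasons = [SENSITIVE[p] for p in sorted(app.granted) if p in SENSITIVE]
    points = len(reasons)
    if app.device_admin:
        points += ADMIN_WEIGHT
        reasons.append("device admin (resists uninstall)")
    if app.accessibility:
        points += ACCESSIBILITY_WEIGHT
        reasons.append("accessibility service enabled (reads screen content)")
    return points, reasons


def triage(apps, threshold=THRESHOLD):
    """Map package -> (points, reasons) for every app at or above the threshold."""
    return {pkg: score(a) for pkg, a in apps.items() if score(a)[0] >= threshold}


# Constructed sample input; the package names are invented for this example.
SAMPLE_DUMPSYS = """\
Package [com.example.weather] (a1b2c3):
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.READ_SMS: granted=false
Package [com.example.sysupdate] (d4e5f6):
  runtime permissions:
    android.permission.READ_CALL_LOG: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.READ_CALENDAR: granted=true
    android.permission.READ_SMS: granted=true
    android.permission.READ_CONTACTS: granted=true
Package [com.example.messenger] (0f9e8d):
  runtime permissions:
    android.permission.READ_SMS: granted=true
    android.permission.READ_CONTACTS: granted=true
    android.permission.RECORD_AUDIO: granted=true
"""
SAMPLE_ADMINS = {"com.example.sysupdate"}
SAMPLE_ACCESSIBILITY = "com.example.sysupdate/com.example.sysupdate.WatchService"

if __name__ == "__main__":
    for pkg, (pts, why) in triage(parse_dumpsys(
            SAMPLE_DUMPSYS, SAMPLE_ADMINS, SAMPLE_ACCESSIBILITY)).items():
        print(f"{pkg}: {pts} points")
        for r in why:
            print(f"  - {r}")
```

Run against the sample, only the innocuously named “sysupdate” package is flagged: the messenger app holds three of the same data permissions but neither persistence nor screen-reading privileges, which is exactly the legitimate-use overlap the article describes, so a permission list on its own is a weak signal and the verdict still belongs to the user or administrator, not the script.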

Image of phone spying courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QAQscdO24Pc/