STE WILLIAMS

BadBIOS is back

The Federal Trade Commission (FTC) is the official consumer watchdog in the USA.

As you can imagine, the FTC is particularly interested in dodgy marketing practices.

These days, that doesn’t only involve accuracy and fairness, but also covers issues such as how personal information about potential customers is collected and used.

For example, in recent months, the FTC has acted against a range of online activities that it has deemed devious, deceptive or dishonest, such as:

Where next?

Today, the FTC is holding a workshop in Washington DC entitled Cross-Device Tracking.

Tracking you via your browser, or by means of a mobile app, is fairly straightforward, for example by setting a browser cookie, or using a unique identifier in the app.

Even if marketers don’t know who you are, they can target you more effectively with ads (or so they say, at any rate) if they know something about your interests and your product preferences.

And if they can feed you ads that are more likely to work, they can charge their customers more, and everyone is happier, including you (or so they say).

But tying together those identifiers between different devices is altogether more difficult.

You might have a cookie code of LNT67QTABZID in Firefox on your Windows laptop, but an advertising identifier of 13N5TSDFFYHT on your mobile phone.

To an online marketing company, that’s effectively two people – unless and until they figure out that the same person is denoted by both those codes.

Once they’ve done that, each code can stand in for the other, so both your laptop and your mobile activities can be tied back to you from then on.

Obviously, if you login to the same service as the same user on two different devices, that lets a service provider associate both those devices to you.

Likewise, a company might offer you a free service such as Wi-Fi, redeemed via a code that is SMSed to your phone, which lets them tie your laptop and phone together in future.

The FTC refers to this as deterministic tracking, because there is an explicit element to it, and there is at least some opportunity for you to give informed consent.

Probabilistic tracking

More worrying is so-called probabilistic tracking, where what you do and how you do it – such as device type, operating system version, screen resolution and IP number – is used to infer which devices probably have a common user.

As the FTC points out:

Such “probabilistic” tracking is generally invisible to consumers and, unlike tracking through cookies, the consumer has no ability to control it. Accordingly, this practice raises a number of privacy concerns and questions.

Inaccuracy is perhaps as much of an issue in systems of this sort.

A company could use all sorts of measurements, such as how you move your mouse, the way you type, and many other digital flourishes, as if they offered identification, not merely supposition.

And then, of course, they could sell on these unreliable “identifications” to third-party companies, where they might end up working against you in an almost Kafkaesque way.

BadBIOS is back

One of the most intriguing – and perhaps the most outlandish – techniques for cross-device tracking is mentioned in the public comment submitted to the FTC’s workshop by the DC-based Center for Democracy and Technology (CDT).

The CDT makes reference to an Indian company that claims to offer a TV-to-smartphone tracking system that works, if you can believe it, using ultrasound.

Just like the BadBIOS controversy from late 2013, which was supposed to be hardware-level malware that could steal data even across a so-called network “air gap,” such as the one that exists between the average TV and smartphone.

The idea is that you can use regular audio waves to transmit data between two computers that have no other sort of network connection.

In the early days of modems, this technique was quite common, using an acoustic coupler that played modem tones directly into the mouthpiece of a regular telephone to transmit data from a remote site.

But BadBIOS introduced a new twist: unlike a landline voice telephone, modern devices have loudspeakers and microphones that are capable of producing and recording sounds at frequencies beyond the range of a normal human ear.

In theory, then, or at least in the laboratory, even a computer (or a TV) with no LAN connection, no Bluetooth and no Wi-Fi could produce sounds that a co-operating device nearby could receive and interpret as data, and you wouldn’t be able to tell.

Unlike the telltale tones of a modem connection, such as you can hear in the jingle at the start of every Sophos Security Chet Chat podcast, high-frequency sounds may be “audible” to a mobile phone’s microphone, but undetectable to the human ear.

Ultrasound tracking

The company described in the CDT’s documents claims that its mobile app framework can detect ultrasonic data codes that you embed in the soundtrack of your TV ads.

The idea is that if a viewer’s phone is turned on, and in range of the TV, and they have one of your apps installed and running, you will be able to tell whether they saw your commercial.

You’ll even be able to tell whether they switched channels during the commercial, or fast-forwarded through it.

If they didn’t skip the commercial, of course, you still won’t know whether they actually watched it or not.

Unless – and who can say? – you have another app that can keep track of the viewer’s smart home devices and monitor water usage (e.g. a toilet flush) or power consumption (e.g. a kettle activation) to help you guess whether they used the commercial break for other household tasks.

As the CDT notes, the insidious aspects of this sort of tracking are that:

[The tracking company’s] policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice.

There’s nothing fundamentally wrong with tracking TV viewers’ habits, whether by explicit network feedback from a smart TV, or by audio feedback from a non-networked TV, provided that they know it’s happening, have agreed to it, and know they can withdraw that agreement at any time.

But just the mention of ultrasound, even without its memories of the BadBIOS story, and of mobile apps that secretly use your microphone to detect inaudible content, does have a whiff of deceit about it.

If mainstream apps – we’re thinking of Skype, Facebook and others – are willing to come clean about whether they use this sort of technology or not, we’ll be able to defeat this sort of tracking by deciding which apps we trust with our microphone.

So we await the outcome of the FTC’s workshop with interest!

Will it actually work? Can inaudible ultrasonic frequencies make it to a viewer via the compression used by digital TV, for example?

Audio compression saves bandwidth by throwing out the parts of the audio signal that don’t affect its clarity much, or even at all. Ultrasonic frequencies are an obvious candidate to be discarded altogether, because they have no effect on what a listener will hear. So broadcasters would, presumably, need to co-operate by using non-standard transmission encodings.

We’re sceptical about the practicability of this system, but it is at least theoretically possible, and thus well worth considering at the FTC’s workshop, if only because it raises important issues about consent.
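To make the two halves of that argument concrete, here is an added example (it is not code from the article, the CDT or the tracking company). It assumes a 48 kHz sample rate and uses a 16 kHz windowed-sinc low-pass filter as a stand-in for the band-limiting a lossy codec applies; the “soundtrack” is a constructed 1 kHz tone with an 18 kHz carrier mixed in. The detector side is the part a defender would actually want: a Goertzel scan of the near-ultrasonic band, which is cheap enough to run continuously on a phone and reports whether a buffer of microphone audio carries a clear carrier above the range of normal hearing. Run against the same signal before and after the codec-style filter, it shows that the carrier is trivially detectable in the raw audio and gone after band-limiting, while the audible content survives intact.

```python
import math

SAMPLE_RATE = 48_000     # Hz (constructed assumption: a common playback/capture rate)
FRAME_SECONDS = 0.1      # analysis window; 4800 samples -> 10 Hz bin spacing


def tone(freq_hz, amplitude=1.0, seconds=FRAME_SECONDS, sample_rate=SAMPLE_RATE):
    """Pure sine wave as a list of float samples."""
    n = int(seconds * sample_rate)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]


def mix(*signals):
    """Sum equally long signals sample by sample."""
    return [sum(values) for values in zip(*signals)]


def goertzel_amplitude(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Estimate the amplitude of a sinusoid at freq_hz with the Goertzel algorithm.

    Goertzel evaluates a single DFT bin |X[k]| in O(n), which is why it suits
    an always-on detector. For a sine of amplitude A exactly on a bin,
    |X[k]| = A*n/2, so A = 2*|X[k]|/n.
    """
    n = len(samples)
    k = round(freq_hz * n / sample_rate)          # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2  # |X[k]|^2
    return 2 * math.sqrt(max(power, 0.0)) / n


def ultrasonic_peak(samples, lo_hz=17_000, hi_hz=23_000, step_hz=250, sample_rate=SAMPLE_RATE):
    """Return (freq_hz, amplitude) of the strongest tone in the near-ultrasonic band."""
    best_freq, best_amp = None, 0.0
    freq = lo_hz
    while freq <= hi_hz and freq < sample_rate / 2:
        amp = goertzel_amplitude(samples, freq, sample_rate)
        if amp > best_amp:
            best_freq, best_amp = freq, amp
        freq += step_hz
    return best_freq, best_amp


def has_ultrasonic_beacon(samples, threshold=0.1):
    """Detector verdict: a carrier of at least `threshold` (full scale = 1.0) above hearing range."""
    return ultrasonic_peak(samples)[1] >= threshold


def lowpass_fir(samples, cutoff_hz, taps=101, sample_rate=SAMPLE_RATE):
    """Windowed-sinc (Hamming) low-pass FIR filter.

    Used only as a stand-in for a lossy codec's band-limiting: content above
    cutoff_hz is attenuated by roughly 50 dB, content well below passes at unity.
    """
    fc = cutoff_hz / sample_rate
    m = taps - 1
    h = []
    for i in range(taps):
        x = i - m / 2
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        hamming = 0.54 - 0.46 * math.cos(2 * math.pi * i / m)
        h.append(sinc * hamming)
    gain = sum(h)
    h = [c / gain for c in h]                      # unity gain at DC
    out = []
    for n in range(len(samples)):
        acc = 0.0
        for i in range(min(n + 1, taps)):
            acc += h[i] * samples[n - i]
        out.append(acc)
    return out


# Constructed signal: an audible 1 kHz tone (the "soundtrack") mixed with an
# 18 kHz carrier at 30% amplitude standing in for an embedded ultrasonic code.
BROADCAST = mix(tone(1_000, 1.0), tone(18_000, 0.3))
# The same signal after a codec-style 16 kHz band-limit.
AFTER_CODEC = lowpass_fir(BROADCAST, cutoff_hz=16_000)

if __name__ == "__main__":
    for label, sig in (("original", BROADCAST), ("after 16 kHz low-pass", AFTER_CODEC)):
        freq, amp = ultrasonic_peak(sig)
        print(f"{label}: 1 kHz amplitude {goertzel_amplitude(sig, 1_000):.3f}, "
              f"strongest ultrasonic {freq} Hz at {amp:.4f}, beacon={has_ultrasonic_beacon(sig)}")
```

The frame length is chosen so that every candidate frequency lands exactly on a DFT bin, which keeps the audible tone from leaking into the ultrasonic measurements; on real microphone audio you would window each frame and set the threshold from a noise-floor estimate rather than a constant.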


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ina8tYvrkII/

US Presidential race becomes Wi-Fi password snark battle

The tragi-comedy that is the extended US presidential election campaign has taken two turns into technological territory.

First, the trivial.

As reported by The Hill, last week’s debate among Republican candidates for the presidency offered the Wi-Fi password “StopHillary” to members of the press.

The Democratic debate on Saturday raised the tone by offering the password “13MillionNewJobs”, a reference to President Obama’s time in office.

From a technical standpoint, the Democratic password is more secure: it’s longer and mixes numerals and letters, getting it a little closer to the correcthorsebatterystaple ideal.

On the second and more serious note, leading Republican candidate Ted Cruz has announced an immigration policy that calls for a review of the United States’ H-1B visa. The H-1B visa is a Silicon Valley favourite, because it allows companies to bring in workers from offshore for up to six years.

Cruz wants to “suspend the issuance of all H-1B visas for 180 days to complete a comprehensive investigation and audit of pervasive allegations of abuse of the program.” Another Republican contender, Donald Trump, has pledged to legislate higher wages for H-1B workers so that the cost advantage to be had from bringing in workers from lower-paid countries diminishes. Neither Cruz nor Trump needs votes from India, but H-1B changes are not popular there, as they are seen as deliberately targeting Indian IT workers. Opponents counter that Indian companies enjoy an unfair advantage because they can bring their own staff to the United States on H-1Bs and therefore enjoy lower costs.

That the visa has become a political football is remarkable in itself, seeing as there’s only around 85,000 issued each year, a drop in the ocean of the US workforce. Yet with political “debate” happy to include Wi-Fi passwords, fights over small migration programmes shouldn’t surprise. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/us_presidential_race_becomes_wifi_password_snark_battle/

Drop the obsession with Big Data, zero days and just… help the business

Black Hat Europe Haroon Meer, founder of applied research company Thinkst, opened the Black Hat Europe conference last week with a keynote attacking the fashionable obsessions of the security business, including blind faith in Big Data and an obsession with zero-day vulnerabilities.

The keynote, entitled What Got Us Here Won’t Get Us There*, exhorted conference attendees to roll their sleeves up and focus on deliverables and assisting their businesses rather than aiming for an unachievable security nirvana using Big Data and other fashionable technologies. Security pros face big trouble on the horizon with a crisis of both relevance and confidence.

Security teams and budgets are larger, but this alone will not help unless priorities switch towards supporting the business with steady improvement instead of searching for the next great leap forward, according to Meer.

“We don’t know what’s going on but more data will fix it,” Meer told his audience. “Get as much data as we can and surely we can connect the dots. The [Edward] Snowden leaks disprove this.”

Likewise threat intelligence services, though of value to some, are not much use for the majority of organisations, Meer argued.

“There is a good argument for threat intel in limited cases but it doesn’t make sense for 90 per cent of people who are still dealing with 2003’s problems. The OPM [US government Office of Personnel Management] breach and Sony hack were about poor housekeeping, not about a lack of threat intel.”

Meer also criticised the infosec business’s “unhealthy obsession” with zero-day vulnerabilities. “Networks are getting compromised without zero days,” he pointed out.

Rather than focusing on the latest – hyped – technologies, businesses would do better to focus on attack mitigation technologies such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

“EMET is really useful,” Meer said. “Yes, it can be bypassed, but it will block a whole lot of attacks.”

Meer also highlighted honeypots as another effective, but unfashionable, technology as well as creating rather than buying effective security technologies.

“Busy work that doesn’t matter. We need to focus on therapeutic work,” Meer concluded, adding: “We should try lots of stuff because nothing we’re doing now is working.” ®


*The title of the talk was a reference to Marshall Goldsmith’s best seller What Got You Here Won’t Get You There.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/security_black_hat_europe_keynote/

Faux Disk Encryption: Mobile phone crypto not a magic bullet

Black Hat Europe Full-disk encryption on mobile devices is nowhere near as secure as commonly believed and Android offers less granular control than iOS, according to security researchers from NCC Group.

Daniel Mayer and Drew Suarez debunked some commonly held but inaccurate beliefs about smartphone crypto as well as presenting a comparison between iOS and Android during a presentation at last week’s Black Hat Europe conference in Amsterdam, The Netherlands.

The talk, Faux Disk Encryption: Realities of Secure Storage on Mobile Devices, peeled back a few realities known to those in computer forensics, if not those in the wider IT community – much less the general public. In particular, the talk highlighted some of the risks that arise from lost or stolen devices.

For one thing, crypto keys are kept in memory if a smartphone is running, which means that attackers with physical access to a target smartphone or tablet can recover its secrets. Although passcode-protected iPhones have robust permissions tied into hardware components, it might still make sense to protect data until it is read. That way attackers would have to enter a code to get access to that information, even if they got their hands on a running device.

Suarez explained that the fragmentation of Android creates additional mobile device encryption security risks over and above those found on iOS devices. A targeted device may not be fully patched. In addition, not all the boot processes on Android are signed. This makes it possible to backdoor Android firmware and plant it on a device, given physical access. The same risk does not exist on iPhones and iPads because code is signed.

The latest version of Android (Marshmallow 6.0) mitigates several of these risks so arguably the bigger risk is that many mobile application developers fail to take advantage of security protections built into Android. More than 50 per cent make mistakes in this category, according to Suarez.

This is important because in traditional browser-server applications, data tends to be stored on the server side, where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device, thus exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens that are typically longer-lived than those used by browser applications.

The loss or theft of a device, which grants an attacker physical access, might therefore be used to bypass security controls in order to gain access to application data. The research is far from theoretical. Mayer and Suarez told El Reg that lost smartphones are already causing problems for NCC Group’s clients.

The talk aimed to help mobile app developers better understand the risks and thereby take steps to secure app data, as well as debunking common misconceptions about full-disk encryption, which the researchers warned is not sufficient for most attack scenarios. More secure storage methods are available on both platforms and ought to be considered, even though they may incur some usability tradeoffs that mean they aren’t suitable in every case.

A white paper on the research can be found here (pdf). The researchers’ 70 page presentation, which digs much deeper into the problem, is here (pdf). A video of an earlier version of the talk, as delivered at Black Hat US, can be found here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/faux_disk_encryption/

Ex-GCHQ chief now heads up infosec firm’s advisory board

Sir Iain Lobban, the former chief of GCHQ, has joined a British company’s advisory council and has said he finds the prospect of a hands-on role “a scintillating proposition”.

Glasswall Solutions formally launched on Friday. The company’s big claim is that, accepting that “94 per cent of all successful attacks start with files and documents attached to emails”, its in-house tech will simply destroy and rebuild – to developers’ standards – all of the potential phishing attacks thrown at companies’ employees.

Glasswall breaks down every file to byte level, searching only for ‘known good’ and matching the files against manufacturers’ standards. A fully-compliant, completely clean file is regenerated in real-time, giving businesses total confidence in security.

That patching Adobe applications has become a regular feature in to-do lists will be a detail brushed under the carpets of history, according to Stan Black, who told The Register that the company’s tech meant unstructured data zero-days “didn’t exist anymore”.

The advisory council is headed by Sir Iain, and has the former Microsoft senior director Ken Urquhart on board as scientific advisor, along with Citrix CSO Stan Black as technology advisor. The big names in the council are expected to help the privately funded company achieve a $20m round of fundraising while dodging any VC investment.

In a canned quote, CEO Greg Sim said he is “honoured that Sir Iain will lend his expertise to Glasswall, as one of a group of extraordinarily talented and authoritative names in the industry that make up our very active board and advisory council.”

“Working with Glasswall is a scintillating proposition – a pioneering UK company showing the world how to incorporate security into best business practice,” said Sir Iain.

Glasswall claims its solution “is wholly effective in any organisation receiving files, typically via email, over which the vast majority of documents bearing malevolent macros are delivered. In Glasswall’s world, viruses and malware do not exist.” Time, as always, will tell. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/former_gchq_head_now_heading_cybersecurity_firms_advisory_board/

Next On Dark Reading Radio: A Cybersecurity Generation Gap

Millennials–especially young women–not pursuing careers in cybersecurity due to lack of both awareness and interest.

You’ve heard it over and over:  the embarrassment of riches in cybersecurity job openings that sit unfilled due to a lack of skilled talent for those gigs. Meanwhile, the number of women in the cybersecurity field remains static at an anemic 10% worldwide over the past two years. And don’t count on millennials to infuse fresh talent or diversity into the cybersecurity industry: a recent survey by Raytheon and the National Cyber Security Alliance (NCSA) found that 18- to 26-year-olds worldwide just aren’t pursuing careers in the field.

Young millennial women are less interested and informed about the field than millennial men, according to the report: 52% of millennial women say cybersecurity programs and activities aren’t available to them in school, while 39% of millennial men said the same. Only about half of millennial men are aware of what cybersecurity jobs entail, while just 33% of women are, the survey found.

Why aren’t young people drawn to this hot industry? The Raytheon-NCSA survey indicates they just aren’t getting the proper information in school. But another big hurdle is a lack of entry-level cybersecurity jobs, which limits young graduates’ opportunities in the industry.

Join me on the next episode of Dark Reading Radio, “Millennials The Cybersecurity Skills Shortage,” this Wednesday, November 18 at 1pm ET/10am PT, as we explore this conundrum with the experts:  Valecia Maclin, Raytheon’s program director for the Department of Homeland Security’s network security deployment division, and millennials Jennifer Imhoff-Dousharm, co-founder of the dc408 and Vegas 2.0 hacker groups, and Ryan Sepe, information security analyst at Radian Group Inc.

Register for the radio broadcast (it’s free) and live chat here

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/operations/next-on-dark-reading-radio-a-cybersecurity-generation-gap/a/d-id/1323158?_mc=RSS_DR_EDT

Don’t Toy With The Dark Web, Harness It

The Dark Web’s sinister allure draws outsized attention, but time-strapped security teams would benefit from knowing what’s already circulating in places they don’t need Tor or I2P to find.

High-profile data breaches are once again thrusting the Dark Web into the spotlight, spurring security professionals online to better understand how these conversations might be relevant to the security threat to their organizations. But this renewed – and, in some cases, potentially unhealthy – interest has its own dark side.

To successfully harness the Dark Web as part of a complete threat intelligence program, organizations need to develop a keener understanding of the environment and how cyber criminals are leveraging it. Here are three common misconceptions:

Misconception #1: Almost all cybercrime takes place on the Dark Web.
For those who appreciate its risks and pitfalls, the Dark Web can be a great source for understanding threat actors and their techniques. However those who narrowly fixate on it are likely to be blind to more relevant threats and information sources existing elsewhere.

For example, in the past six months, security researchers at Digital Shadows observed nearly 3,000 instances of credit cards being offered for sale on the visible, surface web. Sites like Reddit and Pastebin — much easier to browse than the Dark Web’s corners — increasingly contain stolen account information.

Social media platforms likewise hold important clues; we’ve witnessed examples of drugs for sale on Instagram. Social media often contains vital clues as to the identity of would-be criminals. The Dark Web’s sinister allure draws outsized attention, but many time-strapped security teams would benefit from knowing what is already circulating in places they do not need networks such as Tor or I2P to find.

Misconception #2: Scouring the Dark Web is key to understanding my attack surface.
Researching the Dark Web can be a valuable activity for security professionals, but the reality is that this resource will not be relevant to all organizations. For example, large enterprises, particularly in the financial services industry, are more susceptible to having their customers’ credentials and card details sold in criminal marketplaces as this is readily monetized. These marketplaces exist in the dark, surface and deep webs. Alternatively, smaller organizations should instead look towards the surface and deep web, including social media and traditional search engine platforms, to understand their exposure and attack surfaces.

Search engines are also valuable tools for organizations that want a better understanding of their attack surface. Many files are indexed by search engines that should not be. These files are often exposed inadvertently by employees, suppliers or third parties, and hackers can harvest and exploit them either as part of hostile reconnaissance or bundled together and branded as a data breach. Sensitive information, such as email addresses and embarrassing information on employees and technology, can be found on social media and leave an organization exposed. Spoof LinkedIn profiles, over-sharing, and misconfigured privacy settings are all exploited for attackers’ reconnaissance.

Misconception #3: There’s no harm in just poking around.
Not all content on the Dark Web is immediately accessible; it can take considerable time, expertise and manual effort to glean useful information. More importantly, impromptu Dark Web reconnaissance can inadvertently expose an organization to greater security risks because of unknown malicious files that can infiltrate the corporate network.

Additionally, several criminal forums on the Dark Web utilize a “vouching” system, similar to a private members club, that might require an investigator to commit a crime or at least stray into significantly unethical territory to gain access to the content.

Lastly, while it can be tempting to download files pertaining to purported breaches, you should be mindful that taking receipt of stolen goods is a felony in the United States (18 U.S.C. § 2315) and can leave you exposed. Beyond that, your activities may disrupt the legitimate work of legal authorities engaged in enforcement actions.

At the end of the day, there are many legitimate purposes for harnessing the Dark Web, but only when security teams take steps to empower their efforts, not endanger them. To cover the basics, organizations should:

  • Have essential security tools and procedures in place to safeguard data.
  • Understand threats compromising peers and the weaknesses these may reveal in your company.
  • Search the public and deep web to observe how hostile threat actors perceive your organization.
  • Discover where your key information assets, employee credentials or other sensitive documents are being exposed online.
  • Weigh the benefits and enhanced protection from the intelligence you gather against the impact on your limited information security resources.

James Chappell has over twelve years of technical information security experience, acting as an advisor to large private sector and government organizations. Much of his work has involved counteracting the growth of crime and fraud in computer networks and developing …

Article source: http://www.darkreading.com/vulnerabilities---threats/dont-toy-with-the-dark-web-harness-it/a/d-id/1323078?_mc=RSS_DR_EDT

Google wants to add ‘not encrypted’ warnings to Gmail

Google is getting ready to alert Gmail users when messages are received in the clear instead of encrypted, in response both to slow adoption of encryption by some hosts, and apparent hostility to encryption in some countries.

Seven countries – Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho – should be regarded as dangerous places to send e-mails to, according to Google’s research.

In all of those cases, “STARTTLS stripping” – forcing the sending machine to skip encryption and degrade the communication to plain text – results in more than 20 per cent of messages arriving without protection.

Most of them are in the twenties, from Lesotho (20.25 per cent) to Iraq (25.61 per cent), but Tunisia is a standout: it degrades e-mail communications back to clear text in 96.13 per cent of cases.

As readers will remember, the world is just catching up with the idea that e-mail security is lagging far behind our use of encryption for other services.

Google’s multi-year project, published by the Association for Computing Machinery, comes to a similar conclusion: there’s a long tail of servers that aren’t keeping up with the need to encrypt.

And there are a lot of such machines out there, the research finds: “best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35 per cent successfully configure encryption, and 1.1 per cent specify a DMARC authentication policy”, the research states.

“This security patchwork — paired with SMTP policies that favor failing open to allow gradual deployment — exposes users to attackers who downgrade TLS connections in favour of cleartext and who falsify MX (mail exchanger) records to reroute messages.”

The MX record is a DNS entry indicating where to send messages for a particular target domain. The worst offender in terms of fake MX records was Slovakia, followed by Romania, Bulgaria, India, Israel, Switzerland, Poland and Ukraine.

“Whether malicious or well-intentioned, STARTTLS stripping and falsified DNS records highlight the weakness inherent in the failopen nature and lack of authentication of the STARTTLS protocol.”
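The fail-open behaviour the researchers describe is a policy choice on the sending side, and it can be shown in a few lines. The following is an added example, not Google’s code or anything from the paper: it parses a multi-line SMTP EHLO reply, reports whether the server advertised STARTTLS, and decides what a sending mail server does when it did not, under the protocol’s default opportunistic policy (fall back to cleartext) and under a fail-closed policy (defer the message). The two EHLO replies are constructed; in the second the STARTTLS keyword has been overwritten with a placeholder, which is how stripping by a middlebox shows up to the client. A small helper also computes the share of replies without STARTTLS across a batch, the kind of per-destination figure the article quotes.

```python
"""Fail-open versus fail-closed handling of an SMTP EHLO reply (example code)."""

# Constructed EHLO replies. The first advertises STARTTLS; in the second the
# keyword has been overwritten in transit (placeholder X's stand in for
# whatever a stripping middlebox emits).
EHLO_WITH_STARTTLS = (
    "250-mx.example.test greets client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_STRIPPED = (
    "250-mx.example.test greets client\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into {EXTENSION: parameters}.

    Every line of a successful reply starts with 250: continuation lines use
    '250-' and the final line '250 '. Anything else is treated as a failed
    EHLO and yields an empty dict, so an error can never be mistaken for a
    server that merely lacks TLS.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not all(ln.startswith("250") for ln in lines):
        return {}
    extensions = {}
    for line in lines[1:]:                 # lines[0] is the server greeting
        body = line[4:].strip()            # drop '250-' or '250 '
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def starttls_offered(reply):
    """True only if the server explicitly advertised STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def delivery_decision(reply, require_tls):
    """What the sending MTA does next.

    require_tls=False is the protocol's default, opportunistic behaviour:
    no STARTTLS means degrade to cleartext (fail open). require_tls=True is
    the fail-closed policy: keep the message queued rather than degrade.
    """
    if starttls_offered(reply):
        return "encrypt"
    return "defer" if require_tls else "plaintext"


def stripping_rate(replies):
    """Percentage of EHLO replies in a batch that did not offer STARTTLS."""
    if not replies:
        return 0.0
    missing = sum(1 for r in replies if not starttls_offered(r))
    return 100.0 * missing / len(replies)


if __name__ == "__main__":
    for name, reply in (("advertised", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        print(f"{name}: opportunistic -> {delivery_decision(reply, require_tls=False)}, "
              f"require TLS -> {delivery_decision(reply, require_tls=True)}")
    sample = [EHLO_WITH_STARTTLS] * 4 + [EHLO_STRIPPED]   # constructed batch
    print(f"replies without STARTTLS: {stripping_rate(sample):.2f}%")
```

Deferring is the right fail-closed action because SMTP already retries queued mail for days, so a transient middlebox fault costs latency rather than confidentiality; tracking the stripping rate per destination is what turns isolated deferrals into the kind of evidence the Google research reports.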

There’s good news in the research, however: between December 2013 and October 2015, the proportion of encrypted e-mails Gmail received from non-Gmail addresses nearly doubled, from 33 per cent to 61 per cent, and the proportion of outgoing Gmails using TLS rose from 60 per cent to 80 per cent.

More than 94 per cent of inbound messages to Gmail use some form of authentication, the post notes.

Google’s post discussing the research is here, and the paper is here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/google_wants_to_add_not_encrypted_warnings_to_gmail/

More POS malware, just in time for Christmas

Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break.

The Cherry Picker and AbaddonPOS malware, exposed in the last week, are the latest evolution in stealthy and capable point of sales credit and debit card plundering.

Cherry Picker has been targeting retail businesses since 2011 and now sports new anti-analysis tricks, persistence mechanisms, and better card ripping functionality.

Trustwave researcher Eric Merritt says the malware is expert at wiping evidence of itself after an attack has occurred, overwriting files multiple times and removing data exfiltration locations.

The memory-scraping malware runs on Windows platforms including Windows 7 and the hard-to-kill XP, running remote administration services.

It targets retailers in the food industry running any POS software.

Proofpoint’s contribution to the bad news was its description of the Abaddon point of sales malware, which also sports anti-analysis, obfuscation, and wiping tricks.

The researchers found AbaddonPOS on seven client networks, where it had been delivered after a Vawtrak infection.

“On October 8, Proofpoint researchers observed Vawtrak downloading TinyLoader … which then downloaded AbaddonPOS,” the researchers say.

“The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice,” the researchers say.

“While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cybercriminals ample reason to maximise the return on their campaigns.”

PoS malware will be further challenged as the United States deploys EMV credit card technology, notably when crucial PIN features are used in place of antiquated signatures. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/more_pos_malware_just_in_time_for_christmas/

MetroPCS patches hole that opened 10 million user creds to plunder

T-Mobile has crushed a bug in subsidiary MetroPCS that could have allowed attackers to steal details on any of its 10 million customers, according to reports.

Cinder researchers Eric Taylor and Blake Welsh say the vulnerabilities were simple to exploit up until a patch was dropped.

Motherboard exploited the vulnerabilities using a Firefox plugin that sent an HTTP request containing the target’s phone number.

That spat out full names, home addresses, phone model and serial numbers, and billing details of those who agreed to be tested as part of the research.

A script could have been easily written to harvest the MetroPCS database, the pair say.

Neither the researchers nor Motherboard described the vulnerability in detail, but such vulnerabilities are unfortunately common across large and prominent organisations.

It was compared to the 2010 vulnerability in Apple discovered by Goatse Security which exposed thousands of Apple iPad users. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/metropcs_patches_hole_that_opened_10_million_user_creds_to_plunder/