STE WILLIAMS

Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands

IPB The UK government’s bid to massively ramp up surveillance of Brits’ online activity is due to land imminently in the form of the draft Investigatory Powers Bill.

It’s not the first time, though: successive UK governments have gone through a series of aborted attempts to legislate for the bulk collection of Brit netizens’ data. But each time they have failed. This time, though, things could be different.

First up, it’s worth casting your mind back to this passage from the Tories’ then-Coalition partners, the Liberal Democrats (remember them?), back in November last year when IP address-matching powers for police and spooks were briskly waved through Parliament in the form of the Data Retention and Investigatory Powers Act.

This is exactly the kind of thing that we need to take action on, rather than proposing an unnecessary, unworkable and disproportionate Snoopers’ Charter. There is absolutely no chance of that illiberal Bill coming back under the Coalition government – it’s dead and buried.

Sorry to go all pantomime on you all, but, “Oh no it’s not!” As we’ve long written here in these pages, the surveillance plan never really went away.

In fact, the Tories have been playing the long game, having said back in 2010 (PDF) that they wanted to store and acquire internet and email records by June 2015.

The Home Office missed that deadline but will it now get its way, at long last?

Meanwhile, Home Secretary Theresa May and her minions have been doing their best to spin the government’s proposed law in a positive light before it has even been perused by parliamentarians, with Whitehall sources muttering to the nationals about judicial safeguards.

And, before the Tories came to power with the Lib Dems in 2010, Labour had been attempting to bring in its Interception Modernisation Programme.

IMP – which was supposed to help security services monitor difficult-to-tap tech such as peer-to-peer communications – limped on to a shelf to gather dust, following criticism from civil liberty groups in the UK.

With the arrival of May as Home Sec, British netizens faced yet another Snoopers’ Charter, this time dubbed the Communications Capabilities Development Programme (CCDP), at the cost of £1.8bn to the public purse over the course of 10 years.

CCDP morphed into the draft Communications Data Bill, but it failed to pass muster with politicos and peers, who labelled the plans far too sweeping, misleading and suspicious.

If the spin coming out of the Home Office and GCHQ over the last few weeks is to be believed, then none of us have anything at all to fear about the draft Investigatory Powers Bill.

May has said that spooks, police and other public sector authorities won’t “go through people’s browsing history”. She’s also confirmed that inadequate encryption will be left well alone. Encryption that actually works, on the other hand … Well, it will all soon become very clear, won’t it? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/licence_to_snoop_investigatory_powers_bill/

Firefox 42 … answer to the ultimate question of life, security bugs and fully private browsing?

Mozilla has released Firefox 42 and Firefox ESR 38.4, which include fixes for worrying security vulnerabilities in the web browser.

The November 3 update squashes at least three bugs that can be potentially exploited to achieve remote code execution.

Two Mozilla engineers, Tyson Smith and David Keeler, uncovered two flaws (CVE-2015-7181 and CVE-2015-7182) in NSS, a toolkit used by Firefox to encrypt web traffic over SSL/TLS.

By exploiting “a use-after-poison and buffer overflow in the ASN.1 decoder,” a malicious HTTPS website can potentially inject arbitrary evil code into the connecting browser and execute it, it appears. That seems a particularly neat way to install malware on PCs.

These programming blunders are fixed in NSS versions 3.19.2.1, 3.19.4, and 3.20.1, which are used in Firefox 42 and Firefox ESR 38.4.

Other applications that use the open-source toolkit for encrypting internet traffic must be rebuilt with a non-vulnerable version of the libraries, and pushed out to people to install.

Meanwhile, Google security engineer Ryan Sleevi found an integer overflow bug (CVE-2015-7183) in NSPR, which is a component of NSS. The code can be exploited to potentially execute arbitrary malicious code in the browser.

Mozilla has also squished three possible remote-code execution bugs (CVE-2015-7198, CVE-2015-7199 and CVE-2015-7200) in the ANGLE graphics library’s handling of SVG files. The programming cockups were reported by security researcher Ronald Crane. “These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them,” Team Mozilla notes.

A set of scary looking flaws (CVE-2015-4513 and CVE-2015-4514) deep within the browser engine have also been fixed. “Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Moz admitted.

The bug-squishing round also includes six fixes for vulnerabilities that could allow sensitive information to be collected without permission, and nine other security issues rated as “moderate” or “low” risks.

As well as these patches, Firefox 42 has a handful of new features such as “tracking protection” in private-browsing mode that stops websites from identifying and tracking you with analytics software as you surf across the web.

“When you browse the web, you can unknowingly share information about yourself with third parties that are separate from the site you’re actually visiting, even in Private Browsing mode on any browser,” wrote Firefox product vice president Nick Nguyen on Tuesday.

“Private Browsing with Tracking Protection in Firefox for Windows, Mac, Android, and Linux actively blocks content like ads, analytics trackers, and social share buttons that may record your behavior without your knowledge across sites.”

Nguyen claims Chrome, Safari, Microsoft Edge and Internet Explorer allow websites to follow users as they browse from site to site, even in incognito mode. This is something that Firefox no longer allows – if tracking protection is enabled, of course.

The WebRTC and Login Manager components have also been updated and the browser tab view now includes an indicator icon and mute option for pages that automatically play audio. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/mozilla_patches_up_firefox_flaws/

XSS vuln found in Cisco’s social support software

Mining social media to protect your brand is a great idea, unless the tool you use becomes an attack vector.

That’s the slightly embarrassing bug Cisco’s just reported in its SocialMiner 10.0(1) product: its WeChat page is open to cross-site scripting.

It means some unfortunate support staffer who’s not paying close attention to what they’re receiving could get tricked into clicking a malicious link.

SocialMiner is yet-another “brand management for social media” application – in other words, if Foobar Inc sees unfavourable mentions or a call for help on a social network, the software will tell someone to respond. Preferably before anything looks like going viral.

Cisco’s advisory states: “The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by convincing the user of the affected device to follow a malicious link or visit an attacker-controlled website.

“An exploit could allow the attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user.”

While it only has a relatively low CVSS score of 4.3, there’s no fix as yet, nor are there workarounds.

However, it’s probably not a wonderful look in China, where WeChat has about half a billion users under its “Weixin” brand, and in addition to its Twitter-like micro-messaging, the app is used for payments, video-messaging, taxi bookings and other things. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/ciscos_lesson_in_social_support_dont_ship_vulns/

‘Anonymous’ says anonymous KKK dump wasn’t from Anonymous

The plan to out members of the Ku Klux Klan hatched by persons using the name and iconography of online activist collective “Anonymous” (PUTNAIOOACA) isn’t going well.

As we reported last week, PUTNAIOOACA peeps posted a Pastebin page in which they threatened to expose members of the KKK.

Just such a list has since appeared, but we shan’t link to it, as it mentions elected officials whose lawyers we’d rather avoid.

After news of the list hit the intertubes, @Operation_KKK, the Twitter handle behind the original pledge to out Klan members, posted this Tweet.

November 5? Yes, that is Guy Fawkes’ Day, which features rather prominently in the Alan Moore and David Lloyd graphic novel V For Vendetta.

Let’s also parse the tweet a little further, because it shines a little light on what looks to be another PUTNAIOOACA faction trying to clamber aboard @Operation_KKK’s effort. What a way to run an insurrection. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/anonymous_says_anonymous_kkk_dump_wasnt_from_anonymous/

Password reset invoked after vBulletin.com forum software site defaced

The official website of vBulletin.com forum software has hit the big red password reset following a breach by hackers that exposed the IDs of hundreds of thousands of users.

A hacker claimed he had made off with a combined 480,000 records after an attack that led to the defacement of vBulletin.com and a reported hack against Foxit Software’s forum, both supposedly pulled off using the same zero-day vulnerability.

vBulletin.com was taken down for maintenance in the immediate aftermath of the attack, which took place on Saturday, 31 October (Halloween, ooooh).

vBulletin.com has since returned online, seemingly not much the worse for wear, to claim the attack, though “sophisticated”, had been limited to the potential exposure of “customer IDs and encrypted passwords”.

Even though this might be enough in itself to actually hack into accounts, vBulletin.com has applied a precautionary reset, as a statement (extract below) by a vBulletin support manager explains.

We take your security and privacy very seriously. Very recently, our security team discovered a sophisticated attack on our network.

Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.

We have taken the precaution of resetting your account password.

We apologize for any inconvenience this has caused but felt that it was necessary to help protect your account.

A hacker using the handle “Coldzer0” claimed responsibility for the assault before dumping what purports to be user data. The dump was pulled offline by Tuesday afternoon. However, screenshots of the dumped data suggest names, email addresses, security questions and answers, and password salts were all exposed.

El Reg has requested clarification of what exactly was exposed and how the attack was carried out from vBulletin.com’s US West Coast PR team. We’ll update this story as and when we hear more.

Coldzer0 reportedly claimed to have exploited a zero-day vulnerability affecting vBulletin.com to pull off the attack, a suggestion some at least are taking seriously.

Coldzer0 claimed he hacked Foxit Software’s forum using the same exploit he used against the vBulletin.com forum software site itself, according to databreaches.net, a site that has set itself the ever expanding task of chronicling data breaches.

El Reg is yet to see anything solid to substantiate this point and using a zero-day to pull off a defacement seems rather a waste, given the lucrative black market for exploits, not to say something close to overkill.

It seems the hacker involved, or someone he’s very cleverly setting up for a fall, may have bragged about his exploits on YouTube and a personal Facebook page before the content was pulled (but after screenshots were taken, so too late).

A purported vBulletin 5.x.x remote code execution 0day exploit was offered for sale on Monday, seemingly by the same hacker that pwned vBulletin.com.

sql injection vulnerability, you can upload shell and remote execute Today I am hacked vbulletin.com, You can buy 0day today ;) http://www.vbulletin.com/forum/content.php/813-Recovering-a-hacked-vBulletin-Site

The whole sequence of events is odd. A breach against the vBulletin.com forum software site took place, but how it was effected remains far from clear, aside from the implication that the long-term web security nemesis, SQL injection, played a central role in the security flap.

“Looks like it started as an SQLi and then they used shell access to deface the site,” said Reg reader Dillon L, the person who gave us the heads up about the breach.

Sites running vBulletin forum software getting hacked is, sadly, a not infrequent occurrence. The home base getting turned over is a bigger deal and the unproven suggestion that an unpatched bug in vBulletin might be involved only adds to the unease. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/vbulletin_forum_software_hacked_defaced/

Genome researchers hit back at infosec bods’ ‘network vuln’ claims

The Global Alliance for Genomics and Health has downplayed vulnerabilities found in its genome-sharing network by two Stanford researchers.

Carlos Bustamante and Suyash Shringarpure, postdoctoral scholars in genetics at Stanford, had raised concerns about The Beacon Project’s security in a paper which showed the triviality of re-identifying individuals whose data was held on it.

However, the Global Alliance for Genomics and Health (GA4GH), responsible for running the network, has said that re-identification of individuals is only possible in the “exceptional scenario” where an attacker already has access to their victims’ genome – or that of a close relative – and as such was not a vector for further malicious action.

Hackers’ access to their victims’ genome sequence could be provided “directly from your saliva or other tissues, or from a popular genomic information service”, according to Stanford’s initial statement. The vulnerabilities disclosed would allow a hacker possessing such info “to see if [their victims] appear in a database of people with certain medical conditions, such as heart disease, lung cancer, or autism.”

“The human genetics community needs robust protocols that enable secure sharing of genomic data from participants in genetic research” stated the researchers, whose paper titled “Privacy Risks from Genomic Data-Sharing Beacons” was published in The American Journal of Human Genetics last Thursday.

Through simulations, we showed that in a beacon with 1,000 individuals, re-identification is possible with just 5,000 queries. Relatives can also be identified in the beacon.

Re-identification is possible even in the presence of sequencing errors and variant-calling differences. In a beacon constructed with 65 European individuals from the 1000 Genomes Project, we demonstrated that it is possible to detect membership in the beacon with just 250 SNPs.

With just 1,000 SNP queries, we were able to detect the presence of an individual genome from the Personal Genome Project in an existing beacon.

Our results show that beacons can disclose membership and implied phenotypic information about participants and do not protect privacy a priori.

The paper additionally discussed risk mitigation through potential policies and standards. However, as GA4GH acknowledged in their response to the paper, anonymous pings of genetic beacons are still possible, increasing the attack surface for malicious adversaries to query the network.

Additionally, minimum beacon sizes, which would exponentially increase the resources an attacker needs to identify particular persons, are yet to be implemented. GA4GH stated:

In most contemporary circumstances, if someone has already obtained a person’s genetic sequence elsewhere, there is not much more information to be gained by learning that this sequence also appears in a Beacon database.

However, the organisation recognises that “it is possible to obtain, perhaps illegally, a person’s genome without other information”.

In those scenarios, learning that the genome is among those present in a specific institutional Beacon database could reveal sensitive information.

For example, if a database is almost exclusively associated with a known phenotype, discovering that an individual’s genome is in the database may allow inferences about the individual’s phenotype.

The organisation has stated that its mitigation efforts “adhere to the best practices outlined in the GA4GH Privacy Security Policy”, a good faith policy which allows organisations to implement their own risk-management programmes.

The Register has contacted GA4GH to request what time frame it has established for implementing these efforts and will update this article when and if we receive a response. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/03/genome_datasharing_network_hackers_vuln/

U.K. Bill Aims To Limit Use Of Encryption

Members of the British government are taking a stab at what members of the American government have also been attempting to push through.

Tomorrow, a bill limiting the use of encryption will be presented in the U.K.’s Parliament. The Investigatory Powers Bill would prohibit technology firms and cloud service providers — like Apple and Google — from allowing customers to encrypt data in a way that makes it impossible for the company itself to decrypt the data.

The bill would also require Internet companies to store customers’ Web browsing history for up to one year. The purpose of the bill is to ensure that law enforcement can access evidence on criminals and terrorists, who U.K. Prime Minister David Cameron said (according to The Telegraph) must not be given a “safe space” online.

Prime Minister Cameron’s comments are similar to statements made by Dan Conley, district attorney of Suffolk County, Massachusetts at a Congressional hearing earlier this year stating “what Apple and Google are doing is dangerous and should not be allowed to continue.”

Nevertheless, efforts to limit encryption have met resistance in the U.S. — even from others in government — and, according to The Telegraph, the Investigatory Powers Bill “is expected to face a tough route through parliament.”

See the full story at The Telegraph

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/cloud/uk-bill-aims-to-limit-use-of-encryption/d/d-id/1322975?_mc=RSS_DR_EDT

XCodeGhost Found Hiding In U.S. And In Apple iOS 9 Apps

Meanwhile, exploit broker Zerodium says it’s paid a $1 million bounty for a remote iOS 9 zero-day.

XCodeGhost — malware that snuck Trojanized iOS apps into the official App Store — mostly threatened iOS users in China, but now researchers at FireEye have also found XCodeGhost-infected apps hitting targets in the United States. They also unearthed a stealthier variant, XCodeGhost S, that has weaponized iOS 9 apps and can bypass static detection.

XCodeGhost, first discovered in September, was the first malware to show that non-jailbroken iOS devices could be compromised. Attackers created a malicious version of Apple’s application development software, Xcode, and uploaded it to Chinese cloud storage service Baidu Yunpan — a regional, third-party alternative to the Apple Store where download times are shorter for iOS and Mac developers in China. Then, innocent app developers used XcodeGhost to write apps and upload them to the official App Store, never knowing that those apps were malicious — over 4,000 apps in all.

Apple removed the compromised apps from the App Store. The command-and-control servers were taken offline — apparently voluntarily by the malware authors — but they could be hijacked by other threat actors, and researchers since have found that XCodeGhost is still in action.

Since most of the affected app developers were in China, most of the 4,000 infected apps were those popular in China, yet some are also “fairly popular” in the U.S. and have compromised American users, says Raymond Wei, FireEye’s senior director of mobile development.

In a four-week period, FireEye found 210 U.S. enterprises with infected apps, generating over 28,000 attempts to connect to command-and-control servers. The machines currently infected are mostly calling back to servers located in Germany (62%) and the U.S. (33%).

“The main point,” says Wei, “is that what was originally a threat in China is no longer just in China.”

In their investigation, FireEye also unearthed another variant, XCodeGhost S, which has been updated to Trojanize apps for iOS 9.

The variant was in operation at the same time as the original XCodeGhost, and Wei says the same malware authors were responsible for creating it, even if they aren’t responsible for its most recent activity.

On Sep. 19, two days after the original XCodeGhost began attracting attention in China, someone claiming responsibility for it tweeted an apology, using the account @XcodeGhost-Author, saying it was just a coding experiment to explore the potential exploitation of a loophole in Xcode to enable advertisement delivery.

But Hong Jia, a researcher at ThreatBook Labs, a threat intelligence start-up based in China, told DarkReading last month that she wasn’t convinced the apology was genuine — partly because the code had stealth capabilities that went beyond what the authors claimed it did.

XCodeGhost S’s stealth functions include the ability to bypass static detection tools by using character concatenation. Wei says that is making it more difficult for FireEye to find the apps infected with XCodeGhost S than the original variant. So far they’ve found two infected apps, but they expect to find more.

Now that this malware has been successful in cracking the Apple development environment’s walls of trust, will other attackers take the same approach?

“I think it’s possible, but I think it’s unlikely to be the same kind of tactic,” because of Apple’s swift action to block that sort of attack, Wei says. Regardless of the approach, however, app developers will always be a soft target, he says.

“The alert raised by FireEye is very important,” says ThreatBook Labs’ Jia. “[Users] should upgrade their iOS to latest version and upgrade the infected Apps as soon as possible to avoid being hijacked, which is not a difficult thing to do by hacker.”

Million-Dollar Bug Bounty

In other Apple news, intelligence contractor-slash-exploit broker Zerodium stated on Twitter that it paid out the $1 million bug bounty it promised for a remote iOS 9 exploit. The vulnerability is a browser-based jailbreak exploit.

Similar to Hacking Team, Zerodium sells zero-day vulnerabilities to government agencies to be used in offensive tools. Zerodium founder Chaouki Bekrar told The Register “We will first report the vulnerabilities to our customers, and we may later report them to Apple.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency.

Article source: http://www.darkreading.com/attacks-breaches/xcodeghost-found-hiding-in-us-and-in-apple-ios-9-apps/d/d-id/1322978?_mc=RSS_DR_EDT

Facebook finally changes real-name policy


Facebook on Friday finally changed the real-name policy that has made using the service difficult for drag queens, the LGBTQ community, Native Americans, those who use pseudonyms, and persecuted groups.

The Nameless Coalition, consisting of 75 human rights, digital rights, LGBTQ, and women’s rights advocates – including the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) – had penned an open letter (PDF) to Facebook, on October 5, 2015, explaining why the policy is broken and how Facebook could mitigate the damages it causes.

The coalition included an appendix to the letter that contained multiple stories of how people have been harmed by the real-name policy.

A few of many stories, excerpted from the appendix:

  • Journalists and human rights activists in Vietnam have been flagged en masse and forced to stop using pen names on Facebook. One user, a mother with two imprisoned sons, had largely used her account to campaign for their release from prison. In every case, Facebook asked the activists to verify their identities. To make matters worse, in several cases, when the activists submitted their identity documents, Facebook unilaterally altered their accounts to list their legal names, without consent or notice.
  • Facebook enforced the policy against a user known as Lily in December 2014, forcing her to use her legal name. Only two weeks later a man who had, two decades earlier, beat and sexually abused Lily sent her a private message. “My blood ran cold, I was sweating, and [having] heart palpitations opening the message.”
  • In the United States, Native American Dana Lone Hill was locked out of her account and repeatedly refused reactivation even after submitting multiple IDs, a library card, and a piece of mail showing her Lakota name. As one Native user points out, “I think that Facebook has to have no general knowledge of Native Americans or their surnames.”

On Friday, Facebook responded with its own letter.

Alex Schultz, Facebook’s VP for growth and internationalization, published a letter answering the coalition’s criticism and suggestions.

Schultz said that a Facebook team is now working on these changes and expects to test them in December:

  1. A reduction in the number of people asked to verify their name on Facebook, when they’re already using the name people know them by.
  2. Making it easier for people to confirm their name if necessary.

One thing at issue has been Facebook’s failure to provide technical details and documentation on the process of submitting identity information, including where and how it’s stored, for how long, and who can access it.

The Nameless Coalition had asked Facebook to provide users with the ability to submit the information using PGP or another common form of encrypted communication, so that their identity information would be protected during the submission process.

Done, Schultz said: going forward, IDs submitted to Facebook as part of the identity verification process will be encrypted when they’re temporarily stored on Facebook’s servers.

What’s more, Facebook’s ability to decrypt the IDs will expire after 30 days, and the IDs will be deleted shortly thereafter.
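The lifecycle described above, encrypted at rest with decryption that expires after 30 days and deletion shortly after, can be implemented by wrapping a per-document key under a service key and binding the expiry time into the authenticated metadata, so the window cannot be extended by editing a stored timestamp. The following Python sketch is an added example, not Facebook’s code (how Facebook actually implements this is not known from the article); it assumes a one-day purge grace period and uses an HMAC-SHA256 counter-mode construction from the standard library as a stand-in for a real AEAD such as AES-GCM.

```python
"""Time-limited decryptability for stored ID documents (constructed example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

DECRYPT_WINDOW = 30 * 24 * 3600   # article: ability to decrypt expires after 30 days
PURGE_GRACE = 24 * 3600           # assumption: "deleted shortly thereafter" = next day


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM so the
    # example runs without third-party packages. Not for production use.
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes) -> tuple:
    """Encrypt-then-MAC. `aad` (here: the expiry time) is authenticated, not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def open_sealed(key: bytes, nonce: bytes, ct: bytes, tag: bytes, aad: bytes) -> bytes:
    """Verify the tag (covering aad, nonce and ciphertext) before decrypting."""
    enc_key, mac_key = _subkeys(key)
    expect = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed: ciphertext or expiry metadata altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Record:
    expires_at: int
    wrapped_key: tuple   # per-document data key sealed under the KEK, AAD = expires_at
    body: tuple          # document sealed under the data key, AAD = expires_at


class IdDocumentVault:
    """Stores uploaded ID images; refuses decryption after the window, then purges."""

    def __init__(self, kek: bytes):
        self._kek = kek          # service key-encryption key (e.g. from an HSM/KMS)
        self._records = {}

    def store(self, doc_id: str, document: bytes, now=None) -> int:
        now = int(time.time() if now is None else now)
        expires_at = now + DECRYPT_WINDOW
        aad = str(expires_at).encode()
        data_key = os.urandom(32)
        self._records[doc_id] = Record(
            expires_at,
            seal(self._kek, data_key, aad),   # wrap the data key, binding the expiry
            seal(data_key, document, aad),
        )
        return expires_at

    def retrieve(self, doc_id: str, now=None) -> bytes:
        now = int(time.time() if now is None else now)
        rec = self._records[doc_id]
        if now >= rec.expires_at:
            raise PermissionError(f"{doc_id}: decryption window closed")
        aad = str(rec.expires_at).encode()
        # Tampering with rec.expires_at changes the AAD and fails the MAC on unwrap.
        data_key = open_sealed(self._kek, *rec.wrapped_key, aad)
        return open_sealed(data_key, *rec.body, aad)

    def purge_expired(self, now=None) -> list:
        """Delete ciphertext and wrapped keys once the window plus grace has passed."""
        now = int(time.time() if now is None else now)
        gone = [d for d, r in self._records.items() if now >= r.expires_at + PURGE_GRACE]
        for d in gone:
            del self._records[d]
        return gone

    def has(self, doc_id: str) -> bool:
        return doc_id in self._records
```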

More changes in the works include requiring people to provide additional information about why they’re reporting a profile.

As it now stands, it’s trivial for any Facebook user to file reports claiming that a fellow user is violating the real-name policy. Abuse reporters haven’t had to submit any evidence whatsoever to support their claims.

As the Nameless Coalition had pointed out, those reporting supposed abuse can “file as many reports as they wish, as quickly as they wish, allowing targeted reporting sprees” – including those targeting Vietnamese journalists and activists and many others in South and Southeast Asia and the Middle East.

In fact, it turned out that one, lone Facebook user was behind the mass-reporting of the accounts of drag queens, drag kings, transgenders and others in the LGBT community that in September 2014 had resulted in the account lock-outs of multiple performers.

Schultz said that changes to the real-name policy include a new process that will let people provide more information about their circumstances – information that Schultz said should help Facebook’s Community Operations team better understand individuals’ situations, including the reasons why people can’t confirm their names, and thus help the company to potentially make future changes.

These are substantive changes, but make no mistake, Facebook’s real-name policy isn’t going away.

Facebook will still require people to use the name that their friends and family know them by. It has no plans to change that, given that the company continues to stand by its belief that the policy helps make Facebook safer.

Schultz:

When people use the name others know them by, they are more accountable for what they say, making it more difficult to hide behind an anonymous name to harass, bully, spam or scam someone else.

In fact, when Facebook reviewed its reports from earlier this year, it found that bullying, harassment or other abuse is eight times more likely to be committed by people using names other than their own than by the rest of the Facebook community, Schultz said:

When profiles were reported to us and our reviewers asked the person to verify the name on the profile, our analysis showed that the people behind these inauthentic profiles were much more likely to be involved in some form of bad behavior.

Still, Schultz said, Facebook is well aware that the current process doesn’t work for everyone.

It’s a tough balancing act, he said, but the company is “deeply invested in making this better.”

I’ve seen first hand how people — including LGBT people — can be bullied online by people using fake or impersonating accounts. At the same time, I’ve walked with our head of Community Operations at Pride in San Francisco, and heard the feedback from the LGBT and other communities that our policy and tools aren’t enabling people to be their authentic selves on Facebook.

We also understand the challenges for many transgender people when it comes to formally changing one’s name. That’s why we’re making changes now and in the future, and will continue to engage with you and all who are committed to looking after the most vulnerable people using our product.

It’s a balance to get this right — we want to find a line that minimizes bullying but maximises the potential for people to be their authentic selves on Facebook.

One of the performers targeted in the reporting spree on the LGBT community in September 2014, Sister Roma, said in a Facebook post that she’s scheduled to meet with Facebook and reps from key LGBT organizations on Tuesday (Nov. 3).

Stay tuned, she said. But at this point, it’s looking like Facebook’s truly listening:

It looks like our hard work and protests are finally going to result in some tangible changes to the fake name reporting option.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PSlp7z_IeRQ/

Secret Apple iPhone zero-day exploit earns $1,000,000! Well, maybe…

A controversial hacking company recently ran a competition offering $3m for up to three click-to-own exploits against Apple’s iOS. The exploits would be sold on to “eligible customers” only.

The competition is now closed, but one exploit apparently met the grade and will earn $1,000,000.

We investigate: what “click-to-own” means, why exploits of this sort are valuable, and whether this sort of competition works for the greater good.

Whether you’re a cybercrook who wants to spread money-making malware

…or a warrant-wielding law enforcement agent trying to investigate a person of interest using surveillance software

…there are two techniques that stand above the rest for delivering your payload.

The big two are: open-and-own, and click-to-own.

They work just as the names suggest.

Invisibly-delivered exploits

Open-and-own means you can send your victims a believable-looking document: a pay slip, an invoice, even an innocent-looking research paper.

When they open it, the application crashes in such a way that a tiny program hidden in the booby-trapped document takes over.

Your victims probably won’t even notice, especially if you rig up the attack so that a second, completely genuine, document pops up instead.

And click-to-own is the same sort of thing, but using a web link or phone message.

Visit the page, view the content, and – pop! – in the background, a tiny program hidden in the booby-trapped web page takes over.

Indeed, whenever you install security updates that say something like “this fixes a remote code execution flaw in {your browser, the image file viewer, your word processor, the video player, the font rendering software}”, you are patching exactly the sort of bug that could be used for click-to-own or open-and-own.
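The shape of the bug behind both open-and-own and click-to-own is the same: a file or page parser trusts a size field that the attacker controls, copies that many bytes into a fixed buffer, and the overflow lets the bytes of the "tiny program" take over. The following is an added example, not code from the article or from Apple, using a constructed toy record format (one declared-length byte followed by text) that stands in for a real image, font or office-document parser. The vulnerable version is shown beside the hardened one so you can see exactly which missing checks turn a document viewer into a remote code execution vector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "document" format for this example (an assumption, not a
 * real file format): one byte of declared text length followed by that many
 * bytes of text. Real parsers for images, fonts and office files have the
 * same shape: an attacker-controlled length field next to a fixed buffer. */
#define TEXT_CAP 16

/* Open-and-own, before the fix: the length byte is trusted, so a record that
 * declares 200 bytes of text overruns the caller's 16-byte stack buffer. On
 * an unmitigated stack layout the excess bytes overwrite the saved return
 * address and redirect execution into attacker-supplied data; those bytes
 * are the "tiny program hidden in the booby-trapped document". */
int parse_record_vulnerable(const uint8_t *doc, size_t doc_len, char *text)
{
    if (doc_len < 1)
        return -1;
    size_t n = doc[0];            /* attacker-controlled, never validated */
    memcpy(text, doc + 1, n);     /* no check against TEXT_CAP or doc_len */
    text[n] = '\0';               /* also writes out of bounds when n >= TEXT_CAP */
    return (int)n;
}

/* Hardened: every attacker-controlled size is checked against both the
 * destination capacity and the input actually present before any copy.
 * Rejecting the record (-1) is the only safe answer to a bad length. */
int parse_record_hardened(const uint8_t *doc, size_t doc_len, char *text)
{
    if (doc == NULL || text == NULL || doc_len < 1)
        return -1;
    size_t n = doc[0];
    if (n >= TEXT_CAP)            /* must leave room for the terminator */
        return -1;
    if (n > doc_len - 1)          /* declares more text than the file holds */
        return -1;
    memcpy(text, doc + 1, n);
    text[n] = '\0';
    return (int)n;
}

/* Builds a constructed booby-trapped record: it declares far more text than
 * the buffer can hold and fills the payload with a recognisable marker byte
 * standing in for the attacker's code. Returns the record length, 0 on error. */
size_t build_booby_trapped_record(uint8_t *out, size_t out_cap)
{
    const size_t declared = 200;
    if (out == NULL || out_cap < declared + 1)
        return 0;
    out[0] = (uint8_t)declared;
    memset(out + 1, 0x41, declared);
    return declared + 1;
}

int main(void)
{
    const uint8_t benign[] = { 5, 'h', 'e', 'l', 'l', 'o' };   /* constructed */
    uint8_t evil[256];
    size_t evil_len = build_booby_trapped_record(evil, sizeof evil);
    char text[TEXT_CAP];

    printf("benign, vulnerable parser: %d\n",
           parse_record_vulnerable(benign, sizeof benign, text));
    printf("benign, hardened parser:   %d (%s)\n",
           parse_record_hardened(benign, sizeof benign, text), text);
    /* The vulnerable parser is deliberately NOT fed the evil record here:
     * that memcpy is the crash-and-take-over the attacker is counting on. */
    printf("evil, hardened parser:     %d (rejected)\n",
           parse_record_hardened(evil, evil_len, text));
    return 0;
}
```

The two extra lines in parse_record_hardened are the whole difference between "remote code execution flaw" and a harmless parse error; a patch note that says "fixes a remote code execution flaw in the image file viewer" usually describes exactly this kind of bounds check being added to code that already shipped.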

Click-to-own on iOS

One platform has been surprisingly resilient to this sort of attack in recent years: Apple’s iOS.

Apple has a triple reason for making it hard for you to “reprogram” your iPhone or iPad at all, let alone to do it with nothing more than a booby-trapped file or web page:

  • Security. Whatever you think of the company’s policy on commercial lockdown, Apple prides itself on the safety and security of iOS against malware, especially compared to Android.
  • Control. Apple doesn’t let partners make rival iDevices or derived operating systems, so Apple iDevices can only run iOS, and iOS can only run on iDevices.
  • Software sales. Apple doesn’t allow “off market” software. So iOS is locked down so that you can only shop at the company mall: the App Store.

The strictness of Apple’s lockdown has even led to a difference in vocabulary.

Users who take control of a locked-down Android device are said to have rooted it – slang for “getting admin-level access” (named after the admin account, called root).

But doing the same thing on iOS is jailbreaking, because it’s generally a lot tougher to do, by design.

Most iOS jailbreaks require physical access to the device, plus a cable connection, together with a fair bit of noticeable fiddling around – not the kind of thing that suits the average cybercrook or investigator.

The last click-to-own jailbreak for iOS was JailbreakMe back in 2011, against iOS 4.3.3 (we’re now at iOS 9.1), and once jailbreak holes are known, Apple typically patches them fairly quickly.

Enter Zerodium

Enter Zerodium, a recently-formed, controversial hacking company that offered up to $3,000,000 for jailbreak exploits.

Starting from 21 September 2015, the company offered to buy up to three full-on click-to-own iOS vulnerabilities for $1m each.

Zerodium’s founder is Chaouki Bekrar, formerly of controversial bug-finding company Vupen.

Vupen found and wrote exploits itself – with some conspicuous success, winning numerous prizes in the Pwn2Own contest.

The company also sold on exploits to customers that reportedly included the NSA, the German BND and epic-security-fail Italian hacking company Hacking Team.

Vupen closed earlier this year, and Zerodium opened up in its wake, calling itself a “vulnerability and exploit acquisition program,” rather than a team of bug finders.

Loosely speaking, then, Zerodium is pitching itself as an exploit broker: you sell them your exploit and they sell it on, presumably for a profit, to “eligible corporations and organisations.”

Officially, Zerodium says no more about its eligible customers than to describe them as an undisclosed list of “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”

Anyway, it seems that one of the $1,000,000 payouts has been claimed.

Unofficially, for now, the company is claiming via Twitter that:

Our iOS #0day bounty has expired; we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!

What now?

That’s hard to say.

If the exploit is real, and you’re one of Zerodium’s defensive-capability customers, you’ll no doubt want to tell Apple so that the company can work on an official patch.

But Zerodium’s offensive-capability customers won’t want you to tell Apple, because an official patch would close the hole for everyone.

Indeed, we’ll assume that your contract with Zerodium would prevent you telling Apple, thanks to some sort of NDA (non-disclosure agreement).

If so, that NDA could end up reducing your security rather than boosting it.

Oh, what a tangled web we weave, when first we practise to buy in security information that we can’t then use as we might reasonably need to…

Of course, this could all be smoke and mirrors.

As well-known security researcher Jonathan Zdziarski replied to Zerodium’s tweet:

Remember, unless the name gets publicly disclosed, it’s no more provable than a PR stunt.

Where do you stand on all of this?

Have your say in the comments below.

(Simply leave the name field blank if you wish to appear as Anonymous.)

Phone imagery courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9KpnXD0aHNQ/