STE WILLIAMS

Use Debian? Want Intel’s latest CPU patch? Small print sparks big problem

At least one Linux distribution is withholding security patches that mitigate the latest round of Intel CPU design flaws – due to a problematic license clash.

Specifically, the patch is Chipzilla’s processor microcode update emitted this month to stop malware stealing sensitive data from memory by exploiting the L1 Terminal Fault vulnerability in Intel’s silicon. The biz had released microcode in July that corrected the underlying problem mostly for server-grade CPUs; this latest fix now covers desktop processors.

Ideally, Intel’s CPU microcode is updated by the motherboard firmware during boot. However, manufacturers may be slow to emit patches, so operating system kernels can also push updates to the chipset during startup. Since microcode updated in this way is discarded every time the power is cycled, it is up to the firmware and OS to reapply the update as early as it can during the boot process.

Some people prefer to install microcode updates via their OS as it’s easy to do and avoids fiddling with firmware settings. Also, the patches are picked up during the usual monthly routine of fetching and installing operating system software updates. And some motherboard makers are slow to release fixes, leaving it to OS developers to roll out patches.

While Intel hoses down the industry with fixes for its design blunders, it is up to the maintainers of the various Linux distributions to take a good look at what Chipzilla has given the world, and then ship the code to users.

It is with the latest set of CPU microcode updates that things have come unstuck somewhat, for Debian at least.


Debian developer and kernel driver engineer Henrique Holschuh argued in a posting in Debian’s bug tracker that yes, packages containing Intel’s fixes are ready to go, but, no, they aren’t about to be sent out to the world due to a new end-user license file added by Intel to the archive.

The license prohibits, among other things, users from using any portion of the software without agreeing to be legally bound by the terms of the license. Debian, which is famously proud of its open approach to licensing, has taken a look at those terms, and concluded: nope, not having that. Not until the wording is mitigated.

And Intel has plenty of experience in mitigating things.

Other distributions have found ways to work around the problem. Gentoo, for example, will likely restrict mirroring of the software and get users to accept Intel’s license before proceeding. SUSE, Arch, and Red Hat are said to be OK with the fine print.

Why Intel felt the need to update the license is unclear. In a statement to The Register, Imad Sousou, corporate vice president and general manager of the Intel Open Source Technology Center, said it’s “not true” that Debian can’t distribute the microcode package.

“The license section 2, subsection (iii) grants rights needed for redistribution,” he said. “Specifically, ‘…distribute an object code representation of the Software, provided by Intel, through multiple levels of distribution.’”

El Reg has dropped Debian a line to find out if Intel’s response deals with its licensing concerns. Holschuh was not entirely clear why the license is a problem. In any case, the packages are being held up for Debian users, and so they’ll have to go down the firmware route to install the latest Intel CPU microcode. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/21/intel_cpu_patch_licence/

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV

A security vulnerability in “smart” power plugs can be exploited to infiltrate local computer networks.

The flaw, spotted in Belkin’s Wemo Insight smartplugs, would potentially allow an attacker to not only manipulate the plug itself, but also allow hopping to other devices connected to the same Wi-Fi home network.

Researchers at McAfee this week said they reported the remote code execution flaw, designated CVE-2018-6692, to Belkin in March.

The exploit stems from a buffer overflow in the Universal Plug and Play (UPnP) software the Wemo plug uses to connect to stuff via the Wi-Fi network, enabling the owner to do things like turn the plugs on and off with a smartphone or PC.

McAfee’s research team of Douglas McKee, Eoin Carroll, Charles McFarland, Kevin McGrath, and Mark Bereza found that when the flaw is abused to inject instructions into memory, the plug itself could not only be commandeered, but the UPnP service could also be accessed to send commands to other devices on the network, effectively making the plugs a network gateway for attackers.

“A smart plug by itself has a low impact. An attacker could turn off the switch or at worst possibly overload the switch,” the team explained.

“But if the plug is networked with other devices, the potential threat grows. The plug could now be an entry point to a larger attack.”

In this case, the team said, it was able to create a proof of concept that combined the Wemo security flaw with weaknesses in the Roku API application to send HTTP commands to the set-top box via the smart-plug.

“Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content,” the researchers explained.


“Smart TVs are just one example of using the Wemo to attack another device. With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk.”

The bug underscores the primary risk posed by IoT devices and connected appliances. Because they are commonly built by bolting on network connectivity to existing appliances, many IoT devices have little in the way of built-in network security.

Even when security measures are added to the devices, the third-party hardware used to make the appliances “smart” can itself contain security flaws or bad configurations that leave the device vulnerable.

“IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation,” the McAfee researchers wrote.

“However, these devices run operating systems and require just as much protection as desktop computers.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/21/mcafee_flaws_smartplugs/

Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug

Hackers claim to have grabbed the personal details of almost 20,000 bods who shopped online at Superdrug, the British cosmetics retailer has confirmed. Payment card details are not said to be among the haul.

The biz has emailed customers, El Reg can confirm, advising them of the “possible disclosure of your personal data, but not including your payment card information.”

“On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information,” the note from boss Peter Macnab stated.

“There is no evidence that Superdrug’s systems have been compromised. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website.”

The cyber villains alleged they had “obtained information on approximately 20,000 customers but we have only seen 386,” the chain added, leading us to believe this is a classic credential-stuffing stunt by the crooks. That’s when scumbags take passwords and usernames leaked from one website and use them to log into accounts on other sites, exploiting the fact people reuse their passphrases across various online services and profiles.
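One defender-side check for the credential-stuffing pattern described above, as an added example that is not from the article or from Superdrug: it flags source addresses whose login attempts touch many distinct accounts within a short window (the stuffing signature, as opposed to one account being hammered) and lists the accounts that succeeded so they can be reset. The log format, IP addresses and account names are constructed for the example.

```python
"""Credential-stuffing triage over web login logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample, one line per login attempt:
#   203.0.113.7  tries many different accounts once each  -> stuffing pattern
#   198.51.100.9 hammers a single account                 -> brute force, not stuffing
#   192.0.2.44   is a normal user who mistyped once
SAMPLE_LOG = """\
2018-08-20T21:03:11Z ip=203.0.113.7 user=alice@example.com result=FAIL
2018-08-20T21:03:12Z ip=203.0.113.7 user=bob@example.com result=FAIL
2018-08-20T21:03:12Z ip=203.0.113.7 user=carol@example.com result=OK
2018-08-20T21:03:13Z ip=203.0.113.7 user=dave@example.com result=FAIL
2018-08-20T21:03:14Z ip=203.0.113.7 user=erin@example.com result=FAIL
2018-08-20T21:03:15Z ip=203.0.113.7 user=frank@example.com result=OK
2018-08-20T21:03:30Z ip=198.51.100.9 user=grace@example.com result=FAIL
2018-08-20T21:03:31Z ip=198.51.100.9 user=grace@example.com result=FAIL
2018-08-20T21:03:32Z ip=198.51.100.9 user=grace@example.com result=FAIL
2018-08-20T21:03:33Z ip=198.51.100.9 user=grace@example.com result=FAIL
2018-08-20T21:03:34Z ip=198.51.100.9 user=grace@example.com result=FAIL
2018-08-20T21:03:35Z ip=198.51.100.9 user=grace@example.com result=FAIL
2018-08-20T21:10:00Z ip=192.0.2.44 user=heidi@example.com result=FAIL
2018-08-20T21:10:09Z ip=192.0.2.44 user=heidi@example.com result=OK
"""

# Assumed log line layout; adapt the pattern to the real login log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("ip"), m.group("user"), m.group("result") == "OK"


def detect_stuffing(text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: finding} for source IPs whose attempts touch at least
    min_accounts distinct accounts inside any single time window.

    A single account hit many times (brute force) is deliberately not flagged
    here; that needs a per-account rule, not a per-source one.
    """
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        per_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start, peak = 0, 0
        # Sliding window: advance `start` until the window fits, then count
        # how many distinct accounts the window covers.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({u for _, u, _ in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_accounts:
            findings[ip] = {
                "distinct_accounts": peak,
                "attempts": len(events),
                # Accounts the source logged into successfully: reset these first.
                "compromised": sorted(u for _, u, ok in events if ok),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG).items():
        print(ip, f)
```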

Customers’ names, postal addresses and “in some instances” date of birth, phone number and points balances “may have been accessed”, the email stated. The retailer advised customers to update their Superdrug.com password “now and on an on-going, frequent basis.”

Superdrug has contacted the cops and Action Fraud about the incident, and “will be offering them all the information they need for their investigation.” It is believed the miscreants contacted the retailer in hope of extorting money from the business in exchange for their silence.

A spokesperson for Superdrug was not available for immediate comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/21/superdrug_hackers_claims/

Ohio Man Sentenced To 15 Months For BEC Scam

Olumuyiwa Adejumo and co-conspirators targeted CEOs, CFOs, and other enterprise leaders in the US with fraudulent emails.

Chief US District Judge Janet Hall last week sentenced Olumuyiwa Adejumo to 15 months in federal prison for his role in a business email compromise scheme targeting organizations in the United States. His sentence will be followed by 3 years of supervised release.

Adejumo, also known by a slew of aliases, including “Ade,” “Slimwaco,” “Waco,” “Waco Jamon,” “Hade,” and “Hadey,” teamed up with co-conspirator Adeyemi Odufuye and others to target CEOs, CFOs, and other corporate leaders with fraudulent emails. Their messages were crafted to appear as though they came from the legitimate email addresses of business executives.

The actors sent fake emails with the goal of having recipients send or wire money to bank accounts they controlled. Investigators found they controlled multiple email and social media accounts related to the scheme; in some cases, they sent malicious attachments to targets.

Adejumo admitted his role in the scheme caused total losses exceeding $100,000 to at least three organizations. He was ordered to pay $90,930 in restitution.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/ohio-man-sentenced-to-15-months-for-bec-scam/d/d-id/1332614?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Clinging to TLS 1.0 Puts Sites Outside PCI DSS Compliance

More than half of organizations could be out of compliance, new research shows.

When an old protocol refuses to die, it can have a major impact on security — and cause an organization to fall out of regulatory compliance. Case in point: New research from Panorays shows more than half of organizations could be out of PCI compliance because they just can’t let go of TLS 1.0.

Panorays’ review of 1,150 organizations indicated that 52% use TLS 1.0 on all of their websites (a total of 29,000), while another 45% use TLS 1.0 on at least one site. PCI DSS requires organizations to replace TLS 1.0 with TLS 1.1 or 1.2. The older protocol has been shown to be more vulnerable to man-in-the-middle and other attacks than its replacements.

Among the reasons speculated for companies retaining TLS 1.0 on their websites are the need to take care of endpoint users with old browsers and applications that don’t support newer versions of TLS, and a lack of awareness of the PCI DSS requirements.



Article source: https://www.darkreading.com/application-security/clinging-to-tls-10-puts-sites-outside-pci-dss-compliance/d/d-id/1332625?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to Gauge the Effectiveness of Security Awareness Programs

If you spend $10,000 on an awareness program and expect it to completely stop tens of millions of dollars in losses, you are a fool. If $10,000 prevents $100,000 in loss, that’s a 10-fold ROI.

Back in 2013, I was perhaps one of the most visible defenders of awareness programs during a time period when many in the industry questioned the need for their presence as a security strategy at all. I still firmly defend awareness programs, and the arguments are still relevant.

To reiterate one of the stronger justifications: the measure of any countermeasure is if it provides a greater return on investment than what you are spending. If you spend $10,000 on an awareness program and expect it to completely stop tens of millions of dollars in losses, you are a fool. If that $10,000 prevents $100,000 in loss, it is a 10x return on investment.

On the other hand, most awareness programs are set up poorly. But just because a single firewall can be misconfigured and is, therefore, ineffective, it doesn’t mean that all firewalls are ineffective. The reality is that few organizations know how to implement awareness programs effectively. Awareness is not about throwing phishing simulations at people until they recognize the simulations or forcing them to watch videos. That may be a piece of it, but awareness requires an ongoing program of reinforcing desired behaviors, well beyond phishing.

However, the underlying problem is not that awareness programs are poor but that users exhibit behaviors that are insecure. The point of my recent article was that the most effective security awareness effort occurs when security professionals examine business processes and attempt to proactively prevent or mitigate the problematic behaviors. The article offers two methods for that: specifically defining behaviors in governance to eliminate options, and the implementation of technologies to remove, prevent, or mitigate insecure behaviors.

You can never downplay the importance of governance, which is more than simply placing documents on the shelf. Good governance should define specific actions that are implemented throughout the organization. While individuals may not follow defined procedures to the letter, if you do not have such defined procedures, harmful actions on the part of users are again your fault.

Ideally, technology prevents users from making insecure decisions, such as creating bad passwords or perhaps removing the need for passwords at all. The implementation of technology should be determined in the context of an organization’s business processes and the likelihood that the technologies will mitigate a user’s failures to properly implement governance.

I will continue to argue that defining user actions within business processes is as important as an awareness program. That is true with any security countermeasure. An effective awareness program is still critical, however. The ultimate goal of awareness is to reduce the loss from areas where governance and technology eventually will fail.



Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security.

Article source: https://www.darkreading.com/careers-and-people/how-to-gauge-the-effectiveness-of-security-awareness-programs-/a/d-id/1332589?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Sinkholes 6 Fancy Bear/APT28 Internet Domains

Operation appears to have disrupted early stages of an attack campaign using spoofed nonprofit, Senate, and Microsoft domains.

In a sign that US security experts and officials this election season are on high alert for potential Russian hacking and meddling during the midterms, Microsoft today revealed that it has taken over six potentially malicious Internet domains set up by the nation-state hacking team Fancy Bear, aka APT 28, Pawn Storm, and Strontium.

The sinkhole operation shutting down the domains appears to have disrupted the early stages of a possible cyberattack campaign. Microsoft president Brad Smith said there was no indication that the attackers had used the domains in any full-blown attacks, nor were they able to discern the actual targets Fancy Bear may have been after by using these domains.

The domains provide a sneak peek at some of the types of targets the Russian nation-state hacking team, which is believed to be the Russian military intelligence agency, GRU, was after: my-iri.org, a site posing as that of the International Republican Institute, a nonprofit with several high-profile politicians and government officials on its board, including Sen. Marco Rubio (R-Fla.) and Gen. H.R. McMaster; hudsonorg-my-sharepoint.com, which resembles the domain of the Hudson Institute, another conservative nonprofit that has sponsored events and written reports on Russian government corruption; and senate.group, adfs-senateservices, and adfs-senate.email, which appear to be spoofing US Senate websites and servers.

Microsoft also found and sinkholed a domain that hit a little too close to home: office365-onedrive.com, which the attackers appeared to be setting up to look like a legitimate Microsoft Office 365 domain.
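As an added example (not Microsoft Digital Crimes Unit tooling), a simplified triage heuristic for newly observed domains of the kind listed above: it flags names that combine a protected brand keyword with tokens typical of a spoofed enterprise login service, and skips domains the organisation actually operates. The brand keywords, service tokens and legitimate-domain allowlist are assumptions, and the registrable-domain helper ignores public-suffix rules.

```python
"""Lookalike-domain triage against protected brands (added example)."""
import re

# Assumed: which organisation each brand keyword belongs to.
BRAND_KEYWORDS = {
    "iri": "International Republican Institute",
    "hudson": "Hudson Institute",
    "senate": "US Senate",
    "office365": "Microsoft",
    "onedrive": "Microsoft",
    "sharepoint": "Microsoft",
}

# Assumed allowlist: domains the organisations actually operate are never flagged.
LEGITIMATE = {"iri.org", "hudson.org", "senate.gov", "office.com", "microsoft.com"}

# Tokens commonly bolted onto a brand to imitate an enterprise login/file service.
SERVICE_TOKENS = {"adfs", "my", "login", "sso", "mail", "sharepoint", "onedrive", "office365"}


def registrable(domain):
    """Rough registrable domain: second-level label plus TLD (no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def tokens(label):
    """Split a hostname label on hyphens/digits boundaries into alphanumeric tokens."""
    return [t for t in re.split(r"[^a-z0-9]+", label) if t]


def brand_hits(label):
    """Return [(keyword, organisation)] for brand keywords present in the label.

    Short keywords (under five characters) must match a whole token, so that
    "iri" does not fire on "spirit"; longer ones may appear as substrings, so
    "hudson" still fires on "hudsonorg".
    """
    toks = tokens(label)
    hits = []
    for kw, org in BRAND_KEYWORDS.items():
        if kw in toks or (len(kw) >= 5 and kw in label):
            hits.append((kw, org))
    return hits


def triage(domains):
    """Return {domain: finding} for domains that appear to impersonate a brand."""
    findings = {}
    for d in domains:
        reg = registrable(d)
        if reg in LEGITIMATE or d.lower() in LEGITIMATE:
            continue  # operated by the organisation itself
        label = reg.split(".")[0]
        hits = brand_hits(label)
        if not hits:
            continue
        svc = sorted(set(tokens(label)) & SERVICE_TOKENS)
        findings[d] = {
            "brands": sorted({org for _, org in hits}),
            "service_tokens": svc,
            # Brand plus a login-service token looks like credential phishing infra.
            "severity": "high" if svc else "medium",
        }
    return findings


# The domains named in the article plus constructed benign names.
SAMPLE = [
    "my-iri.org", "hudsonorg-my-sharepoint.com", "senate.group",
    "adfs-senate.email", "office365-onedrive.com",
    "hudson.org", "example.com", "spirit.example",
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE).items():
        print(name, finding)
```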

The sinkhole operation, which was engineered by Microsoft’s Digital Crimes Unit via a court order last week, is the twelfth time in two years that Microsoft has legally wrested control of phony websites set up by Fancy Bear. It has sinkholed 84 of Fancy Bear’s malicious websites in that timeframe.

“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France,” Smith wrote in the post.

Daniel Twining, president of the International Republican Institute, said in a statement that the organization had been targeted before, and had already been taking “proactive steps” for such attacks. “This latest attempt is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights. It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime,” he said.

The Hudson Institute said in a statement that the attack was likely to gather information, compromise, or disrupt its democracy-promotion programs – and namely its “initiatives to expose the activities of foreign kleptocratic regimes,” including Russia.

“Microsoft, working in conjunction with private, U.S.-based cybersecurity firms and American law enforcement agencies, detected this malicious campaign in its early stages, shortly after Russian hackers registered a fraudulent internet address designed to mimic a legitimate Hudson webpage and infect the computers of unsuspecting visitors with malware. The fraudulent internet address was successfully taken offline,” the nonprofit said. “This is not the first time authoritarian overseas regimes have attempted to mount cyberattacks against Hudson, our experts, and their friends and professional associates. We expect it will not be the last.”

Same Old Fancy Bear

Trend Micro, which like many security companies has been tracking Fancy Bear/APT 28/Pawn Storm for several years, says Fancy Bear’s tactics and targets mostly have remained consistent with its profile of the group published in an April 2017 report.

Mark Nunnikhoven, vice president of cloud research at Trend Micro, says the three Senate-spoofed domains Microsoft shut down were also identified by his firm earlier this year as those used by Fancy Bear.

It was around three years ago, according to Trend, that the nation-state group began to expand beyond pure cyber espionage. That shift was punctuated in 2016, when the Russian group hacked the Democratic National Committee (DNC) and leaked stolen information in an attempt to sway public opinion and the US presidential election in favor of Donald Trump.

“Pawn Storm is known for its sophisticated social engineering lures, efficient credential phishing, zero days, a private exploit kit, an effective set of malware, false flag operations, and campaigns to influence the public opinion, about political issues,” Trend Micro wrote in that report.

John Hultquist, director of intelligence analysis at FireEye, which has studied the Russian nation-state hacking group’s moves for several years, says Fancy Bear/APT 28 has long targeted think tanks and legislative bodies as part of traditional cyber espionage.

Free Security for Candidates, Campaigns, Nonprofits

Microsoft today also launched AccountGuard, a free cybersecurity service for federal, state, and local candidates and campaign offices, and think-tanks and political organizations that use Office 365. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” Smith said in the post today.

Among the services included in AccountGuard is detection and notification by Microsoft of attacks by nation-state or other groups, covering both corporate Office 365 accounts and the personal accounts of users who opt into the service.

“In this way organizations can get protection for high profile surrogates helping a campaign, board members of nonprofit organizations or volunteers who use their personal accounts to communicate,” Smith wrote. “Threat detection and notification will initially be available only for Microsoft services including Office 365, Outlook.com and Hotmail.”

Microsoft will also provide best-practices guidance, materials, and workshops covering, for example, threat modelling, secure coding, phishing awareness, and identity management. Organizations that register for AccountGuard also get early access to new Microsoft security features.



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/microsoft-sinkholes-6-fancy-bear-apt28-internet-domains/d/d-id/1332628?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Threats Increase in Internet Time

Cybercrime incidents and costs increase with each passing minute on the Internet.

A famous song from the musical Rent pointed out that there are 525,600 minutes in a year. A new report looks at just how much Internet evil can fit into each minute of the year, and it’s definitely not all about love.

It’s about the numbers inside the $1,138,888 in cybercrime costs incurred each minute that add up to $600 billion in damage each year, according to a February 2018 McAfee report on the impact of cybercrime. And the details of those numbers tell a story of growing risk due to a growing computer footprint, detailed in The Evil Internet Minute, a new infographic generated by researchers at RiskIQ.

“Some of it [the data] is based on reports from companies like McAfee and Gartner, but the research comes from our own systems,” says Yonathan Klijnsma, threat researcher at RiskIQ. He explains that RiskIQ builds large databases from information gathered by global data crawling and uses portions of that data to draw conclusions on individual threats and trends.

Those conclusions involve numbers that become almost mesmerizing as the time scales and dollar amounts change. For example, RiskIQ reports that four potentially vulnerable Web components are discovered each minute, which works out to more than two million such discoveries every year.

Klijnsma worries more, however, about active criminal activities such as the 0.07 Magecart incidents per minute (36,792 per year) that RiskIQ found. “People thought the Ticketmaster breach was a one-off based on Magecart, but it’s a credit-card skimming group,” Klijnsma says, referring to the June incident. Instead, he says, the group has taken the “classic” credit card skimmer attack and moved it from the gas pump and ATM to e-commerce sites.

The lesson for organizations from reports such as this? “You want it to be more expensive for the bad guys,” he says. “You need to keep your stuff updated. People tend to install things and forget about them,” Klijnsma says.

“Whatever’s online immediately starts to go out of date. If you leave it on the Internet, it will be out of date in a few months,” he says.

Beyond up-to-date software, he says, “One golden rule is limiting exposure. Nothing goes accessible online until it really has to.”



Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/how-threats-increase-in-internet-time/d/d-id/1332629?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The security changes you can expect in iOS 12

This fall – very likely in September – Apple will unveil the next major release of its mobile operating system, iOS 12. The beta version of iOS 12 has been available for a little while now, so I took it for a test and tried out some of the security-related changes we’ll see rolling out when it is released.

Safari stomps out social trackers

Apple has been making a point to position itself as taking user privacy seriously on a number of fronts. With the iOS 12 update, Safari takes a cue from a number of other browsers in slapping the hands of social media trackers and forcing them to stop tracking users.

From iOS 12, Safari will both stop advertisers from learning uniquely identifying information about the user’s phone, and stop sharing buttons and comment boxes from tracking users unless the user has opted in to interacting with those buttons and boxes.

This will prevent social media sites (read: Facebook) from keeping tabs on users when they’re not using the sites, and will also prevent advertisers from tracking phone users (to serve up highly-targeted ads, of course) while they’re going about their browser-y business.

Many browsers already had either built-in or add-on features for the privacy-minded, in some cases quite similar to what Safari will now offer – for example, Firefox’s Facebook Container add-on. A notable difference here is that these tracking protections will now be present in the browser by default, guarding the privacy of users who may not even have realized they were being tracked in the first place.

iOS can now update automatically

After installing iOS 12, your phone will reboot, and as with all major iOS updates, you’ll go through a brief initialization process. These are usually pretty similar – enter your iCloud credentials, and set up a passcode if you haven’t already (and you should). However, this time, a new feature stood out: Enable automatic updates for iOS.

Right now, users have to manually download and install each iOS update. Given all the incremental updates that roll out between major versions, this can be both burdensome to users and suboptimal for security reasons: Users who don’t install updates right away (or don’t know how) are missing out on updates that could protect them from active threats and attacks.

Apple will now put the option unskippably front and center for its iOS users as they run iOS 12 for the first time, with a big prompt to turn on automatic updates.

Users who have this option enabled will get a warning from their phone that a new update will install, as well as a notification after-the-fact that they’ve been brought up to date.

Credential AutoFill supports third-party password managers

Many of the updates in iOS 12 seem to indicate that Apple wants to make it easier for everyone to manage their passwords, even if they don’t want to exclusively use Apple products. Of course, their preference is that iOS users stick with Safari, so the bulk of these updates will only work when it is being used as the web browser.

That said, third-party password managers will be able to AutoFill credentials into apps and Safari via an API. So if you’re visiting a website and you know your (non-Apple) password manager of choice has the login credentials stored, you would no longer need to do a somewhat annoying switch-back-and-forth, cut-and-paste dance to grab the username and password between your app or browser and your password manager. Instead, the password manager will work much like it does in your desktop browser: Safari will show an option to auto-populate your credentials from your password manager right in the QuickBar.

This credential AutoFill feature will only work if your third-party password manager (like 1Password or LastPass) supports Apple’s password manager API for iOS 12.

Right now as we’re in beta, password manager makers are still working on getting their side of things up and running, but 1Password and LastPass have both said they will support AutoFill when iOS 12 officially launches. (KeePass users, there have already been several requests for iOS AutoFill support on several KeePass mobile apps, so keep an eye out for this feature.) Previously, iOS users who wanted something like this would have had to install an extension or opt to use iCloud keychain.

For iOS users who are loyal to both non-Apple password managers and non-Apple browsers (like Firefox or Chrome), at this point it still looks like it’s up to them to download mobile extensions or add-ons if they want a similar experience.

Making it easier to replace reused passwords for strong, unique passwords

In addition to helping users adopt stronger, unique passwords by making it easier for them to use a password manager, iOS 12 will also give users a friendly poke if they’re re-using passwords across sites.

iOS 12 will also go a step further and generate a unique, complex password to replace the old one, and offer to store that new password in the iCloud Keychain.

This is functionality that many third-party password managers offer as well, but having this built-in will allow for better password hygiene in users who rely on Apple-native products. A change like this might not have the pizazz that impresses most iOS users, but these features will make it easier to have better, more unique passwords – all without much effort or thought on the side of the user.

Making SMS 2FA a little less annoying

While a larger discussion (justifiably) continues around the security of SMS 2FA, and how to get more people to adopt token-based 2FA instead, the reality is that while it may not be the best solution for 2FA, it’s often the only choice available. In the pursuit of not letting perfect be the enemy of good, there’s an update in iOS 12 that will make it even easier to grab the 2FA code texted to you.

The code will now be easy to highlight within the Messages view, and the code will also appear as an AutoFill text field within the browser, so users won’t have to click back and forth between apps to get the code they need.

If you’re thinking this is all small stuff, consider that little changes do add up to a big impact. For years IT and security pros have been wheedling, begging, pleading with and forcing users to use strong, unique passwords. We’ve written about why unique passwords matter, and how simple it can be when you use a password manager.

But getting on board with this kind of thing requires considerable time and effort (researching a password manager, downloading it, setting it up), as well as, well… giving a hoot about any of this to begin with.

Any measure that reduces the friction of adopting better security is a good thing. Usability and security should not be enemies. We may have our work cut out for us when it comes to making security something that “the average user” cares about, but that’s why I applaud any measure that makes better security something the average user can actually do.

So what say you? Will you be installing iOS 12 in beta and giving this a test drive? Here’s hoping all third-party password managers make the deadline so their extensions are ready when iOS 12 launches.

In the meantime, I’m taking advantage of a non-security iOS 12 update: a reminder to call my mother!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qCPm7WAV_Wo/

Social networks to be fined for hosting terrorist content

The European Commission is done with waiting for social platforms to voluntarily fix the problem of extremist content spreading via their technologies. On Sunday, the Financial Times reported that the EC’s going to follow through on threats to fine companies like Twitter, Facebook and YouTube for not deleting flagged content post-haste.

The commission is still drawing up the details, but a senior EU official told the FT that the final form of the legislation will likely impose a limit of one hour for platforms to delete material flagged as terrorist content by police and law enforcement bodies.

The EC first floated the one-hour rule in March, but it was just a recommendation at that point: something that the EC let companies implement voluntarily to the best of their abilities.

Or not, as the case may be. Although the one-hour rule was only a recommendation at the time, companies and member states still had requirements they needed to meet, including submitting data on terrorist content within three months and on other illegal content within six months.

Whatever tech companies have done to satisfy those requirements, the EC isn’t happy with it. Julian King, the EU’s commissioner for security, told the Financial Times that Brussels hasn’t “seen enough progress” from the platforms and that it would “take stronger action in order to better protect our citizens”.

We cannot afford to relax or become complacent in the face of such a shadowy and destructive phenomenon.

The recommendations that came in March followed the commission’s promise, in September, to monitor progress in tackling illegal content online and to assess whether additional measures were needed to ensure such content is detected and removed quickly. Besides terrorist posts, illegal content includes hate speech, material inciting violence, child sexual abuse material, counterfeit products and copyright infringement.

Voluntary industry measures to deal with terrorist content, hate speech and counterfeit goods have already achieved results, the EC said in March. But when it comes to “the most urgent issue of terrorist content,” which “presents serious security risks”, the EC said procedures for getting it offline could be stronger.

For example, procedures for flagging content should be simpler and faster, with fast-tracking for “trusted flaggers”. To guard against mistaken removals, content providers should be told about decisions and given the chance to contest them.

As far as the one-hour rule goes, the EC said in March that the brevity of the takedown window is necessary given that “terrorist content is most harmful in the first hours of its appearance online.”

The proposed legislation will have to be approved by the European Parliament and a majority of EU member states before being finalized as law. King told the FT that the new law will help to create legal certainty and would apply for all websites, big or small:

The difference in size and resources means platforms have differing capabilities to act against terrorist content, and their policies for doing so are not always transparent. All this leads to such content continuing to proliferate across the internet, reappearing once deleted and spreading from platform to platform.

The tech companies have protested the one-hour rule, saying it could do more harm than good. In fact, the FT reports, some parts of the commission believe that self-regulation has been a success on the platforms that terrorists most like to use to spread their messages.

In April, Google pointed to success with artificial intelligence (AI)-enabled automatic content takedown: during its earnings call, Google CEO Sundar Pichai said in prepared remarks that automatic flagging and removal of violent, hateful, extremist, fake-news and other violative videos was producing good results on YouTube.

At the same time, YouTube released details in its first-ever quarterly report on videos removed by both automatic flagging and human intervention.

There were big numbers in that report: between October and December 2017, YouTube removed a total of 8,284,039 videos. Of those, 6.7 million were first flagged for review by machines rather than humans, and 76% of those machine-flagged videos were removed before they received a single view.

Back in March, EdiMA, a European trade association whose members include internet bigwigs such as Google, Twitter, Facebook, Apple and Microsoft, acknowledged the importance of the issues raised by the EC but said it was “dismayed” by its recommendations. EdiMA described it as “a missed opportunity for evidence-based policy making”.

Our sector accepts the urgency but needs to balance the responsibility to protect users while upholding fundamental rights – a one-hour turn-around time in such cases could harm the effectiveness of service providers’ take-down systems rather than help.

The trade group also pointed out that it’s already shown leadership through the Global Internet Forum to Counter Terrorism and that collaboration is underway via the Hash Sharing Database.

Here’s what Facebook told TechCrunch at the time:

We share the goal of the European Commission to fight all forms of illegal content. There is no place for hate speech or content that promotes violence or terrorism on Facebook.

As the latest figures show, we have already made good progress removing various forms of illegal content. We continue to work hard to remove hate speech and terrorist content while making sure that Facebook remains a platform for all ideas.

One EU official told the FT that the EC’s push for an EU-wide law targeting terrorist content reflected concern that “European governments would take unilateral action.”

German lawmakers last year OKed huge fines for social media companies that don’t take down “obviously illegal” content in a timely fashion. The German law gives them 24 hours to take down hate speech or other illegal content and imposes fines of up to €50m ($61.6m) if they don’t.

The German law targets anything from fake news to racist content. But the FT reports that with the one-hour rule, the EU is specifically targeting terrorist content, leaving it up to the platforms to determine which content violates the rules when it comes to areas that are less black and white, including hate speech and fake news.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G0daOP0GTVg/