adm – Page 737 – STE WILLIAMS

Mobile security – how to have your cake and eat it [PODCAST]

library
crime | hacking | security

Here’s #5 of last week’s Security SOS Week podcasts, right here #ICYMI.

In this episode: Mobile security – how to have your cake and eat it.

Join us as we talk to Sophos security expert Matt Boddy about how you can embrace the “bring your own” world of 21st century IT while staying safe and secure at the same time.

If you enjoy our podcasts, please share them with other people interested in security and privacy, and give us a vote on iTunes and other podcasting directories.

YOU MIGHT ALSO LIKE

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wSZevor7LI8/

Facebook, Google, Microsoft and Twitter make leaving easier

library
crime | hacking | security

Facebook, Google, Microsoft and Twitter are working together on a joint open-source project to help their users move their data between services as easily as possible.

The project, called the Data Transfer Project (DTP), will allow users to directly transfer data that they own between any services that participate in the DTP, without the need to download, clean or reformat it.

It’s really important to note here that this isn’t an initiative to make it easier for these companies to share customer data between themselves for monetary gain; this project is specifically for handling user requests for moving their own data. It does not include any kind of special provision for deleting data, or making data deletion any easier.

The Data Transfer Project aims to “enable direct, service-to-service data transfer with streamlined engineering work.” For anyone who’s tried this on their own, the results can be wildly inconsistent: Sometimes you get lucky and everything works just fine, but more often than not, you have a mess on your hands and need to spend a good deal of time cleaning up your own data. It’s not something most users really want to deal with.

If this sounds like data standardization to you, you’re on the right track. However, it’s not just a standard data format: the DTP also includes tools to convert data to the open source format. The DTP says that…

…this makes it possible to transfer data between any two providers using existing industry-standard infrastructure and authorization mechanisms, such as OAuth.

The data transfer protocol requires any data at rest to be encrypted by default, but does leave a lot of the details about how data should be encrypted during the transfer process up to the individual companies themselves – for example, it’s up to the individual service provider to determine how they want to grant auth tokens for the data transfer process.

The example that the DTP gives for one such case is a user who wants to move their photos from Google Photos to Microsoft OneDrive. The user would simply need to click “transfer photos” from within Google Photos, select Microsoft OneDrive, and then approve the data transfer. The user prompt looks very similar to what people are used to seeing when prompted to sign in to a service using their Google or Facebook accounts.

Image provided by the Data Transfer Project.

So, is it a good thing that Google, Facebook, Microsoft and Twitter are all teaming up to make it easier to share your data between them? It’s a great move from a business perspective, for sure – it reduces customer frustration, as it aims to make it much easier for a user to adopt a new tool and migrate over from an older one with minimal fuss.

The DTP could also lessen developer frustration in dealing with customer complaints as data formatting becomes more proprietary and byzantine over time.

But where did the impetus for all this data sharing come from, just the benevolence of their hearts?

We undoubtedly have GDPR to thank for this: Remember, data portability is a key point in the regulation set. So yes, this will make things easier and more convenient for users, and along the way the companies participating in the DTP get to check another box for GDPR requirements.

The DTP, being open source, is open to any other organizations that wish to participate and use this technology. So watch this space – perhaps we’ll see more companies opt to participate in the near future.

Follow @mvarmazis
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bVr78jx17tk/

WhatsApp limits message forwarding in response to lynchings

library
crime | hacking | security

Don’t allow these persons in [the] red car to escape. They are child kidnappers.

As The Indian Express reported earlier this month, that message was sent to WhatsApp groups, accompanied by a video of four men distributing chocolates to schoolchildren.

Within 30 minutes, one of the men – 32-year-old Mohammed Azam Ahmed, a software engineer with Accenture in Hyderabad – had been lynched. His three companions were seriously injured, one police inspector had his leg broken, and five other policemen who were trying to protect the victims suffered head injuries caused by a rock-throwing village mob.

It was only the most recent event in a fake-news crisis that’s seized India, which in recent months has seen dozens of mob lynchings sparked by rumors that have spread virally on social media. According to Business-Standard, over the past 18 months, there have been 33 people killed and at least 99 injured in 69 reported lynchings.

At least 18 of these incidents have been specifically linked to WhatsApp.

On Thursday, the Facebook-owned company announced that it’s launching a test to limit the type of message forwarding that’s fueling the fake-news wildfire – one that has been most particularly violent in India, but has also cost dozens of lives in countries including Myanmar and Sri Lanka.

WhatsApp said in a blog post that it’s going to limit forwarding to everyone using WhatsApp. The limit will be most restrictive in India, where people forward more messages, photos and videos than any other country in the world, WhatsApp said. In India, it’s going to test a lower limit of 5 chats at once and will also remove a quick-forward button next to media messages.

Hopefully, this will help bring the free, encrypted messaging app back to what it started as, WhatsApp said: a “simple, secure and reliable way to communicate with family and friends.”

We believe that these changes – which we’ll continue to evaluate – will help keep WhatsApp the way it was designed to be: a private messaging app.

This isn’t the first step that WhatsApp has taken to fight the consequences of fake news in India. A week earlier, WhatsApp had published full-page advertisements in leading Indian newspapers in an effort to advise people how to spot false information.

ater a spate of mob lynchings in India, fuelled by fake news, WhatsApp takes out full page newspaper ads to help us… twitter.com/i/web/status/1…

—
＼＼(۶•̀ᴗ•́)۶//／／ (@howtodressvvell) July 18, 2018

Police claimed to have traced the WhatsApp message that resulted in the recent death of Mohammed Azam Ahmed. They say it came from a farmer who was the administrator of some half a dozen WhatsApp groups. He is one of 30 or so people who’ve been arrested so far.

The Indian Express quoted Dilip Sagar, Circle Police Inspector (CPI) of Kamalnagar Circle:

[The farmer] sent this provocative message – that these men are child kidnappers and should not be spared – to WhatsApp groups in Murki and surrounding villages, which triggered the chase and the attack on the men. His message instigated the attack.

Presumably the police have the phone the message was sent from, or one of the phones that received it, because, as WhatsApp itself has made clear in its ongoing court battles with governments, the company itself can’t see the contents of users’ chats. One of its biggest selling points – end-to-end encryption – ensures that’s the case.

That hasn’t stopped countries from trying to ban encrypted messaging apps such as WhatsApp, or to suggest planting backdoors into them.

True to form, India is threatening to hold WhatsApp accountable for the fake-news inspired violence. Unimpressed by WhatsApp’s announcement about drastically cutting back on the ability to forward messages, India’s information technology ministry on Thursday issued a statement saying that WhatsApp could face legal action over the issue.

Khaleej Times quoted the statement:

Rampant circulation of irresponsible messages in large volumes on their platform have not been addressed adequately by WhatsApp. When rumours and fake news get propagated by mischief-mongers, the medium used for such propagation cannot evade responsibility and accountability.

If [WhatsApp] remain mute spectators they are liable to be treated as abettors and thereafter face consequent legal action.

As other countries before it, India’s information technology ministry also called on WhatsApp to enable the “traceability” of provocative or inflammatory messages when an official request is made.

At the time of writing WhatsApp hadn’t issued a statement about the potential threat of legal action.

Follow @LisaVaas
Follow @NakedSecurity

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2RmzP8FAbVM/

Google Chrome: HTTPS by default D-Day is tomorrow, folks

library
crime | hacking | security

Google Chrome users who visit unencrypted websites will be confronted with warnings from tomorrow.

The changes will come for surfers using the latest version of Google Chrome, version 68. Any web page not running HTTPS with a valid TLS certificate will show a “Not secure” warning in the Chrome address bar from version 68 onwards. The warning will apply both to internet-facing websites and intranet sites accessed through Chrome, which has approximately 60 per cent market share.

In Chrome 68, the address box will display “Not secure” for all HTTP pages.

The Chrome update is designed to spur sites still stuck on HTTP to move over to HTTPS, as Google explained back in February. The web has made great strides in that direction of late but much work is yet to be done.

Security luminary Troy Hunt is developing a site called whynohttps to coincide with the Chrome 68 launch. The site will list the world’s largest websites that don’t do HTTPS by default.

Hunt and his colleague Scott Helme are looking to list HTTPS laggard sites by industry sector, a task they’d like some help in automating, as well as country. Hunt explained in a Twitter update: “For people offering support on this, I’ve sorted the country data, but what I really need now is data on the category of the site. Is there any service that says ‘Baidu is a search engine, Fox News is media, etc’?”

The majority (542K) of the top one million sites do not redirect to HTTPS and will therefore be labelled as insecure from tomorrow onwards, Cloudflare warned.

Running secure sites is not only for the big boys and is not necessarily expensive. Letsencrypt certs are free. Aside from the security benefits of preventing pages from being tampered while in transit, HTTPS has commercial benefits for site owners too. Both browsers and search bots favour HTTPS sites.

Although Chrome is the first mainstream browser to affix high-visibility warnings system to non-HTTPS websites, it’s likely that Microsoft, Apple and Mozilla will follow suit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/23/https_dday_google_chrome/

Who watches Sony’s watcher? Boffins poke holes in surveillance kit

library
crime | hacking | security

Security researchers at Cisco Talos have found two serious flaws with Sony’s network-facing surveillance kit, the IPELA E Series Network Camera.

A command injection vulnerability in the measurementBitrateExec functionality could be abused to cause arbitrary commands to be executed in response to a maliciously contracted HTTP request.

And an exploitable stack buffer overflow flaw in the “802dot1xclientcert.cgi” functionality of the camera range is worse since it directly opens up the door to remote code execution on vulnerable devices.

“A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution,” Cisco Talos reported. “An attacker can send a malicious POST request to trigger this vulnerability.”

The vulnerabilities discovered by Cory Duplantis and Claudio Bozzatoare detailed in a blog post here.

El Reg invited Sony to comment on the findings. We’ll update this story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/23/sony_surveillance_cam_flaws/

Two-Thirds of Organizations Hit in Supply-Chain Attacks

library
crime | hacking | security

New global survey by CrowdStrike shows the average cost of a software supply chain attack is $1.1 million.

Less than 40% of organizations in the US, UK, and Singapore have vetted all of their external suppliers in the past 12 months, according to a new survey, and most organizations worldwide have been victims of a software supply chain attack.

While two-thirds say their organizations suffered a supply chain attack in the past year, 71% say they don’t consistently require the same security requirements of their third-party suppliers as they use internally. The survey, conducted by Vanson Bourne on behalf of CrowdStrike, includes responses from 1,300 senior IT decision-makers and security pros in the US, Canada, UK, Mexico, Australia, Germany, Japan, and Singapore.

Some 90% of organizations say software supply chain attacks cost an average of more than $1.1 million. Attackers are increasingly using an “indirect route” to hit their targets, says Dan Larson, vice president of product marketing at CrowdStrike. “They now inject malicious code into legitimate software,” he says. “It’s mostly invisible, which is why these attacks are becoming more common.”

London Calling with New Strategies to Stop Ransomware

library
crime | hacking | security

The new London Protocol from the Certificate Authority Security Council/Browser Forum aims to minimize the possibility of phishing activity on high-value identity websites.

Website security begins with having a confirmed identity of the website owner to prevent phishing attacks. Without it, online users are at a major disadvantage against identity fraudsters with fake domain validation phishing sites that imitate high-value sites to steal passwords and credit card numbers.

The genesis of the London Protocol, an initiative to improve identity assurance and minimize the possibility of phishing activity, rests on data presented by multiple sources indicating that anonymous domain validation SSL/TLS certificates are the principal reason for a recent rise in phishing attacks, along with our collective interest in preserving secure Internet transactions to protect both organizations and the user community who transacts with them.

The London Protocol’s primary focus is to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain verified organization identity information (Identity Certificates) to tell users they will be safer at those sites. We chose the name “London Protocol” because we officially announced the agreement at the most recent face-to-face meeting of the Certificate Authority Security Council/Browser Forum in London last month.

The genesis of our action stemmed from a report from HashedOut noting that “between January 1st, 2016 and March 6th, 2017, the Let’s Encrypt certificate authority issued a total of 15,270 SSL certificates containing the word ‘PayPal.'” These Let’s Encrypt certificates were issued to bad actors who used the name “PayPal” in their domains to trick online users into sending their personal data — in other words, to commit identity theft. The certificates issued by Let’s Encrypt are solely domain-validated certificates, which means that they can be issued to anonymous websites because issuance is 100% automated.

Identity Certificates: A Brief History
Back in 2001, only OV identity certificates were used to secure websites. For most CAs, obtaining an OV certificate was a detailed process that could take time to complete. At the time, we needed a different kind of certificate for organizations that needed to get certificates faster for encrypted communications on less sensitive websites, which is why I was one of the inventors of Domain Validated (DV) certificates. The intention was to create a digital certificate that could be validated quickly where proof of website ownership was not as important for user security, such as blogs and information pages. We figured that limiting validation steps for DV certificates to proof of domain ownership would be sufficient because it would prevent fraudsters from getting certificates for domains they didn’t own.

Unfortunately, DV certificates are now being used in a way that was never intended, leading to a surge in phishing attacks on fake websites encrypted with DV certificates. Encryption assures that sensitive data is safely communicated to the domain owner. However, the absence of a confirmed organization identity means the data can get transmitted safely to a bad actor trying to steal user information.

To make websites even safer for users, I then joined a small group of co-inventors of the Extended Validation or EV certificate. EV certificates are issued only after a thorough and strict vetting procedure that follow standardized guidelines binding on all CAs. The EV certificates developed by the CA/Browser Forum are displayed in the browser address bar to confirm website identity, tell users who’s behind the site, and offer potential recourse for any bad actions.

We tested our hypothesis that users are safer at OV and EV sites by collaborating with ComodoCA, recognized as one of the leaders in DV certificate issuance worldwide. Our research paper, “The Relative Incidence of Phishing among DV, OV and EV Encrypted Websites,” shows that over 99.5% of encrypted websites with phishing content use DV certificates, while there is almost no phishing associated with OV and EV websites. The data confirms our hypothesis that OV and EV certificates are safer for users than DV.

But as safe as OV and EV websites are today, we want to make them even safer. This brings us to the London Protocol, under which five CAs from the CA Security Council are cooperating to improve identity assurance and minimize the possibility of phishing activity on identity websites. Each participating CA will work with its OV and EV customers to help them remove any phishing content on their websites to make identity websites even safer for users. This effort will help to counter the surge of DV phishing attacks across major brands and let users feel safer when visiting OV and EV sites.

Read more about the London Protocol’s phased approach and hear from the other member certificate authorities.

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info.

Chris Bailey joined Entrust Datacard following its acquisition of Trend Micro SSL where he served as the general manager. Prior to that, Bailey served as the CEO and co-founder of the certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as … View Full Bio

Article source: https://www.darkreading.com/endpoint/london-calling-with-new-strategies-to-stop-ransomware-/a/d-id/1332338?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

24 Sentenced in India-Based Call Center Operation

library
crime | hacking | security

The scheme targeted US residents with fraudulent phone calls and conned victims out of hundreds of millions of dollars.

Twenty-one people were sentenced last week for an India-based fraud and money-laundering scheme that tricked US residents out of hundreds of millions of dollars, the Department of Justice reports. Three members of the same operation were sentenced earlier this year.

As part of the scheme, fraudsters called US targets and pretended they were government employees from the IRS and US Citizenship and Immigration Services (USCIS). They convinced victims they owed money to the US government and would be arrested or deported if they didn’t pay. When the money was transferred, US-based “runners” would liquidate the funds.

Members of the operation were sentenced with hefty prison terms. Miteshkumar Patel, who managed a group of runners in Chicago, was given the longest term of 240 months. Hardik Patel was given 188 months for wire-fraud conspiracy. Other participants were sentenced to 151-, 145-, 121-, 108-, 87-, 60-, and 45-month terms. On top of prison time, 22 defendants were “held jointly and severally liable” for restitution of $8,970,396 payable to identified victims.

The indictment also charged 32 India-based conspirators and five Indian call centers with wire-fraud conspiracy, general conspiracy, and money-laundering conspiracy.

LabCorp ransomed, 18k routers rooted, a new EXIF menace, and more

library
crime | hacking | security

Roundup This was the week of blunders by Venmo, million-dollar bank heists, and beefier bug bounties.

Here’s a few more bits of news.

Singapore sting

Any large-scale data breach is bad news, but one that results in the loss of the health information of a quarter of the population is downright disastrous.

Such was the case in Singapore, where an estimated 1.5 million people (about 25 per cent of the population) had their records lifted from the health and information ministries’ database.

Any Singaporeans worried this will get swept under the rug can rest easy(ish): Prime Minister Lee Hsien Loong was among those whose data got lifted in the heist. In fact, the nation’s Cyber Security Agency believes that it was Loong who was the original target of the attack.

Authorities have yet to find any of the pilfered information online, so it’s not clear whether this was the work of a nation-state sponsored operation or just an effort by cybercriminals to harvest valuable records.

Dear Uncle Sam, please come to your census

The US Census is coming up in just two years, and given the importance of the data for things like congressional seats and public assistance, getting the population data right is critical.

That’s why a group of former government security experts are pressing the Census Bureau to assess and report just how it plans to secure the census and prevent outside groups from manipulating the data. They’ve issued an open letter [PDF] requesting a security report.

“Our country’s elected representatives and, indeed, the American people deserve to understand the technical protocols and systems being utilized by the Census Bureau to ensure that the electronic collection and storage of information about millions of Americans will be handled as securely as possible,” the letter reads.

“This is especially important in an age in which new types and sources of cybersecurity threats seem to emerge almost weekly.”

The group claims they’ve already tried to get the data from the Census Bureau, but have thus far been ignored. Hence the decision to issue an open letter.

EXIF-iltration

Malware writers are now sullying the good name of Google (stop laughing) to infect users via image files.

Researchers with Sucuri explained how hackers have been using sites like Google+ or Blogger to upload image files that contain EXIF data within the “usercomment” data section. That EXIF code is where the magic happens, executing the script that actually attempts to infect the user with malware.

“In previous cases, hackers used EXIF data within images to hide malicious code inside files that are rarely scanned for malware,” Sucuri explains.

“In this specific case, we see that the main goal is to host malicious scripts on a reliable and trusted server so that they are always available for downloading from any compromised sites.”

DNS rebinding reloads for enterprise attacks

Last month we were alerted to the return of DNS rebinding attacks on consumer devices. Now, we’re hearing that enterprise hardware could also be vulnerable to a flaw that has been known about for more than a decade.

Researchers with security outfit Armis say that as many as half a billion pieces of kit in use by just about every enterprise could also be remotely hijacked and added to botnets via the same DNS rebinding techniques.

Armis argues that things like printers and VoIP handsets are just as vulnerable as your Roku or home router when it comes to vulnerabilities, and if admins don’t keep a close eye on all their hardware, those unattended items could become cogs in a massive new botnet.

“Armis has found that the issue impacts hundreds of millions of IoT and other unmanaged devices used inside almost every enterprise,” notes Armis VP of research Ben Seri.

“From smart TVs to printers, digital assistants to IP phones and more, the exposure leaves organizations vulnerable to compromise, data exfiltration, and to devices getting hijacked for another Mirai-like attack.”

18,000 routers pwned in a day

We knew it was easier than ever to build a botnet, but who knew it was this easy?

Researcher Ankit Anubhav discovered and tracked down the creator of an 18,000 strong botnet made up entirely of vulnerable Huawei network routers. As it turns out, the person behind the botnet was able to put it together in under 24 hours and used just one exploit, for a flaw that has been known for more than half a year.

The motives are not clear as the attacker only told he is doing this “to make the biggest baddest botnet in town” . Probably DDoS.

CBE-2017-17215 related article https://t.co/5xiWKFynTY

Its painfully hilarious how attackers can construct big bot armies with known vulns. (3/3)

— Ankit Anubhav (@ankit_anubhav) July 18, 2018

Let this be yet another reminder: make sure you regularly patch everything on your network regularly. Firmware updates for routers or printers can be an easy thing to forget, but if they get compromised things could get ugly very quickly.

LabCorp says ‘it was ransomware what knocked over our network’

Earlier this week we shared the story of how a mystery attack had briefly taken down much of LabCorp’s medical testing network.

At the time, there was no official word on what had caused the diagnostics service to go dark, and there were fears that the company might have lost some of the millions of medical records it keeps from its lab test facilities around the country.

As it turns out, the culprit was in fact a ransomware infection. El Reg received an update from LabCorp that contained the following clarification:

“The activity was subsequently determined to be a new variant of ransomware,” the statement reads.

“LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system.”

The good news is no data was taken, and your medical records are safe. LabCorp says it is working with authorities to investigate the incident.

Get VLC 3.0.3 …Like right now

You will want to make sure your copy of VLC is up to date, after a high-severity security flaw was adapted for a popular metasploit exploit tool.

Researcher Davy Douhine broke the news on Twitter:

Update VLC ! Incoming #metasploit exploit targeting a UAF in VideoLAN VLC media player = 2.2.8 ! CVE-2018-11529 discovered and exploited by Eugene Ng and module coded by Winston Ho. I guess sharing this on Torrent will pop a few shells ;) https://t.co/CiKuiAtK0q pic.twitter.com/p61iqjFdJF

— Davy Douhine (@ddouhine) July 19, 2018

CVE-2018-11529 is a bug that can be exploited to allow remote code execution. It was discovered by Eugene Ng.

While a working Metasploit module ups the danger, there’s a simple and very practical solution for this one: update your copy of VLC to version 3.0.3 and you’ll have the bug all patched up.

File under: Good luck with that

The family of Silk Road boss Ross Ulbricht is still at it. The darknet drug market supremo was jailed for life without parole back in 2015, and while it’s highly unlikely that the American judiciary and prosecution would backtrack on its decision, Ross’ mother, isn’t giving up the fight to have her son released from lockup in this lifetime.

A Change.org petition seeks a clemency grant for Ulbricht.

“Ross is condemned to die in prison, not for dealing drugs himself but for a website where others did. This is far harsher than the punishment for many murderers, pedophiles, rapists and other violent people,” writes mother Ulbricht.

“Ross’s investigation, trial and sentencing were rife with abuse. This includes corrupt federal investigators (now in prison) who were hidden from the jury, as well as prosecutorial misconduct, constitutional violations and reliance on unproven allegations at sentencing. Ross did not get a fair trial and his sentence was draconian.”

Right now, the petition has more than 18,000 signatures. Unfortunately, the petitions have no legal sway, and it’s unlikely US Attorney General Jeff Sessions nor President Donald Trump will be moved to reverse their “tough on crime” stance for Ulbricht. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/21/july_21_security_roundup/