STE WILLIAMS

Google Chrome update to label HTTP-only sites insecure within WEEKS

A looming deadline – now less than three weeks away – means that Google Chrome users who visit unencrypted websites will be confronted with warnings.

The changes will come for surfers once Chrome 68 stable updates go live on 23 July. From then on, any web page not running HTTPS with a valid TLS certificate will show a “Not Secure” warning in the Chrome address bar. The warning will apply both to internet-facing websites and corporate/private intranet sites accessed through Chrome, which has about a 60 per cent share of the browser market.

SSL certificate firm DigiCert released research on Tuesday that found 43 per cent of the Alexa top million sites used HTTPS by default, while a W3Techs June survey reported that HTTPS is the default protocol for 35.6 per cent of the top 10 million websites. Many smaller and less-visited sites may still rely on HTTP.

Security researcher Scott Helme makes use of web crawlers to collect daily data on the top million sites. He’s an advocate of HTTPS-everywhere and has spoken at several conferences on the topic.

“The July update to Google Chrome is a significant milestone in the progress to ensuring the web is safer for all to use,” Helme told El Reg. “We’ve been rapidly advancing towards an encrypted web for years but staggering progress has been made in the last two years. I’ve been tracking an accelerated rate of adoption for HTTPS across the web and other independent research also confirms that this is indeed the case.”

Helme said he welcomed the changes to be brought by mainstream Chrome releases at the end of the month because the security status of a site will be far more visible. Instead of being obliged to check for a padlock to check a site is secure, surfers will be confronted with a warning if it isn’t.

“The move to mark HTTP as ‘Not Secure’ is also being followed by plans to simplify the HTTPS indicators too, the two approaches go hand in hand,” Helme said. “As HTTPS becomes more and more the default, it makes no sense to keep the ‘Secure’ indicator present, the browser should only tell us when something notable happens. Going forwards the notable thing is set to become that the connection was [insecure], and not that it was secure, proving that encrypted communications have become the expectation and not the exception.”

Security consultant Paul Moore added a note of caution, pointing out that even HTTPS sites can have vulnerabilities.

“I remain concerned by the insinuation that a site is ‘secure’ simply because they deploy TLS. That’s clearly not what Google are suggesting… however, the target demographic (the general public) are unlikely to understand the difference and will likely use ‘secure’ as an umbrella term to describe the entire site, rather than the connection itself.”

The Chrome update is designed to spur the millions of sites still using HTTP to adopt HTTPS. The web has made great strides in that direction of late but there’s still work to be done. “Many sites need to catch up to avoid the ‘Not Secure’ warnings,” said DigiCert chief product officer Jeremy Rowley. “We urge IT administrators to check the sites they look after and deploy the appropriate TLS certificates.

“In some instances, administrators may believe they don’t need certificates on all pages, but incorrect configuration and deployment will still lead to warnings within Chrome.”

Research from earlier this year by Ipsos found that the vast majority (87 per cent) of internet users will not complete a transaction if they see a browser warning on a web page. More than half (58 per cent) of respondents said they would go to a competitor’s website to complete their purchase. European surfers were confronted by privacy update notices at multiple sites as a lawyer-mediated and probably intended side effect of the introduction of GDPR. Whether or not this would have any effect on responses to browser warnings is unclear.

Although Chrome is the first browser to deploy such a visible warning system on non-HTTPS websites, it’s likely that Microsoft, Apple and Mozilla will follow suit. Rowley added: “HTTP 2.0 requires TLS encryption in major browsers. As the major browsers migrate to the newer technology, websites will find certificate deployment becoming increasingly important.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/03/google_chrome_http/

Four US govt agencies poke probe in Facebook following more ‘oops, we spilled your data’ shocks

No less than four federal agencies in the US are now investigating Facebook following yet more revelations over how it gave vast quantities of personal data to developers.

As well as the Department of Justice, the Federal Trade Commission (FTC), the FBI, and America’s financial watchdog the Securities and Exchange Commission (SEC) are now all digging into the issue, even reportedly holding joint meetings to discuss how to proceed.

The investigations have also been expanded to look at what Facebook executives knew, when they knew it, and what they did in response, including their public statements.

That expansion comes after Facebook dumped more than 700 pages of information [PDF] at midnight on Friday in response to questions from the House Energy and Commerce committee, which has also been looking into the issue.

Amid that glut of information were two significant new admissions: it shared huge quantities of its users’ personal profile data with no less than 52 hardware and software companies including Apple, Amazon, and Microsoft – but also Chinese tech giants Alibaba and Huawei. And it gave 61 Facebook app and extension developers an additional six months to comply with new policies that restricted data access and came into effect in May 2015.

Facebook is now – finally – being open about the enormous sharing and mining of personal information gathered from its addicts. Just this week it admitted to yet another “bug” that meant some blocked users were effectively unblocked and able to see some people’s posts. The number of people impacted? No less than 800,000.

About time

But that openness has only come after years of stonewalling. Even for Congressmen with the power of subpoena, it has been like getting blood out of a stone. Federal investigators suspect that may be because executives knew they had been misleading investors and the public over the true extent of the sharing of personal data for several years.

The fact that Facebook’s shares dove more than 10 per cent in March after it was revealed that Cambridge Analytica had accessed the profiles of tens of millions of users through an app that very few people actually used has led the SEC to wonder whether the company has been less-than-entirely truthful with investors: a serious matter for a publicly listed company.

Likewise, the FTC is looking into whether Facebook’s approach has broken an agreement it reached with the social media giant back in 2011 over safeguarding people’s private details. Due to the sheer scale of the problem – tens of millions of people – the company faces an astronomical fine.

Former FTC chairman William Kovacic noted that if each instance of sharing user data wrongly was viewed as its own separate “violation,” the company – which has more than a billion people logging in every day – could face a fine that totals “more money than there is on the planet.” Literally trillions of dollars.

In reality, the FTC can’t impose a fine that would effectively put an American tech goliath out of business, but if found guilty, Facebook would almost certainly be on the receiving end of the FTC’s biggest ever fine, possibly as much as $1bn.

That’s not all, either: Facebook inserted a disclaimer into its info dump that has already caught the attention of lawmakers. “It is important to note that the lists above are comprehensive to the best of our ability,” the biz noted in the middle of the doc. “It is possible we have not been able to identify some extensions.”

Boy who denied wolf

Given the fact that Facebook has repeatedly given what appear to be straight answers but with little caveats that turn out to be blatant efforts to hide damaging information, this disclaimer has already got people raising their eyebrows and wondering what else the company is hiding.

Even Facebook’s home turf representative appears to have had enough. “I support a full investigation to get all the facts that is not politicized,” tweeted Representative Ro Khanna (D-CA), whose district covers a big chunk of Silicon Valley, this week. “I am hopeful that Facebook will cooperate fully and be transparent, recognizing this a matter of public trust.”

In short, the chicken is finally coming home to roost. Whatever Facebook has got up to is unlikely to stay hidden with so many people with investigative powers digging into the matter.

And to be frank, when it all does emerge, a lot of academics and some tech press – and we include ourselves in that – will be fully justified in standing up and exclaiming: “We told you so.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/03/four_federal_agencies_facebook/

Consumers Rank Security High in Payment Decisions

Security is a top priority when it comes to making decisions on payment methods and technologies.

In the list of considerations for how to pay for purchases, the security of the transaction method tops cash back and loyalty points for most consumers. That’s the conclusion of a recent major payment industry study, reinforced by separate results from new private research.

The “2017 TSYS U.S. Consumer Payment Study,” the latest annual version of research conducted by the payments provider, indicates that security is a top-of-mind issue for the majority of consumers. Regarding a question about moving to electronic wallets on smartphones, the study reports, “Consumers continue to be most interested in mobile features that allow them to instantly identify and stop unauthorized credit and debit transactions,” with 80% reporting this as a reason for pursuing wallet apps. The ability to instantly see transactions was cited as another reason by nearly three-quarters (72%) of respondents. Both of these responses outpaced any convenience-related justifications for the new technology.

Security for new payment technology is in line with a response from TSYS’s 2016 study that found when considering a new credit card, 74% of consumers ranked security and fraud protection as their priority, with 26% preferring rewards.

The survey on which the study was based also asked consumers about their comfort level with different authentication levels. Traditional passcode was the top response, with 69% stating their comfort with the method, but fingerprint authentication was close behind, at 63%.

For more, read here and here.

Article source: https://www.darkreading.com/threat-intelligence/consumers-rank-security-high-in-payment-decisions/d/d-id/1332211?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptocurrency Theft Drives 3x Increase in Money Laundering

The first half of 2018 saw more cryptocurrency theft than all of 2017 combined, driving a rise in digital money laundering as criminals elude authorities.

Cybercriminals are snatching cryptocurrency like never before, driving a rise in money laundering as they hide their digital funds and evade authorities.

The first half of 2018 saw a threefold increase in cryptocurrency theft compared with the full year of 2017, researchers state in CipherTrace’s new “Cryptocurrency Anti-Money Laundering Report” for Q2 2018. Attackers launder digital currencies using a variety of tools and technologies, including mixers, chain hopping, privacy coins, and gambling sites, to name a few.

Much of the rise in theft can be attributed to “old-school” cybercriminals who used to target financial institutions with phishing attacks, ransomware, and malware to steal money and credit card information, explains Dave Jevans, CEO of cryptocurrency startup CipherTrace. Now they’re finding new targets to build their illicit fortunes: cryptocurrency exchanges.

But many of the actors snatching digital money are new to cybercrime, Jevans adds.

“We’re now seeing, in the last probably eight to 12 months, a real influx of new criminals that are highly technically sophisticated,” he explains. There’s a major difference between seasoned threat actors and those who have been dabbling in cybercrime for less than 12 months: operational security.

It isn’t a question of technical prowess so much as lack of experience, Jevans continues. Cybercrime’s newest threat actors can craft advanced malware designed to target cryptocurrency addresses and inject similar addresses, under their control, to receive funds. Their malware is designed to target digital funds in a way traditional malware isn’t, created by people who grew up learning about virtual currencies and can exploit them in new ways.

The problems start when they secure the money. Traditional phishers and large-scale malware attackers have learned through trial and error how to conceal illegal activity online. New entrants leave tracks all over the place.

“It’s clear these people really understand cryptocurrency and crypto assets really, really well,” he explains. “What they don’t understand is old-school operational security … they’re just not sophisticated that way. Legacy folks, they definitely have better operational security. They’re better at how they interface with it, how they distribute malicious code, how they manage user handles on different forums.”

However, signs indicate the newest actors are smart enough to learn – and they’ll be tougher to pin down once they do.

How Virtual Money Laundering Works
The first step of cryptocurrency laundering is called layering. In traditional money laundering, this would involve buying and reselling expensive goods. In the virtual world, it involves putting funds in the cryptocurrency system and moving them around with mixers or using privacy coins. The more money moves, the harder it is to trace.

Mixers, also called tumblers and foggers, accept coins from several customers and mix them together before reallocating mixed funds. They typically require a 1% to 3% fee and have advanced in recent years to better conceal the money’s origin. Now, Jevans says, they keep incoming and outgoing funds completely separate on the blockchain so there’s no way to link the two.

The Internet also has 100 to 200 gambling sites that serve as money-laundering tools. Thieves create accounts and transfer funds to be laundered. Some make simple bets; some withdraw funds to a new address without making bets at all. Gambling sites often don’t have a “know your customer” regulation, so it’s tough for law enforcement to learn where money came from.

Privacy coins like Zcash and Monero don’t make up the majority of transactions – most actors prefer bitcoin – but Jevans notes many cybercriminals are adopting them to fly under the radar. However, he anticipates these coins will soon be regulated so they comply with AML regulation.

AML Regulation Crackdown
Regulators are narrowing their focus on anti-money laundering (AML) regulation as virtual currencies are exploited to support malicious activity. The 5th Annual Europol Virtual Currency Conference, which recently took place in the Netherlands, became a place of conversation around how controls will be put into place.

“Where we’re seeing it going is toward more global standards,” Jevans says. “Trends are definitely toward more clear regulation [that is] easier to follow.”

The Office of Foreign Assets Control (OFAC) has a list of people, companies, addresses, bank accounts, and countries that are not allowed to conduct business with the US, and it plans to add cryptocurrency addresses to the list. FinCEN says money transmitters in foreign countries will be held accountable if they violate US AML regulations.
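The layering steps described above (hops through fresh addresses, a mixer, a gambling site) and the OFAC address-list screening mentioned here are both illustrated by the following added example, which is not code from the article or from CipherTrace. It builds a small constructed ledger with placeholder addresses and does two defender-side things: it traces stolen funds forward until the trail hits a mixer, and it screens an exchange deposit backward against constructed sanctions, mixer and high-risk watch lists. The address names, the watch lists and the hop limits are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sample ledger for illustration (not real blockchain data).
# Each record: (txid, sender address, receiver address, amount).
# Addresses are descriptive placeholders, not real cryptocurrency addresses.
LEDGER = [
    ("tx01", "exchange_A_hot_wallet", "thief", 100.0),    # the theft itself
    ("tx02", "thief", "hop_1", 100.0),                     # layering: hop to a fresh address
    ("tx03", "hop_1", "hop_2", 99.5),
    ("tx04", "hop_2", "mixer_deposit", 99.0),              # funds enter a mixer
    ("tx05", "mixer_payout", "gambling_site", 50.0),       # mixer pays out from an unlinked address
    ("tx06", "gambling_site", "cashout_1", 49.0),          # withdrawn without placing bets
    ("tx07", "cashout_1", "exchange_B_deposit_1", 48.5),   # attempt to cash out at another exchange
    ("tx08", "alice", "bob", 1.0),                         # ordinary unrelated traffic
    ("tx09", "bob", "exchange_B_deposit_2", 1.0),
    ("tx10", "sanctioned_entity", "carol", 5.0),           # counterparty on a sanctions list
    ("tx11", "carol", "exchange_B_deposit_3", 5.0),
]

# Watch lists an exchange's compliance team would maintain (constructed here).
SANCTIONED = {"sanctioned_entity"}
MIXERS = {"mixer_deposit", "mixer_payout"}
HIGH_RISK = {"gambling_site"}


def build_graph(ledger):
    """Index the ledger by sender (forward edges) and by receiver (backward edges)."""
    forward, backward = defaultdict(list), defaultdict(list)
    for txid, src, dst, amount in ledger:
        forward[src].append((txid, dst, amount))
        backward[dst].append((txid, src, amount))
    return forward, backward


def trace_forward(ledger, origin, max_hops=8):
    """Follow stolen funds forward from a known theft address.

    Returns (reached, lost_at): addresses reached with their hop distance, and the
    mixers at which the on-chain link is severed. Tracing does not continue through
    a mixer: its payouts come from addresses with no visible link to the deposit,
    so anything beyond that point would be guesswork rather than evidence.
    """
    forward, _ = build_graph(ledger)
    reached, lost_at = {}, []
    queue = deque([(origin, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in reached or hops > max_hops:
            continue
        reached[addr] = hops
        if addr in MIXERS:
            lost_at.append(addr)
            continue
        for _txid, dst, _amount in forward[addr]:
            queue.append((dst, hops + 1))
    return reached, lost_at


def screen_deposit(ledger, deposit_addr, max_hops=8):
    """Walk backward from an incoming deposit and list every watch-listed address
    the funds touched within max_hops, together with the path that led there."""
    _, backward = build_graph(ledger)
    findings, seen = [], set()
    queue = deque([(deposit_addr, 0, [deposit_addr])])
    while queue:
        addr, hops, path = queue.popleft()
        if addr in seen or hops > max_hops:
            continue
        seen.add(addr)
        if addr in SANCTIONED:
            findings.append(("sanctioned", addr, hops, path))
        elif addr in MIXERS:
            findings.append(("mixer", addr, hops, path))
            continue  # the trail ends here; passing through a mixer is a finding in itself
        elif addr in HIGH_RISK:
            findings.append(("high_risk", addr, hops, path))
        for _txid, src, _amount in backward[addr]:
            queue.append((src, hops + 1, path + [src]))
    return findings


def deposit_decision(findings):
    """Map screening findings to an action: block sanctioned exposure, hold
    mixer or high-risk exposure for manual review, otherwise clear."""
    kinds = {kind for kind, *_ in findings}
    if "sanctioned" in kinds:
        return "block"
    if kinds & {"mixer", "high_risk"}:
        return "review"
    return "clear"


if __name__ == "__main__":
    print(trace_forward(LEDGER, "thief"))
    for deposit in ("exchange_B_deposit_1", "exchange_B_deposit_2", "exchange_B_deposit_3"):
        found = screen_deposit(LEDGER, deposit)
        print(deposit, deposit_decision(found), found)
```

The point the example makes is the one Jevans describes: forward tracing from the theft stops dead at the mixer, while backward screening from the cash-out still surfaces the gambling site and the mixer payout as reasons to hold the deposit for review, and a direct path to a listed address is grounds to block it outright.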

The US Secret Service is taking a closer look at privacy coins, such as Monero and Zcash, and their role in cybercrime while advising Congress to consider additional legislative action. On June 20, the Secret Service claimed to have seized over $28 million in digital currencies in its criminal investigations. Main government branches are allegedly considering new regulations.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/cryptocurrency-theft-drives-3x-increase-in-money-laundering-/d/d-id/1332212?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved.

DDoS attacks don’t arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai’s report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of “script kiddies.”

“I believe [kids are] growing up faster because they’re exposed to it,” says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. “They also have a greater amount of time they can commit to it.” She continues, “Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target.”

That target was hit with a reflection and massive amplification attack using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault abusing the service in a malicious manner. Because an internet-exposed memcached server answers a small request with a far larger response (the 51,000-fold ratio noted above), it makes a very effective amplifier in the DDoS attacker’s arsenal.

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.
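As an added example (not code from either report), the following Python script shows how a defender would spot the two patterns just described in flow telemetry: memcached reflection traffic (large UDP packets with source port 11211) and the multi-vector mix of UDP and TCP hitting one destination range. The flow records, their text format, the RFC 5737 documentation addresses and the two alert thresholds are all constructed for the demonstration; flows are aggregated per destination /24 and per second because, as the reports note, the target of the largest attack was a whole /24.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow records in a NetFlow-like text form (not real traffic).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    "2018-02-28T17:28:01 203.0.113.5:11211 -> 198.51.100.7:45000 udp bytes=28000000 pkts=20000",
    "2018-02-28T17:28:01 203.0.113.6:11211 -> 198.51.100.7:45000 udp bytes=28000000 pkts=20000",
    "2018-02-28T17:28:01 203.0.113.7:11211 -> 198.51.100.8:45000 udp bytes=28000000 pkts=20000",
    "2018-02-28T17:28:01 192.0.2.9:40000 -> 198.51.100.7:80 tcp bytes=1800000 pkts=30000",
    "2018-02-28T17:28:01 203.0.113.10:443 -> 198.51.100.20:51000 tcp bytes=50000 pkts=40",
    "2018-02-28T17:28:02 198.51.100.30:53 -> 192.0.2.50:33333 udp bytes=12000 pkts=100",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>udp|tcp) bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+)$"
)
MEMCACHED_PORT = 11211
REFLECTION_MIN_BYTES_PER_PKT = 1000   # tuning placeholder: reflected responses are large packets
PPS_ALERT_THRESHOLD = 50_000          # tuning placeholder: packets/second per destination /24


def parse_flow(line):
    """Parse one constructed flow record into a dict with numeric fields."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    flow = m.groupdict()
    for key in ("sport", "dport", "bytes", "pkts"):
        flow[key] = int(flow[key])
    return flow


def classify_vector(flow):
    """Label the attack vector a flow belongs to: memcached reflection is UDP from
    source port 11211 with large packets; everything else is labelled by protocol."""
    if (flow["proto"] == "udp" and flow["sport"] == MEMCACHED_PORT and flow["pkts"]
            and flow["bytes"] / flow["pkts"] >= REFLECTION_MIN_BYTES_PER_PKT):
        return "memcached_reflection"
    return flow["proto"]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification: response size divided by the spoofed request size."""
    return response_bytes / request_bytes


def detect(lines):
    """Aggregate flows per destination /24 and per second; return alerts keyed by
    (prefix, timestamp) for buckets over the packet-rate threshold."""
    buckets = defaultdict(lambda: {"pps": 0, "bytes": 0, "vectors": set(), "hosts": set()})
    for line in lines:
        flow = parse_flow(line)
        prefix = str(ipaddress.ip_network(f"{flow['dst']}/24", strict=False))
        bucket = buckets[(prefix, flow["ts"])]
        bucket["pps"] += flow["pkts"]
        bucket["bytes"] += flow["bytes"]
        bucket["vectors"].add(classify_vector(flow))
        bucket["hosts"].add(flow["dst"])
    alerts = {}
    for key, bucket in buckets.items():
        if bucket["pps"] >= PPS_ALERT_THRESHOLD:
            vectors = sorted(bucket["vectors"])
            alerts[key] = {
                "pps": bucket["pps"],
                "mbps": bucket["bytes"] * 8 / 1e6,
                "vectors": vectors,
                "multi_vector": len(vectors) > 1,   # the 58% case from the Verisign report
                "targets": sorted(bucket["hosts"]),
            }
    return alerts


if __name__ == "__main__":
    for key, alert in detect(SAMPLE_FLOWS).items():
        print(key, alert)
    print("amplification of a 15-byte request answered with 750 kB:",
          amplification_factor(15, 750_000))
```

In the sample data the 198.51.100.0/24 bucket trips the threshold with both a memcached reflection vector and a TCP vector, so it is reported as multi-vector, while the single small DNS reply to 192.0.2.50 is ignored. The per-/24 aggregation is what lets an operator see a subnet-wide attack that would look like several unrelated, smaller events when viewed per host.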

The nature of attacks continues to evolve through the industry. “Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond,” Beegle says. Now, “I’ve seen attacks that were a week long, where [the attacker] changed the dynamics during the attack,” she says. Moving forward, Beegle expects both types of attacks to continue. “I think there will always be the mix, depending on who the target is and who the attacker is,” she says. “We’ve seen some nation-state action and that will always be different than the script kiddies.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/bigger-faster-stronger-2-reports-detail-the-evolving-state-of-ddos/d/d-id/1332213?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Typeform data breach hits thousands of survey accounts

Survey company Typeform has admitted suffering a breach caused by attackers downloading a “partial backup” of its customer data.

The Spanish company said it noticed the issue on 27 June, remedying its cause within 30 minutes. The affected data was that collected prior to 3 May, which meant:

Results collected since May 3rd 2018 are therefore safe and not compromised.

As breaches go, this is a slightly complicated one because Typeform’s paying customers are businesses that use its software to conduct customer surveys and quizzes.

Each one of those collects data from possibly tens of thousands of their own customers when they take part, which widens the breach’s scope.

Each affected provider will therefore need to contact these customers independently – a situation that draws parallels with the breach suffered by email marketing provider Epsilon in 2011, which saw dozens of large brands sending out apology emails.

Typeform said affected account holders would be informed by email. The Tasmanian Electoral Commission, British prestige brand Fortnum Mason, digital bank Monzo, and food maker Birdseye have been among those issuing their own alerts, but this is only a fraction of the company’s business customer base, which runs to thousands.

Announced Monzo:

Our initial investigations suggest that some personal data of about 20,000 people is likely to have been included in the breach.

Which data was compromised?

Typeform is vague about specifics, choosing to mention only what isn’t at risk, namely subscription payment data, Typeform account passwords, any payments collected via Stripe integration, and audience payment data.

According to Monzo’s alert, in the vast majority of cases it will have been email addresses, and in a small number of cases, Twitter usernames, postcodes, salary bands, and ages.

What to do?

If you’re a business, Typeform has helpfully provided an apology email to send to customers, although large brands will likely decide to write their own. It does add this interesting detail:

If your name and email was downloaded by the attacker, then we recommend that you watch out for potential phishing scams, or spam emails.

Which brings us to the coalface of this breach – the unknown number of people who have never heard of Typeform, nor realised their data was being stored by them, but who might receive alert emails from the business that used it.

If you’re unlucky enough to be one of these, it seems the risk is, as stated, receiving phishing scams, that might use personal data from the breach to try to lure you in.

Be careful what you click on.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2JPKwnO2mqk/

Facebook gave certain companies special access to customer data

What do Russian internet company Mail.ru, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access the private Friends data API despite the company supposedly changing the policy allowing this in May 2015.

This is news because it shouldn’t have been possible. As Facebook explains the policy, first communicated to all companies in April 2014:

We made clear that existing apps would have a year to transition – at which point they would be forced to migrate to the more restricted API and be subject to Facebook’s new review and approval protocols.

It wasn’t a long extension, amounting to six months for all bar one company, accessibility app company Serotek, which was given eight months in total.

Facebook doesn’t make clear why this happened, a frustrating omission in a document that runs to 747 pages of answers to around 2,000 questions sent by US lawmakers following Mark Zuckerberg’s Senate grilling in April.

It’s the latest story to emerge from what in retrospect looks like a slightly botched and inconsistent transition from one API policy to another, more restrictive one.

Contentiously, the earlier policy was not only allowing access to the data of each app’s users – name, gender, location, birth date – but that of their friends too, if they had their profiles set to Public.

Post-Cambridge Analytica, and suddenly everyone’s looking at Facebook’s privacy modus operandi and asking why the new API policy was allowed to slide for some but not others.

For the most part, the policy change has only served to draw attention to the fact that it was in need of changing. That such a policy was ever in place highlights the sort of access Facebook has been giving partners without anyone – least of all its users – knowing about it.

To make matters worse, it seems some had highly privileged access all along: 60 device makers, including Apple, Samsung, Amazon, and BlackBerry had separate, long-term agreements allowing them access to the same Friends data.

It’s almost as if sharing restrictions depended on that company’s value to Facebook. Said researcher and former FTC chief technologist, Ashkan Soltani, to the New York Times:

It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n35rGLGIQrU/

Immigrant identity thief and ICE lawyer gets four years

A former high-ranking lawyer at US Immigration and Customs Enforcement is going to jail for four years after stealing the identities of US immigrants.

Until he was charged in February, Raphael A. Sanchez was the Chief Counsel at ICE’s Office of the Principal Legal Advisor. He used his position as a government lawyer deporting immigrants in Alaska, Oregon and Washington in what courts described as “an intricate web of deception” to steal their records and use them for personal gain.

According to a Department of Justice press release issued in late June, 44-year-old Sanchez admitted to targeting people who were in the middle of being deported by ICE. He would misuse their personal information to take out credit cards, personal loans and other lines of credit in their names.

Sanchez had access to their records via ICE databases, and their official Alien Files, also known as ‘A-Files’. These are immigration documents with an individual Alien Registration Number that is used to identify non-citizens.

According to the US Citizenship and Immigration Services, Alien Files are rich sources of biographical information, sometimes containing visas, photographs, applications, affidavits and correspondence. Sanchez used the information in them to obtain social security cards and Washington State drivers’ licenses in victims’ names and then open credit card and bank accounts and even public utility accounts with them.

His sentencing memo shows that he used his own photograph on fake IDs of male victims, and even used the photograph of a murdered woman that had been published in the press to create fake female IDs.

According to the February indictment, in 2016 Sanchez sent himself an energy bill, a permanent resident card, and part of a passport issued to a victim.

The indictment says that Sanchez used details like these…

…to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, and in doing so, transmitted and caused to be transmitted by means of wire communications in interstate or foreign commerce, writings, signals and email communications for the purpose of executing such a scheme and artifice to defraud.

Sanchez, who earned $162,000 from his job at ICE, spent the four years between October 2013 and 2017 defrauding financial institutions including American Express, Bank Of America, Capital One, Citibank and J.P. Morgan Chase using personal information stolen from seven people.

Sanchez would transfer money from accounts in these victims’ names to his personal account via businesses operating under various trade names. He used payment services like Square and Venmo to try and cover his tracks by making it look as though victims were making legitimate purchases.

He also registered a car in one victim’s name and claimed three ‘aliens’ as relative dependents on his tax returns to fraudulently claim deductions.

All in all, Sanchez made $190,000 in profit from the fraud, which he will have to repay as part of his sentence.

He pleaded guilty in February to one count of wire fraud and one count of aggravated identity theft, and will serve 24 months for each, consecutively.

In explaining the four-year prison term, the sentencing memo said:

Sanchez abandoned the principles he swore to uphold and used his authority merely as a vehicle for personal profit. He left numerous victims to suffer in his wake. More broadly, his greed may have diminished the public’s trust in the honest services of its government.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vV6QUPnOHd4/

Tool scrubs hidden tracking data from printed documents

Just because a document isn’t digital doesn’t mean it doesn’t contain metadata. Printed documents often have their own hidden details, and now German researchers have developed tools to help you scrub them clean.

We have known for over a decade that most colour laser printers embed unique details to trace each document back to its source. They typically use tiny patterns of yellow dots, invisible to the naked eye, containing information such as their serial number and when the document was printed.

Now, researchers have released software to strip documents of that information. This could help whistleblowers to reveal sensitive information without getting caught, they claim.

Printer manufacturers have included this feature for years. The devices add the invisible dots to the image just before it hits the paper. The information hides in plain sight as a repeating matrix, nestled in the document’s white spaces, viewable only with a blue LED light and a magnifier, but it can trace every printout uniquely to your printer. Manufacturers rarely notify customers about these features, but law enforcement uses them to fight counterfeiters.

Timo Richter and Stephan Escher, researchers at TU Dresden’s Chair of Privacy and Data Security, cited NSA whistleblower Reality Leigh Winner as an example of what happens when governments and companies use these tracking dots to invade people’s privacy.

Winner, who worked for Pluribus International Corporation, was stationed at the NSA where she printed a top-secret document detailing a cyber attack by Russian military intelligence on US election infrastructure.

She had printed the document on NSA printers; investigative journalism site the Intercept then scanned it and reproduced it online. Winner’s arrest affidavit shows that she was identified following an ‘internal audit’.

Errata Security showed at the time how the document contained a dot pattern showing when it was printed, and on what device, which may have been one of many clues leading to her arrest. Winner is set to serve at least five years in jail after reaching a plea deal last week.

Reading between the lines

The TU Dresden researchers wanted to give people the chance to manipulate these dots for themselves. They analysed 1286 prints from 141 printers spanning 18 manufacturers to document the patterns in use, and found four separate pattern formats used by different manufacturers.

Along with colleagues Dagmar Schönfeld and Thorsten Strufe, the duo created a tool, called Dot Extraction, Decoding and Anonymisation (DEDA). They also wrote a paper detailing its inner workings.

The tool offers a range of functions in two broad groups: analysis and anonymization.

On the analysis side, DEDA ‘reads’ the dots in a scanned document to find out what pattern it uses and to extract any information it can. If the tool cannot decode the dot pattern, it can still extract the dots for further analysis. Users wanting to forensically analyse several files at once can also use the tool to identify which of them were produced by different printers.

On the anonymization side, DEDA can anonymize a scanned image by wiping all the dots from its whitespace. It can also anonymize a document for printing by adding more dots to the existing pattern, confusing anyone who tries to read the information. This is a more time-consuming process, involving the production of a mask which must then be aligned with the scanned document before printing the anonymized version.
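To make the analysis and anonymization functions described above concrete, here is an added, self-contained illustration in Python. It is not DEDA’s code and does not reproduce any manufacturer’s real dot encoding: the page image, the pale-yellow dot colour and the tile layout are all constructed for the example. It locates yellow-looking pixels in the white space of a “scan”, estimates the period of the repeating matrix by checking how well the dot set overlaps itself under a shift, derives a per-printer fingerprint from the dot offsets inside one tile (so several scans can be grouped by device), and finally wipes the dots while leaving the page content untouched.

```python
"""Added illustration (constructed, not DEDA and not any vendor's real scheme):
locate a repeating pale-yellow dot matrix in a scanned page, derive a
per-printer fingerprint from it, and wipe it for anonymisation."""

WHITE = (255, 255, 255)
BLACK = (0, 0, 0)
DOT = (250, 250, 190)  # constructed pale-yellow value for a tracking dot


def make_scan(width=96, height=96, period=16,
              cells=((1, 1), (3, 2), (6, 5), (2, 7)),
              text_box=(20, 40, 76, 56)):
    """Constructed 'scan': white page, one black text block, and a dot
    tile repeated every `period` px wherever the paper is white.
    `cells` are the (dx, dy) offsets inside one tile that carry a dot;
    they stand in for a vendor's encoding of serial number and time."""
    img = [[WHITE] * width for _ in range(height)]
    x0, y0, x1, y1 = text_box
    for y in range(y0, y1):
        for x in range(x0, x1):
            img[y][x] = BLACK
    for ty in range(0, height, period):
        for tx in range(0, width, period):
            for dx, dy in cells:
                px, py = tx + dx, ty + dy
                if px < width and py < height and img[py][px] == WHITE:
                    img[py][px] = DOT
    return img


def is_dot_pixel(rgb):
    """Yellow on white: strong red and green, noticeably weaker blue."""
    r, g, b = rgb
    return r > 200 and g > 200 and (r - b) > 30


def find_dots(img):
    """Analysis step 1: the (x, y) set of every yellow-looking pixel."""
    return {(x, y) for y, row in enumerate(img)
            for x, px in enumerate(row) if is_dot_pixel(px)}


def estimate_period(dots, axis=0, max_shift=64):
    """Analysis step 2: the shift along `axis` (0 = x, 1 = y) under which the
    dot set best overlaps itself, i.e. the tile size of the repeating matrix."""
    best_shift, best_hits = None, -1
    for shift in range(1, max_shift + 1):
        hits = 0
        for x, y in dots:
            moved = (x + shift, y) if axis == 0 else (x, y + shift)
            if moved in dots:
                hits += 1
        if hits > best_hits:
            best_shift, best_hits = shift, hits
    return best_shift


def fingerprint(dots, period):
    """Analysis step 3: dot offsets inside one tile. Two scans with the same
    fingerprint came, in this toy model, from the same printer. A real scan
    is rotated/offset and needs alignment first, which is skipped here."""
    return frozenset((x % period, y % period) for x, y in dots)


def wipe_dots(img):
    """Anonymisation by erasure: paint every detected dot pixel white,
    leaving the page content untouched."""
    return [[WHITE if is_dot_pixel(px) else px for px in row] for row in img]


def same_printer(img_a, img_b):
    """Forensic grouping of several scans: compare their tile fingerprints."""
    da, db = find_dots(img_a), find_dots(img_b)
    pa, pb = estimate_period(da), estimate_period(db)
    return pa == pb and fingerprint(da, pa) == fingerprint(db, pb)


if __name__ == "__main__":
    scan = make_scan()
    dots = find_dots(scan)
    p = estimate_period(dots)
    print("dots found:", len(dots), "tile period:", p, "x", estimate_period(dots, axis=1))
    print("fingerprint:", sorted(fingerprint(dots, p)))
    print("dots after wipe:", len(find_dots(wipe_dots(scan))))
```

The period estimate works because a shift equal to the tile size maps almost every dot onto another dot, while any other shift maps almost none; in the constructed image the only misses are dots near the page edge or next to the text block, which is also why the real tool has to align a mask with the scan before it can wipe or extend the pattern. The colour test is deliberately loose, since on a real scan the dots are faint and the scanner adds noise; a practitioner would tune the thresholds against a known-clean page.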

TU Dresden’s tool isn’t the only project to target these yellow dots. A year ago, CryptoAUSTRALIA researcher Gabor Szathmari submitted a pull request to an open source sanitising tool called PDF Redact Tool, produced by the Intercept’s owner, First Look Media. The changes, which were added to the product, take a lower-tech approach by converting images to black and white, effectively removing the tracking dots.

User beware

Does all this mean that you can safely use these tools to scrub your whistleblowing documents of any identifying data? Perhaps not.

The EFF, in its no-longer-updated list of yellow dot-producing printers, cites documents that it received from the government in FOIA requests. These suggest that all major manufacturers may have entered into an agreement to embed some kind of forensic tracking technology, it says, adding:

It appears likely that all recent commercial laser printers print some kind of forensic tracking codes, not necessarily using yellow dots. This is true whether or not those codes are visible to the eye and whether or not the printer models are listed here. This also includes the printers that are listed here as not producing yellow dots.

There are also other tracking mechanisms (which the TU Dresden team describes as ‘passive’ in their paper). These include analyzing halftone patterns in printed images and looking for slight geometrical differences in printed characters. Forensic analysts used that technique to trace typewritten documents long before printers came along.

So if you’re planning to blow the lid off a scandal by scanning and reprinting the telltale documents, be careful – there may, quite literally, be more than meets the eye.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hWIc2GSE6pY/

‘Coding’ cockup blamed for NHS cough-up of confidential info against patients’ wishes

Confidential information on 150,000 NHS patients has been distributed against their wishes for years due to a “coding error” by healthcare software supplier TPP.

NHS Digital, the body that oversees the healthcare service’s use of data, fessed up to the bungle – which saw data on the affected patients used in ways they had specifically requested it wasn’t – this week.

It affects patients who registered what is known as a type 2 opt-out – which says clinical information can’t be used for anything other than their own care – between March 2015 and June 2018 at a GP surgery that used TPP’s SystmOne software.

According to NHS Digital, a coding error in the SystmOne application meant that the opt-out information was not sent to NHS Digital, and so the body used the information for other purposes, such as research or clinical audits.

The body said that TPP spotted the error on 26 June, and that it stopped data-sharing on patients who had made type 2 opt-outs the day after. It is now contacting the affected patients, which amounts to about 10 per cent of the total number of opt-outs, along with GP practices.

It added that TPP and NHS Digital would “ensure that testing and assurance of patient data extracts is enhanced” in future to prevent similar errors.

In a statement to Parliament, health minister Jackie Doyle-Price appeared to try to sugarcoat the pill, saying that the data had been used “in clinical audit and research that helps drive improvements in outcomes for patients”.

Both NHS Digital and TPP issued the usual missives setting out their “unreserved apologies”, with TPP clinical director John Parry saying in a canned statement that “privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information”.


However, the error will be seen as another black mark against the NHS and its ability to handle confidential patient information at a time when it is trying to regain public trust following previous botched data-sharing schemes.

Phil Booth, co-ordinator at MedConfidential, said that the incident demonstrated why patients should be able to see what is done with their data.

“NHS Digital failed to see this in over three years, and the IT company that made the error failed to see it too. But any patient, especially someone concerned enough to opt out, would have spotted this in an instant.”

The Information Commissioner’s Office confirmed that it was aware of the issue and was making enquiries. The watchdog already carried out an in-depth review of NHS Digital’s handling of type 2 opt-outs in 2016.

The 2016 probe was provoked by the revelation that NHS Digital had failed to honour the requests of about 700,000 patients who had attempted to register a type 2 opt-out before 29 April 2016. At that time, the body avoided a penalty after promising that a new system it had set up to process and uphold the objections would ensure it toed the line.

And it isn’t the first time that TPP’s SystmOne has come under fire. In March 2017 it was revealed that it was not possible for GPs to find out exactly who had accessed patient information through a newly introduced record-sharing feature.

The aim of that feature was to allow organisations such as hospitals and care homes to access GPs’ notes to help patient care, but it was found that the audit function could only point at organisations, not individuals.

NHS Digital said that the errors revealed this week “would not be able to occur using the new National Data Opt-Out” – a system that was introduced on 25 May that should allow patients to register their data-sharing preferences via a form available online, by phone or on paper.

This was echoed by Doyle-Price, who claimed that the system “has simplified the process of registering an objection to data-sharing for uses beyond an individual’s care”.

However, Booth countered that the online process “makes expressing a choice significantly harder for families with children and other dependants”, as it can require them to send in various forms of identity documentation, rather than making a direct request of their own GP. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/03/confidential_patient_info_nhs_software_share_tpp/