
UK.gov’s long-awaited, lightweight biometrics strategy fails to impress

Analysis The UK government’s lightweight biometrics strategy has failed to make any serious policy recommendations – instead reiterating a series of already announced promises and promising further consultation on governance.

The long-awaited strategy – first promised in 2012 – landed at 4pm on Thursday with a rather light thud, running to just 27 pages. Of these, three are cover and contents, one is a ministerial foreword, two are a glossary, and seven an annex.

This leaves a whopping 14 pages to detail the Home Office’s approach to the increased use of biometric information in everyday public services – and unsurprisingly, the pamphlet falls short of the mark.

“The government’s biometrics strategy is a major disappointment,” said Big Brother Watch director Silkie Carlo. “After five years of waiting, it reads like a late piece of homework with a remarkable lack of any strategy.”

Norman Lamb, chairman of Parliament’s Commons Science and Technology Select Committee, agreed, saying that a 27-page document “simply does not do justice to the critical issues involved,” and lamenting the fact it doesn’t say what actions the government will take or, “just as importantly, what outcomes it wants to avoid.”

Perhaps in anticipation of such criticisms, the Home Office noted that the strategy “does not seek to address all the current or future uses of biometrics.”

However, even with this proviso, the recommendations leave much to be desired, acting more like a scene-setter to the existing use of biometrics by the Home Office that pulls together previous announcements, while offering few concrete overarching policy objectives.

‘Kicking the can down the road’

Among the bigger picture promises on oversight are an already announced board to provide the government with policy recommendations on the use of facial biometrics, and a plan to seek opinions on the governance of biometrics through a 12-month consultation.

But Lamb said this exercise “smacks of continuing to kick the can down the road,” adding that it was “simply not good enough” to wait another year for a proper strategy to be produced.

Elsewhere in this section – which is somewhat optimistically titled “maintaining public trust” – the government promised to carry out legally required data protection impact assessments before it uses a new piece of biometric technology or applies an existing one to a new problem.

The strategy also fails to do more than make passing references to some of the most controversial and widely debated aspects of the Home Office’s use of biometrics.

For instance, on the continued retention of photos of people held in police custody who haven’t been convicted, despite this practice being ruled unlawful, the government simply reiterated the fact its computer systems do not support the automatic removal of images, and that new systems should help.

“When the Law Enforcement Data Service, which will replace the Police National Computer (PNC) and the PND, is in place it will enable more efficient review and where appropriate, automatic deletion of custody images by linking them to conviction status, more closely replicating the system for DNA and fingerprints,” it said.

Automated facial recognition? Yep, we’re still trialling it

It’s a similar story on the police’s use of automated facial recognition – something that has stirred up public debate and is the subject of two legal challenges backed by Liberty and Big Brother Watch.

Although the Home Office pledged to work with regulators to update codes of practice and “ensure that standards are in place to regulate the use of AFR [automatic facial recognition] in identification before it is widely adopted for mainstream law enforcement purposes,” it failed to offer a detailed explanation of how these standards would be developed or what they might include.

And, in the meantime, the police will continue with their trials of AFR – which have been criticised for a lack of transparency and an apparent ad hoc nature. As Carlo noted, the capital’s Met Police was out using the kit in Stratford, London, on Thursday.

The Home Office also outlined its own plan to “run proof of concept trials to develop this work, including at the UK border,” and mooted allowing forces access to facial image collections at custody suites and on mobile devices.

It added it was considering sharing and matching facial images held by the Home Office and those of other government departments, but again offered precious little extra detail.

Other plans included an increased use of biometrics at ports, extending access to fingerprints within the criminal justice system – including a trial to allow prisons to cross-reference local and national databases – and improving automation of fingerprint enrollment at visa centres.

The overall effect is of a shopping list of ways the government could use biometrics combined with earnest but thin references to the importance of ethics and oversight, which is at odds with the detailed and considered reports drawn up by smaller organisations in less time.

Summing up the mood, Carlo said: “While Big Brother Watch and others are doing serious work to analyse the rights impact of the growing use of biometrics, the Home Office appears to lack either the will or competence to take the issues seriously.

“For a government that is building some of the biggest biometric databases in the world, this is alarming.”

‘Disappointing and short-sighted’

The biometrics commissioner, Paul Wiles, issued his response to the strategy late last night, complaining that the document lays out the current uses of biometric information and says little about future uses.

“It is disappointing that the Home Office document is not forward looking as one would expect from a strategy,” he said, pointing out that it falls short of proposing legislation to set rules on the use and oversight of new biometrics.

This failure to set out a definitive picture of the future landscape is “short sighted at best”, Wiles said.

He also noted that the proposed oversight and advisory board is described as focusing only on police use of facial images.

“What is actually required is a governance framework that will cover all future biometrics rather than a series of ad hoc responses to problems as they emerge,” Wiles said.

“I hope that the Home Office will re-consider and clearly extend the advisory board’s remit to properly consider all future biometrics and will name the board accordingly.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/29/uk_biometrics_strategy/

Brave browser’s hamburger menu serves Tor onion routing

Brave Software has updated its web browser so that its private mode actually supports privacy, or nearly – a few lingering technical issues still need to get ironed out.

The outfit’s latest desktop release, Brave 0.23, integrates Tor, the free open-source software that aims to help netizens evade online surveillance, in its Private Tabs feature.

The Tor network masks users’ true public IP addresses, by routing connections through nodes scattered over the world, in an attempt to conceal their whereabouts and identity. Instead of connecting folks directly to websites and servers, it passes requests through a series of relays over encrypted connections, obfuscating the origin of the requests. Bear in mind the final relay to the public internet – your exit node – can snoop on your connection, so you should always use HTTPS to shroud your traffic from Tor relay administrators, just in case.
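The paragraph above makes two points that are easier to see in code than in prose: each relay only learns the next hop, and the exit relay forwards exactly what the client addressed to the site, so without HTTPS it can read the request. The following is an added, constructed illustration written for this page, not Tor’s protocol or Brave’s code: the per-hop “cipher” is XOR with an HMAC-SHA256 keystream, used only so the script runs on the Python standard library (real Tor negotiates per-hop keys with each relay and uses AES), and the relay names, keys, destination and request are made up.

```python
"""Toy onion routing, to show what each relay on a Tor-style circuit can see.

Added, constructed example: not Tor's real protocol or Brave's code. The
per-hop "cipher" is XOR with an HMAC-SHA256 keystream, chosen only so the
script runs on the standard library. Relay names, keys and the request are
made up.
"""
import hashlib
import hmac
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a counter-mode keystream derived from HMAC-SHA256.

    XOR is its own inverse, so the same call both encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Wrap payload in one encryption layer per relay, innermost layer first.

    path is a list of (relay_name, key). Relay i's layer holds only the name
    of hop i+1 (the destination, for the exit) and the still-wrapped remainder.
    """
    next_hops = [name for name, _ in path][1:] + [destination]
    blob = payload
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "inner": blob.hex()}).encode()
        blob = keystream_xor(key, layer)
    return blob


def relay_peel(key: bytes, blob: bytes):
    """What one relay does: strip its own layer and learn the next hop."""
    layer = json.loads(keystream_xor(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def run_circuit(path, destination: str, payload: bytes):
    """Pass the onion through every relay; record (relay, next_hop, forwarded bytes)."""
    blob = build_onion(path, destination, payload)
    seen = []
    for name, key in path:
        nxt, inner = relay_peel(key, blob)
        seen.append((name, nxt, inner))
        blob = inner
    return seen


# Constructed circuit with fixed keys so the run is reproducible.
PATH = [(name, hashlib.sha256(f"{name}-key".encode()).digest())
        for name in ("guard", "middle", "exit")]
DESTINATION = "example.test"
REQUEST = b"GET /account HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"


def demo(end_to_end_encrypted: bool) -> dict:
    """Send REQUEST over the circuit, with or without HTTPS-style end-to-end encryption.

    The end-to-end layer is simulated with a key shared only with the site;
    the exit relay can strip its own layer but not this one.
    """
    site_key = hashlib.sha256(b"tls-session-key").digest()
    payload = keystream_xor(site_key, REQUEST) if end_to_end_encrypted else REQUEST
    seen = run_circuit(PATH, DESTINATION, payload)
    return {
        "hops": [(name, nxt) for name, nxt, _ in seen],
        # the guard only ever handles ciphertext meant for the middle relay
        "guard_sees_cookie": b"Cookie:" in seen[0][2],
        "guard_sees_destination": DESTINATION.encode() in seen[0][2],
        # the exit forwards exactly what the client addressed to the site
        "exit_sees_cookie": b"Cookie:" in seen[-1][2],
    }


if __name__ == "__main__":
    for e2e in (False, True):
        print("end-to-end encrypted" if e2e else "plain HTTP", demo(e2e))
```

Running `demo(False)` shows the guard learning only “middle” and the exit learning “example.test” plus the full plaintext request, cookie included; `demo(True)` shows the same hops but an exit that forwards only ciphertext, which is exactly what using HTTPS over Tor buys you.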

You can also use Tor to access sites within the anonymizing network, known as hidden services.

Popular browsers such as Chrome, Edge, Firefox (the basis for the official Tor browser) and Safari claim they support privacy, but they only get users halfway there. Their respective privacy modes prevent browsing data from being retained within the browser, however, they don’t conceal the user’s public IP address.

So if you were surfing the internet at home using Chrome’s Incognito mode, your browsing history and web cookies associated with that session would not be stored by Chrome. However, websites you visit, or surveillance boxes along your internet route, will log your public IP address, which can be used to track you down, via your ISP, to your home address, or identify you as you browse around the internet.

Most people won’t and don’t care about that. But maybe you do.

“We provide a browser that works out of the box rather than asking users to configure network services themselves,” a company spokesperson explained in an email to The Register.

“Brave’s Private Tabs with Tor are accessible from the File menu by clicking New Private Tab with Tor (or from the hamburger menu at the top right of the screen). This makes enhanced privacy protection conveniently accessible within the browser. A Brave user can also have one or more regular tabs, session tabs, private tabs, and Private Tabs with Tor open.”

The Brave browser also helps against browser fingerprinting.

“Most trackers aren’t able to attempt fingerprinting attacks against Brave at all because we block them before they even load,” the company’s spokesperson said.

Brave defaults to DuckDuckGo for search in Private Tabs with Tor, because Google treats anonymous users differently than those it can identify.

“If you’re using Tor then Google will show a lot of challenges asking you to prove that you’re a human, and that makes the site much less pleasant to use,” Brave explained on its website.

Other sites may treat those using Private Tabs with Tor differently, too. Some may not work properly or may limit interaction – Wikipedia, for example, restricts anonymous edits over Tor.

There’s another potential downside: performance.

“Browsing via Tor is typically somewhat slower than using an unprotected connection,” Brave’s spokesperson said.

Like encryption program PGP, Tor amounts to pretty good privacy but it’s not perfect. In addition to the unavoidable risk of software vulnerabilities, the Brave team noted that the current integration of Tor remains a work in progress. In other words, it may leak your public IP address.

“Brave requires leak-proofing, which we intend to address in future versions (today is the beta release), as well as a New Identity button functionality, for instance,” Brave’s spokesperson said.

The browser biz advises downloading and using the full-blown Firefox-based Tor browser if you really need to protect your identity and hide your public IP address. Basically, if you like the cut of Brave’s jib, try out its Tor mode. If you’re particularly worried about privacy, go for the official Tor browser for now.

Those with serious, life-threatening privacy concerns, such as activists in authoritarian countries, should do their best to avoid technology altogether because digital security is so difficult to get right. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/29/brave_browser_tor/

It’s a bad, bad web ad world, and some hosting biz like it that way

Special report Digital ad fraud is potentially lucrative, difficult to detect, and getting worse.

“It is one of the biggest ways bad guys have of pulling money out of the online economy,” said Louis-David Mangin, co-founder and CEO of Confiant, a firm that helps publishers mitigate the damage done by hosting bad ads, in a phone interview with The Register. “It’s definitely getting worse.”

Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, makes a similar point in a report he plans to publish on Monday.

“Ad fraud is the most lucrative way to cash out of other major criminal activities,” his report, provided in advance to The Register, reads.

It’s nearly the perfect crime in the sense that it often goes unnoticed and hasn’t been as high a law enforcement priority as other online threats. Some industry experts talk about digital ad fraud as if it were legal, though they don’t really mean it.

Illegal, or is it?

Fou has in the past claimed digital ad fraud is legal, and he says something similar in his latest findings.

“Ad fraud isn’t illegal (no laws pertain to it) but other laws may be broken in the committing of it,” his report says.

“Ad fraud is against the terms of service of most ad exchanges, so it’s almost certainly a breach of contract,” said Ratko Vidakovic, founder and principal consultant at AdProfs, an ad tech consultancy based in Toronto, Canada, in an email to The Register.

“Then again, plausible deniability is always on the table, so it’s very hard to prove that a publisher is deliberately engaging in ad fraud without a rigorous investigation. To my knowledge, it’s not explicitly illegal. Although, I’m sure some could argue that it constitutes wire fraud, or violates any number of computer crime laws.”

While online ad fraud may not be specifically defined as a crime, it is nonetheless fraud, and is actionable at least under US law. What’s more, there are various statutes that can be brought to bear related to computer crimes, money laundering and the like, depending on the circumstances.

Asked about this, Fou said what he means is that digital ad fraud isn’t often prosecuted.

A tsunami of scams

Digital ad fraud can mean many different things. It can involve fake websites, fake online traffic, fake ads, fake ad agencies, fake audiences, fake ad bidding, fake accounts, fake devices, fake apps, and fake data.

It’s not just click fraud – bots clicking on ads or loading display ads to get paid. It may involve installation fraud, by which physical or virtual devices download and install apps, cycling through fake device identifiers to collect the installation payment from the app publisher. Or it may involve showing ads that paid to reach a high-value audience to a low-value audience.

AdProfs describes some of the variations: invisible ads, traffic arbitrage (buying low-value traffic and reselling it for more than it’s worth), domain spoofing (bad publishers misidentifying their sites), site bundling (bad publishers bundling networks of domains under a single ad network identifier), ad injection, cookie stuffing (to get credit for affiliate fees), and click farms.
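Three of the variations listed above leave a signature in ordinary ad-serving logs: domain spoofing (the domain declared in the bid is not the host the ad rendered on), installation fraud (one IP cycling through device identifiers) and click fraud (a device that clicks on nearly every ad it is shown). The following detector is an added example written for this page, not AdProfs’ or Confiant’s code; the log lines, field names and thresholds are constructed, and a production pipeline would use far larger windows and more signals.

```python
"""Heuristic ad-fraud detection over a constructed ad-event log.

Added example, not the page's or any vendor's code. Log lines and thresholds
are made up. The three checks map onto domain spoofing, install fraud with
cycled device identifiers, and click fraud.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed log: timestamp, event type, client IP, device id, the domain
# the seller declared in the bid, and the page host the ad actually rendered on.
LOG = """\
ts,event,ip,device_id,declared_domain,page_host
1,impression,203.0.113.5,dev-a1,premium-news.example,premium-news.example
2,click,203.0.113.5,dev-a1,premium-news.example,premium-news.example
3,impression,203.0.113.9,dev-b7,premium-news.example,content-farm.example
4,impression,203.0.113.9,dev-b8,premium-news.example,content-farm.example
5,install,198.51.100.20,dev-c1,app-store.example,
6,install,198.51.100.20,dev-c2,app-store.example,
7,install,198.51.100.20,dev-c3,app-store.example,
8,install,198.51.100.20,dev-c4,app-store.example,
9,install,198.51.100.20,dev-c5,app-store.example,
10,install,198.51.100.44,dev-e1,app-store.example,
11,impression,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
12,click,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
13,impression,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
14,click,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
15,impression,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
16,click,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
17,impression,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
18,click,192.0.2.77,dev-d1,gaming-site.example,gaming-site.example
"""


def parse_log(text: str) -> list:
    """Parse the CSV log into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def spoofed_domains(rows) -> list:
    """Impressions where the declared (sold) domain differs from the rendering host."""
    mismatches = {
        (r["declared_domain"], r["page_host"])
        for r in rows
        if r["event"] == "impression" and r["page_host"]
        and r["page_host"] != r["declared_domain"]
    }
    return sorted(mismatches)


def install_farms(rows, max_devices_per_ip: int = 3) -> dict:
    """IPs that present more distinct device ids on installs than a household plausibly has."""
    devices = defaultdict(set)
    for r in rows:
        if r["event"] == "install":
            devices[r["ip"]].add(r["device_id"])
    return {ip: len(ids) for ip, ids in devices.items() if len(ids) > max_devices_per_ip}


def suspicious_ctr(rows, min_impressions: int = 3, max_ctr: float = 0.5) -> dict:
    """(ip, device) pairs that click on almost every ad shown to them.

    The volume floor matters: one impression with one click is a normal
    user, not evidence of a bot, so it must not be flagged.
    """
    impressions, clicks = Counter(), Counter()
    for r in rows:
        key = (r["ip"], r["device_id"])
        if r["event"] == "impression":
            impressions[key] += 1
        elif r["event"] == "click":
            clicks[key] += 1
    return {
        key: clicks[key] / n
        for key, n in impressions.items()
        if n >= min_impressions and clicks[key] / n > max_ctr
    }


ROWS = parse_log(LOG)

if __name__ == "__main__":
    print("domain spoofing:", spoofed_domains(ROWS))
    print("install farms:", install_farms(ROWS))
    print("click bots:", suspicious_ctr(ROWS))
```

On the constructed log the spoofing check flags inventory sold as premium-news.example but rendered on content-farm.example, the install check flags the IP that presented five device ids, and the click check flags only the device with four clicks on four impressions; the single click from dev-a1 stays below the volume floor, which is the point of having one.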

Of course, before anyone asks, El Reg’s highly capable ad operations team works hard around the clock to ensure our ads are not only served to and seen by millions of real eyeballs each month, but also high quality and safe.

There is at least agreement that digital ad fraud happens, though not everyone considers it all that serious. A 2017 report by the Association of National Advertisers (ANA) put bot fraud losses at $6.5bn in 2017, down 10 per cent from $7.2bn in 2016.

The ANA report said 9 per cent of desktop display ad spending and 22 per cent of desktop video ad spending is lost to fraud. It dismisses mobile ad fraud as less than 2 per cent of spending, while noting “this does not include fraud in mobile web video or pay-per-click fraud, which remain high and problematic.”

Juniper Research last year predicted $19bn will be lost to digital ad fraud in 2018.

But ad fraud statistics offer an incomplete picture of what’s going on because they tend to focus on one specific segment of the industry while omitting others. Fou, who said he has stopped estimating ad fraud as a percentage, previously said 43 per cent of mobile display ad impressions were bogus.

Others have suggested about half of paid programmatic impressions are fake.

Call in the lawyers

Digital ad fraud litigation is not very common, but it does occur.

The US Justice Department brought a click fraud case against six Estonian nationals and one Russian national in 2011. There have been a handful of other criminal click fraud cases, such as one in 2017 against Fabio Gasperini.

There have also been a few notable civil cases. Google settled a click fraud claim by Lane’s Gifts and Collectibles in 2006 for $90m and in 2017 settled another click fraud case covering the 2004 through 2008 period for $22.5m. Last year, Uber sued ad biz Fetch alleging click fraud.

One reason for the scarcity of lawsuits, Fou and others have argued, is that there’s an industry incentive to maintain the status quo.

“This is because marketers want the fraud to continue,” Fou explained in an email to The Register. “If they cut out the fraud there will be less impressions to buy.”

Some marketers, at least.

“Certainly some buyers like cheap inventory and don’t care to ask too many questions,” said Ben Edelman, an associate professor at the Harvard Business School who has conducted many ad fraud investigations over the years, in an email to The Register.

“But that’s not typical. In my experience most advertisers care about results – they have products to sell, which requires finding real buyers, which requires quality advertising inventory that real people see and engage with. In my view, that’s as it should be.”

“There is no direct incentive from anyone in the industry, with the exception of marketers, to eradicate ad fraud,” observed Vidakovic. “That said, it’s hard to generalize the industry’s will in such a way.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/29/ad_fraud_bad/

NHS systems fell offline for 1,300+ hours over 36 months, cyber-nasties fingered – FoI study

NHS trusts across England experienced more than 1,300 hours of downtime in the last three years, according to results from Freedom of Information (FoI) requests.

Nearly a third of the trusts (25 out of 80) that responded to an FoI request from Intercity Technology admitted they had experienced outages across their IT systems between January 2015 and February 2018.

Of the 25 trusts that endured a digi-blackout, 14 did so as a result of a security breach. In total, the trusts experienced 18 security breaches over the last three years, causing 18 days of downtime.

These attacks included the infamous WannaCry ransomware outbreak in May 2017, while others fell victim to the Locky and Zepto malware, the most severe of which knocked systems offline for two weeks.

One trust alone experienced an average of one breach per year, while others referenced cyber attacks that affected servers, PCs and internal systems. Another trust suffered problems after an unauthorised device was plugged into a network. This disrupted the business of two wards last year, resulting in downtime of approximately two hours.

Five trusts took their systems offline as a precautionary measure, in response to the WannaCry attack.

Intercity Technology sent 143 NHS Trusts in England FoI requests in February 2017. Eighty responded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/28/nhs_downtime_troubles/

Startup bank Monzo: We warned Ticketmaster months ago of site fraud

Online bank Monzo said it warned Ticketmaster that something weird was going on in early April, two months before the ticket-slinging giant revealed its payment pages had been hacked.

Monzo detected an abnormal number of customers who had both bought tickets from Ticketmaster since December and had fraudulent activity on their cards, leading staff to believe the two were related. On April 12, Ticketmaster staff visited the startup bank’s offices to see the evidence, we learned on Thursday this week.

According to Monzo, 50 customers had complained on April 6 that someone had hijacked their bank cards and spent their money – and 35 of them, or 70 per cent – had used Ticketmaster.

“This seemed unusual, as overall only 0.8 per cent of all our customers had used Ticketmaster,” Natasha Vernier, Monzo’s head of financial crime, said. A week later, on April 19, Ticketmaster told the upstart bank that, in Vernier’s words, “an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”

Fast forward to June 27, this week, and Ticketmaster admitted hackers gained access to the personal details and sensitive payment card information of up to five percent of its customer base.

Miscreants were able to modify JavaScript code on Ticketmaster’s payments pages to siphon off people’s information over the course of several months until June 2018. We asked the ticket-touting biz when exactly it learned of the cyber-break-in, and why Monzo’s discoveries were not passed on to the public months ago. In response, Ticketmaster offered the following statement:

When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.

Indeed, Ticketmaster blamed third-party supplier Inbenta for the security cockup. US-based Inbenta developed and hosted code for Ticketmaster’s customer support site, as well as some JavaScript customized purely for Ticketmaster. According to Inbenta, this JavaScript was placed on the payments pages without Inbenta’s knowledge. This was a bad move because the code was not secure, and was abused by hackers to alter files on Inbenta’s servers, and ultimately snoop on ticket buyers.

According to an FAQ, the JavaScript was “a point of vulnerability that affects the capacity for web forms to upload files. It appears that the attacker used this vulnerability.”

“Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability,” Inbenta CEO Jordi Torras said in a statement.

We’re told crooks modified this script code, hosted on Inbenta’s servers, “to extract the payment information of Ticketmaster customers,” said Torras.

So, Inbenta was hacked to alter the JavaScript used on Ticketmaster’s site in order to steal sensitive data. Monzo said it spotted Ticketmaster-linked fraud in April. Ticketmaster had a rummage around, and found no signs of any hacking on its own systems. Then, by June, Ticketmaster said it had discovered Inbenta’s JavaScript code on its site had been hijacked to steal gig-goers’ payment information.

“The source of the data breach was a single piece of JavaScript code that was customized by Inbenta to meet Ticketmaster’s particular requirements,” said Torras. “This code is not part of any of Inbenta’s products or present in any of our other implementations. Ticketmaster directly applied the script to its payments page, without notifying our team.”
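The attack depended on a vendor-hosted script being silently modified while the page that embedded it kept loading it. Subresource Integrity (SRI) is the browser mechanism that pins a third-party script to a known hash so a tampered copy is refused. As an added example (not Ticketmaster's or Inbenta's code), the block below builds an `integrity` value and reproduces the browser's verification rule, including the detail that when several hashes are listed only the strongest algorithm counts; the script bodies are constructed stand-ins.

```python
import base64
import hashlib
import re

_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
_TOKEN = re.compile(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?")


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Value for <script src=... integrity="..." crossorigin="anonymous">."""
    digest = _ALGOS[algo](script).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_verify(script: bytes, integrity: str) -> bool:
    """Mimic the browser: parse every token, keep only the strongest
    algorithm present, and accept if any digest of that strength matches."""
    parsed = [(m.group(1), m.group(2)) for m in map(_TOKEN.fullmatch, integrity.split()) if m]
    if not parsed:
        return True  # no usable metadata: browsers load the script unchecked
    strongest = max(_STRENGTH[a] for a, _ in parsed)
    candidates = [(a, d) for a, d in parsed if _STRENGTH[a] == strongest]
    return any(sri_hash(script, a).split("-", 1)[1] == d for a, d in candidates)


# Constructed stand-in for a vendor-hosted support widget (not Inbenta's script).
ORIGINAL = b"window.support = { open: function () { /* chat widget */ } };"
# Constructed stand-in for the same file after an intruder appended code to it.
TAMPERED = ORIGINAL + b"\n/* extra code appended by an intruder */"
PINNED = sri_hash(ORIGINAL)  # what the page author would embed at deploy time


def page_would_run(script: bytes) -> bool:
    """True if a browser honouring the pinned integrity value would execute it."""
    return sri_verify(script, PINNED)


if __name__ == "__main__":
    print(PINNED)
    print("original loads:", page_would_run(ORIGINAL))
    print("tampered loads:", page_would_run(TAMPERED))
```

SRI only helps for a script whose content is fixed at the time the page is published and that is served with CORS headers; a vendor script that changes on the vendor's side will then fail to load, which is the point, but it means every legitimate update needs a redeploy of the embedding page.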

Impact

UK customers who bought, or tried to buy, a ticket from Ticketmaster between February and June 23 this year, and international customers who flashed the plastic from September 2017 to earlier this week, were at risk. As many as 40,000 Brits had their details slurped.

If Monzo’s warnings had been fully followed up, fewer customers would have been impacted, said Tony Pepper, chief exec of data security outfit Egress.

“There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it,” Pepper said.

“Clearly data was at risk for some time and apparently, Ticketmaster had been alerted to the issue but didn’t heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR.”

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, commented: “Hackers have, for years, used vulnerabilities in websites and other connected applications as a point of breach. Once through, it is only a hop, skip and jump into databases, web servers and other crucial infrastructure. It looks like that is exactly what has happened to Ticketmaster – and it’s the customers who pay.”

Ticketmaster responded to the intrusion by contacting those who may have had their info swiped by miscreants, and offering a free 12-month identity monitoring service. The malicious JavaScript code snatched Ticketmaster’s customer names, addresses, email addresses, telephone numbers, payment details, and login credentials. Affected users are being advised to change their passwords.

The Ticketmaster cyber-break-in is the first major computer security breach since Europe’s GDPR came into effect on May 25, so close attention will be paid to whether Ticketmaster complied with the regulation relating to breach notification and adequate security. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/28/ticketmaster_monzo_inbenta/

Et tu, Gentoo? Horrible gits meddle with Linux distro’s GitHub code

If you have fetched anything from Gentoo’s GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project’s data.

The Linux distro’s officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.

Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project’s ‘hub org account.

“Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there,” Gentoo dev Alec Warner said in a bulletin.

“We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised.”

If there is some good news to be had, it’s that Gentoo does not believe the master copies of its code were tampered with – Gentoo keeps master builds separate from its GitHub-hosted wares on servers that were not hacked. Thus, penguinistas should be able to get clean copies of software without much problem via the Gentoo.org website.

“Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org,” Warner said.

“Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.”

The alert does not reveal who may have tampered with the code, how they were able to do it, or how long they were able to do it without being caught. Understandably, Gentoo is a bit light on the details as it works out the situation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/28/gentoo_linux_github_hacked/

How polite: Fun-bucks coin miners graciously ease off CPU pounding

Cryptocurrency-mining malware writers are dialing back their use of your compute cycles in order to avoid detection.

This is according to Johannes Ullrich, head of research at SANS, who today pointed out that malicious mining apps are scaling down activity and employing built-in encryption to make them harder for antivirus packages to detect.

“The latest cryptocoin miners I have seen try to make it a bit more difficult to detect them by being less greedy and not asking for all the CPU cycles at once,” Ullrich said.

“They also take better advantage of some newer CPU features like AES support.”

Ullrich spoke out after a fresh strain of malware was found to be using a remote-code execution exploit for a vulnerability in Apache Struts. The payload included a particularly nasty bit of code that takes over the host server to mine crypto-coins for a wallet controlled by the attacker.

As Ullrich noted, crypto-coin-crafting malware is nothing new. Criminals have for years been hijacking the CPUs of unsuspecting users to generate virtual dosh for themselves. One of the dead giveaways of the malware is the high processor use that gets reported when the software nasty ratchets up its operations.

This particular coin-mining malware, however, is noteworthy for its limits on CPU activity, restraining itself to only access half of the threads available on the host processors.

As a result, Ullrich said, the malware attempts to make itself less visible on the host machine. But apparently the effort was not good enough, as the security wonk was less than impressed with the code.

“I really wish that attackers would actually come up with a new scheme to make money so life will be more interesting,” he mused.

“But then again, sometimes it is nice if security is a bit boring and not too exciting.”

At this point we ought to wheel out the standard security warnings: run up-to-date antivirus software on your machine, keep up with all patches, and don’t open any attachments from unsolicited or otherwise suspicious email, lest you find yourself unwittingly mining fun bucks for a crook. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/29/coin_miners_cpu_throttling/

Botnets Evolving to Mobile Devices

Millions of mobile devices are now making requests in what’s described as “an attack on the economy.”

Botnets have tended to hide in the nooks and crevices of servers and endpoint devices. Now a growing number are hiding in the palms of users’ hands. That’s one of the conclusions of a new report detailing the evolving state of malicious bots.

“Mobile Bots: The Next Evolution of Bad Bots” examined requests from 100 million mobile devices on the Distil network from six major cellular carriers during a 45-day period. The company found that 5.8% of those devices hosted bots used to attack websites and apps – which works out to 5.8 million devices humming away with activity that their owners know nothing about.

“The volume was a surprise,” says Edward Roberts, senior director of product marketing at Distil Networks. The research team even took another sampling run to verify the number, he says. In all, “One in 17 network requests was a bad bot request,” Roberts says.

Another significant step in the evolution of these bots is their use. The “traditional” use of botnets is as an engine for distributed denial-of-service (DDoS) attacks or spam campaigns. These mobile bots, though, seem to be focused on a different sort of attack.

“It’s an attack on the economy,” Roberts says, describing the activity in which bots repeatedly scrape prices from a retail site so that a competitor can constantly match or undercut the price.

Another activity for these mobile bots is hunting through brand loyalty sites looking for login information so that premium products or “points” can be harvested for the botnet owner. A side effect of this type of activity is much lower traffic volume than that often seen in bot-infected devices.

“We only see an average of 50 requests a day from these devices,” Roberts says. “The activity is low and slow and highly targeted.” In this targeted activity, the nature of a cellular-connected device comes into play, as the IP address will change every time the device moves from one cell to another.

The one thing that hasn’t evolved is the way in which the devices become infected. Tried-and-true infection mechanisms, including malicious file attachments in email, infected files behind website links, and drive-by infections that use redirected links, are all commonly found. As with desktop and laptop computers, the researchers recommend anti-malware software and user education as primary defenses against infection and botnet recruitment.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/mobile/botnets-evolving-to-mobile-devices/d/d-id/1332182?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple