STE WILLIAMS

Critical DoS messaging flaw fixed in December Android update

For anyone lucky enough to get them, Android’s December 2019 updates arrived this week, patching a small list of system and Qualcomm flaws across the operating system’s two patch levels.

In Google’s estimation, at the top of the urgent list on the 2019-12-01 patch level (see below for explanation) is CVE-2019-2232, a critical flaw affecting Android versions 8.0, 8.1, 9, and 10.

This, Google said, could allow an attacker to cause a “permanent” denial of service by sending users a specially crafted message. The company doesn’t qualify what it means by this alarming description, and there is no indication it’s being exploited, but users won’t want to find out the hard way.

Overall, the update fixes 15 CVEs (2019-12-01) and 5 CVEs (2019-12-05), with another 22 patching Qualcomm components.

Patch level 2019-12-01

This level affects most third-party handsets – those not made by Google. If the patch level on your phone uses the ‘01’ date beside the month, that means you’re getting the security updates up to and including that date, which is to say all the essential ones.

Three fixes on this level are listed as critical, but for two of these – CVE-2019-2222 and CVE-2019-2223 – the rating applies only to versions 8.0, 8.1, and 9. On Android 10, that drops to ‘high’. That could be because 10 has extra mitigations or because it uses Project Mainline, through which some critical updates are applied more quickly via Google Play.

One recently disclosed flaw that was quietly fixed some time ago via the Play store is the hijacking flaw affecting Google’s camera app.

Patch level 2019-12-05

If your device specifies this date, you’re getting everything in 2019-12-01 plus the additional five CVEs and the Qualcomm stuff. However, arguably, the real difference between these two levels isn’t the updates on offer, but when they become available. For 05, that should be from this week – for 01, it could be weeks or months.

You can find out by checking Settings > About phone > Android security patch level.

On Android 9, this changes to Settings > System > Advanced > System updates.

Note that individual manufacturers add their own updates to Google’s. For example, for Samsung, this month’s crop is outlined on its security update site.

Having different patch levels plus separate Qualcomm and vendor patches is confusing for users. That’s one reason why Google recently started looking into overhauling how Android uses the Linux kernel that sits at its heart, to make things simpler, easier and cheaper for all concerned.

Goodbye Pixels

If you own a 2016 Google Pixel or Pixel XL, this month’s update will be the final one that those devices receive, extending their patched life by a month longer than was originally promised.

For more on the support period for other Google devices, see the table on this support page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Z6rqHUlLVrM/

Machine-raiding Python libraries squashed by community

Python developers have once again fallen victim to malicious software libraries lurking in their favourite package manager. The Python security team deleted two software imposters that mimicked packages commonly used in Python programs.

Much of Python’s success stems from its rich development community, which produces hundreds of modules or packages that help developers with basic tasks. One of the most well-known of these communities is the Python Package Index (PyPI). Developers can install and use other people’s packages in their own programs using a simple command (pip install) followed by the package’s name.

One popular package is dateutil, which extends Python’s already powerful date and time manipulation capabilities. You install this using pip install python-dateutil.

Because there are so many of these packages, it’s possible for someone to slip imposters into the package manager under the radar. An attacker did just this with a rogue package called python3-dateutil.

Note the additional 3 in that name. That’s significant because the Python community is currently making a mass change from version two of the programming language to version three. It’s no surprise to see a package include Python3 in its name, which is what the attacker was banking on.

The fake version contained yet another imposter package, this time impersonating jellyfish, which is a Python library for matching strings of text. The attacker’s version used an old-school phishing trick, replacing a letter with another that looks similar. In this case, it replaced the first lowercase l with a capital I.

Lukas Martini, a contributor to the real dateutil package on GitHub, raised the alarm earlier this week. He analysed the code and found it snooping in the victim’s home directory and others, looking for sensitive files including keys used for SSH access and GPG encryption.

He reported the issue to the Python security team, which removed the packages on the same day. The offensive code also used a shortened link to call out to a repository on alternative code hosting site GitLab, which to its credit also took down the code from the malicious user on its site.

Python developers worried about their dateutil installations can use the command pip freeze to list everything they have installed from PyPI. If their version of the package shows up as python-dateutil, they’re okay. If they see python3-dateutil, they should uninstall it immediately and check their home, documents, downloads, and PycharmProjects folders for sensitive files that may now be in the attacker’s possession.
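The pip freeze check above can be automated. The following is an added example, not code from the article or from the dateutil project: it parses pip freeze output and flags names that imitate a trusted package either by sticking a version marker onto the name (python3-dateutil for python-dateutil) or by swapping in a look-alike character (a capital I for a lowercase l in jellyfish). The trusted-name set and the sample freeze output are constructed for the demonstration.

```python
"""Flag look-alike package names in `pip freeze` output.

Added example, not from the article or the dateutil project. Two tricks are
covered: a version marker glued onto a real name (python3-dateutil) and a
homoglyph swap (jeIlyfish, with a capital I where the first l should be).
"""
import re

# Names we expect to see installed; extend this for your own environment.
TRUSTED = {"python-dateutil", "jellyfish", "requests", "six"}

# Characters that pass for a lowercase l or o in common fonts. Folding them
# onto the letter they imitate makes "jeIlyfish" compare equal to "jellyfish".
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Constructed sample of `pip freeze` output containing the two imposters.
FREEZE_SAMPLE = """\
# constructed sample, not real output
python3-dateutil==2.8.1
jeIlyfish==0.7.1
requests==2.22.0
six==1.13.0
"""


def fold(name):
    """Normalise a distribution name: fold confusables, lower-case, and treat
    '_' and '.' as '-', which is how pip compares names."""
    folded = name.translate(CONFUSABLES).lower()
    return re.sub(r"[-_.]+", "-", folded)


def strip_version_marker(name):
    """Drop a '2'/'3' stuck onto a 'python' prefix: python3-dateutil -> python-dateutil."""
    return re.sub(r"^python[23](?=-)", "python", name)


def parse_freeze(text):
    """Return the distribution names from `pip freeze` output (name==version lines)."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-e ")):
            continue
        names.append(re.split(r"[=<>!~ @]", line, 1)[0])
    return names


def suspicious(installed, trusted=TRUSTED):
    """Map each suspicious installed name to the trusted name it imitates.

    A name is suspicious when it is not itself trusted but, after folding
    confusables and removing a version marker, it equals a trusted name.
    """
    trusted_folded = {fold(t): t for t in trusted}
    hits = {}
    for name in installed:
        if name in trusted:
            continue
        candidate = strip_version_marker(fold(name))
        if candidate in trusted_folded:
            hits[name] = trusted_folded[candidate]
    return hits


if __name__ == "__main__":
    # Run against the live environment instead of the constructed sample.
    import subprocess
    import sys
    out = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                         capture_output=True, text=True, check=True).stdout
    for bad, good in suspicious(parse_freeze(out)).items():
        print(f"SUSPICIOUS: {bad} looks like {good}")
```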

Malicious attacks on open-source repositories aren’t new. One exploit discovered in October 2018 buried crypto mining code under the hood. In 2017, ten packages were found to contain malicious code, again using typosquatting to fool developers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/84sg5-2L6eI/

iCloud-hacking politician to be sentenced on Christmas eve

Dutch police have turned up yet another iCloud-hacking Celebgate drooler/crook/nudie-stealing/doxing creep who decided to use women’s privacy as his personal doormat. This time around, it’s a politician, and he’s no longer on the city council: instead, he’s looking at up to three years in prison.

Make that a wannabe politician: Mitchel Van der K, a copywriter who was running for city council (and who had been voted in) in the Dutch town of Almere, withdrew from politics after an investigation led to his iCloud password-cracking escapades. His problems began after he leaked nude images and a sex tape from Dutch vlogger star Laura Ponticorvo in March 2017 – a leak that sparked both media attention and an investigation.

According to prosecutors, the extent of Van der K’s data theft is “unprecedented.” He invaded hundreds of accounts, “frequently and repeatedly” violating his victims’ privacy. The prosecutor’s office cited victims’ statements such as these:

It feels like someone has broken into me.

It feels like a digital assault.

I feel dirty and I feel watched.

I also have a private life and I am very careful with that.

A month after Dutch investigators tracked him down, raided his home, and arrested him, Van der K was publicly outed by the famous Dutch crime journalist, television presenter, and former police officer John van den Heuvel.

On Tuesday, the public prosecutor of the North Holland Public Prosecution Service asked that Van der K – a member of the VVD political party in the Netherlands – be sentenced to three years in prison for hacking into the cloud storage accounts of both celebrities and people he actually knows.

The content he stole from his victims’ iCloud accounts included financial data such as insurance documents, family photos, and, of course, the material that so many crooks have been groping for in the multiyear crime spree that is Celebgate – nude photos and videos.

Besides Ponticorvo, Van der K’s local victims included another celeb: Dutch field hockey star Fatima Moreira de Melo.

Where’s the “allegedly”?

No need to couch this in “the accused is innocent until proven guilty” language, because Van der K straight-up admits that he frequently hacked – or tried to hack – iCloud accounts.

Van der K claims that he did so because he was being extorted. His story goes like this: he was forced to hack women’s personal accounts and steal their personal data because some other, mysterious, unknown extortionist was threatening to reveal revealing footage of him.

The public prosecutor’s response: Seriously? That makes no sense. Most of the victims – more than half – were non-celebs. They were women Van der K knew from work or his personal life. Why would somebody force Van der K to go after the intimate photos of women whom (relatively) nobody knows? From a translation of the prosecutor’s public statement:

Why an unknown extortioner would have forced the suspect to browse their accounts for photos and videos, I completely miss.

They just can’t stop mugging women

The first wave of celebs who suffered this kind of hacking and nudie larceny came in 2014 with Celebgate 1.0. In v1, thieves and many equally scumbaggy photo-sharers trampled over the privacy of Jennifer Lawrence, Kate Upton, Kirsten Dunst, Selena Gomez, Kim Kardashian, Vanessa Hudgens, Lea Michele, Winona Ryder, and Hilary Duff, among dozens of other women celebrities.

In 2017, we got another sad sequel in Celebgate 2.0, starring the victimized celebs Emma Watson and Amanda Seyfried, among others … followed a few months later by Celebgate 3.0, in which photos were gang-grabbed from Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods, Lindsey Vonn and Katharine McPhee.

Here’s wishing his victims a nice Christmas gift

According to the prosecution, the Dutch court is expected to rule on Van der K’s case on 24 December – as in, Christmas eve.

Culprits can’t seem to get it through their skulls that they might get caught, thanks to investigators’ skill at tracking them down. We’ve seen a slew of them get busted and sentenced.

We’ve also seen their methods revealed. One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.

These guys’ pawing was persistent: the IP address of one of the Celebgate convicts, Emilio Herrera, was used to access about 572 unique iCloud accounts. Herrera, who was sentenced to eight months in prison, went after some of those accounts numerous times: in total, he tried to access 572 iCloud accounts 3,263 times. Prosecutors said that he also tried to reset 1,987 unique iCloud account passwords approximately 4,980 times.

Some of them used a password breaker tool to crack accounts: a tool that doesn’t require special tech skills to use. In fact, anybody can purchase one of them online and use it to download a victim’s iCloud account if they know his or her login credentials.

To get those credentials, crooks break into a target’s iCloud account by phishing, be it by email, text message or iMessage…

What to do

…All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.

Anybody who owns an email account and a body they don’t want to see parading around the internet without their permission should be on the lookout, though telling the difference between legitimate and illegitimate messages can be tough.

Here are some ways to keep your private images from winding up in the thieves’ sweaty palms:

  • Don’t click on links in email and thus get your login credentials phished away. If you really think your ISP, for example, might be trying to contact you, instead of clicking on the email link, get in touch by typing in the URL for its website and contacting it via a phone number or email you find there.
  • Use strong passwords.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example).
  • Don’t friend people you haven’t met on Facebook, and don’t share photos with people you don’t know and trust. For that matter, be careful of those who you consider your “friends”. One example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the scumbags need to figure out every time they try to phish you.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s-5lDDIutIw/

Cookie-stealing malware wants to know your Facebook ad budget

Thanks to Simon Porter of SophosLabs for his help with this article.

Ransomware still hogs the “malware attack” headlines these days, for obvious reasons.

But there are still plenty of other malware families out there to worry you, including some that go after data you probably never thought crooks would care about.

For example, just under 18 months ago, our researchers looked into a malware strain they dubbed AdKoob (koob is book backwards), which featured code that tried to sneak into your Facebook account to peek at how you were spending your online ad money.

As curious as this sounds, don’t forget that:

  • Any data-grabbing malware means you have suffered a breach. If any of that data relates to your customers, you’re left with a lot of explaining to do, including, “What else did these guys do while they were inside?”
  • Operational data about your business has value to the crooks. That data can be used or sold on for use in further attacks, giving the crooks an intimate and believable pretext to contact you or your customers in future.
  • This might be the tip of the iceberg. If the same stolen password or credentials could also be used to buy ads, to read your Facebook contacts, or to mess up your online presence, then looking at your ad data might merely be a test for whether to press on with the attack.

Well, AdKoob variants have made a return in recent weeks, so the crooks still seem to have a use for them.

We wrote up a detailed analysis of its behaviour back in 2018, and while a lot of the malware code looks the same, some of the details have changed, including what you’ll see if you receive one of these files.

Most of the samples pretend to be PDF-related, and launch an installer with a name like pdfreader2019 Setup that, unsurprisingly, installs an app called pdfreader2019.

Note that this malware triggers a User Account Control (UAC) prompt that asks you to “allow this app to access your device.”

That’s shorthand for “this software wants to access parts of your system that aren’t strictly necessary to install a vanilla app, so you need to give it permission to perform actions that would normally need an Administrator login.”

Malware that doesn’t trigger a UAC pop-up is dangerous enough on its own – typically, it can read and modify all your files right away – but malware that gets “access your device” powers can do much more, including installing background services that keep running even after you log out, and spying on other users as well as on you.

In other words, the absence of a UAC prompt doesn’t mean that you aren’t dealing with malware…

…but the presence of a UAC warning means that if what you are installing turns out to be malware, you just made a bad thing much worse.

Many of the recent samples are digitally signed to give them a veneer of authenticity. (We’ve blanked out the names of the companies that own the certificates used for signing – we don’t want to suggest that they were directly involved in creating these malware executables.)

Sadly, digital certificates for signing Windows EXE files aren’t terribly difficult for crooks to acquire, so in this case, as the old joke goes, the certificates aren’t worth the paper they’re not printed on.

There are several approaches the crooks can take to get their hands on digital certificates in other people’s names, such as:

  • Steal a certificate by hacking into a company server. Like Bitcoin wallets and customer databases, code signing certificates are just computer files that can be copied.
  • Find a certificate that was accidentally included in a public software upload. Many software repositories, such as GitHub, now scan through uploads to look for files that should have been excluded, but it’s easy for a careless developer to upload more than was intended.
  • Pretend to represent a company and buy a certificate in its name. Crooks can look through company registration websites to find small businesses whose names they can assume, and then talk a certificate issuer into believing they are the technical contact for the business.

As we mentioned above, one of the tricks up this malware’s sleeve is to dig into your browser’s database of cookies to look for authentication tokens – basically, short-term web passwords – that can be used to do Facebook lookups to reveal your ad spending.

Quite what the crooks do with this information, we can’t tell you – for all we know, the ad-spend lookup might merely be a way of verifying that the authentication token is valid, ready for worse to come later on.

However, and intriguingly, what we do know is that some of the samples of this malware were signed with a certificate that appeared to belong to a company associated with adware.

Indeed, that certificate had also been used to sign adware.

Adware isn’t strictly malware, but most people want to keep it off their computers anyway, because it goes out of its way to foist ads on them that they don’t want, and to track the sort of ads they’re seeing from other sources.

You can imagine how a company like that might be very interested indeed in sniffing out what ad money you are spending, and what you’re spending it on.

What to do?

  • Watch out for emails or websites that urge you to install “a new document reader or video viewer” to display their content. If you genuinely need new software to view a file you’ve just received, do your own search and make your own choice of which app to install. Never install apps just because someone else told you to.
  • Be suspicious if apps pop up User Account Control warnings asking for powers you don’t think they need. Malware is dangerous enough without “access your device” powers, so don’t make things even easier for the crooks by inviting them in as Administrators.
  • Log out of websites and online services when you aren’t using them. Malware can’t steal authentication tokens that aren’t there, so don’t make it easier for the crooks by leaving login tokens around when they aren’t needed.
  • Guard your cryptographic signing certificates. If you’re a developer and you let your code signing certificates fall into the hands of crooks, you’ve become part of the problem, not the solution.
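A check that serves the second route listed earlier (a certificate accidentally included in a public upload) and the last bullet above (guarding your signing certificates): the script below is an added example, not from the article or SophosLabs, and walks a source tree before it is pushed, flagging PKCS#12 bundles (.pfx/.p12) and PEM private keys. The extension list, PEM markers and the sample tree built by demo() are constructed for the demonstration.

```python
"""Pre-upload scan for code-signing keys and certificate bundles in a source tree.

Added example, not from the article or SophosLabs. It flags files by
extension (.pfx/.p12 PKCS#12 bundles, .key/.pem/.snk) and by PEM private-key
markers found in the first few KB of any file, regardless of its name.
"""
import os
import shutil
import tempfile

KEY_EXTENSIONS = {".pfx", ".p12", ".key", ".pem", ".snk"}
PEM_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----",
)
# Directories that are not part of the upload or are too noisy to scan.
SKIP_DIRS = {".git", "node_modules", "venv", ".venv"}


def classify(path):
    """Return a reason string if the file looks like signing material, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    # PKCS#12 files are DER and start with an ASN.1 SEQUENCE tag (0x30);
    # combined with the extension that is a strong hint of a cert + key bundle.
    if ext in {".pfx", ".p12"} and head[:1] == b"\x30":
        return "PKCS#12 bundle"
    for marker in PEM_MARKERS:
        if marker in head:
            return "PEM private key"
    if ext in KEY_EXTENSIONS:
        return "key/certificate file extension"
    return None


def scan(root):
    """Walk `root` and return {relative_path: reason} for suspicious files."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reason
    return findings


def demo():
    """Build a constructed sample tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp()
    files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        # Constructed bytes with a DER SEQUENCE header; not a real bundle.
        "build/release.pfx": b"\x30\x82\x0a\x00constructed-not-a-real-bundle",
        "config/deploy_key": b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
        # A public certificate alone is not a secret and should not be flagged.
        "certs/public.crt": b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n",
        # Inside .git, so it must be skipped by the walk.
        ".git/objects/ab/cd": b"-----BEGIN RSA PRIVATE KEY-----\n",
    }
    try:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in sorted(scan(target).items()):
        print(f"{reason}: {rel}")
```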

The good news is that this malware isn’t likely to get onto your computer without your help, so be conservative about the apps you install!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BMsSHs9eEAA/

S2 Ep19: One of us just prevented a ransomware attack – Naked Security Podcast

This week Peter Mackenzie shares a happy ransomware story where he saved a casino from attack. We also discuss the children’s smartwatch that leaks sensitive location data and HPE’s warning of impending SSD disk doom.

Host Anna Brading is joined by Peter Mackenzie, Paul Ducklin and Mark Stockley.

Listen below, or wherever you get your podcasts – just search for Naked Security.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BD7DOxGIIMo/

How to fool infosec wonks into pinning a cyber attack on China, Russia, Iran, whomever

Black Hat Europe: Faking digital evidence during a cyber attack – planting a false flag – is simple if you know how, as noted infosec veteran Jake Williams told London’s Black Hat Europe conference.

Speaking to a packed room, Williams informed his rapt audience that it’s straightforward to misdirect investigators trying to attribute a cyber attack to a particular location or nation state.

Rather than telling the world how to do bad things, however, the point of his talk – which he made with some force at the outset – was to inform investigators and defenders alike that common attribution go-tos can be manipulated to deceive. It’s no good confidently telling people that X was a Chinese hack if crafty black hats from elsewhere are leaving a false trail intended to trick you into saying that.

“Policy and corporate leadership don’t understand how easy it is to fake digital evidence,” Williams said. The key is making sure you leave a trail of breadcrumbs that are detected by your target and then lead investigators in the right (wrong) direction.

“Know what your target has available,” continued the one-time US Army veteran and SANS instructor. “I don’t want to create false flag artefacts that my target can’t see. What can your target see? If they can’t see it, it doesn’t matter if you falsify that evidence.”

Black hat, black hat, o wherefore art thou at?

The simplest of all the fake breadcrumbs is the origin of the attacker’s traffic. Referring to now-defunct threat intel firm Norse Corp’s rather dubious “DDoS attack map” from 2015 which showed the points from whence cyber attackers were launching their attacks (“100 per cent was done by IP,” sniffed Williams), the infosec consultant said it was trivially easy to rent infrastructure in countries known for harbouring purveyors of online badness.

“I can buy infrastructure in Iran very easily, it turns out,” he said. “That’s not 26 servers; that’s 26 different VPS providers that, with a credit card or Bitcoin, I can go ahead and buy servers in Iran that I can send traffic through. It’s going to be awesome!”

Next easiest is modifying one’s browser settings to mimic those of a lazy attacker in one of a number of known bad countries. You don’t need in-depth knowledge to do this, either.

“About:config in Firefox,” said Williams. “Changing the accept-language header can confuse savvy investigators. I can look at IP addresses ostensibly out of the US but set to accept-language Chinese,” he continued, adding that changing the browser’s user-agent string works in much the same way. If the people you’re trying to plant the false flag on are known for using a particular browser or specific build, just copy theirs!

Yup, PowerShell’s in there too

Pointing out how Kaspersky had spotted in last year’s Olympic Destroyer malware attacks that the malicious software probably wasn’t written by North Korea, as everyone else had concluded, Williams observed “that the rich header data had been modified, intentionally, taking Russian malware… they had replaced the rich header with a known North Korean rich header.”

Although Olympic Destroyer’s data-destroying function was a copy of one of the North Korean Lazarus Group’s tools, metadata from the rich header pointed to the whole malware package having been written using Visual Studio 10.

PowerShell, long known as a favourite of malicious folk, can also be a useful tool in laying a trail of false breadcrumbs. Williams said you can move PowerShell transcripts from one machine to another – say, from an attacker’s box to a target server. Being a text log of all PowerShell commands and outputs during a session, these transcripts can be useful information for investigators… and those looking to deceive them.

“We’ve done that,” said Williams, referring to a red-team exercise, “and [blue-team investigators] took it for granted that the PowerShell transcript must have been created by an attacker. We used some of these techniques and I can tell you first hand, they work.”

In a similar vein, “typed URLs” can be made to serve the same purpose of misdirection. By looking up the wordwheelquery Windows registry key, one can view Windows Explorer-typed search queries. “Poisoning it from the command prompt would suggest [remote desktop protocol] or console access,” suggested Williams.

Be on your guard and cross-reference your attribution attempts carefully against all the data points you have. You never know who’s trying to fool you. ®
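One way to act on that closing advice is to make the cheap artefacts check each other. The script below is an added example, not from Williams’ talk or The Register: for each constructed web-server log record it compares the source IP’s country with the Accept-Language header, and it also reports a browser fingerprint (User-Agent plus language) that turns up from IPs in more than one country, the pattern rented infrastructure leaves. The log format, the IP-to-country table and the language-to-country table are all constructed assumptions; a real check would consult a GeoIP database.

```python
"""Cross-check forgeable attribution artefacts against each other.

Added example, not from the talk or the article. Each constructed log record
carries three artefacts an investigator might lean on: the source IP (mapped
to a country), the Accept-Language header and the User-Agent. Any one of them
is cheap to fake, so the check reports where they disagree.
"""
import re

# Constructed IP-to-country table standing in for a GeoIP lookup.
GEOIP = {"203.0.113.7": "CN", "198.51.100.22": "US",
         "192.0.2.9": "IR", "203.0.113.50": "CN"}

# Countries where each primary language subtag is the everyday default.
LANG_COUNTRIES = {
    "zh": {"CN", "TW", "HK", "SG"},
    "en": {"US", "GB", "AU", "CA", "IE", "NZ"},
    "fa": {"IR"},
    "ru": {"RU"},
    "ko": {"KP", "KR"},
}

# Constructed log format: ip "METHOD path proto" status bytes "User-Agent" "Accept-Language"
LOG_RE = re.compile(
    r'(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<ua>[^"]*)" "(?P<accept_language>[^"]*)"'
)

FF70 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
LOG_SAMPLE = [
    f'203.0.113.7 "GET /login HTTP/1.1" 200 512 "{FF70}" "zh-CN,zh;q=0.9"',
    f'198.51.100.22 "GET /admin HTTP/1.1" 403 0 "{FF70}" "zh-CN,zh;q=0.9"',
    '192.0.2.9 "POST /api HTTP/1.1" 200 88 "Mozilla/5.0 (X11; Linux x86_64) Chrome/78.0" "en-US,en;q=0.8"',
    '203.0.113.50 "GET /export HTTP/1.1" 200 9001 "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0" "zh-CN"',
]


def primary_language(header):
    """'zh-CN,zh;q=0.9' -> 'zh': first entry, language subtag only."""
    first = header.split(",")[0].split(";")[0].strip()
    return first.split("-")[0].lower() if first else ""


def parse(line):
    """Parse one log line into a dict with ip, country, ua and lang, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["country"] = GEOIP.get(rec["ip"], "??")
    rec["lang"] = primary_language(rec["accept_language"])
    return rec


def assess(lines):
    """Return per-record language/country mismatches and fingerprints seen
    from more than one country."""
    records = [r for r in map(parse, lines) if r]
    mismatches = []
    by_fingerprint = {}
    for r in records:
        expected = LANG_COUNTRIES.get(r["lang"], set())
        # Only judge languages we have a table entry for; an unknown
        # language says nothing either way.
        if expected and r["country"] not in expected:
            mismatches.append((r["ip"], r["country"], r["lang"]))
        by_fingerprint.setdefault((r["ua"], r["lang"]), set()).add(r["country"])
    hopping = {fp: sorted(c) for fp, c in by_fingerprint.items() if len(c) > 1}
    return {"mismatches": mismatches, "multi_country_fingerprints": hopping}


if __name__ == "__main__":
    result = assess(LOG_SAMPLE)
    for ip, country, lang in result["mismatches"]:
        print(f"language/geo disagree: {ip} in {country} but Accept-Language {lang}")
    for (ua, lang), countries in result["multi_country_fingerprints"].items():
        print(f"same fingerprint from {countries}: {ua} / {lang}")
```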


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/05/fooling_attribution_breadcrumbs/

Feds slap $5m bounty on ‘Evil Corp’ Russian duo accused of running ZeuS, Dridex banking trojans

US prosecutors have slapped a $5m bounty on the heads of two Russian nationals they claim are part of the malware gang behind the banking trojans ZeuS and Dridex.

The crew, nicknamed “Evil Corp” by the Americans in a press conference today, was named and shamed with the help of Britain’s National Crime Agency (NCA) and GCHQ offshoot the National Cyber Security Centre (NCSC).

“Maksim Yakubets, aged 32, from Moscow, is charged in relation to two separate international computer hacking and bank fraud schemes, spanning from May 2009 to the present,” the NCA said in a press release issued this afternoon.

He is charged alongside 38-year-old Igor Turashev, allegedly Yakubets’ sysadmin and controller of the Dridex malware.

Dridex was largely taken down by America’s Federal Bureau of Investigation in 2015. ZeuS was its predecessor. Both strains were used by cybercriminals to harvest banking login details and empty innocent victims’ bank accounts, whether those accounts belonged to individuals, businesses or even banks themselves.

“If Yakubets, who used the online moniker ‘Aqua’, ever leaves the safety of Russia he will be arrested and extradited to the US,” thundered the NCA today, expressing the hope that other cybercrims will now find him “toxic” to deal with.

NCA chief exec Lynne Owens said in a canned statement: “It is our assessment that Maksim Yakubets and Evil Corp – the cybercrime group he controls – represent the most significant cybercrime threat to the UK.”

Yakubets is said to have “employed dozens of people” to run his operations from the basements of Moscow cafés.

American prosecutor Brian Benczkowski said today: “Because many of the victims are small and medium enterprises, their accounts typically don’t have the same legal protections afforded to consumer accounts. Some of the losses involved were particularly devastating. They did not discriminate in their choice of targets.” He also alleged that among other individuals and corporate entities, the Russian duo had targeted a US-based order of Franciscan nuns.

Rob Jones, director of the NCA’s cybercrime unit, told the US-based press conference that the operation to identify Yakubets and Turashev “goes back many years”, hinting that British police agencies and the NCSC had been actively trying to “degrade the threat posed by the organisation”.

“We estimate 300 organisations in 43 countries were affected in these attacks and that’s an underestimate,” said Jones, adding that “tens of millions of pounds” had been “stolen”.

Jones said that British investigators on the trail of the Evil Corp gang had pieced together their identities bit by bit over “many years”, meticulously piecing together “a trail of breadcrumbs that leads you back to real-world identities”, adding: “That shows these people have made significant mistakes online.”

Not wasting the opportunity of having British and American news media hanging off his every word, Jones also appeared to have a pop at apparent criticism from within the British police establishment directed at his unit.

“A fundamental point around cybercrime: many will say, as colleagues have already pointed out, you’re wasting your time trying to arrest people, deliver evidence. That is plain wrong. We will extend our reach, we have a long memory, we will relentlessly pursue individuals online.”

Both men live in Russia. An American confirmed in this afternoon’s press conference that the Russian authorities had co-operated with a mutual legal assistance treaty request but refused to give details. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/05/evil_corp_russian_bounty_doj/

Scammy and spammy harassers are chasing veteran pros off crypto-collab platform Keybase

Collaboration site Keybase, once touted for its encrypted meetup channels and robust developer features, is struggling to ward off an epidemic of harassment and spam brought about by its shift toward cryptocurrency.

Longtime users of the site who spoke with The Register have complained that Keybase, a multi-platform secure messaging and meeting service, has recently become inundated with bad actors and scammers who are bombarding them with unwanted messages, and there is no way to turn it off.

Launched in 2014, Keybase was soon enough pushed as a sort of secure, more capable version of collaboration tools like Slack.

“Slack is mainly for chat, so for a primary use case inside one company the chat is a little nicer I think,” said Adam Alexander, a principal developer at Salesforce and longtime user.

“But Keybase gives you more guarantees especially when collaborating with customers or other outside partners. And Slack doesn’t have anything like Keybase’s file sharing and git repo sharing.”

The encrypted communication, combined with file-sharing and support for GitHub, earned Keybase a devoted following, particularly with developers, security professionals, and other highly technical users.

However, things began to change. The cryptographic-centric Keybase threw its lot in with the other “crypto”, teaming up with cryptocurrency Stellar to begin a series of free “drops” where the coins were distributed into users’ wallets.

This, veteran users say, attracted a new type of crowd solely interested in cashing in on the currency.

Uptick in spam

“Cryptocurrency people tend to be just really scammy ‘get rich quick’ types. They’re not much different than the multi-level-marketing people of the ‘real’ world,” explains Noid, a hacker and Keybase user who has extensively chronicled the issue and its underlying causes.

“There was a huge uptick in spam, unsolicited messages, etc. right after the last round of Stellar coins being seeded out to those who are in the program.”

Making matters even worse was a policy in Keybase that, depending on your viewpoint, was either a handy feature or a glaring shortcoming. Users cannot opt out of receiving a message from a follower or being added to a conversation.


This meant that any user could connect with, then message, anyone else on the site, or add them to a group chat. The result was a flood of unsolicited, unwanted communications from the new crop.

“It’s always something like ‘what’s up?’ or ‘hello’, or ‘I see you are interested in something’,” said developer Bert Reeger. “The users follow me, and leave a bunch of messages behind in the interface, notify me on my phone/watch/computer and it is something I have to deal with.

“Unfortunately there are no good settings on Keybase to help reduce this noise; there’s no setting that forces people to go through a friending process; no way to filter all messages from people I don’t follow into a ‘message requests’ bucket like Twitter. It is frustrating.”

While many of those messages were of the annoying, shady business offer or coin scam variety, others were more personal and more disturbing.

Netizens report that, in some cases, they are inundated with sexually explicit advertisements, are propositioned for sex, or are otherwise harassed. And, what’s worse, thanks to Keybase’s policies, they have no way to block the initial messages.

Some have even snubbed the platform entirely. Aria Stewart, a Keybase user since 2014, quit the service over the relentless, prolonged harassment including numerous sexual propositions.

“The harassment has been off and on forever, any messaging platform that lets one be visibly a woman and allows unsolicited messages will get some,” Stewart said.

“It has been increasing in seriousness and intensity, though, for several months, and a really notable uptick in the last month.”

Keybase, for its part, says it is working on a new interface with more controls for users, including the ability to block and report users directly to an administrator with two clicks. What’s more, Keybase says in the coming weeks it will allow users to specify that they can only be contacted by users with whom they are directly connected, something the site calls “the nuclear option”.

“These options will create a custom walled-garden experience,” Keybase said. “It won’t be necessary for most people – especially after the blocking features launch – but it will 100 per cent shut down all unwanted contact.”

The changes are likely to alleviate the problems in the short term, but not everyone is convinced that addressing the harassment issue will be as easy as adding a handful of screening options.

As Stewart notes, Keybase is not unique in its struggles to connect people freely and easily while also protecting them from bad actors. “The problem is one of balancing hypergrowth with harassment. Growth incentives pervert everything,” Stewart said.

“Social networks can probably survive organic growth. But VC funding in particular drives strong incentive to grow at all costs. ALL costs.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/

The Human Factor: 5 Reasons Why Cybersecurity Is a People Problem

The industry can only go so far in treating security as a challenge that can be resolved only by engineering.

In the early days of computing and connected devices, there was a lot we didn’t yet know about designing secure products and environments. Today, there are established, well-known frameworks and lots of advice to help people protect data and devices in their care for everyone from home users to CISOs of Fortune 500 companies.

So, why is it that good security practices are rarely adopted at every level of interaction with technology? It’s because we still view the issue as a technology problem rather than a people problem. Consider these five human factors that prevent the security industry from moving towards a better future.

Human Factor 1: Usability and Accessibility
The usability patterns baked into popular software (including operating systems) create a kind of inertia: they are designed to make us flow from one app to another naturally and almost without thought, and that keeps people from choosing the most secure option. These user-friendly designs do not encourage people to be cautious or wary.

What’s worse is the fact that the steps we can and should take to protect ourselves are, more often than not, designed to interrupt this flow. While this is not necessarily a bad thing, our industry still needs to understand why people are practicing poor online hygiene. It is already a Sisyphean task to make things more secure; making things less secure is like rolling that same boulder downhill. This effect is magnified for those with different accessibility requirements, such as people with vision impairment.

Human Factor 2: Cybersecurity Skills
There are many reasons that companies are having a difficult time hiring and retaining people in cybersecurity roles, starting with the widespread assumption that this is a career path suitable only for people who’ve been immersed in coding and mathematics since the time they could reach a keyboard.

There’s also a collective perception that security people can be incredibly hostile and antisocial, especially toward newcomers. Those who decide to seek a career in infosec often find that an entry-level job requires that they already have work experience. Too often, people who actually make it into the industry (especially those from underrepresented groups) leave midcareer due to burnout, an unsupportive culture, or an ill-defined career path.

Human Factor 3: Solutions in Search of a Problem
Technological advances are typically approached as if they’re all unquestionably good. We often fail to even ask whether there are downsides to these innovations, much less whether we can mitigate the damage after the fact. At the very least, we should all assume that any given product or service will eventually be misused, no matter how beneficial its original intent.

Human Factor 4: One Size Does Not Fit All
If you’ve ever gone to battle with your IT department over a policy that treats all employees as if their job functions were identical, you’ll understand how frustrating such a cookie-cutter approach can be. Asking people to mold their life or job circumstances to fit a security policy is simply unrealistic. Doing so is a recipe for reduced productivity, and may strongly contribute to employee burnout.

Human Factor 5: Broadening Our Experience and Knowledge Base
The good news is that human problems are neither new nor unique to tech. There are entire industries that focus on studying human behavior, and there are people who specialize in the concerns of marginalized or vulnerable populations. Ideally, we should all be hiring people from these populations. But hiring challenges sometimes mean that there is work to be done on improving company culture, which experts can help with. For example, our industry has a long history of partnering with law enforcement. We should also be working with people specializing in industrial/organizational and educational psychology, as well as social workers and ethicists.

The security industry can only go so far in treating security as a problem that can be solved by engineering alone. Until we couple technology with a better understanding of the humans who are using technology insecurely, there’s a limit on how much progress we can ultimately make.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all …

Article source: https://www.darkreading.com/the-human-factor-5-reasons-why-cybersecurity-is-a-people-problem/a/d-id/1336494?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Defender ATP Brings EDR Capabilities to macOS

Mac computers will now have the option to use Microsoft Defender Advanced Threat Protection’s endpoint detection and response.

Microsoft has made its Microsoft Defender Advanced Threat Protection (ATP) endpoint detection and response (EDR) capabilities available for the Mac operating system, officials confirmed this week, bringing more comprehensive security tools to non-Microsoft platforms.

Back in March, Microsoft debuted Defender ATP for Mac with new antivirus capabilities. This let enterprise customers strengthen Mac security, get Mac computers onboarded in the same portal as Windows devices, and expand dashboard visibility to include macOS-related alerts. The new EDR support announced today brings more detailed context to security detections.

Additional capabilities include a machine timeline, which contains information about process creation, network connections, and file creations. Microsoft’s advanced hunting tool lets users conduct free-form investigations using a powerful query engine and growing set of shared queries. Users can search for threats across macOS devices using up to 30 days of raw data.

Microsoft notes that much of the investigation experience, including the hyperlinked exploration between monitored entities (files, processes, network connections, alerts), is the same on Mac machines as it is on Windows computers.

This marks the latest step in Microsoft Defender ATP for Mac; Microsoft plans to continue expanding its capabilities to non-Windows platforms.
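A concrete hunt of the kind the article describes, written here as an added example rather than taken from Microsoft’s documentation or the article itself. It assumes the advanced hunting schema’s DeviceInfo and DeviceProcessEvents tables and the OSPlatform value "macOS", and it looks back over the 30 days of raw data mentioned above for shell and scripting interpreters on Mac devices that were not launched from an interactive terminal, sshd or launchd; the parent-process allow list is an assumption to tune per environment.

```kql
// Added example, not from the article or Microsoft's docs.
// Assumes the Defender ATP advanced hunting schema (DeviceInfo, DeviceProcessEvents).
// Step 1: build the set of Mac devices seen in the 30-day window.
let macDevices = DeviceInfo
    | where Timestamp > ago(30d)
    | where OSPlatform == "macOS"
    | distinct DeviceId;
// Step 2: process creations on those devices where a shell or scripting
// interpreter was started by something other than the usual interactive parents.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where DeviceId in (macDevices)
| where FileName in~ ("bash", "sh", "zsh", "osascript", "python", "curl")
// Parent allow list is an assumption; extend it with your own admin tooling.
| where InitiatingProcessFileName !in~ ("Terminal", "iTerm2", "sshd", "launchd")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Each row in the result links to the same machine timeline described above, so a hit can be pivoted into the process, its network connections and any file creations without leaving the portal. Expect noise from package managers and configuration-management agents on first run; add their parent process names to the allow list rather than widening the time window.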

Article source: https://www.darkreading.com/threat-intelligence/microsoft-defender-atp-brings-edr-capabilities-to-macos/d/d-id/1336526?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple