
5 Ways to Champion and Increase Your 2020 Security Budget

Give your organization’s leadership an impactful, out-of-office experience so they know what’s at stake with their budgeting decisions.

Late in the summer of 2015, I orchestrated an off-site workshop with one of our biggest customers. I had two objectives: One was to create an unforgettable experience that demonstrated to executives how risk translated into strategy — and action — for the cybersecurity staff. 

And by scheduling this in the fourth quarter of our fiscal year, the second, less obvious agenda was to make sure these same decision-makers knew precisely what was at stake when it came time to debate my proposed security budget for the coming fiscal year. 

At least for my department, what had been mostly an academic exercise could then be imbued with a deeper understanding for the board about the real-world impact of their spending decisions.

As a global CISO, I saw the end of the year as a balancing act between short-term returns to finish the year strong and strategic investments to set my organization up for a successful new year. 

For many CISOs, the greatest end-of-year investment they can make is bridging the gap between business and technology stakeholders. This is why I organized an experiential tour of one of our high-profile customers, one the board and CEO would be excited to visit and spend time with. The tour included a presentation from our outside consulting team that discussed the risks of cutting-edge technology when implemented without proper security measures. 

The event paid dividends, both short- and long-term. Because the CEO and board had a richer context to work from, they increased our security budget for the following year. And because other business leaders in attendance learned more about security, the company in turn developed a more risk-aware culture. 

For CISOs and security leaders looking to make a similar investment to fight security fatigue, here’s my five-step blueprint for showcasing the importance of next year’s cybersecurity investment — and emerge victorious from next year’s budget negotiations. 

1. Be the Engineer, Not the Executor
As the cybersecurity leader, you want to secure more budget for your organization and the board and CEO know this. Consequently, you cannot be seen as the face of this experiential event. My recommendation is to source a consulting firm or collaborate with a team you’re already working with to present this experience to the board and CEO. 

2. Create a Powerful Agenda
You may not be the front-of-the-room leader for the experiential tour, but don’t delegate the day’s schedule and pacing. Here are some criteria I settled on to create the first phase of the experience: 

  • Make it exciting: Find a customer or partner whose business your CEO and board will recognize and be excited to interact with. 
  • Align with your business: Ensure there are sufficient touch points between your business and the one you visit. The business challenges, the industry sector – there must be something relatable. Ensure that the board and CEO don’t have to work hard to tie their learning back to your organization. 
  • Get out of the office: Remember, this investment is an experience. Create an event that breaks the pattern and makes it more memorable and engaging for your CEO and board.  

Work closely with the third-party consultants, but in the end, you are the engineer for this experience and it’s up to you to show executive leadership the risks the organization faces. The consultants in the room can help bridge the gap and make the presentation more relatable to business-side stakeholders. 

3. Show, Don’t Tell 
The next part is the “shock and awe” that takes place back in the boardroom: Show, don’t tell, your board and CEO what happens when that business’s technology is used for nefarious purposes. If you tour a crane company, show them how white-hat hackers broke into IoT-enabled cranes. If you tour a connected home manufacturer, demonstrate how a hacker covertly accessed a Nest camera and talked to the woman in the house for hours. This allows your board and CEO to see the direct impact of cyber threats, and the direct impact to your organization and its customers and partners if these threats and risks aren’t remediated. 

It’s your best opportunity to show your board and CEO that business progress and innovation can be almost completely undone without strong cybersecurity and cyber risk management. 

4. The Direct Ask
Following the two-phase, hands-on experience, this is where you as the security leader take a presenting role. Illustrate to your board and CEO what you and your security organization are doing and capitalize on the realizations that have been made during the workshop thus far. Then be direct and clear: Tell them what you need to ensure that your organization and its customers don’t suffer a similar fate. 

5. Where to Increase Spending
There are two prongs to increasing spending for your cybersecurity program in the wake of this experience: Incident response (and activities that fall under the Respond categories in the NIST CSF: response planning, communications, analysis, mitigation, and improvements), and increasing visibility and reporting at the executive level. 

Remember your priorities for this investment: Making your CEO and board care about cybersecurity and elevating cyber to a board and executive-level issue. I strongly discourage spending on another endpoint tool, and instead, trace the narrative of your entire presentation through to the outcomes that you’re looking to achieve: A more resilient, cyber-aware enterprise. 

Specifically, investing in red-blue-team incident response drills, whether tabletop or full mock exercises, will show your board and CEO that you’re prepared for a real incident. Follow that with an investment in a solution that increases visibility into your cyber program. This is where you must implement integrated solutions that allow you to automate reporting and visualize your cyber program in a business context for the company’s directors and executives. 

As we enter the last quarter of the year, it’s critical to use up all your annual budget, and also use your budget effectively. Investing in an experience like this can shift how your executive management sees cybersecurity and break through general security fatigue. Executed properly, the short- and long-term wins will improve your risk posture and help business leaders make more informed decisions about security spending.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Home Safe: 20 Cybersecurity Tips for Your Remote Workers.”

George Wrenn is the founder and CEO of CyberSaint Security, an integrated risk management company that streamlines and automates risk, compliance, and privacy programs. Prior to founding CyberSaint, George was the VP of cybersecurity (CSO) for Schneider Electric, a Global …

Article source: https://www.darkreading.com/risk/5-ways-to-champion-and-increase-your-2020-security-budget/a/d-id/1336436?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NYPD Pulls Fingerprint Database Offline Due to Ransomware Scare

An infected minicomputer distributed an unidentified threat to 23 machines connected to the LiveScan fingerprint tracking system.

The New York Police Department (NYPD) pulled its LiveScan fingerprint tracking system offline after a ransomware virus spread to 23 machines connected to the database over the weekend.

The incident began on October 5, when a contractor installing a digital display at a Queens police academy plugged in an infected NUC mini-PC, the New York Post reports. The minicomputer spread an unidentified virus to 23 machines connected to the LiveScan system. Within hours, police detected the breach. NYPD cyber command and Joint Terrorism Task Force were alerted.

The ransomware never executed; however, the NYPD shut down its fingerprint scanning system for the night and reinstalled software on 200 computers across the city as a precaution. Its team was bringing the system back online by early Saturday morning, Deputy Commissioner for Information Technology Jessica Tisch told the Post. 

Officials have not disclosed the vendor, which was questioned but ultimately not charged. An NYPD spokeswoman told the publication this affected 0.1% of the department’s computers. That said, the NYPD database is linked to the Statewide Automated Fingerprint Identification System, which New York’s Division of Criminal Justice Services says contains about 7 million files, the Post notes.


Article source: https://www.darkreading.com/threat-intelligence/nypd-pulls-fingerprint-database-offline-due-to-ransomware-scare/d/d-id/1336466?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DDoS: An Underestimated Threat

Distributed denial-of-service (DDoS) attacks have become more common, more powerful, and more useful to attackers. Here’s how to fight back.

On the flip side of the proliferation of Internet of Things (IoT) devices, the quest for increased connectivity and bandwidth (think 5G) and skyrocketing cloud adoption, IT is increasingly being weaponized to unleash cyberattacks of unprecedented magnitude. Coupled with the emergence and anonymous nature of both the Dark Web and cryptocurrencies, illicit transactions have never been easier or more convenient. Distributed denial-of-service (DDoS) attacks have become more common, more powerful, and more useful to attackers. They have advanced from mere botnet-based approaches to artificial intelligence (AI) and data-driven models.

Scholars at the University of Cambridge last year published a research note describing how they used data science to shed light on criminal pathways and ferret out the key players linked to illegality in one of the biggest and oldest underground forums. Perhaps surprisingly, they found that most cybercrime is committed by people who aren’t technical geniuses. Many of them offer so-called “booter” services — basically, they’re hired DDoS guns — and they have become so widespread that they even include school-age children.

While not all of these attacks are spotlighted in the media, they cause significant financial blowback for companies in the form of paid-out ransoms, business downtime, lost revenue, and reputational losses, among other costs. This havoc is perpetrated by the members of a busy underground economy where cyberattack services are traded and monetized.

Attacks on the Rise
Europol’s “Internet Organised Crime Threat Assessment 2019” report outlines how DDoS attacks are among the biggest threats reported in the business world. The favorite DDoS targets of criminals in 2019 were banks and other financial institutions, along with public organizations such as police departments and local governments. Travel agents, Internet infrastructure, and online gaming services were also in the cybercriminals’ crosshairs. Some arrests were made, but they had no noticeable impact on the growth rate of DDoS attacks or on the Dark Web infrastructure that makes them possible, according to Europol.

While many DDoS attacks go unreported and unnoticed, some are making the news. In October, a major DDoS attack roughly eight hours long struck Amazon Web Services (AWS), making it impossible for users to connect because AWS miscategorized their legitimate customer queries as malicious. Google Cloud Platform experienced a range of problems at about the same time, but the company says the incident was unrelated to DDoS. A few weeks earlier, a number of DDoS attacks crippled an ISP in South Africa for an entire day.

Everybody Is Vulnerable
Interestingly, it’s not just legitimate organizations that are plagued with DDoS attacks. Anyone familiar with Dark Web market listing services will know that markets are usually listed with an “uptime,” with the main reason for any downtime being DDoS attacks.

These hidden services are open to DDoS attacks because of certain characteristics of the Tor browser, which is commonly used to access the Dark Web. Earlier this year, the three biggest Dark Web markets all suffered serious and extended DDoS attacks. The operators of Dream Market were reportedly taken for $400,000, which illustrates that even the criminals are vulnerable to attacks by DDoS extortionists.

APIs Move into the Spotlight
But the DDoS problem is moving beyond infrastructure. As part of their digital strategy, many organizations are turning to cloud-native applications, and — as part of the Fourth Industrial Revolution — manufacturing, logistics, and utility companies are equipping their production lines, warehouses, factories, and other facilities with wireless connectivity and sensors. Each of these requires an API in order to work.

However, while APIs simplify architecture and delivery, they can also become bottlenecks that open up companies to a spectrum of risks and vulnerabilities. When a business-critical application or API is compromised, it knocks out all the operations related to the business and initiates a chain reaction. Thus, simply protecting OSI layers 3/4 is no longer sufficient; layer-7 attacks create more damage with less total bandwidth.

Job #1: Building Cyber Resilience
In digital business, there is no room for outages. That’s why organizations of all sizes must do everything they can to safeguard the resilience, integrity, and uptime of their digital platforms and services. As network bandwidth and computing power multiply, they enable black hats to leverage the increased resources to launch more powerful attacks. DDoS against national infrastructure networks can wreak major real-life havoc and shut down access to the services that grease the wheels of our economy and society. The US Department of Homeland Security (DHS) reports that in the past five years the size of attacks has increased by a factor of 10, and that “it is not clear if current network infrastructure could withstand future attacks if they continue to increase in scale.”

Upgrading the Arsenal
The increase in attack frequency, added risk of APIs, and cost of downtime have combined to create a threat greater than the sum of its parts. This evolution of the threat landscape necessitates a similar evolution in defense methods. An organization would be naive to think that the preparedness posture that worked a decade ago can still work unchanged against modern threats.

“To address the increased frequency of attack, a modern defense must be efficient,” says Andrew Shoemaker, a DDoS veteran and founder of NimbusDDoS, a pen-testing provider that vets DDoS mitigation solutions. “This means embracing automated mitigation approaches, and moving away from slow manual processes,” he adds. “Manual approaches may have been effective in the past when an organization was only attacked a few times per year, but the administrative burden of manual mitigation becomes overwhelming when attacks are happening monthly or weekly.”


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Article source: https://www.darkreading.com/vulnerabilities---threats/ddos-an-underestimated-threat/a/d-id/1336423?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sir Tim Berners-Lee publishes plan to save the web from ‘digital dystopia’

Web inventor Sir Tim Berners-Lee is so worried his 30-year-old creation is turning into a “digital dystopia” that he’s proposed a Contract for the Web to rescue it from a headlong plunge into a moral abyss.

It’s not an original worry – Berners-Lee has publicly fretted about the web’s direction many times in recent years – and it’s not hard to understand where his pessimism comes from.

Governments enact laws mandating forms of mass surveillance and information control, while big internet companies and data brokers vacuum up as much data as they can for ever-more intrusive ad targeting.

Meanwhile, political parties invest in manipulative advertising, on top of the shadowy forces pushing ever more outlandish conspiracy theories and deepfakes that embed fiction as fact with bad consequences for democracy.

That’s before examining the toll of scams, malware campaigns, data breaches, and websites selling illegal and disturbing material in ways the established rule of law struggles to contain.

Worst of all, nobody seems to care. The web started as a promising, anarchic force but nobody said people with bad intentions couldn’t and wouldn’t turn it into a disturbing free-for-all.

Said Berners-Lee to The Guardian:

I think people’s fear of bad things happening on the internet is becoming, justifiably, greater and greater. If we leave the web as it is, there’s a very large number of things that will go wrong. It’s not that we need a 10-year plan for the web, we need to turn the web around now.

Just be good

After a year spent pondering these problems with his World Wide Web Foundation and 80 other organisations, Berners-Lee has come up with a set of nine principles to turn the tide, three each for governments, companies, and web citizens themselves.

Important principles include that governments and companies should respect the privacy of individuals, support the digital commons, and basically keep a lid on new technologies that might be misused.

The biggest recommendation is that governments and companies should ensure reliable universal access to the internet, which some might see as ironic given the terrible brain-destroying state Berners-Lee says it’s in.

Principle 1 – Governments will… Ensure everyone can connect to the internet
Principle 2 – Governments will… Keep all of the internet available, all of the time
Principle 3 – Governments will… Respect and protect people’s fundamental online privacy and data rights
Principle 4 – Companies will… Make the internet affordable and accessible to everyone
Principle 5 – Companies will… Respect and protect people’s privacy and personal data to build online trust
Principle 6 – Companies will… Develop technologies that support the best in humanity and challenge the worst
Principle 7 – Citizens will… Be creators and collaborators on the web
Principle 8 – Citizens will… Build strong communities that respect civil discourse and human dignity
Principle 9 – Citizens will… Fight for the web

In many ways, it’s a development of Berners-Lee’s 2014 proposal that the web needed an equivalent of the 13th century English Magna Carta to tame powerful interests.

It’s still impressive that he’s managed to sign up 150 organisations to these principles, including Microsoft, Google, Facebook, and Twitter.

Some will argue that the latter three are, in different ways, part of the problem he’s trying to solve – namely allowing anyone and everyone to say what they like in the name of profit regardless of the consequences.

There are also surprising omissions from the list of backers such as Mozilla and Cloudflare, both companies that have recently turned internet privacy into their public raison d’être.

But rather than pick holes, perhaps concerned internet users should applaud Berners-Lee for at least trying – nobody doubts he’s one of the good guys after all.

For instance, while it’s likely some governments and companies will ignore the Contract for the Web and internet doom-mongers dismiss it as too little too late, techies will understand that on the internet it’s not always what the people in charge think that matters.

The internet once challenged the established order, and it has it within its power to do so again. It wouldn’t take every government and company to sign up for privacy and democratic control for the emergence of new technologies backed by a core of organisations to make that a reality.

Berners-Lee’s Contract for the Web is just a set of ideas. Its long-term contribution might be that the optimists now have something to aim for.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ei841Vw1q5s/

National Veterinary Associates catches dose of ransomware

Ransomware attacks don’t discriminate. They are just as happy targeting those with four legs as those with two.

Anonymous sources told cybersecurity reporter Brian Krebs this week that National Veterinary Associates (NVA) has fallen victim to a ransomware attack that has affected hundreds of hospitals.

NVA describes itself as one of the largest veterinary pet care services organisations in the world. It partners with over 700 veterinary hospitals, including general practice clinics, equine hospitals, and pet resorts, in a network spanning the US, Canada, Australia, and New Zealand. Founded in 1996 by Dr. Stan Creighton, it began by buying hospitals from retiring veterinarians. It now has 2,600 veterinarians in its network.

Ryuk ransomware

NVA didn’t respond to our requests for comment, but reports said that the company discovered a ransomware attack on Sunday 27 October. The culprit was apparently Ryuk, an especially pernicious form of ransomware first detected by researchers in August 2018.

According to sources quoted by Krebs, the ransomware hit nearly 400 hospitals in the company’s 700-strong network. The infection wasn’t ubiquitous because hospitals have some autonomy in how they run their IT networks, but some were left struggling to provide care after they lost access to their patient information management systems, reports said.

A source also told Krebs that this wasn’t the first Ryuk infection that the company has endured. The company had discussed the first attack more openly, the source said.

Things were different this time, according to Krebs. The company reportedly sent out instructions explaining how members of its network should discuss the incident. A screenshot read:

Use the verbiage “Computer Outage” – Joe would like us to use generic terms.

Ryuk kills over 40 processes and stops more than 180 services on infected computers, including some anti-virus tools. It also writes itself to the Run registry key to maintain persistence. It has been involved in ransomware attacks against organizations including the Chicago Tribune and cloud hosting provider DataResolution.net.

In the UK, the National Cyber Security Centre (NCSC) is investigating Ryuk ransomware campaigns linked to Emotet and Trickbot. The Centre says that Ryuk is a targeted strain of ransomware that allows its owner to set the ransom according to the victim’s perceived ability to pay. It often operates under the radar for a period of time ranging up to months, enabling the attacker to move laterally through the network and infect as many assets as possible.

Krebs’ source expressed concern that NVA may not have completely eradicated the first attack.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ph3qbePJfZk/

Court says suspect can’t be forced to reveal 64-character password

The dry facts: A US court has come down in favor of Fifth Amendment protections against forced disclosure of a 64-character passcode in a child abuse imagery case – an important interpretation of whether forced password disclosure is the modern equivalent of an unconstitutionally coerced confession.

The gut punch: The defendant is a man previously convicted over distribution and possession of child abuse imagery who, on the ride over to his arraignment, openly chatted with cops about how much he likes watching sexual videos featuring 10- to 13-year-old victims.

The ruling, handed down last Wednesday, quoted appellant Joseph J. Davis’s response when asked for his passcode:

It’s 64 characters and why would I give that to you? We both know what’s on there. It’s only going to hurt me. No f*cking way I’m going to give it to you.

Agents from the Office of the Attorney General (OAG) were investigating a child abuse imagery ring that led them to Davis’s apartment twice: once in 2014, and again in 2015. They said that his computer had repeatedly used a peer-to-peer file-sharing network, eMule, to share the imagery, which OAG agents received and confirmed to be illegal.

Davis was charged with two counts relating to disseminating child abuse imagery and one relating to criminal use of a communication facility. In 2015, prosecutors filed a pre-trial motion to compel Davis to give up that 64-character key to his encrypted computer. Davis responded by invoking his Fifth Amendment right against self-incrimination.

A lower court focused on whether the encryption was testimonial in nature, and, thus, protected by the Fifth Amendment – as in, would handing over his password be the same as revealing the contents of his mind?

As part of its analysis, the lower court had looked to the foregone conclusion exception to the Fifth Amendment. That standard keeps cropping up in these compelled-unlocking cases: it allows prosecutors to bypass Fifth Amendment protections if the government can show that it knows that the defendant knows the passcode to unlock a device.

In order to apply the foregone conclusion standard, the government has to show that it knows that the evidence it wants is authentic and that it actually exists, and that a defendant has or controls it.

Well, in Davis’s case, they knew it all, the lower court found: they knew his computer had hard-wired internet access only; Davis admitted it was encrypted with TrueCrypt, said that he was the only user and the only one who knew the password, and that he’d “die in prison” before giving up that password; and the state was pretty sure there were child abuse images on there.

In other words, we’re not going to learn anything that we don’t already know, the lower court ruled, so cough up that password: the foregone conclusion standard has been met.

The case went to appeal, and thus an important question about password disclosure vis-à-vis the Fifth Amendment and the foregone conclusion standard was decided last week.

In a 4-3 decision in Commonwealth v. Davis, the Pennsylvania Supreme Court ruled against the lower court on Wednesday, finding that disclosing a password is, in fact, testimony that’s protected by the Fifth Amendment’s privilege against self-incrimination.

The court decided that unlocking and decrypting a mobile phone or computer is, in fact, what the Electronic Frontier Foundation (EFF) calls “the modern equivalent” of coercing a confession or forcing a suspect to lead police to incriminating evidence.

The EFF had filed a friend of the court brief in the case, arguing that the foregone conclusion exception applies only when an individual is forced to comply with a subpoena for business records, and only when complying doesn’t reveal the contents of their mind.

“Sometimes a shelter to the guilty”

The Pennsylvania Supreme Court agreed. It noted in its ruling that sometimes when protecting the rights of the innocent, you also wind up shielding those who are guilty scumbags:

Requiring the Commonwealth to do the heavy lifting, indeed, to shoulder the entire load, in building and bringing a criminal case without a defendant’s assistance may be inconvenient and even difficult; yet, to apply the foregone conclusion rationale in these circumstances would allow the exception to swallow the constitutional privilege. Nevertheless, this constitutional right is firmly grounded in the ‘realization that the privilege, while sometimes a shelter to the guilty, is often a protection to the innocent.’

The decision is considered a big win for privacy-rights advocates. The EFF:

This ruling is vital because courts must account for how constitutional rights are affected by changes in technology. We store a wealth of deeply personal information on our electronic devices. The government simply should not put individuals in the no-win situation of choosing between disclosing a password – and turning over everything on these devices – or instead defying a court order to do so.

Recent, related cases

This isn’t the first such decision. Some, but certainly not all, courts have similarly decided that compelled password disclosure amounts to a violation of Fifth Amendment rights against self-incrimination.

One example is the decision that came out of the Florida Court of Appeal in November 2018: it’s one of at least two such cases that have involved an intoxicated person who crashed their car, leading to the injury or death of passengers, then refused to unlock their iPhone for police.

In Florida, the court refused a request from police that they be allowed to compel an underage driver to provide the passcode for his iPhone because of the “contents of his mind” argument about the Fifth Amendment.

But the Florida court also went beyond that, saying that whereas the government in the past has only had to show that the defendant knows their passcode, with the evolution of encryption, the government needed to show that it knew that specific evidence needed to prosecute the case was on the device – not just that there was a reasonable certainty the device could be unlocked by the person targeted by the order.

If prosecutors already knew what was on the phone, and that it was the evidence needed to prosecute the case, they didn’t prove it, the Florida court said at the time.

Regardless of the “foregone conclusion” standard, producing a passcode is testimonial and has the potential to harm the defendant, just like any other Fifth Amendment violation would, the Florida court said. It’s not as if the passcode itself does anything for the government. What it’s really after is what lies beyond that passcode: information it can use as evidence against the defendant who’s being compelled to produce it.

And yet, just last month, a court ordered a woman who was high on meth when she crashed into a tree, seriously injuring one adult and five children passengers, to type in her iPhone password so police could search the device.

Supreme Courts in both Indiana and New Jersey are currently considering similar cases.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tytTDlPZrB0/

Parents say creep hacked their baby monitor to tell toddler they ‘love’ her

Another mouthbreather with nothing better to do than hack a baby monitor and broadcast their “love” for a 3-year-old has apparently struck again.

This time, it happened to a family in Seattle.

According to local broadcaster King 5, a couple who asked to be identified only as Jo and John said that their daughter, Jaden, was spied on by a stranger who spoke to the tot via a babycam last week. The King 5 segment is also available on Insider.

What Jaden’s mom, Jo, told King 5:

We were both downstairs working in our office here, and our daughter called out. She’s saying, ‘Mommy, mommy.’ She said, ‘The voice is talking to me.’

After Jo went upstairs to check, here’s what she heard:

I said, ‘What’s going on?’ And she said the man said, ‘Jaden, I love you.’ And I said, ‘What!’

Neither parent heard the voice of the hacker first-hand. At first, they thought nothing of it. But then, the couple said, John’s mother heard a stranger’s voice coming from upstairs last week. Meanwhile, Jaden’s story has stayed consistent: yes, the voice comes from the camera, no, not from a nearby stuffed animal.

Jo and John also noticed that the camera had been mysteriously resetting itself, moving its focus from its usual angle, looking down into Jaden’s crib, to instead peer up into the room, without any input from them.

The spycam in question

The couple say that the baby monitor is a Taococo FREDI model that they got as a baby shower gift for their youngest child about six months ago. Going for around $50 on Amazon, it’s a Wi-Fi-enabled webcam that lets people keep an eye on their babies, their elders, their pets, or, surreptitiously, their nannies, beaming out a live stream to phones “any time, no matter where you are.”

As SEC-Consult has previously reported, it’s a little tough to figure out exactly who manufactures these webcams. A quick search on Alibaba.com returns several suppliers for this type of camera, most of which offer “OEM/ODM” services, including custom branding, for wholesale customers.

One of the OEMs, Shenzhen Gwelltimes Technology Co., Ltd., develops the camera firmware, designs the hardware and operates the “P2P Cloud” service that’s enabled by default and which is typical of consumer-grade surveillance products. The cloud service makes it easy for users to access video data no matter where they are, from their phones or desktops.

However, the fact that there’s an internet connection involved raises all sorts of security questions, such as whether the stream is encrypted or whether that connection can be intercepted by hackers. Another question: who’s monitoring the servers? A country that’s governed by data privacy laws such as the General Data Protection Regulation (GDPR)? Or a country that isn’t, such as China?

As it is, the “P2P Cloud” service was successfully attacked in 2017 by Berlin-based Security Research Labs. The researchers started by scanning for valid device IDs, brute-forcing passwords, and then exploiting missing firmware update integrity/authenticity checks to gain remote code execution (RCE) and persistence on the device.

To somebody who just wants to make sure their baby’s OK – that’s a lot of “yikes!”.

A history of hacks

In 2018, it was 24-year-old Jamie Summit whose $34 FREDI wireless baby monitor was hacked by a stranger who spied on her, moving the camera to face the bed where she breastfed her 3-month-old son.

Summit told WCIV that she felt guilty “for not doing enough research on this.”

I didn’t know this was something I needed to look into. I thought baby monitors were kind of cut and dry. You find a baby monitor, you watch them napping, it was supposed to be a safety thing.

How to research a baby monitor

About a year ago, Naked Security’s Maria Varmazis was in the market for a baby monitor. Unlike many parents of newborns, Maria was, in fact, very aware of the need to research the safety of baby monitors. After she did, she put together this guide on how to buy and set up a safe and secure monitor.

Using Maria’s tips, I put together the following list of questions for the OEM behind the FREDI monitor… a monitor that Mozilla has deemed to be easily hacked, from a company that seems to lack a privacy policy.

I’ll update the story if I hear back, though nobody who’s looked into this particular monitor has reportedly ever heard back from the manufacturer/OEM.

  1. Does this product offer at least SSL/TLS encryption for video transmission over the internet?
  2. Does it offer AES for encrypting any data that’s stored on a device or in the cloud?
  3. Does this baby monitor use a default password?
  4. Does the product force customers to change the default password before using the baby monitor?
  5. Does your company have a privacy policy? If so, please send a link to that policy.

Feel free to adapt those questions in order to do your own research into babycams, and most certainly feel free to share what you find, in the comments section below.
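Questions 1, 3 and 4 above can also be checked directly against a camera on your own network, without waiting for the OEM to answer. The Python script below is an added example written for this page; it is not code from Naked Security, Mozilla, or the camera’s maker. It assumes a device that exposes an HTTP admin page on port 80 protected by HTTP Basic auth and possibly an HTTPS listener on port 443, and the credential pairs it tries are illustrative guesses, not anything documented for the FREDI monitor. It does not cover the “P2P Cloud” path, which would need the vendor app’s traffic to assess.

```python
# Added example (not from the article or the camera's vendor): an offline-testable
# audit of a Wi-Fi camera's web interface covering checklist questions 1, 3 and 4.
# Assumptions, none of which come from the article: the camera exposes an HTTP
# admin page on port 80 protected by HTTP Basic auth, may expose HTTPS on 443,
# and the credential pairs below are illustrative guesses, not vendor data.
import base64
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative factory credential pairs to try against your own device.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", ""),
    ("admin", "123456"),
    ("user", "user"),
]

# A transport sends raw bytes to host:port and returns the raw reply. The real
# one opens a TCP socket; a test can inject a fake that answers from memory.
Transport = Callable[[str, int, bytes], bytes]


def tcp_transport(host: str, port: int, payload: bytes, timeout: float = 3.0) -> bytes:
    """One plain-TCP request/response exchange; the request asks the server to close."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        while len(chunks) < 64:  # cap so a chatty device cannot stall the audit
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


def offers_tls(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """True if a TLS handshake to host:port completes. Certificate checks are
    disabled on purpose: the question is whether the device speaks TLS at all,
    and a self-signed camera certificate still counts as "yes"."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError and socket.timeout are both OSError subclasses
        return False


def build_request(host: str, creds: Optional[Tuple[str, str]] = None, path: str = "/") -> bytes:
    """GET request, optionally carrying an HTTP Basic Authorization header."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def status_code(reply: bytes) -> int:
    """Status code from an HTTP/1.x status line, or 0 if the reply is not HTTP."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return 0


def audit_camera(host: str, transport: Transport = tcp_transport,
                 tls_probe: Callable[[str], bool] = offers_tls, port: int = 80) -> Dict[str, object]:
    """Answer checklist questions 1, 3 and 4 for the camera at `host`."""
    report: Dict[str, object] = {"offers_tls": tls_probe(host), "reachable": True,
                                 "unauth_status": 0, "requires_auth": None,
                                 "accepted_default_creds": []}
    try:
        unauth = status_code(transport(host, port, build_request(host)))
    except OSError:
        report["reachable"] = False
        return report
    report["unauth_status"] = unauth
    if unauth == 0:  # not HTTP on this port; nothing more to conclude here
        return report
    # Edge case first: a page readable with no credentials at all is worse than
    # a default password, and it would make every guess below look "accepted".
    report["requires_auth"] = unauth in (401, 403)
    if not report["requires_auth"]:
        return report
    accepted = []
    for creds in DEFAULT_CREDS:
        try:
            code = status_code(transport(host, port, build_request(host, creds)))
        except OSError:
            continue
        if 200 <= code < 400:
            accepted.append(creds)
    report["accepted_default_creds"] = accepted
    return report


if __name__ == "__main__":
    import json
    import sys
    # Usage: python audit_cam.py 192.168.1.50   (a camera on your own LAN)
    print(json.dumps(audit_camera(sys.argv[1]), indent=2))
```

Run it only against a device you own. The two answers to worry about are `requires_auth: false` (the admin page is open to anyone on the network) and a non-empty `accepted_default_creds` (question 4 answered “no”); `offers_tls: false` means question 1 is answered “no” for the local interface at least.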

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lcvDFj3ym4E/

Stop us if you’ve heard this one: Facebook and Twitter profiles silently slurped by shady code

Twitter and Facebook on Monday claimed some third-party apps quietly collected swathes of personal information from people’s accounts without permission.

The antisocial networks blamed the data slurp on what they termed a pair of “malicious” software development kits (SDKs) used by the third-party iOS and Android apps to display ads. Once a user was logged into either service using one of these applications, the embedded SDK could silently access that user’s profile and covertly collect information, it is claimed.

In the case of Twitter, the offending SDK was built and maintained by marketing house oneAudience, and was allegedly caught collecting user names, email addresses, and Tweets via unspecified Android apps.

“We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS,” Twitter said in announcing the incident.

“We have informed Google and Apple about the malicious SDK so they can take further action if needed. We have also informed other industry partners about this issue.”

Facebook, meanwhile, says it has had to shut down two SDKs for similar activity: both the oneAudience SDK and an SDK from marketing company MobiBurn were allegedly found to be harvesting profile information including names, genders, and email addresses when used in third-party apps.

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores,” a Facebook spokesperson told The Register.

“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”

Spokespeople for oneAudience declined to comment. Meanwhile, MobiBurn has issued a public statement on the matter.

“No data from Facebook is collected, shared or monetised by MobiBurn,” it said. “MobiBurn primarily acts as an intermediary in the data business with its bundle, i.e., a collection of SDKs developed by third-party data monetisation companies. MobiBurn has no access to any data collected by mobile application developers nor does MobiBurn process or store such data. MobiBurn only facilitates the process by introducing mobile application developers to the data monetisation companies. This notwithstanding, MobiBurn stopped all its activities until our investigation on third parties is finalised.”

At this point, these sorts of personal data disclosures are nothing new for users of social networking sites. The loss of netizens’ personal and profile information has been documented on nearly all of the major networks over the years, and execs have been taken to task by governments around the world for failing to properly secure personal data.

This latest incident brings back memories of the largest of those data thefts: the 2016 collection of Facebook information by political marketing strategists at Cambridge Analytica. In that case, tens of millions of user profiles were combed through for personal information that was then used to place highly-targeted campaign ads. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/26/facebook_twitter_data_loss/

T-Mobile Prepaid Hit by Significant Data Breach

The breach, estimated to have affected more than a million customers, came from malicious external actors.

More than a million T-Mobile prepaid customers’ personal information and account details were exposed in a data breach. According to the company, no payment information, Social Security numbers, or passwords were exposed in the breach, which it described as “malicious, unauthorized access.”

T-Mobile informed affected customers on Friday and says that the unauthorized access was shut down by its internal security team. While passwords were said not to be compromised, T-Mobile is advising affected customers to change their account passcode or PIN as soon as possible.

For more, read here and here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “In the Market for a MSSP? Ask These Questions First.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/t-mobile-prepaid-hit-by-significant-data-breach/d/d-id/1336462?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Most Organizations Have Incomplete Vulnerability Information

Companies that rely solely on CVE/NVD are missing 33% of disclosed flaws, Risk Based Security says.

A new report shows companies that rely solely on the Common Vulnerabilities and Exposures (CVE) system for their vulnerability information are leaving themselves exposed to a substantial number of security issues they don’t know about.

Risk Based Security’s researchers have so far this year identified 5,970 more vulnerabilities than reported in the CVE and National Vulnerability Database (NVD). Of them, 18.4% had a CVSS v2 score ranging from 9 to 10, meaning they were considered critical. When vulnerabilities with a severity rating of 7 to 9 were also counted, some 43.5% of the 5,970 flaws not reported in the CVE/NVD system were either high risk or critical. Flaws not listed in CVE/NVD included those involving products from major vendors including Oracle, Microsoft, and Google.

“Organizations that rely on vulnerability intelligence are dealing with an alarming number of issues that impact all parts of their infrastructure,” says Brian Martin, vice president of vulnerability intelligence at Risk Based Security.

CVE and NVD only include vulnerabilities that security vendors and researchers directly report to them. As a result, thousands of flaws that researchers discover and disclose in other ways are not getting listed in CVE/NVD, he says. According to Risk Based Security, organizations that rely solely on CVE/NVD likely miss 33% of all disclosed vulnerabilities, on average.

Researchers can disclose vulnerabilities in different ways and different places — from their own blogs to one of millions of repositories on GitHub. “GitHub currently has over 100 million repositories, and that is just a single site,” Martin notes. “Factoring in BitBucket, SourceForge, GitLab, and many others, the amount of places a vulnerability may pop up is insane.”

Researchers might blog about a vulnerability discovery but often don’t cross-post the disclosure to known vulnerability reporting sites such as Bugtraq, Full-Disclosure, or PacketStorm. “Every week we find around a dozen more sources like this, as well as new software being released, or software and third-party libraries,” Martin says.

In total, Risk Based Security’s VulnDB team aggregated 16,738 security vulnerabilities in the first three quarters of 2019. Nearly half — 48% — had a severity score ranging from 6 to 10. Troublingly, exploit code or proof-of-concept code was available for 39% of the disclosed flaws that Risk Based Security’s researchers counted for that time period.

Oracle topped the list of organizations with the most reported security vulnerabilities. Risk Based Security’s data showed the company reported 969 security flaws in its products between Jan. 1 and the end of September. Google, with 945 flaws, and SUSE, with 812 flaws, were in second and third place, respectively.

Both Oracle and Google moved up in Risk Based Security’s Top 10 list; last year Oracle ranked third and Google ranked fourth among companies that disclosed the most security vulnerabilities in their products. SUSE, which topped the list last year, dropped to third place so far in 2019. Meanwhile, Microsoft, which is often perceived as reporting more vulnerabilities than others, was in ninth spot with 485 vulnerabilities, while Cisco landed in 10th spot with 390 vulnerabilities.

As with last year, a majority of the disclosed bugs (10,868) over the past three quarters impacted system integrity. About 1,800 impacted availability and slightly more than 2,600 were related to confidentiality.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Home Safe: 20 Cybersecurity Tips for Your Remote Workers.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/most-organizations-have-incomplete-vulnerability-information/d/d-id/1336460?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple