STE WILLIAMS

New Office 365 Phishing Scam Leaves A Voicemail

A fake voice message lures victims to a fake Microsoft 365 login page that prompts them to enter credentials.

A new Office 365 phishing campaign delivers a fake voicemail message to redirect victims to a Web page that prompts them to enter login credentials, McAfee researchers discovered.

Researchers initially thought one phishing kit was being used to steal users’ data; however, an investigation revealed three separate kits and proof of several high-profile companies targeted.

The attack starts with an email informing victims they missed a phone call and instructing them to log into their accounts to access a voicemail. When they load the attached HTML file, it redirects them to a phishing website. Researchers note this attachment varies; in most recent attacks, it contains an audio recording disguised to sound like the beginning of a real voicemail.

When redirected, victims see a phishing page prompting them to log into their Microsoft accounts. The page is prepopulated with their email addresses, researchers say, a tactic intended to make the scam seem legitimate. Victims who enter their passwords are sent to another page saying the account was “successfully confirmed” before they’re redirected to the real Office login page.

Researchers were surprised to see three phishing kits used in this attack and say they are “almost identical.” They differentiated the kits by analyzing the generated HTML code and parameters accepted by the PHP script. Attackers are primarily after the service industry (18%), followed by finance (12%), IT services (12%), retail (10%), and insurance (9%). A wide range of employees were targeted, they report, from middle management to executive staff.
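The attachment and landing-page behaviour described above can be triaged automatically. What follows is an added example, not McAfee’s tooling or code from the original article: a Python script that pulls HTML attachments out of a message, extracts meta-refresh and JavaScript redirect targets, flags an embedded audio clip, and reports any address the redirect URL carries for pre-filling the login form. The message it scans is constructed inline in the shape the article describes; the domains, filename and the `email` query parameter are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Redirect primitives HTML attachments use to bounce the victim to a harvesting
# page: a meta refresh, or a JavaScript location assignment.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I,
)
JS_REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']',
    re.I,
)
# An inline base64 audio clip or <audio> element: the "start of a voicemail" lure.
EMBEDDED_AUDIO = re.compile(r'data:audio/[\w.+-]+;base64,|<audio\b', re.I)
EMAIL_ADDR = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')


def analyze_html(html: str) -> dict:
    """Extract redirect targets, embedded audio and any address the kit pre-fills."""
    targets = [m.group(1) for m in META_REFRESH.finditer(html)]
    targets += [m.group(1) or m.group(2) for m in JS_REDIRECT.finditer(html)]
    prefilled = []
    for url in targets:
        parsed = urlparse(url)
        # Kits hand the victim's address to the landing page as a query parameter
        # or behind '#', so the login form can show it already filled in.
        for values in parse_qs(parsed.query).values():
            prefilled += [v for v in values if EMAIL_ADDR.fullmatch(v)]
        if EMAIL_ADDR.fullmatch(parsed.fragment):
            prefilled.append(parsed.fragment)
    return {
        "redirects": targets,
        "embedded_audio": bool(EMBEDDED_AUDIO.search(html)),
        "prefilled_addresses": prefilled,
    }


def scan_message(raw: bytes) -> list:
    """Return one finding per HTML attachment in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not (name.lower().endswith((".htm", ".html")) or part.get_content_type() == "text/html"):
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        finding = {"filename": name, **analyze_html(html)}
        # Redirect plus a lure (audio) or personalisation (pre-filled address) is the
        # pattern described in the campaign; a bare redirect alone is only a weak signal.
        finding["suspicious"] = bool(finding["redirects"]) and (
            finding["embedded_audio"] or bool(finding["prefilled_addresses"])
        )
        findings.append(finding)
    return findings


def build_sample() -> bytes:
    """Constructed test message in the shape the article describes (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "voicemail-noreply@example.net"
    msg["To"] = "jane.doe@example.com"
    msg["Subject"] = "Missed call: new voice message (0:47)"
    msg.set_content("You missed a call. Open the attached file to listen to the message.")
    html = (
        '<html><head><meta http-equiv="refresh" content="0;url='
        'https://login.example.invalid/office365/?email=jane.doe@example.com"></head>'
        '<body><audio autoplay src="data:audio/wav;base64,UklGRiQAAABXQVZF"></audio>'
        '<p>Loading your voicemail...</p></body></html>'
    )
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="voicemail.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Run it as a script to see the finding for the constructed message, or feed `scan_message` the raw bytes of a quarantined `.eml` file. The regexes deliberately cover only the two redirect mechanisms and the two lures named in the write-up; a real mail gateway rule would also want to compare the redirect host against the organisation’s legitimate login domains.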


This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/new-office-365-phishing-scam-leaves-a-voicemail/d/d-id/1336231?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Quantifying Security Results to Justify Costs

The CISO job isn’t to protect the entire business from all threats for any budget. It’s to spell out what level of protection executives can expect for a given budget.

Most modern security programs are centered around “maturity” toward compliance to a security framework, or a subjective “expert” opinion. Neither of these approaches can justify security spend or deliver a meaningful protection-from-impact result. To justify security budget, CISOs need to be able to answer questions, such as:

  • Who can and cannot breach a crown jewel?
  • Is this level of protection justifiable?
  • What cost did we achieve this for, and is that cost reasonable?

To answer these questions, CISOs need quantifiable data and terms that influence costs and results because executives are results driven. They care much less about what security is doing, and much more about what they get in return for it. They want to know how differences in security spending quantifiably change the business’s exposure to big impacts. For that reason, security professionals need to change the narrative from “security is a journey, not a destination” to “security is a chosen destination, with a justified journey to get and remain there.”

Our starting point: Align protection “destinations” to assets that irrefutably matter to executives. Let’s call these the crown jewels. Keep these easy to understand and in business terms. With well-chosen protection targets, the value of protecting them and the liability of not credibly doing so will be obvious. This way, you also don’t need to rely on a cadre of quants using dubious data sets and computing probabilistic equations to produce “risk statements” that tell the board what they already know: They have a security risk exposure problem.

An annual report is a great source for target discovery as it typically states what matters most to the business. Generally, you’ll want to consider how the business generates revenue (e.g., products and markets, income mechanisms, customer experience and satisfaction, and trade secrets that produce competitive advantage), sensitive operations like finance, human resources, and legal, and core operations such as facility access, email, accounts, and networks.

Now that you have established protection targets that are meaningful to executives, you need to manage the key dimensions that influence security cost. The first two are the quality and quantity of security. These directly impact the level of protection and the exposure to impact to be expected. The latter two affect the pace and the proficiency of security operations to deliver protection results.

How deep is our security quality? Threat actors aren’t all equal. We know some are more sophisticated than others. The more advanced the threat actor, the more access to attack resources and methods they have. This makes them more complex to protect against because controls must implement more complex countermeasures.

How broad is our security scope and coverage? Attackers can breach an organization across many surfaces (e.g., Internet devices and applications, mobile devices, facilities, personnel, vendor supply chain). Leadership must consider how much security coverage they can apply to these assets. As we know from previous breaches, it’s often the forgotten accounts, devices, etc., that are the key links in the breach chain. More scope and coverage will logically cost more, but it is crucial to close the scope and coverage gap for a security program to be successful.

How quickly can we achieve protection targets? Security operations leverage expensive resources: people, technology, vendors, and even property. It’s usually the case that if you want something done faster, you need to apply more resources sooner to get that result. Not only are you spending money sooner, you often must also pay more to get access to those resources sooner.

Are our resources and operations optimized? We don’t have to be Six Sigma black belts to know that there is often a lot of irrelevance, ineffectiveness, and inefficiency in SecOps. Some even call it security theatre. There is usually considerable duplication of effort, missed opportunities to gain efficiencies of scale, and overbuilding some controls while underbuilding others. Most frustrating is the failure to leverage expensive people, technology, and vendor resources.

The CISO job isn’t to protect the entire business from all threats for any budget. The successful CISO must spell out what business executives can expect for any given budget. That way, business executives and the board end up choosing the risk appetite on clear cost-benefit terms. The board may see that they can only justify protection up to, say, organized crime, but leave breach coverage from nation-state actors to insurance, for everything other than critical business crown jewels. The CISO benefit is that it doesn’t matter how much security budget you have. By laying out clear protection strategies that quantify levels of protection against specific threats, you’ve put yourself, and your team in a position to succeed in a well-defined mission.


Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Cybersecurity’s ‘Moral Imperative.’”

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized …

Article source: https://www.darkreading.com/operations/quantifying-security-results-to-justify-costs-/a/d-id/1336186?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Coalfire CEO Wants Criminal Charges Against His Employees Dropped

Felony charges against two employees tasked with testing the physical security of the Dallas County, Iowa, courthouse have been lessened, but that’s not enough, CEO says.

The CEO of cybersecurity services firm Coalfire on Wednesday released a statement pledging to clear two employees of all charges stemming from their arrests by the Dallas County, Iowa, sheriff during a security test at the county courthouse last month. 

Coalfire will “continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing,” said Tom McAndrew. While charges against Coalfire employees Justin Wynn and Gary Demercurio have already been reduced from the initial felony charges to misdemeanor trespass, McAndrew said the reduction is insufficient.

Coalfire had been hired by the state of Iowa to test courthouse security. At issue is whether the state judicial system had the authority to authorize this sort of physical pen test for a building owned and operated by a county. Coalfire’s employees seem caught in the middle of this jurisdictional disagreement.

The Iowa Supreme Court Chief Justice has apologized for the pen test and announced changes will be made to the contracts for any future such tests, including prohibitions on entering courthouse property after business hours.




Article source: https://www.darkreading.com/attacks-breaches/coalfire-ceo-wants-criminal-charges-against-his-employees-dropped/d/d-id/1336232?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese Cyber Espionage Group Steals SMS Messages via Telco Networks

APT41’s new campaign is the latest to highlight a trend among Chinese threat groups of attacking upstream service providers as a way to reach their intended targets, FireEye says.

APT41, a Chinese hacking group known for its prolific state-sponsored espionage campaigns, has begun targeting telecommunications companies with new malware designed to monitor and save SMS traffic from phones belonging to individuals of interest to the government.

Researchers from FireEye Mandiant earlier this year spotted the malware — which they have dubbed MESSAGETAP — deployed on a Short Message Service Center (SMSC) server being used by a telecommunications firm to route SMS messages to intended recipients.

The malware is being used to extract SMS message content, mobile subscriber identity numbers, and the source and destination phone numbers of targeted individuals. APT41 is also using MESSAGETAP to collect call data records of high-ranking foreign individuals of interest to the Chinese government.

FireEye’s investigation of MESSAGETAP showed that APT41 has targeted at least four other telecommunications companies in similar fashion in 2019. According to the vendor, none of the entities targeted so far are based in China. But FireEye would not disclose just where the targets are located.

FireEye’s disclosure on MESSAGETAP is the second development this week involving individuals being targeted via malware placed on service provider networks. On Tuesday, Facebook filed a federal complaint accusing Israeli technology firm NSO Group of exploiting a flaw in WhatsApp to distribute a surveillance tool to mobile devices belonging to numerous human rights activists, journalists, lawyers, and others. NSO has denied the allegation.

APT41’s campaign is the latest evidence that China-based groups have increasingly begun focusing their attacks on organizations that are multiple layers above their targeted end-users or organizations. Strategic access to these upstream entities — like telcos, for instance — is giving Chinese intelligence services a way to obtain data at scale for a wide range of purposes, FireEye Mandiant said in a report Thursday.

“FireEye has noted a trend of Chinese espionage actors increasingly targeting telecommunications companies and other third parties in order to gain access to desired information or systems,” says Steven Stone, director of advanced practices at FireEye.

Other organizations that these groups have targeted include major travel agencies, healthcare providers, and other verticals where data from multiple sources converge into single or concentrated nodes. “This type of activity has two benefits: it is more efficient for attackers, and can make compromises more difficult to detect,” Stone says.

A Unique Threat Actor

APT41 has been operating since at least 2012 and is somewhat unique among China-based actors in that it engages both in cyberespionage and financially motivated attacks. FireEye has previously observed the group using its highly specialized cyber espionage tools in cybercrime campaigns where personal financial gain appeared to be the primary motive.

The group’s targets over the years have included numerous entities in the high-tech, healthcare, and telecommunications sectors as well as individuals working for news and media firms, education, and travel services.

APT41’s new campaign is a threat to both individuals and businesses of interest to the Chinese government, Stone says. “Businesses are not exempt from this threat as Chinese threat actors have a long history of stealing sensitive business data for reasons ranging from intellectual property theft to competitive intelligence that provide advantage to domestic Chinese firms,” he notes.

Stone says that FireEye has not been able to identify the initial infection vector that APT41 is using in the current campaign. But historically, the group has employed multiple tactics to gain a foothold on a targeted system or network including spear-phishing, Web-server intrusions, and supply-chain compromises.

The new campaign also demonstrates the technical prowess of groups like APT41. “The systems and information within telco environments are often very unique and the threat actors would need to develop a high level of familiarity with this environment to operate and execute this type of data theft,” Stone says.

An artifact showing this type of familiarity is an encoding key used in APT41’s MESSAGETAP malware, Stone says. The key is a URL linking to a legitimate document that describes the short message service for GSM and UMTS networks, as well as the requirements and protocols for SMS. “It is reasonable to believe this was one of the many specifications that APT41 actors referenced to perform this intrusion,” Stone says. 

Organizations that are in the crosshairs of threat groups such as APT41 need detection mechanisms throughout the environment. “Network segmentation is critical to prevent an attacker that has performed an initial breach on either the perimeter or on users’ systems from moving deeper into critical data systems within the network,” Stone says.


Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Is Voting by Mobile App a Better Security Option or Just ‘A Bad Idea’?”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/chinese-cyber-espionage-group-steals-sms-messages-via-telco-networks/d/d-id/1336235?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WhatsApp sues spyware maker for allegedly hacking phones worldwide

In May 2019, Facebook revealed its discovery of an “advanced cyber actor” that was spying on some users of its massively popular, end-to-end encrypted WhatsApp messaging app.

WhatsApp users were getting hacked due to what’s known as a zero-click vulnerability: one that allowed attackers to silently install spyware just by placing a video call to a target’s phone.

WhatsApp quickly fixed the vulnerability, and now it’s going after the maker of the cyberweapon it says is behind the attack – an attack that let somebody or somebodies call vulnerable devices to install spyware that could listen in on calls, read messages and switch on the camera.

On Tuesday, WhatsApp publicly attributed the attack to NSO Group, an Israeli company that sells off-the-shelf spyware and which also goes by the name of its parent company, Q Cyber Technologies.

Also on Tuesday, WhatsApp filed a complaint in the US District Court for the Northern District of California, accusing NSO of “unlawful access and use” of WhatsApp computers.

In a statement published by the Washington Post, Will Cathcart, head of the Facebook-owned WhatsApp, said that responsible companies report vulnerabilities, instead of exploiting them, and that companies have no business selling services to anybody who launches attacks.

At WhatsApp, we believe people have a fundamental right to privacy and that no one else should have access to your private conversations, not even us. Mobile phones provide us with great utility, but turned against us they can reveal our locations and our private messages, and record sensitive conversations we have with others.

Pegasus allegedly flies again

The lawsuit specifically refers to NSO Group’s notorious Pegasus – a type of spyware known as a remote access Trojan (RAT).

Pegasus enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.

According to the lawsuit, NSO couldn’t get its spyware past WhatsApp encryption. In order to hack the messaging app, NSO created a Pegasus version that didn’t require that targets be spearphished with a rigged link.

Rather, NSO allegedly formatted call initiation messages containing malicious code to make the calls look legitimate, as if the calls originated from its signaling servers. By concealing the code within call settings, NSO allegedly used WhatsApp’s own servers – relay and signaling – to route the company’s spyware.

WhatsApp managed to tie certain WhatsApp accounts used during the attacks back to NSO, as it describes in the complaint. The accounts were created to place the calls that injected the spyware, the lawsuit says.

WhatsApp had first been tipped off to the attack by suspicious calls, but because of its privacy and data-retention rules, it had no idea whose numbers they were. Citizen Lab, a cybersecurity research laboratory based at the University of Toronto, volunteered to find out: as the New Yorker reports, its experts worked to determine whether any of the numbers belonged to civil society members.

Citizen Lab told Reuters that the targets included well-known TV personalities, prominent women who had been subjected to online hate campaigns, and people who had faced “assassination attempts and threats of violence.”

From Citizen Lab’s post:

As part of our investigation into the incident, Citizen Lab has identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East, and North America that took place after Novalpina Capital acquired NSO Group and began an ongoing public relations campaign to promote the narrative that the new ownership would curb abuses.

Neither Citizen Lab nor WhatsApp has identified the targets by name.

Multiple lawsuits

NSO’s Pegasus and other spyware products have already been implicated in a series of human rights abuses. WhatsApp’s is just the latest to result from hacks allegedly tied to NSO’s products.

Pegasus has been unleashed against Mexican political activists and targeted at the human rights-focused NGO Amnesty International in a spearphishing attack.

NSO’s spyware also allegedly played a part in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago. In December 2018, Omar Abdulaziz – a Saudi Arabian dissident who was close to Khashoggi – joined with a group of seven activists and journalists who filed a lawsuit against NSO in Israel and Cyprus, charging that NSO helped the royal court take over the murdered journalist’s smartphone and intercept his communications and that all their phones had similarly been compromised.

Amnesty International is also suing NSO, calling a June 2018 spearphishing attack on an Amnesty staff member “the final straw.”

WhatsApp’s suit is looking for a permanent injunction to bar NSO from accessing or attempting to access WhatsApp and Facebook’s services. It also seeks unspecified damages.

NSO denies it all

NSO Group’s response to incidents of operators unlawfully using its software to persecute dissidents, activists and journalists has been consistent: it repeatedly points out that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists.

From the statement it put out in response to WhatsApp’s lawsuit:

In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rTg4uWB-Hmg/

Researchers find hole in EU-wide identity system

A flaw in a cross-border EU electronic identity system could have allowed anyone to impersonate someone else, a security consulting company has warned.

SEC Consult issued an advisory warning people of the flaw this week. It demonstrated the problem in the electronic identification, authentication and trust services (eIDAS) system by authenticating as the 18th-century German writer Johann Wolfgang von Goethe.

eIDAS came about because of a 2014 EU regulation that laid out the rules for electronic identification in Europe. The regulation, which came into effect in 2016, made it compulsory for EU countries to recognise each other’s notified electronic ID schemes from late September 2018. It covered a range of identification assets like electronic signatures and website authentication.

The problem is that there’s a flaw in the software used to manage this cross-border identification process, known as eIDAS-Node. Each country has to run a copy of this software to connect its own national identity management systems to others in the EU, creating a cross-border ID gateway. Using this gateway, citizens in the UK, say, could identify themselves to use electronic services in Germany, such as enrolling in a university or opening a bank account.

Like many federated identity systems, eIDAS uses the Security Assertion Markup Language (SAML). It’s an XML-based protocol from the nonprofit Organization for the Advancement of Structured Information Standards (OASIS). It lets users prove their identities across multiple service providers using a single login. Version 2, launched in 2005, includes support for features like encryption and the exchange of privacy information such as consent. It’s powerful but complex.

The flaw lay in the integration software that the EU provides for coupling eIDAS nodes together. Its SAML parsing allowed an attacker to avoid the signature verification process, meaning that they could tamper with a SAML message to impersonate anyone.

When an eIDAS node provides a service to someone in another country, it asks that country’s eIDAS node to send an authentication message. To keep out impostors it must check that the message is signed by a trusted node, which it does by verifying the SAML signature against a digital certificate.

To do this, it first checks its local collection of trusted certificates, known as a trust store. If it can’t find the certificate there, it looks for other (supplemental) certificates in the SAML message.

The problem is that when the software looks for those other certificates, it only checks to see if the distinguished name (DN) of the authority that issued the certificate matches the DN of the other eIDAS system. The software misses an important step by not checking to see if the issuer’s certificate actually signed the other eIDAS system’s certificate. SEC Consult also said:

Moreover, other checks, such as whether the basic constraints of the issuer certificate allow it to act as a certificate issuer are not verified.
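What the missing checks look like in code, as an added example (not the eIDAS-Node code and not SEC Consult’s proof of concept): a Go program using only the standard library that builds a small constructed PKI, reproduces the name-only issuer check the advisory describes, and puts a hardened check beside it that also verifies the signature and the issuer’s basicConstraints. The DNs, hostnames and the three scenarios are assumptions; fresh keys are generated on every run.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for subject: self-signed when parent is nil, otherwise
// signed with parentKey and carrying parent's Subject as its Issuer.
func issue(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // extension present; cA flag comes from isCA
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// VulnerableAccepts mirrors the flawed logic in the advisory: a supplemental certificate
// is trusted as soon as its Issuer DN equals the Subject DN of a trust-store entry.
func VulnerableAccepts(cand *x509.Certificate, trusted []*x509.Certificate) bool {
	for _, t := range trusted {
		if bytes.Equal(cand.RawIssuer, t.RawSubject) {
			return true
		}
	}
	return false
}

// HardenedAccepts adds the two missing steps: the matching trust-store entry must have
// signed the candidate, and its basicConstraints must allow it to act as an issuer.
func HardenedAccepts(cand *x509.Certificate, trusted []*x509.Certificate) (bool, string) {
	reason := "no trust-store entry with a matching issuer DN"
	for _, t := range trusted {
		if !bytes.Equal(cand.RawIssuer, t.RawSubject) {
			continue
		}
		if err := t.CheckSignature(cand.SignatureAlgorithm, cand.RawTBSCertificate, cand.Signature); err != nil {
			reason = "issuer DN matches but signature does not verify: " + err.Error()
			continue
		}
		if !t.BasicConstraintsValid || !t.IsCA {
			reason = "signature verifies but issuer is not a CA (basicConstraints cA false or absent)"
			continue
		}
		return true, ""
	}
	return false, reason
}

// Verdict records what each check decided about one supplemental certificate.
type Verdict struct {
	Scenario             string
	Vulnerable, Hardened bool
	Reason               string // empty when the hardened check accepted
}

// RunScenarios builds a constructed PKI and evaluates three supplemental certificates.
func RunScenarios() []Verdict {
	caName := pkix.Name{CommonName: "Member State eIDAS CA", Organization: []string{"Example"}}
	ca, caKey := issue(caName, true, nil, nil)
	nodeA, nodeAKey := issue(pkix.Name{CommonName: "eidas-node-a.example"}, false, ca, caKey)
	trusted := []*x509.Certificate{ca, nodeA} // the local trust store
	nodeB := pkix.Name{CommonName: "eidas-node-b.example"}
	genuine, _ := issue(nodeB, false, ca, caKey)          // 1. issued by the real CA
	fakeCA, fakeCAKey := issue(caName, true, nil, nil)    // 2. attacker CA copying the real CA's DN
	forged, _ := issue(nodeB, false, fakeCA, fakeCAKey)   //    issuer DN matches, signature does not
	leafIssued, _ := issue(nodeB, false, nodeA, nodeAKey) // 3. signed by a controlled node that is not a CA
	names := []string{"genuine, issued by real CA", "forged, issuer DN copied", "issued by compromised node A (non-CA)"}
	var out []Verdict
	for i, c := range []*x509.Certificate{genuine, forged, leafIssued} {
		ok, why := HardenedAccepts(c, trusted)
		out = append(out, Verdict{names[i], VulnerableAccepts(c, trusted), ok, why})
	}
	return out
}

func main() {
	for _, v := range RunScenarios() {
		fmt.Printf("%-40s vulnerable=%-5t hardened=%-5t %s\n", v.Scenario, v.Vulnerable, v.Hardened, v.Reason)
	}
}
```

The name-only check accepts all three certificates; the hardened one accepts only the first. Scenario 3 is why the basicConstraints check matters on its own: a signature that verifies against a trusted end-entity certificate still must not make the signed certificate trustworthy. In production code the whole chain would go through `x509.Certificate.Verify` with a proper `VerifyOptions` rather than a hand-rolled loop, but the loop makes visible which step the eIDAS-Node code skipped.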

Luckily, the EU fixed the problem after SEC Consult contacted the relevant authorities on 4 July this year. It updated the software and released it for general download on Wednesday 28 October.

Exploiting the vulnerability would have required an attacker to have control of the eIDAS node or impersonate one, and the researchers point out that another study of eIDAS security last year didn’t pick up the bug. That makes it highly possible that it was only recently introduced, they concluded.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pCEuDkvSosQ/

Judge lambasts porn company for spewing copyright lawsuits

For years, people have handed thousands of dollars to copyright trolls in order to avoid the embarrassment of getting dragged through court over charges of downloading pirated videos from BitTorrent sites.

The trolls have pounced on downloaders, filing copyright lawsuits over illegal downloads against “John Doe” defendants, whom they only know by IP address.

But last week, a court in the US state of New Jersey refused to play ball, instead coming down on the side of the privacy rights of the ISP account holders who are targeted.

A federal judge in New Jersey denied a prolific copyright-filing porn video company the expedited subpoena it wanted in order to reveal the identities of internet users whom it claims illegally downloaded pirated content over BitTorrent.

The company is Strike 3 Holdings – the company behind the adult entertainment videos produced by the Vixen, Tushy and Blacked studios. According to TorrentFreak, Strike 3 is the most active filer of piracy lawsuits in the US.

Judge Joel Schneider didn’t just deny Strike 3 its request to see the identities of people whose IP addresses it had connected to illegal downloads, he also became the latest in a string of judges to criticize the company’s strategy of filing a massive number of copyright lawsuits against anonymous downloaders.

In January 2019, TorrentFreak reported that Strike 3 had filed 2,092 cases over the previous 12 months.

This is how these copyright cases work:

  1. The company claiming to be a victim of piracy gets a list of allegedly infringing IP addresses from BitTorrent swarms – i.e., a group of computers downloading and uploading the same torrent.
  2. The copyright holder requests a subpoena from the court that will compel ISPs to hand over the customer data associated with the IP addresses.
  3. Once the copyright holder gets hold of the identities of people behind the ISP accounts, it starts chasing them down for cash settlements.

It works. They’ve been pulling in big bucks. Last year, in one of the first cases to signal how sick and tired judges are of seeing their courts flooded by these cases, Judge Royce C. Lamberth called Strike 3 a “cut-and-paste” serial litigant whose lawsuits “smack of extortion” – a company that turns tail at the first sign of a defense and which, he said, had been using his court “as an ATM”.

Both that decision, from November 2018, as well as last week’s decision from District Court Magistrate Judge Joel Schneider, outline a slew of problems with the way that copyright trolls have been unleashing swarms of lawyers to hound people who allegedly watch their content through BitTorrent.

First, because BitTorrent masks users’ identities, Strike 3 can only identify infringing IP addresses. From an IP address it can identify the ISP that allocated it and, using geolocation, the likely jurisdiction the IP address resides in.

That method is “famously flawed,” Lamberth wrote, given the flimsy links between an IP address, a person and a location. Multiple people might share the same IP address: family, neighbors, guests, roommates, for example, and an IP address can be reallocated at the whim of the ISP.

An IP address might also point to a virtual private network (VPN) or a Tor node, or to a home computer compromised by malware and being used without its owner’s knowledge.

Geolocation has its issues too – it’s far from pin-point accurate and, in extremis, it might randomly assign an address to a default location.

Case in point on that last item: the couple whose quiet rural farmhouse became associated with the geographic center of the US and who, because of an internet mapping glitch, have been accused of being identity thieves, spammers, and scammers, and who’ve found on their doorstep FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children, and who have been wrongfully punished by irate people who’ve published their names and addresses or left a broken toilet in their driveway.

In short, as Judge Schneider said last week in his detailed, 47-page decision, the only thing that Strike 3 actually knows is that an IP address is associated with downloading copyrighted work. That doesn’t mean that the ISP account holder has infringed anything.

But even if the infringement claim were based on sturdier evidence, Judge Schneider wrote, the requests for expedited discovery would still be denied, due to these additional issues:

  1. Strike 3 bases its complaints on unequivocal affirmative representations of alleged facts that it does not know to be true.
  2. Strike 3’s subpoenas are misleading and create too great of an opportunity for misidentification.
  3. The linchpin of Strike 3’s good cause argument, that expedited discovery is the only way to stop infringement of its works, is wrong.
  4. Strike 3 has other available means to stop infringement besides suing individual subscribers in thousands of John Doe complaints.
  5. The deterrent effect of Strike 3’s lawsuits is questionable.
  6. Substantial prejudice may inure to subscribers who are misidentified.
  7. Strike 3 underestimates the substantial interest subscribers have in the constitutionally protected privacy of their subscription information.

The “other available means” that Strike 3 isn’t bothering to use in order to stop infringement are Digital Millennium Copyright Act (DMCA) takedown notices.

From the decision:

One would think that Strike 3 would be eager to notify ISP’s that its subscribers are infringing their copyrights, so that an infringer’s internet service would be interrupted, suspended or terminated and infringement would stop. However, Strike 3 does not take this simple step but instead files thousands of lawsuits arguing that it has no other recourse to stop infringement.

But why would it? Copyright trolls find it easy, and highly lucrative, to simply shake down alleged infringers, particularly when courts go along with their requests for expedited subpoenas to get the subscribers’ identities.

In fact, in August 2018, we saw a lawyer plead guilty to creating a porn honeypot so he could cash in on the easy money you can make from copyright trollery. He and another lawyer made porn films, seeded them to BitTorrent websites, and then extorted those who downloaded them, threatening to file lawsuits unless they paid $3,000 to stay out of court.

From 2011 to 2014, the (now debarred) lawyers made more than $3m from lawsuits.

Judge Schneider concedes that the court’s decision might make it tough for Strike 3 to identify copyright infringers. Be that as it may, he said, people’s right to privacy trumps that difficulty:

To the extent this is the price to pay to assure compliance with the applicable law, so be it. A legal remedy does not exist for every wrong, and it is unfortunately the case that sometimes the law has not yet caught up with advanced technology. This is not the first time, nor will it be the last, where a party who believes it was wronged was denied discovery.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/taz38WMm0MY/

Linux maintainer: Patching side-channel flaws is killing performance

Mirror, mirror on the wall, which is the worst side-channel vulnerability of them all?

For a while it was Meltdown and Spectre, the two biggies that kicked off the era of microprocessor security worry in early 2018, followed some months later by another contender, PortSmash.

In May this year, news emerged of more weaknesses with fancy names – ZombieLoad (CVE-2018-12130), RIDL and Fallout – which between them cover four related CVEs: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091.

The thread loosely holding this list together is Intel’s Simultaneous Multithreading (SMT), marketed as Hyper-Threading. ZombieLoad, RIDL and Fallout form a new class of weaknesses known as Microarchitectural Data Sampling (MDS): they leak data left behind in small internal CPU buffers, and a sibling hyper-thread sharing the same core is the easiest place to read it from. PortSmash is not an MDS flaw, but it too depends on SMT, spying on a victim thread through contention for the core’s execution ports.

When Intel introduced its Hyper-Threading implementation of SMT nearly 20 years ago, it was promoted as a clever way of boosting processor throughput by running two threads on one core.

In the absence of patches, the simplest way to mitigate the numerous security issues stemming from hyper-threading was to turn it off via the BIOS, something researchers initially estimated would cause a performance drop of up to 30% for datacentre installations, depending on which flaw was being addressed.
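Rather than guessing from the BIOS menu, an administrator can ask the kernel directly: since the MDS fixes landed (Linux 5.1 and the stable backports that carried them), sysfs reports both the MDS status and whether SMT is on. The script below is an added example, not code from the article or from the kernel project: it reads those two files, reduces them to a verdict and a remediation, and runs against constructed sample values so it works on any machine. The sysfs paths and the status strings it matches are the real ones exposed by the Linux kernel; the sample values in `demo()` are constructed, and the remediation wording is this example’s own.

```shell
#!/bin/sh
# Added example (not from the article or the kernel): read the kernel's own
# verdict on MDS and SMT. The real files are
#   /sys/devices/system/cpu/vulnerabilities/mds   (Linux 5.1+ and backports)
#   /sys/devices/system/cpu/smt/control            (Linux 4.19+; writable)
# The status strings matched below are the kernel's formats from
# arch/x86/kernel/cpu/bugs.c. The values used in demo() are constructed.

# mds_verdict MDS_STRING SMT_CONTROL
# Prints one word: not-affected | unpatched | smt-vulnerable | mitigated | unknown
mds_verdict() {
    mds=$1
    smt=$2
    case $mds in
        "Not affected"*)
            echo not-affected ;;
        Vulnerable*)
            # "Vulnerable: Clear CPU buffers attempted, no microcode" means the
            # kernel patch is in but the VERW buffer flush is a no-op.
            echo unpatched ;;
        *"SMT vulnerable"*)
            # Microcode and buffer clearing are in place, but a sibling
            # hyper-thread can still sample this thread's buffers.
            echo smt-vulnerable ;;
        Mitigation*)
            echo mitigated ;;
        *)
            echo unknown ;;
    esac
}

# remediation VERDICT SMT_CONTROL -> one-line action for the admin
remediation() {
    case $1 in
        unpatched)
            echo "update microcode (intel-microcode / ucode package) and reboot" ;;
        smt-vulnerable)
            if [ "$2" = on ]; then
                # Runtime:    echo off > /sys/devices/system/cpu/smt/control
                # Persistent: mds=full,nosmt (or mitigations=auto,nosmt on
                #             5.2+ and backports) on the kernel command line.
                echo "disable SMT: echo off > /sys/devices/system/cpu/smt/control; persist with mds=full,nosmt"
            else
                echo "SMT already off; hypervisor may be hiding host SMT state"
            fi ;;
        *)
            echo "no action" ;;
    esac
}

# check_host: evaluate the real sysfs files when this kernel provides them.
check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    s=/sys/devices/system/cpu/smt/control
    [ -r "$f" ] || { echo "no $f: kernel too old to report MDS"; return 0; }
    mds=$(cat "$f")
    smt=$( [ -r "$s" ] && cat "$s" || echo notsupported )
    v=$(mds_verdict "$mds" "$smt")
    echo "mds='$mds' smt=$smt -> $v: $(remediation "$v" "$smt")"
}

# demo: constructed sysfs values, so the logic runs on any machine.
demo() {
    for pair in \
        "Mitigation: Clear CPU buffers; SMT vulnerable|on" \
        "Mitigation: Clear CPU buffers; SMT disabled|off" \
        "Vulnerable: Clear CPU buffers attempted, no microcode|on" \
        "Not affected|notsupported"
    do
        mds=${pair%|*}
        smt=${pair#*|}
        v=$(mds_verdict "$mds" "$smt")
        echo "$mds -> $v: $(remediation "$v" "$smt")"
    done
}

demo
check_host
```

The ordering of the `case` arms matters: a "Vulnerable: ... no microcode; SMT vulnerable" line must be reported as unpatched, not merely SMT-exposed, because turning SMT off does nothing for a CPU whose microcode cannot flush the buffers. Note also that disabling SMT at runtime via `smt/control` is not preserved across reboots; the kernel command-line options are the persistent form.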

Lock it up

During 2018, the maintainers of security-first operating system OpenBSD started recommending turning SMT off if it was being used in certain types of installation – just patching it on a piecemeal basis wasn’t enough.

An easy-to-miss mainstream follow-up to that was Google’s 2019 decision to disable Hyper-Threading by default in Chrome OS 74 on its Chromebooks as an MDS mitigation, a move it followed up with additional mitigations in later versions.

By now, the SMT fire was burning on several fronts, not least in comments made by Greg Kroah-Hartman, maintainer of the stable branch of Linux. In May, he summed up a year of doubt about SMT:

As I said before just over a year ago, Intel once again owes a bunch of people a lot of drinks for fixing their hardware bugs, in our software…

Only days ago, Kroah-Hartman came back with another salvo in comments to The Register:

A year ago, they [OpenBSD] said disable hyper-threading, there’s going to be lots of problems here. They chose security over performance at an earlier stage than anyone else. Disable hyper-threading. That’s the only way you can solve some of these issues. We are slowing down your workloads. Sorry.

And the performance cost cannot be finessed away either:

I see a slowdown of about 20 per cent. That’s real. As kernel developers we fight for a 1 per cent, 2 per cent speed increase. Put these security things in, and we go back like a year in performance. It’s sad.

A hit that big could cause major problems for datacentres, to the point where some might consider leaving hyper-threading turned on and accepting the risk.

Encouraging that response is the fact that no attacks exploiting issues such as ZombieLoad have been reported in the wild.

That might be because attackers have yet to work out how to exploit them usefully, or because side-channel attacks are difficult, or even impossible, to detect: they read leftover data out of CPU buffers rather than exploiting a software bug, so they leave nothing in the usual logs, and an attacker who already has code running on the same core as the victim has little else to hide.

But when someone like Kroah-Hartman starts talking about performance as a necessary sacrifice – possibly for many years to come – perhaps we should listen.

What’s become apparent is that patching side-channel issues is the microprocessor problem with no simple answer.

Customers will carry on patching the issues as they pop up, caught in a sort of dented version of Moore’s Law in which microprocessor performance continues to climb for some customers but is clawed back for others.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4OlRsV8RD_Y/

Belgian city slurps mobile data to track visitors – report

The Belgian city of Kortrijk in West Flanders is reportedly using data provided by a mobile phone company to count the number of people present in the town and where they come from.

Even more worryingly, local public-service broadcaster VRT has reported that city officials will try to cross-reference this data with credit and debit card databases.

Kortrijk is a popular tourist destination: in July and August, 799,336 people visited the town, almost 20,000 a day once students, employees and residents are excluded.

According to VRT, the city is paying telco Proximus €40,000 a year for data on how many phones are in each part of the city, presumably using cell location data. Proximus then apparently extrapolates data for the rest of the area while taking into account subscribers to other networks and those without mobile phones. We’ve asked both Proximus and local city officials for comment.

But the Belgian data protection regulator has told The Register that, contrary to reports, it had not approved the scheme and was examining whether or not it breaks Belgian data protection law.

In an email, a spokesperson said:

We did not approve the tracking of mobile phones in Kortrijk. The Privacy Commission (the predecessor of the Belgian Data Protection Authority) had reacted positively to a similar project in 2016; that was three years ago and was not about this precise case. We have heard concerns from citizens about this project, therefore we will look into it. We cannot comment further at the time because we do not have all the details about the project and the processing.

The data will be collected once every three months and analysed to improve marketing campaigns for tourism and commerce.

Data provided to the city apparently includes the nationality of the subscriber or the province or even municipality within Belgium they come from.

The intention is that city hall will then cross-reference this with data from Visa and debit card companies to see how much people are spending. VRT said the first results show sales days bring in more visitors – 49,000 for Whit Sunday. Of these, 79 per cent of local visitors were from West Flanders, 4.82 per cent came from Hainaut, and 1.53 per cent from Antwerp. Of foreign visitors, half were French and 14 per cent Dutch.

It also emerged yesterday that the statistics authority in Spain (Instituto Nacional de Estadística, INE) is planning to track every mobile handset in the country that uses the three largest network providers – Movistar, Vodafone and Orange – over a period of four days in November.

Between 18 and 21 November, mobile subscribers will be counted and their location logged. A further four days of data slurping are already planned for Christmas and next summer.

Spanish citizens have been assured the data will be anonymous and aggregated.

To ensure anonymity, the INE has divided the country into cells with a minimum of 5,000 inhabitants. So Madrid is made up of 128 cells while in rural areas the individual cells will stretch for miles.

Location checks will be made between midnight and 6am to establish a place of residence, and again between 9am and 6pm when subscribers are assumed to be at work. To account for shift workers, locations will also be checked at six specific points during the day – 6am, 10am, 2pm, 6pm, 10pm and 2am.

The aim is to provide information on numbers of people commuting from dormitory towns into municipal centres and those staying near home for work.

Researchers also hope to gain a better understanding of so-called “empty Spain” – the swathes of rural countryside suffering severe depopulation. The institute will run similar checks for two days in the summer and on Christmas Day to check holiday movements.

The INE is confident that no data laws will be breached by the mass surveillance because the data is genuinely anonymised. It also notes that similar questions are asked in the Spanish census.

An INE mouthpiece told The Register (courtesy of Google Translate):

The INE is conducting a study based on data from mobile phones to incorporate them into the mobility information it offers traditionally in the Population and Housing Census.

The methodology of the study divides the national territory into about 3,200 cells, each of them with at least 5,000 residents. For each cell, the INE will receive information from all three of Spain’s main mobile phone operators on how many terminals are found in that cell at various times of the day.

This information will be limited to a terminal count that will be provided to the INE [in the] form of aggregate tables of results. Operators will not provide individual data on telephone numbers, or on the holders of the lines, so that under no circumstances will the INE be able to track the position from any terminal.

The INE wants to emphasise that this is a statistic subject, like all that it produces, to the Law on the Public Statistical Function, which guarantees statistical secrecy, and that it complies with all the requirements of the Data Protection Law.

An El Pais report is here, in Spanish. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/31/belgian_town_track_every_mobile_user/

‘Don’t be so concerned with your image’… US prosecutor lets rip on Uber for hack cover-up as pair plead guilty

Two men have confessed they siphoned confidential information from databases hosted in the Amazon cloud, and then demanded payment to delete their copies of the data.

Brandon Charles Glover, 26, of Winter Springs, Florida, America, and Vasile Mereacre, 23, of Toronto, Canada, each pleaded guilty to one charge of conspiracy to commit extortion involving computers at a San Jose court house in California on Wednesday. In agreeing to admit their crimes, and forgo a lengthy trial, the duo are set to face up to five years in the clink and a fine of $250,000 apiece. They will be sentenced in March.

The two hatched their scam in late 2016: they obtained the private access keys to an Uber backend database hosted on Amazon Web Services, and gave the credentials to a “technically proficient hacker,” who used them to rifle through the repository and seek out interesting archives.

Some 57 million customer and driver personal records were subsequently downloaded by Glover and Mereacre.

Glover and Mereacre then contacted Uber via a Protonmail address, and demanded money to destroy the data from their local storage, enclosing a small sample in the email to prove they had the goods.

Rather than call the police, Uber executives met the pair, and agreed to pay them $50,000 each to wipe the purloined files. The bosses made the duo sign non-disclosure agreements to keep the whole thing hush-hush. Uber also hid the database intrusion from America’s trade watchdog FTC, which was investigating another hacking attack against the taxi app maker.

Emboldened, the two then tried to pull the same stunt with Lynda.com, now owned by LinkedIn. “[P]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well,” the pair told Lynda’s staff in an extortion note. Lynda told them where to stuff it, and called in the cops.

“We appreciate the ongoing work by the US Attorney’s office to pursue and bring to justice those responsible for the 2016 breach of Lynda user information,” the online education outfit told The Register today. “We’re glad to see the resolution of this investigation.”

Prosecutors were not impressed at Uber’s attempt to cover up the cyber-break-in, and slammed the San-Francisco-based tech upstart.

“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” said David Anderson, United States Attorney for Northern California, in an email to The Reg. “What gets stolen in a computer extortion belongs to your neighbors, not to yourselves. Don’t be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.”

Uber’s decision to hush things up and pay off the duo ultimately cost it a small chunk of change. It ended up paying US states a $148m settlement, and the decision also cost at least two of its security team their jobs, including Joe Sullivan, Facebook’s former Chief Security Officer during the Cambridge Analytica scandal and now CSO at Cloudflare.

“We’re dealing with the most sophisticated cyber actors in the world,” FBI Special Agent in Charge John Bennett chimed in, bafflingly, via email.

“In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/30/hackers_guilty_extortion/