STE WILLIAMS

Uncle Sam opens arms to friendly hackers

All you bug hunters out there are about to get a nice Christmas gift – the US federal government finally wants to hear from you. Unhelpful websites and cybersecurity departments will soon be a thing of the past, thanks to a new missive from the Cybersecurity and Infrastructure Security Agency (CISA).

The Agency, which is part of the Department of Homeland Security, issued a surprising tweet on 27 November announcing that it would force federal agencies to be welcoming and responsive to cybersecurity bug reports from the general public:

Binding Operational Directive 20-01 would finally give ‘helpful hackers’ a sense of legitimacy when reporting bugs to federal government agencies in the US, solving some problems that CISA admits to pretty freely in the document. It says:

Choosing to disclose a vulnerability can be an exercise in frustration for the reporter when an agency has not defined a vulnerability disclosure policy – the effect being that those who would help ensure the public’s safety are turned away.

The directive acknowledges that researchers often don’t know how to report a bug when agencies don’t include an authorized disclosure channel in the form of a webpage or email address. They shouldn’t have to search out security employees’ personal contact information, it points out.

Communication after a bug report is just as important, CISA says. An inadequate response to a bug report, or no response at all, may prompt a researcher to report the bug elsewhere, outside the agency’s control.

Perhaps the most egregious mistake that agencies make is threatening legal action. The directive admits that the federal government has a reputation for being heavy-handed and defensive in response to bug reports. Threatening language warning against unauthorized use can also choke off a useful stream of bug reports, it says.

The report draws a distinction between a vulnerability reporting program and a paid bug bounty initiative. While often useful, the latter isn’t mandatory, it says.

What is now mandatory is a system to receive unsolicited reports about security bugs. That means updating the .gov domain registrar with a security contact field for each registered domain. Agencies must use trained staff to monitor those email addresses.

Agencies must make updates within 15 days of the directive’s enforcement. Then, 180 days after it comes into play, they must publish an official vulnerability disclosure policy on their website defining which systems are in scope, the types of testing allowed, and a description of how to submit vulnerability reports.

The policy must also tell researchers when they can expect a response, and commit to letting them know what’s happening as the agency fixes the bug.

Finally, it must promise not to sue security researchers for reporting security flaws.

The document forces agencies to include all newly launched internet-accessible systems in the future, and all existing internet-accessible systems must be included within two years.

Agencies can’t just hold onto bugs indefinitely under the terms of the directive, because their policies must allow researchers to report bugs elsewhere after a reasonable time period.

CISA also protects bug reports against use by spooks. It explicitly forbids agencies from funneling them through to the Vulnerabilities Equities Process (VEP). This is a government initiative that decides whether to disclose security bugs for the greater public good, or to keep them secret as potential weapons against others.

While broadly welcomed, CISA’s directive proposal met a measured response from Katie Moussouris, CEO of security company Luta Security, who said that the timelines were too long:

Her Twitter thread warns agencies against just turning to a third-party bug bounty program as they scramble to meet the directive’s requirements. Still, as she mentions, some federal organizations have used them in the past. The Pentagon famously used HackerOne’s bug bounty services to find bugs in its systems.

Although the government may move at a glacial pace to implement this new initiative, it’s better than some policies in the private sector, as we saw when researchers had problems reporting bugs to open source projects like Bitcoin Cash.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1jIWQRoKIEI/

Fake Android apps uploaded to Play store by notorious Sandworm hackers

The Russian ‘Sandworm’ hacking group (not to be confused with the malware of the same name) has been caught repeatedly uploading fake and modified Android apps to Google’s Play store.

They were detected by Google’s Threat Analysis Group (TAG), which made the attacks public during a presentation at the recent CyberwarCon conference.

In a blog on the topic this week, Google says the first attack connected to the group happened in South Korea in December 2017 when the group used bogus developer accounts to upload eight different apps to the Play Store.

On the face of it, the campaign was unsuccessful, garnering fewer than 10 installs per app, but it’s likely that the targets were highly selective.

That came after an attack in September 2017, when TAG detected that Sandworm hackers had uploaded a fake version of the UKR.net email app, downloaded by 1,000 users before it was stopped.

In late 2018, the group switched to inserting backdoors into the apps of legitimate developers in one of its favourite locations, Ukraine.

However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected, and we were able to re-secure the developer’s account.

There’s nothing unusual about this – hackers compromising developer keys to pass their own malware off as legitimate apps has been happening for years.

The significance of the Sandworm (aka Iridium) attacks is that the group is alleged to be connected to the Russian Government – one of a list of hacking entities that also includes Fancy Bear (APT28), Dragonfly, Energetic Bear, Grizzly Steppe, and many others. Sandworm is allegedly behind the NotPetya worm and the cyberattack on the 2018 Winter Olympics.

There are now so many of these that it’s hard to keep up. And it is not helped by the habit of the security industry of giving them different, proprietary names.

Google also reveals that it has detected alleged Russian disinformation campaigns in African countries such as Central African Republic, Sudan, Madagascar, and South Africa.

We terminated the associated Google accounts and 15 YouTube channels, and we continue to monitor this space.

Similar campaigns were uncovered in the Indonesian provinces Papua and West Papua “with messaging in opposition to the Free Papua Movement.”

Sandworm itself has been around since at least 2014, which makes it middle-aged by the standards of Russian hacking groups.

However, it would be a mistake to see this phenomenon as a uniquely Russian affair. Russian groups are highly active, as are ones connected to countries such as China and Iran, but the popularity of nation state-backed hacking and disinformation is spreading across the globe.

This might one day become ubiquitous. If that happens, it will not only be another bad day for the internet but could eventually rebound on its perpetrators too.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4Dunl7ID7xQ/

The blame game: When hackers steal your data, is it a corporate failure – or the attackers’ fault?

Sponsored

Organisations are attacked every day: cybercriminals gain a foothold within the corporate network, and data is stolen and operations disrupted. The target of an attack could be your employer, a customer, a social media platform, or an intermediary responsible for secure access control, or financial record holding.

So, who is the victim and can blame be solely attributed to the attackers?

The organisation is always the victim, but the repercussions almost always spread to users and customers.

Whether motivated by financial gain, hacktivism, whistle-blowing, or some other reason, any kind of cyber attack is illegal and should therefore be prosecuted if attribution is possible. There’s no doubt, however, that when an organisation is targeted and successfully hacked, it must bear some responsibility for data loss if security controls were incorrectly implemented or reasonable protections were not in place. But how far does this responsibility go? Who we define as the victim or the responsible party often isn’t associated with how securely an organisation operates, but with how it responds to the attack.

Effectively, it becomes a challenge for the marketing department. Who we blame as the customer depends on how we consume this media and our own personal bias. This shouldn’t be the case. In many instances of corporate breach, there is a clear defining line over where responsibility lies. For example, the organisation may have been irresponsible in its data handling, management of systems and maintenance, and should therefore absorb some of the blame. However, in cases where a flagrant lack of security controls is discovered, a large proportion of the blame can be placed on the organisation.

There have been many instances recently where a breach has occurred and the business’ response has been the generic, ‘your security is our priority’, ‘we take security very seriously’ or ‘this was a targeted attack by professional hackers’.

However, it frequently turns out that the actual hack was against an unpatched webserver (Equifax), Java from a third party (BA), un-secured FTP (TJ Maxx) and countless other known vulnerabilities and configuration errors that could have been mitigated. Often, we learn the data stolen wasn’t encrypted or hashed, or was stored with other data that made it useful or tradeable. In the end, adequate protection comes down to money, time and expertise which in turn translates to having the right people, processes and technology in place. The majority of hacks and data theft in the last 10 years come down to one of these critical failings.

I’ve heard arguments recently that the victims (corporate or otherwise) can never be blamed for the actions of an attacker. A data breach has been compared to a simple street mugging: “You can’t blame the victim for being robbed even if they are walking late at night, on the phone or wearing expensive exposed jewellery; it isn’t their fault”. This isn’t really a comparable example, since, if the victim was doing all of the above and had the personal data of 10,000 people on their person and was then mugged, it would be fair to attribute some of the blame to the victim for their failure in protecting an asset for which they were responsible at the time. At the end of the day, it’s all about taking sensible precautions.

In instances of corporate failure to assess, control and report security failures, blame must be applied accordingly. If you leave the house and lock all the doors, but leave the windows wide open, you can realistically expect something to be missing when you return. When the contents of your house include the personal and private data of your employees, customers and the general public, they expect you to act with their best interest in mind, not the shareholders’. Some companies that have been the victim of an attack have offered a free credit monitoring service to affected customers, but in reality this is of limited use and could be seen as closing the stable door after the barn has burnt down.

In this internet connected world where data is fuel, powering everything from financial platforms to politics, it’s the corporate powers who are trusted with our information. That trust should be earnt and held in high regard.

SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – the Internet Storm Center.

To find out more about SANS training head to their website.

Sponsored by SANS Institute.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/02/the_blame_game_corporate_failure_or_attacker/

Challenge yourself and level up your IT security skills at this SANS London training event

Promo

As more and more organisations move to new technologies, data thieves constantly try to find ingenious new ways of penetrating even the most well-protected systems.

If you’re an IT security professional keen to stay ahead of this ever-changing game, the place to fill any gaps in your security knowledge is SANS Institute’s training event in London from 16-21 March 2020.

A range of intensive, hands-on courses and labs covering everything from security basics to ethical hacking, aim to prepare attendees thoroughly for real life scenarios.

Students are assured they will be able to put their new skills into practice as soon as they return to work. See this promise in action at SANS London March!

Ten courses are already on the agenda so far, including the brand new FOR498: Battlefield Forensics Data Acquisition. You can also challenge yourself before the enemy does with the SANS DFIR NetWars Tournament, an incident simulator packed with a vast amount of forensic and incident response challenges, for individual or team-based “firefights”.

Other courses available include:

Battlefield forensics and data acquisition

Millions can be lost if data evidence is not properly collected and interpreted. Hands-on labs provide practice in retrieving data from hard drives, memory sticks, cellular phones and network storage.

Hacker tools, techniques, exploits, and incident handling

Turn the tables on data thieves by learning their tactics and latest attack vectors.

Network penetration testing and ethical hacking

Learn to conduct a full-scale, high-value penetration test. Lab workshops cover planning, scanning, target exploitation, password attacks and web app manipulation.

Advanced incident response, threat hunting and digital forensics

When security and monitoring tools are not enough, the key is to catch intrusions in progress. How to detect breaches, assess damage, contain incidents and amass threat intelligence.

Advanced network forensics: threat hunting, analysis, and incident response

Forensic investigations frequently require data evidence. The course focuses on network communications with numerous use cases.

Reverse-engineering malware: malware analysis tools and techniques

Help for forensic investigators and incident responders who need to examine malicious programs that target Windows systems.

Defending web applications security essentials

Defend your organisation’s assets by learning to understand and test web application vulnerabilities.

Find full details of all courses and the complete agenda for the event here.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/02/sans_london_training_event/

Netflix account freeze – don’t click, it’s a scam!

Another Netflix phishing scam!

We’ve written about these scams before, and we’ll probably write about them again…

…for the sadly simple reason that THEY WORK.

They work because scammers know that the less inventive they are, the more believable their messages become.

It’s also a lot less effort to copy genuine content and adapt it just a little than to try to create your own material from scratch.

That’s what Naked Security Editor-in-Chief, Anna Brading, thought when she received this scam yesterday:

This is a notice to remind you that you have an invoice due on, 27/11/2019. We tried to bill you automatically but you local bank being held a transaction.

Sadly for the crooks, and fortunately for anyone who received this scam, the tiny bit of text that the criminals decided to write by themselves contains several rather jarring errors.

For the most part, however, this email is disarmingly simple, and therefore surprisingly believable, for all that it’s given away by typos, grammatical mistakes and orthographic errors.

It’s not overly dramatic, it’s not threatening, and it’s polite.

It’s the sort of thing that might easily happen from time to time – a recurring credit card transaction that’s temporarily failed – and that in real life is usually pretty easy to sort out.

Indeed, it’s the sort of glitch you’ve probably dealt with once or twice before, and that you may well have resolved entirely online without even leaving your browser.

Of course, even if you missed the spelling mistakes (a genuine retailer or cloud service is unlikely to mis-spell the word invoce, which should be invoice), the link would be a giveaway – this one uses a URL shortening service, but with an HTTP (insecure) URL instead of HTTPS.

Nevertheless, if you clicked without taking a moment to check it, you would end up redirected to a surprisingly believable page that is hosted on a website with a valid HTTPS certificate:

Sure, you’re not on a netflix.com web page, which is an obvious indicator that this is a scam, but the crooks have disguised the actual server they’re on by using a domain name that starts with a 32-character hexadecimal string.

The long, random starting text in the URL shoves the final part of the domain name off to the right far enough that your browser probably won’t have enough space to show it.

The domain used in this attack was only registered on 2019-11-17, and the web certificate was created yesterday, so the site was probably set up specially for this scam, perhaps along with a bunch of others.

Remember that once you have acquired a domain name such as example.com, you’ve also acquired the right to create as many subdomains beneath it as you like.
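The two giveaways described above (an insecure http:// shortener link in the email, and a landing page whose hostname starts with a 32-character hexadecimal label so that the real registrable domain is pushed out of view) can be checked mechanically. The following is an added example, not code from the original article or from Naked Security; the URLs it inspects are constructed stand-ins, and its registrable-domain extraction is a deliberate simplification (last two labels) that a production tool should replace with a Public Suffix List lookup, for instance via the `tldextract` package.

```python
import re
from urllib.parse import urlsplit

# A bare 32-character hex string, as used for the leading DNS label in the scam.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Hostnames longer than this are likely to be truncated in a browser address bar.
LONG_HOST_THRESHOLD = 40


def registrable_domain(host):
    """Return the part of the hostname its owner actually registered.

    Simplification (assumption): the last two labels. Real code should consult
    the Public Suffix List so that hosts under e.g. co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url, expected_domain):
    """Flag the phishing indicators discussed in the article for one URL.

    expected_domain is the domain the email claims to come from (e.g. netflix.com).
    Returns a dict with the hostname, its registrable domain and a list of findings;
    an empty findings list means none of the checks fired.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # 1. The email link used plain HTTP rather than HTTPS.
    if parts.scheme == "http":
        findings.append("insecure http scheme")

    labels = host.split(".")
    # 2. Leading label is a 32-char hex string: the real domain is shoved off to the right.
    if len(labels) > 2 and HEX32.match(labels[0]):
        findings.append("leading 32-char hex label hides real domain")

    # 3. Long hostnames are what makes the trick work in a cramped address bar.
    if len(host) > LONG_HOST_THRESHOLD:
        findings.append("very long hostname")

    # 4. Whatever the subdomains say, the registered domain is what matters.
    reg = registrable_domain(host)
    if reg != expected_domain.lower():
        findings.append(f"registrable domain is {reg}, not {expected_domain}")

    return {"host": host, "registrable_domain": reg, "findings": findings}


def scan_links(urls, expected_domain):
    """Return only the URLs that raised at least one finding, with their findings."""
    flagged = {}
    for url in urls:
        result = inspect_link(url, expected_domain)
        if result["findings"]:
            flagged[url] = result["findings"]
    return flagged


# Constructed sample links (not the real scam URLs, which the article does not quote):
SAMPLE_LINKS = [
    "http://short.example/abc",  # shortener-style link over plain HTTP
    "https://0123456789abcdef0123456789abcdef.billing-example.net/login",  # hex-prefixed host
    "https://www.netflix.com/login",  # the genuine login page
]

if __name__ == "__main__":
    for url, findings in scan_links(SAMPLE_LINKS, "netflix.com").items():
        print(url)
        for f in findings:
            print("  -", f)
```

Run against the sample list, only the first two links are reported; the genuine netflix.com page raises nothing. The registrable-domain check is the one that matters most: subdomains are free for the domain owner to create, so the labels to the left of the registered name carry no trust at all.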

Of course, if you are in a hurry, and don’t take a few moments to look for the obvious clues, you might easily end up entering your password – by which time it’s already too late, because the form submission button uploads it to the crooks, not to Netflix.

If you still don’t spot the deception (we’re hoping you wouldn’t have got this far!), then the phishing continues, taking you via this page…

…to one that asks directly for your card details:

Ironically, these crooks would probably have been better off skipping the intermediate page that starts, “Dear friend,” because it’s awash with telltale signs of bogosity.

Errors you should spot for yourself include spelling mistakes, poor grammar, and a mixup with languages (there’s a link in the middle of an otherwise all-English page that mysteriously offers to sell you a gift card in French).

What you need to know

Here’s what you need to know about this particular scam:

  • If you deleted the original email without clicking anything, you did the right thing. The crooks have tried and failed, so you win.
  • If you clicked through to the fake login page but bailed out without entering anything, you’re also safe.
  • If you went as far as trying to log in on the bogus site, the crooks know your password. Get yourself to the genuine Netflix login page as soon as you can and change your password.
  • If you gave away your credit card details, the crooks know those too. Call your bank as soon as you can to cancel your card. (Look on the back of your actual card for the number to call, for safety’s sake!)
  • If you think your card was compromised, keep a close eye on your statements. You should keep your eye on your financial records anyway, but you might as well step up your scrutiny after a security scare of this sort.

What to do?

Given that today is Black Friday, which is by all accounts the biggest, boldest and baddest retail day of the year in North America, here are three general tips that we urge you to adopt if you haven’t already:

  • Never log in via web pages that show up in an email. If you always find your own way to login pages, for example via a bookmark or your password manager, then you never have to worry whether a login link is phishy or not, because you won’t be clicking it anyway!
  • Use a password manager. Your password manager won’t put your Netflix password – or, indeed, any password – into a bogus site for the simple reason that it won’t recognise the site and won’t have a password to submit in the first place.
  • Measure twice, cut once. The scam above has plenty of giveaways, including obviously fake URLs; the use of HTTP instead of HTTPS in the email; and spelling errors. Getting scammed is bad enough without the pain of realising afterwards that all the signs were there for you to spot easily, but you were in too much of a hurry to stop and check.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/64ze2qxoiPc/

Master Go player retires citing AI supremacy

AI just won another battle in the war for supremacy against humans. Master Go player Lee Se-dol has handed in his stones after deciding that there’s just no way to beat a machine when playing the ancient Chinese board game. The ninth dan South Korean player reportedly submitted his retirement letter to the Korea Baduk Association (KBA), which governs the professional Go community there.

Se-dol, 36, who began his career at 12, told the Korean Yonhap News Agency about his retirement in an interview on Monday 25 November, explaining:

With the debut of AI in Go games, I’ve realized that I’m not at the top even if I become the number one through frantic efforts. Even if I become the number one, there is an entity that cannot be defeated.

He’s referring to AI, and in particular to AlphaGo, the computerised Go player from Google’s AI subsidiary DeepMind. The two squared off in a five-game match in 2016, where AlphaGo beat him four times after he had predicted his own “landslide” win.

Se-dol attributed his one winning game to a bug in the AlphaGo system. He made an unexpected move that seemed to confuse the computer, causing it to resign. “It’s due to a bug,” he told the agency, adding that the move wasn’t one that an opponent could counter in a straightforward way.

After it won the match against Se-dol, the KBA awarded AlphaGo an honorary 9th dan ranking.

Programming an AI algorithm to play Go is no mean feat. The 2,500-year-old game is more complex than chess, featuring a 19 x 19 grid as a board with a broader array of alternative moves than chess on average. AlphaGo’s programmers used neural networks to teach the computer about millions of past Go matches, and also enabled it to play against itself.

A year after beating Se-dol, AlphaGo beat the world champion Ke Jie and promptly retired (that decision was not its own).

Se-dol is the only person to have beaten AlphaGo, which makes his retirement even more poignant. However, the Korean news agency explained that he had an existing disagreement with the KBA over fees, and has sued the Association, having left it in 2016.

This isn’t the first time that AI creations have competed with humans in gaming tournaments. IBM’s Deep Blue won in a series of chess games against world champion Garry Kasparov in 1997. Some 14 years later, the company’s Watson machine defeated two reigning champions over three episodes of the general knowledge game show Jeopardy, winning 69% more prize money than the humans combined.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bWAqrK3UmqQ/

Pressure mounts for federal privacy law with second bill

Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data. The Consumer Online Privacy Rights Act from Washington Senator Maria Cantwell not only outlines strict privacy and security rules, but also establishes a dedicated FTC office to enforce them. Cantwell also pointed out in her Bill announcement that it defines privacy as a right in federal law.

The proposed law would prevent companies from mishandling data to cause individuals harm. They’d also have to hand over a copy of the data to the individual owning it at their request and name any third party that they’d given it to. They’d also have to delete it when asked.

Companies would need to publish clear privacy policies, and they’d need to get a person’s consent before weakening their privacy measures. The consent measures are pretty close to those under the California Consumer Privacy Act (CCPA) that comes into effect on 1 January 2020, in that they require companies to get permission to process someone’s data and allow individuals to opt out of having their data transferred to others.

The legislation defines data broadly, including the usual suspects like email, financial account numbers, government-issued identifiers like social security numbers, and information about race, religion, union membership, and sexuality. It also covers things like biometric data, geolocation information, communications content or metadata, data about online activities over time and across third-party websites or online services, and even calendar appointments. The law singles out intimate photos and videos of people, too, in a clear attempt to prevent online creeps.

All the above falls under the term ‘sensitive covered data’, while ‘covered data’ seems to cast a wider net, encompassing “information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data”. That’s a broad definition, and like the CCPA’s seems to take in things like IP addresses.

Companies needn’t deliberately violate privacy rules to incur a penalty. The Bill also forces them to put security measures in place to avoid an accidental breach, including vulnerability assessments and training.

One thing in this law that isn’t in the CCPA or GDPR is the establishment of a separate Bureau to focus on information privacy issues. In California, that’s up to the state’s Attorney General, while European countries have their own data protection registrars like the UK Information Commissioner’s Office (ICO). This Bureau would be in the FTC and would pick up oversight traditionally conducted by other consumer protection bureaus.

The text of the bill doesn’t specify the FTC’s penalties but it does allow for an award of up to $1,000 per violation per day in individual civil suits, which could run into billions of dollars.

This isn’t the only federal law on the hustings. In October, Oregon Senator Ron Wyden announced the Mind Your Own Business Act (formerly the Consumer Data Protection Act), which would impose fines and jail sentences of up to 20 years on senior executives that flouted strict privacy rules.

The bill has broad if partisan support from senators Ed Markey (D-Mass.), Amy Klobuchar (D-Minn.) and Brian Schatz (D-Hawaii). However, as James Mariani, associate in the data privacy group at Frankfurt Kurnit Klein Selz PC points out, there’s a world of difference between getting a law through in a state like California compared to getting it through Capitol Hill.

Millionaire Alastair Mactaggart forced through the CCPA after preparing an even stricter ballot initiative that could have put big tech firms on the ropes. Ballot initiatives aren’t a thing on the Hill, let alone most US states, which is one reason why, for example, a state privacy law died in the lower House in Washington.

James Mariani said of passing a Bill that is “as encompassing and as prescriptive as California’s”:

We are so bipartisan that getting anything passed is going to be difficult without cutting it up and making all sorts of concessions.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ByE-W6V8KfQ/

Adobe’s Magento Marketplace suffers data breach

Adobe’s Magento Marketplace has suffered a data breach, the company has said in an email sent to customers.

The Magento Marketplace is where the Magento e-commerce Content Management System’s 250,000 customers can access software add-ons including extensions, themes and third-party services.

The company hasn’t said when the breach happened, merely that its security team discovered a vulnerability on 21 November 2019 that had allowed an “unauthorised third party” to access account information.

Data compromised includes names, email addresses, MageID, billing and shipping addresses and phone numbers, plus limited commercial information such as “percentages for payments to developers.”

The email, which can be read in full courtesy of a Twitter user who posted it, continued:

Upon discovery, we immediately launched an investigation, shut down the service and addressed the issue.

No passwords or payment data was compromised, and none of Magento’s core products or services (i.e. software hosted on the site) were affected, the statement added.

The company also posted a brief online statement, although this offers no additional information on the causes of the incident. It refers affected users to the Security Center, which itself has no mention of this specific incident, or what to do about it.

We appreciate all that you are doing to maintain good security hygiene and to keep your Magento instance and extensions current. Please refer to the Magento Security Center to help ensure the security of your Magento store.

The two missing pieces of important information are how many accounts were affected and how long the breach lay undiscovered. On past form, this information will probably never be revealed.

Adobe, of course, infamously suffered one of the largest data breaches ever recorded when 38 million user accounts were compromised in a 2013 incident.

More recently, an Elasticsearch database with customer data for 7.5 million Creative Cloud accounts was discovered in an unsecured state.

Separately, the Magento platform itself has also suffered security flaws, including one from earlier in 2019 that criminals started exploiting only days after researchers made it public.

Adobe acquired Magento for $1.68 billion in 2018.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dhp-DUcd-b0/

US tightens rules on drone use in policy update

When it comes to the issue of managing drones (Unmanned Aircraft Systems, or UAS) the US Department of Justice wants Americans to know it’s on the case.

In 2015, the DOJ published what was meant to be a comprehensive policy governing how US Government departments and law enforcement use drones, taking account of issues such as privacy, law and the Constitution.

Four years on and things have moved on a bit, prompting tweaks addressing more recent concerns, including misuse, access to airspace, and the cybersecurity of the drones themselves.

Large parts of the 2015 policy and its 2019 update sound almost identical. On privacy, both policies limit departments gathering drone data that contains personally identifiable information (PII) to 180 days unless there’s a specific reason to keep it longer.

In other words, it’s much the same mix of privacy rules, limits, and exceptions applied to all areas of technology which give officials just enough wiggle room to gather and retain data in defined circumstances.

Cybersecurity

That said, a few of the 2019 policies could turn out to be significant, the most important relating to the cybersecurity design of the drones themselves.

It’s a complex new front that won’t be any easier to manage with drones than it is in other areas of computing. For instance, the section on drone procurement states:

The procurement of IT must comply with applicable laws, policies, and regulations, including those administered by the Office of the Chief Information Officer. The Department ensures appropriate security and privacy protections for data and IT through the risk-based Department Cybersecurity Program and effective IT management.

Which is a way of saying that, before buying them, departments must do the same cybersecurity assessment on drones that they would on any other IT equipment.

On this topic, earlier this month the Department of the Interior (DOI) grounded many Chinese-made drones in use by government departments, in order to carry out a review of their security risk.

It seems US officials have grown concerned that foreign drones could be used to covertly take pictures of national infrastructure.

It’s not an outlandish worry, although no evidence was provided that this has ever actually happened. Even so, the US Government is treating it with an abundance of caution, as do other governments around the world.

A second anxiety is how drones might be misused. The policy doesn’t set any specific rules for this, but it mentions that the DOJ is talking to the Federal Aviation Authority (FAA) about the issue of “specialized air traffic and airspace management support.”

It’s not hard to imagine where that thought has come from – nearly a year ago drones brought London’s Gatwick Airport to a halt for two days, prompting mild panic after it became apparent that the authorities had no easy way of stopping them.

Repeat incidents are inevitable, but at least anyone trying such a thing now has been well warned. As the DOJ says in this week’s press release:

The Department welcomes lawful and beneficial uses of UAS, which promise to enhance the economy and transform the delivery of goods and the provision of critical services ranging from search-and-rescue to industrial inspections. At the same time, the Department will not hesitate to take action against those who threaten the safety of our skies and the public.

Although the policy document is intended for internal government use, it could also be interpreted as a warning to commercial operators to make sure their drones aren’t hijacked, a scenario which a report from earlier this year warned might be possible.

For drone lovers, this is a lot to take in. In just a few years, these devices have gone from being viewed as entertaining novelties to dangerous military weapons or spying devices for criminals and foreign governments.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8ggat1Uqm_E/

Stay safe on Black Friday – and the rest of the year, too!

Watch our latest Naked Security Live video for practical tips for staying safe online – not just on Black Friday and Cyber Monday…

…but on Tempting Tuesday, Wild Wednesday, Too-Good-To-Be-True Thursday, plus all the other days that cybercrooks have you in their sights (which is every day of the year).

Here are our tips in summary form:

  • If it sounds too good to be true, it IS too good to be true. Don’t take risks just because it’s the shopping season.
  • Use a password manager. A password manager will make sure you pick a different password for every site, can remember 18-character jumbled-up passwords just as easily as you can remember your cat’s name, and won’t let you put the right password into the wrong site, which protects you from phishing.
  • Consider getting a prepaid credit card for one-off purchases from new websites. A prepaid credit card has a fixed amount of money on it, which limits your risk if something goes wrong.
  • Measure twice, cut once. Not all scams are easy to spot, but the cybercrooks behind many of them often make at least one obvious mistake. Don’t be so hasty that you fail to notice a giveaway (whether it’s a typo, a weird date format, or a dodgy URL) that you later realise would have saved you.
  • Whatever extra steps you take on Black Friday – keep on doing them all the time. If a cybersecurity precaution is worth taking on Black Friday, then it is worth taking every day of the year.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-X5vmpBnASU/