STE WILLIAMS

US military supplier in ‘Made in America’ fraud case

Aventura Technologies – an American surveillance equipment vendor located on Long Island, New York – has been busted for allegedly slapping phony “Made in the U.S.A.” labels on Chinese gear and selling it to customers including the US military and federal government.

For years, Aventura’s been shipping out boxes with American flag logos to outfit government agencies. Its gear – the company sells surveillance cameras, ground-based radar, artificial intelligence (AI) and facial recognition software, and many other hardware and software security technologies – has been installed on everything from aircraft carriers to a Department of Energy facility.

The alleged fraud was discovered last year by an Air Force service member who noticed Chinese characters displayed on the built-in screen of one of the company’s body cameras.

On Thursday, federal prosecutors in Brooklyn said that seven defendants – current and former Aventura employees – have allegedly been lying for years, claiming that the equipment had been manufactured at Aventura’s base in Commack, New York. Actually, they were allegedly peddling made-in-China electronics with “known cyber vulnerabilities”, raising the possibility that US agencies have installed software in security networks that China could use for spying.

According to the Department of Justice (DOJ), Aventura has made more than $88 million in sales revenue – including over $20 million in federal government contracts – since November 2010, and the alleged fraud has been ongoing since at least 2006.

Besides Aventura, the complaint charges seven individuals: Jack Cabasso, Aventura’s Managing Director and de facto owner and operator; Frances Cabasso, his wife and Aventura’s purported owner and CEO; senior executives Jonathan Lasker, Christine Lavonne Lazarus and Eduard Matulik; current employee Wayne Marino; and recently retired employee Alan Schwartz.

Per federal guidelines, a product’s country of origin can determine whether the government or the military will procure a product, and it also matters to some private sector customers. All products imported into the US are supposed to be marked with their country of origin. The seven defendants have all been charged with unlawful importation and conspiracy to commit wire and bank fraud.

Four of them have also been charged with defrauding the US government by allegedly lying about Frances Cabasso being the owner and operator of the company so that the company would be eligible for valuable government contracts reserved for women-owned businesses. In fact, her husband actually ran the business, prosecutors claim. The Cabassos have also been charged with laundering the proceeds from their alleged scams.

Intercepted, covertly marked packages

During its investigation, the feds intercepted and covertly marked numerous shipments coming to Aventura from Chinese sources. In some cases, cameras shipped from China were pre-stamped with patriotism: they bore Aventura’s logo and the phrase “Made in USA,” along with the stars-and-stripes. In many instances, investigators traced those items and found that they’d allegedly been resold to US government agencies – agencies that had been told they were buying American-made gear.

For example, the China-sourced gear included a $13,500 laser-enhanced night vision camera purchased in March 2019 by the US Navy. Investigators had intercepted that camera when it was on its way to Aventura, and they had subtly marked it in a way that was hard to detect unless you knew what you were looking for. Two weeks after they’d done that, the marked camera was delivered to a US naval submarine base.

Investigators did the same thing to $156,000 worth of networked automated turnstiles destined for a facility in Tennessee. The DOJ says that the package that showed up in Tennessee was identical to the one investigators had intercepted – except that the shipping labels from China directing the crates to Aventura had been peeled off. There were still visible traces of paper and glue from the old labels.

A time zone in China and multiple Chinese logos

As far as the body cameras ordered by the Air Force go, after the service member noticed the Chinese characters on the display screen in August 2018, the cameras were sent for analysis. A specialist downloaded the bodycam’s firmware and found still more clues that it had been made in China, including multiple preloaded images that were apparently designed to display on the built-in screen, including the Air Force logo, the logo of the Chinese Ministry of Public Security, and the logo of a Chinese manufacturer.

All of the logos had been saved to the camera’s firmware using the same software, on a computer that was set to a time zone in China. The presence of the Air Force logo indicates that the manufacturer knew the Air Force was the likely end user of the bodycam, the DOJ says.

Can’t you do anything about your initials on the circuit boards?

None of the products on Aventura’s price list mentions that it’s made in China. In fact, a long laundry list of Aventura employees’ emails shows how much care the company allegedly took to scrub any sign of the equipment’s true origin. For example, here’s an email from Jack Cabasso to one of multiple Chinese manufacturers after stressing the need to take steps so that “they cannot trace”:

The housings are a problem since you publish them on your website but nothing we can do about that.

Cabasso had allegedly told the manufacturer that Schwartz was “putting together a list” of steps to be taken to hide the equipment’s true country of origin. Cabasso also allegedly told the manufacturer that “the biggest problem” was that its initials were marked on its circuit boards, and said that he had “lost several potential customers” because of similar practices by another Chinese manufacturer.

The pot calling the kettle black

Meanwhile, Cabasso was allegedly ratting out other contractors, accusing a dozen of selling surveillance equipment to the government that was manufactured in China. It’s a “big problem” that “doesn’t get any worse,” he allegedly said in a November 2016 email to the General Services Administration (GSA). He said that the Chinese manufacturer was “actually the Communist Chinese Government and ha[d] ‘significant’ cybersecurity issues aside from” compliance with US laws specifying country-of-origin requirements for government purchases.

Cabasso said that the manufacturer “will acknowledge they manufacture no products outside of China.”

All the while, Cabasso was allegedly importing equipment from the manufacturer he was complaining about.

US Attorney Richard Donoghue said in the DOJ’s press release that for years, the defendants have been disregarding the country’s national security by allegedly peddling made-in-China electronics with known cyber vulnerabilities and jeopardizing the safety of the armed forces:

With today’s arrests, the defendants’ brazen deceptions and fraud schemes have been exposed, and they will face serious consequences for slapping phony ‘Made in the USA’ labels on products that our armed forces and other sensitive government facilities depended upon.

Prosecutors said that besides the arrests and arraignments, they also executed search warrants at Aventura’s headquarters and at the Cabassos’ home. They seized $3m, spread over 12 bank accounts, as well as the Cabassos’ 70-foot luxury yacht.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zfDZroWWndo/

AI wordsmith too dangerous to be released… has been released

A text-generating artificial intelligence (AI) algorithm whose creators initially deemed too dangerous to release – given its ability to churn out fake news, spam and misinformation after feasting on a mere headline – has been unleashed.

So far, so good, says the research lab, OpenAI. In a blog post last week, the lab said that the researchers have seen “no strong evidence of misuse” of the machine-learning language model, which is called GPT-2… at least, not yet. From the post:

While we’ve seen some discussion around GPT-2’s potential to augment high-volume/low-yield operations like spam and phishing, we haven’t seen evidence of writing code, documentation, or instances of misuse […] We acknowledge that we cannot be aware of all threats, and that motivated actors can replicate language models without model release.

Exactly how convincing is the output? Well, you can try it out yourself at a web version on TalkToTransformer.com that lets you enter your own prompts.

On the “Whew – this thing’s pretty stupid! Our jobs as writers are SAFE!” side, we have what The Verge got out of GPT-2. The publication fed it six prompts that produced a varyingly jumbled and ludicrous set of outputs, including one that said that Gimli, the dwarf from Lord of the Rings, was a tall man who was also a dwarf, and one that concluded that Gregor Samsa had a terrible struggle with a vermin that was more like an ape.

On the more worrying side is what GPT-2 did when I fed it part of a Naked Security article about an IT services pro who hacked his former client’s email.

The prompt I fed it is in bold in this image, followed by what it came up with to complete the text:

An IT project manager has pleaded guilty to accessing the email account of a former client’s CEO, said reports this week.

The executive allegedly received an email containing inappropriate content from a business partner in 2011, with the executive’s wife receiving a text message from the executive, according to Reuters.

A source told Reuters that the IT manager, identified in the reports as ‘Y’, had access to the executive’s email account for around six years.

Y pleaded guilty to a misdemeanor charge of unauthorized access to a protected computer, according to Reuters.

The criminal act came to light after the former business partner filed a lawsuit against Y, claiming that he had sexually harassed her, according to the reports.

The former business partner, identified in the reports as ‘J’, told investigators that she first noticed inappropriate messages between the two of them in April 2011, while looking for a job.

“A source told Reuters”?! “Sexual harassment”?! An algorithm doesn’t have fleshy tubes from which to pull facts, but it surely was pulling them from somewhere outside of reality. Still, if somebody wasn’t familiar with the facts of the human-generated, bona fide news story, the text has no obvious give-aways that it’s full of misinformation, and you can see where the model could generate entire fake news stories after feeding on a mere headline.

A second test, with the text in bold, puffed out a convincing story of woe and called for donations to the Blackfoot Disaster Relief Fund:

17,000 people have been caught in a flash flood in ʻOjibwe’s Blackfoot Country on Thursday night.

The Ojibwe Nation’s chief and council are asking for donations to the Blackfoot Disaster Relief Fund to assist the people who have been displaced by the flooding.

More than 100 Ojibwe tribal members and more than 100 from other First Nations in Northern Manitoba were affected by the flooding…

OpenAI’s partners at Cornell University surveyed people in order to determine how convincing GPT-2 text is. It earned a “credibility score” as high as 6.91 out of 10.

Other third-party research found that extremist groups can use GPT-2 to create “synthetic propaganda” by fine-tuning GPT-2 models on four extremist ideologies. That hasn’t yet come to pass, OpenAI has found. Its own researchers have created automatic systems to spot GPT-2 output with ~95% accuracy, but the lab says that’s not good enough for standalone detection. Any system used to automatically spot fake text would need to be paired with “metadata-based approaches, human judgment, and public education.”

OpenAI first announced its “amazing breakthrough in language understanding” in February 2019, but it said that it would limit its full release, given its worry that “it may fall into the wrong hands.” We’ve seen a few examples of the “wrong hands” that AI has fallen into, in the form of deepfake revenge porn and scammers who deepfaked a CEO’s voice in order to talk an underling into a $243K transfer.

The decision to withhold the full model until last week stirred up controversy in the AI community, where OpenAI was criticized for stoking hysteria about AI and subverting the typical open nature of the research, in which code, data and models are widely shared and discussed.

The decision also led to OpenAI becoming the object of AI research jibes like these:

What do you think? Was releasing this tool a good idea or a bad one?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Gp2bPEYqYs8/

Adobe fixes SDK weakness affecting mobile apps

Adobe has updated the sample configuration files that ship with its Experience Platform Mobile Software Development Kit (SDK) after a security company discovered insecure default settings.

The SDKs are offered by the company as templates for developers to integrate their apps with Adobe’s cloud services across a range of platforms.

All seemed well until, in March 2019, Nightwatch Cybersecurity noticed that the main app configuration file, ADBMobileConfig.json, contained settings that could lead to security problems.

This included several settings connected to SSL/HTTPS data transfer, specifically:

  • An analytics setting defaulting to off (‘false’) rather than on (‘true’).
  • Data transfers connected to the mediaHeartbeat object in the same insecure state.
  • Other connections not using SSL by default.

In total, the researchers uncovered 28 templates across different platforms that embedded these settings.
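As an added illustration of the kind of check Nightwatch describes (this is example code, not Nightwatch’s or Adobe’s), the script below walks an ADBMobileConfig.json and reports every `ssl` flag set to false, then emits a hardened copy. The layout of the sample config (an `ssl` boolean under the `analytics` and `mediaHeartbeat` objects, plus constructed server names) is an assumption about the SDK’s format, not copied from a real template.

```python
"""Audit an ADBMobileConfig.json for insecure SSL defaults.

Assumption (not taken from the SDK): the config carries an ``ssl`` boolean
under the ``analytics`` and ``mediaHeartbeat`` objects, as the article
describes. Everything else in the sample below is constructed.
"""
import copy
import json
from typing import Any, Dict, List

# Constructed sample resembling the weak shipped template: SSL is off for
# both the analytics and the mediaHeartbeat transfers.
SAMPLE_CONFIG = json.dumps({
    "version": "1.0",
    "analytics": {
        "rsids": "example-rsid",
        "server": "example.sc.omtrdc.net",
        "ssl": False,
        "charset": "UTF-8",
    },
    "mediaHeartbeat": {
        "server": "example.hb.omtrdc.net",
        "publisher": "example-publisher",
        "ssl": False,
    },
    "target": {"clientCode": "example", "timeout": 5},
})


def find_insecure_ssl(node: Any, path: str = "") -> List[str]:
    """Return the dotted path of every ``ssl`` key set to false, at any depth."""
    findings: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "ssl" and value is False:
                findings.append(child)
            else:
                findings.extend(find_insecure_ssl(value, child))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            findings.extend(find_insecure_ssl(value, f"{path}[{idx}]"))
    return findings


def find_plaintext_urls(node: Any, path: str = "") -> List[str]:
    """Return the path of every string value that is an explicit http:// URL."""
    findings: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            findings.extend(find_plaintext_urls(value, child))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            findings.extend(find_plaintext_urls(value, f"{path}[{idx}]"))
    elif isinstance(node, str) and node.lower().startswith("http://"):
        findings.append(path)
    return findings


def harden(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy of the config with every ``ssl`` flag forced to true."""
    fixed = copy.deepcopy(config)

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "ssl":
                    node[key] = True
                else:
                    walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(fixed)
    return fixed


def audit_config_text(text: str) -> List[str]:
    """Parse a config file's JSON text and list its insecure settings."""
    config = json.loads(text)
    return find_insecure_ssl(config) + find_plaintext_urls(config)


if __name__ == "__main__":
    for finding in audit_config_text(SAMPLE_CONFIG):
        print(f"insecure setting: {finding}")
    print(json.dumps(harden(json.loads(SAMPLE_CONFIG)), indent=2))
```

Point the script at the ADBMobileConfig.json extracted from a built app package to check what actually shipped, rather than the copy in source control.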

Why does this matter?

Some developers have been using these configuration files inside their own apps, creating hidden problems, said Nightwatch:

When these options are used insecurely, attackers can view or modify information transmitted by the application back to Adobe’s cloud services.

No offenders are named but the company said it had found “multiple mobile applications” using them.

This isn’t surprising – larger dev teams will craft their own configuration while smaller ones will just use what’s handed to them by Adobe, even if that makes an assumption about the settings.

Fixing this issue requires those app developers to update their software, which might take a while.

After being told of the issue in March, Adobe recently released an updated version of its Mobile SDK (version numbers vary by platform).

Given that there’s no evidence the issue has ever been exploited, the discovery looks like a case of trouble averted. Even so, it’s still surprising that Adobe didn’t pick up on the problem.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/a-eEyz1mh7c/

Microsoft urges us to patch after partially effective BlueKeep attack

Microsoft has urged people to patch their Windows systems following the report of widespread attacks based on the BlueKeep vulnerability.

BlueKeep is the code name for a security hole dubbed CVE-2019-0708, first revealed in May 2019. The flaw, in Windows 7 and Windows Server 2008, allows attackers to break into a computer through the Windows Remote Desktop Protocol (RDP) – without bothering with the RDP logon screen first.

Exploiting the vulnerability was technically difficult, creating a tense race to patch systems in the wild before someone released an exploit.

There’s a full discussion of the BlueKeep attack in the Naked Security podcast this week:


Security researcher Kevin Beaumont, who regularly monitors a network of honeypot devices to detect BlueKeep attacks, first raised the alarm on 2 November 2019:

The crashes started on 23 October, he said.

Those machines were the canaries in the coal mine, as they only exposed the port used for the RDP service susceptible to the BlueKeep vulnerability.

However, the exploit wasn’t being used to spread a worm, according to MalwareTech, aka Marcus Hutchins.

In an analysis of the attack code, Hutchins found that it used a BlueKeep exploit published in Rapid7’s Metasploit pen testing suite on 6 September. Instead of self-propagating, the attack based on this exploit installed a cryptocurrency miner.

Microsoft already had eyes on the attack. In a blog post on 7 November, it said that the attacks on Beaumont’s RDP honeypot triggered a behavioural detection mechanism in its Defender Advanced Threat Protection (ATP) enterprise security service. The company had installed a filter to look for the Metasploit exploit in September, it said.

The behavioural detection mechanism detected 10 times as many crashes in RDP-enabled endpoints daily starting on 6 September, spiking from 10 to 100.
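The crash-spike signal described above can be reproduced on ordinary endpoint logs. The script below is an added example (not Microsoft’s or Beaumont’s detection logic): it counts bugcheck events per day on hosts with RDP exposed and flags any day whose count is at least ten times the median of the preceding days, matching the 10-to-100 jump the article reports. The log format and host names are constructed for the example.

```python
"""Flag days on which crashes on RDP-exposed hosts spike far above baseline.

Constructed log format (one line per event, assumed for this example):
  2019-09-06T03:10:00Z host=rdp-03 event=BugCheck rdp_exposed=1
"""
import re
from collections import Counter
from statistics import median
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+host=(?P<host>\S+)\s+"
    r"event=(?P<event>\S+)\s+rdp_exposed=(?P<rdp>[01])\s*$"
)


def build_sample_log() -> List[str]:
    """Construct a log: ~10 exposed-host crashes/day for 1-5 Sep, 100 on 6 Sep."""
    lines: List[str] = []
    for day in range(1, 6):
        for i in range(10):
            lines.append(
                f"2019-09-0{day}T{i:02d}:00:00Z host=rdp-{i:02d} "
                "event=BugCheck rdp_exposed=1"
            )
        # One crash on a host without RDP exposed; must not count.
        lines.append(f"2019-09-0{day}T12:00:00Z host=ws-01 event=BugCheck rdp_exposed=0")
    for i in range(100):
        lines.append(
            f"2019-09-06T{i // 5:02d}:{(i % 5) * 10:02d}:00Z host=rdp-{i % 10:02d} "
            "event=BugCheck rdp_exposed=1"
        )
    return lines


def crashes_per_day(lines: List[str]) -> Dict[str, int]:
    """Count BugCheck events per day, only on hosts with RDP exposed."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["event"] == "BugCheck" and m["rdp"] == "1":
            counts[m["day"]] += 1
    return dict(counts)


def find_spikes(
    counts: Dict[str, int], factor: float = 10.0, min_history: int = 3
) -> List[Tuple[str, int, float]]:
    """Return (day, count, ratio) for days at or above factor x prior-day median.

    A baseline needs at least ``min_history`` earlier days so that the very
    first days of data do not trigger on their own.
    """
    spikes: List[Tuple[str, int, float]] = []
    history: List[int] = []
    for day in sorted(counts):
        count = counts[day]
        if len(history) >= min_history:
            baseline = median(history)
            if baseline > 0 and count >= factor * baseline:
                spikes.append((day, count, count / baseline))
        history.append(count)
    return spikes


if __name__ == "__main__":
    per_day = crashes_per_day(build_sample_log())
    for day, count, ratio in find_spikes(per_day):
        print(f"{day}: {count} crashes on RDP-exposed hosts ({ratio:.1f}x baseline)")
```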

The company warned that this may not be the last BlueKeep exploit we see. It said:

Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.

The company repeated the same advice that it has been giving to people since it first revealed the BlueKeep vulnerability: patch your systems.

Naked Security Principal Research Scientist Paul Ducklin had this to say:

If you are worried about BlueKeep because you haven’t patched yet, then you are probably missing a full six months of patches to go along with the BlueKeep one, which came out back in May 2019.

So take this BlueKeep alert as a general-purpose wakeup call, and stop putting off those updates. Patch early, patch often, so you aren’t giving even unsophisticated cybercrooks a free pass into your network.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/t3L4UyESmBg/

If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware

A data recovery company is dubiously claiming it has cracked decryption of Dharma ransomware – despite there being no known method of unscrambling its files.

Infosec researcher Brett Callow of Emsisoft had a little fun earlier this year trying to replicate Emsisoft’s exposure of ransomware middleman company Red Mosquito Data Recovery; now he has turned his attention in another direction.

Australian biz Fast Data Recovery boasted that it is capable of decrypting Dharma, which data recovery biz Coveware’s chief exec Bill Siegel described as implying “they have tools and computing power beyond that of the NSA”.

“If this was the case, they would sell their technology for millions, if not billions, rather than using it to help small businesses,” he added.

Callow posed as a customer (having borrowed his wife’s business email address, with her consent) while contacting Fast Data Recovery, asking if the firm could decrypt encrypted files that mentioned the word Dharma. What Callow had done was encrypt the files himself.

He got back a standard auto-reply email:

Thank you for contacting Fast Data Recovery – The Ransomware Recovery Experts.

Please note FREE evaluation can take up to 10 days and its dependable on our work load and its treated as a non-priority.

If this is an Emergency/URGENT please contact us or reply back to this email to use our Priority Evaluation Service for fast turnaround (4-24 hours) OR 1 HOUR quote for Dharma / Crysis Ransomware.

Dharma ransomware will have the following extensions at the end of your files (COMBO, BIP, GAMMA, JAVA, BRRR, HEETS, ETC, BTC, 888, ADOBE, GAMMA, Phobos). Click here for a full list of Dharma Ransomware.

Our Priority Evaluation service cost[s] $350AUD for most for most type of infections with the exception to [sic] Dharma and Gandcrab infections.

Dharma / Gandcrab Priority evaluation cost[s] $175 AUD.

Please note the cost of Priority evaluation will be deducted from the cost of recovery and in the unlikely chance we are unable to work with your encryption, a full refund will be issued.

We have a proven track record of 100% ransomware data recovery and back our claim with No Data = No Charge.

That was followed up with an offer to carry out a “server prevention and network security audit” at AU$750 per server and $120 per PC – with a discount to $70 if one had more than 10 PCs.

Michael Gillespie, creator of ID Ransomware, opined: “There is no way to ‘reverse engineer the ransomware decryption key’ for Dharma. The encryption is perfectly implemented, and it’s simply not possible. The only way to recover files encrypted by Dharma is with the ransomware dev’s key. Any company which claims it can recover files by other means is almost certainly just paying the ransom.”

When Emsisoft’s Callow didn’t reply to the quote, Fast Data Recovery tried again:

After analysis our engineers have determined a very high chance of data recovery after the analysis was performed on your sampling files.

Your infection is part of the DHARMA ransomware family. One of the most active types of ransomware on the internet since 2016 with 2-3 new infections per week.

Your files have been identified to have a complex encryption key. A time consuming/complex process but the recovery is guaranteed.

Our team has been successful in 100% of all dharma ransomware cases presented to our company.

We will be using our streamlined process and latest technology to speed up the recovery process.

We utilise our resources to reverse engineer the ransomware decryption key on your sample files. Once the decryption key has been reversed-engineered, we will need to connect to your system to start the recovery process.

At this point, Callow broke off contact with the firm, but the case smells similar to other companies claiming to be able to decrypt ransomware when all they do is act as a middleman, taking money on the pretence of “decrypting” ransomware, then paying the ransom and in turn banking a margin for doing so.

The most outrageous case aside from Red Mosquito (as mentioned above) was Dr Shifro, a Russian firm that also claimed to be able to decrypt Dharma. This turned out to be one Belarusian man who had made around £300,000 from taking Bitcoin payments while negotiating with ransomware authors.


Emsisoft’s CTO, Fabian Wosar, concluded: “Since emerging in 2016, Dharma has been reverse engineered to death by the entire malware research community. If a flaw existed that enabled the encryption to be broken, it would almost certainly have been discovered a long time ago. To break Dharma within any of our lifetimes without having discovered a flaw would require access to a quantum computer that is capable of running Shor’s algorithm. The highest number ever factorized using said algorithm and quantum computers is 21, which is just short of the 307 digits that would be required to break Dharma.”

Sometimes, these types of services really are too good to be true.

Fast Data Recovery has been asked for comment. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/11/dharma_decryption_promises_data_recovery/

New: 2019 State of the Internet / Security: Media Under Assault

It can’t be overstated: Web attacks and credential stuffing are real, long-term threats. This white paper, sponsored by Akamai, focuses on how they are impacting the high-tech, video media, and entertainment sectors.

From January 2018 through June 2019, Akamai recorded more than 61 billion credential stuffing attempts and more than 4 billion web application attacks. In this special edition of the State of the Internet / Security Report, we’re focusing on data within the high tech, video media, and entertainment sectors — collectively named Media Technology.

These three industries accounted for nearly 35% of all credential stuffing attacks, and almost 17% of the web application attacks seen by Akamai during the 18-month reporting period. Our analysis indicates these three verticals are a stable and consistent attack source for two reasons: personal and corporate data. The targeted brands are household names, and criminals are looking to capitalize on that familiarity.

By attacking directly via web application attacks, criminals hope to expose customer records and financial data or leverage a vulnerable server to spread malicious code — also a common motive driving criminals to attack the retail sector. Credential stuffing abuses the brands targeted, as well as their customers, enabling the criminals to target personal information and corporate assets, such as media or digital products.


Article source: https://www.darkreading.com/edge/theedge/new-2019-state-of-the-internet---security-media-under-assault/b/d-id/1336222?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Security Processes You Shouldn’t Overlook During M&A

Security needs to be a central element of due diligence if a merger or acquisition is to succeed

There’s a lot more attention being put on cybersecurity during the M&A process, and for good reason. The Marriott-Starwood merger is a prime example, shining the spotlight on what can happen if you accidentally acquire a data breach. As part of the merger, Marriott acquired many new hotel brands but also unwittingly inherited a large-scale breach that affected approximately 500 million customers, resulting from a hack of Starwood’s customer reservation database prior to the acquisition deal.

According to a recent Forescout survey of IT and business decision-makers, 65% said they regretted making an acquisition because of a cybersecurity issue. But cybersecurity during M&A isn’t just a point-in-time exercise. It should start with due diligence — but even more importantly, cybersecurity should be a key consideration in the entire integration process. That’s the real heavy lifting when it comes to cybersecurity and M&A.

Post-acquisition, there’s lots of pressure on the CIO and other executives to get the integration done as quickly as possible so the company can realize the benefits of the deal. While IT sometimes gets a bad reputation for moving slowly during this process, in reality there are a lot of factors and complexity that go into making sure the integration is done smoothly and securely with minimal business disruption. 

Weaving cybersecurity throughout due diligence and then integration planning is a way to set reasonable expectations on the priorities and timing. With that in mind, here are five processes to address before, during, and after a merger or acquisition. Being able to explain “the why” behind each of these priorities and time frames in a way the business teams can understand is critical in each step.

1. Cybersecurity Due Diligence Is Key 
Cybersecurity due diligence should start before any deal is made. You’re looking for cybersecurity issues that could rule out a deal or affect the sale price. For instance, Verizon knocked $350 million off of its purchase price for Yahoo after two data breaches were discovered. 

Our same survey revealed 73% said the discovery of an unknown data breach would be a deal breaker for an acquisition. To discover an unknown breach, you could engage a third-party auditor to conduct an internal cybersecurity assessment or do evaluations like a device audit. 

If it’s a product or services company acquisition, I would also put particular emphasis on evaluating the product or service itself to make sure the risk posture is understood and acceptable — you first and foremost want to be sure that the very reason you are acquiring the company does not create risk to your customers or your reputation. For instance, when Marriott was in the process of merging with Starwood, perhaps further due diligence could have been run on Starwood’s customer database to ensure that all guests’ personal information and preferences were stored securely. 

2. Basic Integration for Day 1 Collaboration
Then, once the deal is closed, you get to the second and larger piece of the M&A process: the integration. Some of these tasks can move quickly thanks to the cloud, with tools like Office 365, Zoom, and Box. Getting systems like these integrated right from the start takes a lot of the pressure off the CIO because new team members are able to start collaborating and doing simple tasks like scheduling meetings and sending emails with their new colleagues right away.

3. Comprehensive Integration Across Infrastructure, Security, Access
The deeper, more strategic work comes after that and this is really a joint effort with the business. This is the time when you have to take a step back and focus on the integration from an infrastructure, security and access perspective in order to ensure alignment across the organizations and to identify hidden sources of risk.

You can’t rush this without potentially introducing new risk. IT and business decision-makers identified the top areas of risk during integration as human error and configuration weakness (51%), connected devices (50%), and data management and storage systems (49%), according to Forescout’s survey. You have to go system by system and connect them, making sure data is kept secure and each person has the right access.

Although the technical integration is rarely as fast as the business would like, it is the easier piece of the process. More often, it’s things like systems and data access, new work processes, data migration, business impact (such as release cycles and end of quarter), and change management that will slow progress. Let’s face it, there is never a good time to do these things. 

4. Cultural Integration
You also have to factor in the cultures of the two organizations. One organization might have a more mature security posture than the other. Or they may be very married to the way they do things and don’t want to change. In other cases, you may have to integrate very different business models or capabilities into a single system. But in any situation, you have to bring everyone to the table and work together as one team.  

5. Rinse, Repeat, and Refine
The important thing to remember in all of this is that both the threat landscape and your IT environment and systems are always changing and evolving. While it’s important to incorporate cybersecurity into due diligence and the initial integration, it’s a process that you will have to continue throughout the full lifetime of the organization. 


With more than two decades of experience driving global operational capabilities across some of the world’s largest cybersecurity and IT brands, Julie leads the people, business, and technology operations at Forescout. Julie has extensive operational and technical leadership …

Article source: https://www.darkreading.com/threat-intelligence/5-security-processes-you-shouldnt-overlook-during-manda/a/d-id/1336279?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Huge Airbnb scam leads to promise to vet every host, every listing

Ever stay in an Airbnb listing that lacked a trash bin? A kitchen light? Running water? But one which had ample broken beer bottles littering the balcony, trash shoved into the holes in a milk crate, and filthy sheets on a bed that hadn’t been made?

That was my Airbnb misery. The details of yours, if you have one, are undoubtedly different. Maybe you showed up on the doorstep of your destination after driving four hours only to be told by baffled homeowners that you must have the wrong address. Maybe you discovered the beady eye of a hidden webcam trained on your bed.

Or maybe you’ve been told, at the last minute, that there was a plumbing emergency and that you’d be switched to a place that was 3x as large – wow, an upgrade – only to find that it was a cobwebby dump you could only get to by squeezing around trash bins as rats dashed past?

Fake listing scam

That, in fact, was the experience of one traveller who told their story to a Motherboard Vice reporter who uncovered a nationwide scam in which shady real estate rental companies are putting up lovely, and fake, listings, publishing them on Airbnb under the profiles of multiple fictional hosts, and then, at the last minute, switching we-have-no-other-choice guests to shabby rat-traps.

That’s what happened to writer Allie Conti, who went on to talk to multiple others who’ve banged their head against Airbnb trying to get refunds – refunds that apparently were issued in full to only the most persistent (namely, a lawyer who “loves to argue,” she told Vice), while others have only received partial refunds, or none at all.

The specific details of Airbnb nightmares aside, those of us who’ve fallen for a crappy or nonexistent listing may well wonder how in the world a company that’s been around for 11 years – one that’s due to go public and is estimated to be worth $35 billion – could fail to have the technologies and processes in place to weed out the fraudsters who find it so easy to take advantage of the platform.

Well, it hasn’t had those abilities. Nor has it apparently prioritized putting them into place. But now, it’s promising to change all that… or, at least, to give people 100% refunds if Airbnb can’t put them into another accommodation that’s “just as nice.”

Promises

A week after Vice published its hair-curling findings, Airbnb chief executive Brian Chesky published a series of Tweets in which he said that the platform plans to verify every one of its listings and every one of its hosts.

Chesky said that starting next month – on 15 December – the new Airbnb Guest Guarantee will ensure that guests who stay in listings that don’t meet Airbnb’s “accuracy standards” will either be rebooked into someplace that’s “just as nice” or, failing that, they’ll get a 100% refund.

Up until now, some guests who’ve managed to get refunds have found that Airbnb slashed the refunds if they made the mistake (read, had no other option) of actually staying in one of these surprise-surprise switcheroos.

There are also those who claim that Airbnb never followed through at all when their reservations were cancelled at the last minute, or that it has shuffled them from one “case manager” to another while they suffer.

Airbnb says that it will verify each and every Airbnb listing and host by December 2020. Chesky didn’t say how. What we do know is that there are an awful lot of listings to scrub: according to one property management site, the platform currently has more than 650,000 hosts and over 6 million listings worldwide.

If Boston, Seattle and San Francisco can do it…

Some cities aren’t leaving it up to Airbnb to vet their hosts. As of January 2019, all Boston hosts were required to register short-term rentals with the city. The process of registering is on the grueling side: I’m an Airbnb host and have gone through it, having had to purchase a business certificate, pay to register with the state, and prove that I own my house, among other things.

Boston’s new regulations, which go into effect 1 December, forbid people from listing investment properties on Airbnb. You have to live in the house, in other words, to rent it out on Airbnb.

Nobody’s quite sure how many units rented by absentee investors – or swindlers like the ones that Vice uncovered – the new regulations will drain out of Boston’s Airbnb listing pool, though estimates put it in the thousands.

For its part, Hawaii is thinking about subpoenaing Airbnb for tax records of hosts.

Other cities that have passed regulations include Buffalo, San Francisco, and Seattle, while still others, such as Jersey City, are preparing to do the same.

Some cities have enough wherewithal to fight Airbnb in court so as to push through regulations to protect guests and their long-term rental housing stock. Others don’t. As Vice notes, New Orleans overhauled its short-term rental laws in August, for example, but it doesn’t have enough money and had to leave the Airbnb fox in charge of the henhouse to carry out oversight of the new rules.

Let’s hope that Airbnb comes up with a good way to dig out its rotten apples. There are cities and towns out there that can’t do it on their own, and the scammers are adept at taking advantage of that situation.

For the record – I got a 100% refund on my nightmare stay. I made sure to photograph every last little shard of beer bottle and suggest other unhappy guests do the same.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IcTMFqqjWtI/

Hate hub hacked, Cisco bugs squished, Bluekeep attacks begin, and much, much more

Roundup: Time for a look at some of the other security stories making the rounds in the past week.

DNAye-aye-aye

Yet another reason not to use commercial DNA testing services: Genome sequencing biz Veritas Genetics says that an unauthorized user had been able to get access to a customer portal.

The unknown attacker wasn’t able to steal any genetic information, but beyond that Veritas isn’t saying exactly what sort of customer data was exposed. It is working with law enforcement to track down the culprit.

‘Iron March’ forum exposed

Bad news for those who frequented the now defunct neo-Nazi ‘Iron March’ forum as a hacker has managed to get access to a complete backup of the forum and share it online.

The archive includes a collection of all posts and DMs from the forum. The entire archive is available for download as a SQL database.

Cisco drops fresh set of patches

It’s once again time to patch up your Cisco devices. The networking giant has posted a fresh load of updates for both its hardware and software offerings, including fixes for a few high-risk code execution and denial of service bugs.

The updates include high-severity fixes for Cisco Small Business Router, TelePresence, Web Security Appliance, Wireless LAN Controller, and WebEx Network Recording Player.

Admins would be well-served to test and deploy the fixes before next Tuesday, when Microsoft and others unleash their Patch Tuesday patches.

rConfig found to contain pair of RCE bugs

Admins whose networks use rConfig will want to be sure to update their firmware following the disclosure of two remote code execution flaws in the utility.

While RCE flaws are never good news, there are at least some mitigating factors that should make these bugs a bit less dangerous.

Specifically, one of them requires the attacker to target a component in the ‘install’ folder. This directory is almost always deleted during or shortly after installation of the software, so most servers would not be vulnerable.

Meanwhile, the second flaw requires the attacker to already have valid login credentials for the target device, so ‘remote’ in this case does not mean unauthorized.

Bluekeep exploits spotted

If you have been dragging your feet on installing the months-old patch for the Windows RDP ‘Bluekeep’ flaw, you should probably take care of that now.

This is because there have been reports of active exploits targeting the remote desktop vulnerability. So far, they are mostly just coin-mining malware installations that have been collected by honeypot machines, but there is the risk for worse attacks.

“The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately,” Microsoft says.

“Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”

Expert shares thoughts on encryption

Over on the Lawfare Blog, Jim Baker of the R Street Institute and Harvard Law School shares how his views on encryption have evolved, and what changes could be on the horizon as the government continues to wrestle with how to deal with encrypted communications.

Google patches payment API bypass

A particularly nasty vulnerability has been patched by Google in one of the APIs it uses to handle card payments in Chrome. The Daily Swig reports that the vulnerability would have potentially allowed an attacker to use the API to access and copy any file on the victim’s machine.

Fortunately, because Chrome automatically updates itself, a simple browser restart will get you patched up against this bug.

Nvidia posts updates

Gamers (or really anyone else) running Nvidia graphics cards will want to install these two updates for their GPUs. The bugs patched are not particularly dangerous on their own, but could potentially be chained together to achieve code execution. Users and admins should install them as soon as possible. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/11/security_roundup_081119/

Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers

“Cutting to the chase, it’s not a case where the office cleaner finds a thumb drive, picks it up and takes the opportunity to make some use of it,” barrister Jonathan Barnes told the Supreme Court as he urged judges to dismiss Morrisons’ appeal against liability for its 2014 payroll data breach.

As reported yesterday, Morrisons is trying to overturn a Court of Appeal verdict that would see it paying out potentially tens of thousands of pounds in compensation to around 9,000 workers suing it.

The case is deceptively simple: should the supermarket be held vicariously liable for the actions of former auditor Andrew Skelton, who helped himself to nearly 100,000 employees’ payroll data and dumped it online?

“Morrisons [argues that it] is not the data controller,” said Barnes, picking apart one of the supermarket’s legal arguments. Morrisons claims that after Skelton had stolen the payroll, in data protection law Morrisons couldn’t be regarded as being in control of it – and therefore wasn’t liable for his actions.

Barnes continued: “So if we strip out the words ‘data controller’ from Morrisons’ description of itself at paragraph 97 of [its filed] case, we’re left with ‘innocent compliant employer’. But the condition of being an innocent compliant employer certainly does not ordinarily exempt an employer from a finding of vicarious liability.”

In written arguments, the workers say that Skelton didn’t stop being a Morrisons employee (that is, he was doing something the supermarket could have prevented or deterred) even though he was now the data controller of the stolen data. Legally, if the employees are right, this means the supermarket still ought to be held vicariously liable for the theft and dumping online of the staffers’ data.

Skelton was disciplined by Morrisons after a white powder was spilled in the company postroom. Police thought it might be amphetamine, though lab tests eventually showed it was the legal slimming supplement phenylalanine, for which Skelton was running a side business. Nonetheless, he was suspended from work for six weeks and given a verbal warning, causing the auditor to form “an irrational grudge” against the supermarket, as summarised in the employees’ case papers.

In November 2013 Skelton was tasked to help KPMG carry out its annual audit of Morrisons’ accounts. As part of that, the payroll was “uploaded from an encrypted USB onto Mr Skelton’s encrypted work laptop by another Morrisons employee,” as the joint Statement of Facts and Issues recounted. Skelton then sent the data to KPMG.

Five days later, “criminally and without Morrisons’ knowledge”, the auditor copied the payroll onto a personal USB stick. By mid-December the audit was finished – Skelton having retained access to it at work to answer KPMG’s questions – and he “ought to have deleted the payroll data” by that point. In January 2014 he posted it on a file-sharing website using Tor and later alerted three newspapers, who called the police.

Lady Hale, president of the Supreme Court – wearing a purple business jacket rather than the cheery jumper of the previous day – asked Barnes: “Was he entitled to read [the data] and look at it?… it seems to me he was entitled to read and look at it.”

In reply to Barnes’ arguments, Lord Pannick QC, barrister for Morrisons, thundered: “It cannot remain part of the law that the employee can be better off claiming under the common law when the vicarious liability is based on the act of the employer in giving access to the employee to the data, a matter specifically regulated in a statutory scheme… which is designed to allocate responsibility proportionately and fairly and properly as between different data controllers. That’s our case in relation to that matter.”

Many of the arguments were based around analogies and previous cases, with both sides’ barristers citing legal authorities where employers were blamed for the wrongdoings of their employees, ranging from one about a paedophile warden of a children’s home to a Singapore bus conductor who took out a rowdy passenger’s eye with his ticket machine.

Much time was spent debating whether Skelton had metaphorically “taken off his uniform” to go on a “frolic of his own”, outside his employer’s reasonable control.

Lady Hale remarked: “Now we shall go away and try and figure out what the answers are,” as the Supreme Court finished hearing both sides’ arguments yesterday. Judgment is expected in 2020. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/08/morrisons_supreme_court_data_breach_payroll_arguments/