STE WILLIAMS

Google AI lets phone owners know about shoulder surfers

Phones. Pffft! They’re so passive. They just sit there, warming your sweaty palm in a crowded subway or elevator as mouth breathers shoulder-surf your PINs or swipe patterns – or your texts, or what should be your private, confidential web browsing – out from under your nose.

But not for much longer, if two Google researchers have any say about it! They’re working on a machine-learning, facial recognition system that will pick up on when some nosey snoop – one who’s definitely not you, given that it’s a facial recognition system and knows what its master or mistress looks like – is staring at your screen.

Researchers Hee Jung Ryu and Florian Schroff show in a demo use case video that when the system detects that somebody’s gaze is pointed at a phone, a Hangouts messaging conversation will come to a screeching halt.

As a front-facing camera detects strangers looking at the screen, it will interrupt the conversation, show both the phone owner’s and the shoulder surfer’s faces, put a red bounding box around the stranger’s face, and then flash a warning in full-cap red letters:

A STRANGER is LOOKING ALERT!!!

On top of that, it will show the stranger vomiting a rainbow. With sparkles. Alarming, but pretty!

Besides rainbow effluent, the system’s got a mouthful of a name: according to the demo description page, it’s called the Electronic Screen Protector with Efficient and Robust Mobile Vision.

Technical details are scarce. It looks to be an academic project at this stage, rather than an upcoming feature. The Electronic Screen Protector is due to be presented at the Neural Information Processing Systems (NIPS) conference next week in California.

The researchers do note that using facial recognition – which has typically been used for authentication – to protect privacy is a logical extension.

Face recognition alone is not enough when you want to have private online conversations or watch a confidential video in a crowded space where there are many other people present. Each of them may or may not be looking at your private content displayed on your device, e.g. a smart phone.

They said that the Electronic Screen Protector is fast, robust, and accurate at detecting gaze and face identity simultaneously, in real time.

Hence, the application, an electronic screen protector, can enable its enrolled users to continue reading private and confidential contents on [their] mobile device, while protecting their privacy from onlookers in a crowded space such as the subway or an elevator.

The researchers also say that the system is robust under varying lighting conditions and head poses.

Well! It’s high time that somebody thought to teach a phone self-defense, wouldn’t you say? Lord knows we humans manage to screw it up.

We’re terrible at creating and remembering secure passwords and PINs, for one thing.

We’re also bad at choosing and answering password recovery questions.

Most of us can’t even cook up an unlock pattern for our Androids that’s not crazy easy to predict, be it by shoulder-surfing or the tell-tale streaks we leave with our greasy fingers.

Bring on the face-detecting, gaze-tracking, alarm-sounding phones that can protect themselves – sparkly rainbows and all!

 


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Kck-rlXkYqI/

US indicts three Chinese nationals for alleged cyberattacks

Federal prosecutors unsealed an indictment against three Chinese nationals this week in a US District Court, accusing them of hacking into at least three multinational corporations over the past seven years.

The eight-count indictment accuses Wu Yingzhuo, Dong Hao, and Xia Lei of conspiracy to commit computer fraud and abuse, trade secret theft, wire fraud and aggravated identity theft against Siemens AG, Moody’s Analytics, and Trimble, a geospatial technology firm. Siemens is a major contractor for US critical infrastructure.

The indictment doesn’t mention the Chinese government directly, but it does mention the UPS Backdoor malware the defendants allegedly used, which has been linked to the government.

The three worked for what is nominally an internet security firm called Guangzhou Bo Yu Information Technology (Boyusec). Wu and Dong are founding members and equity shareholders of the company, while Xia is an employee.

The indictment alleges that in 2014 the hackers broke into the network of Siemens and stole employee user names and passwords and 407GB of data relating to the company’s energy, technology, and transportation businesses – all of which fall under the “critical infrastructure” heading.

In the case of Moody’s, the hackers placed a rule on an email server that caused all messages sent to a prominent company economist to be forwarded to a dummy account created by the attackers.

While the indictment only described the economist as “Employee A,” the Wall Street Journal reported that most of the rumors point to Mark Zandi, “chief economist” at the firm who, “has frequently been cited by congressional Democrats and Obama administration officials.”

Against Trimble, the hackers allegedly stole data on a Global Navigation Satellite Systems (GNSS) product that the company had spent three years and millions of dollars developing.

While the technology apparently has no military application, Reuters reported that an anonymous US official said the Chinese government could have been interested in using it to track dissidents, Chinese citizens who are overseas and foreign spies.

Ars Technica notes that an anonymous group called Intrusion Truth published a report in May claiming that Boyusec was a front for APT3 – one of the hacking units of the People’s Liberation Army. Also, a few days later, security firm Recorded Future reported that APT3 – which is also known as Gothic Panda, Buckeye, UPS Team, and TG-0110 – worked directly for China’s Ministry of State Security.

That is significant, given that, according to the indictment, the hacking began no later than 2011 and continued until at least May 2017 – nearly two years after President Obama and Chinese President Xi Jinping announced, with considerable fanfare, an agreement aimed at curbing economic espionage.

According to the White House press release, dated 25 September 2015:

Neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

Of course, that carefully worded language contained holes – major holes. It refers only to the governments of both countries – not their private sectors. And saying the government will not “knowingly support” something is obviously not a promise that it will take steps to stop it.

Besides a flurry of news stories about the indictment, what does this all mean?

Almost certainly very little. The defendants are out of the reach of US law enforcement. President Trump is trying to get Xi to assist in putting pressure on North Korea, and is very unlikely to want to jeopardize that by making an issue out of IP theft.

Indeed, if history is any guide, all this is likely to do is generate a few denials and veiled threats from China’s leaders.

Back in 2014, US prosecutors indicted five military officers from the notorious People’s Liberation Army (PLA) hacking unit 61398.

China warned it would retaliate if the US pressed the issue. And that was pretty much that.

Which is the way Kevin Murray, director at Murray Associates, a counter espionage consultancy, sees this case playing out. Does the indictment mean anything significant will happen? “No,” he said, offering a brief history lesson.

Go back 1,000 years, remembering that the Chinese invented things like silk, gunpowder, paper. All this intellectual property was stolen from them. At that time, the law in China was that if you engaged in it, that was your life. But it still got stolen. So now they’re getting back at us. And we’re trying to replicate what they did by punishing the criminal. Is it going to help? No.

Murray said if those responsible for protecting IP faced charges, “then you’d see some changes.”

But whoever gets prosecuted, things are unlikely to change. A report earlier this year by Cybereason, on compliance with the US/China agreement, noted that monitoring it is increasingly difficult due to a trend toward nation states “outsourcing” cyberespionage to private firms.

According to the report:

The use of what are called, “cutouts and sympathetic agents to collect information on their behalf,” makes attribution of the attackers more difficult and also gives the governments “plausible deniability.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/taqvWm9Z7Kg/

Radio Shack robbery to have huge consequences for location privacy

The time has come, finally, after years of confusion, to iron out what kind of privacy – if any – Americans can expect with regards to their phones’ location data.

The Supreme Court today will take up a slew of questions that arise from the modern era of ubiquitous cellphone usage. The case in question, Carpenter v. United States, is one of many that have arisen when police have used cellphone-derived location data to pinpoint suspects’ whereabouts and whenabouts.

The story of this case begins in a humble enough setting: a Radio Shack store in Detroit that was the site of an armed robbery a couple of weeks before Christmas 2010. It was one of a string of robberies in the Midwest in 2010 and 2011.

In April 2014, Timothy Ivory Carpenter was sentenced to 116 years in jail for robbing six cellular telephone stores, including that Radio Shack, at gunpoint. The robbers took with them bags filled with expensive phones. Ironically enough, it was their own phones that helped to send them to prison.

To get him convicted, prosecutors relied on vast amounts of data collected from cellphone companies that showed the movements of Carpenter, who they said was the ringleader of the robbery spree.

They got those records without a warrant. On Wednesday, the Supreme Court will start its review of the case, with the goal of determining whether that warrantless search violated Carpenter’s Fourth Amendment protection against unreasonable search.

Carpenter’s lawyers have argued that a prosecutor had sought access to more than five months of his cellphone location records. They didn’t seek warrants based on probable cause, however. Rather, they requested the records under the Stored Communications Act, which has a lower standard and allows phone companies to disclose records when the government shows “specific and articulable facts showing that there are reasonable grounds to believe” that records at issue “are relevant and material to an ongoing criminal investigation”.

The cellphone records didn’t reveal Carpenter’s conversations. Rather, they revealed that over a five-month span in 2010 and 2011, his cellphone connected with cell towers in the vicinity of the robberies.

Carpenter had argued that the records should be suppressed because the government hadn’t obtained a warrant for them.

But a district court denied the request, saying that Carpenter “had no reasonable expectation of privacy in cellphone location records held by his service provider.” He was convicted on 11 of the 12 counts for which he was indicted.

The US Court of Appeals for the Sixth Circuit upheld Carpenter’s convictions, similarly rejecting Carpenter’s arguments that disclosure of his phone records to the federal government was a “search” for which the government needed a warrant. Its rationale: cellphone companies had collected the data “in the ordinary course of business” for their own purposes, including “to find weak spots in their network and determine whether roaming charges apply”.

The court argued that Carpenter had no reason to believe that his cellphone records would be kept private, given that the records simply show where his phone connected with cell towers, without giving away any information about call content.

The Federal government had urged the Supreme Court to deny a review of Carpenter’s case. In doing so, it pointed to two Supreme Court cases from the 1970s that held that obtaining a business’ records about somebody doesn’t equate to a “search” of that person, and hence doesn’t merit a warrant even if the records contain information about the person. It shouldn’t matter that Carpenter’s case involves “new technologies” like cellphones, the government has tried to argue.

But the Supreme Court has increasingly grown uncomfortable with the notion of police having unfettered access to our digital data. Thus, in June 2017, the Supreme Court refused to go along with the Feds, instead agreeing to review Carpenter’s case.

In May 2015, a federal appeals court ruled that police could obtain historical phone location data without a warrant. But that decision didn’t resolve the issue, given that it ran counter to rulings by courts in several states that such phone records are constitutionally protected, including Montana, Maine, Minnesota, Massachusetts, and New Jersey.

Since that 2015 decision, we’ve been stuck with what Electronic Frontier Foundation civil liberties lawyer Hanni Fakhoury has called a hodgepodge, with the question of warrantless phone tracking left in limbo as state courts and some higher courts have come to contradictory decisions.

Simply put, at issue is whether the warrantless seizure and search of historical cellphone records revealing the location and movements of a cellphone user over the course of 127 days is permitted by the Fourth Amendment.

Does the Fourth Amendment to the US Constitution protect cellphones and their constant recording of cellphone locations, or not? Are those records private, or are phone companies akin to eyewitnesses to a crime – as in, it’s reasonable to interview them?

Does law enforcement need a warrant to get at months of our whereabouts, including when/where we go to church and when/where we sleep, or not? Do we have a reasonable expectation of privacy with regards to our location data?

So many questions, and such a mishmash of court decisions that have flip-flopped in their answers over the years: say, when law enforcement pored over the bank records of an illegal whiskey-distilling operation without a warrant (1976: US v. Miller – police didn’t need a warrant, the Supreme Court decided, since all they got was information voluntarily handed to banks).

Or in 1979, in Smith v. Maryland. Ditto for that one on the “nope, there’s no Fourth Amendment violation here” decision: sure, police got the phone company to install a pen register to record all phone numbers a suspected robber placed from his home. But no, how can you expect privacy when there’s a company involved to make those calls happen?

First, it is doubtful that telephone users in general have any expectation of privacy regarding the numbers they dial, since they typically know that they must convey phone numbers to the telephone company and that the company has facilities for recording this information and does, in fact, record it for various legitimate business purposes.

Experts in privacy law told the New York Times that Carpenter v. United States could spur a new era in digital privacy. The newspaper quotes Jeffrey Rosen, the president of the National Constitution Center, a nonprofit group devoted to educating the public about the Constitution:

Carpenter could be the most important electronic privacy case of the 21st century.

It’s certainly attracted a small blizzard of amicus curiae briefs. One came from a group of more than a dozen of the nation’s top tier of tech companies, including Airbnb, Apple, Cisco Systems, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest Labs, Snap, Twitter and Verizon.

Other briefs have come from rights groups, including one from the Electronic Privacy Information Center (EPIC) and another from the Electronic Frontier Foundation (EFF). Also chiming in has been the legal luminary Orin Kerr.

Kerr, a research professor at the George Washington University Law School who will soon join the faculty at the University of Southern California, argued in a post on the SCOTUSblog that what’s at issue in Carpenter is “what you might call the eyewitness rule: the government can always talk to eyewitnesses”.

In the case of Carpenter, he said, the wireless carrier is an eyewitness. “Customers use their services and hire the companies to place calls for them,” he wrote, which means the business record of what they did for customers doesn’t have Fourth Amendment protection.

The right question for the court, he contended, is not Carpenter’s “expectation” of privacy, but whether he should “have a right to stop others from telling the government about what they saw [him] do”.

The tech companies, unsurprisingly, have urged the Supreme Court to protect privacy rights of people who use their products. To get that done, the Supreme Court would have to drag the Fourth Amendment out of the 18th century, when it was drafted, and into the modern era of devices tucked into our purses, pockets and briefcases. From their brief:

No constitutional doctrine should presume that consumers assume the risk of warrantless government surveillance simply by using technologies that are beneficial and increasingly integrated into modern life.

The court’s decision is expected by June 2018. It’s going to apply to far more than that Detroit Radio Shack and a robber’s cellphone data. As the NYT suggests, the court’s decision may also apply to email and text messages, internet searches, and bank and credit card records.

Kerr:

The case is hugely important in that it defines the constitutional role in a really wide range of cases.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Id6CbpvuRL4/

Hacked Brit shipping giant Clarksons: A person may release some of our data today

British shipping company Clarkson has ‘fessed up to a data breach, saying a miscreant has accessed its systems and that some of the stolen data may be made public.

Clarkson PLC declined to answer The Register‘s inquiry about how much data had been compromised or whether it belonged to customers and merely referred us to the company’s announcement (PDF) for any additional information.

Clarksons boasts on its website that it is “the world’s leading provider of integrated shipping services, bringing our connections and experience to an international client base”. It began operations 165 years ago and now operates in 21 countries. Its 2016 revenue was £306.1m.

According to the announcement, “unauthorised access” to “computer systems” was “gained via a single and isolated user account which has now been disabled”.

Cryptically, the announcement noted “the person or persons behind the incident may release some data” and “the data at issue is confidential and lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information”.

The announcement notes the firm is “working with the police in relation to this incident”.

The company boasts it began a cyber security review earlier this year and “put in place additional security measures to best prevent a similar incident happening in the future”.

CEO Andi Case said in a statement: “We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves. In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/29/clarksons_got_some_data_stolen/

Uber says 2.7 MEEELLION(ish) UK users affected by hack

Uber has finally come up with a figure for the number of UK-based riders and drivers affected by its massive data breach: 2.7 million.

The taxi hire firm has been slammed by regulators around the world for keeping the hack, which happened in October 2016, quiet for the best part of a year.

To make matters worse, when it eventually ‘fessed up, Uber was unable to give regulators a nation-level breakdown of the 57 million affected users for days afterwards.

It has today updated the information on its webpage about the hack, saying that it involved “approximately” 2.7 million riders and drivers.

“This is an approximation rather than an accurate and definitive count because sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives,” Uber said.

The Information Commissioner’s Office said that it expected Uber to alert the affected people as soon as possible. (We assume this means actively getting in touch with people, rather than hoping they’ll be regular visitors to the hack info page.)

However, both the ICO and National Cyber Security Centre have said that, based on the information stolen, it is unlikely to directly expose people to financial crime but could put them at risk of scams.

“Uber has said the breach involved names, mobile phone numbers and email addresses,” said deputy commissioner James Dipple-Johnstone.

“On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible.”

Dipple-Johnstone added that the ICO’s investigation team is “still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised”.

The UK’s investigation is just one of many the taxi biz is facing, with European regulators due to discuss what action to take at a meeting today.

Meanwhile, across the pond, the firm is facing state-backed lawsuits, with the second landing yesterday from the State of Washington. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/29/uber_says_27_meeellionish_uk_users_affected_by_hack/

Samsung’s Mobile Device Bug Bounty Program Gets a Boost

Samsung Electronics partners with Bugcrowd to deliver timely payments for its Mobile Security Rewards Program.

Samsung Electronics is giving its newly minted two-month-old bug bounty program a boost by bringing in Bugcrowd to handle the payment processing, the companies announced Wednesday.

“Bugcrowd helps fortify partnership with the security research community by ensuring the community receives payouts in a timely manner,” Henry Lee, senior vice president of Samsung’s mobile security technologies group, mobile communications business, said in a statement.

Under the Samsung Electronics’ Mobile Security Rewards Program, security researchers can collect up to $200,000 per vulnerability, depending on severity, for any of the company’s mobile devices that currently receive either monthly or quarterly security updates.

Samsung has four categories for the vulnerabilities: low, moderate, high, and critical. The device maker stresses that all vulnerabilities submitted must have a security impact.

Read more about Samsung’s bug bounty program here.


Article source: https://www.darkreading.com/mobile/samsungs-mobile-device-bug-bounty-program-gets-a-boost/d/d-id/1330509?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Big Apple Flaw Allows Root Access to Macs without Password

Vulnerability affects machines running High Sierra operating system.

Mac users and administrators need to be on the lookout for compromised machines after a security researcher disclosed late yesterday a big flaw in Apple’s macOS High Sierra platform that allows for password-less logins to root accounts. Publicly disclosed by software engineer Lemi Orhan Ergin via Twitter, the flaw allows someone with physical access to the machine to log in as “root” by leaving the password field empty in a System Preferences unlock screen.

This could be particularly thorny for enterprise environments where users might walk away from their machines, leaving them unattended, says John Bambenek, threat research manager for Fidelis Cybersecurity.

“Most times when people are outside corporate environments, they’re either using their laptops or they’re in their bag with them,” he says. “In the corporate environment, you leave your stuff at your desk, insiders could easily start enabling local administrator accounts that then they could use to bypass local access controls on the endpoint.”

According to Mike Buckbee, security engineer for Varonis, this flaw provides another reminder that physical access to a machine is still one of the biggest threats to that machine.

“If left for just a few moments in the wrong hands, your device could easily be compromised,” he says.

Bambenek says that this flaw might also help enable laptop theft and that even though there’s nothing found in the wild just yet, it could also potentially fuel phishing campaigns. 

“It’s possible to script and create a working exploit to put into a phishing email or a browser-based lure. I don’t think anyone has fully operationalized this maliciously in the wild yet, but if that did start happening, cleanup becomes more important,” he says. “People will click on dumb things and Mac users have an artificial sense of security.”

Early reports indicate that the issue arose because the operating system doesn’t handle a very specific error condition well; if that holds, Bambenek believes Apple will be able to get a patch out fairly quickly. In the interim, Apple has published a guide for users to work around the problem and mitigate the threat. Once the patch is applied, the trick will be figuring out which machines have had root accounts tampered with maliciously.

“Fixing the code seems pretty straightforward, but the cleanup part is hard,” he says. “It’s figuring out what to do with all the machines that may have these accounts created. You can’t reset the passwords because somebody might legitimately have set the root password.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/endpoint/big-apple-flaw-allows-root-access-to-macs-without-password/d/d-id/1330516?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Accused hacker Lauri Love’s extradition appeal begins

Alleged computer hacker Lauri Love’s appeal against extradition from the UK to the US begins this morning at the Royal Courts of Justice in London.

United States prosecutors have accused 32-year-old Love of having “carried out a series of cyber attacks against the websites and computer systems” of a list of American government agencies and private sector firms. It’s alleged Love used methods including SQL injections, manipulations of vulns in Adobe ColdFusion and planting backdoors on servers for later exploitation.

The United States has sought Love’s extradition so he can answer those charges on its soil.

Love, of Stradishall, Suffolk, denies all wrongdoing but faces a prison sentence of up to 99 years if he goes to trial in America. It is thought that the Americans want to use that lengthy sentence as a bargaining tool to secure a guilty plea in return for a much-reduced sentence.

Today’s hearing will see Love’s defence team appeal against an earlier magistrates’ court decision. They are arguing his case before the Administrative Court, a branch of the High Court of England and Wales. His case, titled Love v Government of the United States of America, will be heard in Court Four at the historic Royal Courts of Justice and is scheduled to last for a day and a half.

Sitting in judgement will be the Lord Chief Justice, Lord Ian Burnett, along with Mr Justice Duncan Ouseley. The latter presided over a number of notable cases, including Julian Assange’s unsuccessful 2011 appeal against extradition from the UK, handed down shortly before the chief Wikileaker went to hide in an Ecuadorian embassy broom cupboard.

Three separate indictments with a total of 13 criminal charges have been filed against Love, a dual British-Finnish citizen. The cases have been filed in separate US courts: the Southern District of New York; the District of New Jersey; and the Eastern District of Virginia. Thanks to the vagaries of the US legal system, this would mean three separate trials for the same alleged crimes, giving American prosecutors multiple attempts to secure a conviction. In the UK, this is not permissible.

Love, who suffers from asthma, eczema and depression, has also been diagnosed with Asperger’s syndrome. He says treatment for these conditions is not easy to access in the US prison system. He has also argued that he is very likely to kill himself if extradited to America – something his parents confirmed at an earlier court hearing.

Test case for the “Forum Bar”

In September 2016 District Judge Nina Tempia, sitting alone at Westminster Magistrates’ Court, ruled that Love could be extradited to the United States. In her full judgment (PDF, GOV.UK website, 32 pages) the judge also ruled that the “forum bar” – a doctrine that allows accused criminals to resist extradition on the grounds that their alleged crimes took place substantially in the UK, or that there are compelling grounds for them to be tried in Britain – does not apply to Love.

The forum bar was a change in British law passed after the Gary McKinnon case, a very similar set of circumstances in which American prosecutors tried to extradite an accused British hacker who also suffered from mental health difficulties. In McKinnon’s case, then-Home-Secretary Theresa May eventually refused to hand him over to the Americans.

Crucially, the forum bar has never been tested in court. Today’s appeal is expected to focus on the forum bar, as well as the state of Love’s health and conditions in the US prison system.

Human rights pressure group Liberty has also been granted permission to be heard before the Administrative Court. The Register will report at intervals from the hearing as it unfolds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/29/lauri_love_appeal_high_court/

Apple Macs have gaping root hole – here’s a superquick way to check and fix it

What’s the maddest, baddest, craziest, can-you-believe-it, how-did-that-happen security blunder of recent memory?

Companies contending for the top three spots in the past three months surely include:

Well, Apple just did it again, and this one is even zanier than before – so Cupertino may well be back in first place.

The default root login password is…

In High Sierra, the latest version of macOS (currently at 10.13.1), you can easily guess the password for root, the all-powerful system administration account.

The average number of guesses you need is…

…ONE.

In fact, strictly speaking you need ZERO guesses, because you almost certainly KNOW the password already.

Just log in as root with the password “”, by which we mean no password at all – just hit [Enter].

We’re guessing that Apple didn’t bother to set a password for root because you don’t usually login or authenticate as root.

Instead, you specify that one or more regular accounts have Administrator powers, and can perform root-like activities one-at-a-time, as needed, by putting in their own passwords.

In theory, this is good for security because: you aren’t logged in as an administrator all the time; you don’t need to share a single root password amongst multiple administrators; and there’s accountability because admin activities are tied back to the user who initiated them.

In practice, of course, you need to have a password on the root account if it’s active, and ideally it should be randomly set when you configure the system, so no one knows it. (It’s much easier to stop someone using a password by mistake, or against policy, if they don’t have that password in the first place.)

If you have no login password on the root account, you need to configure the account so it can’t be used to log in, no matter how many different sneaky ways an attacker finds to get at a login prompt.

This is an epic fail by Apple, and all the world knows about it now, because it was disclosed publicly on Twitter rather than privately to Apple.

What to do?

You can easily set a strong root password of your own, so no one else knows it or can guess it.

The good news is that there’s an easy and safe way to check and fix this problem.

Open a Terminal window and enter the command passwd root, which is how you set the root password in the first place.

Don’t worry – you can’t set a new password this way unless you already know the old one, so just hit [Enter] three times:

$ passwd root
Old Password: [just hit enter to assume that it's blank]
New Password: [hit enter again to leave it blank if it already is]
Retype New Password: [hit enter a third time]

Note that if the old password isn’t blank, you don’t get an error message until the end, so if you see an error like this…

passwd: authentication token failure

…then you don’t have a blank root password and you may stand down from high alert.

However, if you don’t see any message at all, then your password was, and still is, blank, so you need to change it.

Run the same command again, but this time put in [Enter] as the old password and choose a proper password for root:

$ passwd root
Old Password: [just hit enter]
New Password: **************
Retype New Password: ***************
$

Job done.

Technically, you don’t even need to keep a record of the password you typed in (though you can’t just type random garbage because you need to put the same password in twice).

You’ll still administer your Mac with your regular Administrator-enabled account by typing in your regular password when needed, just like before.
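If you look after more than one Mac, the manual passwd check above is tedious to repeat. The following script is an added example (not from the article or from Apple): it interprets the output of the manual check exactly as described above, and, as a labelled assumption, uses macOS’s dscl(1) in “-authonly” mode for a non-interactive equivalent, where an exit status of 0 means the empty string was accepted as root’s password.

```shell
#!/bin/sh
# Added example, not from the article: script the manual "passwd root" check
# so it can be run across a fleet of Macs and fed into monitoring.
# Assumption: macOS dscl(1) is present and "dscl . -authonly root ''"
# exits 0 only when the empty string is accepted as root's password.

# Interpret the message printed by the manual check in the article:
# "authentication token failure" means the blank old password was rejected,
# so root already has a real password; no output at all means it is still
# blank. Echoes "set", "blank" or "unknown".
interpret_passwd_output() {
  case "$1" in
    *"authentication token failure"*) echo "set" ;;
    "")                               echo "blank" ;;
    *)                                echo "unknown" ;;
  esac
}

# Non-interactive equivalent of the manual check.
# Returns 0 if root is protected, 1 if root accepts an empty password,
# 2 if this is not a Mac (dscl missing), so the status doubles as a result.
check_root_password() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found: this check only applies to macOS" >&2
    return 2
  fi
  if dscl . -authonly root '' >/dev/null 2>&1; then
    echo "ALERT: root accepts an empty password; run 'sudo passwd root' now"
    return 1
  fi
  echo "OK: root does not accept an empty password"
  return 0
}

# To run directly on a Mac, uncomment the next line:
# check_root_password
```

After fixing with passwd root, re-running check_root_password should report OK, which is the same confirmation the article gets from seeing the “authentication token failure” message.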

Check your Mac, and fix this now!

Note. We think that the default setup of macOS prevents you using this trick remotely. You must have physical access to the computer. Also, if FileVault (full disk encryption) is turned on and the Mac is shut down rather than logged off or locked, you have to enter the disk password before you can get at a login prompt at all.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q8CJe_NO9Ss/

Uber hack coverup: Your next US state lawsuit arrives in four minutes

Challenged on Monday by US senators to explain its failure to report that it had allowed hackers to grab records on 57 million customers and drivers and then paid hush money in an attempted year-long coverup, Uber has been presented with its second state-backed lawsuit for not alerting authorities to the pilfering.

The first such suit arrived on Monday, from the State of Illinois and the City of Chicago, featuring a chiding from Chicago Mayor Rahm Emanuel: “The City of Chicago will not tolerate these kinds of irresponsible practices, which is why we are taking legal action to hold Uber accountable for their reckless actions.”

The second landed Tuesday, from the State of Washington, where the state’s IT security breach law requires notification of consumers within 45 days and, if more than 500 state residents are implicated, notification of the state Attorney General. Uber, apparently, did neither: it sat on its hands for a year until the lid was blown on the coverup.

Washington’s complaint, filed in King County Superior Court, claimed the hacking exposed data for an undisclosed number of customers and at least 10,888 drivers in Washington, and that Uber failed to say anything in a timely manner.

In a statement, Washington Attorney General Bob Ferguson said the law is clear that businesses must inform people put at risk by a computer security breach. “Uber’s conduct has been truly stunning,” he said. “There is no excuse for keeping this information from consumers.”

The complaint asks the court to assess damages of up to $2,000 per affected individual, which could amount to $20m for drivers alone.

As a point of reference, Uber lost about $2.8bn last year, according to Bloomberg. Even so, despite the San Francisco upstart’s bottomless well of scandals, reports this year suggest losses have been narrowing and ride bookings have been rising.

Uber’s reputation for flouting laws has turned the taxi-app biz into a legal punching bag. Also on Tuesday, the judge hearing Google’s trade secret lawsuit against Uber delayed the pending trial after evidence emerged the company had operated a secret unit explicitly for stealing trade secrets.

As a measure of its alleged malfeasance, Uber has been sued almost 80 times in US civil court so far this year. And there may be more lawsuits coming from other states, given that almost all have some form of data breach notification requirement.

Uber did not respond to a request for comment.

In its breach disclosure and apology last week, CEO Dara Khosrowshahi said Uber will learn from its mistakes. The ride hailing biz may also contribute to the career advancement of a significant number of lawyers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/29/uber_hacking_coverup_draws_state_lawsuits/