STE WILLIAMS

Canadian! fella! admits! hacking! Gmail! inboxes! amid! Yahoo! megahack!

A Canadian hacker for hire has admitted ransacking webmail accounts for miscreants accused of orchestrating the Yahoo! megahack that hit all three billion Purple Palace user accounts.

Karim Baratov, 23, appeared in a federal district court in San Francisco on Tuesday after striking a plea deal with US prosecutors. He had been charged with 47 counts of hacking, ID theft, and espionage; under the agreement he pleaded guilty to one count of conspiracy to commit computer fraud and eight counts of aggravated identity theft.

Dressed in faded Alameda County jail overalls, the bespectacled Baratov confirmed he was pleading guilty and wasn’t being coerced. Judge Vince Chhabria warned him he was facing potentially 28 years in a cooler on American soil, and was likely to be deported back to Canada when his sentence was complete.

Baratov was born in Kazakhstan and emigrated to the Great White North where he worked as – among other things – a cyber-mercenary. He was linked to the Yahoo! megahack in May this year by American prosecutors, and extradited to the US in August to face the music. The US government claimed he was part of a Russian gang of four that hacked the Purple Palace’s servers in 2014, that Baratov was therefore connected to the caper, and that two of his fellow gang members and paymasters were at the time senior Russian FSB officers.

However, Baratov’s lawyers insisted he did not know who was hiring him. His defense team told The Register Baratov was approached online to infiltrate people’s webmail accounts for about $100 a pop. He was asked to hack 80 accounts, mostly Gmail inboxes, but only pwned eight before stopping, we’re told.

“He had no idea who he was working for,” defense attorney Andrew Mancilla told The Register. “The first he knew about the involvement of the FSB was when his indictment was unsealed.”

According to the plea agreement, Baratov confessed to hacking more than 11,000 webmail accounts between 2010 and 2017 for various clients, not just the alleged aforementioned FSB officers. He would send convincing phishing emails to targets pretending to be their mail provider, and ask them to log into a bogus website to harvest their passwords and user IDs. He would then send these credentials, along with a screenshot demonstrating they worked, to his paying customers.


Baratov advertised his services on Russian dark-web marketplaces, and it was through these that he was approached. Between December 26, 2014, and March 25, 2016, Baratov hacked eight Gmail accounts via phishing, the court heard.

His targets included an assistant to the deputy chairman of the Russian Federation; a cybercrime officer in the Russian Ministry of Internal Affairs; and the chairman of a Russian Federation council committee. Baratov was also tasked with pwning the managing director, sales director, and a researcher at a “major Russian cybersecurity firm.” That last one stands out, since the only really major Russian security firm known in the West is Kaspersky Lab, which is accused of aiding the FSB in its activities against the US, wittingly or unwittingly.

According to the Feds, Baratov was recruited by FSB officers Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43, along with freelancer hacker Alexsey Alexseyevich Belan, aka Magg, 29. All three are Russian nationals thought to be at large in Russia, and all three are charged in the US with computer crimes in connection to the Yahoo! hack. In a strange twist, Dokuchaev was arrested in 2016 in his motherland on accusations of treason: Russian cops believed he passed information to the US.

“The illegal hacking of private communications is a global problem that transcends political boundaries,” said US Attorney Brian Stretch.

“Cybercrime is not only a grave threat to personal privacy and security, but causes great financial harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year. These threats are even more insidious when cyber criminals such as Baratov are employed by foreign government agencies acting outside the rule of law.”

Baratov, aka Kay, aka Karim Taloverov, aka Karim Akehmet Tokbergenov, will be sentenced on February 20. Judge Chhabria said he could impose sentences concurrently or consecutively. He said he would make his final judgment after receiving a pretrial report on Baratov’s conduct. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/29/canadian_hacker_webmail_yahoo/

Git Some Security: Locking Down GitHub Hygiene

In the age of DevOps and agile development practices that lean heavily on GitHub and other cloud resources, strong controls are more important than ever.

It might be fashionable to pile on Uber with criticism for its sloppy handling of data in a GitHub repository that contributed to the recently disclosed breach of tens of millions of Uber customers. But let’s not stack up those rocks inside our glass houses just yet. Uber’s mistake was bad, but it was far from exceptional. The truth is that as GitHub has exploded in popularity among modern developers, so too has the number of insecure repositories rife with poorly controlled sensitive information.

Uber is just one of many embarrassing exposures via the GitHub platform in the past few years, and by the looks of it, it won’t be the last. In just the last month, we’ve seen two other public snafus. In one instance, a security researcher found that a Chinese drone maker left the private key for its Web certificate exposed on GitHub for four years. Meanwhile, another incident saw criminals managing to steal $64,000 worth of cloud infrastructure usage from an outsourcing firm by using its AWS private keys, which were stored on a public GitHub repo.

Even more embarrassing, earlier this fall consulting firm Deloitte left corporate VPN passwords, user names, and very sensitive operational details on a public GitHub repo. These are just a few anecdotal lowlights among what security experts say is a growing epidemic of similar incidents.

“Cloud services like GitHub offer enormous value for private companies and government organizations that are in need of distributed, outsourced infrastructure to operate,” says Mike Baukes, co-CEO of UpGuard. “Yet misconfigured cloud assets litter the Internet, publicly accessible to anyone who stumbles upon them. These misconfigurations are the result of bad or nonexistent controls on data handling processes and a lack of automated monitoring for whether those controls are really being followed.”

Founded nearly 10 years ago, GitHub has grown to become the de facto code repository platform, particularly among DevOps and agile development teams. In the interim, the platform has garnered 24 million users across 1.5 million organizations. This loyal contingent is running more than 67 million repositories on the platform. Because code in and of itself is often proprietary and the cornerstone of organizations’ competitive differentiation, the contents contained in these repos are sensitive by their very nature, says Baukes.

“When you add in encryption keys and other stored credentials, as well as non-code files, like server or application configurations, it becomes clear that privacy is a major concern,” he says.

The problem doesn’t lie with GitHub. The firm has taken many steps to secure its underlying infrastructure, make accounts secure by default, and teach customers how to securely configure and control data on their repos. The problem is, as with any cloud platform, the buck always stops with the client organization.

“There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys,” says Zohar Alon, CEO of Dome9. “This is something that any organization that is developing code can and should implement whenever a software engineer checks in code to GitHub. Relying on a developer or administrator to follow best practices is foolhardy at scale, and the errors seem to be more egregious each and every time a breach makes the headlines.”
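As an added example of the kind of check Alon is describing (it is not GitHub’s own scanning nor Dome9’s product), here is a pre-commit hook that scans the staged additions for credential-shaped strings and refuses the commit when it finds one. The AWS access key ID prefix and the PEM private-key header are public formats; the keyword list for generic assignments and the entropy threshold are tuning assumptions, and the SAMPLE text is constructed (its AWS secret is the placeholder from AWS’s own documentation).

```python
"""Pre-commit hook: refuse a commit whose staged additions look like secrets.

Added example for this page; it is not GitHub's built-in check nor Dome9's
product. AWS access key IDs (AKIA/ASIA + 16 chars) and PEM private-key
headers are public formats; the keyword list, the entropy threshold and
SAMPLE are assumptions / constructed input.
"""
import math
import re
import subprocess
import sys
from collections import Counter

PATTERNS = {
    # Fixed, public formats: flag on sight.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Variable-format secrets: keyword, then a 16+ char value; judged by entropy below.
    "generic_assignment": re.compile(
        r"""(?i)\b(?:aws_secret_access_key|secret|password|passwd|token|api_key)\b\s*[:=]\s*['"]?([A-Za-z0-9/+=_\-]{16,})"""
    ),
}
# Assumption: random base64/hex material scores above ~4 bits per character,
# ordinary words and placeholders well below it.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<stdin>"):
    """Return (path, line_index, rule, matched_value) for each suspected secret in text."""
    findings = []
    for idx, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if rule == "generic_assignment":
                    value = m.group(1)
                    if shannon_entropy(value) < ENTROPY_THRESHOLD:
                        continue  # "changeme"-style placeholder, not a credential
                    findings.append((path, idx, rule, value))
                else:
                    findings.append((path, idx, rule, m.group(0)))
    return findings


def staged_additions():
    """Yield (path, added_lines_as_text) per file from `git diff --cached`."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    path, added = None, []
    for line in diff.splitlines():
        if line.startswith("+++ "):
            if path is not None:
                yield path, "\n".join(added)
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            added = []
        elif line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
    if path is not None:
        yield path, "\n".join(added)


def main(argv):
    if argv[1:] == ["--demo"]:
        findings = scan_text(SAMPLE, "sample.env")
    else:
        findings = [f for p, t in staged_additions() for f in scan_text(t, p)]
    for path, idx, rule, value in findings:
        # Print only a prefix: the hook's own output must not leak the secret.
        print(f"{path}: added line {idx}: {rule}: {value[:6]}...")
    return 1 if findings else 0


# Constructed sample; the AWS secret is the placeholder from AWS's own docs.
SAMPLE = "\n".join([
    'aws_access_key_id = "AKIAZZZZEXAMPLEKEY00"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'password = "changemechangeme"',
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as `.git/hooks/pre-commit` (or wire it into a server-side pre-receive hook, which developers cannot skip with `--no-verify`); run it with `--demo` to see the three findings in the constructed sample and the low-entropy placeholder being ignored. Note that it reports only a prefix of each match: a hook that echoes the full secret into CI logs just moves the leak.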

Ultimately, it comes down to sound governance and technological controls to ensure the rules are being followed. On the governance side, Baukes says enterprises shouldn’t be allowing developers or anyone else to store proprietary code on public GitHub accounts. And even with corporate GitHub accounts, a number of precautions need to be in place.

“The default repository configuration should be set to private,” he says. “All GitHub users should use two-factor authentication. Repos in the corporate organization should be regularly audited for both public exposure and permissions. Users should also be required to include their real name on their account so that spotting aberrant accounts is easier.”

Additionally, organizations should be looking out for how their outsourced vendors use GitHub. Ideally, vendor assessment should track how well third parties adhere to similar best practices in flowing data through GitHub. 

At the end of the day, the only way to provide assurance over this behavior is through automated controls that can ensure the rules are being followed. 


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/git-some-security-locking-down-github-hygiene/d/d-id/1330511?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Suspect in Yahoo Breach Case Pleads Guilty

Karim Baratov admits he worked on behalf of Russia’s FSB.

A 22-year-old Canadian national, arrested for his alleged role in stealing webmail user credentials in February, entered a guilty plea in a US District Court to hacking on behalf of Russia’s FSB, including the breach of more than 11,000 webmail accounts for the Russian federal security service, the US Department of Justice announced today.

Karim Baratov – aka Kay, Karim Taloverov, and Karim Akehmet Tokbergenov – is one of four defendants charged in connection with the 2014 Yahoo cyberattack. The other three defendants are Russian nationals and remain at large: Igor Sushchin, an undercover Russian Federal Security Service (FSB) agent; Dmitry Dokuchaev, a former FSB officer who was arrested by the FSB for treason; and Alexsey Belan, a well-known Russian hacker.

In his guilty plea, Baratov confirmed his role in stealing credentials for the webmail accounts of people identified by the FSB, and in sending those stolen credentials to Dokuchaev. Dokuchaev, Sushchin, and Belan hacked into Yahoo’s network and compromised user accounts there, while Baratov stole credentials from users of Google Gmail and Yandex email accounts. He mostly used spearphishing to breach webmail accounts on behalf of the FSB from around 2010 until March 2017, when he was arrested.

“This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” said Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

Baratov is currently being held in California without bail, and his sentencing is scheduled for February 20, 2018, in US District Court in San Francisco. 

Read more about his guilty plea here


Article source: https://www.darkreading.com/attacks-breaches/suspect-in-yahoo-breach-case-pleads-guilty/d/d-id/1330512?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Pro tip: You can log into macOS High Sierra as root with no password

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password.

The security bug is triggered via the authentication dialog box in Apple’s operating system, which prompts you for an administrator’s username and password when you need to do stuff like configure privacy and network settings.

If you type in “root” as the username, leave the password box blank, hit “enter” and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen.

The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended, nor allow remote desktop access, until you can fix the problem.

And while obviously this situation is not the end of the world – it’s certainly far from a remote hole or a disk decryption technique – it’s just really, really sad to see megabucks Apple drop the ball like this.

Developer Lemi Orhan Ergan alerted the world to the flaw via Twitter in the past hour or so:

It gets worse. You can use this programming blunder to disable FileVault…

But there is a workaround for now. If you have a root account enabled and a password for it set, the above blank password trick will not work. So, keep the account enabled and set a root password right now…
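To turn that workaround into something you can check and apply across a fleet, here is an added example (not from the article and not Apple’s guidance verbatim): a POSIX shell script that reads the root account’s password state with dscl and, when nothing is set, runs the passwd step the article recommends. The interpretation of dscl’s Password attribute (a lone asterisk meaning no password is stored, a row of asterisks meaning one is set) is my assumption about how macOS reports that attribute; confirm it on your own build before trusting the classification.

```shell
#!/bin/sh
# Added example for this page, not Apple's advice verbatim: classify the local
# root account from what dscl reports, and apply the workaround the article
# describes (set a root password) when root has none.
#
# Assumption: on macOS, `dscl . -read /Users/root Password` prints
# "Password: *" when no password is stored for the account and
# "Password: ********" once one has been set with passwd. Verify on your build.

# classify_root_password takes the text dscl printed and echoes one of:
#   nopass  - no password stored; the blank-password trick described above works
#   set     - a password is set; the workaround is in place
#   unknown - output not understood (treat as needing a manual look)
classify_root_password() {
    case "$1" in
        "Password: *")        echo nopass ;;
        "Password: ********") echo set ;;
        *)                    echo unknown ;;
    esac
}

# apply_workaround_if_needed only does anything on macOS; elsewhere it is a no-op.
apply_workaround_if_needed() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "not macOS, skipping"
        return 0
    fi
    out=$(dscl . -read /Users/root Password 2>/dev/null)
    state=$(classify_root_password "$out")
    echo "root account state: $state"
    if [ "$state" = "nopass" ]; then
        echo "setting a root password (you will be prompted)"
        sudo passwd root
    fi
    # Also worth doing while you are here: turn off Screen Sharing / Remote
    # Management until the fix ships, since the same dialog is reachable over VNC.
}

if [ "${1:-}" = "--apply" ]; then
    apply_workaround_if_needed
fi
```

Run it as `sh root-check.sh --apply` on each affected Mac; the `passwd` prompt is interactive, so push it through your MDM as a script that sets a per-machine password from your secret store rather than typing it by hand on a hundred laptops.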

El Reg was able to reproduce the bug on our office Macs running High Sierra, which was released in September. A spokesperson for Apple was not immediately available for comment. Apparently, it’s due to the operating system accidentally creating a blank root account:

Chalk this up as just the latest embarrassing flaw in Apple’s newest flavor of macOS, the OS formerly known as OS X. In October, users noted that High Sierra would also do things like disclose the password for encrypted drives, and cough up account credentials to untrusted applications.

Earlier builds of the OS also had a habit of ruining the hard drives in iMacs, and rendering kernel-level security protections effectively useless, thanks to buggy code implementations.

Let’s hope Apple engineers can do a bit better with next year’s release, or we may all be left hoping for that iOS to Mac conversion sooner than later. We’ll update this article as and when new information arrives. The latest High Sierra beta release is not affected, apparently. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/

US intelligence blabs classified Linux VM to world via leaky S3 silo

A classified toolkit for potentially accessing US military intelligence networks was left exposed to the public internet, for anyone to find, according to security researchers today.

A Linux-based virtual machine designed to safely receive and handle secret material, and connect to protected Pentagon computers, was discovered, we’re told, in a misconfigured cloud storage service. Anyone with an Amazon Web Services account could have found and delved into the unsecured AWS S3 silo and pulled out the US government’s software files.
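The distinction in that paragraph matters when you audit your own buckets: an ACL grant to AWS’s AuthenticatedUsers group is not “private”, it is readable by every AWS account on earth, and the console of the time did not shout about it. As an added example (not UpGuard’s tooling), here is a classifier that rates a bucket from its ACL and bucket policy. The two group URIs are the ones AWS documents for the AllUsers and AuthenticatedUsers grantee groups; the sample ACL and policy dicts are constructed in the shape boto3’s get_bucket_acl and get_bucket_policy return, and only the audit_live helper talks to AWS.

```python
"""Classify how exposed an S3 bucket is from its ACL and bucket policy.

Added example for this page, not UpGuard's scanner. The group URIs are the
ones AWS documents for the AllUsers (anonymous) and AuthenticatedUsers (any
AWS account) grantee groups. The SAMPLE_* dicts are constructed in the shape
boto3's get_bucket_acl / get_bucket_policy return.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SEVERITY = {"private": 0, "any-aws-account": 1, "world": 2}


def acl_exposure(acl):
    """Worst exposure granted by ACL grants to the two global groups.

    Any permission counts: READ lists objects, WRITE lets a stranger upload or
    delete, READ_ACP/WRITE_ACP expose or alter the ACL itself.
    """
    worst = "private"
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants name a specific account, not the public
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            return "world"
        if uri == AUTHENTICATED_USERS:
            worst = "any-aws-account"
    return worst


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_exposure(policy):
    """'world' if a bucket policy lets anonymous callers read or list.

    Simplification: a statement carrying a Condition is treated as non-public,
    so a Condition that still admits everyone (e.g. only aws:SecureTransport)
    is a false negative here; review those statements by hand.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("*", "s3:*") or a.startswith(("s3:Get", "s3:List")) for a in actions):
            return "world"
    return "private"


def bucket_exposure(acl, policy=None):
    """Combine ACL and policy: the more permissive of the two wins."""
    levels = [acl_exposure(acl)]
    if policy:
        levels.append(policy_exposure(policy))
    return max(levels, key=SEVERITY.__getitem__)


def audit_live(bucket):
    """Fetch ACL and policy for a bucket you own (needs boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = None
    return bucket_exposure(acl, policy)


# Constructed samples. The first is the situation the article describes:
# nothing anonymous, but any authenticated AWS account can list and fetch.
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
SAMPLE_ACL_AUTHENTICATED = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_ACL_PRIVATE = {"Owner": {"ID": OWNER["ID"]},
                      "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_POLICY_ANON_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], audit_live(sys.argv[1]))
    else:
        print("authenticated-users ACL:", bucket_exposure(SAMPLE_ACL_AUTHENTICATED))
        print("private ACL + anonymous policy:",
              bucket_exposure(SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_ANON_READ))
```

Run it with no arguments to see the two constructed cases classified, or with a bucket name to rate a real one; loop it over `list_buckets` and alert on anything above "private". The AuthenticatedUsers case is the one to watch for: it passes a naive "is Principal * in the policy?" check while still being open to anyone willing to create a free AWS account.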

This does not mean the code, when run, would grant automatic access to US Department of Defense networks; rather, it is a software kit for officials and agents to log into government computers and download sensitive reports, presumably while in the field. Hashed passwords and private keys belonging to a US military contractor were found alongside the code, though it is unclear how useful these would have been to miscreants.

The find comes hot on the heels of the US military accidentally spilling the guts of its global social-media spying program onto the web from a badly configured AWS S3 bucket, which we reported earlier this month.

This latest exposed file store, in a silo marked “inscom,” belonged to the US Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency (NSA) Defense Department intelligence gathering group. The documents – 47 viewable and three downloadable – were labeled a mix of classified, top secret, and NOFORN, a handling caveat meaning the material may not be released to foreign nationals, America’s allies included.

The virtual machine was an Oracle virtual appliance that ran on the database giant’s VirtualBox hypervisor. The VM’s hard drive had six partitions, varying in size from 1GB to 69GB. There was also some documentation, and custom code for training g-men on how to categorize classified materials.

Uncle Sam’s privates were glimpsed by UpGuard’s Chris Vickery, a master at discovering misconfigured S3 buckets. He made this find on September 27, before Amazon introduced new controls to prevent people from leaving their S3 buckets open to the world, and promptly alerted the US government. The exposed silo has now vanished from public view.


The software appeared to have been collated by Invertix, a military contractor that has since merged with another biz. The bucket included the private keys of Invertix administrators and hashed passwords.

Several documents in the bucket appeared to be related to the US military’s Red Disk system, a $5bn boondoggle that was sold as a way to bring real-time information to troops in the field. It never worked properly, and served only to enrich military contractors – who it seems were as good at security as they were at product development.

“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” UpGuard’s Dan O’Sullivan explained in a blog post.

“Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data.”

Describing the contents of the file store, O’Sullivan said: “The largest file is an Oracle Virtual Appliance (.ova) file titled ‘ssdev,’ which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location.

“While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems – an intrusion that malicious actors could have attempted, had they found this bucket.”

A spokesperson for INSCOM was not available for immediate comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/28/amazon_aws_s3_us_military/

Retail and Hospitality Breaches Declined Over Past 2 Years

A drop in publicly disclosed breaches for the two industries is due in part to fewer point-of-sale breaches.

Publicly disclosed breaches in the retail and hospitality industries have fallen to less than five occurrences per month, down from double-digit figures over the last two years, a new report released today reveals.

This drop is attributed in part to merchants, hotels, and restaurant chains retooling their point-of-sale (POS) systems to accept EMV or chip payment cards, says Stephen Boyer, CTO and co-founder of BitSight Technologies, which authored the report.

“EMV adoption has really accelerated since the Target breach and that could partly be the reason why the total number of breaches is trending down,” Boyer says. “You hear a lot about breaches all the time, so I was not expecting the total trend to be going down.”

During the January 2015 to January 2017 period analyzed in BitSight’s report, the total combined number of publicly disclosed breaches in the retail and hospitality industries reached 320. Over that span it fell from 186 breaches in 2015 to 131 in 2016, with just three reported breaches in January 2017.

POS systems were the largest vector of attacks for the hospitality industry, accounting for nearly 40% of the 181 breaches hotels and restaurants faced over the two-year period, according to BitSight’s data. The frequency of POS attacks fell sharply from eight a month in 2015, to as few as two toward the end of 2016.

Web apps, meanwhile, were the largest targets of attack in the retail industry, accounting for nearly 30% of the 139 breaches encountered during that period. During the first half of 2016, the retail industry had a slight spike in publicly disclosed Web app attacks, but no POS attacks, according to BitSight data. And in the first quarter of 2016, the hospitality industry got hit with six publicly disclosed Web attacks at a time when its POS attacks dipped.

“I have no doubt that EMV cards are forcing some cybercriminals to Web apps. I think that is the only explanation that makes a lot of sense,” says Avivah Litan, a Gartner analyst.

Chip cards are less lucrative and more work for cybercriminals to deal with, Litan says. EMV cards do not carry users’ data on a magnetic strip that can be skimmed and sold on the Dark Web, and specialized equipment is needed to pull information off the chip payment card, she notes.

Given those challenges, hitting a Web app and intercepting an e-commerce transaction may be easier for cyberthieves, according to BitSight’s Boyer.

He adds that although companies are getting better at protecting their customers’ data and transactions, cybercriminals remain highly motivated, and data breaches against the retail and hospitality industries aren’t likely to subside.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/mobile/retail-and-hospitality-breaches-declined-over-past-2-years/d/d-id/1330503?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Involved in a data breach? Firefox to test alerts in the browser

When a company suffers a data breach, there are currently a limited number of ways users get to hear about it.

Usually a company tells its customers by email. At that point the media often makes a fuss too, which is how the bad news spreads to the wider world.

A less obvious but increasingly influential route is through Troy Hunt’s Have I Been Pwned? (HIBP), a breach reporting site we’ve covered a bit recently.

HIBP is influencing breach reporting in two ways. First, because it often hears about breaches before companies do, said companies then hear about problems earlier (although that can still be years on from an incident).

Second, users hear about breaches earlier, both from companies told about them by HIBP but also, if they are registered users, direct via email or by manually checking on the site itself.

For instance, HIBP was behind the discovery of the Disqus breach in October as well as this week’s Imgur incident, to pick only two examples.

Now, Mozilla has had a radical idea – why not display HIBP’s alerts about breached sites inside the Firefox browser itself?

Browsers already warn users about phishing sites, malware downloads and insecure digital certificates, so extending this to data breaches sounds logical.

In a GitHub posting, Mozilla engineer Nihanth Subramanya has posted the code for an experimental add-on that developers can use to test this.

How it might eventually work is unclear, but one option is to warn everyone visiting a breached domain as a prompt to change passwords if they are registered users.

It might also allow users to register for alerts should HIBP detect that their email address has been discovered inside a public cache of breached data.

The innovation is that it could inform people about breaches more quickly than either the affected company or HIBP could on their own.

There are wrinkles of course.

The biggest of these is what breached companies will think about it. Given the number of breaches now being disclosed – especially ones a company didn’t know about until someone noticed data on the dark web – we might be beyond worrying about that, but it’s an issue all the same.

There’s also an issue over privacy (where are email addresses stored if they are supplied?), and whether HIBP alerting is activated automatically or has to be turned on.

HIBP’s Troy Hunt recently told a news site:

We’re looking at a few different models for how this might work, the main takeaway at present is that there’s an intent to surface data about one’s exposure directly within the browser.

Firefox’s embrace of HIBP shouldn’t obscure the unsettling paradox that a site run by one man, with a few helpers and limited resources, seems able to uncover multiple large data breaches more effectively than some of the world’s biggest companies.

It could be that many of them don’t look hard enough, but we should never lose sight of how silly this is. Telling people about breaches is all well and good but the industry must aspire to stop them happening in the first place.

 


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/i4Dk4zbrv-0/

Age verification legislation will lead to porn habit database

The UK powers that be consider online porn to be akin to cyber matches: you just can’t let kids play with that stuff, lest they set their eyeballs on fire.

It’s a well-established, thoroughly legislated angst, with the most current relevant legislation tucked into the Digital Economy Act. The problem – well, one of many – is that this angst seems poised to set the adult population of the country up for Ashley Madison-esque breaches.

The country is eager to protect children from porn. It’s a worthy goal, mind you, given that research shows that exposing kids to porn can be damaging. Unfortunately, it’s a quixotic goal, given that porn is impossible to block. Nevertheless, the UK is now on the brink of creating a database of the country’s porn habits.

It also seems poised to hand the age verification piece of that puzzle over to an outfit that Vice refers to as “the shady company that controls the majority of free porn tube sites.”

That company is called MindGeek. Vice likens it to the Walmart of porn. Britain’s leading obscenity lawyer, Myles Jackman, says it supposedly owns about 90% of tube sites on the internet, and it didn’t get that way by making friends in the industry.

They’re deeply unpopular within the porn industry because they’re widely blamed for killing the production end of the industry by distributing other people’s paid-for-content for free.

MindGeek got big by distributing free porn, in other words, and thereby choking porn companies that need to sell the stuff to fund its production.

And now, MindGeek, the Walmart of porn, is getting ready to become even more filthy rich by having maneuvered itself into the position of gatekeeper for consumers of porn, be they adults or kids who don’t know how to use a virtual private network (VPN).

It’s not a done deal quite yet, but MindGeek has had several conversations with officials. It’s also currently pushing its own age verification platform, AgeID. If selected, Britons could be dealing with AgeID as the principal gate between themselves and their porn.

Starting in April 2018, part of the Digital Economy Act will force all porn sites operating in the UK to age verify (AV) their users. What if they refuse, or if they can’t afford to comply? Well, then, flip the switch on the way out: it’s lights-out time.

Age verification is tricky. And it will cost money. The Department for Culture, Media and Sport has tendered AV solutions to “whomever can come up with a foolproof plan to vet porn users.” Once the government-appointed regulator – likely the British Board of Film Classification (BBFC), subject to approval by Parliament – approves the plans, porn sites will choose which AV technique to buy into.

Some of the solutions put forth have been to verify age by credit card; to authorize an age verifier to rifle through your social media updates, photos, friend lists, education history, and personal metadata, and to use machine learning to crunch it all to determine if you’re over 18; to send you a text, to which you reply, after which the age verifier asks your telecom provider to verify your age; or to use facial recognition to compare a selfie and another photo: say, from your passport.

Rather than paying third parties to provide those AV solutions, MindGeek’s AgeID offers a package solution of “anything that works” from the list of AV technologies, all bundled up in an easy-to-use interface that porn sites can buy as a service.

Alec Muffett, a security expert, board member of the Open Rights Group, and former Facebook software engineer, says it doesn’t have to stop at porn. According to Vice, the government is already discussing ways such AV technology can be used for online sales of knives, acid, alcohol and other child-unfriendly products.

AgeID would work like this: when you visit a porn site, such as Pornhub, for example, you’ll be shuffled off to choose a third-party regulator-approved service to prove your age. AgeID does the shuffling, then comes back with a “pass” or “fail” verdict. Next time you log into a MindGeek site, or one that uses MindGeek’s service, you simply log in, without further ado.

Jackman says it’s pure genius:

They have gone on public record to say they expect to sign up 20 to 25 million adult consumers in the UK in the first month alone. That’s about a third of Britain’s adult population. In the first month! I mean, wow.

And who, exactly, are the AV companies handling all your personal data? And how well, exactly, are they securing it? After all, we’re looking at what will be a database of the UK’s porn habits. It’s a hacker’s dream.

Digital minister Matt Hancock told the Guardian that this gateway, presumably combined with children being oblivious to VPNs, will keep them safe.

Now we are taking the next step to put in place the legal requirement for websites with adult content to ensure it is safely behind an age verification control.

All this means that while we can enjoy the freedom of the web, the UK will have the most robust internet child protection measures of any country in the world.

Privacy advocates including Jackman, the legal director of the Open Rights Group, don’t see it that way. They see it, rather, as an invitation for huge privacy leaks. Here are remarks that Jackman posted in October:

One of the most serious problems with the Digital Economy Bill is the absence of any serious scrutiny around age verification for adult online pornographic material. We think this creates a huge risk of privacy leaks and also prejudices sexual minorities adversely.

Data collection creates an inherent risk of data loss through hack, breach, or other forms of intrusion. There is a significant risk of an Ashley-Madison style hack to all users of age verification. Personal identifying details linked with their sexual preferences, and this is an enormous risk for almost every consenting adult in this country.

At this point, Jackman said, there’s no imperative as to the privacy and safeguard of users to avoid the risk of private sexual interests being leaked into the public domain.

Muffett stresses that nobody’s arguing that children should be allowed to view online porn. That’s why we call it adult material, he says.

But the way that age verification is being mapped out – i.e., a visitor to a porn site gets redirected to a service where they input private details – just doesn’t make sense with the way the internet works. It’s a weak mechanism, he said, given that any teenager who knows a parent’s password for a bank or credit card or the like can forge the credentials, “prove” they’re older than 18, and get as much porn as they want.

Could the UK government, in its zeal to protect the children, be putting the country on a path that could well lead to more such sexual preference-related data breaches?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_8Yf9gPE5bw/

Most Fancy Bear hacking targets weren’t warned by FBI

An investigation by the Associated Press has revealed that the FBI never got around to telling a majority of US officials that they’d been targeted by “Fancy Bear” Russian hackers who tried to pry open their email accounts.

At all. Whatsoever. In some cases, that includes not being contacted by the FBI even after their emails had been stolen and published online.

Working off a hit list of targets of the Russian government-linked cyberespionage group, provided by the security firm SecureWorks, the AP identified more than 500 US-based people or groups that were targeted. Over the course of two months, relying on the work of a “small team of reporters,” the AP reached out to more than 190 of those targets.

The FBI had informed only two of them that their Gmail accounts had been targeted. The FBI reached out to a few more after their emails were leaked during last year’s presidential election.

Many of the officials were long-retired, but about a quarter were still working in government positions or held security clearances when they were targeted.

The AP did more than simply call those people: it also sent reporters to knock on doors in the countries where websites associated with breached information were hosted.

One such site was DCLeaks.com, which published caches of emails that were stolen during the Fancy Bear-linked hacking of Hillary Clinton campaign chairman John Podesta and other members of the Democratic National Committee (DNC).

DCLeaks was registered at THCServers.com: what the AP describes as “a brightly lit, family-run internet company on the former grounds of a communist-era chicken farm outside the Romanian city of Craiova.”

THC founder Catalin Florica’s response when the AP’s two reporters started asking questions? Nope, haven’t seen any FBI agents ’round these parts. Or law enforcement agents of any flavor, for that matter:

It’s curious. You are the first ones that contact us.

The AP got a similar reaction from the Kuala Lumpur offices of the Malaysian web company Shinjiru Technology, which it says hosted DCLeaks’ stolen files for the duration of the electoral campaign. Shinjiru CEO Terence Choong said he hadn’t heard of DCLeaks until the AP contacted him:

What is the issue with it?

The FBI, which launched its investigation into Russian meddling in the 2016 US election two months ago, declined to publicly comment on Fancy Bear’s spying. It did, though, provide the AP with a statement that said in part that yes, we do give people a heads-up:

The FBI routinely notifies individuals and organizations of potential threat information.

But sources familiar with the matter, including one former and one current government official, told the AP that the FBI has known for more than a year about Fancy Bear’s attempts to break into the US officials’ Gmail accounts. A third, senior FBI official noted that the bureau was “overwhelmed by the sheer number of attempted hacks.”

It’s a matter of triaging to the best of our ability the volume of the targets who are out there.

Oh, that is so not cutting it, said Philip Reiner, a former senior director at the National Security Council who first heard from the AP that he’d been targeted in 2015.

It’s utterly confounding. You’ve got to tell your people. You’ve got to protect your people.

Another targeted official was Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence. He was targeted by Fancy Bear two years ago and told the AP that there’s no reason why the FBI couldn’t have done the same outreach and research that the news agency conducted:

It’s absolutely not OK for them to use an excuse that there’s too much data. Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.

When the AP contacted the 190 officials, many were saddened at the FBI’s failure to inform them of the hacking attempts. They were also mystified as to what they should do about it, or what the ramifications of the attacks are. One such was retired Maj. Gen. Brian Keller, a former director of military support at the Geospatial Intelligence Agency. The FBI didn’t call Keller, even after DCLeaks posted his emails to the internet. He told the AP that he wasn’t clear on “what had happened, who had hacked him or whether his data was still at risk.”

Should I be worried or alarmed or anything?

Not everybody’s miffed at the Bureau. The AP talked to Nicholas Eftimiades, a retired senior technical officer at the Defense Intelligence Agency who teaches homeland security at Pennsylvania State University in Harrisburg and who was himself among the targets:

The expectation that the government is going to protect everyone and go back to everyone is false.

At any rate, beyond questions of why the FBI didn’t reach out to the hacking targets and what responsibility it has to at least try, there’s the question of how successful Fancy Bear’s attacks were. According to the AP’s analysis:

Out of 312 US military and government figures targeted by Fancy Bear, 131 clicked the links sent to them. That could mean that as many as 2 in 5 came perilously close to handing over their passwords.

Ouch. That’s a lot of people, in sensitive government positions, clicking where we’re all (hopefully) trained not to click. How could they?

Unfortunately, it’s far too easy to fall for phishing attempts. That was made clear by the New York Times when it explained how Podesta’s credentials were given up because of the simplest of errors: a mere two missing letters. Yes, he was caught out by a typo.

Not his typo, mind you. Rather, an aide forwarded a phishing email sent to Podesta, sending it to the campaign’s IT staff to ask if the notice was for real. The email, purportedly from Google, said that hackers had tried to infiltrate Podesta’s Gmail account.

Clinton campaign aide Charles Delavan replied that yes, the message was “a legitimate email” and that Podesta should “change his password immediately”.

There were two missing letters – “i” and “l” – that should have preceded the word “legitimate”.

As Delavan told the NYT, he knew the email was a phishing attack, given that the Clinton campaign was getting a steady stream of them. He meant to reply that the email was “illegitimate”.

What he should have told the aide was that the password should be changed immediately, directly through Google’s site and not by clicking on the link in the phishing email.

But instead, he inadvertently told the aide to click on the phishing link, and that’s how the attackers got Podesta’s Gmail login, enabling them to get into Podesta’s account and to about 60,000 emails stored therein.

Ouch, ouch, ouch.
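A defender-side triage check for the kind of notice described above, written as an added example (it is not code from the article or from anyone quoted in it): it collects the links in an HTML message that claims to come from Google and flags any that do not lead to a Google-owned host, so the answer comes back “illegitimate” for exactly the case Delavan meant to flag. The trusted-domain list and the two sample messages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a genuine Google account-security notice could link to (assumption for this example).
TRUSTED_SUFFIXES = ("google.com",)


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True only if host equals a trusted domain or is a subdomain of it.

    Lookalikes such as 'accounts.google.com.evil.example' (trusted name used as a
    prefix) and 'accounts-google.com' (hyphen instead of a dot) both fail."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def suspicious_links(html_body):
    """Return the hrefs in the message that do not resolve to a trusted host.

    urlsplit().hostname strips userinfo, so 'https://google.com@evil.example/'
    is judged by 'evil.example', not by the decoy before the '@'."""
    parser = _LinkCollector()
    parser.feed(html_body)
    bad = []
    for href in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https") or not host_is_trusted(parts.hostname or ""):
            bad.append(href)
    return bad


def verdict(html_body):
    """The one-word answer the IT desk should send back."""
    return "illegitimate" if suspicious_links(html_body) else "legitimate"


# Constructed samples: a lure styled like a provider security alert, and a genuine-looking notice.
PHISH = ('<p>Someone has your password. You should change it immediately.</p>'
         '<a href="https://accounts.google.com.security-check.example/login">Change Password</a>')
GENUINE = '<p>Review recent security events.</p><a href="https://myaccount.google.com/security">Review</a>'

if __name__ == "__main__":
    print(verdict(PHISH), suspicious_links(PHISH))
    print(verdict(GENUINE))
```

Even a message that passes this check should be acted on by going to the provider’s site directly rather than through its link, which is the advice the story turns on.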

You know, it would be great if we could rely on the FBI to inform all espionage targets of phishing attacks like that. Hell, it would be great if we could rely on the FBI to inform all of us about phishing attacks, particularly now that we’re knee-deep in Christmas retail glee and the fraud that it drags in.

But cybersecurity helps those who help themselves. And Naked Security – being all about helping those who help themselves (as well as family and friends!) – has put together 3 simple tips to stay off the hook this phishing season.

May they help you stay in the “didn’t click” percentage!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Bu25cztCNK0/

Researcher: DJI RCE-holes offered me $500 after I found Heartbleed etc on its servers

Chinese drone-maker DJI’s bug bounty programme has been struck with fresh controversy after a security researcher claimed he was offered just $500 for reporting, among others, the years-old Heartbleed vulnerability.

Infosec chap Sean Melia – no stranger to bug bounty programmes – said he discovered that DJI’s servers not only had not been patched against Heartbleed, the OpenSSL bug revealed in 2014, but were also vulnerable to SQL code injection attacks and remote code execution with root privileges.

Melia told El Reg an attacker could have “captured plaintext session cookies for users and dropped in as their account”. He also described how the SQL injection attack gave “full access to the purchase order database and full access within the application itself to all purchase orders.”

After reporting the “severe vulnerabilities” to DJI, Melia claimed he was offered $500 through the company’s bug bounty scheme. He told us that Heartbleed, the SQL injection vuln and the parameter manipulation flaw were all patched on the same day he reported them, though the remote code execution vuln “took them a few more days”.

“I declined the payment and basically told them they should not have a bug bounty programme,” Melia added to El Reg.

He claimed that, based on DJI’s own guide to bug bounty payouts, he would have expected “$16k minimum”. The remote code execution vuln and Heartbleed both appear to fall within the “critical” category of vulns “that could cause leaks of a substantial amount of user data” or a “substantial amount of crucial servers being controlled”, qualifying for a minimum payout of $5,000 each, while the parameter manipulation attack appears to qualify for the “high” category, meaning a minimum $1,000 payout.

Previously, DJI left the keys to its virtual castle lying around on Github for years. Infosec researcher Kevin Finisterre turned down a $30,000 bug bounty over what he described as thinly veiled threats by the Chinese-headquartered company, an accusation it denies. The company has since announced in a press release that it fired two developers responsible for the blunder.

+Comment

While DJI has been at pains to tell El Reg that it collects very little personal data from its customers and drone operators, finding private keys on Github and years-old bugs on its servers that expose purchase orders and customers’ personal data should not be happening to a company which presents itself as a successful multinational.

British military, police and security forces all use DJI products.

Finisterre has since faced a barrage of accusations from DJI, including press statements from the company pouring scorn on his employer, drone detection company Department 13, including mentions of its stock price and the list price of its flagship product. DJI and Department 13 compete in the drone detection market.

At no point was Finisterre’s research into DJI vulnerabilities carried out under Department 13’s auspices, he told us.

DJI was unable to comment by the time of writing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/28/dji_heartbleed_rce_sql_injection_500_bounty/