STE WILLIAMS

‘Treat infosec fails like plane crashes’ – but hopefully with less death and twisted metal

The world has never been so dependent on computers, networks and software, so ensuring the security and availability of those systems is critical.

Despite this, major security events resulting in loss of data, services, or financial loss are becoming increasingly commonplace.

Brian Honan, founder and head of Ireland’s first CSIRT and special adviser on internet security to Europol, argued that failures in cybersecurity should be viewed as an opportunity to learn lessons and prevent them happening again.

He made the remarks during a keynote presentation at the #IRISSCERT conference in Dublin on Thursday.

He used commercial airlines as an analogy. Fatal accidents per one million flights have decreased from four in 1978 to less than one in 2016. A similar, more disciplined approach has the potential to push down infosec failures too.

We need to learn from incidents rather than making the same mistakes, Honan said, adding that victim blaming – commonplace in infosec – isn’t helpful. In addition, cybercrime ought to be reported to the police. A business wouldn’t hesitate to report that someone had broken into its office but they won’t report malware – an attitude Honan said needs to change.

Sean Sullivan, a security advisor at F-Secure, made a similar point in a different context to El Reg earlier this week. “People aren’t learning from each other when they get hacked,” he said.

No postmortem was carried out following the iPhoneDevSDK watering-hole attack of February 2013, in which visitors to an iOS developer forum were served a Java browser exploit. That attack was blocked by Facebook and other targets, yet attackers were able to use the same technique of abusing Java in the browser to successfully attack Sony Pictures Entertainment the following year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/24/infosec_disasters_learning_op/

EU’s data protection bods join the party to investigate Uber breach

The massive Uber data breach will be discussed by the European Union’s data protection authorities next week.

The group, known as the Article 29 Working Party, is meeting on November 28-29 and has put the hack, which affected 57 million users, high on its agenda.

A spokeswoman for the group, which is chaired by Isabelle Falque-Pierrotin from France’s data protection authority, said that the aim was to better coordinate national investigations.

This might include writing to Uber’s CEO to push for full information to be released – as it did for the Yahoo data breach – or to launch a full taskforce.

The spokeswoman noted that the group had already formed taskforces for Google, Facebook and Microsoft in the past.

And one was recently set up to investigate WhatsApp’s privacy policies, which it said are at odds with the EU’s data protection laws.

Elsewhere in its meeting, the group will consider the first annual review of the Privacy Shield agreement that governs transatlantic data flows.

Uber has, as yet, failed to offer authorities any further information about those affected by the breach, which happened in October 2016 but was only revealed this week.

A spokeswoman for the biz said that this information would not be released until it completes the process of notifying regulators and government authorities, adding that the company “expect[s] to have ongoing discussions with them”.

Meanwhile, the breach was discussed in UK Parliament yesterday, where digital minister Matt Hancock confirmed that the first he heard of it was in media reports.

“As far as we are aware, the first notification to UK authorities – whether the Government, the [Information Commissioner’s Office] or the [National Cyber Security Centre] – was through the media,” Hancock told MPs.

Wes Streeting, Labour MP for Ilford North, said it was “outrageous” that Uber had hushed up the breach, and urged the government to sever ties with the ride-hailing firm.

I am pro-tech, pro-competition and pro-innovation, but given that Uber stands accused by the Metropolitan Police of failing to handle serious allegations of rape and sexual assault appropriately, given that Uber has to be dragged through the courts to provide its drivers with basic employment rights and to pay its fair share of VAT and given that we now know that Uber plays fast and loose with the personal data of its 57 million customers and drivers, is it not time that the Government stopped cosying up to this grubby, unethical company and started standing up for the public interest?

Hancock didn’t respond directly to that comment, instead noting that taxi licensing was an issue for local authorities, as well as taking the opportunity to plug the higher fines that would be available to the ICO under the government’s proposed Data Protection Bill. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/24/eu_data_protection_watchdogs_to_investigate_uber_data_breach/

UK emergency crews get 4G smartmobes as monkeys attempt to emerge from Reg‘s butt

The British emergency services are to be equipped with 4G phones thanks to a new handheld device contract with Samsung worth up to £210m.

The deal with the South Korean company will last for at least three years and could supply up to 250,000 phones. It is part of a continuing £1.2bn project to replace the current Airwave radio network with the Emergency Services Network (ESN), whose devices use ordinary 4G signals on a network provided by EE rather than a dedicated radio system.

Currently only 70 per cent of the UK’s landmass is covered by British mobile operator EE’s 4G network. This needs to be increased to 97 per cent to match Airwave’s coverage.

Samsung competed for the contract alongside specialist emergency comms company Sepura, and also Motorola, which operates the Airwave network.

The police, firefighters and paramedics won’t be using your average handset, however. Their custom models are toughened, water resistant and have push-to-talk buttons like their old radios.

They will also have internet access in the field for the first time, allowing live video broadcasting and access to records and other information.

A Home Office statement said: “Using a single ESN 4G device is more effective, efficient and less costly than using a combination of the existing Airwave devices and multiple commercial networks and standard 4G devices.

“The new Emergency Services Network will provide the dedicated teams who work so hard protecting the public and saving lives with the most advanced communications system of its kind anywhere in the world.”

There have been problems in bringing the ESN online, however. There have been two delays to its activation already, and there is still work to be done to improve signal quality in remote areas.

In light of these issues, it is likely that Motorola’s Airwave system will have to be kept running after its intended switch-off in 2020, adding to the total cost of activating the ESN. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/24/samsung_4g_devices_for_police_fire_and_ambulance/

Seek ‘passion’ and tech skills will follow, say recruiting security chiefs

Plugging the infosec skills gap with expensive consultants or by trying to hire already skilled people won’t fix recruitment headaches, Thom Langford, CISO at Publicis Groupe, insisted at the #IRISSCERT conference in Dublin this week.

He argued that the industry should be looking for “passionate people and inspire them”, rather than people with CVs ticking the appropriate boxes.

“I’m not asking for people to take chances, rather give people opportunities” by looking beyond qualifications and experience and thinking about potential.

“We need to stop looking only for round pegs to go into round holes,” Langford said, adding that those with an IT background pick things up more quickly.

Lee Munson, senior associate for information security at Publicis Groupe, added that would-be infosec entrants should “demonstrate their passion” and the tech skills should follow naturally.

Another speaker was Christopher Boyd, an analyst at Malwarebytes. Boyd’s degree was in fine art, but the consequences of a friend’s computer becoming infected with malware prompted him to help take down a hacker group, and that led him to become more and more involved in infosec.

Boyd is a seven-time Microsoft MVP in Consumer Security. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/24/infosec_recruitment/

Linus Torvalds on security: ‘Do no harm, don’t break users’

Linus Torvalds has offered a lengthy explanation of his thoughts on security, a calmer and more detailed version of the expletive-laden remarks he made on the topic earlier this week.

Torvalds was angry that developers wanted new kernel hardening code to kill a process as soon as it detected a bad access, a measure that would have removed potential problems but done so in ways that users would not have enjoyed.

His long post on the matter suggested to security practitioners that “’Do no harm’ should be your mantra for any new hardening work.”

“And that ‘do no harm’ may feel antithetical to the whole point,” Torvalds added. “You go ‘but that doesn’t work – then the bug still exists.’ But remember – keep your eye on the endpoint, and that this is just the first step. You need to not piss off users, and you need to not piss off developers.”

Torvalds explained that the kind of security person he does not like thinks “the big win is when the access is _stopped_.”

“But from a developer standpoint, things _really_ are not done. Not even close. From a developer standpoint, the bad access was just a symptom, and it needs to be reported, and debugged, and fixed, so that the bug actually gets corrected,” he added. “So from a developer standpoint, the end point of hardening is just the starting point, and when _you_ think you’re done, we’re really only getting started.”

The Linux overseer added that when hardening efforts see a process or feature disabled, users see it as “just a latent bug that got exposed.”

“And the keyword here is that it was _latent_, and things used to work, and the hardening patch did something – probably fairly drastic – to turn it from ‘dangerous’ to ‘benign’ from a security perspective.”

“So from a user standpoint, the hardening was just a big nasty annoyance, and probably made their workflow _break_, without actually helping their case at all, because they never really saw the original bug as a problem to begin with.”

Torvalds’ post explained his view that “… the number one rule of kernel development is that ‘we don’t break users’.”

“Because without users, your program is pointless, and all the development work you’ve done over decades is pointless.”

“Because in the end, those users really do matter. Without those users, your system may be ‘secure’, but all your security work was still just masturbation. You didn’t do anything useful at all in the end.”

Torvalds therefore outlined his preferred way of working, which involves security people reporting issues first, so that kernel developers can address them root and branch as they update Linux.

“All I need is that the whole ‘let’s kill processes’ mentality goes away, and that people acknowledge that the first step is always ‘just report’,” he wrote, then concluded with “Do no harm. Please.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/24/linus_torvalds_approach_to_security/

Firefox to warn users who visit p0wned sites

Mozilla developer Nihanth Subramanya has revealed the organisation’s Firefox browser will soon warn users if they visit sites that have experienced data breaches that led to user credential leaks.

A recently-released GitHub repo titled “Breach Alerts Prototype” revealed “a vehicle for prototyping basic UI and interaction flow for an upcoming feature in Firefox that notifies users when their credentials have possibly been leaked or stolen in a data breach.”

Subramanya explained that Mozilla has teamed with haveibeenpwned.com to source data that will warn users. He also outlined the following goals for the feature:

  1. Inform users about data breaches through the Firefox UI – for example, a notification when they visit a site (or maybe when they focus a form on a login page) known to have recently been breached.
  2. Expose documentation/educational information about data breaches in the Firefox UI – for example, a “Learn more” link in the notification mentioned above leading to a support page.
  3. Offer a way for interested users to learn about and opt into a service that notifies them (e.g. via email) when they may be affected by breaches in the future.

The feature’s not complete, in code or conceptually.

On the code front, Subramanya built the prototype on the structure of a legacy add-on, a type of extension that Firefox 57 recently stopped supporting. He has therefore admitted that will need to change.

The concept also needs work, as Subramanya explained:

The third goal brings up some privacy concerns, since users would need to supply an email address to receive notifications. Who is the custodian of this data? Can we avoid sending user data to haveibeenpwned.com? Can we still offer useful functionality to users who opt out of subscribing their email address? While the project is still in infancy, the idea is to offer as much utility as possible while respecting the user’s privacy.

He also wrote that the tool will report on hacks like Adobe.com or LinkedIn.com that occurred several years ago and have been the subject of advisories from those vendors. Being notified of those incidents over and over may not meet the stated goal of educating users “on the repercussions, what they can do when such a breach occurs, and protect themselves in the future.” ®
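Two of the open questions above, whether the lookup can be done without sending the user’s browsing to haveibeenpwned.com and how to avoid nagging about Adobe or LinkedIn on every visit, can be answered in the decision logic itself. The following is an added illustration written for this page, not Mozilla’s prototype code. It assumes the browser holds a locally downloaded copy of the breach list (so hostnames never leave the machine), treats a breach as “recent” only if it was added to the list within `max_age`, and announces each (site, breach) pair once while keeping older incidents available through a `history()` call that a “Learn more” page could show. The breach records are constructed sample data modelled on the public fields haveibeenpwned.com exposes; `shop.example` is hypothetical and the dates are illustrative.

```python
"""Local breach-alert decision logic (added example, not Mozilla's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

TODAY = date(2017, 11, 24)  # the article's date, used as "now" in the demo


@dataclass(frozen=True)
class Breach:
    name: str
    domain: str
    breach_date: date  # when the compromise happened
    added_date: date   # when it was added to the list, i.e. became public


# Constructed sample records; field layout follows haveibeenpwned.com's public
# breach data, dates are illustrative and shop.example is hypothetical.
SAMPLE_BREACHES = [
    Breach("Adobe", "adobe.com", date(2013, 10, 4), date(2013, 12, 4)),
    Breach("LinkedIn", "linkedin.com", date(2012, 5, 5), date(2016, 5, 21)),
    Breach("ExampleShop", "shop.example", date(2017, 10, 1), date(2017, 11, 20)),
]


def registrable_domain(hostname: str) -> str:
    """Reduce a hostname to the label a breach record is keyed on.

    Simplification: keep the last two labels. Real code must consult the
    Public Suffix List, otherwise "bbc.co.uk" would collapse to "co.uk".
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class BreachAlerts:
    breaches: List[Breach]
    max_age: timedelta = timedelta(days=365)
    shown: set = field(default_factory=set)  # (domain, breach name) already announced

    def history(self, hostname: str) -> List[Breach]:
        """All known breaches of the site, newest first, regardless of age.

        Everything here stays on the local machine: the visited hostname is
        compared against the downloaded list and is never sent anywhere.
        """
        dom = registrable_domain(hostname)
        return sorted((b for b in self.breaches if b.domain == dom),
                      key=lambda b: b.added_date, reverse=True)

    def should_notify(self, hostname: str, today: date = TODAY) -> Optional[Breach]:
        """Return the breach to announce on this visit, or None.

        Only breaches added within max_age qualify, and each is announced once
        per site, so an old incident such as Adobe (2013) remains visible via
        history() but does not pop up every time the site is opened.
        """
        dom = registrable_domain(hostname)
        for b in self.history(hostname):
            if today - b.added_date > self.max_age:
                continue  # stale: the vendor advised users years ago
            key = (dom, b.name)
            if key in self.shown:
                continue  # already announced for this site
            self.shown.add(key)
            return b
        return None


if __name__ == "__main__":
    alerts = BreachAlerts(SAMPLE_BREACHES)
    print(alerts.should_notify("www.adobe.com"))        # None: too old to notify
    print(alerts.history("www.adobe.com"))              # still listed for "Learn more"
    print(alerts.should_notify("login.shop.example"))   # ExampleShop, first visit
    print(alerts.should_notify("shop.example"))         # None: already shown
```

The same structure accommodates the third goal without an email address: the opt-in notification service is an extra path for users who want it, while the default path above never transmits anything.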

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/24/firefox_data_breach_warning_plan/

Tether hits back after $31m cryptocurrency hack

Hackers have stolen another $30.9m in cryptocurrency.

In a “critical announcement” on Monday, cryptocurrency startup Tether said the funds had been removed from the Tether Treasury wallet on 19 November and sent to an unauthorized bitcoin address.

But things aren’t as bad as they seem, Tether said – technically the money is not yet out of reach.

In a Bitcoin theft we might expect the thief to try and launder the stolen cash via a so-called tumbler service, something that makes following the money through the currency’s anonymous but transparent transaction logging very difficult.

But this isn’t a normal Bitcoin theft – the total value of bitcoins transferred into the unauthorized address on 19 November wasn’t $31m worth, it was closer to $41,000.

Confused? Welcome to the world of cryptocurrencies.

Tether is described by Coindesk as “a proxy for the US dollar that can be sent between exchanges, notably including Bitfinex, Poloniex and other markets without fiat trading.”

So what the hackers took off with wasn’t $30.9m USD in US dollars or bitcoins. Instead it was $30.9m USDT, “tokens” backed one-to-one by US dollars Tether says are held in reserve. The Tether transactional ledger that records what happens to those USDT tokens is embedded as metadata in the distributed ledger that records transfers of bitcoins, the blockchain.

Tether said it knows the address that is holding the funds, and won’t redeem any of the tokens.

As Tether is the issuer of the USDT managed asset, we will not redeem any of the stolen tokens, and we are in the process of attempting token recovery to prevent them from entering the broader ecosystem.

The attacker is holding funds in the following address: 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r. If you receive any USDT tokens from the above address, or from any downstream address that receives these tokens, do not accept them, as they have been flagged and will not be redeemable by Tether for USD.

The company says it is also providing a new version of its Omni Core software. The update, available from GitHub, is designed to isolate the stolen tokens: “any and all exchanges, wallets, and other Tether integrators should install this software immediately in order to prevent loss,” the company wrote.

Doing so will create a temporary so-called “hard fork”: nodes running the new rules treat the flagged tokens as frozen, which in essence neutralises the theft even though the transfer itself stays on the blockchain. That is the same trick performed by another troubled cryptocurrency, Ethereum, in July 2016, after a smart contract called The DAO (Decentralized Autonomous Organization) was hacked the previous month and the attacker siphoned off an estimated $50m.
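The rule in the announcement above, that tokens from the attacker’s address or from any downstream address that receives them are not redeemable, is a taint-propagation problem over the transaction ledger. The following is an added illustration written for this page, not Tether’s Omni Core code. The attacker address is the one Tether published; every other address and all of the transfers are constructed for the example. One simplification is labelled in the code: taint is tracked per address rather than per token, so an address that receives even one flagged token is treated as wholly flagged, which is also why integrators were told to install the update before accepting further deposits.

```python
"""Flag stolen USDT and everything downstream of it (added example, not Tether's code)."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    seq: int      # ledger order; Omni transactions inherit the order of the
                  # Bitcoin block and index they are embedded in
    src: str
    dst: str
    amount: int   # USDT, whole tokens for readability


ATTACKER = "16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r"  # address named in Tether's announcement

# Constructed sample ledger; all addresses other than ATTACKER are hypothetical.
SAMPLE_TRANSFERS = [
    Transfer(1, "tether_treasury", ATTACKER, 30_950_000),  # the theft
    Transfer(2, "mule1", "early_recipient", 50),           # mule1 is still clean here
    Transfer(3, ATTACKER, "mule1", 1_000_000),             # first hop out of the attacker
    Transfer(4, "mule1", "exchange_hot", 999_000),         # second hop, into an exchange
    Transfer(5, "carol", "mule1", 10),                     # paying INTO a flagged address
    Transfer(6, "alice", "bob", 500),                      # unrelated traffic
]


def tainted_addresses(transfers: Iterable[Transfer], flagged: Set[str]) -> Set[str]:
    """Propagate taint forward through the ledger in chronological order.

    Order matters: mule1's payment at seq 2 went out before mule1 had received
    anything from the attacker, so early_recipient stays clean, while everything
    mule1 sends after seq 3 is flagged. Sending tokens TO a flagged address
    (carol at seq 5) does not taint the sender.

    Simplification: taint is per address, not per token, so a mixed balance
    such as exchange_hot's is frozen as a whole.
    """
    tainted = set(flagged)
    for t in sorted(transfers, key=lambda t: t.seq):
        if t.src in tainted:
            tainted.add(t.dst)
    return tainted


def can_redeem(address: str, tainted: Set[str]) -> bool:
    """Issuer-side check: refuse to convert USDT to USD for flagged holders."""
    return address not in tainted


def screen_redemptions(requests: List[Tuple[str, int]],
                       tainted: Set[str]) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Split (address, amount) redemption requests into accepted and refused lists."""
    accepted, refused = [], []
    for addr, amount in requests:
        (accepted if can_redeem(addr, tainted) else refused).append((addr, amount))
    return accepted, refused


if __name__ == "__main__":
    tainted = tainted_addresses(SAMPLE_TRANSFERS, {ATTACKER})
    print(sorted(tainted))
    print(screen_redemptions([("exchange_hot", 999_000), ("bob", 500)], tainted))
```

An exchange that ran the old rules and credited the `exchange_hot` deposit at seq 4 is left holding tokens the issuer will not redeem; a per-token model would let it quarantine just the tainted 999,000 rather than the whole wallet, at the cost of tracking provenance for every balance.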

Finally the company said that, aside from the stolen tokens, “all Tether tokens remain fully backed by assets in the Tether reserve.”

So, no problem? Just a hiccup?

Well, online cryptocurrency watchers are openly dubious about the assurances coming from Tether and have raised virtual eyebrows in the direction of the suddenly-empty Tether transparency page.

Beyond all that, CoinDesk reports that the announcement of the hack, “comes amid a period of growing discussion – and controversy – around Tether.”

Tether also was not responding to emails or calls as of Tuesday.

But, the incident has apparently not caused major disruption to the value of Tether or Bitcoin. According to Coinmarketcap, Tether is ranked as the 19th most valuable cryptocurrency, with a market capitalization of $674 million.

The company said it issued over $300 million worth of USDT in the last week alone.

And Bitcoin, while it took a hit earlier in the day, recovered quickly and was listed at $8,152 at the end of Tuesday.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8X51j-y0dUk/

Royal Navy destroyer leaves Middle East due to propeller problems

A Type 45 destroyer has been recalled to Britain with propeller problems, leaving the Royal Navy’s traditional “east of Suez” deployment without proper warship cover.

As revealed in The Times, HMS Diamond is on her way back to the UK after a propeller problem proved too much for the ship’s crew to repair on their own.

The problem is not linked to the Type 45’s notoriously unreliable WR-21 engines. Rumours have swirled that Diamond is a testbed for an interim fix before a proper solution is rolled out in 2019.

As discussed elsewhere, including on the Thin Pinstriped Line defence blog, the withdrawal of Diamond from her planned nine-month deployment leaves naval planners in a very difficult situation. While the RN does have a permanent presence in the Middle East, at the moment it is down to four minesweepers and their lightly armed support ship.

Nearly a year ago today the First Sea Lord, Admiral Sir Philip Jones, complained about negative media coverage of the RN, writing: “The Royal Navy may be smaller than in the past but has a strong future so this is no time to talk the Navy down.”

Without a proper destroyer (anti-air) or frigate (anti-submarine) on the scene, the five British naval vessels in the region are at increased risk of, if not an outright attack, something provocative and cheeky – such as when Iran snatched a boat containing more than a dozen British sailors.

The withdrawal of the destroyer reveals the wider problem that lack of funding, and all the knock-on effects that causes, has on the Royal Navy. In yesterday’s Budget, chancellor Philip Hammond did not mention defence, though the Ministry of Defence’s budget is set to increase by a billion pounds per year until 2019. This may sound like a lot until one considers that the MoD’s budget is £36bn – and defence-watchers reckon the department needs a lot more cash than that to follow through with its spending commitments.

Already, Parliament has been told that flagship British defence projects such as the F-35 fighter jet may be cut back, in response to the value of the pound sinking against the dollar over the last year or so. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/23/hms_diamond_withdrawn_middle_east/

Mr. Robot eps3.6_fredrick+tanya.chk – the security review

Last week’s episode may have left us with a cliffhanger, but this week’s episode tied up a big loose end from last season… though not in the way I imagine any of us wanted.

Darn you, Sam Esmail!

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON

Dark Army hacks planes to go down, not sideways

At the end of the episode, we see the Dark Army agents (very sadly) use Mobley and Trenton as pawns in their greater scheme for their next attack – creating malware that targets major air traffic control systems in huge US metro areas to simultaneously crash airplanes.

The idea of hacking planes isn’t new, though it has been relegated to the realm of the theoretical or extremely unfeasible until the last few years.

Two years ago, researcher Chris Roberts claimed to have successfully hacked a plane on which he was a passenger by messing with the in-flight Wi-Fi.

Roberts tweeted that he was able to play with the oxygen mask deployment protocols, and according to the FBI, even said – to much disbelief – that he was able to make the plane briefly fly sideways by messing with the engines.

Around that same time in 2015, the US Government Accountability Office (GAO) released extensive reports about airplane and air traffic security, leading to rather wild headlines such as “hackers could bring down [planes] using passenger Wi-Fi”, a claim that we felt rather mis-represented the points that the GAO was trying to make.

With this background, it’s not a surprise to see plane hacking come up in the Mr. Robot story now as a real attack vector used by the Dark Army.

I should add that this week’s episode is particularly topical, because just a week ago the Department of Homeland Security claimed that it had remotely hacked a plane in a controlled experiment. (They didn’t share how it was done, or even what was hacked – I imagine they don’t want anyone else to give it a shot.)

Other notes

  • It was a nice touch to see Trenton messing with the bike lock around her wrists. Lockpicking – ahem, I mean locksport – is a cool part of hacker culture, practised as a surprisingly relaxing hobby by many security researchers. I’ve attended many hacker conventions, from the big ones like DEF CON to small local BSides chapters, that have a lockpick village or a lockpick table where you can try out lockpicking for the first time, brush up on skills, or help teach others. Granted, cheap bike cable locks are no more than half a step up in complexity from a child’s diary lock, and we didn’t see Trenton do anything more sophisticated than messing with the numbers until she felt the lock’s wheels set in place, but it was still nice to see.
  • I chuckled when Elliot’s therapist, Krista, got yelled at about potentially violating HIPAA regulations. We hear about HIPAA a lot in the professional information security world, as keeping patient data safe is a legal and ethical concern for so many organizations. It’s easy to forget that organizations outside the world of computer security have to comply with HIPAA regulations as well, so it was interesting to hear about it in a non-security context.

As always, I’d love to hear your thoughts on this week’s episode.

Are you alarmed about Angela’s suddenly very fragile state of mind?

I’m hoping Dom is the one person who manages to unravel Whiterose’s whole plan, but it’s not looking likely at all.

How about you – does Mr. Robot (the show, not the character) have you rooting for the Feds, or are you Team Hacker no matter what?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1dTfJNeRhZY/

Androids caught secretly reporting location data regardless of opt-out

Android users, are you wary about being tracked via your phone’s location data?

…So worried that you turn off location services for apps in your settings?

…So cautious that you haven’t even inserted a carrier SIM card?

Well, that’s all been an exercise in futility!

A new report from Quartz has discovered that Google’s been collecting the locations of Androids (and therefore their users) – triangulating them via nearby cell towers.

Quartz tested it on devices that had no apps installed, that lacked SIM cards, and that had location services turned off.

Google has confessed. Yes, it said when contacted by Quartz, it’s been calling home with cellphone tower data since January 2017, in spite of our privacy concerns and the preferences we stipulate in settings.

A Google spokesperson told Quartz that Android devices have been sending the addresses of nearby cell towers as part of the system Google uses to manage push notifications and messages.

The location data was never used, and therefore was never stored, according to the spokesperson. (If you don’t find that particularly comforting, too bad – it’s not possible to disable the feature.)

However, the spokesperson told Quartz that Google is “taking steps to end the practice… at least as part of this particular service.” Google didn’t say whether there are other Android services that do this, but it did say that Android phones will stop snarfing up cell tower location data by next Thursday.

It wasn’t a bug, the spokesperson said in an email. It was intended as a way to grease the wheels of our messaging!

In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery. However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.

The finding pertains to all modern Android devices. Quartz talked to a source familiar with the matter who said that Google started collecting the cell tower addresses after it changed its Firebase Cloud Messaging service, which is owned by Google and runs on Android phones by default.

Quartz observed the location data being shared even on devices reset to factory default settings and apps. Mobile phones keep in touch with the cellular network even if you don’t have a SIM card inserted, which is why you’ll see a signal strength indicator even when you’re not able to make calls. So Google gets data every time a device comes within range of a new cell tower, and as long as the device has internet access – even if you’re only connected over Wi-Fi – Google can call home with that data.

You don’t have to look far to find instances where location data has been used in surveillance scenarios in which the information of scads of unintended targets gets caught up in dragnets. One of the most notorious such dragnets was revealed by Edward Snowden, when he released documents that showed that the National Security Agency (NSA) was collecting and storing data in a vast database that contained the locations of at least hundreds of millions of devices.

Nevertheless, there’s no evidence that Google was up to no good, and therefore no obvious reason to distrust the statement that the data was submitted but discarded.

After all, after the Google Wi-Spy scandal – where Street View cars drove around sniffing out Wi-Fi network names but accidentally saved additional data fragments along the way, sometimes including passwords, usernames, email contents and so on – you’d like to think that Google wouldn’t keep data it wasn’t directly using.

How does one avoid being tracked by cell phone towers when they track you even with location services turned off? Most consumers would likely imagine that powering down their handsets should prevent them from emitting or receiving a signal. They might be wrong.

With Snowden’s release of documents, the possibility arose that the NSA can even trace a phone that’s powered off. In fact, the US State Department’s Bureau of Diplomatic Security in 2013 warned those traveling to the Winter Olympic Games in Russia to be extremely cautious with communications. The department’s list of precautions included removing batteries from phones entirely when not in use. Snowden himself told people to store their phones in the refrigerator, given that it’s a Faraday cage that blocks electromagnetic fields.

So there you have it: if you’re really worried about tracking, it seems you only have two choices: de-batterize the sucker, or get your kitchen appliances to shut it up.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/z5ZwOLxdXWM/