STE WILLIAMS

Shut the front door: Jewson ‘fesses up to data breach

Builders merchant Jewson has confirmed in writing to customers that their privates could have been exposed in a cyber break-in that occurred late this summer.

In a letter sent to customers – seen by The Reg – Jewson stated: “As a Jewson Direct customer, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/debit card details may have been compromised.”

The digital burglary is “likely” to have taken place on 23 August but was only discovered on 3 November. The website was temporarily shuttered on learning of the breach and remains closed. The ICO was then informed of the hack on 10 November. The hackers were seemingly left undetected for weeks, giving them plenty of scope to do all sorts of mischief.

“We are commissioning a detailed and thorough forensic investigation into the breach. The investigations of the breach are ongoing,” the missive added.

Based on the information to hand, Jewson warned that customers’ names, location, billing address, password, email, phone number, payments details, card expiry dates and CVV numbers “may” have fallen into the hands of an “unauthorised person”. Oddly, despite this, when we asked the firm, a spokeswoman told us that “no card data is stored by Jewson”.

It is not known how the information was encrypted. Although we asked the organisation to clarify, a spokeswoman sent us this odd statement:

At this stage we are aware that a foreign piece of code was encrypted into the Jewson Direct (formerly Jewson Tools Direct) website. The code has been identified and removed, and we are investigating the breach of security and any related potential loss of information/personal data. No card data is stored by Jewson, however, until the investigation has been completed, customers have been informed of a potential breach of card data as an advisory measure.

We follow the Payment Card Industry Data Security Standard (PCI DSS). The Jewson Direct website has been taken offline and will not be turned back on until we are informed by independent third parties that any security issues have been corrected.

In a bid to “mitigate possible adverse effects of the breach”, customers are advised to monitor their accounts. In further no-shit-Sherlock guidance, punters that spy any unusual activity or transactions they do not recognise should contact their credit or debit card provider.

The letter sent to customers vowed: “To help you monitor your personal information for certain signs of potential theft, we are offering you a complimentary 12-month membership to Experian ProtectMyID. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focused on the identification and resolution of identity theft.”

Reassuring indeed. Or maybe not.

In addition to the question about how the data it held was encrypted, The Reg also asked Jewson how many customers’ details were likely compromised, how the miscreant accessed the data and what subsequent steps were taken to improve security.

Concerned customers can contact Jewson’s customer services help desk on 024 7660 8235.

A representative of the Information Commissioner’s Office told us, “We are aware of an incident involving Jewson, and will be making enquiries.” ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/14/jewson_suffers_data_breach/

Estonia cuffs suspect, claims he’s a Russian ‘hacker spy’

Russia has denied that a person nabbed by Estonian local authorities was one of its spies. Estonia alleges the suspect had been intent on hacking into the Baltic country’s computer network.

Alexei Vasilyev, 20, was arrested by officials of the Estonian Internal Security Service (ISS) in the northeastern border city of Narva on 4 November as he was about to leave Estonia. The Russian national has since been detained on suspicion of being an agent of the Russian Federal Security Service (FSB).

Russian ambassador to Estonia Alexander Petrov told Interfax on Monday that he was “perplexed as to why the Estonian authorities said right after his detention that he is an FSB agent”, Estonian news outlet ERR reports.

Local reports suggest the arrest is not connected to recent security problems with Estonia’s ID-card nor is it connected to Estonia’s current term of presidency of the Council of the European Union.

The suspect is alleged by Estonia to have been making preparations to hack into unspecified Estonian state institutions. According to the Estonians, these activities were “monitored throughout” and were “unsuccessful”. No further details of the alleged offences have been released to date.

“Acting against the Republic of Estonia as an agent of a foreign power’s special service is definitely a serious crime and we will find out all important details as soon as possible,” state prosecutor Inna Omblerr said, the Baltic Times reports. “At present we can say without disclosing any details that bigger damage was prevented.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/14/alleged_hacker_spy_arrested_in_estonia/

Russian Developer Snuck Cryptocurrency Mining into Android Apps

Apps found in Google Play turned mobile devices into cryptocurrency miners unbeknownst to their users, according to researchers from security firm Ixia.

A Russian developer installed cryptocurrency mining code in his popular crossword game app Puzzle as well as his in-game awards and bonuses app Reward Digger, without notifying users they would be mining cryptocurrency coins on his behalf, according to researchers.

Although it’s not illegal for developers to put cryptocurrency-mining capabilities into their own apps, the issue becomes an ethical one if users are not aware their mobile devices are being used to mine cryptocurrency, says Steve McGregory, who leads the Application Threat Intelligence (ATI) team at Ixia that recently studied the rigged apps.

Oxothuk, the user name of the independent developer who created the two apps, included crypto-mining features in the apps without adequately informing users, McGregory told Dark Reading. Cryptocurrency mining consumes CPU power, electricity, and data usage as information is passed during the mining process, he notes, which can degrade device performance.

ATI discovered Oxothuk’s apps on Nov. 2 when it noticed their cryptocurrency mining capabilities. “We found he was not disclosing what the apps were doing and that is deceptive to users,” McGregory says. Puzzle alone has had 5 million to 10 million downloads.

One of the unique aspects of the apps is that the creator used his user name “Oxothuk” for the mining pools, rather than only listing his wallet address to authenticate the miners, McGregory notes. “He felt he was doing nothing wrong at all, whereas others who know they are being deceptive will not want to be found and will try to obfuscate their identity,” says McGregory.

Indeed. Oxothuk, in an interview with Dark Reading, contends that he informed his users of his mining intent in the apps’ terms and conditions. He says some hackers instead hide their cryptocurrency mining intent from users and chew up their CPU power without their permission.

Regardless, Reward Digger was taken offline by Google after ATI reported the app, and Puzzle was updated on Nov. 8. But McGregory notes that the Puzzle app continues to trick users into letting them earn “in-game coins” while Oxothuk earns real crypto-currency coins.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/mobile/russian-developer-snuck-cryptocurrency-mining-into-android-apps/d/d-id/1330413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

ADT Expands Cybersecurity Business with Purchase of Datashield

Home and business security giant launches ADT Cybersecurity to offer managed detection and response (MDR) service.

Physical security firm ADT today announced its purchase of managed detection and response services company Datashield in a bid to expand its cybersecurity services business for large enterprises and mid-sized companies.

As part of the acquisition, ADT is launching the new ADT Cybersecurity group, which will house Datashield’s real-time forensic MDR service as well as ADT’s existing network, router and firewall security services business, says Michael Malone, Datashield CEO and ADT’s senior vice president of ADT Cybersecurity.

ADT also anticipates adding more cybersecurity offerings to its new group in the coming year, says Malone.

“We can do 24/7 forensics and full-packet capture on the network,” Malone says. The new MDR service takes an estimated 15 hours from the time of a compromise to discovery, he says, a figure that has shrunk from 24 hours and is substantially less than the industry’s median time of 80 days.

“Our assumption is attackers are going to get in, but if they do we will stop the attack before it’s a big breach,” Malone says. “With our technology, we see the entire network, and with full-packet capture we can see what they are trying to take.”

Merging into One

The two companies initially met to discuss a potential ADT investment into Datashield back in the May-June timeframe, but those talks soon transitioned into a buyout offer after ADT became interested in MDR technology, Malone recalls.

“Our goal is to provide ADT customers with the most comprehensive security solution to protect their business, and in today’s world, this not only means their physical premises, but also their network,” Timothy Whall, ADT CEO, said in a statement.

Gartner predicts that approximately 20% of mid-market and enterprise companies will use MDR services by 2020, up from 1% in 2016.

Malone predicts that Datashield competitors Dell SecureWorks, eSentire, and others may find themselves entertaining potential mergers, or some form of business relationship, with brick and mortar security companies in the future.

“Our deal may raise a lot of eyebrows and get people thinking,” Malone explains.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/threat-intelligence/adt-expands-cybersecurity-business-with-purchase-of-datashield/d/d-id/1330417?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cloudflare Buys Mobile Firm Neumob

The deal will give Cloudflare technology to optimize mobile security, performance.

Web security firm Cloudflare has acquired startup Neumob to broaden performance and security support for mobile devices, the company said.

Neumob offers a mobile software developer kit to developers so they can embed their software in mobile apps. The SDK reportedly boosts load times and in-app performance by 30 to 300%, lessens app errors and timeouts by up to 90%, and cuts bandwidth usage and data fees. Early on, it released VPN software for end users to install on their mobile devices.

This is Cloudflare’s first mobile acquisition, and its first consumer offering, the company said.

This deal will scale both the mobile performance technology and the VPN to Cloudflare’s network of 118 data centers in 58 countries, serving more than 7 million domains. Cloudflare plans to relaunch Neumob’s VPN and acceleration products as part of its product suite, and migrate the mobile firm’s retail hosting network, to improve both security and performance, it said.

“Combined with Cloudflare’s Railgun, Warp, and Argo products, the Neumob code means that data flowing to and from mobile applications will be optimized, secured, routed and accelerated across Cloudflare’s network end-to-end: from handset to origin server and back,” Neumob explains.


Article source: https://www.darkreading.com/cloud/cloudflare-buys-mobile-firm-neumob-/d/d-id/1330418?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Think the US is alone? 18 countries had their elections hacked last year

While America explores quite how much its election was interfered with by outsiders, the news isn’t good for the rest of us, according to independent watchdog Freedom House.

In its annual Freedom on the Net report on the state of the internet and democracy, the group surveyed 65 nation states comprising 87 per cent of internet users and found 18 where either governments or outside bodies had tried to influence an election by restricting or interfering with internet use.

“The use of paid commentators and political bots to spread government propaganda was pioneered by China and Russia but has now gone global,” said Michael Abramowitz, president of Freedom House. “The effects of these rapidly spreading techniques on democracy and civic activism are potentially devastating.”

While some of the election interference attempts were performed by outside countries, the majority were carried out either by the local government or opposition. And outside of elections, 30 countries have now been found to be running armies of paid trolls to try and influence general public opinion.

China is the biggest player in this field, with a huge army of paid bloggers and social media users who either broadcast state-friendly messages or muddy the waters with fake news or smearing political opponents. But other countries are catching up fast.

Russia has its Internet Research Agency, a trolling operation controlled by a businessman who supports Vladimir Putin. In the Philippines, President Duterte’s supporters offered $10 a day for members of the “keyboard army,” while in Turkey the 6,000-strong “White Trolls” pollute the online world with scores of pro-government propaganda.

“Not only is this manipulation difficult to detect, it is more difficult to combat than other types of censorship, such as website blocking, because it’s dispersed and because of the sheer number of people and bots deployed to do it,” said Sanja Kelly, director of the Freedom on the Net project. “The fabrication of grassroots support for government policies on social media creates a closed loop in which the regime essentially endorses itself, leaving independent groups and ordinary citizens on the outside.”

Overall, only 23 per cent of the internet is classified as “free” by Freedom House, and even some of those countries are on the shaky list. Freedom House notes that the Trump presidency’s demand to see the names of those who protested against the inauguration is a worrying sign and may signal further crackdowns ahead.

In all, 14 countries this year passed some kind of legislation to restrict internet use. The Russians banned VPNs, 19 countries have staged some kind of internet shutdown around a political event, and the authorities are increasingly targeting live streaming of events.

Most worryingly, physical attacks against people speaking their minds online rose 50 per cent in the last year, Freedom House reports. In eight countries journalists or online commentators have been killed for what they put online, with Brazil, Mexico, Pakistan and Syria the worst offenders.

The forecast for next year is for things to get worse still, so enjoy your free internet while you still have it. Even better, take action to try and improve things. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/14/think_the_us_is_alone_18_countries_had_their_elections_hacked_last_year/

WikiLeaks is wiki-leaked. And it’s still not even a proper wiki anyway

Julian Assange’s WikiLeaks – that bastion of fiercely independent journalism – privately urged the Trump campaign to not concede the 2016 presidential election, to contest the result as rigged, and asked for one of Donald’s tax returns so as to appear impartial and nothing whatsoever to do with Russia’s meddling in the White House race.

Private Twitter messages obtained by The Atlantic detail how WikiLeaks interacted with the president’s son, Donald Trump Jr, between September 2016 and July of this year. The messages include requests for comment from the campaign, which is normal for journalists, and endorsements from Donald Trump of WikiLeaks publications, which is a bit odd, as well as “advice” from WikiLeaks staff to Trump Jr, which is flat-out weird.

The DMs were part of a collection of documents Donald Trump Jr’s attorneys provided to US congressional committees investigating allegations of Russian interference in the 2016 presidential elections. During the campaigning, WikiLeaks dumped online private emails stolen from the Democratic Party; the source of those messages is believed to be Kremlin-backed hackers.

Most notably from that Twitter exchange is a conversation that took place in late October 2016, just weeks before the national election. In those messages, WikiLeaks suggested that Trump’s team provide it with “one or more” of Donald’s tax returns in exchange for continued favorable coverage. The TV celebrity was refusing to make his returns public, and it appears WikiLeaks sought a copy to publish in order to demonstrate it totally wasn’t rooting against Assange’s arch-nemesis, Hillary Clinton, and singing from the same hymn sheet as Trump and Moscow.

“If we publish them it will dramatically improve the perception of our impartiality,” WikiLeaks told Trump Jr.

“That means that the vast amount of stuff that we are publishing on Clinton will have much higher impact, because it won’t be perceived as coming from a ‘pro-Trump’ ‘pro-Russia’ source.”

Trump Jr’s Twitter account did not respond to the offer.

Even after the election, the two sides were said to have corresponded, with WikiLeaks offering Trump Jr advice, including one particular diplomatic request regarding Assange, who was and still is hiding out in the Ecuadorean embassy in London, England…

“It would be real easy and helpful for your dad [Donald Trump] to suggest that Australia appoint Assange ambassador to [Washington,] DC,” the WikiLeaks DMs read.

“They won’t do it but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons.”

The WikiLeaks account has not issued a formal statement in response to the leaking of the private messages this week, although founder Assange did take to Twitter…

— Julian Assange 🔹 (@JulianAssange) November 13, 2017

Trump Jr, meanwhile, decided to get ahead of everyone by releasing his own full copy of the exchange.

Just a reminder: none of this is normal. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/14/wikileaks_leaked/

Frequent Software Releases, Updates May Injure App Security

The more frequently you release apps, the more security vulnerabilities you are likely to introduce in the code, a new study confirms.

The frequency with which you release and update software has more of an impact on application security than factors like code size and whether you are developing your apps in-house or offshore, according to new research.

CAST Research Labs recently analyzed a total of 1,388 applications developed using either Java EE or .Net. The company ran some 67 million rule-checks against a combined 278 million lines of code and unearthed 1.3 million weaknesses in them.

The exercise showed once again—as many have been saying for years—that while agile practices can accelerate application delivery and make it easier for developers to adapt to changing requirements, they can also heighten security risks.

Specifically, CAST Research found that Java EE applications released more than six times per year tended to have a significantly higher density of known security weaknesses (Common Weakness Enumeration—CWE) compared to code released fewer than six times per year.

CAST’s analysis showed that CWE density in Java EE applications remained fairly consistent regardless of the development methodology itself. In other words, Java-EE Applications developed using an agile/iterative model had roughly the same vulnerability densities as applications developed using a hybrid waterfall and agile method or a pure waterfall approach. What really made a difference to security was the frequency of updates and releases.

Interestingly, the results were statistically different with .Net applications. With .Net, applications that were developed using a traditional waterfall approach had a much higher CWE density compared to applications developed with agile, hybrid and even no methods at all.

“In Java we found that financial services and telecom had the highest densities, and that applications released to production more than six times per year were particularly vulnerable,” says Bill Curtis, SVP and Chief Scientist at CAST Research Labs.

Meanwhile, other factors like application size and where the development work is done had less of an impact on vulnerability density.

Generally, the larger the code set, the more opportunities developers have to make coding errors such as SQL injection and cross-site scripting issues. So larger applications generally tend to have more security vulnerabilities in absolute terms than smaller apps. But vulnerability density—or the number of errors per one thousand lines of code—remains the same regardless of application size, CAST’s analysis showed. The same was also the case for the source of the code.

“Interestingly, we did not find that whether an application was developed onshore or offshore, or whether it was developed in-house versus outsourced made a difference in CWE density.”

CAST’s study showed .Net applications on average having a higher CWE density than Java-EE applications. Most of the Java-EE apps across industries that CAST examined averaged five errors, or less, per one thousand lines of code.

In contrast, CWE density scores were much higher in .Net applications, especially in certain industries such as energy, insurance, and IT consulting. Many .Net applications that CAST analyzed had vulnerability densities in the 20- to 30-per-thousand lines of code range.

“We did not expect to see differences between Java and .NET in the pattern of factors related to CWE density, but they emerged,” Curtis says.

Appsec has become a hot topic. The adoption of agile and continuous release cycles has put pressure on organizations to integrate security testing and processes earlier and throughout the software development lifecycle. The trend is driving new DevSecOps approaches focused on unifying development, security, and operations teams around one common goal. Studies such as those by CAST highlight the need for such efforts.

“IT organizations must accept responsibility for providing training in secure architectural and coding practices to those deficient in these skills,” Curtis says.

In addition, organizations need to ensure they are using sound static, dynamic, and penetration testing techniques through the development cycle and that all vulnerabilities are patched as soon as possible. Dependencies and interactions with other applications or third-party software should be investigated for potential security weaknesses.

“Executive management owns the responsibility for ensuring cybersecure capabilities and enforcing cybersecure practices,” he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/application-security/frequent-software-releases-updates-may-injure-app-security/d/d-id/1330412?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI “should not be reluctant” to challenge encryption in court

The 2016 FBI vs Apple battle in federal court over government access to encrypted devices never settled the issue. When a contractor hired by the FBI was able to break into the iPhone of a mass shooter, the case became moot.

But there are, according to the US Department of Justice (DoJ), thousands more locked phones that it contends it has a right to access. So it probably shouldn’t be a surprise that the DoJ and Silicon Valley are likely headed for another collision in court, courtesy of Deputy US Attorney General Rod Rosenstein.

Rosenstein has been giving a lot of speeches lately, about “responsible encryption,” which he defines as the kind that can be defeated for any law enforcement agency bearing a warrant, but is otherwise bulletproof against anyone but the user.

And encryption experts have said just as frequently that this is magical thinking – that it is impossible to have encryption work effectively if there is a way to defeat it, not least because that method will fall into the hands of hackers sooner rather than later, making every device vulnerable.

The signal that the conflict is headed to federal court again came this past week, just a couple of days after the FBI announced it had not been able to break into the iPhone of Devin Patrick Kelley, the shooter in the gun massacre in Sutherland Springs, Texas.

Rosenstein, in a lengthy interview with Politico Pro, said:

I want our prosecutors to know that, if there’s a case where they believe they have an appropriate need for information and there is a legal avenue to get it, they should not be reluctant to pursue it. I wouldn’t say we’re searching for a case. I’d say we’re receptive, if a case arises, that we would litigate.

Which sounds a lot like “searching” and “receptive to” are pretty much the same thing.

And that, of course, is because Round 1 ended without settling the fundamental conflict. It was launched after a mass shooting in San Bernardino, California, in December 2015, when the FBI was unable to unlock the iPhone of one of the shooters.

A couple of months later, a federal judge asked Apple to provide “reasonable technical assistance” to the FBI, which meant providing a way around the system that locks all the data on the phone after ten incorrect password attempts.

Apple CEO Tim Cook refused, saying it would amount to providing the FBI with a master key – if they could unlock that phone, they could do it to any other.

The showdown ended when the FBI said it had been able to access the phone with the help of a third party – reportedly the Israeli mobile forensics firm Cellebrite, although that was never confirmed by the agency. This past September, a federal court ruled that the agency did not have to make the name of the company public because it would make the company a prime target of hackers and also threaten national security.

But the conflict remains. Rosenstein has said there are more than 7,000 phones in law enforcement custody that remain locked, and told Politico Pro that tech companies are “moving in favor of more and more warrant-proof encryption.”

But, as Ars Technica noted last week, the DoJ and other law enforcement agencies, including the FBI, are working on defeating encryption with the help of Cellebrite or firms like it. Within the FBI is a department called the National Domestic Communications Assistance Center (NDCAC), which gives technical assistance to local law enforcement agencies.

The most recently published minutes of the NDCAC, from May 2017, said one of the department’s goals is to make tools like Cellebrite’s services “more widely available” to state and local law enforcement.

That’s already being done – in a sextortion case in Miami earlier this year, the NDCAC gave money to local law enforcement to pay Cellebrite to unlock a seized iPhone.

But that kind of game could be both expensive and complicated, of course. Reportedly the FBI paid Cellebrite about $900,000 to unlock a single phone. And, as the makers of digital devices improve the security of encryption, it may take considerable time, and increased expense for companies like Cellebrite to continue breaking it.

So the debate before federal judges will likely sound a lot like the one playing out in speeches, blogs and interviews. On the law enforcement side, those like former FBI director James Comey and now Rosenstein argue that it should be possible for companies like Apple to create a “key” to defeat encryption when law enforcement has a warrant to search a device. They say those companies don’t have to give the key to government – they can protect it within their own organization.

Rosenstein has argued in his speeches that tech companies already provide access to encrypted data through things like the management of security keys and operating system updates. This past week, he compared it to door locks for a house. “People want to secure their houses, but they still need to get in and out,” he told Politico Pro. “Same issue here.”

But encryption experts, noting that there is no such thing as bulletproof security, say if such a key exists, it will soon be in the hands of everybody else as well. Which would be like everybody getting the key to your house – and every other house.

Bruce Schneier, CTO at IBM Resilient and an encryption expert, has called Rosenstein’s reasoning “absurd” a number of times. Last year, in a paper sponsored by the Berkman Center for Internet &amp; Society, he used a different image:

Compare this with the tactic of secretly poisoning all the food at a restaurant. Yes, we might get lucky and poison a terrorist before he strikes, but we’ll harm all the innocent customers in the process. Weakening encryption for everyone is harmful in exactly the same way.

Rosenstein continues to argue that right now, the cost of strong (what he calls “irresponsible”) encryption is too great.

There is a cost to having impregnable security, and we’ve talked about some of the aspects of that. The cost is that criminals are going to be able to get away with stuff, and that’s going to prevent us in law enforcement from holding them accountable.

It is, of course, good politics to sell an encryption backdoor as a way to prevent terrorism, or to hold terrorists accountable. But good politics doesn’t necessarily make good law.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0a9Tsv1Up3E/

Thousand-dollar iPhone X’s Face ID wrecked by ‘$150 3D-printed mask’

Apple’s facial-recognition login system in its rather expensive iPhone X can be, it is claimed, fooled by a 3D-printed mask, a couple of photos, and a blob of silicone.

Bkav Corporation, a tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems, and set out to do the same with Face ID when it got hold of a $999 iPhone X earlier this month. The team took less than a week to apparently crack Cupertino’s vaunted new security mechanism, demonstrating that miscreants can potentially unlock a phone with a mask of the owner’s face.

“Everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face,” the biz said in an advisory last updated on Saturday.

“It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

After registering a person’s face on the phone – so that the handset should only unlock when it sees this face – the team built a 3D-printed mask of the test subject using an off-the-shelf 3D printer. They then put 2D printouts of the user’s eyes, upper cheekbones and lips over the mask and added a silicone nose for realism.

The creation wasn’t able to defeat Face ID at first, as other folks with the same idea have found. But by sculpting and shading the false nose on one side to imitate shadow – plus a few other tweaks – the team managed to use the mask to fool the iPhone X into unlocking, it is claimed.


The hack was cheap – Bkav estimates the total cost in materials for a face to hoodwink Face ID was around $150. It acknowledged that the hack isn’t for everyone to try out. It requires an in-depth knowledge of how Apple’s face-scanning software works and what the weak points in the system are.

“With Face ID’s being beaten by our mask, FBI, CIA, country leaders, leaders of major corporations, etc are the ones that need to know about the issue, because their devices are worth illegal unlock attempts,” it said. “Exploitation is difficult for normal users, but simple for professional ones.”

The team is still researching how to crack the system more easily and refining their methods. In the meantime the biz advises sticking to fingerprints for biometric security. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/13/iphone_x_face_id/