STE WILLIAMS

Mr. Robot eps3.1undo.gz – the security review

Welcome back to the Naked Security roundup of this week’s episode of Mr. Robot. Here’s last week’s episode recap if you missed it.

The vast majority of this week’s episode focused on psychological drama, but the major events of the episode were bookended by a bit of Elliot’s (or is it Mr. Robot?) hacking ingenuity. Let’s take a peek.

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON

Elliot takes down the chain of command

As Elliot attempts to repair ECorp from the inside, we see him playing a part that’s familiar to many — the dreaded presentation to uninterested middle managers – while also going after managers that are in his way. All he needed was to get enough information about them to make a reasonable guess at their email passwords (given he works with them, their usernames are easily known), and he finds a treasure trove of blackmail-worthy information.

The first boss he sets the FBI on innocuously mentions his love of the band the Goo Goo Dolls, and Elliot correctly guesses that this boss used a slightly modified version of a Goo Goo Dolls album name (“aboynamedg00”) as a password. Easy enough. The next target in the food chain was even simpler: the personal hint about his favorite hobby wasn’t even needed, because Elliot was able to watch this manager typing in his spin cycling-related password (“tapitback”) with a simple ‘shoulder surf’ — hacker vernacular for peeking over somebody’s shoulder as they type a password.

This sequence was a nice reminder of two key points:

  1. “Hacking,” whether it is a technical or social hack, doesn’t always have to be complex, in fact often enough the simplest methods are quite effective. In Elliot’s case, all he had to do was pay attention and listen, or peek over someone’s shoulder, and he got enough information to infiltrate his managers’ email accounts. No fancy tools needed, just his eyes and ears.
  2. Both managers’ passwords are shamefully simple. Nobody likes typing complex passwords, but dictionary words? Personally identifiable information? Changing l3tters for numbers? Come on. They’re not even trying.

I’d like to summon the Game of Thrones “Shame” meme here, but it might be dangerous to cross the streams.
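Both passwords in the episode would be rejected by a policy check that undoes the usual letter-for-number swaps before comparing against a wordlist. The following Python is an added example, not code from the article or the show; the wordlist, the 12-character minimum and the list of substitutions are assumptions for the demo (a real check would load a breached-password or dictionary file instead of five entries).

```python
import re

# Constructed wordlist for the demo: dictionary words plus the album name and
# hobby phrase from the episode. A real deployment loads a large list from disk.
WORDLIST = {"password", "welcome", "letmein", "a boy named goo", "tapitback"}

# Common letter-for-number/symbol swaps ("l3tters"), undone before comparing.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def letters_only(s):
    """Undo leet substitutions and keep just the letters."""
    return re.sub(r"[^a-z]", "", s.translate(LEET_MAP))


def variants(candidate):
    """Normalized forms of a password: lowercased with leet undone, both as typed
    and with any leading/trailing run of digits or symbols dropped, so that
    "Tapitback2017!" and "aboynamedg00" are both caught."""
    base = candidate.lower()
    forms = {base, re.sub(r"^[^a-z]+|[^a-z]+$", "", base)}
    return {letters_only(f) for f in forms} - {""}


def assess_password(candidate, personal_terms=(), wordlist=WORDLIST, min_len=12):
    """Return the list of policy failures; an empty list means the password passed.
    personal_terms are things a colleague could know (hobby, band, pet name)."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too_short")
    norm_forms = variants(candidate)
    known = {letters_only(w.lower()) for w in wordlist}
    if norm_forms & known:
        reasons.append("known_phrase")
    hints = [w for term in personal_terms
             for w in re.findall(r"[a-z]+", term.lower()) if len(w) >= 4]
    if any(w in f for w in hints for f in norm_forms):
        reasons.append("personal_term")
    return reasons


if __name__ == "__main__":
    for pw, hints in [("aboynamedg00", ["Goo Goo Dolls"]),
                      ("tapitback", ["spin cycling"]),
                      ("Spinning4ever!", ["spinning"]),
                      ("correct-horse-battery-staple-9", [])]:
        print(pw, "->", assess_password(pw, hints) or "ok")
```

The check deliberately tests several normalized forms rather than one, because stripping trailing digits helps with “word2017!” but would destroy the “g00” ending of the first password; keeping both forms catches both habits.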

Elliot trusts his instincts

The event on the tail end of the episode shows Elliot realizing what Mr. Robot meant by “we’ve been compromised” in regards to Darlene. Elliot suspects that his sister may be acting against him somehow, but we (the viewer) aren’t sure what exactly he knows, or if he realizes the extent to which Darlene is informing on him to the FBI.

In a moment of clarity, Elliot reboots his machine, plugs in a USB drive with a fresh image of Kali Linux on it, and boots up a clean instance of the hacker-friendly operating system. He runs rkhunter (Rootkit Hunter), an anti-rootkit scanner. This is our clue that Elliot is looking for something Darlene may have planted on his machine. RKHunter, however, shows that his machine is clean of any software-based backdoors or rootkits, and this is our first hint at what Darlene did.

The show switches a few times to the FBI’s view of what’s going on. There’s a Python script running that’s spitting out PNG screenshots of Elliot’s computer at frequent intervals, and they can see he’s running Kali and RKHunter. So this is our second hint: he has just rebooted his machine, booted into an entirely different operating system from a USB stick, and RKHunter has shown the system clear of any software that could be spying on him. Yet the FBI still has a view into what he’s up to, so there has to be something hardware-based working against him.

The screenshots seem quite high-resolution and don’t look like they’re being generated via a camera pointed at his monitor, so we can surmise that something is pulling the images from his monitor directly. Indeed, if we think back to a bit earlier in the episode, when Darlene was staying over at Elliot’s place, we did see her fiddling with something (or perhaps installing) in the back of Elliot’s monitor while he was asleep.

The third hint follows immediately after RKHunter comes back clear. The FBI agent observing Elliot’s monitor says he pulled the URL from the email Elliot was sending to Tyrell, checked it, and found that it didn’t contain anything interesting. Dom then makes her realization: “This email isn’t for Tyrell, it’s for us.” Indeed, it’s for the FBI and for us, the viewers. The URL Elliot sent was an obfuscated link to a repository on GitHub for a Dell monitor exploit proof-of-concept (PoC) that was presented at Defcon 24, called “A Monitor Darkly.”

It’s Elliot’s own way of saying to the FBI: “I’m way ahead of you.”

The actual monitor exploit says it can allow an attacker to read pixels on the monitor, but the proof of concept for this exploit is for actually displaying images on the target monitor. The researchers who worked on this exploit did acknowledge that there’s potential for this kind of attack to be made more effective with additional hardware like a Funtenna (basically a hacked antenna being used for attack purposes).

What the show portrays certainly seems in the realm of possibility, if you take this PoC to a logical extreme, especially if you were to put the brainpower of covert agencies behind furthering development. We’ve seen Mr. Robot stretch concepts like this before for the sake of good television — remember the Pringles cantenna? — and arguably that’s what happened here as well.

…Or, perhaps the link is purposely close-but-not-correct to throw all of us off Elliot/Mr. Robot’s trail, as perhaps there was malicious code in the linked file and Elliot actually managed to successfully phish the FBI? I’d just as well believe this as a hardware hack.

What did you think of this week’s episode? Was Elliot’s link to the monitor hardware hack PoC an affirmation of the FBI’s tactic, or is this meant to throw us, the viewers, off?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YzHXIlQo98M/

Kids’ smartwatches harbouring major security flaws

Has Santa Claus, the Tooth Fairy or the agnostic Birthday Gnome ever gifted your tot a smartwatch?

Toss it. All those wrist wraps are Internet-of-Things (IoT) security car wrecks, according to a new report (PDF) from the Norwegian Consumer Council (NCC).

The main point of smartwatches is to geolocate your offspring, but some models also allow parents to call or text their kids. After all, it’s cheaper than a full-fledged smartphone, and somewhat less likely to be buried in a sandbox.

Much like drone makers do to their aircraft, some parents also use the GPS-connected smartwatches to geofence their kids: some models send out an alert when a child leaves a designated area. Some smartwatches have an SOS feature that allows a kid to send an emergency message to a caregiver.

That’s great, except when it’s not. NCC researchers looked at four smartwatch models and found that they can give parents a false sense of security. Some features, such as the SOS and the geofencing alerts, didn’t work reliably.

And, most worrying of all, through simple steps, strangers can take control of the smartwatches. Given the lack of security in the devices, eavesdroppers can listen in on a child, talk to them behind their parent’s back, use the watch’s camera to take pictures, track the child’s movements, or give the impression that the child is somewhere other than where they really are.

Researchers found that several of the watches also transmit personal data to servers located in North America and East Asia, in some cases without using encryption. One of the watches also functions as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that eavesdropping is going on.

It not only challenges a child’s right to privacy, says Finn Myrstad, director of digital policy for the NCC – “It also threatens their safety,” he says.

Until these issues have been resolved, these watches should be in no stores, even less so on a child’s arm.

In one watch, knowing a user’s phone number “gives an attacker full access to the device,” the report found. In another watch, the researchers “inadvertently came across sensitive personal data belonging to other users, including location data, names and phone numbers.”

One of the watches allowed the researchers to pair an existing gadget with a completely new account, enabling them to see user data, including the watch’s current location and location history and contact phone numbers in the account, all without notifying the watch user.

CBS News quotes Myrstad:

This data can be abused for so many different things – finding out where kids have been means getting extremely sensitive data around where they live, where they go to school. It’s far, far away from any basic standard of security.

According to The Telegraph, the UK retailer John Lewis has already responded to the NCC’s report by withdrawing one of the smartwatch models – the Gator 2 – that the researchers analyzed.

They also tested Viksfjord and Xplora smartwatches. A fourth model, the Tinitell, lacked major security flaws, but it also lacked clear privacy protections, according to the report. According to CBS News, all of the watch models except for Xplora are on sale in the US.

So, another crop of IoT things is insecure. Quelle surprise.

Santa, Tooth Fairy, Agnostic Birthday Gnome, et al., I’m beginning to suspect one of two things:

  1. You’re all NSA agents. That would explain Hello, Barbie, the joke-telling, story-swapping, interactive game-playing, eavesdropping doll that spawned the Hell No Barbie campaign from privacy groups. It would also explain her Hell-spawn sister, My Friend Cayla, which was fitted with a camera and an artificial intelligence (AI) chip for interpreting children’s emotions… and which Germany’s privacy watchdog declared was an “illegal espionage apparatus” that parents should destroy. Given all that, you’re either creeps, government spies, or then again…
  2. You really need help with securing the IoT.

I suspect it’s No. 2. But you’re not alone: we all need help with securing the IoT.

Here are some security tips on how to get that done – ideally before Christmas!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/flsQ8yWLGXM/

IRS chief: assume your identity has been stolen

You’ve been told privacy is dead? It’s actually worse than that. Your identity has been reanimated as a zombie and it could be roaming about trying to do things without your consent.

That’s according to Internal Revenue Service (IRS) Commissioner John Koskinen at a recent briefing to reporters: If you are an American, you should assume that any number of cyber criminals have enough information about you to pose as you.

Koskinen was speaking Tuesday ahead of the agency’s annual Security Summit, about the IRS’s data security efforts heading into the 2018 tax season and, inevitably, was asked if the mammoth, catastrophic breach of big-three credit reporting agency Equifax would have an effect on tax fraud.

Not even enough to notice, was the response, reported in The Hill. “We actually think that it won’t make any significantly or noticeable difference,” he said.

Why? “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals,” he said.

Here are the numbers that matter:

There are about 250 million Americans 18 and older.

An estimated 145.5 million people were affected by the Equifax breach where hackers had access to names and addresses and other personally identifiable information (PII) – including information that’s difficult or impossible to change like Social Security numbers and dates of birth.

Meanwhile the official IRS estimate is that more than 100 million Americans have had their PII stolen by hackers.

There’s wiggle room in both figures but the difference between them is as much as 45 million people, more than the individual populations of the large majority of European countries – almost as much as Spain; more than four times that of Greece, Portugal and Sweden; nearly 10 times that of Norway, Ireland and numerous others.

So, according to Koskinen, the reality could be much worse than the official estimate. He advised all Americans to “assume their data is already in the hands of criminals and ‘act accordingly.’”

He’s not the first one to say so, of course. Star security blogger Brian Krebs said essentially the same thing in more than one of the multiple posts he filed on the Equifax breach. But it came across, at least to some privacy experts, as not only a casual dismissal of one of the most damaging breaches of the year, but also uninformed, as if it were at the same level as a credit card breach.

Rebecca Herold, CEO of The Privacy Professor, called it, “simplistic and naïve.”

He apparently doesn’t realize that Equifax, and the other two major US credit reporting agencies (CRAs), possess an amount of data far beyond the other types that have been breached elsewhere – such things as job histories and associated salaries, home addresses, medical information, schools attended, and so much more.

To try and minimize a breach of this magnitude is disappointing, to say the least, from him.

Koskinen, in prepared remarks, said the agency does take tax fraud very seriously, and is having some very serious success in reducing it. The Security Summit – a joint project of the IRS, state tax agencies and the private sector launched in 2015 – is a major reason for that, he said. Those improvements are in the fraud statistics, he said:

We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft.

In the “identity theft” category, Koskinen said the number of reported victims in 2016 was 376,000 – 46% down from 2015. And this year, through August, the number is 189,000, a drop of about 40% from the same time last year.

Kay Bell, self-described “tax geek” and author of the blog Don’t Mess With Taxes, complimented the IRS on 37 relatively new data filters created in conjunction with the Security Summit that she said would easily stop a criminal even if he had a name, address and SSN. The filters, she said, make sure, “the meat of the return would be a guessing game.”

Koskinen, in his statement, said other methods of catching fraudulent returns and refunds include:

  • Stronger password protocols.
  • Working with financial institutions to flag questionable refunds.
  • A pilot program that adds a verification code to W-2 forms.

Of course, Koskinen didn’t go into much detail about what individual citizens can do to “act accordingly” in response to assuming that their PII is already in criminal hands. That may be because, other than putting a credit freeze in place with all the credit bureaus and monitoring their own finances, there isn’t a whole lot they can do.

As Herold put it:

All those people whose personal life data was breached at Equifax did not directly do business with Equifax, as is most often the case with those other breaches he references. There was no way the impacted individuals could have done anything to ensure Equifax had appropriate security controls in place for their associated data – they had no choice.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/moWXbqyDf94/

What’s Next after the SEC ‘Insider Trading’ Breach?

Last month’s hack of the Securities and Exchange Commission may prove to be the most high-profile corporate gatekeeper attack to date. But it definitely won’t be the last.

Traditionally, insider traders followed the Gordon Gekko roadmap to acquiring illicit information, gaining material non-public corporate information from in-person physical sources, such as company executives or company lawyers and accountants, or even from the printer a company used to print deal documents. As the business world has changed, however, insider traders have updated their techniques and taken advantage of the concentration of digital information to obtain a bounty of non-public information that their analog counterparts in the 1980s could never have imagined.

Today, hackers — many of whom are either traders themselves or sell stolen information — are focusing their data intrusion efforts on corporate gatekeepers such as law firms, newswire services, and other third parties that often possess confidential corporate information for numerous publicly traded companies. Predictably, this trend of “insider trading hacks” has continued, reaching its logical extension last month when the Securities and Exchange Commission (SEC) announced that it had been the victim of a significant breach and was investigating whether this intrusion “resulted in access to non-public information [that] may have provided the basis for illicit gain through trading.”

Though the SEC breach will likely prove to be the most high-profile insider trading hack to date, it certainly was not the first. Recent history shows that hackers have been increasingly targeting corporate gatekeepers — entities storing material non-public information for a number of publicly traded companies. For instance, from 2010 through 2014, a group of hackers systematically targeted three newswire services that helped numerous publicly traded companies distribute information about earnings and other corporate transactions.

These hackers collaborated to steal not-yet-published press releases containing material non-public information about hundreds of publicly traded companies. They then passed the information on to a group of more than 30 domestic and international traders who used the valuable intel to trade in the window of time between when the companies uploaded the information to the newswire service and the distribution service published the press releases. Over five years, the hackers stole more than 150,000 news releases prepared by publicly traded companies and used this information to make more than $100 million in illegal trading profits.

The SEC and Department of Justice eventually uncovered the scheme. On August 11, 2015, the SEC charged 32 defendants with securities fraud and froze numerous trading accounts in the United States and abroad. To date, the SEC has settled with 13 defendants and has obtained judgments totaling more than $52 million. Meanwhile, the US Attorney’s offices for the District of New Jersey and Eastern District of New York separately brought charges against nine individuals involved in the scheme. All but one criminal defendant has pleaded guilty.

Law firms are another type of corporate gatekeeper targeted for insider-trading hacks. In December 2016, the SEC and the US Attorney’s Office for the Southern District of New York announced charges against Iat Hong, Bo Zheng, and Chin Hung, all citizens of China. The government alleged that over a period of 11 months, the three men hacked into the servers of two elite New York City-based law firms — reportedly Cravath, Swaine & Moore and Weil, Gotshal & Manges — and stole substantial quantities of sensitive, non-public information involving potential mergers or acquisitions of the firms’ public company clients, which include some of the largest and most well-known companies in the world. The three allegedly then used this information to trade ahead of public merger announcements, generating nearly $3 million in trading profits.

With hackers and traders targeting these critical gatekeepers, the SEC itself, the biggest gatekeeper of all, was an obvious target. On September 20, 2017, the SEC announced that in 2016, hackers exploited a weakness to gain access to the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, which is used by securities industry actors to file more than 1.7 million documents annually with the agency. To date, the SEC either does not know or is not disclosing the amount of information stolen by the hackers, though it has admitted that it is investigating whether the hackers used this information to make illicit trades.

It is also unclear whether the hacked information from EDGAR could be used to make illicit trades because there may not be the same window of time between acquisition of the information and full market disclosure, as in the newswire and law firm hacks described above. But it is clear that the SEC cannot let its guard down. In recent years, securities fraudsters have exploited EDGAR by, for instance, filing fake merger documents for Avon, Rocky Mountain Chocolate, and Integrated Device Technology to create and trade on short-term stock price increases.

As we head into this new era of insider-trading hacks, there remain unanswered questions about who may be liable when data breaches occur. The SEC has already intimated that it will use enforcement actions against securities industry actors who fail to protect investors’ information, and public companies that fail to make timely and adequate disclosures about data breaches. It is possible that public companies could also face scrutiny from the SEC (and potentially shareholders) if they fail to take prudent steps to protect their data, even in the hands of third parties. Third-party gatekeepers may also be subject to liability where they acted negligently or recklessly.

Insider-trading hacks are also costly from a resource and public relations perspective; the SEC hack is another large, blinking warning sign for publicly traded companies. These companies must be aware that domestic and international hackers are targeting this valuable and confidential corporate information. As the cases discussed in this article make clear, public companies cannot simply build their own cyber defenses. They must ensure that the third parties they work with every day — law firms, accounting firms, consultant groups, newswire services, and others — are also up to the task of protecting this valuable information by taking proactive steps such as limiting the digital data trail, requiring third parties to use code words when communicating internally about corporate transactions, or requiring newswire services to issue press releases immediately after a company uploads a document to reduce the opportunity to engage in illicit trading.

The SEC hack was the latest gatekeeper insider-trading hack, but it will not be the last.


David L. Axelrod, Partner, Ballard Spahr. Ballard Spahr partner David L. Axelrod is a former supervisory trial counsel at the U.S. Securities and Exchange Commission’s (SEC) Philadelphia Regional Office. At the SEC, he directed all aspects of litigation, leading complex, …

Article source: https://www.darkreading.com/attacks-breaches/whats-next-after-the-sec-insider-trading-breach/a/d-id/1330162?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IoT Deployment Security Top Concern for Enterprises

A new survey shows that 63% of respondents are worried about the impact of the Internet of Things on corporate security technologies and processes.

A majority of enterprises cite cybersecurity as their main concern with corporate Internet of Things deployments, according to a survey released this week commissioned by BlackBerry.

In the survey, which queried 200 IT decision makers, 63% of respondents cited security as their top concern about IoT technologies and processes in the enterprise, yet only 37% of participants said they had a formal digital strategy in place. A full 78% of respondents indicated interest in a solution that would allow them to manage all their endpoints in one place. Nearly two-thirds of respondents (61%) identified hackers and cyberwarfare as a major threat from the IoT.

“If a device isn’t secure, it shouldn’t ‘work’ for companies or consumers. Organizations that connect unsecured IoT devices to their network are ultimately putting attack vectors inside their company. The risk of losing their IP and customers’ information is not worth the reward of using an IoT device that simply works,” says Marty Beard, chief operating officer for BlackBerry.

He adds that endpoint security is the most important aspect of IoT security because the endpoint is the easiest to attack and tends to be the place where employees will bypass security for convenience. 

Read more about the survey here.


Article source: https://www.darkreading.com/attacks-breaches/iot-deployment-security-top-concern-for-enterprises/d/d-id/1330172?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Social Engineering Attacks Your End Users Need to Know About

It’s Cybersecurity Awareness Month. Make sure your users are briefed on these 10 attacker techniques that are often overlooked.

It’s the middle of National Cybersecurity Awareness Month: the perfect time to look beyond the obvious stolen passwords, phishing and malware, and into some of the social engineering attacks less known to the average end user. And here’s something you security professionals might not know: 43 percent of breaches in the last year were related to social engineering attacks, according to the Verizon Data Breach Investigations Report. 


“We’re seeing a lot of social attacks, especially taking advantage of lonely guys at home,” says Aaron Higbee, CTO at PhishMe. “Attackers will entice a person with a nude picture then get him to send a nude picture of himself. Then the attacker will say they will send it to Facebook unless they pay a ransom.”

Christopher Hadnagy, chief human hacker at Social-Engineer adds that people should be aware that social attacks such as phone-based vishing where attackers try to steal money over the phone are becoming more prevalent.

“Criminals buy data on the Dark Web then call people saying they owe several thousands of dollars in back federal taxes from a few years ago.” Hadnagy says. “Even though people may know that the IRS will only notify them in writing and will never call them directly, they still fall for it.”

Based on interviews with Higbee, his colleague and chief threat scientist at PhishMe, Gary Warner, and Social-Engineer’s Hadnagy, Dark Reading has developed a list of 10 hacks that might not always be as readily apparent,


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/attacks-breaches/10-social-engineering-attacks-your-end-users-need-to-know-about--/d/d-id/1330171?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How individuals can use online ad buying to spy on you

We’re used to corporate ads following us around – from a brief visit to the online flip-flop emporium to Facebook to Slashdot to “will you please get out of my face, retailer who’s clinging to my flirtation with rubber footwear?”

It’s more annoying than scary. Who takes it personally? They’re only soulless corporations behind those ads, right? Yes, tracking from advertisers grows more and more granular all the time, but it’s not like they’re stalking our physical location or winkling out our secrets by looking at where we go and the apps we use, right?

Maybe not, but it’s actually quite doable, by stalkers as easily as corporations.

Researchers have set themselves the task of stalking individuals by using an advertising network to track people and extract information about them, including their location. They succeeded. It cost them a measly $1000. That’s all an attacker needs, plus a website for ads to direct to.

In a paper (PDF) put out by the Security & Privacy Lab at the University of Washington’s Paul G. Allen School of Computer Science & Engineering, researchers describe how somebody can use a targeted advertising system to conduct physical and digital surveillance of targets that use smartphone apps with ads.

Which targeted advertising system? All of them, pretty much. From the team’s FAQ about their research:

Our results – both our experiments with one advertising network and our survey of many others – point to an industry-wide issue. We therefore choose not to single out the specific advertising network through which we purchased our ads.

The researchers bought targeted ads on what’s known as a demand-side platform (DSP) – in other words, an advertising platform such as AdRoll, Choozle, MediaMath, MightyHive, Tapad, Google AdWords, Facebook or Centro. That’s where the $1000 went: it was a deposit with a DSP.

All of those platforms give ad buyers the ability to deliver targeted ads to individuals. But that delivery is a two-way street: they also suss out an incredible wealth of data about a targeted device, including when the ad is viewed. Also, all but one of the DSPs the researchers looked at allow some form of location-based targeting, be it basic (restricted to city and ZIP code) or more granular.

Sixty percent of DSPs use what’s called “hyperlocal” location targeting. The DSP they chose could get as close to their surveillance targets as four to 11 meters, depending on latitude.

The researchers used ten Moto-G Android smartphones and concocted new-user accounts for fake 27-year-old female users. They connected the devices to local Wi-Fi networks, downloaded the apps that would display the ads, and also downloaded apps to capture the devices’ network and GPS data.

The app they focused on was the most popular one that the researchers could serve ads to through their DSP: Talkatone, a free calling and texting app. Then, they made location-targeted ad buys in a grid around a 3-mile square section of Seattle that would display through Talkatone.

Whenever one of their target phones had Talkatone open near one of the coordinates set on their grid of ad buys, the ad popped up, the researchers would be charged 2 cents, and the DSP would send confirmation of approximately where, when, and on which phone the ad had been shown.

With that method, they found that they were able to follow their test phones’ locations within a range of about 26 feet any time the phone user left an app open in one location for about four minutes, or if they opened it twice in the same location during that time span.

Over the course of a week, the University of Washington researchers found they could easily identify a target’s home and work address, based on where they stopped. They could also, of course, detect what apps the ads are served on.

Some of those apps can be sensitive. The researchers only tested the gay dating app Grindr, but this type of surveillance – they call it ADINT, similar to SIGINT in signals intelligence – can be done with a host of other sensitive apps, including other dating apps, torrent apps, or those affiliated with religions, such as Quran Reciters.

In order for this tracking method to work, the target has to have a certain app open on their phone at the time they’re being tracked. Otherwise, the ad won’t show up. Ad-buying spies also have to know a phone’s unique advertising identifier, which is known as a Mobile Advertising ID (MAID).

But the researchers say that those limitations are simple to bypass. All it would take to surmount the first limitation would be to buy ads on a range of popular apps, which would at least increase the chances that somebody might have one of the apps open when they get within range.

There are also multiple ways to get a phone’s MAID: an attacker can get the identifier if a target clicks on any of their earlier ads; it can also be potentially exfiltrated via JavaScript; or it can be purchased online.

Wired offered a few potential, theoretical attacks:

A domestic abuser could, for instance, obtain a spouse’s MAID from their home network, and then use it to closely track him or her by placing ads in apps he or she uses frequently. A person on a laptop at the next table over at the Starbucks could steal your MAID when you connect your phone to Wi-Fi, or a co-worker could do the same in the office, and then either could receive periodic pings of your location whenever you see an ad they’ve placed. Or an ad buyer could use active-content ads to gather the MAIDs of the people at a specific location, like a protest, or users of a potentially sensitive app like gay-dating apps or religious apps – plus other demographics provided by ad networks – and then track those targets’ movements.

If somebody has $1000 to spend on spying on you, they likely have better options. Nevertheless, academic research like this tends to do just enough to make its point and, understandably, doesn’t concern itself with refining or optimising the attack into something more practical.

They have succeeded in pointing out a weakness others might exploit or build upon though.

So, if you’re concerned, how can you protect yourself? The researchers say that if you care about your privacy, you should consider resetting your MAID. Here’s how to do it on an iPhone, and here’s how to do it on an Android. Also, you may want to turn off location access to apps on your phone: here’s how on iPhone, and here’s how on Android.

Wired had another good option: think about ponying up the money for a premium, ad-free experience.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lNs1_NVug7Q/

Yes, British F-35 engines must be sent to Turkey for overhaul

Britain’s F-35B fighter jets currently cost around $123m each – and British officials are quite content that the only engine overhaul facility for the stealth aircraft’s engines is located in Turkey.

The House of Commons’ Defence Committee questioned British ministers, civil servants and senior officers on the F-35 purchase programme, revealing that Britain is still publicly committed to buying 138 F-35Bs.

Speculation had mounted that Britain may not buy its full complement of the aircraft thanks to well-publicised holes in the defence budget, which – in a break with tradition – caused Defence Secretary Sir Michael Fallon to publicly call for a bigger defence budget.

The committee, consisting of mostly Conservative MPs along with a smattering of Labour MPs and sole representatives from each of Scotland’s SNP and Northern Ireland’s DUP, initially questioned executives from Lockheed Martin about the F-35. This, rather predictably, resulted in the execs insisting everything was fine with the F-35 – including questions over the aircraft’s handling in the transonic region, where it goes from sub-sonic flight to supersonic flight.

“All F-35 variants display objectionable or unacceptable flying qualities at transonic speeds, where aerodynamic forces on the aircraft are rapidly changing,” we reported the Straus Military Reform Project as saying in a report earlier this year.

Peter Ruddock, Lockheed’s UK chief exec, said in reply to the committee’s questions: “The problem here is the different parts of the aircraft become supersonic at different times and there’s always a controllability issue with that. I’ve spoken to some of the test pilots involved … the quality of the handling is more than satisfactory or better throughout the flight regime.”

Unfortunately, in his later questions, committee chairman Julian Lewis MP once again focused on the bizarre notion that the NATO-standard Link 16 data comms standard, as fitted to the F-35 for talking to older aircraft, is somehow inherently insecure. He asked, after correctly identifying that the new MADL (Multi-function Advanced Data Link) system allows talking to older aircraft such as the RAF’s Eurofighter Typhoons, whether Link 16 meant using an “older system that might reveal their presence?”

Lockheed’s Steve Over, director of F-35 business development, told the committee in response: “It doesn’t affect the stealthiness of the aircraft but it’s an omnidirectional transmitter. If someone has a receiver listening for a Link 16 transmitter…”

This is what Reg readers will recognise as a basic principle of RF transmission and direction-finding. You can encode it and compress it into as short and low-powered a burst as you like, but you’ve got to light up the airwaves somehow to get your message out.

Defence procurement minister Harriet Baldwin also revealed, in response to a separate question, that the UK does not negotiate directly with Lockheed Martin over future F-35 purchases. Instead, she said, “We have an MOU [memorandum of understanding] with the Joint Programme Office who do the contracting for us.”

The F-35 Joint Programme Office is a US Department of Defense body that does not answer to the UK. Its website explains: “The F-35 Lightning II Program is a joint program with no lead service, staffed by [US] Air Force, [US] Navy, and [US] Marine Corps personnel. The Program Executive Officer position alternates between the [US] Departments of Navy and Air Force, and reports to the [US] Service Acquisition Executive (SAE) of the other service.”

Engine failure before takeoff

The only other major item from the committee hearing, other than Labour MP Ruth Smeeth having a pop at DDC – the Ministry of Defence’s Directorate of Defence Communication, its spin doctor battalion – was SNP MP Martin Docherty-Hughes questioning Baldwin on engine overhauls. As El Reg reported last year, the Pratt and Whitney F135 engines of Britain’s frontline carrier fighter jets can only be overhauled in Turkey, by decree of the American Joint Project Office managing the F-35 project.

“In terms of the engine programme,” said Baldwin in response to Docherty-Hughes’ questions, “that will happen again within Turkey. I believe the warehousing [of other aircraft components] is happening in the Netherlands, and there’s a series of ongoing competitions. Turkey is a NATO country.”

“This has never happened before,” shot back Docherty-Hughes.

“The UK is doing a significant part of those repairs, overhauls and upgrade for all 3,000 planes as I understand it. Not surprisingly, if you’re Australia, Holland, one of the other partner nations, you’re keen to have that ongoing global support,” retorted Baldwin, continuing to talk about the UK’s avionics overhaul deal instead of Docherty-Hughes’ question. She emphasised that support contracts are awarded as part of a “series of competitions the JPO are running.”

Docherty-Hughes refused to be deterred. “The minister didn’t answer the question. Is it value for the UK taxpayer? Are we one step away from a disaster? This is unprecedented, it’s never happened before. It’s clearly the United States directing the MoD to put the engines in for overhaul in another country. Has this happened before?”

Baldwin spoke briefly about the “net benefit” of having Turkey overhaul mission-critical major components of the only fast jets capable of flying from Britain’s new aircraft carriers, in exchange for avionics repairs being carried out in North Wales, and described the latter as “good for the UK industrial base”.

Lewis, catching onto the general idea, prodded the minister further: “Is it the case that we’re having some of our F-35, if not all our F-35 engines, serviced by Turkey, and we will be doing things to F-35s that belong to the Turkish air force?”

A grateful Baldwin nodded: “That is the idea.” Air Commodore Lincoln Taylor, MoD senior officer in charge of military fast jet projects, sitting next to Baldwin, loyally chipped in that the avionics repair hub will be of “enormous benefit to the UK”.

Defeated in his attempt to make the minister answer a direct question about the stability of a critical British defence supply line, Docherty-Hughes said he was “not reassured” but would “take the minister and department’s answers”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/19/f35_fighter_engines_turkey_overhaul/

YouTube sin-bins account of KRACK WPA2 researcher

The YouTube account of the researcher behind the KRACK WPA2 Wi-Fi vulnerability was restored early on Thursday hours after it was shut down for violating “community guidelines”.

Mathy Vanhoef was told that his YouTube account had been sin-binned late on Wednesday. The move provoked criticism from security pros. Around two hours later the account was restored, also without explanation. In the meantime Vanhoef created an account at Vimeo.

The incident is not without precedent. Marcus Hutchins, the security researcher behind the WannaCry kill switch, commented: “YouTube are shitty when it comes to ‘hacking’ videos, even completely legal ones. Had a couple of friends banned for same bs too.”

El Reg asked Google, YouTube’s owner, to comment on the incident but we’re yet to hear back.

Vanhoef went public with research demonstrating a critical design flaw in the underlying technology used to secure wireless networks. The Key Reinstallation Attacks, aka KRACK, mean that the latest WPA2 Wi-Fi encryption might be circumvented to either snoop on communications or inject malign content.

Several caveats apply. A prospective hacker would have to be within range of the network to pull off an attack, and any communications protected by end-to-end encryption (such as with HTTPS servers and VPN traffic) would still be shielded – miscreants would only be able to strip away the first layer of encryption. Patching is already well under way.


The four-minute YouTube video uploaded by Vanhoef demonstrated the wireless security weakness in Linux and Android devices, the most vulnerable class of client devices. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/19/youtube_krack_down/

CISOs: Striving Toward Proactive Security Strategies


A new survey paints a compelling picture of the modern security executive, how they succeed, and how much power they wield.

Chief Information Security Officers are in a tough spot. Organizations are squeezed by cyber criminals, new compliance requirements, and bleeding-edge technologies that erode privacy and stability. The team that leads defense efforts is becoming a more and more vital player in the long-term survival of any organization that sells, uses, or produces information technology — that is to say, everyone. But what do we really know about CISOs and how they operate?

Many surveys talk about CISO salaries and job prospects, but we felt that the industry as a whole needed to fully understand what goes into the day-to-day job of a CISO. F5 and research firm Ponemon teamed up to directly survey CISOs. Our goal: to draw as complete a picture as we could of the modern security executive. In the report, “The Evolving Role of CISOs and Their Importance to the Business,” we focus on key areas like budgetary control, organizational influence, decision rationale, and strategic methodology. In other words, how do CISOs succeed, and how much power do they wield? We also delve into the background of CISOs and their experience, both in terms of technical capability and business savvy.

To cast a wide net, we interviewed senior level IT security professionals from 184 organizations in seven countries, tracking nearly 70 questions. We wanted a deep, unbiased look at the contemporary CISO. The results are eye-opening, and both encouraging and worrisome.

First, the discouraging news: security programs appear to be reactive: 60% of respondents say material data breaches and cybersecurity exploits are the primary drivers of change in security programs. A mere 22% of respondents say their organizations’ security function is integrated with other business functions. Perhaps most concerning, only 51% say their organization has an IT security strategy and, of those, only 43% say that the company strategy is reviewed, approved, and supported by C-level executives.

Now the good news. A full 77% of respondents say their IT security operations are aligned with IT operations, although fewer respondents (60%) say they have achieved alignment of IT security operations with business objectives.

Furthermore, there are some promising trends in the day-to-day responsibilities CISOs hold. Most CISOs (67%) believe they should be responsible for setting security strategy, and the majority are influential in managing their companies’ cybersecurity risks, with 65% reporting to senior executives (meaning, no more than three steps below the CEO on the organization chart). Over half (61%) set the security mission and are responsible for informing the organization about new threats, technologies, practices, and compliance requirements (60%). In the event of a serious security incident, more than half (60%) have a direct channel to the CEO.

These findings indicate both the challenges and the progress CISOs are making in today’s complex environment. I invite you to reflect on and discuss these findings with your peers and in the comment section below. My hope is that we now have a foundation for more meaningful conversations with one another, and have a greater impact on our organizations. I also hope the broader discussions we are driving here at F5 Labs are providing CISOs and future CISOs the tools to tackle this challenge.

There’s a lot there. You can read the full report here.


Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide …

Article source: https://www.darkreading.com/partner-perspectives/f5/cisos-striving-toward-proactive-security-strategies/a/d-id/1330156?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple