STE WILLIAMS

Dear America, best not share that password with your pals. Lots of love, the US Supremes

A California bloke fighting a computer hacking conviction has lost his final appeal after the US Supreme Court declined to hear his case.

The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We’ll explain.

In 2004, David Nosal was a high-level regional director at recruitment consultancy biz Korn/Ferry. He then left to start up his own firm, although he stayed on for a year as a contractor. During that time, he tried to lure his former colleagues over to his new business, and convinced three of them to share their passwords to Korn/Ferry’s internal database of consultants with him.

Using the purloined passwords, Nosal copied the firm’s one million-person database so that he could use it to kickstart his own recruitment outfit. When this was discovered, the US Department of Justice charged him with hacking crimes under America’s Computer Fraud and Abuse Act.

At the heart of the matter was the fact that Nosal used the passwords to gain unauthorized access to a computer system.


Nosal was found guilty by a jury in 2013, and was sentenced to a year and a day in the cooler. He was also fined $60,000 for his troubles. He appealed, arguing that his shenanigans fell shy of the actual computer hacking the law is supposed to tackle, and last year was shot down in a 2-1 split decision by the US Court of Appeals for the Ninth Circuit.

The lone dissenting appeals judge said he had serious doubts about the case. Sharing a password among folks is a fairly common practice, be it someone sharing banking credentials with their spouse to pay a bill or friends sharing Netflix account details. The dissenting judge, Stephen Reinhardt, feared the justice system, by convicting Nosal, was about to outlaw the simple act of sharing passphrases.

Crucially, Nosal’s fate hinged on the law’s definition of authorized access. Since Nosal clearly did not have permission, that is authorization, from Korn/Ferry to access the database, the appeals court ruled that the hacking conviction should stand. So the legal precedent seemed to be that you cannot access a system you are not allowed to, whether or not you were slipped the password by an authorized user. And that appeared to be pretty straightforward.

That wasn’t good enough for the Electronic Frontier Foundation, though, which filed an amicus brief to the US Supreme Court. The digital rights warriors argued the appeals court decision will criminalize millions of Americans simply for sharing their passwords among each other. Giving your friend the password to, say, your online video-streaming account may violate the terms and conditions of the website’s use, which may trigger a prosecution under America’s computer hacking laws. After all, your friend did not have authorization from the website to access the service.

In other words, even though you gave your pal permission to watch streamed TV shows from your account, the website may forbid such shared use – and that would be an unauthorized access, the kind that ultimately landed Nosal in the clink. This is why the EFF found the appeals court’s ruling particularly dangerous.

The foundation has a real beef with the Computer Fraud and Abuse Act, which is key to this whole case, and has previously called for reforms in order to, as EFF staff attorney Jamie Williams put it, prevent “overzealous prosecutors” from exploiting the law to lock up folks. The campaigners therefore asked the Supreme Court to clarify that sharing passwords can never be a crime.

“This [appeals court] ruling threatens to turn millions of ordinary computer users into criminals,” Williams said earlier this year. “Innocuous conduct such as logging into a friend’s social media account or logging into a spouse’s bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a [Computer Fraud and Abuse Act] prosecution. This takes the CFAA far beyond the law’s original purpose of putting individuals who break into computers behind bars.”

Well, the Supremes didn’t see a need to take this further: this week, they declined to hear the case. So for now, to be safe, don’t share your password with anyone – not just because it may break the rules and therefore possibly the law, but also because it’s just not good security hygiene. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/11/us_supreme_court_password_sharing/

Akamai Acquires Nominum

Purchase of DNS and enterprise cybersecurity solutions company is designed to bolster Akamai’s offering to telecom carriers.

Akamai Technologies acquired DNS and enterprise cybersecurity company Nominum, in a move to enlarge its offerings to telecom carriers, Akamai announced Wednesday.

Nominum develops DNS-based solutions for both fixed and mobile carrier operators, managed services, and web applications providers. The company’s solutions are designed to protect and improve customers’ networks and strengthen the security for residential and business subscribers.

“We believe this acquisition is a key investment in our security capabilities because Nominum will bring complementary technology, engineering, technical support, and sales talent to better reach and serve our carrier partners and their enterprise customers,” says Robert Blumofe, Akamai’s executive vice president of the Akamai Platform division and general manager of its enterprise and carrier division.

Additionally, Akamai intends to offer its customers an enhanced range of security products that will feature improved capabilities for identifying, blocking, and mitigating threats such as data exfiltration, ransomware, phishing, and malware.


Article source: https://www.darkreading.com/vulnerabilities---threats/akamai-acquires-nominum-/d/d-id/1330103?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybersecurity’s ‘Broken’ Hiring Process

New study shows the majority of cybersecurity positions get filled at salaries above the original compensation cap, while jobs sit unfilled an average of six months.

A soon-to-be published study shows how the traditional corporate human resources operation actually hampers cybersecurity hiring against a backdrop of the industry’s well-documented talent gap.

The Jane Bond Project report, commissioned by security talent recruiting firm CyberSN, found that in addition to the lack of available talent for those positions, respondents say their HR generalists are not equipped to recruit and hire cybersecurity talent, and that flawed salary data complicates their ability to issue the best job offers.

More than 80% of the 83 cybersecurity positions studied in the report ended up with compensation offers higher than the salary caps stated in the original job descriptions. Half of the 52 organizations participating in the study say they had to up the compensation offers to seal the deal. The positions in the study include security engineers, product sales engineers, incident response analysts, SOC analysts, and product security experts.

Meanwhile, the typical cybersecurity job sits unfilled for an average of six months, the report shows. “It boggles my mind” that some jobs sit vacant up to nine months, says Chenxi Wang, founder of The Jane Bond Project.

Most respondents said recruiting for cybersecurity positions was “difficult” or “very difficult,” and especially challenging for the more experienced positions.

Wang, who headed up the study, titled “The Cyber Security Hiring Crisis,” says one CISO she interviewed lamented that HR was “looking in all the wrong places” for cybersecurity talent. The CISO has filled positions by recruiting from veteran databases, where he’s found candidates with some military training that he was able to tap and then train for cybersecurity, he told Wang.

In addition to more accurate and updated IT security salary information, Wang says, the industry needs HR specialists focused on security talent who have an understanding of the industry.

“I had a CISO tell me [in the study] he had a recruiter turn away a really good hacker because he ‘didn’t look into your eyes’ when he talked to you. The HR recruiter turned him away as ‘not a good fit,'” she says. “But the security team knew he was a good hacker and wanted him. The criteria in which HR generalists [vet candidates] does not work” in all cases for cybersecurity, she notes.

Most hiring managers in the survey say they rely more on their own personal networks of contacts and LinkedIn – not HR – for their recruiting efforts.

Deidre Diamond, founder and CEO of CyberSN, says HR really shouldn’t be expected to recruit and hire cybersecurity talent. “It’s really unfair to even suggest that the HR department has the department to support the recruiting efforts of a cybersecurity position,” she says. “It’s so niche, there’s no common language there … I feel badly for HR.”

Many HR teams end up cutting and pasting cybersecurity job descriptions that don’t accurately reflect the actual day-to-day responsibilities of the opening. Companies also end up starting way too low with their offers, sometimes $10,000 to $20,000 under the appropriate salary range for a security job, she says, often because HR doesn’t have the proper budget approval for a competitive offer.

Meanwhile, two out of five organizations review or adjust salary offers every six months, and three out of five do so annually.

Diversity Deficit

While the study did not look at diversity, it did find that only eight percent of the cybersecurity positions in the report were filled by female candidates. And of those women, none had negotiated a salary higher than the job offer.

“I had five organizations [in the study] that talked about their hiring practices and what they see. A few of them said ‘women don’t negotiate,'” Wang notes. “But a lot of men don’t, either.”

CyberSN’s Diamond says the gender salary gap should improve when the Equal Pay Act kicks in next year. “Now, women often make less money, so their offers” are for less, she says.

“But that’s only going to change if women push for it” and learn to negotiate for equal salaries in cybersecurity, she says.

Diamond says her firm plans to release a free tool for cybersecurity job candidates to create strong profiles that are attractive to prospective employers. 

A recent (ISC)² study shows organizations aren’t tapping in-house talent as a way to fill security slots, either. More than 60% of respondents in the (ISC)² report say their organizations are short on staff, but just 34% say their companies cover the cost of security training.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/cybersecuritys-broken-hiring-process-/d/d-id/1330104?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IoT: Insecurity of Things or Internet of Threats?

Security leaders call for device manufacturers to buckle down on device security as the Internet of Things evolves.

CYBERSEC EUROPEAN CYBERSECURITY FORUM – Kraków, Poland – If cybersecurity was a health issue, “we would call it a pandemic,” Sir Julian King, European Commissioner for the Security Union, said in his opening keynote remarks here this week.

Europeans were subject to two billion data breaches last year, and the threat is poised to escalate, he said.

The Internet of Things is pushing billions of connected devices online, he noted. Last year’s Mirai malware attack, which mobilized hundreds of thousands of devices as bots, highlighted the vulnerability of the Internet of Things and served as an example of what could go wrong.

“Today, connectivity isn’t just about phones and laptops, it’s about homes and hospitals, governments and electricity grids,” he noted, adding that products in industrial control systems often rely on uncertified, off-the-shelf software.

Manufacturers forget security or don’t give it enough profile or importance, he said. Update policies are often unclear, encryption isn’t being used, and unnecessary ports, hardware, and code make attack surfaces larger than they need to be.

“We need to move to a world in which there are no default passwords on connected devices, where connected devices and software are updatable for their entire lifespan,” he urged.

Melissa Hathaway, president of Hathaway Global Strategies and former cybersecurity advisor for the George W. Bush and Barack Obama administrations, called for higher software standards and said manufacturers should prioritize both security by design and safety by design.

The need to patch a product suggests it wasn’t securely designed to begin with, she continued. We don’t “patch” drugs when something is wrong; we recall them. The same goes for automobiles. Why not recall connected devices when a dangerous vulnerability is found?

“The IoT is either the insecurity of things, or the Internet of threats. It’s an unbelievable risk we have to manage,” Hathaway said during a panel entitled “Internet Things: Will They Live Happily Ever After?”

She referred to the medical device industry as an example. Products like pacemakers and insulin pumps were never designed with the idea someone would cause harm. Now they’re wireless devices that must be updated, and people have died, she added.

“At some point, we need to get to a more responsible discussion about responsible disclosure and corporate responsibility,” said Hathaway. “We have to actually fix these problems.”

Alastair Teare, CEO at Deloitte in central Europe, said the danger of the IoT is both a security and governance issue. Companies are ill-equipped to put governance around IoT security, and the government needs to engage with businesses to ensure proper frameworks are in place.

“The problem is playing catchup, and we’re not doing very well, in my opinion,” he said. “Huge problems need to be addressed and we need to get on with it, because it’s going to get worse.”

Allan Friedman, director of cybersecurity initiatives at the National Telecommunications and Information Administration at the US Department of Commerce, said if we’re going to expect manufacturers to be more secure, “we’re going to have to be as explicit as possible.”

However, he said, there is a problem with creating standards for devices connected to the IoT.

Creating standards involves using standards for static risks, he explained. However, software doesn’t have static risks, and we’re going to end up with unknown states. Focusing on an adaptive model for risks is one of the paths forward as the IoT continues to evolve.

“Perfect security is not something you can expect,” Friedman said. “The challenge with any certification is it’s a snapshot; it’s a moment in time. We’re predicting based on certain values, and that’s really hard. Most things were thought secure at one point.”


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/iot-insecurity-of-things-or-internet-of-threats/d/d-id/1330105?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

North Korean Threat Actors Probe US Electric Companies

September spear phishing attack appeared to be more reconnaissance activity than sign of impending attack, FireEye says.

Known threat actors based in North Korea recently targeted several US electric companies in a spear-phishing campaign that appeared to be more of an early reconnaissance mission than an attempt to cause any immediate disruption.

Even so, the attacks are another indication of North Korea’s willingness to go after cyber targets that others tend to leave alone for fear of retaliation, says Christopher Porter, chief intelligence strategist at FireEye, which this week issued an alert on the incident.

“North Korea probably is attempting intrusions into US energy companies to deter potential military action,” Porter says. The goal is to try and increase anxiety over their capacity to retaliate, he says.

“They [have used] these same techniques against South Korea, compromising nuclear industry targets and exaggerating the access they had in order to instill fear disproportionate to North Korea’s ability to cause damage,” Porter notes.

FireEye said its security controls detected and stopped spear phishing emails sent to targets at multiple US electric companies on Sept. 22. There was nothing about the campaign to suggest broader North Korean cyberattacks or capabilities against US critical infrastructure targets.

The threat actors did not use any tools or methods that were designed to compromise or to manipulate industrial control systems or disrupt electricity supply, according to FireEye.

State-sponsored spear phishing campaigns against energy sector targets are not at all unusual, especially during times of high geopolitical tensions between nations. Often the goal is to gather intelligence that could be used to formulate retaliatory attacks in case the situation warrants it. FireEye itself has detected more than 20 threat actor groups sponsored by at least four other nation states that have targeted energy sector companies for this reason.

What makes the North Korean campaign significant is the nation’s willingness to use its offensive capabilities in cyberspace without a whole lot of thought to potential consequences. “North Korean hackers are highly skilled but, more importantly, they are willing to conduct operations that the other major cyber powers do not do,” Porter says.

As examples, he points to North Korea’s suspected involvement in the 2016 cyberattacks on the SWIFT financial network, its attacks on European financial regulators and banks in Southeast Asia, and on cryptocurrencies. Many, including the US National Security Agency (NSA), believe North Korea was also responsible for the WannaCry ransomware pandemic earlier this year.

Multiple nation-state sponsored groups have the ability to carry out similar attacks. North Korea is the only one to go ahead and carry them out with little regard for discovery and attribution. “Because North Korea is so isolated diplomatically and economically there is little downside for them to conduct aggressive operations,” Porter says.

Compared to threat groups from other countries, those in North Korea still rely mostly on spear phishing and relatively simple malware to break into most targets. They have also been innovative in their deployment of state-controlled ransomware and disk wipers. But “the real danger from North Korea is that they are willing to experiment with new techniques against sensitive targets,” he notes.

Concerns regarding the threat that North Korea poses to US critical infrastructure targets need to be taken seriously, says Eddie Habibi, CEO of PAS, a provider of ICS security services.

“Process control networks in the critical infrastructure industries are the most vulnerable cyber assets with the most significant physical consequences if compromised,” he says. Many organizations do not maintain an accurate inventory of their ICS equipment and at best have visibility into about 20% of the devices on their process control network — meaning the remaining 80% is left unprotected.

North Korea itself has continued to evolve its network attack capabilities, and all indications are that the country’s ability to target other nations will mature, Habibi says. At the same time, North Korea’s own limited connectivity to the outside world and its use of third-party proxy operatives make it less vulnerable to reciprocal attacks, he says.

FireEye’s report on the phishing attack follows a new report from the New York Times this week about North Korean threat actors stealing classified wartime contingency plans from a South Korean military network last year.

During the September 2016 attack, codenamed “Desert Wolf,” North Korean actors managed to break into some 3,200 systems, including 700 apparently air-gapped computers belonging to the South Korean military. The breach resulted in the theft of some 235 gigabytes of classified data, which included plans to remove North Korean leader Kim Jong-un in the event of a war on the Korean Peninsula.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/north-korean-threat-actors-probe-us-electric-companies/d/d-id/1330106?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What’s the fuzz about? Microsoft unveils its latest security tool

Microsoft has added the ability to “fuzz” for a number of dangerous memory corruption flaws to its automated security testing service, Microsoft Security Risk Detection (MSRD).

Security fuzzing works by throwing millions of tweaked and permuted (fuzzed) input files at an application in the hope of triggering unexpected or hard-to-find bugs, and thereby highlighting security vulnerabilities.

Because it can be run as a “black box” technique, no access to source code is needed. The tester pokes and probes an application from the outside in the same way an attacker would, hoping to uncover weaknesses without a clear understanding of the application’s inner workings.

At the end, the tester has the exact input that caused the problem; working out which memory state it corrupted, and whether that matters, is the triage step.

However, fuzzing can be time-consuming, resource intensive and leave your development team chasing bugs that aren’t exploitable security vulnerabilities, so some developers skimp.

In 2016, Microsoft hatched its answer in the shape of Project Springfield, an Azure cloud testing service built around its own internal fuzzing tools, with AI used to do the heavy lifting. Initially this offered “white box” fuzzing, in which the program is run under instrumentation and a constraint solver derives new inputs from the code paths it takes; despite the name, this is dynamic analysis of the running binary, not static source code analysis.

Now slowly emerging from beta as MSRD, the service keeps gaining new capabilities, the latest of which is VulnScan, a triage tool that automatically analyses the crashes fuzzing produces and sorts them into five different classes of memory corruption flaw, without needing source code.

This sounds a bit dry, but a lot of security vulnerabilities have these memory problems at their root, buffer overflows being the obvious example, and fuzzing is good at finding them. Automating the triage of what fuzzing finds makes MSRD a lot more useful.
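As an added example, not code from the original article, from Microsoft or from MSRD/VulnScan, here is a minimal mutation fuzzer in Python that shows both halves of what the article describes: permuting a seed input and feeding it to a parser, then bucketing and minimising the resulting crashes the way a triage tool does. The target parser, its toy “IMG1” image format and its header-trusting bug are all constructed for this example; the function names (parse_image, mutate, crash_bucket, minimize, fuzz) are this example’s own. Only exceptions other than the parser’s documented ValueError count as findings, which is the article’s “chasing bugs that aren’t exploitable” problem in miniature.

```python
# Added example: mutation fuzzer with crash triage. Illustrative only; this is
# not MSRD, VulnScan or OSS-Fuzz code. Target format and bug are constructed.
import random
import struct
import traceback
from collections import defaultdict

MAGIC = b"IMG1"
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary bytes fuzzers favour


def parse_image(data: bytes) -> int:
    """Constructed target: magic, u16 width, u16 height, then width*height
    pixel bytes. Deliberate bug: the loop trusts the header, not len(pixels),
    the same shape as a header-driven out-of-bounds read in C."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("bad header")           # documented, expected error
    width, height = struct.unpack("<HH", data[4:8])
    pixels = data[8:]
    total = 0
    for i in range(width * height):
        total += pixels[i]                       # IndexError when the header lies
    return total


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, interesting byte, truncation, or
    duplication of a chunk (the "tweaked and permuted" inputs of the article)."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        a = rng.randrange(len(buf) + 1)
        b = rng.randrange(a, len(buf) + 1)
        buf[b:b] = buf[a:b]
    return bytes(buf)


def crash_bucket(exc: BaseException) -> str:
    """Bucket key: exception type plus the innermost frame that raised it, so
    thousands of crashing inputs with one root cause collapse into one item."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"


def reproduces(data: bytes, bucket: str) -> bool:
    """True if this input still crashes in the same bucket."""
    try:
        parse_image(data)
    except ValueError:
        return False                             # documented rejection, not a bug
    except Exception as exc:
        return crash_bucket(exc) == bucket
    return False


def minimize(data: bytes, bucket: str) -> bytes:
    """Drop one byte at a time while the same crash still reproduces, leaving
    the smallest reproducer for the engineer doing root-cause analysis."""
    i = 0
    while i < len(data):
        smaller = data[:i] + data[i + 1:]
        if reproduces(smaller, bucket):
            data = smaller
        else:
            i += 1
    return data


def fuzz(seed_input: bytes, iterations: int, seed: int = 0) -> dict:
    """Run the fuzz loop; returns {bucket: [crashing inputs]}. The RNG is
    seeded so a run is reproducible when a crash has to be re-triaged."""
    rng = random.Random(seed)
    buckets = defaultdict(list)
    for _ in range(iterations):
        candidate = seed_input
        for _ in range(rng.randint(1, 3)):       # stack a few mutations
            candidate = mutate(candidate, rng)
        try:
            parse_image(candidate)
        except ValueError:
            continue                             # expected rejection of bad input
        except Exception as exc:                 # anything else is a finding
            buckets[crash_bucket(exc)].append(candidate)
    return dict(buckets)


if __name__ == "__main__":
    seed = MAGIC + struct.pack("<HH", 2, 2) + bytes(4)   # valid 2x2 image
    found = fuzz(seed, iterations=2000)
    for bucket, inputs in found.items():
        print(f"{bucket}: {len(inputs)} inputs, smallest reproducer "
              f"{minimize(inputs[0], bucket).hex()}")
```

Two design choices carry over to real tooling: the bucket key is the crash type plus the innermost faulting location, not the input, so a noisy campaign reports one bug rather than one finding per crashing file; and the minimiser only keeps a deletion if the crash lands in the same bucket, so it never “minimises” one bug into a different one. In a native target the harness would run the binary under a sanitizer or a debugger and key on the faulting instruction address instead of a Python frame.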

Do we know this kind of fuzzing works? And why the recent enthusiasm for it?

According to Microsoft UK’s Mateusz Krzywicki:

Over a 10-month period in which VulnScan was used to triage all memory corruption issues for Microsoft Edge, Microsoft Internet Explorer and Microsoft Office products, it had a success rate of around 85%, saving an estimated 500 hours of engineering time for MSRC engineers.

Microsoft is so pleased with this that it even includes a breakdown of how VulnScan was used to get to the bottom of the Chakra memory corruption vulnerability (CVE-2017-0134), disclosed in March.

Google is also a fuzzing fan, earlier this year talking up the success of its OSS-Fuzz project, claiming to have found 264 vulnerabilities in 47 open source projects.

So it works, and being a black box technique it can work just as well for the bad guys as it does for the good ones. For development teams that have had “start fuzzing” on their to-do list for a while, the emergence of cloud-hosted fuzzing tools on Azure and Google Compute Engine is both a solution to the resources problem and a wake-up call to get on with it.

We don’t know how much MSRD will cost when the wrapper comes off the beta, but I assume it won’t be cheap. There’s no doubt fuzzing could be a sizeable business for Microsoft, helped along by its support for Linux.

It’s as if Microsoft has come full circle from the dark days of 2004, an era when its under-estimation of Windows XP’s security nearly sank Windows. That led to the Security Development Lifecycle (SDL), which laid the foundations for the emerging world of security tools and testing solutions packaged into cloud services.

Microsoft is still not a security company exactly but the advent of cloud fuzzing and the MSRD might yet make it some money from an area that once caused it huge pain.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jaJ8ay3h-oU/

Equifax: up to 15 million more at risk

Credit checking agency Equifax now believes that 15.2 million UK records were affected by the massive data breach that hit its US operation last month.

The records relate to individuals entered into its database between 2011 and 2016, plus “sizeable test datasets, duplicates and spurious fields”, which suggests that potentially anyone in Britain who applied for a financial product requiring a credit check during that period could be caught up in the breach in some way.

Importantly, not everyone is affected to the same degree. The highest-risk group are 693,665 people (up from September’s 400,000 estimate) comprising the following groups:

  • 14,961 people who had “portions” of their 2014 equifax.co.uk membership details accessed, including user names, passwords, secret questions/answers, and partial credit card details
  • 637,430 people whose phone numbers were accessed
  • 29,188 people whose driving license numbers were accessed
  • 12,086 people who had an email address associated with their equifax.co.uk account in 2014

The company is now contacting these people by letter “to offer them Equifax and third-party safeguards” in the form of subscriptions to the company’s ID protection service.

What does this admission tell us about the scale of damage the breach will cause in the UK?

Let’s start with the large number of people not deemed high risk. The company states:

The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed.

In Equifax’s view, then, this group does not face significant risks despite an unknown number having personally identifiable data compromised (data that is often used by banks for security questions, for example). This assessment isn’t exactly reassuring.

The next concern is what Equifax plans to do to protect the nearly 694,000 people in the highest-risk categories.

Of these, 56,235 will be offered free subscriptions to the company’s Equifax Protect ID service that gives users unlimited access to credit files held on them as well as emailed reports of any new activity.

The company hasn’t confirmed how long this service will be offered free of charge, but the risk is likely to remain high for these individuals for many years to come.

The remaining 637,430 whose telephone numbers were accessed will also be offered a free “identity monitoring service”, although it’s not clear which one or for how long it will remain in place.

What the UK Information Commissioner’s Office (ICO) will make of all this is anyone’s guess, but it’s a reminder that one of the most serious data breaches ever to affect UK citizens happened in the US, beyond the oversight of this country’s data protection regime.

It’s not even clear whether 2016’s tightened EU-US Privacy Shield agreement, which governs how data on EU citizens should be handled when transferred to US companies, would have made a difference.

In the end, most of the Britons caught up in the great Equifax breach of 2017 will probably shrug their shoulders. Many will never have heard of Equifax, let alone been aware it held their personal data, and Equifax seems satisfied to have kept them waiting weeks for information.

Security expert Bruce Schneier recently summed up the strange situation “customers” find themselves in with the following observation:

Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.

Judging by the response we’ve seen, people in the US have certainly noticed, but we aren’t holding our breath for reform there either.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5J2tLI8jgS0/

Watch out for these high-pressure Apple malware scams

We noticed a lull in recent months in emails and web pages that SHOUT THAT YOUR MAC IS INFECTED and then offer free advice on what to do next – “free” advice that you should urgently buy a product to remove a threat that doesn’t exist, that is.

But, then it happened.

Like the proverbial buses that keep you waiting for ages and then three come along at once…

…we visited an innocent-sounding website yesterday, only to be bombarded with three different Apple-focused scams in quick succession.

In old-school Windows technical support scams, the scammers often made an effort to avoid actually stating that they worked for Microsoft – they’d say things along the lines of being a team “working with Windows” rather than “a division of Microsoft”.

That distinction made no difference in practice – fake support scams are based on a pack of lies anyway – but seemed to matter greatly to the scammers, as though a tame lawyer had advised them that the ramifications would be worse if they actually claimed to be Microsoft.

(In fact, in at least one case, the scammers turned out to be living a double life – Microsoft Gold Partners by day; con artists by night.)

But in this case, the scammers have unashamedly stolen Apple’s name and brand, claiming to be the Apple Support Center:

Indeed, if you scroll down on the page run by the crooks, you’ll see it is stolen outright from Apple’s official pages – the only difference, surprisingly, is that the crooks have neatened up the layout slightly, avoiding the ugly orphaned word should on a line of its own:

This page comes with a voiceover that churns out a whole list of falsehoods about your Mac, and threatens dire consequences from Apple if you don’t act (the misspellings below, such as “remottly” and “lowver”, reproduce mispronunciations in the audio file itself):


Critical alert from Apple Support. Your Mac has an alert. Your system is infected with viruses, spywares and pornwares. These viruses are sending your credit card details, Facebook logins and personal emails to hackers remottly. Please call us immediately on the toll-free number listed so that our support engineers can walk you to the removal process lowver the phone. If you close this window before calling us, we will be forced to disable and suspend your Mac device to prevent further damage to our network. Error number 268D3.

Refreshing the page a few times produced a slew of different redirections, mostly offering to sell us various domain names or to let us stream TV shows, but we were soon faced with a similar but different scam:

When we clicked [Proceed], we were presented with a fake anti-virus scan, just like the old days, followed by a warning to download and install a third-party Mac utility, from which we assume the crooks will receive some sort of affiliate payout:

A few more page refreshes later, and the third bus, sorry, scam appeared, this time in the guise of a fake Flash update (an amusing irony considering that Adobe actually skipped Flash Patch Tuesday in October 2017, with no update provided):

We weren’t able to find whether the crooks would have foisted a pay-to-play utility on you, or tried to infect you with malware, because the download link – fortunately for any potential victims – wasn’t working:

What to do?

Macs don’t attract anywhere near the amount of attention from cybercriminals as Windows computers, but “much less than” is not the same as “zero”.

In other words, if you’re a Mac user, be sure to follow the same sorts of online safety precautions as your Windows cousins:

  • Use a real-time Mac threat protection product. Look for one that not only has an on-access virus scanner to prevent malware from running, but also has live web protection to stop you arriving at risky URLs in the first place. (Sophos Home is 100% free for Windows and Mac.)
  • Don’t fall for offers of support (or threats of disconnection) that arrive unsolicited. If you didn’t ask for technical help, but it suddenly falls into your lap, just say, “No”.
  • Beware of threat detection tools where the scan is free but when a “threat” is found, you suddenly have to pay. There are plenty of legitimate free tools available, including our own Sophos Home, where detection, prevention and cleanup are all included.
  • If in doubt, don’t rely on unknown web pages for advice. Seek out the help of a friend: someone whom you know, and like, and trust.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bB-kfac3q2c/

‘There has never been a right to absolute privacy’ – US Deputy AG slams ‘warrant-proof’ crypto

Continuing the US government’s menacing of strong end-to-end encryption, Deputy Attorney General Rod Rosenstein told an audience at the US Naval Academy that encryption isn’t protected by the American Constitution.

In short, software writers and other nerds: the math behind modern cryptography is trumped by the Fourth Amendment, and in any case, there has never been an absolute right to privacy.

This message came at the end of Rosenstein’s wide-ranging speech on Tuesday, which repeated fixations heard in previous speeches.

He called for backdoors in April, and doubled down last week, then saying: “Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection.”

In this week’s speech, Rosenstein time-travelled from the American Revolutionary War to the tragic death of US student Otto Warmbier at the hands of North Korean authorities, before launching a volley into encryption.

Amid a rising backlash that’s uniting some tech giants and developers, academics, and civil libertarians, Rosenstein still believes criminal investigators should be able to crack strong and so-called “warrant-proof” encrypted communications on demand without any legal headaches:

Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.

But the advent of “warrant-proof” encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.

Those companies create jobs, design valuable products, and innovate in amazing ways. But there has never been a right to absolute privacy. Courts weigh privacy against other values, including the need to solve and prevent crimes. Under the Fourth Amendment, communications may be intercepted and locked devices may be opened if they are used to commit crimes, provided that the government demonstrates showing of probable cause.

Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety. Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.

Readers will surely be aware that the famed Daniel Bernstein spent nine years establishing that cryptography is free speech in the US, and therefore protected by the First Amendment, a notion that would have to be overturned for Rosenstein to get his way, we presume.

The remainder of Rosenstein’s arguments will already be wearyingly familiar to followers of the debate: encryption can be and should be rendered accessible to law enforcement bearing warrants without weakening it for everyone; and allowing people to “go dark” – such as using cryptography and anonymizing networks – just helps criminals escape justice.

Rosenstein offered a list of what he called “responsible encryption” – in which messages are safeguarded from hackers and criminals yet accessible to authorized third parties – to prove his case, which we present so readers can dismember it in the comments.

“Such encryption already exists,” the Deputy AG claimed. “Examples include the central management of security keys and operating system updates; the scanning of content, like your emails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.”

Rosenstein concluded with:

There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully-informed decision.

El Reg will get the ball rolling by saying content-scanning middle-boxes are known to be insecure, so that’s not a great example of “responsible” cryptography. We await your comments with enthusiasm. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/11/deputy_us_ag_rosenstein_encryption_isnt_free_speech/

North Korean hackers allegedly probing US utilities for weaknesses

Hackers believed to be from North Korea are casing out US electric companies in preparation for a possible cyber attack – so says security firm FireEye.

“FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to US electric companies by known cyber threat actors likely affiliated with the North Korean government,” the infosec outfit reported on Tuesday. “This activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack that might take months to prepare if it went undetected.”

FireEye has previously detected suspected Nork hackers probing the systems of South Korean utilities. The firm adds that DPRK hackers have yet to display the ability to interfere with industrial control systems, much less cause power outages. All this probing is nonetheless a cause for concern.

In December 2014, the South Korean government claimed that nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP) were targeted by wiper malware. North Korean hackers were the prime suspects in the attack, the impact of which may have been exaggerated for propaganda purposes. “This incident did not demonstrate the ability to disable operations,” FireEye said. “Instead, sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean government.”

Reports of reconnaissance on US utilities follow earlier reports alleging DPRK spies stole a large cache of military documents from South Korea, including a plan to assassinate North Korea’s leader, Kim Jong-un.

Documents including wartime contingency plans put together with the US were stolen from South Korea’s defence ministry. Information on power plants and military facilities in the south also featured among the stolen data, the BBC reports.

Rhee Cheol-hee, a South Korean lawmaker who sits on its parliamentary defence committee, said 235GB of military documents were swiped from the Defence Integrated Data Centre, adding that 80 per cent of these documents have yet to be identified. The South Korean defence ministry has so far refused to comment on the breach, which reportedly dates back to last September.

Chris Doman, a security researcher at AlienVault, said: “The recent North Korea cyber hack may relate to the reported August 2016 compromise of the South Korean ministry of defence. The group behind those attacks are named Andariel and likely a sub-group of the attackers behind the Sony attacks, WannaCry and SWIFT banks. They are very active and we continue to see new malware samples from them every week.”

Suspicions that Pyongyang may have stolen intel from South Korea will do nothing to de-escalate tensions with the US, which are already at a 50-year high following the North’s rocket tests. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/11/dprk_hackers_probe_us_utilities/