STE WILLIAMS

Artificial Intelligence: Experts Talk Ethical, Security Concerns

Global leaders weigh the benefits and dangers of a future in which AI plays a greater role in business and security strategy.

CYBERSEC EUROPEAN CYBERSECURITY FORUM – Kraków, Poland – The future of artificial intelligence was a hot topic at the third annual CYBERSEC Cybersecurity Forum, where security professionals representing Poland, the Netherlands, Germany, and the United Kingdom discussed the pitfalls and potential of AI, and its role in the enterprise.

Is it too soon to have this discussion? Absolutely not, said Axel Petri, SVP for group security governance at Deutsche Telekom AG. “Now is the time to ask the questions we’ll have answers for in ten, twenty years,” he added. Cybersecurity supported by AI and machine learning can leverage data to generate more insight and fight fraud.

“You are able to use the workforce you have in a smarter and better way by using AI,” he said. “How nice would it be if we could have a junior SOC analyst act as well as the smartest guy in the SOC, of which you currently have very few?”

Andrzej Zybertowicz, research fellow at Nicolaus Copernicus University and social adviser to the President of Poland, explained that while locally used artificial intelligence can increase cybersecurity, the effects are “potentially disastrous” on a global scale. It’s time to discuss the broad risks of AI and regulations to avoid them, he said, and others agreed.

“The problem is, there are so many risks,” said Noel Sharkey, professor of artificial intelligence and robotics at the University of Sheffield, who believes there are both opportunities and threats in the field. “There’s not just one thing.”

Sharkey presented an example in the medical field, where AI could help doctors research diseases. This is a good thing, he said, but what happens when the machine is right long enough and the doctor stops questioning it? Should a doctor automatically agree with a machine? What are the implications if they do, and the machine someday gets it wrong?

“What’s core is making sure there’s clear accountability, and being concerned with the types of controls we seek in AI,” Sharkey continued. There is a need for deep learning, and deep reinforcement learning, as we seek AI applications in child care, elder care, transport, and agriculture. “Future-proofing” AI should consider its implications for human rights.

“Artificial intelligence transforms everything around us; every industry, our health, our education,” explained Aleksandra Przegalinska-Skierkowska, assistant professor at Kozminski University and research fellow for Collective Intelligence at MIT. “Especially if we want autonomous vehicles or virtual agents, we need a code of conduct for them.”

We are at a point when people have begun to reflect on issues related to machine ethics and morality, she added. Building a structure for ethical AI systems should be a collaborative effort, especially as more businesses generate connected products.

“From the perspective of a company selling digital services, we should put one very important thing at the center of our attention — this is a customer using the AI,” said Petri. “What we need is the trust of users in every technical system. If we don’t have their trust, we don’t have users.”

The discussion of regulatory measures soon turned to threat actors who will break them. Almost every technology is dual-usage and can be weaponized, Zybertowicz pointed out. “We are here talking about rules, but we are dealing with a group of bad actors who don’t play by the rules,” said Petri. “The bad guys are innovating faster than the good guys.”


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/threat-intelligence/artificial-intelligence-experts-talk-ethical-security-concerns/d/d-id/1330081?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Smut-watchers suckered by evil advertising

Security bods have closed off a malvertising campaign, spread through an ad network, that targeted smut site P0rnHub.

The attacks exposed “millions of potential victims in the US, Canada, the UK, and Australia”, said the Proofpoint researchers who discovered the attack.

Proofpoint said the campaign was waged by the KovCoreG group (distributor of the Kovter malware) for more than a year.

Kovter isn’t new: it turned up in poisoned ad campaigns in 2015, and again earlier in 2017.

Proofpoint said the most recent campaign hooked users through fake Chrome/Firefox/IE browser updates (and a fake Flash update for good measure), and the attack was active for more than a year until the ad network, Traffic Junky, and the smut site lowered the boom.

“The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network”, Proofpoint writes.

As an example of the obfuscation the campaign used, Chrome users were hit with a JavaScript which beaconed back to the attackers’ server: this prevented analysts working through the infection chain if their IP hadn’t checked in.

“This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment. This is most likely why this component of the chain has not been documented previously.”

“It should be noted that both P0rnHub and Traffic Junky acted swiftly to remediate this threat upon notification”, Proofpoint noted in its post. ®

Bootnote: Using “Pr0rnHüb” instead of the site’s real name helps our news to pass content filters so you can enjoy this news at work.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/smut_watchers_suckered_by_evil_advertising/

Leaky-by-design location services show outsourced security won’t ever work

We’re leaking location data everywhere, and it’s time to fix it by design.

An example: if you go on safari in Africa, you’ll be asked to turn off your smartphone’s location tracking capabilities.

The reason is that most people have no idea that every photo they take with their phone embeds location data in the exchangeable image file format (EXIF) metadata that describes each snap. But poachers know. And when a stream of snaps depicting something remarkable hits the web, they read that EXIF and know exactly where to start their hunt for a valuable beast.

Hence the request for a visit to your phone’s Settings before safaris.

It gets worse. As reported in El Reg, a little bit of code published to GitHub a fortnight ago showed how any app granted access to the photos on your smartphone (hint: that’s quite a few of them) can simply walk through your database of images and generate an accurate map of your movements. In many cases this record of movements can go back years.

Every geek I’ve told about this had the same reaction: a facepalm. Of course our photos keep a record of our movements. Of course any app that has access to our photos can produce a map of our movements. Two unrelated features collide, generating a kind of retrospective self-surveillance of which the NSA would be proud.

First things first. Close that security hole on iOS 11 by going to Settings > Privacy > Location Services > Camera. That screen lets you turn off that automatic location tagging of images. On Android YMMV but try Settings > Apps > Camera > App Permissions > Location. Next, review all the apps that have access to the Camera Roll, and revoke the lot – they’ll ask for permission next time, and then you can make your own call about whether their need is commensurate to the risk.

We need much more finely-grained access controls for our image archives. Apps should be able to have write access easily, but read access provably needs to be far more restrictive and conditional and time-limited.

What about all the other places you’ve posted your photos – Facebook and Flickr and Picasa? Can’t someone simply wander through those images, stalking you via a breadcrumb trail of EXIF location data? Of course they can.

If that weren’t bad enough, yesterday software engineer Rob Heaton published a short essay showing how to use WhatsApp to track the waking and sleeping patterns of almost anyone, anywhere, just by using their phone number. That little bit of location data – activity – leaks out of WhatsApp all the time, and can be used to map your active hours just as surely as any fitness tracking device.

This huge-and-growing hole in privacy flags another, larger issue that can no longer be avoided: we cannot simply outsource our security to others. Neither Google nor Apple is wholly capable of anticipating all of the mis-use cases that end with our data being weaponised against us. You can’t fault them for trying – it’s just that the problem is too big for any one company (even companies worth north of a half a trillion dollars) to handle.

Whether they’re even interested in plugging this hole is another matter altogether.

This is not the kind of security issue that can be patched. This is a problem of design, or rather, a lack of design thinking with respect to the security and privacy of the individual.

We urgently need a reset, rethink, and redesign, grounding this process inside an ethics and methodology of individual privacy, integrity and security. We need to do this for ourselves – in partnership with the device manufacturers, software architects, carriers, and app makers. Everyone has to be involved in a comprehensive assessment of devices that are so intelligent and so flexible they are being put to uses beyond the imagination of any single actor.

That process will not be easy: Privacy is the enemy of utility, and security is the enemy of seamlessness. Something that “just works” is almost always something that “just leaks” private information.

No one wants a world that’s both connected and hostile. No one wants to worry about every photo snapped — or every word uttered around Siri or Alexa or Google Assistant. But unless we change our ways, the future looks like an infinite series of facepalms. Forever. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/leakybydesign_location_services_show_outsourced_security_wont_ever_work/

SiteLock: Website Attacks Surged 186% in Q2

Websites mostly belonging to small- to midsized firms got hit with more than 60 attacks per day on average, new analysis finds.

Websites belonging to small- to midsized (SMB) businesses experienced an astonishing 63 attacks per day in the second quarter of this year, a study by SiteLock showed.

That number, which extrapolates to some 23,000 attacks annually, represented an increase of 186% over the 22 attacks per day that websites averaged during the same period last year. Automated bots were responsible for more than 85% of these attacks.

Despite the steep increase in attacks, many websites were inadequately protected and site owners instead relied heavily on search engines and third parties, such as Web hosting providers, to alert them about potential security issues and breaches. Four in 10 site owners continued to erroneously believe their hosting provider was responsible for website security, SiteLock found.

SiteLock’s report is based on an analysis of data from more than 6 million websites and from a survey of over 20,000 website owners.

“Many website owners are unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they’ve been compromised,” says Logan Kipp, WordPress evangelist at SiteLock. That sort of alerting typically only happens after a breach has occurred – when it is too late, he says. “Bottom line; website owners need to take proactive secure measures.”

The tendency by website owners to rely on search engines and browser-makers to warn about security issues had another downside as well. Browsers correctly flagged only 23% of infected websites in SiteLock’s study as being dangerous for visitors. The remaining 77% of infected websites provided no warning to users at all because search engine and browser makers tend to be overly cautious about marking sites as being potentially unsafe, SiteLock said.

For purposes of the study, SiteLock described a website attack as any activity prohibited by administrator-configured security preferences or prohibited by SiteLock’s global security rules. Some common examples of activities that were considered a website attack included SQL injection and cross-site scripting attacks, cross-site request forgery (CSRF), and local and remote file inclusion and other common attacks such as those outlined by the Open Web Application Security Project (OWASP).

As has been the case for several years now, many website compromises in Q2 resulted from common, well-known Web application vulnerabilities. SQL injection (SQLi) and cross site scripting (XSS) errors once again topped the list of most commonly occurring Web application vulnerabilities.

Over 300,000 of the six million-plus websites that SiteLock considered for the survey had either a high-risk SQL injection bug or a high-risk XSS issue. On average, a website with an SQLi vulnerability had 20 vulnerable URLs each across their site, while those with XSS flaws averaged 74 vulnerable URLs site-wide. The survey’s results suggest that there may be as many as 90 million websites worldwide that have similar issues.

The numbers are especially significant because they pertain only to high-risk SQLi and XSS flaws of the sort that can be detected quickly, SiteLock said.

CMS Mess

SiteLock’s analysis also showed that a website’s content management system had an impact on overall security. Websites running Joomla, for instance, tended to be more than twice as vulnerable to attacks compared to websites running WordPress or Drupal. Nearly one in five of the sites running Joomla had a version that stopped receiving security updates as many as five years ago.

“One of the reasons that Joomla websites demonstrated an elevated risk profile in our analysis was the low adoption rate for updates we observed in the sample,” Kipp says. “The largest single version subgroup for Joomla was those running v1.5, which has not been supported since September of 2012, and demonstrated an infection rate of 6.31%,” he says.

Interestingly, even when a CMS had the latest security updates, it often ended up being vulnerable because of buggy plug-ins. This was especially true in the case of WordPress, which supports the ability to integrate a wide variety of third-party plugins, SiteLock said in its report. Some 44% of those plugins had not been updated for over a year at the time that SiteLock was doing its report. Not surprisingly, nearly 7 in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

The SiteLock analysis also showed that websites infected with spam generally tend to have a lot more infected files compared to other websites. In Q2 2017, spam-infested websites averaged some 1,967 malware-infested files: 62% of which consisted of spam; 23%, backdoors; and 8%, malicious redirects.

“Spam infections are notorious for dumping a lot of files into websites,” Kipp says. Only eight percent of the total infected websites in the SiteLock study contained spam. Even so, spam accounted for 62% of all the infected files that SiteLock discovered.

“This means that spam infections are characteristically much more disruptive in terms of their scope of impact with regard to file structure,” he says. “For example, your average infected website may only have a handful of files directly impacted by malware, but spam infections may create hundreds or thousands of files and directories, making them one of the noisier infection types.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/sitelock-website-attacks-surged-186--in-q2/d/d-id/1330079?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to do cybersecurity at work

It’s now the second week of October, and that means the second themed week of National Cybersecurity Awareness Month (NCSAM) has kicked in.

Last week’s theme was Simple steps to online safety, so we gave you 3 tips for cybersecurity throughout your digital life – small behavioural changes that ramp up your resilience to cybercrooks.

This week’s theme is more work-focused, and is officially entitled Cybersecurity in the workplace is everyone’s business.

We couldn’t agree more.

Computer security at work used to be IT’s problem; IT set the rules, and that was that.

But there are two problems with that approach: it’s inefficient (IT can’t predict everything that might go wrong), and it’s unbalanced (if IT doesn’t block a website, for example, that doesn’t automatically make it safe to use).

It’s a bit like speed limits – they’re statutory maxima, so you’re never allowed to exceed them, no matter how important you might think you are; at the same time, they’re not entitlements, so it’s often necessary to drive slower, perhaps much slower, than the signposted limit.

We have several articles of tips and a Facebook Live video planned for this week, so keep your eyes on the Naked Security website, and follow our @NakedSecurity Twitter feed, as we give you our advice on How to do cybersecurity at work.

#ICYMI, last week we ran a competition on @NakedSecurity to find the worst security advice ever, with a prize of Sophos socks. (We’ve just announced the winner.)

This week, we’re looking for the weirdest scam you’ve ever received, so be sure to head to Twitter and tell us – this week’s prize is a beanie, nicely timed for the Northern winter.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QTZ0R5AGXlU/

5 security mistakes your IT team wish you wouldn’t make

It’s National Cybersecurity Awareness Month (NCSAM) and this week’s theme is Cybersecurity in the workplace is everyone’s business.

I’m a Service Engineer working in IT at Sophos and Naked Security asked me to share my thoughts on the mistakes that the IT people in your workplace secretly wish you wouldn’t make.

Your IT guys and girls will thank you for reading it!

1. Lock your computer

Plenty of people lock their computers when they walk away from their desks, but enough people don’t bother that this one is top of my list.

Remember to lock your computer!

Your screen isn’t meant for anyone else’s eyes so if you’re not looking at it, nobody else should be looking at it either. Nobody else should be using your login either, no matter if it’s a colleague sending a joke email in your name when you go for a coffee or a rogue employee rifling through your stuff for confidential information.

To lock your Windows computer use CTRL+ALT+DEL and select Lock, or press ⊞+L. (That square character is the key with the Windows logo on it.)

On a Mac press CTRL+⌘+Q (the four-leafed clover key is also labelled “command”), or press the power button briefly.

2. Loose lips sink ships

The expression “loose lips sink ships” is a phrase used in World War 2 to warn of the dangers of unguarded talk. It works in cyber security too.

It’s easy to leak information by accidentally sending things to the wrong people, saying the wrong thing in the wrong place, mislaying printed documents or leaving meeting rooms without erasing whiteboards.

So, re-read what you’re about to send in emails, instant messages or texts, and make sure that it will go to your intended recipients.

Review files before attaching them – it’s easy to leak sensitive information if it’s in a small section of a much bigger spreadsheet or document.

When you’re talking, be aware of where you’re standing and who is around you. Ask yourself if it’s appropriate to share what you’re saying about sales figures, targets, staffing or whatever else you’re talking about with the people in earshot.

And erase the whiteboard before you leave a meeting room. It’s not just a courtesy for the next users of the room, but a routine precaution that ensures nothing confidential will find its way onto the mobile phone of a camera-happy passer-by.

3. Save regularly

I’m aware of how easy it is to get sucked into whatever it is you’re doing but we can’t protect things that you haven’t saved. Saving things regularly, to the appropriate place – such as network drives – ensures that the data you have is secure in the event that your laptop is stolen.

We’ll make sure your work laptop is encrypted so that your data won’t end up in the wrong hands if your laptop is lost or stolen, but we can’t recover your data if you haven’t saved it somewhere safe and secure where we can keep an eye on it for you.

4. Separate personal and professional

If you use your home email, personal WhatsApp account – or anything else outside the reach of your IT’s policies – for work then we can’t protect you and you’ll be answerable for the consequences.

If you use your work computer, email or phone for personal stuff, for eBay, PayPal, adult websites (it happens), pictures of your kids and pets, or anything else, it won’t be there if you leave the company. As an IT professional the first thing I’ll do after revoking your access is to wipe your stuff, poof, gone!

And, whilst I can assure you that almost all of us in IT are lovely and would never take advantage of the information you’ve left behind, there will always be some bad apples. The principle of least privilege applies – we don’t need access to your personal stuff so we shouldn’t have it.

5. Tell us what happened (seriously, tell us everything)

Finally, if you have to report something to your IT department please, please don’t cut down or amend your story. We want to know everything. Something small and insignificant can drastically change the troubleshooting steps we need to go through and even a small detail missed can reduce our efficiency and effectiveness.

We want to know literally everything you can remember before and after an event to build a better picture of what happened. (We will find it eventually and be annoyed you didn’t share!)

We’re on your side, and we’d love to have you on ours – we’re all in this together.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kPJBOTCwvws/

Fending off cyber attacks as important as combatting terrorism, says new GCHQ chief

Keeping the UK safe from cyber attacks is now as important as fighting terrorism, the new GCHQ boss has said.

Jeremy Fleming, director of the signals intelligence service, said increased funding for GCHQ was being spent on making it a “cyber-organisation” as much as an intelligence and counter-terrorism unit.

Fleming, who joined GCHQ from the security service (MI5) earlier this year, told The Telegraph: “If GCHQ is to continue to help keep the country safe as we prepare for our second century, then protecting the digital homeland – keeping our citizens safe and free online – must become and remain as much part of our mission as our global intelligence reach and our round-the-clock efforts against terrorism.”

The UK’s National Cyber Security Centre said last week that there had been 590 “significant” cyber attacks needing a national response in the last year, as previously reported. This included the WannaCry ransomware outbreak that disrupted the operations of several NHS trusts back in May and attacks on parliamentary email systems in June, among others.

Fleming’s take on the importance of cybersecurity is the most extensive public comment he has made since leaving MI5 to head up GCHQ, but it shouldn’t be mistaken for a significant shift in priorities or policies by the UK government. For example, the government reaffirmed cyber as a tier-one threat in its 2015 National Security Strategy (PDF, page 13) and has committed to spending £1.9bn between 2016 and 2021 on updating this. Cyber has been treated as a tier-one threat since the 2010 defence review. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/09/gchq_cyber_priority/

New 4G, 5G Network Flaw ‘Worrisome’

Weaknesses in the voice and data convergence technology can be exploited to allow cybercriminals to launch DoS attacks and hijack mobile data.

4G and 5G wireless networks’ Evolved Packet Core (EPC) architecture can be exploited to intercept and collect mobile data as well as launch denial-of-service (DoS) attacks, according to new research. 

Positive Technologies recently discovered a key flaw in EPC’s GTPv2 protocol: EPC’s special interfaces used to exchange information between its components and based on its GTPv2 protocols lack built-in data encryption mechanisms.

The findings represent the latest in a string of vulnerabilities discovered in 4G networks. Researchers have spotted flaws that can be exploited to make IMSI-catchers more adept at snooping, as well as to allow the Diameter protocol to play a role in launching DoS attacks on 4G and 5G devices.

EPC converges voice and data on the network, a step up from processing voice and data separately. But EPC also has shortcomings, says Dmitry Kurbatov, head of Positive Technologies’ telecommunications security department.

When a user is on a 4G network with his or her mobile phone, the EPC nodes use a number of protocols, including the General packet radio service Tunneling Protocol (GTP). This protocol is a group of IP-based communications protocols that carry general packet radio service within mobile networks. It allows mobile users to remain connected to the Internet when traveling or moving about, Kurbatov explains.

However, DoS attackers using brute force on Tunnel Endpoint Identifiers (TEIDs) can disconnect a number of users at once, because multiple phone connections run through the same GTP tunnel, he adds.

“The potential risks are large enough to be worrisome,” says Silke Holtmanns, a security expert at Nokia Bell Labs, who has conducted research on the 4G Diameter protocol.

Attackers looking to exploit these types of vulnerabilities in 4G networks do not need hard-to-obtain tools or considerable skill, says Kurbatov.

“Before 4G LTE, voice-call interception required that attackers have special equipment and in-depth knowledge of all the specific protocols used for voice calls,” explains Kurbatov. “But since 4G networks are built on the principle of an all-IP network, the attacker can use all currently available hacking tools, which are largely automated and do not require a deep understanding of the nature of the attack.”

Other risks include EPC nodes found exposed on the Internet that then can be hacked and, of course, there is always the potential of an insider gaining access to the infrastructure to launch attacks, says Pavel Novikov, head of Positive Technologies’ research group for telecom security.

Security researchers like Andrew Blaich at Lookout say 4G and 5G attackers are likely to be groups with an interest in conducting surveillance on others, such as nation-states, or cybercriminals seeking to commit bank fraud and other crimes.

Risks to Smart Cities, Businesses, and Users

The 4G and 5G EPC attack scenarios largely fall into three categories: interception of data, such as text messages and unencrypted email messages; collection of data, such as the location of the device; and disruption of services, such as DoS attacks.

“Just like with any DoS attack, IoT devices used in the infrastructure of smart cities can be almost permanently disconnected from the network, which means cities lose control over their operation,” says Kurbatov.

Enterprises should assume that when they send something over a 4G or 5G network, it has the potential to be intercepted, says Blaich. As a result, organizations should safeguard their apps, devices, and services with their own security layer, rather than relying on the security of the network.

He also advises enterprises to use apps and services that have the latest version of TLS, or HTTPS, to ensure data cannot be easily decrypted when connected to a website. He adds that man-in-the-middle security technology should be deployed to catch improperly signed certificates that pretend to vouch for bogus services.

“These protections need to be enabled at the device and app layer as well as checks back on the services and server side to ensure proper end-to-end protection for sensitive data,” Blaich advises.

For users, the risk on a 4G or 5G network is similar to other mobile networks as well as on Wi-Fi, warns Blaich. Users need to use apps that transmit data securely using secure transport channels and protocols, rather than relying on SMS/MMS for sensitive information, he adds.

Positive Technologies has not contacted mobile operators regarding its findings in its report, but instead has contacted industry trade groups, such as Groupe Speciale Mobile Association (GSMA), to notify them of its research and potential ways to address the architecture security issues, says Kurbatov. Ultimately, he notes, the responsibility mainly falls on mobile operators to resolve the issue.

Holtmanns holds a similar view. “There are huge differences between operators. Not all networks are equal,” she warns, adding that some operators will push security improvements through, while others do not.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/perimeter/new-4g-5g-network-flaw-worrisome-/d/d-id/1330062?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Video games used to be an escape. Now not even they are safe from ads

VB2017 Poor disclosure and intrusive advertising are becoming a bête noire for gamers who increasingly find themselves getting fragged by promos.

Adverts in gaming or advergaming systems are becoming more complex as marketeers resort to techniques that embed advertising deep enough so that earlier ad-blocking attempts no longer work. The market was explored in a talk by Chris Boyd of Malwarebytes titled Exploring the virtual worlds of advergaming, which was delivered at the Virus Bulletin conference in Madrid last week.

Around $41bn of the estimated $90bn gaming market is spent on mobile and around $2.7bn on VR. A survey for game engine developer Unity Industries found that 62 per cent of gamers would regularly interact with ads for an in-game reward.

Developers are making use of heat maps to calculate the best location for placements. Game level design sits hand in glove with exposure to branding. For example, in first-person shooters, narrow checkpoints will be covered in posters. Overturned vending machines that offer the sole source of cover in exposed areas may be festooned with advertising. Players are obliged to stand up to shoot before crouching down to cover behind a branded logo multiple times in order to complete a level.

Mobile apps have embraced advergaming, trending against upfront payments in favour of free games financed through data collection, adverts and in-app purchases. Of the top 30 games on Google Play, 27 apps contained ads and the same number contained in-app purchases. All were free to download and targeted casual gamers.

Terms-of-use policies for mobile games can be absurdly long. The linked privacy policies for Tetris run to 407,000 words, compared to 450,000 words for the entire Lord of the Rings trilogy. The Tetris count would be even higher but for the 30 per cent of pages that were unobtainable. “This is a truly astonishing number of words to attempt to read, in order to play a simple mobile game,” Boyd commented.

In the arms race between ad-slingers and ad-blockers, DNS blocking offered one way to filter out ads from games. One of the newer blocking counters involves turning ads into a component of gameplay. Players need to view an ad to progress or power-up or even keep playing. This approach is most prevalent on free-to-play mobile games.

And if ad-blocking or filtering moves into augmented reality, something that wants to add digital elements to the real world – and developers are trying – there could be serious health issues with tracking, analytics and privacy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/09/mobile_gaming_ads/

1,000 jobs on the line at BAE Systems’ Lancashire plants – reports

BAE Systems, maker of military machinery, is to slash more than 1,000 jobs, according to reports, with most roles affected at its Warton plant in Lancashire – the main factory that builds the Eurofighter Typhoon.

While nominally a multinational aircraft, the Typhoon is effectively a BAE design from top to bottom and under the sovereign control of the UK; in September, Defence Secretary Sir Michael Fallon signed a letter of intent with the Qatari defence minister to sell the Middle Eastern nation 24 of the fighter jets, as built by BAE Warton.

“After a number of years of negotiations between our two countries, I am delighted to have been able to sign today with Qatar’s Defence Minister, this Statement of Intent on the purchase of 24 Typhoon aircraft by Qatar,” burbled Sir Michael at the time.

Meanwhile, Sky News reported that the Warton redundancies “are understood to relate largely to a continued slowdown in production of the Eurofighter Typhoon fighter aircraft” and referred specifically to an upcoming potential deal with Saudi Arabia. The Saudis already fly a relatively large number of Typhoons, as can be seen by looking up serial numbers ZK060 onwards on an unofficial UK military aircraft serial number database. Military aircraft built in Britain for export customers are put on the UK military register for flight testing and delivery.

The Financial Times reported this morning that a potential order for 48 more Typhoons from Saudi Arabia may not materialise, adding: “BAE’s jet exports are likely to halve in 2018, and again in 2019,” quoting figures from an industry analyst.

The expected redundancies would come three months after BAE’s new chief exec, Charles Woodburn, took post. In an August statement, Woodburn said: “We are confident that we will win further Typhoon orders, what we can’t be confident around is the timing.”

More than 9,000 people are employed at Warton and the neighbouring site at Samlesbury, both in Lancashire, according to the BBC. A BAE spokesman told the broadcaster: “If and when there are any changes proposed we are committed to communicating with our employees and their representatives first.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/09/bae_systems_1000_job_cuts_reports/