STE WILLIAMS

US government: We can jail you indefinitely for not decrypting your data

The US government is fighting to keep a former police officer in prison because he claims not to be able to remember the code to decrypt two hard drives under investigation.

Francis Rawls, a former sergeant in the Philadelphia police department, has spent nearly two years in prison for contempt of court after refusing to provide the passcode for two hard drives that were taken from his house in 2015 during an investigation into child abuse images.

Rawls claims he can’t remember the passcode for the two drives, encrypted using Apple’s FileVault system. The government says that he’s stalling because he fears that the contents could see him in serious trouble with his former employers.

The ex-cop has twice appealed the decision to detain him, once in federal court and once in the 3rd US Circuit Court of Appeals. His lawyers argue that holding him breaches his Fifth Amendment right not to incriminate himself.

Both courts turned him down. In the latter case, the appeals court noted that a forensic examination of the drives showed they had been used in a computer that had visited child abuse sites, and that the government claimed they contained files with the same hash values as known child pornography files.
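
The hash-value claim above rests on a routine forensic technique: every file on the evidence is hashed and the digests are compared against a set of digests of known files. The following is an added example of that check, not code from the case or from The Register. The "known" hash set is built here from a constructed sample file so that the run is reproducible; real examinations use vendor-supplied hash sets, and nothing in this block is such data.

```python
import hashlib
import os
import tempfile

# Constructed sample contents. The hash set is derived from KNOWN_CONTENT so the
# match below is reproducible; OTHER_CONTENT is a decoy that must not match.
KNOWN_CONTENT = b"constructed sample: known file contents\n"
OTHER_CONTENT = b"constructed sample: unrelated file contents\n"


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, read in chunks so that
    large evidence files are never loaded into memory at once."""
    hashes = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashes)


def build_hash_set(contents):
    """Build a set of known digests (all three algorithms) from sample contents,
    standing in for a vendor hash set that normally ships as a digest list."""
    known = set()
    for c in contents:
        known.add(hashlib.md5(c).hexdigest())
        known.add(hashlib.sha1(c).hexdigest())
        known.add(hashlib.sha256(c).hexdigest())
    return known


def scan_tree(root, known):
    """Walk root and return a sorted list of (relative path, matching digest)
    for every file whose digest appears in the known set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            for digest in file_hashes(path):
                if digest in known:
                    hits.append((os.path.relpath(path, root), digest))
                    break  # one match per file is enough to flag it
    return sorted(hits)


def demo(known_contents=(KNOWN_CONTENT,)):
    """Create a temporary tree with one known and one unknown file, scan it,
    and return the hits. Used both as the runnable entry point and as the
    hook for the test below."""
    known = build_hash_set(known_contents)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "a.bin"), "wb") as fh:
            fh.write(KNOWN_CONTENT)
        with open(os.path.join(root, "b.bin"), "wb") as fh:
            fh.write(OTHER_CONTENT)
        return scan_tree(root, known)


if __name__ == "__main__":
    for rel_path, digest in demo():
        print(f"MATCH {rel_path} {digest}")
```

Two caveats a practitioner would want stated: digest matching only identifies byte-identical files, so a re-encoded or cropped copy will not match (near-duplicate detection needs perceptual hashing, which is a different tool), and the scan has to run over decrypted content, which is the whole point of the dispute above.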

On Monday Rawls’ legal team filed a request [PDF] that he be released on bail pending his final appeal to the US Supreme Court. The filing pointed out that Rawls’ stay in prison had already exceeded the maximum 18-month sentence under the 28 USC § 1826 statute for failure to comply with an order to testify or provide other information in federal judicial proceedings.

But on Wednesday the government hit back [PDF], saying that Rawls should stay in prison until he coughs up his encryption keys. It points out that Rawls isn’t being held under 28 USC § 1826, but rather the All Writs Act – the archaic legislation the FBI tried to use against Apple.

The government says it is not asking for his decryption keys per se: he simply needs to perform the physical act of decrypting the drives, after which he is free to go. It also argues that, because Rawls did not invoke his Fifth Amendment rights in his initial appeal, he cannot raise that defence now.

It points out that in other cases people have been held in contempt of court for nearly seven years, and cites the appeals court ruling that there is “no temporal limitation on the amount of time that a contemnor can be confined for civil contempt when it is undisputed that the contemnor has the ability to comply with the underlying order.”

The government points out that if the drives do contain child abuse images then Rawls is looking at over 20 years in prison, and there is no statute of limitations for crimes against children. It asks that Rawls should be given another chance to decrypt the drives, and if he refuses, he should get used to prison. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/ex_cop_jailed_for_not_decrypting_data/

Siemens patches one security vuln, leaves folks to block second

Siemens has patched a session-hijacking vulnerability in its LOGO!8 BM FS-05 industrial automation hardware, but a second, man-in-the-middle flaw remains unpatched.

The vulnerabilities were turned up by German researcher Maxim Rupp.

According to Siemens’ advisory, CVE-2017-12734 can be exploited by an attacker to sniff the session ID from an active user session.

If the device’s admin web server is visible from the internet and a user is logged in, a remote attacker could hijack the admin session. The equipment maker notes the admin interface should be restricted to trusted networks. All versions of LOGO!8 BM older than 1.18.2 are vulnerable and need a firmware update.
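
The flaw described above is the classic failure mode of an admin interface served over plaintext HTTP: anyone who can see the traffic can read the session identifier and replay it. The block below is an added example of the passive check a defender would run over captured traffic to find such exposure; it is not Siemens’ code, the advisory does not name the LOGO! web server’s cookie, and the cookie name SESSIONID, the addresses and the captured messages are all constructed for the example.

```python
import re
from collections import namedtuple

# A captured HTTP message modelled as (transport scheme, source, destination,
# raw headers). All four samples below are constructed; "SESSIONID" is a
# hypothetical cookie name, not one taken from the Siemens advisory.
Capture = namedtuple("Capture", "scheme src dst raw")

SAMPLE = [
    Capture("http", "192.0.2.50", "192.0.2.10",
            "HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=ab12cd34; Path=/\r\n\r\n"),
    Capture("http", "192.0.2.10", "192.0.2.50",
            "GET /admin HTTP/1.1\r\nHost: 192.0.2.50\r\n"
            "Cookie: SESSIONID=ab12cd34; lang=en\r\n\r\n"),
    Capture("http", "192.0.2.11", "192.0.2.50",
            "GET /index.html HTTP/1.1\r\nHost: 192.0.2.50\r\n\r\n"),
    Capture("https", "192.0.2.12", "192.0.2.51",
            "GET /admin HTTP/1.1\r\nHost: 192.0.2.51\r\n"
            "Cookie: SESSIONID=ff00ff00\r\n\r\n"),
]

# Heuristic: cookie names that usually carry a session or auth token.
SESSION_NAMES = re.compile(r"(sess|sid|token|auth)", re.IGNORECASE)


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP message; names lower-cased.
    The first line (request or status line) is skipped and the empty line
    terminates the header block."""
    headers = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def find_cleartext_sessions(captures):
    """Flag session identifiers carried over plaintext HTTP.

    Each finding is (kind, src, dst, cookie_name, token, missing_flags):
    kind is "cookie" (client to server) or "set-cookie" (server to client),
    and missing_flags lists Set-Cookie attributes that were absent."""
    findings = []
    for cap in captures:
        if cap.scheme != "http":
            continue  # only the cleartext transport is sniffable on the wire
        for name, value in parse_headers(cap.raw):
            if name == "cookie":
                for pair in value.split(";"):
                    cname, _, token = pair.strip().partition("=")
                    if SESSION_NAMES.search(cname):
                        findings.append(("cookie", cap.src, cap.dst, cname, token, []))
            elif name == "set-cookie":
                first, *attrs = [p.strip() for p in value.split(";")]
                cname, _, token = first.partition("=")
                if SESSION_NAMES.search(cname):
                    present = {a.split("=")[0].lower() for a in attrs}
                    missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in present]
                    findings.append(("set-cookie", cap.src, cap.dst, cname, token, missing))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_sessions(SAMPLE):
        print(f)
```

Note that the missing Secure flag is reported for completeness only: on a device whose web server speaks nothing but HTTP, the flag cannot help, which is why the advisory’s real mitigation is to keep the interface off the internet and on a trusted network until the firmware is updated.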

The second, unpatched vulnerability is CVE-2017-12735. It is mainly a local-network risk: an attacker with access to the network could mount a man-in-the-middle attack between a LOGO! BM unit and other devices.

In the absence of a fix, Siemens provides configuration instructions which include using a VPN to protect traffic between cells in the network.

The Register notes that such mitigations are more likely to be applied in industrial and commercial environments with IT and security teams. However, Siemens also pitches the at-risk units at domestic uses – gate controls, for example – where there may be no dedicated IT person to apply updates, making the upgrades less likely.

Other Siemens patches that landed this week include a fix for products affected by a resource exhaustion flaw, and a denial-of-service bug in a Sentron Ethernet module. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/siemens_patches_one_vuln_leaves_customers_to_block_second/

Instagram’s leaky API exposed celebrities’ contact details

Instagram is blaming a bug in its API for the partial breach of verified users’ accounts.

All verified users have been notified that some of their profile data – email address and phone number – could have been viewed by one or more attackers.

The Facebook-owned organisation isn’t explaining any details of the API flaw, which it says has been patched. It’s not clear, for example, whether the API only leaked verified members’ details, or whether attackers only dug into verified accounts because they’re more likely to be celebrities.

The notice to users says the malicious activity “was targeted at high-profile users,” and urged extra vigilance, particularly if anyone encountered “unrecognised incoming calls, texts, and e-mails”.

As entertainment industry bible Variety has reported, someone recently hijacked actor Selena Gomez’s account to post Justin Bieber nudes.

While it’s feasible that Gomez was tricked into giving her credentials to an attacker who’d obtained her e-mail or phone number through the API bug, there’s nowhere near enough information to definitively link the two events.

The New York Daily News says Instagram confirmed to it that only one attacker had tried to exploit the bug.

The Register notes that the API lets developers see profile information, which is why Instagram and Facebook both had to change their terms of service in March to prevent developers mining data for surveillance purposes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/instagram_leaks_verified_members_contacts_via_api_bug/

Trump’s cybersecurity advisers quit, warning of ‘insufficient attention’

More than a third of the White House National Infrastructure Advisory Council (NIAC) has given President Donald Trump a failing grade on cybersecurity. But before that, they had a hand in a draft cybersecurity plan that could improve that grade.

A group resignation, which reduced the council from 28 to 20 members last week (three were Obama administration holdovers), came with a resignation letter protesting what the outgoing members said was Trump’s “disregard for the security of American communities”.

Much of their focus was on moral and environmental issues – what they said was Trump’s failure to “denounce the intolerance of hate groups,” after the violence in Charlottesville, Va., and his withdrawal from the Paris climate agreement.

But they also cited “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process”.

They’re not the only critics. Sen. John McCain (R-AZ), chairman of the Senate Armed Services Committee and a regular critic of the president, recently had harsh things to say about both Trump and his predecessor, President Obama, when it comes to their leadership on cybersecurity.

Speaking at the Arizona State University Congressional Conference on Cybersecurity last Wednesday, McCain said that as America’s enemies “seized the initiative in cyberspace, the last administration offered no serious cyber deterrence policy and strategy. And while the current administration promised a cyber policy within 90 days of inauguration, we still have not seen a plan.”

All of which is true, but all of which is not the whole truth. Trump has indeed been late – quite late – on promises regarding cybersecurity. He promised an executive order on it within weeks of his inauguration, and was reportedly due to sign it in late January, but it was delayed until May 11.

That order, however, did provide some specifics – it instructed federal agencies to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity.

It got mixed reviews from cybersecurity experts. Jacob Olcott, vice-president at BitSight and former legal adviser to the Senate Commerce Committee and counsel to the House of Representatives Homeland Security Committee, said it was “smart policy and a big win for this administration”.

On the other side, Daniel Castro, vice-president of the science- and tech-policy think tank Information Technology and Innovation Foundation (ITIF), called it “mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country needs to address its most pressing cyberthreats”.

But such a plan could be in the works if the administration acts on a draft report approved just a couple of weeks ago by the NIAC, prior to the resignations.

The report, titled “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure”, is based on “the review of hundreds of studies and interviews with 38 cyber and industry experts, (which) revealed an echo chamber, loudly reverberating the enormity of the challenge and what needs to be done”.

It says that while both government and the private sector have

… tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks … today we’re falling short. Cyber capabilities and oversight are fragmented, and roles and responsibilities remain unclear. We’re simply not organized to keep up with the threat.

The report declares that “there is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack to organize effectively and take bold action”.

And that is followed by 11 recommendations, which include:

  • Establish separate, secure communications networks, specifically designated for the most critical cyber networks.
  • Facilitate a private-sector-led pilot of machine-to-machine information sharing technologies.
  • Identify best-in-class scanning tools and assessment practices, and work with owners of critical networks to scan and sanitize their systems.
  • Strengthen today’s cyber workforce by sponsoring a public-private expert exchange program.
  • Streamline and expedite the security clearance process for owners of the nation’s most critical cyber assets.
  • Rapidly declassify cyber threat information to share it with owners and operators of critical infrastructure.
  • Create a task force of experts in government and the electricity, finance and communications industries, to act on the nation’s top cyber needs with the speed and agility required by escalating cyberthreats.

All of which sounds a lot like a plan.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/29Q0LjdnW1A/

News in brief: AI writes new GoT book; Google breaks out of the speaker; Cortana and Alexa hook up

Your daily round-up of some of the other stories in the news

Can’t wait for the next GoT book?

For Game of Thrones fans feeling bereft after the end of season seven and fed up of waiting for creator George RR Martin to deliver the sixth of seven planned novels in the series, help is at hand. Well, sort of.

“Huge fan” Zack Thoutt of Udacity is busy training a neural network to write new chapters of “the book we’re all waiting for”.

As he explains on the Udacity blog, “writing the code for the model and training it only took a few days of work, and after tuning the model’s hyperparameters, I started to get some interesting results”.

You can judge for yourself: Zack has posted the first five chapters of the new book on GitHub to read. Does a neural network mean that we can now discard the old metaphor of unlimited monkeys and typewriters, and will it keep you happy until spring 2019, when it’s thought that the next series of Game of Thrones makes it to air – assuming of course hackers don’t release it first, that is?

‘Hey Google, is my washing done?’

How do you feel about asking your washing machine if your laundry cycle is finished? Or telling your sprinklers to water the lawn – all without having to get off your sofa?

Just as we’ve started to get used to having smart speakers in our homes, with the Amazon Alexa devices – the Echo and the Dot – and Google Home, the next stage, according to Google, is adding its smart assistant to a much wider range of devices.

Google said at the annual IFA consumer tech show in Berlin that it was adding its Assistant to three other manufacturers’ devices: Anker’s Zolo Mojo speaker, the Mobvoi TicHome Mini and Panasonic’s GA10. And there are more partnerships to come – including LG, which, we learned at IFA, will soon add the ability to start the washing machine and check on your dryer’s progress.

‘Alexa, make friends with Cortana’

Meanwhile, another smart assistant partnership was being announced – an unlikely tie-up between the two giants of the Seattle area: Amazon’s Alexa and Microsoft’s Cortana.

The New York Times reported on Wednesday that the two companies have been collaborating for the past year to get the two assistants to talk to each other, and the functionality is expected to be rolled out by the end of the year.

What’s smart about this tie-up is that the two assistants are on very different devices and used in different ways. Cortana is actually pretty good at the kind of queries you might ask of a mobile device, but the death of the Windows Phone platform means it’s largely confined to PCs, whereas the Amazon devices have found a solid foothold in people’s homes – and are always on, which a laptop isn’t.

Amazon boss Jeff Bezos pointed out to the NYT that Cortana is deeply and very effectively integrated with Microsoft Office, which means for example that you could ask Alexa what time and where your next meeting with your boss is.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ubF7y7Q9Ocs/

Pacemaker patch passes probe by US watchdog

It’s probably the most crucial patch of the year: Abbott Laboratories’ reworked firmware for its St Jude pacemakers has won the US Food and Drug Administration approval to ship.

According to the regulator’s statement, the upgrade should go smoothly, nearly all the time.

Its statement says “installing the updated firmware could potentially result in the following malfunctions (including the rate of occurrence previously observed).” Here are the risks to which users will be exposed:

Problems with various pacemakers and the Merlin@Home control system, made by St Jude (which Abbott later acquired), first emerged when MedSec Holdings uncovered the bugs, shorted St Jude’s shares, and then went public with its findings.

The Merlin@Home patch landed in January.

The pacemaker firmware flaws covered by the patch “could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

In approving the firmware, the FDA notes the upgrade means patients won’t need their devices replaced. They will have to visit their specialist, where the patch is applied using the RF wand that programs the pacemaker.

Abbott’s letter (PDF) issued in conjunction with the FDA says the patch also includes data encryption, and disables network connectivity features. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/st_jude_pacemaker_patch_approved/

‘Open and accessible’ spambot server leaks 711 million records

A spambot operation has leaked 711 million email addresses in a massive data breach.

A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands. The “open and accessible” system stored dozens of text files containing a huge batch of email addresses, some passwords and a list of email servers used to send junk mail.

Many of the addresses are repeated, defunct or otherwise unusable, according to an initial analysis by Troy Hunt, the security researcher behind the haveibeenpwned.com breach notification service. However, a number of the records come with passwords – credentials that spammers abuse to distribute junk mail.

The latest leak rivals the River City Media spill from March as the largest-ever breach involving a bulk mailer. Both spills leaked a witch’s brew of merged data from multiple sources, including the 2012 LinkedIn data breach among many others.

Jim Walter, senior research scientist at Cylance, said: “This is an important reminder of one aspect of the data-breach lifecycle. The threats outlined are not new or novel, nor is the credential harvesting/storage methodology. Data breaches don’t end after the public disclosure. Leaked/breached data can continue to live on and be used, reused, sold, resold, etc.”

James Romer, EMEA chief security architect at multi-factor authentication firm SecureAuth, added: “This latest Spambot leak highlights the fact that passwords are the root cause of many serious security problems for organisations today. 700 million passwords and email addresses is a treasure trove for cybercriminals, but despite increasingly complex password use, data breaches continue to soar.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/spambot_leak/

Oh, ambassador! You literally are spoiling us: Super-stealthy spyware hits Euro embassy PCs

A highly advanced piece of malware, dubbed Gazer, has been found in embassies and consulates across Eastern Europe.

The software nasty was discovered by security shop Eset, which says the code uses a two-stage process to insert itself into Microsoft Windows machines. In a report published today, we’re told the initial point of infection is a spearphishing email attachment, which when opened drops and runs malware dubbed Skipper. That code then downloads Gazer.

The Gazer nasty opens a backdoor on the infected machine, is written in C++, and is designed to be hard to spot. It hides out in an encrypted container, using RSA and 3DES algorithms to scramble its bytes, and communicates with its command-and-control center by going to legitimate websites that have been compromised. It has been active since 2016, according to Eset.

It also regularly cleans up after itself, wiping out files it creates and generally covering its tracks. The code itself is written to look like it might be related to a video game, with phrases like “Only single player is allowed” dotted around in the binaries.

Once installed and running, Gazer allows full remote code execution and activity monitoring by its operators. It can also get out onto the infected PC’s network to spread, but doesn’t automatically do so.

Based on the malware’s similarity to other cyber weapons, it might be the work of the Turla hacking group – a Russian-speaking collective that is thought to be partly state sponsored by Putin’s government. Given the choice of targets, it seems likely that diplomatic espionage was the goal of the malware’s masterminds.

“Although we could not find irrefutable evidence that this backdoor is truly another tool in Turla’s arsenal, several clues lead us to believe that this is indeed the case,” the Eset team reports.

“First, their targets are in line with Turla’s traditional targets: Ministries of Foreign Affairs and embassies. Second, the modus operandi of spearphishing, followed by a first stage backdoor and a second stage, stealthier backdoor, is what has been seen over and over again.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/malware_on_embassy_computers_in_europe/

Bitcoin users, the taxman wants to know what’s in your piggybank

Can Bitcoin help you escape the latter half of Ben Franklin’s famous declaration that the only certainties in the world are death and taxes?

We’re likely to find out sometime in the coming months. While nobody has cheated death so far, some people figure the odds of avoiding taxes are way better – if the Internal Revenue Service can’t trace their profits.

But the IRS, very much aware of that kind of thinking, is working just as hard to reduce the odds on taxes to the same as those on death.

As is well established, Bitcoin – probably the best-known cryptocurrency – is widely used in the criminal underworld, since users can remain largely pseudonymous. But, besides the fact that the IRS demands that you pay your taxes on all income, including illegal income, it is going after those whose earnings may be totally legit but who also want to keep it all.

And while the lure of Bitcoin is its apparent anonymity, Big Brother is getting close to drawing back that veil. At a minimum, he knows where to look.

The Daily Beast reported last week that the IRS has had a contract since 2015 with Chainalysis, a New York-based company that markets a “Reactor” tool to track and analyze the movement of Bitcoin transactions. The goal of the agency is obvious – to “follow the money” as it moves from wallet to wallet, and eventually to an exchange where the owner cashes out in dollars or another fiat currency.
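
To make the “follow the money” idea concrete, here is an added example of the two basic operations such tracing rests on: grouping addresses that are spent together in one transaction (the common-input-ownership heuristic, which assumes one party controlled all the inputs) and walking the transaction graph from a suspect address until the coins land at a known exchange deposit address. This is illustrative code, not Chainalysis’ Reactor or any of its methods; the ledger, addresses, transaction IDs and exchange address list are all constructed.

```python
from collections import deque

# Constructed toy ledger. Each transaction spends from "inputs" and pays to
# "outputs" (address, amount in BTC). Nothing here is real Bitcoin data.
LEDGER = [
    {"txid": "tx1", "inputs": ["alice1"],
     "outputs": [("mixer_a", 2.0), ("alice_change", 0.5)]},
    {"txid": "tx2", "inputs": ["mixer_a", "mixer_b"],
     "outputs": [("hop1", 1.5), ("hop2", 1.5)]},
    {"txid": "tx3", "inputs": ["hop2"],
     "outputs": [("exch_deposit_7", 1.49)]},
    {"txid": "tx4", "inputs": ["bob1"],
     "outputs": [("bob_savings", 3.0)]},
]
# Hypothetical deposit addresses attributed to an exchange.
EXCHANGE_ADDRESSES = {"exch_deposit_7", "exch_deposit_8"}


def cluster_by_common_input(ledger):
    """Union-find over inputs: addresses spent together in one transaction are
    assumed to have one owner. Returns a list of address sets."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger:
        ins = tx["inputs"]
        root = find(ins[0])
        for addr in ins[1:]:
            parent[find(addr)] = root
    clusters = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return list(clusters.values())


def trace_to_exchange(ledger, seed, exchange_addresses):
    """Breadth-first walk from seed along spends until a known exchange address
    is reached. Returns (exchange address, [txids on the path]) or None."""
    by_input = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            by_input.setdefault(addr, []).append(tx)
    queue = deque([(seed, [])])
    seen = {seed}
    while queue:
        addr, path = queue.popleft()
        if addr in exchange_addresses:
            return addr, path
        for tx in by_input.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [tx["txid"]]))
    return None


def trace_owner(ledger, seed, exchange_addresses):
    """Trace from every address in the seed's common-input cluster, so that
    funds the same owner moved from a sibling address are not missed."""
    cluster = next((c for c in cluster_by_common_input(ledger) if seed in c), {seed})
    results = {}
    for addr in sorted(cluster):
        hit = trace_to_exchange(ledger, addr, exchange_addresses)
        if hit:
            results[addr] = hit
    return results


if __name__ == "__main__":
    print(trace_to_exchange(LEDGER, "alice1", EXCHANGE_ADDRESSES))
    print(trace_owner(LEDGER, "mixer_b", EXCHANGE_ADDRESSES))
```

The walk attributes every output of tx2 to the trail from alice1 even though tx2 merged coins from two addresses; that is the heuristic’s blind spot, and deliberately merging many parties’ inputs in one transaction is exactly how coin-mixing services try to defeat it. It is the same reason the story below notes a move to Zcash and Monero, whose designs hide the inputs and outputs this walk depends on.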

Based on pretty simple math, the IRS figures it’s more than worth the $88,700 it has reportedly paid Chainalysis so far – there’s likely a lot of people out there who aren’t paying their “fair share”.

For one thing, the gap between number of people dealing in Bitcoin and the number declaring income from it is wide – very, very wide.

The IRS said in court documents that between 2013 and 2015, fewer than 900 people per year reported income on Form 8949, which is used to account for “a property description likely related to Bitcoin”. That compares rather pitifully to the number of people using Coinbase – “the largest exchanger in the US of Bitcoin into US dollars,” according to the government – with 4.8m users and 10.6m wallets.

For another thing, it’s been a red-hot investment. Bitcoin’s US value was $13 at the start of 2013, and during the three-year period grew to nearly 85 times that, spiking to more than $1,100. Since then the percentage increase has slowed, but its US value was $4,563 at the time of publication, with some predictions that it could soar to $20,000 in the next three years, although there are others who think it’s a bubble, with about as much long-term value as a Ponzi scheme.

But, focusing on the three-year search of Form 8949s, the Department of Justice filed an ex parte petition last November in US District Court in California seeking authorization for the IRS to issue a “John Doe” summons that would require Coinbase to provide information on any US persons who

… at any time during the period January 1, 2013, through December 31, 2015, conducted transactions in a convertible virtual currency as defined in IRS Notice 2014-21.

The taxpayers being investigated have not been or may not be complying with US internal revenue laws requiring the reporting of taxable income from virtual-currency transactions.

With pretty good reason – Bitcoin and other virtual currency transactions don’t produce any third-party documentation, like the 1099s you receive from your bank or investment brokers.

Coinbase refused to comply, complaining that the summons was “indiscriminate and over broad”. And the company got some heavy hitters on its side in May, when several committee chairs in both the House and Senate sent a letter to IRS Commissioner John Koskinen seeking more information on the summons, which they said could affect as many as 500,000 people – 90% of whom they said were

… engaged in less than $10,000 in cumulative, gross transactions during the entire period requested.

Based on the information before us, this summons seems overly broad, extremely burdensome and highly intrusive to a large population of individuals.

Perhaps in response to that pressure, the IRS blinked in July – pretty big time. It reduced the scope of the summons to include only users who had made “at least the equivalent of $20,000 in any one transaction type (buy, sell, send or receive) …”

Which obviously would leave the vast majority of “less fortunate” Bitcoin players out of the dragnet.

Fortune reported in March that Coinbase CEO Brian Armstrong had offered to provide customers with 1099-B forms – the ones banks and brokerages provide. But the case is still ongoing.

And however it is resolved, this will not end the cat-and-mouse game. As a number of reports on the conflict noted, criminals are endlessly adaptive, and so are the tools created to serve them. Some have already left Bitcoin in favor of other virtual currencies like Zcash, which promises to “fully protect the privacy of transactions using zero-knowledge cryptography”, or Monero, which offers “secure, private, untraceable currency”.

Not to mention that, at least for now, they aren’t under the same level of federal scrutiny.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mKX7rIAUKeY/