STE WILLIAMS

WikiLeaks a ‘hostile intelligence service’, SS7 spying, Russian money laundering – all now on US Congress todo list

Every year, US Congress must pass a new Intelligence Authorization Act to continue funding Uncle Sam’s spies for the next 12 months. This year, the act passed, as expected, the committee stage smoothly with only one minor bump in the road: Senator Ron Wyden (D-OR).

Wyden objected to a clause in the bill [PDF] that described WikiLeaks as a “non-state hostile intelligence service,” which was inserted after the website pissed off enough people in government. The wording would give the intelligence services more power to investigate the site and its founder Julian “I’m not in a cupboard” Assange.

This isn’t to say Wyden is defending Assange: the senator fears journalists will also be labeled hostile intelligence services for embarrassing the administration.

“My concern is that the use of the novel phrase ‘non-state hostile intelligence service’ may have legal, constitutional, and policy implications, particularly should it be applied to journalists inquiring about secrets,” said Senator Wyden.

“The language in the bill suggesting that the US government has some unstated course of action against ‘non-state hostile intelligence services’ is equally troubling. The damage done by WikiLeaks to the United States is clear. But with any new challenge to our country, Congress ought not react in a manner that could have negative consequences, unforeseen or not, for our constitutional principles.”

In the end, the act passed the Senate intelligence committee in a vote of 14-1. You can easily guess which side Wyden took.

The senator did, however, manage to get three amendments into the bill, one of which could stymie President Trump’s suggestion that the US and Russia should join forces on a cybercrime unit to investigate hacking. If such a scheme is mooted, Congress will have to be informed as to what intelligence is shared and how. The President backtracked on that idea, for what it’s worth.

Wyden’s second amendment is about mounting fears over hacking mobile phones via SS7 protocol flaws that can turn any mobe into a spy in your pocket. The amendment requires the intelligence agencies to report any evidence that foreign powers are using the SS7 flaw for surveillance purposes.

Finally, Wyden’s third amendment will require US intelligence officials to work with the Treasury Department’s Office of Terrorism and Financial Intelligence on a report into Russian money laundering in the US. Such data could be very useful in the ongoing probe into possible Putin interference in the last US elections.

The tweaked proposed funding legislation will now be submitted to the House of Representatives and the Senate for their approval and modifications. Whether the amendments survive all the way is up to Congress, and whether Trump signs it is up to him. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/intelligence_act_2018_amendments/

Google bakes in sweeter security for Android Oreo

From this week, for a while at least, the word “Oreo” will have two popular meanings that might confuse anyone unfamiliar with smartphone OS naming conventions.

The Oreo is a famous US cookie, of course, but thanks to a commercial tie-up with Google, from August 21 the snack is also the name of the latest version of Android, version 8.0.

The connection between a circular biscuit and the piece of software bearing its name is not immediately obvious beyond the need for a Silicon Valley company to humanise the impersonality of its product empire. But behind the cute name, does Oreo add enough security goodness to the ingredients list?

Compared to Android 7.0 Nougat, launched a year ago, we see useful progress.

Play Protect

First up are tweaks to Google Play Protect, a layer of security features, a confusing number of which (the ability to locate, lock or wipe a device remotely, Play Store and device monitoring, Safe Browsing, etc) have been around for a while.

But at least Play Protect’s settings appear under the Security and Location menu rather than buried under version 7.0’s Google menu where nobody notices them. Google claims that Play Protect enforces “stricter app install controls”, although it doesn’t fully explain how.

The Autofill API

The Autofill API allows Oreo to better integrate with password managers. While these already work on Android, Autofill allows better support for data such as credit cards and addresses across multiple browsers without the need to enable specific permissions. LastPass’s Autofill beta announcement mentions improved performance.

Project Treble

This is a way for smartphones other than Google’s own to get software updates (including patches) faster than at present. The gist is that the part of the OS vendors customise is now kept separate from low-level firmware, making it much easier to update.

Instant apps

Android Instant Apps is a new technology that makes it possible to run or preview apps in the cloud before installing them. This isn’t tabled as a security feature but, in a way, it is: if users can study an app’s behaviour before running it, that offers some reassurance.

Other small improvements include reforming the risky setting that lets users side-load apps from beyond the Play Store. This is no longer a universal setting and must be set for each app (frankly, this should have been done long ago). We are promised that rogue apps can no longer hijack the lock screen.

A new chapter

Perhaps the biggest progress in a year that has seen the usual clutch of Android security scares is simply that Android security improvements are now seen as central to its appeal rather than as entertainment for the paranoia brigade.

This is positive, but another way to assess a platform’s security improvements is to ask how well they might defend against the real-world malware targeting its users.

Google underlined this in July with an analysis of a piece of malware called Lipizzan, allegedly the work of an Israeli cyberarms group. Earlier in 2017, the company discovered a similar piece of spyware called Chrysaor.

These are rare and unusual, but they show what Oreo and every Android version from this point onwards is up against. The punchline? Chrysaor, which came from outside the Play Store, had been targeting Android users undetected for years.

Google’s response is to make Android more locked down and “iPhone-like”, hence the growing importance of Play Protect. What Lipizzan and Chrysaor tell us is that the malware writers will still look for ways to crawl through the cracks that even Google’s clever engineers don’t anticipate.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pys4MjErtGU/

Storm breaks over AccuWeather phoning home without consent

How do you feel about apps tracking you even when you’ve explicitly told them not to? The iOS version of AccuWeather was found to be doing just that by security researcher Will Strafach.

Strafach had peeked into the AccuWeather application (iOS version) and discovered the application was phoning home, even when told not to do so.

This is not the first time an entity has found itself explaining why its app functions differently than expected. In April 2017, Uber’s then CEO, Travis Kalanick found himself receiving a dressing down from Apple’s CEO Tim Cook for “secretly identifying and tagging” iPhones.

This instance is disconcerting, but not as egregious.

According to ZDNet’s Zack Whittaker, who shared Strafach’s research on August 22, the AccuWeather application continued to send data that could be used to deduce location, even when it had been explicitly told not to share location data. This data is shared with Reveal Mobile, the third-party intermediary collecting the location data for AccuWeather’s use.

When users of the AccuWeather app have their GPS location data settings turned off for use with the application, the application stops sending the precise location data to the application’s servers. What Strafach’s findings showed is that the app continued to intermittently share the Wi-Fi router name and MAC address.

With such information, it is child’s play to convert that information into a general geographic location. While there are a great many geolocation applications, ZDNet used the Find Wi-Fi app created by Alexander Mylnikov. We put our own device data into this free app and it immediately found our location with pinpoint accuracy.

Strafach confirmed to Naked Security that he had only looked at the iOS version of the application, and had not reviewed the Android version to determine if it operated in the same manner. He hoped that if the iOS version were fixed, they would also fix the Android one, if applicable.

We reached out to Reveal Mobile and asked for clarification. It acknowledged that the MAC address is obtained, as is the Wi-Fi name, but said that it isn’t using the data in the manner depicted in the ZDNet piece. Nonetheless, it understood the need to make an adjustment.

Reveal Mobile issued guidance on August 21, in which it acknowledged that in “looking at our current SDK’s behavior, we see how that [device location] can be misconstrued”. Reveal told us that users who do not wish to share their location should ensure they have opted out at both device and application level permissions. The guidance also notes that Reveal Mobile “provides the ability for anyone to opt-out of data collection by Reveal Mobile by contacting us directly”.

The new SDK (for both iOS and Android) was released on August 22 with more explicit details within the documentation. It says:

Reveal Mobile provides a native mobile audience SDK that allows developers to provide targeted audiences to their ad network based on a user’s location, beacon interactions and installed applications.

We dug into the referenced Reveal Mobile’s privacy policy, and it explicitly notes:

The IP addresses to which your device connects. When your phone or tablet connects to WiFi, for example, it connects to a specific IP address. We collect these IP addresses as it can help determine other devices that connect to the same WiFi, such as your home laptop or desktop computer.

The wifi router to which your device connects. When your phone connects to a wifi router, we receive back the names of that router, known as the SSID and BSSID.

So what should you do if you’re an AccuWeather user – either on iOS or Android?

  • Turn off your device’s GPS function
  • Opt out for location within the application
  • Turn off the device’s WiFi
  • Contact Reveal Mobile directly and ask that your data isn’t collected.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KpjTe0JkkW0/

Banking trojan-slingers slip past Google Play’s malware defences

Security researchers have uncovered an Android banking malware hiding on Google Play using stealthy new tactics.

A game called “Bubble Shooter Wild Life” and an app named “Earn Real Money Gift Cards” in the Google Play Store are actually designed to drop banking malware named BankBot. “The malware only becomes active when the actors decide to drop the real trojan on the victim’s device and therefore bypassing Google’s internal malware scanner named Bouncer,” Han Sahin, co-founder of Securify, told El Reg.

Separate research from Zscaler supports Securify’s discovery. The apps are capable of abusing Android’s accessibility permissions to download additional programs without the user’s knowledge.

“The malicious apps have been able to conceal themselves by hiding on Google Play and leveraging techniques like time delays and code obfuscation. At this point, the apps are fairly new to the Play store with fewer than 5,000 downloads. However, there is a concern around the increase in availability of dubious apps online,” Zscaler warns.

El Reg asked Google to comment on the incident, in particular the suggestion that crooks had figured out a way to smuggle malicious code past its security controls, but have not yet received a response.

The latest Android security kerfuffle highlights the need for consumers to be careful about downloading applications, even if they come from the official Google store.

App alerts generated by Google can sometimes be wrong. For example, last weekend OnePlus phones started having Google Play flag a preinstalled system app as malicious. “GPIO Switch” generated an apparently false alert. In a response to a thread on its forum, OnePlus said it was chasing the issue. Since the snafu related to a system app, users would be unable to manually uninstall it, even if they wanted to.

El Reg has queried both organisations but we’re yet to hear back. We’ll update this story as and when more information comes to light. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/banking_trojan_on_google_play/

Did ROPEMAKER just unravel email security? Nah, it’s likely a feature

A new attack, dubbed ROPEMAKER, changes the content of emails after their delivery to add malicious URLs and corrupt records.

The assault undermines the comforting notion that email is immutable once delivered, according to email security firm Mimecast. Microsoft reckons the issue doesn’t represent a vulnerability, a stance a third-party security expert quizzed by El Reg backed.

Using the ROPEMAKER exploit, a malicious actor can change the displayed content in an email, according to security researchers at Mimecast. For example, a hacker could swap a benign URL with a malicious one in an email already delivered to your inbox, or simply edit any text in the body of an email, as illustrated here.

The exploit works without direct access to a target’s inbox. The intersection of email and web technologies, more specifically Cascading Style Sheets (CSS) used with HTML, has also introduced an exploitable vector for email. Attackers would be able to weave their malignant magic after redirecting users to dodgy websites.

Being able to alter CSS and change what’s displayed in a message is kind of the whole point of how it works, an independent security expert pointed out. Our man, who asked not to be named, expressed scepticism about Mimecast’s research.

To date, Mimecast has not seen ROPEMAKER exploited in the wild. But the security firm has been able to get the trick to work on the most popular email clients and online services. As such, the hack is particularly useful for targeted attacks, which might already be taking place under the radar.

Matthew Gardiner, cyber resilience expert at Mimecast, said that the firm has shown through testing that email using remote resources (such as a remote CSS) is exploitable.

“We can certainly debate whether it is an application vulnerability (thus requiring a patch), an example of the misuse or abuse of an application, or a fundamental design flaw when email and the web were merged,” Gardiner said. “I would argue it is all three. When you have a remote resource (like a remote CSS) under the control of an untrusted entity, it opens the door to mischief.”

Conveniently Mimecast has been able to add a defence against this exploit for its customers. In the short term, controls in the email clients can mitigate against the threat. The longer-term fix would involve a revision of internet standards and more intelligent security controls at the network and the endpoint, according to Mimecast. ®
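The short-term mitigation the piece refers to, client-side controls, comes down to refusing to let a delivered message pull styling from a server the sender still controls. The scanner and filter below are an added illustration (not Mimecast’s or any mail client’s code) that flag and strip remote stylesheet references from an HTML message; the sample message and its URLs are constructed for the example.

```python
import re
from html.parser import HTMLParser

# A stylesheet reference is "remote" when the client would fetch it over the network at render time.
REMOTE_URL = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)
# @import url("https://...") or @import "https://..." inside a <style> block.
IMPORT_RULE = re.compile(
    r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)['\"]?\s*\)?[^;]*;?", re.IGNORECASE)
LINK_TAG = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
STYLESHEET_REL = re.compile(r"rel\s*=\s*['\"]?[^'\">]*stylesheet", re.IGNORECASE)


class RemoteCssFinder(HTMLParser):
    """Collects every remote CSS reference in an HTML body: <link rel=stylesheet href=...>
    tags and @import rules inside <style> blocks."""

    def __init__(self):
        super().__init__()
        self.remote = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower() and REMOTE_URL.match(a.get("href", "")):
            self.remote.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for m in IMPORT_RULE.finditer(data):
                if REMOTE_URL.match(m.group(1)):
                    self.remote.append(m.group(1))


def find_remote_css(html: str) -> list:
    """Return the remote stylesheet URLs a client would fetch when rendering this message.
    A non-empty list means the displayed content can still change after delivery."""
    parser = RemoteCssFinder()
    parser.feed(html)
    parser.close()
    return parser.remote


def strip_remote_css(html: str) -> str:
    """Client-side control: drop stylesheet <link> tags and @import rules so the message can
    only be styled by CSS that arrived inside it. Inline and embedded rules are kept."""
    html = LINK_TAG.sub(lambda m: "" if STYLESHEET_REL.search(m.group(0)) else m.group(0), html)
    return IMPORT_RULE.sub("", html)


# Constructed sample message: one <link> and one @import point at a remote, sender-controlled host.
SAMPLE_EMAIL = """<html><head>
<link rel="stylesheet" href="https://untrusted.example/mail.css">
<style>
@import url("https://untrusted.example/late.css");
.safe { color: green; }
</style></head>
<body><p class="safe">Visit <a href="https://bank.example/">your bank</a></p></body></html>"""

if __name__ == "__main__":
    print("remote CSS before:", find_remote_css(SAMPLE_EMAIL))
    cleaned = strip_remote_css(SAMPLE_EMAIL)
    print("remote CSS after: ", find_remote_css(cleaned))
```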


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/ropemaker_exploit/

Facebook is making its Safety Check feature permanent

Facebook Safety Check, the tool that lets users tell friends if they’re OK when disaster strikes, has earned itself a permanent home.

Facebook announced on Monday that starting now and continuing through the coming weeks, Safety Check is rolling out as one, central place to check on friends and post your own status. If you don’t see it yet, hang tight: it’s on its way.

As you can see in Facebook’s images, Safety Check is getting its own dedicated button in the app’s navigation menu. It will also be available via the Facebook website on the desktop.

Safety Check will be automated if enough people post about a crisis in a given area. Users will be prompted to use the tool to let friends know that they’re safe and to check up on others who might be in danger.

Safety Check will also be telling people how they can give or receive help. That part of the tool builds on an update to Safety Check, called Community Help, that Facebook introduced in February. While “thoughts and prayers” are all well and good during times of crisis, Community Help is more concerned with getting people tangible help, be it food, shelter and/or transportation.

In June, Facebook also announced updates to Safety Check that included enabling people in the US to start a fundraiser from within the tool. At the same time, the company said that it would be adding more details about given crises. The context is sourced from NC4, a third-party global crisis reporting agency.

Safety Check, which launched in 2014, initially grew out of Japan’s experience with the devastating 2011 magnitude-9 earthquake and tsunami – a disaster that affected more than 12.5m people and caused the evacuation of 400,000, according to the Japanese Red Cross.

In the aftermath, Facebook engineers in Japan built what was called the Disaster Message Board to make it easier for people to communicate. Facebook kept working on that message board until it eventually turned into Safety Check.

Here’s how it works:

Safety Check figures out where you are, either by looking at what you were most recently beaming out as your location with Nearby Friends or by checking out the city listed in your profile, as well as by the city where you’re using the internet.

Safety Check is meant to corral what can be a scattershot way to get updates from a range of social media about your loved ones when something bad happens. But it hasn’t escaped criticism: following the horrific Grenfell tower blaze in west London in June, some users said that Safety Check added to people’s stress in its drive to increase user engagement.

One such user lived six miles away from the site of the fire, he said. Essentially, he and other detractors say, Safety Check overreaches, flagging people who don’t live close enough to a crisis to be affected.

At any rate, given its tighter integration with Facebook’s apps, the tool is clearly here to stay, for better or worse.

And considering that there’s a lot of “worse” these days — be it the recent murder of a woman following the white supremacist rally in Charlottesville, Virginia, or the terrorist attack in Barcelona (pictured) that left 14 killed and 120 injured — there are likely far more people who are glad to have a tool to easily find out if friends are safe than those who wish Safety Check would go silent.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EzBe0sGukSg/

Adware API sends smartmobe data home to Chinese company

Mobile developers, listen up: when you pick up that easy-to-use advertising API, make sure it’s not snoopware.

That’s the lesson, the take-out, or (god have mercy on my soul) key learning from work by security outfit Lookout, whose analysis of the Igexin advertising SDK ended with hundreds of apps returning “not found” on Google Play.

The firm found the SDK behaved badly by watching over smartphones and saving call time, calling number, and call state and sending that back to igexin.com.

More than 500 apps that Lookout checked were carrying the SDK, after the company’s researchers spotted apps communicating with malware-associated IP addresses and wondered why.

“We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK”, the company explains here.

“The encrypted file downloads and the presence of calls within the com.igexin namespace to Android’s dalvik.system.DexClassLoader (used to load classes from a .jar or .apk file) were enough to warrant more in-depth analysis for possible malware hiding in its payload.”

From there, the researchers went on to find that some versions of the SDK had a framework allowing the client to load arbitrary code, getting their instructions from the endpoint http://sdk[.]open[.]phone[.]igexin[.]com/api.php.

The app would then download and load JAR files that implemented the SDK’s “phone home” capability. And, as the discussion notes, neither the user nor an app’s developer has any control over what happens: “Users and app developers have no control over what will be executed on a device after the remote API request is made”.

While the amount of data the app could exfiltrate was still constrained by Android’s permissions, Lookout says in addition to call logging, it still spotted one app that exfiltrated user logs.

While Lookout doesn’t say “apps phoned home to China”, they didn’t stop far short of making that allegation. The igexin.com domain’s registrar is Beijing-based Xin Net Technology Corporation, a registrar that has in the past been named as spam-friendly, and that ICANN [PDF] named in 2014 as having breached its registrar agreement. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/adware_api_phones_home_to_chinese_company/

Identity fraud in the UK at ‘epidemic’ levels as cases rise 5% – report

There were almost 90,000 cases of identity fraud recorded in the first six months of 2017 – 5 per cent higher than the first half of last year, according to data released today.

Fraud prevention firm Cifas, which released the figures, said identity fraud was rising at record levels and now accounts for more than half of all fraud reported by its members.

“We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day,” Cifas chief exec Simon Dukes said.

These frauds are “taking place almost exclusively online”, he said, with online crime comprising 83 per cent of the total in the most recent figures.

There has also been a shift in the types of product targeted by identity fraudsters this year.

Although plastic cards and bank accounts remain the most common products – with 29,852 and 24,759 reported cases, respectively – these figures represent declines of 12 and 14 per cent.

Meanwhile, there has been a 61 per cent increase in telecoms-related fraud, rising to 9,097, and a 56 per cent increase in online retail, rising to 5,097.

The figures also give an indication of the ages of the fraud victims, although not all cases recorded a date of birth, and some frauds involve an entirely fake identity.

The overall profile of fraud by age group remained the same as in the first half of 2016, with most of the cases in the 31-40 and 41-50 brackets (24 per cent and 23 per cent, respectively).

However, under-21s saw a big increase in identity fraud this year, jumping 50 per cent, from 684 to 1,023 cases in the first half of 2017, compared with 2016.

Glenn Maleary, head of the economic crime division at the City of London police, said the increase in online fraud was “no surprise”, adding that increased use of social media allows criminals easier access to a wealth of personal information.

Dukes echoed this statement, noting that the “vast amounts” of data held online – and exposed to breaches – is “only making it easier for the fraudster”.

Dukes added: “For smaller and medium-sized businesses in particular, they must focus on educating staff on good cybersecurity behaviours and raise awareness of the social-engineering techniques employed by fraudsters. Relying solely on new fraud prevention technology is not enough.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/identity_fraud_cifas_report/

Lottery-hacking sysadmin’s unlucky number comes up: 25 years in the slammer

The lottery sysadmin who fooled around with random numbers has a new variable to consider: how much of his latest sentence, of up to 25 years, he’ll actually have to serve.

While working for the Iowa offices of the Multi-State Lottery Association, Eddie Tipton’s scam was to rig the lotteries’ random number generator so that on certain days, he’d be able to predict the numbers.

As we reported in 2015, he tampered with security cameras watching over a lottery machine, and installed a rootkit that let him run his own code.

The scam came unstuck in an investigation over a US$16.5 million winning draw in December 2010, when gas station CCTV showed a customer, later identified by co-workers as Tipton, buying the winning ticket.

His attempts to collect the winnings anonymously brought him to the attention of authorities.

In July 2015, he was handed a maximum ten-year sentence for fraud, but that wasn’t the end of the matter: prosecutors in several states also chased him on charges of lottery fraud.

The Des Moines Register reports a Polk County, Florida, court has added its sentence to Tipton’s woes.

District Court Judge Brad McCall has given him a maximum 25 years, but his lawyers hope for parole within three or four years.

Investigators believe the scam eventually reached six lotteries in five states, and Tipton was helped by his brother Tommy and a Texas businessman called Robert Rhodes, who was drawn into the investigation in December 2015. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/23/florida_judge_gives_lottery_scammer_more_private_time/

News in brief: AWS buckets leak more data; NHS hit by hacker; ‘Mr Smith’ may publish GoT episodes

Your daily round-up of some of the other stories in the news

There’s a hole in my AWS bucket

We’ve written about data breaches many times where the leak has come from improperly secured Amazon Web Services (AWS) buckets, with organisations hit ranging from Dow Jones and Verizon to the Democratic National Committee, and Amazon has since issued guidance to help its customers secure their instances.

So it’s not good news to see that yet another organisation, this time hotel booking service Groupize, has apparently allowed data to leak from its AWS bucket. According to the researchers, as reported by MacKeeper, the Boston-based company had stored data including full credit card details, contracts and agreements in an AWS repository that required neither logins nor passwords.

Groupize has denied that any sensitive details were leaked, and added that it was “grateful [Kromtech, the researchers] shed some light on a potential vulnerability on one of our S3 buckets on Amazon. We have taken immediate action to remedy the situation.”

If you’ve got data in an Amazon S3 bucket, now might be a good time to double-check that you’re not inadvertently sharing it with the world.
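A bucket ends up requiring “neither logins nor passwords” through one of two settings: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Allow statement names every principal. The checker below is an added example (not Amazon’s guidance or tooling) that evaluates those two documents offline; in practice you would feed it the dictionaries returned by the S3 `get_bucket_acl` and `get_bucket_policy` API calls, but the ACLs and policy here are constructed samples.

```python
import json
from typing import List, Optional, Tuple

# Grantee group URIs that make an ACL grant world-readable/writable.
# AuthenticatedUsers means "any AWS account at all", which is public for practical purposes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (group, permission) pairs from a bucket ACL that open it to everyone."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission", "")))
    return found


def _principal_is_everyone(principal) -> bool:
    """A policy Principal of "*" or {"AWS": "*"} (alone or in a list) matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[dict]:
    """Return the Allow statements in a bucket policy that apply to any principal.
    A Condition block may narrow the grant, so it is flagged for review rather than ignored."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    hits = []
    for index, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            actions = st.get("Action", [])
            hits.append({
                "sid": st.get("Sid", "statement[%d]" % index),
                "actions": actions if isinstance(actions, list) else [actions],
                "conditional": "Condition" in st,
            })
    return hits


def bucket_is_public(acl: dict, policy_json: Optional[str]) -> bool:
    """True when either the ACL or the policy (if the bucket has one) grants access to everyone."""
    if public_acl_grants(acl):
        return True
    return bool(policy_json) and bool(public_policy_statements(policy_json))


# Constructed samples: a bucket left world-readable by ACL, and one locked to its owner.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
OPEN_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LOCKED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

# Constructed policy that lets anyone fetch any object from the bucket.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("ACL grants to everyone:", public_acl_grants(OPEN_ACL))
    print("policy statements for everyone:", public_policy_statements(OPEN_POLICY))
    print("locked bucket public?", bucket_is_public(LOCKED_ACL, None))
```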

Healthcare provider data exposed in hack

And while we’re on the subject of data breaches, the UK’s beleaguered National Health Service (NHS) has apparently been the focus of an attack, with 11m records relating to 1.2m patients allegedly stolen.

A man claiming to be linked to Anonymous told The Sun that he had been able to access the database of a company called SwiftQueue, which provides an appointment-booking service to eight NHS trusts, the administrative units that manage hospitals and services in the regions.

The man told The Sun: “I think the public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details.”

SwiftQueue said that its initial investigation had found that only 32,501 “lines of administrative data” – including patient names, emails, dates of birth and phone numbers – had been exposed. It added that the breach had been “fixed within three hours”.

HBO hackers threaten to release more GoT episodes

The group targeting HBO has been busy again, this time threatening to make the final two episodes of the current series of Game of Thrones available online.

The group that calls itself “Mr Smith” gave Mashable details of its latest data dump, which apparently also includes passwords to a number of HBO’s social media accounts. The group told Mashable that it has “access to many HBO platforms already”.

HBO said it’s not “in communication with the hacker and we’re not going to comment every time a new piece of information is released … the hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in.”

It seems that that “stolen information” may well be those episodes of Game of Thrones. In its email to Mashable, “Mr Smith” added: “Be ready for GoT … as soon as possible.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5JqcKzADoTg/