STE WILLIAMS

News in brief: Vertus go cheap; Uber debuts chat; Ikea gets smart

Your daily round-up of some of the other stories in the news

Vertu auctions its phones off

Last month, it was announced that Vertu was calling time on producing luxury mobile phones after a scheme to stop the company going into liquidation failed.

At the height of production, the handmade, bejewelled phones were out of most people’s price ranges. Even the company’s ‘budget’ range, the Vertu Aster, started at £4,500 (roughly $6,000).

But the company is now auctioning off its back catalogue for a fraction of the original price tags.

A Ferrari Quest Edition Phone in Black Ceramic with Sapphire Keys that would have sold for around £5,500 ($7,100) is currently going for £450 ($580), and a Signature 18k yellow gold model that retailed at £14,700 ($19,000) can be yours for ‘only’ £1,550 ($2,011).

Also listed is the company’s entire Vertu museum collection and other collectibles, including a bronze sculpture of a soldier riding a horse.

Uber gets in-app messenger

Uber’s latest app update will roll out with a communication feature to replace its clunky method of sending an SMS or calling your driver. The new messenger will allow drivers and riders to chat live directly through the app.

To contact their drivers, riders will choose ‘contact’ then ‘chat’ from the feed section of the Uber app. In turn, the app will read the message aloud and the driver will be able to send a thumbs up with one tap. As with many messaging services, both parties will be able to see when their messages have been sent and read.

As well as the ease-of-use factor, the messenger will enable riders and drivers around the world to keep their phone numbers private and put a stop to those awkward text exchanges.

Ikea gets smart

TechCrunch reports that Ikea has added another tentacle to the IoT (Internet of Things). The latest version of the Swedish furniture company’s smart lighting system can be controlled from your phone via Apple’s HomeKit, or by voice using Amazon Echo or Google Home.

The update also makes it possible for your Ikea lights to hook up with your Philips Hue bridge hub.

If the Philips Hue bridge sounds familiar but you’re not sure why, perhaps you’re recalling its wobbly internet debut. In a move that won’t surprise anyone familiar with IoT stories, the bridge originally came with an API (a way for other computer programs to talk to it) that was unencumbered by either authentication or encryption, an approach to security that our own Paul Ducklin rather charitably described as “underwhelming”.

Hue lights have also had 15 minutes of fame thanks to their own eye-catching vulnerability. The joint Israeli-Canadian team that discovered it publicised their work with a video that showed a drone taking control of the bulbs remotely and then using them to flash an SOS in Morse code.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yrOZ__AjQuQ/

Can GCHQ order techies to work as govt snoops? Experts fear: ‘Yes’

Analysis The UK Home Office’s ambiguous response to whether or not the Investigatory Powers Act gives the British government the authority to pressure or force people to work for GCHQ is troubling.

When Reg reader Simon Clubley pointed out the unclear wording of section 190 of the new law, it generated a lively debate among legal experts and security pros, covered by The Register back in May.

The wording was ambiguous enough that not even experts could discern whether the compulsion to assist in surveillance operations applied only to telecoms firms, or whether security experts could be press-ganged into assisting the UK’s law enforcement and intelligence agencies.

Clubley decided to ask the Home Office for clarification directly, an inquiry that sparked a curious response – a key extract is below:

Section 190 of the IPA allows equipment interference authorities to require the assistance of any person in giving effect to a bulk equipment interference warrant (section 126 of the Act provides for this in the context of targeted equipment interference warrants). A warrant can only be served on a person whom the equipment interference authority considers may be capable of providing the assistance required by the warrant. In some circumstances equipment interference agencies and other persons will work co-operatively together, without the need to serve a warrant.

While a warrant can be served on any person, the duty to comply [our italics] with providing assistance in relation to a targeted or bulk equipment interference warrant, is only enforceable against a telecommunications operator, as set out in section 128 of the IPA.

A telecommunications operator who has been served with a warrant must take all steps for giving effect to a warrant which are notified to them. A telecommunications operator will not be required to take steps which are not reasonably practicable to take.

Allegedly, there are safeguards against misuse:

Bulk equipment interference warrants will be subject to a “double-lock” system whereby a Secretary of State and a Judicial Commissioner must be satisfied that the warrant is necessary and proportionate before it may be issued.

Any individual who thinks that surveillance powers have been used against them unlawfully can apply to the Investigatory Powers Tribunal to review their case.

Er, OK.

Clubley told El Reg: “The Home Office are saying that, yes, literally anyone can be served with a warrant but they are also saying that only telecommunications companies can be compelled to assist.

“The disconnect between those two statements doesn’t seem to make sense. After all, why give yourself the power to do something if you cannot then enforce it?”

He added: “The only conclusion I have been able to reach is that the government knew it would never get a law passed which compelled everyone to cooperate with GCHQ, so they are instead relying on the actual act of serving a warrant to intimidate people into cooperating.”

The Home Office statement indicates that, under paragraph (3)(f) of section 132 of the IPA, anyone served with a warrant – even if they are under no obligation to assist the government – is liable to prosecution simply by revealing they had been served with a warrant, said Clubley.

“This leaves the government free to shop around, serving warrants on multiple experts, until they find one they can intimidate into working with them,” according to Clubley. “For myself, if I received such a warrant, I would simply tell the government to get lost, but I can imagine for some people, actually receiving such a warrant, along with threats about what would happen if they revealed its existence, would be enough to scare them into cooperating with the government,” he added.

Prof Alan Woodward, a computer scientist at the University of Surrey in the UK, agreed that the Home Office letter was “ambiguous.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/gchq_techie_deputisation_powers/

Kaspersky axes antitrust complaints against Microsoft after Windows giant vows to play nice

Kaspersky Lab is dropping its antitrust complaints against Microsoft in Russia and Europe.

The Russian antivirus biz had claimed the US software giant was unfairly promoting the use of Windows Defender over third-party security products.

In November last year, Russia’s Federal Antimonopoly Service probed a complaint by Kaspersky against Microsoft that had been filed in late 2015. The biz submitted two other formal gripes, to the European Commission and the German Federal Cartel office, in June 2017. All those complaints have now been dropped.

And, by sheer coincidence, according to Microsoft on Wednesday, the Windows goliath has agreed to let its antivirus partners, such as Kaspersky, keep their software on equal footing with Windows Defender. In particular, we’re told, AV vendors will:

  • get additional time to test their software for compatibility issues before new Windows releases;
  • be able to use their own alerts and notifications for product renewal; and
  • have a persistent notification about product expiration shown until the user chooses between renewing and picking another product (instead of a notification that can simply be dismissed).

The changes will be implemented in the Windows 10 Fall Creators Update, we’re told. Redmond claims it made the changes following the Microsoft Virus Initiative forum last month, and “these discussions have helped us clarify our roadmap and implementation plans.”

“We are absolutely satisfied with the changes that will be implemented in the Windows 10 Fall Creators Update,” VP of Kaspersky Consumer Products Andrei Mochola wrote in a blog post, “and we will be taking all necessary steps to withdraw our claims and inform all regulatory bodies that we no longer have any matters for Microsoft to address.”

A Microsoft spokesperson declined to comment further, simply pointing us to the blog post. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/kaspersky_drops_antitrust_complaint_against_microsoft/

Schoolboy bags $10,000 reward from Google with easy HTTP Host bypass

A teenager in Uruguay has scored big after finding and reporting a bug in Google’s App Engine that let him view confidential internal Google documents.

While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used the Burp Suite proxy to rewrite the Host header on HTTP requests sent to Google’s App Engine. The 17-year-old’s target: webpages protected by MOMA, Google’s employees-only portal apparently named after a museum of modern art.

Normally, connecting to a private staff-only Google service requires signing in via MOMA. However, it appears not all of these services fully checked for themselves that a visitor was authorized to view the content.

By connecting to a public Google service, such as www.appspot.com, and changing the Host header of the HTTP request to, say, yaqs.googleplex.com, Pereira had his request routed to Google’s internal project management system YAQS. Viewing that system should have required a MOMA sign-in, but instead he was able to view YAQS pages marked “Google confidential.”
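The pattern described above, as an added example that is not Google’s code: a shared front end that dispatches purely on the Host header, one internal backend that trusts the front end to have enforced sign-in, and the same backend hardened to verify the session itself. The hostnames, the session table and the 421 allow-list on the front end are all assumptions for illustration.

```python
"""Host-based routing in front of internal services (added example).

Hypothetical hosts and backends, not Google's code. Shows why a backend that
assumes the shared front end already enforced sign-in is reachable by anyone
who can reach the public front end and rewrite the Host header.
"""
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]
Backend = Callable[[str, Dict[str, str]], Response]

PUBLIC_HOST = "www.public.example"          # assumption: the only host meant to be reachable
INTERNAL_HOST = "tracker.internal.example"  # assumption: staff-only tool behind the same front end

# Constructed session table: one ordinary account and one staff account.
SESSIONS = {"sid=7f3a": {"user": "alice@example.com", "staff": False},
            "sid=9c1e": {"user": "bob@corp.example", "staff": True}}


def build_request(host: str, path: str = "/", cookie: Optional[str] = None) -> bytes:
    """Raw HTTP/1.1 request as an intercepting proxy lets you edit it: the TCP
    connection still goes to the public front end; only the Host line changes."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    head = raw.decode().split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def session_for(headers: Dict[str, str]) -> Optional[dict]:
    return SESSIONS.get(headers.get("cookie", ""))


def public_site(path: str, headers: Dict[str, str]) -> Response:
    return 200, "public page"


def trusting_tracker(path: str, headers: Dict[str, str]) -> Response:
    # Vulnerable pattern: trusts that the front end only forwards signed-in staff.
    return 200, "Confidential: internal tracker index"


def checking_tracker(path: str, headers: Dict[str, str]) -> Response:
    # Hardened pattern: each internal service verifies the session itself.
    session = session_for(headers)
    if session is None:
        return 302, "/login"
    if not session["staff"]:
        return 403, "staff account required"
    return 200, "Confidential: internal tracker index"


def front_end(raw: bytes, backends: Dict[str, Backend],
              routable: Optional[set] = None) -> Response:
    """Dispatch purely on Host. With `routable` given, refuse Host values that
    this public entry point should never forward (421 Misdirected Request)."""
    path, headers = parse_request(raw)
    host = headers.get("host", "")
    if routable is not None and host not in routable:
        return 421, "misdirected request"
    backend = backends.get(host)
    if backend is None:
        return 404, "not found"
    return backend(path, headers)


VULNERABLE = {PUBLIC_HOST: public_site, INTERNAL_HOST: trusting_tracker}
HARDENED = {PUBLIC_HOST: public_site, INTERNAL_HOST: checking_tracker}

if __name__ == "__main__":
    spoofed = build_request(INTERNAL_HOST, "/eng", cookie="sid=7f3a")
    print("vulnerable backend:", front_end(spoofed, VULNERABLE))
    print("backend checks session:", front_end(spoofed, HARDENED))
    print("front end allow-list:", front_end(spoofed, HARDENED, routable={PUBLIC_HOST}))
```

Both layers matter: the per-service check stops a non-staff session even when the front end forwards the request, and the front-end allow-list stops the public entry point from being used as a path to hosts it was never meant to serve.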

The student reported the loophole to Google on July 11, and on August 4, about a month before his 18th birthday, he was told the issue had been fixed and that he had earned a $10,000 reward from the ad giant’s bug bounty program. Pereira, who has previously earned a few thousand dollars for reporting vulnerabilities to Google, was stunned by this single payout.

“I just think it was a very simple bug and I didn’t expect the large bounty at all,” he told The Register on Thursday. “Maybe I’ll learn how to invest it, maybe I’ll travel somewhere nice and do some tourism.”

A couple of years ago, Pereira won Google’s annual Code-in programming competition for pre-uni students, earning him a trip to San Francisco and the Googleplex in California. Clearly, he couldn’t tear himself away from the place, poking at internal services via the App Engine earlier this year.

“Most of my attempts failed, either because the server returned a 404 Not Found, or because it had some security measure such as checking that I used a Googler account ([email protected]) instead of a normal Google account,” he explained this week.

“But one of the websites I tried, ‘yaqs.googleplex.com’, didn’t check my username, nor had any other security measure. The website’s homepage redirected me to “/eng”, and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: ‘Google Confidential.'”

Once he saw that, Pereira said he backed out immediately. While he didn’t think it was a serious issue, he pinged a bug report about it to the Chocolate Factory just to let them know. The teen got a response that day from Google thanking him. He thought no more of it but then got the following message just under a month later:

[Image: the message from Google announcing the reward]

It seems Google’s security team found that the vulnerability could be used to access some very confidential data indeed. It was presumably serious enough that Google felt ten large was a suitable reward.

For a schoolboy in Uruguay that’s a serious amount of cash – it’s five times the average monthly salary. We think we’ll probably be hearing from Pereira again in the near future. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/schoolboy_google_bug_bounty_http_host/

Self-hosted search option is a new approach to bursting the filter bubble

If you’re worried about Google’s attempts to track you more closely than ever before, there’s another approach you can take to online search engines: host your own.

Google came under fire recently for its super-intrusive proposal to track our in-store purchases. Privacy groups are doing their best to fight it in the courts, but in the meantime its users seem doomed to live under its ever-watchful eye.

The company knows an awful lot about you, as Naked Security has detailed here. Sure, you can delete all of your cookies, sign out of Google when conducting sensitive searches and use Tor for anonymity. But let’s be honest – we don’t really make the effort, do we?

“Most users search Google while signed in, so all of the information on their online life is available: YouTube searches, emails and past search history,” says Adam Tauber.

Tauber is the founder of Searx, an alternative search engine that prides itself on its user privacy. Unlike many other search engines, Searx doesn’t monetize its users. Users don’t even have to use its hosted search service to take advantage of it.

Written in Python, Searx is a meta-search engine, pulling in search results from a wide variety of sources. The program is self-hosted, meaning that you can use one of several instances hosted by other people like this one, or just install and run your own.

Tauber conceived the idea five years ago in a camp organised by a hacker space in his native Hungary.

“During a discussion around the campfire we realised that we don’t really have any option to search privately on the web without tons of browser addons/operating system hardening/VPN tunnels/etc,” he told Naked Security. Two weeks after the camp, he launched an alpha version on Github.

Bursting the filter bubble

Searx doesn’t crawl and index the web itself. Instead, it sends searches to about 70 supported search engines, and supports custom integrations with others of your choosing (this is open source software, so you can code it yourself). It submits searches without cookies or identifying information, meaning that the engines – including Google – don’t know anything about who’s searching.

“When using Searx, the IP address of Searx, a random User-Agent and a search query is sent to Google by default,” he says. “Of course, you can customize Searx to forward other extra parameters like search language or the page number of the requested result page.”

Cloaking the user from Google in this way has its upsides and downsides. For those that don’t buy the “nothing to hide” argument, it stops the search engine from invading your privacy by tracking what you’re doing. On the other hand, if it doesn’t know anything about you, then it can’t return the localized, more relevant results that search engines use to add value for users. Searching for restaurants nearby won’t focus the lens on local eateries. Says Tauber:

In this case Google cannot access any personal information or preferences. [It] only selects results for you based on the IP address of the Searx instance you use. By not having all the possible information on you, it makes it harder to tailor results to your taste.

For him, this is a feature worth having. “Thus, [the] filter bubble can be escaped.”

That’s a big deal for those worried about the echo chambers created by the likes of Google, Facebook and other large search and social media hubs. Some worry that by personalizing what they show us, these companies limit alternative perspectives. If a search engine only ever shows you stories about football and fashion, it will limit your potential to grow and expand your horizons.

More worryingly, if you lean one way politically and search engines only show you content that supports your viewpoint, you risk losing the ability to see someone else’s perspective and think critically. That has far-reaching implications, especially for younger people who grew up not knowing any different. You might argue that this has contributed to our current polarization problem.

Six years ago, when Eli Pariser wrote the defining book on this problem, The Filter Bubble, he said that Google used 57 signals about you to personalize your content. How many might there be now?

Alternative search engines

There have been other attempts to wrest users away from Google. Startpage in effect acts as a proxy for Google, while Disconnect offers private search as part of its broader privacy protection and tracker blocking service.

Then, there’s DuckDuckGo, which draws search results from third-party sites such as Bing and Yandex without tracking you. Privacy is a key selling point for DuckDuckGo, which doesn’t log IP addresses, cookies or search history. It also runs a Tor exit relay to help speed up search results for users of the anonymizing network.

DuckDuckGo uses its community members to enhance its results. DuckDuckHack lets them code their own search engine responses, pulling from third-party databases online.

The search engine makes its money from advertising but avoids the intricate user tracking that you see on sites like Facebook and Google, arguing that serving ads based on the search keywords is enough.

While DuckDuckGo monetizes its users, Tauber wants to continue with his purist non-profit vision. He has big plans for Searx in the future.

Apart from implementing features requested by the community on GitHub, it is planned to make hosting and running Searx instances more accessible to everyone.

The Searx community has already created a package for its software in the Debian Linux distribution, and it also plans an administrative interface and images that can be preinstalled on multiple other platforms, in effect creating a baked-in, self-hosted search engine. “This way not only tech-savvy people are able to run their own instances,” Tauber concludes.

Most people will continue using data-slurping search engines. DuckDuckGo doesn’t even feature in this list, for example, which shows Google with more than four fifths of the global market share. Users generally either take the time to adjust their privacy settings on Google, don’t bother, or simply don’t know or think about them.

For those that are privacy-conscious, however, a handful of options ranging from DuckDuckGo through to the ultra-private Searx represent viable alternatives.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wz1MN90_fQM/

Debian move marks beginning of the end for TLS 1.0 and 1.1

Do you use the internet? Of course you do. Whether you’re at your PC or reading this on your mobile device, you’re using the internet right now. Transport Layer Security, the successor to Secure Sockets Layer, encrypts many of the internet protocols we use every day. Whenever you send sensitive data such as authentication credentials or credit card information over the web, you’d better see HTTPS in your address bar. In fact, more and more websites are being completely delivered over HTTPS, even when you’re just reading the news. Hopefully soon the entire web will be on port 443, the default for HTTPS, exclusively. TLS is also used for internet services such as email, FTP and VPN.

Although TLS encrypts internet traffic to improve our security, its implementations are far from perfect. Remember Heartbleed, back in 2014? A missing bounds check in OpenSSL’s handling of the TLS Heartbeat extension let an attacker read up to 64KB of a peer’s process memory per request, potentially including private keys, session cookies and passwords, from most versions of OpenSSL 1.0.1, a widely used TLS implementation. OpenSSL 1.0.1g’s release in April 2014 fixed the bug, and affected operating systems had to ship updated packages, with exposed keys rotated.

Now it’s time to make sure that all of the pertinent software we use supports TLS 1.2 in some form or another. The protocol was defined in August 2008 (RFC 5246), so you’d hope developers would have caught up by now. TLS 1.0 chains cipher-block-chaining IVs across records, which is what the BEAST attack exploits; TLS 1.1 fixed that but, like 1.0, still ties its key derivation to MD5 and SHA-1 and offers no authenticated-encryption cipher suites. TLS 1.2 replaces the PRF with a SHA-256-based one and adds AES-GCM and other AEAD suites, which is why it is the floor worth enforcing.

Kurt Roeckx, a Debian developer, dropped TLS 1.0 and 1.1 support in Debian Unstable’s implementation of OpenSSL. In his post, he wrote:

I’ve just uploaded a version of OpenSSL to unstable that disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version.

This will likely break certain things that for whatever reason still don’t support TLS 1.2. I strongly suggest that if it’s not supported that you add support for it, or get the other side to add support for it.

OpenSSL made a release five years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster (Debian Linux 10) releases the support for TLS 1.2 will be high enough that I don’t need to enable them again.

Roeckx’s change will only affect Debian Linux 10 and Linux distributions that may be built with it, such as future releases of Ubuntu and Linux Mint. But considering the inferior security of TLS 1.0 and 1.1, now is the time to make sure that your software supports TLS 1.2, regardless of which operating systems and web browsers you use.

Qualys SSL Labs maintains a list of web browsers, Android versions, OpenSSL versions and Java versions and whether or not they support TLS 1.2. You should check it yourself. If you’re on Android 4.3 or older, or using Internet Explorer 10, Firefox 26 or Chrome 29 or earlier, you’re out of luck (a few of those can have TLS 1.2 switched on manually, but none enable it by default). Update your software now.
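Before flipping the switch Roeckx describes, it is worth knowing which of your own clients still offer only TLS 1.0 or 1.1. The following is an added example, not Debian’s or OpenSSL’s code: it builds constructed ClientHello records (fixed random, no real capture), reports the highest version each one offers, and shows the client-side equivalent of the Debian change using Python’s ssl module, which wraps OpenSSL. The cipher suite values and the GREASE entry in the supported_versions list are chosen for illustration.

```python
"""Spot clients that offer only TLS 1.0/1.1, and pin a client to TLS 1.2+.

Added example, not Debian's or OpenSSL's code. The ClientHello bytes are
constructed inline with a fixed random; real records would come from a capture.
"""
import ssl
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 section 4.2.1
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def build_client_hello(client_version, cipher_suites, supported_versions=()):
    """Constructed ClientHello record (random and session id are fixed bytes)."""
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                   # one compression method: null
    ext = b""
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = bytes([len(vs)]) + vs
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is 0x0301 on the wire for almost every client; it
    # says nothing about what the client offers, so the parser ignores it.
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def offered_max_version(record):
    """Highest protocol version a ClientHello offers: the supported_versions
    extension when present (TLS 1.3 clients), else the legacy client_version."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4                                     # past handshake type + 3-byte length
    (client_version,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    pos += 32                                   # random
    pos += 1 + hs[pos]                          # session id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + cs_len                           # cipher suites
    pos += 1 + hs[pos]                          # compression methods
    best = client_version
    if pos + 2 <= len(hs):                      # extensions block is optional before 1.3
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and data:
                offered = [struct.unpack("!H", data[1 + i:3 + i])[0]
                           for i in range(0, data[0], 2)]
                known = [v for v in offered if v in VERSION_NAMES]   # drop GREASE values
                if known:
                    best = max(known)
    return VERSION_NAMES.get(best, f"0x{best:04x}")


def is_legacy(record):
    """True when the client cannot do TLS 1.2, i.e. it will break on the Debian change."""
    return offered_max_version(record) in ("SSLv3", "TLS 1.0", "TLS 1.1")


def tls12_or_better_client_context():
    """What the 'make sure your software supports TLS 1.2' advice looks like in code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse to negotiate 1.0 or 1.1
    return ctx


if __name__ == "__main__":
    samples = {
        "old client": build_client_hello(0x0301, [0x002F]),       # TLS 1.0, AES128-SHA
        "TLS 1.2 client": build_client_hello(0x0303, [0xC02F]),   # ECDHE-RSA-AES128-GCM-SHA256
        "TLS 1.3 client": build_client_hello(0x0303, [0x1301, 0xC02F],
                                             supported_versions=(0x0A0A, 0x0304, 0x0303)),
    }
    for name, rec in samples.items():
        print(f"{name:15} offers up to {offered_max_version(rec):8} legacy={is_legacy(rec)}")
```

Feed real ClientHello records to `offered_max_version` (the first record of each TCP session to port 443, for instance) and anything that comes back as TLS 1.0 or 1.1 is a client that will stop working once the server side drops those versions.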

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0eiuTerVem8/

Sorry, who did you say you were? We’ve forgotten about you

The proposed UK Data Protection Bill, if passed, will bring UK law into harmony with the EU General Data Protection Regulation (GDPR). Matt Hancock, the digital minister, told the Mirror that the bill should “give consumers the confidence that their data is protected and those who misuse it will be held to account”.

The bill specifically calls out how UK citizens will have the right to be forgotten:

  • Individuals will be able to ask for their personal data to be erased (some exemptions may exist).
  • Social media platforms will be required to delete information posted during a user’s childhood.
  • Individuals will be able to request that social media companies delete any or all of their posts (with very narrow exemptions).
  • Digital footprints such as IP addresses, cookies and biometric information will be categorized as personal data.
  • Opt-in consent will have to be unambiguous and easily withdrawn.
  • Personal information held by an organization must be disclosed to the individual, at no charge, upon request.

The bill adjusts how the right to be forgotten will be administered, noting that the

… principal difference is a strengthening of the law from being applicable when substantial damage or distress is likely to be caused, to whenever a data subject withdraws their original consent for the data to be available, as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing.

The UK data regulator, the Information Commissioner’s Office (ICO), has created a data protection self-assessment toolkit to assist organizations in their efforts to be compliant with the GDPR which comes into force in May 2018. The modules include data protection assurance, getting ready for the GDPR, information security, direct marketing, records management, data sharing and subject access, and CCTV.

The ICO, in a follow-up to the publication of the draft data protection bill, took a stab at slaying some of the myths finding their way into the headlines, which characterized the GDPR as a vehicle for greater fines for those with infractions. In her piece, the Information Commissioner, Elizabeth Denham, makes clear that “this law is not about fines. It’s about putting the consumer and citizen first.” Denham also states that she will be providing myth-busting guidance in the weeks ahead via the ICO’s blog.

What’s missing from the proposed bill?

Search engines!

The bill speaks to social networks and organizations, but not to search engines.

Google, for example, has been honouring the EU right to be forgotten since the Court of Justice ruling of May 2014, just over three years ago. In 2016, it extended the delistings to all of its domains. During the past three years, Google processed more than 720,000 requests, removing approximately 43% of the 2m links submitted for removal, which means that fewer than half of all requests to have URLs removed are successful.

If you are an EU resident, you can ask Google to remove a URL from its search results by filling out the EU Privacy Removal form. That removes it from search results, but if you want the offending content taken down, you’ll have to ask the site it’s hosted on to remove it.

What about the other side of the pond?

The United States has limited “right to be forgotten” statutes available to its residents. The Electronic Privacy Information Center tells us of laws across the states that “allow individuals to remove records containing disparaging information, including personal bankruptcy and juvenile criminal history”.

California has a law in place, the “California Eraser Law”, which gives minors the right to request that information be removed from websites or online applications.

The New York State Assembly is considering a “right to be forgotten act”, Bill A05323, sponsored by Assemblyman David Weprin (D-23), which calls for search engines, publishers and indexers who make information about an individual available to “remove such information, upon the request of the individual, within 30 days of such a request”. It is rather broad-brush, with no consideration for the First Amendment, scholarly research and the like.

In Canada, meanwhile, Google has been ordered to remove entire domains and websites by the Canadian courts. Thus, as the Electronic Frontier Foundation tells us, in effect “making them invisible to everyone using Google’s search engine”.

What’s the back story?

We’ve been discussing the right to be forgotten for a good number of years. In her book, Ctrl-Z: The Right to be Forgotten, Meg Leta Jones identifies two cases as having instigated the discussion.

The first concerned Mario Costeja Gonzalez and his request to have a newspaper remove information about his property and insolvency proceedings. When the paper refused, Gonzalez asked Google to remove the information from its search results; Google declined, so Gonzalez took it to court and won. Contemporaneously, in the United States, two American Idol contestants sued a number of defendants over online content that had led to their disqualification from the program. Their cases were thrown out because the information was “true.”

Then there is the Google Bomb phenomenon, in which people try to artificially boost a website in the search rankings by linking to it from other websites. That can be done for many reasons, including malicious ones, as when the author of Google Bomb, Sue Scheff, found herself the target of ill-intentioned individuals spreading falsehoods.

Google has evolved, and those in the US can make requests of Google and other search engines in instances similar to that described in the Google Bomb.

For now, if you are in the EU or the UK, you have a path to removing information from organizations’ databases as well as from search engines. Elsewhere, the discussion continues both in and out of the legal systems.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UYkwCU7Y_zQ/

TalkTalk fined £100k for exposing personal sensitive info

The Information Commissioner’s Office has whacked TalkTalk with a £100,000 fine after the records of 21,000 customers were exposed to fraudsters in an Indian call centre.

The breach came to light in September 2014 when TalkTalk started getting complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems. They quoted customers’ addresses and TalkTalk account numbers.

The Register has documented the scam since February last year; it included customers being convinced to install a remote control software package, via which the scammers then deployed a trojan.

Fraudsters used stolen data about engineer maintenance visits to convince customers to allow them remote access to their computers.

A probe by TalkTalk found an issue with the company’s portal through which customer information could be accessed. One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf.

A specialist investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.

Forty Wipro employees had access to data of between 25,000 and 50,000 TalkTalk customers.

Staff were able to log into the portal from any internet-enabled device, with no controls in place to restrict access to devices linked to Wipro.

They were also able to carry out “wildcard” searches, for example entering “A*” to return all surnames beginning with that letter. This allowed staff to view large numbers of customer records at a time and to export up to 500 customer records at once, potentially offsite.

The ICO found this level of access was unjustifiably wide-ranging and put the data at risk.
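Each of the failings the ICO lists maps onto a control that a customer-lookup portal can enforce before it runs a query. The following is an added example, not TalkTalk’s or Wipro’s system: a lookup guard that ties access to the outsourcer’s registered network, refuses wildcards with too short a literal prefix, caps page size well below export scale, requires an open ticket reference and records an audit entry for every decision. The network range, thresholds and customer records are constructed for illustration.

```python
"""Guarding a customer-lookup portal used by an outsourcer (added example).

Hypothetical policy values and constructed records, not TalkTalk's or Wipro's
systems. Each check answers one of the failings in the ICO's findings:
any-device login, alphabet-range wildcard searches and 500-record exports.
"""
import ipaddress
from dataclasses import dataclass, field

VENDOR_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: vendor's office egress (TEST-NET-3)
MIN_LITERAL_PREFIX = 3       # "A*" is refused; "Smi*" is allowed
MAX_PAGE_SIZE = 25           # a screen's worth, not an export
MAX_LOOKUPS_PER_SHIFT = 200  # an agent working tickets does not need thousands

# Constructed customer records.
CUSTOMERS = [
    {"account": "TT-0001", "surname": "Smith"},
    {"account": "TT-0002", "surname": "Smithson"},
    {"account": "TT-0003", "surname": "Adams"},
    {"account": "TT-0004", "surname": "Ahmed"},
]


@dataclass
class Agent:
    account: str
    lookups_this_shift: int = 0


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def authorise_lookup(agent: Agent, source_ip: str, surname_query: str,
                     page_size: int, ticket_ref: str) -> Decision:
    """Policy check run before any database query; the audit dict is what
    gets written to the access log whether or not the lookup is allowed."""
    ip = ipaddress.ip_address(source_ip)
    audit = {"agent": agent.account, "ip": source_ip,
             "query": surname_query, "ticket": ticket_ref}
    if not any(ip in net for net in VENDOR_EGRESS):
        return Decision(False, "login only from the vendor's registered network", audit)
    if not ticket_ref:
        return Decision(False, "lookup must be tied to an open support ticket", audit)
    literal = surname_query.rstrip("*")
    if "*" in literal or len(literal) < MIN_LITERAL_PREFIX:
        return Decision(False, f"wildcard needs at least {MIN_LITERAL_PREFIX} leading characters", audit)
    if page_size > MAX_PAGE_SIZE:
        return Decision(False, f"page size capped at {MAX_PAGE_SIZE}", audit)
    if agent.lookups_this_shift >= MAX_LOOKUPS_PER_SHIFT:
        return Decision(False, "shift lookup quota exhausted; escalate to a supervisor", audit)
    agent.lookups_this_shift += 1
    return Decision(True, "ok", audit)


def lookup(agent: Agent, source_ip: str, surname_query: str, page_size: int,
           ticket_ref: str, records=CUSTOMERS):
    """Run the guarded search; raises PermissionError with the policy reason."""
    decision = authorise_lookup(agent, source_ip, surname_query, page_size, ticket_ref)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    prefix = surname_query.rstrip("*").lower()
    if surname_query.endswith("*"):
        hits = [r for r in records if r["surname"].lower().startswith(prefix)]
    else:
        hits = [r for r in records if r["surname"].lower() == prefix]
    return hits[:page_size]


if __name__ == "__main__":
    agent = Agent("vendor-agent-17")
    for query, size, ip in [("A*", 500, "203.0.113.40"), ("Smi*", 10, "203.0.113.40"),
                            ("Smi*", 10, "198.51.100.9")]:
        try:
            print(query, "->", [r["account"] for r in lookup(agent, ip, query, size, "T-1")])
        except PermissionError as err:
            print(query, "-> refused:", err)
```

The quota and ticket reference are what turn the audit log from a record of who looked at what into something a supervisor can act on during a shift rather than a year later, which is the gap between TalkTalk noticing scam calls in 2014 and the ICO’s findings.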

Information Commissioner Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.

“TalkTalk should have known better and they should have put their customers first.”

The ICO said it fined TalkTalk because it did not have appropriate technical or organisational measures in place to keep personal data secure.

A TalkTalk spokeswoman said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third party suppliers were abusing their access to non-financial customer data.

“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident.”

The Register has asked Wipro for a comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/talktalk_fined_100k_for_exposing_personal_sensitive_info/

Lauri Love and Gary McKinnon’s lawyer, UK supporters rally around Marcus Hutchins

Marcus Hutchins’ British supporters believe his best chance of getting home within the next few years is to accept a plea deal with US prosecutors, some of them said last night.

Nobody present appeared to seriously believe that Hutchins is guilty, but knowledge of the US legal system’s slant against defendants did not appear to inspire confidence.

At a meeting in east London’s Newspeak House – an activist hub for “political technologists” – a small gathering discussed Hutchins’ plight after the 23-year-old was arrested by the FBI a week ago as he returned home from Las Vegas’ DEF CON hacking conference.

Hutchins was released on a $30,000 bail bond on Monday and is currently thought to be making his way to Milwaukee to answer charges of selling malware online. As we reported earlier this week, Hutchins’ bail conditions include a total ban on using the internet.

Naomi Colvin, of activist support organisation the Courage Foundation, described Hutchins’ bail conditions as “really debilitating … a lot of his friends and colleagues will be people he mainly communicates with online.”

Colvin also mentioned fundraising efforts for Hutchins to cover both legal fees and his living expenses. As he entered the US on a tourist visa, Hutchins is unable to work. Tarah Wheeler, a US infosec activist who is co-ordinating the fundraising efforts, said on Twitter a few days ago that so far the public had raised $12,000 for Hutchins.

Karen Todner, the solicitor instructed by various Britons charged by American authorities with cyber-crimes, said at the meeting: “There’s nothing any of us can do to get him back here. 98 per cent of people charged in America take a plea deal. The sentence can be six or seven times longer if [the defendant pleads not guilty but is] found guilty.”

Todner has not been instructed by Hutchins and was giving her personal view of his situation.

Some of Hutchins’ other friends and supporters objected to the pessimistic view of the room as a whole. They were supported by alleged hacker Lauri Love, who said: “We all have an interest in this being done correctly. The UK does have a responsibility to its citizens when they’re abroad.”

One who spoke to El Reg and asked not to be named speculated that US authorities may be trying to “flip” Hutchins into becoming an informant: “They’ll pressure him. Young lad, security researcher with contacts…”

Another friend of Hutchins told us: “I’d be surprised if the US didn’t know who Marcus is. I don’t know how that would work but there he was on the BBC, etc, [at the time of the WannaCry outbreak], it seems shady. Do we stop trusting our side? Take one step wrong and…” He shrugged.

Hutchins’ first friend chipped in again: “Criticising the system is not helpful. If you don’t want to live under that system, don’t go there.”

In a statement made shortly after his arrest, Hutchins’ MP, Peter Heaton Jones (Conservative, North Devon), said: “I accept the UK cannot interfere in the judicial process of another country, and I make no judgement about the case against Marcus one way or another. However, people who know him in Ilfracombe, and in the wider cyber-community, are astounded at the allegations against him. This is particularly so given his role in helping to protect the NHS and many other institutions from what could have been a devastating cyber-attack just a few months ago.”

As reported everywhere, Hutchins was the man who stopped the NHS-slaying WannaCry/WannaCrypt malware outbreak of May this year. While reverse-engineering the ransomware’s binary, he noticed that it “phoned home” to a particular web domain which nobody had registered. He registered it himself, intending to analyse what the malware did when it connected to the site, and found that the domain’s mere existence acted as a kill-switch: once WannaCry found it could reach the domain, it shut itself down.
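The kill-switch logic described above, and the defender’s follow-up check, as an added illustration that is not code from the article, from Hutchins or from any malware sample. The domain name, the resolver log lines and the client addresses are all constructed here; the real WannaCry domain is deliberately not reproduced. The decision the malware made (run only if the domain is unreachable) is shown with an injectable probe so it can be exercised offline, followed by a scan of DNS query logs for hosts that looked the name up, since a host that queries the kill-switch domain is one that is running the malware whether or not it went on to encrypt anything.

```python
"""Kill-switch check of the kind the WannaCry write-up describes, plus a
DNS-log sweep for hosts that queried the kill-switch name.

Added example, not code from The Register article or from any malware.
Domain, log lines and hosts below are constructed for illustration.
"""
import re
import socket
from typing import Callable, Dict, Iterable

# Constructed placeholder; the actual WannaCry domain is not reproduced here.
KILLSWITCH_DOMAIN = "example-killswitch.invalid"


def domain_reachable(domain: str, timeout: float = 3.0) -> bool:
    """Live probe: does the name resolve and accept a TCP connection on port 80?

    An unregistered domain fails at resolution. Once somebody registers it and
    points it at a listening host, the very same call starts succeeding, which
    is why registering the domain flipped the malware's behaviour worldwide.
    """
    try:
        with socket.create_connection((domain, 80), timeout=timeout):
            return True
    except OSError:  # gaierror (no such name), timeout, refused, unreachable
        return False


def should_detonate(probe: Callable[[str], bool],
                    domain: str = KILLSWITCH_DOMAIN) -> bool:
    """The decision described in the text: proceed only if the domain is
    *unreachable*. `probe` is injectable so the logic can be tested offline
    (pass `domain_reachable` for a real network check)."""
    return not probe(domain)


# Constructed BIND-style resolver query log; not real traffic.
SAMPLE_DNS_LOG = """\
10-Aug-2017 09:14:02.101 client 10.1.4.22#51234: query: example-killswitch.invalid IN A + (10.1.0.5)
10-Aug-2017 09:14:03.455 client 10.1.4.22#51240: query: update.example.org IN A + (10.1.0.5)
10-Aug-2017 09:15:10.003 client 10.1.7.90#40011: query: example-killswitch.invalid IN A + (10.1.0.5)
10-Aug-2017 09:15:11.900 client 10.1.4.22#51250: query: EXAMPLE-KILLSWITCH.INVALID. IN A + (10.1.0.5)
10-Aug-2017 09:16:00.000 client 10.1.9.12#40100: query: www.example.com IN AAAA + (10.1.0.5)
"""

_QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN ")


def hosts_querying(log_lines: Iterable[str],
                   domain: str = KILLSWITCH_DOMAIN) -> Dict[str, int]:
    """Return {client_ip: query_count} for clients that looked up `domain`.

    Matching is case-insensitive and tolerates a trailing dot, because DNS
    names are case-insensitive and logs differ on the absolute-name form.
    """
    target = domain.lower().rstrip(".")
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and m.group("name").lower().rstrip(".") == target:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts


if __name__ == "__main__":
    # Before registration: nothing answers, so the malware would run.
    print("unregistered -> detonate:", should_detonate(lambda d: False))
    # After registration (sinkholed): the probe succeeds, the malware exits.
    print("registered   -> detonate:", should_detonate(lambda d: True))
    # Hosts in the constructed log that tried to reach the kill-switch name.
    for ip, n in sorted(hosts_querying(SAMPLE_DNS_LOG.splitlines()).items()):
        print(f"{ip} queried the kill-switch domain {n} time(s)")
```

The two `should_detonate` calls model the before-and-after of registering the domain; the real-network variant is `should_detonate(domain_reachable)`. The log sweep is the check a SOC would run once the domain was sinkholed: every client in the result is a machine that executed the malware and needs cleaning, even though the kill-switch stopped it from encrypting.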

He also provided GCHQ with data about WannaCry via its public-facing offshoot, the National Cyber Security Centre. We have asked the NCSC for comment and will update this article if we hear back from them.

A Foreign Office spokesman said: “We are in contact with the local authorities in Las Vegas following the arrest of a British man, and are providing support to his family.”

The next hearing in the Hutchins case will take place on Monday 14 August in Milwaukee, at 10am local time. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/marcus_hutchins_support_meeting_newspeak_house/

Salesforce sacks two top security engineers for their DEF CON talk

Salesforce fired two of its senior security engineers after they revealed details of an internal tool for testing IT defenses at DEF CON last month.

Josh Schwartz, director of offensive security, and John Cramb, a senior offensive security engineer based in Australia, were sacked by a senior Salesforce executive via text message, according to sources familiar with the matter.

The duo were told in a message, sent 30 minutes before the start of their talk, that if the presentation went ahead, they would be terminated, it is claimed. Schwartz and Cramb didn’t see the text in time, gave their talk, and shortly after leaving the stage, Schwartz confirmed they no longer worked at Salesforce.

The talk centered on an internal project called MEATPISTOL, which was described as “a modular malware framework for implant creation, infrastructure automation, and shell interaction.” It’s similar to the popular penetration-testing tool Metasploit; that MEATPISTOL is an anagram of Metasploit is no coincidence. The plan was to open-source MEATPISTOL, although this move was resisted by bosses and lawyers at Salesforce despite being signed off earlier this year.

Schwartz and Cramb were part of the San Francisco financial cloud giant’s red team, a group of hackers specializing in testing and strengthening network security by finding and exploiting weaknesses. They had been working on MEATPISTOL to help other red teamers do their job. Here’s a description of the code and the presentation from the DEF CON website:

Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn’t the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we’re fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction. This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.

Within hours of giving their talk at 5pm on Friday, July 28, Schwartz tweeted that he and Cramb had exited Salesforce. He later removed the tweet after pressure from managers. Cramb later tweeted to say they “both care deeply about MEATPISTOL being open sourced and are currently working to achieve this.”

A spokesperson for Salesforce declined to comment as the matter involved individual employees. Schwartz and Cramb could not be reached for immediate comment. The pair are being represented by attorneys at the EFF, who told The Register no legal action has been taken so far by either side as a result of the DEF CON presentation. ®

Additional reporting by Shaun Nichols. Hat-tip to journo Zack Whittaker for breaking the news late on Wednesday.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/salesforce_fires_its_senior_security_engineers_after_defcon_talk/