STE WILLIAMS

Russians told to log in to Pornhub using verified social media accounts

Palaces, mountain resorts and ancestral estates. Yachts and vineyards in Russia and abroad.

That’s what Russian prime minister Dmitry Medvedev is all about, not smartphones and gadgets, according to an investigative documentary created by political opponents of Russian president Vladimir Putin that accuses Medvedev of embezzling an estimated $1.2bn.

Russian opposition leader Alexei Navalny has already lost a defamation case over the film. In May, a Russian court ordered Navalny, the film’s narrator, to stop distributing the film, upon which his allies posted it to Pornhub with the title “RUSSIAN CORRUPTED POLITICIAN F*CKED HARD.”

He’s also refused to take the documentary down from YouTube.

Its creators have also used Pornhub to distribute the documentary, which is titled “Don’t call him ‘Dimon’”.

Now, it’s being suggested that the clever porn-site workaround might be behind Russia’s latest rule, launched last Monday, that Pornhub viewers in Russia be required to log in with their VKontakte social media accounts: accounts that are linked to their passports and cellphones.

As Vice tells it, it’s only the latest skirmish in an ongoing feud between the world’s biggest adult site and the Russian government.

Pornhub was blocked in Russia in September, not for the first time, for allegedly spreading information that would harm children’s development. Pornhub reacted by mockingly offering the powers that be a free premium account.

The response: no, thanks, we’re not in the market.

Then, in April, Pornhub made it a requirement that users specify their age. The site was unblocked.

Now comes the requirement to log in to Pornhub via social media accounts. Pornhub announced the change on its own VKontakte page on Thursday, saying that “Now you can simply log in through your favorite social network” instead of filling in date of birth.

Vice suggests that this presumably isn’t about making it easier for Russians to watch porn. Rather, the government policy may have been enacted for surveillance purposes: users are required to enter their cellphone numbers to open a VKontakte account; and to legally purchase a SIM card in Russia, you need to disclose your passport information.

Pornhub disagrees, saying that the site doesn’t log or store personal information. VKontakte, for its part, doesn’t see what users have viewed, Corey Price of Pornhub told Vice:

While this exact method is not a condition [from the Russian government], we found this is the best solution for our users to comply with Russian access laws. Also to be clear, Pornhub does not log or store any of your personal information, this is just a check to see if users are over 18… On [VKontakte’s] end, all they will see is the request from that user, they will not know what that user browsed on Pornhub.

On May 31, Navalny took to his own VKontakte page to thank Pornhub and to suggest that it do a remake of the documentary – “in the appropriate genre”.

Whether or not Russia is using Pornhub and VKontakte to surveil dissidents is a valid question. After all, the government certainly isn’t above blocking websites, as it did in March, if that’s what it takes to stop anti-government protests.

We already know that the Russian government dislikes the free-wheeling nature of the internet. As the Guardian reported, in 2014, Putin called the internet a “CIA project,” signaling that his aim is to break up the global nature of the internet.

Should we take Pornhub at its word? As in, the new requirement is merely about protecting Russian kids from having their minds polluted by porn? Do you take it at face value when Pornhub says VKontakte can’t see what users browse?

Your thoughts are welcome in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XTXON8z5GTY/

Don’t get too hung up on sexy high-end military tech, MoD warned

The Ministry of Defence needs to stop reflexively demanding rights to its suppliers’ intellectual property if it is to attract more private sector tech innovators, according to the Royal United Services Institute.

In a report published on Tuesday, RUSI, the government’s defence and foreign policy thinktank, criticised the MoD’s current approach to adopting new ideas and technologies, branding its IP-hogging activities “a real disincentive” for private sector thinkers.

RUSI’s Defence Innovation and the UK report focused on “responding to the risks identified by the US Third Offset Strategy,” which is a policy wonk’s way of saying, “Oh bugger, China and Russia’s armed forces are catching up with our tech.”

The report (40 pages, PDF) mainly discusses how the US view of defence policy can be applied to the UK, and points out how the basic assumptions behind armed forces policy are shifting relatively quickly. It’s all well and good having two new aircraft carriers to dominate the high seas but if your immediate threat is Russian APT crews trying to hack MPs’ emails, you’re rather missing the point.

In its section titled “An emerging UK response”, the report goes into a bit more detail about MoD’s lukewarm efforts to attract interest from companies other than the usual suspects.

“Investments in S&T [science and technology] and R&D require a business case presenting a significant prospect of a rate of return. That private S&T and R&D spending from the defence industrial sector is limited is an indicator that industry is either receiving limited information from its main customer, or it has little confidence in the information it does get,” thundered RUSI’s authors.

Industry is wary of getting involved with the MoD and its reputation among potential suppliers, outside of the usual suspects such as BAE Systems, is low: last year the chief of the Motorsport Industry Association told Defence Secretary Michael Fallon that many firms in the MIA are “reticent to engage with defence”.

While the MoD launched its defence innovation fund last year, promising to spend £80m a year on taking innovative technological ideas from CAD file* to production, this spending makes up just 1 per cent of planned defence equipment spending, according to RUSI. Even then, seductive visions of robot war machines blasting Her Majesty’s enemies from the field of battle are probably best avoided for now, as the report states:

Currently, the MoD concentrates on technologies with high readiness levels, but a balance with emerging and adaptive technologies might offer greater utility… For example, in the US there has been some warning against focusing excessively on artificial intelligence and the man–machine interface.

Nonetheless, AI, autonomous tech in general, “electromagnetic capabilities” and “electronic warfare” are all areas that RUSI highlights as “key” for “future transformation” in defence technology.

That rules out the British Armed Forces fielding sharks with frikkin’ lasers for the time being. The lasers are still being tested at the moment. ®

*Who uses drawing boards in the modern era?

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/rusi_defence_innovation_report/

AI cybersecurity startup Darktrace scores $75m, now valued at $850m

Machine-learning enterprise-focused cybersec firm Darktrace has raised $75m in order to expand its sales operations into Latin America and Asia as it prepares for a possible IPO.

The $75m Series D fundraising round, led by new investor Insight Ventures, comes a year after a $65m funding round and propels the company towards tech unicorn status (startups valued at over $1bn). Analysts value Darktrace at $850m. Existing investors Summit Partners, KKR and TenEleven Ventures also contributed to the latest funding round.

Cambridge-based Darktrace, backed by one-time Autonomy chief exec Mike Lynch, uses machine learning and AI technology to protect corporate networks against cyber threats through what it markets as an “Enterprise Immune System”.

The technology creates behavioural models for users and computers on a network to differentiate between normal usage patterns and attacks, which it flags up and attempts to block. Darktrace boasts its software can automatically detect and take action against cyber threats within all types of networks, including physical, cloud and virtualised networks, as well as IoT and industrial control systems.

“It’s been just four years since Darktrace was created, but in that time, the business has managed to raise $180m in four rounds, grow its employee base to more than 500 people across 24 global offices and, reportedly, generate a total contract value of $200m, up 140 per cent from last year, from around 3,000 customers,” according to channel-focused analyst outfit Megabuyte.

“The business is notoriously secret about figures, but did note that the US continues to drive strong growth, with bookings up threefold. Last year’s funds were used to drive this growth, but this latest investment is reportedly being put towards Latin America and Asia Pacific, as Darktrace continues to fulfil its global ambitions.”

In a statement, Darktrace said it now has over 3,000 deployments worldwide, across all industry sectors, including global financial companies, telecommunications providers, media firms, retailers, healthcare providers, government agencies and critical national infrastructure facilities.

Other cybersecurity firms are hard at work trying to apply AI/machine learning to network security challenges posed by increasingly capable hackers and malware threats. Darktrace claims that its technology is the only machine learning technology to “detect and fight against in-progress threats in real time”. Competitors, such as Israeli startup SecBI, claim they have leapfrogged Darktrace to offer “more advanced machine learning and AI technology than Darktrace to do similar things, but without its costly appliance and complex deployment”.

“SecBI can also assist with encrypted traffic, which is a major challenge for Darktrace and other legacy network traffic analytics (NTA) companies,” it adds.

Network traffic analysis is a network-based approach to monitoring network traffic, flows, connections and objects for signs of malicious intent. Products aim to identify, monitor and triage security events, protecting enterprises in the process. Aside from Darktrace and SecBI, other players include LightCyber (acquired by Palo Alto) and Cisco (Lancope). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/darktrace_funding_round/

New SQL Injection Tool Makes Attacks Possible from a Smartphone

Recorded Future finds new hacking tool that’s cheap and convenient to carry out that old standby attack, SQL injection.

Like a lingering cold, SQL injection continues to plague the enterprise with no end in sight. Researchers have found that the latest SQLi hits to some organizations have come by way of a new hacking tool that has made it easier than ever for attackers to wage these exploits: via their smartphones.

Known as “Katyusha Scanner,” this previously unknown tool combines the power of the Anarchi Scanner open-source penetration testing tool with the ephemeral and encrypted communication of the cloud-based Telegram messaging service. The resulting black market product makes it possible for the bad guys to carry out wide-ranging scans and attacks against a big volume of websites directly, and conveniently, from their mobile devices, according to Recorded Future, which published details on the tool yesterday.

The scanner shows all signs of being a royal pain in the rear for enterprises, as criminal clients are catered to with a relatively cheap price point, simple interface, frequent updates, and seemingly good customer support. Its authors display a significant amount of business savvy, offering a Pro version for $500, a light version for $250 and a SaaS model for $200 per month.

Meanwhile, customer testimonials sing the praises of the rogue tool. “One actor enthusiastically boasting about the quality of the product and an immediate success in obtaining access to eight web servers wrote in Russian: ‘Excellent support! The seller has configured the software for my server, which was failing before, however, right now it flies divinely! I highly recommend the software, and it has found eight SQL vulnerabilities in half a day, great automation of the routine. Very grateful to the seller,'” writes Andrei Barysevich of Recorded Future.

SQL injection attacks have been well known in the security community for going on 20 years at this point, but the vulnerabilities that allow them to be carried out remain highly prevalent.

“SQL injection remains a critical vulnerability that affects far too many applications,” says Ryan O’Leary, vice president of WhiteHat Security’s Threat Research Center. “SQL injection can be blamed for a great many database breaches that cause millions of users’ personal records to be leaked. It’s a great favorite of attackers because of the relative ease of exploitation, but more importantly, the data that is gained when executed correctly.”

He says that previously discovered SQL injection vulnerabilities are often time-consuming to fix permanently, and that untrained developers continue to add new ones to software every day.

Last month, Tripwire’s Vulnerability and Exposure Team (VERT) conducted a study that showed how common it is for developers to keep piling on to the problem. It went out into the freelance Web design marketplace and engaged with a couple dozen budget developers to build a simple WordPress site. Every single one of the projects they paid for failed to protect any documents from unauthorized users, and several of them made it trivial for attackers to compromise the Web server through an authentication bypass via a basic SQLi attack.

Meanwhile, attackers are well aware of the low-hanging fruit that SQLi vulnerabilities represent. Katyusha Scanner may stand out as a particularly dangerous example of attack tool authors taking their wares to the next level with loads of affordable and convenient features. But SQLi tools have been kicking around for a long time now, WhiteHat’s O’Leary says.

“sqlmap has been a powerful tool which also happens to be free and has been available for almost 10 years now,” he says. “The tools will continue to be made available since the payoff can be so lucrative for a successful exploit. We as an industry need to get better about coding secure applications in the first place. We need to train our developers on how to write secure code, including how to prevent SQL injection for good. This way we are never exposed and SQL injection can be a thing of the past.”
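As an added example (not code from the article, from Tripwire, or from any tool it names), the login query shape behind the kind of authentication bypass the Tripwire study describes, beside the parameterised form that O’Leary’s advice points to. It uses an in-memory SQLite database with constructed user rows, so it runs offline.

```python
"""Vulnerable vs. parameterised login lookup (sqlite3, in-memory).

Added example, not code from the article or from any tool it names.
The schema, the user rows and the test inputs are all constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with two constructed accounts.

    Passwords are stored in clear text only to keep the SQLi point
    visible; a real application stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [
            ("admin", "correct horse battery staple", "admin"),
            ("alice", "hunter2", "user"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The injectable shape: user input is pasted into the SQL text.

    A quote character in the input ends the string literal early, and a
    trailing SQL comment (``--``) discards the rest of the WHERE clause,
    so the password check can be removed entirely by the caller.
    Returns the matched username, or None.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders bind the input as data, never as SQL.

    The driver never re-parses the values, so a quote or comment marker in
    the username is just part of a username that matches no row.
    Returns the matched username, or None.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both lookups and report both results."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterised": login_parameterised(conn, username, password),
    }


if __name__ == "__main__":
    # Constructed inputs: one honest login, one tautology-style bypass attempt.
    for creds in (("alice", "hunter2"), ("admin' --", "anything")):
        print(creds, "->", compare(*creds))
```

With the honest credentials both lookups agree; with the bypass input only the string-built query returns the admin account, which is exactly the difference that parameterised queries are meant to remove.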



Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/new-sql-injection-tool-makes-attacks-possible-from-a-smartphone/d/d-id/1329334?_mc=RSS_DR_EDT

US Government Limits Purchase of Kaspersky Lab Software

Kaspersky Lab has been deleted from lists of approved vendors that government agencies use to buy tech products, the result of growing cybersecurity concerns.

The Trump administration has removed Kaspersky Lab products from lists of approved vendors used by US government agencies to buy IT equipment, marking “the most concrete action” it has taken against the Moscow-based firm amid growing security concerns, Reuters reports.

Intelligence officials and lawmakers have become increasingly concerned that Kaspersky Lab may be working too closely with Russian intelligence agencies. As a result, its products have been taken off the US General Services Administration (GSA) list of vendors for contracts including IT services and digital photography equipment.

US government agencies may use Kaspersky products bought outside the GSA contract process, however, the report notes.

Kaspersky said it has not received any updates from GSA or other US government agencies regarding its vendor status. It denies ties to cyberespionage efforts and said it is “caught in the middle of a geopolitical fight.”



Article source: https://www.darkreading.com/risk/us-government-limits-purchase-of-kaspersky-lab-software/d/d-id/1329335?_mc=RSS_DR_EDT

Uncle Sam says ‘nyet’ to Kaspersky amid fresh claims of Russian ties

Kaspersky Lab is facing new restrictions from the US government to go along with a fresh round of accusations that the antivirus maker works closely with Russian intelligence.

The US General Services Administration (GSA), the agency that handles government IT purchases and subscriptions, has removed the Russian software slinger from its list of approved suppliers for government contracts. That means Uncle Sam’s IT bods can’t officially order and install copies of the anti-malware suite, dealing a humiliating blow to the Moscow-based biz.

“After review and careful consideration, the General Services Administration made the decision to remove Kaspersky Lab-manufactured products from GSA IT Schedule 70 and GSA Schedule 67 – Photographic Equipment and Related Supplies and Services,” a GSA spokesperson told The Register today.

“GSA’s priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes.”

While not outright banned from use by the government, the move does make Kaspersky products way more difficult for agencies to obtain, effectively freezing the technology out of offices. Members of the US Senate had previously called for an even stronger ban on Kaspersky products from government offices.

The GSA decision comes amid speculation that the Russia-headquartered Kaspersky Lab was working closely with the Kremlin and Russian police in their intelligence and law-enforcement efforts – something Kaspersky has soundly denied. Earlier this month, the vendor offered to open up its source code to investigators to prove its software was not stealing information for Moscow.

Still, stories of Kaspersky’s ties to Russia persist. Earlier today Bloomberg reported that the company was not only working closely with Russia’s FSB, but had taken the cooperation to the level of accompanying agents on raids. The story goes on to reference a 2009 email from CEO and namesake Eugene Kaspersky to an employee, referencing what is said to be a “big project” on behalf of the FSB.

“In the internal communications referenced within the recent article, the facts are once again either being misinterpreted or manipulated to fit the agenda of certain individuals desperately wanting there to be inappropriate ties between the company, its CEO and the Russian government, but no matter what communication they claim to have, the facts clearly remain there is no evidence because no such inappropriate ties exist,” Kaspersky said in its response to the aforementioned explosive story. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/11/uncle_sam_says_nyet_to_kaspersky/

Trump Hotels left orange faced: Hackers plunder systems for credit cards

Trump Hotels has become the latest accommodation group to put its hands up as a user of the compromised Sabre SynXis Central Reservations system.

SynXis offers hotel-bookings-as-a-service to tourism operators and has contacted users to let them know that unauthorised parties had accessed its systems.

Trump Hotels’ letter [PDF] to guests says Sabre got in touch on June 5, 2017, with news that “an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of our hotel reservations”.

“The unauthorized party was able to access payment card information for some hotel reservations at certain properties listed here, including cardholder name, payment card number, card expiration date, and potentially card security code,” the letter says, adding that “In some cases, the unauthorized party also was able to access guest name, email, phone number, address, and other information. Information such as Social Security, passport, and driver’s license number was not accessed.”

Trump Hotels advises guests to “remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports for any unauthorized activity.” The chain has also published a list [PDF] of hotels impacted by the breach and dates when guests’ data may have been accessed.

Hard Rock Hotels has already ‘fessed up as a SynXis user and warned its patrons to be vigilant. Google has also warned its staff about the incident, although Sabre disputes the ad-slinger’s assertion that its travel provider Carlson Wagonlit Travel was a SynXis user. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/11/trump_hotels_sabre_synxis_victim/

Microsoft Patches Critical Zero-Day Flaw in Windows Security Protocol

Researchers at Preempt uncovered two critical vulnerabilities in the Windows NTLM security protocols, one of which Microsoft patched today.

Microsoft today issued a patch for a newly revealed critical vulnerability affecting its Windows NT LAN Manager (NTLM) security protocols.

Researchers at Preempt uncovered two zero-day vulnerabilities within Windows NTLM, both stemming from improper handling of the protocol, which could allow attackers to create domain administrator accounts. One flaw was fixed as part of Patch Tuesday; the other was not.

NTLM is a suite of protocols enabling authentication, and could put users at risk of unauthorized credential use and password cracking if the flaws are exploited.

The first NTLM flaw, which Microsoft patched in CVE-2017-8563, is “probably the best kept widely known secret of the hacking world,” according to Preempt. It allows an NTLM relay attack, where an attacker can create a parallel session with a target server, leverage a user’s encrypted password hash to authenticate via NTLM, and infect a target system with malware.

Windows’ Lightweight Directory Access Protocol (LDAP) is not protected from NTLM relay attacks, even with its built-in LDAP signing defensive measure, which protects against man-in-the-middle (MitM) attacks but not credential forwarding. So an attacker with system privileges could relay credentials to the domain controller, where they can create a domain account and take over the entire network.

Microsoft’s patch fixes this vulnerability “by incorporating enhancements to authentication protocols designed to mitigate authentication attacks,” the company explains. To make LDAP authentication over SSL/TLS more secure, it also advises administrators to create an LdapEnforceChannelBinding registry value on a domain controller.

There are many ways hackers can access privileged credentials, from phishing to physical device access. Every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin could result in a full network attack. All versions of Windows Server are vulnerable.

“Once an administrator connects to your machine, he can use those credentials and create a new domain administrator,” explains Preempt senior researcher Yaron Ziner. “Once you have that one machine, you pretty much own the entire network.”

Preempt’s analysis revealed 50 to 60% of all networks have a high-privilege agent connecting to all machines. A device does not necessarily need to have domain administrator credentials to be used by an attacker to conduct a full network takeover. Anyone with enough privilege to create an account could enable this level of attack.

Shades of WannaCry, Petya

Ziner says the privilege escalation vulnerability is a serious threat and has similarities to the WannaCry and Petya threats, which wreaked havoc across the globe over the past couple of months. Once one device was infected with either attack, it spread rapidly through the network.

The second NTLM flaw Preempt discovered is considered a design flaw and affects Remote Desktop Protocol (RDP) Restricted-Admin mode. RDP Restricted-Admin mode lets users connect to a remote machine without giving their password to the remote machine. It could also let attackers connect to remote machines using techniques like pass-the-hash, according to Preempt.

Preempt researchers discovered that RDP Restricted-Admin lets authentication systems downgrade to NTLM. This meant attacks possible with NTLM, such as credential relaying and password-cracking, can be used against RDP Restricted-Admin – risking the credentials of anyone using elevated privileges to access remote machines.

In this sense, the first NTLM vulnerability makes the second vulnerability more dangerous, says Ziner. When combined with the LDAP relay problem, the RDP flaw means each time an admin connects with Restricted-Admin, an attacker can make a fake domain admin account.

“If you don’t patch the first one, you definitely shouldn’t use restricted admin,” he notes. “It’s not safe at all.”

Ziner says Microsoft told Preempt that this was a known issue when the security firm shared both vulnerabilities with the software giant in April 2017. “They did acknowledge the issue and said it’s by design,” he notes, and they will not be providing a patch for it.

That said, he continues, simply applying patches is not enough to protect against either threat. If companies want to be completely safe, they should stop using NTLM or use it in a very restricted manner. They should also keep tabs on privileged accounts; namely, when they were created, who created them, and whether they should actually be privileged.

Regarding today’s full Microsoft Patch Tuesday release, Qualys director of product management Jimmy Graham advises businesses prioritize CVE-2017-8589, a flaw in the Windows Search service that could be exploited remotely via SMB to assume control of a system, and Windows Explorer vulnerability CVE-2017-8463.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-patches-critical-zero-day-flaw-in-windows-security-protocol/d/d-id/1329332?_mc=RSS_DR_EDT

Web App Vulnerabilities Decline 25% in 12 Months

WhiteHat Security’s annual Web app report shows the average number of vulns in a Web app is down from four to three.

Despite the number of vulnerabilities found in a single Web application falling by 25% in 2016 over the previous year, the number of exploitable flaws remains too high, according to WhiteHat Security’s 12th Annual Application Security Statistics Report released today.

The average number of vulnerabilities found in a Web application fell to three from four, says Ryan O’Leary, vice president of WhiteHat Security’s Threat Research Center and Technical Support. Ideally that figure should be zero, however, he says.

“Three sounds like a low number but even one vulnerability can be exploited and give attackers access to your credit card information or other personal information. It only takes one vulnerability to create a huge issue for a company,” says O’Leary.

WhiteHat, which gleaned the data from 15,000 Web applications it monitors and more than 65,600 mobile apps, also crunched the numbers on the days it takes to fix critical and high-risk vulnerabilities as well as the types of vulnerabilities that are the most prevalent on mobile devices and on the Web.

According to the report, the average time it takes to fix a high-risk vulnerability after its discovery is 196 days – 25 days longer than the average of 171 days in 2015.

The reason it’s taking longer to fix high-risk vulnerabilities is likely due to software developers switching over to an Agile software development process from the older, traditional waterfall method, O’Leary says. While there’s typically a chunk of time at the end of a waterfall project to fix vulnerabilities, there are smaller slivers of time to fix exploitable flaws under the Agile method, O’Leary explains.

As a result, software developers tend to want to fix the easiest vulnerabilities first under an Agile method and that usually means the more complex vulnerabilities get left behind, and those are usually also high-risk flaws, O’Leary says.

But critical vulnerabilities, such as those that can lead to a total compromise of a server, database, or sensitive information, are usually slotted in and addressed at the prompting of a CISO or business leader — even under an Agile software development process, says O’Leary.

Fixing critical vulnerabilities improved in 2016, taking an average of 129 days, compared with 146 days in the previous year, the report found.

Where the Vulns Are

When it comes to mobile apps, the top three Android app categories where vulnerabilities were found included news, games, and lifestyle apps, according to the report. And for the iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.

The most common type of vulnerability for mobile apps, whether Android or iOS, is the communication that occurs between the mobile device itself and the backend server, O’Leary says. The vulnerability resides in the secure transportation of the data from the device to the backend server.

For Web apps, approximately 60% of applications are “always vulnerable” in the utilities, education, accommodations, retail, and manufacturing industries, the report found. The “always vulnerable” status means that WhiteHat was able to find at least one vulnerability in the app every minute of the day during the 12 months it collected data for the report.

Web apps continue to suffer from two major vulnerabilities that seem to have existed “forever,” O’Leary says, cross-site scripting (XSS) and information leakage.

The most common type of Web app vulnerability is XSS, regardless of the industry. “People have known about it forever but can’t seem to fix it,” he says.

Information leakage, meanwhile, often is the result of software developers leaving comments in their code, for example, he says. That information is made public when the app is launched and can ultimately provide attackers with enough information to aid them to launch an attack, O’Leary says.


One of the new vulnerabilities that has emerged over the last couple of years is insufficient transport layer security (TLS) protection, says O’Leary. He noted Heartbleed was the first to take advantage of the open TLS handshake that occurs as information is passed from the browser to the server.

“In 2012, you didn’t see much of vulnerabilities in the transport layer, but after Heartbleed, it set off a bunch of these types of vulnerabilities,” he notes.

Software developers, who have increasingly relied on third-party and open source libraries, should double-check for patches for those libraries before using them in their apps, O’Leary advises.

“Before, development was about building code from start to finish. But now, developers use open source and third party libraries and it’s scary to think that they don’t even know the [security level] of what they are importing,” O’Leary says.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/application-security/web-app-vulnerabilities-decline-25--in-12-months/d/d-id/1329333?_mc=RSS_DR_EDT

Your gadget could save your life: smart device phones police

Police in the US state of New Mexico are crediting a voice assistant with saving the life of a woman by calling the sheriff at her command during an alleged assault.

According to ABC News, a crisis team – including a SWAT team – were sent to the house and managed to take the man into custody after an hours-long standoff.

That man was Eduardo Barros. He was house-sitting with his girlfriend and her daughter on July 2. The couple reportedly got into an argument that turned violent, according to the Bernalillo County Sheriff Department.

As ABC News tells it, Barros allegedly held up a firearm and threatened to kill the woman, asking her: “Did you call the sheriffs?”

The utterance triggered a smart speaker – we don’t know what type; the police had initially and erroneously said it was a Google Home device, but a press release subsequently said that the emergency call recording indicated that the alleged victim was telling Amazon’s Alexa to dial 999. The question was interpreted as a voice command and a call was placed to the emergency services, presumably by an always-listening device such as an iPhone with Siri.

Bernalillo County Sheriff Manuel Gonzales III said in a statement to ABC News that the device’s mistake possibly saved the woman and her child:

The unexpected use of this new technology to contact emergency services has possibly helped save a life. This amazing technology definitely helped save a mother and her child from a very violent situation.

Barros is facing charges of possession of a firearm or destructive device by a felon, aggravated battery against a household member, aggravated assault against a household member and false imprisonment. He’s being held without bond.

This isn’t the first time that voice assistants have been credited with life-saving calls.

In March, Apple’s Siri voice assistant was credited with saving a London woman’s life. When she fell to the floor, unconscious, her four-year-old son unlocked his mother’s mobile phone by pressing her thumb to it. Then, he asked Siri for help. Siri dialed 999: the British emergency number. With life-saving first aid, she survived and was taken to the hospital.

Also, in June 2016, an Australian mother, rushing to the nursery when a baby monitor showed her one-year-old had stopped breathing, dropped her phone while she was turning on the light. She still managed to tell Siri to call for help while she performed CPR. Both she and her husband credited the few precious seconds that Siri gave them for potentially making all the difference.

The outcome of that particular story is one of the upsides of the fact that recent iPhones can be set to always be listening for commands. That new feature came about in iOS 9, when Apple enabled activation of the built-in personal assistant at the sound of your voice, rather than waiting for you to hold down the Home button.

If that’s turned on, Siri can not only open music and send text messages, it can also make hands-free phone calls on its own while you drive or while you’re in a critical situation. Note that Siri in hands-free mode only works on newer models when not plugged in to a power source. Older models – at least back to the 5s – need to be plugged in to a power source for Siri to work in hands-free mode.

Other phone brands can also be set up for hands-free voice assistance, of course. These stories illustrate one good reason why people might want to activate the feature. Police have urged parents to teach children their home address, as well as how to unlock a phone and how to summon help, whether it’s through a voice assistant or by pressing an emergency services number like 999 in the UK or 911 in the US.

It’s worth noting that you can make an emergency call on a locked phone. The feature is available on the Lock screen of every iPhone: press the Home button to trigger the passcode screen, after which you can bypass the lock to either make an emergency call or access someone’s Medical ID information.

Ditto for Androids: Tap Phone (if your phone is locked, tap Emergency Call). If that doesn’t work, swipe to get to the login screen, which will offer an option of placing the emergency call. Android allows you to set up four emergency contacts, and it presents a number pad to call for emergency services and an icon for emergency medical information.

We’ve reported on the privacy implications of always-on listening technologies, but rarely do we get a chance to point to something as positive as lives being potentially saved due to the relatively recent emergence of this technology.

It’s a welcome departure from our always-on-listening-devices norm, which has otherwise been taken up with things like all the internet-connected, artificially intelligent and very scary toys that listen to your kids!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aBlznlg3MOo/