STE WILLIAMS

After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people’s calls and text messages to miscreants’ devices. Now we’ve seen the first case of crooks exploiting the design flaws to line their pockets with victims’ cash.

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

In 2014, researchers demonstrated that SS7, which was created in the 1980s by telcos to allow cellular and some landline networks to interconnect and exchange data, is fundamentally flawed. Someone with internal access to a telco – such as a hacker or a corrupt employee – can get access to any other carrier’s backend in the world, via SS7, to track a phone’s location, read or redirect messages, and even listen to calls.

In this case, the attackers exploited the mobile transaction authentication number (mTAN) scheme German banks use as a second factor: before funds are transferred between accounts, the online banking customer receives a one-time code by SMS and has to type it back in.

The hackers first spammed out malware to victims’ computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim’s mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.
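The two stages above can be modelled in a few lines. The following is an added example, not code from the article or from any real network: it treats the home network's HLR as a table from phone number to serving switch that accepts a MAP UpdateLocation from any interconnect peer, which is what lets a rogue carrier be handed the bank's SMS (the bank's SMS centre delivers wherever the HLR's SendRoutingInfoForSM answer points). The MSISDN, the `.example` hosts and the optional peer allow-list standing in for an SS7 firewall are all invented for the illustration.

```python
"""Toy model of the SS7 trust flaw behind the German mTAN thefts.

Added example, not code from the article or from any real network.  It
models one property the attack turns on: the home network's HLR (Home
Location Register) accepts a MAP UpdateLocation from any interconnect
peer, so whichever network claims to be serving the victim's number is
where the victim's incoming SMS are routed.  Every identifier below is
invented; the trusted_peers allow-list stands in for an SS7 firewall.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class HLR:
    """Maps each subscriber (MSISDN) to the MSC/VLR address currently
    serving it, and decides which peers may change that mapping."""
    serving_msc: Dict[str, str] = field(default_factory=dict)
    # None reproduces classic SS7 behaviour: every interconnected network
    # is trusted.  A set models an SS7 firewall that only accepts location
    # updates from known roaming partners.
    trusted_peers: Optional[Set[str]] = None

    def update_location(self, peer: str, msisdn: str, new_msc: str) -> bool:
        """MAP UpdateLocation: 'this subscriber has just roamed onto me'."""
        if self.trusted_peers is not None and peer not in self.trusted_peers:
            return False                       # firewall drops the update
        self.serving_msc[msisdn] = new_msc
        return True

    def routing_info_for_sm(self, msisdn: str) -> str:
        """MAP SendRoutingInfoForSM: where should an SMS for msisdn go?"""
        return self.serving_msc[msisdn]


def bank_sends_mtan(hlr: HLR, msisdn: str, inboxes: Dict[str, list]) -> str:
    """The bank's SMS gateway asks the HLR where the number is and delivers
    the one-time transaction code there.  It cannot tell whether the answer
    is the victim's real switch or an attacker's."""
    tan = f"{secrets.randbelow(10 ** 6):06d}"
    inboxes[hlr.routing_info_for_sm(msisdn)].append(tan)
    return tan


def run_attack(firewalled: bool) -> dict:
    """Stage two of the article's attack; stage-one malware has already
    stolen the victim's banking login and mobile number."""
    victim = "+49170000000"                    # invented MSISDN
    home_msc = "msc.home-net.example"          # victim's real serving switch
    rogue_msc = "msc.rogue-carrier.example"    # the purchased rogue telco
    roaming_partners = {"partner-a.example", "partner-b.example"}

    hlr = HLR(serving_msc={victim: home_msc},
              trusted_peers=roaming_partners if firewalled else None)
    inboxes = {home_msc: [], rogue_msc: []}

    # Attacker, speaking from the rogue carrier, re-registers the victim.
    accepted = hlr.update_location("rogue-carrier.example", victim, rogue_msc)

    # Attacker logs in with the stolen credentials and starts a transfer;
    # the bank sends the mTAN to wherever the HLR now points.
    tan = bank_sends_mtan(hlr, victim, inboxes)

    return {
        "redirect_accepted": accepted,
        "tan_issued": tan,
        "attacker_sees": inboxes[rogue_msc][-1] if inboxes[rogue_msc] else None,
        "victim_sees": inboxes[home_msc][-1] if inboxes[home_msc] else None,
    }


if __name__ == "__main__":
    print("classic SS7: ", run_attack(firewalled=False))
    print("SS7 firewall:", run_attack(firewalled=True))
```

With `firewalled=False` the code lands in the rogue carrier's inbox and the victim's handset never sees it, which is why the thefts could run unnoticed overnight; restricting who may update a subscriber's location is the kind of check the article says telcos have been slow to deploy.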

While security experts have been warning about just this kind of attack – and politicians have increasingly been making noise about it – the telcos have been glacial at getting to grips with the problem. The prevailing view has been that you’d need a telco to pull off an assault, and what kind of dastardly firm would let itself be used in that way.

That may have worked in the 1980s, but these days almost anyone can set themselves up as a telco, or buy access to the backend of one. To make matters worse, Diameter, the protocol that takes over SS7’s signaling role on 4G/LTE networks, also has security holes, according to the Communications Security, Reliability and Interoperability Council at America’s comms watchdog, the FCC.

This first publicly confirmed attack will hopefully ginger up efforts to fix issues with SS7, at least in Europe, where Germany has a leadership position. As for the US, it might take a series of SS7 assaults before the telcos get their backsides into gear. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

Don’t click that Google Docs link! Gmail hijack mail spreads like wildfire

Updated: If you get an email today sharing a Google Docs file with you, don’t click it – you may accidentally hand over your Gmail inbox and your contacts to a mystery attacker.

The phishing campaign really kicked off in a big way on Wednesday morning, US West Coast time. The malicious email contains what appears to be a link to a Google Doc file. This leads to a legit Google.com page asking you to authorize “Google Docs” to access your Gmail account.

Except it’s not actually the official Google Docs requesting access: it’s a rogue web app with the same name that, if given the green light by unsuspecting marks, then ransacks contact lists and sends out more spam. It also gains control over the webmail account, including the ability to read victims’ messages and send new ones on their behalf.

Apparently no one at Google thought to block someone calling their app Google Docs.

If the permissions are granted, the software will immediately spam out the same message to all the people on your contacts list. Two-factor authentication does not help here: the OAuth grant gives the rogue app access to your account without it ever needing your password or a second factor. Here at Vulture West we’ve been getting bombarded with these emails, including some from journalists at other publications.

“There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools / campuses,” explained Christopher Boyd, malware intelligence analyst at Malwarebytes, today.

“This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there, or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a ‘look at the cute cat pic’ fashion.”

The emails do have some distinguishing characteristics. They are all addressed to the same throwaway mailinator.com address, with the victims BCC’d, and sent from the last person to accidentally authorize the malicious app.

If you have fallen prey to the attack, there are steps that can be taken to ameliorate the situation. Simply go into your Google account permissions page and revoke all the access privileges granted to the rogue “Google Docs” app.

Google hasn’t released an official statement, however its Project Zero wunderkind Tavis Ormandy has confirmed that the security team is on the case. Gmail has also said it is aware of the issue.

It doesn’t appear at this point that there’s a malware payload included with the messages, but it’s very early days yet. What is clear is that these messages are spreading like wildfire and the attackers are going to be harvesting email lists for future attacks – so let’s be careful out there.

For what it’s worth, the servers hosting the malicious app appear to be down at time of writing. Reg hacks who received the messages had to fish the phishes out of their spam folders. ®

Updated to add

Google has now issued a statement on the attack, saying it has locked down its systems to prevent any further spread of the emails.

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” said a spokesperson in an email.

“We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

Cooper Quintin, staff technologist at the EFF, told The Register that he has now collected over 400 samples of the emails and they don’t appear to be carrying a malware payload. The attack bears some similarities to a nation-state attack earlier this year but he said that, in his opinion, this case was too noisy to be state actors.

“Nation state attacks prefer to stay under the radar,” he explained. “It was a hell of an attack, but may have been too successful for its own good.”

In the best case scenario the attackers would just have gained a shed-load of valid email addresses and a good idea of who is likely to click on such links. But, Quintin pointed out, the attacker would also have been able to scan emails for useful snippets of data for other attacks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/google_docs_hit_phishing_email_campaign/

Don’t panic, Florida Man, but a judge just said you have to give phone passcodes to the cops

A Florida state court has ruled that suspected crims can be forced to hand over their smartphone passcodes to cops and other investigators.

Generally in America, you don’t have to hand over your passcodes and passwords to the police, because this information is considered personal knowledge, and divulging it is therefore testimonial self-incrimination. Fingerprints, which can unlock modern mobes, are another story: courts have treated them as physical evidence rather than testimony, so you have to give those over if you’ve been collared by the cops.

Well, maybe not in Florida. Judge Charles Johnson of the Miami-Dade Circuit Court said Wednesday that two people facing extortion charges do not have a constitutional protection against being forced to hand over the codes to unlock their phones.

Defendants Hencha Voigt and Wesley Victor had been accused of using stolen photos and videos to extort payment from SnapChat celeb Julieanna Goddard. Voigt and Victor’s smartphones – an iPhone and a Blackberry – are believed to contain evidence of the extortion plot.

Police had sought to force the pair to give them their passcodes, while defense lawyers had claimed giving up the codes would violate Fifth Amendment protections against forced self-incrimination.

According to the Miami Herald, the judge ruled in favor of the prosecution with the reasoning that the codes were not equivalent to being forced to testify, but were more like “turning over a key to a safety box.”

The defense now has two weeks to give up the passcodes or risk contempt of court charges.

The judge cited a precedent set last year when a state court of appeals ruled a man accused of voyeurism did not have legal protection against the unlocking of his handset.

Judge Johnson’s ruling today covers Florida, rather than the US as a whole, although courts in other states can cite this decision if they wish. And it can be appealed to a higher bench, of course. It is likely to trigger a debate across America over how far law enforcement officials can go when trying to unlock a mobile device.

The debate was pushed to the forefront last year, when Apple and the FBI clashed over a demand to unlock an iPhone used by San Bernardino shooter Syed Farook. The feds ultimately avoided a legal war by opting instead to obtain a software bypass. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/florida_passcode_unlock_phone_cops/

Netflix Incident A Sign Of Increase In Cyber Extortion Campaigns

Attackers using threats of data exposure and DDoS disruptions to try and extort ransoms from organizations

The recent leak of 10 unaired episodes from Season 5 of Netflix’s hit series “Orange Is The New Black” shows that ransomware is not the only form of online extortion for which organizations need to be prepared.

Increasingly, cyber criminals have begun attempting to extort money from organizations by threatening to leak corporate and customer data, trade secrets, and intellectual property. Instead of encrypting data and seeking a ransom for decrypting it, criminals have begun using doxing as leverage to try and quietly extort bigger sums from enterprises.

“Targeted attacks are the new cybersecurity threat and are on the rise,” says Nir Gaist, CEO and co-founder of security vendor Nyotron. “Organizations, regardless of industry or size, can be targeted with cyber extortion or espionage as the hackers’ goal.”

The reason why there isn’t more noise over such incidents is that victims often like to keep quiet about them, he says. “Unless the company is regulated to report the attack, they will keep it quiet to keep brand and reputation intact,” Gaist says.

Even in the case of the Netflix leak, for instance, it was the hackers themselves who announced the attack. “There was no monetary loss due to the early release of the ‘Orange is the New Black’ episodes, but there was reputation loss and brand damage,” he says.

A malicious hacker or hacking group calling itself TheDarkOverlord earlier this week claimed responsibility for publicly posting several episodes of the Netflix series after apparently stealing them from Larson Studios, a small post-production company, back in December.

The hackers first tried to extort money from Larson Studios before going after Netflix directly. When Netflix refused to acquiesce to the extortion demand, the hackers released the unaired episodes. The hackers claimed to have stolen several more unaired episodes of TV programs from Netflix, Fox, and National Geographic and have threatened to release them as well. It is not clear if the hackers have made any extortion demands of the various studios.

The Netflix incident is an example of the growing threat to organizations from extortion scams, says Moty Cristal, CEO of NEST Negotiation Strategies, a firm that specializes in helping organizations negotiate with online extortionists.

Cyber extortion can include the threat of DDoS attacks and data exposure. The goal of attackers is to find a way to threaten targets with the most damage, either financial or from a brand reputation standpoint, Cristal explains.

Any decision on whether to pay or not to pay should be based on an assessment of the potential damage, both real and perceived, that the attacker could wreak, and the company’s ability to withstand such damage, Cristal says.

In the Netflix incident, the fact that the attackers demanded just around 50 bitcoin for the stolen episodes suggests they were likely motivated more by the need to be recognized and professionally acknowledged than by financial gain, Cristal adds.

Surprisingly, targeted extortion attacks do not always have to be sophisticated to be successful, although sometimes they can be very sophisticated, Gaist says. “In a targeted attack, the hacker will attempt to find a simple vulnerability to get in,” he says. “Unfortunately for most companies, basic security hygiene is simply not attended to properly – leaving them completely vulnerable to a targeted attack.”

While attacks that result in potential exposure of customer and corporate data can be scary, there are a couple of good reasons not to pay, security analysts say. One of course is that paying off a ransom or extortion is only likely to inspire more attempts. An organization that shows its willingness to pay to get data back or to prevent something bad from happening will almost certainly be attacked again.

The other reason is that not all extortion scams are real. In fact, a lot of times attackers will attempt to scare money out of an organization with false threats.

Last year for instance, a malicious hacking group calling itself the Armada Collective sent extortion letters to some 100 companies threatening them with massive distributed denial of service attacks if they did not pay a specific ransom amount. Security vendor CloudFlare, which analyzed the Armada Collective’s activities, estimated that the group netted hundreds of thousands of dollars in ransom payments from victims, without carrying out a single attack.

Meg Grady-Troia, web security product marketing manager at Akamai, says paying a ransom doesn’t necessarily guarantee a chosen outcome. “So doing separate analysis of the request for payment and the real threat is critical for any organization.”

Akamai’s customers have seen a lot of extortion letters, threatening a DDoS attack if a specified amount of bitcoin is not deposited to an identified wallet by a certain time, she says. These letters have come from a number of groups, including DD4BC, Armada Collective, Lizard Squad, XMR Squad, and others. Often though, there is very little follow-through.

“Some of these DDoS extortion letters are merely profit-making schemes, while some are serious operations with the resources to damage a business,” says Grady-Troia.

Paying a ransom is no guarantee that your data still won’t be leaked, she says. “Once data has been exfiltrated from your system, the blackmail may or may not continue after the requested payment, or it may still be leaked.”

What organizations need to be focusing on is DDoS attack resilience and the operational agility of their systems, particularly access controls, backup procedures, and digital supply chain.

“The importance of online extortion depends immensely on the nature of the threat and the enterprise’s risk tolerance,” Grady-Troia says. “Businesses should have a security event or incident response process that can be invoked in the case of any attack, and that process should include subject matter experts for systems and tools, procedures for all kinds of hazards.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: http://www.darkreading.com/attacks-breaches/netflix-incident-a-sign-of-increase-in-cyber-extortion-campaigns/d/d-id/1328794?_mc=RSS_DR_EDT

Google Docs Phishing Attack Abuses Legitimate Third-Party Sharing

Phishing messages appear nearly identical to legitimate requests to share Google documents, because in many ways, they are.

Google users today were hit with an extremely convincing phishing spree launched by attackers who manipulated Google Docs’ legitimate third-party sharing mechanism.

Targets received messages with a subject line like “[Sender] has shared a document on Google Docs with you”, often from senders they knew. The messages contained links, which led to a page that clearly requested access to the user’s Gmail account. If the target user provides access, the attack begins sending spam to all the user’s contacts. Theoretically, the attacker could also access the victim’s messages and steal sensitive data, but thus far there have been no reports of such activity.

Because it takes advantage of Google’s legitimate third-party sharing mechanism, the phishing message is much more difficult to identify as malicious. The icons and messaging are familiar to Google users. Gmail itself did not filter the messages as phishing or flag them as spam, but rather sent them to Gmail users’ “Primary” inbox mail folders. The senders were familiar enough to have the target in their contact lists. One way to spot the attack: some targets report that the message includes a recipient with an address that begins “hhhhhhhhhhhhhh” and ends with the domain “mailinator.com.”  

Google responded with a fix and issued a statement:

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail. If you think you were affected, visit http://g.co/SecurityCheckup”

Those who have already fallen victim to this attack should also go to their Google account permissions settings and revoke access to the false “Google Docs” application. They’re also advised to set up two-factor authentication.
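The tells described here and in the earlier Register piece (the share-notification subject line, a single mailinator.com address in To: with the real victims BCC’d, and a genuine accounts.google.com consent page for a third-party app merely named “Google Docs”) can be checked mechanically at a mail gateway. The following is an added example, not code from Google, Malwarebytes or either article. The two messages in it are constructed; the EXAMPLE-ID client ID and the docs-share.invalid redirect host are placeholders; and the redirect check assumes the standard `accounts.google.com/o/oauth2` consent URL, in which the `redirect_uri` parameter names the server that receives the access grant.

```python
"""Header and link heuristics for the May 2017 "Google Docs" consent phish.

Added example; not code from the articles, from Google or from Malwarebytes.
It checks the tells the articles describe: the share-notification subject,
a throwaway mailinator.com address in To: with every real victim BCC'd, and
a link into Google's genuine OAuth consent screen for a third-party app that
is merely *named* "Google Docs".  Sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

SHARE_SUBJECT = re.compile(r".+ has shared a document on Google Docs with you$")
THROWAWAY_DOMAINS = {"mailinator.com"}        # assumption: extend locally
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def oauth_redirect_host(url: str) -> Optional[str]:
    """For a Google OAuth consent URL, return the host that receives the
    access grant (redirect_uri); None for any other kind of link."""
    u = urlparse(url)
    if u.hostname != "accounts.google.com" or not u.path.startswith("/o/oauth2"):
        return None
    target = parse_qs(u.query).get("redirect_uri", [""])[0]
    return urlparse(target).hostname


def phishing_indicators(raw_message: str, my_address: str) -> List[str]:
    """Return the indicators that fire for one RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []

    if SHARE_SUBJECT.search(msg.get("Subject", "")):
        found.append("google-docs share notification subject")

    # Visible recipients: anyone in To: or Cc:.  A real share names you.
    visible = [addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if my_address.lower() not in visible:
        found.append("recipient reached only via Bcc")
    if any(addr.rsplit("@", 1)[-1] in THROWAWAY_DOMAINS for addr in visible):
        found.append("throwaway address in To:")

    # The consent page is really Google's; the question is who gets the token.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for link in URL_RE.findall(body):
        host = oauth_redirect_host(link)
        if host and not (host == "google.com" or host.endswith(".google.com")):
            found.append(f"OAuth consent hands the grant to {host}")

    return found


# Constructed sample in the shape the articles describe (placeholders only).
PHISH = "\n".join([
    "From: Colleague <colleague@example.org>",
    "To: hhhhhhhhhhhhhh@mailinator.com",
    "Subject: Colleague has shared a document on Google Docs with you",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Colleague has invited you to view the following document:",
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE-ID"
    "&redirect_uri=https%3A%2F%2Fdocs-share.invalid%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F&response_type=code",
])

# Constructed sample: a share addressed to the recipient, linking to the doc.
LEGIT = "\n".join([
    "From: Colleague <colleague@example.org>",
    "To: victim@example.org",
    "Subject: Q2 budget - Invitation to edit",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Open in Docs: https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit",
])

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH, "victim@example.org"))
    print("legit:", phishing_indicators(LEGIT, "victim@example.org"))
```

No single indicator is damning on its own (Google's own notifications use the same subject template), so treat the count as a score; the redirect check is the one that separates a real share from a consent grab, because a genuine Docs share never asks you to authorize anything.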

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/google-docs-phishing-attack-abuses-legitimate-third-party-sharing-/d/d-id/1328797?_mc=RSS_DR_EDT

Tinder orders researcher to remove dataset of 40,000 profile pictures

Following a privacy kerfuffle, Tinder told a developer to remove a dataset of 40,000 of its users’ images that he had published in six downloadable zip files and released under a CC0: Public Domain License.

The dataset was called People of Tinder.

The developer, Stuart Colianni, who not-so-charmingly referred to the Tinder users as “hoes” in his source code, was using the images to train artificial intelligence.

The Kaggle page where he published the dataset now returns a 404. But, you can still get at the script Colianni used to scrape the data: he uploaded TinderFaceScraper to GitHub.

Before the dataset came down, Colianni said that he had created it with the use of Tinder’s API to scrape the 40,000 profile photos, evenly split between genders, from Bay Area users of the dating app.

Tinder’s API is notoriously vulnerable to being exploited. Not only has it been used to promote a movie, it’s also been abused to expose users’ locations and to auto-like all female profiles. (That last one evolved from homemade hack into an actual, full-fledged app for the devotedly indiscriminate.)

Then too, there was the guy-on-guy prank: the one where a programmer rigged the app with bait profiles, identified men who “liked” the phony female photos, and set them up to fling lust-filled come-ons at each other.

At any rate, Colianni’s Tinder face grab isn’t the first time we’ve seen developers make off with large facial image datasets without bothering to ask whether the people behind those images actually want to be involved in their research project.

Earlier mass face grabs include one from February, when we learned about a facial recognition startup called Pornstar.ID – a reverse-image lookup for identifying porn actors – that trained its neural network on upwards of 650,000 images of more than 7,000 female adult performers.

Did those performers consent to being identified and listed on the Pornstar.ID site? Did they agree to having their biometrics scanned so as to train a neural network? Is there any law that says their published images, which are presumably published online for all to see (or purchase) aren’t up for grabs for the purpose of training facial recognition deep learning algorithms?

The same questions apply to the Tinder face grab. And the answers are the same: there are indeed laws concerning face recognition.

The Electronic Privacy Information Center (EPIC) considers the strongest of them to be the Illinois Biometric Information Privacy Act, which prohibits the use of biometric recognition technologies without consent.

In fact, much of the world has banned face recognition software, EPIC points out. In one instance, under pressure from Ireland’s data protection commissioner, Facebook disabled facial recognition in Europe: recognition it was doing without user consent.

When Tinder users agree to the app’s Terms of Use, they thereby grant it a “worldwide, transferable, sub-licensable, royalty-free, right and license to host, store, use, copy, display, reproduce, adapt, edit, publish, modify and distribute” their content.

What isn’t clear is whether those terms apply here, with a third-party developer scraping Tinder data and releasing it under a public domain license.

Tinder said that it shut down Colianni for violating its terms of service. Here’s what Tinder said to TechCrunch:

We take the security and privacy of our users seriously and have tools and systems in place to uphold the integrity of our platform. It’s important to note that Tinder is free and used in more than 190 countries, and the images that we serve are profile images, which are available to anyone swiping on the app. We are always working to improve the Tinder experience and continue to implement measures against the automated use of our API, which includes steps to deter and prevent scraping.

This person has violated our terms of service (Sec. 11) and we are taking appropriate action and investigating further.

Indeed, Sec. 11 describes two relevant actions that are verboten:

You will not:

  • …use any robot, spider, site search/retrieval application, or other manual or automatic device or process to retrieve, index, “data mine”, or in any way reproduce or circumvent the navigational structure or presentation of the Service or its contents.
  • …post, use, transmit or distribute, directly or indirectly, (eg screen scrape) in any manner or media any content or information obtained from the Service other than solely in connection with your use of the Service in accordance with this Agreement.

So sure, yes, turning off Colianni’s access makes sense: he was scraping/data mining for purposes outside of Tinder’s terms of use.

My question: why has Tinder taken this long to shut off this type of activity?

I’m thinking here of Swipebuster: the app that promised to find out – for $4.99 – if your friends and/or lovers are using/cheating on you with Tinder… including letting you know when they used the app last, whether they’re searching for women or men, and their profile photo and bio.

It’s a year ago that Swipebuster was in the news. At the time, Tinder was just fine with developers lapping at the faucet of its free-flowing API. Hey, if you want to shell out the money, it’s up to you, Tinder said. After all, it’s all public information, it said at the time:

… searchable information on the [Swipebuster] website is public information that Tinder users have on their profiles. If you want to see who’s on Tinder we recommend saving your money and downloading the app for free.

What’s changed between then and now? How is using the face dataset to train facial recognition AI different from Swipebuster’s catch-the-cheaters pitch? It’s all still public information, after all.

Is access to the API now restricted to prevent apps from scraping users’ images? Or did Tinder just shut down this one researcher? What’s the thinking, here, on how Colianni’s use of Tinder users’ faces was egregious, but Swipebuster’s use was just fine?

I asked. Tinder responded by sending the same statement that it sent to TechCrunch.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/g50u1_hGVsU/

Concern mounts at Indian ID scheme as portals ‘leak’ 100m people’s details

The details of more than 100m Indians’ Aadhaar ID cards have leaked from four government portals, according to a report from the Centre for Internet and Society (CIS).

Based on the numbers available on the websites looked at, [the] estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million

If you’re not familiar with the Aadhaar numbers, we’ve previously reported on the history of and concerns surrounding this biometric ID card. Now a fundamental part of Indian society, anyone that has not signed up faces being denied access to many government and private-sector services and schemes.

As the government presses on with intertwining the card into everyday life, concerns about the security of the vast amounts of personal data being stored and the potential for its misuse by cyber-criminals continue to mount.

The disclosures came as part of a report entitled Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information, which focuses on just four of India’s numerous government portals:

  • The National Social Assistance Programme (NSAP): which supports unemployed, elderly, sick and disabled citizens.
  • The National Rural Employment Guarantee Act (NREGA) scheme: which provides households in rural areas at least 100 days of guaranteed wage employment each year.
  • The Chandranna Bima Scheme, Govt. of Andhra Pradesh: which provides relief to families if a worker is disabled or killed.
  • Daily Online Payment Reports of NREGA, Govt. of Andhra Pradesh: which tracks progress and payments under the NREGA scheme.

But it’s not just the ID numbers that the report is worried about; it also claims that the leaks contain “personally identifiable information of beneficiaries or subjects of the leaked databases”, putting the estimated number of bank accounts leaked at around 100m.

I followed the report’s suggestion that people are highlighting the leakages of Aadhaar numbers on Twitter under the hashtag #AadhaarLeaks. I didn’t find many examples, though there was one from @rayshr.

The Unique Identification Authority of India (UIDAI), which issues the Aadhaar numbers, claims that there have been no leaks, according to The Times of India. The paper also quotes one official as saying something rather different:

While Aadhaar numbers are available, the biometric information is not … The leaked databases do not pose a real threat … because the Aadhaar number cannot be misused without biometrics.

It quotes another official as saying that the “Aadhaar number is not confidential just as bank account number which is mentioned in cheque books and shared with lot of people”.

With virtually the entire Indian population now enrolled in the Aadhaar program, and many day-to-day public and private services now entwined with it, it seems that, despite the official line, Aadhaar numbers are getting out into the public domain.

The question has to be whether the personally identifiable information that is being published alongside them is enough for fraudsters to steal someone’s identity. I haven’t yet seen any reports of fraud being committed on the back of a stolen Aadhaar number. Only time will tell.
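A first step towards answering that, for anyone auditing a portal of their own, is to find Aadhaar numbers in published data without drowning in every twelve-digit string. The following is an added example, not part of the CIS report or anything from UIDAI: it relies on the fact that an Aadhaar number is twelve digits whose last digit is a Verhoeff check digit, so candidates that fail the check (phone numbers, account numbers, reference IDs) drop out. The beneficiary-list text is constructed and the numbers in it are generated by the code itself; the rule that issued numbers never begin with 0 or 1 is UIDAI’s commonly stated format rule.

```python
"""Finding Aadhaar numbers in published data, with the Verhoeff check.

Added example, not from the CIS report or from UIDAI.  An Aadhaar number is
twelve digits whose final digit is a Verhoeff check digit, so a scanner for
leaked numbers can separate real candidates from other twelve-digit strings
instead of matching every digit run.  The sample page text is constructed
and its numbers are generated here; they belong to nobody.
"""
import re
from typing import List

# Verhoeff tables: _D multiplies in the dihedral group D5, _P permutes by
# position, _INV gives each element's inverse.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6],
    [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8],
    [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2],
    [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4],
    [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2],
    [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0],
    [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5],
    [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_check_digit(digits: str) -> str:
    """Check digit to append to a string of digits."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return str(_INV[c])


def verhoeff_valid(number: str) -> bool:
    """True if the last digit is the correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def looks_like_aadhaar(number: str) -> bool:
    # Twelve digits, not starting with 0 or 1 (UIDAI's stated format rule),
    # and a valid Verhoeff check digit.
    return (len(number) == 12 and number.isdigit()
            and number[0] not in "01" and verhoeff_valid(number))


# Digit runs, allowing the 4-4-4 grouping Aadhaar is usually printed in.
_CANDIDATE = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")


def scan_for_aadhaar(text: str) -> List[str]:
    """Each distinct Aadhaar-like number in text that passes the check."""
    found: List[str] = []
    for m in _CANDIDATE.finditer(text):
        number = "".join(m.groups())
        if looks_like_aadhaar(number) and number not in found:
            found.append(number)
    return found


# Constructed sample of a beneficiary-list page like those the report cites.
# VALID_SAMPLE is built by this code; INVALID_SAMPLE differs in its last digit,
# which Verhoeff always detects.  Account numbers start with 0 so they are
# rejected regardless of the check digit.
VALID_SAMPLE = "78901234567" + verhoeff_check_digit("78901234567")
INVALID_SAMPLE = VALID_SAMPLE[:-1] + str((int(VALID_SAMPLE[-1]) + 1) % 10)
SAMPLE_TEXT = f"""
Beneficiary   Aadhaar No.        Account No.     Amount
R. Example    {VALID_SAMPLE[:4]} {VALID_SAMPLE[4:8]} {VALID_SAMPLE[8:]}     012233445566    1200
S. Example    {INVALID_SAMPLE}       099887766554    1200
Helpline 1800 1234 5678 (toll free)
"""

if __name__ == "__main__":
    print(scan_for_aadhaar(SAMPLE_TEXT))
```

The check digit only tells you a string is well formed, not that it was issued to anyone; it cuts the false positives when sweeping large exports, which is what makes a finding like the report's 130 million figure checkable rather than a guess.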

While this new, controversial ID system beds itself in, the world will be watching closely to see where the cracks in security are, how fraudsters take advantage and how the government reacts to plug any holes. We’ll certainly be keeping a close eye on developments.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wybdx69ImjM/

BASIC turns 53 – find out just how cool that is!

The venerable BASIC programming language is 53 this week.

(If you reverse the decimal number 53, you get its hexadecimal equivalent 35 – and 53 is the only two-digit number with that property!)

Strictly speaking, BASIC already existed by the start of 1964, but it was on 01 May 1964 that Dartmouth College in New Hampshire, USA, made it available interactively via its timesharing terminals.

By “interactively”, we mean that you could sit down at a terminal, go into the BASIC environment and start programming as you went along, trying out commands one at a time, adding them into your program, running it, fixing bugs, running it again, tweaking it, saving it…

…and then coming back later on and picking up where you left off.

If you’re looking for quasi-religious moments in computer programming, this was a bit like rending the veil of the temple in twain.

Dartmouth BASIC, as it became known, was a huge step in breaking down the barrier between those who used computers and the white-coated clerics and acolytes who operated them behind glass screens and double-door airlocks.

The new language was called BASIC because it was meant to be easy to learn, easy to use, and effective.

Indeed, BASIC was even stretched out into a backronym to convey the message that this was computer programming for everyone, not just for a high priesthood: Beginners’ All-purpose Symbolic Instruction Code.

You no longer needed to learn an unforgivingly esoteric language like FORTRAN, or a verbosely Joyceian beast like COBOL, or a robotically blocky dialect of ALGOL.

You didn’t need to punch your program onto 80-column cards or paper tape and hand it in through a grille at the abbey gate, or to write it out by hand in pencil on coding sheets and put it in a pigeon hole where someone else would type it in for you.

You didn’t even have to come back later to find out whether your program had run properly, or run at all, or even compiled successfully in the first place.

This ritualistic batched mode of operation explains why early COBOL compilers would do crazily unsafe things like blindly ignoring catastrophic errors and ploughing on anyway – leaving you with a worrying cascade of build-time warnings like INCOMPLETE STATEMENT, PERIOD ASSUMED, or SYNTAX ERROR, STATEMENT OMITTED, or THIS WON'T WORK, BUT WHY STOP NOW? The hub of the programming wheel turned so slowly that it was worth seeing what your code would do anyway, even after you knew it was glaringly incorrect. As the compiler said, WHY STOP NOW?

Dartmouth BASIC let you program as you went along, and though early BASIC applications must be considered to be miles away from today’s so-called literate programming, they were much more readable than most other programming languages of the day.

For an applied mathematician, a statistician or any other scientist with data to make sense of, BASIC made it easy to get useful results without climbing a learning curve that was as steep as any cliff.

Here’s an example, adapted from a fiftieth-anniversary article about the Dartmouth BASIC phenomenon:

1000 PRINT "0.0       0.1       0.2       0.3       0.4"
1010 PRINT "-+---------+---------+---------+---------+-"
1020 FOR X = -2.25 TO 2.25 STEP 0.25
1030   LET Y = EXP(-(X*X/2)) / SQR(2*3.142)
1040   LET Y = INT(100*Y)
1050   PRINT " ";
1060   FOR Z = 1 TO Y
1070     PRINT " ";
1080   NEXT Z
1090   PRINT "*"
1100 NEXT X

Try to figure out what it does and how it works – the formula and the way we’d visualise it today are shown below.

In fact, you can see for yourself what it does by copying-and-pasting it into a suitable online BASIC emulator, such as the one we used at a website called Quite BASIC.

In case you are wondering, the first LET Y statement does the main normal distribution calculation for the various values of X, which peaks at just under 0.4 when X = 0.

The second LET therefore scales the Y value up to a maximum of 40 (100 x 0.4), and 40 spaces just happen to fit nicely across the width of the output window in the Quite BASIC emulator.

(40 columns was the usual screen width of early home computers, with lower-case letters a luxury offered only by the more expensive models.)

The nested FOR Z loop prints Y spaces (the trailing semicolon tells the PRINT inside the loop to stay on the same line) and the final PRINT statement positions a * as a graphical dot.

This may seem tame, or even feeble, by today’s standards, but stop to think how unbelievable this sort of simplicity and flexibility must have seemed more than half a century ago.

The idea that you could print a graph in moments to visualise an equation was amazing; the fact that you could interactively tweak parameters like the range of X on line 1020 or the scale of Y in 1040 and then try running the program again right away was all but revolutionary.

BASIC today

Sadly, BASIC was a product of its age, and was quickly usurped and trampled by all the upstart languages that came later – by the Modulas, the Oberons, the Erlangs, Haskells, Pascals, Perls, Pythons, Bashes, Rusts, Swifts and Clojures; by the Valas, the Scalas and the Befunges; by B, C, C++, D, F#, J, m4, R, S, T and, last but not least, Z (which is a notation, if the truth be told, but it’s a nice one to end on).

By the year 2000, BASIC was dead and buried, cast away into the dustbin of the last millennium along with shag-pile carpets, shoulder pads, mullets and Imperial weights and measures.

Hang on…

…that’s not right!

BASIC isn’t dead – not by a long shot: it’s alive and well, as a look at any Office document with macros in it will show you.

Word and Excel macros are written to this day in VBA, short for Visual Basic for Applications.

Although VBA looks very grown up compared to the stripped down syntax of 1960s-style Dartmouth BASIC, there’s no mistaking that it’s BASIC at heart.

Sadly, what’s good for the goose is good for the gander, and cybercrooks still love BASIC, too.

The first-ever ransomware, back in 1989, was the AIDS Information Trojan, written in Microsoft’s GWBASIC dialect; fast forward nearly 30 years, and we’re still seeing VBA used as a distribution vector for ransomware and other malware attacks today.

The more things change, the more they stay the same.


[*] If you use Quite BASIC, this should do the trick, old-school style:

10 FOR X = 10 TO 99
20   LET H = INT(X/10)
30   LET L = X - H*10
40   LET N = L*16 + H
50   IF X <> N THEN 90
60     LET R = L*10 + H
70     PRINT X + " IN DEC IS " + R + " IN HEX"
80     LET T = T + 1
90 NEXT X
100 PRINT "FOUND " + T + " OF THEM"
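The footnote program searches the two-digit numbers for those whose decimal digits, written backwards and read as hexadecimal, give the same number again (53 in decimal is 35 in hex). Here is the same search in Python, added here and not from the article: one function mirrors the BASIC lines 10 to 100 as they stand, and a second generalises the test to any number of digits, where it turns up longer solutions the two-digit loop cannot see.

```python
def basic_style_search() -> tuple[list[int], int]:
    """Line-for-line equivalent of the footnote's BASIC loop (lines 10-100):
    split X into tens digit H and units digit L, reassemble the digits
    backwards as a hex value N = L*16 + H, and keep X when X = N."""
    hits, count = [], 0
    for x in range(10, 100):          # 10 FOR X = 10 TO 99
        h = x // 10                   # 20 LET H = INT(X/10)
        units = x - h * 10            # 30 LET L = X - H*10
        n = units * 16 + h            # 40 LET N = L*16 + H
        if x != n:                    # 50 IF X <> N THEN 90
            continue
        hits.append(x)                # 70 PRINT ... (R = L*10 + H is the reversed digits)
        count += 1                    # 80 LET T = T + 1
    return hits, count                # 100 PRINT "FOUND " + T + " OF THEM"


def hex_reversals(lo: int, hi: int) -> list[int]:
    """Generalisation to any width: n qualifies when its hexadecimal digits are
    exactly its decimal digits reversed. Comparing the two digit strings also
    rejects candidates whose hex form contains a-f, since a decimal digit
    string can never spell those."""
    return [n for n in range(lo, hi + 1) if format(n, "x") == str(n)[::-1]]


def describe(n: int) -> str:
    # The message the BASIC program prints, e.g. "53 IN DEC IS 35 IN HEX".
    return f"{n} IN DEC IS {format(n, 'x')} IN HEX"


if __name__ == "__main__":
    hits, count = basic_style_search()
    for n in hits:
        print(describe(n))
    print(f"FOUND {count} OF THEM")
    # Widening the search past two digits finds 371 (0x173) and 5141 (0x1415).
    for n in hex_reversals(100, 9999):
        print(describe(n))
```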


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L8Ua39cbHTM/

News in brief: China steps up news oversight; Intel patches flaw; Zuck pledges better moderation

Your daily round-up of some of the other stories in the news

China cracks down on news publishers

Online media platforms can only be managed by Communist-party approved staff under China’s latest move to tighten its grip on news, and news publishers will need a government licence, the BBC reported on Wednesday.

The rules, announced by the Cyberspace Administration of China, come into effect on June 1 and are part of President Xi Jinping’s move to tighten up on media regulation, and follow the announcement that China would publish its own state-approved version of Wikipedia.

Workers on news publications will also have to undergo officially approved training as part of the crackdown, and the rules apply very widely – to reporting and opinion pieces about politics, economics, military or diplomatic matters on blogs, websites, forums, search engines and all platforms that share and edit news, said Reuters.

Intel patches vulnerability

Intel has patched a vulnerability, present in many of its processors since 2010, that could have allowed an attacker to take control of the devices running on vulnerable networks.

Intel says the vulnerability doesn’t affect consumer devices – it’s found in Intel’s AMT, ISM and Small Business Technology firmware versions 6.x through to 11.6.

An advisory from Intel includes the recommendation that if you’ve got an affected system, you should check with your system OEM for updated firmware.

Facebook to nearly double moderating team

Facebook is to hire 3,000 people around the world over the next year to review content in the wake of criticism after users had livestreamed incidents of rape and murder, its founder and chief executive Mark Zuckerberg pledged in a Facebook post on Wednesday.

The wave of hirings will nearly double Facebook’s 4,500-strong community operations team and the aim is to help Facebook respond more quickly to reports of hate speech and abusive behaviour.

Zuckerberg said: “We’ll keep working with local community groups and law enforcement who are in the best position to help someone if they need it – either because they’re about to harm themselves or because they’re in danger from someone else.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cFubUyMw0AY/

IP Freely? Mr IP Freely? VoIP-for-suits firm battens down hatches after PBX data breach

Over the weekend FreePBX and PBXact users were warned of a security breach that spilled SIP credentials, potentially opening the door for fraudsters to make phone calls at the expense of small businesses that rely on the technology.

Sangoma, the Canadian firm behind the tech, warned in an updated customer advisory that around a month ago users of its SIP trunking service, SIPStation, were targeted by a hacker who gained “access to some users’ randomly generated SIP credentials”. These credentials were reset and reissued as soon as the incident was discovered.

The firm, which has already updated its SIPStation platform and tightened up access restrictions, decided it also needs to notify its FreePBX and PBXact users as a precaution after discovering that a small percentage of its small office telephony users may have been exposed to toll fraud.

About a month ago we had one of our trunking servers attacked, resulting in an illegal hacker getting access to some users’ randomly generated SIP credentials. At the time of that incident, we promptly communicated via email to all of our SIPStation customers about the issue, and worked with them to obtain new SIP credentials. Our investigation into that attack resulted in a suite of new improvements to our platform as outlined in our SIPStation wiki, more specifically the section on notifications and access restrictions.

Through our investigation we were able to track where in our infrastructure the hacker obtained access. Although we have found no trace or evidence of them accessing our customer data, we have been notified of 14 systems that have been affected out of thousands of deployed systems. Based on this we have determined that it’s theoretically possible that these unlawful hackers could have gained access to some PBX data and left no trace. Given this possibility we are sending this update to our broader group of PBX users beyond just our SIPStation subscribers.

Sangoma uses an unaffected third party to handle customer payments, meaning it can assure customers that their payment details are still safe.

Frederic Dickey, VP of marketing and product management, confirmed that last weekend’s breach notice advisory was genuine. “A few clients out of hundreds of thousands, report[ed] to us that their PBX had been hacked, and Sangoma thus decided to be proactive with our customers,” he told El Reg.

SIPStation provides North American SMEs and enterprises with telephony services using a standard internet connection.

Dickey explained the potential impact of the hack against the service: “If a malicious party were to gain access to a customer’s SIP credentials, that party could be able to make calls using the customer’s account (sometimes referred to as toll fraud). To protect our customers, Sangoma notified our users promptly, worked with them to reset their SIP credentials (rendering any stolen SIP credentials invalid), made further changes to strengthen our security, and even refunded any SIPStation toll charges that occurred at the time (whether due to this incident or not, just to be safe).”

To further strengthen security for its PBX customers, Sangoma will no longer store SSH and Web GUI credentials for PBX systems in its portal. “This was previously available as a result of our customers asking for it, so that Sangoma could offer easier and more expedient responses to your requests for technical support, but the security implication to you is no longer worth the potential risk, in our judgment,” Sangoma said in its advisory.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/sangoma_freepbx_breach/