STE WILLIAMS

Hackers uncork experimental Linux-targeting malware

Hackers have unleashed a new malware strain that targets Linux-based systems.

The Linux/Shishiga malware uses four different protocols (SSH, Telnet, HTTP and BitTorrent) and Lua scripts for modularity, according to an analysis of the nasty by security researchers at ESET.

Shishiga relies on weak, default credentials in its attempts to plant itself on insecure systems through a brute-force attack, a common hacker tactic. A built-in password list allows the malware to try a variety of passwords to see if any let it in.
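As an added example that is not part of the article or ESET's analysis, the following Python flags the kind of SSH credential brute-forcing Shishiga relies on by looking for bursts of failed logins from a single source in sshd log lines; the sample log lines, addresses, thresholds and the year used for timestamps are all constructed assumptions.

```python
"""Added example (not ESET's or the article's code): detect SSH password
brute-forcing of the kind Shishiga performs, from constructed sshd log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not real data).
# 203.0.113.5 sprays default-style usernames, then one guess is accepted.
SAMPLE_LOG = """\
Apr 25 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40101 ssh2
Apr 25 10:00:02 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40102 ssh2
Apr 25 10:00:03 host sshd[103]: Failed password for invalid user pi from 203.0.113.5 port 40103 ssh2
Apr 25 10:00:04 host sshd[104]: Failed password for root from 203.0.113.5 port 40104 ssh2
Apr 25 10:00:05 host sshd[105]: Failed password for invalid user ubnt from 203.0.113.5 port 40105 ssh2
Apr 25 10:00:06 host sshd[106]: Accepted password for root from 203.0.113.5 port 40106 ssh2
Apr 25 10:05:00 host sshd[107]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Apr 25 10:07:30 host sshd[108]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2017):
    """Parse one sshd line into a dict, or return None for lines we do not handle.
    syslog timestamps carry no year, so the caller supplies one (assumed 2017)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: info} for sources with at least `threshold` failed logins
    inside any `window_seconds` span. `info` records the total failures, the
    distinct usernames tried (a spray of root/admin/pi/ubnt is typical of a
    default-credential list) and whether a login from the same source was
    accepted at or after the burst started, i.e. whether a guess got in."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["result"] == "Failed"), key=lambda e: e["ts"])
        start = 0
        # Sliding window over failure timestamps: advance `start` until the
        # window [start, end] fits inside window_seconds.
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = fails[start]["ts"]
                accepted = any(
                    e["result"] == "Accepted" and e["ts"] >= burst_start for e in evs
                )
                findings[ip] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    "accepted_after_burst": accepted,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A source that is flagged with `accepted_after_burst` set is the case to treat as a likely compromise rather than mere noise.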

The latest Linux-targeting nasty could still evolve and become more widespread, but the low number of victims, together with the constant addition, removal and modification of components, code comments and even debug information, clearly indicates that it is a work in progress, according to ESET.

Shishiga is similar to other recent nasties in abusing weak Telnet and SSH credentials, but the usage of the BitTorrent protocol and Lua modules separates it from the herd, according to ESET.

ESET advises that “to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/linux_malware/

Brit behind Titanium Stresser DDoS malware sent to chokey

A Hertfordshire man has been jailed for two years after netting nearly £400,000 from the malware he wrote as a 15-year-old student.

Adam Mudd, now 20, was sentenced to two years in a young offenders’ institute this afternoon. He had pleaded guilty to two charges under the Computer Misuse Act and one charge of concealing criminal property.

The Old Bailey heard how Mudd, of Toms Lane, Kings Langley, Hertfordshire, carried out 595 DDoS attacks against 181 IP addresses, including his own college, West Herts College, having written Titanium Stresser all those years ago.

He went on to rent the use of the malware to anyone who cared to pay for it. His prices, according to court reporters from the Central News Agency, ranged from $3 for up to 100 seconds per month to £309.99 for 30,000 seconds over five years, echoing popular as-a-service cloud pricing models.

Mudd had even offered free 60-second DDoS attacks in a “try before you buy” scheme.

In total, he was paid more than £386,000 – mostly in US dollars through Paypal but also including 249.81 Bitcoins – by people using Titanium Stresser. The autistic teenager went to huge lengths to evade Paypal’s attempts to shut him down, setting up no fewer than 328 separate accounts, each using fake details.

“The defendant also used sophisticated techniques to disguise the source of the funds he was receiving, including peer blocking and the use of other websites as payment gateways. Attempts were also made to block PayPal from accessing the sites,” said Crown prosecutor Jonathan Polnay QC.

It was keeping a log of the DDoS attacks that helped the police’s Eastern Region Special Operations Unit (ERSOU) Regional Cyber Crime Unit track Mudd down. He had a total of 112,298 registered users who carried out 1,738,828 attacks between them against 666,532 IP addresses. Jagex, the company behind MMORPG Runescape, reportedly spent £6m trying to fend off Titanium Stresser attacks. Mudd himself attacked the site 593 times.

As we noted when he pleaded guilty in November last year, Mudd’s work became the basis of the Lizard Stresser, as used by hacking crew Lizard Squad to take down Xbox Live and the Playstation networks during Christmas 2014.

Mudd initially claimed that he had created Titanium Stresser for stress testing Minecraft servers and that it had got out of hand. He later admitted its true purpose. Ben Cooper, his defence barrister, blamed his behaviour on the relentless bullying he had suffered at school as a result of his Asperger’s Syndrome.

“He was looking to form friendships in the community which he couldn’t do in real life, but he was very successful in doing it in the online community,” Cooper told the Old Bailey on Mudd’s behalf.

Mudd’s sentencing was delayed from the original December date to allow the defence to prepare reports into his autism – and for the prosecution to assess how much damage Titanium Stresser had done.

Judge Michael Topolski, QC, said in his sentencing remarks:

“It’s probably of little comfort to the victims of crime like this that the person responsible may not be motivated by money but by revenge, bravado, a wish to feel big, important or impressive.”

He added:

“I’m satisfied that, [not] withstanding the defendant’s condition, he knew full well he was committing serious crime and that in doing so he was taking a risk with his liberty.”

Detective Inspector Martin Peters of ERSOU’s Regional Cyber Crime Unit said in a statement issued when Mudd was originally found guilty: “Adam Mudd’s case is a regrettable one, because this young man clearly has a lot of skill, but he has been utilising that talent for personal gain at the expense of others.”

Under current British sentencing laws Mudd will spend one year behind bars and the second year of his sentence out on licence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/british_malware_author_2_years_jail_titanium_stresser/

4 Industries Account for Majority of Global Ransomware Attacks

When it comes to 77% of global ransomware attacks, these four industries take the greatest hit, according to a global threat trends report released today.

Ransomware is rapidly on the rise and four industry sectors are taking the largest hit, accounting for 77% of the action, according to NTT Security’s 2017 Global Threat Intelligence Report released today.

The business and professional services sector accounted for 28% of the ransomware attacks, followed by government at 19%, and healthcare and the retail sectors both coming in at 15%, the report noted.

Phishing was the most popular vehicle used to spread ransomware, and 73% of all malware attacks in general began with phishing messages sent to organizations. And when it comes to phishing attacks, the U.S. took the brunt of the abuse, capturing 41% of the nefarious action, while the Netherlands accounted for 38% and France a mere 5%.

NTT Security also found that only 25 passwords accounted for one-third of all authentication attempts made last year against the security firm’s honeypots.

Read more about the 2017 Global Threat Intelligence Report here.


Article source: http://www.darkreading.com/attacks-breaches/4-industries-account-for-majority-of-global-ransomware-attacks/d/d-id/1328712?_mc=RSS_DR_EDT

IT-OT Convergence: Coming to an Industrial Plant Near You

There’s been a big divide between IT and OT, but that must end. Here’s how to make them come together.

There has been a lot of talk recently about the convergence of information technology (IT) and operational technology (OT). Much of the discussion has centered on the opportunities for improving efficiency and availability by integrating the two environments. IT-OT convergence enables better monitoring of operational processes and analysis of data from complex industrial control systems from anywhere in the world. However, it also introduces new cybersecurity risks.

For most organizations, dealing with these new risks is a big challenge because of the need to overcome the longstanding divide between IT and OT teams. This is because these two environments have very different requirements, budgets, objectives, people, and technology. Delivering successful IT projects is nothing like delivering projects in the OT world. The two disciplines have their own equipment, requirements, goals, regulations, standards, project management teams, and so on.

The primary reasons for the deep divide between IT and OT teams are contrasting cultures and mindsets, different technologies, and a long history of a lack of collaboration.

Disparate Technologies: A Barrier to Convergence
IT people work on Windows, Unix, and Linux-based systems, virtual machines, and storage systems. They implement firewalls, network intrusion detection solutions, access controls, and endpoint security solutions. As such, they’re used to working in highly dynamic environments that change frequently with the introduction of newer solutions and technologies. Systems are constantly patched, upgraded, or replaced. And when doing so, it’s OK to restart a server.

In contrast, industrial control devices don’t run Windows, Unix, or Linux. Instead, they’re based on proprietary technologies designed by specialized OT manufacturers such as GE, Honeywell, Siemens, and Schneider Electric. These devices were designed to last for decades. This explains why industrial environments mostly use older technologies that are still operational and won’t be easily replaced. Many of these systems predate the Internet era.


The general mindset of OT staff is to maintain the stability and safety of the environment at all costs. As a result, industrial networks are much more static and changes are infrequent. Restarting a system isn’t always possible, and patching or upgrading is much more difficult and dangerous. Consequently, OT teams are often unwilling to download updates to firmware and software. If the plant is operating as intended, why threaten its stability with new software?

Clashing IT and OT Cultures
The cultures of IT and OT staff are vastly different. IT is responsible for maintaining and securing the data center. IT teams monitor and fix network issues, help users with their data availability and usability problems, and protect corporate assets and networks from cyberattacks. They are guided by the CIA triad: to protect data “Confidentiality, Integrity, and Availability.” They’re less familiar with the OT space, and often display little interest in knowing what their counterparts do to keep it safe and operational.

In contrast, OT engineers are trained to monitor and fix issues in highly complex and sensitive industrial plants such as oil refineries, chemical plants, and water utilities. Their top priorities are to maintain operational safety, reliability, and continuity. They don’t deal with IT or work with the IT staff, and certainly don’t want them to get involved in their operational issues.

Each group is concerned that the other side will wreak havoc in their environment. When there is a need to secure OT against cyberthreats, plant engineers worry that if IT team members get involved, they’ll compromise system safety and stability. Unsanctioned changes to these systems might cripple the plant, cause an explosion, or worse. These concerns are justified. After all, when it comes to OT, IT staff members are in uncharted waters.

At the same time, there’s also a concern that vulnerable OT networks will introduce new threats into IT networks, threatening corporate assets, data, and systems.

IT-OT Collaboration: The Key to Success
Neither OT team members nor IT team members are experts in defending OT systems against emerging cyberthreats. Because OT networks were previously disconnected from the external world, engineering staff never had to deal with such threats. Meanwhile, IT staff members who deal with cyberthreats on a daily basis don’t fully understand how these new threats will affect OT systems.  

Nevertheless, both sides must cooperate, because neither group can protect industrial systems singlehandedly. Given the divergent cultures, technologies, and objectives of IT and OT, the two groups must overcome a significant divide, including mutual suspicion.

To ensure IT and OT collaboration, business-level oversight and leadership is required. More and more organizations are taking senior, experienced engineers from OT business units, usually from under the COO, and moving them under the CIO hierarchy. This interdisciplinary model combines expertise and roles that straddle and unify both sides of the IT-OT fence.

Some organizations have taken this one step further. Instead of aligning IT roles under the CIO, they’re creating a new C-level role to facilitate this management strategy. For example, it’s not uncommon for organizations to have a chief digital officer, who helps bridge the gap between the CTO and COO.

The higher up the organizational ladder that IT-OT convergence decisions are being made, the better the chances for success in bridging the gap.


Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several …

Article source: http://www.darkreading.com/it-ot-convergence-coming-to-an-industrial-plant-near-you/a/d-id/1328670?_mc=RSS_DR_EDT

Apple threatened to oust Uber from App Store for ‘fingerprinting’ iPhones

Swarmed by bad press and unkind hashtags, has Uber finally gone too far?

If the allegations contained in a New York Times article hold water it might now be more a question of which annoyed parties will be first in the queue to answer in the affirmative.

Reportedly, Uber CEO Travis Kalanick visited Apple’s Infinite Loop HQ in early 2015 to be told off in person by Apple chief executive Tim Cook for “secretly identifying and tagging” iPhones that had installed the Uber app in an attempt to detect service fraud by the company’s drivers in China.

The tagging is described as “fingerprinting”, that is using the Uber app to plant something on the iPhone that couldn’t be erased, even potentially when the app was removed and the device refreshed to factory settings. Uber would always know it had encountered that iPhone before.

Problem one: Apple prohibits this behaviour, which is why Cook is said to have threatened to remove Uber from its app store. Problem two: Uber attempted to hide what it was doing from Apple by “geofencing”, that is, obscuring its app code from anyone studying it from within Apple’s Cupertino HQ.

Says the NYT story:

Mr Kalanick was shaken by Mr Cook’s scolding, according to a person who saw him after the meeting.

So much for Tim Cook and Apple’s ire. What about the privacy implications for iPhone users? And what about Android?

Terms like “fingerprinting” and “tracking” need careful qualification, because they are often used quite loosely. The former usually refers to ways of identifying a device, the latter to profiling a user.

Internet users are tracked in all sorts of ways, by advertisers, ISPs and app makers. However, companies are not supposed to relate this data to a real person without their explicit consent, without which it becomes a privacy concern.

On that score, Uber now says:

We absolutely do not track individual users or their location if they’ve deleted the app.

But it does still appear to track devices for anti-fraud purposes:

Being able to recognize known bad actors when they try to get back on to our network is an important security measure for both Uber and our users.

It’s not clear whether the way it does this is different than it was when Apple expressed its unhappiness in 2015. Nor does it enlighten us about Android devices, although if anti-fraud is the motivation, then not including Android would be illogical.

In a telling aside, the NYT story mentions a company called Unroll.me, a service for unsubscribing from mailing lists and newsletters. At some point, Uber started buying data from Unroll.me on how many customers of rival Lyft were ditching the app, culled from analysis of their inbox emails, something the company’s CEO now regrets.

While the data was anonymised, it reinforces the growing sense that when it comes to users, Silicon Valley knows few limits. Nobody was any the wiser about this – or Uber’s tagging of iPhones – until a newspaper wrote about it.

As usual, beyond the PR statements and the lawyerly T&Cs, the customers are the last to be told what is really happening on their expensive smartphones.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ujBCnK6w66E/

Trump’s promise on cybersecurity: what’s been happening?

As US President Donald Trump closes in on his 100th day in office, he faces plenty of scrutiny over things that didn’t get done in that all-important period of any new administration. One big criticism in the media last week was that he’d blown his self-imposed 90-day deadline to unveil a tough new cybersecurity plan for the federal government.

But it’s worth noting that things have in fact happened on the cybersecurity front. Last month, for example, Trump hired Robert Joyce as his White House cybersecurity coordinator. Meanwhile, work has continued behind the scenes on an executive order that could finally be signed by Friday.

Who is Robert Joyce?

Joyce once ran the National Security Agency’s hacking division and has received praise across the defense community, including from Michael Daniel, his Obama-era predecessor.

“He has long experience in the cyber realm, knows the interagency process very well, and has proven himself as a leader at NSA,” Daniel told FCW writer Sean Carberry in an interview last week.

Daniel also told FCW that Joyce is “well versed in both offensive and defensive cyber, having worked both in the NSA’s office of Tailored Access Operations as well as the former Information Assurance Directorate, which was focused on protecting US systems and networks from cyberthreats”.

Executive order might be signed on Friday

Some might remember that day in late January when Trump was expected to sign an executive order on cybersecurity, but canceled it and instead promised a comprehensive plan to improve security in the federal government’s IT infrastructure in 90 days.

Though the deadline passed without a plan, Joyce himself told attendees at Georgetown University’s International Conference on Cyber Engagement Monday that the executive order was just about ready to sign.

He said the president’s son-in-law, Jared Kushner, was working with White House tech policy aides Chris Liddell and Reed Cordish on “a major effort” to create “approaches for the president’s consideration to modernize federal IT systems, retire outdated systems and move to shared services”. Joyce told the audience:

We must make sure that innovation and cybersecurity are intertwined.

Asked by a member of the audience if those provisions would be in an executive order Trump is expected to sign this week or if it would be spliced into a separate EO down the road, Joyce replied: “A little bit of both.”

Modernization provision tossed out?

That question was likely based on multiple media reports that the cybersecurity executive order to be signed this week won’t include the bit about modernizing federal IT systems.

Politico cited “multiple people familiar with the White House’s plans” who said the order will no longer contain the section on modernizing federal IT systems. Specifically, Politico said, it will “kick off reviews of each federal agency’s digital defenses and direct agency heads to adopt specific cyber standards”.

The federal IT modernization part now falls to Kushner and his new Office of American Innovation.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3XRUB8Bixf4/

NSA techies launch data governance tool for future algorithm-slavery

Immuta, a data governance startup in Maryland run by former US National Security Agency technicians, has developed a method to govern how data is used by machine learning algorithms.

Dubbed “Projects,” the new addition to Immuta’s data governance platform embeds what the company considers “key GDPR [EU’s General Data Protection Regulation] concepts, such as purpose-based restrictions and audits on data,” which will allow data scientists to run complicated algorithms on data without breaching privacy laws.

After announcing the conclusion of its Series A funding round back in February, pulling in $8m, Immuta’s CEO Matthew Carroll has stressed that governance now requires data controllers to know “who is working on what and what the outcomes of that work are,” as well as needing to “automate complex reporting – which is critical for GDPR compliance – that documents which data sources have been used, for which purposes, and by whom.”

Citing work by Nicolas Papernot – a Google PhD Fellow in Security at Pennsylvania State University who has worked on privacy within machine learning, especially regarding preventing bias and achieving higher accuracy in the output of algorithms – Immuta noted that the governance issue with non-interpretable CNNs (convolutional neural networks) is that the CNNs are “arbitrarily making decisions in a hidden layer. We don’t know how it weights certain values.”

Speaking to The Register back in March, University College London’s Dr Hannah Fry warned we needed to be wary of algorithms behind closed doors. The issue, she noted, is that without access to seeing how such algorithms function, “you can’t argue against them” when they provide dodgy results.

“If their assumptions and biases aren’t made open to scrutiny then you’re putting a system in the hands of a few programmers who have no accountability for the decisions that they’re making,” Fry said.

In Immuta’s words, it is the lack of interpretability within these algorithms that increases the risk that data controllers face, as they are not able to audit what data was used and how.

“We can always go back into an application or business intelligence tool if we’ve made a mistake,” Carroll told The Register. “We can call the database administrator, we can admit we’ve screwed up, it’s fixable – because it’s interpretable. The problem is that goes away with machine learning.”

Once the data is inside the black box, data controllers would have to shut down their algorithm and retrain the whole model, with significant revenue impacts. Governance “was always the data,” said Carroll, “but no longer. Now it’s the model and how you’re trying to use it that’s equally as important as the data.”

Projects attempts to deal with these issues by forcing data controllers to think about “purpose-based” deployments of their data analysis and machine learning models. The idea is that, despite the differing data science platforms, users can tie data sources and scripts to a specific project and assign purpose to a project. Carroll says:

For example, say I can see A, B, and C rules on data. I may be using it for very different projects. How does it change? When data scientists are running queries and scripts we will know why, know intent. This is a whole new concept: tying code, data, and users together.

We’ve made it very simple through the UI to add data sources and scripts. Projects is embedded into our platform, made incredibly easy for any tool to leverage our governance layer.

Projects helps you understand INTENT first. You might choose to train a machine learning model that is 6 per cent less accurate than another but far more interpretable. That way if you do have an issue, you have a much better chance of being able to fix it quickly.

You can’t just go in and fix a model and everything updates. You need to make highly strategic decisions from the outset. The more precise you can be up front the higher your success rate.

“We’re particularly excited about Projects because it opens the door to purpose-based restrictions on data, which has never been done before,” said Andrew Burt, Immuta’s chief privacy officer and legal engineer, who formerly served in the FBI as special advisor for policy to the assistant director of the Fed’s cyber division.

“Many laws and regulations only allow certain data to be used for certain purposes. When dealing with complex machine learning projects that traverse multiple data sets, it’s incredibly inefficient – and borderline untenable – to rely on case-by-case determinations from compliance departments. What companies really need are automated purpose-based controls on each and every data set.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/immuta_data_governance_tool/

HipChat SlipChat lets hackers RipChat

IRC-for-biz HipChat says a vulnerability in a software library used by its HipChat.com service allowed hackers to access private conversations and customer account information.

The ytalk-for-suits maker said on Monday an attacker was able to infiltrate a single server powering its cloud-hosted chat service, and, in the process, extracted account records – consisting of names, email addresses, and hashed passwords – and a number of chat logs and message exchanges.

The Atlassian-owned company wouldn’t say how it hashed its passwords, but has reset all of them just in case. The corp said it will notify all exposed users by email.

“As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their passwords,” said HipChat chief security officer Ganesh Krishnan.

“If you are a user of HipChat.com and do not receive an email from our Security Team with these instructions, we have found no evidence that you are affected by this incident.”

While HipChat did not say exactly which programming blunder the attackers exploited to get into the HipChat cloud server, it did say “the incident involved a vulnerability in a popular third-party library used by HipChat.com.”

“While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack,” said Krishnan. “We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel.”

Last month, there was one third-party library used by Atlassian products in particular that received a major security fix: Struts 2, which was patched to erase a remote-code execution vulnerability that was being exploited in the wild. Atlassian rated the flaw as “critical,” and the bug was present in HipChat Server, the software you install to run your own HipChat service. Perhaps one of HipChat’s cloud boxes running HipChat Server was pwned by miscreants exploiting Struts 2? We think so.

Krishnan reckoned “less than 0.05 per cent” of HipChat.com “messages and content in [chat] rooms may have been accessed,” and that his team has found “no evidence of unauthorized access to financial and/or credit card information.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/hipchat_users_exposed/

Car hacking’s dynamic duo offers to save others $1m in research

Two famed car hackers claim they can save fellow tinkerers and security researchers a lot of time and money – by handing over their tools and blueprints for free. The pair boast the gear is worth over a million bucks.

Charlie Miller and Chris Valasek were both hackers of renown before they started working together to see if the hardware and software in modern vehicles could be easily compromised. (In short: Yes.) In 2013, the pair demonstrated their skills at the DEFCON security conference, and followed up with talks in following years.

The duo eventually found a way to gain remote access to a Jeep and crashed it off the road. That incident in 2015 sparked a 1.4 million vehicle recall by Chrysler, which cost the car biz some serious coinage.

The research papers the pair have written up over the years, plus all their collected knowhow, documentation and software tools, are now online for all to download, read, use, and build upon. They should be interesting for those who might want to tweak their car’s controller area network (CAN) and other systems.

The files were uploaded earlier this year, although many missed that they were available – until Valasek’s tweet over the weekend.

As those who go through the archive and attended the talks will know, hacking a car may be complex, but protecting against hackers is actually relatively simple. Back in 2014 Miller and Valasek demonstrated the Can-no-hackalator 3000, a simple intrusion-detection system that could, allegedly, defeat most hacks. Then there’s the old trick of simply physically cutting off the CAN bus from the outside world.

The fact of the matter is that the car companies just didn’t take vehicle hacking seriously. Miller told your humble Reg hack that he has since been thanked by programmers at automakers for enabling them to get the budgets to do some serious penetration testing.

This is also probably going to be the last published research by the pair. Their Black Hat presentations ended last year with a final show on how to defeat the patch Chrysler had put out for their previous talk. The duo said that this would be their last such public foray into the field.

The reason is that they were both hired by car-hailing bad boy Uber last year to harden up its in-car systems, and the firm wasn’t keen for them to talk about their work. Since then Miller has joined the exodus of senior staff from the troubled taxi-wannabes and has been concentrating more on his forthcoming appearance on the NBC game show American Ninja Warrior. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/25/car_hacking_research/

LinkedIn app’s oversharing via Bluetooth sparks alarm

Geez, LinkedIn, you are one pushy app! If you’re not spamming users’ contacts (and getting sued for it), you’re pawing our Bluetooth – even after we thought you’d gone home for the night!

News of LinkedIn’s latest market-the-beejezus-out-of-us stunt came on Thursday, when security researcher Rik Ferguson spotted a proclamation from LinkedIn about wanting to make data available to nearby Bluetooth devices, “even when you’re not using the app”.

Ferguson tweeted a screenshot of the mobile app change notification, accompanying it with a “You want to do WHAT?!” message:

Ferguson said that the pop-up sprang up following an update that billed itself as only offering “general bug fixes and performance improvements”.

According to people who responded to his thread, both iOS and Android users were replicating the message. That’s in spite of LinkedIn’s claim, in a statement sent to the Register, that the prompt was sent out in error to just a handful of iOS users:

In order to help our members more easily connect with one another, we’re exploring an opt-in “find nearby” feature that will help them find other members nearby.

This will be an opt-in experience and members will have control of when their location is used for this feature. A prompt to enable Bluetooth on our iOS mobile app went out in error to a small group of LinkedIn members. We are working on a fix immediately and we apologise for any confusion.

A small group, eh? An “error”, you say? Ferguson said that that fish didn’t smell quite right:

Plenty of people on Twitter were able to replicate and I replicated it on three phones all running 9.1.25 of the app. … as if by magic, it looks like 9.1.26 came out this morning.

Should we care that LinkedIn, which did say it was working on a fix for the issue, wants to let us see other Linkees nearby? It is, after all, opt-in. The business networking app says it’s all about getting in more elbow rubbing when we’re at a conference, for example, or out getting some grub at the pub.

Opt-in or no, we’re always a bit leery of always-on Bluetooth, or near-field communication (NFC), for that matter. They’re great for connectivity, enabling us to use accessories such as wireless keyboards and headsets, or to make payments with a wave of our smartphones.

But it does open a door to your device and to your data, so we recommend either switching such features off or putting your device into “not discoverable” mode whenever possible.

Also, be careful when pairing: never accept requests from unknown devices.

You might want to check out our 10 tips to secure your smartphone, or our practical advice for handling smartphones in the workplace.

Oh, and LinkedIn? It’s great that you mea-culpa’ed your ham-handed “I will schmooze via Bluetooth even when I’m not running” message. After all, some of us were interpreting that message in a very UnLinkMe way:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CEmOBVv2Q18/