STE WILLIAMS

Irish! data! police! are! preparing! to! whack! Yahoo! over! that! hack!

Yahoo! is set to get a spanking under European Union data protection laws for the biggest of the many megabreaches it copped to last year.

The Irish data protection commissioner has stated that a probe by the office into Yahoo!’s megabreach of 2014 – the one in which more than a billion user accounts were affected – has almost concluded; and when it does it will recognise the European unit’s culpability for the incident, and as such will be applying “remedial action”, likely to be a monetary penalty.

According to Bloomberg, which interviewed the Irish DPC herself, Helen Dixon, Yahoo! said it “has been co-operating with the Commissioner’s Office on its investigation and will closely review the findings when available”.

Dixon said her office was “of the view that [the breach] could have been detected sooner and the risks mitigated sooner” before adding that the probe was “at the point of concluding” and the office will “impose remedial action where the findings need us to do that”.

Of course, whatever those findings are, from May next year the pain that comes with that remedial action could be much more severe. Under the EU’s new General Data Protection Regulations, companies found in breach of European privacy laws could face fines as significant as 4 per cent of their global annual turnover.

For companies like Facebook and Apple, this will mean dealing with Dixon, whose Irish office is the European lead on their compliance with EU data regulations.

Dixon was also quoted as stating that she wouldn’t be shy of making full use of the new GDPR sanctions. “Clearly, talking about fines of 20 million or 4 per cent of global turnover, we could anticipate they’re not going to be everyday type fines,” she told Bloomberg. “But there are going to be cases where there simply are mass-scale breaches that have significant effects on millions of users. The only way to start driving a better compliance culture is to have those types of enforcement tools in our toolkit.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/13/irish_data_protection_commissioner_yahoo_report/

Free health apps laugh in the face of privacy, sell your wheezing data

Free health tracker apps pose a severe privacy risk, security researchers warn.

Developers frequently neglect data protection and, worse, intentionally lure in users with free health gimmicks in order to monetise their data. Other sharp practices uncovered by the researchers include unsecured data transmission and ad tracking.

Experts at the AV-TEST Institute discovered that more than 80 per cent of 60 tested apps lacked a proper privacy policy despite handling unusually sensitive data.

Thousands of health and fitness tracker apps for Android smartphones have been created. Some help users organise and log their exercise regime by counting kilometres run or walked, calories ingested or pulse rate. Others remind patients to take their medicine on time or record high blood pressure alongside various more medical functions.

Apps can motivate users to get more exercise, eat healthier, record and interpret their own body and vital signs, and optimise their own behaviour accordingly. The downside is that the data collected by the apps can be used by advertisers, health insurance providers and other companies.

The 60 apps evaluated by AV-TEST cover a cross section of the eHealth apps offered free of charge in the Google Play store. They included Android programs for diagnosing diseases, search apps for medical information, pharmacies and physicians, and fitness trackers such as apps that monitor vital signs.

eHealth app permissions stray beyond core functionality [Source: AV-TEST blog post screenshot]

In addition to access to the user and device data, many apps also demanded access to photos and other data stored on mobile devices. GPS data as well as device IDs and call information were not infrequently requested, 12 apps demanded direct access to the camera, seven wanted to freely use the microphone, and three even required full telephony functions of the smartphones. Much of the slurped data was irrelevant to the core function of the app, AV-TEST reports.
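One way to put the AV-TEST finding into practice is to check an app's manifest against the permissions its core function actually needs. The script below is an added example, not code from AV-TEST or The Register: the manifest, the per-category "core" permission sets and the app categories are constructed for illustration, while the permission strings themselves are real Android permission names. It groups any permission beyond the core set by the kind of data it unlocks (camera, microphone, location, telephony, storage), mirroring the categories the article lists.

```python
"""Audit an Android manifest's permission requests against an app's core function.

Added example, not from the AV-TEST study or The Register. The manifest and
the per-category "core" permission sets are constructed for illustration;
the permission names are real Android permission strings.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What a given kind of eHealth app plausibly needs (constructed policy).
CORE_PERMISSIONS = {
    "step_counter": {
        "android.permission.INTERNET",
        "android.permission.ACTIVITY_RECOGNITION",
    },
    "medication_reminder": {
        "android.permission.INTERNET",
        "android.permission.RECEIVE_BOOT_COMPLETED",
    },
}

# Permissions that deserve a human look when they fall outside the core set,
# grouped by the kind of data they unlock (the categories the article names).
SENSITIVE = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "telephony": {"android.permission.CALL_PHONE",
                  "android.permission.READ_PHONE_STATE",
                  "android.permission.READ_CALL_LOG"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name="..."/> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit(manifest_xml: str, app_kind: str) -> dict:
    """Return the permissions beyond the app kind's core set, and which of
    those touch sensitive data: {"extra": set, "sensitive": {category: set}}."""
    requested = requested_permissions(manifest_xml)
    extra = requested - CORE_PERMISSIONS[app_kind]
    sensitive = {cat: extra & perms for cat, perms in SENSITIVE.items()
                 if extra & perms}
    return {"extra": extra, "sensitive": sensitive}


# Constructed manifest for a step counter that asks for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.stepcounter">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Step Counter"/>
</manifest>"""


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "step_counter")
    for category, perms in sorted(report["sensitive"].items()):
        print(f"{category}: {', '.join(sorted(perms))}")
```

On a real APK the manifest is binary XML; `aapt dump permissions app.apk` lists the requested permissions directly and its output can be fed into the same comparison. The point of the check is the gap between what the app does and what it asks for, so the core sets have to be written per app category rather than copied from a generic list.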

More details on the research can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/13/ehealth_app_privacy_concerns/

Callisto Group snoopers wreak havoc with leaked HackingTeam spyware

Leaked HackingTeam spyware was used by a cyber-spy group to collect intelligence.

The Callisto Group cyber-spies collected intel on foreign and security policy in eastern Europe and the south Caucasus using spyware developed for law enforcement agencies, according to F-Secure Labs. The group – which remains active – has targeted military personnel, government officials, journalists and think tanks since at least 2015.

An investigation [PDF] published by F-Secure on Thursday reports that the Callisto Group’s infrastructure has links with entities in Russia, Ukraine and China. F-Secure is not saying who is behind the Callisto Group other than to suggest the sponsor is probably a nation state.

“They act like nation-state attackers, but there’s also evidence linking them with infrastructure used by criminals,” said F-Secure’s security advisor Sean Sullivan. “So they could be an independent group that’s been contracted by a government to do this work, or possibly doing it on their own with the intent of selling the information to a government or intelligence agency.”

The Callisto Group’s tradecraft typically relies on highly targeted phishing attacks and malware. The malware used by the group is a variant of the Scout tool developed by Italian surveillance firm HackingTeam.

The Scout tool was part of a spyware toolset HackingTeam sold to government agencies that was stolen and leaked online two years ago.

F-Secure’s chief information security officer Erka Koivunen said the snoopers’ use of spyware designed for law enforcement illustrates the dangers of surveillance technologies.

“This should remind governments that we don’t have monopolies on these technologies, and that mercenaries, hostile nation states, and other threats won’t hesitate to use these surveillance powers against us,” Koivunen said.

F-Secure’s report provides indicators of compromise and mitigation strategies for any potential targets concerned about the Callisto Group or other threat actors (i.e. cyber-spies) that take to using similar tactics. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/13/apt_crew_abuses_leaked_hackingteam_spyware/

Cerber surpasses Locky to become dominant ransomware menace

Cerber eclipsed Locky as the most common ransomware pathogen doing the rounds in the first three months of 2017.

Cerber’s control of the cybercrime market rose from 70 per cent market share in January to 87 per cent in March, according to the latest cybercrime tactics report by Malwarebytes Lab.

The success of Cerber is down to its features (robust encryption, offline encryption etc) combined with the adoption of a Ransomware-as-a-Service business model, whereby the ransomware can be modified or leased. “It’s also very easy for non-technical criminals to get their hands on a customised version of the ransomware,” Malwarebytes reports.

Malwarebytes’ findings follow reports from Microsoft that Cerber was topping its Windows 10 ransomware chart.

By contrast, the Locky ransomware (last year’s number one) has dropped off the map, likely due to a switch in tactics by the cybercrooks behind the Necurs spam botnet. No new versions of Locky have appeared throughout the year to date, Malwarebytes reports.

Looking beyond Windows, the Mac threat landscape saw a surge of new malware and backdoors in Q1 2017, including a new ransomware (FindZip). Elsewhere two Android nasties – HiddenAds.lck, which locks the device and prevents the removal of an ad slinging nuisance, and Jisut, a mobile ransomware family – have been causing all sorts of problems, according to Malwarebytes.

The cybersecurity firm has built up a solid reputation for exposing the operations of tech support scammers. This form of fraud normally starts with a pop-up ad or phone call claiming that a prospective mark’s machine is infected or underperforming. Once victims respond, the scammers use a variety of social engineering tricks to coax victims into installing ineffective crudware or subscribing to worthless (or often damaging) services.

Tech support scammers, finding difficulty working with North American payment processors, have begun accepting alternate forms of payment, such as Apple gift cards and Bitcoin, it reports. Some scammer groups have started to scam each other. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/13/ransomware_trends/

New Breed of DDoS Attack On the Rise

Akamai Networks since October has detected and mitigated at least 50 DDoS attacks using Connectionless LDAP.

Over the years, threat actors have abused a variety of services including DNS, SNMP, and NTP to enable and amplify distributed denial-of-service (DDoS) attacks against their targets.

A new method that appears to be gaining favor among attackers involves the abuse of Connectionless LDAP, a version of the Lightweight Directory Access Protocol that many organizations rely on for directory services such as accessing usernames and passwords from Microsoft’s Windows Active Directory.

In an advisory Wednesday, content delivery network and cloud services provider Akamai Networks reported encountering and mitigating at least 50 CLDAP reflection-attacks against its customers since last October.

About 33% of those were single-vector attacks, meaning they relied solely on CLDAP reflection to try and disrupt or knock their targets offline.

What makes the new technique dangerous is the extent of the amplification that can be achieved by abusing Internet-exposed CLDAP services, says Jose Arteaga, a member of Akamai’s security intelligence response team.

“CLDAP reflection works in the same way as any other UDP-based reflection attack,” Arteaga says. “[But] the amplification of the response is impressive compared to most other vectors,” he says. On average, Akamai observed CLDAP-enabled DDoS attacks achieving amplifications of over 56%.

The largest attack using CLDAP as the sole vector that Akamai has mitigated so far had a peak bandwidth of 24 Gigabits per second, or about two million packets per second. “These attacks are averaging around 3 gigabits per second—a pretty impressive number considering the limited number of available reflectors,” Arteaga says.

“It’s enough to bring smaller sites offline and potentially cause latency issues on others.”

CLDAP uses the User Datagram Protocol (UDP) instead of the Transmission Control Protocol (TCP) for communication. UDP does not validate source IP addresses, thereby making application-layer protocols that rely on it—such as CLDAP—good vectors for launching DDoS attacks.

A UDP reflection and amplification attack is one where an attacker sends specially crafted packets that appear to originate from their intended target’s IP address, to numerous UDP servers that are exposed on the Internet. Responses from the UDP servers are sent to the victim’s IP address creating denial of service conditions. By sending certain requests, attackers can get the UDP servers to respond with packets that are multiple times the size of the original packet, thereby amplifying the volume of the DDoS traffic. The attacks that Akamai observed had amplification factors of over 50% on average.
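From the target's side, the mechanics just described have a recognisable signature: the victim never sent any LDAP queries, yet it receives large UDP datagrams sourced from port 389 at many unrelated hosts at once. The script below is an added example, not code from the Dark Reading article, Akamai or Corero; it runs that check over constructed flow records (the record format, the sample records and the assumed size of the spoofed query are all assumptions made for the example, not measured values). It groups inbound UDP/389-sourced flows by destination, estimates the amplification from the mean response size, and flags a target once several distinct reflectors are involved.

```python
"""Flag probable CLDAP reflection traffic in flow records.

Added example, not code from the Dark Reading article, Akamai or Corero.
The flow-record format and the sample records are constructed for the
example; the assumed request size is an assumption, not a measured value.
"""
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389            # UDP/389, the port the article says is left exposed
ASSUMED_REQUEST_BYTES = 52  # assumed size of the spoofed query (not from the article)
MIN_AMPLIFICATION = 10.0    # flag when responses are >= 10x the assumed request
MIN_REFLECTORS = 3          # flag when >= 3 distinct reflectors hit one target


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'SRC:PORT -> DST:PORT PROTO PACKETS BYTES' record (constructed format)."""
    src, arrow, dst, proto, packets, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"bad flow record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                proto.upper(), int(packets), int(nbytes))


def find_cldap_reflection(flows):
    """Return {target_ip: summary} for targets receiving reflected CLDAP traffic.

    In a reflection attack the target never sent the queries, so all it sees
    is inbound UDP traffic *from* port 389 at many unrelated hosts.  A target
    is flagged when at least MIN_REFLECTORS distinct reflectors send it
    responses whose mean size is MIN_AMPLIFICATION times the assumed query.
    """
    inbound = defaultdict(list)
    for f in flows:
        if f.proto == "UDP" and f.src_port == CLDAP_PORT:
            inbound[f.dst_ip].append(f)

    findings = {}
    for target, fl in inbound.items():
        reflectors = {f.src_ip for f in fl}
        packets = sum(f.packets for f in fl)
        nbytes = sum(f.nbytes for f in fl)
        mean_response = nbytes / packets if packets else 0.0
        amplification = mean_response / ASSUMED_REQUEST_BYTES
        if len(reflectors) >= MIN_REFLECTORS and amplification >= MIN_AMPLIFICATION:
            findings[target] = {
                "reflectors": sorted(reflectors),
                "packets": packets,
                "bytes": nbytes,
                "amplification": round(amplification, 1),
            }
    return findings


# Constructed sample records: three reflectors flooding 203.0.113.10, one
# small CLDAP reply to another host, and an ordinary outbound DNS query.
SAMPLE_FLOWS = [
    "198.51.100.7:389 -> 203.0.113.10:80 UDP 1000 3200000",
    "192.0.2.9:389 -> 203.0.113.10:80 UDP 800 2400000",
    "198.51.100.33:389 -> 203.0.113.10:80 UDP 500 1600000",
    "192.0.2.9:389 -> 203.0.113.20:56001 UDP 2 120",
    "203.0.113.10:51000 -> 192.0.2.53:53 UDP 3 200",
]


def analyse(lines=SAMPLE_FLOWS):
    """Parse the records and run the reflection check over them."""
    return find_cldap_reflection(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for target, info in analyse().items():
        print(f"{target}: {len(info['reflectors'])} reflectors, "
              f"~{info['amplification']}x amplification, {info['bytes']} bytes")
```

The same grouping works for any UDP reflection vector by changing the port constant. On the reflector side the fix is the one Arteaga gives: if a host has no reason to answer CLDAP from the Internet, block inbound UDP/389 at the edge rather than relying on the directory service to ignore strangers.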

Corero Network Security was among the first vendors to warn of the new attack vector when it reported encountering CLDAP-enabled amplification attacks against a small number of its customers last October. At the time, the company had reported seeing an average amplification factor of 46 and a peak of 55.

Such amplification attacks are possible because of the many open CLDAP services on the Internet that respond to queries for spoofed IP addresses, the company had noted in an advisory at the time.

The Shadowserver Foundation’s Open LDAP Scanning Project currently lists 73,380 distinct IP addresses around the world belonging to devices running CLDAP that are openly accessible over the Internet via port 389. Over 16,700 of those devices are based in the US.

Other countries with a relatively large number of exposed CLDAP services include Brazil, with 5,411; France, with 3,459; and the United Kingdom, with 3,354.

Each of these devices has the potential of being used in an amplification attack. The Shadowserver Foundation’s goal in identifying them is to try and alert their network owners about the issue.

“The discovered hosts are not filtering port 389,” Arteaga says. “In other words, these hosts have port 389 open and listening.”

Unlike DNS or NTP, there is likely little reason to expose CLDAP over the Internet, Arteaga says. “We aren’t sure this is a common or best practice approach,” he says.

The key takeaway for enterprises is to make sure they don’t contribute to the problem themselves. CLDAP is in fact the thirteenth protocol that Akamai has discovered being used as a DDoS amplification vector due to organizations not securing the protocols, Arteaga says.

“Have a clear understanding of services that are UDP-based and exposed over the Internet and weigh out the pros and cons of having those,” he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/new-breed-of-ddos-attack-on-the-rise/d/d-id/1328620?_mc=RSS_DR_EDT

Hackers May Have DDoS’ed Brexit Vote Site: Report

British MPs suggest cyberattackers may have used DDoS attacks to bring site down before EU referendum.

A report by a UK parliamentary Public Administration Committee on Lessons learned from the EU Referendum says foreign cyberattackers may be responsible for the Brexit voter registration website crash on June 7, 2016, BBC News reports. The committee said the crash “may have been caused by a DDoS (distributed denial of service attack) using botnets” but adds this conclusion is from “circumstantial” evidence only.

This theory is not supported by the Cabinet Office whose report cites “a spike in users” as the reason behind the freeze just before the EU referendum.

“There is no evidence to suggest malign intervention. We conducted a full review into the outage and have applied the lessons learned,” the Cabinet Office report said.

Cybersecurity experts are skeptical, too, and one suggested checking traffic reports prior to the crash to ascertain whether a botnet was involved.

The panel has asked for a new Cyber Security Center to monitor future incidents, noting that Russia and China use cyber to influence public opinion.

Read details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/hackers-may-have-ddosed-brexit-vote-site-report/d/d-id/1328621?_mc=RSS_DR_EDT

Fifth Person Pleads Guilty in $5 Million ID Theft Case

A total of five Eastern Europeans were arrested for conspiracy involving cyberattacks and fraudulent purchases.

A Russian national has been arrested in connection with a payment card fraud scheme between 2014 and 2016 that led to $5 million in losses to businesses including an airline and two healthcare administrators. The fifth person to be arrested in the case, Irina Fedoseeva, was allegedly responsible for cheating victims out of $225,000 through illegal use of their payment cards, the US Department of Justice (DoJ) said.

Fedoseeva is the fifth suspect to have pleaded guilty to the conspiracy, which involved illegal access to payment card data through a series of cyberattacks with help from computer hackers believed to be based in Russia. The stolen information was used by the defendants to make purchases from stores, cash withdrawals and purchase money orders.

At their arrests, the defendants were allegedly found to be in possession of over 1,000 payment cards in others’ names.

Click on DoJ release for details.

Article source: http://www.darkreading.com/attacks-breaches/fifth-person-pleads-guilty-in-$5-million-id-theft-case/d/d-id/1328622?_mc=RSS_DR_EDT

So You Want to Be a Security Rock Star?

While the thrill of crafting attention-grabbing stunt hacks may seem like the coolest job on earth, what our industry needs more of are strong defenders who can fix things as well as break them.

In a time when the computer security industry is over a million people short of full employment, we need to be encouraging everyone who is interested in protecting our data to get into the game. You could argue that the best way to do this is to make the job sound like it’s super cool; that it’s all about moving fast, breaking stuff, and going to wild parties. But in the end, this tactic may be a self-defeating one.

When I think about the possibility of being a rock star, one of the defining features is the rarity of success. There wouldn’t be shows like American Idol or The Voice if everyone who put a serious effort into being a rock star became one!

Long Odds vs. Steady Gig
Out of all the children learning to play guitar right now, how many will be a household name some day? If they keep at it until adulthood, the odds of them eventually becoming well known as a musician are probably somewhat greater than that of being killed by a crocodile, but less than the odds of being killed by a venomous spider. Out of all the kids learning to code right now, the odds of them earning a living in technology are probably quite close to 100% if they keep at it until adulthood.

Security people are not and should never be a rarity, and not all are extroverts who even want to be shining stars. It seems to me that a better-than-average number of people who have a career in security are somewhat introverted; those who favor a cozy cube outnumber those who seek the spotlight. Infosec jobs offer very good odds of finding a solid, and fairly stable career path that pays a living wage for you to learn for a living.

Humble vs. Inflated Ego
Most people who work in this industry for long enough will have the unfortunate experience of working with someone who chose this career with the hope of being a shining star within the halls of padded, grey cubicles. Pejoratively, this person is usually called a “cowboy” (or at least that’s the G-rated version). And where you find cowboys, you’ll usually find other people who end up with the unfortunate task of cleaning up after them.

The cowboy may get stuff done – and quickly – by shooting first and asking questions later, but it’s usually by running roughshod over established protocols and procedures. While this habit may win them approval from higher-ups within the organizational food chain, working alongside them is usually described as painful, at best.

In practice, effective security people tend to be the ones who are able to build consensus with other groups, as well as with the people who are in charge of assigning budgets. They don’t seek glory and ego-inflation as much as they seek to help other people do their jobs effectively, in a secure way.

Breaking Stuff vs. Fixing Stuff
There are people in security circles who are famous (or perhaps “infamous” is a more apt term) for breaking other people’s products. While attention-grabbing stunt hacks may be a necessary evil in some cases, most of what we have a dearth of is defenders who can help fix security problems. Strategically correcting errors made by other people is decidedly less sexy than smashing things, but provides more security in the long run by helping people make safer choices. And helping others brings its own kind of satisfaction.

I’m sure we can all think of a job title or two where the pay is low, the hours are long, and the conditions are challenging, yet there is a crowd of skilled people in line for every vacant position. Most, if not all, of those jobs are ones in which people are able to make a positive difference in the lives of others. Security is also an industry where we can use our skills to affect others positively. It’s not just about breaking things for fun and profit, or about free booze and partying, though it can certainly include those items. A career in security can also be a stable and rewarding pursuit; financially, intellectually and emotionally.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all …

Article source: http://www.darkreading.com/careers-and-people/so-you-want-to-be-a-security-rock-star-/a/d-id/1328618?_mc=RSS_DR_EDT

Half-baked security: Hackers can hijack your smart Aga oven ‘with a text message’

Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned.

All the hijackers need is the phone numbers of the appliances, apparently.

The vulnerable iTotal Control models of the upmarket cookers contain a SIM card and radio tech that connects to cellphone networks. This allows the Brit-built roasters to receive texted commands: these messages can be sent directly to appliances from phones, or via an app or Aga’s website, from anywhere in the world.

This means you can order your fancy baking oven to heat up well before you leave work, for instance. According to UK IT security consultants Pen Test Partners (PTP), this feature can be hijacked by villains to meddle with the slow cookers without the owners’ permission.

The iTotal Control ovens pick up messages using a Tekelek-branded comms module and a GSM SIM card from UK cellular network EE – which costs £6 ($7.50) a month to keep active. Controlling an Aga by text is a rather odd approach because many of the hefty ovens are out in the sticks without decent cellular reception. The design was implemented by an Irish outfit called Action Point, it appears.

Rather than using an SMS-based remote-control system, Aga should have used a secure Wi-Fi-enabled module, according to PTP, which criticized the appliance manufacturer’s “bizarre unauthenticated text messaging process.”

“Aga’s choice of mobile comms costs customers more than £70 extra per year and doesn’t help customers in poor mobile reception areas,” PTP’s Ken Munro noted in an advisory shared with The Register earlier this week. “A Wi-Fi module done right, with a conventional mobile app and API, is unlikely to have cost them much more to develop.”

To control someone’s Aga, you need the phone number associated with the roaster’s SIM card, we’re told. The control system makes no attempt to authenticate whoever sent the command texts. This shortcoming clears the way for all sorts of mischief: these electric-powered machines can draw 30 amps tops, so you could run up a small chunk of change on a victim’s power bill as well as wasting energy while they are away – or ruining dinner by switching the thing off.

Aga’s “register my cooker” webpage generates a different error message depending on whether or not the number you enter is one previously recognised as assigned to an iTotal Control cooker. You can exploit this and a similar shortcoming that enumerates owners by their email addresses to, over time by brute force, build up a list of known Aga cellphone numbers.

With these digits, you can start taking over strangers’ ovens from the other side of the world. It’s not, admittedly, a gigantic security risk – brute-forcing the list will be time consuming, for one thing – but it’s a situation that could have been avoided altogether.

“All you have to do is simply send a text message to the Aga. No authentication. Turn other people’s Agas off,” Munro told us. “We didn’t, but it would be trivial for less-ethical culinary threat actors to do so.”

The format of the comma-separated command messages is simple, it seems: a string followed by a sequence number and then the order, eg:

WebtextPass,35257,Baking Oven On
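The weakness in that format is that nothing in it identifies the sender: the first field is the same fixed string in every message, so the cooker acts on any text that reaches its number. The code below is an added example, not Aga’s, Action Point’s or Pen Test Partners’ code. It parses the three-field message exactly as quoted above, then shows what an authenticated version of the same command would look like; the per-cooker key, the HMAC tag, the replay check and the “Baking Oven Off” command are assumptions about such a design, not details of the real system.

```python
"""Parse the Aga text-message command and show an authenticated replacement.

Added example; not Aga's, Action Point's or Pen Test Partners' code. The
three-field layout (fixed string, sequence number, command) is the format
quoted in the article. The HMAC tag, per-cooker key, replay window and the
"Baking Oven Off" command are assumptions about what an authenticated
design would look like, not details of the real system.
"""
import hashlib
import hmac

# Only "Baking Oven On" appears in the article; the second is assumed.
ALLOWED_COMMANDS = {"Baking Oven On", "Baking Oven Off"}
TAG_HEX_LEN = 16  # 64-bit tag keeps the message comfortably inside one SMS


def parse_legacy_command(text: str) -> dict:
    """Parse 'WebtextPass,35257,Baking Oven On' as described in the article.

    The fixed prefix is identical in every message, so it proves nothing
    about who sent it; the cooker will act on any text sent to its number.
    """
    parts = text.split(",", 2)
    if len(parts) != 3:
        raise ValueError("expected 3 comma-separated fields")
    prefix, seq, command = parts
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    return {"prefix": prefix, "seq": int(seq), "command": command}


def _tag(key: bytes, seq: int, command: str) -> str:
    """Truncated HMAC-SHA256 over the sequence number and command."""
    msg = f"{seq},{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def make_authenticated_command(key: bytes, seq: int, command: str) -> str:
    """Sender side (app or API): 'seq,command,tag' with a tag over seq and command."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    return f"{seq},{command},{_tag(key, seq, command)}"


def verify_authenticated_command(key: bytes, last_seq: int, text: str):
    """Cooker side: return (seq, command) or raise ValueError.

    The tag binds the command to a key held only by the owner's account, so
    knowing the cooker's phone number is no longer enough, and the strictly
    increasing sequence number stops a captured message being replayed.
    """
    parts = text.split(",")
    if len(parts) != 3:
        raise ValueError("expected 3 comma-separated fields")
    seq_s, command, tag = parts
    seq = int(seq_s)
    if seq <= last_seq:
        raise ValueError(f"replayed or stale sequence number {seq}")
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    if not hmac.compare_digest(tag, _tag(key, seq, command)):
        raise ValueError("bad authentication tag")
    return seq, command


if __name__ == "__main__":
    key = b"per-cooker-secret-provisioned-at-registration"  # constructed value
    print(parse_legacy_command("WebtextPass,35257,Baking Oven On"))
    msg = make_authenticated_command(key, 35258, "Baking Oven On")
    print(msg, "->", verify_authenticated_command(key, 35257, msg))
```

The sequence number already present in the original format does useful work once it is covered by the tag: the cooker only has to remember the last value it accepted. Note that this protects the command channel only; the article’s separate point about the app and website using plain HTTP is not addressed by it.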

The official mobile app and Aga’s website also use unencrypted HTTP, with no option for HTTPS, which leaves customer information open to eavesdropping on the ‘net. For what it’s worth, the app talks to the website’s backend via an API, which sends the text messages to registered ovens.

Headaches

PTP had all sorts of problems in getting in touch with Aga to report the design flaws, prior to publishing its findings on Thursday. The oven maker’s representatives initially told the consultants that “we’ve had no reports of customers having their Agas hacked” – a response that rather missed the point.

Following proddings from El Reg, Aga’s PR folks told us the oven maker is confident its IoT partners have the issue in hand:

Aga Rangemaster operates its Aga TC [Total Control] phone app via a third-party service provider. Security and account registration also involves our M2M [machine-to-machine] provider. We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised.

PTP told Aga it ought to take down the www.Agatc.co.uk website and address the weaknesses it had identified. El Reg asked Aga if it was going to take this advice, and we’ve yet to get a substantive response.

Aga owners should note: this issue only affects you if you have the latest Total Control cooker and bought the remote control option.

The issues discovered by PTP in Aga’s ovens add to a growing list of kitchen-related IoT security failings – from insecure kettles to pwnable industrial dishwashers used in hospitals and restaurants. Now you can add smart home ovens to the pile. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/13/aga_oven_iot_insecurity/

SWIFT on security: Fresh anti-bank-fraud defenses now live

Inter-bank data comms biz SWIFT says it has introduced mechanisms to better protect money transfers from tampering.

We’re told the fresh defenses will make it easier for banks to track movements of money. The payment controls are part of SWIFT’s Customer Security Programme, a set of mandatory IT and physical security protections that member banks must put in place in order to use SWIFT.

SWIFT hopes the beefed-up security will help banks scan transfers between accounts and more easily spot fraudulent activity. In particular, SWIFT says, the new service will be pitched for smaller banks and credit unions that have yet to employ sophisticated fraud detection tools.

“The new payment controls service is a direct response to our community’s request for additional services to complement and strengthen existing fraud controls,” said chairman Yawar Shah.

Used by banks around the world, the SWIFT system allows banks to handle data transfers for money transactions. The group claims its network is used by more than 11,000 banks globally.

SWIFT was thrust into the public eye last year when it was targeted by hackers. They were able to steal login credentials for the service and use the access to pilfer accounts for tens of millions of dollars.

Following the hacks, SWIFT has faced pressure from its members to step up security protections, particularly as ex-employees have slammed the organization for lax protections that allowed the attacks to take place. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/13/swift_antifraud_payments_service/