STE WILLIAMS

Court to force adult site to expose ‘pirating’ users

A California court is forcing Pornhub – the vastest porn site on the porn-stuffed internet – to expose the names, IP addresses, phone numbers and viewing history of users who’ve uploaded pirated videos.

Pornhub’s been given a deadline of May 1.

The company is no stranger to Digital Millennium Copyright Act (DMCA) takedown requests. Its parent companies, Mansef Productions and Interhub, were sued in 2010 for copyright infringement of 95 videos produced by the porn production house Pink Visual.

As Forbes reported at the time, the suit didn’t pull any punches when it came to describing the way that Pornhub and other YouTube-like porn sites that run on videos uploaded by users – known as “Tube sites” – are ripping off the adult entertainment industry.

They’re the Napster of the adult film world, the suit said:

These Tube Sites maintain the fiction that they offer a forum for consumers to upload and share their own original “user-generated” adult video content; however in reality, they function as repositories for an extensive collection of infringing adult videos.

The settlement terms for that 2010 case weren’t disclosed, with the exception of this: the parties agreed that Pornhub would implement digital fingerprinting on all its sites.

That’s certainly a sound approach: it’s the one that’s used to locate child abuse imagery. Digital hash values are how companies – including Microsoft, Google, Verizon, Twitter, Facebook and Yahoo – sniff out that type of illegal content.

The hash values, which, in the case of child abuse, are provided by ISPs, enable such companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to pry open people’s private messages.

So why, if Pornhub implemented digital fingerprinting after that 2010 settlement, are we now looking at a subpoena – a huge subpoena, 91 pages long – that lists more than 1,000 copies of pirated videos produced by Foshan Ltd?

I reached out to Pornhub to ask. I’ll update the story if anybody gets back to me.

Here’s the subpoena. Issued at the end of March, it’s fairly broad: it compels Pornhub to hand over all the information it has available on the uploaders, including names, email addresses, IP addresses, user and posting histories, physical addresses, telephone numbers, and any other identifying or account information.

Take note: the video titles, starting on page 3, are very NSFW!

As it is, the presence of all this pirated material fits into a pattern of Pornhub acting reactively instead of proactively on copyright infringement, according to those in the industry.

According to TorrentFreak, Pornhub claims it “[Takes] claims of copyright infringement seriously.” It has a content takedown request site that directs copyright complaints to an email address or to a DMCA takedown request form.

Pornhub has also said that it reserves the right to terminate the accounts of repeat infringers, according to TorrentFreak, which quoted the company:

Responses may include removing, blocking or disabling access to material claimed to be the subject of infringing activity, terminating the user’s access to [Pornhub], or all of the foregoing.

But that’s all a bit disingenuous, according to sex blogger, journalist and “#sextech enthusiast” Girl on the Net (GOTN).

GOTN has spoken to Pornhub about what she considers a parallel issue to that of piracy: that of racism. Pornhub does have a policy against racism, just like it has a policy forbidding copyright infringement. But are the anti-racism and anti-piracy policies worth the pixels they take up on its site?

In order to get content taken down, “people have to report a specific video”, GOTN said. There doesn’t appear to be any technology in place to automagically churn through piles of porn like there is with child abuse imagery, at least not that’s obvious from a user perspective (or from the perspective of there being more than 1,000 pirated videos from just one single production company on the site).

It doesn’t have to be that way: other sites have monitoring policies in place, GOTN noted. Pornhub isn’t doing much to fight it, she said:

Any site that’s running on the free Tube model, where users can upload their own content, is always going to have a certain level of pirated material. Even if the sites don’t strictly encourage it – or have terms that forbid it – the fact remains that they have created a model that gives users an expectation that porn is (or should be) free.

And here’s another thing: why are the pirating Pornhub users being pursued, as opposed to the vast, lucrative porn behemoth that is Pornhub?

Sure, those users are uploading pirated videos, GOTN said, and that’s wrong. Users are stealing subscription funding from the porn producers who should rightfully be compensated for their work.

But isn’t Pornhub the one to go after? After all, it’s the mechanism that enables all this piracy. GOTN:

I’m surprised that users are being pursued instead of Pornhub itself. Obviously, they shouldn’t be uploading pirated content … but effectively, I feel [that Pornhub] is contributing so much to the free porn model, [they should be a prime target for DMCA action].


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ThAxntxxWDo/

Prisoners built two PCs from parts, hid them in ceiling, connected to the state’s network and did cybershenanigans

We are impressed by five prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction’s (ODRC) network to engage in cybershenanigans.

Compliments are less forthcoming from the State of Ohio’s Office of the Inspector General, which published its 50-page report [PDF] into this incident yesterday, following a lengthy investigation.

The Inspector General was alerted to the issue after ODRC’s IT team migrated the Marion Correctional Institution from Microsoft proxy servers to Websense. Shortly afterwards, on 3 July 2015, a Websense email alert reported to ODRC’s Operation Support Center (OSC) that a computer operating on the network had exceeded a daily internet usage threshold. Further alerts, seven regarding “hacking” and 59 regarding “proxy avoidance,” reported that the user was committed to network mischief.

From there the search for the miscreant began, and once the login credentials used were found to be illicit, the ODRC’s IT employees attempted to find the unauthorised computer by locating the network switch it was connected to.

An incident report filed on the discovery, included in the Inspector General’s report, noted:

On the above date and time I was following up on information received from OSC IT department. I had been told there was a PC on our network that was being used to try and hack through the proxy servers. They narrowed the search area down to the switch in P3 and the PC was connected to port 16. I was able to follow the cable from the switch to a closet in the small training room. When I removed the ceiling tiles I found 2 PCs hidden in the ceiling on 2 pieces of plywood.

The computers were cobbled together from spare parts which prisoners had collected from Marion Correctional Institution’s RET3, a program that helped to rehabilitate prisoners by getting them to break down old PCs into component parts for recycling.

Forensic analysis of the computers completed by the Ohio Inspector General revealed that the users exploited their access to the ODRC’s systems to issue passes for inmates to gain access to multiple areas within the institution. They also used the Departmental Offender Tracking System to steal the personal information of another inmate and use those details to successfully apply for five credit cards.

Additional forensics by a more technical team reported finding “a large hacker’s toolkit with numerous malicious tools for possible attacks. These malicious tools included password-cracking tools, virtual private network (VPN) tools, network enumeration tools, hand-crafted software, numerous proxy tools, and other software used for various types of malicious activity.”

In addition to the above, the forensics team found “self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, virtual phone, pornography, videos, VideoLan, and other various software,” in addition to evidence that malicious activity had been occurring within the ODRC inmate network.

They reported: “Inmates appeared to have been conducting attacks against the ODRC network using proxy machines that were connected to the inmate and department networks. It appears the Departmental Offender Tracking System portal was attacked and inmate passes were created. Findings of bitcoin wallets, stripe accounts, bank accounts, and credit card accounts point toward possible identity fraud, along with other possible cybercrimes.”

Ultimately, five inmates were identified as being involved with the hidden computers, and have been separated and moved to other correctional facilities. More details on their conspiracy and the others involved in it are again available in the Inspector General report. It’s a cracking yarn.

In response to the report, ODRC said it appreciated “the time the Inspector General’s office has taken to conduct these investigations and we have already taken steps to address some areas of concern. We will thoroughly review the reports and take any additional steps necessary to prevent these types of things from happening again.

“It is of critical importance that we provide necessary safeguards in regards to the use of technology while still providing opportunities for offenders to participate in meaningful and rehabilitative programming.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/12/prisoners_built_computer_connected_to_states_network/

Gordon Ramsay’s in-laws admit plot to hack sweary celeb chef’s biz

Gordon Ramsay’s father-in-law has admitted conspiring to hack into the computer systems of businesses run by the celebrity chef.

Christopher Hutcheson, 68, and his sons Adam, 46, and Christopher, 37, all admitted conspiracy to unlawfully access Gordon Ramsay Holdings Limited’s computer systems at a hearing in London’s Central Criminal Court on Tuesday, the BBC reports. Christopher Hutcheson Snr’s daughter, Orlanda Butland, 45, denied the same charge. The prosecution subsequently dropped its case against her, leading Judge Gerald Gordon to record a not guilty verdict.

Hutcheson Snr, father of Ramsay’s wife, Tana, and his sons were all charged under Operation Tuleta, a computer hacking-orientated investigation launched by the Met Police in the wake of the 2011 celebrity phone hacking scandal.

Hutcheson Snr, of Earlsfield, south west London, Hutcheson Jnr, of Welwyn Garden City, Hertfordshire, and Adam Hutcheson, of Sevenoaks, Kent, were all released on bail pending a sentencing hearing scheduled for 2 June.

The Michelin-star awarded TV cook fired his father-in-law in 2010 from a senior role managing his restaurant business in acrimonious circumstances. Prosecutors alleged in court that the hack was motivated by an attempt to discover whether Ramsay had been circulating a picture of Hutcheson Snr’s alleged mistress, Sara Stewart, a former employee, the Daily Telegraph reports. The offences took place between October 2010 and March 2011. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/12/ramsay_hack_plot_guilty_plea/

MPs worried Brexit vote website wobble caused by foreign hackers

A committee of MPs has expressed concerns that foreign hackers might have had a hand in crashing the UK’s voter registration website last year shortly before the Brexit referendum.

The Public Administration Committee concluded that a foreign cyber attack remains a potential reason that the “register to vote” site crashed on 7 June last year, shortly after a televised debate and hours before a (subsequently extended) registration deadline. The Lessons learned from the EU Referendum report [PDF] also lists more humdrum explanations for the site’s failure, such as inadequate provision of resources to cope with last minute registration requests. The MPs faulted the government for a lack of contingency planning in their report:

The Register to Vote website crashed on the evening of 7 June 2016. The Government has stated that this was due to an exceptional surge in demand, partly due to confusion as to whether individuals needed to register to vote. The Government should develop an online service to enable people to check whether they are already correctly registered. However, the Government clearly failed to undertake the necessary level of testing and precautions required to mitigate against any such surge in applications. The Association of Electoral Administrators criticised the government and the Electoral Commission for a clear lack of contingency planning.

We do not rule out the possibility that there was foreign interference in the EU referendum caused by a DDOS (distributed denial of service attack) using botnets, though we do not believe that any such interference had any material effect on the outcome of the EU referendum. Lessons in respect of the protection and resilience against possible foreign interference in IT systems that are critical for the functioning of the democratic process must extend beyond the technical.

The Cabinet Office, which also investigated the website crash, has ruled out actions of a hostile power. “We have been very clear about the cause of the website outage in June 2016. It was due to a spike in users just before the registration deadline,” the government department told the BBC.

“There is no evidence to suggest malign intervention. We conducted a full review into the outage and have applied the lessons learned. We will ensure these are applied for all future polls and online services.”

Ilia Kolochenko, chief exec of web security firm High-Tech Bridge, stressed the need for a thorough investigation while expressing scepticism that a foreign cyberpower such as Russia or China might have “taken out” the website.

“I doubt that a serious actor, such as a nation state for example, can be behind this particular DDoS attack. Governments have enough technical and financial resources to create smart botnets, simulating human behavior that would be hardly distinguishable from legitimate website visitors. Running a classic DDoS attack is too coarse, and would rather attract unnecessary attention to the external interference, trigger investigations and all other outcomes that smart attackers would [want to] avoid.”

Cyberattacks by foreign powers against UK government websites in general are becoming an everyday threat.

Joep Gommers, chief exec of EclecticIQ, commented: “The UK government recently announced that the National Cyber Security Centre (NCSC) had blocked 34,550 ‘potential attacks’ on government departments in the past six months – a rate of 200 a day. Many of them were believed to be state-sponsored or instigated by global crime outfits, all seeking information on what’s being discussed, what’s going to happen, and what it means for them.

“Persistent intelligence efforts and effective sharing with appropriate parties is required to stay free from external interference. The more governments can share information on attacks, the more intelligence can be gleaned and the greater the chance of finding and stopping the perpetrators.”

It would be wrong to overstate the impact of the Brexit voter registration website’s problems but that doesn’t mean that wider concerns about the security of electronic voting, for example, are misplaced. A few vote-tampering successes in just a few strategically planned areas can cause panic, suspicion and loss of faith in the integrity of the process, according to code security firm Veracode.

Paul Farrington, EMEA solution architects manager at Veracode, added: “Hacking an entire election is near impossible, but should digital elections be successfully implemented, any cybercriminal hoping to create suspicion and disrupt the result of an election could achieve this simply by affecting just a small number of votes.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/12/brexit_vote_website_wobble/

Alleged Yahoo Email Hacker Denied Bail in Canada

Karim Baratov awaits extradition hearing, likely on June 12.

A Canadian citizen whom US officials have tied to the 2014 data breach of 500 million Yahoo accounts has been denied bail by a Canadian court and remanded to custody until May 26, reports Reuters. A hearing on his extradition to the US is likely to take place on June 12.

Justice Alan Whitten agreed with prosecutors that suspect Karim Baratov was a flight risk if given bail.

“Why would he stick around?” the judge said. “He can continue his wealth-generating activities anywhere in the world.”

Baratov, who was born in Kazakhstan, and his alleged co-conspirator Alexsey Belan, who is on FBI’s most-wanted cybercriminal list, have been charged by the US with working for Russia and being paid to break into Yahoo and non-Yahoo accounts.

Read details on Reuters.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/alleged-yahoo-email-hacker-denied-bail-in-canada/d/d-id/1328609?_mc=RSS_DR_EDT

Nigerian Citizen Arrested for Alleged Tax Fraud

Olusola Luke and accomplices allegedly committed identity theft to steal over $734,000 in tax refunds.

A Nigerian citizen has been arrested by US authorities in connection with a tax refund fraud scheme between 2013 and 2015 amounting to hundreds of thousands of dollars in losses. Olusola Luke was arrested recently at Dulles International Airport as part of a crackdown on ID theft and tax fraud by the Internal Revenue Service.

According to the US Department of Justice, Luke and his co-conspirators stole identities of taxpayers and used their credentials to file false tax returns. They then allegedly sought more than $734,000 in refunds.

Luke has been transferred to St. Louis to answer the charges.

Read details here.

Article source: http://www.darkreading.com/threat-intelligence/nigerian-citizen-arrested-for-alleged-tax-fraud/d/d-id/1328610?_mc=RSS_DR_EDT

How Innovative Companies Lock Down Data

A mix of back-to-basics security and a set of new, data-centric best practices is key to defending against a future of growing and sophisticated cyberattacks.

In digital businesses, data is the fuel driving companies toward new business models and better business outcomes. Data plays both offense and defense at these companies, keeping them ahead of their competitors. No longer a bench warmer, data’s profile of high value, large volume, and vulnerability quotient is getting the attention of hackers like never before. These three components are at the root of why cyberattacks on business assets are becoming more sophisticated and more frequent.

Data holds incredible value—both for digital businesses and for hackers. McKinsey & Co. reported a $2.8 trillion GDP increase from data flows in 2014 as more trade and commerce shifts to online business models. According to the analysts, data flows of information, communication, transactions, and intracompany traffic are surging, and virtually every type of cross-border transaction has a digital component.

The pace of data creation also impacts digital businesses. The combination of mobile data, Internet of Things data, and Big Data has created a very large and attractive data footprint for hackers. In fact, storage manufacturers are expected to ship 521,000 PB of enterprise storage capacity by 2020 to keep up with the rising volume of data.

And just as data value and the volume increases, so does its vulnerability. Digital businesses store data across hybrid infrastructures—on premise, in the cloud, and on endpoints. Each of these comes with risks, especially with the influx of mobile devices and the fast approaching IoT devices. Hackers view these endpoints as vulnerable and an easy entryway to business and personal data. Not surprisingly, they have already been testing the waters.

Attacks have become increasingly more sophisticated and persistent. In 2015, 65% of companies experienced a targeted attack and an average of 1.9 million records was breached every day. The increase of attacks is easily correlated back to the increase in the value of data, the volume of data and the vulnerability of endpoints.

For digital businesses, the threat watch is real and the calls to protect data are coming from throughout the company. The conversation within organizations has changed from “bottom up” to “top down.” Executive management is talking about security in terms of business impact—not technology. Something else that is unique in these businesses is that concerns about security threats are voiced not solely by the IT side of the company but also by the business side. CEOs and chief data officers want a security strategy that protects their brand and reputation. CFOs want protection from spear phishing. CMOs and HR managers are asking about multi-factor authentication and encryption. Security is as much a business discussion as it is a technical conversation.

A Mix of Old and New
Companies that are carving out a niche as digital leaders are finding the best approach to securing their business assets is to revisit proven security practices and throw in a set of new best practices born out of the current emphasis on data. The network perimeter still needs strong protection, but digital companies realize that mobile devices and IoT devices perpetually create holes in that very expensive wall as they connect to the Internet. With that in mind, security needs to move closer to the business apps, and in them.

Other security basics are also getting dusted off. Security teams are renewing efforts to prevent default passwords, weak encryption protocols, incorrect authorizations, and disabled whitelists, which are still common weaknesses that open businesses to successful exploits. On top of these steps, digital businesses are taking this back-to-basics approach to protect their business apps:

  • Ensuring that a consistent and regular process is in place for patches and updates. Unpatched software poses the most serious security risk for businesses.
  • Encrypting communications between business systems with SSL/TLS and SNC.
  • Checking the interfaces to business systems to see if they are adequately secured.
  • Revisiting data backup plans and disaster recovery strategies.
  • Reviewing the business systems platform’s security configurations.  

There’s no new news here. These are fundamental to practicing good security, but still too many companies ignore them. A return to these basics is essential for companies going digital because in the next phase more processes will be automated, more services cloud-based, and more devices will be connected. Companies will need to add in these digital best practices to continue their transformation:  

  • Identify and prevent attacks from within the apps
  • Protect data with an all-encompassing strategy that covers the cloud, on premise, and mobile devices
  • Apply 360-degree correlation analytics across the network, endpoints, application, and data
  • Accelerate threat detection with real-time incident response and forensics to limit threat impact
  • Respond to threats in an adaptive manner with deep-learning powered cybersecurity analytics

Security Cornerstones: Products, Operations and Culture
To secure products, security must be incorporated into the applications, delivering the ultimate protection of content and transactions. Secure operations meets the security principles of “Confidentiality, Integrity and Availability,” providing a comprehensive end-to-end cloud and IT operations security framework. To create a secure company also means nurturing a well-established security culture and a secure environment with end-to-end physical security of business assets and business continuity for operational resilience, including employee training programs that teach everyone in the company about the latest threats and how to avoid them.

During the next few years companies will embrace new technologies such as predictive analytics, machine learning, and cognitive intelligence to keep their business assets secure. Companies that combine these future-oriented tools with tried-and-true best practices of the past will have the security they need to be a data-centric, automated digital business. 

Justin Somaini joined SAP from cloud provider Box, where he was chief trust officer, having previously held a number of senior positions at both Yahoo and Symantec, and has accrued more than 20 years’ professional experience in the IT security sector.

Article source: http://www.darkreading.com/endpoint/how-innovative-companies-lock-down-data-/a/d-id/1328589?_mc=RSS_DR_EDT

Securing your Privacy on Android

If you work at a company that allows you to use your mobile device to login to email, access company data, or connect to company Wi-Fi, you’re more of a security risk than you think.

Whether you are a government employee with sensitive data stored on your mobile device or a casual user who can’t lose his precious cat pictures, turning on security settings to keep your privacy secure on an Android device is important.

But in an era of having to keep track of multiple complex passwords, policies to reset passwords as soon as you just started remembering the last one, and taking two or more steps of authentication to login to most things these days, it’s easy to see why people get lax with security on their personal mobile device. It’s a case of convenience vs security. Leave your device unlocked, and you make it easy for your private data to be stolen. Lock things down tight, and you may find yourself ready to chuck your device at the ground when it locks itself (again) when you’re in the middle of an important task. 

Let’s look at some of the common security settings available on Android devices.

Screen Locks: The Basics
Most Android devices come with these basic screen lock settings, listed least to most secure:

  • Pattern – Draw a pattern on dots to unlock device
    • Minimum 4 dots, max 9 dots
  • PIN – Enter a number to unlock device
    • Minimum 4 digits, max 17 digits
  • Password – Enter a good old password to unlock device
    • Minimum 4 characters, max 17 characters

Choosing which method, and how many elements used for that method, determines how secure it is. For example, a 6-character password will be more secure than an 8-dot pattern. No matter what you do with your mobile device, you should use at least one of these methods to secure it.
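The comparison above can be checked by counting. The following is an added example, not part of the original article: it enumerates the valid patterns on a 3x3 grid and compares the totals with PIN and password keyspaces. It assumes the usual pattern rule (a stroke cannot jump over a dot that is not yet part of the pattern), a 95-character printable-ASCII alphabet for passwords, and secrets chosen uniformly at random; all function names are illustrative.

```python
from itertools import product
from math import log2

# 3x3 grid of dots, addressed as (row, column).
DOTS = list(product(range(3), range(3)))


def jumps_unused_dot(a, b, used):
    """True if the straight stroke a -> b passes over a dot not yet in the pattern.

    Assumption: a stroke may cross an intermediate dot only when that dot
    has already been used earlier in the same pattern.
    """
    row_sum, col_sum = a[0] + b[0], a[1] + b[1]
    if row_sum % 2 or col_sum % 2:
        return False  # no grid dot lies exactly halfway between a and b
    return (row_sum // 2, col_sum // 2) not in used


def count_patterns(length):
    """Number of valid unlock patterns that use exactly `length` distinct dots."""
    def walk(current, used, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in DOTS:
            if nxt in used or jumps_unused_dot(current, nxt, used):
                continue
            total += walk(nxt, used | {nxt}, remaining - 1)
        return total

    return sum(walk(start, frozenset([start]), length - 1) for start in DOTS)


def keyspace(alphabet_size, length):
    """Number of possible secrets of a fixed length over a given alphabet."""
    return alphabet_size ** length


def compare():
    """Guess counts and equivalent bits for the lock types the article lists."""
    rows = {
        "4-dot pattern": count_patterns(4),
        "8-dot pattern": count_patterns(8),
        "9-dot pattern": count_patterns(9),
        "4-digit PIN": keyspace(10, 4),
        "6-digit PIN": keyspace(10, 6),
        "6-character password": keyspace(95, 6),  # assumed printable ASCII
    }
    return {name: (n, round(log2(n), 1)) for name, n in rows.items()}


if __name__ == "__main__":
    for name, (n, bits) in compare().items():
        print(f"{name:22} {n:>16,} guesses  ~{bits} bits")
```

Because the pattern rule limits which dots can follow one another, even the longest pattern offers fewer possibilities than a 6-digit PIN, which is why the article ranks patterns as the least secure of the three.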

Screen Locks: Biometrics
It seems each new mobile device iteration comes with a clever new way to unlock your device, most of which involve biometric technology. Biometrics use your biology to recognize you and let you access your device, for example by fingerprint, retina (eye), or face.

The biggest concern with any biometric security method is that you can’t change your biology like you can with a password. As technology advances, we will see advances in the ability to hack these biometrics, and there are already several proof-of-concept hacks that can potentially exploit each. Still, it’s a lot easier to put your finger on a scanner than to enter a PIN.

Sleep Timeout & Auto Lock Timeout
The sleep timeout determines the length of time before your mobile device goes to sleep. The auto lock timeout is the length of time after the device is asleep that it will lock itself. You can even go a step further and set the device to lock when the power button is pressed.

Start with shorter timeouts and work your way to longer ones in order to find the right balance of security and convenience. Or put another way, figure out how many times you can unlock your device throughout the day before you can’t take it anymore! Just remember, the longer the timeout, the more time there is for personal data to be stolen.

What’s at Stake 
If you work at a company that allows you to use your mobile device to login to email, access company data, and/or connect to company Wi-Fi, you could be more of a risk than you think — especially if it’s a well-known company.  Targeted attacks are the easiest way for criminals to steal sensitive information from a company, and that device you carry around everywhere could easily be used against the company where you work.  If a mobile device is lost or stolen with no security settings, criminals could easily use it to gain access into sensitive business information, or information that is beyond the compromised user’s permissions.

There are other reasons to keep your mobile device secure. Stolen, unlocked devices can easily be factory reset and sold for profit. Criminals could do whatever they like with your personal information — like post those private pictures for all your followers to see on social media. So, it’s best to stay safe, turn on those security settings, and have a little peace of mind that your privacy is secure.

Full time mobile malware researcher, part time endurance mountain bike athlete and world traveler. As nerdy about biking as he is about mobile malware.

Article source: http://www.darkreading.com/partner-perspectives/malwarebytes/securing-your-privacy-on-android/a/d-id/1328606?_mc=RSS_DR_EDT

TCP/IP headers leak info about what you’re watching on Netflix

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix’s HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture.

The problem, writes Michael Kranch (with collaborator Andrew Reed), is that the information in TCP/IP headers is enough to leak content information.

In this paper (PDF) delivered at the CODASPY’17 conference in March, Kranch explains that the TCP/IP headers of a Netflix HTTPS stream provide a 99.5 per cent content fingerprint.

Yes, HTTPS is meant to provide privacy, and no, Netflix isn’t doing anything dumb like putting movie titles in headers: the variable bitrate (VBR) encoding happens to yield up predictable behaviour, particularly in how the byte-range portion of HTTP GET commands perfectly aligns with individual video segment boundaries.

For the paper, Kranch wrote a crawler to create the fingerprints and ended up with a database of more than 42,000 Netflix videos, each represented by 7-plus fingerprints per video.

With a database indexing the content metadata (harvested by setting up a server to automatically “watch” videos) against the fingerprints, it’s pretty straightforward to capture the fingerprint on someone else’s connection and use it to look up the video.

The server Kranch used in his work was hardly a monster: he used a decade-old box with two quad-core Xeon 2.0 processors running at 2 GHz, with Linux Mint 17.3 MATE as the OS.

Even that kit loaded the 184 million fingerprints in 15 minutes, and their assessment found that 99.9989 percent of the “windows” were unique.

Two movies out of the whole database had oddities that meant they’re hard to fingerprint: 2001: A Space Odyssey and The Gospel Road: A Story of Jesus, “both of which have lengthy periods where the screen is completely dark, thereby resulting in ‘flat’ windows that consist of 30 identically-sized segments.”

To test their work, Kranch and Reed then set up a couple of MacBook Pros to stream 20 minutes of video from a random list of 100 flicks, and captured the Internet traffic from each.

On average, they write, the algorithm identified the videos within three minutes, 55 seconds, with more than half of the videos identified before 2:30.

Kranch offers a couple of ideas to fix the issue. For example, he says, “the browser could average the size of several consecutive segments and send HTTP GETs for this average size. As an alternative approach, the browser could randomly combine consecutive segments and send HTTP GETs for the combined video data.”
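To see why the two proposed fixes help, the following added example (not code from the paper or its GitHub project) models a small constructed catalogue and checks whether 30-segment windows of request sizes still match after each mitigation. The segment sizes, title names, the exact-match lookup and the grouping parameters are all assumptions made for illustration.

```python
import random

WINDOW = 30  # segments per fingerprint window, as in the article's "flat windows"


def make_title(seed, n_segments=120):
    """Constructed VBR segment sizes (bytes) for one hypothetical title."""
    rng = random.Random(seed)
    return [rng.randint(200_000, 900_000) for _ in range(n_segments)]


def build_index(catalog):
    """Map every WINDOW-long run of segment sizes to the titles containing it."""
    index = {}
    for title, sizes in catalog.items():
        for i in range(len(sizes) - WINDOW + 1):
            index.setdefault(tuple(sizes[i:i + WINDOW]), set()).add(title)
    return index


def requests_plain(sizes):
    """Unmitigated client: one GET per segment, so sizes align with segments."""
    return list(sizes)


def requests_averaged(sizes, k=4):
    """First fix: request the average size of k consecutive segments.

    The total bytes fetched per group are unchanged; only the per-request
    sizes are flattened.
    """
    out = []
    for i in range(0, len(sizes), k):
        group = sizes[i:i + k]
        base, extra = divmod(sum(group), len(group))
        out.extend([base + 1] * extra + [base] * (len(group) - extra))
    return out


def requests_combined(sizes, rng, max_merge=3):
    """Second fix: randomly merge consecutive segments into a single GET."""
    out, i = [], 0
    while i < len(sizes):
        n = rng.randint(1, max_merge)
        out.append(sum(sizes[i:i + n]))
        i += n
    return out


def matching_titles(observed, index):
    """Titles for which some observed window equals a catalogued window."""
    hits = set()
    for i in range(len(observed) - WINDOW + 1):
        hits |= index.get(tuple(observed[i:i + WINDOW]), set())
    return hits


def demo():
    """Run the three client behaviours against the same constructed title."""
    catalog = {f"title-{s}": make_title(s) for s in range(5)}
    index = build_index(catalog)
    watched = catalog["title-3"]
    return {
        "plain": matching_titles(requests_plain(watched[40:100]), index),
        "averaged": matching_titles(requests_averaged(watched[40:100]), index),
        "combined": matching_titles(
            requests_combined(watched, random.Random(7)), index),
    }


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(f"{mode:9} -> {sorted(hits) or 'no exact window match'}")
```

This measures only exact window matches on constructed data; it shows the mechanism behind the suggested fixes, not how much privacy they provide against real traffic.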

Code for the project is at GitHub. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/12/breaking_bad_privacy_protection_boffin_beats_netflix_https/

UK boffins steal smartmobe PINs with motion sensors

The World Wide Web Consortium might want to take another look at its habit of exposing too much stuff to application interfaces: a UK researcher has demonstrated a JavaScript app can spy on smartphone sensors to guess the codes users employ to unlock the devices.

The attack, published in the International Journal of Information Security, wouldn’t be possible if it weren’t for a convenient API to motion sensors.

What the researchers, led by Dr Maryam Mehrnezhad of Newcastle University in the UK, found is that a JavaScript app can get enough information from motion sensors to crack 70 percent of four-digit PINs at the first try.

By the third attempt, Mehrnezhad’s “PINlogger.js” script is correctly guessing 94 percent of PINs.

As Mehrnezhad explains in the Newcastle University media release, “mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords”.

If a user was tricked into loading the PIN-logger into one tab of a browser, and ran a banking app in another tab, Mehrnezhad reckons the script can also snoop on their bank logins.

The paper explains that vendors probably didn’t think in-browser access to motion sensors would be so revealing because of their low sampling rates.

Mehrnezhad’s team had already identified single digits from smartphone sensors, including “click, scroll, and zoom and even the numpad’s digits”. With PINlogger.js, the group extends their work to capturing 4-digit sequences.

“W3C specifications do not specify any policy and do not discuss any risks associated with this potential vulnerability,” the paper notes.

The Register has previously noted the W3C’s aggressive attitude to exposing new and intrusive interfaces to Websites. Privacy researcher Lukasz Olejnik has highlighted potentially harmful Web APIs for battery charge and Bluetooth devices.

Mehrnezhad doesn’t call for review or removal of the APIs, but says browser providers haven’t yet come up with a solution. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/12/uk_boffins_steal_smartmobe_pins_with_motion_sensors/