STE WILLIAMS

When scams know too much… [VIDEO]

Earlier today, we went live on Facebook to answer your questions about “scams that know too much”…

…like the one we wrote about last week when the crooks emailed thousands of people in the UK claiming to be in possession of personal data that had somehow come their way.

As “proof” of the claim, the crooks included full names and home addresses for the victims.

As it happened, that’s the only data they had – the plan was to frighten you into looking at the document they’d attached to see what else they knew about you, at which point they hit you up with malware.

Here’s our online discussion, with advice about this scam and much more:


We’d still love to take your questions and hear your comments, either under the video on Facebook, or by posting right here on Naked Security (you may post anonymously).


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3aUF7ZvQwWc/

Webcam sex blackmailer faces extradition to Canada to stand trial for bullied teen’s suicide

The man thought to be behind one of the most notorious cases of cyber bullying may finally face trial in Canada – after a Dutch court approved his extradition from the Netherlands.

Aydin Coban is alleged to have persuaded 15-year-old Canadian Amanda Todd to send compromising pictures of herself to him via webcam, and then demanded more from her or he would share her snaps with the world. The teen’s half-naked photos were later spread across the web.

Consequently, Todd was bullied and intimidated to such a degree that in October 2012 she killed herself, and in doing so shone a spotlight on the horrifying abuse of the internet and webcams to extort young and impressionable girls.

Coban is serving 11 years behind bars in the Netherlands for online abuse and for blackmailing 34 girls under the age of 18, having been found guilty last month. The Canadian authorities are confident he also tormented Amanda Todd, who was living in British Columbia. They want him on a range of charges that stretch from extortion, to stalking, to possession of child abuse images.

The 38-year-old Dutchman persuaded and pressured dozens of girls to perform sexual acts on their webcams and then blackmailed them by threatening to send the footage to their friends and family. If they refused to post more images, he warned them he would drive them to suicide. In Amanda Todd’s case, that’s what she did.

Coban was arrested during a completely different fraud investigation but investigators discovered when they searched his laptop that he had approached dozens of girls in a chat room in just a few minutes, and they started inquiring further. In the lead-up to his trial, he refused to undergo a psychiatric assessment, and was ultimately jailed.

While that trial was ongoing in June last year, the Canadian authorities asked for Coban to be extradited, and a judge at the Amsterdam extradition court agreed. But the handover was held off until his Dutch court case was completed.

Now that he has been found guilty, a second judge confirmed that the extradition still holds. It is unclear however when or if that extradition will occur. He is still in a position to appeal his conviction in the Dutch courts and any extradition would require the personal approval of the Dutch justice minister.

Either way, it looks as though the blackmailer and abuser is going to spend most of the rest of his life behind bars. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/04/webcam_blackmailer_faces_extradition/

As Trump signs away Americans’ digital privacy, it’s time to bring out the BS detector

Analysis: President Donald Trump has rescinded America’s digital privacy protections over what ISPs can do with their subscribers’ data, signing into law on Monday a joint resolution of Congress.

The resolution passed a controversial vote in the House last week by 215 votes to 205, which followed a vote in the Senate a few days earlier that passed 50 to 48.

The president’s action makes official the “congressional disapproval” of rules passed by US consumer watchdog agency the FCC that were due to take effect last month. Those rules would have required ISPs to obtain users’ consent before selling their personal data – including location, browser history, health and financial data and other sensitive information – to advertisers.

As has become increasingly common in American politics, however, the issue was decided almost entirely along partisan lines. That, combined with its high-profile nature – it was the lead topic for most late-night chat shows following the vote – meant that we were all subjected to a wave of misinformation masquerading as truth, and even to documents purporting to counteract “myths” that are themselves carefully worded works of fiction.

And so, since it is now the law, we have brought out The Register‘s patented bullshit detector to wade through the execrable arguments of the past few days and highlight the most significant and/or most inaccurate.

Let’s start with the FCC

It was the FCC that had passed the rules, under the chairmanship of (Democrat) Tom Wheeler. And it was also the FCC that stopped them just days before they were due to take effect, under the chairmanship of (Republican) Ajit Pai.

Pai had this to say about the president’s signing of the joint resolution: “President Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers.”

We call BULLSHIT on the last part of that sentence, that the rules were “designed to benefit one group of favored companies, not online consumers.”

The rules were developed entirely and absolutely to protect online consumers. They required ISPs to get an opt-in from customers for sensitive information, to offer an opt-out for other uses of that data, and to ensure that they appropriately protected that data.

Now, the end result of those rules is that ISPs were put under stronger privacy rules than others. But not at the FCC. In fact the rules were developed from FCC rules covering telephone calls. Your telephone company cannot sell your personal data or who you called to advertisers.

The plan was to extend that to ISPs since the FCC decided that in 2016, the internet had become a utility rather than a service.

What the ISPs were upset about was that companies like Google and Facebook – who offer services on top of internet provision – would not be included in these rules but only the weaker rules run by consumer watchdog agency the FTC.

Now, there is a good argument to be had – and The Register has repeatedly made it – that Google and the FCC got far too chummy with one another, and that many of the FCC’s decisions at the tail-end of the Wheeler FCC benefited Google to the detriment of Comcast, AT&T et al.

But that is a wholly different argument to claiming that the FCC privacy rules were “designed to benefit one group of favored companies, not online consumers.” They weren’t.

Pai Part 2

FCC chair Pai also said in response to Trump’s signing: “In order to deliver that consistent and comprehensive protection, the Federal Communications Commission will be working with the Federal Trade Commission to restore the FTC’s authority to police Internet service providers’ privacy practices. We need to put America’s most experienced and expert privacy cop back on the beat. And we need to end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space.”

That is largely TRUE, albeit a little misleading.

The FCC does in fact have very limited experience in consumer issues, and the FTC is a much better bet in that sense. However, by deciding that the internet was effectively a utility, the FCC really had little choice but to pull ISPs under its privacy rules, which it did, largely using the rules it already had on the books.

That decision did create uncertainty (although “confusion” is pushing it a bit – who exactly was confused?). And, yes, Pai has announced that the FCC will work with the FTC to come up with “consistent and comprehensive protection.”

But. Pai is being disingenuous about what is going to happen and how long it will take. First the FCC will have to unravel its legal authority over net neutrality, and then it will have to figure out how to persuade the FTC to adopt new rules.

The reality is that the FCC is going to have a hard time legally defining ISPs. It will be literally the third time that the regulator has tried to do so: the first was struck down by the courts, and the second was upheld, but the FCC itself has now decided to dismantle it.

Any change will have to go through another lengthy and painful process and the idea that the FCC will be able to forge a new data privacy agreement with the FTC at the same time is pure fantasy and everybody knows it.

Pai simply made the decision that it was better to kill off the privacy rules and give himself more room to play with than let them take effect and be boxed in. He made that decision in the full knowledge that every internet user in the US was losing regulatory oversight of what ISPs can do with their personal data.

Fellow FCC Republican’s take on things

The other Republican commissioner on the FCC, Mike O’Rielly, had his own statement that, unfortunately, layered bullshit upon bullshit.

“I applaud President Trump and Congress for utilizing the CRA to undo the FCC’s detrimental privacy rules,” he said. “The parade of horribles trotted out to scare the American people about its passage are completely fictitious, especially since parts of the rules never even went into effect. Hopefully, we will soon return to a universe where thoughtful privacy protections are not overrun by shameful FCC power grabs and blatant misrepresentations.”

What O’Rielly does, however, is pinpoint the beating heart of the bullshit: the claim that since something hasn’t happened yet, it means that it won’t happen.

For someone who is a commissioner at a federal regulator, this willful blindness over how the real world works is borderline obnoxious.

Here is the absolute solid reality of what this decision to scrap the FCC rules means:

  • ISPs were previously able to do what they can do now, i.e., sell their customers’ private data.
  • But they were previously at risk of being investigated by the FTC and then, later, the FCC.
  • If they had been found to have broken data privacy rules, they faced huge fines and most likely the requirement to get prior approval from the FTC/FCC before doing anything similar in future.
  • Now, however, there is no backstop. The FTC does not have jurisdiction. And nor does the FCC. The ISPs currently exist in a regulatory-free world.

What this means is significant and it is the source of (Democrat) claims that ISPs will soon be selling your private data and the counter-claims (by Republicans) that people are fear-mongering and inventing problems.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/04/fcc_privacy_rules_myths/

ADP CISO Offers Tips to Leverage Security to Grow the Business

Savvy CISOs would do their companies a favor by broadly integrating security across the organization, a move that can yield greater revenues, cost savings and an entry into new markets.

When Roland Cloutier joined ADP seven years ago to focus on operational risk, he was tasked with helping the business outsourcing solutions and payroll giant adopt a security first mindset that would ultimately yield cost savings, new markets and revenue.

“I was brought in to specifically do this and [ADP] was ready to accept change to do it,” says Cloutier, senior vice president and global chief security officer at ADP.

Some of the steps Cloutier took included having senior-level practitioners placed in a group called the client security management officers (CSMOs), whose full-time job focused on quickly and accurately answering security questions raised by customers and potential clients about ADP’s protection of their data and funds.

“Why that is important is because this is not sales people answering security questionnaires, nor is it people in marketing. It’s a group of people who have access to the entire portfolio of our security program and can translate that to clients, give clients reports on our critical response center and be on the front end of sales opportunities with answers to security upfront,” Cloutier says.

He added that security can be an enabler for the sales team to close deals, since contract negotiations often hit a snag when no one has explained security to the customer.

[Cloutier will be speaking about Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage during Interop ITX, May 15-19, at the MGM Grand in Las Vegas.]

Another step Cloutier took included changing the timing of when a security engineer was brought into the software development life cycle. Previously, the process went from developing a product, then having it go to the security engineer for evaluation, only to have it returned back to developers for retooling before it was released to the market. Security engineers are now embedded into the development team, as well as quality assurance teams, which Cloutier says speeds the time to market.

More Tricks of the Trade

Cloutier also scored cost savings by reducing his customers’ password resets by 68% over an 18-month period. Applying a business process overview, he evaluated where password resets were frequently occurring and used security automation for password resets in those areas.

“Imagine hundreds and thousands and thousands of calls that come into our call centers from around the globe for password resets,” Cloutier says. “This takes our experienced human capital management client service representatives [out of the loop] to reset passwords.”

Other customer service issues he tackled with a business process approach included cutting the response time on security questions to within 24 hours, compared to the previous four to six weeks.

Transition Challenges

Although Cloutier has had success in overlaying a patina of security across ADP’s businesses, he notes some CISOs may find the move challenging.

“Security is often seen as a component of IT and there are still many companies where their security executives may not be security executives,” Cloutier notes. “They may have security leaders in the company, but they don’t have access to the C-suite to be able to drive those conversations.”

He added that security budgets are often designed as defensive cyber operations and budgeted in a way to only manage, maintain and use technology to defend the environment, rather than handle research and development, or go-to-market operations.

Until these things happen, it is difficult for companies to make it part of their digital go-to-market strategy and sales opportunity, Cloutier says. For instance, he does three client advisory board meetings a year and ADP’s global sales organization pays for those meetings. Cloutier also runs an organization that is fully focused on protecting ADP’s marketplace and the company’s chief strategy office pays for the organization’s costs.

“There are some responsibilities across the business that understand that security is a lever, as well as … a component of their cost of goods sold,” Cloutier says.

Risky Business

When it comes to operational risk management, Cloutier defines it as the ability to understand the issues that can potentially impact ADP’s business, its shareholders and clients and then make informed, contextual-based decisions to reduce the risk to acceptable levels.  

The company’s ecosystem of risk programs begins with its enterprise risk management organization, a centralized program looking across 12 dynamic areas of risk, such as financial risk, legal risk, regulatory risk, IT risk, strategy risk and others.

“ADP is extremely formulized in how they think about risk and develop programs to test and remediate,” Cloutier says, adding that it relies on a scientific formula called factor analysis for information risk (FAIR) to measure market risk and understand the data thresholds. He says FAIR gives him a consistent and measured approach to evaluate risks across all of ADP’s businesses, factoring in the company’s diversified market segments from human capital management platforms to technologies and services, and provides the means to look at all of these segments independently.

He believes other large, mature multinational corporations are also taking a similar approach to risk management and shifting away from a knee-jerk reaction to high-profile security breaches.

“Organizations have been able to look [at] their operations and critical assets and take more of a business operations protection approach, rather than a straight-line cybersecurity approach or a straight-line risk management approach,” Cloutier says. “They look at the operating process, their operating platforms, risks and issues and vulnerabilities associated with those and then measure them accordingly to make very informed decisions. So, I truly believe mature businesses are migrating away from that knee-jerk approach.” 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: http://www.darkreading.com/risk/adp-ciso-offers-tips-to-leverage-security-to-grow-the-business/d/d-id/1328553?_mc=RSS_DR_EDT

Office 365 Gets Data Governance, Threat Intelligence Tools

Microsoft rolls out Advanced Data Governance and Threat Intelligence tools for Office 365, starting today.

Microsoft is making Office 365 Advanced Data Governance and Threat Intelligence tools generally available starting today, the company announced. Both have been in preview mode since they were first unveiled at RSA 2017.

Threat Intelligence takes data points from the Microsoft Intelligent Security Graph to gauge security risk. It provides alerts and tools to determine the prevalence and severity of threats, and an expanded management API to integrate with SIEM systems. 

Advanced Data Governance uses machine learning to retain critical data while weeding out trivial or obsolete information. It gives policy recommendations, identifies and alerts for anomalies (like unusual volume of file deletion), and applies compliance controls to on-prem data.

Effective today, Microsoft is also launching a new reporting interface for Advanced Threat Protection (ATP) reports, which is available in the Office 365 Security & Compliance Center. The idea behind these reports is to provide data on insights, trends, and threats.

Read more on the Microsoft blog

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/threat-intelligence/office-365-gets-data-governance-threat-intelligence-tools/d/d-id/1328557?_mc=RSS_DR_EDT

As Cloud Use Expands, So Do Security Blind Spots, Studies Show

Three-quarters of IaaS and SaaS apps aren’t monitored.

Cloud usage continues to spread throughout some of the most critical parts of IT infrastructure, but even as the workloads grow in importance, the security practices are not necessarily improving at the same pace.

All evidence shows that there still remains a shocking lack of visibility into what enterprise data goes into the cloud, how it’s used, and what controls are in place to keep it safe. Several new reports released in the last week shed more light on the issue, including one out from Bitglass today, which shows fewer than one in four organizations regularly monitor cloud infrastructure for security risks.

“Enterprise cloud apps lack critical controls for data security that could significantly reduce the risk of a breach,” said Nat Kausik, CEO of Bitglass. “While some organizations can identify potential leaks after the fact, few organizations can remediate threats in real-time.”

According to a survey conducted on behalf of Bitglass by CyberEdge Group among 3,000 IT professionals, just 24% of them reported that their organizations routinely monitor SaaS and IaaS apps for security risks. That’s less than half the rate of those organizations that routinely monitor the network perimeter.

It’s no wonder that so many organizations list a lack of visibility as their top concern about cloud security, according to different survey results released by AlienVault last week. Among over 900 participants, 42% named visibility woes as their top security worry.

It’s particularly troubling given the types of data making it into the cloud these days. The industry is well beyond simply depending on SaaS for ticky-tack productivity software or simple document sharing. And as DevOps and Agile efforts gain steam, organizations increasingly depend on IaaS and PaaS to run the critical workloads that are at the heart of their application development and digital transformation efforts. According to a survey conducted by RightScale earlier this year, companies now run 79% of their workloads in the cloud, with 41% running in the public cloud.  

Meanwhile, a different study by Crowd Research Partners released last week found that 39% of organizations store customer data in the cloud, 35% store employee data, 22% store financial corporate data, and the same percentage store intellectual property. The top benefits cited by participants in the Crowd Research study were flexible scalability, improved availability, and cost reduction. The trouble is that too many organizations hear the siren call of cloud’s upside without even considering the risks.

“It’s not all sunshine and roses,” writes Javvad Malik in the AlienVault study from last week. “When improperly used and managed, the cloud has the potential to pose a serious security risk to enterprises, and these risks are barely understood by most organizations, and are often not considered at all.”

In many instances, organizations don’t attempt to fix the visibility problem because there’s an out-of-sight, out-of-mind attitude that permeates a lot of organizational cultures.

“There’s very much an attitude of ‘I don’t need to be as vigorous monitoring stuff as in my own data center because it’s in somebody else’s SAS 70,’ and if something goes sideways I’ll just hold my provider’s feet to the fire,” says George Wrenn, CEO and founder of CyberSaint Security and a research affiliate of MIT’s (IC3) Critical Infrastructure Protection Program. “There’s some plausible deniability and there’s a bit of a myth that (the provider) is taking care of everything. But that’s not the reality. You’re still on the hook for monitoring, measuring, and managing your risk posture in those environments.”

[Need advice on how to hold your cloud computing service providers accountable without relying on them to rescue your whole security program? Then don’t miss “Herding Vendors and Implementing Third-Party Risk Programs,” and other sessions at the Interop ITX conference in Las Vegas, May 15-19.]

One of the difficulties that organizations face in establishing better visibility and control over systems residing in the cloud is that they can’t simply port over old security technologies to cloud infrastructure. The Crowd Research survey shows that 78% of respondents report that their traditional security solutions don’t work or have limited functionality in the cloud. However, that’s not to say they don’t have any options for improving the situation. That may have been true five years ago, but at this point there’s a growing ecosystem of third-party monitoring options available for bridging the visibility gap between on-premises data centers and cloud infrastructure. Not only that, but cloud providers themselves are offering more built-in tools than ever – organizations just need to learn to use them.

“The great news is that cloud providers like AWS are doing great things in the security space to help their users understand better what is going on. If you are running on AWS, you can get tools such as CloudTrail to audit all the API calls on your account, you can use AWS Config in order to audit your systems and ensure they meet your compliance rules,” Pete Cheslock, head of operations and support teams at Threat Stack, told software development site InfoQ recently. “In many cases, the tools are there to be more secure running in the cloud, users just need to learn what they all are.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/cloud/as-cloud-use-expands-so-do-security-blind-spots-studies-show-/d/d-id/1328555?_mc=RSS_DR_EDT

FCC Privacy Rule Repeal Will Have Widespread Security Implications

Concerns over the action are sending VPN sales soaring, some vendors say.

The Trump administration’s move to repeal a Federal Communications Commission (FCC) rule that would have prevented ISPs from selling customer data to third parties has widespread security implications for users and organizations, industry experts warned this week.

The Obama-era FCC rule was to have gone into effect later this year. It would have prevented Internet service providers from collecting and selling data such as a customer’s Web browsing history, location data, and other data related to the user’s online activities without explicit permission.

The White House, FCC chairman Ajit Pai, and others wanted the bill repealed on the grounds that it unfairly favored one set of companies on the Internet over another. The main argument was that the bill would have restricted carriers including AT&T, Verizon, and Comcast from collecting and selling data on a user’s online activities, even as Internet giants such as Google, Facebook, and Twitter were free to do so.

In a statement following President Trump’s signing of an executive order formally repealing the FCC rule Monday, Pai said what is needed now are “consistent and comprehensive” rules for protecting consumer data, that apply to all players equally.

“Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers,” Pai said. Going forward, the FCC will work with the Federal Trade Commission on efforts to police the privacy practices of ISPs equally, he said.

The repeal has triggered widespread security concerns. One of the biggest has to do with the fact that ISPs now can collect and retain a vast amount of private customer data, including browsing habits, geolocation data, and financial and health information.

New America’s Open Technology Institute lists other categories of customer information that ISPs would be able to collect and sell as a result of the repeal, including text messaging history, video-on-demand history, and history of visits to an addiction forum or an online gambling site.

“ISPs are clear to warehouse sensitive Internet use data for all users on their networks in order to monetize it,” says Scott Petry, CEO of Authentic8. Unlike a social media site or a shopping site collecting data on a single user, ISPs have the ability to collect and warehouse all data pertaining to an individual’s digital identity and activities.

“The potential for expanded surveillance is scary enough, but combine that with the fact that the data is in a single location means it will be very attractive to hackers,” Petry says. “ISPs don’t have a particularly good track record of protecting data.” 

Enterprises should be equally as worried as consumers, adds David Gorodyansky, CEO of VPN maker AnchorFree. Data thieves and foreign governments will now have an easier time buying data that can be used to track employees online and keep tabs on an organization’s online activities, Gorodyansky says.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15-16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]

The FCC rule repeal also could have an impact on companies that handle personal data that belongs to EU residents. The EU’s General Data Protection Regulation is set to go into effect next year and requires all organizations that handle EU customer data to commit to stringent data handling requirements. The rule was put in place to protect EU user privacy following Edward Snowden’s revelations about the U.S. government’s ability to access customer data stored by US cloud companies.

“The biggest concern for US companies and ISPs will be the reaction of the EU under the new GDPR regulation,” says Tom Kellermann, CEO of Strategic Cyber Ventures. “Enterprises must ensure that they deploy technologies that improve the privacy and cybersecurity for the benefit of their constituencies.”

Concerns over the privacy and security implications of the FCC rule repeal appear to be driving surging interest in VPN technologies. The end-to-end encryption offered by VPN tunnels leaves ISPs with little more than a user’s IP address to track.

AnchorFree’s Gorodyansky says that the company has seen US installations of its iOS VPN technology surge 27% between February and March this year, from a shade over 653,000 to around 817,400. The company’s VPN installations in March 2017 were more than five times the 150,347 installations from last March.

Another VPN vendor, Panama-based NordVPN, this week too claimed it had seen a 200% increase in inquiries from US-based users in just the past week.

In addition to VPNs, consumers can also use encryption, such as PGP, to make it harder for ISPs to track them, Gorodyansky says. Turning off location data is helpful as well. “To be really anonymous, consumers can disable JavaScript,” he adds.

Browser extensions are available that let users manage which domains have permission to run JavaScript in the browser, so they can enable JavaScript only for those websites they trust.

“Consumers should know what their browser is disclosing,” Gorodyansky says. Tools such as BrowserLeaks.com are available that give users the ability to see all the data being collected and shared by their browsers, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/endpoint/fcc-privacy-rule-repeal-will-have-widespread-security-implications/d/d-id/1328559?_mc=RSS_DR_EDT

Farmers go off-market to dig up patches for their tractors

Farmers have historically spent a lot of time swearing at tractors, but at least they got to fit their own parts while they did it. Now, that’s all changing, according to a report over at Motherboard.

Owners of John Deere tractors have been severely restricted in how they repair their vehicles, thanks to the heavy use of software diagnostic tools, says the report. Instead of simply going to a local independent mechanic and having them replace a part, or simply doing it themselves, farmers must go to an authorized service mechanic or dealership. The tractors use diagnostic software that can only be unlocked by an authorized party to validate the repair work.

If you try to get cousin Bob to replace the transmission in a John Deere tractor independently with a third-party or aftermarket part, the tractor won’t work, say critics of this policy – even if the repair was mechanically sound. Unless Bob can authorize himself with the software, the repair will be, quite literally, a non-starter.

Your equipment is not your own

This idea of preventing users from tinkering with equipment that they own isn’t new. Back in 2011, Apple switched to “pentalobe” screws with non-standard designs to stop people opening its devices. Then, a year ago, it deliberately bricked iPhones that unauthorized technicians had serviced with new home buttons, citing security concerns around rogue Touch ID fingerprint readers as the cause.

Then there’s the printer cartridge racket. HP reportedly rolled out a firmware update for select printers a year ago that ordered the machines to reject any cartridges without an embedded “genuine HP” chip. And Keurig forced users to buy another kind of black gold when it introduced tech that made customers buy its own K-cups. It only gave up the policy when enough people complained.

The manufacturers will all doubtless have good arguments about why they should control your equipment after you bought it. Tractors have to be safe. Hackers or poor service technicians could compromise or damage your phone. Third-party printer ink could damage your device. Other people make, um, bad coffee. It should be your choice, though, shouldn’t it?

The digital content industry has been pulling this kind of stunt for decades. In 1990, toy company Galoob sold the Game Genie, a “game enhancer” device that enabled people to modify games for the Nintendo NES, adding extra lives and such. Nintendo sued Galoob; a win would in effect have stopped customers from remixing games on their own devices. Not pirating them – just changing them. Nintendo lost. Tedium explains the story in more depth.

Then there was the time when Amazon killed books on the Kindle. As if relishing the irony, it wiped copies of 1984 and Animal Farm from customer Kindles, saying the editions had been put on sale by a publisher that didn’t hold the rights. It has since wiped a customer’s Kindle clean with only a cursory explanation and no further discussion.

This is the downside of everything-as-a-service. With the cloud, and the Internet of Things, we’ve become used to the idea that the devices we’re buying aren’t ours, as such, but rather portals for the delivery of other services and content.

Entire business models are built on this premise. Inkjet manufacturers frequently sell their devices for below what it costs to make them, so that they can capitalize on cartridge sales after the fact. Amazon lost money on the Kindle Fire, on purpose, because it needed to claw back market share, and because the device was a conduit for online book, music and movie sales.

The downside of everything-as-a-service

This concept of constant connection and access to the latest services is shiny and new. It makes us feel as though we’re always ahead of the curve, at the forefront of tech. The downside is that it puts us entirely in the vendor’s control. If a company changes its terms and conditions, then you automatically have to comply, or risk a functional downgrade.

Perhaps you’re confident that your vendor’s responsibility is to you, rather than its shareholders, but that doesn’t stop it being purchased by another company with different values. Let’s not forget Google, focused on its own Nest IoT infrastructure, which purchased IoT hub company Revolv and summarily bricked the products that the company’s customers had paid for and installed in their homes.

In most cases, the law is on the vendor’s side. The Digital Millennium Copyright Act (DMCA) prohibits circumventing the technological measures that control access to copyrighted works, firmware included, which would have exposed anyone developing a workaround to keep Revolv hubs running to legal liability.

John Deere customers would seem to have a way around this, following an exemption granted in the Copyright Office’s 2015 triennial DMCA rulemaking that allows people to modify the software on cars, tractors and other motorized land vehicles, and on 3D printers, for repair or lawful modification. The caveat is that the exemption covers only the owner, meaning that cousin Bob still can’t fix that transmission on your John Deere. Unless you majored in software engineering with a minor in farming, neither can you.

One thing stands out here: by switching from a model of customer ownership to a model of customer permission, vendors are making it harder to repair or otherwise modify equipment. It’s a direct attack not only on maker culture, but on the “mend and make do” mentality that got us through the war years and beyond. It mandates built-in obsolescence, which is an environmental nightmare, because when a product reaches what the vendor deems end of life, there is no way for a customer to innovate and extend it.

There’s a group lobbying against all this – the Repair Association – which is helping right-to-repair legislation work its way through eight US state legislatures.

In the meantime farmers are hunting for off-market unofficial hacks that they hope will unlock the codes on John Deere vehicles and allow them to swap out parts quickly so that they can seed their fields.

How’s that for security?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oYBCEiwNg8Q/

Minnesota pushes back against allowing ISPs to sell their users’ data

As we’ve been telling you, the US Congress (or more precisely, these specific members of the House of Representatives and US Senate) recently voted to kill the FCC’s new ISP privacy rules before they took effect.

If, as expected, President Trump signs their bill, massive internet service providers like Verizon and Comcast will get more leeway in profiting from data they collect about you and your browsing habits – some of it potentially downright creepy. (“Exhibit A” might be Verizon’s AppFlash.)

But the US is more than its federal government: it’s 50 states, too. And there are rumblings of rebellion in the hinterland, starting with those allegedly nice and above-average revolutionaries in Minnesota. It’s not a done deal yet, but Minnesota’s legislators seem to be moving towards tightening the state’s ISP privacy rules, no matter what Trump and the Republican US Congress do.

According to the Twin Cities Pioneer-Press, Minnesota’s state senate has voted to “bar internet service providers from selling their users’ personal data without express written consent”.

To earn quick approval by the state senate, the bill needed to escape the conventional committee process. One Republican, Senator Warren Limmer of Maple Grove, broke with the rest of his party to make that possible. Calling the amendment urgent, he said:

We should be outraged at the invasion that’s being allowed on our most intimate means of communication.

Like the US Congress, Minnesota’s legislature has two houses, both of which must agree on a bill before it goes to the executive for signature. (If you need a refresher on any of this, there’s always the famous Schoolhouse Rock video.) Minnesota’s other house has already voted for a similar measure in a different bill, so some reconciling still must happen before the bill goes to Democratic governor Mark Dayton.

If it becomes law, Minnesota’s provision would prevent telecoms or ISPs that have…

…entered into a franchise agreement, right-of-way agreement, or other contract with the state of Minnesota or a political subdivision, or that uses facilities that are subject to such agreements, even if it is not a party to the agreement, [from collecting] personal information from a customer resulting from the customer’s use of [their services] without express written approval from the customer.

The provision would also prohibit ISPs from refusing to provide services to customers who won’t allow data collection.

As DSL Reports’ Karl Bode writes:

Granted the rules don’t go nearly as far as the FCC rules would have… The rules also don’t address ISPs looking to charge users more money to opt out of data collection, which the FCC’s rules were supposed to tackle on a ‘case by case basis’.

But, hey, if you’re concerned about ISP privacy, it’s a solid start.

And it might not be the end. As the New York Times reported last week, the Illinois state legislature is considering a raft of privacy-related bills, including a European-style “right to know” bill that would…

…let consumers find out what information about them is collected by companies like Google and Facebook, and what kinds of businesses they share it with… [and bills that would] regulate when consumers’ locations can be tracked by smartphone applications… [and] limit the use of microphones in internet-connected devices like mobile phones, smart TVs and personal assistants like Amazon’s Echo.

The Times quotes ACLU lawyer Chad Marlow as noting that online privacy offers an unusual opportunity for local coalitions between “progressive Democrats and libertarian-minded Republicans, who see privacy as a bedrock principle”.

IANAL (I am MOST ASSUREDLY not a lawyer), but it’s worth noting that the federal government has sometimes been able to override state laws in areas within the FCC’s jurisdiction. For example, a federal appeals court upheld the FCC’s pre-emption of state regulation of VoIP (in the self-same Minnesota). The Obama-era FCC also tried to override state laws preventing cities from building their own municipal broadband networks to compete with private ISPs, although a federal appeals court struck that attempt down in 2016.

Those cases each have their own patterns of fact and law, so those outcomes don’t presage a similar result here. They’re just a helpful reminder that huge ISPs didn’t get that way without plenty of lawyers.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3WD8xqa_wl4/

Update your iPhone to avoid being hacked over Wi-Fi

It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched.

As we mentioned last week, the recent iOS 10.3 and macOS 10.12.4 updates included numerous fixes dealing with “arbitrary code execution with kernel privileges”.

Any exploit that lets an external attacker tell the operating system kernel itself what to do is a serious concern that ought to be patched as soon as possible – hesitation is not an option.

After all, it’s the kernel that’s responsible for managing security in the rest of the system.

Take this analogy with a pinch of salt, but an exploit that gives a remote attacker regular user access is like planting a spy in the navy with a Lieutenant’s rank.

If you can grab local administrator access, that’s like boosting yourself straight to Captain or Commodore; but if you can own the kernel (this is not a pun), you’ve landed among the senior Admiral staff, right at the top of the command structure.

So make sure you don’t miss the latest we-didn’t-quite-get-this-one-out-last-time update to iOS 10.3.1:

iOS 10.3.1

Released April 3, 2017

Wi-Fi

Available for: iPhone 5 and later, 
               iPad 4th generation and later, 
               iPod touch 6th generation and later

Impact:        An attacker within range may be able to 
               execute arbitrary code on the Wi-Fi chip

Description:   A stack buffer overflow was addressed 
               through improved input validation.

CVE-2017-6975: Gal Beniamini of Google Project Zero
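The advisory says the bug was a stack buffer overflow fixed by “improved input validation”, which is the classic shape of a parsing bug in code that consumes frames arriving over the air. The following is an added example written for this page, not Apple’s code or the Wi-Fi chip vendor’s firmware: a toy parser for the type/length/value information elements carried in Wi-Fi management frames, shown once trusting the length byte that the attacker controls and once checking every length against the bytes that actually exist and the buffer they are copied into. The element ID, frame layout and sample bytes are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not Apple's or the Wi-Fi chip vendor's code):
 * a toy parser for the type/length/value "information elements" that
 * Wi-Fi management frames carry. Element ID, layout and sample bytes
 * are assumptions made up for this illustration.
 */

#define IE_SSID        0x00   /* element ID assumed for the example */
#define SSID_MAX_LEN   32     /* an SSID is at most 32 octets */

/* Vulnerable: trusts the length byte that arrives over the air. */
int ssid_from_ie_vulnerable(const uint8_t *ie, char *out)
{
    char ssid[SSID_MAX_LEN + 1];            /* fixed-size stack buffer */
    uint8_t len = ie[1];                    /* attacker-controlled, 0..255 */

    if (ie[0] != IE_SSID)
        return -1;
    memcpy(ssid, ie + 2, len);              /* BUG: len > 32 smashes the stack */
    ssid[len] = '\0';
    strcpy(out, ssid);
    return len;
}

/* Hardened: the same parse, but every length is checked against the bytes
 * the frame really contains and against the destination before any copy. */
int ssid_from_ie_hardened(const uint8_t *frame, size_t frame_len,
                          char *out, size_t out_len)
{
    size_t pos = 0;

    if (frame == NULL || out == NULL || out_len == 0)
        return -1;

    /* Walk the TLV list; each element needs 2 header bytes plus its payload. */
    while (pos + 2 <= frame_len) {
        uint8_t id  = frame[pos];
        size_t  len = frame[pos + 1];

        if (len > frame_len - pos - 2)
            return -2;                      /* element claims more bytes than the frame has */

        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN || len + 1 > out_len)
                return -3;                  /* longer than any legal SSID or than our buffer */
            memcpy(out, frame + pos + 2, len);
            out[len] = '\0';
            return (int)len;
        }
        pos += 2 + len;
    }
    return -4;                              /* no SSID element present */
}

/* Constructed sample frame bodies (not captured traffic). */
static const uint8_t benign_frame[] = {
    0x01, 0x02, 0x82, 0x84,                 /* some other element, 2-byte payload */
    IE_SSID, 0x04, 'h', 'o', 'm', 'e'       /* SSID "home" */
};
static const uint8_t oversized_frame[] = {
    IE_SSID, 0xff, 'A', 'A', 'A', 'A'       /* claims 255 bytes, only 4 follow */
};
static const uint8_t truncated_frame[] = {
    IE_SSID, 0x10, 'a', 'b'                 /* claims 16 bytes, only 2 follow */
};
static const uint8_t long_ssid_frame[] = {
    IE_SSID, 0x28,                          /* 40 octets really present, but too long for an SSID */
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};

int main(void)
{
    char out[SSID_MAX_LEN + 1];
    int r;

    r = ssid_from_ie_hardened(benign_frame, sizeof benign_frame, out, sizeof out);
    printf("benign:    rc=%d ssid=\"%s\"\n", r, r >= 0 ? out : "");
    r = ssid_from_ie_hardened(oversized_frame, sizeof oversized_frame, out, sizeof out);
    printf("oversized: rc=%d (rejected before any copy)\n", r);
    r = ssid_from_ie_hardened(truncated_frame, sizeof truncated_frame, out, sizeof out);
    printf("truncated: rc=%d (rejected before any copy)\n", r);
    r = ssid_from_ie_hardened(long_ssid_frame, sizeof long_ssid_frame, out, sizeof out);
    printf("40-octet:  rc=%d (rejected before any copy)\n", r);

    /* Feeding oversized_frame to the vulnerable parser would write up to 222
     * bytes past ssid[]; it is only ever called here on the benign element. */
    r = ssid_from_ie_vulnerable(benign_frame + 4, out);
    printf("vulnerable parser on benign input: rc=%d ssid=\"%s\"\n", r, out);
    return 0;
}
```

The important line in the hardened version is the comparison of the declared length against `frame_len - pos - 2`, performed before the element is even looked at: it is the “improved input validation” that stops both a too-short frame (an over-read) and a lying length byte (the overflow) from ever reaching `memcpy`.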

This is rather different from the usual sort of attack – the main CPU, operating system and installed apps are left well alone.

Most network attacks rely on security holes at a much higher level, in software components such as databases, web servers, email clients, browsers and browser plugins.

So, attacking the Wi-Fi network card itself might seem like small beer.

After all, the attacks that won hundreds of thousands of dollars at the recent Pwn2Own competition went after the heart of the operating system itself, to give the intruders what you might call an “access all areas” pass.

Nevertheless, the CPU of an externally-facing device like a Wi-Fi card is a cunning place to mount an attack.

It’s a bit like being just outside the castle walls, on what most security-minded insiders would consider the wrong side of the moat and drawbridge.

But with a bit of cunning you may be able to position yourself where you can eavesdrop on every message coming in and out of the castle…

…all the while being ignored along with the many unimportant-looking peasants and hangers-on who’ll never have the privilege of entering the castle itself.

Better yet, once you’ve eavesdropped on what you wanted to hear, you’re already on the outside, so you don’t have to run the gauntlet of the guards to get back out to a place where you can pass your message on.

What to do?

As far as we know, this isn’t a zero-day because it was responsibly disclosed and patched before anyone else found out about it.

Cybercrooks have a vague idea of where to start looking now that the bug has been described, but there’s a huge gap between knowing that an exploitable bug exists and rediscovering it independently.

We applied the update as soon as Apple’s notification email arrived (the download was under 30MB), and we’re happy to assume that we’ve therefore beaten even the most enthusiastic crooks to the punch this time.

You can accelerate your own patch by manually visiting Settings | General | Software Update to force an upgrade, rather than waiting for your turn in Apple’s autoupdate queue.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XklKglTar6s/