STE WILLIAMS

The evolution of ransomware: How a nuisance turned into a business menace

Promo To many Internet users it must look as if ransomware arrived out of the blue. Pioneers such as Cryzip started circulating at very low levels in the UK as early as 2006 and yet it wasn’t until 2013 that this type of malware suddenly spiked with the appearance of its first big global superstar, CryptoLocker.

CryptoLocker, and its follow-up rival CryptoWall, were an object lesson in what made ransomware potent. Delivered as simple email attachments and eschewing fancy evasion techniques, they wasted no time finding and encrypting their victims’ data. The social engineering was brilliant – did the user want their data back badly enough to pay a Bitcoin ransom?

At first, the targets were consumers but the genius of ransomware was that anyone could be a victim, including SMEs and even departments in larger organisations. Unfortunately, a lot of security companies were caught as unaware as their customers, stuck in a reactive model of security that made assumptions about how malware was evolving.

For ransomware makers, it’s been too easy. Profits have soared, with the FBI estimating total ransom payments at around $1 billion in 2016. Even if defences have improved and awareness has risen, ransomware shows no signs of slowing down as the public body count of small businesses, hospitals, libraries, police departments, hotels, and uncounted lone consumers continues to grow.

Take time to understand the enemy

If it sounds as if the world is falling off a cliff, James Lyne, head of security research for security company Sophos, is keen to demystify the dread of ransomware. After analysing numerous samples of ransomware in his day job, he comes bearing an urgent message of hope: ransomware can be stopped as long as defenders take the time to understand the enemy.

“Everyone is a potential target. It doesn’t matter whether you are a large enterprise, an SME or a consumer – everyone is being affected by this,” explains Lyne. This universality has turned out to be a clever innovation for the criminals who no longer need to think about who they are attacking so much as how much victims value their data.

Technically, the payload is the bit of the malware that finds and encrypts the victim’s data. But another way to understand the payload is to see it as the psychological ratchet in which the price is increased to match the pain and inconvenience the extortion gang thinks it is inflicting.

In extortion, then, the payload is as much the mental state it engenders in victims as lines of code. The social engineering is to make paying the ransom look like the easiest way out.

Lyne mentions having conversations with businesses which have pondered whether it might not simply be easier to hold funds back to pay off ransomware attackers as if it were another transaction. Bad idea, argues Lyne.

“There is the obvious moral and ethical question of whether you want to be paying money to a cybercriminal. But if you show yourself as someone who will pay, you are all the more likely to be targeted again,” he warns.

Permanent lockware

He recalls the case of a company that paid to stop an attacker releasing personal information stolen from a website by exploiting an SQL flaw. Although not involving ransomware, the strategy typified the direction extortion crimes are heading.

“They did a deal and the attacker came straight back, found another flaw, and repeated the attack with higher prices. Remember you are dealing with criminals and can’t expect honour among thieves.” Lyne also cites the growing unreliability of the payment mechanisms used by cyber criminals, either because police have shut them down or the criminals have had to abandon them to avoid detection.

“There might not be any way to pay and that ransomware has inadvertently become permanent lockware. It isn’t safe to say ‘I will be able to pay to get my data back’. There are instances where you won’t be able to do that.”

The idea that victims could be attacked twice or more in succession using the same tactic seems counter-intuitive until you grasp that the trick of all social engineering is to impose a degree of control in the minds of its victims. When criminals write the rules of the game, it is the captive who must adjust their understanding of reality. So where should companies and individuals look for salvation?

Ransomware: The first defensive layer

Before even mentioning anti-ransomware technologies, Lyne reels off a list of simple protections that should form the first defensive layer. These range from obvious suggestions such as comprehensive backup routines (with at least one copy offline or otherwise unreachable from workstations, since ransomware also encrypts whatever mapped drives it can write to) and more rapid software patching (“patch early, patch often”) to more careful network segmentation (keeping servers and workstations apart) and reining in overly-permissive user rights to network drives. Some admins block executables in attachments but forget to do the same for document macros, he says.

The best tweaks are often the simplest and cheapest: install Microsoft Office viewers so that recipients can see what documents look like before opening them, and always show file extensions so that recipients have visual information on an attachment (a “report.pdf.js” file otherwise displays as “report.pdf”). Microsoft has made specific, more granular controls available for macros, which are one of the prime ways ransomware gangs get their malware deployed within well-constructed Office documents.

Always set JavaScript (.JS) files to open by default in Notepad rather than the Windows Script Host, and make sure Office 2016 is configured to block macros in documents received from the Internet. This is the “Block macros from running in Office files from the Internet” policy, which keys off the same Mark-of-the-Web zone information that Protected View uses, and unlike the yellow Protected View bar it gives the user no “Enable Content” button to click.
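As an added example (not code from the article, from Sophos or from Microsoft), the PowerShell below applies three of the cheap tweaks just described to a single Windows 10 / Office 2016 host and then audits them so the result can be logged. It goes slightly beyond the text by treating the other Windows Script Host extensions (.jse, .vbs, .vbe, .wsf) the same way as .js. Assumptions: the Office policy path version “16.0” corresponds to Office 2016, the HKEY_CLASSES_ROOT writes need an elevated prompt, and in a domain the same values should be pushed by Group Policy rather than by this script.

```powershell
# Added example, not the article's or Sophos's code. Hardens one Windows 10 / Office 2016
# host against the attachment tricks described above, then reports compliance.
# Assumptions: Office 2016 policy path "16.0"; run elevated for the HKEY_CLASSES_ROOT
# writes; HKCU values apply to the current user only (use Group Policy in a domain).

$ErrorActionPreference = 'Stop'
$OfficeApps     = 'Word', 'Excel', 'PowerPoint'
$ScriptProgIds  = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile'   # Windows Script Host types
$NotepadCommand = '"C:\Windows\System32\notepad.exe" "%1"'

function Set-RansomwareHardening {
    # 1. Hand .js/.jse/.vbs/.vbe/.wsf files to Notepad instead of wscript.exe, so a
    #    double-clicked "invoice.js" attachment shows harmless text instead of running.
    foreach ($progId in $ScriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCommand
        }
    }

    # 2. Show extensions in Explorer so "report.pdf.js" is not displayed as "report.pdf".
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name 'HideFileExt' -Value 0 -Type DWord

    # 3. Block macros in Office files that carry the Internet-zone mark (downloads and mail
    #    attachments): Microsoft's "Block macros from running in Office files from the
    #    Internet" policy. The user gets a notification but no Enable Content button.
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-RansomwareHardening {
    # Returns one object per control with a Compliant flag, so the check can feed a
    # scheduled task, a SIEM export or a simple "is this box still hardened?" report.
    $results = @()
    foreach ($progId in $ScriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $results += [pscustomobject]@{ Control = "$progId opens in Notepad"; Compliant = ($cmd -eq $NotepadCommand) }
    }
    $hide = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced').HideFileExt
    $results += [pscustomobject]@{ Control = 'File extensions visible'; Compliant = ($hide -eq 0) }
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        $results += [pscustomobject]@{ Control = "$app blocks Internet macros"; Compliant = ($v -eq 1) }
    }
    return $results
}

Set-RansomwareHardening
Test-RansomwareHardening | Format-Table -AutoSize
```

Run Test-RansomwareHardening on its own afterwards (or from a scheduled task) to catch the settings being reverted by a later Office install or a helpful user; a single non-compliant row is the signal that the first defensive layer has quietly gone missing on that host.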

But dedicated anti-ransomware protections also have their place even if working out which one is often not straightforward. Some traditional anti-virus vendors were caught out by ransomware’s sudden rise from obscurity, which caused blocking rates to drop.

Customers started asking themselves whether their expensive licenses were worth the annual retainers. Although protection has improved a lot in the last three years, confusion still reigns. With numerous fancy technologies hyped up to stop ransomware, which ones are worth investing in?

“It is hard to see through the mass of marketing and conflicting advice. Figuring out which technology is effective isn’t that easy,” accepts Lyne. “The first thing I’d do is ask my security vendor what they do in this area.”

Intercepting extortion

For business customers, Sophos’s response to tricky threats such as ransomware is Intercept X, a modular endpoint security product launched in late 2016 that integrates multiple protections and boosts the ransomware protection already available in its existing endpoint products.

Intercept X includes exploit prevention (blocking the techniques attackers use to gain code execution in the first place), behavioural detection of ransomware-style activity such as a process opening and rewriting lots of files, the detection of zero-day attacks and the sort of forensic analysis that can strip a malware event back to its source.

If ransomware manages to execute and start encrypting files, Intercept X’s CryptoGuard protection immediately engages its remediation. “It keeps state of what has happened to files and has the ability to roll back, enabling you to undo any damage,” Lyne says.

This underlines the way tackling ransomware has become as much about response as simple detection and blocking. Having an automated system on hand to help with this is a major advantage.

And the future? With the recent growth of targeted ransomware, ransomware-as-a-service, and the mass encryption of poorly-secured MongoDB databases, it doesn’t seem over-anxious to worry about where ransomware might be heading.

“We haven’t launched into the world of super-targeted ransomware yet. But we are dancing on the edge of it,” concedes Lyne, who remains surprisingly optimistic. Defenders simply need to overcome their fear and adapt.

“The majority of campaigns that we see are still opportunistic,” says Lyne, who downplays the issue of sophistication. For sure, ransomware is improving but what will make the difference in the end is how rapidly defenders adapt to stop it.

Technology will only take defenders so far – in the end it is the mental battle that will sort those who will resist ransomware from those who will succumb.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/29/the_evolution_of_ransomware_how_a_nuisance_turned_into_a_business_menace/

Macs and iPhones patched – including 23 kernel-level holes

Apple’s latest batch of updates is out, including macOS Sierra 10.12.4 and iOS 10.3.

There’s also an update to Safari 10.1, installed automatically if you update Sierra, but provided as a separate download for OS X El Capitan (10.11) and OS X Yosemite (10.10), which get Security Update 2017-001 rather than a full-on point release.

Lastly, the iWork suite, consisting of Pages, Keynote and Numbers (Apple’s equivalent of Word, PowerPoint and Excel), was updated too.

The iWork updates were mainly about form and function, but also included a security patch dealing with an intriguing vulnerability, about which more later.

Importantly, the iOS and macOS updates close a number of security holes revealed at the recent Pwn2Own contest held alongside the CanSecWest conference in Vancouver, Canada.

All software on the target computer is patched immediately before the contest, so even an attack that worked fine in the lab the week before might end up stymied on competition day.

In other words, Pwn2Own isn’t just about spotting vulnerabilities that might be exploitable, but also about exploring exploitation techniques to come up with genuine zero-day security holes that will work even on properly-updated systems.

Prizes run to hundreds of thousands of dollars each.

Not everyone approves of the competitive “winner-takes-all” approach, in which vulnerabilities may be kept secret for weeks or even months until showtime arrives.

But whether you like it or not, high-stakes bug bounty contests like Pwn2Own have become part of today’s responsible disclosure scene.

The “responsibility” comes from the fact that to claim the prize, the bug finders have to give the affected vendor full details of the attack and keep those details confidential until the vendor has had time to fix the hole.

The high payout for many Pwn2Own bugs reflects that they would be similarly valuable if crooks were to find them instead, so fixes typically follow as quickly as is practicable.

The TL;DR version of this story is this: as Apple patches go, treat these as “first among equals” and make sure you get them as soon as you can.

If you wait for your turn to come around in Apple’s staggered autoupdate process, you might end up several days behind, so we recommend checking for updates manually right away.

On a Mac, click on Apple Menu | About This Mac | Software Update… and then click on the blue “update arrow” in the App Store app. On an iPhone or iPad, use Settings | General | Software Update to make sure you have the latest version. When we updated, the download sizes were about 1.5GB for macOS 10.12.4 and 650MB for iOS 10.3. As is typical for Apple security updates, a restart was required, and the update completed over a 15 to 20 minute period as part of the reboot, during which time we couldn’t use our Mac or our phone. Just so you know.

If you’re still not convinced about the value of getting into the patch queue as early as you can, here are some statistics from Apple’s official Mac security announcement:

65 fixes listed.
127 CVE-numbered vulnerabilities listed.
23 fixes deal with arbitrary code execution with kernel privileges.
42 system components affected, from AppleGraphicsPowerManagement to tiffutil.

Some of the vulnerabilities can be triggered by viewing booby-trapped files as diverse as images, fonts and iBooks files, all of which can be unexceptionably embedded in or linked to from otherwise innocent-looking web pages.

And if that’s not enough, consider this one.

We’ve written about Thunderbolt-related memory probing and firmware hacks before; this time the flaw could theoretically allow an attacker with physical access to your Mac to find your hard disk decryption password in memory:

Component:     EFI (macOS Sierra 10.12.3)
Impact:        A malicious Thunderbolt adapter may be able to 
               recover the FileVault 2 encryption password
Description:   An issue existed in the handling of DMA. 
               This issue was addressed by enabling VT-d in EFI.
CVE-2016-7585: Ulf Frisk (@UlfFrisk)

One way to mitigate memory-probing attacks against your Mac, or any other computer for that matter, is to shut down your computer completely instead of relying on hibernation or sleep mode. When powered off, the decryption password is lost from RAM, so there’s nothing to recover until you’ve booted up and typed the password in again. Especially if you travel a lot, when you can’t guarantee to have your computer in sight and under your own control at all times, get into the habit of doing a full shutdown instead of simply closing the lid. It requires a bit more discipline, and takes longer than simply ‘sleeping’ and ‘unsleeping’ your computer, but it’s an orderly thing to do, and breaks the risky habit of leaving loads of applications alive with interesting documents open in them.

Before we go…

We mentioned a security patch for iWork at the top of the article.

The iWork fix is small and simple, but nevertheless a serious reminder of how “forgotten history” can come back to bite us all.

According to Apple, the password protection feature in the Export To PDF… option of the Numbers, Pages and Keynote apps could sometimes leave you with a 40-bit RC4-encrypted file, instead of the 128-bit AES encryption that today’s encrypted PDFs are expected to use.

We’re guessing that this was a long-forgotten hangover from the days when the US regulated cryptographic exports as if they were munitions, requiring export versions of US software to use deliberately weakened encryption that US intelligence could crack when it chose to, but that less well-funded adversaries couldn’t quite.

Of course, 40-bit keys that were “just about” crackable by the NSA 20 years ago are crackable by everyday computer hardware now…

…a reminder, given that the UK government this week called for deliberate cutbacks to the encryption strength used by services such as WhatsApp, that you can’t strengthen security by weakening it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HNcyYi9_JJY/

Should Trump Tackle Air-Gapped Critical Infrastructure?

MIT experts issue recommendations to the president, urging him to take elements of the electric grid and gas pipeline offline – but other security experts say that ship has sailed.

Experts from the Massachusetts Institute of Technology and stakeholders from US critical infrastructure companies weighed in today with a host of recommendations for the Trump administration on how to take meaningful action to protect the nation’s vital systems. In addition to the usual advice to quit delaying a decision, the experts’ report took a stand by suggesting that critical components of the electrical grid and gas pipeline need to be taken offline.

The advice comes by way of a major report out from MIT’s Internet Policy Research Initiative at the Computer Science and Artificial Intelligence Laboratory. The report is the culmination of a year’s worth of work reaching out to stakeholders across four major economic sectors: electricity, finance, communications, and oil and natural gas. Written by a group of luminaries headed by principal author Joel Brenner, a former inspector general for the National Security Agency, the report offers a handful of pointed recommendations to the president about how critical infrastructure security coordination needs to be expeditiously advanced.

As the Trump administration starts to float proposed executive actions in regard to improving federal cybersecurity, there’s been very little said about bolstering the protection of privately owned critical infrastructure. The authors of the report warn that this could be to the country’s great detriment. They say that coordinated improvement of national cybersecurity interests must include privately owned critical infrastructure if the US is going to make meaningful headway in improving the national risk posture.

“The nation can no longer afford a pattern of uncoordinated executive action and scattershot research,” the authors say. “Total security is not achievable. But a materially improved security environment for the infrastructure on which virtually all economic and social activity depends can be created with sufficient resources and political will.”

One of the biggest technical bones of contention the authors have regards the widespread access by critical control components of the US electrical grid and gas pipelines to the public Internet. The report states that security pros overwhelmingly believe at least certain aspects of their systems need to be air-gapped from public networks. The problem is deciding which aspects.

“There are significant differences of opinion about appropriate degrees of isolation,” the authors admit. They recommend that the president’s administration, in coordination with the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, expedite a conference of state electricity regulators to “explore the feasibility and expense of isolating key elements of electricity generation and delivery from public networks.”

It’s an interesting debate because, in many instances, the industrial control system (ICS) environment is growing more connected to public networks than ever.

“It seems counterintuitive, this recommendation, because the myth of the air gap disappeared years ago,” says Phil Neray, vice president of industrial cybersecurity for CyberX. “And it’s getting even more unfeasible to do an air gap now when we’re moving towards smart grids and smart manufacturing, when there’s an even bigger need to connect the [operation technology] to the IT network in order to do analytics and real-time intelligence.”

According to Lane Thames, software development engineer and security researcher with Tripwire’s vulnerability and exposure research team, the security community must face these facts with planning that takes into account the convergence of the cloud, the industrial Internet, and the Internet of Things, which is already happening now. Companies are moving forward with it to not only improve the efficiency of the essential infrastructure but also to improve reliability.

“Newer industrial control systems will, indeed, have connections to the cloud for applications such as big data analytics and such. For example, predictive maintenance, which is key for advanced smart manufacturing, requires such technology,” he explains. “These cloud-based applications will also come with communication paradigms that essentially break, as a minimum, our current standard views and best practices of security in terms of perimeters and segmentation.”

These aren’t trends that can easily be stemmed, and air-gapping systems with increasingly complex interconnections will not only be unrealistic from a business sense but also technically difficult to do. Neray says that there are better ways of mitigating the risks, namely through continuous monitoring for anomalies and continuous assessment for vulnerabilities in critical systems, as well as improving information sharing between public and private sector stakeholders.

More Than Technology
Whatever the technical solutions look like, experts seem to agree that it will take more than just technological advancement to move forward on critical infrastructure security.

“The challenges we face are not merely technical. They are also economic, managerial, behavioral, political, and legal. Indeed, the technical challenges may be the easiest to address. For example, aligning economic, tax, and liability incentives with the goal of higher security is not a technical challenge,” the report said. “Realigning incentives would be a daunting task, but our critical infrastructure cannot be made reasonably secure unless we do.”

Richard Clarke, for one, believes that it’s going to take regulation — a dirty word in Washington — to really make a dent in things. At the S4 conference earlier this year, he suggested that the country needs to set regulatory deadlines industry by industry for rolling out security enhancements to new and legacy systems that affect critical infrastructure. He believes that the research for the right technical solutions will only follow this kind of hard-and-fast regulation, because significant investments need to be made.

“In the absence of regulation, none of this is going to happen,” he said. “In the absence of regulation, no one company is going to say, ‘I’m going to do this.’ In the absence of regulation, no one sector is going to say, ‘We are going to do this.'”

For his part, Neray agrees with the MIT report that tax incentives could also help do the trick.

“Tax incentives would be a great way to do it,” he says. “Tax incentives are just generally more popular than more regulation. And incentives to spend more on continuous monitoring to protect our infrastructure — that sounds like a no-brainer to me.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/should-trump-tackle-air-gapped-critical-infrastructure/d/d-id/1328505?_mc=RSS_DR_EDT

News in brief: Hong Kong voters’ data lost; Rudd faces pushback; Google Home lands in Britain

Your daily round-up of some of the other stories in the news

Hong Kong voters’ details lost in laptop theft

Two laptops stolen in Hong Kong contained the data of the Chinese special administrative region’s 3.7m voters as well as the personal details of the 1,200 members of the Election Committee, according to the city’s Registration and Electoral Office, in what’s thought to be Hong Kong’s biggest ever data breach.

The laptops were stolen from a locked room at the AsiaWorld-Expo on Lantau island that had been designated as a backup venue for the elections for the chief executive that were held last weekend.

The South China Morning Post reported that the electoral office had told the Office of the Privacy Commissioner for Personal Data that the laptops’ hard drives are encrypted. However, committee member Charles Mok said he found it “puzzling” that the data had been stored on a laptop.

“Perhaps they didn’t put the voters’ data in a proper place after last year’s legislative elections and then the devices were used for the chief executive election,” he added.

Pushback against call to spy on WhatsApp

A call by the UK home secretary, Amber Rudd, for increased powers to access encrypted messages in the wake of last week’s attack on Westminster has run up against opposition from major-general Jonathan Shaw, the former head of cybersecurity at the Ministry of Defence.

He told the BBC that what Rudd was calling for would push extremists into finding other ways to communicate, adding: “There is a lot of politics at play here. What they are trying to do is use this moment to nudge the debate more in their line.”

UK officials are due to meet executives from US tech companies on Thursday, said Reuters, to press them to help with monitoring communications by potential attackers. Downing Street said: “If there are circumstances where law enforcement agencies need to be able to access the contents, they should be able to do so. How that is achieved, I think, is a matter for the talks later in the week.”

Google Home arrives in the UK

Britons who want to add to their collection of devices that collect data about them will be able to buy a Google Home from the end of next week, said Google today.

Much like Amazon’s Alexa-powered devices, the Echo and the Dot, the Google Home will be able to answer questions, deliver news briefings, play music and control smarthome devices.

The Google Home device, which will cost £129, is generally thought to be better at some tasks thanks to its use of the AI-driven Google Assistant, which debuted on the Pixel and Pixel XL phones, and the superior search capabilities of Google, but Amazon’s devices have a significant first-mover advantage in the UK having arrived at the end of last year.

We have written about some of the issues of how these smart devices collect data, but doubtless some gadget fans will want to add a Google Home to an existing Amazon Echo – which, if you set aside your concerns about data for a few moments, can provide some entertaining moments.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wR9zokrY1Es/

1.4 Billion Data Records Exposed in 2016 Breaches

The number of data records breached soared in 2016 over the previous year, with the technology sector facing the brunt of the attacks.

Cybercriminals infiltrated some 1.4 billion data records last year – a whopping 86% increase over the previous year, according to a new report released today by digital security firm Gemalto.

This bounty of information was snagged in 1,792 incidents worldwide, so attackers took a larger haul from fewer attempts: the number of breach incidents fell 4% in 2016 compared with the year-earlier figure.

Identity theft accounted for 59% of the data breach incidents, a 5% increase from 2015. Account-access breaches were next in line as the most prevalent type of data breach, even though this form of attack fell by 3% over the previous year. Account-access attacks nevertheless accounted for 54% of the 1.4 billion breached records, and the number of affected records rose by 336% over 2015.

“This highlights the cybercriminal trend from financial information attacks to bigger databases with large volumes of personally identifiable information,” the report states.

Outside malicious attackers accounted for 68% of the breaches, an increase of 13% from 2015. The most targeted industries included technology, which incurred 11% of the breaches and suffered the largest increase in attacks, with a 55% jump over last year. Healthcare was hit with 28% of all data breaches, with an 11% year-over-year increase in attacks, and financial services, 12% of data breaches, a level that constitutes a 23% decline in attacks compared with last year.

Read more in the Breach Level Index Report.


Article source: http://www.darkreading.com/threat-intelligence/14-billion-data-records-exposed-in-2016-breaches/d/d-id/1328501?_mc=RSS_DR_EDT

Commercial IoT: Big Trouble in Small Devices

There are endless scenarios where hackers could wreak havoc on the industrial Internet of Things. There’s also a readily available solution called ‘HIP.’

It’s impossible to ignore the explosion of connected “things” today. Everywhere we turn there’s a new connected device. Hundreds to millions of unmanned devices and sensors are being deployed on everything from mining equipment and smart buildings to healthcare monitors and thermostats. By 2020, the Internet of Things (IoT) is projected to include somewhere between 20 billion and 50 billion connected things.

Still, many businesses haven’t quite wrapped their heads around the IoT. They know it is an opportunity that can’t be ignored—connecting our digital and physical worlds has the power to inform far better business decisions—but they see complexity and security red flags at the prospect of thousands of things talking to each other. They’re rightfully concerned.

Anything connected to the Internet has the potential to be exploited, whether it’s your refrigerator or an industrial control system. The sheer number of connected devices makes this complex for businesses.

Take a mining operation where 20 pieces of equipment each has hundreds to millions of sensors collecting and reporting real-time data. Each of these sensors is a connected “thing” that needs to deliver information to and from the network. One of these sensors may detect wear on the piece of equipment and report back the need for maintenance, or even control pausing its workload or shifting workload to another piece of equipment. Hacking this device could be used to send false instructions to physical equipment putting performance or safety in jeopardy.

There are endless scenarios where the industrial IoT, if accessed by hackers, could wreak havoc. Imagine the impact of a successful attack on the energy grid, chemical plants, medical equipment, oil fields or even traffic lights or ATMs. Then, there’s the scenario we saw last fall where unsecure IoT devices were used for a distributed denial-of-service (DDoS) attack on a massive scale.

A Hypermobile Protocol-Level Solution
In my opinion, IoT security needs to be solved at the protocol level. Current security methods, such as firewalls and VPNs, will fail as IoT grows; they are too expensive to deploy and manage in large numbers, and remember we’re talking about hundreds and thousands of IoT devices in a business.

At the same time, we can’t rely on the current IP protocol that runs the Internet today to secure the IoT. IP addresses are easily spoofed, which means an attacker could gain access to an IoT device by impersonating a trusted connection. The IP protocol was not designed as a secure protocol; even Vinton Cerf, co-inventor of TCP/IP and widely known as the “Father of the Internet,” says he wishes they had done more in the beginning to secure the Internet. Unfortunately, we don’t get a do-over.

So, decades later, businesses need a way to secure the vast number of connected devices that the IoT network of the future requires. I’m a firm believer in an industry protocol called host identity protocol (HIP). HIP was specified in the IETF HIP working group about 15 years ago and has matured considerably since then. With HIP, applications and transport protocols no longer bind to IP addresses at all; they bind to a cryptographic host identity derived from the device’s own public key, which a peer cannot spoof without the matching private key. IP addresses are left to do nothing but routing, and because a HIP host only talks to peers that have authenticated to it, it is effectively invisible to unsolicited traffic by default, making it resistant to man-in-the-middle and DDoS attacks.

In simple terms, you can think of HIP like your fingerprint. It’s unique to the device, and like your fingerprint travels with you always, a HIP address is recognized no matter where it accesses the network from—it’s hypermobile.

Just imagine the things enterprises could achieve when IoT security is no longer a barrier—intelligent buildings, remote patient monitoring, new business models we haven’t even thought of and the list goes on. Eventually, we’ll be able to stop talking about how we connect the IoT. We’ll take for granted the data we capture from our “things” and the focus will become what we do with it. That’s a day I’m looking forward to.


Stuart Bailey is the chief technology officer of Open Data Group. He founded and was most recently chief scientist of the leading global DNS solutions provider Infoblox, and is on the board of directors of Tempered Networks. Stuart is a career technologist and an …

Article source: http://www.darkreading.com/endpoint/commercial-iot-big-trouble-in-small-devices/a/d-id/1328502?_mc=RSS_DR_EDT

Why government plans to spy on WhatsApp will fail

Last week, a man deliberately ran over more than 50 pedestrians on Westminster Bridge in London.

Four of the victims have already died of their injuries.

The attacker then jumped from his car and charged into the area surrounding the Palace of Westminster – the UK’s Houses of Parliament, seat of the national legislature – and stabbed an unarmed policeman to death, before being shot dead himself.

The UK has had to come to grips with what was, in effect, a terrorist attack, albeit by a man who might well turn out to be a lone sympathiser with the so-called Islamic State.

Understandably, people want to know not only how this attack came about, but also how it might have been foreseen and prevented.

When news emerged that the attacker might have used WhatsApp shortly before the attack, anyone with an interest in computer security, privacy and encryption knew just what was coming next…

…an official call to regulate secure messaging services, and to force companies like WhatsApp to deliver their services in a way that makes surveillance and investigation easier.

And that call has come, loud and clear, from none other than Amber Rudd, the UK home secretary, the UK equivalent of the American secretary of homeland security.

According to UK newspaper The Guardian:

The home secretary said it was “completely unacceptable” that the government could not read messages protected by end-to-end encryption and said she had summoned leaders of technology companies to a meeting on Thursday 30 March to discuss what to do.

What to do?

Strictly speaking, and as a matter of terminology, true end-to-end encryption can’t be intercepted in transit, at least not without the sender or recipient noticing.

If you can decrypt an enciphered data stream along the way – whether for archiving, surveillance or even simply for scanning for risky content such as spam or malware – then you didn’t really have end-to-end encryption in the first place.

Indeed, many services we think of as “encrypted” are subject to what’s called lawful interception, which is supposed to mean that with the right sort of authorisation from the judiciary, supposedly confidential data that was sent or stored using the service can be recovered.

Lawful interception may lead to traffic being monitored in real time, or (given the sheer volume of data involved these days) recovered and decrypted later to help an investigation or prosecution.

Decrypting at the end

For example, your online banking transactions are typically encrypted end-to-end as you conduct them, but the bank needs to keep a permanent record of what you did – for its own rather obvious commercial reasons, as well as for regulatory purposes.

Likewise, you typically keep a record at your end, in case of disagreements.

If you’re wise you’ll store your bank statements on an encrypted disk or in an encrypted file, but you can recover them later if you choose.

Courts can, and often do, order the release of banking data for legal purposes: even if you don’t comply, the bank almost certainly will, using its own decryption keys to unlock the data unilaterally if needed.

Decrypting in the middle

Likewise, mobile phone networks are required to make technological provisions for lawful interception, so that they can comply with court-imposed orders to unlock both phone calls and SMS messages.

That way, even if both you and the recipient of a message covered by a court order refuse to co-operate, or claim you no longer have the relevant data, the mobile network operator can, in theory at least, step in and come up with the data you can’t or won’t reveal yourself.

Technically, the lawful interception process in the GSM and UMTS cellular networks isn’t a backdoor, because it’s not covert, or undocumented, or a regulatory secret.

Whether you approve or not, it’s a documented feature rather than a sneaky hole or a bug.

Mobile phone networks therefore don’t really use end-to-end encryption: the traffic is encrypted between each subscriber and the network, but is generally decrypted and re-encrypted in the middle, where it may be subject to lawful interception.

Cutting out the middleman

The “decrypt and disclose on due demand” regulations that apply to industries like online banking and mobile telephony don’t apply to services like WhatsApp, which is neither a financial institution nor a cellular network.

WhatsApp, and similar services, can and do provide a true end-to-end encryption system, implemented so that it’s not possible to decrypt the data in the middle.

All the service sees is that data is flowing – it can’t see what’s inside the traffic, even if it wants to – so there’s no point in a subpoena or warrant demanding that services of this sort reveal and decrypt messages, either in real time or after the fact.

That’s not a mistake – it’s a feature. (Indeed, it’s trickier to program proper end-to-end encryption via a middleman than it is to encrypt just from each end to the middle.)

It’s a feature because if you don’t collect the data in the first place, then you can never leak it by mistake, for example in the event of a data breach.

And you can never be forced to reveal it against your own moral compass, for example in the face of a hostile government, or as a result of an unexpected change in the law that you were unable to warn your users about.

Can Rudd’s will be done?

All of this raises the question, “Given the way that true end-to-end encryption works, is the home secretary wasting her time making her demand in the first place?”

Technically, no, because she isn’t asking for the impossible.

WhatsApp and other products of the “true encryption” sort could indeed be compelled by UK law to behave like mobile phone services, and forced to reimplement their software, regressing it to make lawful interception possible on demand.

Would it work?

Would this be a workable idea in practice, and would it be worthwhile?

We don’t think so, for several important reasons:

  • UK law wouldn’t apply to services run by US companies and operated outside the UK, for example on servers hosted elsewhere in the EU. So the companies could simply do nothing, other than to close down any part of the business run inside the UK. That would leave everyone in the UK, including the vast number of law-abiding WhatsApp users, stuck with less secure communications than people in the rest of the world. It’s hard to see how this could end positively.
  • The UK on its own wouldn’t have much of a stick to beat companies like WhatsApp with, nor much of a carrot to entice them to change. If the entire EU were to stand behind the UK, that might help, as it helped in squeezing Google to accept the so-called “right to be forgotten” rule. But the UK will soon be leaving the EU, and anyway, not all EU countries agree about the principle of weakening encryption in the hope of somehow making it stronger.
  • Governments that have attempted to force secure messaging services to fall back to weaker encryption methods “for the good of the country” have typically lost face internationally as a result. Forced decryption may make a country look oppressive, backwards-looking, or a risky choice for future economic investment. This is especially true in an era of concerns about state-sponsored industrial espionage and other anti-competitive behaviour.
  • Despite having apparently been radicalised in prison, and having come to the notice of the UK security services in recent years, the Westminster attacker wasn’t under scrutiny at the time of his murderous rampage. So no one in the intelligence community or in law enforcement would have been watching his WhatsApp messages anyway.

In other words, if the recent Westminster tragedy is the sort of case that Amber Rudd’s proposed cryptographic regression hopes to deal with…

…we’re talking about after-the-fact investigation of personal communications that were collected en masse “just in case”.

That means the nation-state scale accumulation of personal, private messages – data that will need to be collected from everyone in the UK, if the process is to be effective after the fact – and the concomitant need to store it securely for later, “just in case”.

Can you imagine what an appealing target all that data would make, especially to the very criminals and terrorists against whom it was supposedly collected in the first place?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wK7RPKuCUC8/

India extends ‘Orwellian’ ID card scheme as critics warn of risks

This month, the Indian government has been busy ensuring people use their Aadhaar card to access all sorts of things – including the free school meals and uniforms, food subsidies and pensions that are a lifeline for so many vulnerable people. According to the Guardian, critics argue that this controversial biometric identity card both restricts fundamental rights and exposes more than 1bn people to privacy risks.

Hundreds of thousands of people in India could be left without essential government services and benefits … The potential of unmonitored and unregulated use of such linked data by the private sector is massive.

The Aadhaar card’s roots, I understand but cannot verify, lie in a desire to curb illegal immigration in border villages in the aftermath of the 1999 Kargil War with Pakistan. The idea took its first steps with the Citizenship (Amendment) Act, 2003, which made some significant amendments to India’s Citizenship Act, 1955, including the addition of the clause:

The Central Government may compulsorily register every citizen of India and issue national identity card to him.

The Unique Identification Authority of India (UIDAI) was established six years later, in 2009, to issue Unique Identification numbers (UID), or “Aadhaar”, to all residents of India. UIDAI issued its first Aadhaar on September 29 2010 and has, according to official figures, issued more than 1.127bn since then – to 88.2% of India’s population.

Over the years, the Aadhaar has created a great deal of controversy. In 2010, The Hindu described the project as “Orwellian” and cited four major concerns:

  1. The violation of people’s privacy and civil liberties
  2. Whether the database was up to retaining the biometric information of more than 1bn people
  3. No cost-benefit analysis or feasibility study
  4. Whether it would be able to deliver the benefits promised, including India’s Public Distribution System (PDS), to the social sector.

In December 2011, the Parliamentary Standing Committee on Finance rejected the National Identification Authority of India Bill, 2010, raising a number of concerns. These included:

Although the scheme claims that obtaining Aadhaar number is voluntary, an apprehension is found to have developed in the minds of people that in future, services / benefits including food entitlements would be denied in case they do not have Aadhaar number.

India’s Supreme Court issued an interim order on 23 September 2013 stating that “the government cannot deny a service to anyone who does not possess Aadhaar, as it is voluntary”. Yet, earlier this month, the Guardian report highlights, India’s government sent schools a notification that, from July, children will need to show their Aadhaar cards to get free school meals.

After intense criticism from the opposition, which argued that the government had made Aadhaar mandatory under the mid-day meal scheme, and from activists concerned that this would leave some children without vital nutrition, minister Prakash Javadekar rejected these suggestions, saying (according to the Indian Express):

All beneficiaries will get mid-day meal and the government will ensure that all the beneficiaries get the 12-digit unique identification number also.

Reading between the lines, it seems the card will soon become – whether the government admits it or not – compulsory for kids receiving free school meals. More than that, this “voluntary card” will also soon become mandatory for many everyday aspects of all Indians’ lives.

In fact, earlier this month, the Times of India reported that the card is already mandatory for three dozen schemes with more on the horizon:

Aadhaar will soon be mandatory for all 84 schemes covered so far under direct subsidy benefit transfer programme.

While those without an Aadhaar can apply for the identity card by June 30 and get benefits till then by furnishing alternative documents, it’s not clear what will happen from July 1. Will Indians without a card be denied access to services and schemes?

India now finds itself in a situation that many of you will find alarming. The Huffington Post India highlights a number of key concerns, many linked to India’s lack of privacy laws: “In India, the right to privacy still doesn’t exist.”

  • There are no safeguards to prevent inappropriate profiling, meaning patterns of citizens’ behavior could be studied as more and more private organizations link their data to Aadhaar.
  • Any legal action against any misuse or theft of Aadhaar data can only be initiated by UIDAI, leaving citizens with no legal recourse should a breach occur.
  • UIDAI is at liberty to collect biometric information beyond iris and fingerprint scans, for example DNA.
  • Private agencies can also use Aadhaar, which contradicts an earlier stated objective of the scheme restricting the use of Aadhaar to government expenditures.

HuffPost also raises concerns about the security of the data and the potential for its misuse by cyber criminals, noting in particular that the “personal data of online consumers can never be fully secure” and “many third-party apps using Aadhar data may not be screened or audited for security”.

Aadhaar, with its many connections, is without doubt the world’s most ambitious project of its type, as Paul Romer, the World Bank’s chief economist, told Bloomberg. He added:

It should be part of the policy of the government to give individuals some control over the data that the private firms collect and some control over how that data is used.

Other countries are watching the Aadhaar project intensely, especially since the World Bank has given it the thumbs up by saying in its World Development Report 2016:

A digital identification system such as India’s Aadhaar, by overcoming complex information problems, helps willing governments to promote the inclusion of disadvantaged groups.

For good or for bad, Aadhaar is here to stay, and it will remain controversial. It will definitely face some difficult tests over the coming months and years:

  • How easy is the system to use?
  • How robust is the technology?
  • How secure is the data?
  • Will breaches/compromises be dealt with adequately?

It will also continue to raise some longer-term concerns:

  • Will some people be left out?
  • Has it gone too far?
  • Will access to the data be abused?
  • How will the data be used in the future?

I think, however, the key question has to be: will Aadhaar promote the inclusion of disadvantaged groups, or simply leave them out or open to abuse?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E9v9GaOg0yc/

‘Siri, please dial 999 and save Mummy’s life’

London’s Metropolitan Police have released a recording of an emergency call made by a four-year-old boy that saved his mother’s life.

The boy, who identified himself as Roman, told the emergency service call handler that his mother was dead. She was, in fact, unconscious, lying on the floor.

To make the call, Roman had unlocked his mother’s mobile phone by pressing her thumb to it. Then, he used Apple’s Siri voice assistant to ask for help. Siri dialed 999: the British emergency number.

Police were dispatched after the call handler stayed on the phone talking with Roman long enough to piece together his address in Kenley, south London. They arrived 13 minutes after the call and forced their way in to find Roman and his two brothers inside with their mother, who was lying unconscious on the floor.

Paramedics were able to give what the Met’s Command and Control Unit (MetCC) called life-saving first aid to the woman. She regained consciousness, after which she was taken to the hospital.

Police released the audio of the call in the hope that people teach their kids what their home address is and how to call police or emergency services in an emergency.

Chief Superintendent Ade Adelekan, from the MetCC, where 999 calls are handled, said:

If you do nothing else today, then I’d implore any parents of young children to sit down with them and make sure they know what to do in this kind of situation and that they know how to contact police or other emergency services in an emergency. As this case demonstrates so poignantly, it could really be the difference between life and death.

It’s an amazing story, and thanks to his quick thinking and by asking Siri for help, this little boy saved his mum’s life, and it means she is still here and can be extremely proud of him and his brothers.

It is an amazing story, but it’s not the first of its kind.

In June last year, an Australian mother, rushing to the nursery when a baby monitor showed her one-year-old had stopped breathing, dropped her phone while she was turning on the light. She still managed to tell Siri to call for help while she performed CPR. Both she and her husband credited the few precious seconds that Siri gave them for potentially making all the difference.

The outcome of that particular story is one of the upsides of the fact that recent iPhones can be set to always be listening for commands. That new feature came about in iOS 9, when Apple enabled activation of the built-in personal assistant at the sound of your voice, rather than waiting for you to hold down the Home button.

If that’s turned on, Siri can not only open music and send text messages; it can also make hands-free phone calls on its own while you drive, or, obviously, in critical situations like that faced by the Australian family last year. Note that only newer models support hands-free Siri when not connected to a power source. Older models – at least back to the 5s – need to be plugged in to a power source for Siri to work in hands-free mode.

Other phone brands can also be set up for hands-free voice assistance, of course. This story illustrates one good reason to activate the feature.

But your kids don’t need to know all that. What they should know, as the MetCC said, is their home address. Another part of their training should be how to unlock a phone and how to summon help – be it through a voice assistant or pressing an emergency services number like 999 or 911.

Roman’s mother is probably thanking her lucky stars that Roman knew how to do just that.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iP3wDMuQVEs/

eBay to ‘downgrade’ verification by switching to SMS

For a decade, eBay customers who wanted extra-strong security have been able to use two-factor authentication (2FA) involving a Verisign-manufactured key fob that generated a unique six-digit code only the user would see. As we complained last year, setting up 2FA on eBay has never been a piece of cake. But those concerned about the growing risks of SMS-based 2FA have welcomed the option of using a separate “hardware token”. (And people aware of such concerns tend to be more capable of acquiring and setting up such a contraption.)

Now, however, eBay’s hardware 2FA option is going away.

KrebsOnSecurity reports that eBay is asking key fob users to start receiving their 2FA security codes via SMS text message instead. As Brian Krebs writes, “eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option”.

Krebs found eBay’s timing ironic: security experts at the US National Institute of Standards and Technology (NIST) recently began actively discouraging the use of SMS-based 2FA in government systems:

NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception… thieves can divert the target’s SMS messages and calls to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks).

NIST says using the public switched telephone network to deliver an authentication code via SMS or voice “is being considered for removal in future [guidelines]”. But organizations that must do so should take multiple precautions, and

SHALL verify that the pre-registered telephone number being used is associated with a physical device. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. Verifiers SHALL use known and verifiable routes to deliver the secret, for example, by using Class 2 SMS. Verifiers SHOULD be aware of indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.

(You can check out NIST’s latest draft digital identity guidelines yourself. Through March 31, you can also comment on them through GitHub before they become official. Occasionally it’s a good thing the government’s listening to you!)
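To show what the quoted NIST requirements look like on the verifier’s side, here is an added Python example (not eBay’s code and not part of the NIST guidelines) that gates the sending of an SMS one-time code on those SHALL/SHOULD rules and falls back to a stronger factor when any of them fails. The account records, field names and carrier risk signals are constructed for illustration.

```python
"""Added example: a verifier-side gate for SMS out-of-band codes that applies
the draft NIST SP 800-63B rules quoted above. Not eBay's code; the Account
fields and risk-signal names are assumptions made for this illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class Account:
    user: str
    phone_number: str
    number_type: str                    # "mobile" = physical device; "voip" = not
    number_changed_at: Optional[datetime] = None
    number_change_used_2fa: bool = True  # was 2FA required when the number changed?
    recent_signals: List[str] = field(default_factory=list)  # e.g. from a carrier lookup


# Indicators the draft says a verifier SHOULD be aware of before using the PSTN.
RISK_SIGNALS = {"sim_change", "number_port", "device_swap"}


def sms_otp_decision(acct: Account) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any reason means: do not send the code over
    SMS; step the user up to an authenticator app or hardware token instead."""
    reasons = []
    # SHALL verify the pre-registered number is associated with a physical device.
    if acct.number_type != "mobile":
        reasons.append("number not associated with a physical device")
    # Changing the number SHALL NOT be possible without 2FA at the time of the
    # change; a number that slipped through without it is not a trusted channel.
    if acct.number_changed_at is not None and not acct.number_change_used_2fa:
        reasons.append("phone number changed without a second factor")
    # SHOULD be aware of device swap, SIM change, number porting before using PSTN.
    flagged = sorted(RISK_SIGNALS.intersection(acct.recent_signals))
    if flagged:
        reasons.append("carrier risk signal: " + ", ".join(flagged))
    return (not reasons, reasons)


def accounts_needing_stronger_factor(accounts: List[Account]) -> List[str]:
    """Names of accounts for which an SMS code must not be used right now."""
    return [a.user for a in accounts if not sms_otp_decision(a)[0]]


# Constructed sample accounts (reserved/fictional phone ranges, not real users).
NOW = datetime(2017, 3, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "+44 7700 900123", "mobile"),
    Account("bob", "+1 555 0100", "voip"),
    Account("carol", "+44 7700 900456", "mobile",
            number_changed_at=datetime(2017, 3, 27, 10, 0, tzinfo=timezone.utc),
            number_change_used_2fa=False),
    Account("dave", "+44 7700 900789", "mobile", recent_signals=["sim_change"]),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        allowed, reasons = sms_otp_decision(acct)
        print(acct.user, "-> SMS OK" if allowed else "-> step up: " + "; ".join(reasons))
```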

eBay certainly isn’t the only company that has sought to move away from hardware tokens, which traditionally had a reputation for being costly to provide and manage. (Though, as Network World notes, recent innovations may be making them somewhat more appealing.) It’s also worth mentioning the ongoing debate about whether any form of authentication truly qualifies as a second factor if it’s delivered via the same device you’re using to access secure resources.

eBay told Krebs it is:

… constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs… We look forward to sharing more [2FA options when they’re] ready to launch.

That suggests eBay plans to offer choices that limit its payments to third parties. Perhaps a smartphone app (similar to Sophos Authenticator)? Or biometrics? Or both, or something else? If you’ve already got a hardware fob, Krebs says it still works – for now. And if you’re not using 2FA at all, eBay’s SMS-based 2FA is still much better than nothing.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cp4Sy-GwPkw/