STE WILLIAMS

Man loses appeal over Facebook threat to kill Obama

Sure, Brian Dutcher admitted, he had said, in a Facebook post, that he was planning to assassinate then President Barack Obama.

But that didn’t mean the 56-year-old Wisconsin man was really going to do it, he claimed, after driving 45 minutes to attend an Obama speech in La Crosse, Wisconsin.

It was just a lot of hot air, he said, after being detained by the Secret Service and questioned for two hours, convicted on two counts of threatening the president, and sentenced to three years in prison.

True, he did in fact back up the Facebook post by candidly repeating his assassination plan… over. And over. And over, to several people once he got to La Crosse, including a security guard, the police, the Secret Service, a nurse, a doctor, and (again) to the police and Secret Service together.

The assassination was, after all, his biblical and constitutional duty, Dutcher said. Some of his Facebook posts leading up to the day of Obama’s speech and his drive to La Crosse:

thats [sic] it! Thursday I will be in La Crosse. hopefully I will get a clear shot at the pretend president. killing him is our CONSTITUTIONAL DUTY!

I have been praying on [sic] going to D.C. for 3 months and now the usurper is coming HERE. … pray for me to succeed in my mission.

But those posts were all hot air, he argued, or in his own words, “overheated rhetoric”. How could it be otherwise? He was obviously unable to carry out the threats, Dutcher said. After all, he didn’t even have tickets to Obama’s speech. Plus, all he had in his van for weaponry was a slingshot (technically, it was a high-powered Wrist Rocket, and granted, he’d bragged about being able to kill small animals, or even a man, with just a slingshot, going so far as to compare himself to David).

But in spite of Dutcher’s arguments that his Facebook threat was a load of hooey, on Wednesday, the 7th US Circuit Court of Appeals dismissed Dutcher’s claim that there was insufficient evidence to support the charges against him.

This guy just doesn’t get it, the court more or less concluded. “Dutcher is missing the point. He was charged with threatening the President… not with the separate crime of attempting to assassinate him.”

Here’s the thing about social media posts: threats are not OK. They’re not protected speech under the First Amendment. In its decision on Wednesday, the court made that abundantly clear.

As the three-member Illinois-based appellate panel noted in its decision, First Amendment case law defines a “true threat” as “a serious expression of an intent to commit an act of unlawful violence to a particular individual or group of individuals”.

From the decision:

A true threat does not require that the speaker intend to carry it out, or even that she have the capacity to do so.

The prohibition against true threats protects us against not just the risk that they’ll be carried out, but also against the fear they engender, the court said.

Dutcher had been convicted on two counts of “knowingly and willfully threatening the president”. The jury, in a two-day trial, had been instructed that it could find “willfulness” if the prosecution proved that Dutcher either actually intended his statement to be a true threat, or that he knew that “other people reasonably would view his statement as a true threat but he made the statement anyway.”

Nobody took that Facebook post seriously, Dutcher had argued. If they had, they would have informed the police. (In fact, his post got two Likes.)

But, the appeals court noted, some of Dutcher’s readers had in fact taken the post seriously. Some responses:

[t]ry voting

how will killing the pres change anything then??

Stay calm my friend. Please!

The jury used those apprehensive responses to the Facebook post, on top of Dutcher’s behavior, to find that the threats were genuine.

Let it be a lesson to us all: when it comes to serious threats of violence on social media, it’s not just a case of getting hot under the collar and blowing off steam. Our social media utterances can and will be used against us in a court of law, particularly if we pack up a van, head to a presidential appearance, and calmly tell everybody we meet that we’re off to murder the POTUS.

Think of it this way: there doesn’t have to be a literal fire in the theater. If we yell fire, it’s reasonable to assume that people are going to believe us and start looking – or stampeding – for the exits.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EsTBG7tq8I8/

World+dog had 1.4 BEEEELLION of its data records exposed last year

Almost 1.4 billion data records were compromised worldwide during 2016, a whopping increase of 86 per cent compared to the year before.

The collective spill occurred across 1,792 data breaches last year, according to security firm Gemalto’s latest Breach Level Index (BLI) report. Identity theft was the leading type of breach in 2016, accounting for more than 59 per cent of all break-ins. Malicious outsiders were the leading source, accounting for 68 per cent of breaches.

Last year’s attack on Adult FriendFinder exposing 400 million records scored a 10 in terms of severity on the Breach Level Index. Other notable breaches in 2016 included Fling, the Philippines’ Commission on Elections (COMELEC) and Dailymotion. The top 10 breaches in terms of severity accounted for more than half of all compromised records. In 2016, Yahoo! reported two major data breaches involving 1.5 billion user accounts, but these do not factor in the 2016 edition of Gemalto’s BLI since they occurred in 2013 and 2014.

To evaluate the severity of breaches, Gemalto takes into account factors such as the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. According to the BLI, more than 7 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. The figure represents more than 3 million records compromised every day or roughly 44 records every second.

Password reuse is opening the door for hackers to mount so-called credential stuffing attacks. The tactic involves taking leaked ID/password combinations from the likes of the Yahoo! breach and trying them on more sensitive sites (e-commerce, webmail etc.), on the assumption that a proportion of users recycled the same password.

“The Breach Level Index highlights four major cybercriminal trends over the past year,” said Jason Hart, vice president and chief technology officer for data protection at Gemalto. “Hackers are casting a wider net and are using easily attainable account and identity information as a starting point for high value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organisations to infiltrating large data bases such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then hold it for ransom and decrypting once they are paid.”

Last year 4.2 per cent of the total breaches involved data that had been partially or fully encrypted. In some of these instances, the password was encrypted, but other information was not. Of the almost 1.4 billion records compromised, lost or stolen in 2016, 6 per cent were encrypted partially or in full (compared to 2 per cent in 2015).

“Encryption and authentication are no longer ‘best practices’ but necessities,” Hart said. “This is especially true with new and updated government mandates like the upcoming General Data Protection Regulation in Europe, US-based and APAC-based breach disclosure laws.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/28/breach_bonanza/

Apple squashes cert-handling bug affecting macOS and iOS

Apple has resolved a certificate validation vulnerability affecting both macOS and iOS users.

The vulnerability (CVE-2017-2485) posed a remote code execution risk on affected systems, creating a potential mechanism for hackers to craft exploits that pushed malware on to otherwise patched iThings.

The flaw – discovered and responsibly disclosed by security researchers from Cisco Talos – stemmed from bugs in the X.509 certificate validation functionality of Apple macOS and iOS. Improper handling of X.509v3 certificate extension fields created the code injection risk.

Possible scenarios where the flaw could be exploited include users connecting to a website which serves a malicious certificate to the client, Mail.app connecting to a mail server that provides a malicious certificate, or opening a malicious certificate file to import into the keychain.
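Each of those scenarios ends with the same step: a parser walks the certificate’s Extensions sequence, trusting length fields supplied by whoever produced the certificate. The following is an added example, not Apple’s or Cisco Talos’s code, of the defensive shape such a walker needs: every DER length is checked against the bytes actually remaining before anything is read, so a crafted length is rejected instead of over-running the buffer. The two sample Extensions blobs (a well-formed basicConstraints plus keyUsage pair, and the same bytes with one length field inflated) are constructed by hand for the demonstration.

```python
"""Minimal DER walker for the X.509v3 Extensions sequence.

Added example, not Apple's or Cisco Talos's code. Every length field is checked
against the remaining buffer before the bytes it describes are touched, which
is the class of check a certificate parser needs. The sample extension bytes
below are constructed by hand.
"""

TAG_BOOLEAN = 0x01
TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos].

    Raises ValueError rather than reading past the end of buf. Indefinite
    lengths and lengths wider than four bytes are rejected; DER requires
    minimal definite lengths.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated element header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length at offset %d" % (pos - 1))
        if pos + n > len(buf):
            raise ValueError("truncated long-form length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):  # the check that stops a crafted length from over-reading
        raise ValueError("length %d overruns buffer at offset %d" % (length, pos))
    return tag, buf[pos:end], end


def expect(buf: bytes, pos: int, tag: int):
    """read_tlv, but insist on a particular tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, got))
    return value, nxt


def decode_oid(raw: bytes) -> str:
    """Decode OID contents (first byte packs the first two arcs, base-128 after)."""
    if not raw:
        raise ValueError("empty OID")
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_extensions(der: bytes):
    """Parse Extensions ::= SEQUENCE OF SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }."""
    body, end = expect(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after Extensions")
    result, pos = [], 0
    while pos < len(body):
        ext, pos = expect(body, pos, TAG_SEQUENCE)
        oid_raw, p = expect(ext, 0, TAG_OID)
        critical = False
        if read_tlv(ext, p)[0] == TAG_BOOLEAN:
            flag, p = expect(ext, p, TAG_BOOLEAN)
            if flag != b"\xff":  # DER encodes TRUE as 0xFF and omits the FALSE default
                raise ValueError("non-DER BOOLEAN encoding")
            critical = True
        value, p = expect(ext, p, TAG_OCTET_STRING)
        if p != len(ext):
            raise ValueError("trailing bytes inside Extension")
        result.append({"oid": decode_oid(oid_raw), "critical": critical, "value": value})
    return result


# Constructed: basicConstraints (critical, CA=TRUE) followed by keyUsage.
GOOD = bytes.fromhex("301e" "300f0603551d130101ff040530030101ff" "300b0603551d0f040403020186")
# Constructed: identical, except the basicConstraints OCTET STRING claims 0x40 bytes.
BAD = bytes.fromhex("301e" "300f0603551d130101ff044030030101ff" "300b0603551d0f040403020186")

if __name__ == "__main__":
    for ext in parse_extensions(GOOD):
        print(ext["oid"], "critical" if ext["critical"] else "non-critical", ext["value"].hex())
    try:
        parse_extensions(BAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The walker returns the two extensions (2.5.29.19 critical, 2.5.29.15 non-critical) for the well-formed input and raises on the inflated length before any byte beyond the buffer is consulted. The same `read_tlv` discipline applies to every nested element, which is why the overrun check sits in the one function that every other parse step goes through.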

More details on the resolved flaw can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/28/apple_cert_bug_fix/

RIP: Antivirus veteran Raimund Genes, 54

Colleagues and friends are mourning the sudden death of distinguished antivirus industry veteran Raimund Genes last Friday.

Genes, 54, chief technology officer at Trend Micro, began as a distributor before joining the antivirus firm in the early days of the industry back in 1996. Over a 30-year career he served with distinction in a variety of senior business development and technology roles.

I interviewed Genes for El Reg several times and found him to be technically knowledgeable and a clear communicator, an antidote to the FUD and hyperbole sometimes found elsewhere. He’ll be missed, especially by his family.

Genes died unexpectedly of a heart attack at his family home in Germany last Friday. He is survived by his wife Martina and two sons.

A tribute to Genes from Eva Chen, chief executive officer at Trend Micro, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/28/raimund_genes_obit/

Two Israeli Youths May Be Charged for vDOS Operation

Israeli authorities prepare to accuse two 18-year-olds for the online attack service, which caused $1.65 million in losses.

Investigation into the vDOS service, allegedly operated by 18-year-old Israelis Yarden Bidani and Itay Huri, is nearly over. Israeli authorities are preparing to press charges of extortion and computer fraud against the two, KrebsOnSecurity reports. They were briefly arrested in September 2016 after a KrebsOnSecurity report pointed them out as likely owners of the four-year-old cyberattack service.

Police allege that Bidani and Huri were responsible for causing damages worth $1.65 million. Krebs says that in just two years, the duo reportedly made over $600,000. At the time of their arrests last September, they had tens of thousands of customers and had carried out several million cyberattacks. User logs obtained by Krebs showed 150,000 attacks in less than three months.

Their defense lawyers claim Bidani and Huri were merely involved in providing “stresser” or “booter” services to customers who wanted to test their sites’ ability to withstand cyberattacks. However, authorities consider such services to be illegal and last year, scores were arrested in the US and Europe on suspicion of using them.

Read more on KrebsOnSecurity.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/two-israeli-youths-may-be-charged-for-vdos-operation/d/d-id/1328498?_mc=RSS_DR_EDT

Jail Time Set for Two More Members of Global Telecom Fraud Scheme

Ramon Batista and Farintong Calderon have been sentenced to 75 months and 36 months in prison, respectively.

A telecommunications fraud scheme, dubbed Operation Toll Free, has led to two more sentences following an investigation by US authorities and the earlier sentencing of two other people. A US Department of Justice (DoJ) release says Ramon Batista of Florida, and Farintong Calderon of New York, have been sentenced to 75 months and 36 months in prison, respectively, in connection with the international cell phone fraud.

According to the DoJ, the two took part in a scheme that involved opening fraudulent cell phone accounts using stolen personal details of individuals in the US. They then used those accounts to place thousands of international calls to countries with high calling rates, such as Jamaica, Cuba, and the Dominican Republic, and billed those calls to the victims. Batista allegedly carried out these activities using his telecom company, Arymyx, as a front.

The two defendants sentenced earlier in the same case are Edwin Fana and Jose Santana, who were sentenced to 48 and 52 months in prison, respectively.

Click here for details.


Article source: http://www.darkreading.com/attacks-breaches/jail-time-set-for-two-more-members-of-global-telecom-fraud-scheme-/d/d-id/1328499?_mc=RSS_DR_EDT

How Identity Deception Increases the Success of Ransomware

As scammers hone their skills, their handiwork looks more credible to intended victims, making a successful ransomware scam more likely.

We’ve become used to seeing criminals attempting to defraud people using social engineering methods. One cornerstone of these attacks is identity deception, the criminals’ way of establishing trust with their intended victims. Today, almost everybody with an email address has received phishing emails, many of which fraudulently claim to come from a trusted financial institution (or Nigerian prince!). The same techniques are used by criminals every day, whether to steal credentials, extort victims, or dupe people into sending data or funds — and identity deception is one of the most important tools in their war chest.

The danger begins when we no longer see the deception, but only the identity. As criminals hone their skills to make their emails credible, this increasingly is what’s happening. It’s all about context. When the context is right, it supports the deceptive identity and the intended victims become less likely to notice minor discrepancies. 

Email Identity and Deception
Before looking at context, let’s examine the different ways in which email-based identity deception is perpetrated. One of the most common ways is spoofing. A spoofed email is like a letter with a fake return address. You look at the envelope and think you know who it is from, but you’re mistaken. If you were to respond to a spoofed email, your response would go to the impersonated party.

A second, less common method is a look-alike domain. For example, a person receiving an email from [email protected] may believe this email comes from Wells Fargo Bank, as opposed to simply somebody having registered security1337.com and created a suitable subdomain and user.

A third way simply insinuates an identity by setting the display names accordingly. Say that the criminal determines that the name of his victim’s boss is Alex Adams, and that his or her email address is “Alex Adams [email protected]” — and sends an email to the target from “Alex Adams [email protected]” Many users wouldn’t notice the discrepancy between the display name (Alex Adams) and the user name (jamiedough014). And if the attacker were to choose a credible user name (such as [email protected]), matching the display name and the target of the impersonation, an even greater portion of users would fall for the deception.

For years, people have tried to push the boundaries of security awareness to ensure people don’t fall for attacks like this. Unfortunately, things are headed in the wrong direction. Increasingly, we’re reading our emails on mobile devices, where the only indication of identity is the display name — which means cybercriminals are having a field day! Today, more than 55% of emails are opened on mobile devices.
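The second and third techniques above leave traces in the From header itself: a trusted display name paired with an address that person never uses, or a domain that normalises to ours or carries our brand as a subdomain or local part. The following added example, not Agari’s code, scans From headers for those indicators. The trusted-sender directory, the organisation’s domains (`example-corp.com`) and the five sample headers are all constructed for the demonstration; the first technique, plain spoofing of an exact address, cannot be told apart from a genuine message by reading the header text and is left to SPF, DKIM and DMARC.

```python
"""Flag From-header identity deception of the kinds described above.

Added example, not Agari's code. The trusted-sender directory, the
organisation's domains and the sample headers are all constructed; a real
deployment would load them from the directory service and the mail log.
Plain spoofing of an exact address is not detectable from the header text
alone and is left to SPF/DKIM/DMARC.
"""
from email.utils import parseaddr

# Constructed: display names the organisation trusts and the exact addresses
# each legitimately sends from (lower-cased).
TRUSTED = {"alex adams": {"alex.adams@example-corp.com"}}

# Constructed: the organisation's own registrable domains.
OWN_DOMAINS = {"example-corp.com"}

_DIGIT_SWAPS = str.maketrans("0135", "oles")


def normalise(label: str) -> str:
    """Fold digit-for-letter and rn-for-m substitutions so look-alikes compare equal."""
    return label.lower().replace("rn", "m").translate(_DIGIT_SWAPS)


def classify_from(header: str) -> str:
    """Return one of: unparseable, display-name-mismatch, lookalike-domain, no-indicator."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    if "@" not in addr:
        return "unparseable"
    local, domain = addr.rsplit("@", 1)
    labels = domain.split(".")
    registrable = ".".join(labels[-2:])

    # Third technique: a trusted display name on an address it never uses.
    key = " ".join(name.lower().split())
    if key in TRUSTED and addr not in TRUSTED[key]:
        return "display-name-mismatch"

    if registrable not in OWN_DOMAINS:
        # Second technique, variant 1: digit/letter substitution in our domain.
        if normalise(registrable) in {normalise(d) for d in OWN_DOMAINS}:
            return "lookalike-domain"
        # Second technique, variant 2: our brand name used as a subdomain or
        # local part of a domain somebody else registered.
        brands = {d.split(".")[0] for d in OWN_DOMAINS}
        if brands & set(labels[:-2]) or local in brands:
            return "lookalike-domain"
    return "no-indicator"


def scan(headers):
    """Classify every From header and return (header, verdict) pairs in order."""
    return [(h, classify_from(h)) for h in headers]


# Constructed sample From headers.
SAMPLE_HEADERS = [
    "Alex Adams <alex.adams@example-corp.com>",
    "Alex Adams <jamiedough014@freemail.example>",
    "Alerts <alerts@example-corp.security1337.com>",
    "IT Helpdesk <it@examp1e-corp.com>",
    "Pat Lee <pat@partner.example>",
]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS):
        print("%-22s %s" % (verdict, header))
```

On the sample set the first and last headers come back `no-indicator`, the second is a `display-name-mismatch`, and the third and fourth are `lookalike-domain`. A verdict of `no-indicator` means only that none of these header-level tells fired; it is a filter stage in front of authentication results, not a substitute for them.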

Email Context and Trust
Now, let’s return to context and how it’s used to make email messages deceptive. A recent example is from the day after the U.S. presidential election. A large number of credible-looking emails were sent to left-leaning nongovernmental organizations (NGOs) touting insights into election fraud and containing malware attachments. The attackers knew that a large number of recipients would be unable to resist clicking. It’s also interesting to note how these emails circumvented antivirus technologies; by placing the malware file in an encrypted ZIP file and enclosing the password in the email, the attackers effectively blocked automated filters from inspecting the email attachments.

Now, imagine an email that appears to come from someone you trust and mentions things that are contextually relevant. You wouldn’t think twice about responding. This is why identity deception is enabling attackers to get rich. For example, consider an attacker who knows you’re taking a trip and finds information about your itinerary. He can send you an email that appears to come from your travel agent and contains a supposed itinerary modification. You need to know what has changed, so you open the file, and … oh, too bad, your hard drive has just been encrypted, but for $2,500, you can have the decryption key. And it’s easy for cybercriminals to find your itinerary and your contact email address using brute-force methods.

Ransomware
One of the ways in which criminals monetize identity deception is with ransomware. A recent report shows that attacks on businesses increased threefold between January and September of 2016, going from one attack every two minutes to one every 40 seconds. 

The objective of ransomware is to get activated: a recipient opens an infected file, which typically encrypts the victim’s files. The attacker then offers to provide the victim with the key to unlock them, for a price. Payments are made in Bitcoin, which is irreversible and only pseudonymous, so the criminals can collect the bounty with little risk of the money being clawed back or readily tied to them.

One of the most recent examples to make the news was the attack on the St. Louis Public Library in January. The cybercriminals used malware to infect approximately 700 computers at 16 different locations and demanded $35,000 in Bitcoins for the decryption of the infected files. Luckily, the library didn’t have any personal or financial information stored on these computers, and they had a backup system, so they chose not to pay the attackers. However, many other organizations aren’t so lucky. According to the FBI, cybercriminals collected $209 million in reported ransomware payments in the first quarter of 2016 alone.

As long as ransomware attacks are successful, we’re all at risk. In a recent article, Jeff Schilling suggests several good approaches toward mitigating the risk of ransomware. However, the level of complexity going into these attacks means that it’s increasingly unlikely they will be spotted, so it’s increasingly likely that the frequency of these attacks will continue to grow. As attackers get better at automating these attacks, and at creating better context that drives clicks, organizations will need to have a stronger understanding of identity deception, and develop more sophisticated ways of preventing these attacks from ever reaching their intended targets.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company’s security research with a … View Full Bio

Article source: http://www.darkreading.com/endpoint/how-identity-deception-increases-the-success-of-ransomware/a/d-id/1328490?_mc=RSS_DR_EDT

Exploit Kits: Winter 2017 Review


We take another look at the current EK scene by going over RIG, Sundown, Neutrino and Magnitude.

A few months have passed since our Fall 2016 review of the most common exploit kits in our telemetry and honeypots.  Since then, there haven’t been any major changes. Exploit kit-related infections remain low compared to those via malicious spam. This is in part due to the lack of fresh and reliable exploits in today’s drive-by landscape.

Pseudo-Darkleech and EITest are the most popular redirection campaigns from compromised websites. They refer to code that is injected into – for the most part – WordPress, Joomla and Drupal websites, and automatically redirects visitors to an exploit kit landing page.

Malvertising campaigns keep fueling redirections to exploit kits as well, but can greatly vary in size and impact. The daily malverts from shady ad networks continue unchanged, while the larger attacks going after top ad networks and publishers come in waves.

In the following video, we do a quick overview of those exploit kits; if you are interested in the more technical details please visit Malwarebytes Labs for additional information on each of them.

Jérôme Segura is a senior security researcher at Malwarebytes Labs where his duties range from studying web exploits to tracking down online scammers. He spent over five years cleaning malware off personal computers using existing tools and writing his own … View Full Bio

Article source: http://www.darkreading.com/partner-perspectives/malwarebytes/exploit-kits-winter-2017-review/a/d-id/1328451?_mc=RSS_DR_EDT

CompSci boffins propose scheme to protect privacy in database searches

From stock searches to map directions, any time a user queries a database, they tell the database owner something valuable.

A group of researchers from MIT’s Computer Science and Artificial Intelligence Laboratory is offering a way that queries can be made private, by breaking them into pieces and having different providers, each holding an identical copy of the database, handle one piece of the query.

The idea will be presented at next week’s USENIX Symposium on Networked Systems Design and Implementation.

With the right design, says MIT student Frank Wang, lead author of this paper (PDF), only one of the data providers needs to be honest to protect a user’s privacy.

It’s based on what Wang’s paper calls Function Secret Sharing (FSS), a cryptographic feature that “allows the client to split certain functions into shares that keep parameters of the function hidden unless all the providers collude”, without imposing too heavy a load on the CPUs in the system.

FSS was first described in 2015 by Elette Boyle, Niv Gilboa and Yuval Ishai; Shafi Goldwasser is among Wang’s co-authors on the new paper.

The group’s work takes advantage, first, of modern multicore processors that implement AES-NI (Advanced Encryption Standard New Instructions); and second, the paper presents protocols that “let Splinter support a subset of SQL that can capture many popular online applications”.

In Splinter, each provider in a system hosts a copy of the same database. The client splits a query into “shares”, one of which is submitted to each provider, and the responses are recombined to provide the answer.

In academic language, FSS which accomplishes this “lets a client divide a function f into function shares f1, f2,…, fk so that multiple parties can help evaluate f without learning certain of its parameters.”

Taking a COUNT query as an example (eg: SELECT COUNT(*) FROM items WHERE ItemId = ?), assume the user wants to keep the query parameter secret: only the user knows that the “?” value is 5.

FSS works out how to send a different share to each copy of the database, so that the client can work out from their answers what ItemId=5 would have returned, while no single provider learns the value 5.

As MIT explains: “a database query is converted into a set of complementary mathematical functions, each of which is sent to a different database server. On each server, the function must be applied to every record in the database; otherwise, a spy could determine what data interests the user.

“Every time the function is applied to a new record, it updates a value stored in memory. After it’s been applied to the last record, the final value is returned to the user. But that value is meaningless until it’s combined with the values reported by the other server.”

In the MIT article, Wang describes applications for Splinter: “When people were searching for certain kinds of patents, they gave away the research they were working on. Stock prices is another example: A lot of the time, when you search for stock quotes, it gives away information about what stocks you’re going to buy. Another example is maps: When you’re searching for where you are and where you’re going to go, it reveals a wealth of information about you.” ®
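To make the COUNT example concrete, here is an added example that is not Splinter’s code. It implements the simplest function secret sharing for a point function, additive shares of the whole indicator vector over a small ItemId domain, rather than the compact distributed point function Splinter builds on, but the protocol shape is exactly the one described above: the client sends each of two providers one share, each provider folds its share over every record and returns a single number, and only the sum of the two answers means anything. The `items` table and the domain size of 16 are constructed for the demonstration; `collude` shows why privacy needs at least one honest provider.

```python
"""Two-provider private COUNT with function secret sharing.

Added example; it is not Splinter's code. It uses the simplest FSS for a
point function (additive shares of the whole indicator vector, so key size
grows with the domain) instead of the compact distributed point function
Splinter builds on, but the protocol shape is the one described above: the
client sends each provider one share, every provider applies its share to
every record and returns a single number, and only the combination of the
answers means anything. The items table and the domain size are constructed.
"""
import secrets

P = 2**61 - 1   # prime modulus for the additive shares
DOMAIN = 16     # assumption: ItemId is in 0..15

# Constructed copy of the `items` table, held identically by both providers.
ITEMS = [{"ItemId": i} for i in (5, 3, 5, 9, 5, 0, 12, 3)]


def share_point_function(alpha: int, domain: int = DOMAIN):
    """Split f(x) = 1 if x == alpha else 0 into k1, k2 with k1[x] + k2[x] = f(x) mod P.

    k1 is uniform, and k2 = f - k1 is therefore uniform too, so neither share
    on its own says anything about alpha.
    """
    k1 = [secrets.randbelow(P) for _ in range(domain)]
    k2 = [((1 if x == alpha else 0) - k1[x]) % P for x in range(domain)]
    return k1, k2


def provider_count(share, rows) -> int:
    """Provider side: fold the share over EVERY row and return the running total.

    The provider cannot skip rows or spot the 'hot' entry, because every
    share entry looks like a random number.
    """
    total = 0
    for row in rows:
        total = (total + share[row["ItemId"]]) % P
    return total


def private_count(alpha: int, rows_at_1, rows_at_2) -> int:
    """Client side: SELECT COUNT(*) FROM items WHERE ItemId = alpha, with alpha hidden."""
    k1, k2 = share_point_function(alpha)
    a1 = provider_count(k1, rows_at_1)
    a2 = provider_count(k2, rows_at_2)
    # sum over rows of (k1[x] + k2[x]) = number of rows with ItemId == alpha
    return (a1 + a2) % P


def plain_count(alpha: int, rows) -> int:
    """Reference answer computed in the clear."""
    return sum(1 for r in rows if r["ItemId"] == alpha)


def collude(k1, k2) -> int:
    """What two dishonest providers can do together: reconstruct f and read off alpha."""
    return [x for x in range(len(k1)) if (k1[x] + k2[x]) % P == 1][0]


if __name__ == "__main__":
    print("private COUNT(ItemId=5):", private_count(5, ITEMS, ITEMS))
    print("clear   COUNT(ItemId=5):", plain_count(5, ITEMS))
    k1, k2 = share_point_function(5)
    print("colluding providers recover alpha =", collude(k1, k2))
```

With the constructed table, the private count for ItemId=5 is 3, matching the clear-text count, and each provider has only seen a vector of random residues plus a running sum that is itself uniformly random. The linear-size key is what the real DPF construction shrinks to logarithmic size; the security argument (one honest provider suffices, all colluding breaks it) is unchanged.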

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/28/function_secret_sharing/

As of today, iThings are even harder for police to probe

Apple today released iOS 10.3, watchOS 3.2 and tvOS 10.2 (build 14W265). The first two bring some pleasing extra functionality to iThings, but the main attraction in the new release is Apple File System, because it adds comprehensive encryption to the iPhone and Apple Watch.

Apple’s been very shy about the Apple file system (APFS), which it revealed with little fanfare at last year’s Worldwide Developers Conference (WWDC) and doesn’t even mention it in the list of features in iOS 10.3.

Modernisation was the company’s motivation for creating the file system: at launch it pointed out that the HFS+ file system it used was designed in the age of the floppy disk and therefore wasn’t very good at handling flash memory or large file sizes. Writing its own filesystem is therefore expected to improve performance markedly, as file reads and writes should be substantially faster.

Which will be lovely. But APFS’ encryption is far more interesting. Apple characterises it as “strong full-disk encryption” for both files and metadata, with optional “Multi-key encryption with per-file keys for file data and a separate key for sensitive metadata”. That’s an improvement on the file-only encryption offered on older versions of iOS.

“Multi-key encryption ensures the integrity of user data,” Apple tells us. “Even if someone were to compromise the physical security of the device and gain access to the device key, they still couldn’t decrypt the user’s files.”

Now recall, dear readers, the case of the San Bernardino killer’s iPhone and the furore around whether or not law enforcement officers should enjoy access to its storage. Note, also, this weekend’s call by UK interior minister Amber Rudd for governments to enjoy access to encrypted communications. And now consider the hundreds of millions of APFS-capable iPhones and iPads in the world, most soon to get encryption that makes their innards unknowable.

Other features in iOS 10.3 include a “Find my AirPods” function, the ability to find a user’s parked car and an upgrade for Siri so that she’s aware of cricket scores and statistics.

APFS is expected to come to macOS later in 2017. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/28/apple_file_system_debuts/