STE WILLIAMS

US to make social media checks compulsory for some visas

US Secretary of State Rex Tillerson has ordered a “mandatory social media check” for any visa applicants who’ve ever visited territory controlled by the Islamic State (IS).

Reuters has obtained and published four diplomatic cables sent by Tillerson to American diplomatic missions over the past two weeks, with the most recent issued on March 17.

The memos are examples of the “extreme vetting” of foreigners that President Donald Trump has promised since his campaign days, Reuters notes. Making promises a reality is going to be tough, though: two former US officials told the news outlet that the mandatory checks will present logistical and administrative hurdles, as they’ll constitute a “labor-intensive expansion” of the fairly rare social media screening that consular officials are already doing.

Anne Richard, assistant secretary of state in the Obama administration, said:

There’s so much social media out there. It’s not something you can do on a timely basis.

Broadening the screening could also lead to profiling visa applicants on the basis of nationality or religion as opposed to their actual potential for threatening the US, advocates and immigration lawyers told Reuters.

Jay Gairson, a Seattle-based immigration attorney who represents clients from countries covered by Trump’s travel ban, said:

Most [consular] posts already have populations that they look at for fraud and security issues.

What this language effectively does is give the consular posts permission to step away from the focused factors they have spent years developing and revising, and instead broaden the search to large groups based on gross factors such as nationality and religion.

The series of memos issue edicts that Tillerson has had to subsequently dial back as the courts have blocked Trump’s travel bans. That includes a set of questions for visa applicants from Iran, Libya, Somalia, Sudan, Syria and Yemen, as well as members of populations identified as security risks. Trump’s first travel ban had included Iraq on that list, but a revised ban exempted the country.

The set of new vetting questions, set out in a March 15 memo, would have required visa applicants to provide prior passport numbers and all phone numbers, email addresses and social media handles used in the previous five years.

Tillerson’s March 16 and March 17 cables told consular posts to disregard those questions, pending approval from the Office of Management and Budget (OMB).

But while it backpedalled on those questions, Tillerson’s memo left in place the requirement for a “Mandatory social media check for applicants present in a territory at the time it was controlled by [IS]”.

If post determines the applicant may have ties to [IS] or other terrorist organizations or has ever been present in an [IS]-controlled territory, post must/must refer the applicant to the Fraud Prevention Unit for a mandatory social media review.

We’ve already seen US Customs and Border Protection (CBP) demanding access to travelers’ social media accounts. According to the American Immigration Lawyers Association (AILA), border agents have been doing it for several years, despite doubts over whether it’s constitutional.

While it seemed to have ramped up within hours of Trump’s initial travel ban, it was reportedly still being done ad hoc, on a case-by-case basis, as if agents didn’t have much in the way of guidelines. Tillerson’s March 17 memo apparently provides at least the start of guidelines on who to demand social media accounts from.

The Department of Homeland Security’s (DHS) Customs and Border Protection (CBP) agency in June 2016 had concocted a plan to collect travelers’ social media details: a plan that was quietly enacted in December, in spite of scathing criticism from tech giants and advocates for human and civil rights.

The CBP’s program was supposed to be opt-in, as opposed to mandatory, but as critics pointed out at the time, not many travelers would likely know that they had the right to refuse such a request. Nor would they be likely to have the confidence to deny anything to US officials who hold their fate in their hands.

Now, at least if you’re a visa applicant who’s traveled to one of the White House’s list of six countries that require extreme vetting, the answer is here: it’s mandatory… at least, it is until any ensuing or ongoing court battle plays out.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mgvtyACz_os/

iPhone-havers think they’re safe. But they’re not

Mobile malware is at the highest level yet recorded, infecting 1.35 per cent of all mobile devices in October, according to a study by Nokia out today. The high water mark in October compares to figures of 1.06 per cent in April 2016.

While Android smartphones and tablets remained the top mobile target (81 per cent), iOS-based devices were also affected, particularly through spyphone applications, in the second half of last year (4 per cent). Spyphone surveillance software (sometimes marketed as spousal or child monitoring tech) tracks a user’s calls, text messages, social media applications, web searches, GPS locations or other activities.

Issued twice per year, Nokia’s Threat Intelligence Report examines general trends and statistics for infections in devices connected through mobile and fixed networks around the world. The figures come from deployments of the Nokia NetGuard Endpoint Security (NES) network-based anti-malware kit. Windows/PC systems accounted for 15 per cent of malware infections in the second half of 2016, down from 22 per cent in the first half of the year.

While moderate threat level adware activity decreased in the second half of 2016, high-level threats (eg, bots, rootkits, keyloggers and banking Trojans) remained steady at approximately 6 per cent.

Separately, security firm Skycure reports that 71 per cent of mobile devices remain highly susceptible to breaches because they are two months or more behind on the latest patches. Six per cent of devices run patches that are six or more months old. The figure is based on an analysis of the patch updates among the five leading wireless carriers in the US. Skycure reports a six-fold increase in mobile malware infections between Q1 2016 and Q4 2016.

Almost half of Android vulnerabilities logged last year allowed excessive privileges, while others allowed other bad effects, like leakage of information, corrupted memory, or arbitrary code execution. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/27/mobile_threats/

Ex-military and security firms oppose Home Sec in WhatsApp crypto row

UK government ministers calling for increased surveillance abilities in the wake of last Wednesday’s terrorist attack have encountered opposition from a somewhat unexpected quarter.

Home Secretary Amber Rudd went on TV at the weekend to say it was “completely unacceptable” that authorities were unable to look at the encrypted WhatsApp messages of Westminster terrorist attacker Khalid Masood. There should be “no place for terrorists to hide”, she added.

Not so, according to the Ministry of Defence’s former cybersecurity chief. The case for increased surveillance powers following the attack is “weak”, especially just months after the Investigatory Powers Act became law, according to Major General Jonathan Shaw.

“There’s a debate in Parliament about the whole Snooper’s Charter and the rights of the state and I think what they are trying to do is use this moment to nudge the debate more in their line,” Shaw told BBC Radio 4’s Today.

What the Home Secretary seems to want is for services such as Facebook, WhatsApp and Apple’s iMessage to shift their approach from using end-to-end encryption to something that (at least) allows them to hand over messages in response to a warranted request. Such a move would make it easier for authoritarian governments, foreign spies and criminals to access communications. And such a move would not make it easier to foil future terrorist attacks. For one thing terrorists would likely move to more secure methods of communication.

“The problem will mutate and move on,” Shaw argued. “We are aiming at a very fluid environment here. We are in real trouble if we apply blunt weapons to this, absolutist solutions.”

Some tech firms have also weighed in against Rudd’s call for security services to have access to decrypted WhatsApp messages.

Tony Anscombe, senior security evangelist at Avast, said: “We understand why governments want to be able to access the content in these messages but, unfortunately, banning encryption in order to get to the communications of a select few opens the door to the communications of many, and renders us all less secure and our lives less private.

“If you build a back door, it’s there for everybody to access. And if you store that data you collect, even in encrypted form, how secure is it? All these data breaches we hear about show our privacy is regularly being breached by hackers, so the action suggested by the Home Secretary would only open us all up to further invasions of privacy.”

Homebrewed jihadist crypto apps have been shown to be weak. Alternatives to mass-market Western messaging utilities, such as Telegram, have also had their share of flaws. Even so, pushing terrorists towards crypto alternatives is not necessarily a good idea, according to Anscombe.

“It would be naïve of us to think that by removing the public methods of encryption which we use to protect our identity, our freedom of speech and to keep us safe from persecution, that those terrorist organisations will not develop alternative methods to encrypt their communications. If this were to happen, we’d only be pushing these people further underground, presenting a greater challenge to security intelligence services.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/27/whatsapp_crypto_row/

Cybercriminals Exploit March Madness Frenzy

Users are clicking on dubious links to stream matches and exposing confidential data to hackers, says Zscaler.

With March Madness into the Sweet Sixteen round and basketball fever reaching its peak, online malicious activity appears to have increased too, reports Infosecurity. The last 15 days of the annual NCAA basketball tournament have seen heightened malicious activity involving phishing pages, adware downloads and mishandling of user data.

Official statistics have described the opening weekend of this year’s NCAA tournament as the most watched in 24 years, and this popularity has spilled over into social media such as Twitter, Facebook and Instagram. As a result, more and more sports enthusiasts are streaming games and unknowingly clicking on dubious links to watch their favorite matches.

Zscaler researchers say these links are redirecting viewers “to a site that installs a browser hijacker, which prompts users to install toolbars and change the homepage to search.searchliveson[.]com to continue watching the game.”

Additionally, phishing webpages are being hosted on domain-squatted addresses, with fake login pages set up to sniff user credentials and other personal information, they add.

Read more on Infosecurity.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/cybercriminals-exploit-march-madness-frenzy/d/d-id/1328488?_mc=RSS_DR_EDT

40% of Discarded Digital Devices Contain Personal Data

NAID study of 250 devices in resale markets found tablets contained the most recoverable personal information.

An eye-opener of a study by the National Association for Information Destruction (NAID) has found that 40% of digital devices available in second-hand markets for resale carry personally identifiable information (PII) unintentionally left behind by the user. Of the over 250 devices examined, tablets contained 50% of recoverable PII; hard drives, 44%; and mobile phones, 13%.

According to John Benkert of CPR Tools, whose firm was commissioned to conduct the research: “Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.”

Recovered data, from devices used in both commercial and personal environments, include usernames and passwords, credit card information, and company and tax details.

Interestingly, the researchers used very basic methods to recover the stored data and came up with this figure. “Imagine if we had asked our forensics agency to actually dig,” says Robert Johnson of NAID. “40 percent is horrifying when you consider the millions of devices that are recycled annually.”

Read full story here


Article source: http://www.darkreading.com/endpoint/40--of-discarded-digital-devices-contain-personal-data/d/d-id/1328489?_mc=RSS_DR_EDT

Data Visualization: Keeping an Eye on Security

Visualization can be one of the most powerful approaches a security team can use to make sense of vast quantities of data. So why does it end up as an afterthought?

Have you ever recognized someone but had trouble recalling their name? Or perhaps you’ve felt as if you had met someone before but couldn’t place where? This experience is quite common. It has to do with the way our brains are wired, and with the different ways in which we process visual and non-visual information.

While I’m not a scientist, I do know from experience that the human eye can often identify visual patterns very quickly. As an example, consider a bar graph with one marked outlier. If you look at the bar graph, you will likely spot the outlier almost immediately. But what if I gave you all the empirical data in table form? It would likely take you far longer to identify the outlier, right?

There is a lesson in here for security, but not the one you might think. Visualization is often something on an organization’s to-do list, and for good reason. Visualization is one of the most powerful approaches a security team can use to help make sense of vast quantities of data. But more often than not, organizations struggle to get the value out of visualization that they had hoped for. Instead of becoming one of the key tools for the security team, visualization often ends up as an afterthought relegated to a few monitors on the fringe of the Security Operations Center.


Why is this? To better understand what is going on here, we first need to take a step back and think about what we are trying to accomplish with visualization. In this context, visualization is essentially being used as an analytic. In other words, the human eye is being used as an analytical tool to better understand the data it is looking at, and to try and identify patterns or outliers in it. So what is causing the disconnect between the desired outcome and the reality of the matter?

As you might already know, analytics work best when focused on answering specific questions, or addressing specific use cases. For example, I’m sure you can appreciate the difference between trying to use analytics to find “something interesting” versus “privileged accounts that appear to be compromised.” And therein lies the reason that most visualization efforts are so underwhelming. They are simply not aimed towards answering any particular question or addressing any particular use case. 

What do I mean by this? Think about how most organizations approach visualization. Generally, these organizations take a bunch of raw, unprocessed data and represent it in any of a number of different types of graphs (e.g., time series, scatter plots, bar graphs, etc.). There is no focus here at all! If I were to ask these organizations the simple question, what are you looking to find with this visualization, they would most likely have no answer. Not surprisingly, the results of these visualization attempts almost always disappoint.

What’s missing from this approach to visualization are the right questions. Questions force us to pause and think about what we’re actually trying to accomplish. As an example, think about a case where we are interested in looking for callbacks to potential command and control sites that may not yet be online. When a system is infected with malicious code, it often calls back to a command and control infrastructure seeking further instructions. Sometimes, the command and control infrastructure is not yet online, or the attacker wants the malicious code to “sleep” for a period of time before activating it. If we look for this type of activity, we can sometimes identify malicious callback domains that may not yet be widely known (and thus will not match any known signature or intelligence source).

We will likely want to go to our DNS data for this example. Further, we need to filter the data to look for domain requests that returned no answer over a period of time (say the last 24 hours). Lastly, we’ll want to aggregate, by domain name, a count of the number of requests matching these criteria. If we visualize the data that results from asking this question, we will likely have an entirely different visualization experience.

Let’s say we order by count descending and use a bar graph to visualize the data set. We may have some instances of a small number of requests for a given domain that return no answer. These could be mistyped domain names, or perhaps some type of misconfiguration. But if we have infected systems exhibiting this type of behavior, we will likely see a higher number of requests for one or more domain names that return no answer. Our human eye will be treated to something it can process quite easily and use to identify outliers very quickly.
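The DNS question above, worked through as an added example (not code from the article): it parses a constructed resolver log, keeps only queries in the last 24 hours that returned no answer records, counts them per domain and orders the result as a bar chart would. The log format, the sample lines, the domain names and the fixed “now” timestamp are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample resolver log for this example (not real data). Each line:
#   <UTC timestamp> <client IP> <queried name> <rcode> <answer record count>
# Host 10.0.0.9 beacons every few minutes to a domain that is not yet registered
# and never gets an answer; the other failures are a typo and a stale internal name.
SAMPLE_LOG = """\
2017-03-27T06:00:01Z 10.0.0.5 www.example.com NOERROR 2
2017-03-27T06:03:10Z 10.0.0.9 cdn-sync-a1.example-c2.net NXDOMAIN 0
2017-03-27T06:08:12Z 10.0.0.9 cdn-sync-a1.example-c2.net NXDOMAIN 0
2017-03-27T06:13:09Z 10.0.0.9 cdn-sync-a1.example-c2.net NXDOMAIN 0
2017-03-27T06:18:11Z 10.0.0.9 cdn-sync-a1.example-c2.net NXDOMAIN 0
2017-03-27T06:20:00Z 10.0.0.7 gogle.com NXDOMAIN 0
2017-03-27T06:21:00Z 10.0.0.7 www.google.com NOERROR 1
2017-03-27T06:30:00Z 10.0.0.12 old-fileserver.corp.example NXDOMAIN 0
2017-03-27T06:31:00Z 10.0.0.12 old-fileserver.corp.example NXDOMAIN 0
2017-03-27T06:40:00Z 10.0.0.9 cdn-sync-a1.example-c2.net NXDOMAIN 0
2017-03-25T09:00:00Z 10.0.0.9 cdn-sync-a1.example-c2.net NXDOMAIN 0
2017-03-27T06:45:00Z 10.0.0.5 mail.example.com NOERROR 0
"""

# Fixed "now" so the 24-hour window is reproducible (an assumption for the example).
NOW = datetime(2017, 3, 27, 7, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line into (timestamp, qname, answer_count); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_text, _client, qname, _rcode, answers = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return ts, qname.lower().rstrip("."), int(answers)
    except ValueError:
        return None


def no_answer_counts(lines, now, window=timedelta(hours=24)):
    """Count, per domain, the queries inside the window that returned zero answer
    records. NXDOMAIN and empty NOERROR (NODATA-style) responses both count."""
    counts = Counter()
    start = now - window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, qname, answers = rec
        if start <= ts <= now and answers == 0:
            counts[qname] += 1
    return counts


def ranked(counts):
    """Order by count descending (name ascending breaks ties): the series one
    would hand to a bar chart, outlier first."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def ascii_bar_chart(rows, width=40):
    """Text rendering of the bar graph described in the article."""
    if not rows:
        return ""
    top = rows[0][1]
    out = []
    for name, n in rows:
        out.append(f"{n:5d} {'#' * max(1, round(width * n / top))} {name}")
    return "\n".join(out)


if __name__ == "__main__":
    print(ascii_bar_chart(ranked(no_answer_counts(SAMPLE_LOG.splitlines(), NOW))))
```

The repeating beacon stands out as the tallest bar; the one-off typo and the stale internal name form the short tail the article describes.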

So you see, it’s all in how you interrogate the data. Visualization can be a powerful tool, but you have to know how to use it properly. When looking to leverage visualization, it is helpful to first ask yourself the question “What am I looking for?” The answer to this question can guide you to interrogate the data using a variety of queries and pivots to get it into a state where the actual visualization can be successfully leveraged. 

Get the picture?



Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO – Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as …

Article source: http://www.darkreading.com/threat-intelligence/data-visualization-keeping-an-eye-on-security/a/d-id/1328493?_mc=RSS_DR_EDT

USA can afford golf for Trump. Can’t afford .com for FBI infosec service

InfraGard.org is supposed to be one of the United States’ defences against online criminals. But the FBI-led service is currently the subject of a typosquatting and email attack that could see organisations seeking protection instead send their personal data straight to parties unknown.

As its name implies, InfraGard is all about protecting American infrastructure. The organisation does so by linking the FBI with “businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.”

The organisation boasts 84 chapters, more than 54,000 members and says more than 400 of the Fortune 500 have someone who works with InfraGard. Members get to share information security information in a closed environment, providing each other and the FBI with useful intelligence.

Image: phish sent to InfraGard members.

In other words, this is a serious organisation with an important mission.

But not serious or important enough to have acquired the infragard.com domain.

We know about this omission because over the last few days folks have been sharing emails luring them to the fake infragard.com, which offers a passable replica of the real InfraGard site and asks visitors to log in.

The good news, according to security researcher David Longenecker, is that the fake site appears not to be sharing data with any other. Even if it is not, it could be building a nice trove of logins. Infosec types should know better, but what’s the bet some of the IDs and passwords the fake site harvests will work elsewhere?

Others believe the fake site is winning users’ trust by actually logging them in to the real site, with bait-and-switch tactics.

Longenecker says the FBI is aware of the fake site. And so it should be: a Whois search shows it was first registered in 2002 and offers a contact at Lunacorp.com. Don’t visit that domain, dear readers, it offers only dodgy weight loss data. It also appears that the site changed hands quite recently, making the timing of the email campaign a fascinating coincidence.

The deeper question is why the FBI hasn’t squashed the typosquatting site, even if it has long been dormant. Mechanisms exist to reclaim domains. You’d think that the FBI, of all entities, would have sussed them out years ago.

For the rest of us, the attack is easy to defeat, as the fake site uses HTTP and the real thing uses HTTPS. The most recent versions of top browsers will therefore point out that the connection to the fake InfraGard.com is not secure. Once you notice that warning, feel free to flee, stylishly, in pursuit of the real thing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/27/infragard_typosquatting/

Dishwasher has directory traversal bug

Don’t say you weren’t warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server, and now finds itself on the wrong end of a bug report it’s accused of ignoring.

The utterly predictable bug report at Full Disclosure details CVE-2017-7240, “Miele Professional PG 8528 – Web Server Directory Traversal”.

“The corresponding embedded Web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks.”

Proving it for yourself is simple: GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.

Directory traversal attacks let miscreants access directories other than those needed by a web server. And once they’re in those directories, it’s party time because they can insert their own code and tell the web server to execute it.

It’s unclear which libraries Miele used to craft the Web server, which means without a fix from the vendor – for a dishwasher – the best option is to make sure the appliance isn’t exposed to the Internet.
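An added example, not Miele’s code or the PST10 WebServer (whose implementation the article notes is unknown): the naive path-joining pattern that produces this class of bug beside a hardened resolver that rejects any request escaping the document root, including the request line quoted above. The document root and the request routing are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; an embedded server would serve its
# static pages from a directory like this.
DOCROOT = "/srv/www"


def naive_resolve(docroot, request_path):
    """The pattern behind this class of bug (illustrative, not Miele's code): the
    request path is appended to the document root with no normalisation, so the
    operating system later resolves every "../" segment and walks out of it."""
    return docroot + request_path


def naive_target(docroot, request_path):
    """What the naive resolver actually hands to the filesystem once the ".."
    segments collapse: shows the escape lexically, without touching disk."""
    return posixpath.normpath(naive_resolve(docroot, request_path))


def safe_resolve(docroot, request_path):
    """Decode, normalise and confine the request path to the document root.
    Returns the file path to serve, or None if the request must be rejected."""
    docroot = posixpath.normpath(docroot)
    # Decode percent-encoding once, so "%2e%2e%2f" cannot pass the checks below
    # as literal text and be decoded into "../" by a later layer.
    path = unquote(request_path)
    # A NUL byte would truncate the path in C string APIs; never pass it on.
    if "\x00" in path:
        return None
    # Join lexically and collapse "." and ".." segments. normpath on an absolute
    # path cannot climb above "/", so any escape lands outside docroot.
    candidate = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    # Confirm the result is docroot itself or something beneath it. A production
    # server would additionally apply os.path.realpath to defeat symlinks.
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate


def route(request_line, docroot=DOCROOT):
    """Map a raw request line such as "GET /index.html HTTP/1.1" to an HTTP status
    and the path that would be served. Traversal attempts get 403 (and, in a real
    server, a log line for the SOC); nothing is read from disk here."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return 400, None
    target = safe_resolve(docroot, parts[1])
    if target is None:
        return 403, None
    return 200, target


# The request line from the advisory, used to show the two resolvers side by side.
TRAVERSAL_REQUEST = "GET /../../../../../../../../../../../../etc/shadow HTTP/1.1"

if __name__ == "__main__":
    req_path = TRAVERSAL_REQUEST.split()[1]
    print("naive :", naive_target(DOCROOT, req_path))  # escapes to /etc/shadow
    print("safe  :", route(TRAVERSAL_REQUEST))          # (403, None)
```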

And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing bugs.

The researcher that noticed the dishwasher’s Web server (please, readers, ponder those three words in succession and tell us they don’t make you want to grab pitchforks), Jens Regel of German company Schneider-Wulf, complains that Miele never responded to his notification, first made in November 2016.

Appliance makers: stop trying to connect to the Internet, you’re no good at it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/

Ever visited a land now under Islamic State rule? And you want to see America? Hand over that Facebook, Twitter, pal

US embassies have been told to examine social media accounts of visa applicants who have ever set foot in Islamic-State-controlled areas.

The edict was sent out earlier this month by Secretary of State Rex Tillerson in diplomatic cables. These memos, leaked to journalists and revealed on Friday, direct officials to identify “populations warranting increased scrutiny” and perform a “mandatory social media check” on anyone who has visited lands that have been under Islamic State rule.

Given that social media is apparently rarely reviewed by consular staff, this move will result in significant upheaval for background checkers.

Tillerson’s instructions are tied to President Trump’s most recent executive order that clamps down on immigrants from selected Muslim-majority nations. That’s the executive order he issued after US judges halted an earlier version.

The courts froze the revised order, too, forcing the Secretary of State to revise edicts sent to embassies earlier this month: in his latest cable, dated March 17, he insisted visa applicants disclose their social network accounts so they can be searched for any troublemaking.

Rights lawyers say this means people will be scrutinized depending on where they are from, who they worked for, and what they worship, rather than whether or not they actually pose a security risk.

“Most [consular] posts already have populations that they look at for fraud and security issues,” Jay Gairson, a Seattle-based immigration attorney, told Reuters.

“What this language effectively does is give the consular posts permission to step away from the focused factors they have spent years developing and revising, and instead broaden the search to large groups based on gross factors such as nationality and religion.”

Some have questioned this social media crackdown, considering a would-be terrorist is probably going to hand over a URL to a dummy profile rather than one they’ve used to rave against America. Then there’s the fact that poring over social media wittering is immensely time-consuming. You could use computers to do the job, but software tools have proven ineffective during tests.

So it’s going to be up to embassy staff to go through certain people’s social media accounts: that’ll take time and ultimately keep those folks out of America, which is what the Trump administration ultimately wants, we suspect. “There’s so much social media out there,” said Anne Richard, a former US assistant secretary of state in the Obama administration. “It’s not something you can [review] on a timely basis.”

Last month, senior officials, energized by President Trump’s tough stance on immigration, said they wanted the usernames and passwords to accounts – from Facebook and Twitter to online banking – from certain unlucky visa applicants. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/25/social_media_passwords_mandatory/

News in brief: Pyongyang role in heist probed; EU to discuss laptops ban; social media rapped on terrorism

Your daily round-up of some of the other stories in the news

US probes North Korea’s role in bank heist

US prosecutors are probing what role North Korea might have played in last year’s theft of $81m from Bangladesh Bank – a possible involvement we noted on Naked Security at the end of last year.

Researchers spotted what the New York Times calls “a rare piece of code” that was used both in the heist that saw $81m transferred from Bangladesh Bank’s accounts via the Swift banking system to accounts in the Philippines and in the 2014 Sony Pictures breach. Speaking at an event in Colorado earlier this week, Richard Ledgett of the NSA said that the two attacks had been linked “forensically” and added: “This is a big deal.”

Reuters reported that a source has said that the FBI believes North Korea is responsible for the heist, using Chinese middlemen to help pull it off.

EU raises questions about laptops ban

EU officials plan next week to discuss the US and UK ban on most electronic devices in the cabins of aircraft flying directly from several Middle Eastern and north African countries, with EU transport commissioner Violeta Bulc wanting to speak to Britain’s transport secretary Chris Grayling about the move.

Other countries including Germany, Spain and Switzerland have decided not to follow the US and the UK with the ban, while The Times reported that France is looking at following suit but had made no decision.

The UK didn’t consult with the European Commission before imposing the ban, choosing to follow the US’s advice. The Commission said: “We actively encourage member states to share intelligence and coordinate their actions. We have called for a security coordination meeting next week with all member states to assess new bans.”

Meanwhile, Bloomberg reported this week that European airports are discussing the relaxing of the restrictions on liquids in carry-on luggage, which date back to 2006. At present, passengers are prohibited from carrying bottles of liquid of more than 100ml into the cabin.

Social media ‘must do more’ on terrorism

Social media companies “can and must do more” to prevent the spread of extremist material, the British government said on Friday. The call comes two days after four people died and dozens were injured in a terrorist attack in Westminster, the location of London’s Houses of Parliament.

Theresa May’s spokesman said that “the fight against terrorism and hate speech has to be a joint one”.

British lawmakers have been focusing on the big tech companies’ role in disseminating hate speech and information that fuels crime for some time: Yvette Cooper, a member of the opposition Labour party, recently told a committee of MPs that YouTube’s enforcement of community standards was “a joke”, and said that Twitter and Facebook “are incredibly powerful organisations … it’s time they used more of that power, money and technology to deal with hate crime and keep people safe”.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/97Fjr8M5OXU/