STE WILLIAMS

News in brief: carry-on gadgets ban from some countries; Android O preview lands; Hawking to space

Your daily round-up of some of the other stories in the news

US, UK ban laptops, tablets in carry-on bags

Passengers travelling from a number of Middle Eastern airports to the US and to the UK face sweeping bans on bringing electronic devices into the cabin with them, although the two countries’ bans are not consistent with each other.

Nine airlines including Emirates (pictured) were told on Tuesday by US authorities that their passengers from 10 airports in Saudi Arabia, Jordan, UAE, Qatar, Kuwait, Turkey and Morocco, would have to check their electronic devices.

The UK government’s ban affects direct flights from Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia. UK carriers operating from airports in those countries are covered by the British restrictions, including British Airways, the flag-carrier, as well as no-frills carrier EasyJet and charter airlines Monarch, Thomas Cook and Thomson. US airlines do not operate direct flights to the US from the affected countries, and so aren’t covered by the ban.

Both US and UK authorities said that the move was the result of a credible security threat, although there was speculation that the US ban was in part driven by political and commercial considerations.

The ban means any electronic device – laptops, Kindles, tablets – larger than an iPhone Plus can’t be carried into the cabin. It wasn’t clear how the ban on carrying lithium-ion batteries in the cargo hold of aircraft would be applied in the face of the new restrictions.

Google launches Android O preview

Google has released the first developer preview of its next version of Android, codenamed for now “Android O”. This is the second time that Google has launched a preview ahead of the official announcement of a new version of its mobile operating system, which has in previous years launched in the autumn.

The preview is available for those who like to get their hands dirty and don’t mind the risk of messing up a Nexus 5X, Nexus 6P, Nexus Player, Pixel, Pixel XL or Pixel C – though you can also run it in the official Android Emulator.

New features in Android O include moves to improve battery life, adaptive icons and a picture-in-picture feature. It’s not available yet as an over-the-air update: you’ll need to be comfortable with manually flashing a device to use it.

Will you be tinkering with this new version? Let us know what you find if you do.

Hawking set for flight into space

Professor Stephen Hawking, known for having a brain the size of a planet, may be confined to a wheelchair, but he’s all set to go into space thanks to an offer from entrepreneur Richard Branson.

Hawking told a British TV programme that Branson had offered him a seat on a future Virgin Galactic flight, and, said Hawking, “I said yes immediately.”

Hawking, who has ALS and relies on a computer to speak to people, has already experienced zero gravity: he joined a special flight in 2007 that gives passengers a few seconds’ experience by flying parabolic loops.

No date has been set for the Virgin Galactic flights, for which some 700 people have paid around $250,000 to reserve a place, but when they do get off the ground, they’ll be heading into suborbital space for five minutes of weightlessness.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IsRMLksE4e8/

Global spam volume goes back up to deliver huge pump-and-dump scam

A lot of people say you shouldn’t write headlines that contain questions.

Either you already know the answer, in which case you might as well say it outright, or you don’t, which means that your article isn’t going to help your readers figure it out.

But sometimes there isn’t much choice, as happened a month ago when we wrote an article entitled Global spam drops by more than half – now what?

What indeed?

Last month’s story documented a dramatic drop in spam that seemed to be down to a well-known botnet going silent, causing global spam volumes to fall dramatically:

That sounds like an unequivocal outcome, so why the question, “What next?”

The reason we asked is that the drop-off in spam didn’t seem to be down to anything that we had done as a community to diminish the size of the botnet:

Why [this botnet, known as Necurs] has gone quiet this time, and how long the “outage” will last, is unknown, as of course is when or if it will return to its former volume. [. . .]

We also know that the Necurs botnet isn’t completely dead, just very much quieter than it was. In other words, if your computer is part of the Necurs botnet, it’s still infected, it’s still awaiting instructions, and it could receive a command to wake up and start sending spam again in the future.

As far as we could tell, most of the people who had been infected just before the spam volume plummeted were still infected afterwards, leaving the crooks free to come back for more at any time.

In other words, the drop in spam rate seemed to be down to the crooks themselves.

Apparently, they took a break from spamming for an as-yet unknown reason that could range anywhere from going on vacation to lying low from law enforcement or some rival gang.

So, “what next” depended on whether we, as a community, took the trouble to check whether we ourselves were amongst the zombified users whose computers could well come back to haunt the internet in the future.

Back to the future

That future might now have arrived, with global spam volumes in the past 24 hours bouncing back up to about half the level of the peaks shown in the graph above.

Yesterday, the hourly spam rate topped out more than five times higher than what you might call the background spam rate above, making it look as though the “resting” Necurs zombies still out there and undetected have been called back into service.

Interestingly, this time it isn’t malware that’s being blasted out, but an old-school type of scam that we haven’t seen for a while, mainly because it didn’t work very well in the past: pump-and-dump.

Instead of phishing recipients into clicking malicious links, taking dodgy surveys or opening booby-trapped attachments, you talk them into buying shares:

The theory is that if you pick a cheap stock, concoct a believable story to talk it up, and buy in just before your victims start receiving their emails…

…then your initial bulk purchase will push the stock up a bit, add veracity to your claims that the stock will soon be flying, and encourage more and more victims to buy into the scam, pumping up the stock further and further.

When you’ve waited as long as you dare (you need to get out before word gets around amongst either the community or the regulators!), you dump your stocks for a tidy profit and leave your victims to find out whether their shares will hold their value or, more likely, settle swiftly back to their former levels or worse.

Did it work?

The timing of this scam was interesting.

InCapta, Inc (INCT), the company targeted in this scam, is what is often called a “penny stock”, listed by an alternative securities company in the USA called OTC, formerly Pink Sheets.

OTC’s most informal market is called OTC Pink, and it comes with some clearly-labelled risks:

The Pink Open Market offers trading in a wide spectrum of securities through any broker. With no minimum financial standards, this market includes foreign companies that limit their disclosure, penny stocks and shells, as well as distressed, delinquent, and dark companies not willing or able to provide adequate information to investors. As Pink requires the least in terms of company disclosure, investors are strongly advised to proceed with caution and thoroughly research companies before making any investment decisions.

But even a tiny amount of research into INCT would reveal it claims to be a media company that makes TV shows, amongst other things, and that on the day of this spam campaign, it apparently issued a press release of its own announcing a new weekly programme it would be doing.

Not a word about drones, or about cloud computing, or indeed about anything to corroborate the spammers’ claims at all.

At first sight, it looks as though the scam worked: the share price rose steeply at the start of 2017-03-20, closing at 13 cents on Friday but hitting 24 cents by 09:30 on the Monday morning.

The price then wandered back down to about 15 cents over the day’s trading:

With more than five million trades on Monday, the INCT shares were busier than they have been for the past year; ironically, however, only a small number of those trades happened at the peak price of 24 cents, which would have limited the amount of “dump money” that anyone could have extracted at that peak.

We suspect that spam recipients were also influenced by a dramatic 17-fold rise in INCT’s price just three months ago, where about two million trades happened at a price point of just 7.5 cents, followed by a rise over Christmas until the price had reached $1.31, very close to the spammers’ recent promises:

Someone may well have cashed out fairly tidily in January 2017 (we haven’t found evidence of an INCT stock spam at that time, in case you were wondering), and that part of the stock price graph may very well have convinced people that this week’s third-party claims offering 100% returns were legitimate after all.

What to do?

  • If it sounds too good to be true, assume that it is.
  • If it sounds illegal, assume that it is.
  • If it’s an unsolicited bulk email that swears you to secrecy…

…you and the other 30 million recipients, then, please…

Stop. Think. Before you connect. (Or, in this case, don’t connect.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ze4i0gyW6Fo/

Nest cameras can be easily blacked out by Bluetooth burglars

Updated Nest’s Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint.

The three vulnerabilities are in camera firmware version 5.2.1, and no patch is publicly available, we understand. Security researcher Jason Doyle, based in Florida, US, spotted the holes, and alerted Google-stablemate Nest about them in October – but there have been no software updates to correct the programming cockups. This month, Doyle went public with details of the flaws, including example exploits.

For the first bug, an attacker can trigger a buffer overflow in the camera by pinging it an overlong Wi-Fi SSID parameter via Bluetooth Low Energy (BLE). This causes the gadget to crash and reboot. The second flaw is similar, but in this case the miscreant sends a long Wi-Fi password parameter to the camera. This too will cause the camera to crash and restart, we’re told.

The third issue is more serious. The crook can send the camera a new Wi-Fi SSID to connect to, forcing it to disconnect from the current network, try joining the new SSID which presumably doesn’t exist, and reconnect to the previous wireless network about 90 seconds later. During this time, the device stops recording footage to its cloud-connected backend. Nest deliberately designs its cameras to use internet-hosted storage for video, not local storage, so any downtime is bad news.

By repeatedly exploiting these holes, a device is knocked offline and stops keeping a record of what it sees – thus rendering it rather useless as a remote security cam.

All of these flaws require the attacker to be in BLE range, but that’s not a problem for someone about to break into your house or office. The reported shortcomings highlight a serious design fault within the cameras that can’t be mitigated at the moment. Bluetooth is enabled by default in the cameras, and stays on at all times so the gadgets can be reconfigured over the air. This leaves them vulnerable to attack.

“As far as workarounds, since you can’t disable Bluetooth, I’m not sure there are any,” Doyle told The Register on Monday.

“There doesn’t seem to be any reason why [Nest] leaves Bluetooth on after setup unless they need it for future or current integrations. Some cameras like the Logitech Circle turn Bluetooth off after setting up Wi-Fi.”

Doyle said Google has acknowledged it had received his bug report, but, unusually, hadn’t let him know whether the flaws had been patched. Nest had no comment at time of publication. A source familiar with the matter said a patch has been prepared and will be pushed out shortly. ®

Updated to add

Nest has passed on the following comment:

Nest is aware of this issue, developed a fix for it, and will roll it out to customers in the coming days.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/21/nest_security_cameras_bluetooth_burglar/

Airplane bomb fears spark America’s laptop, tablet carry-on ban

Updated Fears of terrorists smuggling bombs disguised as laptops onto airplanes have triggered a fresh crackdown on carry-on luggage.

From today, passengers are banned from flying into the US from specific overseas airports if their carry-on luggage contains any devices larger than a mobile phone. The clampdown – introduced by American security officials – is a result of counterterrorism intelligence that suggests mass killers are trying to slip explosives into airplanes, it is claimed.

Electronic gadgets bigger than smartphones – such as laptops and tablets – must be left behind, or stowed in the hold, if you’re arriving from one of the listed airports. Presumably these alleged bombs are rigged to explode by hand, rather than by a timer, otherwise there’s not much point stashing them under the cabin.

News of the device ban broke on Monday although details were scant. Now senior US Homeland Security officials, who asked not to be named, have told The Register the rules follow fresh “evaluated intelligence.” This intel points to terrorists targeting flights using bombs hidden in electronic devices, we’re told. Specific details about any possible threats were not provided.

These latest restrictions, which do not have a set end date and do not apply to crew members, were characterized as necessary to enhance security at specific airports. The rules do not, therefore, apply to internal flights in America, and only apply to non-US carriers. Cellular phones and essential medical devices are exempt. Laptops, tablets, cameras, DVD players, and game players are among the types of electronic devices no longer allowed in airplane cabins.

The 10 airports affected by the US-levied ban are spread across eight countries: Queen Alia International Airport in Jordan; Cairo International Airport in Egypt; Istanbul Atatürk Airport in Turkey; King Abdulaziz International Airport in Saudi Arabia; King Khalid International Airport in Saudi Arabia; Kuwait International Airport in Kuwait; Mohammed V International Airport in Morocco; Hamad International Airport in Qatar; Dubai International Airport, in the United Arab Emirates; and Abu Dhabi International Airport, in the United Arab Emirates. Contrary to previous reports, the crackdown affects only travelers flying to the US from these airports.

Airlines that must obey the new rules, because they run flights from the above airports to America, include: Royal Jordanian Airlines, Egypt Airlines, Turkish Airlines, Saudi Arabian Airlines (Saudia), Kuwait Airways, Royal Air Maroc, Qatar Airways, Emirates, and Etihad Airways.

Royal Jordanian Airlines jumped the gun on Monday by advising passengers via Facebook that “carrying any electronic or electrical device on board in the flight cabins is strictly forbidden.” The carrier said the new rules will be enforced on Tuesday, March 21, 2017. A staffer reached by phone yesterday confirmed the ban. “We received an email from the TSA,” the worker told El Reg.

Saudi Arabia’s Saudia Airlines has also acknowledged the ban with a notice to passengers that specifically mentions Kindles and iPads, as well as laptops. The affected airlines were given 96 hours to get up to speed with the new policy. ®

Updated to add

The UK has joined the US ban, applying similar device restrictions to flights into Blighty from all airports in these six countries: Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia.

Meanwhile, America’s Homeland Security has published online an FAQ about the new luggage rules.

“The US Government is concerned about terrorists’ ongoing interest in targeting commercial aviation, including transportation hubs over the past two years, as evidenced by the 2015 airliner downing in Egypt, the 2016 attempted airliner downing in Somalia, and the 2016 armed attacks against airports in Brussels and Istanbul,” the document states.

“Evaluated intelligence indicates that terrorist groups continue to target commercial aviation, to include smuggling explosive devices in various consumer items.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/21/tsa_laptop_ban_latest/

World’s worst botnet fiends switch from ransomware to stock scam spam

Cybercriminals behind the Necurs botnet have reactivated the zombie network and returned to their original business of using compromised machines as conduits for spam distribution.

In January, Cisco Talos reported that the Necurs botnet had gone offline, taking the typical volume of Locky ransomware-tainted spam emails with it.

Security researchers have once again detected an uptick of spam email from the Necurs botnet over recent days. Rather than distributing malware in the form of malicious attachments, it has shifted back to sending high volumes of penny stock pump-and-dump messages.

Necurs was abused to run a similar campaign in December 2016, shortly before the botnet went offline for an extended period. “This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet,” according to Cisco Talos.

A complete analysis of this Necurs activity can be found in a blog post by Cisco Talos here. Necurs is reckoned to be the largest spam botnet in the world, so changes in its behaviour can have a big effect in the type and volume of junk hitting inboxes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/21/necurs_botnet_spam_surge/

Now UK bans carry-on lappies, phones, slabs on flights from six nations amid bomb fears

The UK has banned airline passengers on direct inbound flights from six countries in the Middle East and North Africa from taking a range of electronic devices into the cabin due to fears of a terrorist attack.

The decision, which mirrors a ban by the US Homeland Security from today and which was also based on intelligence that radicals are allegedly targeting flights, is being relayed to UK and foreign carriers.

“The safety of the travelling public is our highest priority,” a UK Government spokesman told The Register. “That is why we keep our aviation security under constant review and put in place measures we believe are necessary, effective and proportionate.”

Under the arrangement, any phones, laptops or tablets larger than a “normal sized mobile or smart phone” – 16cm (6.3in) length, 9.3cm (3.6in) width and a depth of 1.5cm (0.6in) – will need to be placed in hold luggage and checked in before a passenger goes through central security.

Inbound direct flights to the UK from Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia will be impacted by the restriction.

UK carriers affected include British Airways, EasyJet, Jet2.com, Monarch, Thomas Cook and Thomson. Foreign carriers include Turkish Airlines, Pegasus Airways, Atlas-Global Airlines, Middle East Airlines, Egyptair, Royal Jordanian, Tunis Air and Saudia.

“The additional security measures may cause some disruption for passengers and flights, and we understand the frustration that will cause, but our top priority will always be to maintain the safety of British nationals,” the UK Government spokesman said.

He added the British authorities had been in “close touch” with their US counterparts to get a handle on their position.

The restrictions in the US also cover DVD and game players, as well as cameras. Cellular phones and medical devices are exempt.

The US administration voiced concern about ongoing threats to commercial aviation, using the Russian plane that was downed in Egypt and one in Somalia as cause for concern, along with the attacks at airports in Belgium and Istanbul.

El Reg asked the UK Government to detail when the ban starts and ends and we will update the story when we hear from them. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/21/uk_bans_devices_from_six_countries/

What should password managers not do? Leak your passwords? What a great idea, LastPass

Password vault LastPass has patched critical security flaws that malicious websites could exploit to steal millions of victims’ passphrases.

The programming cockup was spotted by Tavis Ormandy, a white-hat hacker on Google’s crack Project Zero security team. He found that the LastPass Chrome extension had an exploitable content script that evil webpages could attack to extract passwords from the manager.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website would be enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy could be exploited by tricking it into granting access to the manager’s internal data. It can also be potentially abused to execute commands on the victim’s computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage.

“This script will proxy unauthenticated window messages to the extension. This is clearly a mistake,” Ormandy explained in a bug report today.

“This allows complete access to internal privileged LastPass RPC [remote procedure call] commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc).”

All that’s needed to exploit the vulnerability are two simple lines of JavaScript code, which Ormandy supplied:

win = window.open("https://1min-ui-prod.service.lastpass.com/");
win.postMessage({}, "*");

LastPass’s fix for the Chrome extension issue was to quickly disable 1min-ui-prod.service.lastpass.com. The password manager developer has experience with Ormandy after he found another flaw in its code last year that could compromise a punter’s passwords just by visiting the wrong website.
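The defect Ormandy describes is a relay that forwards window messages without checking where they came from. As an added example that is not LastPass’s code, the following JavaScript puts that unchecked relay beside a version that validates event.origin against an allow-list, checks the message shape, and refuses to forward anything except a small set of non-privileged commands. The origin list, the harmless command names, and the function names are assumptions for illustration; only the RPC names copypass and fillform come from the article.

```javascript
// Added example, not LastPass code. The article's bug: a content script that
// forwards ("proxies") any window message to the extension, so any page that
// can reach the extension's window can drive privileged RPCs.
// TRUSTED_ORIGINS, PAGE_ALLOWED_COMMANDS and the function names are
// assumptions for illustration; "copypass" and "fillform" are the privileged
// RPC names quoted in the article.

const TRUSTED_ORIGINS = new Set(["https://lastpass.com"]); // assumed allow-list
const PRIVILEGED_RPCS = new Set(["copypass", "fillform"]);
const PAGE_ALLOWED_COMMANDS = new Set(["ping", "version"]); // assumed harmless commands

// Vulnerable pattern: whatever arrives is handed to the extension unchanged.
// postMessage(data, "*") from any origin reaches this, including a page that
// opened the extension's UI with window.open() as in the two lines quoted above.
function relayUnchecked(event, forward) {
  forward(event.data);
  return { forwarded: true, reason: null };
}

// Hardened pattern: check who sent it, what it looks like, and what it asks for.
function relayChecked(event, forward) {
  // 1. Origin allow-list. event.origin is set by the browser and cannot be
  //    forged by the sending page, unlike anything inside event.data.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { forwarded: false, reason: "untrusted-origin" };
  }
  // 2. Shape check: reject anything that is not an object carrying a string command.
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.cmd !== "string") {
    return { forwarded: false, reason: "malformed" };
  }
  // 3. Command allow-list: privileged RPCs are never reachable from page
  //    messages, and unknown commands are dropped rather than forwarded.
  if (PRIVILEGED_RPCS.has(data.cmd) || !PAGE_ALLOWED_COMMANDS.has(data.cmd)) {
    return { forwarded: false, reason: "command-not-allowed" };
  }
  // Forward a freshly built object, not the attacker-controlled one.
  forward({ cmd: data.cmd, args: data.args });
  return { forwarded: true, reason: null };
}

// Inside a real content script the hardened relay is wired up like this; the
// guard keeps the file loadable outside a browser (for example under node).
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime) {
  window.addEventListener("message", (event) => {
    relayChecked(event, (msg) => chrome.runtime.sendMessage(msg));
  });
}
```

The origin check alone would have stopped the two-line demonstration, because the message comes from the attacker’s page, not from a LastPass origin; the command allow-list is the second layer, so that even a trusted page cannot reach copypass or fillform through a window message.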

“We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement,” Joe Siegrist, cofounder and VP of LastPass, told The Register.

“We have made our LastPass community aware of the report made by Tavis Ormandy and have confirmed that the vulnerabilities have been fixed. We were notified early on – our team worked directly with Tavis to verify the report made, and worked quickly to issue the fix. As always, we recommend that users keep their software updated to the latest versions.”

And now its Firefox add-on

It has been a busy weekend for LastPass software engineers. Late last week, Ormandy found another LastPass vulnerability, this time in its Firefox extension. Again, the vulnerability could be exploited by malicious webpages to extract passwords from the manager.

That extension bug has been addressed, we’re told, but the security patch won’t be pushed out to people until the update is approved by Firefox-maker Mozilla. “The team has already issued a patch to fix [version] 3.3.2 and that updated version is currently in the Mozilla review process,” a LastPass spokeswoman said. She also said the 3.x branch of the add-on is being retired, and people should move onto the version 4.x family.

As we’ve said in the past, keep your password managers up to date. They’re like any other software, and all software is exploitable. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/

New Metasploit Extension Available for Testing IoT Device Security

RFTransceiver extension for the Metasploit Hardware Bridge API will let organizations detect and scan wireless devices operating outside 802.11 spec.

Enterprise security teams and penetration testers now have a new tool for evaluating the risks posed to their networks from Internet of Things (IoT) devices that are operating on radio frequencies outside the standard 802.11 specification.

Rapid7, the owner of the Metasploit Project, has released an extension to its recently introduced Hardware Bridge API for conducting pen tests on network-connected hardware.

The new RFTransceiver extension for the Metasploit Hardware Bridge is designed to let organizations identify and assess the security state of multi-frequency wireless devices operating on their networks more effectively than current tools permit.

The RFTransceiver gives security pros the ability to craft and monitor different RF packets for identifying and accessing a company’s wireless systems beyond Ethernet-accessible technologies, said Craig Smith, a research lead at Rapid7, in a blog post.

It allows pen testers to create and direct “short bursts of interference” at such devices to see how they respond from a security standpoint.

Many organizations already have devices and systems operating on radio frequencies outside 802.11 on their networks. Examples include RFID readers, smart lighting systems using the Zigbee communication protocol and network-enabled alarm, surveillance, and door control systems.

The RFTransceiver extension is designed to help organizations with such devices answer vital questions, such as the operating range of the devices, whether they are encrypted, how they respond to outside interference, and how they fail.

“The most obvious threat is the unauthorized access to the information that those devices have access to,” says Tod Beardsley, director of research at Rapid7, in comments to Dark Reading.

A smart lighting system, for instance, may have both a custom RF component and a traditional WiFi component, and therefore may be subverted by an attacker on the RF side to get access to the WiFi side, he says.

“In addition, many RF-enabled devices fail to serialize or otherwise make sure that each request and response is unique,” Beardsley says. This makes them vulnerable to issues like replay attacks where an attacker records a command sent out over RF and then plays it back. “When the device controls a physical lock, that’s bad news,” he says.

With organizations expected to connect a constantly growing range of wireless IoT devices to the network over the next few years, RF testing capabilities have become vital.

“It’s an area of focus that is still pretty specialized, so the idea was that if we could package this up in a familiar Metasploit context, we could bring more researchers into the world of RF assessments,” Beardsley says.

With so many pen testers and security professionals already familiar with Metasploit, the learning curve for using tools like the new extension is considerably flattened as well, he says.

John Kronick, a director at cloud services company Stratiform, says there are a few products currently available that are designed to sniff out IoT devices operating at different frequencies.

As one example, he pointed to Bastille, a company that sells products to help organizations sense RF devices on the network, to identify them and accurately determine the location of such devices on the network. Bastille touts its technology as being capable of identifying devices operating on frequencies ranging from 60MHz to 6GHz.

“Adding another tool that has penetration testing capabilities would be a huge boost to the security practitioner’s arsenal,” Kronick says.

The new extension further broadens the use cases for Metasploit, a tool that vulnerability researchers and penetration testers have long used to probe for software flaws, to execute exploits and simulate attacks.

The Hardware Bridge API that Rapid7 announced last month made Metasploit the first general-purpose pen-testing tool that can also be used to test for vulnerabilities in hardware and physical devices.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/threat-intelligence/new-metasploit-extension-available-for-testing-iot-device-security/d/d-id/1328452?_mc=RSS_DR_EDT

Park uses facial recognition to wipe out toilet paper thieves

Do you really need more than 60cm of toilet paper to do your business?

You do? Really… Really? Well, you better get ready to register as a potential exploiter of the free public utility that is toilet paper if you plan to visit Beijing’s Tiantan Park anytime soon.

As the International Business Times reports, the park has installed six wall-mounted machines in its public bathrooms.

The machines are equipped with high-definition cameras to scan people’s faces for three seconds before rolling out a limited strip of paper. The purpose: to thwart toilet paper thieves.

According to the Guardian, the automated facial recognition dispensers were installed due to elderly residents removing large amounts of toilet paper for use at home.

After a two-week trial period, the park has enjoyed a 20% reduction in daily toilet paper use. The saving has reportedly meant that visitors are now enjoying an upgrade from one- to two-ply tissue, Euro News reports.

The park’s loo is one of the busiest in Beijing. Tiantan Park is where emperors of the Ming Dynasty (1368-1644) and Qing Dynasty (1644-1911) held the Heaven Worship Ceremony. As such, the park is home to the Temple of Heaven, considered the largest and most representative existing masterpiece among China’s ancient sacrificial buildings, according to Travel China Guide.

And of course, like all public toilets, the park’s restroom is just as important a temple to those in need. But if your digestive system isn’t behaving with decorum, you’ll have to wait nine minutes until the machines allow you to reapply for another facial scan – sans hats and glasses – and another 60cm of relief.

Serial paper requesters will be denied. There are no details readily available about exactly what cumulative length of paper constitutes “too much”.

Euro News quoted one user on Sina Weibo – a Chinese version of Twitter – who wasn’t too happy about the privacy implications.

I thought the toilet was the last place I had a right to privacy, but they are watching me in there too.

…while IBT quoted another Weibo user with the understatement of the week:

I am a bit uncomfortable about being watched in such places.

The machines, which have slowed things up as it is, have already broken down. Software malfunctions have reportedly forced users to wait over a minute to get what they need: a predicament for those whose need is urgent.

But a park spokesman has assured visitors that staff are on hand to provide paper for people experiencing emergencies.

Should we worry about yet more facial recognition being foisted upon us, when we have little choice but to subject ourselves to it?

As it is, London is notorious for its plethora of CCTV coverage. Police in Dubai at one point added facial recognition to Google Glass to connect a Glass-wearing cop to a database of wanted people.

But at least when law enforcement or spy agencies hoard data, they’re more or less accountable to laws stipulating how data can be stored and used. We’ve seen private companies get in on the game as well, though, and they’re not subject to the same oversight.

For example, we saw a company called Placemeter offer New Yorkers up to $50/month to keep their phones attached to their apartment windows and to keep the Placemeter app running, so that it could use the real-time data to collect and deliver information such as how crowded a place is, how long the wait is, and whether it will get more or less crowded in the next hour.

And that’s not all. We’ve also seen spying rubbish bins in London: rubbish and recycling bins set up to identify and remember people’s smartphones, and thereby the movements and habits of their owners as they walked by – rather like how web pages monitor site traffic.

Yet again, Beijing’s facial recognition in exchange for toilet paper is surveillance run amok. So much for the sanctity of the throne in the Temple of Heaven.

Want to avoid the whole thing? When in Beijing, turn to the Temple of the Large Purse with the Stash of Your Own Paper!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xShhGIBoW2o/

Russian bank claims hackers are trying to connect it to Trump

If you find the phenomenon of fake news dizzying, try “fake traffic” for size.

Last year nobody gave either much thought: now, they have starring roles in the increasingly serious stand-off between the US and Russia about the latter’s connections to an alleged hacking-for-Trump campaign.

In a strange new plot twist, Russia’s Alfa Bank last week released a furious statement that claimed someone “using an identified US-based service provider” has been generating spoofed traffic between its servers and those of the Trump Organization to foment suspicion:

Alfa Bank believes that these malicious attacks are designed to create the false impression that Alfa Bank has a secretive relationship with the Trump Organization. In fact, there is not and never has been such a relationship.

Specifically, hackers recently directed a stream of DNS lookups to Trump Organization servers spoofed to look as if they’d come from Alfa Bank. Those requests were then incorrectly “returned” to Alfa Bank, whose security systems marked them as bogus.

The fake traffic also showed signs of manual intervention, which is unusual for a DNS system that functions automatically:

Indications of human intervention include the fact that the queries occurring in these logs included mixed uppercased and lowercased letters.
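The mixed-case indicator quoted above is something a defender can screen for in their own resolver logs. The following is an added example, not code from the article, Alfa Bank or Mandiant; it assumes a simple constructed "timestamp client qname qtype" log layout and flags query names that mix upper- and lower-case letters, alongside a per-client count to spot a stream of lookups from one source.

```python
import re
from collections import Counter

# Constructed sample log lines (hypothetical layout, not a real vendor format).
SAMPLE_LOG = """\
2016-10-01T10:00:01Z 203.0.113.5 mail1.example.com A
2016-10-01T10:00:02Z 203.0.113.5 mail1.example.com A
2016-10-01T10:00:03Z 203.0.113.5 Mail1.Example.com A
2016-10-01T10:00:04Z 203.0.113.5 MAIL1.example.com A
2016-10-01T10:00:05Z 198.51.100.7 www.example.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def is_mixed_case(qname):
    """True when the query name contains both upper- and lower-case letters.

    Automated lookups are overwhelmingly lower-case, which is why the statement
    treats mixed case as a sign of a human typing queries. Caveat: resolvers that
    apply DNS 0x20 case randomisation produce mixed case legitimately, so treat a
    hit as a lead to investigate, not as proof of manual intervention.
    """
    letters = [c for c in qname if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def find_mixed_case_queries(text):
    """Return (client, qname) pairs for every mixed-case query in the log."""
    return [(client, qname) for _, client, qname, _ in parse_log(text)
            if is_mixed_case(qname)]


def queries_per_client(text):
    """Count queries per client address to surface a stream of lookups from one source."""
    return Counter(client for _, client, _, _ in parse_log(text))
```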

Alfa’s statement comes only months after the FBI was first reported to have investigated the same “mysterious” back channel server chatter between the company’s and Trump’s servers. Annoyed, Alfa Bank hired cyber-sniffers Mandiant to comb its logs for incriminating evidence. The US company concluded:

The information presented is inconclusive and is not evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump campaign or Organization.

The cry of a bystander caught in crossfire or a canny attempt to pre-empt further embarrassing revelations?

With supposed links to Vladimir Putin, Alfa is certainly a good target for anyone wanting to create a false flag that might help discredit a President Trump already fighting a stream of Russian-themed accusations.

But DNS traffic is pretty weak evidence that could just as easily have been generated by innocent activities such as, say, employees at Alfa Bank visiting the campaign website of a man who was at the time running for president.

Even traffic in the other direction – from inside the Trump Organization to Alfa banking servers – would hardly be conclusive without an independent forensic investigation at both ends of the exchange. Phrases like “DNS traffic” are meaningless without context.

Clearly, though, the idea of cyber-attribution is suddenly back on the table. Spooks, cybercriminals and some security vendors normally dislike this because it’s hard to be certain who carried out an attack. On rare occasions where evidence points to a culprit, there are often national intelligence reasons to keep quiet.

The Trump and Russia controversy seems to have changed the calculus. Blaming someone in gory detail is suddenly worth the hassle – as is deflecting blame, talking up false flags, and fake traffic. The Alfa affair looks set to be a rerun of the tedious Cold War Russian doll metaphor where no-one can ever be sure they’ve reached the final piece.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MwULz6ucy50/