STE WILLIAMS

NSA hacking chief’s mission impossible: Advising White House on cybersecurity

NSA hacking crew bossman Rob Joyce is set to join US President Donald Trump’s National Security Council as a cybersecurity adviser.

Joyce headed up the NSA’s Tailored Access Operations division, the spy agency’s elite computer exploitation squad.

Whispers have been sloshing around since the weekend that Joyce was tapped to shape cybersecurity policy for the Trump administration. On Wednesday morning, at the Cyber Disrupt 2017 conference in Washington DC, White House aide Thomas Bossert went on stage and confirmed the rumors are true.

“I’d like you to welcome Rob Joyce as he joins the White House National Security Council team … We will welcome Rob as soon as the process works its way through,” said Bossert, who advises the President on homeland security and counterterrorism. You can watch the conference unfold live here, by the way.

The US National Security Council is supposed to brief the president on foreign policy and, well, national security issues. It’s chaired by the prez, has the secretaries of state, defense and energy on board, plus military and intelligence advisers. The council is at the center of ongoing political drama: the Chairman of the Joint Chiefs of Staff and the Director of National Intelligence were relegated from the council’s Principals Committee, and White House Chief Strategist Steve Bannon was controversially installed by Trump. Now Donald has overruled a move to sideline an intelligence operative from the council – an operative backed by Bannon and Jared Kushner, Trump’s real-estate investor son-in-law.

All in all, Joyce joins a group that should be strictly business but instead finds itself snagged again and again in political chess games. It’s still not clear where ex-New York City mayor Rudy Giuliani fits in all of this: he was supposed to be a cybersecurity tsar to the president.

“It’s a big responsibility,” said Fleming Shi, SVP of advanced technology engineering at Barracuda, of Joyce’s appointment, “but critical to our national security to create a true partnership between private industry and the government. Not just consulting and regulating, but real collaboration.”

Meanwhile, former Senator Dan Coats (R-IA) today got the green light from the US Senate to take up the role of Director of National Intelligence. He was handpicked by Trump for the position. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/15/white_house_cyberczar/

Russian! spies! ‘brains! behind!‘ Yahoo! mega-hack! – four! charged!

Two Russian spies and two hackers were the miscreants who broke into Yahoo!‘s servers and swiped at least 500 million user account records.

That’s according to the US Department of Justice, which today indicted [PDF] four men – including two senior officers in the FSB, the Russian Federal Security Service born from the Soviet-era KGB.

In a joint statement, Attorney General Jeff Sessions and FBI Director James Comey claimed Russian agent Dmitry Dokuchaev and his boss Igor Sushchin “protected, directed, facilitated and paid” two hackers to ransack Yahoo!‘s systems. The team then used information purloined from the US biz’s servers to spy on American and Russian government officials, journalists, and computer security professionals, we’re told.

(Slightly bafflingly, Dokuchaev was arrested in December last year, and charged with high treason. He allegedly leaked files to the CIA. The plot thickens.)

“Today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts,” Sessions said today. “The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”

The indictment states that in 2014, Dokuchaev and Sushchin hired Latvian hacker Alexsey Belan, aka “Magg,” 29, who was already on the FBI’s Most Wanted list with a $100,000 bounty on his head, and Karim Baratov, aka “Kay,” 22, a Kazakh national and resident of Canada, for the Yahoo! incursion.

According to the charges, in November and December 2014, Belan penetrated Yahoo!‘s corporate security and stole at least a chunk of its user account database that included enough information to mint account authentication cookies for Yahoo! email inboxes – meaning the miscreants could use these cookies to log into Yahoo! accounts, rifle through their documents and messages, and masquerade as strangers, without having to crack or type in a login password.

Belan is also accused of gaining unauthorized access to Yahoo!‘s internal account management tool, which is used to create, manage, and log changes in accounts.

The FSB officers are accused of monitoring and advising on the operation using information from their own government hacking teams and telling Belan what accounts they wanted access to. The indictment says 6,500 targeted accounts of Russian and US government officials, foreign intelligence and law enforcement service staff, journalists, and “employees of a prominent Russian cybersecurity company” were accessed by the FSB.

These accounts were mined for information and passwords that could be of use to the FSB, according to US claims. But Belan is also accused of running a little side business of his own while romping through Yahoo!‘s poorly protected servers.

“The indictment unequivocally shows the attacks on Yahoo! were state-sponsored,” said Chris Madsen, assistant general counsel and head of global law enforcement at Yahoo!. “We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime.”

The indictment states that Belan dug into accounts on his own, looking for credit card and gift card details. As many as 30 million accounts were scanned in this way and he was also able to “earn commissions from fraudulently redirecting a subset of Yahoo!‘s search engine traffic,” the US claims. The contacts were then sold to a spammer service for an additional profit for Belan.

That would certainly fit with FBI information on Belan. In 2013 Belan made it to the FBI’s Most Wanted list after accusations that he hacked three major US e-commerce companies in California and Nevada and used the information for fraud and identity theft. The FBI put a $100,000 bounty on his head but found no takers.

Today’s statement claims that Belan was arrested in Europe in June 2013 but “was able to escape to Russia before he could be extradited.” Since then he has been operating in Russia under the protection of the FSB, Sessions said.

“Today we continue to pierce the veil of anonymity surrounding cyber crimes,” said Director Comey. “We are shrinking the world to ensure that cyber criminals think twice before targeting US persons and interests.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/15/fsb_agentsindicted_yahoo_megahack/

Why are creepy SS7 cellphone spying flaws still unfixed after years, ask Congresscritters

Two of the most technically literate US politicians want to know why America’s Homeland Security is dragging its feet over SS7 security flaws in our mobile phone networks.

The Signaling System 7 protocol is used to, among other things, interconnect cellphone networks. It was developed in the 1980s and has virtually no security defenses built in. Exploiting its design weaknesses to obtain a victim’s location, harvest their messages, and listen in on calls was demonstrated in 2014 – although, like similar attacks, it requires access to a telco’s internal infrastructure.

That raises the barrier of entry for attackers, but not high enough to shut out state-level spies, determined miscreants with similar resources, or corrupt insiders. It essentially means, for example, a carrier in Africa or the Middle East could compromise networks in Europe and America, and vice-versa.

Last year, a security firm successfully demonstrated how SS7 could be manipulated using a low-cost Linux-based computer and a publicly available SDK – although, again, you need to be inside the telecoms infrastructure to do this [white paper PDF p5].

On Wednesday, Senator Ron Wyden (D-OR) and Representative Ted Lieu (D-CA) sent an open letter [PDF] to Homeland Security Secretary John Kelly asking for an update on its progress in addressing the SS7 design shortcomings. It also asks why the agency isn’t doing more to alert the public about the issue.

“We suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones,” the letter states. “We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance.”

One good reason not to put the frighteners on the public is because there’s not much people can do about it. This is a network-level problem, and it doesn’t matter if you’re running a super-hardened phone or a cheap Chinese knockoff – they are equally vulnerable. There have been no mass hacks using SS7 reported, so it’s not as though script kiddies are running around listening to strangers’ calls and stealing two-factor authentication tokens.

Network operators complain that fixing SS7 is a very difficult and expensive process but they are working on it. Some have suggested that the reason SS7 is still around is because the intelligence community loves it and wants to keep the surveillance opportunities it affords.

Speaking of spying

Senator Wyden also took to the floor of the US Senate today to ask why he’s still waiting to find out how many Americans have been caught up in the surveillance dragnet being run by the NSA, six years after he first asked for the information.

The issue is with the use of Section 702 of America’s Foreign Intelligence Surveillance Act (FISA), which is up for renewal at the end of the year. Section 702 allows the security services to monitor any non-US citizen’s communications in the US national interest, but Wyden is concerned at how many Americans are being spied on under the auspices of the legislation.

“Congress and the American people deserve a fully informed debate about this reauthorization. And we can’t have that debate unless we know the impact of Section 702 on the privacy and constitutional rights of Americans,” Wyden said.

“So the key question is, and has always been: how many law-abiding Americans are having their communications swept in all that collection? Without even an estimate of that number, there is no way to judge what Section 702 means for the civil liberties of Americans.”

Wyden and other senators first asked for this information back in 2011, then again in 2012 and 2014, but have heard nothing back. Based on past experience, he shouldn’t hold his breath expecting a response from the new political administration. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/15/ss7_cellphone_spying_flaw_still_unfixed/

Twitter Counter Hack Uses Familiar Attack Mode

Experts advise users to be more aware of the potential downside of third-party apps.

Turkey’s rift with Holland and Germany became worldwide technology news today when it was reported that thousands of Twitter accounts – some of them high-profile such as Forbes’, Amnesty International’s and even Justin Bieber’s – were hacked via a compromise of the third-party analytics app Twitter Counter.

Experts speculate that the attacks are a reprisal for recent moves by both countries to deny permission for Turkish ministers to speak about a forthcoming Turkish referendum on presidential powers at local rallies of Turkish expatriates in those European countries.

According to The Guardian, the attackers used Twitter Counter’s permissions to post anti-Fascist tweets in Turkish that used hashtags such as #NaziGermany, #NaziNetherlands and “see you on #April16,” the date when Turkey plans to hold the referendum. The tweets also linked to a pro-President Tayyip Erdoğan video on YouTube.

Security experts were not surprised by the hack, and warned users that they need to be more careful about using third-party social media applications.

“People have to be careful about the ability of third-party apps to post on your behalf because you can’t assume that the third-party app is as secure as the mother ship,” says Michael Patterson, CEO of Plixer International. “Consumers have to understand that by gaining big data analytics they are giving up the privacy of their information.”

Patterson says users should log off social media apps such as Facebook, Twitter, and LinkedIn after every session, pointing out that even though they could still be hacked in the event of a major push by an attacker, logging off still “hedges their bets in case your account is compromised.”

Nathan Wenzler, chief security strategist at AsTech, adds that many hacks follow this type of attack sequence, saying that it’s easier to break into something less defended, which already has access to where you want to ultimately break in than it is to go after the well-protected application directly.

“Using a flaw in Twitter Counter to then gain access to accounts which live in Twitter absolutely follows an attack chain I would expect,” he explains.


Wenzler says users need to review which applications they have connected to their Twitter account, adding that they should remove any they don’t use or trust. He also advises making sure users review their Twitter feed regularly to ensure that no tweets are being posted that they are not aware of.

“Unusual messages are an immediate [sign] that someone has gotten control of your account,” Wenzler says. “And be sure you use a strong, complex password for your account that isn’t the same password that you use elsewhere and change it on a regular basis.”

In response to the news, Twitter issued the following statement: “We are aware of an issue affecting a number of account holders. Our teams worked at pace and took direct action. We quickly located the source which was limited to a third party app. We removed its permissions immediately. No additional accounts are impacted. Advice on keeping your account secure can be found here.”


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/attacks-breaches/twitter-counter-hack-uses-familiar-attack-mode/d/d-id/1328410?_mc=RSS_DR_EDT

Trust Begins With Layer 1 Encryption

In today’s distributed environment, cloud and communication service providers can play a key role in providing organizations with a scalable and secure platform for the connection of everything to everything. Here’s how.

At which network layer should we handle security of in-flight data? Some argue the application layer is most appropriate because this is where the user’s personal data, semantics and security requirements reside. Others argue that security should start in the network and physical layers, protecting even the protocol information involved in moving data — implementing encryption as deeply as possible, even at Layer 1. This is particularly true for Internet of Things (IoT) traffic where data generated is never at rest.

Depending on security requirements, both are correct. Security at different levels can be complementary and collectively enhance security. Cybercrime is now costing companies over $400 billion annually. According to Gemalto’s breach level index, since 2013, security breaches have resulted in the loss or theft of an estimated 5.9 billion data records from enterprises worldwide. That’s about 47 records every second. Of course, if records are encrypted, stolen information is useless. But that is only happening 4% of the time! So, while application layer security is a great idea, other layers of protection are also needed.

Regulated industries, such as healthcare and financial services, suffer the most costly data breaches due to fines and a higher-than-average rate of lost business. Last year, the average cost per incident was $4 million, according to a 2016 Ponemon Institute study. Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve.


Enterprises have traditionally relied on perimeter security in the form of firewalls, DMZs and other technologies. However, as they turn increasingly to cloud-based enterprise services, perimeter security is no longer sufficient. Their enterprise-critical data is distributed far beyond the organization’s boundaries. But doesn’t this evolution from enterprise perimeter security to wide-area networking and cloud services increase the degree of risk for enterprises?

Contrary to some opinion, this move to the cloud is likely to make most enterprises more secure. It is important to remember that Layer 1 security starts with ensuring the physical security of all the various network elements and facilities. Communication Service Providers (CSPs) and cloud providers are better equipped than most enterprises to ensure the physical security of their infrastructure, yielding an improvement to overall security. CSP network elements, for instance, are more tamper-resistant and difficult to deactivate or bypass than their enterprise counterparts. Also, the CSP can ensure the availability of network services with a robust assurance function that can provide the enterprise customer with much greater security than the typical enterprise network provides. It is a similar situation in cloud data centers.

With better physical security for network infrastructure and higher availability and uptime for network resources, the next level of protection is through network traffic encryption. Best practices call for a holistic security approach that includes a multi-layered, “defense-in-depth” strategy.

Encryption is costly at higher network layers. Layer 1 encryption reduces the cost per encrypted bit by integrating the encryption function into the transport system. Encryption at higher layers also adds significant overhead and data stream latency. In contrast, Layer 1 encryption adds almost no additional overhead or latency to the transport process. Hardware-based Layer 1 encryption solutions enable very high bandwidth with encryption of 10 or 100 Gbps wire speeds and higher. This is especially critical for services that require real-time traffic management to uphold service level agreement (SLA) requirements for application disk access and rich content delivery such as video and voice calls.

Of course, the encryption algorithm must rely on strong, quality keys. For “top secret” data requiring 256-bit strength, a strong AES-256 algorithm with 256-bit key size should be used. And the keys should come from a key generator that produces a truly random, quality key to match the strength of the encryption algorithm.

Key management, exchange and authentication can be labor-intensive and cumbersome when there are many separate encryption devices and encryption streams to manage. By centralizing key management, the CSP can ensure a single point of trust and consistent policy enforcement. It also streamlines administration by allowing updates to be made once, and cascaded automatically across the network. This enables single-point key revocation and one-point-to-force, multi-tenant synchronized key rotations.

Enterprises should feel more confident about distributing their applications across the wide area and utilizing cloud-based services. The new distributed, cloud model is changing many aspects of our digital world, perhaps none more so than the key role that CSPs play to provide a global, scalable and secure platform for the connection of everything to everything. Layer 1 security is the foundation for confidence and trust in securing data while in-flight.


Hector is focused on optical networking solutions. In this role, he develops and markets service provider solutions on topics including mobile fronthaul, mobile backhaul, and secure optical transport. Hector has over 25 years of telecommunications experience and has held a …

Article source: http://www.darkreading.com/perimeter/trust-begins-with-layer-1-encryption-/a/d-id/1328388?_mc=RSS_DR_EDT

Women Still Only 11% Of Global InfoSec Workforce

Career development and mentorship programs make women in cybersecurity feel more valued, increase women’s success.

Women’s share of the global cybersecurity workforce remains stagnant at just 11 percent, according to the 2017 Women in Cybersecurity Report, co-authored by The Executive Women’s Forum on Information Security, Risk Management and Privacy (EWF) and the Center for Cyber Safety and Education, which partnered with (ISC)2. The report is based on survey responses from over 19,000 information security professionals in 170 countries.

Report co-author and EWF founder Joyce Brocaglia says the most important finding of the report is that “it isn’t just one thing” causing the persistent shortage of women in information security, but rather a “confluence of events.”


The findings, says Brocaglia, show that women are underrepresented, are paid less than their male colleagues, feel undervalued, and feel discriminated against. “That’s what’s leading to this stagnation.” 

The shortage is severe in North America, with only 14 percent of the infosec workforce composed of women, but even more striking elsewhere; women only claim 7 percent of the workforce in Europe, 8 percent in Asia, and 5 percent in the Middle East, according to the report.  

“Common sense should tell you we should be doing more about this,” says co-author and EWF executive director Lynn Terwoerds, noting that in order to solve the cybersecurity skills shortage, the industry must do a better job of engaging the female population.

In general, the underrepresentation extends to cybersecurity management, but women were beginning to fare better when it comes to obtaining positions at the very top: while men are nine times more likely to hold managerial positions, they are only four times more likely to hold C-level or executive positions. 

However, those high-level positions for women come at a price; the survey found that the higher a woman rises in an organization, the more discrimination she experiences in the workplace, rising from 35% at entry-level to 67% at C-level. (This could also be a result of respondents providing answers that reflect experiences accrued over the entirety of longer careers, as opposed to only answering about experiences of the past year.)

Overall, 51 percent of female respondents reported at least one type of discrimination, as compared to 15 percent of male respondents. Of these women, 87% reported unconscious discrimination, 19% overt discrimination, 22% tokenism, 53% unexplained delay or denial of career advancement, and 22% exaggerated highlighting of mistakes. 

The wage gap also persisted, with women earning less than men at every level – $5,000 less at non-managerial positions, $4,630 less for managers, and $4,530 less for executive management. Over the past two years, the gap has narrowed for senior positions, but widened for non-managerial positions.

“You look at all of these statistics,” says Brocaglia, “and say ‘well maybe that’s why’” the number of women in infosecurity has not increased.

The study also unearthed ways to better retain and encourage women in infosec. The report showed that women respondents who underwent leadership training, executive coaching, mentorship, or had “sponsors” who recommended them for high-profile projects, recommended them for promotions, or introduced them to people in their professional networks felt far more valued in their careers.  

“There’s a huge issue of developing and advancing these women so they don’t opt out,” says Brocaglia. “We have to stop losing them mid-career.”  

The report also found that while more millennial women are pursuing degrees in computer science and engineering fields, older women are highly educated, but in a wider range of fields. Brocaglia advises employers to remember that there are many, many influential roles in cybersecurity that don’t require technical degrees.

Could the needle on women in infosec be failing to move upward simply because women are not interested in the job?

“It’s a very dubious comment to make,” says Terwoerds, noting that throughout history women have “embraced and excelled in” other fields they were presumed to be uninterested in before. “I would consider that Exhibit A of an unconscious bias.” 


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/careers-and-people/women-still-only-11--of-global-infosec-workforce/d/d-id/1328409?_mc=RSS_DR_EDT

Facebook and Instagram deny access to tools used for surveillance

Facebook and Instagram have turned off the data faucet for surveillance.

On Monday, Facebook, which owns Instagram, announced that it had updated its rules to clearly explain that developers can’t “use data obtained from us to provide tools that are used for surveillance”.

Rob Sherman, Facebook’s deputy chief privacy officer, said in the post that the goal is to make the company’s policy “explicit”. He framed it as the most recent enforcement action against developers “who created and marketed tools meant for surveillance, in violation of our existing policies”.

Developers have indeed created social media-mining surveillance tools in violation of Facebook’s policy, but they seem to have done it with Facebook’s blessing. And it’s not just Facebook and Instagram – Twitter has also fed data to surveillance companies.

In October, the American Civil Liberties Union (ACLU) published a report about police monitoring of activists and protesters with one particular app – called Geofeedia – that had been tapping into Twitter, Facebook and Instagram APIs to create real-time maps of social media activity in protest areas. Those maps have been used to identify, and in some cases arrest, protesters shortly after their posts became public.

In the aftermath of the ACLU report, the companies cut off the data streams they’d been sending the Geofeedia app for five years.

But by then, the ACLU’s report had already made clear that Geofeedia hadn’t been scraping data without permission from Twitter, for one.

As far as Facebook goes, in an email from May 2016, a Geofeedia representative touted a “confidential legally binding agreement” with the company.

The ACLU also discovered that Instagram had provided Geofeedia access to its API, which is a stream of public Instagram user posts. This data feed included any location data associated with the posts by users. Instagram terminated the access in September last year.

Facebook also provided Geofeedia with access to a data feed called the Topic Feed API – a tool intended for media companies and brand purposes – that allowed Geofeedia to obtain a ranked feed of public posts from Facebook that mention a specific topic, including hashtags, events, or specific places. Facebook terminated that access on the same day as Instagram, on September 19 last year.

Twitter didn’t provide access to its “firehose” but had an agreement, via a subsidiary, to provide Geofeedia with searchable access to its database of public tweets. In February 2016, Twitter added additional contract terms to try to further safeguard against surveillance. But ACLU records showed that as recently as July last year, Geofeedia was still touting its product as a tool to monitor protests. After learning of this, Twitter sent Geofeedia a cease and desist letter.

More recently, in February, police mined Facebook for data on inauguration protesters.

Police in Washington state last week also obtained a warrant to search a Facebook community page associated with the protest against the Dakota Access pipeline. The warrant, which the ACLU is challenging, is seeking what the group says is “private, sensitive information about people’s political views and opinions, images of political actions, and personal information, including locations”.

The ACLU has praised Facebook/Instagram’s policy reform, adding: “Written policies must be backed up by rigorous oversight and swift action for violations.” Nicole Ozer, technology and civil liberties director at the ACLU of California, had this to say:

Now more than ever, we expect companies to slam shut any surveillance side doors and make sure nobody can use their platforms to target people of color and activists.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wNF9A6OwwLU/

Latest phishing tactics: infected PDFs, bogus friend requests, fake HR emails

There’s good and bad news on the phishing front.

The good news: attackers don’t seem to be coming up with many new tactics to target their victims. The bad news: they don’t have to. They’re doing just fine hooking their prey with the same old tricks.

A recent Naked Security article outlined the bad guys’ efforts to infect their prey using scams centered around tax season, with the Internal Revenue Service (IRS) warning of fresh email schemes targeting tax professionals, payroll staff, human resources personnel, schools and average taxpayers. In another scam, attackers polluted Amazon listings with links that redirected victims to a very convincing Amazon-looking payment site.

Now come fresh reports that attackers are using malicious PDF attachments and messages that look like they’re from their company HR departments, as well as bogus Facebook friend requests.

Bad PDFs and friend requests

Microsoft Malware Protection Center team member Alden Pornasdoro warned of the malicious PDF files in a blog post. He wrote:

Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where you are then asked to divulge sensitive information. One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity. When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel.” But it’s actually a link to a (malicious) website.

In the other case, reported by ZDNet, security company MWR Infosecurity reviewed 100 simulated attack campaigns for 48 of its clients and discovered that sending a bogus friend request was the best way to get someone to click on a link – even when the email was being sent to a work email address. From the ZDNet report:

Almost a quarter of users clicked the link to be taken through to a fake login screen, with more than half going on to provide a username and password, and four out of five then going on to download a file. A spoof email claiming to be from the HR department referring to the appraisal system was also very effective: nearly one in five clicked the link, and three-quarters provided more credentials, with a similar percentage going on to download a file.

Social engineering is alive and well

Recent developments show that the ancient technique of social engineering is alive and well. Understanding it is the first step in mounting a better defense. Sophos described it this way in the corporate blog a few months ago:

Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. You might think it sounds like the work of a con artist – and you’d be right. Since social engineering preys on the weaknesses inherent in all of us, it can be quite effective. And without proper training it’s tricky to prevent. If you’ve ever received a phishy email, you’ve seen social engineering at work. The social engineering aspect of a phishing attack is the crucial first step – getting the victim to open a dodgy attachment or visit a malicious website.

As the Sophos Blog post noted, phishing can’t work unless the first step – the social engineering – convinces you to take an action.

To help raise awareness, security vendors have offered a number of products and services companies can use to launch simulations – essentially phishing fire drills – which can show employees up close how easy it is to be duped by social engineering. Sophos offers a simulator called Phish Threat for that purpose.

Other defensive tips

Though such simulations are an effective way to raise awareness, companies need to follow that up with concrete instructions to help employees stay above the fray. Here are a few helpful tips:

  • Be careful what you click. This one is painfully obvious, but users need a constant reminder.
  • Check the address bar for the correct URL. The address bar in your web browser uses a URL to find the website you are looking for. The web address usually starts with either HTTP or HTTPS, followed by the domain name. The real websites of banks and many others use a secure connection that encrypts web traffic, called SSL or HTTPS. If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with https:// before entering your private information.
  • Look for the padlock for secure HTTPS websites. A secure HTTPS website has a padlock icon to the left of the web address.
  • Consider using two-factor authentication for more security. When you try to log into a website with two-factor authentication (2FA), there’s an extra layer of security to make sure it’s you signing into your account.
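The address-bar check above can be made mechanical. This is an added example, not code from the article or from Sophos: it parses a URL the user is about to enter credentials on and accepts it only when the scheme is https and the host is exactly one of the expected login hosts (constructed placeholder domains, not real bank addresses). The host is matched exactly because an encrypted connection, and the padlock that goes with it, only shows the traffic is encrypted, not that the site is the one you expect.

```python
from urllib.parse import urlsplit

# Constructed allowlist of expected login hosts (placeholder values, not real domains)
EXPECTED_HOSTS = {"bank.example.com", "www.bank.example.com"}


def check_login_url(url: str, expected_hosts=EXPECTED_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason) for a URL on which the user is about to enter credentials.

    Mirrors the tips above: the scheme must be https and the host must be one of
    the expected login hosts exactly, not merely contain the expected name.
    """
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"

    if parts.username is not None or parts.password is not None:
        # "https://bank.example.com@evil.test/" displays the real name before '@',
        # but the browser connects to whatever follows the '@'.
        return False, "userinfo before '@' hides the real host"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"

    if host not in expected_hosts:
        # Lookalike prefixes and suffixes ("bank.example.com.evil.test") are the
        # usual phishing trick, so only an exact match is accepted.
        return False, f"host {host!r} is not an expected login host"

    if parts.port not in (None, 443):
        return False, f"unexpected port {parts.port}"

    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://bank.example.com/login",
        "http://bank.example.com/login",
        "https://bank.example.com.evil.test/login",
        "https://bank.example.com@evil.test/login",
    ):
        print(candidate, "->", check_login_url(candidate))
```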

To defend against the poisoned Amazon listings described above:

  • Trust your gut and be on guard: If that deal is too good to be true, it likely is
  • Don’t pay for anything on Amazon outside of Amazon.com or the official Amazon app
  • If you’re in doubt about a deal by an “affiliated retailer” ask Amazon’s official customer service

For more on how to avoid phishing attacks, we also suggest reading Don’t fall for phishing and spear-phishing.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AakpevLiKXQ/

Lip reading: biometrics you can reset just like passwords

Fingerprint. Voice. Face. Today’s smartphones already include a wide variety of biometrics features that allow you to unlock your phone, access apps and even authorize payments. Now, researchers at Hong Kong Baptist University have come up with a new identity authentication system – using lip reading.

You’re probably asking yourself why we need yet another biometric technology. After all, biometrics have been touted as the replacement for passwords for years now with their promise of exceptional security and outstanding usability. But passwords are still here.

Biometrics have had challenges and these have significantly slowed progress, with cost and accuracy being the main two. But costs have reduced dramatically over recent years since biometrics shifted from being hardware-based and dependent on expensive specialist technology to software- and cloud-based and reliant solely on standard smartphone features such as cameras.

On the accuracy side, biometrics still have some challenges. First, they have to cope with changes in our body, such as when we are ill, injured – or simply getting older, as this Digital Trends report reveals. While accuracy has improved in recent years, biometrics will never give you the definitive “yes” or “no” a password can.

Biometrics also face another significant obstacle: you can’t reset them if they’re compromised. But lip-reading biometrics have overcome that by combining biometrics with passwords, as project leader Cheung Yiu-ming explained to the South China Morning Post:

While the technology is similar to other types of biometric recognition systems, such as fingerprint reading, it adds an extra layer of protection by allowing users to modify their passwords – in the form of lip-syncing a phrase – in the event of a security breach.

The system works by visually analyzing the user’s lip sequence when they utter a short phrase in front of their smartphone’s camera. It tracks lip shape, movement and even texture, according to Gizmodo.

As with other biometric technologies, the lip-reading tech has to learn to recognize the user’s identity – in this case their lip sequence. To do that, the user simply repeats a phrase – or even mimics a bird song – 10 times. This learning process also allows the system to build the threshold it needs to help it decide whether to accept or reject an identity.
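To make the enrolment-derived threshold concrete, here is an added illustration that is not the Hong Kong Baptist University system or its code. It assumes each repetition of the phrase has already been reduced to a small numeric feature vector (the constructed values stand in for lip shape and movement measurements) and derives an accept/reject threshold from how much the ten enrolment samples vary among themselves; the factor k is an assumed knob that trades false rejections against false acceptances.

```python
import statistics
from math import sqrt


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def enroll(samples, k=2.0):
    """Build a template and acceptance threshold from repeated enrolment samples.

    The template is the per-feature mean; the threshold is the mean distance of
    the samples from that template plus k standard deviations (assumed rule).
    """
    dims = len(samples[0])
    template = [statistics.fmean(s[i] for s in samples) for i in range(dims)]
    dists = [distance(s, template) for s in samples]
    threshold = statistics.fmean(dists) + k * statistics.pstdev(dists)
    return template, threshold


def verify(template, threshold, attempt):
    """Accept the attempt only if it is at least as close to the template as
    the enrolment samples typically were."""
    return distance(attempt, template) <= threshold


# Constructed toy data: one user repeating the phrase 10 times, with small,
# deterministic variation between repetitions.
BASE = [0.80, 0.30, 0.55, 0.90]
OFFSETS = [-0.04, -0.03, -0.02, -0.01, 0.0, 0.01, 0.02, 0.03, 0.04, 0.05]
ENROLMENT = [[v + o for v in BASE] for o in OFFSETS]

# A later genuine attempt, and an impostor who overheard the phrase but whose
# lip features (constructed) differ from the enrolled user's.
GENUINE_ATTEMPT = [v + 0.02 for v in BASE]
IMPOSTOR_ATTEMPT = [0.60, 0.45, 0.55, 0.70]


def demo():
    template, threshold = enroll(ENROLMENT)
    return (verify(template, threshold, GENUINE_ATTEMPT),
            verify(template, threshold, IMPOSTOR_ATTEMPT))


if __name__ == "__main__":
    print("genuine accepted, impostor accepted:", demo())
```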

The system is still a prototype with an overall accuracy of around 90%. It also has no dependence on language, which makes it great for people with speech disabilities. Cheung hopes to see the US-patented technology rolled out within a year, stressing that it was not mutually exclusive to other authentication systems.

After all, to achieve the strongest security, you need to combine authentication solutions together. And multi-factor authentication is fast becoming the norm. While one of those factors is often a biometric, the other is often something we know such as a password, PIN or even a pattern.

What that biometric is depends on the situation. For lip reading, the researchers expect it to be primarily used to verify a user’s identity when they’re in a public place, as Gizmodo notes:

Even if someone overhears what you’ve said, it should be impossible for them to fool a device.

While Business Insider highlights lip reading’s potential use “at ATMs instead of a PIN code or to authenticate purchases and financial transactions”, the South China Morning Post sees it also being used in customs clearance situations.

As biometrics become part of our everyday lives, lip reading isn’t the only new kid on the block. Google has been talking about ongoing passive authentication for some time, and the behavioural biometrics described in this article in The Telegraph last year fit that bill. By continually monitoring your behaviours – such as your typing pattern and location – to ensure you are who you say you are, behavioural biometrics can also be expected to play a key role in tomorrow’s security landscape.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NR5HnQk4A7w/

Apple, Amazon, Microsoft and Cisco line up to support Google on emails

The Silicon Valley giants are voicing support for Google as it resists a warrant to seize email stored on overseas servers.

Apple, Microsoft, Amazon, and Cisco filed an amicus brief after a Pennsylvania court ruled that the company had to hand over the emails in response to an FBI warrant.

Contrary to what a magistrate judge had decided, this is no Fourth Amendment privacy infringement search and seizure, the companies argued in the brief. As has been decided in earlier court cases, law enforcement agencies…

…may not execute search warrants for property in foreign countries at all: Any warrant issued by a judicial officer in this country ‘would be a dead letter outside the United States’ [United States v Verdugo-Urquidez].

From the amicus brief:

When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States – in the place where the customers’ private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer’s consent.

According to the Register, the Feds are demanding the “contents of three separate Google ‘Gmail’ email accounts”, though the nature of the crime being investigated isn’t clear.

Déjà vu? Déjà indeed. Last time, it was Microsoft the US government pulled the Heimlich maneuver on, trying over the course of years (and ultimately failing) to get the company to cough up private email stored on servers in a data center in Ireland.

At the time, Microsoft general counsel and executive vice-president for legal and corporate affairs Brad Smith argued that in spite of the US having a warrant to secure the emails in a narcotics trafficking investigation, well-established case law holds that such search warrants can’t reach beyond US shores.

In spite of the court refusing to hear an appeal from the government on that case in January, a Pennsylvania federal judge ruled in early February that Google had to turn over data from its overseas servers, arguing that the suspects’ data would be “searched” on US soil. Hence, there would be no extraterritoriality problem with Google complying with the Stored Communications Act warrants.

The tech companies wrote in their amicus brief that in Google’s case, handing over foreign data would be seen by “our sister nations” as an affront to their sovereignty. From the brief:

Our sister nations clearly view US warrants directing service providers to access, copy, and transmit to the United States data stored on servers located within their territory as an extraterritorial act on the part of the US government.

Indeed, they view this as an affront to their sovereignty in much the same way that physically conducting law enforcement activity on foreign soil would violate their sovereignty and territorial integrity.

According to the companies, it’s up to Congress, not the courts, to decide whether the SCA applies overseas.

The Register quoted a Google spokesman who said Google’s planning to fight:

The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on over-broad warrants.

This certainly isn’t the first time that Silicon Valley tech companies have chimed in to help each other out. It’s not hard to see why. They are, after all, in this together: if one of them is forced to hand over users’ private email, the precedent could be used to force any or all of them to do the same.

When Microsoft was on the hot seat, defending email on its Irish servers, its challenge to the lawfulness of the warrant drew a deluge of support, with more than 75 civil liberties groups, technology companies, trade associations and computer scientists filing legal briefs on the company’s behalf.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ehYEb3CQ9xc/