STE WILLIAMS

News in brief: NASA finds lost spaceships; data stored on an atom; Viber adds self-destruct chats

Your daily round-up of some of the other stories in the news

NASA tracks down two lost spacecraft

You might think that losing a spaceship would be tricky, given how big they are, but NASA has announced that it’s found not one but two errant spacecraft thanks to a new telescope technique.

The craft – the tiny and dormant Indian Chandrayaan-1 spaceship, launched in 2008, and NASA’s Lunar Reconnaissance Orbiter, launched in 2009 – were both orbiting the moon, which made them hard to spot, “hidden in the bright glare of the moon”, said NASA.

“Finding LRO was relatively easy as … we had precise orbit data where it was located,” said Marina Brozovic, a radar scientist at NASA’s Jet Propulsion Laboratory. “Finding India’s Chandrayaan-1 required a bit more detective work because the last contact with the spacecraft was in August of 2009.”

The scientists used a new application of interplanetary radar to detect and track small spacecraft, which could in future play a part in missions to the moon.

IBM stores data on a single atom

If you’ve been excited by the news that it’s possible to store data in DNA, it seems that even this exciting technology has been superseded: IBM has recently said that it has worked out how to store data on a single atom.

The team published their research in Nature last month, but for those whose physics chops don’t extend beyond high school level, how it works is well explained by Quartz, which says the researchers “found a way to magnetize individual atoms of the rare earth element holmium and use the two poles of magnetism … as stand-ins for the 1s and 0s”.

This is a proof of concept at the moment – we’re probably closer to being able to use DNA data storage in the real world. But both of these technologies are hugely exciting because they could sharply reduce the amount of expensive real estate that data storage facilities now occupy, and could also be significantly more reliable than old-fashioned hard drives and SSDs.

Viber adds time-limited chats

With so many messaging apps and platforms jostling for attention and adding features in the name of security, the news that Viber, one of the many, is introducing “secret chats” might have gone unnoticed.

Viber has some 800m registered users, with around 250m monthly active users in April 2015, according to Statista. By comparison, the mighty WhatsApp had around 800m monthly active users in April 2015, and now boasts 1.2bn monthly active users.

The secret chats feature is an addition to the secret messages feature Viber introduced in January. That allowed users to set a time limit on messages and other shared content, while secret chats adds the ability to set a self-destruct timer on group message conversations. Chats can be secured with a PIN, and on Android, screenshots are also blocked.

As with the other popular messaging apps, the chats offer end-to-end encryption.

We’re fans of secure messaging systems on Naked Security, and we’d always urge you to use encryption with your messaging apps – but remember that your phone needs to be kept up to date and protected from exploits, too.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EdAYX8hU5NI/

How online gamers use malware to cheat

We typically think of malware as something used to steal data from corporations or knock down websites in politically motivated attacks. But if you’re a gamer, sometimes it’s simply a tool for winning.

SophosLabs threat researcher Tamás Boczán has been studying this trend, and recently gave a talk about it at BSides Budapest. This article reviews his findings and offers us a chance to share some of his presentation slides.

Anatomy of a cheat

In the presentation, Boczán explained his motivation for the gaming research:

I see a lot of different malware at Sophos, and I’ve also heard a lot about video game cheats. Then I started to dig into cheating, and I found that it’s very similar to malware. What I mean by cheat is software for changing an online, competitive game in real time.

He shared video examples of what some of the cheating looks like, though we’ve chosen to show only still shots because advertising the behavior is illegal.

In one clip from Ghost Recon: Wildlands, he shows how the player can see things he shouldn’t: the positions of enemies behind walls, along with data about them such as the weapon they are holding. The enemies here are other players.

In another video sample, from GTA Online, the cheater makes a huge jump and then turns invisible, neither of which he could do normally in the game, Boczán said.

The security industry’s baby brother

He said cheats are similar to malware in that their methods are exactly the same; the difference is in the purpose. Their economy is also similar: there are cheat groups and there are companies creating anti-cheat solutions, and there has been an arms race between them for 15 years. He added:

Both attacks and defenses got pretty sophisticated over the years. They are behind the security industry about five years, but comparable. They are like a little brother to the security industry.

He described the basic set-up of the games, in which many players are connected by a server, a mutual game state is computed and the attacker – the cheater, in this case – is one of the players. The goal is to gain an unfair advantage.

As cases of cheating have risen, so has the anti-cheat technology on offer from various companies, and as each side has upped the ante, both have drawn in people of greater skill. He said:

Hacking an online game is not that easy any more. In the old days, script kiddies could do it, but now hacking is a serious game that requires a skilled attacker. So why would a skilled attacker waste their time and skill on a video game?

He mapped out the sequence of events this way:

  • All this was originally about having fun.
  • Then the gaming industry grew.
  • The games went online.
  • People began to cheat for profit, just as hackers often do when targeting companies.
  • In response, an anti-cheating movement has sprouted up that mirrors security companies.

Evolution of cheating tactics

Boczán told his audience that the oldest cheating method is injection: modifying the game’s data or code while it is running in memory. He mapped out the process:

  • The cheater gets their own code into the game process, typically through DLL injection.
  • From inside the process, they locate the relevant data structures in memory.
  • They then overwrite game data or patch game code in place; the teleporting jump and the through-wall view shown earlier are the visible results.

Nowadays both cheat and anti-cheat developers are focused on this method, he said. Anti-cheat solutions heavily obfuscate the memory contents and try to detect injections.

A second method is the use of bots, which he mapped out in a slide.

The wild cards

Spam and phishing are the wild cards in the world of game cheating. They don’t require technical skills, and they are the easiest way to steal accounts or advertise. He said:

Spamming can happen on the chat in-game, where there are no anti-spam solutions, and attacks are not mitigated at all.

In the example he showed, the window on the left was a spambot advertising a website; on the right was someone impersonating an admin of the game in a phishing attack.
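As an added example (not from Boczán’s talk and not any game’s real moderation code), here is the kind of filtering the article says in-game chat generally lacks: a per-sender rate limit, link posting by brand-new accounts, staff impersonation combined with credential bait, and the same text blasted across several channels. The staff roster, the thresholds and the chat lines are all constructed for the example.

```python
"""Triage for in-game chat spam and phishing.  Added example: not code from the
talk or from any game.  Staff names, thresholds and sample messages are constructed."""

import re
from collections import defaultdict, deque

STAFF = {"gm_anna"}                              # assumed roster of real staff accounts
STAFF_WORDS = re.compile(r"\b(admin|gm|moderator|staff|support)\b", re.I)
URL_RE = re.compile(r"(https?://|www\.)\S+|\b[\w-]+\.(com|net|org|io|ru|xyz)\b", re.I)
CRED_BAIT = re.compile(
    r"\b(password|verify|log ?in|account will be (banned|suspended))\b", re.I)

RATE_WINDOW_S = 10.0               # sliding window for the rate limit (assumed)
RATE_LIMIT = 5                     # messages allowed per window (assumed)
MIN_TENURE_FOR_URLS_S = 5 * 3600   # playtime before an account may post links (assumed)
FLOOD_CHANNELS = 3                 # same text in this many channels = flood (assumed)


class ChatTriage:
    """Stateful checker: feed messages in timestamp order, get a list of flags back."""

    def __init__(self, staff=STAFF):
        self.staff = staff
        self.recent = defaultdict(deque)     # sender -> timestamps inside the window
        self.seen_text = defaultdict(set)    # normalised text -> channels it appeared in

    def check(self, msg):
        """msg keys: ts (seconds), sender, channel, tenure_s (account playtime), text."""
        flags = []
        text = msg["text"]

        # 1. Sliding-window rate limit per sender.
        q = self.recent[msg["sender"]]
        q.append(msg["ts"])
        while q and msg["ts"] - q[0] > RATE_WINDOW_S:
            q.popleft()
        if len(q) > RATE_LIMIT:
            flags.append("rate_limit")

        # 2. Links from accounts too new to have earned them (gold sellers, phish pages).
        if URL_RE.search(text) and msg["tenure_s"] < MIN_TENURE_FOR_URLS_S:
            flags.append("url_from_new_account")

        # 3. Claims to be staff (in the name or the text) without being on the roster,
        #    combined with credential bait.  Real staff are exempt, so genuine warnings pass.
        claims_staff = (STAFF_WORDS.search(msg["sender"].replace("_", " "))
                        or STAFF_WORDS.search(text))
        if claims_staff and msg["sender"] not in self.staff and CRED_BAIT.search(text):
            flags.append("staff_impersonation")

        # 4. Identical text pasted into several channels.
        norm = re.sub(r"\W+", " ", text.lower()).strip()
        chans = self.seen_text[norm]
        chans.add(msg["channel"])
        if len(chans) == FLOOD_CHANNELS:
            flags.append("cross_channel_flood")
        return flags


# Constructed sample chat, in the shape a chat server could log.
SAMPLE_CHAT = [
    dict(ts=0, sender="newbie77", channel="global", tenure_s=120, text="cheap gold at bestgold.xyz"),
    dict(ts=1, sender="newbie77", channel="trade", tenure_s=120, text="cheap gold at bestgold.xyz"),
    dict(ts=2, sender="newbie77", channel="help", tenure_s=120, text="cheap gold at bestgold.xyz"),
    dict(ts=3, sender="GM_Admin", channel="whisper", tenure_s=50,
         text="This is an admin. Verify your password at www.game-login.net or your account will be banned"),
    dict(ts=4, sender="gm_anna", channel="global", tenure_s=900000, text="Reminder: staff never ask for your password"),
    dict(ts=5, sender="veteran", channel="global", tenure_s=900000, text="check the wiki at game-wiki.org"),
]


def triage(messages):
    """Run every message through one ChatTriage and return [(sender, flags), ...]."""
    t = ChatTriage()
    return [(m["sender"], t.check(m)) for m in messages]


if __name__ == "__main__":
    for sender, flags in triage(SAMPLE_CHAT):
        print(f"{sender:10} {flags or 'ok'}")
```

The staff exemption matters: the real GM’s “staff never ask for your password” trips both the staff-word and credential-bait patterns, and would be a false positive without the roster check. The checks are deliberately cheap, since they have to run inline on every chat message.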

Defensive measures

In a couple of slides, Boczán mapped out the defensive measures that are either in use or under development, first for the client side and then for the server side.

He said the anti-cheat software developers are following a similar trajectory to that of anti-malware software. Despite its problems, he said, behavioral analysis is taking more of a role in the defensive tools under development, and he has hope that such tools will work better in the near future. He also has hope for the tools under development that incorporate machine learning. He said:

About two weeks ago someone representing Valve announced that they’ll be doing machine learning as part of their anti-cheat solution, stepping on the same road some security companies have.

Though anti-cheating software developers have some work to do in improving their tools, Boczán said there are immediate actions users can take in the event they’re targeted by cheaters, though none of the options are perfect:

  • Report the cheater to the game company, who will likely review it and ban the offender. Such a process does take weeks, though.
  • The usual password and authentication rules apply here, specifically the use of complex passwords and two-factor authentication in games where it’s possible.
  • If someone’s account gets stolen, they can report that too, and it will be restored in its current state after some time.
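To make the server-side measures concrete, here is an added example (not from the talk and not from any game engine) of two checks a server-authoritative game can run. The first rejects client position updates that violate a simple movement model, which defeats the teleport and super-jump cheats described earlier. The second only tells a client about enemies it could plausibly see, which starves a wallhack of data that should never have reached the client in the first place. The movement limits, tick rate, map geometry and player positions are all made up for the example.

```python
"""Server-authoritative anti-cheat checks.  Added example, not from the talk
or any real game.  All limits, geometry and positions are constructed."""

import math
from dataclasses import dataclass, field

MAX_SPEED = 8.0          # horizontal units per second the movement model allows (assumed)
MAX_RISE = 2.5           # vertical units a player may gain between two updates (assumed)
TICK_S = 0.05            # seconds between client position updates (assumed)
SLACK = 1.1              # 10% tolerance for latency jitter (assumed)
STRIKES_TO_FLAG = 3      # consecutive impossible moves before the player is flagged


@dataclass
class PlayerState:
    x: float
    y: float
    z: float
    strikes: int = 0
    flags: list = field(default_factory=list)


def validate_move(state, nx, ny, nz, dt=TICK_S):
    """Apply a client-reported position only if the physics model permits it.
    Returns (authoritative_position, rejection_reason_or_None).  On rejection the
    server keeps its last good position, so the client is snapped back."""
    horiz = math.hypot(nx - state.x, ny - state.y)
    rise = nz - state.z
    reason = None
    if horiz > MAX_SPEED * dt * SLACK:
        reason = f"speed {horiz / dt:.0f} u/s exceeds {MAX_SPEED}"
    elif rise > MAX_RISE:
        reason = f"rise {rise:.1f} exceeds {MAX_RISE}"
    if reason:
        state.strikes += 1
        if state.strikes >= STRIKES_TO_FLAG:
            state.flags.append(reason)
        return (state.x, state.y, state.z), reason
    state.strikes = 0
    state.x, state.y, state.z = nx, ny, nz
    return (nx, ny, nz), None


def replay(updates, start=(0.0, 0.0, 0.0)):
    """Feed a sequence of client updates through validate_move; return final state and rejections."""
    state = PlayerState(*start)
    rejected = []
    for nx, ny, nz in updates:
        _, reason = validate_move(state, nx, ny, nz)
        if reason:
            rejected.append(reason)
    return state, rejected


def _segments_cross(p1, p2, q1, q2):
    """True if segment p1-p2 properly crosses segment q1-q2 (2-D orientation test;
    touching endpoints and collinear overlap are treated as not crossing)."""
    def orient(a, b, c):
        v = (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
        return (v > 0) - (v < 0)
    return (orient(p1, p2, q1) != orient(p1, p2, q2)
            and orient(q1, q2, p1) != orient(q1, q2, p2))


def visible_enemies(viewer, enemies, walls, view_range=50.0):
    """Interest management: the names of enemies the server should include in
    this viewer's state update.  Enemies out of range or behind a wall segment are
    omitted, so a modified client has nothing to draw through the wall."""
    out = []
    for name, pos in enemies.items():
        if math.dist(viewer, pos) > view_range:
            continue
        if any(_segments_cross(viewer, pos, a, b) for a, b in walls):
            continue
        out.append(name)
    return out


if __name__ == "__main__":
    # Constructed stream: normal walking, a teleport, then a super-jump.
    state, rejected = replay([(0.3, 0, 0), (0.6, 0, 0), (40, 0, 0),
                              (40.3, 0, 0), (40.6, 0, 0), (0.9, 0, 0), (0.9, 0, 5)])
    print("authoritative position:", (state.x, state.y, state.z))
    print("rejections:", rejected)
    print("flags:", state.flags)
    walls = [((5, 2), (5, 15))]   # one wall segment on a 2-D map (constructed)
    print("visible:", visible_enemies((0, 0), {"A": (10, 0), "B": (10, 10), "C": (60, 0)}, walls))
```

The strike counter is there because real clients jitter: one rejected update is usually lag, three in a row is not. The visibility cull is the more important of the two for wallhacks, because no amount of client-side obfuscation helps once the enemy coordinates are in the cheater’s memory; the only durable fix is not to send them.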


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/t0f4aSu4Q_g/

Wikileaks says CIA does CYA, reinvents the ‘Boss’ key from 1992

Remember those 1990s MS-DOS computer games that had a “Boss” key?

You could only run one application at a time back then, so if someone came past while you were playing the game on work time you needed a quick way to pop up a fake business app – usually a stripped down spreadsheet program – to act as your “cover story” so you wouldn’t get caught.

(Yes, you recognised it correctly: the Boss screen above is from the original Tetris.)

Fast forward 25 years, and recent revelations from Wikileaks suggest that the CIA has its own modern take on the Boss key.

Apparently, the CIA maintained a list of plausible “cover story” apps that it recommended for field agents who would be working inside a target organisation.

They’re all apps that people might recognise if they saw them running – the sort of app that wouldn’t arouse suspicion, chosen from the list below to blend in best with the field agent’s cover:

  • VLC Player Portable
  • Irfan View
  • Chrome Portable
  • Opera Portable
  • Firefox Portable
  • ClamWin Portable
  • Kaspersky TDSS Killer Portable
  • McAfee Stinger Portable
  • Sophos Virus Removal Tool
  • Thunderbird Portable
  • Opera Mail
  • Foxit Reader
  • Libre Office Portable
  • Prezi
  • Babel Pad
  • Notepad++
  • Skype
  • Iperius Backup
  • Sandisk Secure Access
  • U3 Software
  • 2048
  • LBreakout2
  • 7-Zip Portable
  • Portable Linux CMD Prompt

Rather than modify the application files themselves, the CIA recommended a trick known as DLL hijacking, which is where you put a specially named DLL into the same folder as an app, so that Windows loads the alternative DLL in preference to the one in the Windows system folder.

DLL is short for dynamic link library, a program component that is stored in a separate file from the main executable.

DLLs exist so that programs can share common “library code”, thus saving disk and memory space, and making updating easier.

As long as the imposter DLL links through to the real DLL, thus duplicating its usual functions, the cover app will run as usual…

…but the imposter DLL will also be running, with the cover app acting as a believable decoy.

Some people are calling this a “vulnerability”, and the attack an “exploit”, but that’s a huge stretch. This method for creating cover-story apps relies not only on how Windows itself handles DLL loading, but also on having field agents who are already in a position to bring in and run any programs they like.

Note also that this attack doesn’t require any collusion with programmers inside the companies that make the above products, as some people seem to have assumed. The cover app has to look like the real thing, and the easiest way to do that is simply to start with the real thing.

If you can’t find a DLL to hijack, you can just modify the original program instead, or write a “wrapper app” to load your imposter code in the background and run the decoy software on top at the same time.

As it happens, not all system DLLs can be used as imposters: Windows maintains a list of what it calls KnownDlls, such as KERNEL32.DLL and USER32.DLL, that are always loaded from the system directory for performance reasons.

One of the CIA’s favorite imposters seems to be MSIMG32.DLL, a DLL that isn’t common enough to be in the KnownDlls list in any current version of Windows, but is nevertheless common enough to be used by plenty of popular software products.

For this to work, the field agent already needs to be working at a computer inside the target organisation (and in the case of the Sophos Virus Removal Tool, to be logged in as an administrator), running software they brought in themselves.
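To show how the loader decides which copy of a DLL wins, here is an added example (not CIA code, not Sophos code, and not a real PE parser) that models the default Windows DLL search order for a cover app’s imports and, from the defender’s side, audits an application directory for DLLs that shadow system ones. The directory listings, the import list and the KnownDlls subset are constructed; on a real machine the KnownDlls list is read from the registry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, and the import list would come from the PE import table (dumpbin /imports, or the pefile module).

```python
"""Model of the Windows DLL search order and a directory audit for hijack
candidates.  Added example: not CIA, Sophos or Microsoft code.  Directory
contents, imports and the KnownDlls subset below are constructed."""

# A few entries from the KnownDlls list (the full list is in the registry under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs).  These are
# mapped from a pre-built section and never resolved through the directory search.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "gdi32.dll", "advapi32.dll", "ole32.dll", "shell32.dll"}

# Default search order with SafeDllSearchMode on; with it off, the current
# directory moves up to second place (the 16-bit system directory is omitted here).
SAFE_ORDER = ["app", "system32", "windows", "cwd", "path"]
UNSAFE_ORDER = ["app", "cwd", "system32", "windows", "path"]


def resolve(dll, dirs, known=KNOWN_DLLS, safe_search=True):
    """Which search location the loader would take `dll` from.  `dirs` maps a
    location label to the set of lower-case file names present there."""
    name = dll.lower()
    if name in known:
        return "system32"                       # KnownDlls short-circuit the search
    for label in (SAFE_ORDER if safe_search else UNSAFE_ORDER):
        if name in dirs.get(label, set()):
            return label
    return None                                 # loader would fail with a missing DLL


def hijacked_imports(imports, dirs, known=KNOWN_DLLS, safe_search=True):
    """Imports that resolve to the application directory even though a DLL of the
    same name exists in System32: the imposter-DLL condition described above."""
    return [d for d in imports
            if resolve(d, dirs, known, safe_search) == "app" and d.lower() in dirs["system32"]]


def audit_app_dir(dirs, known=KNOWN_DLLS):
    """Defender's check: every DLL beside the executable that shares its name with
    a System32 DLL, and whether the loader would actually prefer it."""
    report = {}
    for f in sorted(dirs["app"]):
        if f.endswith(".dll") and f in dirs["system32"]:
            report[f] = ("ignored: KnownDlls, but planting it is still suspicious"
                         if f in known else "LOADS: hijack")
    return report


# Constructed listings for a portable cover app.  libvlc.dll is the app's own
# private library (legitimately beside the exe); msimg32.dll and kernel32.dll
# are planted copies carrying system DLL names.
SAMPLE_DIRS = {
    "app": {"vlcportable.exe", "libvlc.dll", "msimg32.dll", "kernel32.dll"},
    "system32": {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "msimg32.dll"},
    "windows": set(), "cwd": set(), "path": set(),
}
SAMPLE_IMPORTS = ["KERNEL32.dll", "USER32.dll", "MSIMG32.dll", "libvlc.dll"]

if __name__ == "__main__":
    for imp in SAMPLE_IMPORTS:
        print(f"{imp:14} -> {resolve(imp, SAMPLE_DIRS)}")
    print("hijacked:", hijacked_imports(SAMPLE_IMPORTS, SAMPLE_DIRS))
    print("audit:", audit_app_dir(SAMPLE_DIRS))
```

Two points the run makes visible: the planted kernel32.dll never loads, because KnownDlls bypasses the directory search, yet its presence beside the exe is exactly the artefact a defender should ask about; and libvlc.dll is not flagged, because nothing in System32 shares its name, so the audit is a name-collision check rather than a “foreign DLL” check. The model ignores the case where a DLL of that name is already loaded in the process, which the real loader also short-circuits.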

Why the disguise?

In this “attack”, the field agent already needs the power to do pretty much whatever they want on their computer, including running malware or system snooping tools directly.

So why the subterfuge?

The reason for putting so much effort into the concept of “cover apps” is simply one of blending in, in much the same way that a successful agent would dress, talk and behave in a way that made them fit into the environment where they were working.

This is not about breaking in, it’s about not breaking cover.

Indeed, the CIA called this project Fine Dining, and we’re guessing that’s because most fine dining restaurants have a dress code, so it matters what you look like while you’re there.

So the name is probably a metaphor for eating your fill of other people’s data but looking good while doing it.

The irony here is that it’s almost a backhanded compliment to be on the list: the above apps are there because they’re widely known, trusted and appreciated, so they fit right in.

What to do?

This story is about much more than hacked executables and imposter DLLs: it’s about how to deal with people in your midst who have network powers they don’t deserve, and who aren’t what they seem.

Many organisations quite rightly have a policy of “if you see something, say something”, but to make that work, you also need to have a single IT destination where staff can report potential trouble.

A good place to start is a memorable internal email address such as [email protected] or [email protected].

Whether one of your colleagues wants to report a phishing site, a tailgater, or someone who looks as though they’re dining out in a fancy restaurant on the company dime, make it easy for them to remember where to send the information!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AXsu2IbAIIg/

WikiLeaks Says It Will Help Firms Thwart ‘CIA Hack Tools’

Julian Assange follows up the leak of alleged CIA cyber espionage tools with a promise of help in defending against them.

Julian Assange of WikiLeaks says he will help tech companies defend themselves against the cyberespionage tools used by the CIA whose existence he disclosed in a leak recently, CBS News reports. Speaking in an online press conference from his refuge in the Ecuadorian Embassy in London, Assange said “we have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out.”

WikiLeaks recently published supposedly secret CIA files which had details regarding hacking tools used by the US government intelligence agencies to compromise computers, cell phones and smart TVs as part of cyberespionage. These tools are designed to overcome security features, codes and antivirus software, WikiLeaks alleges.

While the FBI is checking the authenticity of the leaked documents, the CIA pointed out it was “legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and the CIA does not do so.”

WikiLeaks is suspected of working with Russia and Senator John McCain has questioned “whether it’s a leak from an individual, or whether it’s Russian capabilities.”

See the CBS News report for more.


Article source: http://www.darkreading.com/vulnerabilities---threats/wikileaks-says-it-will-help-firms-thwart-cia-hack-tools/d/d-id/1328366?_mc=RSS_DR_EDT

IoT & Liability: How Organizations Can Hold Themselves Accountable

To avoid a lawsuit, your company needs to better understand the state of your infrastructure and the devices and applications within it. Here are five areas on which to focus.

The number of devices with IP connectivity continues to grow at a breakneck pace. In the next few years, it’s expected that we’ll see tens of billions of devices with some sort of networking ability. The problem is that the number of skilled security professionals available for organizations to monitor and manage these devices will not scale to match. There just aren’t enough people in the world to actively monitor all the bits flowing through networks.


It’s not a hopeless battle, but organizations need to take steps to better understand the state of their infrastructure and the devices and applications within it. When the next Mirai-style attack occurs, you can bet there will be a team of lawyers ready to hold somebody responsible for their company’s resulting loss of revenue, data, and reputation.

Take e-commerce as an example: when a retailer’s website goes down for a couple of hours, it loses millions of dollars in sales and takes a hit in customer trust. If the retailer discovers that hundreds of hijacked Internet of Things (IoT) devices on your organization’s network were partly responsible for its loss, a lawsuit will follow.

To prevent this scenario and adequately manage risk, IT teams need visibility into every IoT device on their company network, just like any other endpoint: everything from Internet-connected coffee machines and security cameras to smart watches and exercise trackers. Many IoT devices aren’t manufactured with security in mind, so it’s the organization’s responsibility to fill the accountability gap.

This increased level of visibility is no longer optional — it is a de facto requirement in today’s networks to ensure you have the full risk picture and to prove compliance obligations in an increasingly regulated environment. It must include a comprehensive plan to collect and analyze event data, as well as monitor, discover, and react to assets as they appear on your network.

To make sure lawyers’ fingers are never pointed at you, here are the five top areas on which to focus when making sure your organization is holding itself accountable:

  1. Effective asset and vulnerability management: You must be able to identify each device as well as its current status and state, including all the applications residing on each device. Both actively and passively scanning devices allows you to have a much better picture of the current state of your infrastructure.
  2. Monitoring applications: It’s essential that you have a way to monitor the health of your applications and can respond immediately at the sign of an incident. Is your endpoint antivirus client still functioning? Has it been tampered with or uninstalled? Being able to see something (or someone) meddling with your endpoint applications can be a telltale sign of malware infection or attack, or a malicious insider attempting to do “bad things.”
  3. Monitoring traffic: Keep an eye on traffic, applications, and devices for unauthorized connections to cloud services. While not always a sign of malicious or nefarious behavior, this can be an indication of “bad things” happening. This kind of monitoring can alert you that a device has been subverted and is being used to exfiltrate sensitive data — or worse, an employee who is exfiltrating the information themselves. This will allow your security teams to react in minutes instead of days or weeks after the damage has spread beyond the single device.
  4. Employee monitoring: It can be tough to convince employees that this level of monitoring is required, but the consequences of an incident can be catastrophic. A good baseline is a commitment that monitoring is only done by automated tools, and never viewed by an actual person unless absolutely necessary or in an emergency. Let your employees know that the monitoring is strictly for the protection of your assets, your data, and your customer information. It takes only one inappropriate incident by your trusted security staff to destroy the fragile trust of your staff, and it may take years for it to be earned again.
  5. Effective log management: Your log data at all levels often contains a wealth of useful information that can add color and clarity to your current security posture. If you’re not currently using a modern solution to collect, scrub, analyze, and respond to anomalous log events, then start small. Focus on building solutions that target your most critical assets: devices belonging to C-suite executives and their assistants, your privileged accounts and devices belonging to administrators, and various system accounts that often have rarely changed credentials.
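As an added example (not from Absolute or from the article), the asset register of point 1 and the traffic check of point 3 can be combined into a single pass over flow records: each flow is matched against an inventory of known devices and the cloud destinations each one is expected to talk to, and the pass raises alerts for devices missing from the inventory, connections to unapproved destinations, unusually large outbound transfers to such destinations, and Mirai-style telnet fan-out. The inventory, the destination names and the flow records are all constructed.

```python
"""One-pass IoT flow triage against an asset register.  Added example, not from
the article or any vendor.  Inventory, hostnames and flow records are constructed."""

from collections import Counter, defaultdict

# Constructed asset register: source IP -> (device name, expected destination
# suffixes).  None means a general-purpose endpoint whose destinations are not
# constrained by this check.
INVENTORY = {
    "10.0.5.21": ("lobby camera", (".cam-vendor.example",)),
    "10.0.5.22": ("coffee machine", (".brew-cloud.example",)),
    "10.0.5.40": ("staff laptop", None),
}

EXFIL_BYTES = 10_000_000     # outbound bytes to an unapproved host worth an alert (assumed)
SCAN_TARGETS = 5             # distinct telnet targets before calling it a scan (assumed)
TELNET_PORTS = {23, 2323}


def analyze(flows, inventory=INVENTORY):
    """flows: (timestamp, src_ip, dst_host_or_ip, dst_port, bytes_out) records in
    time order.  Returns a list of (timestamp, src_ip, kind, detail) alerts."""
    alerts = []
    seen_unknown = set()
    telnet_fanout = defaultdict(set)
    seen_unapproved = set()
    for ts, src, dst, port, nbytes in flows:
        # Unknown device on the network: the inventory gap itself is the finding.
        if src not in inventory:
            if src not in seen_unknown:
                seen_unknown.add(src)
                alerts.append((ts, src, "unknown_device", f"first seen talking to {dst}:{port}"))
            continue
        name, allowed = inventory[src]
        # Fan-out on telnet ports is the signature of a bot looking for more victims.
        if port in TELNET_PORTS:
            telnet_fanout[src].add(dst)
            if len(telnet_fanout[src]) == SCAN_TARGETS:
                alerts.append((ts, src, "telnet_scan", f"{name} probed {SCAN_TARGETS} hosts"))
        # Destination outside the device's expected cloud service.
        if allowed is not None and not dst.endswith(allowed):
            if (src, dst) not in seen_unapproved:
                seen_unapproved.add((src, dst))
                alerts.append((ts, src, "unapproved_destination", f"{name} -> {dst}:{port}"))
            if nbytes >= EXFIL_BYTES:
                alerts.append((ts, src, "possible_exfil", f"{name} sent {nbytes} bytes to {dst}"))
    return alerts


def summarize(alerts):
    """Alert counts by kind, handy for a dashboard or a test."""
    return Counter(kind for _, _, kind, _ in alerts)


# Constructed flow records (NetFlow-style, already resolved to hostnames where possible).
SAMPLE_FLOWS = [
    ("09:00:01", "10.0.5.21", "fw.cam-vendor.example", 443, 2_000),
    ("09:00:05", "10.0.5.21", "files.paste-drop.example", 443, 48_000_000),
    ("09:01:10", "10.0.5.22", "api.brew-cloud.example", 443, 500),
    ("09:02:00", "10.0.5.99", "203.0.113.7", 23, 100),
    ("09:02:30", "10.0.5.40", "mail.example", 993, 12_000),
] + [("09:03:%02d" % i, "10.0.5.22", "198.51.100.%d" % i, 23, 60) for i in range(1, 6)]

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(a)
    print(summarize(analyze(SAMPLE_FLOWS)))
```

The point of tying the traffic check to the register is that a single-purpose device has a tiny legitimate destination set, so “anything else” is a usable rule for a camera or a coffee machine in a way it never is for a laptop. The unknown-device alert fires once per address rather than per flow, otherwise a chatty unregistered device drowns the rest of the output.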

Life is filled with risks — and those risks can never be completely eliminated. No one lives in a bubble. No network exists in a vacuum. The single best way to minimize your organization’s losses and liability is having the resources in place to mitigate risk and quickly respond when something does happen.


Richard Henderson is global security strategist at Absolute, where he is responsible for spotting trends, watching industries and creating ideas. He has nearly two decades of experience and involvement in the global hacker community and discovering new trends and activities …

Article source: http://www.darkreading.com/iot/iot-and-liability-how-organizations-can-hold-themselves-accountable-/a/d-id/1328324?_mc=RSS_DR_EDT

Stockpiling 0-Day Bugs Not So Dangerous After All, RAND Study Shows

A RAND Corp. study of more than 200 zero-days shows that benefits of disclosure can often be more modest than perceived.

The practice by US intelligence agencies and presumably of other governments to stockpile zero-day vulnerabilities for use in offensive cyber operations may not always pose as much of a risk to general technology users as once thought.

In fact, the tactical and strategic benefits that governments can gain from stockpiling vulnerabilities sometimes outweigh the security benefits of public disclosure, according to a new report by RAND Corp.

The report is based on a study of more than 200 zero-day flaws obtained from a vulnerability research group, many of whose members have worked for nation-state actors. The group, which RAND calls BUSBY to protect its anonymity, has also supplied exploits to nation-state actors, according to the think-tank.

RAND’s study revealed that the arguments for or against stockpiling zero-days, whether for defensive purposes like penetration testing or for use against adversaries, are not always clear-cut.

One major contention against stockpiling zero-days is that adversaries often may have knowledge about the same vulnerabilities, and therefore keeping the flaws secret would prevent the software from being patched, resulting in needless risks for users.

The recent dump of the CIA’s malware arsenal and exploit kits on WikiLeaks and the similar leak of the US National Security Agency (NSA) confidential hacking tools last year raised considerable concerns about government stockpiles of zero-day flaws in widely used network and security products. Some have argued the intelligence agencies have a responsibility to American business and citizens to disclose discovery of such flaws so technology users can be better protected.

But the RAND study showed that concerns about an overlap between US vulnerability stockpiles and those maintained by others are likely overstated.

For one thing, most zero-day vulnerabilities typically remain undetected for a long time. Based on the dataset that the RAND researchers inspected, the average life expectancy of a zero-day vulnerability—or the time between when it was first discovered privately and when it was publicly disclosed—is 6.9 years.

During that period, the chances of another researcher finding that exact same flaw were relatively low, at around 5.7% per year.

While that number is not insignificant, it also means the chance of two people finding the same zero-day flaw is lower than many might perceive. As a result, the gains from publicly disclosing a zero-day flaw may not be all that significant a majority of the time, the RAND report said.
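Turning the two figures above into the question a vulnerability equities decision actually asks (what is the chance someone else already holds this bug by the time it dies?), here is an added worked example, not from the RAND report, that treats the 5.7% per year as an independent per-year rediscovery chance. That independence is a simplifying assumption of this example; the report’s own analysis uses survival models on the dataset.

```python
"""Rediscovery risk over a zero-day's lifetime.  Added example, not from the RAND
report; it treats the quoted per-year rate as independent annual trials."""

import math

ANNUAL_REDISCOVERY = 0.057     # per-year chance another researcher finds the same bug (quoted above)
MEAN_LIFETIME_YEARS = 6.9      # average time from private discovery to public disclosure (quoted above)


def p_rediscovered_within(years, rate=ANNUAL_REDISCOVERY):
    """Probability that at least one other party independently finds the bug within `years`."""
    return 1 - (1 - rate) ** years


def years_until(prob, rate=ANNUAL_REDISCOVERY):
    """How long a bug must survive before the chance someone else also has it reaches `prob`."""
    return math.log(1 - prob) / math.log(1 - rate)


def expected_overlap(lifetimes, rate=ANNUAL_REDISCOVERY):
    """Expected fraction of a stockpile, given each bug's expected lifetime in years,
    that an independent party also holds."""
    return sum(p_rediscovered_within(t, rate) for t in lifetimes) / len(lifetimes)


if __name__ == "__main__":
    print(f"within one year:           {p_rediscovered_within(1):.1%}")
    print(f"over a {MEAN_LIFETIME_YEARS}-year lifetime:    {p_rediscovered_within(MEAN_LIFETIME_YEARS):.1%}")
    print(f"years until 50% overlap:   {years_until(0.5):.1f}")
    # Constructed stockpile: a short-lived bug, an average one and a long-lived one.
    print(f"overlap for [1.5, 6.9, 9.0]: {expected_overlap([1.5, 6.9, 9.0]):.1%}")
```

The per-year figure looks small, but integrated over the average 6.9-year lifetime it comes to roughly a one-in-three chance that someone else found the same bug before it was disclosed, and a bug that lives about twelve years is more likely than not to be held by someone else. That is the number to weigh against the operational value of keeping it.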

“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defense,” said Lillian Ablon, an information scientist at RAND and lead author of the report. “On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability,” while still retaining their own.

Ablon says that conversations with researchers show that in a majority of instances, vulnerabilities are discovered due to code churn – and less often by another vulnerability researcher performing a code audit.

“None we spoke to believed that their vulnerabilities or exploits died or were discovered due to use by a customer in some operational campaign, or by information leakage,” such as those by WikiLeaks or Shadow Brokers, Ablon says.

In general, black hats and cybercriminals tend to focus more on known vulnerabilities rather than 0-day flaws, she says. “Only a very small portion of the black markets deals with zero-day vulnerabilities and exploits—which have little value for mass market malware, much less ordinary cybercrime.”

The RAND study also unearthed some other interesting nuggets. For instance, of the more than 200 vulnerabilities that RAND inspected, about 40% remain undisclosed. Fully functioning exploits for zero-day flaws tend to get developed very quickly, with a median time of 22 days.

About 25% of all zero-day flaws get discovered within 18 months, while another 25% live on for more than nine years. Significantly, there was no specific characteristic or marker to indicate the longevity of a zero-day bug.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/stockpiling-0-day-bugs-not-so-dangerous-after-all-rand-study-shows/d/d-id/1328379?_mc=RSS_DR_EDT

Police warn on keeping kids safe as Justin Bieber impersonator charged

Queensland police have charged a Justin Bieber imposter with 931 offenses against children, including rape and producing imagery of child abuse.

They’re asking fans and their parents to be extra-vigilant online: coincidentally, Bieber is now on tour in Australia and New Zealand.

As well, on Saturday, Queensland Police’s child abuse taskforce plans to answer questions on keeping kids safe online: see below for details, as well as our own tips if you can’t get to Queensland.

Police say the alleged predator has been operating since 2007, well before Bieber’s current Purpose Tour 2017 launched this month.

The accused is alleged to have reached out to victims via Facebook, Skype and other online platforms, police said in a statement on Thursday.

Australian news outlets, including News.com.au, have identified the suspect as Gordon Douglas Chalmers, a 42-year-old University of Technology law lecturer, whose home they raided after tip-offs from US and German authorities in November.

At the time, police alleged that Chalmers refused to provide access to his social media and messaging accounts and to cloud servers. They opposed granting him bail, citing the likelihood that he’d tamper with evidence and interfere with witnesses.

According to News.com.au, police also said that they feared that if they let him out, he’d continue to contact children, given what they called Chalmers’ “rapacious appetite” for child abuse.

He was charged with using Facebook and Skype to allegedly impersonate Bieber, with using a carriage service to allegedly procure and groom children for sex and to access child abuse imagery, and with allegedly possessing such images. Police believe he’s been carrying out the alleged offenses for at least the past decade.

This week’s allegations and the stunning number of new charges against Chalmers are a result of material allegedly discovered after warrants were issued in November and police had a chance to examine his computer.

Police allege that Chalmers used multiple online platforms besides Facebook and Skype to communicate with his victims.

Queensland, in northeastern Australia, has been at the center of many investigations into online child exploitation and abuse. The Queensland Police Service has a branch dedicated to such investigations, called Taskforce Argos, which was responsible for the investigation into Chalmers’ activities.

Detective Inspector Jon Rouse said in the police statement that the investigation into Chalmers’ alleged abuse shows both how vulnerable children are when they use social media and how sex offenders can use online means to groom and seduce victims on a global scale.

The fact that so many children could believe that they were communicating with this particular celebrity highlights the need for a serious rethink about the way that we as a society educate our children about online safety.

Amen to that, DI Rouse. There’s a vital need for education. Children are still falling for imposters, in spite of valiant efforts to educate them about the dangers of trusting someone online just because they claim to be a celebrity or that they’re the same age as a child, and in spite of laudable efforts to cooperate internationally in investigations and prosecutions.

How to keep your kids safe

When it comes to education, bear in mind that it’s not enough to warn kids about the dangers of Facebook. Practically any social media platform is a hunting ground for pedophiles. They pose as celebrities, or they pose as girls – whatever works to help them find victims to “befriend”, to coax sexual images out of, or even to meet in real life.

One example is Brian Caputo, a then-25-year-old California man who, the FBI claimed, used Facebook, Kik Messenger, Text Me, Yahoo and Dropbox to communicate with dozens of minor females while posing as an underage girl.

Upon executing a search warrant, agents reported that they found that Caputo had amassed hundreds of images over the course of eight years.

More than 660 sexually explicit images were coerced out of one underage girl alone – a girl whom Caputo allegedly convinced to upload images of herself to a Dropbox account that he controlled.

Bear in mind that predators also use malware to gain control of victims’ webcams, in order to stealthily record videos or take photos.

This tactic was used by the sextortionist who antagonized Miss Teen USA and others in 2013. He had taken videos of them without their knowledge by using a Remote Access Trojan (RAT).

Because online sexual predators use both social engineering and malware to target victims, staying safe requires both a healthy dose of suspicion regarding people trying to cozy up to us online, and an equally healthy amount of due diligence when it comes to security defenses on our devices.

Here are some of the lessons we must teach our children, along with some steps we can take to keep monsters from getting at them through security holes in our devices.

  • Watch out for messages from strangers via email or social networking sites. Never click on any links in such messages. Remember, just because somebody says he’s Justin Bieber doesn’t mean the heart-throb is really looking for love with random internet strangers.
  • Advice for all of us, not just the kids: cover your webcam – or any other internet-connected camera, be it on your phone, your tablet, or a baby monitor – when you’re not using it. No need to get fancy: a sticky note will do fine.
  • Don’t let your children have a computer in their bedroom. Keep it someplace like the living room where you and others can keep an eye on what’s going on.
  • Protect your devices with appropriate security software.
  • Use a strong password. Ditto for your kids. Here’s how to pick one.
  • Don’t trust a password alone to keep your family’s devices safe. Always use multifactor authentication (MFA) whenever possible. MFA, or two-factor authentication (2FA), is a good stumbling block for identity thieves. To read more about the hows and whys of 2FA, check out our Power of Two post.
  • Keep all your software and applications up to date with the latest patches.
  • Tell your kids that if they, or somebody they know, gets contacted by a sextortionist, immediately tell a parent, a trusted adult, or law enforcement.
  • Make sure your kids know that giving the cretins what they want won’t make them go away. It will only make matters worse. The guy who extorted Miss Teen USA is a case in point: Jared James Abrahams told his victims he’d delete nude photos and videos if they did what he said, but he admittedly did nothing of the kind, even if his victims gave him what he wanted – which was, of course, more explicit material.
  • Use a web filter. Consider using Sophos Home: it’s free, it has 28 filter options, and it lets you block adult or potentially inappropriate content with categories ranging from blogs and chat sites to gambling and pornography.

Granted, some of these tips won’t work with teens, who more often than not have mobile phones and who aren’t as amenable to following adult guidance as are younger children.

So start kids on this early: experts say that the age of 4 isn’t too early to start teaching kids about online danger.

Taskforce Argos will have a booth at the Out of the Dark Expo on Saturday, March 11, between 10am and 3pm at the State Library of Queensland. Detectives will be on hand to answer questions from parents about the best way to keep their children safe online.

Here are still more tips: a collection of our Top 10 Tips to help you and your kids stay safe online.

If you’ve got more tips on how to help kids stay safe online, be they teens, preteens or even younger, please do share them in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LIgKjhwwR3k/

WikiLeaks promises to supply CIA’s hacking tool code to vendors

WikiLeaks has promised to release software code of CIA hacking tools to tech firms.

The promise from chief Wikileaker Julian Assange – now ensconced in Ecuador’s London embassy for four and a half years – came on Thursday during an internet-streamed press conference on Vault 7, its recent CIA cyber-weapons documents dump.

“We have decided to work with them [manufacturers] to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out,” Assange said. “Once this material is effectively disarmed by us, by removing critical components, we will publish additional details.”

National security experts argued that the info should come from the source itself, rather than through WikiLeaks.

“Disclosure of #Vault7 0days should come from USG, not Wikileaks,” said former USAF officer turned cybersecurity expert Jason Healey. “WH should convene emergency VEP CIA should disclose ASAP to vendors.”

Computer science professor Matthew Green added: “Assange is personally going to see those Android 4.x phones get patched.”

Others were more supportive. “Actually, among the crap, this is reasonable,” said Rob Graham of Errata Security. “Wikileaks should disclose the 0days to vendors to patch them.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/10/wikileaks_to_pass_cia_hack_code_vendor_patching/

FBI Chief Calls for United Fight Against Cybercrime

James Comey stresses the need to address encryption challenges faced by law enforcement.

Describing cyber threats as “too fast, too big and too widespread for any of us to address them alone,” FBI director James Comey has called for a united fight against them, urging strong private and public sector partnerships. He was speaking at the inaugural Boston Conference on Cyber Security, hosted by the FBI and Boston College’s Cybersecurity Policy and Governance master’s degree program.

Highlighting the measures taken by the FBI to counter this scourge, Comey talked about the “stack of bad actors” involved in cybercrime, including nation-states, cyber groups, insiders and, to some extent, even terrorists.

“They (terrorists) have not yet turned to using the Internet as a tool of destruction,” he explained, “in a way that logic tells us certainly will come in the future.”

The FBI chief spoke of the challenges faced by law enforcement owing to strong encryption and the “Going Dark” issue and stressed the need for a continuous dialogue on the subject.

Read detailed news here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/fbi-chief-calls-for-united-fight-against-cybercrime/d/d-id/1328365?_mc=RSS_DR_EDT

WikiLeaks Says Will Help Firms Thwart ‘CIA Hack Tools’

Julian Assange follows up leak of alleged CIA cyberespionage hack tools with promise of assistance against these.

Julian Assange of WikiLeaks says he will help tech companies defend themselves against the cyberespionage tools used by the CIA whose existence he disclosed in a leak recently, CBS News reports. Speaking in an online press conference from his refuge in the Ecuadorian Embassy in London, Assange said “we have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out.”

WikiLeaks recently published supposedly secret CIA files which had details regarding hacking tools used by the US government intelligence agencies to compromise computers, cell phones and smart TVs as part of cyberespionage. These tools are designed to overcome security features, codes and antivirus software, WikiLeaks alleges.

While the FBI is checking the authenticity of the leaked documents, the CIA pointed out it was “legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and the CIA does not do so.”

WikiLeaks is suspected of working with Russia and Senator John McCain has questioned “whether it’s a leak from an individual, or whether it’s Russian capabilities.”

Click CBS News for more.


Article source: http://www.darkreading.com/vulnerabilities---threats/wikileaks-says-will-help-firms-thwart-cia-hack-tools/d/d-id/1328366?_mc=RSS_DR_EDT