STE WILLIAMS

Mobile (In)security: Dark Reading Cartoon Caption Contest Winners

Clever word play on mobile ransomware, cloud and the Internet of Things. And the winners are …

Wacky humor and clever word-play were on display – yet again – in Dark Reading’s latest cartoon caption contest. More than 100 of you submitted hysterical entries on topics ranging from mobile ransomware, cloud apps and a biblical reference to the Internet of Things.

So without further ado, kudos to our first-place winner BrookC827 for the winning caption, penned below by cartoonist John Klossner.

Honorable mentions – and there were too many to mention – and $10 Amazon gift cards go to two runners-up: binaryblogger, who in real life is Drew Koenig, a senior security solution architect at Magenic, for “When I said we should throw the mobile apps in the cloud I didn’t think they’d take me literally,” and Psophos for “They’ve had to update the bible. It used to be a plague of locusts now it’s the internet of things.”

Many thanks to everyone who entered the contest and to all our loyal readers who cheered the contestants on. Also a shoutout to our judges, John Klossner, and the Dark Reading editorial team: Tim Wilson, Kelly Jackson Higgins, Sara Peters, Kelly Sheridan, and yours truly. If you haven’t had a chance to read all the submissions, be sure to check them out today.


Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …

Article source: http://www.darkreading.com/perimeter/mobile-(in)security-dark-reading-cartoon-caption-contest-winners/a/d-id/1328358?_mc=RSS_DR_EDT

Attacks Under Way Against Easily Exploitable Apache Struts Flaw

Enterprises urged to upgrade now to more secure versions of Web application framework.

Security experts today urged enterprises using Apache Struts2 for Web applications to upgrade to either version 2.3.32 or 2.5.10.1 as soon as possible, after researchers from Cisco Talos disclosed an easily exploitable bug in all other versions of the open-source framework.

Exploits for the flaw are already available in the wild and attackers are using them to actively look for and target vulnerable Web servers. Most of the attacks appear to be taking advantage of a proof-of-concept exploit that was released publicly, Talos said in an advisory.

The remotely executable flaw exists in something called the Jakarta Multipart parser in Struts. It allows attackers to inject malicious commands into certain HTTP requests, which are then executed by the Web server. What makes the vulnerability especially dangerous is that it allows attackers unauthenticated remote access to insert malicious commands and payloads of their choice into HTTP requests.

Researchers from Talos as well as other security vendors have observed numerous attempts by attackers to probe Web servers for the vulnerability using simple, seemingly harmless commands. In many cases, attackers are seeking to use the flaw to distribute malware, including DoS bots and IRC bouncers, according to Cisco Talos.

Many enterprises use Apache Struts because it enables much easier development of Java applications, says Johannes Ullrich, head of the Internet Storm Center at the SANS Institute. Not all Struts versions are automatically vulnerable, but many of them are even if they do not use the specific feature that triggers the vulnerability, he says.

“An attacker will be able to execute arbitrary commands on the Web server,” Ullrich says. “The attacker is only limited by the permissions of the Web server.”

Attackers typically will be able to read code and configuration files accessible to the Web server and thus likely will be able to connect to a database used by the Web application, Ullrich cautions.


“A typical compromise would first use the Struts vulnerability to install a back door. This will give the attacker a command prompt as the user running the web server,” he notes. The attacker can then execute arbitrary commands, or use a privilege escalation exploit to obtain root or admin privileges.

Tom Sellers, threat analyst and security researcher at Rapid7, says the Jakarta Multipart parser where the flaw exists is basically a tool for processing Web requests that have multiple parts—which would be the case when uploading multiple files or different data types.

An attacker that leverages the vulnerability could execute operating system commands on the target and create, modify, and delete files, as well as modify system configuration, and run any system command for which the Web server software has access, Sellers says.

Rapid7 has observed attackers using multiple simple commands to determine if a particular Web server is vulnerable. One of them is the ifconfig command that returns the target’s network configuration information, and another is the whoami command that provides the name of the user account used by the Web server. “This may allow the attacker to determine the level of system access that the software has,” Sellers says.

WAF It

One stopgap measure that organizations can use to mitigate their exposure until they update the software is to use a Web application firewall, adds Craig Young, principal security researcher at Tripwire.

“A WAF would work by monitoring incoming requests before they are processed and looking for unexpected values in the affected HTTP header,” Young says. “Alternatively, Apache has advised that Struts2 applications can be reconfigured to filter the content within Struts before it is processed.”
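As an added illustration of the allow-list style of WAF check Young describes (example code written for this page, not code from the article, Tripwire or Apache): a strict parser for the request's Content-Type header, which the article leaves unnamed but which the public advisories for this flaw identify as the affected header. It rejects anything that is not a syntactically valid media type, and for multipart requests anything without an RFC 2046-conformant boundary, rather than searching for known payload strings; the sample requests are constructed, not real traffic.

```python
import re

# RFC 7230 "token" characters: braces, parentheses, quotes and whitespace
# are NOT allowed, so any unquoted script-like syntax in the header fails
# the grammar before we ever look at its meaning.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"{TOKEN}=(?:{TOKEN}|{QUOTED})"
# RFC 7231 media-type: type "/" subtype *( OWS ";" OWS parameter )
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{PARAM})*\s*$")
PARAM_RE = re.compile(rf"({TOKEN})=({TOKEN}|{QUOTED})")
# RFC 2046 boundary: 1 to 70 "bchars", and the last one may not be a space
BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]$")


def parse_media_type(value):
    """Return (type/subtype, {param: value}) or None if the header is malformed."""
    if not MEDIA_TYPE_RE.match(value):
        return None
    head, _, rest = value.partition(";")
    params = {}
    for name, raw in PARAM_RE.findall(rest):
        # Quoted values are returned with their quotes stripped; backslash
        # escapes are left in place, which only makes the boundary check stricter.
        params[name.lower()] = raw[1:-1] if raw.startswith('"') else raw
    return head.strip().lower(), params


def header_is_wellformed(value):
    """Allow-list check: valid media-type syntax, plus a valid boundary for multipart/*."""
    parsed = parse_media_type(value)
    if parsed is None:
        return False
    mtype, params = parsed
    if mtype.startswith("multipart/"):
        boundary = params.get("boundary")
        return boundary is not None and BOUNDARY_RE.match(boundary) is not None
    return True


# Constructed sample requests (client, method, path, Content-Type); not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", "/upload.action", "multipart/form-data; boundary=----WebKitFormBoundaryA1b2C3"),
    ("10.0.0.6", "GET", "/index.action", "application/x-www-form-urlencoded"),
    ("10.0.0.7", "POST", "/upload.action", 'multipart/form-data; boundary="a{b}"'),
    ("10.0.0.8", "POST", "/upload.action", "multipart/form-data; boundary=%{not-a-boundary}"),
]


def flag_malformed(requests):
    """Return (client, path, header) for each request whose Content-Type fails the allow-list."""
    return [(client, path, ct) for client, _, path, ct in requests if not header_is_wellformed(ct)]


if __name__ == "__main__":
    for client, path, ct in flag_malformed(SAMPLE_REQUESTS):
        print(f"REJECT {client} {path}: {ct!r}")
```

Because the check is an allow-list on syntax, it also catches variants that a signature for one known payload would miss, at the cost of rejecting clients that send genuinely non-conformant headers.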

“Organizations must be prepared for the possibility that vulnerabilities can go from [being] unknown to being widely exploited very quickly, leaving little to no time for patches to be deployed,” he says. “This is why it is crucial for organizations to have security controls in place to recognize if a system has been compromised as well as to recognize when there is unpatched software in their environment.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/attacks-under-way-against-easily-exploitable-apache-struts-flaw/d/d-id/1328362?_mc=RSS_DR_EDT

Facebook to listen out for posts from people vulnerable to suicide

Facebook plans to update its algorithms so that it can “listen” for people who are in danger of suicide, in a move planned to roll out initially in the US. The idea will be to look out for certain key phrases and then refer the matter to human beings on the Facebook staff, who will then ask whether the writer is OK.

The move follows a similar attempt by the Samaritans in 2014, on Twitter. This received criticism for its design and the organisation later canned the whole idea due to privacy concerns – it was criticised for enabling stalking as users couldn’t opt out.

Facebook founder Mark Zuckerberg had already announced that the organisation would be using artificial intelligence to root out terrorist posts in his much-publicised blog entry last month, but this appears to be the first time the company has used AI in anger since he wrote this.

Stephen Buckley, head of information at mental health charity Mind, gave the move a cautious welcome:

People in crisis may ask for help in places where the help they need is not readily available. Signposting people to appropriate sources of support can be a really important step in helping people to access the help they need.

The nuts and bolts are relatively straightforward. For the moment at least the idea covers generally viewable areas and not (for example) Facebook Messenger, so if you’ve set something to be private it should remain that way.

The tips and advice that will be offered have been developed in conjunction with professional and clinical bodies including the Samaritans and many others, and Facebook staff handling the issues won’t be cut adrift – the company recognises the difficulty of this sort of work and will offer psychological support and wellness resources to these employees, and it proposes to review this support annually.

The company is also teaming up with external organisations to handle suicidal behaviour on its Facebook Live broadcast system in the US.

Any UK readers who are affected by the issues raised in this article are encouraged to call the Samaritans on 116 123


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dDNZtIHAthM/

China mulls national cryptocurrency in race to digital money

Eight years ago, bitcoin was an experimental technology of interest only to a handful of enthusiasts. Today, China – which contains one in every five internet users – is mulling the idea of a national cryptocurrency.

The People’s Bank of China (PBOC) has been trialling a national digital currency based on the same underlying technology as Bitcoin. Here’s a description of how the blockchain works, but in summary – it’s decentralized, transparent and secure.

Governments worldwide have had a problematic relationship with Bitcoin. The US has held federal hearings on it, while at a state level New York has heavily regulated the cryptocurrency with its Bitlicense. Ecuador, Bolivia and Russia have all moved to ban Bitcoin outright, while other countries have taken their time working out what to do with the cryptocurrency.

China has been among the more aggressively anti-Bitcoin regimes. Over the past few years, PBOC has pressured exchanges and banks over Bitcoin, and the government turned up the heat again this year.

It’s not surprising that countries have found it difficult to tackle cryptocurrencies. People exchanging things on peer to peer (P2P) networks used to be the music and video industry’s problem. Now, suddenly, people were exchanging money with them.

When used properly, P2P money offers true anonymity, which creates problems for authorities trying to track the flow of cash to terrorists and organized criminals. Left unchecked, it’s also a great tax evasion tool. Where governments are regulating, they’re typically making sure that anyone trading bitcoins registers their identities so that authorities can follow the money.

It’s a tricky line for policymakers to walk. Governments need to control cryptocurrencies, but if they squash them altogether, they risk missing some of its best innovations. These include fast payments, micropayments, integration with the Internet of Things, and the ability to secure transactions using permission from multiple parties.

Governments could digitize payments using a centrally controlled digital currency, sans blockchain, but then people might not trust it. Many people would find the idea of government-tracked money unpalatable.

Could a cryptocurrency-based national currency satisfy everyone, providing convenience and privacy, while giving governments enough visibility to avoid fraud and criminal financing? That’s what China seems to be hoping for.

PBOC said as far back as January 2016 that it was exploring a digital national currency, arguing that it would reduce the cost of distributing money and also help curb financial fraud. It released several working papers, and trialled a blockchain-based trading platform that also supported currency issuance.

Fan Yifei, PBOC’s vice-governor, has emphasised the differences between privately issued currencies (like Bitcoin) and other cryptocurrencies issued by central banks. The former is volatile, with limited acceptance, he has said, while sovereign credit backs the latter.

PBOC deputy director Yao Ago last autumn described a digital currency that could be issued by China’s central bank, but through commercial banks that distribute it to the public. PBOC seems to recognize the need for anonymity, and wants to preserve that through the use of cryptography, but also wants to analyze data at a macroscopic level to understand where it’s going.

In short, he seems to be saying “you can trust us”. Bitcoin’s original ethos, though, was that you didn’t have to trust anyone.

Still, tighter currency controls will be more attractive to many countries wanting to understand where the money goes – and nowhere more than China, which faces a hefty shadow banking problem.

China isn’t the only country to consider a digital version of a national currency. Singapore has been testing one. In the UK, a Bank of England economist at least toyed with the idea. In Canada, which for a while mulled its own digital payment system before selling it, the central bank has suggested that a digital currency would need its guiding hand to be truly successful.

“National” cryptocurrencies can come from other sources. In Iceland, where the economy suffered more than most during the financial crisis, anonymous cryptocurrency advocates released a cryptocurrency for the nation, called Auroracoin.

The blockchain isn’t a necessity for countries considering digitised national currencies, but if used, it does offer at least a shot at privacy. Detail is everything, though, and specialists focused on cryptocurrency and security will be taking a close look.


 

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VTFNt-UxCz8/

Honey, I Wiretapped the Kids [Chet Chat Podcast 259]

Sophos Security Chet Chat – Episode 259 – March 8, 2017

Join Sophos security experts Chester Wisniewski and Paul Ducklin for the latest episode of our regular security podcast.

In this episode

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iAgvMwibzwA/

Royal Navy’s newest ship formally named in Glasgow yard

The Royal Navy’s newest warship, offshore patrol vessel HMS Forth, has been formally named in a ceremony held in Scotland.

The 90-metre craft was christened by Rachel Johnstone-Burt, who broke the traditional bottle of alcohol across Forth’s bows – in this case, a bottle of whisky to reflect the ship’s Scotstoun, Glasgow origins.

She is due to enter service with the RN in 2018, and will spend the time between now and then on final fit-out and sea trials.

Forth, lead ship of the Batch 2 River-class OPV flotilla, mounts a 30mm cannon. Unlike the original Batch 1 Rivers she also has a flight deck over the stern capable of accepting a Merlin helicopter, though she has no hangar. Her top speed is “around 24 knots” according to the Navy.

“The naming is a significant milestone in the life of HMS Forth and in the wider Offshore Patrol Vessel programme, which is well on track to deliver all five of the new ships by the end of 2019,” said Vice Admiral Simon Lister, chief of defence materiel (fleet).

The four RN OPVs are used to patrol British territorial waters, typically on fisheries protection duties. One OPV is permanently stationed in the Falkland Islands, and a couple of years ago one was sent on Atlantic Patrol Task (North), which involves cruising round the Caribbean looking for drug smugglers and generally flying the flag in the Commonwealth states near that part of the world. They are not warfighting ships in the sense of frigates or destroyers: you won’t see a River-class squaring up to, say, a Russian or Iranian vessel unless something has gone seriously wrong.

The Batch 2 Rivers are the result of the infamous Terms of Business Agreement (ToBA) between the Ministry of Defence and BAE Systems, which owns large chunks of Scotland’s warship building yards. At its simplest, the ToBA ensures hundreds of millions of pounds of public money is paid to BAE Systems not to close the yards, dispersing vital skilled tradesmen, while the MoD dithers over the planned Type 26 frigate. The Type 26 has been delayed and delayed again over the last few years while bean counters, civil servants and naval officers argue over the ship’s specifications and costs.

In order to get some kind of return on this “investment” the MoD commissioned the Batch 2 River-class OPVs. They are nominally more capable than the Batch 1s thanks to their flight deck, though the lack of a hangar to protect the aircraft from the elements during maintenance may limit its usefulness. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/09/hms_forth_named/

TalkTalk blocks TeamViewer

TalkTalk has blocked remote desktop management tool TeamViewer from its network, following a spate of scammers using the software to defraud customers.

A spokeswoman from the ISP confirmed it had blocked “a number of sites and applications” including TeamViewer from its network to protect customers from phishing and scamming activities.

The company said it was working with TeamViewer and other third parties on implementing some additional security measures to enhance security.

TeamViewer is one of the most popular pieces of software to enable remote access. It was also used by hundreds of scammers attempting to defraud TalkTalk customers by gaining remote access to their computers.

TeamViewer has previously said it takes the security and privacy of its customers “extremely seriously” and “condemns the use of TeamViewer to subvert systems and gain unauthorised access to private data.”

Customers complained on TalkTalk’s forum this afternoon they were unable to use the software.

One said they spent the whole morning trying to fix the problem, using three different computers which failed to connect to TeamViewer via TalkTalk’s SuperRouter.

“I tried to connect by tethering my computer to iPhone 4G – and it connected to TeamViewer straight away. [When I went] back to router [I] lost connection. Loads of reports on the internet about no connection via TalkTalk – why are they blocking it?”

Another said: “This is completely unsatisfactory. If this can’t be resolved then I’ll have no alternative but to switch ISP and also recommend that my main clients do also.”

In the forum, TalkTalk noted the number of complaints it receives from customers regarding these tools through fraudulent activities “is significant” but said it hoped to resolve the issue with TeamViewer and the other third party wares affected.

The mobile network’s spokeswoman said: “We constantly monitor for potentially malicious internet traffic, so that we can protect our customers from phishing and scamming activities.

“As part of this work, we have recently blocked a number of sites and applications from our network, and we’re working hard to minimise the impact on our customers.

“We would also urge our customers to visit our Beat the Scammers website to find out more about how they can keep themselves safe online.”

The Register has asked TeamViewer for a comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/09/talktalk_blocks_teamviewer/

9 Phishing Lures that Could Hijack your 2017 Tax Refund

Scammers are taking an aggressive approach to tax season this year, packing attachments and links with banking Trojans, and fairly new strains of ransomware.

Image Source: Flickr

Tax season has arrived – and so have the scammers. Unfortunately, crooks either prey on people’s sense of fairness and willingness to comply with authority, or appeal to a taxpayer’s fear of paying late or not complying with the law.

Patrick Wheeler, director of threat intelligence, for Proofpoint, says social engineering is increasingly common and very effective, plus fraudsters are packing attachments and links with banking Trojans and fairly new strains of ransomware.

“In the past, the tax lures were laggards,” Wheeler says. “But not this year. They’ve been adopting more of the phishing trends and tactics that we see all year ‘round.”

Carl Leonard, principal security analyst at Forcepoint, says scammers also use various phishing scams to collect a victim’s personal financial information.

“The scams range from a letter from the IRS promising a $7.5 million refund, to a promise from Her Majesty’s Revenue and Customs in the UK that says people can pay their taxes in the form of iTunes vouchers.”

While it can get silly, the results can be serious. Proofpoint’s Wheeler says most of these scams were discovered in February and will be active through the end of tax season.

For more information, check out the research reports from Proofpoint and Forcepoint. The nine slides are based on research from both reports.

Organizations that receive a phishing email scam involving the IRS or a W-2 form should forward it to [email protected] and place “W2 Scam” in the subject line. Organizations that fall victim to these scams should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3). 

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/perimeter/9-phishing-lures-that-could-hijack-your-2017-tax-refund-/d/d-id/1328334?_mc=RSS_DR_EDT

In Cybersecurity, ‘Sales Engineers’ Rake in Higher Salaries Than Tech Workers

Stop coding, start selling, and you could earn 50 percent more.

Cybersecurity is a trending occupation these days with good salary structure but the most in-demand profession in this field is that of a sales engineer (SE), reports CSO. And with the global cybersecurity industry looking to spend $1 trillion between 2017 and 2021, SEs are likely to get the biggest cut from this budget.

According to a US industry recruiter, SEs are paid annual salaries ranging between $180,000 and $220,000. A sales engineer, writes CSO, not only needs technical knowhow, but must be adept at soft skills. For a cybersecurity engineer, moving from writing code to giving demos could mean a pay boost – for an expert, it could be a jump of 50 percent in salary.

While security engineers draw an annual salary ranging between $110,000 and $150,000 and cloud security engineers are paid between $160,000 and $190,000, engineers specializing in the healthcare industry take in more than the average salary.

Read the full story here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/careers-and-people/in-cybersecurity-sales-engineers-rake-in-higher-salaries-than-tech-workers/d/d-id/1328354?_mc=RSS_DR_EDT

Trojan Android App Bullies Google Play Users Into Giving It 5 Stars

Users who download “Music Mania” get pounded by ads until they say uncle.

IT security company ESET has spotted an ad-displaying Trojan mobile app on Google Play which is tricking users into giving it five stars in exchange for a false promise of ceasing the app’s aggressive flood of ads, reports ZDNet.

This Android/Hiddad.BZ app is similar to a number of malicious ad-displaying apps which are using the technique of accumulating five star ratings to boost future downloads. Android/Hiddad.BZ was found present in seven versions of Google Play and had been installed by around 5,000 users.

Once downloaded, it is launched as Music Mania and asks for the installation of a plugin named Android. From then on, using several deceptive methods, it takes command of the screen and floods it with ads, not allowing the user to close the screen until the app has been given five stars.

Despite Google Play’s Developer Policy, these malicious apps made it onto the legitimate Google Play store. The Music Mania apps were pulled once the store was alerted to the Trojan.

Read more on ZDNet.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/mobile/trojan-android-app-bullies-google-play-users-into-giving-it-5-stars/d/d-id/1328353?_mc=RSS_DR_EDT