Coachella, a popular music festival in southern California that features acts like Beyonce, Lady Gaga and Radiohead, revealed this week that its website had been breached, potentially compromising 950,000 accounts containing the personal details of concert-goers who had purchased tickets in years past or registered on the website’s user forums.
In an email to its registered users, Coachella said that:
We recently discovered that unauthorized third parties illegally gained access to the usernames, first and last names, shipping addresses, email addresses, phone numbers and dates of birth individuals provided to Coachella.
Coachella says that no financial or password information had been accessed during the breach; however, in an earlier story about this breach, Motherboard alleged that Coachella user details were being sold on the black market for $300, including user IPs and hashed passwords.
Either way, Coachella strongly encourages any registered users to change their passwords on their website and anywhere else they may have used the same password – although we always discourage you from reusing passwords anyway!
The email goes on to warn Coachella registrants that due to the breach, they could become targets for phishing campaigns from attackers posing as Coachella employees or other interested parties.
The takeaway is two-fold on a breach like this:
For users, this just goes to demonstrate that even on a “trivial” website – where it may not seem like security matters for much – a simple breach on a music festival website can lead to some headaches down the road. As always, we recommend using a unique password for every website where you need to register. If you find that to be a daunting task, a password manager can help.
For vendors, it’s a reminder that you’re the steward of any data you gather from your users. Make sure you’re truly prepared to protect that data, and only ask for data that you truly need. Perhaps Coachella needed its users’ date of birth to verify their identity, or perhaps it was just a nice-to-have. Either way, unfortunately, that information has now been exposed.
Howard A Schmidt, a security industry heavyweight who served two US presidents and was a CISO and CSO for Microsoft and eBay, died Thursday at his home in Wisconsin after a long battle with cancer. He was 67.
Friends and colleagues remember him as an industry giant who helped shape the cybersecurity profession as we know it today.
He’s also remembered as a devoted family man with a passion for the outdoors and motorcycles. He is survived by his wife, four sons and eight grandchildren.
Career
Schmidt served in the US Air Force during Vietnam, then transitioned into a civil service career in that branch of the military. He spent 11 years as a Chandler, Arizona police officer, and in 1994 he went to work for the FBI’s National Drug Intelligence Center, heading up the Computer Exploitation Team.
He joined Microsoft in 1997 and was its director of information security, chief information security officer (CISO) and chief security officer (CSO). During that time, he co-founded the Trustworthy Computing Security Strategies Group.
After the 9-11 attacks, President George W Bush appointed him vice chair of the President’s Critical Infrastructure Protection Board and as a special adviser for cyberspace security for the White House. There, he helped create the US National Strategy to Secure CyberSpace. He became chairman in January 2003 but retired in May 2003 to join eBay as a VP and CISO.
He returned to the White House in December 2009, when President Obama appointed him Cybersecurity Coordinator and Special Assistant to the President for National Security Affairs. He retired from the White House and government service in May 2012.
Schmidt is welcomed back to the White House by President Obama in 2009.
A humble giant
Though his industry contributions are significant, he remained down to earth, humble and approachable, friends and colleagues said.
Ben Rothke, principal security consultant at New York-based Nettitude Group, met him when they were at a security conference in Dubai:
Waiting for a ride to the airport, he invited me to share a cab with him. He had a genuine interest in people. He liked to hear what others had to say, and talk about shared experiences. Howard had a lot to be arrogant about, as a man who sat with presidents and heads of state, Fortune 50 CEOs and more. But unlike many highly successful people, he was quite a humble man.
Wim Remes, CEO and principal consultant at NRJ Security, served with Schmidt on the (ISC)2 board of directors. They met at a formal dinner with industry and government leaders in 2013:
This guy walked in dressed in jeans and a Harley Davidson t-shirt – not something you’d expect at a formal dinner. But it showed me at first glance who Howard is. He challenged me as a person, intellectually and professionally, but no matter what the circumstances were, you always got the real Howard – unfiltered and 100% focused on the big picture.
Dr. Samuel Liles, acting director in the US Department of Homeland Security (DHS) Intelligence and Analysis Cyber Division, describes the time he was dispatched to fetch Schmidt for a meeting in 2011:
I was a faculty member at the National Defense University and we were hosting lots of dignitaries as cyberpolicy stuff was being worked out at an international level. I had met Howard a few times and in the middle of coordinating his visit from the White House it came to our attention that he was arriving via taxi and would have to walk (from the gate to the building). I got tapped to jump in my car and go pick him up at the gate. At that time I drove a rattle-trap, open-top, none-too-nice, covered-in-mud jeep. I picked him up at the gate, apologized profusely for my jeep, and we chatted on the short drive in. We talked about motorcycles, jeeps, and the weather. That is how I rolled up to the front of an international delegation from Sweden with the top cyberguy in the nation.
From the author
Howard took this photo of my family and me the night he gave us a tour of the West Wing in May 2010:
I had interviewed Howard many times over the years, and as a reporter new to cybersecurity, he was the first high-level official I had spoken to. In a gesture that floored me at the time, he gave me his cellphone number and told me to call him anytime. One night in December 2009, word began to circulate that he would be joining the Obama Administration.
I dialed his cellphone and he picked up on the first ring, almost as if he was expecting my call. He confirmed the news and, knowing I was a White House history buff, invited me and my family to Washington for a West Wing tour.
He took us through the halls of the West Wing, stopping at the Cabinet Room, Roosevelt Room and Oval Office, as well as a walk out into the Rose Garden and an extended tour of the Eisenhower Executive Office Building next door. He took our picture in the press briefing room.
That’s the kind of guy Howard was – always welcoming and always giving. He gave us an experience we’ll never forget.
I had dinner with him on a return trip to Washington three months later and he had a good laugh over my getting in trouble with the Secret Service police earlier in the day (details on that here).
I’m sad to learn that he has passed on, but I’m grateful and inspired when I think of the great things he did in life. And I’m forever grateful for all he taught me about the world of cybersecurity.
Rick Deckard wouldn’t have had much trouble spotting the robots at this year’s Mobile World Congress (MWC). Instead of having to fire up the Voight-Kampff machine and tediously measure blush response and eye movement, he could surely have “retired” a whole show’s worth of these rather more obvious replicants in a morning’s work, traditional MWC hangover notwithstanding.
For rather than taking on an elegant, stylish and even sensual form – such as those seen in Ridley Scott’s Blade Runner or, more recently, Alex Garland’s Ex Machina – the robots on display at MWC are somewhat on the clunky side still, while also notably lacking in Roy Batty-style guile and intelligence. Typically shiny and white, like a big iPhone with round eyes, they stood out a mile and fooled no one.
The best of these glossy wheelie bins at MWC was undoubtedly Softbank’s Pepper. Originally conceived as a companion robot, Pepper is now more typically being used for marketing purposes in locations such as shops, hospitals, showrooms and banks.
There is some recognition of human emotions, and it has a fairly decent handshake; none of that bone-crushing nonsense you get from the humans at these trade shows.
There was another “dumb bot” also on the Ubuntu stand (pictured), though it paled in comparison with the seriously interesting and Ubuntu-assisted manned robot that was filmed recently in South Korea; that one would have really shaken the Fira up. And among the few consumer robotics companies to exhibit at the show was China’s Leju Robotics, which has been working in this area since 2015.
Of course, we cannot really complain about the lack of compelling robots at what is, after all, still a mobile show; the clue is in the name. However, it’s apparent that, as with many other technology categories, there is now a very great deal of overlap between robotics and the mobile sector, and that this convergence seems set to accelerate.
Just look at the way mobile phones are increasingly offering voice activation and AI, perhaps the two most significant technology trends in play today, and both until recently associated mainly with robotics.
Robotic solutions and mobile devices are also benefiting from the emergence of technologies such as image recognition, gesture control and context-aware computing. And both sectors also have the capacity to be greatly enhanced by new high-capacity networks.
Indeed, mobile operators and vendors, keen to make the case for network upgrades, stressed at MWC the low latency of 5G and its importance to emerging sectors such as robotics. By way of example, Deutsche Telecom, SK Telecom and Ericsson demonstrated a tele-presence-enabled robot prototype, noting that 5G’s ultra-low latency enabled it to provide exciting new real-time use cases.
SK Telecom also unveiled new AI robots powered by voice and image recognition technology, while Google announced a significant expansion in the availability of its AI-enabled Google Assistant across Android devices.
Thinking about it, this convergence of robotics and mobile could make Deckard’s job all the harder. For rather than being rare and expensive bio-engineered androids, it could be that the real replicants are already here in their millions, insidiously posing as mobile phones.
There are three types of Google’s prove-you’re-a-human reCAPTCHA tests, or what are also known as Completely Automated Procedures for Telling Computers and Humans Apart:
Image Challenge: when Google makes you select all the kitty pictures or whatever other images developers have had us click on to prove we’re real.
Audio Challenge: when you need to enter numbers that are read out loud.
Text Challenge: when you need to pick all the phrases that match a given category.
Now, if Google could only figure out how to keep researchers from using its own tools to skewer those challenges.
No. 1, the image challenge, was gamed about a year ago when researchers used Google’s own massive image search database in reverse, finding words to match an image, rather than images to match a word, to help them find images in a reCAPTCHA set that shared a particular characteristic.
Now, the audio challenge has purportedly fallen, and yet again, it stumbled on one of Google’s own services: this time, it was Google’s speech recognition API.
A security researcher identifying themselves only as East-Ee Security said on Monday that they’ve discovered what they’re calling a “logic vulnerability” that allows for easy bypass of Google’s ReCaptcha v2 anywhere on the web.
The researcher came up with a way to automatically exploit that vulnerability. Dubbed ReBreakCaptcha, it works in these three stages:
Challenge. Get to the right sort of reCAPTCHA page where an audio challenge is offered, and download it.
Recognize. Convert the audio file to a suitable format and send it to Google’s Speech Recognition API.
Verify. Validate the Speech Recognition result and paste it into the reCAPTCHA, as though a human had figured it out.
In order to work, ReBreakCaptcha needs to make sure it gets an audio challenge every time, since that’s the type of challenge it knows how to game. It’s able to do that because when you’re presented with a text challenge, the dialog box offers a “reload” button. ReBreakCaptcha just keeps clicking that Reload Challenge button until it gets the audio challenge.
Likewise, when presented with an image challenge, ReBreakCaptcha selects the microphone icon at the bottom of the dialog box to select an audio challenge instead.
The controls on the audio challenge page are to play the audio, type in the answer, or download the audio challenge as a file.
The download button comes in handy. ReBreakCaptcha downloads the audio, converts it to WAV format (as Google’s Speech Recognition API requires), then feeds it into Google’s Speech Recognition. What the service sends back is a string: perfect for copying and pasting into the audio challenge’s text input box.
All these steps are automated through a Python script that relies on a library named SpeechRecognition that has support for several engines and APIs, online and offline.
The point of reCAPTCHA challenges is to slow down bots (software robots), so a bot that can solve a CAPTCHA automatically defeats the whole object.
The reason to determine if somebody’s human or bot is that bots do nefarious things, and they never get bored or tired when they’re doing them.
For example, bots harvest email addresses from contact or guestbook pages, scrape sites and reuse the content without permission on automatically generated doorway pages, take part in Distributed Denial of Service (DDoS) attacks, and automatically try to log into sites with reused passwords ripped off from breaches.
Of course, we saw reCAPTCHA fooled when researchers got around the image challenge with a success rate of 70% last April.
As it happens, Google’s been working on an even spiffier reCAPTCHA version, called Invisible reCAPTCHA, that won’t require us to click on anything at all. Rather, it will use advanced risk analysis technology that relies on clues as subtle as how a user (or a bot) moves the mouse in the brief moments before clicking the “I am not a robot” button to determine who’s human and who’s a bot.
But for now, while we wait for reCAPTCHA version 3 to come out, there’s apparently one more way to break version 2. East-Ee Security said that at the time the vulnerability was posted, the vulnerability hadn’t yet been patched.
The researcher didn’t mention whether s/he’d reported the bug to Google. I reached out to ask that of Google and to find out the status of a fix, and I’ll update the article if I hear back.
UK surveillance laws could be an obstacle to the creation of a US-Europe Privacy Shield-style arrangement post-Brexit.
The issue came up during testimony by Sir Julian King, EU Commissioner for the Security Union, at a Home Affairs select committee hearing on Tuesday.
Once Brexit happens, the UK will have to set up something similar to recently established US-Europe agreements to allow UK-based firms to process EU citizens’ data.
The UK will have to convince the EU that there will be no indiscriminate mass collection of data, among other measures, Sir Julian King said. An SNP MP asked how this squares with the Investigatory Powers Act, the UK’s recently updated surveillance law.
Independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg that a UK-Europe Privacy Shield will “probably be necessary” following Brexit.
It will take time to get it right unless the UK is deemed an approved third-party country, according to Honan, who added that the “IP Bill could scupper that”.
Intelligence sharing will continue in a framework outside of Brexit, Sir Julian King told the Home Affairs Select Committee.
Shared threat and shared benefit means that co-operation on security and counter-terrorism are likely to continue after Brexit, he added. ®
The Prime Minister has today appointed Lord Justice Fulford as the first Investigatory Powers Commissioner, who will be the chief overseer of the UK’s new surveillance laws.
The role of the commissioner was established by Section 227 of the Investigatory Powers Act 2016, which allows the Prime Minister to appoint the commissioner. He will authorise and oversee the use of snooping powers by public authorities.
Lord Justice Fulford, who is currently the Senior Presiding Judge for England and Wales, will immediately begin to serve his three-year term. He was a judge of the International Criminal Court in the Hague from 2003 to 2012.
Prime Minister Theresa May said: “I’m pleased to announce the appointment of Lord Justice Fulford as the first Investigatory Powers Commissioner. He brings a wealth of experience in the judiciary and expertise in matters of law which will be crucial to his vital role scrutinising the use of investigatory powers, as part of a world-leading oversight regime.”
His appointment is the first of the many moves necessary as the UK rejigs its oversight of state surveillance, although some parties stressed that it could still have been better.
The Interception of Communications Commissioner’s Office, which has now been replaced by the new Investigatory Powers Commissioner’s Office, recommended — as explained in its evidence to the Bill’s Joint Committee [PDF] — that an Investigatory Powers Commission, rather than just a commissioner, would be necessary for the purpose of providing a “clear legal mandate for the oversight body”.
At the time, the IOCCO explained that: “The reality is that the Judicial Commissioners will only be performing a very narrow part of the oversight – the prior authorisation of some of the more intrusive investigatory powers.
“The bulk of the oversight will actually be carried out by inspectors and staff within the Commission who need a clear legal mandate to require information from public authorities, to launch and undertake audits, inspections, inquiries, investigations and react in real time when non-compliance or contraventions of the legislation are discovered during an inspection.” ®
A Royal Air Force pilot has been cleared of perjury – but will be sentenced at court martial today after admitting he allowed his digital camera to jam his military airliner’s controls, sending it into a 4,000ft plummet.
Flight Lieutenant Andrew Townshend was taking photos while flying an Airbus A330 Voyager from RAF Brize Norton to Afghanistan in 2014. The court martial heard he put his Nikon DSLR down between the armrest of his captain’s chair and the airliner’s main control stick, mounted on the side of the cockpit.
When Flt Lt Townshend moved his seat forward a couple of minutes later the camera was rammed into the stick, sending the aircraft into a sudden dive where the peak rate of descent was 15,000 feet per minute. The aircraft descended 4,400ft in 33 seconds, Bulford Camp Military Court Centre was previously told.
Flt Lt Townshend was cleared of two counts of perjury – service prosecutors having alleged he lied to the formal Service Inquiry about the cause of the incident – and of making a false entry in the aircraft’s tech log after landing.
A reconstruction of the camera’s position between the Airbus’ side stick and the captain’s armrest (at left) before the seat was moved forward. Crown copyright
During the February 2014 incident the A330’s flight control computers automatically pulled it out of the dive as Flt Lt Townshend and his co-pilot, Flt Lt Nathan Jones, frantically struggled with the controls, believing the autopilot had caused the plummet. Airbus control logic automatically disengages the autopilot if the control stick is pushed to its limits.
Flt Lt Jones suffered a number of injuries as a result of being flung against the cabin roof during the dive, including a prolapsed disc in his back and nerve damage – and discovered a year after the flight that his back was actually broken. He was medically downgraded after the flight and is now captain of the Great Britain Invicta Games team, a sports team reserved for disabled armed forces personnel.
Fourteen other military passengers aboard the Voyager – a militarised version of the A330 airliner, fitted with air-to-air refuelling equipment – were so badly injured or shaken up by the incident that they were unable to continue to Afghanistan, where they were due to deploy on military operations.
Voyager ZZ333 was returned to RAF service after exhaustive tests, including X-rays of the captain’s stick assembly and assessments of cosmic radiation measurements to see whether factors other than the camera had affected the aircraft’s fly-by-wire computers. ®
Slack quickly squashed a potential account hijack bug hours after it was reported.
Frans Rosén, a security researcher at Detectify, discovered a vulnerability in Slack that created a means for a malicious website to steal a user’s Slack token, potentially seizing control of their account in the process. Slack fixed the bug in five hours after Rosén reported it through bug bounty outfit HackerOne last Friday. The security researcher earned $3,000 for his work.
In a statement, Slack said subsequent inquiries revealed that the flaw was never actually abused.
@fransrosen [Rosén] discovered a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens. We resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited.
Veteran security expert Graham Cluley praised Slack’s prompt response to fix a flaw that, left unresolved, might have been abused in targeted attacks but not in mass compromises. “[A potential attack] methodology really requires a Slack user to be specifically targeted, and for that targeted user to click on a link or deliberately visit a booby-trapped webpage, containing the code that begins the attack,” he said. ®
Marissa Mayer will be denied her annual bonus of around $2 million and also forgoes an annual stock award worth millions.
Yahoo CEO Marissa Mayer will pay a penalty for the two breaches the company suffered in 2013 and 2014 by being denied her annual bonus of around $2 million and forgoing her annual stock award worth millions of dollars, Fox News reports. Yahoo’s general counsel Ronald Bell too was punished, having to resign without getting his severance pay.
An internal investigation into the breaches has held the executives responsible for failing to conduct a deep probe into the security lapses once revealed, alleging the executives “failed to act sufficiently.” The report also called out the legal department for failing to act immediately, which caused the breaches to not be “properly investigated and analyzed at the time.”
The data breaches, reported by Yahoo in 2016, compromised over 1 billion user accounts and cost the company $350 million after Verizon reduced its takeover deal price. Over 40 lawsuits have been filed against the company and the SEC and FTC are investigating the incidents.
In her defense, Mayer says she tried to set things right as soon as she learnt about the breaches.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
Service aims to provide efficient security programs but projects must meet certain rules to qualify for it.
HackerOne has announced free professional service for open-source projects aimed at providing support to project developers for running efficient and productive security programs. Called HackerOne Community Edition, this service will help open-source projects with “vulnerability submission, coordination, dupe detection, analytics, and bounty programs.”
To qualify for this service, projects should meet certain requirements, says HackerOne. They must be open-source projects with an OSI-approved license, be active and at least three months old, be willing to provide a link to the HackerOne profile from their website, be willing to add a SECURITY.md file in the project root, and be active in responding to new reports.
There is however no customer-success support available.