STE WILLIAMS

Twitter scrambles those anonymous account eggs

Twitter on Wednesday announced yet more tweaks to help tune down – or tune out – abusers and trolls.

For one thing, it’s developed new algorithms to automagically identify abusive accounts even before they’ve been reported as such – like, say, the kind that repeatedly tweets at non-followers.

After it spots bratty accounts, Twitter’s giving them a time-out by restricting their tweets to followers for a “set amount of time”. If the accounts keep breaking Twitter Rules, “further action” will be in the offing, Twitter VP of engineering Edward Ho said in the post.

The company actually began testing the new protocol last month, reducing the reach of abusive tweets in an attempt to spare non-followers the eyeball pain of reading them.

Hopefully, by this point, the algorithms have been tuned finely enough that Twitter won’t be burying any non-deserving accounts. Or at least that’s the aim, Ho said:

We aim to only act on accounts when we’re confident, based on our algorithms, that their behavior is abusive. Since these tools are new we will sometimes make mistakes, but know that we are actively working to improve and iterate on them every day.

Of course, mistakes do happen. February, a month full of Twitter safety tweaks, also saw a Twitter misstep: it announced that it would stop notifying people when they get added to a list.

Um, how about “Hell No?” How about “We would far prefer to know when we’ve been added to lists and targeted?” Within a day of being reminded that targeting would absolutely happen, Twitter rolled back the change. But users pointed out that the company could have gone further still:

In other abuse-squashing news, Twitter’s introducing a filtering option that will help us crack some eggs. Eggs, as in, that standard profile icon that indicates a user hasn’t uploaded a photo yet and is still a bird embryo.

You can now filter out egg accounts. Ditto for accounts with unverified email addresses or phone numbers.

Twitter’s also expanding a mute feature, first introduced in November, that lets you mute certain keywords, phrases, or entire conversations. You’ll be able to mute from your home timeline. You can also decide how long to mute the content, be it a day, a week, a month, or until Hell freezes over. It recently allowed users to mute notifications for words and hashtags, as well.

Finally, Twitter’s planning to let us know when it’s received our abuse reports, and it will inform us if it takes further action, all of which will be visible in the app’s notification tab.

That’s the latest from the never-ending Twitter safety campaign. Please do let us know what you think should be next on its list in the comments below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Zedf0Kmyd9c/

Dark net webmail provider Sigaint still in the, er, dark

Sigaint, one of the largest dark web email providers, is approaching its third week of unavailability with still no clear signs about what’s happening to the service.

The site has been down since at least February 11, with no news about what’s happening as yet. In the absence of a clear explanation, speculation is, unsurprisingly, rife. Users have taken to Reddit and Twitter to voice their angst.

Sigaint allowed users to send and receive email without revealing their location or identity. The service operated through a Tor hidden service, available through a clear net proxy gateway, or directly on the dark web.

The service has run for years despite deanonymisation attacks by Federal agencies and other hostile parties. For example, hackers (possibly from intelligence agencies) targeted the service via the tactical deployment of 70 bad Tor exit nodes back in April 2015.

Other dark web email providers are available but Sigaint is one of the more (but far from universally) trusted and popular. One group of Sigaint email account holders is offering 20k to get back their emails. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/02/sigaint_goes_dark/

We found a hidden backdoor in Chinese Internet of Things devices – researchers

IoT devices from a Chinese vendor contain a hidden backdoor that the vendor is refusing to fix, according to security researchers.

The backdoor was discovered in almost all devices produced by VoIP specialist dbltek, and appears to have been purposely built in for use by the vendor, according to security firm Trustwave. The firm says that it followed a responsible disclosure process, but claims the vendor responded only with modifications that leave the backdoor open.

Trustwave claims the vendor then cut off contact with it. The security firm says it has since been able to write exploits that open both the old and new backdoors.

The vulnerable firmware is present in almost all dbltek GSM-to-VoIP devices, a range of equipment mostly used by small to medium size businesses, it claims. Trustwave researchers claimed they had found hundreds of vulnerable devices on the internet.

El Reg invited dbltek to respond to Trustwave’s accusations on Wednesday but we’ve yet to hear back from the manufacturer. We’ll update this story as and when we hear more.

Trustwave went public with its findings on Thursday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/02/chinese_iot_kit_backdoor_claims/

Survey Finds Disconnect Between Security Strategy and Execution

Report from Intel Security and CSIS discovers 93% of businesses have cybersecurity strategies, but only 49% fully implement them.

A recent survey by Intel Security and the Center for Strategic and International Studies (CSIS) discovered a disconnect between strategy and implementation for business cybersecurity programs. While executives are happy in the belief that their security measures are effective, executioners have a different story to tell.

The report says there are three basic misalignments in the current corporate world that give cybercriminals an edge. These involve bureaucracy, strategy implementation and disparity between executives and implementers. While 93% of businesses claim to have a strategy in place, only 49% report its implementation. Even though 60% of IT executives believe their strategy execution is complete, only 30% of the implementers agree.

“It’s not a matter of ‘what’ needs to be done, but rather determining ‘why’ it’s not getting done, and ‘how’ to do it better,” says Denise Zheng of CSIS.

Despite recognizing the seriousness of cybersecurity, around 54% of executives say reputation is more important to their organizations.

Candace Worley of Intel Security explains: “For IT and cyber professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: http://www.darkreading.com/risk/survey-finds-disconnect-between-security-strategy-and-execution/d/d-id/1328300?_mc=RSS_DR_EDT

Google Enhances Safe Browsing for Chrome on MacOS

The Chrome Settings API for Mac will give developers tools to ensure users have full control of their settings and know about intrusions.

Users of macOS devices will now experience safer browsing on Chrome because of its Chrome Settings API, says Google. The company recently launched this API to keep users in full control of their Chrome settings and alert them when they encounter suspicious files or sites.

From this point forward, developers will use only the Settings Overrides API when making changes to Chrome settings on Mac OS X. No changes can be made to settings without going through the Chrome Web Store.

Google claims to have strengthened its Safe Browsing through this initiative by making it easier to tackle unwanted ads and attacks on Chrome user settings by macOS-specific malware.

From March 31 onwards, users will be alerted when software attempts to change their settings without using the API.


Article source: http://www.darkreading.com/vulnerabilities---threats/google-enhances-safe-browsing-for-chrome-on-macos/d/d-id/1328302?_mc=RSS_DR_EDT

Three Years after Heartbleed, How Vulnerable Are You?

You may have a problem lurking in your open source components and not know it. Start making a list…

Three years ago, the Heartbleed vulnerability in the OpenSSL cryptographic library sent the software industry and companies around the world into a panic. Software developers didn’t know enough about the open source components used in their own products to understand whether their software was vulnerable — and customers using that software didn’t know either.

Unfortunately, the majority of today’s software companies aren’t any less vulnerable than they were three years ago. To prevent future Heartbleeds, companies must put in place processes and automation to scan, track, and manage the open source components they use in their products. Doing so will let them responsibly understand where the open source components reside within their software products, which of these components are vulnerable, and which customers are exposed.


Today’s Reality
Ten to 20 years ago, a VP of engineering could turn around, look at the bookshelf, and see the product boxes of the libraries the company licensed. Maybe there were a few digital downloads, or some code from a famous book. Slowly at first, then seemingly overnight, the development model changed from mostly homegrown software with a few commercial libraries to projects that are at least 50% open source, all digitally delivered, and not always in well-defined locations in the source tree. To answer the question “Are we affected by this latest vulnerability?” requires a current listing of dependencies or bill of materials (BOM).

Although most companies believe that such a list is being managed, the vast majority of software companies would be hard pressed to produce a list like that, even post-Heartbleed. Research shows that typical software companies can’t create such a listing, and if they can, the average percentage of known components is only 4%! What this means is that for every known component, there are 24 other unknown and unmanaged components that are being used and delivered to customers.

A Quick Review
I recommend that you see if you can produce a current BOM and determine when it was last updated. If this list was created only using self-reporting by developers, it’s almost certainly only a small percentage of reality. Perform some sampling of the codebase to check if the version numbers reported are still current, and do a quick review of library names; a quick search on copyright strings and licenses; and a review of file extensions that are likely third party (.JAR or .DLL, for instance). Even a quick review will uncover large amounts of previously unknown third-party software.

Doing a search for the string “OpenSSL” can be even more eye-opening. It’s pretty much guaranteed you’ll find multiple copies of previously unknown instances of OpenSSL in open source components and embedded in commercial components. Both source and binary inclusions will be found.

These self-tests can quickly show that your BOM is either incomplete or out of date. Although this isn’t a happy thing to find out, at least you’ll have lots of company.

Use Cases
There are a few main use cases where you will find open source components that may be affected by published vulnerabilities. The most common will have been brought in as top-level components, often in clearly named files or directories. The next case to be found will be subcomponents of these top-level components. This type of open source software use is harder to discover and is often overlooked. Versions of these components that have been compiled and linked into other larger packages are almost invisible to the typical developer when trying to create a complete list of dependencies. Lastly, codebase owners will want to review the remaining source files to find cut-and-pastes, refactorings, or rearrangements of a larger open source package. This last category can be almost impossible to account for by eyeballing the codebase alone.

Once a current BOM is created, it should be compared against components with known vulnerabilities. Expect multiple vulnerable components to be found, especially on the first review cycle. Some of these may be easily exploitable, while others may not have such a clear path to exploit. It’s common to triage these results. Steps to fix this problem include upgrading to the latest version, patching, blocking access, and, in some cases, removing the component and product features affected.

You may find that a vulnerability was introduced because of a subcomponent of a larger component that was delivered via your software supply chain. If you’re lucky, you may find that your open source and commercial suppliers have already patched the affected component and it’s ready for download. It’s also common to find out that they are not aware of, or not ready to remediate, the issue.
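The quick review and use cases above can be scripted. The following is an added example, not code from the article or from Flexera: it walks a source tree, flags likely third-party binaries by extension, searches source and binary files for copyright holders and the version text OpenSSL embeds, and cross-checks the resulting BOM against a small advisory table. The mini codebase and the advisory table are constructed for the demonstration; a real review would feed the BOM to a proper vulnerability database.

```python
import re
import tempfile
from pathlib import Path

# File extensions that almost always mean a third-party binary was checked in.
THIRD_PARTY_EXT = {".jar", ".dll", ".so", ".a", ".lib"}

# OpenSSL stamps its version into both headers and compiled libraries as text
# like "OpenSSL 1.0.1f 6 Jan 2014", so one byte-level pattern covers both forms.
OPENSSL_RE = re.compile(rb"OpenSSL\s+(\d+\.\d+\.\d+[a-z]?)")
COPYRIGHT_RE = re.compile(rb"Copyright\s+\(c\)\s+[\d, -]+\s+([^\r\n]{1,60})")

# Constructed advisory table (not a real feed): component -> affected versions.
# The OpenSSL entry lists the Heartbleed-affected releases.
KNOWN_VULNERABLE = {
    "OpenSSL": {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d",
                "1.0.1e", "1.0.1f", "1.0.2-beta"},
}


def scan_tree(root):
    """Walk the tree and return a BOM: one record per third-party indicator found."""
    root = Path(root)
    bom = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in THIRD_PARTY_EXT:
            bom.append({"path": rel, "kind": "binary-ext",
                        "component": path.stem, "version": None})
        data = path.read_bytes()          # bytes, so binaries are searched too
        for m in OPENSSL_RE.finditer(data):
            bom.append({"path": rel, "kind": "openssl-string",
                        "component": "OpenSSL", "version": m.group(1).decode()})
        for m in COPYRIGHT_RE.finditer(data):
            holder = m.group(1).decode(errors="replace").strip()
            bom.append({"path": rel, "kind": "copyright",
                        "component": holder, "version": None})
    return bom


def vulnerable_entries(bom):
    """Cross-check BOM records that carry a version against the advisory table."""
    return [e for e in bom
            if e["version"] in KNOWN_VULNERABLE.get(e["component"], set())]


def build_sample_tree():
    """Create a constructed mini codebase in a temp dir and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="bom-demo-"))
    files = {
        # First-party code: no third-party markers.
        "src/app/main.c": b"int main(void) { return 0; }\n",
        # Vendored OpenSSL header: version visible in source form.
        "src/vendor/crypto/opensslv.h":
            b"/* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. */\n"
            b"#define OPENSSL_VERSION_TEXT \"OpenSSL 1.0.1f 6 Jan 2014\"\n",
        # A wrapper built against a patched release.
        "src/net/ssl_wrapper.c":
            b"static const char *banner = \"OpenSSL 1.0.2g 1 Mar 2016\";\n",
        # A compiled library with OpenSSL statically linked: only the binary string remains.
        "lib/libfoo.so": b"\x7fELF" + b"\x00" * 12
                         + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 8,
        # A Java archive checked in without any listing.
        "lib/helper.jar": b"PK\x03\x04" + b"\x00" * 8,
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    bom = scan_tree(sample)
    for entry in bom:
        print(f"{entry['kind']:15} {entry['path']:32} "
              f"{entry['component']} {entry['version'] or ''}")
    for entry in vulnerable_entries(bom):
        print("VULNERABLE:", entry["path"], entry["component"], entry["version"])
```

Note that the statically linked copy in lib/libfoo.so is found only because the scan reads bytes rather than text, which is the case the article calls almost invisible to a typical developer.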

Defect Logging Process
Familiarizing yourself with the defect logging process for your open source and commercial components is an important part of participating in the vulnerability life cycle.

Once a new version of your product is delivered, the process of keeping a valid current BOM, and checking this list against known vulnerabilities, should continue as long as the product is developed and used. This should be done for all versions used by your user community. Although your development team may have moved to the latest version, you may have significant numbers of users happily using much older versions of your software.

Until the software industry puts into place processes similar to the ones detailed above, it will continue to be unprepared to quickly respond to new Heartbleed-style vulnerabilities.


Jeff Luszcz is the Vice President of Product Management at Flexera Software, the leading provider of next-generation software licensing, compliance, security, and installation solutions for application producers and enterprises. Prior to Flexera, Jeff was the Founder and CTO …

Article source: http://www.darkreading.com/vulnerabilities---threats/three-years-after-heartbleed-how-vulnerable-are-you/a/d-id/1328293?_mc=RSS_DR_EDT

DoJ Indicts 19 People in Global Fraud, Money-Laundering Schemes

Federal indictments charged 19 people for participating in international fraud and money laundering operations including the use of BEC schemes, which led to $13M in losses.

Nineteen people were charged today for participating in international fraud and money-laundering schemes, which led to the loss of $13M from more than 170 victims primarily based in the US.

Of the 19 defendants, 16 were arrested last night and today as part of an FBI operation. One was arrested beforehand, and two remain at large. These arrests, conducted by more than 50 law enforcement agencies, are the result of a multi-year effort by federal and international law enforcement to find fraud and money-laundering operations conducted by an organized crime network.

Today brought a total of four indictments for the following schemes: online vehicle fraud, business email compromise (BEC), unlicensed money transmitting network, and international money laundering conspiracy.

“These indictments and today’s arrests followed an international investigation into an interconnected web of money launderers, fraudsters and individuals that aided and abetted their criminal activities,” said US Attorney Channing Phillips. “The defendants in the cases being unsealed today are accused of taking part in schemes in the United States and abroad, costing victims millions of dollars.”


Article source: http://www.darkreading.com/attacks-breaches/doj-indicts-19-people-in-global-fraud-money-laundering-schemes-/d/d-id/1328303?_mc=RSS_DR_EDT

Yahoo! dysfunction! meant! security! warnings! were! ignored!

Yahoo!’s board has decided CEO Marissa Mayer should not be paid her bonus, after investigating the 2014 hack that has so besmirched the company’s reputation and finding the company knew the gravity of the situation but failed to act properly to address it. Mayer has also decided to forego an award of equity due to her this year.

News of the decisions and Yahoo!’s investigation into the hacks emerged today with the publication of the company’s Form 10-K, the warts-and-all documents US public companies are required to file each year to disclose just about any risk they face.

The 10-K summarises the results of an Independent Committee’s investigation of the 2014 hack, and the news isn’t good for Yahoo! because the investigators “… concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016.”

“In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool,” the 10-K says, explaining that while the company “took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement” those efforts weren’t sufficient.

The filing offers this observation about Yahoo!’s conduct:

…it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.

It gets worse, as the 10-K also offers the following analysis:

Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.

There’s a tiny ray of sunshine in that the Independent Committee “did not conclude that there was an intentional suppression of relevant information.”

But the investigators did find “… that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.”

And those risks were substantial, because the 10-K reveals that the forensic experts it hired to look into the creation of forged cookies that could allow an intruder to access users’ accounts without a password have found that “an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies.”

“The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016,” the 10-K filing states.

The good news is that Yahoo! has “invalidated” those cookies “so they cannot be used to access user accounts.”

The bad news is that the investigation found “… failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.”

Marketers for information security companies and governance educators probably want to have those remarks framed.

The rest of us won’t: Mayer’s bonus is US$2m and her equity grant is usually about $12m of stock. That’s peanuts compared to the US$350m Verizon has trimmed from its offer to buy Yahoo!. Mayer’s lost haul is probably also well below the company’s bill for lawyers to fight the “approximately 43 putative consumer class action lawsuits” the form 10-K says have been filed to date regarding the 2014 security breach.

Yahoo! doesn’t think they will amount to much: the filing says “… the Company does not believe that a loss from these matters is probable and therefore has not recorded an accrual for litigation or other contingencies relating to the Security Incidents.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/02/yahoo_internal_hack_investigation_is_daming_marissa_mayer_loses/

US-Europe Privacy Shield not worth the paper it’s printed on – civil liberties groups

The critical transatlantic data agreement, named Privacy Shield, is worthless, gives intelligence agencies complete free rein, and should be discarded, according to Human Rights Watch and the American Civil Liberties Union.

In a letter to European Union leaders responsible for overseeing the agreement, the two organizations outline in some detail why they believe President Trump’s recent executive order on immigration undermines the agreement, and highlight that the accountability structures intended to make it effective are non-functional.

In direct contrast to US officials – who have argued that Privacy Shield is unaffected by Trump’s order – the letter argues that the order does in fact directly impinge on the agreement.

The key aspect is Section 14 in Trump’s Enhancing Public Safety in the Interior of the United States, which explicitly stated that the US Privacy Act would “exclude persons who are not United States citizens or lawful permanent residents.”

That would appear to undermine the main tenet of Privacy Shield – that European citizens have a right to sue if their data is misused by US companies or authorities.

But acting head of the US Federal Trade Commission Maureen Ohlhausen and former FTC Commissioner Julie Brill have both argued that the existence of the Judicial Redress Act and an accompanying list of countries the Act covered, signed by the Attorney General – both of which became law on February 1 – means that Privacy Shield remains unaffected.

Not so, say Human Rights Watch and the ACLU, who argue:

  • The Judicial Redress Act provides a much smaller range of protections than the Privacy Act. As a result, EU citizens can bring legal action only if their data is “willfully and intentionally” misused rather than spread accidentally or inadvertently.
  • The data protection under the Judicial Redress Act covers only some federal agencies, but not all. The letter gives as an example the Department of Health, which would effectively be exempt from any misuse of personal data.
  • The US security services – who stand at the heart of the argument – would get a free pass and any information they gather and possess would not be covered.
  • The Judicial Redress Act requires individuals to file claims and does not obligate federal agencies to provide a clear process for dealing with complaints, which would likely make any challenges extremely time-consuming and expensive.

The letter also points out that the many thousands of non-EU citizens living and working legally in the EU would not even get the protections under the Judicial Redress Act.

In addition to the loss in legal protections and process caused by the Trump executive order, the letter also points out the dire state of the oversight and accountability structures that are supposed to provide confidence in the system.

One key organization in that process is the Privacy and Civil Liberties Oversight Board (PCLOB), which is supposed to have the independent authority to examine records, hear testimony and issue reports with recommendations.

Thank you for your service

However, after the PCLOB took issue with the US government’s spying programs brought to light by Edward Snowden’s revelations, its independence and even its ability to function have been fatally undermined.

The PCLOB, for example, concluded in 2014 that the NSA’s Section 215 phone surveillance program was unconstitutional.

Less than two years later, Congress passed legislation that formally prohibited the board from reviewing covert activity, gave Congress budget control over the board, and required it to report directly to legislators. The result was a slew of resignations of both staff and board members.

In March 2016, chair David Medine unexpectedly resigned. Following the results of the presidential election, former judge Patricia Wald resigned from the board on January 7 this year; James Dempsey left a week earlier on January 3. Rachel Brand’s term ended on January 29 and was not renewed. And the PCLOB’s executive director Sharon Bradford Franklin also stepped down.

None of their positions have been filled, meaning that the PCLOB has just one of five board members and no executive director. And, legally, that means it cannot carry out any work.

“Given these recent changes to US policies and oversight structures,” the letter from the ACLU and Human Rights Watch argues, “we believe that the assurances that the European Commission relied on as part of the Privacy Shield and US-EU umbrella agreement are no longer valid. Thus, we urge you to examine whether these agreements are consistent with the protections enshrined in the EU Charter of Fundamental Rights.”

Or, in other words, kill it before the European Court of Justice forces you to do so for a second time. ®

PS: The UK’s Investigatory Powers Act appears to be gift-wrapped for the NSA.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/01/privacy_shield_not_worth_paper_written_on/

Online shops plundered by bank card-stealing malware after bungling backend Aptos hacked

Shoppers of 40 online stores have had their bank card numbers and addresses slurped by a malware infection at backend provider Aptos.

The security breach occurred late last year when a crook was able to inject spyware into machines Aptos used to host its retail services for online shops. This software nasty was able to access customer payment card numbers and expiration dates, full names, addresses, phone numbers and email addresses, we’re told.

Rather than being alerted to the infiltration by Aptos itself, we were warned this week by Aptos’ customers – the retailers whose websites were infected by the malware on the backend provider’s servers.

According to these stores, which have had to file computer security breach notifications with state authorities, the malware was active on Aptos systems from February through December of 2016.

A spokesperson for Aptos – based in Atlanta, Georgia – told The Register the biz had been working with the FBI and US Department of Justice to investigate the ransacking, and was required to keep quiet about the infection for two months before notifying its customers.

“As the 60-day period expired on Sunday, February 5, we contacted impacted retailers starting on Monday, February 6 to provide a synopsis of the situation,” Aptos said.

“We are working closely with the specific digital commerce customers who were impacted by this incident to ensure affected consumers are notified in a transparent, accurate and timely manner in accordance with US-based state disclosure laws for data security incidents.”

Among the affected companies is Liberty Hardware, which told the state of Montana that it was notified of the breach on February 7.

“Aptos has informed us that they discovered the intrusion in November 2016,” Liberty Hardware said. “We understand that Aptos then contacted Federal law enforcement agencies and the US Department of Justice, and law enforcement requested that notification to businesses (including Liberty Hardware) be delayed to allow the investigation to move forward.”

Some of the customers, such as sweets site Affy Tapple, are footing the bill for a year’s credit monitoring for customers exposed by the breach. “Aptos has advised us that the unauthorized person(s) potentially had access to the payment card transaction records of 19 of Affy Tapple’s customers with billing addresses in Washington,” the site says.

Other businesses will likely be following with their own disclosures. Aptos said it is letting the companies affected handle the notifications on their own and will not name them individually. So if you shopped online around November last year, and you get a note from one of the 40 affected websites confessing your payment card details were stolen, you know who to blame.

Aptos, its CEO Noel Goggin, and his team. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/01/aptos_craptos_security/