STE WILLIAMS

Probe President Trump and his crappy Samsung Twitter-o-phone, demand angry congressfolk

Fifteen members of US Congress have asked the House Oversight Committee to investigate whether President Trump is putting national security at risk by using an insecure phone and holding sensitive meetings in public.

In a letter to the committee, the congressfolk say [PDF] they were inspired by reports that the Commander in Chief is using a four-year-old Samsung Galaxy S3 to emit – and this is our technical term, here – borderline incoherent Twitter spouting. It’s not clear if this particular Android gadget is his only handset, but some in Congress are concerned that it’s putting the country at risk.

“Cybersecurity experts universally agree that an ordinary Android smartphone, which the President is reportedly using despite repeated warnings from the Secret Service, can be easily hacked,” said Representative Ted Lieu (D-CA). “This behavior is more than bad operational security – it is an egregious affront to national security.”

It was traditional for incoming presidents to be fully outfitted with Secret Service-provided communications gear, but Trump looks to be hanging onto his trusty handset. Obama refused to give up his beloved Blackberry when taking office. He also wasn’t allowed by NSA staffers to use an iPhone.

The letter also refers to Team Trump’s OPSEC comedy performance art at the President’s Mar-a-Lago Club in Florida, where he was having a public dinner with the Japanese Prime Minister when the North Koreans fired off a test missile.

Trump took phone calls on the matter within earshot of other people, looked on as his aides used their camera-fitted smartphones to illuminate government documents, and allowed the soldier carrying the nuclear football to pose with guests for Facebook snaps. The White House has since said that there was no classified information made public at the meal.

Finally, the signatories of the letter want an investigation into claims that Republican staffers aren’t using the official secure White House email system (which is kept as a record), and instead are using an email server run by the Republican National Committee.

Having a private email server was a stick used to beat Hillary Clinton like a red-headed stepchild in the election, but it wouldn’t be the first time the Republicans have set up a shadow email server. In 2007 it came out that the RNC was running its own email system – it was shut down and 22 million emails were deleted before investigators could see them.

The request to the House Oversight Committee is unlikely to yield much of a result. The chances of the Republicans investigating one of their own in this manner are slight, especially considering the group is refusing to even consider investigating claims that Russian hackers might have influenced the last election. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/17/congress_calls_for_investigation_trumps_samsung_s3/

Paper factory fired its sysadmin. He returned via VPN and caused $1m in damage. Now jailed

A sacked system administrator has been jailed after hacking the control systems of his ex-employer – and causing over a million dollars in damage.

Brian Johnson, 44, of Baton Rouge, Louisiana, US, had worked at paper maker Georgia-Pacific for years, but on Valentine’s Day 2014 he was let go. He didn’t take that lying down, and spent the next two weeks rifling through the firm’s systems and wreaking havoc from his home.

We use the term hacking loosely: Johnson was still able to connect into Georgia-Pacific servers via VPN even after his employment was terminated. Once back inside the corporate network, he installed his own software, and monkeyed around with the industrial control systems. His target was the firm’s Port Hudson, Louisiana, factory, which produces paper towels and tissues 24 hours a day. In a two-week campaign, he caused an estimated $1.1m in lost or spoiled production.

However, the timing of the attacks aroused the suspicions of his former employer, which has 200 facilities across America and employs 35,000 people, we’re told. On February 27, 13 days after he was fired, the FBI raided Johnson’s home. They found a VPN connection into the company’s servers on his laptop, and a subsequent forensic investigation of his hard drive and broadband router got enough evidence to bust him.

Johnson pleaded guilty to hacking and willful damage charges [indictment PDF] on February 4 last year. On Wednesday this week, the Louisiana district courts determined he had caused $1,134,828 of damage, which he must repay. But he’ll have to get out of prison first, since he’ll be spending the next 34 months in the Big House.

“This case is a powerful reminder of the very real threat and danger that businesses and individuals face from cyberattacks and other cyber-related criminal activity,” said United States Attorney Walt Green on Thursday.

“Thanks to the victim’s quick response and cooperation with our office and the FBI – as well as the excellent work by the prosecutors and law enforcement agents assigned to this matter – we were able to stop Mr Johnson’s malicious attacks and bring him to justice.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/18/it_admin_/

Couple can’t store data from camera pointed at next door’s garden

A judge in a Scottish court has just taken a privacy ruling from cyberspace and applied it to the real world as he fined a couple for videoing their neighbours through a webcam ostensibly set to monitor his back garden.

The same judgment arguably also transfers the obligations of a corporation to the individual, classifying the man doing the filming as a data controller.

The case was brought against Edinburgh’s Nahid Akram, who with her husband Sohail installed a set of cameras after applying to change the use of their house to a bail hostel. The application had been opposed by neighbours Debbie and Tony Woolley and according to press reports, relations between the families soured after that point.

The sheriff in the court agreed in the judgment that the Akrams – specifically Nahid, named in the case – had deliberately trained their cameras and microphones on the Woolleys’ home, compromising their privacy. They felt unable to go out and converse in their own back garden and their daughter felt unable to sunbathe because it would be filmed and the footage retained for up to five days.

The judge ruled against the Akrams, awarding £17,000 compensation to the Woolleys, in a move that is noteworthy on a number of grounds.

First, the judgment refers back to a case brought against Google for continuing to track Safari users when they had logged out of Google.

Second, reassuringly, it establishes absolutely that there is more to privacy than the financial implications; outside the legal costs, the Woolleys technically didn’t pay anything for this.

Third, and this is a key point, the Akrams claimed they weren’t actually keeping the recordings because the system only retained them for five days by default. This was comprehensively thrown out, so you could assume the “couldn’t be bothered with the settings” defence is from this point onward a non-starter.

Finally, as well as transferring the implications of the Google ruling into the “real” world, if that’s genuinely a distinction, we note it takes the effect from the corporate world and into the domestic arena.

Akram in effect became fully liable as a data controller and needed to implement all the due diligence that would have been needed in the corporate world once she’d done so.

Although this is a Scottish-only judgment for the moment, it should send clear messages out to everyone using a recording device of some sort and assuming they’re probably covered because they’re such small fry.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CWBika8lj68/

News in brief: Oculus demos closed; smart doll ‘should be destroyed’; Europe warned over elections

Your daily round-up of some of the other stories in the news

VR falters as it hits roadblocks

There’s been a lot of hype around virtual reality, and some concerns about the privacy implications of data-sharing between hardware and owner, but it seems that the first nail might have been hammered into the technology as a consumer thing.

Facebook is to close nearly half of its 500 Oculus VR demo stations at Best Buy stores across the US, Business Insider has reported. It added that staff at the stores had reported that they could go days without doing a demonstration.

That news comes hard on the heels of a court ruling that Facebook must pay $500m to game developer ZeniMax after Oculus breached a contract with the company. Meanwhile Gabe Newell, the CEO of game developer Valve, said that HTC’s Vive, the most expensive device on the market, is “barely capable of doing a marginally adequate job of delivering a VR experience”.

Smart doll ‘should be destroyed’

We have covered the concerns around some internet-connected toys on Naked Security, but while we’ve got reservations about many of them, we’ve never gone as far as Germany’s Bundesnetzagentur, the telecoms watchdog, which has warned parents that a “smart doll” called Cayla is an “illegal espionage apparatus” and that parents should destroy the toy.

The doll responds to questions asked by its child owner by connecting to the internet to supply the answer, which sparked concerns among security researchers. Stefan Hessel of Saarbrucken University warned that “access to the doll is completely unsecured – there is no password to protect the connection.”

Regulators decided after investigating that it can be used to illegally spy on children – under German law, it’s illegal to make, sell or own surveillance devices that are disguised as something else.

The UK Toy Retailers Association told the BBC that the doll “offers no special risk” and that “there is no reason for alarm”. However, Vera Jourová, the EU privacy commissioner, begs to differ. She said: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

Europe warned on Russian election meddling

European countries must be willing to respond forcefully to Russian efforts to meddle in their elections, John Carlin, a former US assistant attorney-general has warned.

Carlin, who served in the Obama administration, said that the US had not done enough at the time to deter the theft of DNC emails during last year’s election: “What we did was too late,” he told the RSA security conference in San Francisco.

“It’s vital that not just the United States but partners like Germany, like France, make it clear where the red line is, that there’s going to be strong deterrence,” he said.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bqUsenMk-o0/

Gmail now blocks all JavaScript email attachments

As of earlier this week, anyone who tries to send a .js (JavaScript) file attachment via Gmail will be out of luck, as the file type is now on Google’s list of restricted attachment types.

That means that Gmail users can’t send or receive emails with .js file attachments. Anyone sending a .js file to a Gmail user will find their email bouncing back to them with an explanation of why it wasn’t delivered.

JavaScript joins an ever-growing list of file types, including .exe and .bat files, that Gmail won’t allow.

This change might prove to be a minor annoyance to a few website or JavaScript developers, but it is very good news for the rest of us. It seems that users might finally be getting wise to the threat of malicious Microsoft Office files, and last year we saw a noticeable rise in malicious JavaScript email attachments.

Attackers switched to using JavaScript files because they know many Windows computers are configured to run them by default using the Windows Script Host (WSH), granting the malicious script many of the same run privileges as an executable.

Regardless of the operating system you run, we strongly recommend enabling the view of file extensions (so often hidden by default!) so you can see exactly what kind of file type you’re dealing with, mitigating the risk of running a malicious file by accident.

For Windows users, we also recommend changing the Windows default behavior to open JavaScript files (.js, .jse) with Notepad, and not WSH. You can read instructions on how to make both these changes at the bottom of our article on ransomware in your inbox.

If you try to send an email with a .js attachment, Gmail will give you an error message letting you know that your file type isn’t allowed and was “blocked for security reasons”. As an alternative, Google will suggest using outside storage, like Google Drive or Dropbox, and linking to the file from within the email. (There’s no getting around this by zipping up your file either, as Google will take a look inside the compressed file to check.)
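The policy the article describes (reject .js, .jse, .exe and .bat attachments, and look inside zip archives rather than letting a zip wrapper bypass the rule) is easy to reproduce on an inbound mail gateway. The following is an added example, not Google’s code: the extension list, the depth limit and the sample message are all constructed here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the article names as blocked by Gmail (.js, .exe, .bat) plus .jse,
# which it recommends re-associating away from Windows Script Host.
BLOCKED_EXTENSIONS = {".js", ".jse", ".exe", ".bat"}
MAX_ZIP_DEPTH = 3  # stop descending into nested archives beyond this depth


def blocked_names_in_zip(data: bytes, prefix: str, depth: int) -> list[str]:
    """Return 'outer.zip/member' paths with a blocked extension, recursing into nested zips."""
    hits: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                path = f"{prefix}/{member}"
                suffix = PurePosixPath(member).suffix.lower()
                if suffix in BLOCKED_EXTENSIONS:
                    hits.append(path)
                elif suffix == ".zip" and depth < MAX_ZIP_DEPTH:
                    hits.extend(blocked_names_in_zip(zf.read(member), path, depth + 1))
    except zipfile.BadZipFile:
        # Not a real (or an intact) archive: treat it as an opaque blob, not a hit.
        pass
    return hits


def find_blocked_attachments(raw_message: bytes) -> list[str]:
    """Parse an RFC 5322 message and list attachments the gateway would reject."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits: list[str] = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        # Compare case-insensitively so 'loader.JS' is caught as well as 'loader.js'.
        suffix = PurePosixPath(filename).suffix.lower()
        if suffix in BLOCKED_EXTENSIONS:
            hits.append(filename)
        elif suffix == ".zip":
            hits.extend(blocked_names_in_zip(part.get_payload(decode=True) or b"", filename, 1))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: one bare .js attachment, one zip hiding a .js, one benign PDF."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.js", "/* constructed placeholder, not a real script */")
        zf.writestr("readme.txt", "harmless text")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"// placeholder", maintype="application",
                       subtype="javascript", filename="loader.JS")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(find_blocked_attachments(build_sample_message()))
```

A real gateway would also cap the total decompressed size before reading members, since the zip check itself is an attack surface.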

Don’t fall for malicious email tricks

With Gmail users unable to receive malicious .js files, attackers may switch tactics again, so it’s important to stay wary of emails both with and without attachments.

Remember that attackers can control or fake almost every detail of an email, so you can’t rely on any of the information you’ve been sent, whether it’s a link, a phone number or who the email’s from.

Some attackers will help you out by raising red flags with poor spelling, a sense of urgency (your account has been locked, your bill is overdue!), dodgy domains or suspiciously shortened links, but some won’t. The crooks know that keeping it simple works, and they know how to copy and paste from legitimate emails.

If an email purports to come from an organization or person you know, verify the email’s legitimacy by contacting the (apparent) sender directly.

If they want to talk to you, find a number in your address book or on their website that you can call. If the email contains links that appear to go to their website, especially if it’s asking you to log in, don’t click on them. Ignore the links in the email and go directly to their website by typing their address in your browser or searching for them.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u6lS3ntSNj8/

Naked Security named most educational blog at RSA 2017 Blogger Awards

We are generally a modest crew at Naked Security, but today we’re thrilled to blow our own trumpet and announce that Naked Security has won the award for most educational blog at the Security Blogger Meet-up and Awards Wednesday evening, during RSA Conference 2017.

Judges for the 12th Security Blogger Meet-up were Ericka Chickowski, George Hulme, Kelly Jackson-Higgins and Don MacVittie. They selected the nominees per category, and the winners were selected in an open online vote.

The blog faced some strong competition. The nominees were:

For a full list of categories and winners, check out the Info Security website.

The Naked Security team is honored and grateful to have won the award. We’ll keep striving to be the best in the years to come.

Bald bloggers at the Security Bloggers Meet-up pose for a photo. The annual “Bald Security Bloggers” portrait was started by Bill Brenner (top right) in 2013.

Security Blogger Meet-up organizers prepare to announce the award winners. From left: Jennifer Leggio, Martin McKeay, Alan Shimel, George Hulme, Mike Rothman and Rich Mogull (photo by Keli Hay)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_Yx0wz-EkT4/

New Royal Navy Wildcat helicopters can’t transmit vital data

Britain’s latest military helicopter fleet has still not had a tactical data link capability fitted, two years after the aircraft entered service.

Although the new Leonardo Wildcat helicopters have already been deployed operationally aboard Royal Navy warships, including deployments as the sole helicopter aboard frigates patrolling overseas, they do not have a tactical data link (TDL) capability allowing them to transmit data to other units.

Instead, crews must use a USB stick after landing to transfer data collected by the Wildcat’s radar and camera systems to its host ship. The only other alternative, at present, is for the crew to call out contacts over the radio by voice – just as Fleet Air Arm observers did during the Second World War.

Air International magazine reported in its February issue that although Wildcat HMA2s are fitted with the Bowman secure voice radio system, the helicopters still lack the TDL capability fitted to other frontline naval and military helicopters such as the Merlin and Puma.

Lieutenant Commander Anthony Johnson of 825 Naval Air Squadron told the magazine: “At present, we have to download everything our systems produce on to some form of media and present this when we land. We cannot currently transfer this data electronically whilst airborne, so we continue to use voice communication.”

The magazine commented: “An uplink is considered essential for preparation of the battlefield, analysing patterns of life and delivering a kinetic effect in a littoral situation if required” – meaning smiting Her Majesty’s enemies at sea after first making sure no innocent passers-by will get caught in the crossfire.

The Wildcat is fitted with a modern radar and electro-optical sensor suite, with the Seaspray 7400E radar including air-to-air, air-to-ground and air-to-surface modes. The Wescam electro-optical system, mounted in a turret on the helicopter’s nose, can capture hi-res stills and video and also includes a laser range-finding capability – such as would be used in conjunction with the TDL.

The vital data link capability was deleted in 2008 as part of a cost-cutting exercise by the Ministry of Defence. At the same time, the total number of helicopters on order was cut from 70 to 62, along with a host of other vital capabilities, in the infamous phrase “fitted for but not with”.

The export version of the Wildcat is fitted with a Link 16-compatible TDL.

The Ministry of Defence insists its £178bn equipment programme will create thousands of jobs over the next few years.

The Wildcat HMA2 helicopter, built by the company formerly known as Westland, is the replacement for the venerable Lynx helicopter flown by the Royal Navy’s Fleet Air Arm and the Army Air Corps. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/17/lynx_wildcat_has_no_tactical_data_link_royal_navy/

US account holders more likely to switch banks following fraud

Account holders in the US are more likely to switch banks in the aftermath of fraud, according to a new study.

Researchers at Carnegie Mellon University found that people who had their information compromised were more likely to terminate their relationship with the bank within six months of a fraudulent event, even if they were fully compensated and did not lose money.

Customer churn was especially prevalent when the bank was not able to trace the fraud to a specific party or explain what happened.

The study, Security, Fraudulent Transactions and Customer Loyalty: A Field Study [PDF], was put together by a team led by Professor Rahul Telang and analysed data from 500,000 anonymised financial services users over five years. The researchers observed actual user behaviour rather than quizzing them about their intentions.

Some of these customers (close to 20,000) were affected by unauthorised transactions on their account. These fraudulent charges were often the result of debit card fraud, social engineering or phishing. In most cases customers were reimbursed for any losses.

The researchers found that consumers were up to 3 per cent more likely to terminate their relationship with a bank following fraud.

“Our results suggest that even when the bank is not directly responsible for a fraudulent transaction, users may hold the bank responsible and terminate their relationship,” the researchers conclude. “Further, this effect is much larger when users are not compensated because the bank determined that the charges might be legitimate.”

Customers who are either young or have been with a bank for a long time are more likely to quit following an incident of fraud, the study found. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/17/us_post_bank_fraud_churn_study/

Smash up your kid’s Bluetooth-connected Cayla ‘surveillance’ doll, Germany urges parents

Germany’s Federal Network Agency, or Bundesnetzagentur, has banned Genesis Toys’ Cayla doll as an illegal surveillance device.

“Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy,” said agency president Jochen Homann in a statement. “This applies in particular to children’s toys. The Cayla doll has been banned in Germany.”

Cayla’s deportation and exile comes two months after privacy advocacy groups urged US and EU regulators to deal with the potentially privacy-infringing doll.

The Bluetooth-enabled toy comes with a microphone and is designed to capture children’s speech so it can be analyzed using Nuance’s speech recognition software, in conjunction with mobile apps.

Privacy and consumer protection groups have complained that the doll has been programmed to advertise to children, lacks security, and provides insufficient privacy guarantees about how captured data and personal information will be used.

Neither Genesis Toys, the Hong Kong-based maker of the doll, nor Nuance responded to requests for comment.

Germany’s network watchdog said any toy capable of transmitting signals and surreptitiously recording audio or video without detection is unlawful. The danger, the agency claims, is that anything a child or someone else says in the vicinity of the doll can be transmitted without parents’ knowledge. Also, lack of network security could allow the toy to be turned into a listening device, the agency suggests.

UK-based security research group Pen Test Partners has demonstrated that the toy’s local database can be hacked. It also suggests the doll is vulnerable to man-in-the-middle attacks, a backdoor attack, and pairing with an arbitrary Bluetooth device. The firm refers to Cayla as “a bluetooth headset, dressed up as a doll.”

Along similar lines, other tech-enabled toys, like Mattel’s Hello Barbie doll in 2015, have been shown to lack adequate cybersecurity controls.

The agency’s rules state that buyers of unlawful espionage devices may be required to destroy them and to provide proof of destruction in the form of a confirmation letter from a waste management facility.

In what might be read as an effort to encourage parents to destroy the doll, the Bundesnetzagentur says it assumes that “parents will take it upon themselves to make sure the doll does not pose a risk.” However, its product notice also makes clear that the agency has “no plans at present to instigate any regulatory proceedings against the parents.”

So any violence against Cayla is strictly discretionary. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/17/cayla_doll_banned_in_germany/

Signal app gets video calling overhaul and a warning for iOS users

Apple iOS users upgrading to the latest beta of the famous Signal secure messaging app should consider disabling CallKit integration if they want to preserve maximum privacy, its developers have warned.

Ostensibly, the big feature in this week’s Signal release for Android and iOS is encrypted video calling, something mass-market app WhatsApp (which uses Signal’s technology) announced in November.

The feature is enabled via Settings > Advanced and, of course, users at both ends must have configured it for video to work.

Video is one part of a larger overhaul that sees Edward Snowden’s favourite communication app integrate open source Web Real-Time Communications (WebRTC) while phasing out the old Phil Zimmermann ZRTP protocol previously used for authenticated key exchange.

The Speex VoIP audio codec has also been replaced with Opus, considered more resilient for smartphones. In short, Signal is evolving from its origins as an app built from bolted-together parts into something altogether more sleek.

Nevertheless, Apple iOS users should pay careful attention to the settings around the app’s new integration with iOS 10’s native CallKit framework.

The purpose of CallKit is that VoIP apps work in a more “native” way, offering behaviours such as the ability to answer calls from the lock screen and storing conversations in the “recent calls” list.

The downside is that some of this metadata will be synchronised to Apple’s iCloud, including who was in the conversation and how long it lasted. For anyone bothered by this, Signal’s developer Open Whisper Systems advises:

If you decide that’s not for you, you can opt-out of the CallKit features at any time in Settings > Advanced > Use CallKit, while continuing to use the rest of the new calling system.

Open Whisper Systems’ grand wizard Moxie Marlinspike told Wired that the company has yet to decide what to do in the next version: “There are a bunch of things we can do other than just having it on by default.”

After pioneering encrypted messaging, Signal has become the yardstick by which the whole sector is judged. But which features matter most when choosing a secure app?

The market divides into mass apps (WhatsApp, Facebook Messenger), which have lots of users but have been accused of taking privacy shortcuts, and challengers with stronger privacy but few users. Numbers matter because they increase the chances of finding contacts.

Beyond that, it depends how far the user is prepared to go to get more privacy:

  • Good privacy means end-to-end encryption with forward secrecy at all times (so no confusing mixed mode such as Google Allo’s incognito mode)
  • Software should be peer or independently reviewed for security flaws
  • Defending against man-in-the-middle attacks requires user/session verification. Signal has this feature but many don’t
  • Apps that erase messages after they are read, such as Confide, offer an alternative model with some caveats

Notice that no single app solves every problem, which suggests that the smartest approach might be to use several. But, finally, never forget that the best app encryption in the world will fail if the device running it isn’t well secured too.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iind-POK8ls/