STE WILLIAMS

RSA 2017 – Day 3 – Roving report [PODCAST]

In today’s call-home from the RSA Conference 2017, our roving reporter Bill Brenner has some cool news!

(If you haven’t listened to our previous reports yet, why not catch up on Day 1 [6’51”] and Day 2 [8’33”] first?)

Paul Ducklin talks to Bill about the event so far:

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/F6Z8XV60H-w/

Don’t panic over cyber-terrorism: Daesh-bags still at script kiddie level

RSA USA There’s no need to panic about the threat of a major online terrorist attack, since ISIS and their allies are all talk and no trousers. That’s according to the former head of the US National Counterterrorism Center.

Matt Olsen, who has also served as the NSA’s top lawyer, told the RSA security conference today that the levels of online terror we’ve seen have been limited to propaganda and the occasional script-kiddie-level attack that can quickly get them caught. Having said that, the terrorists are trying to up their game, he noted, and may be willing to buy in outside help.

“I want to avoid hype, it’s really important not to overstate the nature of online attacks,” Olsen said. “Their skill level remains low relative to nation states, but on an upward trajectory. It’s not that hard to imagine their efforts to increase their skills bearing fruit.”

Al-Qaeda is no longer a serious force, he said, both on and offline. But since 2014 ISIS had “changed the game” in terms of online propaganda, and Olsen said the group’s ability to get on the internet and inspire attacks was of serious concern to law enforcement.

The group also seems a bit Judean People’s Front. It claimed to have its own online army in early 2015 called the Islamic State Hacking Division, but this body morphed into the Islamic Cyber Army by September and then the United Cyber Caliphate last April.

And rather than operate as a team, it appears it’s just a few individuals going around breaking into some Twitter accounts and other low-level hacking. Olsen cited the case of British teen Junaid Hussain, who slipped into an email account of an aide to Tony Blair, was jailed, and then moved to Syria to join the Daesh-bags – where he “found justice at the end of a Hellfire missile,” as Olsen put it.

A similar case in the US is Kosovan-born Ardit Ferizi, who hacked into the servers of an American firm, nicked records on 1,300 US service personnel from its database, and published the info online. He was quickly caught and sent down for 20 years.

Right now all the medieval terror bastards are doing is talking a mean game online. Olsen said the US is monitoring hacking forums set up by terrorists and their sympathizers to plan attacks. They discuss carrying out an attack on critical infrastructure, but show little evidence of any ability to do so, other than using publicly available exploits and tools.

It may be that the terrorists will hire expert hackers to do the job for them, he speculated. ISIS may be lacking computer skills but it isn’t short of money and could conceivably hire mercenaries.

Deciding how to deal with tracking the terrorists online is a balancing act, he explained, and the age-old question facing intelligence agencies: on the one hand, it’s useful to collect information on the holy rollers online, but sometimes it’s better to take them out before they can do damage.

The key thing, he said, was not to panic. At some point, there will be an online attack and the media – and parts of Washington DC – are going to go nuts about it, he suggested, but saner heads should prevail.

“I think we are very resilient as a country,” Olsen said of America. “We are less resilient politically in how we react.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/online_terrorism_isnt/

US visitors must hand over Twitter, Facebook handles by law – newbie Rep starts ball rolling

A newbie congressman has floated his first ever US law bill – one that demands visitors to America hand over URLs to their social network accounts.

House Rep Jim Banks (R-IN) says his proposed rules – dubbed the Visa Investigation and Social Media Act (VISA) of 2017 – require visa applicants to provide their social media handles to immigration officials.

Right now, at the US border you can be asked to cough up your usernames by border officers. You don’t have to reveal your public profiles, of course. However, if you’re a non-US citizen, border agents don’t have to let you in, either. Your devices can be seized and checked, and you can be put on a flight back, if you don’t cooperate.

Banks’ proposed law appears to end any uncertainty over whether or not non-citizens will have their online personas vetted: if the bill is passed, visa applicants will be required to disclose their online account names so they can be scrutinized for any unwanted behavior. This includes people who apply for tourist visas. For holidayers on visa-waiver programs – such as Brits arriving with ESTA passes – revealing your social media accounts is and will remain optional, but again, being allowed into the country is optional, too.

“We must have confidence that those entering our country do not intend us harm,” Banks said on Thursday. “Directing Homeland Security to review visa applicants’ social media before granting them access to our country is common sense. Employers vet job candidates this way, and I think it’s time we do the same for visa applicants.”

Banks did not say how his bill would prevent hopefuls from deleting or simply not listing any accounts that may be unfavorable. This bill is Banks’ very first attempt at crafting legislation, as the congressman was eager to point out. That also means it’s unlikely to go anywhere, and will probably be quietly discarded by Congress.

In addition to forcing every visa applicant to hand over their social media footprint, the bill will mandate that:

  • The DHS personally interviews every visa applicant over the age of 11.
  • A “fraud prevention check” be completed for each applicant’s documentation.
  • The applicant provides an English translation of all documents.

El Reg has asked whether Irish, Canadian, Australian, New Zealand, and UK applicants will need to translate their documents to US English, but we have yet to hear back at the time of publication. You may want to take out your extra “U’s” and add a few “Z’s” just to be sure.

The bill also would require that a DHS employee be stationed at any consulate or embassy that issues visas to the US. Separately, the federal government is way ahead of Banks. Homeland Security Secretary John Kelly wants to extract online account passwords from visitors from certain countries – particularly some Muslim-majority nations – that have drawn the White House’s ire. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/17/us_visitors_social_media/

Cylance Talks Third-Party Testing

At the RSA Conference, Chad Skipper, vice president of industry relations and product testing for Cylance, discusses the customs and controversies of third-party testing and verification of security products.

Article source: http://www.darkreading.com/cylance-talks-third-party-testing/v/d-id/1328190?_mc=RSS_DR_EDT

CA Technologies Views On How Machine Learning Is Powering The Next Generation Of Security

At RSA, Mordecai Rosen, SVP and general manager of security business for CA Technologies talks machine learning, analytics, and identity management.

Article source: http://www.darkreading.com/ca-technologies-views-on-how-machine-learning-is-powering-the-next-generation-of-security/v/d-id/1328192?_mc=RSS_DR_EDT

Ransomware Growth Fueled By Russian-Speaking Cybercriminals

Individuals and groups from Russian-speaking countries responsible for a lot of ransomware activity, Kaspersky Lab says.

A study by security vendor Kaspersky Lab shows that Russian-speaking individuals and cybercrime groups are responsible for a major proportion of ransomware development and distribution activities globally.

Nearly 80% (47 of the roughly 60 crypto-ransomware families Kaspersky Lab discovered in the last 12 months) came from these sources, as evidenced by the command-and-control infrastructure and underground forums the firm studied.

At least some of the activity appears tied to the availability of educated and skilled code developers in Russia and within neighboring countries, Kaspersky Lab said in a blog this week.

Also contributing to the situation is a fine-tuned and constantly evolving Russian-speaking ransomware ecosystem that makes it possible for anyone, from highly-skilled developers to script kiddies, to participate in and profit from cyber extortion.

Some of these groups are making tens of thousands of dollars a day from their extortion campaigns. Those participating in the ecosystem appear to operate with impunity and little fear of being caught, apparently because they assume that taking ransom payments in cryptocurrency makes them impervious to tracking, says Anton Ivanov, a senior malware analyst at Kaspersky Lab.

“Criminals are living in an illusion of safeness,” Ivanov says. “In reality, even though they use crypto currencies, they leave lots of different artifacts behind. These artifacts often help us to understand how they operate and to collect enough valuable information,” to help identify individual participants, he says.

“It is not hard to catch them,” Ivanov says. “It just takes time.”

The Russian-speaking ransomware ecosystem gives those with code-writing and cryptographic skills a ready market for their wares.

Ransomware samples with features such as Blowfish and RSA-2048 encryption, emulation techniques, and functions that remove backups and shadow copies on an infected system can fetch thousands of dollars. Developers of such code rarely participate directly in ransomware campaigns; they instead make money by selling their tools to the individuals and groups that do.
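The backup and shadow-copy removal mentioned above is one of the more detectable things a ransomware sample does, because it has to run ordinary administrative commands on the victim host. The following is an added example, not code from Kaspersky Lab or from any ransomware family the article describes: a small detector that parses constructed process-creation log lines (the `host=... pid=... cmd=...` format is an assumption for this example) and flags the command lines commonly used to destroy recovery points. The four command patterns (vssadmin, wmic shadowcopy, bcdedit recoveryenabled, wbadmin delete catalog) are well-known tamper techniques and are not taken from the page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Pattern, Set, Tuple

# Constructed sample process-creation log (not from any real incident).
# Assumed line format: "<timestamp> host=<name> pid=<n> cmd=<command line>"
SAMPLE_LOG = """\
2017-02-16T10:01:02Z host=WS-042 pid=4120 cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2017-02-16T10:01:03Z host=WS-042 pid=4133 cmd=wmic shadowcopy delete
2017-02-16T10:01:04Z host=WS-042 pid=4140 cmd=bcdedit /set {default} recoveryenabled No
2017-02-16T10:01:05Z host=WS-042 pid=4151 cmd=wbadmin delete catalog -quiet
2017-02-16T10:02:00Z host=WS-017 pid=2210 cmd=vssadmin list shadows
2017-02-16T10:03:00Z host=WS-017 pid=2214 cmd=notepad.exe C:\\Users\\alice\\notes.txt
"""

# Detection rules: (name, case-insensitive regex over the command line).
# Each one targets a destructive verb, so benign listing/query commands
# such as "vssadmin list shadows" do not fire.
RULES: List[Tuple[str, Pattern[str]]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per (line, rule) pair whose command line matches a rule."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                hits.append({**rec, "rule": name})
    return hits


def hosts_with_backup_tampering(log_text: str, min_rules: int = 2) -> List[str]:
    """Hosts where at least `min_rules` distinct tamper rules fired.

    Requiring several distinct techniques on one host cuts noise from a lone
    admin running a single vssadmin command by hand.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for hit in scan(log_text):
        seen[hit["host"]].add(hit["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} pid={hit["pid"]} {hit["rule"]}: {hit["cmd"]}')
    print("flagged hosts:", hosts_with_backup_tampering(SAMPLE_LOG))
```

Run against the constructed log, the four destructive commands on WS-042 each produce a hit, the `vssadmin list shadows` query on WS-017 does not, and only WS-042 is flagged once two or more distinct techniques are required. In a real deployment the same rules would sit on top of Sysmon event ID 1 or Windows 4688 process-creation events rather than this toy line format.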

In some cases, the code developers sell only the “builders,” or tools that allow almost anyone, including those without formal programming skills, to quickly assemble ransomware with specific functions. Such builders, which can sell for hundreds of dollars, often come with tools that allow criminals to communicate with infected systems and maintain statistics on them.

Another way for cybercriminals to participate in the ransomware market is via so-called affiliate programs where people attempt to make money by distributing ransomware tools on behalf of the owners of the programs. All it takes to participate in such programs is a few bitcoins in partnership fees to the owners who then supply partners with the infection tools.

Some affiliate programs are available only to “elite” partners, or trusted individuals in the ransomware ecosystem. Members of such programs often need to have a proven track record in distributing ransomware and end up making more money than members of regular affiliate programs.

Elite partners can make as much as 40 to 50 bitcoin per month, or between $41,000 and $51,000 at current rates. One individual made $85,000 per month, according to Kaspersky Lab’s findings.

Ivanov says that in one case, the ransomware creator was also the head of the gang and had an organized distribution infrastructure consisting of a manager and at least 30 partners.

Worryingly, some ransomware gangs have begun shifting their focus from individual victims and small businesses to larger businesses. According to Ivanov, Kaspersky Lab responded to one incident in which a company with more than 200 computers was attacked, and another involving a company with more than 1,000 systems.

“Without diving a lot into details, due to ongoing investigations, I can say that we are aware of some groups demanding as much as a hundred thousand dollars for decryption,” Ivanov says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: http://www.darkreading.com/attacks-breaches/ransomware-growth-fueled-by-russian-speaking-cybercriminals/d/d-id/1328188?_mc=RSS_DR_EDT

Microsoft calls for ‘Digital Geneva Convention’ to rein in cyberwarfare

Cyberattacks by nation states are becoming so unrestrained that civilians urgently need the protection of an internet version of the Geneva Convention, Microsoft’s chief legal officer Brad Smith told an audience at this week’s RSA conference in San Francisco.

According to Smith, the lack of international norms over how nations should behave on the internet was leading the world, little by little, into dangerous territory.

A warning light was the massive hack of Sony in 2014, widely seen as a revenge attack by North Korea. By 2016, the Russians were being accused of undermining democracy itself by hacking and leaking data during the US presidential election, he said.

With attacks plausibly connected to nations multiplying, mostly out of sight, tech companies were struggling to respond to something much bigger than them. In only a few years, civilians and public infrastructure had become fair game, he said:

We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks.

Heading off trouble would require a digital version of the Fourth Geneva Convention, agreed in 1949 to protect civilians from harsh treatment during wartime, he added:

The time has come to call on the world’s governments to come together, affirm international cybersecurity norms that have emerged in recent years, adopt new and binding rules and get to work implementing them.

Under this, governments would agree to avoid attacking critical infrastructure, or hacking and stealing intellectual property to undermine economies.

The idea of writing down cyber-rules goes back at least to 2012, when Britain’s then Foreign Secretary William Hague used the Budapest Conference on Cyberspace to sketch out some first principles.

Despite a follow-up UN-brokered agreement covering 20 nations agreed in 2015, events in the real world suggest most of this has ended up as fine words. Attacks have accelerated dramatically, leaving well-behaved nations to wonder whether they shouldn’t be joining in order to dodge the bad side of a zero-sum game.

Imposing rules on cyberspace is inherently difficult, starting with the slippery issue of attribution. If you can’t be certain who was behind an attack, how can a nation be held to account under a convention?

In Smith’s view, this is why the rules would have to be administered by an independent global body with enough power to “investigate and share publicly the evidence that attributes nation-state attacks to specific countries”.

It’s a suggestion that aims a side-swipe at the consensus that internet security is best left to the private sector under the supervision of nations and government agencies – a status quo backed, of course, by the US.

But what if these same government agencies are part of the problem? It’s like the old adage of gamekeepers who enjoy a bit of poaching on the side. The lure of cyberwarfare is simply too great for some nations because it is a cheap, low-risk way of evening up economic, military and geopolitical disadvantage. Covert cyberwarfare has become the great leveller.

As appealing as a Digital Geneva Convention sounds, it is more likely that bad internet behaviour by nations will eventually be curbed by real-world events. Someone will eventually miscalculate and a price will be paid. All we can be sure of is, should that day arrive, nobody will emerge unscathed.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VnWENAzc80Y/

News in brief: cookie breach alert for Yahoo users; text spammer fined; Churchill’s search for alien life

Your daily round-up of some of the other stories in the news

Yahoo users warned on forged cookies

Yahoo has warned some of its users that their accounts might have been hit by a further breach, in addition to the two huge breaches it revealed last year. Yahoo had in fact disclosed the breach in an SEC filing in October last year, but has apparently only just started to let its unfortunate users know.

These latest breaches could have happened as late as last year according to Yahoo, which said in an email to some users: “We believe a forged cookie may have been used in 2015 or 2016 to access your account.”

This latest revelation of a security failure at Yahoo comes hard on the heels of yesterday’s news that Verizon had negotiated a discount of $250m on its agreed purchase price for Yahoo of $4.8bn.

Yahoo wouldn’t say how many users were affected in this latest breach, which it suggested was the work of a “state actor”.

Spammer hit with fine after firing off 5m SMSs

Credit broker Digitonomy has been hit with a fine of £120,000 by the UK’s Information Commissioner’s Office after sending out more than 5m of unsolicited texts offering loans via affiliate marketing companies.

Those texts sparked 1,464 complaints between April 2015 and February 2016, the ICO said, adding that the crux of the problem was because Digitonomy hadn’t sought specific consent for the texts.

One example of its consent wordings said: “You consent to us and our trusted partners contacting you by SMS, mail, email, telephone and automated message.” The clear problem with that is not providing customers with any form of opt-out.

Steve Eckersley of the ICO said: “Businesses that rely on direct marketing must be able to confirm that people have given their permission … Digitonomy is paying a hefty price for not meeting its responsibilities.”

Lost Churchill essay ponders biggest question of all

Winston Churchill, Britain’s iconic wartime prime minister, is best known for stirring speeches and his leadership during the dark days of the second world war.

But it seems that he had also devoted some time to some of the biggest questions of our existence, including the one that the Drake equation seeks to answer: are we alone in the universe?

Writing in the journal Nature, astrophysicist Mario Livio describes how he uncovered last year, in a museum in Missouri, an 11-page essay written by the great man in 1939, as Britain was poised on the brink of war with Germany.

Livio writes: “It was a great surprise last year, while I was on a visit to the US National Churchill Museum in Fulton, Missouri, when the director Timothy Riley thrust a typewritten essay by Churchill into my hands. In the 11-page article, ‘Are We Alone In The Universe?’, he muses presciently about the search for extraterrestrial life.”

Catch up with all of today’s stories on Naked Security


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kCJh2jIV4ZE/

Haven’t deleted your Yahoo account yet? Reminder: Hackers forged login cookies

Yahoo! is reminding folks that hackers broke into its systems, and learned how to forge its website’s session cookies. That allowed the miscreants to log into user accounts without ever typing a password.

In warnings emailed out this week, the troubled web biz said accounts were infiltrated in 2015 and 2016 using forged cookies. It quietly admitted this security blunder back in December, although only now is drawing more attention to it. At the end of last year, it told investors:

The company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

That September, Yahoo! admitted personal account records of more than 500 million users may have been swiped by hackers. Three months later, it confessed that a separate network breach in 2013 may have exposed the account credentials of one billion users.
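Both Yahoo items on this page (the news-in-brief note and this piece) turn on the same mechanism: a session cookie is accepted as proof of login, so anyone who can produce a valid-looking cookie is in without a password. The following is an added example, not Yahoo’s code (the page does not describe Yahoo’s actual cookie format, and the names, key and claims layout here are assumptions): a minimal HMAC-signed session cookie, a verifier, and what an attacker who has recovered the signing key from leaked server code can do with it, plus the remedy Yahoo’s statement describes, invalidating outstanding cookies by rotating the key.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Hypothetical server-side signing key. Under an HMAC scheme like this one,
# anyone who learns the key (e.g. by reading it out of leaked proprietary
# code or config) can mint a valid cookie for any account.
SERVER_KEY = b"hypothetical-server-signing-key-2017"


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user_id: str, key: bytes, ttl: int = 3600,
                now: Optional[int] = None) -> str:
    """Build 'payload.tag': JSON claims plus an HMAC-SHA256 tag over them."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(tag)}"


def verify_cookie(cookie: str, key: bytes,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id the cookie asserts, or None if the tag or expiry fails."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Check the tag before parsing anything, in constant time.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def forge_with_leaked_key(victim: str, leaked_key: bytes, now: int) -> str:
    """Attacker's side: with the key in hand, mint a long-lived cookie for
    any account. No password is ever touched."""
    return mint_cookie(victim, leaked_key, ttl=365 * 24 * 3600, now=now)


def demo(now: int = 1_487_203_200) -> Dict[str, Optional[str]]:
    """Exercise the scheme: forgery succeeds against the leaked key, splicing
    a payload onto another cookie's tag fails, key rotation kills the forged
    cookie, and expiry is enforced."""
    forged = forge_with_leaked_key("victim@example.com", SERVER_KEY, now)
    alice = mint_cookie("alice", SERVER_KEY, now=now)
    bob = mint_cookie("bob", SERVER_KEY, now=now)
    spliced = alice.split(".")[0] + "." + bob.split(".")[1]
    rotated_key = b"hypothetical-rotated-key-after-incident"
    return {
        "forged_accepted": verify_cookie(forged, SERVER_KEY, now=now),
        "spliced_rejected": verify_cookie(spliced, SERVER_KEY, now=now),
        "after_rotation": verify_cookie(forged, rotated_key, now=now),
        "expired": verify_cookie(mint_cookie("alice", SERVER_KEY, ttl=10, now=now),
                                 SERVER_KEY, now=now + 11),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point the example makes is the one Yahoo’s statement implies: the cookie verifier cannot distinguish a forged cookie from a legitimate one, because both are built with the same key, so the only effective response is to change the key (or the server-side session list it maps to) and force everyone to log in again. A cookie format whose security rests on an attacker not knowing how it is constructed, rather than on a key that can be rotated, fails permanently once the code leaks.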

Yahoo!‘s security controls and its incident response handling have been the focus of intense criticism from third-party security experts, which has continued in the wake of the latest revelations.

Chris Boyd, malware intelligence analyst at Malwarebytes, said: “It’s fair to say that many Yahoo! users must already be feeling ‘incident fatigue’, given the frequency these stories seem to crop up. The sense of confusion – ‘Haven’t I heard about this one and taken steps already?’ – can lead to people becoming complacent with regard to updating logins, or worse, simply not bothering to shore up defences.

“It’s essential all Yahoo users roll up their sleeves and continue to use secure passwords and enable two-step verification. While this clearly won’t save them in all circumstances, it is still certainly better than nothing,” he added.

Tony Pepper, chief exec and co-founder of data security company Egress, said: “Yahoo has clearly been under systematic attack for quite some time and, aside from questions about its historic ability – or lack thereof – to spot breaches, this incident raises a whole host of concerns about the state of data security in general.

“The fact that the hackers were able to access accounts without the need for passwords is a serious issue. We routinely rely on passwords to protect our data and privacy, and red flags are now being raised. Consumers and businesses alike must be encouraged to turn on things like two-factor authentication wherever possible and keep a close eye on their accounts,” he added.

Jason Hart, CTO of data protection at Gemalto, commented: “While it is ‘news’ that Yahoo is making another announcement about a breach, it shouldn’t be surprising. Opt-in security is not an option in this day and age.

“The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them. Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts,” he added.

Andy Norton, risk officer EMEA at endpoint protection company SentinelOne, said: “Yahoo said in its announcement that an ongoing forensic investigation suspects that the attacker had access to proprietary code to learn how to forge cookies. This would show new behaviours other than just stealing user databases, the attackers have also looked at alternative methods to infiltrate Yahoo users accounts.”

“Yahoo – and other email providers – would be a target if they are providing services to regime dissidents or investigative journalists – essentially any user who poses a perceived threat to a current regime,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/yahoo_forged_cookie_hack_risk/

Corpse of US anti-spying law unearthed, reanimated, pushed blinking into the sunlight

US Congressional lawmakers on Wednesday reintroduced legislation to establish rules limiting how American government agencies can obtain a person’s whereabouts.

The Geolocation Privacy and Surveillance Act (GPS Act), sponsored by Sen. Ron Wyden (D-Ore.), Rep. Jason Chaffetz (R-Utah), and Rep. John Conyers, Jr. (D-Mich), was first introduced in 2011 during the 112th Congress (2011-2013). The bill didn’t make it beyond the Judiciary Committee.

It was reintroduced during the 113th Congress (2013-2015), but again failed to advance through the legislative process. Another attempt was made during the 114th Congress (2015-2017), but the result was the same.

The 115th Congress will now consider the proposed legislation, or not, if history is any guide.

The GPS Act seeks to define when domestic law enforcement agencies can collect geolocation information about individuals without their knowledge, both through private companies and through cell-site simulators, also known as Stingrays or IMSI Catchers. It would also criminalize surreptitious use of electronic devices to track people’s movements and would prohibit commercial service providers from sharing customers’ geolocation data without customer consent.

Cell-site simulators are devices that masquerade as telecom company cell towers, in order to hijack communications flowing to and from nearby cell phones. The operator of the cell-site simulator – an authorized government agency or any rogue organization or individual in possession of one – can: calculate a phone user’s location data through triangulation; collect device data like IMSI numbers and phone call metadata; eavesdrop on calls; spoof communications; and even distribute malware.

In security parlance, cell-site simulators represent a man-in-the-middle attack.

“Outdated laws shouldn’t be an excuse for open season on tracking Americans, and owning a smartphone or fitness tracker shouldn’t give the government a blank check to track your movements,” Wyden said in a statement. “Law-enforcement should be able to use GPS data, but they need to get a warrant.”

In a phone interview with The Register, an aide to Senator Wyden explained that changing circumstances suggest the bill may fare better than it has in the past, pointing to the passage of the USA Freedom Act in 2015 as a sign that there’s broad support for reining in surveillance programs.

At the same time, Wyden’s staffer suggested that the need for clear rules is even greater than it was previously. Digital tracking has become far more widespread than it was in 2011, the aide said, and it’s also unclear that the Department of Justice will continue the Obama administration’s policy of seeking warrants to track people through cell-site simulators.

US courts have yet to agree on when the government needs a warrant to track people through their cellphones or other devices. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/16/corpse_of_location_privacy_bill_unearthed_and_reanimated/