STE WILLIAMS

Sean Spicer’s WHOIS data is revealing his personal details

When Sean Spicer became White House press secretary, he acquired a very large bullseye on his back for cybercrooks to take aim at.

Understandably, Spicer’s personal website, SeanSpicer.com, has been made private since he got his new gig. You need to ask for an invitation to get in, according to a message from WordPress.

But while you can’t see the content of his website, you can still [2017-02-09T13:12Z] see Spicer’s phone number, email address and home address, through the registration record for his seanspicer.com domain name.

That’s because whoever made Spicer’s site private neglected to make his WHOIS data private as well. All his personal details are out there, like so many pieces of laundry flapping on the public laundry line of the internet.

Spicer’s personal site is hosted with GoDaddy. You can keep personal information “safely locked away” when you register your domain with GoDaddy (and other domain hosts, of course), for $7.99 per year.

That helps to protect you against identity theft, GoDaddy assures customers in its advertising, as well as against domain-related spam.

GoDaddy could have chosen to make this ad longer. If you don’t make your domain registration private, and you’re not registering with a business address, you’re leaving your personal information out there for all sorts of creeps to see and abuse. Think SWATters who make crank calls to emergency hotlines with phony bomb threats or bogus reports of shooters at a given address.

In short, you’re leaving yourself open to armed police banging on your front door, guns pointing at you, your family, or any other residents of your home, as has happened to many public or semi-public figures who’ve caught a SWATter’s eye: the gamer who was SWATted while he live-streamed on Twitch.TV, for example, or the well-known security journalist Brian Krebs, or GamerGate critic Grace Lynn.

Another GamerGate target was Brianna Wu, who was driven from her home after someone posted her address online and threatened to rape, kill and mutilate her.

As those cases show, there can be extreme repercussions from leaving your personal details available online.

As an individual gains in celebrity, be it through gaming, journalism or conducting prickly press conferences as the White House’s chief media liaison, locking down privacy becomes ever more crucial.

That doesn’t make it any less important for us non-celebs, of course.

Is your domain private? If not, why not? If you want to stop reading this and go make it private right this very minute, have no fear: we’ll wait for you to get back and tell us your thoughts about it in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ESCtdocYxwo/

Twitter says it’s taking steps to make its users safer

Twitter is going to tighten up its safety controls, it has announced on its blog. The move follows numerous reports (for example this one) of the company looking for a buyer and failing to attract one.

Some commentators have seen the new safety mechanisms as a direct response to the search for a new owner; it’s entirely possible that they’re just new safety mechanisms.

There are already new ways of reporting abusive tweets and managing what you can see. These will now be joined by:

  • Stopping the creation of abusive accounts by flagging people who have already been barred and preventing them setting up again under a new identity;
  • Increasing the safety of search results so that sensitive tweets don’t come up as frequently as they sometimes have;
  • Possibly most contentiously, the promotion of high quality tweets – or as Twitter puts it, “identifying and collapsing potentially abusive and low-quality replies” so that only the better ones appear in searches. This doesn’t mean deleting them, just de-prioritising them so that they don’t come up first in someone’s search.

The idea is to make the network a safer and more informative place. There are potential issues, though: for example, in theory the collapse of low quality Tweets is good and there will be some examples in which the quality is beyond dispute. However, there will also be the more contentious sort, and the question of who gets to decide what is “high quality” is an important one not addressed by Twitter’s blog post.

Presumably some of these new strictures will be a worry if you’re president of the USA – yes, we know everyone else has said more or less the same thing but we couldn’t resist it. Seriously, though, if you call someone a “so-called judge” who’s going to say that’s high-quality debate?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8HD-d3WL18s/

USMC: We want more F-35s per year than you Limeys will get in half a decade

The head of US Marine Corps aviation wants to buy more F-35Bs per year than the UK will receive in the next five.

At a press conference yesterday, Lieutenant General Jon Davis, USMC deputy commandant for aviation, said he wants the service to increase its purchase rate to 37 F-35Bs per year.

Under current plans, the USMC would buy 20 aircraft per year until 2021, according to American military news website Defense News.

“We have the infrastructure in place,” said Lt Gen Davis. “Bottom line is we’ve had a very anaemic ramp, so we’ve been holding onto the older airplanes longer. If asked by the American people to get the airplanes faster, I guarantee we’d put them into play very, very quickly.”

The F-35B will replace the Harrier and F/A-18 Hornet fast jets in USMC service. Currently the marines own 50 F-35Bs, against the UK’s seven jets – all of which are based in the US.

Deliveries of British F-35Bs are proceeding at a drip-feed pace, the idea being to get just enough aircraft delivered by 2021 for new aircraft carrier HMS Queen Elizabeth to deploy with a part-British, part-USMC air wing. The carrier’s maiden operational deployment will see her sailing to the South China Sea, where the UK has had minimal military involvement over the past few years.

By 2023 the British intention is to have a bare minimum of 24 F-35s on strength, though informed sources have whispered to The Register that the Ministry of Defence hopes it will get its hands on up to 40 aircraft by then. In total the UK will buy 138 F-35s.

In the meantime, the seven British-owned aircraft are being used on flight and weapons trials. Oversight and control of the trials programme by the UK is minimal, with Lockheed Martin reporting to the US F-35 Joint Project Office on all matters. A number of Royal Air Force personnel are currently posted in the US learning how to fly and maintain the jets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/09/usmc_wants_faster_f35b_deliveries/

Cardiff researchers get £250k to monitor Brexit hate crime on Twitter

Cardiff University’s Social Data Science Lab has been awarded a £250,000 grant to set up a centre to monitor “Brexit-related hate crime” on Twitter.

The centre, which has been dubbed the Centre for Cyberhate Research and Policy, will be developing “a monitoring tool that displays a live feed of the propagation of hate speech as it happens on Twitter.”

Cyberhate, a term coined by Cardiff’s Dr Peter Burnap, co-director at the Social Data Science Lab at Cardiff University, refers to a form of antagonism without reference to the legality of the speech, he told The Register. He added that the ultimate aim of the research is to help the government identify areas that require policy attention and improve “interventions to stop hate crime from spreading”.

The grant of £250,000 will help it do this, and comes thanks to the UK’s Economic and Social Research Council, one of the nation’s seven research councils which funnel taxpayers’ cash to academics.

Professor Matthew Williams, the principal investigator on the project and co-director of the Social Data Science Lab at Cardiff University, said: “Hate crimes have been shown to cluster in time and tend to increase, sometimes significantly, in the aftermath of ‘trigger’ events. The referendum on the UK’s future in the European Union has galvanized certain prejudiced opinions held by a minority of people, resulting in a spate of hate crimes. Many of these crimes are taking place on social media.

“Over the coming period of uncertainty relating to the form of the UK’s exit, decision makers, particularly those responsible for minimising the risk of social disorder through community reassurance, local policing and online governance, will require near-real-time information on the likelihood of escalation of hateful content spread on social media. This new funding will provide the system and evidence needed to achieve this,” concluded Williams.

The team are collecting data over a 12-month period, from 23 June 2016, the date of the UK’s referendum on whether to leave the European Union. It will be using “state-of-the-art machine learning technologies to classify, analyse, and evaluate tweets in real-time” with a particular focus on geolocated tweets to examine the spread of hateful chatter.

The focus on Twitter does narrow the view for the researchers, although the group has expertise in its analysis, having previously examined the platform as part of a $800k grant into pre-crime from the US Department of Justice. Dr Burnap admitted as much to The Register, saying “this is the issue,” but explained that the use of geolocation data to track the popularity of malicious tweets would enable the group to “zoom out” on the phenomenon.

The tool that the team will be developing is intended to include a dashboard for policy makers and analysts that will provide details of “precursors to hate speech, such as type of social media user, characteristics of their network, the type of hate expressed, the content that is posted (such as URLs and hashtags) and external factors such as mass media reporting.”

Dr Burnap, who is the computational lead on the project, said: “To date the information available to government on topics such as hate speech around Brexit has been post-hoc and descriptive. What is needed are open and transparent methods that are replicable, interpretable and applicable in real-time as events are unfolding. We will be enhancing our existing language models using cutting edge computational methods to mine massive amounts of public reaction and provide meaningful insights into hateful and antagonistic commentary within minutes of an event occurring.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/09/cardiff_researchers_get_250k_to_monitor_brexit_hate_crime_on_twitter/

AT&T, IBM, Palo Alto Networks, Symantec, Team Up In IoT Security

IoT Cybersecurity Alliance is made up of AT&T, IBM, Nokia, Palo Alto Networks, Symantec, and Trustonic.

Internet of Things (IoT) industry experts and cybersecurity providers have come together in an alliance to research how to better secure the IoT ecosystem and create awareness among users. The IoT Cybersecurity Alliance, which includes vendors in device security, connectivity, data, applications and cloud, is expected to work towards end-to-end security in IoT.

“Be it a connected car, pacemaker or coffee maker, every connected device is a potential new entry point for cyberattacks,” says Bill O’Hern of AT&T, adding “Yet, each device requires very different security considerations.”

The group, which has members from AT&T, IBM, Nokia, Palo Alto Networks, Symantec, and Trustonic, will work on specific goals like ensuring safety measures at every layer, implementation of security across the value chain, easy access to security, and influencing standards and policies of organizations.

Mo Katibeh of AT&T explains that helping organizations “stay protected requires innovation across the whole IoT ecosystem to enable sustainable growth.”

Read more on PR Newswire.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/-atandt-ibm-palo-alto-networks-symantec-team-up-in-iot-security-/d/d-id/1328093?_mc=RSS_DR_EDT

Ex-NSA Contractor Indicted In Alleged Theft Of Classified Data

Harold Thomas Martin III, accused of stealing 50 terabytes of highly sensitive government information, will appear in court on Feb. 14.

Former defense contractor Harold Thomas Martin III, who has been in custody since his arrest on August 27, has been charged by a federal grand jury with deliberate retention of classified national defense data. A US Department of Justice (DoJ) news release said Martin faces a maximum sentence of 10 years in prison if convicted.

The defendant, says the DoJ, worked as a private contractor for various government agencies, including the National Security Agency, from 1996 until August 2016, and during that period he misused the security clearance given him to access classified data from government computer networks. He allegedly stole and retained highly classified material pertaining to national defense, including Top Secret and Sensitive Compartmented Information, despite being aware of the sensitive nature of the data.

The DoJ alleged in a pretrial motion last year that Martin had stolen an astounding quantity of information, including 50 terabytes of digital data along with six boxes of printed documents. A search by law enforcement officials found most of the highly classified documents lying around in his house and vehicle.

The defendant is scheduled to appear in Baltimore court on February 14.

Read here for the full story.

Article source: http://www.darkreading.com/threat-intelligence/ex-nsa-contractor-indicted-in-alleged-theft-of-classified-data/d/d-id/1328094?_mc=RSS_DR_EDT

F5’s Big-IP leaks little chunks of memory, even SSL session IDs

There’s a new branded bug in town, but thankfully it only hurts kit made by F5 Networks.

“Ticketbleed” (so named for a similarity to the notorious 2014 Heartbleed) is specific to F5’s Big-IP appliances and can strike when virtual servers running on those boxes are configured with a Client SSL profile that has the non-default Session Tickets option enabled.

Such servers can be tricked into leaking 31 bytes at a time of memory. As F5 explains in the post announcing its patch, “A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.”

Depending on the software versions a system is running, there are ten Big-IP configurations that could be vulnerable, and patches are available for all. If you can’t patch immediately, you can disable Session Tickets.

Cloudflare crypto engineer Filippo Valsorda explains its discovery here.

Trying to resolve a Cloudflare customer issue, Valsorda writes, he and a colleague found themselves looking into Session Tickets to try and resolve what looked like an incompatibility between F5 TLS and Go TLS.

After gathering a bunch of stack traces, he says: “It looks like the client offers a Session Ticket, the server accepts it, but the client doesn’t realise and carries on.”

Valsorda has posted a site that will test hosts for vulnerability to Ticketbleed.

In that post he explains: “When a client supplies a Session ID together with a Session Ticket, the server is supposed to echo back the Session ID to signal acceptance of the ticket. Session IDs can be anywhere between 1 and 31 bytes in length.

“The F5 stack always echoes back 32 bytes of memory, even if the Session ID was shorter. An attacker providing a 1-byte Session ID would then receive 31 bytes of uninitialised memory.” ®
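The length mismatch Valsorda describes, shown as an added example: this is a constructed model, not F5's code and not code from the original article. The names `conn_scratch`, `echo_sid_flawed`, `echo_sid_fixed` and `excess_echo` are hypothetical, and the 0xAA fill stands in for bytes left in memory by another session.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX 32 /* a TLS Session ID field holds at most 32 bytes */

/* Hypothetical per-connection scratch buffer. It is reused between
 * connections, so it can still hold bytes from another session. */
typedef struct {
    uint8_t sid[SID_MAX];
} conn_scratch;

/* Model of the flaw: the client's Session ID is stored using its real
 * length, but the echo always copies SID_MAX bytes.
 * Returns the number of bytes echoed, or 0 if the input is rejected. */
size_t echo_sid_flawed(conn_scratch *c, const uint8_t *sid, size_t len,
                       uint8_t *out)
{
    if (len == 0 || len > SID_MAX)
        return 0;
    memcpy(c->sid, sid, len);
    memcpy(out, c->sid, SID_MAX); /* BUG: ignores len */
    return SID_MAX;
}

/* Hardened form: echo exactly what the client sent, and clear the
 * scratch buffer first so no stale bytes survive a later mistake. */
size_t echo_sid_fixed(conn_scratch *c, const uint8_t *sid, size_t len,
                      uint8_t *out)
{
    if (len == 0 || len > SID_MAX)
        return 0;
    memset(c->sid, 0, SID_MAX);
    memcpy(c->sid, sid, len);
    memcpy(out, c->sid, len);
    return len;
}

/* Defender-side check for one observed exchange: how many bytes came
 * back beyond the Session ID that was sent. 0 means correct behaviour. */
size_t excess_echo(size_t sent_len, size_t echoed_len)
{
    return echoed_len > sent_len ? echoed_len - sent_len : 0;
}

/* Run one variant against a buffer holding constructed stale data and
 * a 1-byte client Session ID; returns the excess byte count. */
size_t demo(int use_fixed, uint8_t *out)
{
    conn_scratch c;
    const uint8_t client_sid[1] = { 0x01 };
    size_t n;

    memset(c.sid, 0xAA, SID_MAX); /* constructed residue, not real data */
    n = use_fixed ? echo_sid_fixed(&c, client_sid, 1, out)
                  : echo_sid_flawed(&c, client_sid, 1, out);
    return excess_echo(1, n);
}

int main(void)
{
    uint8_t out[SID_MAX];

    printf("flawed: %zu stale bytes echoed\n", demo(0, out));
    printf("fixed:  %zu stale bytes echoed\n", demo(1, out));
    return 0;
}
```

The same comparison of sent length against echoed length is what a monitoring check on your own appliances would assert after patching or after disabling Session Tickets.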

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/09/f5s_bigip_leaks_lots_of_little_chunks_of_memory/

Mag publisher Future stored your FileSilo passwords in plaintext. Then hackers hit

UK magazine publisher Future’s FileSilo website has been raided by hackers, who have made off with, among other information, unencrypted user account passwords.

FileSilo.co.uk is a website Future’s mag subscribers can log into to download materials, such as Photoshop templates and graphics, for tutorials published in its print titles. Future is responsible for things like Edge, Digital Camera World, and ImagineFX.

A notice sent to FileSilo users on Wednesday advises everyone to change their passwords for the site, and any other website with the same password, “as a matter of urgency,” due to the astonishingly bad decision to store the passwords without encryption. Yes, in plaintext.

“In the last 24 hours it has come to our attention that FileSilo.co.uk’s user registration database has been compromised,” customers were told.

“Unfortunately users’ email addresses, usernames, passwords (stored in plaintext), name and surname may have been stolen in the process.”

FileSilo has been shut down as a result of the attack and the site’s administrators say it will relaunch once “we are satisfied that the breach has been fully rectified.” Hopefully that includes not storing passwords in plaintext.

“We take the security of our registered users extremely seriously and we are investing in implementing advanced systems that enhance that security,” said the company that just lost user passwords it kept in plaintext. “These efforts continue to proceed on track.”

In the meantime, users should make a point of reviewing their stored passwords and changing those for any site that shared the FileSilo password, which was stored in plaintext and then stolen.

This might also be a good time to ask the operators of those sites if, like FileSilo, they have left passwords sitting around in plaintext for hackers to steal.

El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. In accordance with FileSilo’s security policy, we sent the request in plaintext.

We have not heard back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/09/filesilo_lost_plaintext_passwords/

Sophos Acquisition Targets Next-Gen Endpoint Security

Sophos buys Invincea to bring next-gen malware protection and machine learning into its product portfolio.

Sophos has agreed to acquire endpoint security firm Invincea for $100M to strengthen its product lineup with new malware protection technology.

Invincea was founded to address zero-day security threats with non-signature-based technologies to protect businesses against advanced threats. Flagship product X by Invincea uses deep learning neural networks and behavioral monitoring to find unknown malware and prevent damage before it hits.

Sophos plans to integrate Invincea’s machine learning technology into its endpoint protection portfolio. Invincea will continue to sell and support its endpoint security portfolio. The separately managed division of Invincea Labs is not part of this acquisition.

“Invincea will strengthen Sophos’ leading next-gen endpoint protection with complementary predictive defenses that we believe will become increasingly important to the future of endpoint protection and allow us to take full advantage of this significant new growth opportunity,” said Sophos CEO Kris Hagerman in a statement.

Read more on the Sophos blog.

Article source: http://www.darkreading.com/endpoint/sophos-acquisition-targets-next-gen-endpoint-security/d/d-id/1328085?_mc=RSS_DR_EDT

Organizations In 40 Countries Under ‘Invisible’ Cyberattacks

Unknown threat actors are stealing sensitive financial data using memory resident malware crafted from legitimate tools, Kaspersky Lab warns.

Cyberattacks have become increasingly stealthy in recent years, with goals like persistence and lateral movement becoming much more important to threat actors than ever before.

Now it appears that some attacks have gotten so stealthy they are almost invisible.

Kaspersky Lab this week issued an alert about a series of targeted attacks on organizations in 40 countries that are noteworthy for being nearly invisible to all the usual detection methods.

The attacks, mostly on banks, telecommunication companies, and government organizations, involve the use of file-less Meterpreter, a legitimate and widely used penetration-testing tool, along with Windows PowerShell and other utilities used commonly by systems administrators.

Unlike most other cybercrime campaigns, this one does not involve any malicious files being dropped on the victim computer’s hard drive. Rather, all of the tools have been combined and adapted into attack code that resides entirely in memory and disappears completely each time a compromised system reboots.

The approach appears designed to minimize the chances of an intrusion being detected by whitelisting and other mechanisms, and leaves forensics investigators with almost no artifacts to inspect after an attack. The attackers are still active and detecting these attacks is possible only in RAM, the network and registry, Kaspersky Lab said.

All that the attackers appear to want is to remain just long enough on a system to gather critical information, like systems admin passwords, before all traces of their presence on the system are wiped clean, Kaspersky Lab said in its alert. The ultimate goal seems to be for the attackers to gain access to financial processes at the targeted organizations.

So far, the attacks have impacted 140 enterprise networks, a majority of them located in the United States, France, the UK, Russia, Ecuador and Kenya.

There are a myriad reasons why a targeted organization would not spot someone using Meterpreter to scan their network for vulnerabilities, says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

“From an under-resourced security effort, to a mistaken configuration, a forgotten or unaccounted network resource connected to the Internet, or rushed delivery of technology, vulnerabilities often exist on a network,” Baumgartner says.

And Meterpreter itself, while commonly deployed by pen-testing teams, can be hard to detect without endpoint detection tools that support advanced in-memory detection capabilities.

“Also compounding the complication in detection efforts, offensive developers have built a variety of encryption communication technologies into various Meterpreter-based variants,” Baumgartner says. “So detecting the delivery of this payload across the wire can be more difficult as well.”

Kaspersky Lab says it discovered the ongoing attacks when a bank customer asked it to investigate the presence of Meterpreter inside the physical memory of a domain controller when it was not supposed to be there.

The use of legitimate Windows utilities, unknown domains and open source exploit code has made it all but impossible to identify those behind the attacks. But groups that have adopted similar tactics in the past include the Carbanak gang and another group called GCMAN that has been tied to various attacks on banks, according to Kaspersky Lab.

For the moment at least, the lack of forensic evidence also makes it hard to say if the attacks are targeted or opportunistic in nature, Baumgartner says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/organizations-in-40-countries-under-invisible-cyberattacks/d/d-id/1328091?_mc=RSS_DR_EDT