STE WILLIAMS

What’s the actual cost to a business of a data breach?

Cisco has released the 10th of its annual cybersecurity reports, leading some publications to scream that security breaches can cost businesses 20% of their annual turnover.

If you burrow into the headlines, however, it becomes apparent that only a third of the companies questioned in the (admittedly substantial) survey claimed such a loss. Other reports place the value much, much lower – but nobody is denying it’s a problem or that it’s increasing.

The Cisco survey takes in 3,000 respondents at chief executive level. It found that 50% of companies face public scrutiny after a breach, leading to reputational risk, and 20% reported that they lost customers as a result. Additionally, 23% of them had identified lost business opportunities from prospects as a result.

Budget constraints, incompatible systems and inadequately skilled staff were the main reasons for breaches, the company said. Detection of breaches, however, had sped up considerably, offering some source of cheer.

The overall cost of a data breach is harder to pin down. A third of companies told Cisco they’d lost 20% of revenues following an incident, whereas other reports disagree. IBM’s report on the cost of a breach says the average consolidated cost of a data breach had moved from $3.8m to $4m in the last year, although it doesn’t break this down as a percentage of sales. Meanwhile Bluecoat said that whatever the numbers, companies were anticipating fewer breaches this year than they had last year.

The exact value of a breach is all but impossible to calculate. Only yesterday we had an instance in which third-party forums for Xbox and Playstation had their data compromised (reported in our News in Brief section); those forums will never know how many people were considering signing up but will now not do so.

In the same way, companies in the Cisco survey confirmed that they had lost prospective customers but they can’t know about instances in which they had fallen off the shortlist prior to contact.

The only thing most of the estimates, no matter what substantiations they use, agree on (with Bluecoat going a little rogue) is that data breaches are growing – and the results aren’t pretty.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cwU9QbX2PO4/

News in brief: Czech minister’s emails attacked; Dutch fear election hacking; Facebook extends connections

Your daily round-up of some of the other stories in the news

Czech government emails attacked

Email accounts at the Czech foreign ministry, including his own, have been the victims of cyberattacks, foreign minister Lubomir Zaoralek said on Thursday.

The ministry’s internal communications organisation wasn’t compromised, said Zaoralek, and no confidential information was lost. However, he said the attack was “very sophisticated” and that it must have been “conducted by some foreign state, from the outside”.

The foreign minister added “the way the attack was done very much resembles the character of attacks against the system of the Democratic party in the United States”.

Dutch to hand-count vote over ‘meddling’ fears

As concerns mount about the risk of cyberattacks on the upcoming elections in European countries, Dutch officials have said that they will be reverting to hand-counting votes in the general election there on March 17.

Interior minister Ronald Plasterk told parliament in a letter on Wednesday: “I cannot rule out that state actors may try to benefit from influencing political decisions and public opinion in the Netherlands.”

Plasterk said that fears over the security of the software used to manage elections meant that the election committee had decided “to calculate the results based on a manual count”. The poll will elect a new lower house of parliament, and the far-right Freedom Party, led by Geert Wilders, has been leading opinion polls for months.

Facebook rolls out useful/creepy (you decide) update

Facebook, with its aim of connecting people, is rolling out a new feature that basically suggests you make friends with strangers. This could of course be useful for business networking or dating, which suggests that the Menlo Park giant is looking to stake claims in LinkedIn and Tinder’s territories.

Users are familiar with the existing “People you may know” feature, which suggests friends of friends. The new feature, Discover People, will suggest you friend people who are going to the same event as you, or who work for the same company as you.

Techcrunch reports that when you tap on the new section (if it’s been rolled out to you – it hasn’t made it to the entire user base yet), you’re prompted to craft a short introduction to yourself, and then when you click on an event you’ve been invited to, you’ll be shown the profiles of others who are also planning to go.

However, that feels downright creepy to us, as it not only seems a gift to stalkers, but it seems you can’t choose which events your profile would show up in. Nor, it seems, can you tweak the bio for individual events.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2mCMtZvNF4M/

Is your office printer vulnerable to being attacked?

Researchers testing the security state of 20 common office network printers have discovered that almost every model is susceptible to a range of disarmingly simple attacks.

As the authors admit, printers are “considered rather unspectacular devices,” which might explain why research into their security remains a bit of a backwater.

Undeterred, the team from Ruhr University Bochum in Germany used their own custom-written tool called PRET (Printer Exploitation Toolkit) to hit the printers with a range of local, network and internet-based attacks on two common software interfaces, PostScript and Printer Job Language (PJL).

Attack methods covered denial-of-service (making printers go offline or into a programming loop), a protection bypass (resetting to factory defaults), print job manipulation (interfering with what is printed), and information disclosure (accessing document content).

Printer models tested covered a cross-section of major vendors, including HP, Lexmark, Brother, Dell, Oki, Samsung, Kyocera and Konica, all of which were running the latest firmware.

Every model tested could be taken offline by a malicious PostScript file, while print jobs could be intercepted or manipulated on almost all of them. Other issues included that data from print jobs could be retrieved after compromising a user’s browser, and that the security of PostScript passwords could be overridden.

It was even possible to remotely vandalise printers using the simple trick of writing to their memory lots of times: “Physical damage could be caused to about half of the tested devices within 24 hours of NVRAM stressing.”

Many of these problems seem to have been known about for years, which draws attention to the first unusual aspect of printers as computing devices: many of the technologies they use (PostScript, for example) go back years and even decades.

They also seem to hang around inside organisations for a long time, which means that their vulnerabilities remain live too. And while the print drivers – the software that sits between a PC and the printer – might be upgraded several times, how often firmware is updated is unclear.

It’s a hidden software complexity that will only increase with the introduction of new standards such as HP ePrint and Google Cloud Print, which has prompted the researchers to set up a Wiki to disclose vulnerabilities.

Tellingly, when contacted about these findings, only Dell and Google (which offered a bug bounty of $3,133 in connection with the team’s Cloud Print research) seemed interested. As long as vendors are this uninterested, patches probably won’t be forthcoming until a real-world attack emerges.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GSstIFnfCdU/

Another Schneider vuln: Plaintext passwords on client-side RAM resolved

Schneider Electric has issued a patch for its StruxureWare Data Center Expert industrial control kit following the discovery of a flaw that could allow remote access to unencrypted passwords.

The product is designed to monitor physical infrastructure at data centres, handling everything from cooling to backup generators. The flaw – discovered by Positive Technologies – meant that an attacker could recover passwords from RAM on the client side of the platform, where they are held in unencrypted form.

“A hacker could use this flaw to penetrate the internal network at a data centre, obtain confidential information, or even cause physical harm,” said Ilya Karpov, head of the ICS Research and Audit Unit at Positive Technologies. “A vulnerability such as this threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling.”

Fortunately, Schneider Electric has developed an update that resolves the vulnerability, rated 7.6 on the CVSS v3 scale. The vendor is urging its customers to upgrade all installations of StruxureWare Data Center Expert to version 7.4.

In a statement, the vendor told El Reg: “Schneider Electric has become aware of a vulnerability in StruxureWare Data Center Expert 7.3.1.114 and 7.2.4 and earlier versions of the product. The vulnerability identified is related to the storage of the product passwords. It has been discovered that some passwords are stored in cleartext in random access memory (RAM). We issued a security notification that shares mitigation recommendations.”
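The vendor statement describes the failure mode in general terms: passwords kept in cleartext in client RAM. The following is an added example, not code from Schneider Electric or Positive Technologies, that contrasts a client which parks the password in an immutable string for the life of the object with one that holds it in a mutable buffer, derives the session key it actually needs, and zeroes the buffer immediately. The class names, the PBKDF2 parameters and the sample password are assumptions made for illustration.

```python
"""Added example (not Schneider's or Positive Technologies' code): a leaky client
that retains the plaintext password versus one that scrubs it after one use.
All names, parameters and the constructed password below are hypothetical."""
import hashlib
import hmac
import os


# --- weak pattern: the secret stays in process memory for the life of the object ---
class LeakyClient:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password  # a str cannot be wiped; it lives until garbage-collected

    def auth_token(self, challenge: bytes) -> bytes:
        # Re-reads the plaintext on every call, so it must be kept around.
        return hmac.new(self.password.encode(), challenge, hashlib.sha256).digest()


# --- hardened pattern: derive what is needed from a mutable buffer, then scrub it ---
def scrub(buf: bytearray) -> None:
    """Overwrite a bytearray in place so the plaintext no longer sits in RAM."""
    buf[:] = bytes(len(buf))


class ScrubbingClient:
    def __init__(self, username: str, password: bytearray, salt: bytes) -> None:
        self.username = username
        # PBKDF2 accepts any bytes-like object, so no str copy of the password is made.
        # Iteration count is an illustrative assumption, not a recommendation.
        self.session_key = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
        scrub(password)  # the caller's buffer is now all zeros

    def auth_token(self, challenge: bytes) -> bytes:
        # Only the derived key is retained; the password itself is gone.
        return hmac.new(self.session_key, challenge, hashlib.sha256).digest()


def is_zeroed(buf: bytearray) -> bool:
    """True if every byte of the buffer has been overwritten with zero."""
    return not any(buf)


def demo() -> dict:
    """Run both clients on a constructed password and report what remains in memory."""
    pw = bytearray(b"constructed-example-password")
    leaky = LeakyClient("dcim-admin", pw.decode())            # keeps an undeletable copy
    hardened = ScrubbingClient("dcim-admin", pw, os.urandom(16))  # salt must be per-user
    return {
        "leaky_still_holds_plaintext": leaky.password == "constructed-example-password",
        "buffer_scrubbed": is_zeroed(pw),
        "hardened_token_len": len(hardened.auth_token(b"constructed-nonce")),
    }


if __name__ == "__main__":
    print(demo())
```

The pattern reduces exposure rather than eliminating it: Python may make transient copies during decoding or hashing, and a memory dump taken while the buffer is live will still contain the secret. The point is that the plaintext has no long-lived home, which is the property the Schneider client lacked.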

Schneider Electric systems have thrown up similar unencrypted password flaws in the past, which has to be a concern, even though both vendor and security researchers collaborated successfully to resolve the latest vulnerability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/data_centre_control_kit_flaw_resolved/

‘Webroot made my PCs s*** the bed’ – AV update borks biz machines hard

Anti-malware firm Webroot has apologized after an update pushed out this week borked computers at unlucky companies, leaving the PCs unbootable.

El Reg learned of the issue through reader Andrew, who reported that the Webroot 9.0.15.43 update for enterprises has “shit the bed,” creating all sorts of problems on corporate networks. Windows systems crash with the following memory access error:

0x50: PAGE_FAULT_IN_NONPAGED_AREA

“It causes boxes to BSOD [Blue Screen of Death] in an unrecoverable state,” Andrew explained. “Webroot have acknowledged the issue and are currently investigating it.”

We’re told affected machines struggle to boot up properly. There are workarounds described here, which involve disabling antivirus protection. Webroot confirmed to The Reg that there was an issue but said that only a minority of its customers are hit:

Webroot released a routine update on Tuesday 31 January, containing general fixes and minor feature enhancements. For most of our millions of customers, the service has run as normal. However, some customers have experienced a problem with the update, so Webroot’s 24-hour support team has been working with them directly to remedy this quickly. If you are one of those customers, we sincerely apologize.

Essentially, the problem isn’t fixed.

Another tipster, a sysadmin in the UK, wrote in today to tell us: “I’m currently dealing with some of the fallout from this, and scared about tomorrow as we have 700-plus installs of Webroot – including 130-plus in the US where we don’t have any IT staff.”

It sounds like a low-level component used by Webroot is touching memory it shouldn’t, causing the kernel to stop. Typically, antivirus tools break computers by removing crucial operating system files, believing them to be malicious. This latest screwup is unusual in that not every customer appears to be affected. We’re keeping a close eye on it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/webroot_snafu/

A Hogwarts For Cyber Protection?

How the UK is minting a new generation of cybersecurity wizards.

Never let it be said that the British don’t do things with style. In the years leading to World War II, they recognized the need to break enemy codes, and ran crossword puzzle contests to find recruits for their ultra-secret Government Code and Cypher School—also known as GCCS, or Bletchley Park.

The resultant genius of codebreakers such as Alan Turing is believed to have shortened the war by two to four years, and to have assured its outcome. Surely the mystique of Bletchley Park led to the smooth, sophisticated 007 spy-hero archetype—as many of Bletchley Park’s cryptanalysts came from Oxford and Cambridge.

Now there is a new war underway, and the British have been among the first to recognize it: they’ve taken the threat of cybercrime and online infringements seriously, and began a government-supported campaign to protect online rights of normal citizens while America was still revelling in the unbridled, wild west freedom of the Internet. The British have a National Museum of Computing and, modern-day equivalent of the crossword puzzle contest, a set of competitions called Cyber Security Challenge UK that presumably function as high-level testing and recruitment tools.

Now they’ve established a new school of cybersecurity wizardry — the National College of Cybersecurity is slated to open its doors — where else? — at historic Bletchley Park. This investment in the UK’s defense against cyber risks is good news, and represents a collaborative effort between the industry and government in facing the challenge of skill shortages.


The National College of Cybersecurity also seems to be taking a smart approach to recruiting a student body by accepting the most gifted 16- to 19-year-olds, selected through aptitude testing or on the basis of their technology skills, rather than academic qualifications. Alastair MacWilson, chairman of the Institute of Information Security Professionals and also of the non-profit group Qufaro, which is setting up the new college at Bletchley Park, has said that this is a way to tap into critical talent that the UK otherwise risks losing. Smart.

Unfortunately, it’s not enough. For businesses in particular, the scale and immediacy of the cybercrime challenge is so great that not even a new generation of Bletchley code breakers can be expected to crack it alone.

And, as it so often goes with technology, the timing isn’t fast enough. The new college won’t see its first students until September 2018. By the previous May, the EU General Data Protection Regulation (GDPR) will almost certainly have come into force. By the time Bletchley can even open its doors, businesses will already face enormous fines for data protection failures—up to €20 million ($21.2 million) or 4 per cent of their global revenue, whichever is higher—in addition to new obligations to notify authorities and their customers of any breaches.

I alluded earlier to the skills shortage in this critical field. A recent study by the International Association of Privacy Professionals estimated that businesses worldwide will need to hire at least 75,000 data protection officers in the next two years to be in compliance with GDPR regulations. Surely the 500 students making their way to Bletchley in 2018, even added to the recruits garnered by the Cyber Security Challenge initiative, can’t begin to address the scale of the global skills shortage.

Nothing Is as It Once Was
Western culture has entered an astounding period of valuing people and attributes that would previously have been held criminal, or at best out of line by any standard of civility. In the case of training cybersecurity agents, the pool of tech-savvy young people attracted to Bletchley also represents a steady flow of cyber attackers, who may be motivated by money or simply boredom. Last year’s TalkTalk breach, which affected 156,000 of its customers, was pulled off by a 16-year-old who told officials he was “just showing off.”

For many cyberattacks, no great expertise is actually required—hacking tools are widely available online, as are numerous offers of cybercrime-as-a-service. As a result, there’s an increasing number of unsophisticated attacks that can nevertheless cause widespread damage to the unprepared. In other cases, though, as the US presidential election campaign seems to have demonstrated, state powers actually put resources behind attacks that few businesses can hope to match.

It’s heavily ironic that savvy (if not particularly well trained) millennial-and-younger “digital natives” are pitted against business leaders who, in general, have much less technical knowledge. Around the world, C-level execs lack deep technical experience—for example, a recent review of 100 global banks found that only 6 per cent of their board members had professional backgrounds in technology.

Yet regulators, customers, and the media expect businesses to counter these threats, and it’s not going to get easier. If the breadth and sophistication of the technological landscape develops geometrically, the scope of attacks develops exponentially. Last October, in a watershed moment for distributed-denial-of-service (DDoS) attacks, the assault on Dyn took down Twitter, Netflix, PayPal, and Spotify. The Mirai botnet’s ability to harness a vast network of devices in the Internet of Things translates to massive IoT attacks that can now be launched easily and cheaply. This is a risk for nearly every business.


Between the ever-moving target of these disruptions and the growth in regulatory penalties, businesses need to look again at the costs and benefits of cybersecurity measures. They will need to take a layered approach, and understand that there will be no single or static answer. They’ll need to examine the capabilities and robustness of their third-party providers—for example, checking the bandwidth of DNS providers and the defenses they have in place. Of course, they also—always!—need more sophisticated, experienced people in-house. But they can begin by instilling a culture of good cyber hygiene among current staff, and educating them about the risks so they can avoid at least the most widespread, if unsophisticated threats.

Let’s not underestimate the problem: cybersecurity is a brave new world, and we need well-trained wizards to proactively navigate it. The US could take a page from the Brits, not only in taking an active hand in training its own anti-cybercrime forces, but in acknowledging the breadth and seriousness of the problem.

Mark Flegg is global product director of domains and security at Corporation Service Company (CSC). His expertise is in cybersecurity technology, focusing on DNS, SSL, and DDoS protection. CSC is a legal services organization providing matter management, corporate compliance, …

Article source: http://www.darkreading.com/threat-intelligence/a-hogwarts-for-cyber-protection-/a/d-id/1328040?_mc=RSS_DR_EDT

Businesses Fear Brand Damage More Than Security Breaches

Organizations struggling with risk management are more concerned about brand damage than cyberattacks, new Ponemon study shows.

Risk management is a challenge for most businesses, but security breaches aren’t their top concern. Most fear long-term reputational damage will stem from their inability to manage risk.

This comes from a new survey entitled “The Imperative to Raise Enterprise Risk Intelligence,” sponsored by RiskVision and conducted by the Ponemon Institute. Researchers surveyed 641 individuals involved in their organization’s risk management programs to learn about the state of business risk intelligence.

They discovered the biggest fear resulting from a poor risk management program is reputation damage (63%). Security breaches and business disruption tied for second; each was cited by 51% of respondents.

“It was a surprise,” says Joe Fantuzzi, president and CEO of RiskVision. “Despite all the noise and issues around cybersecurity, organizations really fear brand damage. That can come from cybersecurity breaches, but it can also come from lost intellectual property, accidents like losing laptops, and bad market news.”

Boards of directors have had risk committees, he continues, but historically they have focused on dangers related to financial risk, market risk, currency exchange risk, and credit risk. IT and cyber risk are still new to them.

“There is an increasing awareness that they need to understand [cyberrisk],” Fantuzzi says of business leaders. “But ultimately as a board member, you’re looking at the stock market and shareholder value, and that value is directly impacted by reputation. I think that’s how they see it.”

As cyberattacks on businesses become more publicized, enterprise leaders face the responsibility of predicting the likelihood, and potential impact, of security breaches. Many are scrambling to determine the best approach to risk modeling.

The survey discovered less than one-quarter (24%) of respondents say their organization has a clearly defined risk management strategy that is relevant across the enterprise. One-third do not have a clearly defined strategy at all. Only 37% said their risk management process was “very effective.”

There are several barriers organizations face as they create and implement risk management plans. More than half (53%) of respondents, for example, say there is a lack of collaboration among the finance, operations, compliance, legal, and IT teams on risk management projects.

Budget problems prove another obstacle, the study found. More than half (52%) of respondents don’t have a formal budget around enterprise risk strategy. Other key barriers to achieving risk management goals include lack of resources (44%), complexity (44%) and inability to get started (43%).

It’s worth noting some progress has been made. Eighteen months before the study, only 21% of businesses reported they measured risk in real time with automated business unit decision-making, board-level analytics, and metrics. Today, that number has reached 32%.

Further, among the businesses with formal budgets dedicated to risk management, 58% plan to spend between $1M and $5M on risk management products in the upcoming fiscal year, the study found.

For organizations working to reduce their IT security risk, Fantuzzi recommends starting with an asset inventory.

“Many people don’t have a good inventory of their assets,” he notes. “And it’s not about determining how many apps or network servers you have. You need to know who owns them and what their criticality is; what’s going through them and what’s stored on them.”

Criticality management is important, he continues, because some data is higher risk than others. Look at assets and the threats that can attack them, run regular vulnerability scans, and keep a prioritized list of what matters.

Business leaders who take these steps will have a well-documented list in the event of an incident.

“If an incident happens, you’ll be able to show the board and regulators you’ve done everything possible,” Fantuzzi explains. “The impact on your division will be small because, as you know, bad things happen.”
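Fantuzzi’s advice above amounts to a small data model and a ranking rule: an inventory that records owner and criticality per asset, scan findings joined to it, and a prioritized list that also surfaces anything the scanner found that nobody owns. The following is an added example, not code from the Ponemon study or from RiskVision, that implements that flow over a constructed inventory; the field names, the criticality scale, the criticality-times-CVSS scoring rule and the CVE-EXAMPLE placeholders are all assumptions.

```python
"""Added example (not from the Ponemon/RiskVision study): join a criticality-rated
asset inventory to scan findings and produce a prioritized list. The inventory,
findings, scoring rule and placeholder identifiers are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    owner: str          # the team accountable for the asset
    criticality: int    # 1 (low) .. 5 (business-critical), set by the owner
    data_handled: str   # what flows through it or is stored on it


@dataclass
class Finding:
    asset: str
    cve: str            # CVE-EXAMPLE-* are placeholders, not real identifiers
    cvss: float


# Constructed inventory: hypothetical hosts and owners
INVENTORY = [
    Asset("erp-db-01", "finance", 5, "customer and payment records"),
    Asset("intranet-wiki", "it-ops", 2, "internal documentation"),
    Asset("build-server", "engineering", 4, "source code and signing keys"),
    Asset("lobby-kiosk", "facilities", 1, "public visitor information"),
]

# Constructed scan output, including a host nobody inventoried
FINDINGS = [
    Finding("intranet-wiki", "CVE-EXAMPLE-0001", 9.8),
    Finding("erp-db-01", "CVE-EXAMPLE-0002", 6.5),
    Finding("build-server", "CVE-EXAMPLE-0003", 7.5),
    Finding("erp-db-01", "CVE-EXAMPLE-0004", 4.3),
    Finding("ghost-host", "CVE-EXAMPLE-0005", 9.0),
]


def prioritize(inventory, findings):
    """Return (ranked findings, asset names the scanner saw but the inventory lacks).

    Score = criticality x CVSS, so a medium-severity bug on a critical asset can
    outrank a critical bug on a low-value one. Findings on unknown assets are not
    scored at all: an asset with no owner and no criticality is itself the gap."""
    by_name = {a.name: a for a in inventory}
    ranked, unknown = [], []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            unknown.append(f.asset)
            continue
        ranked.append({
            "asset": f.asset,
            "owner": asset.owner,
            "cve": f.cve,
            "score": round(asset.criticality * f.cvss, 1),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, sorted(set(unknown))


if __name__ == "__main__":
    ranked, unknown = prioritize(INVENTORY, FINDINGS)
    for row in ranked:
        print(f"{row['score']:>5}  {row['asset']:<14} {row['owner']:<12} {row['cve']}")
    print("unowned assets found by scanner:", unknown)
```

On this data the 6.5 finding on the payment database ranks above the 9.8 finding on the wiki, which is the point of weighting by criticality, and `ghost-host` comes back separately as an inventory gap rather than silently dropping out of the report.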


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/risk/businesses-fear-brand-damage-more-than-security-breaches/d/d-id/1328041?_mc=RSS_DR_EDT

Lego builds social network that should be safe for kids

The history of social networking for children is somewhat chequered. Facebook, the biggest network of all, has a rule about nobody under 13 being allowed in, but it’s based on self-certification so a lot of children bypass it quite openly.

Habbo Hotel, a social site for children and young teens, fell foul of poor moderation and was accused of harbouring predators (there is no suggestion that this has happened for several years) – and pundits continue to debate the good and the bad in terms of how social networking affects children’s development.

So it’s presumably to be welcomed that an established children’s brand, Lego, is introducing Lego Life as a safe place for children to present their designs to each other.

The idea is that it’s visual only, there is no free text, just kids showing each other what they’ve made. They also can’t put pictures of themselves online, there will be no personal information requested and there is no ability to track people involved. Users will have Lego mini-avatars and there will be people as well as machines monitoring it.

The real-time monitoring will be reassuring for many people. Naked Security has previously reported on child predators playing Pokemon Go with children, children’s chat logs being kept and child abusers using Facebook. Lego appears determined to keep children safe in the social environment.

Parents’ groups broadly welcomed the new network. Holly Hawkins of Washington-based Ikeepsafe.org said:

It is exciting to see Lego has built safety and privacy protections into their new social networking product for kids. It’s important for parents to talk to their children about their use of the Internet – start early with simple messages and build as their child’s use of technology grows. Lego Life provides the opportunity to start that early discussion in a controlled environment.

And she urged parents to familiarise themselves with the parental controls of any network, but above all, to communicate with their children.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tArnhqqYGK8/

Gamers lose suit over retention of biometric faceprints

Want to have your face e-glued on to that of LeBron James for a little toe-to-toe virtual basketball? You can do it with Take-Two’s MyPlayer feature of its NBA 2K15 and NBA 2K16 games.

Gamemaker Take-Two Interactive has some pretty magical* face scanning technology. One thing it doesn’t have, though, is a court injunction that would force it to stop storing your faceprint biometric data forever, privacy laws or no.

Federal judge John Koeltl of the Southern District of New York on Monday dismissed a proposed class action suit that’s been in the court for years.

It was filed by brother and sister video basketball players Ricardo and Vanessa Vigil, who admitted in their lawsuit to giving consent to have their faces scanned in the game’s terms and conditions, but who said that they didn’t know Take-Two would make their images available, unencrypted, online, stored indefinitely and shared.

Their suit maintained that Take-Two failed to meet several provisions of the Illinois Biometric Information Privacy Act.

Take-Two, for its part, argued that the avatars gamers create with facial scans are a “far cry” from the kind of personal identifiers protected by the law, according to Law 360.

This lawsuit attempts to misuse an Illinois state statute, designed to safeguard legitimate biometric identifiers, to attack a video game feature that lets a user make a cartoon-like NBA player that may (or may not) look like the user, solely for the user’s entertainment.

In a 51-page opinion, Judge Koeltl wrote that the Vigils failed to show that Take-Two’s scanning technology harms their privacy.

The gamers had claimed that they could have suffered “informational injuries” from an “enhanced risk of harm” that their face scans might have been subject to a data breach; apprehension about engaging in future transactions using biometrics; misappropriation; intrusion on seclusion; and a diminished benefit associated with buying NBA 2K15.

Nope, the judge said, none of that is concrete enough:

At best, the plaintiffs’ allegations are that Take-Two’s storage and dissemination practices have subjected their facial scans to an “enhanced risk of harm” of somehow falling into the ‘wrong hands’, which is too abstract and speculative to support standing.

Do you own the rights to your face? Can you copyright it? As biometrics become more prevalent, that’s going to be a pressing question.

Not that Take-Two’s games are doing anything creepy with our faceprints, mind you. But it’s worth asking whether we want our faceprints floating around publicly for anybody to grab. After all, there are good reasons why so many people said they preferred passwords to biometrics in a recent survey:

  • 42% said they worry about not being able to access online accounts through biometric authentication in case of a malfunction.
  • 42% don’t want companies to collect, save and use their personal data for logging on to online services. (Note: you’re pretty much out of luck if the Feds want to use it after you’re dead!)
  • 33% worry that third parties could access their biometric data if they lost a device. (Or, say, if a judge forces you to unlock the iPhone of your boyfriend/alleged Armenian gang member. Bear in mind that courts nowadays consider passwords to be covered by Fifth Amendment rights against forced self-incrimination because passwords are something you know. However, biometrics aren’t protected by the Fifth Amendment, since they’re considered to be something you are.)
  • 32% worry that hackers could overcome biometric authentication methods to log on to their online accounts. (They’re right! We’ve seen fingerprints, facial recognition and iris recognition all fooled by hackers.)
  • 30% don’t think the technology is fully developed to support these biometric authentication methods. (Which is quite likely why we keep seeing ever more new biometrics tested as authentication methods, including, for example, brainprints.)

*Or pretty horrifying. Following a link in Engadget’s coverage to a gallery of NBA 2K15 face scanning gone horribly melty, I am at least a little reassured that not all facial recognition is going to cause subjects to lose their face biometrics for all time.

Not, that is, unless the people who’ve used the facial scanning technology really do have two mouths, an eye that’s melted down into their chin, and/or flesh that looks suspiciously like pepperoni pizza.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pqRvQxcyYTA/

Protest against Trump’s US travel ban leaves PasswordsCon in limbo

The next edition of the well-regarded PasswordsCon conference is in doubt as an indirect result of the Trump administration’s controversial travel ban.

Organiser-in-chief and founder Per Thorsheim is a Norwegian who would face no issues in visiting Las Vegas to run the conference in July. He has, however, “decided not to go… this year due to what is happening in the US right now”, as an explanation of his position uploaded to Pastebin explains.

As a Norwegian I can pretty much go anywhere in the world without fear based on my country of origin. It troubles me deeply that people – refugees – are excluded solely on their country of origin. Or religion, as this #MuslimBan EO really seems to be about. My belief in democracy and the United Nations’ Universal Declaration of Human Rights takes priority over my work, hobby and general obsession into passwords and digital authentication.

PasswordsCon debuted in December 2010, evolving over the six years since towards becoming a twice-yearly event (Las Vegas in July and somewhere in Europe in December). An event at RUB university in Bochum, Germany, back in December marked the eleventh conference.

In Las Vegas, PasswordsCon has been a separate two-day track at BSides for three editions since 2014. Between 150 and 200 people visited the conference in Las Vegas last year, according to Thorsheim.

The conference brings together “hackers”, industry experts (CISOs, pen-testers, etc) and academics to share, improve and attack solutions for passwords and related topics. “Common feedback from first-timers is that they had never imagined the width and depth of passwords/authentication and what we are covering with this conference,” Thorsheim said.

PasswordsCon sets out to advance the state of the art within password cracking, password protection and continued development of best practices in all related areas. The event is designed to be free of sales and marketing pitches, with top speakers from around the world within their respective areas. The focus is on high-quality, no-nonsense research and practical talks.

Thorsheim paid tribute to those who have made the conference a success and expressed hope that he’ll be able to return soon. In the meantime, the future of the conference is up in the air. Thorsheim suggested it might be possible to hold it in either Mexico or Canada. Either is less desirable than the Las Vegas gig, which occurs as an adjunct to BSides (BSidesLV) and just before Black Hat and Defcon, meaning a big crowd of hackers and security researchers is already in town.

“The travel ban itself affects people in a way I personally find impossible to accept,” Thorsheim told El Reg. “I also think that it will influence the attendance and quality of not just my own conference track, but most security conferences in the US with an international audience.”

Some people won’t be able to get into the US while others may not want to travel to the US in order to submit talks. Still more won’t want to go to the US to participate, according to Thorsheim.

“I have told my co-host Jeremi Gosney and BSidesLV that if they still want to do the password track in July they are free to do so. I won’t be there, and I won’t try to get any speakers or participants for it.

“If they drop doing the passwords track, I might end up doing PasswordsCon as a separate event either in July, or shortly afterwards in another country. Canada is high up on my list, as it makes it rather easy for Americans to attend, while also allowing people in from most countries around the world,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/02/travel_ban_protest_passwordscon/