STE WILLIAMS

VPN on Android means ‘Voyeuristic Peeper Network’ in many cases

A worrying number of VPN apps for Android mobile devices are rife with malware, spying, and code injection, say researchers.

A study [PDF] from the University of New South Wales in Australia and the University of California at Berkeley found that Android apps advertising themselves as VPN clients often contain poor security protections, and in some cases engage in outright malicious activities.

“Many apps may legitimately use the VPN permission to offer (some form of) online anonymity or to enable access to censored content,” the researchers write. “However, malicious app developers may abuse it to harvest users’ personal information.”

That sort of malicious activity is shockingly common, the researchers found. They studied the activity of 283 VPN apps on the Google Play store and catalogued the various risky and malicious activities they found:

  • 82 per cent of the VPN apps requested permission to access sensitive data on the device, such as SMS history.
  • 38 per cent of the apps contained some form of malware.
  • 16 per cent routed traffic through other devices, rather than a host server.
  • 16 per cent used in-path proxies to modify HTML traffic in transit.
  • Three of the 283 analysed apps specifically intercepted bank, messaging, and social network traffic.

“Our results show that – in spite of the promises for privacy, security and anonymity given by the majority of VPN apps – millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps,” the researchers noted.

The study concluded that, in addition to users being wary in their choice of VPN apps and keeping a close eye on permissions, Google should look to help remedy the situation by setting stricter limits on what VPN apps are able to do in Android.

“The ability of the BIND_VPN_SERVICE permission to break Android’s sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urging [sic] to re-consider Android’s VPN permission model to increase the control over VPN clients,” they said.

“Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.”

So, if you’re shopping for a VPN client, what should you do? Well, a little research goes a long way: check reviews and recommendations, and steer clear of overreaching applications.

“Always pay attention to the permissions requested by apps that you download,” said Professor Dali Kaafar, a senior researcher at CSIRO, the Australian government’s boffinry nerve center. “This study shows that VPN app users, in particular, should take the time to learn about how serious the issues with these apps are and the significant risks they are taking using these services.” ®
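The permission check the researchers recommend can be automated when vetting apps before deployment. The following is an added example, not code from the study or from The Register: it reads a decoded `AndroidManifest.xml` (APKs ship a binary form, so this assumes a prior decoding step), finds services declared with the `android.net.VpnService` action, and reports watch-listed permissions requested by the same app. The watch-list beyond SMS and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
VPN_BIND = "android.permission.BIND_VPN_SERVICE"
VPN_ACTION = "android.net.VpnService"

# Illustrative watch-list (assumption): the article names only SMS history.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


def audit_manifest(xml_text):
    """Report whether a decoded manifest declares a VPN service and which
    watch-listed permissions the same app requests."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    vpn_services, unprotected = [], []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if VPN_ACTION not in actions:
            continue
        vpn_services.append(svc.get(A + "name"))
        # A VPN service should itself require BIND_VPN_SERVICE so that only
        # the system can bind to it; flag declarations that omit it.
        if svc.get(A + "permission") != VPN_BIND:
            unprotected.append(svc.get(A + "name"))
    sensitive = sorted(requested & SENSITIVE)
    return {
        "package": root.get("package"),
        "vpn_services": vpn_services,
        "unprotected_vpn_services": unprotected,
        "sensitive_permissions": sensitive,
        # A VPN client that also wants SMS or contacts deserves a manual look.
        "review": bool(vpn_services) and bool(sensitive),
    }


# Constructed sample manifests (hypothetical packages, not real apps).
RISKY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

MINIMAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for text in (RISKY, MINIMAL):
        print(audit_manifest(text))
```

A `review` result is a prompt for manual inspection, not proof of abuse: the permissions only show what the app is able to read.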

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/28/vpn_on_android_means_voyeuristic_peeper_network/

7 Tips For Getting Your Security Budget Approved

How to have a productive conversation with business leaders and get your security budget approved.

(Image: Jirsak via Shutterstock)

‘Tis the season for building budgets, and security managers are under pressure to get the funds they need to protect their organizations. Of course this is easier said than done.

The road to budget approval is paved with difficult conversations between infosec professionals and business executives. If security leaders don’t convey their needs in an understandable way, they risk disapproval from decision-makers and, as a result, less security spend.

Businesses’ risk of cyberattack will only grow higher in 2017. As they create their security budgets, managers need to consider a few points that will help prepare them for productive conversations with executives.

Here, experts share their advice for security leaders creating and discussing their budgets for this year. Bear these in mind while navigating the budget approval process. Are there any tips you would add to this list? Let’s keep the conversation going.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/risk/7-tips-for-getting-your-security-budget-approved/d/d-id/1328004?_mc=RSS_DR_EDT

Pay for experts to rise as cybercrime ‘to cost $6tn a year by 2021’

IT security is one of those odd industries: everybody wishes it were not necessary, but accepts it has to be there. This is why, if you’re a specialist in it, your skills are going to become increasingly prized in 2017. Recruitment consultancy Robert Walters is therefore predicting a pay rise for specialists in security and analytics.

So, more jelly babies for everybody. The reasons cited by the recruiter include the high-profile security breaches in the news in recent years and even months; people are becoming well aware that stuff can go wrong.

Todd Thibodeaux, CEO of global IT industry body CompTIA, which has a major interest in building IT skills, confirmed that the picture is reflected across the Atlantic.

The cybersecurity analyst is one of the fastest growing job roles in the US workforce. The Bureau of Labor Statistics projects growth of 18% from 2014 to 2024, much faster than the average for all occupations, not just in technology but across all categories.

This, accordingly, is matched by spend. Thibodeaux added:

Worldwide spending on cybersecurity is predicted to top $1tn for the five-year period from 2017 to 2021, according to the Cybersecurity Market Report, published by Cybersecurity Ventures. The same firm predicts cybercrime will cost the world in excess of $6tn annually by 2021.

We allocate more resources to cybersecurity than ever before. Yet attacks occur more often, and their impacts are getting worse. It’s no longer just PCs housed within a secure perimeter. With mobile devices and the Internet of Things we have evolving endpoints. With so many cloud services outside the firewall there is no longer a perimeter to secure.

This suggests that although resource is welcome, it’s not just a matter of throwing money at it.

The challenge for organisations in 2017 and beyond is to invest their money, time and resources in the right areas. One message from industry is coming through loud and clear: in 2017 we have to be more proactive to find potential intrusions before they happen. The emphasis on analytics and visualisation is increasingly important, especially when there are so many more access points connected to the network.

And his conclusion? “We need more security analysts.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TWNmKK31gWM/

Trump’s attorney-general choice wants to ‘overcome encryption’

Nominee US attorney-general senator Jeff Sessions has said the new administration will seek to “overcome encryption” in remarks that have been interpreted as a veiled reference to backdoors.

It’s worth stressing that at no point during his recent confirmation hearings did Sessions actually mention the term, although he is on record as strongly supporting efforts by law enforcement to bypass encryption during police investigations.

Answering a question about the importance of encryption in protecting the US from cyberattack, Sessions wrote:

Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

It’s a response that leaves Sessions trapped in the same contradictory world as his predecessors: he must simultaneously extol encryption as a security virtue but also rail against it as a vice that thwarts law and order.

It sums up the orthodoxy built up over recent US administrations that the world’s leading tech superpower can have it both ways by unlocking fundamental security protections at its convenience.

The high point of this thinking was the NSA’s 1993 Clipper chip, a hardware backdoor that allowed eavesdropping on conversations sent over any telecoms networks using it. Every device containing Clipper was to have a symmetric encryption key assigned to it and stored in a secure system called an escrow. If the Feds fancied a wiretap, the key would be sent to them – and only them.

The idea eventually imploded as critics pointed out the absurdity of a backdoor the entire world knew about. How stupid would a criminal have to be to use such a system? By the time experts started worrying about criminals finding vulnerabilities in its makeup – unintended backdoors in the official backdoor, if you will – the idea had flatlined.

Today, the mere suggestion of encryption backdoors alarms tech companies who market themselves on security. This is one reason why many of them are today busily building layers of end-to-end encryption into the software their customers use.

As was seen during the 2016 court case between the FBI and Apple for access to the encrypted storage on the iPhone of the San Bernardino shooter, it also shifts the focus from them to the individual user.

According to reports, the FBI eventually found a way around the iPhone’s encryption by exploiting a software vulnerability in the way encryption had been implemented.

With mandated backdoors discredited, this is probably how intelligence services now approach the issue of backdoors. It’s not perfect, because flaws big enough to give complete access are bound to be rarities, more so as software development improves.

But this doesn’t mean that the US government under Sessions will give up on the intellectual and legal arguments still seen as essential to lend credibility to whichever techniques they choose to use to bypass encryption.

It is the battle of ideas that will define the future for both the attackers and defenders of encryption. As Sophos says in its argument against backdoors:

Backdoors in encryption would undermine freedom of speech and the freedom to conduct our affairs without interference or fear.

For now at least, the world can’t be sure whether the next US attorney-general agrees.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ece0T8UUoNI/

Raise your glasses! Wine is 2.0!

This isn’t a security article… but today’s Friday, Wine’s cool and I’ve been waiting a while for this update, so indulge me!

Windows OS users, this article isn’t really for you either.

If you’re a long-time Linux or Mac user though, this announcement is welcome news: Wine, the popular open-source Windows compatibility layer for Unix operating systems, just announced the availability of the Wine 2.0 stable release.

Version 1.0 was released in 2008 (though the Wine project started back in 1993) with many incremental updates since then, so this big update has been a long time coming.

Wine is popular among Linux and Mac users who need or want to run Windows-exclusive programs without needing to spin up a virtual machine, boot into another operating system, run an emulator or pay a Windows license fee.

The benefit of using Wine over, say, dual booting or virtualization, is that you can run the Windows application in your computer’s native operating system as a regular app, rather than as a nearly integrated app inside a special window.

Or, if you prefer (in a light edit of its own words):

Wine is a compatibility layer capable of running Windows applications on several POSIX-compliant operating systems, such as Linux, macOS and BSD. Instead of simulating the internals of Windows like a virtual machine or emulator, Wine translates Windows functions into POSIX calls on-the-fly, eliminating the performance and memory penalties of other methods and allowing you to cleanly integrate Windows applications into your desktop.

It can be a bit faster than dual booting and a more seamless experience if you just need to quickly run a single application, which is why Wine can be a popular tool for Mac and Linux users in software development and video gaming, but also for anyone who needs to run specialty software now and then.

Of course, given that Windows is a closed-source operating system, and that its internals and behaviour are updated, extended, enhanced and altered all the time, it’s a bit of a moving target. Wine’s compatibility requires lots of ongoing reverse engineering and some apps don’t work at all, some work intermittently or unreliably, and yet others work but possibly in visually weird ways.

Wine version 2.0 comes with a slew of new features, bug fixes and supported programs, including Microsoft Office 2013 and 64-bit application support for MacOS. While there are already Office ports for the Mac, this expanded support means Linux users have another option for working with Office file formats, and Mac users can instead run the Windows-native version of Office if they prefer.

At the time of this writing, the 2013 versions of Excel and Word still have a “garbage” rating on Wine’s application database, which means:

Application cannot be installed, does not start, or starts but has so many errors that it is nearly impossible to use it.

But we must note that this rating is self-reported by Wine users, and these apps don’t have enough new user ratings yet to boost their scores (if such a boost is merited). For example, the Microsoft Word 2013 AppDB entry currently has zero votes and rests at its “garbage” rating, so watch this space to see if there’s any improvement as users update to version 2.0 and give Word 2013 another try.

In addition to the expanded Office 2013 support, a lot of new features are shipping with Wine 2.0, including support for Retina displays for Macs and expanded graphical capabilities, such as Direct3D 11.

As Wine is quite popular for running Windows-only games on Mac and Linux boxes, the additional graphic support will likely be appreciated by the gaming set. (Nine of the top 10 “Platinum” rated applications on Wine’s AppDB are video games.)

Wine users: have any of you tried 2.0? What did you think?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rz3-HJOslNk/

News in brief: Fancy Bear ‘attacked TV network’; Lavabit comes back to life; museum does geek history

Your daily round-up of some of the other security stories in the news

Fancy Bear behind attack on TV network

Fancy Bear, the Russian hacking group allegedly behind the attacks on the US Democratic National Convention, infiltrated the systems of a UK television network, according to SecureWorks, the cybersecurity researchers.

The researchers told Channel 4 News that Fancy Bear had had access to the TV network – which was not named – for up to a year, and suggested that, as the attackers hadn’t actually tampered with the network, it could have been a dry run for a future operation.

Fancy Bear is also thought to have been behind the attack in 2015 on France’s TV5Monde broadcaster, and security experts say that this latest revelation fits with analysis from GCHQ that linked that attack to others happening during the UK’s 2015 general election.

In his official report, released last year, David Anderson QC wrote: “… media organisations were briefed to enable them to protect their networks. Since then, a particular UK media company has been alerted to a compromise by the same attackers and has been able to clean up its networks.”

Lavabit comes back from the dead

Lavabit, the secure email service that was used by Edward Snowden to leak details of the NSA’s mass surveillance programme and which subsequently shut down, is to relaunch.

Its founder, Ladar Levison, said last week on the day that Donald Trump was inaugurated as US president, that “as evidenced by recent jaw-dropping headlines”, email “remains insecure, unreliable, and easily readable by an attacker”.

Former users of the service can resurrect their old accounts and can now get access to the emails stored in those, and can start the process of moving to the new DIME standard. Those who would like to get started with Lavabit will have to wait a short while, but can pre-register, paying for 5GB or 20GB of space with either a card or – of course – bitcoin.

A lesson in ancient Geek

If you’re going to be in California this weekend, a new exhibition opens tomorrow at the Computer History Museum in Mountain View that celebrates software engineering.

Called Make Software: Change the World!, the exhibition includes lots of interactive exhibits in the form of tasks and games designed for kids to encourage them into software careers, and also exhibits built around themes that tell the story of software engineering.

The show picks seven “game-changing” technologies including the MP3 format and Photoshop as well as the seminal multiplayer game World of Warcraft to give visitors a hands-on introduction to basic concepts.

If you can’t get to Mountain View, there are some fantastic videos from the exhibition on the museum’s YouTube channel.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YvLRITFN118/

US and Russia engaged in legal tug of war over LinkedIn hack suspect

Prague has become the centre of cyber cold war intrigue with both Russia and the US seeking the extradition of a Russian hacker.

Yevgeniy Nikulin, 29, is the target of extradition requests from both countries weeks following his arrest last October by Czech police during a holiday to the country. Local authorities acted on an Interpol arrest warrant issued by the US.

Nikulin faces US charges over high-profile hacks against LinkedIn, Dropbox and Formspring. The charges were unsealed on 21 October, two weeks after his 5 October arrest while on holiday with his girlfriend, as previously reported.

Formspring was the platform used for sexting by Anthony Weiner, the former New York congressman and husband of Huma Abedin, Hillary Clinton’s long-time personal aide. The discovery of emails linked to Clinton on Weiner’s laptop led to the controversial decision by the FBI to reopen an investigation into the former Secretary of State’s handling of sensitive emails just weeks before the US general election vote.

Nikulin’s arrest came just three days before the Obama administration formally accused Russia of hacking the Democratic National Committee and stealing emails subsequently turned over and released through WikiLeaks.

Nikulin has not been charged with anything directly related to the DNC hack, which US intel agencies have said was part of a Russian political influence campaign. Even if he’s not a (publicly named, at least) suspect he remains a person of interest in the case. US authorities have filed separate charges against him that remain under seal.

Russia has responded to the American extradition request against Nikulin by asking the Czechs to ship him back home to face a $2,000 bank hacking charge dating back to 2009.

“He was never formally accused at that time. I think the reason is that he was recruited [by the Russian security services],” Ondrej Kundra, political editor with the Czech weekly magazine Respekt, told The Guardian.

Russia reportedly offers hacking suspects immunity from prosecution in exchange for their assistance.

Adam Kopecky, Nikulin’s Czech lawyer, told The Guardian that his client – who denies all charges – was being treated as a political pawn. “He is unhappy about being detained for a long time in a foreign country and about the accusations against him. He wants to return to Russia – but as a free man,” Kopecky said.

Prague’s chief prosecutor is expected to make a determination on the twin extradition requests by early February, a spokeswoman for the city’s municipal court said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/27/extradition_fight_over_linkedin_hack_suspect/

Google launches root certificate authority

Google has launched its own root certificate authority.

The move, announced Thursday, will stop Google relying on an intermediate certificate authority (GIAG2) issued by a third party in its ongoing process of rolling out HTTPS across its products and services.

“As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology,” Google explained in a blog post. “This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority.”

The newly established Google Trust Services will operate these Certificate Authorities on behalf of Google and parent company Alphabet.

Google’s techies warn that the process of embedding root certificates into products that go on to be broadly deployed will take time. To hasten the process, Google has purchased two existing root certificate authorities, GlobalSign R2 and R4. “These Root Certificates will enable us to begin independent certificate issuance sooner rather than later,” according to Google. “We intend to continue the operation of our existing GIAG2 subordinate Certificate Authority. This change will enable us to begin the process of migrating to our new, independent infrastructure.”

As well as operating root certificates, Google has secured the option to cross-sign its CAs, in order to ease potential rollout snags. Google advises third-party developers working on code designed to connect to a Google property to include a wide set of trustworthy roots including but not limited to those offered through Google Trust Services. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/27/google_root_ca/

National Audit Office: UK’s military is buying more than it can afford

Military kit costs are going to skyrocket, according to the National Audit Office, which claims the Ministry of Defence now needs to slash an extra £5.8bn from its budget over the next 10 years.

“The affordability of the Equipment Plan is at greater risk than at any time since its inception,” intoned Sir Amyas Morse, the head of the NAO.

The 2015 Strategic Defence and Security Review (SDSR) added £24.4bn of extra commitments to the MoD equipment budget, according to the NAO, including commitments to buy the P-8 Poseidon maritime patrol aircraft, the new Mechanised Infantry Vehicle and speedier purchases of F-35Bs.

Over the next ten years the Equipment Procurement Plan commits the UK to spending £82bn on buying new ships, submarines, vehicles and complex weapon systems, with a further £92bn earmarked for the Equipment Support Plan.

NAO beancounters reckon the MoD’s allocated “headroom” of £10.7bn isn’t enough to fund the increases in the core equipment plan.

The NAO also said the defence equipment budget was “vulnerable to changes in foreign exchange rates”, with £18.6bn to be paid over the next ten years in US dollars along with a further $28.8bn within the current equipment plan which is exposed to forex fluctuations.

“Planning assumptions are currently based upon rates set before the result of the EU referendum, and the recent exchange rate fluctuations threaten to impact significantly upon the affordability of the Plan,” warned the NAO.

Minister for Defence Procurement Harriett Baldwin icily acknowledged the report in a rival MoD paper made available yesterday: “The National Audit Office (NAO) is publishing in parallel their independent assessment of the affordability of our equipment plan. Its report notes the size and financial complexity of the defence equipment programme, and indicates the challenges ahead. I am grateful that the NAO also points out where we must continue to improve and refine our work in the future.”

What are we getting for all these shekels, then?

£19bn of the equipment plan is being spent on surface warships, including the Queen Elizabeth-class aircraft carriers, the Type 26 frigate, the new Tide-class fleet tankers and the Offshore Patrol Vessels. £44bn is being spent on submarines, mainly the Astute-class hunter-killer boats and the new Dreadnought-class nuclear deterrent boats, which will replace the Vanguard boats currently carrying the UK’s nuclear missiles.

A further £19bn is being spent on land equipment projects, including life extension programmes for the elderly Challenger 2 main battle tank, the Warrior armoured fighting vehicle, and other new armoured vehicles.

Missiles for the Royal Air Force and Royal Navy account for £13bn, including the Brimstone 2 air-to-ground weapon – which won’t be cleared for use on the UK’s new F-35B fighter jets – and various other systems, mostly bought from EU missile conglomerate MBDA.

Although a very compelling analysis by Marcus Weisgerber of American website Defense One reckons the price of an F-35A has dropped to around $100m (down from initial flyaway costs of $279m in 2007) the MoD is still spending about £44bn in total on new aircraft, drones and support projects for them.

This includes buying F-35s as well as putting the finishing touches on the Eurofighter Typhoon, which will take over the RAF’s ground attack role from the venerable Tornado. In addition, the RAF will be buying more of Airbus’ answer to Lockheed’s Hercules, the A400M, and nine P-8A Poseidon aircraft. In addition, various helicopters will be upgraded, including the Chinook with its fully digital cockpit and the Lynx Wildcat from the artist formerly known as Westland, AgustaWestland, Leonardo, Leonardo Marconi.

Hey look, the Ministry of Defence does “big gov (IT) procurement” too!

Significantly, the MoD is spending £23.5bn over the next ten years on “Information Systems and Services”, which includes the bringing back in-house of “core ICT strategy, policy, architecture, standard-setting and customer service functions that had been outsourced.”

Equally significantly, in the table on the very last page of the MoD Equipment Plan are some downright weird figures.

The F-35 project (under “Lightning II”) is projected to come in £699m under budget – and while prices per aircraft may be falling, there’s no indication of what costs are associated with the delayed ALIS logistics software bundled with the jets. Similarly, the new aircraft carriers were projected to cost just over £3.5bn when ordered – and, so far, that figure has almost doubled to £6bn.

If military equipment costs skyrocket in the coming years – as they probably will do, thanks to the SDSR not unreasonably basing its costings on a stable relationship between sterling and the dollar – the MoD will be left with a rather large black hole to fill. Despite ministerial platitudes designed to smooth over the fact that the UK only meets its “two per cent of GDP spent on defence” target from NATO, that spending level is only being met by including pensions liabilities and other non-frontline spending in the figures.

In two years’ time, once Brexit – rather than just the vote for it – actually happens, we will almost certainly need a new SDSR to figure out just what the country can afford in defence terms. All those shiny new ships and aircraft will be of no use if they’ll just end up in mothballs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/27/military_equipment_budget_unaffordable_warns_nao/

Texas cops lose evidence going back eight years in ransomware attack

Cockrell Hill, Texas has a population of just over 4,000 souls and a police force that managed to lose eight years of evidence when a departmental server was compromised by ransomware.

In a public statement, the department said the malware had been introduced to the department’s systems through email. Specifically, it arrived “from a cloned email address imitating a department issued email address” and after taking root, requested 4 Bitcoin in ransom, worth about $3,600 today, or “nearly $4,000” as the department put it.

It was at this point that the cops’ backup procedures were tested and found to have failed to account for the mischief. When recovery was attempted, they realised they had only managed to back up the encrypted files.

The cops then spoke to the FBI “and upon consultation with them it was determined there were no guarantees that the decryption file would actually be provided, therefore the decision was made to not go forward with the Bitcoin transfer and to simply isolate and wipe the virus from the servers”.

Guarantee or not, the criminals operating ransomware schemes often do indeed decrypt the hijacked files if victims pay up. This is simple economics: if the criminal has a reputation for receiving money without decrypting the files, then their victims will be discouraged from paying up, and this is all about the money.

The ransomware is described as having “affected all Microsoft Office Suite documents, such as Word documents and Excel files. In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost.”

While the police state that the malware “was determined to be an ‘OSIRIS’ virus” no such virus actually exists. Instead, the police seem to have been confused by a new extension being used by the Locky ransomware, which renames the files it encrypts and gives them a .osiris extension.
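The backup failure described above, where the only copies were of already-encrypted files, can be guarded against with a pre-rotation check. The following is an added example, not anything used by the department or published by The Register: before a backup job overwrites its previous generation, it scans the source tree for the `.osiris` extension named in the article and for known file types whose header bytes no longer match, and compares the tree with the file list of the last good backup. The thresholds, file-type table and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading bytes of formats like those the article says were hit (Office
# documents, photographs). The selection is illustrative (assumption).
MAGIC = {
    ".docx": b"PK\x03\x04",   # Office Open XML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
}
SUSPECT_EXT = {".osiris"}     # extension named in the article


def scan_tree(root):
    """Return (all relative paths, paths that look ransomware-touched)."""
    seen, bad = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPECT_EXT:
                bad.add(rel)
            elif ext in MAGIC:
                with open(full, "rb") as fh:
                    head = fh.read(len(MAGIC[ext]))
                if head != MAGIC[ext]:
                    bad.add(rel)   # header destroyed: file rewritten in place
    return seen, bad


def safe_to_rotate(root, previous_paths, threshold=0.2):
    """Decide whether the new run may replace the previous backup generation.

    previous_paths: relative paths recorded by the last good backup.
    Returns (ok, report); when ok is False, keep the old generation.
    """
    seen, bad = scan_tree(root)
    missing = set(previous_paths) - seen
    bad_ratio = len(bad) / max(len(seen), 1)
    missing_ratio = len(missing) / max(len(previous_paths), 1)
    ok = bad_ratio <= threshold and missing_ratio <= threshold
    return ok, {"bad": sorted(bad), "missing": sorted(missing),
                "bad_ratio": bad_ratio, "missing_ratio": missing_ratio}


def demo():
    """Run the check on a constructed tree before and after a simulated hit."""
    clean = {   # constructed sample files: valid headers, dummy bodies
        "report.docx": b"PK\x03\x04" + b"\0" * 32,
        "cases.xlsx": b"PK\x03\x04" + b"\0" * 32,
        "scene.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 32,
        "memo.pdf": b"%PDF-1.4\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in clean.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = safe_to_rotate(root, set(clean))
        # Constructed "after" state: three files replaced by opaque bytes
        # under a .osiris name, one overwritten in place.
        for name in ("report.docx", "cases.xlsx", "scene.jpg"):
            os.remove(os.path.join(root, name))
            stem = os.path.splitext(name)[0]
            with open(os.path.join(root, stem + ".osiris"), "wb") as fh:
                fh.write(b"\x9c" * 64)
        with open(os.path.join(root, "memo.pdf"), "wb") as fh:
            fh.write(b"\x9c" * 64)
        after = safe_to_rotate(root, set(clean))
    return before, after


if __name__ == "__main__":
    for ok, report in demo():
        print("rotate" if ok else "HOLD: keep previous generation", report)
```

Header checks are used rather than an entropy test because Office documents and video are already compressed, so their contents look random even when intact.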

According to news channel WFAA, which broke the story, the department initially discovered the infection back in December, but had not gone public with the information. Instead, the news began to emerge “when the department began alerting defense attorneys that video evidence in some of their criminal cases no longer exists”.

Stephen Barlag, Cockrell Hill’s police chief, said of the encrypted docs: “None of this was critical information.”

WFAA quoted J Collin Beggs, a criminal defence lawyer in Dallas, who said: “That depends on what side of the jail cell you’re sitting,” referencing a client of his, charged in a Cockrell Hill case involving some of the lost video evidence.

Beggs bemoaned the loss of the video evidence, stating it was significant to his client and to others that the department has charged. “It makes it incredibly difficult if not impossible to confirm what’s written in police reports if there’s no video,” Beggs said. “The playing field is already tilted in their favor enormously and this tilts it even more.”

Beggs said he has asked the FBI for proof that the computer virus incident happened. An FBI spokeswoman on Wednesday told News 8 that the bureau does not “confirm or deny the existence of an investigation.”

The Register has enquired of Cockrell Hill’s chief Stephen Barlag whether any criminal cases would be discontinued due to the evidence loss. We will update this article if and when we receive a response. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/27/texas_cops_lose_evidence_going_back_eight_years_in_ransomware_attack/