STE WILLIAMS

‘Celebgate’ nudes thief gets just nine months of porridge

An American bloke has been jailed for breaking into the online accounts of 30 or so celebrities (and 270 other people) and swiping their most intimate snaps and secrets.

Edward Majerczyk, 29, of Orland Park, Illinois, sent out hundreds of messages masquerading as legit emails from Apple and Google technical support. These fake alerts convinced victims to type their usernames and passwords into a website controlled by the miscreant, allowing him to ransack their iCloud and Gmail accounts.

Majerczyk, the son of two retired Chicago cops, was eventually collared by FBI agents probing “Celebgate” – the moment in 2014 when private nude photos of Kate Upton, Jennifer Lawrence, Ariana Grande and other stars were plastered across 4Chan and Reddit. The pictures and videos were stolen from the victims’ cloud accounts.

During questioning, Majerczyk told the Feds he just wanted to “see things through other people’s eyes.” In a deal with prosecutors last July, he pleaded guilty to one count of unauthorized access to a protected computer to obtain information. He faced up to five years behind bars.

“[Majerczyk] not only hacked into email accounts – he hacked into his victims’ private lives, causing embarrassment and lasting harm,” said the FBI’s Deirdre Fike. “As most of us use devices containing private information, cases like this remind us to protect our data. Members of society whose information is in demand can be even more vulnerable, and directly targeted.”

In addition to his sentence, handed down on Tuesday this week, Majerczyk was ordered to pay $5,700 to foot one celebrity victim’s therapy bills. The FBI also confiscated the hacker’s Gateway computer, another desktop system, his iPhone, and various items of storage media.

“At the time of the offense, Mr Majerczyk was suffering from depression and looked at pornography websites and internet chat rooms in an attempt to fill some of the voids and disappointments he was feeling in his life,” his lawyer, Thomas Needham, told the court [PDF].

“After accessing the personal information and photographs for his personal viewing, he learned that others were distributing these private images on the internet. Mr Majerczyk did not realize the extent of this crime and was deeply affected by it. He immediately began seeing a therapist.”

According to his lawyer, there is no evidence that Majerczyk leaked any of the purloined pictures online. US prosecutors did not charge him with the distribution of the images. Meanwhile in October last year, Ryan Collins, 36, of Pennsylvania, was jailed for 18 months for stealing similar snaps from people’s accounts. Neither he nor Majerczyk have been directly accused of spreading the swiped selfies on the internet – a devastating leak that became known as The Fappening.

Majerczyk’s lawyer said his client was wracked with guilt and had had panic attacks since raiding his victims’ private files. Since it’s said that he didn’t upload the pictures to message boards, was a first-time offender, and pleaded guilty early, he received a relatively light sentence. Still, the judge wasn’t happy.

“The conduct is abhorrent,” said US district judge Charles Kocoras during this week’s sentencing hearing in Illinois. “It’s a very, very trying time that we live in.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/26/celebrity_nudes_thief_gets_nine_months/

Disk-nuking malware takes out Saudi Arabian gear. Yeah, wipe that smirk off your face, Iran

At least 15 Saudi government offices and private companies have been hit by another wave of attacks from Shamoon 2 malware that leaves hard drives completely erased.

Shamoon first surfaced in 2012, when it was used in a highly targeted attack against Saudi Aramco, the desert state’s oil company that pumps 10 per cent of the world’s crude. A new and updated version, dubbed Shamoon 2 or Disttrack, cropped up last year and again earlier this month, but the new attacks on Monday are more widespread than before.

Aramco is still in the malware herder’s sights, with Sadara Chemical, a joint venture firm owned by the company and Dow Chemical, confirming that it had taken a hit from the malware. It says the incident has now been contained and it is investigating. State media also reports the Saudi Arabian labor ministry has been hit.

The motive for the attacks isn’t known, but the malware is thought to be the creation of Iranian state-sponsored hackers. There is speculation that this latest Saudi infection might be retaliation for hacking against Iranian petrochemical facilities.

Between July and September, there was a series of incidents at Iranian facilities, including a days-long fire in July at the Bou Ali Sina Petrochemical Complex that caused $67m in damage. Brigadier General Gholam Reza Jalali, head of the Iranian cybersecurity division, said the damage was caused by hacking.

“The viruses had contaminated petrochemical complexes,” he told the state-run IRNA news agency. “Irregular commands by a virus may cause danger.”

If this latest attack on Saudi Arabia is retaliation, then it appears we could be seeing the first nation-to-nation cyberwar. Iran is at the cutting edge of this technology – having been the victim of Stuxnet, the first virus designed specifically to destroy its nuclear processing equipment.

As we saw with Stuxnet, the malware did appear in non-Iranian systems. If Shamoon 2 follows a similar path, a lot of computer users are going to face an unexpected disk wipe. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/26/shamoon_2_hits_saudi_arabian_targets/

Cisco WebEx code execution hole – what you need to know

The big security issue of the week is a remote code execution hole related to the Cisco WebEx service.

WebEx is a popular collaboration tool for online events such as meetings, webinars and videoconferences.

Like many services of this sort, you access online events via your browser, augmented by a special-purpose browser extension.

Browser extensions and plugins allow web developers to extend the software features inside your browser with a mixture of scripts and program code, for example to add configuration options or to support new audio and video formats.

Of course, when you add another layer of programmatic complexity on top of an already-complex browser, it’s easy to add new security holes, too.

Perhaps the best known example of a problematic plugin is Adobe Flash, which has provided cybercrooks with such a fruitful source of exploitable security holes over the years that we have long been urging you to try to live without Flash altogether.

The latest security scare of this sort has been dubbed CVE-2017-3823, and it applies to Cisco’s special-purpose WebEx browser extension.

In other words, if your organisation uses WebEx, you probably have the browser extension installed, and if you have it installed, you may be at risk.

According to Tavis Ormandy at Google’s Project Zero, who discovered and documented the bug, there are more than 20 million WebEx users worldwide.

So here is our quick checklist to help you decide what to do.

Q. What is the WebEx extension CVE-2017-3823 bug?

A. Opening a web link that contains a special “magic string” (cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html) automatically activates the WebEx extension inside your browser.

As part of this activation process, the web link can feed executable code to the WebEx extension (essentially, it can tell WebEx to run an arbitrary Windows program), which will run it automatically without any sort of “Are you sure” or “OK/Cancel” dialog.

That’s what is known as Remote Code Execution (RCE) or a drive-by install, one of the most serious sorts of vulnerability, commonly used by cybercriminals to break into your computer and plant malware on your network.

Q. Can I simply look out for the giveaway text of the magic string in my browser?

A. Not really.

If the booby-trapped WebEx URL were a regular clickable link, you would be able to hover over it before clicking on it and thus you could probably spot the subterfuge.

But a savvy attacker would embed the link in an invisible IFRAME, or activate it by a web script, in such a way that the RCE would be kicked off automatically and invisibly.

Q. Is this bug being actively exploited in the wild?

A. Not that we know of. [2017-01-25:23:59Z]

Q. Which browsers are affected?

A. According to Cisco, Internet Explorer, Chrome and Firefox on Windows are affected.

Microsoft Edge on Windows and all browsers on Mac and Linux are safe.

Q. Is there a patch from Cisco?

A. The most recent update for Chrome was Cisco WebEx extension 1.0.5.

This update added various mitigations to the Chrome extension so that the magic string trick only worked automatically if the URL was hosted on a server with a name that ended in webex.com or webex.com.cn.

Any other attempt to use the magic string in any other URL was blocked until the user answered an “OK/Cancel” dialog.

However, as at 2017-01-25T23:59Z, Cisco’s official Security Advisory page has reverted to stating:

[N]o fixes are currently available. Previous release of the WebEx Plugin for Chrome version 1.0.5 was incomplete.

Q. What can I do while I wait for a fix?

A. Using Microsoft Edge on Windows or any browser on Mac or Linux will shield you from this bug because it doesn’t apply on those platforms.

You can also turn off WebEx support in your browser temporarily, thus preventing the Cisco extension or add-on from activating unexpectedly.

In Internet Explorer 11, click on the Tools cog in the top right corner and choose the Manage add-ons option:

Select the Cisco WebEx LLC add-on and choose Disable to turn it off:

In Chrome, click on the vertical three dots in the top right corner and choose the Settings option:

Go to the Extensions pane and untick the Enabled box to turn off the Cisco WebEx extension:

Q. Can I block the magic string in my web filter?

A. Many web filtering products, such as the Sophos UTM, can be configured to block access to any URL that includes the magic string that activates the WebEx extension:

cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html

This will provide an additional layer of protection on top of disabling the buggy extension in your browser, until a full patch is available from Cisco.

(If you rely on WebEx in your business, remember that blocking the magic string in your web filter for all users will also stop Mac, Linux and Edge browsers from connecting to WebEx, which may not be what you want.)
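The two mitigations described above, the 1.0.5 extension's host allow-list and the web-filter rule on the magic string, can be combined into one URL check so that legitimate WebEx traffic still passes while the magic string on any other host is flagged. The following is an added example written for this page; it is not Cisco's or Sophos's code, and the proxy log lines it scans are constructed. The classification it applies (magic string present, then hostname checked against the webex.com / webex.com.cn suffixes) follows the behaviour the article attributes to extension 1.0.5; how that check is written internally is an assumption.

```python
from urllib.parse import urlsplit

# The magic string quoted in the article (CVE-2017-3823).
MAGIC_STRING = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Hostname suffixes the article says extension 1.0.5 treated as legitimate.
TRUSTED_SUFFIXES = ("webex.com", "webex.com.cn")


def contains_magic_string(url: str) -> bool:
    """True if the magic string appears anywhere in the URL, case-insensitively."""
    return MAGIC_STRING in url.lower()


def is_trusted_webex_host(url: str) -> bool:
    """Compare the parsed hostname (not the raw URL text) against the allow-list.

    A naive url.endswith("webex.com") would be satisfied by a path or query
    string that merely contains the text, and a bare host.endswith("webex.com")
    would accept "notwebex.com"; so the check is done on label boundaries of
    the hostname only.  (Assumption: this is how such a check should be
    written, not a description of Cisco's implementation.)
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_url(url: str) -> str:
    """'allow'   -> no magic string, nothing to do
       'trusted' -> magic string on a webex.com / webex.com.cn host (normal use)
       'block'   -> magic string on any other host (drive-by attempt: block and alert)
    """
    if not contains_magic_string(url):
        return "allow"
    return "trusted" if is_trusted_webex_host(url) else "block"


# Constructed sample proxy log: "<timestamp> <client> <url>" per line. Not real traffic.
SAMPLE_LOG = """\
2017-01-25T10:00:01Z 10.0.0.5 https://meetings.webex.com/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
2017-01-25T10:00:07Z 10.0.0.9 http://example.invalid/pages/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
2017-01-25T10:00:09Z 10.0.0.9 http://example.invalid/index.html
2017-01-25T10:00:12Z 10.0.0.7 http://webex.com.example.invalid/CWCSF-NATIVEMSG-IFRAME-43C85C0D-D633-AF5E-C056-32DC7EFC570B.HTML
"""


def scan_log(log_text: str) -> list:
    """Return (client, url, verdict) for every line whose verdict is not 'allow'."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, url = parts
        verdict = classify_url(url)
        if verdict != "allow":
            findings.append((client, url, verdict))
    return findings


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:8} {client:10} {url}")
```

The fourth sample line shows why the hostname comparison has to respect label boundaries: `webex.com.example.invalid` is not under `webex.com`, and the upper-cased magic string still matches. A filter that only does the first test (any URL containing the magic string) is the blanket rule the article warns will also cut off Mac, Linux and Edge users; the allow-list step is what lets genuine WebEx sessions through.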

Q. How will I know when Cisco delivers a usable fix?

A. Keep your eye on Cisco’s cisco-sa-20170124-webex advisory page.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XBY4vnKgI4U/

Trump lieutenants ‘use private email’ for govt work… but who’d make a big deal out of that?

Senior members of the Trump administration have been accused of blatant hypocrisy after it was revealed they are continuing to use personal email accounts.

Key advisors to the president, Kellyanne Conway and son-in-law Jared Kushner, as well as press secretary Sean Spicer and chief strategist Steve Bannon, all have accounts on the Republican Party’s rnchq.org domain, and are continuing to use them in addition to their official government accounts, according to Newsweek.

It’s not known whether the top lieutenants are using the accounts to discuss White House business outside official channels, but the fact that the accounts exist and are being used is remarkable in the face of what was one of the most persistent attacks by the same group on presidential candidate Hillary Clinton – that she had used a personal email system to carry out government business.

In Clinton’s case, the Trump campaign made huge play of the fact that over 30,000 emails on the personal server were not handed over to a Congressional committee looking into the affair, with President Trump often leading chants of “lock her up.” Ultimately, no action was taken against Clinton.

We note that the same rnchq.org domain was used by members of the Bush Administration, who were heavily criticized for having “lost” no fewer than 22 million emails when asked to hand them over to the presidential archives. It is also strongly suspected that the same domain and email server were compromised by Russian hackers during the presidential campaign.

There is nothing illegal in White House staffers using personal email accounts, but they are expected to forward any that pertain to official business to their official government account within 20 days so they can be archived. The Obama Administration set firm guidelines on the use of such accounts, with staffers told to ensure, as far as possible, to only use official accounts for work purposes.

There are, basically, two issues at play here. One, it’s feared private systems are more open to attack by hackers, and two, work carried out for or on behalf of the American public must be open to public scrutiny, not locked away on secret servers.

Whether the current crop of White House staff has decided to be as conscientious or whether they consider email policy to be another of the official policies they are not obliged to follow, only time will tell. Either way, it is just one more ethical concern laid at the doors of the new administration. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/25/trump_lieutenants_using_private_email_addresses/

Data Breaches Exposed 4.2 Billion Records In 2016

The 4,149 data breaches reported in 2016 shattered the all-time high of nearly 1 billion exposed records in 2013.

Over the past year, 4,149 data breaches compromised more than 4.2 billion records, shattering the previous all-time high of about 1 billion exposed records in 2013.

This finding comes from the 2016 Data Breach QuickView report, released January 25 by Risk Based Security (RBS). Researchers discovered the number of data breaches was fairly consistent between 2015 and 2016, but their severity skyrocketed. 

In 2016, there were 94 reported incidents exposing at least one million records each, and 37 incidents exposing ten million or more records. Compared with 2015, this marks an increase of 63% and 105%, respectively.

It didn’t take many breaches to compromise a record-breaking amount of customer information. The top ten breaches of 2016, which included nine hacks and one web breach, led to the exposure of a combined three billion records.

RBS discovered businesses accounted for 51% of reported breaches, surpassing unknown (23.4%), government (11.7%), medical (9.2%), and education (4.7%) industries. Most (80.9%) exposed records also came from the business sector.

The number of breaches by industry sector roughly corresponds with economic activity, explains Inga Goddijn, EVP of Risk Based Security. RBS has the largest central collection of publicly disclosed breaches, she continues, which provides a broad view into where incidents happen.

“What our data shows is that really, no industry is immune to data loss,” Goddijn says. “Any organization that has sensitive data — which is every organization with employees or confidential business information — can be a target.”

Findings from the RBS data breach study are supported by further research from the Online Trust Alliance (OTA), which today released its 2017 Cyber Incident Breach Response Guide. “Cyber incident” encompasses events including corporate data loss, ransomware, unreported breaches, and incidents not involving covered information.

OTA concluded there were about 82,000 cyber incidents in 2016, affecting 225 organizations around the world each day. However, given that the majority of cyber incidents go unreported, it believes the actual number of annual events could exceed 250,000.

Businesses can learn from the consequences of high-profile attacks. Aside from financial loss, organizations are vulnerable to security threats and reputational damage. The OTA report cites research from the Internet Society, which discovered 59% of users would likely not do business with a company that had suffered a data breach.

While some incidents are unavoidable no matter how strong your security, many can be stopped with the right measures. OTA found more than 90% of cyber incidents could have been prevented.

The threat of data breaches will continue to grow so long as hackers’ motivations remain the same, says Goddijn.

“As long as there is money to be made out of unauthorized access and data theft, malicious actors will continue to refine and improve their attack methods,” she explains. “The wave of targeted phishing scams, seeking W2 details, that took place early in the first part of the year is a good example.”

Phishing is not a new business threat, she says, but scammers successfully refined their approach by targeting HR personnel during the height of tax data preparation season. More than 100 companies and their employees were victims of this type of attack, which led to data being used in fake tax return schemes.

“Early indications look as if we might see a repeat of this in 2017,” Goddijn notes. “We’ve already captured half a dozen such events this year and expect more to follow in the coming months.”

While it’s difficult to predict the future, Goddijn is “certain” data breaches will continue. It’s no longer enough for businesses to solely focus on prevention.

“Given where we are with the state of breach activity today, organizations need to also be thinking about response and recovery as integral components of security management,” she says.


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/attacks-breaches/data-breaches-exposed-42-billion-records-in-2016/d/d-id/1327976?_mc=RSS_DR_EDT

Google Removes Ransomware-Laden App From Play Store

Incident is believed to be first time threat actors have snuck ransomware into Google’s official mobile app store.

A ransomware sample that was recently discovered embedded in an Android application on Google Play Store suggests that threat actors may have found a dangerous new way to get extortion malware on mobile devices.

The malware, dubbed Charger, is believed to be the first instance of ransomware being successfully uploaded to Google’s official mobile application store. So far there have been no reported incidents of similar uploads on Apple’s App Store.

Security vendor Check Point Software found Charger embedded in an Android battery-saving app called EnergyRescue when inspecting a quarantined device belonging to an employee of one of its enterprise clients.

Google has since purged the rogue application from Play Store so it no longer poses a threat to Android users. Still, the incident is a reminder that official mobile app stores, while considered much safer than third-party stores, are not immune from security risks and that enterprise users downloading apps from such stores cannot automatically assume the software will be malware free.

In an alert, Check Point described Charger as malware designed to surreptitiously steal SMS messages and contact information from an infected device, lock up the device, and then demand a ransom in return for unlocking it.

The extortion note threatened victims that all personal data extracted from their phone would be sold to cybercriminals if they didn’t pay a ransom of 0.2 Bitcoin, or around about $180. The note reassured victims that their locked files would be restored after payment was received and warned them that it was futile to power off and restart their phone.

“TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc…,” the note said.

The ransom amount that the authors of Charger want is considerably higher than the $15 ransom demanded by those behind DataLust, another recent and prolific Android ransomware sample that targeted users of porn apps, Check Point security researchers Oren Koriat and Andrey Polkovnichenko wrote.

Malware previously uploaded to Google Play typically only contained a dropper for downloading the real payload from elsewhere on victim devices. EnergyRescue, on the other hand, contained all the malicious code for Charger with it, making it bulky and somewhat easy to spot, the researchers said. So in order to compensate, the authors of the malware employed multiple advanced techniques to evade detection, they added.

For example, the malware encoded strings into binary arrays making it harder for researchers to inspect them. The malware also dynamically loaded code from encrypted resources, preventing detection engines from inspecting it. Charger also checked to see if it was being run in an emulator before beginning malicious activity.

In a statement, a Google spokesman thanked Check Point for noticing the problem and disclosing it. “We’ve taken the appropriate actions in Play, and will continue to work closely with the research community to help keep Android users safe,” the statement noted.

Like Apple, Google has implemented a variety of measures over the past several years to prevent people from uploading malicious and potentially harmful apps to Play Store. The company uses a combination of automated and manual inspections and ratings systems to vet applications for security issues before permitting them to be uploaded.

Google also has a Google Play App Security Improvement (ASI) program under which it offers guidance to help developers avoid common security pitfalls so their apps cannot be maliciously exploited. Earlier this month, Google claimed that the ASI program has helped about 90,000 Android app developers fix security problems in some 250,000 apps over the past few years.

The fact that attackers are still able to upload malware like Charger indicates that even such measures as an ASI are not always enough.

“This incident indicates that attackers are getting better in developing and employing advanced evasion techniques that manage to bypass the ever improving security measures,” says Daniel Padon, a security researcher at Check Point.  

“Users should not rely on official app stores as their sole protection against malware,” he says. They should also consider other measures such as threat emulation and detection, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/mobile/google-removes-ransomware-laden-app-from-play-store/d/d-id/1327977?_mc=RSS_DR_EDT

Kaspersky Lab Incident Investigations Head Arrested In Russia For ‘Treason’

Security firm says the case doesn’t affect its computer incidents investigation operations.

Kaspersky Lab confirmed today that one of its top cybersecurity investigators was arrested in December in Russia, reportedly amid charges of treason.

News of the arrest of Ruslan Stoyanov, head of Kaspersky Lab’s computer incidents investigations unit, as well as Sergei Mikhailov, deputy head of the information security department at the FSB, first came via Kommersant, a Russian economic newspaper, and word later spread to US news media outlets.

Stoyanov, who had been with Kaspersky Lab since 2012, led the firm’s cybercrime investigation that ultimately led to the 2016 arrests of 50 members of the so-called Lurk cybercrime gang that stole more than $45 million from Russian financial institutions. The case was said to be Russia’s largest-ever crackdown on financial cybercrime.

Stoyanov’s arrest sent a chill throughout the security research community, with speculation by some that his cybercrime investigative efforts may have somehow gotten a little too close to Russian nation-state hacking efforts. Russian hacking has been in the spotlight since the US intelligence community published an unclassified report that concludes Russia – under the direction of Vladimir Putin – attempted to influence the US presidential election via hacks and leaks of data from the Democratic National Committee and Clinton campaign manager John Podesta.

According to Kaspersky Lab, the nature of Stoyanov’s arrest predates his employment with the security firm. “The case against this employee does not involve Kaspersky Lab. The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab,” the company said in a statement.

Stoyanov, a former head of network security for Russian ISP OJSC RTComm.RU, also was with Ministry Of Interior’s Moscow-based Cyber Crime Unit in the early 2000s.

Security experts say his arrest underscores the sometimes-blurred lines between Russian cybercrime gangs and cyber espionage activity. “I think he flew too close to the sun as his recent investigations more than likely unearthed elements of the Pawn Storm campaign,” says Tom Kellermann, CEO of Strategic Cyber Ventures. “This is a red flag to all security vendors who expose the nexus between the cybercriminal conspiracies and the Russian cyberespionage campaigns.”

Pawn Storm, aka Fancy Bear and APT 28, was one of the Russian state hacking groups implicated in election-related hacks against the US.

Researcher Business As Usual

While Kaspersky Lab said it had no information of the “details of the investigation” of Stoyanov and that no official information had been released by the Russian government on the case, the company also maintained that the arrest would not affect its current or future research into Russian cyber activities.

The company said that “as an IT security company, Kaspersky Lab is determined to detect and neutralize all forms of malicious programs, regardless of their origin or purpose.”

For now, Stoyanov is officially suspended from his post at Kaspersky Lab, according to the company. “The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.”

Stoyanov in 2015 authored a detailed report for Kaspersky Lab on how Russian financial cybercrime works. The report notes how the risk of prosecution is low for Russian-speaking cybercriminals: “The lack of established mechanisms for international cooperation also plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation,” he wrote.

“Kaspersky Lab is doing everything possible to terminate the activity of cybercriminal groups and encourages other companies and law enforcement agencies in all countries to cooperate,” he wrote.

Aleks Gostev, chief security expert for Kaspersky Lab’s Global Research and Analysis Team, in a tweet today said that Stoyanov “never worked with any APT stuff,” dismissing some online speculation that the arrest was somehow related to cyber espionage research.

He tweeted that the case wouldn’t stop the security firm from its work. Kaspersky Lab is “an international team of experts. It’s impossible to prevent us from releasing data.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/threat-intelligence/kaspersky-lab-incident-investigations-head-arrested-in-russia-for-treason--/d/d-id/1327979?_mc=RSS_DR_EDT

Twitter’s Phantom Menace: a Star Wars botnet

Most Twitter users are familiar with them: followers with odd names and avatars, following far more accounts than follow them back. They are automated fake accounts, known as bots.

People often dismiss them as harmless clutter. But one UK researcher thinks there may be more here than what we see on the surface – a Phantom Menace, if you will. (Cue the John Williams Star Wars film score…)

The bots are with you

Juan Echeverria, a computer scientist at UCL, has published a paper on a network of 350,000 Twitter bots he calls the Star Wars botnet. Some of the accounts are used to fluff up follower numbers, send spam and boost interest in trending topics. From the paper:

A large number of Twitter users are bots. They can send spam, manipulate public opinion, and contaminate the Twitter API stream that underlies so many research works. One of the major challenges of research on Twitter bots is the lack of ground truth data. Here we report our discovery of the Star Wars botnet with more than 350k bots. We show these bots were generated and centrally controlled by a botmaster. These bots exhibit a number of unique features, which reveal profound limitations of existing bot detection methods.

He said the work has significant implications for cybersecurity, not only because the size of the botnet is larger than those studied before, but also because it’s been well hidden since its creation in 2013. He said more research is needed to fully grasp the potential threat such a large, hidden botnet poses to Twitter.

His research began by sifting through a sample of 1% of Twitter users to better understand how people use the medium. But along the way, the research seemed to reveal many linked accounts, which means an individual or group is running the botnet. These accounts didn’t behave like the more garden-variety bots out there.

Scum and villainy?

In the report, he describes what his team saw as the work unfolded:

Although the tweet distribution is largely coincident with the population distribution, there are two rectangle areas around North America and Europe that are fully filled with non-zero tweet distributions, including large uninhabited areas such as seas, deserts and frozen lands. These rectangles have sharp corners and straight borders that are parallel to the latitude and longitude lines. We conjectured that it shows two overlapping distributions. One is the distribution of tweets by real users, which is coincident with population distribution. The other is the distribution of tweets with faked locations by Twitter bots, where the fake locations are randomly chosen in the two rectangles – perhaps as an effort to pretend that the tweets are created in the two continents where Twitter is most popular. The blue-color dots in the two rectangles were attributed to 23,820 tweets. We manually checked the text of these tweets and discovered that the majority of these tweets were random quotations from Star Wars novels. Many quotes started or ended with an incomplete word; and some quotes have a hashtag inserted at a random place.

For example:

Luke’s answer was to put on an extra burst of speed. There were only ten meters #separating them now. If he could cover t

That passage is from the book Star Wars: Choices of One. Echeverria and his colleagues found quotations from at least 11 Star Wars novels.

Here’s a wider look at the Force-infused activities:

  • They only tweet random quotations from the Star Wars novels.
  • Each tweet contains only one quotation, often with incomplete sentences or broken words at the beginning or at the end.
  • The only extra text that can be inserted in a tweet is (1) special hashtags that are associated with earning followers, such as #teamfollowback, and (2) the hash symbol # inserted in front of a randomly chosen word (including stop words, like "the" and "in") in order to form a hashtag.
  • The bots never retweet or mention any other Twitter user.
  • Each bot has created ≤ 11 tweets in its lifetime.
  • Each bot has ≤ 10 followers and ≤ 31 friends.
  • The bots only choose ‘Twitter for Windows Phone’ as the source of their tweets.
  • The user IDs of the bots are confined to a narrow range between 1.5 × 10^9 and 1.6 × 10^9. See Figure 7.
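The fingerprint above is easy to turn into a triage rule. The following is an added example, not code from the article or from Echeverria's team: it scores a constructed account record against the listed traits (user-ID band, tweet/follower/friend counts, Windows Phone source, no retweets or mentions, follow-back tags, a hashtag dropped into the middle of a sentence). The field names and the threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Values below come from the reported fingerprint; the stop-word list,
# record layout and threshold are constructed for this example.
BOT_ID_MIN, BOT_ID_MAX = 1_500_000_000, 1_600_000_000
FOLLOWBACK_TAGS = {"#teamfollowback"}
BOT_SOURCE = "Twitter for Windows Phone"
# A '#' placed in front of a word that sits between two ordinary
# lowercase words ("ten meters #separating them") is a strong tell.
MID_SENTENCE_TAG = re.compile(r"\b[a-z]+ #[A-Za-z]+ [a-z]+\b")


@dataclass
class Account:
    user_id: int
    statuses_count: int
    followers_count: int
    friends_count: int
    tweets: list  # each a dict with "text" and "source" keys (assumed layout)


def has_odd_hashtag(text: str) -> bool:
    """True if the tweet carries a follow-back tag or a hashtag spliced mid-sentence."""
    tags = {t.lower() for t in re.findall(r"#\w+", text)}
    return bool(tags & FOLLOWBACK_TAGS) or MID_SENTENCE_TAG.search(text) is not None


def star_wars_traits(acct: Account) -> dict:
    """Evaluate each fingerprint trait independently so analysts can see which fired."""
    texts = [t["text"] for t in acct.tweets]
    return {
        "id_in_band": BOT_ID_MIN <= acct.user_id <= BOT_ID_MAX,
        "few_tweets": acct.statuses_count <= 11,
        "few_followers": acct.followers_count <= 10,
        "few_friends": acct.friends_count <= 31,
        "windows_phone_only": bool(acct.tweets)
        and all(t["source"] == BOT_SOURCE for t in acct.tweets),
        "no_interaction": bool(texts)
        and all(not s.startswith("RT ") and "@" not in s for s in texts),
        "odd_hashtags": any(has_odd_hashtag(s) for s in texts),
    }


def botnet_score(acct: Account) -> int:
    """Number of traits matched; 7 means every listed trait fired."""
    return sum(star_wars_traits(acct).values())


def is_likely_star_wars_bot(acct: Account, threshold: int = 6) -> bool:
    return botnet_score(acct) >= threshold
```

Scoring traits separately rather than hard-matching all of them keeps the rule useful once the operator tweaks one field, such as the tweet source.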

Echeverria and his fellow researchers have started a website and Twitter account called “That is a bot!” where people can report samples and help to raise awareness of how prevalent they are.

May The Force Be With You.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M3RB3SYwpo4/

China clamps down tighter on web use with new VPN ban

The Chinese government has announced new restrictions on operating VPNs that in effect make it illegal to offer them without approval to anyone other than large organisations.

The officials who run the so-called Great Firewall of China have been experimenting with VPN-blocking for a couple of years, but this is the first time a formal legal clampdown has been put into effect.

VPNs are a popular way for users who want to bypass internet restrictions to create an encrypted tunnel between their computer and the site they want to visit that filtering systems in between can’t scrutinise.

In practice, the restrictions running from now until March 31 2018 will mainly test the small coterie of providers that offer connections to people trying to bypass the restrictions to reach a long list of foreign sites, including Google, Facebook, Twitter, and every dictator’s biggest peeve, the New York Times.

The best-known providers include VyprVPN (Golden Frog), StrongVPN, Astrill, and ExpressVPN, all of which are based outside China. This raises the obvious question of how China can stop them.

Presumably, the answer is either by detecting their activity through the firewall or by strong-arming China’s myriad smaller ISPs to stop turning a blind eye to the traffic and get filtering. Whether this will actually work is difficult to assess.

VyprVPN already advertises its Chameleon VPN, which claims it “scrambles OpenVPN packet metadata to ensure it’s not recognizable via deep packet inspection (DPI)”. OpenVPN is the open-source alternative to the PPTP and L2TP/IPSec protocols.

With the effect on providers uncertain – disruption has been reported but it’s hard to say how much – this could be another case of a cat chasing an unexpectedly large mouse.

According to Golden Frog’s co-CTO, Phil Molter: “China has targeted VPN providers in the past but VyprVPN has been able to quickly and effectively update our service to defeat these blocks.”

Couldn’t Chinese users get hold of the Tor browser, or an equivalent such as I2P or Freenet?

Unfortunately, the Great Firewall’s deep-packet inspection also appears to probe for traffic patterns that betray these encrypted connections. When it finds one, it tries to talk to the entry or bridge relay and if it succeeds, it whacks another mole – the relay is blocked.

At least, this description approximates what is known about how Tor is blocked in China, which doesn’t exactly go out of its way to explain any of this.

More concerning is that China sees the relatively small number of people using VPNs as an issue in the first place. Sources suggest that the issue could be sensitivity about political rumours connected to Communist Party officials that might be circulating.

The VPN clampdown comes only days after China announced a similar tightening of restrictions on mobile app stores, which must now register with the country’s Cyberspace Administration.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yVhwjiwV5oU/

Verizon’s $4.8bn acquisition of Yahoo put on hold after breach revelations

You might give quite a lot not to be in Yahoo!’s shoes just at the moment. Following the revelation in December of a second huge security breach in which a billion accounts were compromised, not only is it under investigation by the Securities and Exchange Commission (SEC) in the US but its acquisition by Verizon is going to be delayed.

It’s worth stressing, even if only to allay the fears of any onlooking lawyers, that there does not appear to be any suggestion that the deal will not go ahead. It’s not happening in the original time frame, however.

The idea was that Yahoo! would sell its core internet operation to Verizon for $4.8bn. It was supposed to happen in the first quarter this year but is now likely to take place in Q2, according to Yahoo!.

The sticking point has to have something to do with Yahoo! admitting to a billion accounts being compromised last month. The SEC is obviously interested in this and in the breach earlier in the year, but it’s even more interested in the notion that it took the company three years to make the issue public.

There isn’t any legal obligation or time frame for companies to release information when there has been a breach like this, but the SEC was already looking into Yahoo! because of a hack in 2004 that wasn’t publicised until November last year.

All of which has to raise the questions: is it just Yahoo! that hasn’t disclosed large-scale hacks – and if not, how many more historical breaches of security are out there and damaging people right now, without the companies involved having disclosed it?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/K4ERhvtbPKc/