STE WILLIAMS

California DMV Leak Spills Data from Thousands of Drivers

Federal agencies reportedly had improper access to Social Security data belonging to 3,200 license holders.

The California Department of Motor Vehicles has confirmed that Social Security data belonging to 3,200 driver’s license holders was improperly accessed by federal agencies, including the Department of Homeland Security, Internal Revenue Service, Small Business Administration, and district attorneys in San Diego and Santa Clara counties, the Los Angeles Times reports.

Over the past four years, seven agencies could query drivers’ Social Security data, including whether or not an individual had a Social Security number. Some of this information was accessed in the course of investigations into tax law compliance or criminal activity, the report states. Affected license holders were notified this week if their data had been exposed.

DMV officials identified the improper access on August 2 during a legal compliance review and revoked the agencies’ ability to obtain the data. The DMV said the agencies did not need to hack its systems to get the information, and that the information was not shared with private citizens.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/california-dmv-leak-spills-data-from-thousands-of-drivers/d/d-id/1336284?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Social Media: Corporate Cyber Espionage’s Channel of Choice

Proactive defense and automation can help your company deal with scale and prioritize risks in order to more efficiently fight cyber espionage.

The number of corporate espionage attacks is increasing. From advanced persistent threat attacks siphoning off proprietary research and intellectual property to fake social media accounts used for social engineering attacks to launch malware, enterprises’ valuable information and trade secrets are being compromised.

Corporate espionage tactics have evolved with the digital revolution; criminals no longer need to break into a physical building to steal a company’s crown jewels. The threat landscape for businesses has expanded alongside the adoption of new social media and digital channels. Social media platforms and channels have now become business essentials, and bad actors have taken notice.

Many of these social media platforms lie outside the traditional cybersecurity perimeter, enabling bad actors to reach an individual’s, enterprise’s, or government’s information without tripping traditional network security controls. For example, credible reports show that WeChat has been involved in cyber espionage campaigns, with the Chinese government using the platform to collect intelligence, monitor activity, and recruit potential spies. Beijing has even developed Trojan spyware for distribution through WeChat, and the app has been used as a backdoor to hijack users’ phones.

We’ve also seen damaging corporate cyber espionage campaigns conducted through LinkedIn. Last December, Operation Sharpshooter was found to be targeting nuclear, defense, energy, and financial companies, with the ultimate goal of penetrating security defenses and stealing intellectual property. One way the bad actors behind this campaign approached their targets was by posing as job recruiters and using messaging apps for outreach. The Iranian-linked APT34 group recently ran a similar campaign through LinkedIn: attackers phished employees in target industries with malicious documents delivered through LinkedIn messages, and used the resulting access to collect industry insider information and data.

These threats are so severe that this summer the FBI warned government contractors that foreign intelligence officers may target them through social media to gather information and conduct espionage campaigns.

Why There Is More Risk for Cyber Espionage Through Social Media

People are more trusting online. The risks that email poses to businesses are well established: companies regularly train employees to recognize phishing emails, run monitoring systems, and send simulated phishing to test staff. User behavior on social media is different; people tend to trust more and overshare. Without proper awareness and security measures in place, it is easier for an attacker to use social engineering to target victims with personalized attacks.

Expanded attack surface creates gaps in cyber defense

Social media platforms lie outside the traditional cybersecurity perimeter. This is problematic because security and compliance teams have limited visibility into the social channels that employees are using. Even if they block channels such as Facebook at the firewall, employees can get around that by logging in on their phones.

Attacks are difficult to detect

Many enterprises lack visibility into the accounts and pages that extend their attack surface. If an employee’s personal LinkedIn account is compromised because that person clicked a malicious link in the mobile app, the attacker gains a foothold that can be used to move into the company’s network, and the security team may have no indication that anything happened. From there the attacker could siphon off trade secrets without detection.

Steps to Combat Corporate Espionage and Mitigate Risks

Gain visibility into known and unknown social media assets

You can’t protect what you can’t see. The first step is to gain full visibility into your organization’s assets. Identify every brand account, including both accounts and pages for the company, individual departments, executives, and personnel. A clear inventory of social pages and accounts will clarify your company’s potential attack surface.

Establish control over brand assets

After you’ve brought your social media assets under your protection, establish control. A robust cybersecurity strategy starts with the principle of least privilege, by which users only have access to the systems and data that are necessary for their jobs. The same principle should apply to social media.

Respond to threats in real time

Conflict can escalate in seconds on social media. Whether an attacker attempts to take over a Twitter account, a botnet is summoned to downvote videos on YouTube, or a bad actor steals an employee’s credentials to gain access to other channels, you need a response procedure that contains the attack before it does damage. Real-time detection of malicious content or account takeover is the first step. Ensure you can lock down accounts, quarantine malicious content, or revert account profiles when a compromise happens.

Protect assets with a proactive defense

Your enterprise should proactively monitor cyber threats or risks to your brand from bad actors and imposter accounts. This includes scanning the Dark Web and searching in overlooked areas such as app stores and e-commerce sites.

Businesses must extend their perimeter to include social media, which remains invisible to most security teams. To make it happen, you’ll need a way to monitor every bit of information that leaves your business through both private and public channels. Your goal is to reduce risk and mitigate attacks before they start.

Often the biggest challenge is coping with the scale of risks. Social media is vast. It’s impossible for administrators to monitor every post, share, like, and response manually. It’s imperative you know immediately when something’s amiss and can take action quickly with automation. Finding out your credentials were compromised yesterday is too late.

Proactive defense and automation can help your teams cope with scale and prioritize the risks that matter to stop cyber espionage.


Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How HR and IT Can Partner to Improve Cybersecurity.”

As the President, CTO, and Co-Founder of SafeGuard Cyber, Mr. Freire is responsible for the development and continuous innovation of SafeGuard Cyber’s enterprise platform, which enables global enterprise customers to extend cyber protection to social media and digital …

Article source: https://www.darkreading.com/vulnerabilities---threats/social-media-corporate-cyber-espionages-channel-of-choice/a/d-id/1336250?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What a Security Products Blacklist Means for End Users & Integrators

A recent US Commerce Department blacklist of several Chinese entities leaves a looming question: What happens if your products are now prohibited?

Steve Surfaro wants to make something clear: The recent blacklisting by the US Department of Commerce of several Chinese technology companies is what he calls “an absurd overreaction” — and one that will impact technology markets for years to come.

“The black eye that [artificial intelligence] has suffered is probably one of the worst,” says Surfaro, reacting to a move last month in which 28 organizations – including eight technology providers – were placed on a US government entities list. “We won’t realize until we start seeing the amount of money that investors are spending on AI overseas, in India, Israel, mainland China, Hong Kong, but not in the United States. Some of these are AI IPOs and are going to say, ‘Thanks, but we will take our business elsewhere.'”

The entity list bars the companies included from buying parts and components from US firms without US government approval. Although the listing is not an outright embargo, the companies were added because the Trump administration accuses them of involvement in human rights violations against Muslim minorities in China’s far-western region of Xinjiang.

Among the companies named are two of the world’s largest video surveillance manufacturers, Hikvision and Dahua Technology, and several startups that specialize in AI, voice recognition, and data. The US government accuses them all of playing a role “in the implementation of China’s campaign of repression, mass arbitrary detention and high-technology surveillance,” the Commerce Department filing states. For Hikvision and Dahua, the entity listing comes on top of a 2017 ban that already prohibits federal agencies from purchasing their products.

In recent years, the US has banned a variety of popular technology products on the basis that they might pose threats to national security. In September 2017, the administration ordered the removal of all Kaspersky Lab products from federal systems, citing concerns that the Kremlin could influence the Russian cybersecurity company. This May, the US government prohibited the use of Huawei technologies, citing national security concerns over the tech giant’s alleged ties to China’s government and intelligence apparatus. Huawei currently offers a broader range of technology products than almost any other company.

These prohibitions complicate life for IT and physical security professionals, especially those with government contracts, who must weigh the security risk of continuing to use these products against the cost and risk of removing them. A complex international supply chain also makes it hard to be sure that no affected component is present.

Surfaro, an Arizona-based independent security consultant and chairman of the Public Safety Working Group for the Security Industry Association (SIA), says regardless of where one’s political standpoint on the issue lies, the move leaves many organizations who use equipment from the listed companies reeling and trying to understand what it may mean for their security strategies going forward.

“This is significant for a lot of K-12 schools that rely on government funding for their security,” he says. “And this does make a difference for small industries doing cutting edge things with AI.”

Questions About Supply Chain Security Now in Play
Danielle VanZandt, an analyst specializing in security, aerospace, and defense for Frost & Sullivan, says Dahua’s and Hikvision’s positions within the overall global digital surveillance market make their blacklisting something of a shock, with the immediate effect of raising significant questions among US partners, end users, and supply chain partners about the state of the security products supply chain.

“I think much of the market would prefer tensions to settle in order for supply chains to figure out what the new normal is,” she says. “There was never an opportunity to understand what the 2017 ban meant for security supply chains, and now with this 2019 blacklisting, supply chain participants need to work together to strategize with how best to proceed.”

VanZandt notes that neither Dahua nor Hikvision has ever treated the US as a primary market, despite the country being the largest market for security products. Both vendors have a solid customer base at home, and their growth in other regional markets, including the Middle East, Asia, and Europe, is enough to offset any economic effect of the blacklisting. For other vendors on the list, however, it could prove damaging.

“Seeing how the blacklist hits the start-up vendors who were included could give us key insights into this over the next few months,” she says.

The Path Forward if You’re Impacted
What if you are using products from an impacted entity? The instructions for how to proceed are murky. VanZandt says she only recommends rip-and-replace to end users who were already considering updates to their systems. It is unnecessary to incur the huge expense that a total system replacement would require based solely on the blacklist. However, she does not recommend that end users or systems integrators just “hope for the best” either when it comes to the security products they are using. The list could present an opportunity for a fresh evaluation of systems in place.

“I think this is a great opportunity for end users to take stock of their data security policy when it comes to their surveillance systems and identify any potential security vulnerabilities,” VanZandt says. “If that does involve potentially replacing equipment, then it will then be their prerogative to take next steps with their integrator partners.”  

Adds Surfaro: “You will likely have to stay the course and keep using this equipment if you have it. You don’t have a choice. If you rip and replace, you screw yourself two ways: What you buy is going to cost you more, and, two, your budget to buy is probably going to be less. It’s a lose-lose.”



Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/what-a-security-products-blacklist-means-for-end-users-and-integrators/b/d-id/1336288?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Announces App Defense Alliance

The industry partnership will scan apps for malware before they’re published on the Google Play Store.

Google, in partnership with ESET, Lookout, and Zimperium, has announced the creation of the App Defense Alliance, which intends to analyze apps for security before they can be published on the Google Play Store.

According to a blog post announcing the alliance, the Google Play Protect detection systems will be integrated with each partner’s scanning engine. Google wrote that it “hand-picked these partners” based on their success and technology and will use the combination of machine learning and static/dynamic analysis to detect malicious or abusive behavior in new apps.

Any App Defense Alliance partner can send an app analysis request to the Google Play Protect scanner service. The results of that scan will then be sent back to the requesting partner for further analysis. Decisions on publication or quarantine will be based on the combination of intelligence.




Article source: https://www.darkreading.com/mobile/google-announces-app-defense-alliance/d/d-id/1336289?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Founders of ‘worthless cryptocurrency’ ATM Coin fined over $4.25m scam

The US Commodity Futures Trading Commission (CFTC) on Friday announced that it’s fining the founders of a “worthless cryptocurrency” that ran a $4.25m, so-called “binary options” scam involving a virtual currency known as ATM Coin.

Their pie-in-the-sky financial promises were rigged with software that put a finger on the scale to tip it away from a customer’s chance to make a profit on their binary-options gamble. Add a dollop of “Let’s stash your money in St. Kitts and Nevis where it’s conveniently tough to trace funds,” and the equation balances out to that $4.25m fine for fraud and misappropriation of client funds.

Binary options pay out a fixed amount if a yes/no proposition about an asset’s price comes true by a set time, and nothing otherwise. See below for the CFTC’s detailed explanation of how they work. TL;DR: suffice it to say that these financial contracts tend toward the slimy, right along with initial coin offerings (ICOs).

Facebook banned ads for both ICOs and binary options back in 2018, on top of ads for cryptocurrency in general, or, really, anything that combines exclamation marks, full capitals and/or deceptive financial promises, like, say, these real-world examples:

  • “Start binary options trading now and receive a 10-risk free trades bonus!”
  • “Click here to learn more about our no-risk cryptocurrency that enables instant payments to anyone in the world.”
  • “New ICO! Buy tokens at a 15% discount NOW!”
  • “Use your retirement funds to buy Bitcoin!”

This is what Facebook product management director Rob Leathern had to say at the time:

There are many companies who are advertising binary options, ICOs and cryptocurrencies that are not currently operating in good faith.

Clearly, the ATM Coin lot were not operating in good faith. Rather, they were operating in something about as valuable as pocket lint.

According to the CFTC’s complaint, to be legal in the US, binary options have to be traded on a registered board of trade. The complaint said that none of the defendants were registered to make transactions, nor have they ever been registered with the CFTC at all, whatsoever, in any capacity.

On Friday, a default finding was entered against founders Blake Harrison Kantor and Nathan Mullins, both from New York, and against the companies Blue Bit Banc (UK); Blue Bit Analytics (Turks and Caicos); and the two New York companies Mercury Cove Inc. and G. Thomas Client Services.

As the CFTC tells it, customers could either trade for themselves or have a Blue Bit Banc rep do it for them. One thing the defendants failed to mention: Blue Bit Banc was using a computer software program that altered binary options data in order to tip the scale toward “you lose, sucker!”, leaving Blue Bit Banc more likely to turn a profit.

Part of the alleged scheme was to tell most investors to send their funds to a bank account in the island nation of St. Kitts and Nevis, making it all that much more difficult to trace the funds. The defendants also converted Blue Bit Banc investments into ATM Coin, a cryptocurrency that Kantor told investors was worth $beaucoup bucks but was actually worth $bupkus.

This is how the punishments got divvied up in a federal court on 23 October 2019:

  • $846,405 order of restitution and a civil monetary penalty of $2.5 million against Kantor and the corporations.
  • $300,000 penalty against Mullins.
  • Kantor and Mullins have been forced to pay back $515,759 and $89,574 in ill-gotten gains, respectively.
  • The order also found that Kantor, Blue Bit Analytics, and G. Thomas Client Services had accepted customer funds and illegally acted as Futures Commission Merchants without being registered with the CFTC. They’ve been permanently banned from engaging in such conduct, which violates the Commodity Exchange Act.
  • Blue Wolf Sales Consultants, a New York company owned by Kantor, was ordered to disgorge $463,097.

The CFTC says that in a related case, Kantor also pleaded guilty to conspiracy to commit wire fraud and admitted to obstructing an investigation into his fraudulent scheme. He’s been sentenced to 86 months in jail.

Binary options: the “all-or-nothing” options

The CFTC issued a fraud advisory about binary options, sometimes referred to as “all-or-nothing options” or “fixed-return options”, and the platforms they trade on.

The CFTC:

The yes/no proposition typically relates to whether the price of a particular asset that underlies the binary option will rise above or fall below a specified amount. For example, the yes/no proposition connected to the binary option might be something as straightforward as whether the stock price of XYZ company will be above $9.36 per share at 2:30 pm on a particular day, or whether the price of silver will be above $33.40 per ounce at 11:17 am on a particular day.

You can see where the risk comes in: as the ATM Coin scam shows, the yes/no coin flip can be weighted against an investor with rigged software, for one thing, but that’s just one of a number of risks.

According to the CFTC’s advisory, internet-based trading platforms that deal in binary options have been proliferating like spring bunnies in recent years. As the number of platforms has increased, so too have the related frauds.

The CFTC and the Securities and Exchange Commission (SEC) have seen three main fraud types:

  • Refusal to credit customer accounts or reimburse funds to customers.
    Brokers encourage investors to deposit funds into their accounts. But when those customers try to withdraw their original deposit, or the return they’ve been promised, the trading platforms turn the cold shoulder, allegedly cancelling withdrawal requests, refusing to credit accounts, or ignoring customers’ calls and emails.
  • Identity theft.
    The CFTC and SEC say they are hearing complaints about binary options trading platforms that allegedly collect sensitive customer information – such as credit card and driver’s license data – for “unspecified uses.” If one of these trading platforms requests photocopies of your credit card, driver’s license, or other personal data, keep your cards in your wallet and just say no!
  • Manipulation of software to generate losing trades.
    In these scams, the trading platforms manipulate the trading software to distort binary options prices and payouts. For example, when a customer’s trade is “winning,” the countdown to expiration is extended arbitrarily until the trade becomes a loss.

The CFTC is looking for reports about these cryptoscams: in the US, customers can report suspicious activities or information, such as possible violations of commodity trading laws, to the Division of Enforcement via a toll-free hotline 866-FON-CFTC (866-366-2382), or file a tip or complaint online.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oHkWV_OUw7w/

Ransomware attacks in Spain leave radio station in “hysteria”

A ransomware attack has ransacked at least two Spanish companies, leaving their employees without computer access.

The ransomware hit radio broadcaster Sociedad Española de Radiodifusión (Cadena SER), which released a statement about the attack. The company said it was keeping its radio service on air from its Madrid headquarters using standalone equipment. A technician there said the company was in “hysteria mode”, according to local media.

Local press also reported that the Radio Systems Department at SER’s parent company PRISA issued a circular to staff which reads (translated):

We are immersed in a computer security incident. It is mandatory to comply with the following guidelines:

  • Under no circumstances can PRISA computer equipment be used (neither desktops nor laptops)
  • Under no circumstances can the Wi-Fi network be accessed.

There is no problem in using Outlook 365 email from your mobile phone and from private computers (desktops or laptops) and connecting to your OneDrive and SharePoint applications…

Please extend this statement to all your colleagues. We will keep you updated with any news.

The ransomware also hit IT services and consulting company Everis, which is a subsidiary of Japanese telco NTT. It came with a €750,000 ransom demand, according to Spanish site bitcoin.es.

Both companies have reportedly warned staff to switch off computers.

Despite media reports to the contrary, both KPMG and Accenture confirmed they had not been hit by ransomware or other cyberattacks. Spanish airport operator AENA said it was taking preventive measures but had not been affected by the ransomware either.

Reports varied as to the nature of the malware. An advisory from the Spanish CERT said that it had been delivered via a file attached to an email.

Spain’s INCIBE-CERT said that it was helping affected companies mitigate and recover from the incident.


How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For more advice, please check out Sophos’s END OF RANSOMWARE page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/m_1Nziw6xLQ/

Mozilla says ISPs are lying to Congress about encrypted DNS

Mozilla on Friday posted a letter urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt – they’re dropping “factual inaccuracies” about “a plan that doesn’t exist,” it says.

Both of the entities behind those browsers – Mozilla and Google – have been moving to embrace the privacy technology, which is called DNS over HTTPS (DoH). Also backed by Cloudflare, DoH is poised to make it a lot tougher for ISPs to conduct web surveillance; to hoover up web browsing activity and, say, sell it to third parties without people’s consent; or to modify DNS queries so they can do things like inject self-promoting ads into browsers when people connect to public Wi-Fi hotspots.

Those are just some of the ISP sins Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regard to the Domain Name System (DNS) resolution services ISPs provide to US consumers.

DoH isn’t a panacea – Paul Ducklin walks through the issues it raises in the Naked Security podcast – but it promises to at least seriously gum up tracking and monetization of data.

In September, Mozilla announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. Within days, Google issued a me-too, officially announcing its own DoH experiment in Chrome.

Unsurprisingly, the ISPs have sputtered, and not without some good reasons. For example, it has been argued that law enforcement loses a source of evidence if it can no longer obtain histories of which potentially sketchy domains people looked up years ago. Things have gotten pretty testy: Mozilla has drawn flak from the UK Internet Service Providers Association (ISPA), which nominated it for its ‘Internet Villain’ award for helping to bypass internet filtering in the UK and interfering with the government’s internet filtering laws, particularly the age verification requirements for viewing porn.

(To help with cases such as that of the UK and its internet filtering requirements, Mozilla’s DoH by default can be turned off.)

Mozilla says it’s not surprising that the work it’s been doing on DoH has prompted the ISPs to try to throw up roadblocks. One such was a letter sent to Congress by Big Telecom associations in September that, Mozilla said, was full of “factual inaccuracies.”

In September, Ars picked apart the ISPs’ claims, which were mostly about Google’s DoH experiment with Chrome. The ISPs claimed, wrongly, that Google plans to automatically switch Chrome users to its own DNS service.

It isn’t. The plan is to “check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider.” If the user-selected DNS service isn’t on that list, Chrome won’t move the user anywhere; it leaves the setup as is.
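The two mechanisms discussed above, the same-provider upgrade rule and the DNS-over-HTTPS request itself, are easier to reason about in code. The block below is an added example, not Chrome’s or Mozilla’s code: the provider table is an illustrative mapping of two operators’ publicly documented resolver addresses and DoH endpoints (treat it as an assumption of the example, not as Chrome’s actual list), and the DNS reply it decodes is hand-constructed rather than captured from any resolver. The wire encoding follows RFC 1035 (query) and RFC 8484 (the base64url `dns=` GET parameter).

```python
from __future__ import annotations

import base64
import struct

# Illustrative table for this example: plaintext resolver IP -> DoH endpoint run
# by the same operator. Assumed for the example; Chrome maintains its own list.
DOH_UPGRADE_TABLE = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
}


def choose_resolver(configured_dns_ip: str) -> tuple[str, str | None]:
    """Same-provider upgrade rule: ("doh", url) only when the user's current
    plaintext resolver has a DoH equivalent from the same operator; otherwise
    ("udp", None), meaning leave the user's setup exactly as it is."""
    url = DOH_UPGRADE_TABLE.get(configured_dns_ip)
    return ("udp", None) if url is None else ("doh", url)


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query (QTYPE 1 = A, class IN, RD=1).
    RFC 8484 recommends ID 0 so identical queries are cacheable over HTTP."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: wire query, base64url without padding, in 'dns='.
    On the network this is an ordinary HTTPS request to the resolver, so an
    ISP sees a TLS connection, not the name being looked up."""
    wire = build_dns_query(name, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def decode_dns_param(url: str) -> bytes:
    """What the resolver does with the parameter: restore padding and decode."""
    param = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a DNS name, whether written as labels or as a 2-byte
    compression pointer (top two bits set)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answer_ips(response: bytes) -> list[str]:
    """Extract A-record addresses from a wire-format DNS response."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4  # QTYPE + QCLASS
    ips: list[str] = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips


def constructed_sample_response() -> bytes:
    """Hand-built reply for example.com (constructed for this example, not
    captured): same question section, one A record via a pointer to offset 12."""
    question = build_dns_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    mode, endpoint = choose_resolver("1.1.1.1")
    if mode == "doh":
        print(doh_get_url(endpoint, "example.com"))
    print(parse_answer_ips(constructed_sample_response()))
```

Note the behaviour at the heart of the ISPs’ complaint: a user whose router hands out the ISP’s own resolver address gets `("udp", None)` from `choose_resolver` and nothing changes, which is the point Ars made about Chrome’s plan.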

Mozilla’s default DoH provider in Firefox is Cloudflare, but given Firefox’s small market share, that apparently isn’t much of a concern to the ISPs.

Mozilla Senior Director of Trust and Security Marshall Erwin, who authored Mozilla’s letter to Congress, told Ars that the arguments ISPs made to lawmakers – specifically, their claims about Google’s plans – are “premised on a plan that doesn’t exist.” The intent is to sow fear, he said:

The focus of the lobbying effort has been on using Google as a boogeyman, given a lot of the antitrust concerns that exist today, to drive a lot of uncertainty about the potential implications of DNS over HTTPS.

To soothe some of that fear and doubt, Mozilla has published this FAQ about DoH.

For more details about the complexities and issues behind the new privacy technology, listen to Paul Ducklin’s explanation in the Naked Security podcast (the DNS-over-HTTPS section starts at 31’36”).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L0V0e9wwPL4/

Smartphone and speaker voice assistants can be hacked using lasers

As keen tech adopters know, Google Assistant, Amazon Alexa, Apple Siri, and Facebook Portal are AI-powered internet platforms that users control by issuing voice commands through smartphones or home ‘smart’ speakers.

Or at least that’s what we thought until this week when a US-Japanese team published a research paper which confirms an interesting and under-estimated possibility – these devices will also accept “signal injection” commands sent to them using pulses of laser light over distances of a hundred metres or more.

Hitherto, hacking such systems has been about sending them audible commands without their owner’s knowledge. Now the research confirms that it’s possible to achieve the same result over considerable distances in ways that might allow attackers to unlock “smartlock-protected front doors, open garage doors, shop on e-commerce websites at the target’s expense, or even locate, unlock and start various vehicles” that are connected to the victim’s Google account.

It’s a point worth remembering – voice assistants aren’t just gimmicks or conveniences and a growing volume of security-sensitive technology is now hooked up to them.

The shining

But voice-controlled devices accepting commands by way of light?

It sounds unlikely, but what makes it possible is the photoacoustic effect, known since 1880, when the scientist Alexander Graham Bell invented an optical communication device that exploited it.

He discovered that shining light on to an object causes it to heat up very slightly in a way that generates sound waves, which microphones, including today’s MEMS (micro-electromechanical systems) diaphragms, turn into electrical signals.

The researchers summarise this:

Thus, by modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio.

Engineers, including those designing voice-controlled devices, should know this. Unfortunately, Graham Bell’s discovery lost out to radio communications, and photoacoustics was put on the back burner.

The principle is explained in a video made by the researchers.

What’s possible

According to the researchers, as long as the light signal is carefully aimed using a telephoto lens with the correct amount of light, any MEMS-based microphone used in popular devices is vulnerable.

The distances at which communication is possible vary by device, ranging from up to 110 meters for the Google Home and Echo Plus 1st Generation to just above 20 meters for the Apple iPhone XR and sixth-generation iPad.

The equipment used to carry out the tests was a cheap five-milliwatt laser pointer, a laser driver, a sound amplifier, and a basic telephoto lens, together costing less than $600.

An objection that voice assistant manufacturers might make is that this kind of laser attack still needs a line of sight, for example from one building to another. It’s not clear how often this would be possible under real-world conditions. The obvious mitigation is to keep these devices away from windows.

However, the researchers believe that making assumptions is the wrong way to understand vulnerabilities in this expanding class of gatekeeper devices.

Currently, the stock microphones that receive voice commands perform no authentication beyond checking that wake phrases such as “OK Google” are in the owner’s voice, and even this can be spoofed using voice synthesis.

The authentication problem could be mitigated in different ways – for example, by requiring that more than one microphone detect the same command simultaneously, something a laser attack would find difficult to overcome.
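One way to realise that multi-microphone check, as an added illustration that is not the researchers’ code: a sound wave reaches every diaphragm in a microphone array, offset by a few samples, whereas a focused laser spot excites only the one it hits, so a command is only accepted when at least two channels carry a mutually consistent signal. All sample values, channel counts and thresholds are constructed for the example.

```python
"""Hypothetical multi-microphone corroboration check (added example, not the
researchers' code). A command is accepted only if some pair of channels shows a
strongly correlated signal within a small time offset; a single excited
diaphragm cannot satisfy that. All captures below are constructed."""
import math
import random


def peak_xcorr(a, b, max_lag):
    """Peak normalized cross-correlation of two equal-length channels over lags of +/-max_lag samples."""
    ea = math.sqrt(sum(x * x for x in a))
    eb = math.sqrt(sum(x * x for x in b))
    if ea == 0.0 or eb == 0.0:
        return 0.0  # a silent channel cannot corroborate anything
    best = 0.0
    n = len(a)
    for lag in range(-max_lag, max_lag + 1):
        s = sum(a[i] * b[i + lag] for i in range(n) if 0 <= i + lag < n)
        best = max(best, s / (ea * eb))
    return best


def command_corroborated(channels, max_lag=8, threshold=0.6):
    """True if at least one pair of microphones agrees on the captured signal."""
    for i in range(len(channels)):
        for j in range(i + 1, len(channels)):
            if peak_xcorr(channels[i], channels[j], max_lag) >= threshold:
                return True
    return False


def make_channels(acoustic, n=128, seed=1):
    """Constructed 3-mic capture: a 'command' tone arrives at every mic with a
    small delay (acoustic=True), or appears on mic 0 only, as a beam focused on
    one diaphragm would produce (acoustic=False). Other mics hear only noise."""
    rng = random.Random(seed)
    tone = [math.sin(2 * math.pi * 5 * i / n) for i in range(n)]
    delays = [0, 3, 6] if acoustic else [0, None, None]
    chans = []
    for d in delays:
        if d is None:
            chans.append([rng.uniform(-0.05, 0.05) for _ in range(n)])
        else:
            chans.append([(tone[i - d] if i >= d else 0.0) + rng.uniform(-0.05, 0.05)
                          for i in range(n)])
    return chans
```

A real implementation would also bound the lag by the physical spacing of the microphones, since a sound source cannot produce offsets larger than the array allows.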

In the end, what matters to the large numbers of consumers buying voice assistants is that makers start taking their security more seriously by assuming the worst, rather than hoping for the best.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_7WhfQGzceQ/

Leeds IT bloke pleads guilty to hacking Jet2 CEO’s email account

Exclusive: A man has pleaded guilty to hacking low-cost airline Jet2, including an attempt to compromise the CEO’s email account.

Scott Burns, of 37 Queen Street, Morley, Leeds, had been charged with eight crimes under the Computer Misuse Act (CMA) 1990.

The 27-year-old, formerly an IT project manager working for Blue Chip Data Systems, targeted the systems of Dart Group plc, the holding company that owns Jet2, travel agency Jet2holidays and logistics business Fowler Welch Coolchain.

During a three-week spree in January 2018, Burns accessed the inbox of Dart Group CEO Steve Heapy from various IP addresses resolving to companies including Servatech Ltd as well as “a Plusnet account in the name of Neil Leslie”.

Burns sealed his fate when he eventually accessed Heapy’s inbox from a Virgin Media account in Burns’ own name, as was laid out in the indictment against him at Leeds Crown Court.

Investigators were able to trace that illegal access back to a named desktop computer, with Burns having used two specific accounts to “secure unauthorised access to the computer hosting the domain of Dart Group… from a remote work station”.

A LinkedIn account in Burns’ name has a project entry listed under Accomplishments referring to his carrying out an Office 365 migration for the Dart Group, including “preparation of back end systems to ensure a smooth migration for both the user and for reduced impact to system administrators and helpdesk consultants” for 5,000 users.

Last year Jet2 flew 12.1 million passengers, making it the UK’s fourth most popular airline – though it was fifth place behind Thomas Cook before the latter’s demise in September this year.

Blue Chip Data Systems refused to confirm whether or not Burns had ever worked for the firm, though he lists it as an employer on LinkedIn.

Four years ago Blue Chip carried out a successful movement of Dart Group’s physical IT infrastructure from Bournemouth to its current Leeds base, taking on “the future management of Dart Group’s IT system” as noted in a 2015 case study.

A Jet2 spokesperson told The Register: “As legal proceedings are still ongoing, it would be inappropriate for us to make any comment at this stage. However it is important to note that at no point was any personal data or other customer, supplier or Group data compromised, and there was no impact on our distribution or leisure travel operations.”

Burns pleaded guilty to six offences under section 1(1) of the Computer Misuse Act 1990 (CMA), one attempted offence under section 1(1) and one offence under section 3(1) of the CMA. He will be sentenced in December and faces a potential 10-year prison sentence and fine, though statistically speaking, he is unlikely to end up behind bars. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/06/scott_burns_jet2_guilty_plea/

A Warning About Viruses From Weird Al

Should you get an e-mail with the subject ‘stinky cheese’…

Source: alyankovic 

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/edge/theedge/a-warning-about-viruses-from-weird-al/b/d-id/1336281?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple