STE WILLIAMS

Just let us have Huawei and get on with 5G, UK mobe networks tell MPs

British telcos and academics have told a Parliamentary enquiry the UK needs to get on with allowing Huawei equipment into the heart of its future 5G networks.

In submissions to an ongoing consultation entitled Ensuring access to “safe” technology: the UK’s 5G infrastructure and national security inquiry, business and academia alike have largely rubbished US-led concerns over the security of the Chinese firm’s 5G network hardware.

Industry was also clear: despite Brexit, Britain ought to get on board with the EU’s plans for regulating 5G – on the grounds that this “provides a good initial opportunity for international cooperation”, in Huawei’s own words to the enquiry.

On top of that, Britain should hold its nose on the thorny Huawei security issue and instead concentrate on the large number of varying (but invariably positive) economic growth predictions for countries with mature 5G deployments.

As think tank RUSI said in its submission, “For certain functions like the radio access network, only Huawei, Ericsson, and Nokia, or the ‘Big 3’, produce equipment with the necessary capabilities at sufficient scale.” That rather typified the tone of the telcos’ submissions.

Infosec biz NCC Group said in its submission to the enquiry that the “small” size of the British 5G market meant the UK would have limited ability to “counter adversarial dominance in global standard setting bodies and fora”. This, it claimed, would see British telcos being left “unable, or unwilling, to refuse deployment in UK markets and infrastructure” of equipment that doesn’t meet British security standards.

While plenty of Huawei equipment currently serves 3G and 4G networks in Blighty, the theory behind prior inspection by organisations such as HCSEC is that their vulns are at least known quantities before live deployment.

Drink deep, customers

Huawei itself knows full well where it sits on the issue of UK 5G security; it is one of the three firms capable of selling and supporting 5G mobile network gear at scale. Telling the committee that “all three of the UK’s main suppliers are international companies, in their ownership,” the Chinese firm said: “There is currently no domestic alternative that could meet the UK’s deployment targets.”

Translation: you can’t beat us, you’ve already joined us, why change that?

Huawei 5G customer Three agreed, saying it is “important for any decision about the future of 5G supply and in particular a decision in relation to the role of Huawei in the UK is taken as soon as is practical.”

“Any unnecessary delay,” Three thundered, “in reaching this decision risks the UK 5G leadership ambitions as well as significant cost to Mobile Networks who [have] already started to deploy 5G technology and offer 5G services.”

Nothing to do with having to re-rip-and-replace its network kit, having swapped Samsung kit out in favour of Chinese gear over the past few years.

BT, meanwhile, the country’s largest telco, echoed NCC’s point about how the UK “remains a relatively small market for global vendors” but differed on our ability to punch above our weight, saying “the commercial and regulatory decisions taken here do and will resonate strongly across Europe and around the world.”

EE by gum, didn’t know that

“For example,” it said, “EE is a global reference network for the industry’s biggest companies, including Apple, Samsung, Qualcomm and Nokia.”

The one-time state monopoly is also in favour of keeping Huawei, telling the Parliamentary enquiry that it must prioritise “ensuring national security assessments of the role of foreign actors in UK companies” while making sure they “do not unduly limit the UK’s access to innovation and investment.”

Just to make it clear, BT also said: “We do not view a ban on using Huawei in access networks as a proportionate response, given the range of protections in place.”

Meanwhile Huawei 5G competitor Nokia said “it is important that regulation is kept as light as possible so that innovation is not stifled,” before adding: “However, the development of security regulation, as a part of national security, is an important area, and although government has made progress in the involvement of vendors in policy development, a deeper engagement would be welcomed.”

The Finnish firm suggested a dedicated cyber security ministerial post be created, working “across Cabinet Office and DCMS to coordinate policy and reflect the importance of the sector.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/10/5g_security_review_parliament_submissions/

Some fokken arse has bared the privates of 250,000 users from Dutch brothel forum

A Dutch vBulletin forum for sex workers and their clients has reportedly been hacked using that infamous RCE vuln, baring the privates (and data) of a quarter of a million people.

The forum, named Hookers.nl in an endearingly Dutch way, currently has its user data for sale for just €300 on a cybercriminals’ forum, according to local broadcaster NOS.

“In addition to email addresses, this includes usernames, IP addresses and passwords. The passwords are protected and cannot be cracked just like that, but the email addresses of users are legible,” said the broadcaster, which viewed some of the data itself to verify the data blab.

Although users of the forum tended to sign up with pseudonymous usernames, apparently the email addresses registered to some accounts include real names – for example, [email protected].


The forum currently has a thread running in which alarmed sex workers and clients alike are asking site admins to delete their accounts and all details associated with them.

A statement posted by an administrator said:

vBulletin has released a software patch that we have implemented after testing to address the leak.

Nevertheless, a data breach has occurred and the email addresses have been stolen from all users. Please note the passwords. These email addresses have been offered for sale online by hackers. Offering this information for sale is punishable by law and if possible we will take legal action against this.

One panicky user replied: “The email address with which I originally registered is an old address that is no longer in use. So I no longer have access to this email address. I also cannot change the email address associated with this account in my profile settings: if I click on the ‘Account’ tab in my profile, I will always be redirected to the Hookers homepage. I cannot view or adjust my settings and data. Because I therefore cannot change my email address, I can therefore no longer change my account password!”

Meanwhile, the person hawking the stolen data told NOS: “It’s only about three hundred thousand users… Tens of thousands of websites are hacked every day. I’m not the devil. It’s not a question of whether your website is hacked, but when.”

Naturally, the stolen data presents a severe blackmail risk for anyone using the site who wouldn’t want this known in their public life.

Inevitably the hack will draw parallels with the Ashley Madison breach of 2015, where a site promoting illicit hookups for married couples had its entire user database lifted. Its internal security was pretty poor, as later investigations found.

Dutch tech news site Tweakers reported that the attacker used the same vBulletin vuln that Comodo failed to patch after the zero-day was made public in September. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/10/dutch_hooker_forum_hacked_250000_users_privates_bared/

Finfisher malware authors fire off legal threats to silence German journos

Malware authors behind the Finfisher spyware suite, well beloved by dictators, have sent legal threats intended to silence a German news blog that reported them to criminal prosecutors over allegedly illegal malware exports.

“Our reporting on the criminal complaint [we filed] against the producers of the state trojan-horse spyware software FinFisher has resulted in mail from the law firm Schertz-Bergmann. We were urged to sign a cease-and-desist declaration,” said the site’s Markus Beckedahl in a recent post.

He told El Reg that Finfisher’s authors allege that Netzpolitik broke German media laws by not asking them to comment on the allegations against them. Beckedahl said that for years he and his colleagues had been asking Finfisher for comment, without reply, including for the disputed articles.

Netzpolitik has taken down two blog posts from 4 and 5 October about Finfisher. A placeholder on each page currently says: “This article is currently not available for legal reasons”.

Along with Reporters Without Borders and a couple of NGOs, Netzpolitik campaigners filed the criminal complaint (available in German PDF here) against Finfisher’s authors, the Gamma Group. This followed the discovery, so it is claimed by their supporters (PDF), of Finfisher’s surveillance malware on the devices of Turkish opposition politicians.

The German campaigning blog is not alone in its reporting: various national news media including broadcaster Deutsche Welle also covered the allegations. German export law prohibits malware from being shipped directly to Turkey, according to DW.

Beloved of dodgy sods

Finfisher is one of the nastier threats to people who speak out about political causes, as The Register has reported over the years.

Broadly speaking, the suite is planted covertly on targets’ devices in order to allow its operators to spy on them. It is written to evade detection by common anti-malware suites. In 2015 Finfisher (aka Finspy) was found in use by Bahraini officials targeting dissidents. At the time Finfisher was exploiting vulns in Apple iTunes, among other things, to install itself and eavesdrop on VoIP calls and other comms methods, prompting condemnation from the OECD.

Most recently the malware was discovered to be in use by Uzbekistani officials to spy on news agencies.

Netzpolitik campaigns vigorously against UK-style unrestricted mass surveillance. Evidently it is successful: a few years ago German spies convinced a local prosecutor to charge two of its journalists with treason for daring to expose their plans. Happily, this ended the prosecutor’s career when the news got out – and presumably a few senior German spies found themselves clearing their desks too.

One suspects the outcome of that case would have been very different in today’s Anglosphere.

We have asked Finfisher’s authors whether they wish to comment on or otherwise explain their legal threats. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/10/finfisher_authors_legal_threats_german_journalists/

Network Security Must Transition into the Cloud Era

An integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls.

Cloud and mobility have been driving transformative changes in the way we work for nearly a decade and continue to rank among the top macro trends affecting the IT landscape today. In fact, many organizations have begun to build their entire business strategy around cloud capabilities. Enterprise Strategy Group research found that 39% of organizations now follow a “cloud-first” strategy when deploying new applications, up from 29% just a year ago.

By its nature, cloud computing puts distance between users and resources, creating a strain on legacy network capabilities. This is especially true of a traditional hub-and-spoke networking model that incorporates siloed security technologies. This type of approach introduces three key issues:

1. Degradation of performance and user experience: When traffic destined for cloud applications is first routed back to the campus and through the on-premises security stack, quality of service is negatively affected.

2. Limited visibility: Security tools can’t control what they can’t see, and without a full understanding of applications, users, devices, data, and other context, proper enforcement cannot occur.

3. Inconsistent policies: Appliance sprawl and disparate management consoles have left many organizations with a siloed rather than unified approach to security, which can limit both efficiency and efficacy.

The traditional approach is now changing as network technology becomes more dynamic and intelligently manages traffic based on users, applications, connections, and locations. The growing adoption of SD-WAN to improve network efficiency and management, especially relative to remote office/branch office (ROBO) locations, is a good example of this.

As the network evolves, security controls and how they integrate into the new architecture (including SD-WAN) must also be reevaluated. Security solutions must plug seamlessly into network technologies and shift control points to the edge with centralized management and distributed enforcement. Specifically, ESG sees a logical convergence of security tools delivered via a cloud-native, microservices-based platform beginning to coalesce as an extensible architecture called elastic cloud gateways (ECGs). ECGs are multichannel, multimode, cloud-delivered security services built on a globally distributed platform; they provide end-user access, threat prevention, and content inspection at the network edge.

Because the architecture is extensible, the technologies that make up the multichannel aspect of ECGs can vary. However, to address the SD-WAN-enabled, direct-to-internet ROBO use case, there are some logical components. These include secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and firewall functionality. Additionally, with the amount of encrypted web traffic growing by the day, SSL decryption for full visibility is important now and will quickly become a prerequisite.

Other technologies may include DNS protection and advanced threat prevention capabilities or a software-defined perimeter (SDP) for zero-trust capabilities. The integration with SD-WAN technologies enables intelligent enforcement of policy based on who the users are, what devices they’re on, and what part of the network they’re connecting through. It also facilitates improved coordination between security and non-security stakeholders to drive consistent policies based on business needs. Depending on the context, either part or the entirety of the ECG stack may be utilized for traffic inspection. Regardless of the specific list of technologies, by integrating multiple capabilities into a single solution, management is simplified, policy becomes more consistent, and with fewer gaps in the security posture, efficacy is improved.

Integrating SWG, CASB, DLP, firewall, and other capabilities is difficult to do at scale in an on-premises deployment. In fact, this has been one of the main drawbacks to the traditional model of using unified threat management (UTM) devices at the branch. The static nature of on-premises solutions becomes a larger problem as the number of security services increases, especially compute-intensive ones such as SSL decryption.

However, the cloud-native architecture of ECGs provides elasticity through microservices, which automatically scale up or down based on demand. This can enable traffic inspection for content control (i.e., DLP), threat prevention, and SSL decryption to occur without degrading the user experience or overprovisioning capacity. Furthermore, the cloud-native aspect of ECGs better aligns security to the cloud from a consumption perspective — not only relative to the shift from capex to opex but also by utilizing metering based on a combination of users, traffic volume, applications protected, or security services so that organizations are only charged for the resources they use while protection dynamically scales up or down based on the current need.

Finally, the multimode aspect of elastic cloud gateways builds upon CASB capabilities and is important for full control and visibility over both sanctioned and unsanctioned cloud applications. ECGs can be deployed inline as a forward or reverse proxy for better threat protection and user experience. Alternatively, ECGs can utilize an out-of-band deployment through cloud application API integrations that provide ease of use and retrospective analysis and policy enforcement for sanctioned applications. This flexibility enables organizations to meet their specific needs and priorities, be it real-time enforcement or maintaining quality of service.

Over time, ECG capabilities and SD-WAN functionality will likely collapse even further. Some vendors with stronger networking backgrounds (Cisco, for example) or that have shown themselves to be on the early side of the innovation curve (such as Palo Alto Networks) may be quicker to move down a consolidated network and security path. However, there will be a multiyear period in which technology networking and security partners integrate these solutions as a core route to market.

These innovations represent an important step in advancing network security into the cloud era. The foundation has been laid through the initial shift to cloud security services. However, a true cloud-native architecture is the only way to fully scale an ECG architecture, and an integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls while enabling user productivity.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Can the Girl Scouts Save the Moon from Cyberattack?”

John Grady is an Analyst covering network security at Enterprise Strategy Group. He leverages more than 15 years of analyst and cybersecurity vendor experience to help clients identify and quantify key market trends to facilitate data-driven business decisions. He previously …

Article source: https://www.darkreading.com/cloud/network-security-must-transition-into-the-cloud-era/a/d-id/1335978?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Magecart Attack on Volusion Highlights Supply Chain Dangers

Attackers compromised Volusion’s Google Cloud environment to load malicious skimmer code onto more than 6,500 customer sites.

Magecart attackers have infiltrated cloud-based e-commerce provider Volusion to successfully infect at least 6,500 customer websites with malicious code designed to lift payment card information. To do this, they had to first break into Volusion’s Google Cloud environment.

Volusion is the latest target of Magecart, a threat that was first spotted a decade ago but has been ramping up over the past couple of years as attackers explore new vectors for compromise and it becomes easier to rent a skimmer kit, track malicious activity, and automate attacks at scale. Skimmers have been detected on more than two million sites, RiskIQ reports.

“During our investigations of Magecart, we have found that the attackers seem more experienced and thoughtful than many other skimmer groups,” Trend Micro researchers say in an interview with Dark Reading. “There are multiple Magecart actor groups who continually shift their tactics to improve their infection rates and revenue opportunities.”

An attacker could launch a Magecart operation by purchasing an exploit and injecting malicious JavaScript onto a vulnerable e-commerce website. In the case of Volusion, attackers targeted the infrastructure of one company to compromise thousands of online stores’ checkout pages.

Marcel Afrahim, a security researcher with Check Point, first spotted a red flag on his virtual shopping trip to the Sesame Street Live Store. The store is built with Volusion’s All-in-One E-commerce Website Builder; Volusion also provides the store’s name servers. During checkout, he noticed a JavaScript file being loaded from storage.googleapis.com with the bucket name “volusionapi.” It was the only external JavaScript being loaded from a random storage site.

As Afrahim explains, storage.googleapis.com is a Google Cloud Storage domain name for a file storage web service. Anyone can register, pick a bucket name, and serve their own content.

A closer look at this code revealed a script that was posting credit card information from the checkout page to another domain name and calling it “JavaScript Cookie.” The code was masked as a simple API for handling cookies, but analysis revealed additional code with two sections. One reads the values entered in Credit Card fields; after a series of checks, it’s encoded in Base64 and stored in “sessionStorage,” which is cleared when a page session ends.

The second part of the script reads the stored data and posts it to the attackers’ primary server: hxxps://volusion-cdn.com/analytics/beacon. As Afrahim points out, even an analyst may look past a domain name like this, designed to blend in with Volusion. A GET request to Volusion-Cdn[.]com redirects to a legitimate Volusion CDN. However, he discovered the domain was only registered on September 7 and has nothing in common with Volusion infrastructure or name servers.

“While it is not overly sophisticated, the actors behind this operation went through some lengthy steps to make the traffic look normal,” Afrahim writes in a blog post on his findings. Further analysis revealed the Sesame Street Store is not the only one affected by the malicious JavaScript. Most likely, Afrahim says, any e-commerce website hosted on Volusion is running malicious code and sharing credit card input with the external attacker-controlled domain.

The Volusion incident can most likely be attributed to Magecart Group 6, also known for last year’s attack on British Airways, says Jerome Segura, head of threat intelligence at Malwarebytes. “They target sites that generate a lot of transactions, which helps them maximize their attack in a short time frame,” he explains.

Group 6 was recently identified as the FIN6 APT. Part of their tactics, techniques, and procedures involves creating exfiltration domains that mimic their victim, which aligns with their efforts to blend in and evade detection.

Service Providers Are Hot Targets
This isn’t the first time that attackers have taken advantage of legitimate service providers to spread malicious code. Back in May, attackers injected obfuscated JavaScript into three marketing services to scrape information, including login data and credit card details, from thousands of websites. Anyone who visited a website that used the three tools was affected in the attack.

A September Magecart attack targeted the booking websites of chain-brand hotels, marking the second time Trend Micro saw attackers hitting e-commerce service providers instead of individual shops. In May, another skimming campaign hit the online stores of college campuses.

Adversaries are after the most accessible entry point. Many have targeted misconfigured AWS accounts because they’re the most obvious opening that will likely be unnoticed, but ultimately they’ll go after the vector that will give them the highest payout with the fewest resources.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/magecart-attack-on-volusion-highlights-supply-chain-dangers/d/d-id/1336053?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attackers Hide Behind Trusted Domains, HTTPS

One in four malicious URLs employed a legitimate domain, making it more difficult for potential victims to spot possible dangers, a mid-year report finds.

Attackers attempting to dodge more advanced security defenses increasingly are adopting more sophisticated techniques to fool victims with their malicious e-mail messages and websites.

A new midyear report from security firm Webroot found that one in four malicious URLs used a legitimate domain in an attempt to improve the success rate of an attack. In the vast majority of cases — 94% — the attacker used a URL shortener to mask a malicious domain in order for it to appear legitimate. In the first half of the year, the company found 1.5 million phishing URLs, accounting for about one in 50 URLs encountered by its customers.

The overall effect is that users are losing one of the most significant signs of a potentially malicious attack: a URL that appears suspicious, says Tyler Moffitt, security analyst for Webroot.

“Attackers’ tactics are reducing (consumers’) ability to tell the difference between what is a scam and what is not,” he says. “Attackers know that many consumers do a mental check on any domain, and they are trying to fool them.”

As companies continue to improve the security of modern operating systems and applications, cybercriminals and online attackers are likewise searching for ways both to defeat software security and to fool targeted users. Using trusted domains is one way that attackers are attempting to limit the ability of victims to discern an attack. Another method: employing secure HTTP to give visitors a false sense of security; nearly a third of phishing domains now use HTTPS.

“[W]hen you see that little lock icon in your browser, it just means that the information you transmit on that site is encrypted and securely delivered to where it’s going,” Hal Lonas, chief technology officer at Webroot, said in the report. “There’s no guarantee that the destination is safe.”

In addition, attackers are targeting older operating systems, with malware targeting Windows 7 rising 71%, according to Webroot.

Countries that have older devices tend to have a greater share of attacks, Webroot found. About half of the computers in the most infected regions — the Middle East, Asia and Africa — ran Windows 8 or an older operating system. Computers running Windows 7 were more than twice as likely to become infected as computers running Windows 10, according to the company.

“While some of these countries have used the technology longer, the key factor is that those which have newer version of the operating system, tend to have fewer infections,” Moffitt says. “The main fact is that older devices with older hardware are more vulnerable to attacks.”

Over the past decade, attackers have created ways of camouflaging their malware using techniques that create variants to evade signature-based antivirus scanning. The strategy has now become ubiquitous, with 95% of all malware samples encountered by Webroot’s software having a unique signature, up from 92% last year, the company said.

Other companies have seen similar trends. Network security firm WatchGuard, for example, saw a significant increase — 64% — in the number of malware variants blocked by its two detection services. The company also saw attacks using content delivery networks (CDNs) to host malware on legitimate-seeming domains.

Two previously popular attacks, cryptojacking and cryptomining malware, have largely subsided as the value of cryptocurrency remains off its peak, but Webroot continues to see attackers attempt to install the payloads as a passive way to monetize otherwise low-value compromises.

“Because they can make money off people’s computers by mining, and most people have no idea their system is infected, it continues to be a popular attack,” Moffitt says. “It may only be 60 cents a day, but over tens of thousands of compromised systems — that adds up.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/threat-intelligence/attackers-hide-behind-trusted-domains-https/d/d-id/1336054?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Job seekers are scrubbing clean their social media accounts

We’re thrilled to pass along the findings of a new report that says that job seekers are doing what we’ve been begging them (as well as those people who are just fine with their current jobs, thank you very much) to do for years: button down privacy on their social media accounts, and mop up the splatter tracks of their nonprofessional gallivanting if they want to keep it from squashing their career opportunities.

After all, while we’re all for free speech, those rights don’t stop bosses from firing us if we publicly diss them or the company, and they don’t mean that recruiters are required to consider your candidacy if you do something like bad-mouth a previous employer on social media.

The finding comes from JDP, a candidate screening company in the US that surveyed 2,007 US participants about what they’re hiding from employers and how far they’ll go to keep it hidden.

According to its latest study, 43% of respondents enable privacy settings to keep material hidden from current employers and from whatever social media screenings future employers might run on them. In fact, one in four have every platform set to private. Forty percent of respondents say they’ve gone so far as to create alias accounts.

It’s not that they’re not posting career landmines: one in five admit to posting material that could jeopardize a current or future opportunity, JDP found.

Where employees are hiding their stuff the most

Facebook was the place that most respondents – 45% – sought to hide their personal posts. It was also the platform where the most respondents – 27% – are using alias accounts. The full results:

What employees consider none of your business

While unprofessional behavior mixed with public social media posts and a dash of “you’re fired!” leads to countless scintillating headlines, it’s actually not the top content type that employees strive to hide. Rather, it’s their personal lives, and the numbers break down like this:

  • 70% are trying to keep their personal lives private
  • 56% are working to obscure unprofessional behavior
  • 44% seek to hide their political views

That’s yet more excellent news. From an online security standpoint, keeping your personal life private on social media is a fine idea. After all, the more fraudsters know about us, the more convincing they can make their phishing attempts, or romance scams, or any other number of confidence scams.

One in three respondents say that they refuse to connect with coworkers on social media, even after accepting a job, JDP found.

Fifty percent said that they’ve scrubbed their posts to protect their professional reputation or removed old profiles. That’s a vast improvement over the 57% of college students who thought, at least back in 2013, that their Facebook posts weren’t vile at all.

What to scrub

Hopefully, people have gotten hip to the findings of a CareerBuilder survey of some 2,300 hiring managers, which found that those responsible for hiring were turned off by these categories of social media missteps:

  • Candidate’s provocative/inappropriate photos/comments: 49%
  • Candidate drinking or using drugs: 45%
  • Candidate had “poor communication skills”: 35%
  • Candidate bad-mouthed a previous employer: 33%
  • Candidate made discriminatory comments related to race, gender or religion: 28%
  • Candidate lied about qualifications: 22%

Here are other good tips on what to avoid on social media when you’re looking for a new job.

The JDP study also found that when it comes to scrubbing their social media accounts, respondents are most likely to do so on Facebook: in fact, 66% said that that’s where they’re most likely to pull out the mop.

Where we pose

Finally, there’s the material that we don’t want to hide from recruiters or employers. Rather, we want to buff it to a sheen. Fittingly, JDP found that 25% of respondents actively present themselves to attract employers by liking, posting, or following industry-relevant material, and they’re most likely to do so on the professional network, LinkedIn. Here’s the breakdown on how likely we are to posture on other platforms:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eFV3-DLwZNg/

American intelligence follows British lead in warning of serious VPN vulnerabilities

The US National Security Agency (NSA) is warning admins to patch a set of months-old security bugs that have recently come under active attack.

The NSA’s bulletin, issued earlier this week, says that state-sponsored hacking groups are now actively targeting the remote takeover and connection hijacking flaws in VPNs that were first publicized in April of this year.

“These vulnerabilities allow for remote arbitrary file downloads and remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Other vulnerabilities in the series allow for interception or hijacking of encrypted traffic sessions,” the NSA warned.

“Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.”

The NSA’s update comes on the heels of an earlier alert issued in the UK by the National Cyber Security Centre (NCSC), warning of attacks that it had spotted against both private and government sector firms in the UK ranging from military and academic institutions to business and healthcare providers.


“An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure,” the NCSC’s warning reads.

“Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.” David Stubley, CEO of security firm 7 Elements, told The Register that his firm has already found tens of thousands of servers vulnerable to one of the outlined bugs, and provided a video showing just how easy the process of exploiting the flaws and stealing VPN user data is.


“Trivial to extract user names and passwords, 60k passwords were identified,” Stubley said of one test run.

“Over 800 were based upon the dictionary word ‘password’, 4k based on this year as in 2019, we even saw passwords based on 2009 with the password of ‘Sep-09’.”
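The password patterns Stubley describes (the dictionary word “password”, the current year, and month-year strings such as “Sep-09”) are exactly what a defender would want to flag when auditing their own VPN credential store before an exposure like this. The following is an added example, not code from the article or from 7 Elements; the password list is constructed, and the year 2019 is assumed as the “current year”.

```python
import re
from collections import Counter

# Constructed sample (not real data) showing the patterns quoted in the article:
# the word "password", the current year, an older year, and month-year strings.
SAMPLE_PASSWORDS = [
    "Password1", "password2019", "Summer2019!", "Sep-09", "Oct-2019",
    "c0rrectH0rseBatteryStaple", "T7#vq9Lm!2pX", "welcome2009", "PASSWORD",
]

MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Month abbreviation (optionally spelled out), optional separator, 2- or 4-digit year.
MONTH_YEAR_RE = re.compile(rf"(?:{MONTHS})[a-z]*[-_/ ]?(?:19|20)?\d{{2}}\b", re.IGNORECASE)
# Any four-digit year in the 1900s or 2000s.
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def classify(password, current_year=2019):
    """Return the set of weak-pattern labels a password matches (empty set if none)."""
    labels = set()
    lower = password.lower()
    if "password" in lower:
        labels.add("dictionary:password")
    if str(current_year) in password:
        labels.add("current-year")
    elif YEAR_RE.search(password):
        labels.add("other-year")
    if MONTH_YEAR_RE.search(password):
        labels.add("month-year")
    return labels


def audit(passwords, current_year=2019):
    """Count passwords per weak pattern; 'clean' counts those matching none."""
    counts = Counter()
    for pw in passwords:
        labels = classify(pw, current_year)
        if not labels:
            counts["clean"] += 1
        for label in labels:
            counts[label] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(audit(SAMPLE_PASSWORDS).items()):
        print(f"{label:20s} {n}")
```

Run against a real credential export (after a reset, on hashed data with a cracking tool, rather than on plaintext) the same classification gives the share of accounts a policy change must cover.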

Admins who use VPNs for remote connections are being advised to test and install the patches as soon as possible. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/10/nsa_ncsc_vpn_warnings/

Former BAE Systems contractor charged with ‘damaging disclosure’ of UK defence secrets

A former BAE Systems defence contractor has appeared in court accused of leaking “highly sensitive” secrets to foreign governments.

Simon Finch, 49, of Swansea, Wales, is charged under the UK’s Official Secrets Act with making a “damaging disclosure” of information last October, according to top newswire Court News UK.

He appeared at Westminster Magistrates’ Court yesterday wearing a black suit and yellow shirt with a patterned tie, speaking only to confirm his name, age and nationality.

Prosecutors and police claimed the offence happened “on or around 28 October 2018” and was followed by a year-long investigation by a counter-terrorism unit.

Finch is said to have “unlawfully disclosed highly sensitive information relating to UK defence without lawful authority to do so,” as barrister Sam Main, prosecuting, told the Chief Magistrate of England and Wales.

“During the course of the investigation the police seized electronic devices from the defendant’s home address,” continued Main, adding: “He refused to provide the access codes for three of the devices despite an order from the judge to do so.”

Finch is also charged with one count of failing to make disclosure of information that would facilitate access to three electronic devices, under the Regulation of Investigatory Powers Act.

Sky News reported that he disclosed the information because he “held a grievance against Merseyside Police”.

He was released on bail ahead of a preliminary hearing at the Old Bailey on 6 November. The Chief Magistrate, Emma Arbuthnot, made a contempt of court order limiting what can be said about the case and banning the publication of Finch’s image, according to the BBC. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/10/simon_finch_ex_bae_systems_charged_official_secrets_act/

US charges Singapore coin miner with conning cloud firms out of compute time

A man from Singapore has been indicted in the US for impersonating a game developer in order to steal time on cloud compute systems and mine cryptocurrency.

Ho Jun Jia, AKA Matthew Ho, was indicted for eight counts of wire fraud, four counts of access device fraud, and two counts of aggravated identity theft. He could face charges in the Seattle US Western District court if extradited.

The indictment (PDF) claims that from October 2017 to February 2018 Ho used a combination of stolen identities and social engineering to get massive amounts of virtual compute power through AWS. He’s accused of then using that power to crunch numbers to mine himself a number of different currencies, including Bitcoin, Litecoin, and Ethereum.

The stolen accounts, it is said, were from an unnamed LA-based games developer and eSports organizer. By using the identities and accounts from the developer, then contacting Amazon to grant him additional admin privileges, police believe Ho was able to reserve millions of dollars worth of VM instances with which he could mine the digital money.


“In the few months his scheme remained active, Ho consumed more than $5 million in unpaid cloud computing services with his mining operation and, for a brief period, was one of Amazon Web Services (AWS) largest consumers of data usage by volume,” prosecutors said.

“Some of the bills were paid by the California game developer’s financial staff before the fraud was detected.”

In addition to spoofing the tech company, prosecutors also say Ho took the identity of a man in Texas and a business owner from India and used those accounts to reserve additional machines both on AWS and Google Cloud.

Ho was arrested by police in Singapore in late September. No trial date has been set, although the US does have an extradition treaty with the city state. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/09/singapore_coin_miner_charged/