STE WILLIAMS

6 Questions to Ask Once You’ve Learned of a Breach

With GDPR enacted and the California Consumer Privacy Act on the near horizon, companies have to sharpen up their responses. Start by asking these six questions.

Image Source: Adobe Stock: Yury Zap

Companies no longer have the luxury of waiting days or even weeks before they report a data breach to the public. Many global firms do business overseas and are subject to GDPR, and California’s data privacy law goes into effect Jan. 1, 2020. Similar measures are on the way in India and Brazil.

GDPR, for one, requires that a breach be reported to the supervisory authority within 72 hours of the company becoming aware of it.

That means it’s more important than ever for companies to know how to respond once they learn that they’ve been breached. The M-Trends 2019 report released by FireEye Mandiant found that 59% of breaches are self-detected, while 41% are reported to breached companies by external sources.

Charles Carmakal, strategic services CTO for FireEye Mandiant, advises companies to start by validating that a breach actually took place and, if they haven’t already, to develop a comprehensive incident response plan.

“It’s really important to know what the attack was and why the bad threat actors broke in,” Carmakal says. “Do your due diligence and have this information because it will really help you from a legal perspective if the case gets turned over to law enforcement and there’s an indictment.”

While some companies have clear processes and procedures in place, many companies (especially SMBs) are not at all prepared to handle a breach. Start by asking the following six questions.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/attacks-breaches/6-questions-to-ask-once-youve-learned-of-a-breach--/d/d-id/1335799?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fin7 sysadmin pleads guilty to running IT for billion-dollar crime syndicate

A Fin7 sysadmin has pled guilty – the first higher-up to be found guilty of hacking in a US court.

The long back story begins like this: Once upon a time, there was a cybercrime wolf syndicate who pulled on the sheepskin of a penetration testing company, calling itself Combi Security and offering absolutely zero services or protection… but lots of penetration.

We know it better as Fin7, also known as Carbanak Group or Navigator Group, among many other names. Starting in at least 2015, the notorious cybercrime network carried out a highly sophisticated malware campaign targeting more than 100 US companies. Those companies included big retailers like Lord & Taylor and Saks Fifth Avenue but were predominantly in the restaurant, gaming, and hospitality industries: all victims of Fin7’s hacking into thousands of computer systems and theft of millions of customer credit and debit card numbers.

The Feds arrested three high-ranking members of Fin7 in August 2018. All were Ukrainian nationals. And on Wednesday, one of those three – Fedir Oleksiyovich Hladyr – pled guilty to being the sysadmin who ran the group’s IT operations.

Each of those three had been charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. But in the plea agreement filed in the US District Court for the Western District of Washington in Seattle on Wednesday, prosecutors dropped it down to just two charges: conspiracy to commit wire fraud, and conspiracy to commit computer hacking. Altogether, Hladyr’s looking at a prison sentence of no more than 25 years, plus fines of up to half a million dollars.

This makes Hladyr the first member of Fin7 to be found guilty of hacking-related crimes in a US court.

Same old admin duties, but for crooks

Fin7 employs dozens of computer experts in multiple countries, as the plea agreement describes. And in August 2015, it hired Hladyr to be a systems administrator.

He thought he was hired by a legitimate computer security outfit called Combi Security: one that supposedly provided pen-testing services to a variety of companies around the world. On its public website, Combi presented itself as “one of the leading international companies in the field of information security.”

Nothing could have been further from the truth. Hladyr soon figured out that he’d been hired by a cybercriminal network that carried out attacks primarily through phishing emails and social engineering to encourage victims to click on malware sent as attachments in boobytrapped emails.

That malware connected compromised computers to a network of command-and-control (C&C) servers located around the world. Through that network, Fin7 uploaded additional malware onto victim computers, conducted surveillance, and maintained remote control.

Fin7 uses these breached computers to move laterally through networks, locating sensitive financial information such as payment card data that it can steal and sell. The syndicate also seeks out point-of-sale (POS) systems, through which it can remotely upload malware onto POS terminals used to process payment card transactions at thousands of retail and commercial locations across the US.

He didn’t know all this at first, but it didn’t take Hladyr long to find out that Combi wasn’t legit. One of his duties was to provide dozens of Fin7 members with access to communication and C&C servers, including Jabber, JIRA, HipChat, and custom botnet control panel servers, among many others.

No, Combi wasn’t legit. It was a front company for Fin7 – an organization trying to, and succeeding at, breaching network security of victim companies.

How do you know when a pen-testing company isn’t really a pen-testing company? As the plea agreement outlines, at no time did Hladyr come across…

  • Contracts for Combi to perform pen-testing for clients.
  • Reports or recommendations from Combi to its purported clients explaining what vulnerabilities had been discovered in their network security and how they might be fixed.
  • Any measures taken to safeguard “clients” from misuse of confidential information taken from their networks, such as network credentials, network maps, and sensitive business information.

Hladyr rose through the ranks quickly, taking on ever more responsibility. He became responsible for aggregating stolen payment card information, providing technical guidance to Fin7 members, issuing assignments to Fin7 hackers, and supervising teams of hackers. He’d also routinely relay orders from the head honchos to the group’s underlings.

Fin7 stole information for tens of millions of payment cards from US companies, then sold it on places such as Joker’s Stash – an underground carding shop that regularly sells batches of freshly ripped-off payment card details.

After carders buy those payment card details, they can then put all the legitimate card details onto the fresh magnetic stripe of a blank card, thereby cloning the card and using it to buy high-ticket items.

Hladyr took part in uploading and organizing all that stolen card data, and the malware that got it into Fin7 hackers’ hands. He created HipChat user accounts for Fin7 members, and he created the “rooms” where they shared and organized the card data.

While Hladyr was working as sysadmin for Fin7, a number of the companies they victimized went public about the data breaches.

Chipotle was one: the restaurant chain reported a data breach in 2017 that affected most of its 2,250 restaurants. Its POS devices had been infected with malware that scraped millions of payment cards from unsuspecting restaurant-goers. More than 100 fast food and restaurant chains were infected by that malware.

Jason’s Deli was another: in January 2018, it publicly disclosed a data breach that involved about two million payment cards.

Hladyr’s take: he made at least $100,000 for his participation. That’s how much his financial payback could reach, according to the plea agreement.

As far as how much Fin7 raked in, the Feds say that its criminal activities led to over $100 million in costs to financial institutions, merchant processors, insurance companies, retailers, and individual cardholders. Those costs include the fraudulent purchases made with the stolen card details, scrubbing Fin7 malware from compromised systems, and slogging through law enforcement investigations.

So that’s one chapter in the story, but it’s far from over. Fin7 is still going strong. In fact, as of last year, Gemini Advisory – a threat intelligence firm – estimated that Fin7 was pulling in at least $50 million a month. Given that they’ve been at this for years, they likely have at least a billion dollars on hand, according to Dmitry Chorine, Gemini Advisory cofounder and CTO.

That’s a lot of money to devote to staying hidden, he said.

Not to take away from the investigative and prosecutorial work that led to the first-ever Fin7 guilty verdict, mind you. But with money like that, these guys are playing the long game. There are many more chapters in the Fin7 book yet to wind up in the courts.

Stay tuned for the next two chapters: Already in hand are the two other alleged Fin7 members, Dmytro Fedorov and Andrii Kolpakov, arrested and indicted along with Hladyr in August 2018.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DC2ee9v8THo/

Mozilla Private Network VPN gives Firefox another privacy boost

Is this week’s test pilot launch of Mozilla Private Network the moment browser VPNs finally become a must-have privacy feature?

Available as a free beta extension for desktop Firefox, initially in the US only, its arrival is certainly promising.

It’s not the first browser to offer this feature – that honour goes to Opera – but it is the one with the largest user base that promotes privacy for its own sake.

All users need to do is download the extension and sign in to their Firefox account (or create a new one). Then it’s a matter of clicking on the extension’s icon in the toolbar and toggling the VPN on or off as needed.

Turning it on routes and encrypts Firefox traffic through a proxy server run by Mozilla’s partner Cloudflare, which means that visited websites can’t see the user’s true IP address or location.

This doesn’t stop websites from ‘fingerprinting’ the user in other ways; however, Firefox has recently added other features that make doing that more difficult.

Still, adding a VPN to Firefox is clever because it means the privacy protection is integrated into one application rather than being spread across different services. That integration probably makes it more likely to be used by people who wouldn’t otherwise use one.

There are times when users might want to turn it off, either because the site being accessed rejects VPN connections (streaming services can be fussy) or because using it is having an impact on performance (we don’t know that Mozilla Private Network will have this effect but it’s worth keeping in mind).

Pros and cons

Turning on the VPN will give users a secure connection to a trusted server when using a device connected to public Wi-Fi (and running the gamut of rogue Wi-Fi hotspots and unknown intermediaries). Many travellers use subscription VPNs when away from a home network – the Mozilla Private Network is just a simpler, zero-cost alternative.

However, like Opera’s offering, it’s not a true VPN – it only encrypts traffic from one browser, Firefox. Traffic from all other applications on the same computer won’t be secured in the same way.

As with any VPN, it won’t keep you completely anonymous. Websites you visit will see a Cloudflare IP address instead of your own, but you will still get advertising cookies and if you log in to a website your identity will be known to that site.

Cloudflare conundrum

Again, as with any VPN, it’s only as private and secure as the network offering the service, in this case, Cloudflare.

Cloudflare has moved into the privacy space recently, through its public 1.1.1.1 DNS resolver, the 1.1.1.1 mobile app that uses it, and Warp, a proposed full VPN service announced some months back.

These are also being used to trial a new privacy technology called DNS-over-HTTPS (DoH), which encrypts DNS traffic so that ISPs et al can’t easily see which websites users are visiting.

Not coincidentally, Mozilla has also just announced support for this in Firefox, with Google adding the same technology to Chrome too.

But it’s still important to check any VPN provider’s privacy policy, which in Cloudflare’s case amounts to limited logging which is discarded after 24 hours (see DNS resolution policy for Firefox).

Should users trust this?

There’s no reason to suspect Cloudflare isn’t acting in good faith (and presumably Mozilla has done its due diligence) but through its CDN (Content Distribution Network) and DNS services, it is in the box seat for an enormous amount of web traffic already.

There’s a small caveat, however – like Mozilla, Cloudflare is a US company. That could mean having to comply with US government demands for access to data on its users, backed by the force of law.

Assuming it disposes of data as quickly as it says it does (and Mozilla gathers very little), it’s hard to see that this would be useful to the feds, but it’s still worth mentioning.

And mobile?

Mozilla hasn’t said when the Mozilla Private Network will be available for mobile users although when it appears it will presumably look something like Cloudflare’s own 1.1.1.1 app, perhaps built into Mozilla’s mobile privacy browser, Focus.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MYg9gnQyZ7o/

Leaky database full of fake Groupon emails turns out to belong to crooks

Having stumbled upon what initially looked like a bug in a ticket processing platform used by Groupon and other big online ticket vendors like Ticketmaster and TickPick, vpnMentor’s research team, led by Noam Rotem and Ran Locar, determined that it actually belonged to crooks who were ripping off those ticket sellers… and doing an #epicfail at locking down their database-o-fraud.

According to their report, published in a vpnMentor blog post several weeks ago, the researchers came upon a huge cache – 17 million publicly available emails and 1.2 terabytes of data – as part of a larger web-mapping research project. In that project, they port-scan known IP blocks and use what they find to identify holes in a company’s web systems.

They found the goodies publicly posted in an Elasticsearch cloud database that somebody forgot to slap a password onto.

It looked like the breach gave unrestricted access to the personal details of anyone purchasing tickets from a website using NeuroTicket, which appeared to be a mailing system linked to the database.

Initially, Rotem and Locar believed that the vulnerability compromised customers of a slew of small, independent performance venues – including a number of ballet spaces and theaters. They believed two of the biggest online ticket vendors were also affected: Ticketmaster and TickPick.

But the bulk of the database – 90%, or 16 million records – pertained to Groupon, the popular coupon and discounts website. They sussed that out by the presence of Groupon’s newsletters and promotional emails among the records.

Neuro-WHO?

But the researchers’ suspicions were aroused when they started to look around for information on that NeuroTicket email system attached to the Elasticsearch database. You’d be suspicious too, were you to do the same – among the top search results I found was a bizarre YouTube video with rally bed spahlling and turble gremar sintax and a “NOT SECURE” site with a bunch of other Neuro-somethings listed.

What I now consider to be an understatement from the researchers:

Finding any information on Neuroticket proved difficult. Considering it seemed a popular piece of software, it didn’t even have a website.

(…though its nonexistent website has been rated favorably by a “ScamAdviser” site… in spite of having 0 reviews …so, buyer beware if you use one of these reputation rating sites before you buy a domain!)

Rotem and Locar also began to question the validity of the email addresses in the database. To test whether they were fake or not, they randomly selected 10 of them and wrote to the supposed owners.

Only one person replied to us.

Finally, they reached out to Groupon, and that’s when they discovered that what they’d uncovered wasn’t a run-of-the-mill database leak. Rather, they’d exposed what they called “a massive criminal operation that has been defrauding Groupon and other major online ticket vendors at least since 2016.”

Groupon’s three-year chase

After Groupon’s security team took a look at the database, cross-referencing it with information from their internal systems, they linked it to a criminal network they’ve been chasing for three years.

Back in 2016, the criminal network opened two million fraudulent accounts on Groupon. They used stolen credit cards to buy tickets through the Groupon accounts, and then they’d turn around and resell them to unsuspecting buyers.

Groupon had managed to close most, but not all, of the bogus accounts. Groupon’s Chief Information Security Officer (CISO) estimated that there were some 20,000 of these fake accounts in the network that the researchers helped to uncover.

How the ticket reselling fraud worked

The Elasticsearch database held emails that had been sent to the bogus accounts and filtered out for further analysis by the crooks. The researchers said that the crooks would extract tickets from the emails, which, for example, came in PDFs from Groupon.

Then, they’d sell those tickets, which are sometimes worthless when you show up at the event.

What do you mean, my ticket isn’t valid?!

CNET talked to Jack Slingland, vice president of operations at TickPick, who declined to comment on the researchers’ findings but who did say that the company is always on the lookout for fraud. Slingland said that customers who purchase tickets resold through TickPick are guaranteed comparable tickets if they find they’ve been sold a fraudulent ticket.

That guarantee is off the table, though, if the ticket comes from another ticket-selling site, he said.

The ransom note

The crooks’ database wasn’t just up on a website, visible to anybody with the right IP address. It was up on a website, unprotected, so that another bunch of crooks could come along and slurp up all the data… and then try to ransom it to the crooks who gathered it.

That’s exactly what happened. Embedded in the database, Rotem and Locar found a ransom note. The data kidnapper claimed to have extracted information from the database, and they demanded a ransom of $400 in Bitcoin, in exchange for not releasing the stolen data and subsequently deleting it.

It seems, at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners.

Rotem and Locar said that this is a known issue with many open databases and is usually triggered by automated scripts, as opposed to being an attack that was manually launched by humans.

In other words, it was a brainless attack, launched against a database run by crooks who were mud-dumb about infosec. Isn’t it refreshing to see a reminder that cybercriminals aren’t always all that slick?

The database is now offline.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GRSpDu39Kqg/

From pen-test to penitentiary: Infosec duo cuffed after physically breaking into courthouse during IT security assessment

Updated Two men hired to assess a court record system’s computer security were arrested Wednesday – after they were caught physically sneaking into a courthouse.

According to the Des Moines Register today, infosec pros Gary Demercurio and Justin Wynn were cuffed by deputies in Iowa, USA, after they tripped an intruder alarm at a Dallas County courthouse.

The two men, who now face burglary charges, said they were attempting the break-in as part of a penetration test the county court had paid their employer, security biz Coalfire, to perform against the court’s electronic records system.

In other words, the ethical hacker duo were pen-testers just trying to get physical access to computers managing or storing court records as part of a planned security probe.

Here’s where things jump the tracks. The Dallas County court officials fully acknowledged they hired the two experts to test the security of their IT system. The bureaucrats were, however, unaware the tests could also involve physical break-ins, it is claimed.

“The two men arrested work for a company hired by [the state court administration, or SCA] to test the security of the court’s electronic records,” Iowa’s judicial branch said in a statement on the matter.

“The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building.”

Those familiar with pen-testing procedures were quick to point out just what a colossal failure had to occur to create these sort of circumstances.

So, while it seems that the whole thing will be settled shortly, as of Thursday the two men remain in police custody – a court date is reportedly set for September 23 – on $50,000 bond. Coalfire has yet to respond to requests for comment. ®

Updated to add

“We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client,” a spokesperson for Coalfire told us Thursday evening.

“However, we cannot comment on this situation or any specific client engagements due to the confidential nature of our work and various security and privacy laws. Additionally, we cannot comment on this specific case as it is an active legal matter.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/13/pentest_arrest_coalfire/

From PowerShell to auditing: Expand your cybersecurity know-how at SANS London 2019

Promo The internet is full of powerful, fast-changing hacking tools and malicious actors who know how to use them. That makes the regular training events held by IT security specialist SANS Institute an essential destination for technology professionals keen to sharpen their defensive skills and protect their organisation against today’s ever-more ingenious attackers.

The SANS London 2019 event taking place from 14-19 October offers a choice of ten immersive training courses aimed at all skill levels.

Attendees are also welcome to attend two additional evening talks that dive into the latest threats and tools to defend against them. Who is in your wallet? Capital One debrief and postmortem with Eric Johnson, and CYA by using CIA correctly for a change with Keith Palmgren, will be held in the evening after training. These talks are a great opportunity to network with like-minded individuals and get a detailed look into topics led by industry leading practitioners.

All the training courses are led by experienced practitioners and prepare students for valuable GIAC certification. Attendees are assured they will be able to use their newfound knowledge as soon as they return to work.

Here’s a summary of the scheduled courses:

Introduction to cyber security

A hands-on course for IT-aware students with no cybersecurity experience. Learn the basics of terminology, networks, security policies, incident response, passwords, and cryptographic principles.

Security essentials, bootcamp style

Would you be able to find compromised systems on your network? Do you know if all your security devices are configured correctly? Are proper security metrics set up? This uses a bootcamp-style format reinforced with hands-on labs.

Hacker tools, techniques, exploits and incident handling

A survey of criminals’ hacking tools and techniques, from cutting-edge attack vectors to the golden oldies. Follow a step-by-step process for responding to incidents and explore the legal issues.

Securing Windows and PowerShell automation

How to use PowerShell to automate Windows security management across an Active Directory enterprise, with damage control built in from the beginning.

Securing Linux/Unix

In-depth coverage of security including real-world examples, tips, and tricks. Discover the vulnerabilities in common Linux and Unix applications.

Cloud security and devops automation

Building secure infrastructure and software using devops and cloud services. Practise using popular open-source tools such as Puppet, Jenkins, GitLab, Vault, Grafana, and Docker to automate configuration management, continuous delivery, containerization, micro-segmentation, compliance, and continuous monitoring.

Web app penetration testing, and ethical hacking

Web app flaws play a major role in breaches and intrusions. Learn a repeatable process to spot them and how to ensure your organisation is aware of the risk.

Network penetration testing, and ethical hacking

A course on conducting high-value penetration-testing projects, with more than 30 hands-on labs. It covers planning, scanning, password attacks, and web app manipulation. Learn how to mine blogs, search engines, and social networking sites using best-of-breed tools.

Implementing and auditing critical security controls

Delve deep into the techniques and tools needed to implement and audit Critical Security Controls, a comprehensive security framework based on actual attacks documented by the US Center for Internet Security. The course covers a wide range of known attacks, and how to identify and stop them.

Auditing and monitoring networks, perimeters, and systems

Performing enterprise IT security audits can be daunting. Find the answers to questions such as which systems should you audit first? How do you assess the risks? What settings should you check?

If you are not able to make the SANS London October training event, there is another training event in London taking place in November, and SANS has also announced its training dates for the first part of 2020. Pro tip: keep your agenda free for 25-26 November for CyberThreat: the highly technical and inspiring summit co-hosted by SANS and the NCSC is returning to London with a mind-blowing programme.

Read the full details and register right here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/13/sans_london/

Mystery database left open turns out to be at heart of a huge Groupon ticket fraud ring

Updated We have a new twist on the “researchers find unprotected public-facing cloud-hosted database” story, as one recently uncovered archive turned out to be at the heart of a years-long fraud operation.

The folks at VPNmentor said they were confused when first encountering a mystery database that contained details on scores of accounts on ticket purchasing sites. The profiles were all seemingly interested in events at small, independent theaters and music venues.

Essentially, a bunch of crooks had assembled their own database of online accounts they had created to use for fraud – and then accidentally left that database facing the public internet.

“The breach seemed to give access to personal details of anyone purchasing tickets from a website using Neuroticket,” explained the VPNmentor team, headed up by Noam Rotem and Ran Locar, on Wednesday. “Initially, we believed this vulnerability compromised customers on these websites.”

Even more curious, when the team tried to track down the owners of the email addresses listed in the database, they got few responses, indicating the vast majority were fake accounts created by crims for mischief and fraud.

When efforts to tie the records to a breach of Neuroticket, Ticketmaster, or Tickpick all resulted in dead ends, the team noticed that around 90 per cent of the records also referenced Groupon.

When the VPNmentor crew got in touch with Groupon, they had their breakthrough. It turns out the accounts had all been used to purchase tickets for gigs, plays and concerts that were on offer through Groupon deals. What’s more, Team VPNmentor claims, Groupon immediately recognized the purchases as being the work of a fraud ring it had been tracking since 2016.

The fraudsters in this case used an army of fake accounts and stolen credit card numbers to make bulk purchases of tickets being offered at a discount on Groupon. Those tickets were then resold by the fraudsters at full price (or at a markup) to turn a quick profit.

“Groupon had been able to close most of the accounts, but not all of them. The operation has remained resilient, despite excellent work by the company,” VPNmentor’s team said in their write-up.

“Groupon’s Chief Information Security Officer (CISO) estimates the number of fraudulent accounts in the network we helped uncover to be as high as 20,000.”

It gets even more bizarre. When combing through the records in the database, the VPNmentor crew found a note from another hacker who had stumbled on the exposed silo.

“Claiming to have extracted information from the database, it demanded a ransom of $400 in Bitcoin, in exchange for not releasing the stolen data to the public and subsequently deleting it,” the team notes.

“It seems, at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners.”

UK-based bug-hunter Oliver Hough also says he came upon the database a while ago, but was unable to connect the dots with Groupon.

The moral of the story is, as always, keep track of your cloud database instances and always make sure public access is disabled. Even if you’re a crook. ®
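The failure behind both versions of this story (the Elasticsearch instance “somebody forgot to slap a password onto” and the moral above) is a configuration one, so here is an added example of the check a practitioner would run over an elasticsearch.yml before exposing a node. This is illustrative code written for this page, not vpnMentor’s or Elastic’s; it reads only the flat `dotted.key: value` lines the file uses (standard library only, no PyYAML) and assumes the 6.8/7.x-era defaults of 2019, where `network.host` defaults to loopback and `xpack.security.enabled` is false unless set. Both configs in the block are constructed for the example.

```python
"""Added example: flag an Elasticsearch node that is reachable from the network
with no authentication, the condition behind the leaked fraud database above.
Illustrative code for this page; assumes ES 6.8/7.x defaults (security off,
loopback bind) and flat key: value config lines.
"""

PRIVATE_BINDS = {"", "127.0.0.1", "::1", "localhost", "_local_"}
TRUE_VALUES = {"true", "yes", "on", "1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse 'key: value' lines, dropping comments and surrounding quotes.
    Nested YAML blocks are out of scope; elasticsearch.yml is normally flat."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(config_text: str) -> list:
    """Return findings, most severe first; an empty list means nothing flagged."""
    s = parse_flat_yaml(config_text)
    bind = s.get("network.host", "")
    exposed = bind not in PRIVATE_BINDS            # listens beyond loopback
    auth_on = s.get("xpack.security.enabled", "false").lower() in TRUE_VALUES
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() in TRUE_VALUES

    findings = []
    if not auth_on:
        findings.append("xpack.security.enabled is off: the REST API accepts "
                        "unauthenticated requests (reads, writes, index deletion)")
        if exposed:
            findings.insert(0, f"CRITICAL: network.host={bind!r} with no "
                               "authentication: anyone who can reach the port owns the data")
    if exposed and not tls_on:
        findings.append(f"network.host={bind!r} without "
                        "xpack.security.http.ssl.enabled: traffic in cleartext")
    return findings


# Constructed: the shape of config that produces an open database.
WEAK_CONFIG = """\
cluster.name: tickets
node.name: node-1
network.host: 0.0.0.0          # reachable on every interface
http.port: 9200
# no xpack.security.* lines: security stays at its default, off
"""

# Constructed: same node bound to one address, with auth and TLS turned on.
HARDENED_CONFIG = """\
cluster.name: tickets
node.name: node-1
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_elasticsearch(cfg) or ["no findings"]:
            print(" -", finding)
```

The config check is one layer; the ransom note the researchers found shows why a second layer matters. Automated scripts sweep the whole IPv4 space for port 9200, so a node must also be unreachable from the internet at the network level (security group or firewall rule), and the check worth repeating from outside is simply whether an unauthenticated request to the node’s HTTP port returns cluster data instead of a 401.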

Updated to add

Since publication, Groupon has dropped us a line to stress its own systems were not compromised by criminals, and that the exposed database appears to be full of marketing emails. No more than 673 purchases were made by the crooks, Groupon added.

Furthermore, Groupon says it doesn’t know if the database is related to its 2016 investigation, as claimed by VPNmentor. “There are some similarities, but we have no evidence they’re related or connected,” a spokesperson for the voucher biz said.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/12/database_groupon_scam/

Eco-activists arrested by Brit cops after threatening to close Heathrow with drones

Five people have been arrested by the Metropolitan Police for threatening to fly drones around London’s Heathrow airport this Friday to protest climate change.

The group announced at the end of August that they were planning to disrupt the airport – one of the world’s busiest – this coming Friday and would meet with the police and airport authorities to discuss their plan. On Tuesday, they reiterated that plan, stating that they were prepared to go to jail to carry out the action.

Predictably enough, the police arrested them. “Earlier today (Thursday, 12 September), three men and two women aged between their 20s and 50s were arrested on suspicion of conspiracy to commit a public nuisance in relation to operations at Heathrow Airport on Friday, 13 September,” reads the Met’s official statement.

It continues: “Two men were arrested on Pritchard’s Road, Bethnal Green, E2. Two women and one man were arrested on Hornsey Lane, N6. They have been taken to a London police station.”

The group, which calls itself Heathrow Pause, claims not to be interested in self-promotion, but its members have gone to some lengths to appear on TV, actively and repeatedly contacting journalists and posting their subsequent appearances on its webpage.

The group also appears to believe that its approach of telling the police when it intends to carry out an illegal act, and offering to meet with police to discuss the illegal act, should prevent the police from arresting them before they did so.

Seemingly unaware that the police’s job is to prevent illegal activity rather than provide PR to attention-seeking buffoons, the group said it was “disappointed” that the authorities hadn’t warned the public that Heathrow was likely to be shut down because of their action. They had even given six weeks’ fair warning and picked a date that they felt would cause least disruption, they complained.

But, but, but…

“We gave the Heathrow Authorities six weeks’ notice of our intentions, with full details on our plans, the safety of the Action, our desire for an open dialogue with the Police, and all the precautions we’ve put in place. The response was, to say the least, disappointing,” he said.

“To our knowledge Heathrow has done nothing to warn passengers or airlines yet, or put in place any contingency plans, even though we strongly recommend it. Furthermore, we deliberately chose a date after the summer holidays, to minimize the disruption to families and holidaymakers.”

Continuing on this line of ‘innovative’ thinking, even though the sole intention of their action was to ground all flights in and out of Heathrow by flying drones in its airspace, they claim that it’s not their fault if Heathrow grounds all flights in response to them flying drones in its airspace.

“We’re not the ones who will be cancelling flights or grounding aircraft. Our Action is designed to be completely safe,” they stated with a monumental lack of self-awareness. “If any planes are grounded, it will be Heathrow Airport’s decision, probably thanks to pressure from their insurers.”

Aside from highlighting in an almost satirical fashion the dangerous limits to individualism, the group hopes its stupendously stupid actions and arguments will bring an end to climate change.


One of them quoted herself in a press release as saying: “I feel at the end of knowing what else to do. We know the science, we know what’s already happening to communities around the world. Unprecedented extreme weather is ripping through regions and destroying lives. The breakdown of our environment spells disaster for billions. I can’t with good conscience not act. I don’t want to get arrested, but it feels like it’s the last resort for our Government to take notice. I’m a grandmother and I care deeply about…”

I think we’ll stop it there.

Another one of the idiots had this to say about himself in a press release: “I’m mainly doing it because I’m trying to be a human being. And I’m 53. In a few decades I’m not going to be here anymore. Maybe in a few years. And when I die, I want to know I haven’t lived a lie. And for me, I cannot pretend I don’t know what needs to happen.”

Just a bad idea

The issue of drones in the airspace around airports is a serious problem: at the end of last year, Gatwick was closed for more than a day after drones unexpectedly appeared. Two weeks later, the same thing happened again. That followed on from what authorities suspect was a collision between a drone and an A320 landing at Heathrow back in April 2016, and further drone-related chaos the following year.

Of course, climate change and politicians’ failure to act in a sufficient fashion to limit it is a serious issue; one that can and should be tackled in a multitude of different ways and which will require the general public to provide the impetus.

Spouting idiotic nonsense and promising to disrupt the lives of thousands of people just to get yourself on the telly is not one of those ways. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/12/activists_drones_heathrow/

Those fake spying cell towers in Washington DC? Ex-intel staffers claim they’re Israeli

After months of speculation about who exactly was behind a series of eavesdropping fake cell towers in Washington DC, it appears the answer is Israel.

According to three anonymous senior US officials, cited in a report by Politico, the FBI carried out a counterintelligence investigation into who was behind the mobile spying installations – following a number of news reports of unusual cell activity – and concluded pretty quickly that the US ally was behind them.

“It was pretty clear that the Israelis were responsible,” a former senior intelligence official told the publication. Two other officials confirmed the official conclusion that other nation states – including China and Russia – had been ruled out and Israel was almost certainly responsible. The conclusion appears to have been reached through observation of how the data was pulled from the devices.

But despite that conclusion, and pressure from lawmakers, it appears that the Trump Administration actively decided not to push the issue, even though the target of the surveillance effort was almost certainly the president himself. President Trump has been criticized for using insecure communications – namely, his personal cell phone – to communicate with people outside the White House.

A president’s communications are usually strongly shielded from others’ ears, for obvious reasons, with calls made on secure lines and operators ensuring direct connections. But President Trump appears to revel in ignoring presidential protocol and, alongside his controversial Twitter use, frequently uses a personal cell phone to call people to ask their advice.

The cell-site simulators work by announcing themselves as legitimate cell towers, relaying traffic on to real towers while recording the phone’s information that passes through them.

Opaque

They have been used extensively by the FBI and local police forces, but their functioning and use have been fiercely protected for years, with law enforcement repeatedly dropping criminal cases rather than provide details of how they are deployed.

That level of secrecy is likely to have contributed to the decision to deploy them: with everyone refusing to acknowledge their existence, it might pass under the radar. Plus, of course, gaining direct access to the president’s, or his advisers’, private phone calls could yield hugely valuable intelligence.

Back in April, several senior Congressmen demanded “immediate action” over the mysterious fake cell towers and sent a letter to FCC chair Ajit Pai asking him to “address the prevalence of what could be hostile, foreign cell-site simulators, or Stingrays, surveilling Americans in the nation’s Capital.”

The FCC, as ever, did nothing. But Homeland Security did hold a briefing with the lawmakers and, according to a subsequent letter [PDF], provided them with a confidential briefing about what it had discovered.

It’s not clear why the information claiming Israel was behind the hacking effort has come out now, although it is notable that two days ago President Trump fired his national security adviser John Bolton, and the next day a number of Bolton’s staff followed him out the door.

One of the anonymous sources, described as a “former senior intelligence official”, was critical of the Trump Administration’s response to the conclusion that the Israelis were behind an effort to bug the president.

Calculations

“The reaction was very different than it would have been in the last administration,” they were quoted as saying. “With the current administration, there are a different set of calculations in regard to addressing this.”


Normally capturing a foreign government’s spying efforts would result in a formal reprimand but apparently that didn’t happen in this case. “I’m not aware of any accountability at all,” the former official said.

Of course, Israel has denied any involvement, with even prime minister Benjamin Netanyahu being forced to answer the allegation. “We have a directive, I have a directive: No intelligence work in the United States, no spies,” he told reporters on Thursday. “It is a complete fabrication, a complete fabrication.”

Based on his reaction to similar denials by people like Russian president Vladimir Putin, President Trump no doubt believes – or chooses to believe – that Netanyahu is telling the truth. But back in the real world, Israel is renowned for its intelligence services’ aggression and willingness to cross lines that most other security services will not.

In the meantime, if you’re not in the DC area, you can still have your private communications intercepted by the cops in Boston or – if you are a fried chicken thief – in Maryland. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/12/washington_stingray_israel/

Snoops can bypass iOS 13 lock screen to eyeball your address book. Apple hasn’t fixed it yet. Valid flaw? You decide

Video: Apple’s very latest version of iOS appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware.

Researcher Jose Rodriguez told The Register that back in July he discovered how the then-beta-now-gold version of iOS 13 could be fooled into showing an iPhone’s address book without ever having to unlock the screen.

The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the “to” field of the message, which can be accomplished via VoiceOver. The “to” field pulls up the owner’s contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.

To be clear, you need to have your hands physically on a victim’s device, and call it from another phone, to exploit this shortcoming. You can also prevent this all from happening, apparently, by disabling “Reply with Message” in your iDevice’s Face ID & Passcode settings, under the “Allow Access When Locked” section. By default, this feature is enabled, leaving iOS 13 users at risk out of the box.

Youtube Video

Similar unlock workarounds have been demonstrated by Rodriguez and other researchers in the past.

This sort of information-disclosure bug is generally considered a low-risk security flaw, not quite at the level of critical vulnerabilities that allow remote code execution, or the one-touch pwnage flaws that bring seven-figure payouts from some platforms.

Still, you would think the discovery would at least net some sort of acknowledgement and reward from Apple. Rodriguez tells The Reg that when he contacted Apple staff about the find, he was given the cold shoulder – because researchers can’t claim bug rewards on beta builds of the operating system, apparently.


“I contacted Apple asking for a gift in thanks for reporting a passcode bypass; Apple agreed to give me a gift,” Rodriguez recounts.

“I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period.”

The “gift” in question? A $1 Apple Store card to keep as a trophy. It was not the monetary payout Rodriguez was interested in, but rather the recognition from Apple for his latest find.

Not only that, but Rodriguez says that, despite sounding the alarm on the blunder months ago, his bypass method still works on the most recent gold builds of iOS 13, which will be officially released later this month and power Cupertino’s forthcoming iThings. We’ll have to see if shipping gear still suffers the issue.

Apple has yet to comment on the matter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/12/apples_ios_lock_workaround/