STE WILLIAMS

Aviation Faces Increasing Cybersecurity Scrutiny

Some aviation experts and security researchers are trying to foster closer alliances for securing airplane networks.

Aircraft control-system circuit boards and electronics littered a long table around which hackers tinkered with the mostly retired avionics equipment components, including cockpit display units and in-flight entertainment systems. The goal of this hands-on station — part of the inaugural Aviation Village at DEF CON 27 earlier this month in Las Vegas — was to give white-hat hackers a rare opportunity to learn how on-board airplane electronic devices operate and communicate.

“[The devices] are what a well-funded researcher could have access to,” says Ken Munro, a consultant with Pen Test Partners, whose embedded systems security team created and hosted the display and helped teach wannabe hackers about the components they had procured from eBay and electronic boneyards.

“We were not there just to hack planes,” says Munro, who is also a pilot. “We’re trying to build a bridge between industry, regulators, and security researchers. The last thing we want is consumer confidence to be damaged.”

The most high-profile participants in the Aviation Village were the US Air Force and the US Department of Defense Digital Service, which runs the department’s bug bounty programs. For fun the Air Force brought along an F-45 fighter jet simulator. Meantime, a team of researchers found major security holes in the F-15’s Trusted Aircraft Information Download Station, which gathers data from the jet’s video cameras and sensors in-flight.

Conspicuously missing from the Aviation Village, though, were major airplane manufacturers Airbus and Boeing, as well as big-name international airlines. Boeing said it was involved behind the scenes, however, and plans for “more active participation going forward,” a company spokesperson told Dark Reading.

The only commercial airline with a visible presence in the Aviation Village was Norwegian Air, whose CISO, Gerard Duerrmeyer, describes himself as a former cybersecurity researcher and longtime member of the DEF CON community. Duerrmeyer has been with the airline for about a year.

“I see the need to marry [my] two ‘families,’” says Duerrmeyer, who is responsible for all things IT at the airline, including the on-board airplane networks. “That’s something I have been spending a lot of time on,” working with the aviation industry to introduce it to security researchers, he explains.

Some participants privately bemoaned the lack of active involvement by airplane manufacturers and other commercial airlines. They noted the Aviation Village even had dropped the word “Hacking” from its original label, the Aviation Hacking Village, to appease aviation industry officials worried about public perception.

Boeing Front and Center
The Aviation Village debut landed on the heels of a big dustup from a major cybersecurity vulnerability disclosure earlier in the week about Boeing’s 787 airplane. At Black Hat USA, also held in Vegas, IOActive researcher Ruben Santamarta disclosed security flaws in an on-board network component on the Boeing 787 that he said could allow a remote attacker to reach the sensitive avionics network — aka the crew information systems network — on the plane.

Santamarta was able to reverse-engineer the firmware of the VxWorks 6.2-based Honeywell module, known as the Crew Information System File Server/Maintenance System Module, after discovering documentation of the device sitting on a Boeing server that was inadvertently exposed publicly on the Internet.

That firmware belongs to a core network component that segregates the on-board networks. Santamarta found buffer overflow, memory corruption, stack overflow, and denial-of-service flaws that he said could enable a remote attack.

Boeing pushed back hard on the research just prior to the presentation at Black Hat, saying its existing network defenses would thwart the attack cases Santamarta posed, and that an attacker could not reach its avionics systems via those attack methods. IOActive had been in contact with Boeing for months after the initial findings, holding weekly teleconferences.

“IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems, like the avionics system,” a Boeing spokesperson said during Black Hat. “Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed.”

Santamarta and IOActive stand by their findings, noting that Boeing had declined to provide additional information on its internal test results.

According to a Boeing spokesperson contacted last week, the company worked with IOActive to “understand” its research. “As part of the investigation, we tested in a representative Airplane Integration Lab and on a production 787 airplane to investigate the claims. We were not able to validate any of the claims and provided that feedback to IOActive. They wanted specific technical details of the protections, which we did not provide at the level desired,” he said.

But Santamarta maintains that IOActive merely was asking for more information to see why Boeing did not reproduce its findings. “It’s not like we were after technical details of their [security] protections. That’s not our interest. We were trying to understand what was going on and why they couldn’t reproduce [our findings],” he says.

Familiar Story
The apparent standoff between Santamarta and Boeing is reminiscent of a story that has played out over and over again, since Microsoft first squared off against security researchers poking holes in Windows in the early 2000s: Researchers start digging around for vulnerabilities in software and firmware, the affected vendor or industry initially ignores it or pushes back, but it ultimately relents as it’s forced to work more closely with researchers to find and fix flaws before the bad guys do.

Automakers, medical device manufacturers, and industrial control systems industries all are in various stages of this evolution right now. The auto industry has begun to accelerate its security research posture: Tesla now headlines the Car Hacking Village at DEF CON and has brought its vehicles onto the conference show floor for local inspection over the past few years.

Then there’s Toyota, which was one of the first public subjects of car hacking in 2013, when famed car hackers Charlie Miller and Chris Valasek were able to take control of the electronic smart steering, braking, acceleration, engine, and other features of the 2010 Toyota Prius and the 2010 Ford Escape. The carmaker recently released a car hacking tool of its own called PASTA, or the Portable Automotive Security Testbed, along with an open source version of the software. That is a notable shift: in 2013 the carmaker had largely dismissed Miller and Valasek’s work, saying its focus was on remote attacks and that their research did not constitute hacking because it required physical access to the vehicle.

Aviation experts say their industry’s hesitation to go all in with security researchers has a lot to do with its heavy emphasis on physical safety and concern for public perception if a vuln became publicized. Organizers of the Aviation Village emphasized over and over that the purpose of the demonstrations and workshops was not about hacking planes, and that aviation systems remain the safest, with layers of redundancy to ensure safety.

Even so, security researchers point to increasingly networked airplane systems and components, which also encompass ground networks that connect to the aircraft. They worry that aviation industry players are relying too heavily on security by obscurity and avoiding the intersection of cybersecurity and public safety.

Jen Ellis, vice president of community and public affairs at security firm Rapid7 and one of the organizers of the Aviation Village, says the airline industry has a strong history of prioritizing safety. “They collaborate and are very safety-focused. Where there’s a challenge and perhaps where they are a little behind is they haven’t necessarily yet connected the dots between safety and cybersecurity.”

Bringing the two communities together is key to starting conversations and ultimately building trust relationships. In an interview at DEF CON with Dark Reading, DHS Cybersecurity and Information Security Agency director Christopher Krebs noted that the aviation industry is undergoing a trust-building process.

“This is a community that is continuing to mature and understand what the implications are and the benefits, and sometimes the drawbacks, of engaging openly and collaborating on research,” Krebs said. “It takes time to build trust … it doesn’t happen overnight,” and there will always be some friction between the vendors and researchers, he noted.

Rapid7 researcher Patrick Kiley, who recently found and reported vulnerabilities on the CAN bus of a general avionics system used mainly in small private aircraft, had a less contentious experience than IOActive. His firm decided not to publicly name the affected vendors since it was an underlying CAN bus issue not specific to the vendors’ equipment Kiley had hacked. Even so, he doesn’t know whether the vendors actually fixed the flaws he found.

“I let the vendors know what I did with the equipment, and they didn’t indicate what they would do or change. They thanked us and sent us along our way,” Kiley says.

He hopes aviation vendors will get more comfortable with letting third-party researchers and others analyze their code before they deploy it. “We want to get ahead of this problem,” says Kiley, who showed a demo of his research at the Aviation Village. “We want to work with the industry instead of work against them.”

The Problem With Plane-Patching
As with other industrial system operators, software and firmware patching in the aviation industry is complicated. Safety and availability of plane systems are prioritized over a new feature or bug fix.

Retired US Air Force pilot Steve Luczynski, CISO at TRex Solutions and an organizer of the Aviation Village, says the goal is to find vulnerabilities and issues in components, in systems, or in the supply chain before they are deployed. Cybersecurity in aviation should learn from the industry’s physical safety redundancies. “It would be nice not to relearn” those lessons with cybersecurity, according to Luczynski, but rather to build security in from the start.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/risk/aviation-faces-increasing-cybersecurity-scrutiny/d/d-id/1335610?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Tops Phishers’ Favorite Brands as Facebook Spikes

Microsoft remains the favorite brand to spoof in phishing campaigns, but more attackers are impersonating Facebook.

Cybercriminals often exploit victims’ familiarity with popular brands to manipulate them into falling for phishing campaigns. Microsoft is the most common brand to spoof, researchers report, with PayPal in second place and Facebook rapidly catching up in a close third.

The “Phisher’s Favorites” report, released today by Vade Secure, ranks the 25 most impersonated brands in phishing attacks based on unique phishing URLs detected within each quarter. Microsoft has held the top spot every time, a trend it continued in the second quarter of 2019, when 20,217 unique Microsoft phishing URLs were detected — more than 222 per day. This marks a 6.8% decline from the first quarter but a 15.5% increase from Vade Secure’s first report. (The report is now in its fifth edition.)

Microsoft remains phishers’ favorite due to its size and the high value of Office 365 credentials, explains Adrien Gendre, chief solutions architect at Vade Secure. Its latest quarterly earnings reported more than 180 million active monthly enterprise users on Office 365; IDC estimates the platform makes up 47.6% of enterprise cloud email implementations. Office credentials offer a single point of entry to files, data, and contacts in SharePoint, OneDrive, and Skype.

“While hacked Office 365 credentials can certainly be used to access sensitive company information and files, the real driver is east-west movement via insider attacks,” says Gendre of attackers’ motivation. “Detecting display name spoofing or close cousin domains is relatively easy; detecting attacks coming from legitimate email accounts is much harder.”

It’s easy to manipulate employees with fake Microsoft emails because the Office 365 platform “is the lifeblood of businesses,” he continues. Most can’t do their jobs without access to email, chat, and other productivity and file management tools, which is why they’re compelled to take action when an email appears notifying them their Office 365 account has been suspended. Other phishing attacks may contain links to OneDrive or SharePoint documents, Vade analysts found.

Microsoft beat PayPal by more than 4,300 phishing URLs in the second quarter, but emails impersonating the payment service were up nearly 112% year-over-year. A global user base makes it a popular target, and stealing PayPal credentials leads to quick payback for attackers. Most PayPal phishing emails claim a recipient’s account has been blocked or suspended, prompting them to go to a fraudulent page to confirm or restore their account.

Phishers Get Social
Facebook isn’t far behind: After a consistent decline in the second half of 2018, URLs spoofing the social media giant spiked 155% in the first quarter of 2019 and 175.8% in the second quarter. “The fact that Facebook phishing has increased significantly for two straight quarters is an indication to me that these attacks are working,” Gendre says. Headlines about Facebook’s privacy issues, and communications from the company about updates to its terms of use and privacy policies, also give attackers opportunity to strike.

The increase may also be attributed to Facebook Login, or the social sign-on using Facebook accounts. With Facebook credentials, attackers can see which other apps a user has authorized with Facebook Login and compromise those accounts. With access to Facebook Messenger, they may also target a victim’s contacts with additional phishing scams, Gendre points out.

Still, he doesn’t think the growth will last. “The reason is that the potential payback isn’t as direct as it is for Microsoft and PayPal,” he says. “There also isn’t a strong corporate angle, which is where most hackers are increasingly setting their sights.”

Social media also saw the most quarter-over-quarter growth of all industries; phishing in this sector accelerated from 74.7% in the first quarter of 2019 to 130.7% in the second, entirely driven by Facebook phishing URLs. Still, social media phishing campaigns only made up 16% compared with other industries, putting the industry in third. Cloud is still in the top spot (37%), followed by financial services (33%).

Amazon Rises Up the Ranks
One of the findings that surprised Gendre most was the growth in Amazon phishing, which increased 182.6% throughout the first quarter and 411.5% year-over-year. But the spike wasn’t what stood out to him — it’s the fact Amazon wasn’t a popular target sooner.

“Amazon is one of those brands that straddles the consumer and corporate worlds and could thus be an effective lure for both audiences,” he explains. “No one wants to have an order canceled because of a declined payment, or they want to know immediately about a delay with their shipment.”

There was a spike in Amazon phishing URLs on May 5, around the time reports surfaced of a new Amazon phishing kit. Another spike occurred on June 19 after Prime Day was announced. Analysts noticed a wide variety of Amazon phishing emails, which manipulate victims with messages about Amazon rewards, loyalty vouchers, “exclusive product,” or “special surprise.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/microsoft-tops-phishers-favorite-brands-as-facebook-spikes/d/d-id/1335615?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Time to Get Smarter About Threat Intel

Bad actors move faster than threat intelligence feeds and the infosec pros who monitor them, notes Joakim Kennedy, Threat Intel Manager for Anomali Research. Organizations need to establish a dedicated team to manage threat intel, and an adequate budget. Kennedy also encourages intelligence sharing as part of a stepped-up protection strategy.

Article source: https://www.darkreading.com/time-to-get-smarter-about-threat-intel/v/d-id/1335605?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google patches 8 security holes in Nest cameras

After last week’s heated debate about whether Google Nest owners should be able to turn off their webcam’s recording LED, this week they have something more conventional to worry about – security flaws.

The list of vulnerabilities recently discovered by Cisco Talos researchers relates to one model, the Nest Cam IQ Indoor camera.

As $249 webcams go, this one has plenty of features, including a 4K resolution sensor, facial recognition, noise and echo cancellation, and Google’s Voice Assistant integration to control other Nest products.

There are eight CVE-level vulnerabilities in total, five relating to the Weave protocol binary built into the camera (used to set it up), and three in the Openweave interface (this being the open source version of Weave).

Three (CVE-2019-5043, CVE-2019-5036, CVE-2019-5037) could be used to bring about denial-of-service, two allow code execution (CVE-2019-5038, CVE-2019-5039), two make possible information disclosure (CVE-2019-5034, CVE-2019-5040), and one (CVE-2019-5035) is described as a “pairing brute force vulnerability.”

However, the two with the highest severity scores are CVE-2019-5035 and CVE-2019-5040 – the first potentially allowing device takeover, the second potentially allowing data from the device to be intercepted.

It’s unlikely that these flaws could be exploited remotely and a few of them would require some effort even from the local network.

Updating

According to Google, the Nest Cam IQ will update itself automatically as long as it is connected to the internet, but users should bear in mind that:

We push updates to Nest cameras in batches. Because we don’t push the update to all Nest cameras at the same time, you might not get it immediately.

While updating can’t be initiated manually, it is possible to check the firmware version by selecting a camera using the Nest app, tapping on Settings in the top right corner, selecting Technical Info and looking for the current version.

The updated version is 4720010. If you see anything earlier than this, that means updating hasn’t happened yet.

And don’t forget, if you’re using a second-hand Nest webcam – make sure the previous owner can’t use it to spy on you either.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/b8ycfMnDE9o/

The Silence hacking crew grows louder

The Silence crew is making a lot more noise. The Russian-speaking hacking group, which specialises in stealing from banks, has been spreading its coverage and becoming more sophisticated, according to a new report from cybersecurity company Group-IB.

It follows a report from the company last year which was the first to identify and analyse the Silence group. You can find both reports here.

Group-IB characterises Silence as a young and relatively immature hacking group that draws on the tools and techniques of others, learning from them and adapting them to its own needs. It has been traditionally cautious, waiting an average of three months between attacks.

That hasn’t stopped it profiting, though. A string of heists has brought the group’s total ill-gotten gains to $4.2m as of this month. As it evolves, the group has been broadening its geographical reach and developing new malware to refine its techniques, the report says.

It has also added a new step to its hacking process: a reconnaissance mail. Since late last year, it has started sending emails to potential targets containing a benign image or link. This helps it update its active target list and detect any scanning technologies that the victims use.

Then, armed with a list of valid addresses, it sends them a malicious email. It can carry Microsoft Office documents with malicious macros, CHM files (Compiled HTML, often used by Microsoft’s help system) or .LNKs (a link to an executable file). Successful exploits install the group’s malware loader, Silence.Downloader (aka TrueBot). It has rewritten this loader to build encryption into some of the communication protocol with the command and control (C2) server.

More recently, the group has begun using a fileless loader called Ivoke, written in PowerShell. Silence began using fileless techniques later than other groups, showing that they are studying and then modifying other groups’ techniques, Group-IB said.

These loaders send information about the infected system to a C2 server, which prompts a manual command from the operator. They install either Silence.Main, a modular trojan that controls the victim’s computer and is updated from a Windows C2 server, or another newer trojan called EDA. EDA illustrates the group’s willingness to stand on the shoulders of giants – it is based on two open-source projects, Empire and dnscat2, which are both tools designed for penetration testing.

The group also uses a range of tools enabling it to move laterally across the victim’s network and to control ATMs.

Silence began by targeting Russian organisations but then shifted to former Soviet countries. Since Group-IB’s first report, Silence has turned its attention to the rest of the world. Last November, it hit targets in 12 Asian countries, leading with Taiwan, Malaysia and South Korea. It also sent recon emails – although in smaller numbers – to British targets in October, followed by a malicious mail campaign against financial institutions in the UK on 4 January 2019.

However, it is still active in Russia and the former USSR, sending out 84,000 emails in Russia alone between 16 October 2018 and 1 January 2019.

In February, it managed to pilfer 25m roubles ($400,000) from the IT Bank in Omsk, Russia. This followed a phishing campaign in which it mailed malicious attachments to bank employees inviting them to the International Financial Forum.

In May, seven men wearing masks took $3m from ATMs at Dutch-Bangla bank in Bangladesh. That was a landmark heist for the group, because it was the first time that it had used Ivoke. They made phone calls when at the ATM, prompting a third party to send a command that dispensed cash from the machine, indicating that the machines were remotely controlled using Atmosphere, an ATM malware tool that has become Silence’s stock in trade.

Police arrested six of these mules, all Ukrainian, who had flown in the previous day. Group-IB said:

The arrests of their money mules in Bangladesh did not slow the group down, and the hackers continued to expand their geography.

Most recently in July, the group successfully attacked banks in Chile, Bulgaria, Costa Rica, and Ghana. This was the first time it used the EDA trojan.

One significant nugget from the report is that the group was able to impersonate a real bank when testing its Russian addresses in a mass reconnaissance email campaign on 18 October 2018. This was possible because the real bank wasn’t publishing a Sender Policy Framework (SPF) record, a key technology that helps receiving mail servers reject forged senders and so prevent phishing. The moral of that story? Implement SPF for your domain. It’s like a vaccination – it’s for the good of the herd.
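To show why a missing SPF record leaves a receiver with nothing to reject on, here is an added example (not code from Group-IB’s report): a minimal SPF evaluator in the style of RFC 7208, run against a constructed, offline zone in which `bank.example` publishes a record and `nospf.example` does not. Only `ip4`, `ip6`, `include` and `all` are handled; domain names and addresses are made up.

```python
"""Minimal SPF evaluator over a constructed zone (no real DNS is queried)."""
import ipaddress

# Constructed zone: domain -> TXT records. bank.example authorises one /24
# plus whatever mailer.example authorises; nospf.example publishes no SPF.
ZONE = {
    "bank.example": ["v=spf1 ip4:203.0.113.0/24 include:mailer.example -all"],
    "mailer.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "nospf.example": ["some unrelated txt record"],
}

# Qualifier prefix -> SPF result when the mechanism matches (default is "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, zone=ZONE):
    """Return the domain's single v=spf1 record, None if absent, or raise on duplicates."""
    records = [r for r in zone.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return None
    if len(records) > 1:
        raise ValueError("multiple SPF records")  # RFC 7208 treats this as permerror
    return records[0]


def check_spf(sender_ip, domain, zone=ZONE, depth=0):
    """Evaluate sender_ip against domain's SPF policy and return an RFC 7208 result string."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    try:
        record = get_spf_record(domain, zone)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"                   # no policy published: receiver cannot reject
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ipaddress returns False for a version mismatch, so ip6 terms never match an IPv4 sender
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's policy yields "pass"
            if check_spf(sender_ip, arg, zone, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # a/mx/ptr/exists/redirect are out of scope here
    return "neutral"                    # nothing matched and no explicit "all"


def spf_verdicts(sender_ip, domains, zone=ZONE):
    """Evaluate one sender IP against several domains; handy for comparing policies."""
    return {d: check_spf(sender_ip, d, zone) for d in domains}


if __name__ == "__main__":
    # A forged mail from an unrelated address: rejected for bank.example,
    # but undecidable for nospf.example because no policy exists.
    for domain, result in spf_verdicts("192.0.2.44", ZONE).items():
        print(f"{domain:16} {result}")
```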

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/harEaJXHeBo/

Massive MoviePass database found exposed on public server

Last year, MoviePass CEO Mitch Lowe gloated about how the company was using subscribers’ data…

…or, rather, how MoviePass could use that data, as a company spokesman hastened to point out in the uproar that followed Lowe’s remarks at an Entertainment Finance Forum session titled, appropriately enough, “Data is the New Oil: How Will MoviePass Monetize It?”

Media Play News quoted Lowe at the time:

We know all about you.

Well, to put a rancid cherry on top of that gritty little cupcake, MoviePass didn’t just know “all about you.” It also apparently knows how to let all that knowing flop around, unprotected, on the internet.

As TechCrunch reported on Tuesday, Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently stumbled across a massive database – TechCrunch’s Zack Whittaker reported that it contained 161 million records “and growing” as of the time he published his report – on one of the movie ticket subscription service’s subdomains.

Up for grabs were mundane logging messages, but the exposed records also included critical data, including customer card numbers and personal credit cards of some subscribers. There were 58,000 subscribers’ cards exposed as of Tuesday, and the number was growing.

And as Whittaker explains, MoviePass customer cards are similar to normal debit cards: issued by Mastercard, they store a cash balance, which subscribers can use to pay to watch a catalog of movies. Subscribers pay a monthly fee, and then MoviePass uses this debit card to load the full cost of the movie. The subscriber then uses that MoviePass card to pay for the movie at the cinema.

All for want of a… password?!

Was it an esoteric hack that got the database there? A hole in cybersecurity defenses? Not really, Hussein said. It was because somebody neglected to protect a critical server with a password.

To make matters worse, none of the sensitive data was encrypted. Hussein:

We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data. In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext – let alone the fact that the data set was exposed for public access by anyone.

It’s unfortunate that a company that knows “all about you” can somehow forget to know that it should lock up all that it knows.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/I_WpJujTJuc/

Update now! Microsoft patches its Android RDP app to fix flaw

Microsoft has added its Android Remote Desktop Protocol (RDP) app to the list of client software that needs updating to fix a security flaw first made public as part of July’s Patch Tuesday.

The flaw, tracked as CVE-2019-1108, was described as an information disclosure issue that could allow an attacker “to connect remotely to an affected system and run a specially crafted application.”

Although the rating made it sound less urgent, attackers are known to be very interested in RDP weaknesses, hence Microsoft’s caution that exploitation was “more likely.”

The fix? To apply the relevant patch for the Windows version in question (KB4507453 in the case of Windows 10 64-bit version 1903).

In a quiet update this week, Microsoft now says the same applies to its popular Android RDP app too, which can be fixed by downloading the latest version from Google’s Play Store.

It’s the sort of issue that would be easy to overlook until the app eventually updates itself, possibly days later.

RDP pain

Microsoft has found itself with a large amount of RDP-related patching work during 2019.

Only last week, August’s Patch Tuesday fixed two ‘wormable’ Remote Desktop Services (RDS, which uses RDP) vulnerabilities with a critical rating, CVE-2019-1181 and CVE-2019-1182.

Before that, of course, was the big RDP flaw of the year so far, CVE-2019-0708, better known as BlueKeep.

As far as we know, no exploits for that are in use but most people think it’s only a matter of time before criminals make their move.

And all this is before you factor in the general problem of brute-forcing attacks on machines running poorly secured RDP. (For background data on this see Sophos’s recent research, RDP Exposed – The Threat That’s Already at Your Door.)

And this isn’t just for businesses, as Pro versions of Windows used by some home users come with remote desktop as a standard feature.

You can check whether this is running in Windows 10 by visiting Settings > System > Remote Desktop. If it is for some reason and you aren’t using it, our advice is to turn it off.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fJThaqiOYmw/

Facebook delivers ‘clear history’ tool that doesn’t ‘clear’ anything

Post-Cambridge Analytica/Cubeyou/et al. privacy-stress disorder, privacy advocates, members of Congress and users told Facebook that we wanted more than the ability to see what data it has on us.

We wanted a Clear History button. We wanted the ability to wipe out the data Facebook has on us – to nuke it to kingdom come. We wanted this many moons ago, and that’s kind of, sort of what Facebook promised us, in May 2018, that we’d be getting – within a “few months.”

Well, it’s 15 months later, and we’re finally getting what Facebook promised: not the ability to nuke all that tracking data to kingdom come, which it never actually intended to create, but rather the ability to “disconnect” data from an individual user’s account.

The browsing history data that Facebook collects on us when we visit other sites will live on, as it won’t be deleted from Facebook’s servers. As privacy experts have pointed out, you won’t be able to delete that data, but you will be getting new ways to control it.

Facebook announced the new set of tools, which it’s calling Off-Facebook Activity and which includes the Clear History feature, on Tuesday.

Facebook Chief Privacy Officer of Policy Erin Egan and Director of Product Management David Baser said in a Facebook newsroom post that the new tools should help to shed light on all the third-party apps, sites, services, and ad platforms that track our web activity via Facebook’s various trackers.

Those trackers include Facebook Pixel: a tiny but powerful snippet of code embedded on many third-party sites that Facebook has lauded as a clever way to serve targeted ads to people, including non-members. Another tool in Facebook’s tracking arsenal is Login with Facebook, which many apps and services use instead of creating their own login tools.

It’s tough for users to keep track of it all, the Facebookers said:

Given that the average person with a smartphone has more than 80 apps and uses about 40 of them every month, it can be really difficult for people to keep track of who has information about them and what it’s used for.

So as of Tuesday, we’ve got Off-Facebook Activity to help. It lets users see a summary of the apps and websites that track you online and report back to Facebook. You can “clear” the information from your account if you want to, Facebook says, which is “another way to give people more transparency and control on Facebook,” along with recent updates to Ad Library, updates to “Why am I seeing this ad?” and the launch of a new feature called “Why am I seeing this post?”.

Using the Clear History tool, you can “disconnect” that data from your Facebook account. Doing so will mean that the company will no longer be able to use that information for targeted ads, including on its other products, such as Instagram or Messenger.

But that won’t stop Facebook from squeezing that data – including your browsing history, search terms, and online purchases – for other business purposes. A spokesperson told Consumer Reports that Facebook may still use the data in analytics reports for other websites, for example, and for providing advertisers with information about the effectiveness of their campaigns.

Even though you won’t be able to entirely wrestle your data out of Facebook’s maw, the Off-Facebook Activity controls are still going to usher in an unprecedented view of the information Facebook collects about us and which tools – Pixel or Login, for example – it uses to get it, regardless of whether you actually interact with a given entity or not.

Justin Brookman, Consumer Reports’ director of privacy and technology policy, is one of the experts Facebook consulted about the tools as it was developing them over the past year. He said that the new tools aren’t perfect, but at least they’re a step in the right direction – as in, a step away from third-party tracking, which he called “the original sin of the web.”

There are some shortcomings here, but giving consumers the ability to separate that tracking from their real names is a major step in the right direction.

What would make this more of a real leap instead of a baby step: giving users the ability to wipe the slate clean. Brookman:

You should be able to delete this data entirely and stop Facebook from collecting it in the first place.

…which is why there’s still plenty of room and plenty of reason for regulators and lawmakers to take action, he said.

Consumer Reports also spoke with Casey Oppenheim, co-founder of data security firm Disconnect, who had a particularly salient comment: namely, don’t rely on the fox in the hen house to “disconnect” from the hens. It’s our data, and it’s on all of us to protect it. But how many of us ever bother to change our settings?

Facebook isn’t making any changes to what it does with your information by default, and that’s a big deal. Most people don’t log on to Facebook just to monkey around with their settings. Each additional step users have to take makes it less likely that they’ll actually use these tools.

What to do?

Not much, unless you’re in Ireland, South Korea or Spain. Facebook is gradually introducing Off-Facebook Activity in those countries and plans to keep rolling it out everywhere “over the coming months to help ensure it’s working reliably for everyone.”

Months? Is that Facebook speak for “Over a year?”

Whatever! Why wait? If you want to sharpen your privacy lockdown skills, please do head on over to this walkthrough Naked Security’s Maria Varmazis put together a few months ago.

It’s for those of us who still haven’t joined Team #DeleteFacebook. It’s a nicely comprehensive look at the important settings you can change and behaviors you can implement to lock down your privacy on the social network.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OzZW7zidE7Q/

S2 Ep5: Phishing, eavesdropping voice assistants and quick fire questions – Naked Security Podcast

Episode 5 of the Naked Security Podcast is now live!

This week, host Anna Brading is joined by Ben Jones and Matt Boddy to discuss whether big tech companies like Apple, Google and Facebook are spying on you [1’43”], and to dig into the murky world of phishing [15’57”]. This week there’s also a longer Q&A section [31’04”] to answer your burning cybersecurity questions.

Do you have a question for next week’s episode? Comment below or ask us on social media.

Listen now and share your thoughts with us!

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zjk5iFHuftQ/

Shhh! Microsoft, Intel, Google and more sign up to the Confidential Computing Consortium

The Linux Foundation has signed up the likes of Microsoft and Google for its Confidential Computing Consortium, a group with the laudable goal of securing sensitive data.

The group – which also includes Alibaba, Arm, Baidu, IBM, Intel, Red Hat, Swisscom and Tencent – will be working on open-source technologies and standards to speed the adoption of confidential computing.

The theory goes that while approaches to encrypting data at rest and in transit have supposedly been dealt with, assuming one ignores the depressingly relentless splurts of user information from careless vendors, keeping it safe while in use is quite a bit more challenging. Particularly as workloads spread to the cloud and IoT devices.

Confidential Computing is therefore all about processing that encrypted data in memory without having it exposed to the rest of the system. After all, who would want a rogue process peeking into places it shouldn’t? Right, Intel?

Chipzilla and Arm have signed up to the consortium, with Intel contributing its Software Guard Extensions (SGX) SDK to the project. SGX is aimed at keeping code and data safe from prying eyes or sticky fingers at the hardware layer thanks to protected enclaves.

Microsoft, in line with its caring, sharing open-source image, is also lobbing in some of its software, in the form of its Open Enclave SDK. The open-source framework allows developers to build Trusted Execution Environment (TEE) applications using a single enclaving abstraction.

The Linux Foundation expects the results of the consortium’s efforts to lead to “greater control and transparency for users”.

Microsoft, of course, has what could be charitably described as a challenging relationship with transparency and control, lurching from eye-searing frankness in what it is slurping and how to stop it in PowerShell 7, to the shenanigans surrounding Skype, Cortana and its Speech Services.

Azure CTO Mark Russinovich was chuffed that the Windows giant was to be part of the consortium. He highlighted data at rest and data in transit as challenges that already enjoy standards, before going on to describe the possible exposure of data in use as “the critical third leg of the stool”.

Notable missing members from the gang include Apple. We contacted the fruity firm to get its take on the Confidential Computing Consortium, but have yet to receive a response. There’s a surprise. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/22/microsoft_intel_google_and_more_sign_up_for_the_confidential_computing_consortium/