STE WILLIAMS

Those facial recognition trials in the UK? They should be banned, warns Parliamentary committee

The government should slap a “moratorium on the current use of facial recognition technology”, with “no further trials” until there is a legal framework in place, a Parliamentary committee has warned today.

In an excoriating report (PDF), the Science and Technology Committee expressed a series of concerns over the government’s approach to biometrics and forensics.

Norman Lamb MP, Chair of the Science and Technology Committee, said:

“The legal basis for automatic facial recognition has been called into question, yet the government has not accepted that there’s a problem. It must. A legislative framework on the use of these technologies is urgently needed. Current trials should be stopped and no further trials should take place until the right legal framework is in place.”

There is growing evidence from respected, independent bodies that the lack of legislation surrounding the use of automatic facial recognition has called the legal basis of the trials into question, said the committee.

An independent report from Essex University earlier this month found that only eight out of 42 facial recognition matches trialled by the Metropolitan Police were accurate.

Following its publication, however, Home Secretary Sajid Javid continued to give his backing to the technology’s highly controversial use.

In contrast, Oakland, California, yesterday became the third US city to ban the use of facial recognition technology.

MPs also found progress has “seemingly stalled” on ensuring that the custody images of unconvicted individuals are deleted. “It is unclear whether police forces are unaware of the requirement to review custody images every six years, or if they are simply ‘struggling to comply’,” said the report.

There are now around 21 million shots of faces and identifying features like scars or tattoos in the custody image database. This includes images of people who haven’t been charged with a crime.

It said: “Police forces should give a higher priority in the allocation of their resources to ensure a comprehensive manual deletion process of custody images in compliance with national guidance.

“In turn, the Government should strengthen the requirement for such a manual system to delete custody images and introduce clearer and stronger guidance on the process. In the long-term the Government should invest in automatic deletion software as previously promised.”

On the subject of the government’s 27-page biometrics strategy, the committee repeated its concerns that it “was not worth the five-year wait.”

It said: “Arguably it is not a ‘strategy’ at all: it lacks a coherent, forward looking vision and fails to address the legislative vacuum that the Home Office has allowed to emerge around new biometrics.”

Ultimately, the strategy represents “a missed opportunity” to create proper oversight of the technology.

“Simply establishing an oversight board, with no legal powers, is not good enough given the highly intrusive nature of the technologies. Further, the development and use of biometric technologies must be transparent and involve as much public awareness and engagement as possible, to ensure that there is public trust in the technologies. Unfortunately, public engagement has been sorely missing from the Home Office’s approach to date.

“Its ongoing ‘consultation’ on the governance of biometrics has no published terms of reference and there is no obvious way for interested parties to participate. This is not good enough.”

The Register has asked the Home Office for a comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/18/gov_should_ban_facial_recognition_trials_immediately_warns_parliamentary_committee/


Don’t give it away, give it away, give it away now, bot busting biz tells reCAPTCHA data serfs

Analysis: Internet companies depend on free labor. Companies like Amazon, Facebook and Google rely upon content creators who give their work away for the sake of platform participation or perhaps naive altruism.

A startup called Intuition Machines believes there’s a better way, one that involves machine learning (software) and a blockchain (of course).

Google pioneered the art of harnessing latent labor online with its PageRank algorithm, which captures the work that goes into linking to favored websites and uses it to improve the relevance of its search results.

A decade ago, the Chocolate Factory acquired reCAPTCHA from computer scientists at Carnegie Mellon University and began turning the clicks of people trying to prove they’re not bots into data that improves text digitization, image annotation and machine learning projects. Everyone benefits, but none more than Google.

Intuition Machines contends that the value of what’s been euphemistically called mass collaboration, which it estimates to be 100 person-years of crowdsourced labor every day, could be better allocated through an auction-based system called hCaptcha, released earlier this year.

Internet users shouldn’t get too excited – they won’t be able to monetize their nearly worthless labor. But websites could turn these collected pennies into a bit of revenue with enough users solving CAPTCHA (completely automated public Turing test to tell computers and humans apart) puzzles. And companies in need of efficient data labeling could have access to a more efficient market to tackle such tasks.

The hCaptcha team estimates that the cost to break reCAPTCHA v3 puzzles via hacking services is about $1 per 1,000 solves or less, or $0.001 or less per answer. And it puts the cost of labeling an image – using Amazon Mechanical Turk, for example – significantly higher, at $0.03 to $1 or more per image.

The difference in those two costs translates into billions of dollars in value collected by Google over the years via reCAPTCHA clicks, at least by the calculations of the hCaptcha team.

Intuition Machines claims it can help web publishers share in that bounty by auctioning click labor to the highest bidder. The company says large publishers that serve a lot of hCaptcha puzzles can generate a thousand dollars a month or more in Ethereum tokens.

“Behind hCaptcha lies the HUMAN Protocol, an open decentralized protocol for human labor that runs on the Ethereum blockchain,” the company explained when it announced its beta test last year.

“This has many advantages: allowing ‘open books’ to prove we’re fairly distributing bounties, efficient micro-payments via Human Tokens (an EIP20-compatible token with a custom Bulk API), providing a novel mechanism to scale a two-sided market in a capital-efficient way, and more.”

Winning bidders get to present website visitors with hCaptcha puzzles for tasks that benefit the bidder’s data-gathering goals, such as object recognition, attribute detection, relevance ranking, boundary detection and identifying text in images. And even users get something out of the exchange in the form of better human-bot disambiguation, or so the company suggests.

Carrots and sticks

Google, according to Intuition Machines, has a disincentive to make its bot detection really good because doing so would reduce its ad revenue.

“If Google officially determines that a user seeing an ad or clicking a link was in fact a bot, it cannot charge for ads shown to that user,” the company explains in a blog post on Wednesday. “This conflict of interest has severely limited the scope of Google’s anti-bot ambitions.”


The firm claims that Google hasn’t developed a retroactive bot detection system – which could comb through log files to spot ad fraud and issue refunds – and says that’s a sign that the ad biz isn’t interested in making reCAPTCHA the best that it can be.

“Offering retroactive bot identification would open Google up to thorny questions of how to retroactively refund advertisers who spent money on that fraudulent traffic,” the company says. “The reCAPTCHA product has thus stagnated for a decade.”

To support that claim, the company notes that the price charged by services solving reCAPTCHA challenges has not changed since 2016. So whatever improvements Google has made since then, they have not made its puzzles harder to crack, at least from a monetary standpoint.

The Register asked the company to provide more specific data about how hCaptcha and reCAPTCHA perform. We’re told there are terms-of-service limitations that make this difficult, so the company is waiting for a third party to provide these numbers.

Along similar lines, clients have yet to give Intuition Machines clearance to talk about their use of hCaptcha. As we understand the situation, companies don’t want to be seen relying on external vendors to improve internal machine learning competency.

What’s more, CAPTCHA system comparisons, we understand, can be tricky. Simply switching from reCAPTCHA to hCaptcha can lead to a sharp reduction in bots creating fake accounts but that’s not necessarily due to superior technology. It may be because the bot scripts hitting the site have been tuned to attack reCAPTCHA. Specific adjustments to target hCaptcha might reduce its bot bounce rate.

The Register asked Google for comment but we’ve not heard back. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/18/recaptcha_replacement_google/

Fresh stalkerware crop pops up on Google’s Android Play Store, swiftly yanked offline

Seven new stalkerware apps have been spotted for sale on the Android Play Store, despite Google’s policy against the invasive monitoring tools.

By stalkerware, we mean applications scumbags can install on their spouse’s or partner’s device, or dodgy bosses on staffers’ handhelds, to silently track their whereabouts, web browsing, messaging, and other activities. It can also be installed on kids’ gadgets by watchful parents.

The mobile research team at Avast Threatlabs told The Register on Wednesday it believes as many as 130,000 people already downloaded the Android tools, which allow snoops to quietly hoover up contacts, texts, and call histories, and other private details, from devices they are installed on.

As of yesterday morning, four of the surveillanceware applications had been taken down after Avast tipped off Google; the rest have since been pulled. The apps are being pitched under the names “Track Employees Check Work Phone Online Spy Free,” “Spy Kids Tracker,” “Phone Cell Tracker,” “Mobile Tracking,” “Spy Tracker,” “SMS Tracker,” and “Employee Work Spy.”

The Avast team noted the programs are not being pitched outright as stalking tools, but rather as parental control or monitoring kit, perhaps helping them to sneak into the Play Store.

“These apps are highly unethical and problematic for people’s privacy and shouldn’t be on the Google Play Store, as they promote criminal behavior, and can be abused by employers, stalkers or abusive partners to spy on their victims,” said Nikolaos Chrysaidos, Avast head of mobile threat intelligence and security.


“Some of these apps are offered as parental control apps, but their descriptions draw a different picture, telling users the app allows them to ‘keep an eye on cheaters’.”

For those who are able to get their hands on the creepware, the installation is a multi-step process.

Avast says that the stalker must first install the setup app on the target’s phone and configure it with the email address where the harvested data is to be sent. From there, a second payload is installed and hidden, after which the setup app is deleted and the software can run without the target’s knowledge. To do this, the snooper has to get their hands on the phone unnoticed for at least a few minutes. Not difficult for a trusted employer or partner if a handheld is left lying around.

The Threatlabs team believes the apps are all the work of a Russian developer, as the apps dial back to a Russian server with an IP address previously associated with Russian domains.

The Chocolate Factory’s developer policies strictly forbid stalkerware and other covert tracking tools, and once alerted Google is usually quick to remove offending apps.

Security software firms are also increasingly classifying such apps as malicious, thanks in part to a concerted campaign by Eva Galperin, the EFF’s Director of Cybersecurity, and others. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/18/android_stalkerware/

Dutch cops collar fella accused of crafting and flogging Office macro nasties to cyber-crooks

A 20-year-old man from the Netherlands accused of building and selling Office macro malware was arrested Wednesday.

The Dutch National Police’s Team High Tech Crime (THTC) unit claimed the unnamed bloke, cuffed while on his computer as cops swooped on his home, was responsible for building, selling, and supporting the Rubella, Cetan, and Dryad malware kits.

The toolkits allowed criminals to build Office files with malicious macro code embedded in the documents. When the victim opened the file, usually delivered by spear-phishing or spam, the macro code would then proceed to download and open the malware payload.

While macro attacks are relatively old-school and don’t generate headlines the way more exotic exploits and other forms of infection do, the poisoned documents remain a tried-and-true way for criminals to sneak malicious code onto victim machines, particularly at the enterprise level where workers are used to opening documents without much scrutiny. In this case, the macro kits were every bit as polished and professional as other crimeware packages, police said.

“The toolkit was marketed with colorful banners on different underground forums,” said John Fokker and Thomas Roccia, two McAfee engineers who helped Dutch police track down the man.

“For the price of $500 per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell Code of your choice.”


Despite the seemingly sophisticated offering, the McAfee team said the developer left some very big clues that helped investigators track him down. Specifically, his obvious ties to the Netherlands.

Fokker and Roccia said they had a breakthrough when the author posted to a forum a screenshot of his malware bypassing the anti-malware tools in a localized version of Windows.

“Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used,” the pair explained. “Dutch is a very uncommon language, only a small percentage of the world’s population speaks it, let alone an even smaller percentage of cybercriminals who use it.”

At that point, McAfee said, the team focused on clues in the metadata in the attack files. The THTC also joined in, and eventually they were able to trace the clues and screen names back to one individual in Utrecht.

After the arrest, police said the man had collected around €20,000 in cryptocurrency from malware sales. That money has been seized as the suspect awaits trial. He was also in possession of card skimming information and the logins for thousands of websites, it is claimed. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/18/dutch_cops_malware_arrest/

Sprint Reveals Account Breach via Samsung Website

The breach, discovered in June, exposed data including names, phone numbers, and account numbers.

Sprint has been informing customers of a data breach discovered on June 22, in which their accounts were accessed using their account credentials via Samsung’s “add a line” website. The number of customers impacted has not been disclosed.

Information exposed in the breach includes phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address, and add-on services, according to Sprint’s notification. The notification also stresses information that might be used in financial fraud was not affected.

“Suggesting this breach does not put users at risk of fraud or identity theft strikes me as either ignorant or disingenuous,” counters Sam Bakken, senior product marketing manager at OneSpan. “Combining phone number, device type, and device ID, an attacker has the building blocks for an account-takeover scheme.”

And that could have significant financial ramifications, says Tim Mackey, principal security strategist at Synopsys CyRC. “If a malicious actor has access to the appropriate provider information, they can co-opt the user’s account either through the porting process or by simply obtaining a replacement SIM. These attacks are respectively known as ‘port-out scams’ and SIM-jacking,” he explains.

Once those steps are taken, he says, many two-factor authentication schemes become weapons rather than protections. “Once ported, the replacement device will receive all cellular messages, such as SMS,” Mackey says. “This can facilitate attacks where SMS is used as part of a two-factor identification strategy.”

The most important information about this breach, according to Bob Maley, chief security officer at NormShield, is it’s not the first Sprint has seen this year. “Earlier this year one of their subsidiaries, Boost Mobile, had a problem with a contractor,” Maley says. According to the notification Sprint sent customers for that breach, which occurred March 14, “Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code.”

“It sounds like [Sprint’s] process for risk assessment for third parties might be lacking,” Maley says. “As a CISO I’d want to know very early on when we engage a third party the sort of risk that engagement would bring to us. Are we sharing data with them? Will they have access to our systems or network? Is the service the third party providing critical to our operation?”

Samsung would have said “yes” to all three of those questions, Maley says, and so should fall under an enhanced schedule of monitoring and assessment for risk and security.

Many companies conduct risk assessment when a new third-party partner is onboarded but then fail to do regular reassessment of the risks, Maley says. “The ‘trust but verify’ model is good, but most people are just using the ‘trust’ part,” he says.

This breach is a reminder that risks should be assessed and security practices audited on a regular basis, Maley adds. In a dynamic world, he points out, security is not a one-time affair.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/sprint-reveals-account-breach-via-samsung-website/d/d-id/1335285?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

800K Systems Still Vulnerable to BlueKeep

Organizations with systems exploitable via the RDP flaw pose an increasing risk to themselves and other organizations, BitSight says.

New Internet scan data shows that if an exploit for the BlueKeep RDP vulnerability disclosed in May were to become publicly available this week, more than 800,000 systems would be at immediate risk of compromise.

The data reveals that organizations within the consumer goods, utilities, and technology industries have been the least responsive in addressing the threat, while the legal, non-profit, and aerospace/defense sectors have been the most responsive.

Security ratings firm BitSight earlier this month scanned the Internet looking for vulnerable systems with remote desktop protocol services exposed to BlueKeep. The scan showed that as of July 2, a total of 805,665 systems remain vulnerable to BlueKeep, a 17.8% decrease over the nearly 973,000 vulnerable systems that BitSight discovered in a scan it performed last month. Of the Internet-exposed systems that remain vulnerable to BlueKeep, about 105,170 are located in the US.

BitSight estimates that about 5,225 systems per day are becoming protected from the threat—about 850 of them via patching. The remaining ones are likely being configured so RDP is no longer being exposed to the Internet, according to the company.

BitSight studied the proportion of companies within each industry that had vulnerable systems exposed externally and compared that with data from the last scan. The comparison showed the number of vulnerable systems within the consumer goods sector decreased by just 5.3% over the last month, while that within the utilities and technology industries decreased by 9.5% and 11.7%, respectively. In contrast, the number of vulnerable systems within the legal, nonprofit/NGO, and aerospace/defense sectors dropped by 32.9%, 27.1%, and 24.1%, respectively.

Telecom and Ed Fail

The telecommunications and education sectors had the highest percentage of unpatched systems found online. But that’s likely because organizations in these industries often provide “transit” services to customers, and thus many of the vulnerable systems might belong to consumers and students, BitSight said in its report.

“There could be many reasons why organizations still have unpatched systems exposed, but they are incurring an ever-increasing risk of business disruption and data loss,” warns Dan Dahlberg, director of security research at BitSight. “Most importantly, these organizations not only pose risks to their own operations and their customer data, but their third parties are also indirectly exposed.”

BlueKeep (CVE-2019-0708), a remotely exploitable bug in RDP in older versions of Windows, including a couple that have been discontinued, allows attackers to take complete control of vulnerable systems and steal or destroy data on them. An attacker also could exploit it to spy on users or perform other malicious activities.

Microsoft has described the vulnerability as “wormable”, meaning malware could use it to spread autonomously from one vulnerable system to another in much the same fashion as WannaCry did worldwide in 2017. The company issued patches for BlueKeep in May, including for versions of Windows that it no longer supports.

Since then, Microsoft, the DHS, NSA, and numerous security experts have warned organizations about the severity of the threat and urged them to patch against it or take other steps to reduce their exposure. The DHS last month successfully tested a remote code exploit for BlueKeep against a legacy Windows system. There have also been numerous reports of proof-of-concept code and exploits for BlueKeep, though none are known to be publicly available so far.

EternalBlue Repeat

The new data suggests that while many companies have taken the threat seriously, others still remain exposed. In a sense, the picture is no different than that of the WannaCry pandemic, Dahlberg says. EternalBlue, the vulnerability that WannaCry exploited, became public knowledge in March 2017, and a month later an NSA-developed exploit for it had leaked. It wasn’t until May that the attacks began.

The same thing could play out now as well. “There were still a notable number of systems vulnerable to EternalBlue by the time the WannaCry attack occurred which shaped the magnitude of its impact,” Dahlberg says. Significantly, BlueKeep poses individualized risks to organizations that are not predicated on the availability of a widespread exploit. Actors can use it to perform targeted attacks as well, he warns.

Richard Gold, head of security engineering at Digital Shadows, says BlueKeep’s ability to give an unauthenticated attacker system-level privileges over the network makes it a major threat. “That is the highest level of privilege possible and if you think back to EternalBlue, the basis for WannaCry and NotPetya, this kind of access can cause major havoc.”

Gold says his conversations with customers show that one major issue for many of them is simply finding all the vulnerable systems on a network. “Then, secondarily, is the issue of taking those machines offline to patch, particularly in the cases where there is not a hot standby.”

But overall, many security teams appear to have learned from the WannaCry and NotPetya outbreaks and have been working to get a handle on BlueKeep before it gets exploited. “The community is also being particularly guarded about releasing a functioning exploit, even though multiple researchers have developed one independently of one another,” Gold notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/800k-systems-still-vulnerable-to-bluekeep/d/d-id/1335286?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bluetooth Bug Enables Tracking on Windows 10, iOS & macOS Devices

Researchers discover a third-party algorithm in multiple high-profile Bluetooth devices exposes users to third-party tracking and data access.

A team of Boston University researchers has discovered a vulnerability in several modern, high-profile Bluetooth devices that can make location and other sensitive data available to third parties.

The vulnerability exists in devices running Windows 10, iOS, and macOS, as well as Fitbit and Apple Watch smartwatches, reports David Starobinski, professor of electrical and computer engineering in the Boston University College of Engineering, and Johannes Becker, a Ph.D. candidate and graduate researcher. They discovered the bug while exploring ways to capture Bluetooth traffic.

“It came by accident when we started to analyze the data,” Starobinski says. While researching wireless security and privacy using software-defined radio, they discovered they could track devices that were supposed to be anonymizing their identity to protect the user’s location.

Bluetooth Low Energy (BLE), a fairly recent variant of Bluetooth, uses nonencrypted advertising channels to announce a device’s presence to other Bluetooth devices. The use of these public channels initially sparked privacy concerns; to address those, devices may use a randomized, periodically changing address instead of their permanent Media Access Control (MAC) address. Manufacturers can decide when, and how often, to randomize the unique address of a device.

“It’s a new feature Bluetooth LE introduced to prevent tracking,” says Becker. Because BLE lets devices continuously broadcast their presence, randomization is intended to ensure third parties don’t track a single address. But researchers found an oversight in this methodology that would allow attackers to track the device type or other data from a manufacturer. Even as randomization changes the device’s address, some identifiers of a device don’t change with it.

When two Bluetooth devices connect, the “central” device — an iPhone, for example — scans for signals sent by a peripheral device to see if it’s available to connect. These signals, or advertisements, contain the device’s random address and information about the connection. Researchers found this data updates at a different rate than the random address; as a result, attackers could potentially detect a pattern in the communication between Bluetooth devices.

“In this data that is typically sent in these advertising messages, we found that even without trying to reverse engineer what is in this data, or what this data is for … we can identify chunks in the advertising data that we can abuse as secondary identifiers, whether or not they were meant as identifiers,” Becker explains. Data unique to the device could appear random to a bystander but if it remains persistent, it can be treated as an identifier by a cybercriminal.

“If the advertising address is randomized but payloads aren’t randomized at the same time, we can use these payload pieces as identifiers to jump to the next random address,” Becker says, explaining how a specific device can be tracked over time.

To test their findings on third-party devices, the team used a modified version of a BLE “sniffer” algorithm, which passively listens to Bluetooth advertisements and doesn’t actively engage in communication. They found Android devices aren’t vulnerable to this type of exploitation as they don’t transmit advertising messages containing suitable identifying tokens. However, people using iOS, macOS, Windows 10, and Fitbit devices are exposed, they report.

“We don’t exploit any flaws in randomization, but we exploit the fact that some payloads stay constant while the address changes are unique enough to jump to the next address,” Becker adds. “For some devices we can extend trackability well beyond what the manufacturer intended.” The bug doesn’t put personal data at risk; however, researchers warn of the feasibility of BLE-based botnets or large-scale tracking via compromised Wi-Fi routers.

This vulnerability affects different devices in different ways. Windows devices, for example, randomize the address regularly and the content of advertising messages changes every hour or so, says Becker. iOS and macOS devices structure their signals in a different way and can have different types of content. Wearables and Internet of Things devices like Fitbits and smart pens don’t show address randomization, a sign that attackers wouldn’t need the algorithm to track them.
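As an added illustration of the payload-persistence problem described above (example code written for this page, not code from the Boston University team): a small audit script that takes sniffed advertisements and reports which random addresses can be chained together through payload tokens that did not change when the address did, so a manufacturer or tester can check whether a rotation schedule actually delivers unlinkability. The Advert record format, the 4-byte token length, the 60-second linking window and the sample capture are all assumptions constructed for the example.

```python
"""Audit a BLE advertisement capture for address-rotation linkability."""
from collections import defaultdict
from dataclasses import dataclass

TOKEN_LEN = 4        # bytes: minimum payload window treated as a candidate identifier (assumption)
LINK_WINDOW = 60.0   # seconds: only try to link a new address to one last seen this recently (assumption)


@dataclass(frozen=True)
class Advert:
    t: float        # capture timestamp in seconds
    addr: str       # advertising address as printed by the sniffer
    payload: bytes  # raw advertising data (a sequence of AD structures)


def ad_structures(payload: bytes):
    """Split advertising data into (ad_type, data) pairs; each structure is [len][type][data...]."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break  # zero padding or a truncated structure: stop parsing
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def tokens(payload: bytes):
    """Candidate identifiers: TOKEN_LEN-byte windows inside each AD structure.

    Anchoring on (ad_type, offset) stops a window from matching by chance at a
    different position, and skipping the len/type headers avoids treating
    structure boilerplate shared by every device as an identifier.
    """
    toks = set()
    for ad_type, data in ad_structures(payload):
        for off in range(len(data) - TOKEN_LEN + 1):
            toks.add((ad_type, off, data[off:off + TOKEN_LEN]))
    return toks


def link_addresses(adverts):
    """Chain addresses that share payload tokens across a rotation.

    Returns one dict per chain: the addresses in order of first sighting, the
    tokens that carried each link, and the span in seconds over which the
    device stayed trackable. A chain of one address means the rotation was
    not linkable from this capture.
    """
    first_seen, last_seen, addr_tokens = {}, {}, defaultdict(set)
    for a in sorted(adverts, key=lambda a: a.t):
        first_seen.setdefault(a.addr, a.t)
        last_seen[a.addr] = a.t
        addr_tokens[a.addr] |= tokens(a.payload)

    chains = []
    for addr in sorted(first_seen, key=first_seen.get):
        best = None
        for chain in chains:
            prev = chain["addresses"][-1]
            gap = first_seen[addr] - last_seen[prev]
            if gap < 0 or gap > LINK_WINDOW:
                continue  # overlapped in time (a different device) or too old to be the next rotation
            shared = addr_tokens[addr] & addr_tokens[prev]
            if shared and (best is None or len(shared) > len(best[1])):
                best = (chain, shared)
        if best is None:
            chains.append({"addresses": [addr], "linking_tokens": set(), "span": 0.0})
        else:
            chain, shared = best
            chain["addresses"].append(addr)
            chain["linking_tokens"] |= shared
    for chain in chains:
        chain["span"] = last_seen[chain["addresses"][-1]] - first_seen[chain["addresses"][0]]
    return chains


def constructed_capture():
    """Constructed sample (not a real capture): device X keeps a 7-byte manufacturer
    token across four address rotations; device Y rotates its token with its address."""
    flags = b"\x02\x01\x06"                                # Flags AD structure, common to both devices
    token_x = b"\x08\xff\xaa\xbb\x10\x20\x30\x40\x50"      # Manufacturer Specific Data, never changes
    capture = []
    for n in range(4):                                     # X: new random address every 15 s
        for k in range(3):                                 # three adverts per address, 5 s apart
            capture.append(Advert(n * 15.0 + k * 5.0, f"5a:11:22:33:44:0{n + 1}", flags + token_x))
    for n in range(3):                                     # Y: token rotates together with the address
        token_y = b"\x06\xff\xcc\xdd" + bytes([n, n + 1, n + 2])
        for k in range(3):
            capture.append(Advert(100.0 + n * 15.0 + k * 5.0, f"6b:00:00:00:00:0{n + 1}", flags + token_y))
    return capture


if __name__ == "__main__":
    for chain in link_addresses(constructed_capture()):
        status = "LINKABLE" if len(chain["addresses"]) > 1 else "ok"
        print(f"{status:8} {' -> '.join(chain['addresses'])}  trackable for {chain['span']:.0f} s")
```

On the sample, device X is reported as one chain tracked for 55 s although its address changes every 15 s, while each of device Y's addresses stands alone.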

Becker says researchers did responsible disclosure with Microsoft and Apple in the fall. Both acknowledge this as a problem but have not yet addressed it.

From a technical perspective, this is “actually pretty easy to exploit,” says Becker. While researchers were able to test their methodology on devices in their natural state, they couldn’t detect whether this is happening in the wild because “it’s an entirely passive attack,” he adds. It’s impossible for people to tell whether their devices are being tracked in this way.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/bluetooth-bug-enables-tracking-on-windows-10-ios-and-macos-devices/d/d-id/1335287?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

MITRE ATT&CK Framework Not Just for the Big Guys

At Black Hat, analysts from MITRE and Splunk will detail how organizations of many different sizes are leveraging ATT&CK’s common language.

Biology, zoology, and related sciences have a tool to help scientists around the world communicate with one another: scientific names. These scientific names, generally rooted in Latin, provide a common set of terms for animals, plants, viruses, and other living things. When it comes to cybersecurity, though, things are a bit less rigorous, and creativity can be the enemy of precision. That’s where the MITRE ATT&CK framework comes in.

At its heart, ATT&CK is a knowledge base of the techniques attackers use to compromise, damage, and disrupt computer operations, and of the tools and groups observed using them. Displayed as a grid, ATT&CK shows the tactics, the stages of an attack, as columns, with the techniques used at each stage listed beneath them. It does so in a language that can be understood among researchers in different departments, on different continents, and who speak different languages.

Ryan Kovar, principal security strategist at Splunk, says he has seen companies around the world use ATT&CK in their security work. “The people who are using it now are taking the taxonomy from ATT&CK, changing it to meet their needs, and then using it to describe, across multiple teams, what’s going on,” he says.

The common language is critical, says Katie Nickels, MITRE threat intelligence lead. “The common framework can provide a way to talk about the threats among different groups and defenders,” she says. “With the common language, it can be used for red teams to decide what they’re going to be doing. They all kind of work together.”

One of the points both Nickels and Kovar stress is how ATT&CK can be used by organizations of many different sizes. For example, Kovar says he worked with a small company in the Midwest whose CISO was concerned about APT10 targeting his organization. Using the ATT&CK framework, “I was able to show him the names people came up with for the group, what they did, and who they went after,” Kovar says. “The CISO was able to take the information back to his board of directors and explain that APT10 was unlikely to target a company in their industry.”

Different types of organizations use ATT&CK in different ways, Nickels says. Vendors tend to come at the framework from a tools point of view, while most companies will look at ways in which they can base operations on the framework. For those companies, she says, “You get the most power from ATT&CK when you use it across teams. You can use it on the detection team and then pass what they learn to the red team for testing, using the same language.”
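What that cross-team hand-off looks like in practice, as an added example that is neither MITRE’s nor Splunk’s code: the detection team tags each rule with the technique IDs it claims to cover, the red team records which techniques it exercised and whether anything fired, and the technique ID is the join key. The rules, test results and tactic mapping are constructed; the technique IDs are quoted from the ATT&CK Enterprise matrix as the editor recalls them, so check them against attack.mitre.org before reuse.

```python
# Added example (not MITRE's or Splunk's code): ATT&CK technique IDs as the shared key
# between what a detection team claims to cover and what a red team actually tested.
# Rules, results and the tactic mapping are constructed; technique IDs are recalled
# from the ATT&CK Enterprise matrix and should be verified against attack.mitre.org.
import re
from collections import defaultdict
from typing import Dict

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1234 or sub-technique T1234.001


def is_technique_id(s: str) -> bool:
    return bool(TECHNIQUE_ID.match(s))


DETECTION_RULES = [  # constructed: what the detection team says each rule covers
    {"rule": "Office app spawns PowerShell", "techniques": ["T1059.001", "T1566.001"]},
    {"rule": "LSASS memory read by unsigned process", "techniques": ["T1003.001"]},
    {"rule": "Scheduled task created over the network", "techniques": ["T1053.005"]},
]

RED_TEAM_RESULTS = [  # constructed: technique exercised, whether any alert fired
    {"technique": "T1566.001", "alerted": True},
    {"technique": "T1059.001", "alerted": True},
    {"technique": "T1003.001", "alerted": False},  # claimed, but the rule did not fire
    {"technique": "T1021.001", "alerted": False},  # nobody claimed this one
]

TACTIC_OF = {  # constructed subset; a technique can sit under several tactics, one kept here
    "T1566.001": "Initial Access",
    "T1059.001": "Execution",
    "T1053.005": "Execution",
    "T1003.001": "Credential Access",
    "T1021.001": "Lateral Movement",
}


def coverage_status(rules, results) -> Dict[str, str]:
    """One status per technique, in vocabulary both teams can read:
    validated         claimed by a rule and the red team saw an alert
    claimed_failed    claimed by a rule but the red team test raised nothing
    claimed_untested  claimed by a rule, not yet exercised
    gap               exercised with no rule claiming it and no alert
    unexpected_alert  alerted although no rule claims the technique"""
    claimed = set()
    for rule in rules:
        for tid in rule["techniques"]:
            if not is_technique_id(tid):
                raise ValueError(f"{rule['rule']}: bad technique ID {tid!r}")
            claimed.add(tid)
    status = {tid: "claimed_untested" for tid in claimed}
    for r in results:
        tid = r["technique"]
        if tid in claimed:
            status[tid] = "validated" if r["alerted"] else "claimed_failed"
        else:
            status[tid] = "unexpected_alert" if r["alerted"] else "gap"
    return status


def by_tactic(status: Dict[str, str], tactic_of: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Roll the per-technique statuses up into the matrix's columns."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for tid, st in status.items():
        summary[tactic_of.get(tid, "Unmapped")][st] += 1
    return {tactic: dict(counts) for tactic, counts in summary.items()}


if __name__ == "__main__":
    st = coverage_status(DETECTION_RULES, RED_TEAM_RESULTS)
    for tactic, counts in by_tactic(st, TACTIC_OF).items():
        print(tactic, counts)
```

The `claimed_failed` row is the one worth arguing about in the room: the detection team believes it covers LSASS access, the red team says nothing fired, and because both sides named the same ID there is no dispute about what was tested.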

At Black Hat USA, Nickels and Kovar will present a briefing, “MITRE ATT&CK: The Play at Home Edition,” during which they will show attendees how to use the framework in organizations of different sizes and types. Their goal is for attendees to “hit the ground running” when they get back from the conference.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/operations/mitre-attandck-framework-not-just-for-the-big-guys/d/d-id/1335288?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Email scammers extract over $300m a month from American suits’ pockets

While you’re sweating to make an honest crust, email scammers are counting at least $301m in untaxed takings every month in the US alone, according to research by the Financial Crimes Enforcement Network.

The FinCEN agency tallied the figures for 2018 (PDF) and found the number of suspicious activity reports describing business email compromises had more than doubled from around 500 per month in 2016, to over 1,100 per month last year.

Meanwhile, the number of scammers ballsy enough to impersonate a CEO or other members of the C-suite declined to 12 per cent, down from 33 per cent in 2017.

The total value of attempted scams more than tripled in the same period.

The agency revealed the favourite method of extracting payment information in 2018 involved fraudulent vendor or client invoices, with this method responsible for 39 per cent of incidents in 2018, up from 30 per cent in 2017.

American manufacturing and construction businesses were the top targets for business email fraud, in both 2017 and 2018.

FinCEN is a bureau of the US Department of the Treasury, established in 1990 to combat money laundering, terrorist financing and other financial crimes. In recent years, it has assumed a more active role in the cybercrime arena and cryptocurrency markets.

One of its specialist subjects is email scams, mostly involving fraudulent payment instructions sent to financial institutions or businesses in order to help criminals get their hands on corporate funds.

FinCEN said that, working with law enforcement agencies, it had managed to stop misappropriation of more than $500m via email to date – including $200m since 2017.

The agency has issued an updated advisory on email fraud schemes detailing red flags — developed in consultation with the FBI and the US Secret Service — that financial institutions may use to identify and prevent popular methods of email fraud.

The advisory also suggests that financial institutions could share information about accounts affiliated with email compromise schemes to identify risks of fraudulent transactions and money laundering – FinCEN can’t force them to do this so it’s asking nicely.
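The two patterns the article singles out, a look-alike vendor sending “updated” payment details and a spoofed executive asking for a wire, are the kind of thing a mail gateway can flag before a human ever opens the message. The following is an added example of such checks; it is the editor’s own illustration and is not FinCEN’s advisory or its red-flag list. The messages, the vendor domain list and the executive directory are all constructed.

```python
# Added example (not FinCEN's advisory, not its red-flag list): heuristic checks for the two
# impersonation patterns the article describes. Messages, vendor list and executive directory
# are constructed; the thresholds and keyword pattern are the editor's assumptions.
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example-corp.com"                                 # constructed
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-parts.com"}    # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}               # constructed: name -> real address
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\s+(bank|wire|account|routing)", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch look-alike domains such as a swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_red_flags(raw: str) -> List[str]:
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    flags = []

    # 1. Display name of a known executive on an address that is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append("exec-impersonation")

    # 2. Replies silently routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(str(reply_to))[1]) != from_domain:
        flags.append("reply-to-mismatch")

    # 3. Sender domain one or two edits away from a vendor we actually pay.
    if any(from_domain != v and levenshtein(from_domain, v) <= 2 for v in KNOWN_VENDOR_DOMAINS):
        flags.append("lookalike-vendor-domain")

    # 4. The message asks to redirect payments.
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part else ""
    else:
        body = msg.get_payload()
    if PAYMENT_CHANGE.search(str(msg.get("Subject", "")) + "\n" + body):
        flags.append("payment-instruction-change")
    return flags


MSG_VENDOR = """From: Accounts <billing@acme-suppIy.com>
To: ap@example-corp.com
Subject: Invoice 4471

Please note our new bank account for all future payments. Invoice attached.
"""

MSG_CEO = """From: Jane Doe <jane.doe@webmail.example>
Reply-To: jane.doe.ceo@othermail.example
To: cfo@example-corp.com
Subject: urgent

I need a wire processed today. I am in meetings, reply to this message.
"""

MSG_OK = """From: Accounts <billing@acme-supply.com>
To: ap@example-corp.com
Subject: Invoice 4470

Invoice attached, terms unchanged.
"""

if __name__ == "__main__":
    for label, m in (("vendor", MSG_VENDOR), ("ceo", MSG_CEO), ("ok", MSG_OK)):
        print(label, bec_red_flags(m))
```

The look-alike check is the one most worth tuning: a capital I standing in for a lowercase l is invisible in many fonts but is one edit away in the lower-cased domain, which is exactly what the distance test catches; anything it flags still needs an out-of-band call to the vendor before bank details are changed.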

“FinCEN has been a global leader and innovator in countering BEC [Business Email Compromise] breaches and their devastating effects on businesses, individuals, and national security,” said FinCEN director Kenneth Blanco.

“The Bank Secrecy Act data is a critical resource in combatting all types of financial crime. We hold, safeguard, and analyse that data and we share our expertise with law enforcement and our industry partners to help make America safer.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/17/email_scammers_earn_more_than_300m_per_month_by_targeting_us_businesses/