STE WILLIAMS

Brilliant Boston boffins blow big borehole in Bluetooth’s ballyhooed barricades: MAC addy randomization broken

A team of US academics have proposed a simple method to defeat the Bluetooth LE standard’s anti-tracking measures.

David Starobinski, David Li, and Johannes Becker at Boston University told The Register how they found that the MAC randomization system of Bluetooth LE, designed to thwart the tracking of devices, transmits packets of data that can still be used to uniquely identify, and thus track the location of, a mobile phone or PC.

As Bluetooth SIG explains, the randomization allows Bluetooth devices to wirelessly communicate (via data transmissions known as advertising packets) while still staying anonymous:

This feature causes the MAC address within the advertising packets to be replaced with a random value that changes at timing intervals determined by the manufacturer. Any malicious device(s), placed at intervals along your travel route, would not be able to determine that the series of different, randomly generated MAC addresses received from your device actually relates to the same physical device. It actually looks like a series of different devices, thus, it will not be possible to track you using the advertised MAC address.

In order to allow connections, however, the device still has to be able to identify itself to other hardware. To do this, it sends a string of unique data along with the MAC address in the advertising packet.

“The payload sent here is information only relevant to the device,” Becker told El Reg today. “We are just interested in how unique this information is.”


More importantly, like the MAC address, the unique payload can be set by the vendor to refresh itself at regular intervals.

And here, the researchers found, was where the fundamental weakness of the system was exposed. Starobinski, Li, and Becker discovered that because the MAC address and the payload do not change over at the same time, each could be used to continue identifying the gadget or computer.

In other words, as long as the listener knows either the MAC address or the unique payload, they can keep identifying the device even when one of the strings changes. Thus, the listener can keep tabs on a nearby gizmo, knowing it is still within range even as the MAC or payload changes.

In a series of tests spanning several months, Starobinski, Li, and Becker passively eavesdropped on mobile phones (Android and iPhone), PCs (Windows 10 and MacOS) and smartwatches (BlackBerry) to monitor when and how both the MAC addresses and payloads changed over time.

While the time intervals depended on the vendor, in most cases the researchers said they could reliably identify a device over readings taken minutes, and sometimes hours, apart. In the field, this means a listener with one or more devices could still track the movements of a device over time even if its MAC address kept changing.

“The experiments were done listening continuously, but what we found is these addresses change in minutes or hours depending on the devices,” Becker explained. “It is enough to listen in periodically, as long as we don’t miss any changes, then piece them together.”

Fixing the design flaw will not be a simple task, however. While having both the MAC address and the unique payload change at similar times would close the overlap period that allows identification, even that could be predictable if not properly implemented.

“If everybody does this in a predictable manner you can see when they change,” noted Starobinski, “so the second component is to randomize the change.”
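The overlap problem and the synchronized-change fix described above, as an added simulation that is not part of the article or the researchers' paper. It models one device whose address and payload each rotate on a fixed period (synthetic labels, not real BLE addresses), and a passive listener that links frames sharing either identifier; the periods, sampling step and hour-long window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    """One advertising frame as a passive listener would log it."""
    t: int          # seconds since the listener started
    mac: str        # randomized advertising address (constructed label)
    payload: str    # vendor payload sent alongside it (constructed label)


def simulate(duration: int, mac_period: int, payload_period: int,
             step: int = 1) -> List[Frame]:
    """Constructed model of one device: the address is replaced every
    `mac_period` seconds and the payload every `payload_period` seconds;
    `step` is how often the listener samples. Labels are synthetic."""
    return [Frame(t, f"mac-{t // mac_period}", f"pl-{t // payload_period}")
            for t in range(0, duration, step)]


def link_tracks(frames: List[Frame]) -> List[List[Frame]]:
    """Linking rule the article describes: frames sharing either the
    address or the payload belong to the same device. Union-find over
    the two identifier namespaces; each resulting set is one track."""
    parent: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def find(x: Tuple[str, str]) -> Tuple[str, str]:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for f in frames:
        ra, rb = find(("mac", f.mac)), find(("pl", f.payload))
        if ra != rb:
            parent[ra] = rb

    tracks: Dict[Tuple[str, str], List[Frame]] = {}
    for f in frames:  # frames are in time order, so each track is too
        tracks.setdefault(find(("mac", f.mac)), []).append(f)
    return list(tracks.values())


def longest_track_seconds(frames: List[Frame]) -> int:
    """Longest span over which the listener can follow one device."""
    return max(tr[-1].t - tr[0].t for tr in link_tracks(frames))


if __name__ == "__main__":
    hour = 3600
    # Unsynchronized rotation (600 s vs 700 s): the two change times never
    # coincide within the hour, so one identifier always bridges the other's
    # change and every frame links into a single hour-long track.
    desync = simulate(hour, mac_period=600, payload_period=700, step=10)
    print("desync tracks:", len(link_tracks(desync)),
          "longest:", longest_track_seconds(desync), "s")
    # Sampling only every 60 s still links everything, as long as no
    # change is missed (Becker's point about listening periodically).
    sparse = simulate(hour, 600, 700, step=60)
    print("sparse tracks:", len(link_tracks(sparse)),
          "longest:", longest_track_seconds(sparse), "s")
    # Mitigation from the article: change both identifiers together, so no
    # stable value bridges the change and each epoch is a separate track.
    synced = simulate(hour, mac_period=600, payload_period=600, step=10)
    print("synced tracks:", len(link_tracks(synced)),
          "longest:", longest_track_seconds(synced), "s")
```

The model does not cover Starobinski's second requirement, randomizing when the joint change happens; it only shows why the change must be joint.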

What is perhaps even more concerning, say the Boston Uni trio, is the message Bluetooth vendors are putting out to the public when they advertise Bluetooth LE as being an untrackable standard.

“The fact is this protocol allows this behavior and doesn’t point out these issues,” said Becker. “The Bluetooth specification allows bad behavior, or just negligence, to defeat the anti-tracking measure.”

Starobinski, Li, and Becker plan to present their paper [PDF], Tracking Anonymized Bluetooth Devices, at the 19th Privacy Enhancing Technologies Symposium in Sweden on July 17. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/12/untraceable_bluetooth_exposed/

Competing Priorities Mean Security Risks for Small Businesses

Small business IT professionals are trying to balance multiple priorities and finding that the balance often leaves the company with serious security risks.

IT professionals at small businesses face a number of competing priorities. They’re generally individuals or small teams charged to “do it all,” from great customer user experience to company security. And 98% think the employees at their companies could be doing more to help on the security front.

A new report, based on a survey sponsored by LastPass and conducted by Vanson Bourne, finds competing priorities lead to competing objectives for improving security. Among their security objectives for the coming year, more than 50% of the 700 professionals who responded to the survey cited securing data (75%), securing new technologies as they’re adopted (68%), reducing risk (66%), and upgrading identity access management (65%).

All of those, and especially identity management, are made more difficult because of all the other requirements these all-purpose IT professionals need to balance. Forty-seven percent say they have to balance ease of use against security, while 37% cite employee demands for greater ease of use as a competing requirement.

The critical nature of finding the proper balance is illustrated by another finding, that 82% of respondents say their businesses have been exposed to a risk as a result of poor identity and access practices.

Read more here.


Article source: https://www.darkreading.com/operations/competing-priorities-mean-security-risks-for-small-businesses/d/d-id/1335238?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

German Schools Ban Office 365, Cite Privacy Concerns

The ruling follows years of debate over whether German schools and institutions should use Microsoft tools and services.

The German state of Hesse has ruled it’s illegal for its schools to use Office 365 after years of debate over whether the country’s schools and institutions should use Microsoft tools at all.

The Hesse Office for Data Protection and Information Freedom says the standard configuration in Office 365 could potentially make students’ and teachers’ personal data available to US officials, ZDNet reports. In addition to the information that users provide when they’re working in Office 365, the platform sends telemetry data back to the US. Germany’s Federal Office for Information Security also has expressed concern about telemetry data sent by the Windows OS.

European concerns about data transmitted to the US are not new. The Dutch government has already found Microsoft software in violation of the General Data Protection Regulation (GDPR) and published a report citing concerns about data collection in Microsoft Office ProPlus. Germany’s federal association of municipal IT service providers also has complained that citizen information recorded in Office 365 could fall under surveillance when in the US.

It’s difficult for Germany to abandon Microsoft products because there aren’t many alternative options. Government officials are calling for the development of domestic cloud services, and ongoing lawsuits will determine the future of rules regarding the transfer of data to the US.

While those move through the courts, and while the German government works with Microsoft on a potential solution, German schools will not be using Office 365. Hesse’s privacy commissioner suggests they instead adopt similar tools with on-premise licenses.

Read more details here.


Article source: https://www.darkreading.com/risk/german-schools-ban-office-365-cite-privacy-concerns/d/d-id/1335239?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

UK Home Secretary doubles down on cops’ deeply flawed facial recognition trials

As if further indication was needed of Britain’s slide into a surveillance state, Home Secretary Sajid Javid has backed highly flawed police trials of facial recognition cameras.

Speaking at the launch of tools to be used to combat online child abuse, he said it was right for forces to “be on top of the latest technology”.

“I back the police in looking at technology and trialling it,” he told the BBC. Javid added that “different types of facial recognition technology is being trialled especially by the Met at the moment and I think it’s right they look at that.”

“If they want to take it further it’s also right that they come to government, we look at it carefully and we set out through Parliament how that can work.”

However, a report by researchers at the University of Essex into the Met’s facial recognition trials last week found that just eight correct matches were made out of 42 suggested.

The researchers were granted unprecedented access to the final six tests and concluded that not only is the technology highly inaccurate but its deployment is likely to be found “unlawful” if challenged in court.

An individual in Cardiff has already mounted a legal challenge to the use of facial recognition tech in public areas by South Wales Police – this was the first such case to be launched in the UK.

Javid’s comments come hot on the heels of remarks by the head of London’s Metropolitan Police union that the authoritarian Chinese government’s use of facial recognition was “spot on”.

Speaking on the BBC Essex Breakfast Show, Ken Marsh said: “Although China is a very intrusive country and I don’t agree with a lot of what they do, they’ve got it absolutely correct. They’re recognising individuals per second and they’ve got it spot on.”

The Information Commissioner, the UK’s data watchdog, has also raised concerns about the technology, saying forces have to demonstrate that it is effective and less intrusive alternatives are not available.

Javid was speaking at the launch of new tools costing £1.7m designed to counter online child abuse.

They include a fast-forensic tool to analyse seized devices and find images already known to law enforcement; an image categorisation algorithm to assist officers to identify and categorise the severity of illegal imagery; and a capability to detect images with matching scenes to help identify children in indecent images in order to safeguard victims.

Javid said: “This game-changing tech will help us do this and will be vital in the fight against online child abusers.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/12/home_sec_backs_cops_use_of_facial_recognition/

Black Hat USA Arsenal Serves Up A Smorgasbord of Cybersecurity Tools

Visit the Arsenal this August to go hands-on with hackable gadgets and catch live demos of open-source security tools from some of the best in the business.

Black Hat USA is happening in Las Vegas this August, and all attendees are invited to check out the Arsenal to network with others in the cybersecurity community and catch live demonstrations of the latest open-source security tools.

To get the most out of the Arsenal check out Black Hat Day Zero, to get the inside scoop on what to see and do for both first time attendees and returning Black Hat veterans. There, you’ll have a chance to hear about how Arsenal tools are selected, how they benefit from attendee feedback, and what you should be spending your time seeing.

This year, at the all-new Arsenal Lab you can enjoy live demos and expert guidance from top hardware hackers while you build, test, and hack all sorts of gadgets and devices, including:

CQForensic: The Efficient Forensic Toolkit shows how to perform detailed computer forensic examinations. The Toolkit guides you through the information-gathering process, providing data for analysis and extracting the evidence!

Ghost in the Browser: Backdooring with Shadow Workers will help you implant a pseudo-backdoor in a browser and ghost through a victim’s browser session to sniff, manipulate, and even proxy data silently. See a demo of the various persistence mechanisms this tool provides to keep service workers alive, and check out a compendium tool that provides various mitigation mechanisms against such attacks!

Alexa HackerMode 2.0: Voice Auto Pwn Using Kali Linux and Alexa Skill Combo is an Alexa-driven auto-sploit tool designed for the cloud. Not only will it help with syntax and encodings, but it will go full hacker mode and exploit systems automatically for you. For example, if you say, “Alexa, ask HackerMode to hack IP address 192.168.1.135” the tool will instruct Alexa to begin and manage the process of port scanning, fingerprinting, exploit selection, and smart brute forcing exploits through Metasploit 4 or 5. Alexa will also entertain you with mood music or various other activities while it roots and dumps users and passwords from your target. If the exploit is taking a while you can check in on the progress by asking “How’s the hack going?”

Break out the Box (BOtB): Container Analysis, Exploitation and CICD Tool is the first tool aimed at hackers and developers to automate container exploitation. Not only does BOtB provide the user with a detailed analysis of identified vulnerabilities of the container, BOtB provides an autopwn feature which allows for the user to “automagically” exploit the vulnerabilities identified and break out onto the host.

Social Attacker: Automated Phishing on Social Media Platforms is the first open source, multi-site, automated social media phishing framework. It allows you to automate the phishing of social media users on a mass scale by handling the connecting to and messaging of targets.

For more information about these offerings and many more check out the Black Hat USA Arsenal page, which is regularly updated with new content as we get closer to the event. Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-usa-arsenal-serves-up-a-smorgasbord-of-cybersecurity-tools/d/d-id/1335220?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A Lawyer’s Guide to Cyber Insurance: 4 Basic Tips

The time to read the fine print in your cybersecurity insurance policy is before you sign on the dotted line.

These days, it seems that everyone has heard a cyber insurance horror story: a catastrophic cyber event followed by a swift denial of cyber insurance coverage. At a time when all companies are beginning to think in terms of cyber resilience, cyber insurance is an important part of any company’s cyber preparedness. As outside counsel, I’ve spent significant time reviewing cyber policies. Below are my top tips to consider when looking at your cyber insurance coverage. 

Tip 1. If you don’t know whether you have cyber insurance, you likely do not have it.
Why? Because cybersecurity events are a common exclusion across general liability policies and require their own standalone policy. Worse, not all policies are created equal and the cyber insurance industry is like the Wild West: because of its relative newness, policies are not standard. So, while your directors and officers (D&O) policy may look basically the same as the insurance company’s down the street, that is likely not the case for cyber coverage. Thus, it is important to carefully review your cyber insurance options and not just lock in whatever an insurance broker is selling as premium coverage.

Tip 2. Read the actual policy, not just the summary of coverage.
Cyber insurance coverage can diverge drastically from insurance provider to insurance provider, so it is incredibly important to review the actual insurance policy. Some of you may be rolling your eyes at this basic suggestion but you’d be surprised how often I’ve seen a client provided with a summary of coverage without a copy of the actual underlying policy and think that may be all that they need. Why does this matter? Because inevitably there will be terms that govern the policy that are legally defined terms in the policy itself. So, if a dispute arises as to whether an event is covered in an insurance policy, a court is going to look at the four corners of the actual insurance policy and will not likely consider evidence of what you were told at the time you bought the policy. An insurance policy is a contract between you and the insurance company. And, just like a breach of contract action, if there is a dispute later, a court will look to the written agreement between the parties. Therefore, the time to read the policy is now — not during an event.

Often, I see a summary of coverage that lists a “social engineering exclusion.” These social engineering exclusions can encompass phishing and sometimes even ransomware. But if you only have the summary of coverage without the related definitions, you won’t know what may or may not be covered.

It’s also important that your CISO, or someone in your organization with cybersecurity intelligence, reviews the cyber insurance policy, which typically includes technical language and definitions. For example, I recently read a policy that only provided coverage for a claim made by someone for incidents that rose to the level of “technology wrongful act” and “privacy and security wrongful act.” But when you read the policy, technology wrongful act covered only the hosting of data. The coverage for “privacy and security wrongful act” covered what the policy described as “the failure to prevent a breach that resulted in the inability of the user to gain access to a network, malicious deletion of data on the network, and transmission of malware to third parties.” Notably missing from this definition was the concept of a financial loss related to social engineering, phishing, ransomware, or wire transfer fraud.

Tip 3. Exclusions can be brutal.
Cyber-risk translates into big dollar risk and insurance companies recognize this. Phishing and ransomware can both be common exclusions along with business email compromise events. Wire transfer fraud is often not covered. Because of this, it is important to look at your policy to determine what it really and truly covers. I once had a CEO ask if their policy only covered someone breaking in and stealing a server rack. Unfortunately, in that instance, the answer was “basically.”

I have also started to see policies that contain a summary of coverage page that lists out a set sum for coverages (for instance, a chart that shows $5 million worth of first-party coverage to protect the company being insured). Then, hidden deep in the policy is the actual sublimits and exclusions. In one egregious review, the social engineering sublimit of $100,000 was buried on page 54 of a 66-page PDF. It also contained a $50,000 “retention” or, essentially, deductible, to be paid out of pocket by the company before coverage is triggered. If the client had only the summary coverage provided by the broker, they would have thought they had $5 million in cyber coverage because the exclusion was not listed front and center but was instead hidden deep in the PDF.

Knowing that exclusions exist as a common part of cyber insurance, it is important to ask your broker for several cyber insurance policies to compare at the time of binding coverage. Look at your business operations and determine what coverage you need. Is your organization a software company? Managed service provider? Brick and mortar with a lot of employees? A public utility or a financial institution? Hospital? Tailor your cyber insurance to your business and be aware that the typical broker may be fantastic at selling D&O coverage but is not a cyber insurance guru. No matter your industry or business model, have a cybersecurity lawyer help navigate the insurance coverage matrix and negotiate coverage.

Tip 4. Negotiate before, not after, a breach.
You can always try to negotiate better coverage. At minimum, ask for lower retentions and higher sublimits.

If you have a favorite forensic team, ask that members be included as your chosen provider in the event of a breach. Often, insurance companies provide “panel” counsel and “panel” forensics teams. I have seen fantastic firms listed as panel counsel in the marketing materials provided to a client. Then, when the breach hits, they are assigned counsel not from the elite Manhattan firm but from somewhere else.

You can also ask for your chosen team to be included when you “bind” coverage. As part of the insurance application process, make a specific request for the people you know and trust. Then, when the worst hits, you know you have your A team at your back versus a crew arriving from out of your market.


Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she …

Article source: https://www.darkreading.com/risk/a-lawyers-guide-to-cyber-insurance-4-basic-tips/a/d-id/1335205?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple Watch’s Walkie-Talkie app goes radio silent due to vulnerability

Apple has shut down its Watch Walkie-Talkie app after somebody reported a bug that could have allowed an eavesdropper to surreptitiously listen in on somebody else’s iPhone, the company told TechCrunch on Wednesday evening.

The app works like, well, a walkie-talkie. You can list yourself as available to chat, and then you can hold down the Talk button on your Apple Watch while you issue important voice messages to friends of your choosing, like, “Whoa, check out the snow storm! Got lift tickets, you up for it?”

Release the button, and if your friend was available and up for it, you’ll hear their voice immediately as they respond with a hearty “Hey-ho, a-skiing we will go!”

What’s the bug?

Apple didn’t give details on the nature of the eavesdropping bug. Nor did it give a timeline for when a fix would be available. Until then, it’s radio silence for people who like to talk into their wrists via their Apple Watch’s Walkie-Talkie app.

The bug was reported directly via Apple’s report-a-vulnerability portal. Apple said that as far as it knows, the vulnerability hasn’t been exploited in the wild.

Apple apologized for the inconvenience. Here’s the statement it sent to TechCrunch:

We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible.

Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.

January’s FaceTime bug

This is the second embarrassing snooping bug Apple’s had to deal with this year. In January 2019, it had to scramble to fix a dangerous bug in its popular FaceTime app. Then, as is the case now, it chose to inflict a service outage of the Group FaceTime feature rather than leave an exploitable privacy hole flapping wide open.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0zQbqaJQvjU/

Windows 7 users upset by unwanted Patch Tuesday telemetry

Has Microsoft just been caught trying to sneak a compatibility assessment tool into July’s supposedly security-only Patch Tuesday update for Windows 7?

Some users who signed up for ‘security-only’ updates for Windows 7 have taken to Twitter and even emailed journalists to voice their suspicions after noticing the inclusion of something called the Compatibility Appraiser tool in the KB4507456 patch.

Depending on your interpretation of Microsoft adding a non-security component to what is advertised as a security update, this is either a minor controversy that is being blown out of proportion, or the latest example of Microsoft’s disregard for its users’ wishes.

The technical roots of the issue date back to 2016 when Microsoft tried to simplify its patching for older Windows versions by offering Windows 7 and 8.1 users two types of update: the first a ‘Monthly Rollup’ of all security and non-security patches (i.e. bug fixes and reliability improvements), the second a security-only update containing that month’s security fixes.

Individual security patches were no longer available separately; the security-only update bundled them all into one package.

Ominously, in advance of Windows 10’s launch the year before, Microsoft hit a controversy bump when it started pushing an update, KB 2952664, with diagnostics designed to, in Microsoft’s words:

Evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows.

According to Windows expert Woody Leonhard, Windows 7 SP1 had added a new task, ‘DoScheduledTelemetryRun’, set to fire up at 3am every day, which didn’t go down well with everyone.

Since then, Microsoft has continued to add this Compatibility Appraiser (which sends Microsoft technical data about the ability of a computer to run Windows 10) to updates.

Normally, Compatibility Appraiser should only run on the machines of users who are part of the Windows Customer Experience Improvement Program (CEIP), which has been turned on by default on all Windows versions since Vista (i.e. users need to turn it off).

That said, users signing up for security-only updates on Windows 7 shouldn’t be part of that group if they’ve opted out.

Non-communication

Regardless of Microsoft’s intentions and the data that is or is not being collected by the Compatibility Appraiser, Microsoft has at the very least failed the communication test about why it was included.

Was this a harmless mistake made by Microsoft in advance of Windows 7’s end of support in January 2020? Or another example of Microsoft not paying attention to the fact that a sizeable minority of Windows users want to remain in control of what happens on their computers?

The unmistakable lesson: Microsoft’s focus might have shifted to Windows 10 and the need to control the upgrade cycle, but not every user is as enthralled by that top-down world view.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WQsD_5e_3X8/

Hey, Google, why are your contractors listening to me?

Thanks to the way the Google Home voice assistant records our conversations, which is sometimes triggered by mistake, audio clips – both those recorded on purpose and otherwise – are being sent to contractors working on Google Home voice processing.

How it’s supposed to work: Google Home should only be activated when someone says the triggers “OK, Google” or “Hey, Google.” But it’s not hard to flip that switch accidentally: if someone nearby says “Google,” or even a word that sounds like “Google,” the speaker often starts recording.

The audio clips have included people’s bedroom sound symphonies, their kids’ or grandkids’ voices, payment information from transactions, medical information they divulge when searching on their ailments, and far more.

This all comes from a new report from Belgian broadcaster VRT News that relied on input from three Google insiders.

Listening in on the kids

With the help of a whistleblower, VRT listened to some of the clips. Its reporters managed to hear enough to discern the addresses of several Dutch and Belgian people using Google Home, in spite of the fact that some of them never said the listening trigger phrases. One couple looked surprised and uncomfortable when the news outlet played them recordings of their grandchildren.

The whistleblower who leaked the recordings was working as a subcontractor to Google, transcribing the audio files for subsequent use in improving its speech recognition. They reached out to VRT after reading about how Amazon workers are listening to what you tell Alexa, as Bloomberg reported in April.

They’re listening, but they aren’t necessarily deleting: a few weeks ago, Amazon confirmed – in a letter responding to a lawmaker’s request for information – that it keeps transcripts and recordings picked up by its Alexa devices forever, unless a user explicitly requests that they be deleted.

VRT talked to cybersecurity expert Bavo Van den Heuvel, who spotted potential dangers in the prospect of humans listening to our voice assistant recordings, given that they can be made just about anywhere: in a doctor’s office, in a business meeting, or where people deal with sensitive files, such as police stations, lawyers’ offices or courts.

It’s not just Dutch and Belgian contractors who are listening to Google Home requests, though those are the only recordings VRT listened to. The whistleblower showed the news outlet a platform with recordings from all over the world, meaning that there are likely thousands of contractors listening in on Assistant recordings. From VRT:

That employee let us look into the system in which the employees have to listen to recordings from the Google Assistant. There must be thousands of employees worldwide; in Flanders and the Netherlands, a dozen employees are likely to hear recordings from Dutch-speaking users.

‘Anonymous’ data?

Google’s well aware that its contractors can listen to these recordings, and it’s aware of the privacy questions that raises. To keep those contractors from identifying the people they’re listening to, Google strips identifying data from the recordings.

Of course, it’s common for data-gorging companies to point to a lack of identity details and equate that lack to a privacy shield. But in these days of Big Data, the claim has been proved to be flawed. After all, as we’ve noted in the past, data points that are individually innocuous can be enormously powerful and revealing when aggregated. That is, in fact, the essence of Big Data.

Take, for example, the research done by MIT graduate students a few years back to see how easy it might be to re-identify people from three months of credit card data, sourced from an anonymized transaction log.

The upshot: with 10 known transactions – easy enough to rack up if you grab coffee from the same shop every morning, park at the same lot every day and pick up your newspaper from the same newsstand – the researchers found they had a better than 80% chance of identifying you.

But we don’t need to go to Big Data science to identify the people in these recordings. They do it themselves. That’s how VRT managed to identify the people in the recordings they listened to. Here’s VRT:

By listening to the things the users themselves say, it is not rocket science to find out their identity…

In addition, employees who listen to the excerpts must search every word, address, name or company name [when] they are not sure how they are written, via Google or Facebook, to find out the correct spelling. In this way they often find out quickly who has spoken the piece in question.

Google: Yes, we’re listening. Just a little.

Google responded to VRT with an emailed statement in which it acknowledged that people are indeed listening to recordings… but not many.

Google said that humans listen to only 0.2% of all audio clips. And those clips have been stripped of personally identifiable information (PII) as well, Google said.

We’ve got to do this work to make the technology better, Google said:

We work with language experts around the world to improve speech technology by making transcripts from a small number of audio clips. This work is crucial for the development of technology that makes products such as the Google Assistant possible.

Heads will roll, ears and all

…and we’ve got to find that whistleblower, Google said:

We have recently learned that one of these language experts may have violated our data security policy by leaking Dutch-language audio clips.

We are actively investigating this and when we find a breach of our policy, we will take action quickly, up to and including the termination of our agreement with the partner.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qtYdit3R72M/

IT pros: we’re understaffed, under-resourced and under pressure

Companies feel they are losing the cybersecurity battle, according to research released by Sophos this week. IT managers are inundated with cyberattacks from all directions and struggling to plug all the security gaps.

In the survey, titled The Impossible Puzzle of Cybersecurity, Sophos surveyed 3,100 IT managers across 12 countries about their cybersecurity experiences. The respondents, who worked for organizations with between 100 and 5,000 users, reported difficulties in protecting their infrastructures, leading to a large number of successful hacks.

According to the survey, two out of three organizations (68%) suffered a cyber attack in 2018 that they were unable to prevent from entering their network. Nine out of 10 (91%) said they were running up-to-date cybersecurity protection at the time.

Why are companies still getting hit even though they are taking tangible steps to reduce their cybersecurity risk? The report muses that there are some security holes not being plugged.

For example, an up-to-date malware signature list won’t stop attackers hijacking your accounts, while rock-solid authentication won’t help if you’re not protecting your computers from ransomware. Good cybersecurity demands defense in depth and proper risk assessment so that you can protect your weakest spots from attack first.

The survey also revealed that companies are facing attacks via multiple channels, including email (highlighted as a source of attacks by 33%) and web (30%) among others. Software vulnerabilities and unauthorised USB sticks or other external devices were also common attack vectors. Perhaps even more worrying is that 20% of IT managers didn’t know how their networks were compromised.

In many cases, companies aren’t just dealing with one type of attack. According to Sophos’s report:

Respondents […] revealed that they had suffered a wide range of attacks over the last year.

Over half (53%) of the organizations hit suffered phishing emails; 35% reported malicious code; 35% pointed to software exploits; and 30% highlighted ransomware.

The third problem facing IT departments is a shortage of key skills – 26% of the IT team’s time is spent on cybersecurity issues, demonstrating the intensive effort involved in staving off attacks.

A large proportion of respondents (86%) said that they needed more skills to combat these threats. The problem is they can’t get them: 8 in 10 said that they struggled to recruit the right people.

Part of the problem is that they can’t muster the finances to pay what the market demands. Two-thirds of respondents said that their budgets for people and technology were too low.

The inability to fend off increasingly complex attacks worries companies because of its potential implications. Data loss was the number one concern for 31% of respondents, followed by cost and damage to the business, which were the biggest concerns for 21% of people.

To find out more about what IT managers think, read the full survey.

If you work in IT, tell us about the pressures you face.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FkHS5WEKSw8/