STE WILLIAMS

Why are they “smart” locks if more money buys you less security?

We’ve written about so-called digital padlocks before, usually not very enthusiastically.

That’s because we’ve usually been reporting on some sort of cybersecurity blunder that has made these locks very much less secure than their owners probably thought.

To be fair, a lot of conventional padlocks and many door locks aren’t super-secure either, and can be picked fairly easily by a practised crook.

And many traditional locks can simply be chopped or smashed open with bolt cutters or a sledgehammer.

Safe enough?

Yet we carry on using old-school padlocks, bike locks and door locks because they’re generally “safe enough”.

One reason is that reputable vendors are generally willing to be honest about what “safe enough” means, and well-informed staff in reputable shops (your mileage may vary if you buy online) know enough to give you a frank assessment of how much effort a thief would need to put in to bypass the various products they sell.

Even if those assessments are anecdotal, they’re often easy to understand and useful.

For example, if someone advises you that a cheap wire lock will keep a 12-year-old bike thief with a decent pair of pliers at bay for about a minute or two, while a hardened steel D-lock will defeat many small bolt cutters but yield readily to an adult with an angle grinder…

…well, that sort of information is pretty useful in assessing which brand and type of lock to use when and where.

If you know the sort of tools, time and strength a crook would need to cut your lock off, then you can envisage the sort of unwanted attention they might attract, the noise they might make, and the likelihood that they’d get away before you noticed and frightened them off.

But when you add the moniker “smart” to a lock, meaning that it can be unlocked not only in a conventional sort of way using a physical key, but also by typing in a PIN or by using some sort of mobile phone app…

…well, then it’s much harder to decide if the lock provides a whole lot of extra security for the (often much) higher price, or if the extra money that you’re paying paradoxically leaves you with a lock that is significantly easier to open unlawfully.

As we reported last year in the case of a Canadian lock imaginatively called the Tapplock (it had a fingerprint sensor so you could literally tap-to-open), researchers were able to write an app that would silently open any Tapplock in just 2 seconds.

Even the genuine app needed 0.8 seconds to open a specific lock that it had been paired with.

Subsequently, another researcher found that you didn’t need to hack a Tapplock live in situ by figuring out its passcode – you could exploit a security bug in the company’s cloud service to download everyone’s personal data before you even set out.

You didn’t even need to extract someone else’s passcode because you could add yourself as an “authorised user” of other people’s locks – a trick that would make it much harder for anyone, including law enforcement or the legitimate owner, to challenge you if you were caught opening someone else’s lock.

Worse still, Vangelis Stykas found that the database that could be leeched from the company’s central servers often included geolocation data giving the places where the lock had recently been used – essentially telling you where to look, as well as letting you in when you got there.

Gone in N seconds

Pen Test Partners (PTP), the company that produced the “gone in 2 seconds” app we mentioned above, recently wrote up another story to remind us all that more – as in price and features – may still mean less in the world of “smart” locks.

Not that this means you should avoid smart locks altogether, of course – we’re not that uncharitable – but that the security you see on the surface often gives you nothing much to go on.

Simply put, the “heft test” that gives you a hint of how robust an old-school lock is likely to be just doesn’t work in the digital era.

For example, PTP recently looked at a product called the Ultraloq, which is a door lock with a keypad, a fingerprint reader and a Bluetooth module added.

It’s promoted as a great way of dealing with doorways where you need to let guests or delivery people in and out on a regular basis, so they can get in today but not tomorrow, for example.

Digital locks are, if the truth be told, a great way of dealing with guest access, which is why almost every hotel in the developed world hands out card keys these days, instead of actual physical keys.

Guests don’t cost you money and reduce security if they forget to return their key; you don’t need to label every key with a huge privacy-sapping tag with the room number printed on it; and you can revoke access easily in the event of trouble.

But PTP found a number of blunders in the Ultraloq to suggest that programmers in the world of smart locks are still prone to making the sorts of coding blunder that the rest of us learned to avoid (or were forced to avoid because of public scrutiny) many years ago.

Good and bad news

One of Ultraloq’s blunders has, happily, now been fixed: according to PTP, you could use the company’s cloud service to pull off the same sort of attack that Vangelis Stykas found last year in the Tapplock case.

User IDs could be extracted via the company’s web interface without any authentication, and, worse still, those IDs seemed to be sequential numbers, so you could not only guess a valid user ID but then “calculate” all or most of the rest simply by adding (or subtracting) 1.

Ultraloq has updated its API to avoid these mistakes, but guessable or sequential IDs and unauthenticated access to personal data are coding blunders that no web programmer should be making in the year 2009. (Sorry, 2019.)
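The two cloud-side mistakes above (no authentication on the lookup, and sequential IDs that let one known value be counted outward) are the classic shape of an insecure direct object reference. The following is an added illustration, not Ultraloq’s or PTP’s code, and it assumes nothing about the real API: the user store, the hypothetical login() function, and the field names are all constructed. It places the weak endpoint beside a hardened one that issues opaque identifiers and checks both who is calling and whether the caller owns the record.

```python
import secrets

# Constructed in-memory user store standing in for a vendor's cloud database.
# The keys are sequential integers on purpose, to show the weak design.
USERS = {
    1001: {"name": "alice", "email": "alice@example.com", "locks": ["lock-A"]},
    1002: {"name": "bob", "email": "bob@example.com", "locks": ["lock-B"]},
    1003: {"name": "carol", "email": "carol@example.com", "locks": ["lock-C"]},
}


def vulnerable_get_user(user_id):
    """Weak endpoint: no caller identity is checked, and IDs are sequential,
    so one known ID lets a caller walk the whole table by adding or subtracting 1."""
    return USERS.get(user_id)


def walk_from_known_id(known_id, limit=10):
    """How many records a caller of the weak endpoint reaches by counting outward from one ID."""
    found = 0
    for delta in range(-limit, limit + 1):
        if vulnerable_get_user(known_id + delta) is not None:
            found += 1
    return found


# Hardened shape: opaque public identifiers plus authentication and object-level authorisation.
PUBLIC_IDS = {uid: secrets.token_urlsafe(16) for uid in USERS}   # non-guessable external IDs
INTERNAL_BY_PUBLIC = {pub: uid for uid, pub in PUBLIC_IDS.items()}
SESSIONS = {}  # bearer token -> internal user id, issued at login


def login(user_id):
    """Hypothetical login step: issues a random bearer token for an already-verified user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def hardened_get_user(public_id, bearer_token):
    """1) authenticate: the token must map to a live session;
    2) authorise: the caller may read only their own record."""
    caller = SESSIONS.get(bearer_token)
    if caller is None:
        raise PermissionError("unauthenticated")
    target = INTERNAL_BY_PUBLIC.get(public_id)
    if target is None or target != caller:
        # Same response for "no such record" and "not yours", so IDs cannot be probed.
        raise PermissionError("forbidden")
    return USERS[target]


def cross_user_read_blocked():
    """Alice's token cannot read Bob's record, but can still read her own."""
    alice_token = login(1001)
    try:
        hardened_get_user(PUBLIC_IDS[1002], alice_token)
        return False
    except PermissionError:
        pass
    return hardened_get_user(PUBLIC_IDS[1001], alice_token)["name"] == "alice"
```

Two design points are worth noting: the opaque identifier is a convenience, not the control, since a leaked ID must still fail the ownership check; and returning the same error for “missing” and “not yours” keeps the endpoint from confirming which identifiers exist.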

Another problem that PTP found is that although Ultraloq used encryption on the contents of Bluetooth traffic between the user’s app and the lock itself, and although the encryption kept plaintext PINs out of radio sight, it didn’t actually provide the security it was supposed to.

Encrypting authentication traffic is important to prevent passwords leaking directly into the ether, but in the case of a digital door lock, encryption must also protect the door against unauthorised access, whether the crook has figured out your actual password or not.

According to PTP, the Bluetooth encryption relies on a secret that the unlocking app has to request from the lock, combined with a secret baked into the app itself.

The app’s secret is hardwired and can be read out from the app (PTP listed it; we shan’t repeat it here), so it’s not actually a secret at all.

The other half of the key – PTP calls it “the token” – can be obtained from the lock via a special Bluetooth request.

The problem with this sort of approach is that if you’re nevertheless relying on authentication packets that contain a six-digit PIN, there are still only 1,000,000 different PINs to try, and 1,000,000 different encrypted authentication packets will run through them all.

If you make the Bluetooth-requestable token the same for every lock, then the task is trivial – a crook could generate all 1,000,000 possible “let me in” packets up front, and anyone could use them any time they liked.

If you make the token different for every lock, but constant once the lock is in service, the task is still trivial – a crook could generate all 1,000,000 possible “let me in” packets for a specific lock after requesting the lock’s unique token.

From PTP’s description, which suggests that the packet encryption uses AES on a 6-digit PIN with a lock-specific token, this pre-calculation would typically take seconds.

And even if you make the token different for every authentication request, a naive implementation that relies on straight packet encryption still only has 1,000,000 different PINs to check.
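The three token variants above share one property: the packet key is built only from material an app user can obtain, and the lock will accept any packet that decrypts to the right PIN, however many times it is offered. The simulation below is an added example and is not Ultraloq’s protocol or PTP’s code; the app secret, the lock token, and the toy keystream cipher standing in for AES are all constructed. It shows the naive design beside one where the lock holds a high-entropy pairing key, issues a single-use random challenge, and caps failed attempts, so a captured or precomputed packet does not replay and each of the 1,000,000 PIN guesses has to be made online.

```python
import hashlib
import hmac
import secrets

PIN_SPACE = 1_000_000  # six decimal digits: 000000..999999

# Constructed stand-ins for the two halves PTP describes: a secret baked into the app
# (readable by anyone holding the app) and a token the lock hands out on request.
APP_SECRET = b"constructed-app-secret"
LOCK_TOKEN = b"constructed-token-for-one-lock"


def derive_packet_key(app_secret, token):
    """Key = f(app secret, lock token). Both inputs are obtainable, so the key is too."""
    return hashlib.sha256(app_secret + token).digest()


def encrypt_pin_packet(key, pin):
    """Toy deterministic cipher standing in for AES of a fixed-format PIN under a fixed key."""
    keystream = hashlib.sha256(b"keystream" + key).digest()[:6]
    return bytes(p ^ k for p, k in zip(f"{pin:06d}".encode(), keystream))


class NaiveLock:
    """Accepts any packet that decrypts to the configured PIN; no nonce, no attempt limit."""

    def __init__(self, pin):
        self.valid_packet = encrypt_pin_packet(derive_packet_key(APP_SECRET, LOCK_TOKEN), pin)

    def unlock(self, packet):
        return hmac.compare_digest(packet, self.valid_packet)


def naive_packet_is_precomputable(pin):
    """With the app secret and the token, the exact unlock packet for a PIN can be built
    offline, so the set of valid packets is just a PIN_SPACE-sized table, and it replays."""
    lock = NaiveLock(pin)
    forged = encrypt_pin_packet(derive_packet_key(APP_SECRET, LOCK_TOKEN), pin)
    return lock.unlock(forged) and lock.unlock(forged)


class ChallengeLock:
    """Hardened shape: high-entropy pairing key, single-use random challenge, lockout."""

    def __init__(self, pairing_key, pin, max_failures=5):
        self.pairing_key = pairing_key          # established at pairing, never derived from the PIN
        self.pin_digest = hashlib.sha256(f"{pin:06d}".encode()).digest()
        self.nonce = None
        self.failures = 0
        self.max_failures = max_failures

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def unlock(self, nonce, tag):
        if self.failures >= self.max_failures:
            return False                        # locked out until an out-of-band reset
        if self.nonce is None or not hmac.compare_digest(nonce, self.nonce):
            return False                        # stale or replayed challenge
        self.nonce = None                       # each challenge is answered exactly once
        expected = hmac.new(self.pairing_key, nonce + self.pin_digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            self.failures = 0
            return True
        self.failures += 1
        return False


def app_response(pairing_key, nonce, pin):
    """What the legitimate app sends back for a given challenge."""
    pin_digest = hashlib.sha256(f"{pin:06d}".encode()).digest()
    return hmac.new(pairing_key, nonce + pin_digest, hashlib.sha256).digest()


def hardened_replay_fails(pin):
    key = secrets.token_bytes(32)
    lock = ChallengeLock(key, pin)
    nonce1 = lock.challenge()
    tag = app_response(key, nonce1, pin)
    first = lock.unlock(nonce1, tag)            # genuine exchange succeeds
    lock.challenge()                            # lock moves on to a fresh challenge
    replay = lock.unlock(nonce1, tag)           # the captured pair is now useless
    return first and not replay


def guesses_before_lockout(pin):
    """Online guessing with a wrong PIN is stopped after max_failures attempts."""
    key = secrets.token_bytes(32)
    lock = ChallengeLock(key, pin, max_failures=5)
    wrong = (pin + 1) % PIN_SPACE
    attempts = 0
    while lock.failures < lock.max_failures:
        lock.unlock(lock.challenge(), app_response(key, lock.challenge(), wrong) if False else app_response(key, lock.nonce, wrong))
        attempts += 1
    return attempts
```

Note that the hardened design does not make the PIN any stronger; it still has 1,000,000 values. What changes is that the only route to testing a guess is a live round trip with the lock, which can count and refuse, and that a recorded exchange cannot be forged or replayed without the pairing key.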

What to do?

We’ll stick to short and simple advice here: if you’re keen on adopting smart locks, use your own web search smarts to find a device that has not only been subjected to reputable, independent penetration tests, but also come out with a positive recommendation.

Don’t rely on “positive reviews” on the vendor’s own website; avoid any “reviews” that are posted on the site where you got the smart lock’s app; and avoid “reviews” from lifestyle publications that review cool products if they make any cryptographic claims. (Being a cryptanalyst is hard!)

Smart lock vendors mean well, but at the price points they’re typically aiming for, many of them just aren’t cutting the cryptographic mustard yet, and are cutting cryptographic corners instead. (Being a cryptographer is hard.)

Don’t be afraid to vote with your chequebook – or your NFC-enabled credit card – and treat cybersecurity as something that is a value to be maximised, not a cost to be kept as low as possible.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9QgpiLjpWVg/

Reports of cyber attacks fall, says UK.gov survey: GDPR? Fewer nasties? More targeted attacks? We just don’t know

UK businesses have reported a significant fall in cyber attacks over the last 12 months.

The proportion identifying breaches or attacks in the last year was 32 per cent, compared with 43 per cent in 2018 and 46 per cent in 2017, according to a survey of 1,566 businesses by the Department for Digital, Culture, Media and Sport (DCMS) (PDF).

Those figures echo the Crime Survey for England and Wales, which found that between September 2017 and September 2018, the number of computer misuse incidents among individuals fell from 1.5 million to 1 million.

This was driven, according to Office for National Statistics data, by a significant reduction in computer viruses (down by 45 per cent over the same period).

However, the DCMS report said other factors could be at play such as more investment in cybersecurity, better compliance due to GDPR, or a change in attack behaviour.

For example, those carrying out cyber attacks could be focusing on a narrower (though still numerous) set of businesses.

This fits with another broad trend in the survey showing that, among the 32 per cent of businesses that did identify breaches or attacks, the median number they recall facing has gone up, from two attacks in 2017 to six in 2019.

Of those targeted, phishing attacks were the most common, with 80 per cent having been subject to email scams, while 27 per cent said they had been hit by viruses, spyware or malware.

However, Ken Munro of Pen Test Partners said there are too many variables to make the findings conclusive.

“Are the number of antivirus reports down because organisations (rightly) don’t consider them to be attacks/breaches or incidents? Or is it because the antivirus products aren’t detecting the types of malware that are being used now?”

He added: “Without analysing the quality of phishing attacks, the data is also meaningless. Are untargeted phishing attempts being filtered out upstream?

“I don’t think anything can be concluded from the report other than that ‘cyber stuff is still happening and some businesses are taking it more seriously’.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/04/reports_of_cyber_breaches_fall_due_to_less_virus_nasties/

Get rekt: Two years in clink for game-busting DDoS brat DerpTrolling

Austin Thompson, aka DerpTrolling, who came to prominence in 2013 by launching Distributed Denial of Service (DDoS) attacks against major video game companies, has been sentenced to 27 months in prison by a federal court.

Thompson, a resident of Utah, will also have to pay $95,000 to Daybreak Games, which was owned by Sony when it suffered at the hands of DerpTrolling.

Between December 2013 and January 2014, Thompson also brought down Valve’s Steam – the largest digital distribution platform for PC gaming – as well as Electronic Arts’ Origin service and Blizzard’s BattleNet. Disruption lasted anywhere from hours to days.

The most famous episode, described at length in The Graun, involved DerpTrolling taking down two popular online games, League of Legends and Dota 2, in a sequence, in real-time, while negotiating with a Twitch streamer.

Thompson was aged 18 at the time he carried out the attacks. He would usually announce the next victim on Twitter using the handle @DerpTrolling, and would then post “scalps” – screenshot evidence that services were taken offline.

This impressed no one: gamers were unable to play, causing financial distress to publishers, and everyone was angry.

Thompson was promptly doxed by unknown vigilantes, and reportedly arrested by New York cops in January 2014. The Twitter profile disappeared, and the next time his name surfaced was when he pleaded guilty in November 2018.

“Denial-of-service attacks cost businesses and individuals millions of dollars annually,” said US attorney Robert Brewer. “We are committed to prosecuting hackers who intentionally disrupt internet access.”

The DoJ insists on calling Thompson a hacker, but launching DDoS attacks isn’t actually “hacking” in the classic sense of the term – i.e. gaining unauthorized access to data in a system or computer.

DDoS attacks are some of the easiest to execute: as Reg readers know only too well, these flood the target network with requests from multiple infected machines and overload the servers, bringing them down. All you need to start with a DDoS is a sizeable botnet, and while you can build those yourself quite easily, they are also widely available for hire. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/04/gamebusting_ddos_wielder_derptrolling_sentenced_to_two_years_in_the_clink/

TikTok investigated (again) over how it handles children’s data and safety

In February, the US hit the kid-addicting TikTok video-sharing app with the biggest-ever fine for violating the nation’s child privacy law.

Now, it’s the UK’s turn. On Tuesday, information commissioner Elizabeth Denham told a parliamentary committee that the US Federal Trade Commission’s (FTC’s) fine of $5.7 million had triggered a UK probe into how TikTok handles the safety and personal data of underage users, the Guardian reports.

The FTC fine against Musical.ly – now known as TikTok – was for its alleged failure to notify parents that it was collecting and using the personal information of users under the age of 13, that the app never got parental consent before doing so, and that it failed to delete the kids’ information at parents’ request. All of that is illegal under the country’s Children’s Online Privacy Protection Act (COPPA).

Denham told the Guardian that the UK’s probe is investigating whether TikTok has violated the General Data Protection Regulation (GDPR). The investigation is ongoing, she said:

We are looking at the transparency tools for children. We’re looking at the messaging system, which is completely open, we’re looking at the kind of videos that are collected and shared by children online. We do have an active investigation into TikTok right now, so watch this space.

Besides general concerns about how children’s data is collected, there are concerns about the fact that the open message system allows adults to contact kids – a potential violation of GDPR, which “requires the company to provide different services and different protections for children”.

TikTok is insanely popular, but most particularly so with young people. According to Mediakix, the app was downloaded more than 660 million times last year and is used by more than 500 million people globally per month.

It was the most popular app on Apple’s App Store for the whole year and fourth most popular on Google Play. In October, it was the most downloaded app on both Apple and Google’s stores – in other words, it was more popular, globally, than the powerhouses of YouTube, Facebook, and Instagram.

According to App Annie, as of February 2018, 75% of the iPhone user base was female and 50% was aged 13 to 24. On Android, those percentages are 70% female and 60% aged 13 to 24.

There are those who worry that those numbers represent a lot of prey for sexual predators. That was highlighted in February, when Barnardo’s, a major children’s charity in the UK, found that children as young as eight are being sexually exploited online via social media.

When the FTC handed down its fine in February, it said the company had previously been aware that “a significant percentage of users were younger than 13” – the age stipulated by COPPA for strict data protection – and that it had “received thousands of complaints from parents that their children under 13 had created Musical.ly accounts”.

In spite of the complaints, FTC chair Joe Simons said that the company “still failed to seek parental consent before collecting names, email addresses and other personal information from users under the age of 13”.

TikTok’s parent company, Bytedance, is a private startup based in Beijing and is valued at $75 billion. Most of that is thanks to TikTok and its Chinese equivalent, Douyin. At least one Chinese doctor specializing in addiction has warned that young people are so hooked on social media approval that they’ve been risking their lives to garner likes with their 15-second Douyin clips, which have featured things like dancing in front of a moving bus or trying to flip a child 180 degrees… and then dropping her.

GDPR violations can lead to a company being fined up to €20m (£17.9m), or 4% of revenue, whichever is higher. Because it’s a private company, Bytedance doesn’t have to disclose revenue, so we can’t say for sure how big any potential fine that comes out of the UK probe would be.

TikTok sent this statement to the Guardian:

We cooperate with organizations such as the ICO to provide relevant information about our product to support their work. Ensuring data protection principles are upheld as a top priority for TikTok.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u7hGh-m5okQ/

Facebook should put a stop to Libra for now, says Congress

Many have highlighted the cybersecurity implications of Facebook’s forthcoming Libra cryptocurrency, but Congressional lawmakers in the US have an even greater fear: could the grand initiative undermine the security of the global financial ecosystem itself?

That’s what’s keeping members of the US House of Representatives Committee on Financial Services up at night. On Tuesday, Chairperson Maxine Waters sent a letter to Facebook and Calibra, the subsidiary developing the Libra digital wallet, fretting about the global dangers of the cryptocurrency and asking them to stop developing it for the time being.

The letter worries that Libra could compete with the dollar and US monetary policy. It warned:

This raises serious privacy, trading, national security, and monetary policy concerns for not only Facebook’s over 2 billion users, but also for investors, consumers, and the broader global economy.

The 29-page white paper that Facebook published on Libra doesn’t provide nearly enough information, warned the Committee. It called for time to consider the initiative’s implications:

If products and services like these are left improperly regulated and without sufficient oversight, they could pose systemic risks that endanger U.S. and global financial stability.

Senators are also worrying about Libra. The Senate Committee on Banking, Housing, and Urban Affairs had already written to Facebook, on 9 May, before the social media giant officially announced the project, asking it for more information. In the UK, the Financial Conduct Authority is also concerned about the cryptocurrency’s potential effects.

So what do we know about Libra? Facebook’s white paper says that the cryptocurrency, created by the Switzerland-based Libra Association, will run on an open source blockchain software developed by Facebook. Financial institutions including Mastercard, Paypal, and Visa will support it and doubtless profit from the venture, although Facebook is taking a leadership role for now.

The cryptocurrency will start on a ‘permissioned’ blockchain using a known list of organizations that can validate transactions, but Facebook seems set on relinquishing control within five years, creating a ‘permissionless’ blockchain on which anyone can play. Bitcoin’s blockchain is also permissionless. Another similarity with bitcoin is Libra’s pseudo-anonymity. Even in its initial incarnation, it will let people use addresses not linked to their real-world identities.

Unlike bitcoin, though, Libra will rely on a reserve of bank deposits and short-term government securities for its value. This should make it more liquid and less volatile than bitcoin.

Are the authors right to worry? Dr Jay Zagorsky, senior lecturer at Boston University and a Libra sceptic, thinks so. He pointed out to us that US consumers traditionally enjoy deposit insurance. In the US, the Federal Deposit Insurance Corporation does that. In the UK, it’s the Financial Services Compensation Scheme. He told Naked Security:

Libra offers no explicit insurance but investors might expect the US Gov. to implicitly back up the system. If investors implicitly expect the US gov. to step in when a problem occurs then Facebook should allow Congress to think about the issue.

The Committee’s letter worries that the government might have no choice but to bail out Facebook if Libra went off the rails, because it would be too big to fail.

Another question is whether Libra could become too big to stop. Is Congress powerful enough to nobble Libra if it thinks Facebook is moving too quickly? The governing body is a foundation in Switzerland. Incidentally, that’s the approach that the open source Ethereum blockchain project took when setting up its Ether cryptocurrency to avoid any blowback from the SEC.

Zagorsky has this to say:

Congress in my opinion has great power, especially in controlling money and the banking system. Congress can bar any bank from dealing with Libra. This would prevent US consumers from putting money into or out of the new currency system. Libra could continue growing in the rest of the world but if Congress and the EU together decide Libra is too great a risk, the project is dead.

It’s worth remembering, though, that Facebook is touting Libra as a mechanism to bring financial services to the ‘unbanked’, not served by traditional financial services institutions. Many of those are in emerging markets outside the US and Europe, which are still growth opportunities for a social media market that is stagnating in more developed economies.

There isn’t long left for Congressional leaders to thrash this out. Facebook wants to launch the cryptocurrency in the first half of next year and wouldn’t agree to put the brakes on it (did anyone really expect that it would?). It told us:

We look forward to working with lawmakers as this process moves forward, including answering their questions at the upcoming House Financial Services and Senate Banking Committee hearings.

The House Committee hearing is coming up on 19 July. In the meantime, we can only recall the slogan that Facebook quietly swept under the carpet in 2014: “Move fast and break things”. It replaced that phrase with “Move fast with stable infra”. But what happens if the stable infrastructure is the economic system itself, and Facebook is piggybacking on it?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Mw43IQiSlaw/

Facebook’s down-ranking those ‘miracle cure’ health posts we all hate

Facebook has come up with a miracle page-ranking-loss pill that combines the metabolically enhanced powers of its 100% African mango extract-free algorithms to torpedo posts that use spammy, misleading language like that.

On Tuesday, Facebook product manager Travis Yeh said in a post that the platform made two ranking updates to reduce posts with “exaggerated or sensational health claims” and posts “attempting to sell products or services based on health-related claims.”

The first update addresses posts that make sensational claims about miracle cures. The second update tackles posts that promote products or services based on health-related claims, such as pills that claim to help you lose weight.

Here’s Yeh:

People come together on Facebook to talk about, advocate for, and connect around things like nutrition, fitness and health issues. But in order to help people get accurate health information and the support they need, it’s imperative that we minimize health content that is sensational or misleading.

We know that people don’t like posts that are sensational or spammy, and misleading health content is particularly bad for our community.

Fake health news

Hyperventilating health/fitness/nutrition posts are yet another fold in the wrinkly face of fake news. With this move, Facebook will be treating miracle-cure misinformation or misleading posts similar to how it’s recently been dealing with other types of bogosity, be it a fake video of House Speaker Nancy Pelosi depicting her drunkenly slurring her words that went viral in May, the deepfake of CEO Mark Zuckerberg that implied that he was in total control of billions of people’s stolen data and ready to control the future, or the flaming rubbish that fake news writers churn out for ad revenue.

Namely, Facebook has, of late, been employing the decide for yourself strategy.

It’s not going to slap “disputed” flags on fishy fitness news. It doesn’t do that anymore, since it just made things worse.

One imagines that it has no plans to take down any deepfakes of fitness gurus, either, given that it didn’t take down the video of Pelosi having been artificially induced to slur her words, nor the Instagram-disseminated video of the Zucker-borg.

Sniffing out clickbait verbiage

Rather, as Yeh described it, Facebook will be handling fake health content much as it’s handled “low-quality content” such as clickbait: by picking out phrases commonly used in such posts to predict that they might include sensational health claims or attempts to peddle products with health-related claims. If it hits on something sensational or misleading, Facebook will push the content lower in News Feed.

Most pages won’t see much change in News Feed distribution because of the tweaks, Yeh said. If pages with sensational health claims or solicitation with health-related claims do see reduced distribution, there’s one way to fix that, he said: stop it.

Pages should avoid posts about health that exaggerate or mislead people and posts that try to sell products using health-related claims. If a Page stops posting this content, their posts will no longer be affected by this change.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sEKY8FwsKQU/

Open Sesame! Zipato’s smart hub hacked to open front doors

Ever wanted to lock and unlock your front or garage doors remotely?

Zipato’s ZipaMicro Z-Wave smart hub controller offers a simple and relatively cheap way of doing that with the added benefit that it works with all sorts of smart home products  – security cameras, sensors, heating controls, light bulbs, and IoT-enabled locks – from third parties.

Unfortunately, according to Black Marble researchers Chase Dardaman and Jason Wheeler, there’s a catch – the Zipato controller has three critical security flaws which could be used together by hackers to open your home’s doors for you.

Security flaws in IoT sound like a routine story until you read that the headline vulnerability uncovered by Black Marble during a February 0DAYALLDAY Research Event (CVE-2019-9560) allowed the researchers to recover the device’s private Secure Shell (SSH) key from the Zipato’s onboard SD Card.

That’s bad news because SSH is a security protocol making possible secure communications between the device and the local or remote user (i.e. you, when you’re instructing the hub to unlock a door).

According to the researchers, an attacker armed with this private key – stored in a password-protected sub-directory called ‘/etc/dropbear/’, cracked without much difficulty, and with the hard-to-guess name ‘dropbear_rsa_host_key’ – would be able to log in to the hub as ‘root’ to poke around in its inner workings.

(Almost incidentally, the researchers say they discovered that every Zipato hub had been hard-coded with the same private key, a bizarre security oversight.)

After using this to attempt to find and unscramble the device’s access password, the researchers discovered the hub was using a ‘pass-the-hash’ design that allowed them to log in simply by passing the Zipato API the object.json file – in other words, without knowing the plaintext password, only its hash (CVE-2019-9561).

With that, the researchers could log in posing as the homeowner, complete with the power to control any devices connected to it after running up a proof-of-concept script that demonstrated that this was possible.
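The “pass-the-hash” defect described above is a server that treats the stored hash itself as the credential, so anyone who can read the credential store (here, object.json) can authenticate without ever learning the password. The snippet below is an added illustration, not Zipato’s API or the researchers’ proof-of-concept; the record format and the PBKDF2 parameters are constructed. It contrasts the weak check with one that takes the password, recomputes the salted hash on the server, and compares in constant time.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed parameter for the example


def make_record(password):
    """Stored credential: a salted, iterated hash, the sort of thing a config file may legitimately hold."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def vulnerable_login(stored, submitted_hash):
    """Weak design: the client submits a hash and the server compares it with the stored one.
    Reading the record is then equivalent to knowing the password."""
    return hmac.compare_digest(stored["hash"], submitted_hash)


def hardened_login(stored, submitted_password):
    """The client submits the password; the server recomputes the salted hash itself.
    The stored digest is never something a client can hand back to be accepted."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", submitted_password.encode(), bytes.fromhex(stored["salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), stored["hash"])


def pass_the_hash_succeeds(record):
    """Against the weak check, the stored hash alone logs you in."""
    return vulnerable_login(record, record["hash"])


def pass_the_hash_blocked(record):
    """Against the hardened check, the stored hash is just a wrong password."""
    return not hardened_login(record, record["hash"])
```

The hardened form assumes the password travels over an authenticated, encrypted channel (TLS, or an SSH session whose host key is not shared across every unit sold); sending a plaintext password over a hub’s local HTTP interface would trade one problem for another.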

It gets worse

In a private home, this would be bad enough, but Zipato’s hub might also be used to secure numerous apartment addresses under one account. Cracking the Zipato using a second remote pass-the-hash authentication API vulnerability (CVE-2019-9562) would give local attackers the ability to open all of their front doors.

The one barrier to exploiting these flaws is that attackers would need to be on the same Wi-Fi network as the Zipato, which might not be hard in a setting where the same security password was being handed out to large numbers of people.

A remote hack would only be possible if the hub is directly connected to the internet – which barely any of the 100,000+ hubs sold appear to be judging from the tiny number found through the Shodan search engine.

Nevertheless, one concerning part of this story is how smart hubs such as the Zipato seem to be spreading to apartment complexes. That’s not an issue when they work as advertised but means that one unpatched hub could potentially be used to expose numerous homes as a single point of security failure.

Zipato claims it has issued patches for the three CVEs mentioned above, which as far as we can tell means applying v1.3.60 or later, which appeared in March after the company was told of the issues.

The company’s advice on the updating process can be found here.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ksgROso69pQ/

US Cyber Command warns that the Outlook is not so good

An ongoing Iranian government-backed hacking campaign is now trying to exploit a Microsoft Outlook flaw from 2017.

The US Cyber Command has issued an alert that hackers have been actively going after CVE-2017-11774. The flaw is a sandbox escape bug in Outlook that allows an attacker who already possesses the victim’s Outlook credentials to change the user’s home page. That page, in turn, can have embedded code that downloads and executes malware when Outlook is opened.

The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favorite technique of APT33, the Iranian-backed hacking group that has re-emerged with a vengeance amidst rising tensions between Washington and Tehran.

“For at least a year, APT33 and APT34 have used this technique with success due to organizations’ lack of proper multi-factor e-mail access controls and patching e-mail applications for CVE-2017-11774,” the FireEye Advanced Practices Team said in a statement to El Reg.

The attribution of APT33 is particularly important here as the group has a particular way of exploiting the flaw – the attackers will select their target organization and attempt to brute-force as many email accounts as possible with commonly-guessed passwords, then plug those credentials into the CVE-2017-11774 exploit script.

“If Outlook launches something malicious, a common assumption is that the impacted user has been phished – which is not what is occurring here,” the FireEye team explains.

“The organization may waste valuable time without focus on the root cause.”
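The chain FireEye describes starts with credential guessing, not phishing, so the log evidence of the root cause is a single source failing against many accounts with few attempts each and then succeeding on one of them. The following is an added example, not code from the article, FireEye or US Cyber Command. It runs over a constructed authentication log whose line format (timestamp, source IP, user, result) and detection thresholds are assumptions; it flags sources whose failure pattern looks like a password spray and lists the accounts those sources subsequently logged into, which are the credentials that would feed the home-page exploit.

```python
"""Spot the credential-guessing stage that precedes Outlook home-page abuse.

Added example: a password-spray detector over constructed auth-log lines.
Log format (an assumption): '<ISO-8601 timestamp> <source_ip> <user> <FAIL|SUCCESS>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries a common password across many
# accounts and gets a hit on 'frank'; a second source is just one user
# mistyping their own password before getting it right.
SAMPLE_LOG = """\
2019-07-02T08:00:01Z 198.51.100.7 alice FAIL
2019-07-02T08:00:02Z 198.51.100.7 bob FAIL
2019-07-02T08:00:03Z 198.51.100.7 carol FAIL
2019-07-02T08:00:04Z 198.51.100.7 dave FAIL
2019-07-02T08:00:05Z 198.51.100.7 erin FAIL
2019-07-02T08:00:06Z 198.51.100.7 frank SUCCESS
2019-07-02T08:10:00Z 203.0.113.9 alice FAIL
2019-07-02T08:10:05Z 203.0.113.9 alice FAIL
2019-07-02T08:10:20Z 203.0.113.9 alice SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources whose failures span many accounts with few tries each.

    That shape is what separates a spray from a legitimate user fumbling one
    password (many failures, one account). Thresholds are assumed values.
    Returns {source_ip: {"accounts": [sprayed users], "compromised": [users
    the same source later authenticated as]}}.
    """
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[ev[1]].append(ev)

    findings = {}
    for src, evs in by_source.items():
        fails = [(ts, user) for ts, _, user, result in evs if result == "FAIL"]
        sprayed = set()
        start = 0
        for end in range(len(fails)):
            # Slide the left edge so the window never exceeds `window` wide.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                sprayed.update(per_account)
        if sprayed:
            # Any success from a spraying source is a credential the attacker now holds,
            # even if the first guess against that account happened to work.
            hits = sorted({user for _, _, user, result in evs if result == "SUCCESS"})
            findings[src] = {"accounts": sorted(sprayed), "compromised": hits}
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(info['accounts'])} accounts, "
              f"obtained credentials for {info['compromised']}")
```

On the sample log only 198.51.100.7 is flagged, with frank reported as the compromised account; the mistyping user at 203.0.113.9 never reaches the distinct-account threshold. In a real deployment the same logic would be pointed at mail-server or identity-provider sign-in logs, and a hit should prompt a check of the compromised mailbox's folder home page settings rather than a phishing-awareness exercise.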

Fortunately, the bug was patched by Microsoft in October 2017, so fixing this vulnerability should be easy enough, provided you can access and run updates on all of your exposed PCs. One caveat: the patch works by disabling Outlook's folder home page feature rather than by changing how the page is rendered, so a client on which that feature has been re-enabled through the registry or Group Policy is exposed again despite being fully patched. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/03/outlook_flaw_iran/

D-Link Agrees to Strengthen Device Security

A settlement with the FTC should mean comprehensive security upgrades for D-Link routers and IP cameras.

D-Link Systems, manufacturer of local area networking and smart home products, has agreed to implement a “comprehensive software security program” to settle litigation with the Federal Trade Commission.

According to allegations made by the FTC, D-Link claimed that its devices were secure, while in reality vulnerabilities in the company’s routers and Internet-connected cameras left sensitive consumer information, including live video and audio feeds, exposed to third parties and vulnerable to hackers.

The FTC action stemmed from a 2017 complaint specifically mentioning D-Link routers and IP cameras. Among other things, the complaint pointed to hard-coded login credentials in the IP cameras and to mobile app credentials being stored in clear text.

As part of the settlement, D-Link will implement security planning, threat modeling, and vulnerability testing before releasing new products. In addition, the company will monitor existing systems for security flaws, push automatic firmware updates, and create a program for accepting vulnerability reports from researchers.

For more, read here.

Article source: https://www.darkreading.com/perimeter/d-link-agrees-to-strengthen-device-security/d/d-id/1335141?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

YouTube mystery ban on hacking videos has content creators puzzled

YouTube, under fire since inception for building a business on other people's copyrights and in recent years for its vacillating policies on irredeemable content, recently decided it no longer wants to host instructional hacking videos.

The written policy first appears in the Internet Wayback Machine’s archive of web history in an April 5, 2019 snapshot. It forbids: “Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data.”

Lack of clarity about the permissibility of cybersecurity-related content has been an issue for years. In the past, hacking videos could be removed if enough viewers submitted reports objecting to them or if moderators found the videos violated other articulated policies.

Now that there’s a written rule, there’s renewed concern about how the policy is being applied.

Kody Kinzie, a security researcher and educator who posts hacking videos to YouTube’s Null Byte channel, on Tuesday said a video created for the US July 4th holiday to demonstrate launching fireworks over Wi-Fi couldn’t be uploaded because of the rule.

“I’m worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning,” he said via Twitter. “It is hard, often boring, and expensive to learn cybersecurity.”

In an email to The Register, Kinzie clarified that YouTube had problems with three previous videos, which got flagged and are either in the process of review or have already been appealed and restored. They involved Wi-Fi hacking. One of the Wi-Fi hacking videos got a strike on Tuesday and that disabled uploading for the account, preventing the fireworks video from going up.

The Register asked Google’s YouTube for comment but we’ve not heard back.

Security professionals find the policy questionable. “Very simply, hacking is not a derogatory term and shouldn’t be used in a policy about what content is acceptable,” said Tim Erlin, VP of product management and strategy at cybersecurity biz Tripwire, in an email to The Register.

“Google’s intention here might be laudable, but the result is likely to stifle valuable information sharing in the information security community.”

Erlin said that while it may be reasonable to block content that shows actual illegal activities, like breaking into a specific organization’s systems, instructional videos play an important role in cybersecurity education.

“In cybersecurity, we improve our defenses by understanding how attacks actually work,” said Erlin. “Theoretical explanations are often not the most effective tools, and forcing content creators onto platforms restricted in distribution, like a paid training course, simply creates roadblocks to the industry. Sharing real world examples brings more people to the industry, rather than creating more criminals.”

Tyler Reguly, manager of security R&D at Tripwire, said censorship has been a concern among YouTube video makers for some time. In an email to The Register, he expressed sympathy for the challenge YouTube faces as a business.

“If YouTube wants advertisers to pay, they need to be aware of the content they are allowing,” he said. “We tend to forget that these websites exist to make money, not for the betterment of society.”

But he noted that YouTube's policies aren't easy to interpret and there may be reasons Kinzie's video got flagged, such as the fact that it deals with fireworks.

“The YouTube system, based on reports that I’ve seen in the past, is quite arbitrary and difficult to understand, even as a YouTuber working directly with the company, nothing is as straightforward as it seems,” he said.

Dale Ruane, a hacker and penetration tester who runs a YouTube channel called DemmSec, told The Register via email that he believes this policy has always existed in some form. “But recently I’ve personally noticed a lot more people having issues where videos are being taken down,” he said.

While he said he hasn’t seen Kinzie’s video and can’t say for certain why it was removed, the video removals he’s dealt with have tended to involve the metadata provided when uploading videos to the site.

“It seems adding video tags or titles which could be interpreted as malicious results in your video being ‘dinged,'” he said. “For example, I made a video about a tool which basically provided instructions of how to phish a Facebook user. That video was taken down by YouTube after a couple of weeks.”

Similarly, he said, if he were to attempt to make a Wi-Fi penetration test video more easily discoverable via search, by adding a tag like “hack neighbors Wi-Fi,” it would be demonetized (denied ad revenue) or taken down.

Ruane said he somewhat agrees with that policy but notes that YouTube’s recent algorithm changes mean videos have to be “click-baity” to appear in the Suggested Videos list.

“I’ve had around 5-10 videos removed in total and they all tend to follow this trend where I have included metadata with the goal of making the video more ‘clickable,'” he said. “However when I post videos now, I ensure that I don’t include company names and always include a disclaimer in the video and metadata. This hasn’t stopped some videos being automatically demonetized but most of them get reinstated after I appeal the decision.”

Evidently, YouTube doesn’t want to get rid of hacking videos altogether. Ruane said in phone conversations with YouTube advisors – charged with helping video creators grow their audiences – no one has expressed reservations about the hacking videos he discussed.

“I think the way in which this policy is written is far too broad,” said Ruane, allowing that it would be better if it were more narrowly tailored to forbid showing people how to compromise specific systems, like the Facebook phishing video he made. “I also find the policy extremely hypocritical from a company (Google) that has a history of embracing ‘hacker’ culture and claims to have the goal of organizing the world’s information.” ®

Updated to add

After this story was filed, a YouTube spokesperson replied with some talking points on background. Per the company’s request, we won’t repeat them. If we receive attributable comments, we’ll pass them along.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/03/youtube_bans_hacking_videos/