STE WILLIAMS

Zuck says Facebook is becoming more “privacy focused”

Facebook CEO Mark Zuckerberg has either 1) written a Microsoft-esque, Trustworthy Computing-inspired call for the company to perform an about-face on privacy and security, or 2) he’s managed to pull a brand-healing move by infusing Thursday’s headlines with a bunch of words that include “privacy-focused” and NOT “disaster,” “breach,” or “dumpster fire.”

…or, then again, maybe 3) both.

At any rate, on Wednesday, the CEO unveiled what he framed as a major strategy shift that will involve developing a highly secure private communications platform based on Facebook’s Messenger, Instagram, and WhatsApp services.

The redesign entails streamlining communication between the three messaging services – something that Facebook announced in January. At the time, sources told the New York Times that the plan was to keep the three as standalone apps but to stitch their technical infrastructure together so that users of each app can talk to each other more easily.

Tightly connecting the messaging networks could help Facebook fend off being forced by US antitrust regulators to divest one or more of its messaging services. It would, at any rate, make divestiture a lot tougher to do.

While Facebook enables people to connect with everyone they know, Zuckerberg said, the future of online communications is going to see people moving toward a “simpler” platform that’s “focused on privacy first.” That means that Facebook will keep its nose out of our conversations, he said:

I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever. This is the future I hope we will help bring about.

And we should trust Facebook, of all companies, to bring this about? Look, Zuckerberg said, I get it. A lot of you don’t think this is our thing. But really, we can change:

I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform – because frankly we don’t currently have a strong reputation for building privacy protective services, and we’ve historically focused on tools for more open sharing. But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.

What a long, strange trip it’s been

Saying that Facebook doesn’t currently have a strong reputation for building in privacy is like saying that a tornado-flattened house needs a touch of paint.

The privacy crises at Facebook include letting Cambridge Analytica get at the personal information of tens of millions of users (by design, according to internal emails that came out of the Six4Three case against Facebook), and the data breach in which hackers stole data on millions of Facebook users.

After all that and more – the news never seems to stop – Facebook is hurting. Roger McNamee, an early Facebook investor and author of “Zucked” – a book that’s highly critical about the company – told the Boston Globe that Facebook’s brand is getting “crushed.”

McNamee:

They need a PR win.

Zuckerberg said that in Facebook’s new, privacy-focused future, its messaging services would use end-to-end encryption to ensure that nobody – not even Facebook – will be able to view the contents except senders and recipients. That would make it impossible for Facebook to use the information for marketing purposes. The obvious question that arises: how, then, will Facebook make payroll?

How will Facebook make money if it doesn’t sell our privacy?

Could any of these changes herald a shift away from Facebook’s core business model – i.e., data-mining the smithereens out of the masses of “dumb f**ks” who’ve trusted Zuckerberg with their data?

Well, maybe. If Facebook integrates all its apps, it could become a financial titan, for one thing. For a while, signs have been pointing to Facebook becoming an international currency exchange system: by having its own cryptocurrency, the company could enable its enormous global user base to shift money instantly anywhere in the world, while it earns interest on the deposits or charges fees.

It’s a step that would help Facebook to get its fortunes back on track in an emerging market and put its brand on the path to recovery after being damaged by its privacy missteps.

But critics say that better private messaging won’t change the fact that Facebook has plenty more ways to follow us around. One such critic was Jeremy Burge, the Emojipedia founder who earlier this week publicly criticized Facebook for its most recent privacy faux pas – that of allowing users to look up other users’ profiles by using the phone number they thought they were only providing for 2FA (two-factor authentication).

Burge said that putting “privacy-focused” in a headline is an empty gesture, given practices like that one.

McNamee said pretty much the same thing to the Globe:

They track people everywhere. So until they stop tracking people everywhere, they’re going to remain a huge challenge for consumers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1QJTnDimNak/

Firefox picks up advertiser-dodging tech from Tor

Firefox users will soon get yet another privacy feature to help them avoid snooping advertisers – and the measure comes straight from its cousin, the Tor browser.

The new privacy protection will help Firefox users avoid a long-used snooping technique called fingerprinting. Browser cookies are not the only way to track users as they visit different websites. Even with cookies turned off, advertisers can still identify you across multiple sites.

They do this by looking at other characteristics that your computer reveals when visiting a website such as the size of your browser window.

Many people resize browser windows by manually dragging their corners around. This creates random window sizes that few people will share. The chances are you’ll visit several websites in that window, which communicates its size to each one. Advertisers can use that data to track you across multiple sites.

To combat this, Firefox has borrowed a technique called letterboxing from Tor as part of a bigger, more structured program to transfer features between the browsers.

The Tor browser is based mostly on Firefox code, but its developers add additional features to make it more anonymous. A project called Tor Uplift takes many of these patches and applies them to the original Firefox browser as experimental functions that are turned off by default.

Letterboxing in Tor manipulates the page content in a window, introducing a tiny delay in loading it. During that time, it adds grey space to the size of the webpage, adjusting its width and height to multiples of 100 pixels. This creates a generic window size that will be common among hundreds of thousands of browsers, making it more difficult for advertisers to uniquely identify yours.
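To make the fingerprinting arithmetic concrete, here is an added example (not code from the article, Mozilla or the Tor Project) that models how rounding the content area collapses many arbitrary window sizes into a handful of generic ones. It assumes rounding down to multiples of 100 px in each dimension, as the article describes; the browsers’ real step sizes may differ, so the steps are parameters, and the visitor sample is constructed.

```javascript
// Added example, not code from the article, Mozilla or the Tor Project: a model
// of how letterboxing shrinks the fingerprinting value of window size.
// Assumption: the content area is rounded down to a multiple of 100 px in each
// dimension, as the article describes; real step sizes may differ, so the
// steps are parameters.

const DEFAULT_STEP = 100;

// Returns the letterboxed content size for a window of the given size: the
// largest multiple of the step that fits in each dimension. The browser fills
// the leftover space with grey margins, so the page only ever sees the rounded
// size. Throws if a dimension is not an integer at least one step wide.
function letterbox(width, height, stepW = DEFAULT_STEP, stepH = DEFAULT_STEP) {
  for (const [value, step] of [[width, stepW], [height, stepH]]) {
    if (!Number.isInteger(value) || value < step) {
      throw new RangeError(`window dimension ${value} must be an integer >= ${step}`);
    }
  }
  return {
    width: Math.floor(width / stepW) * stepW,
    height: Math.floor(height / stepH) * stepH,
  };
}

// The value a tracker would record from window size alone.
function sizeKey(size) {
  return `${size.width}x${size.height}`;
}

// Groups visitors by the size their browsers expose (raw or letterboxed) and
// returns how many share each value: the anonymity set for that value.
function anonymitySets(windows, letterboxed, stepW = DEFAULT_STEP, stepH = DEFAULT_STEP) {
  const sets = {};
  for (const w of windows) {
    const key = sizeKey(letterboxed ? letterbox(w.width, w.height, stepW, stepH) : w);
    sets[key] = (sets[key] || 0) + 1;
  }
  return sets;
}

// Bits of identifying information that window size contributes, measured on
// this population: log2 of the number of distinct values observed. Fewer
// distinct values means fewer bits for a tracker to combine with other signals.
function identifyingBits(windows, letterboxed) {
  return Math.log2(Object.keys(anonymitySets(windows, letterboxed)).length);
}

// Constructed sample: eight visitors who dragged their windows to arbitrary sizes.
const SAMPLE_WINDOWS = [
  { width: 1237, height: 841 }, { width: 1290, height: 870 },
  { width: 1280, height: 820 }, { width: 1211, height: 860 },
  { width: 1366, height: 768 }, { width: 1345, height: 792 },
  { width: 1024, height: 700 }, { width: 1099, height: 755 },
];

console.log("raw sizes:", anonymitySets(SAMPLE_WINDOWS, false));
console.log("letterboxed sizes:", anonymitySets(SAMPLE_WINDOWS, true));
console.log("bits: raw", identifyingBits(SAMPLE_WINDOWS, false),
  "letterboxed", identifyingBits(SAMPLE_WINDOWS, true));
```

With this sample, eight distinct raw sizes (3 bits) collapse to three letterboxed sizes (about 1.58 bits), and the largest anonymity set holds four of the eight visitors.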

The letterboxing patch is now available in Firefox Nightly, which is the pre-release version of the browser designed for early adopters. The feature will make it into version 67 of the mainstream Firefox browser in May, but it won’t be enabled by default. Instead, users will have to set it to ‘true’ in the Firefox configuration page.

This isn’t the first anti-fingerprinting measure that has landed in Firefox courtesy of Tor Uplift. Firefox 58 integrated another feature that stopped advertisers tracking users via the HTML5 canvas element.

The latest feature will help to bring more protection to an already privacy-conscious browser. Other measures have included a redesigned content blocking section that makes it easier for users to switch off cross-site trackers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5Xqz4H7y32s/

What happens when security devices are insecure? Choose the nuclear option

Something for the Weekend, Sir? It’s important – and responsible – to use adequate protection. My own helmet, for example, is wrapped in tin foil.

I have done this on doctor’s advice. Well, indirectly anyway. I was feeling a little under the weather and booked to see my GP. Naturally, by the time my appointment came around three weeks later I was feeling much better but felt it was too rare an opportunity to miss. So I made up a few illnesses to make her feel appreciated.

At least, I think it was my GP. She spent the entire seven-minute consultation with her back turned as she jabbed away at a computer and replied to WhatsApp messages on her mobile, so it could have been a locum.

It is possible that she was not listening as intently as I had hoped as I recounted how progressive multifocal leukoencephalopathy had played havoc with my cyclic vomiting syndrome after I developed symptoms of scurvy. Without turning round, she updated my health file on-screen and said the AI was reporting that my prosthetic limb would be delivered on Monday. “Goodbye Mr Gadds-Allison!” she sang as I shuffled out, wondering how I might teach myself to walk on three legs now that all the Rolf Harris videos have been removed from YouTube.

Evidently I overdid it in the surgery and the doctor was hinting that I was a hypochondriac who needed to focus my attention on more important things. Too damn right: now I’m worried about the security of my health file. Well, mine and Mr Gadds-Allison’s, who will be hopping mad when he gets handed his scurvy tablets on Monday.

It would appear that no matter how careful I am with my login credentials and personal data, there’s absolutely nothing I can do to stop other people who have legitimate access to it from cocking it up. In how much danger am I?

My first port of call is the world cyber security rankings posted last month to the Comparitech website. These provide a good few minutes of entertainment if you’re interested enough to copy the table into a spreadsheet and play around with the sorting order.

It’s fascinating, for example, to see how France is ranked as the safest country for cyber security second only to Japan, while its ex-colony Algeria is the absolute worst. From this, I extrapolate that Algeria’s IT criminals are probably targeting French computer users but the French know it. Indeed, the French government and businesses very effectively keep the populace safe and the enemy at bay with a wall of incoherent, hideous and thoroughly impenetrable user interfaces that make MySpace look like the Louvre. Try and book a train ticket on the SNCF app and you’ll understand.

Walk into an Algerian house with three computers in it and statistically one of them will already be infested with malware. Here in the UK, it’s one in 10. Not to worry, though, it’s only a matter of time before we catch them up.

Perhaps the answer is to invest in smarter security at home. You know, like Amazon’s Ring Video Doorbell. That’s right, the smart security product that a bloke from Dojo by BullGuard hacked into during a demonstration at MWC.

The vulnerability could, in one suggested scenario, allow mischievous chancers to press the doorbell while you’re out and all you see in your smartphone app is a pre-recorded video stream of your aunt wanting access to drop off a chocolate cake (again). Talk about a schoolboy error. Honestly, IoT developers should spend less time wooing venture capitalists and more time watching heist movies.

Or you could get one of those special edition Sony Aibos that are supposed to map out your rooms by themselves and patrol your house autonomously.

Well, the effectiveness of Aibo as a patrolling guard dog depends on how much protection you expect from a $3,000 toy beagle. The friendly little robot’s approach to security is the equivalent of you waddling around your own house at night, encountering a burglar and muttering “Hmm” before moving off to the next room.

Even if a firmware update enabled Aibo to bark at an intruder, the latter could just swipe it aside with a gentle nudge of a toe. What Sony needs to do is get someone in from Boston Dynamics to redesign Aibo to be the size of a pony with huge fucking razor teeth. Now that would be security.

Until then, I am re-reading the only HM Government-issued advice I have to hand on the topic of personal security. I bought it during a visit to Kelvedon Hatch.

Protect and Survive front cover

Unfortunately, some of the advice is outdated as it was printed in 1980. This page, for example, suggests you brick yourself indoors, stuff your fireplace with bagged kittens and do sexy-sexy with a wardrobe in the unlikely event that you happen to be Ben Gazzara.

Protect and Survive Ben Gazzara

The following page feels more contemporary. In fact, I’m pretty sure there’s a guy down my road whose house already looks like this indoors. It certainly looks like it from the outside, anyway.

Protect and Survive bin bags

I doubt I’ll be able to do the same as him: I have nowhere nearly enough kittens. However, I’m making a start by putting aside some magazines (I’m downloading as many as I can) as advised on page 16, and ensuring there’s a bucket of water on each floor as per page 19.

It might not stop cyber attacks in their tracks but at least it’ll be as effective as an IoT security device.


Alistair Dabbs
Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He hadn’t intended to be old-school, he just ended up that way by being too lazy to do anything. In fact, he only got around to applying for an EU driving licence last month, just weeks before it will become automatically redundant. @alidabbs


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/08/what_happens_when_security_devices_are_insecure_choose_the_nuclear_option/

Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?

A cybersecurity professor has insisted he was not hunting for a vulnerability when he found a denial-of-service bug on an in-flight entertainment screen during a long-haul flight. His findings could affect a number of airliners running Thales-made equipment.

But Hector Marco, an associate cybersecurity professor at the University of the West of Scotland, has received a kicking on social media from some in the security industry over his research method.

At the start of a commercial transatlantic flight he took in February, Marco pasted long strings of text into an in-flight chat app using a USB wireless mouse.

“Although I was very tired, and it was a night flight, I couldn’t resist to do some basic security checks in the entertainment systems,” he originally wrote in a LinkedIn post explaining the in-flight entertainment (IFE) system vuln, which was assigned CVE-2019-9109 by the MITRE Corporation. That blog post was edited shortly after The Register contacted Marco.

In an email to The Register (Marco refused to discuss his findings over the phone), the cybersecurity prof insisted he was “not probing for vulnerabilities”, before insisting that during his flight he “wanted to send a long message to another chat seat” and decided to use the mouse. “After copying and pasting many times the chat application surprisingly disappeared in front of me.”

A YouTube video Marco published and linked to from his original LinkedIn post shows someone operating the mouse on the IFE screen, repeatedly copying and pasting what appears to be a lengthy and unbroken string of characters including the letters “fdkfdkfdkfdkfdhhhhhhhh”. The app later froze but did not appear to affect any other screens aboard the Boeing.


“I didn’t know that the application will crash,” he said when we asked what he would have done if his actions had crashed the entire IFE system shortly after takeoff on a nine-hour flight, “so I was not probing any vulnerability because I didn’t know the existence of any vulnerability at that time.”

Copying and pasting long strings of text into an input field is a well-known penetration-testing technique. It is most commonly associated with triggering buffer overflows, which are easier to exploit in software that does not implement memory protections such as address space layout randomisation (ASLR). A few years ago, Marco and a fellow researcher found that it was possible to bypass boot authentication in the Linux bootloader Grub2 by pressing backspace 28 times.

Marco appeared to admit he wasn’t entirely sure what he found aboard his transatlantic flight, telling us: “The most likely in this case is a buffer overflow but a memory exhaustion or similar can not be discarded. Assigning ‘unknown’ as vulnerability type [in the CVE notice] will force us to ask for a change for sure. Using the most likely one can give a better context and likely avoid future changes about the kind of issue.”

The affected vendor here is not British Airways

The US NIST entry for CVE-2019-9109 refers to the vulnerability only as affecting “The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft”. The Register can reveal that the affected software is in fact made and maintained by Thales Group under the trade name Thales TopSeries i5000. BA is a Thales customer.

Marco told El Reg that he “immediately contacted the affected stakeholders” once he had found the bug. Thales declined to comment. Boeing told us: “Multiple layers of protection, including software, hardware, and network architecture features, are designed to ensure the security of all critical flight systems. Boeing’s cyber-security measures are subjected to rigorous testing, including through the FAA’s certification process, and our airplanes meet or exceed all applicable regulatory requirements.”

BA itself told us that the vuln as described would not let anyone get their digital mitts on the aircraft’s flight control systems, adding: “We are already aware of this issue and our investigations have not identified any safety or security risk to our operation. IFE systems on board our aircraft are isolated from critical operating systems. The safety and security of our customers is always our priority.”

Marco published a blog post showing a picture of the aircraft he used as his vuln-hunting testbed: a British Airways Boeing 777-300 registered G-STBD, which, according to plane-spotters’ site The BA Source, was operating flight BA287 from San Francisco to Heathrow on Friday 8 February 2019. This fitted the flight details alluded to in Marco’s original LinkedIn post, where he posted on 12 February that he had taken a flight from California to London on the preceding Friday.

The BA Source lists G-STBD’s IFE equipment supplier as Thales. A Flickr photo of the IFE fitted in an economy seat (World Traveller, as BA brands its long-haul cattle-class seats) aboard G-STBD can be compared to this video of a Hong Kong Airlines Airbus A330, labelled as featuring a Thales i5000 IFE system, which shows a near-identical handset and screen to the BA IFE gear. It also appears identical to the photos and video published by Marco himself.

Items such as USB ports in IFE equipment are typically specified by airlines themselves and vary in position and fitment, though the handset and screen do not differ significantly.

Vuln has worldwide impact

BA’s Boeing 777-300 fleet numbers 12 aircraft, all of which appear to be fitted with Thales i5000 IFE equipment; the airline flies a total of 58 777-200 and 777-300 aircraft. A frequent flyers’ website claimed that Thales i5000 gear is installed aboard a number of BA airliners, including its Airbus A321 and A380 fleets, as well as some of the 777s and all of its Boeing 787 Dreamliners.

Some of the other airlines that use Thales TopSeries i5000 IFE equipment include Oman Air, which flies a total of 18 long-haul capable Boeings and Airbuses. Hong Kong Airlines, which also uses Thales i5000 IFE kit, flies 27 Airbus A330 and A350 airliners.

It is unknown whether the vuln affects other IFE equipment produced under the TopSeries brand.

When we asked Marco for his thoughts on the online commentary about his findings and the way in which he presented them, he said that people were commenting based on incomplete information “and part of it describes an hypothetical scenario. Those thoughts aloud were intended to avoid this issue to go unnoticed, that’s all, because I really think this should be addressed and we are supporting stakeholders on this.”

Infosec industry veteran Ken Munro believed Marco had been a bit thoughtless, saying: “Research is a valuable part of advancing security, but there are important boundaries that separate researchers from hackers. [Marco] knew the potential consequence of his actions and also is hopefully aware of the UK Computer Misuse Act. There are potential safety implications here, so testing an IFE in an airplane with passengers on board is unwise.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/08/thales_topseries_vuln/

No guns or lockpicks needed to nick modern cars if they’re fitted with hackable ‘smart’ alarms

Researchers have discovered that “smart” alarms can allow thieves to remotely kill your engine at speed, unlock car doors and even tamper with cruise control speed.

British infosec biz Pen Test Partners found that the Viper Smart Start alarm and products from vendor Pandora were riddled with flaws, allowing an attacker to steal a car fitted with one of the affected devices.

“Before we contacted them, the manufacturers had inadvertently exposed around 3 million cars to theft and their users to hijack,” said PTP in a blog post about their findings. The firm was inspired to start looking at Pandora’s alarms after noticing that the company boasted their security was “unhackable”.


Thanks to an unauthenticated corner of the service’s API and a simple parameter manipulation (an insecure direct object reference, or IDOR), PTP said they were able to change a Viper Smart Start user account’s password and registered email address, giving them full control over the app and the car that the alarm system was installed on.

All they had to do was send a POST request to the API with the parameter “email” redefined to one of their choice in order to overwrite the legitimate owner’s email address, thus gaining access and control over the account.
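The class of bug described above, as an added example that is not the article’s code nor that of Pen Test Partners, Viper or Pandora: a minimal model of a “change my email” endpoint in which the insecure direct object reference sits beside a hardened handler that takes the target account from the session rather than the request body. The store, session tokens and addresses are hypothetical and constructed for the example.

```javascript
// Added example, not code from the article or from Pen Test Partners, Viper or
// Pandora: a minimal model of a "change my email" endpoint, showing the
// insecure-direct-object-reference pattern the article describes beside a
// hardened version. All names (store, session tokens, addresses) are
// hypothetical and constructed for the example.

// In-memory stand-in for the account database and the session table. Only
// account 202 has a logged-in session; account 101 is the legitimate owner
// whose address an attacker would want to overwrite.
function makeStore() {
  return {
    accounts: new Map([
      [101, { email: "owner@example.com" }],
      [202, { email: "other@example.com" }],
    ]),
    sessions: new Map([["sess-202", 202]]), // token -> account id
  };
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Vulnerable handler: it never checks who is calling and lets the request body
// choose which account to modify. Any caller who knows or guesses an account
// id can rewrite the registered email and so take over the account.
function updateEmailVulnerable(store, req) {
  const { accountId, email } = req.body;
  const account = store.accounts.get(accountId);
  if (!account) return { status: 404 };
  account.email = email;
  return { status: 200, accountId };
}

// Resolves the caller from a bearer token; undefined if unauthenticated.
function callerFromRequest(store, req) {
  const auth = req.headers && req.headers.authorization;
  if (typeof auth !== "string" || !auth.startsWith("Bearer ")) return undefined;
  return store.sessions.get(auth.slice("Bearer ".length));
}

// Hardened handler: the target account comes from the session, never from the
// body, so a client-supplied id cannot point at someone else's account. A body
// that names a different account is rejected outright, and the new address is
// validated before anything is written.
function updateEmailHardened(store, req) {
  const callerId = callerFromRequest(store, req);
  if (callerId === undefined) return { status: 401 };
  const { accountId, email } = req.body;
  if (accountId !== undefined && accountId !== callerId) return { status: 403 };
  if (typeof email !== "string" || !EMAIL_RE.test(email)) return { status: 400 };
  store.accounts.get(callerId).email = email;
  // A production service would also notify the old address so the real owner
  // learns of the change; that step is outside what this model shows.
  return { status: 200, accountId: callerId };
}

// Demonstration: the same unauthenticated request against both handlers.
const takeoverAttempt = { headers: {}, body: { accountId: 101, email: "evil@example.com" } };
const s1 = makeStore();
console.log("vulnerable:", updateEmailVulnerable(s1, takeoverAttempt), s1.accounts.get(101));
const s2 = makeStore();
console.log("hardened:", updateEmailHardened(s2, takeoverAttempt), s2.accounts.get(101));
```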

PTP said that in a live proof-of-concept demo they were able to geolocate a target car using the Viper Smart Start account’s inbuilt functionality, set off the alarm (causing the driver to stop and investigate), activate the car’s immobiliser once it was stationary and then remotely unlock the car’s doors, using the app’s ability to clone the key fob and issue RF commands from a user’s mobile phone.

Even worse, after further API digging, PTP researchers discovered a function in the Viper API that remotely turned off the car’s engine. The Pandora API also allowed researchers to remotely enable the car’s microphone, allowing nefarious people to eavesdrop on the occupants.

They also said: “Mazda 6, Range Rover Sport, Kia Quoris, Toyota Fortuner, Mitsubishi Pajero, Toyota Prius 50 and RAV4 – these all appear to have undocumented functionality present in the alarm API to remotely adjust cruise control speed!”

Both Pandora and Viper had fixed the offending IDORs before PTP went public. The infosec firm noted that modern alarm systems tend to have direct access to the CAN bus, the heart of a modern electronic vehicle.

A year ago infosec researchers wailed that car security in general is poor, while others discovered that electronic control units (ECUs), small modular computers used for controlling specific vehicle routines that were done mechanically years ago, were vulnerable to certain types of hack even with the engine off and the car stationary. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/08/ptp_smart_car_alarm_research_pandora_viper_smart_start/

IT guy at US govt fraud watchdog stole 16 computers from… US govt fraud watchdog

An IT contractor for a US government fraud and abuse watchdog pleaded guilty on Thursday to stealing 16 US government computers.

According to prosecutors, Andrew Cheveers, 31, served as a techie for the State Department’s Office of Inspector General (State OIG), where he held a security clearance and set up PCs for government employees.

The State OIG helps assess and mitigate risks to State Department personnel and facilities abroad. It also oversees contracts, grants, and foreign assistance programs; and it advises the State Department on IT security and management.

Justice Department prosecutors say Cheveers, between July 2016 and February 2017, stole as many as 16 Microsoft Surface Pro laptops belonging to Uncle Sam, and sold them online at sites like Craigslist and eBay.

An affidavit [PDF] from State OIG Special Agent Lloyd Rawls describes how the crime was revealed. In May 2016, State OIG bought 440 Microsoft Surface Pro tablet devices (512GB SSD; 16GB RAM; Windows 10 Enterprise) for $2,021 apiece.

State OIG’s Information Technology Division began configuring the devices for distribution to OIG personnel and Cheveers was one of the contractors brought on to assist with the task, during the period between July and November 2016.

In February 2017, the State OIG conducted its annual equipment inventory, and found 16 devices that had been configured, but not yet assigned to anyone, were missing. After searching its offices, the agency opened an investigation.

‘Inability to track IT assets’

According to the State OIG’s 2018 report on management challenges and performance challenges, inventory management has been a problem at the State Department for years. “The Department’s inability to track its IT assets prevents adequate oversight and puts the Department at risk of purchasing duplicate or unneeded software,” the report says. “This is a longstanding and ongoing issue for the Department.”

In his affidavit, Rawls said he interviewed an OIG IT manager in April 2017 who said Cheveers had been questioned about the missing tablets and denied knowing their whereabouts.

The State OIG then turned to trying to track the devices through their serial numbers, issuing a subpoena to Microsoft for any account information associated with the missing computers. The company provided data on two individuals, identified only by initials in court documents, who turned out to be unaffiliated with the government or its contractors.

Rawls recounts talking to one of the individuals, M.C., via telephone and being told the Surface Pro tablet in question had been purchased through Craigslist with cash.


After presenting subpoenas to Craigslist, eBay, Google, PayPal, and Sprint, Rawls came to the conclusion M.C. hadn’t been entirely truthful. His findings indicate that Cheveers received multiple electronic payments from M.C. who did business on eBay under the username surface_store using a virtual storefront named The Surface Store. Several of the devices sold bore State OIG property numbers and Microsoft serial numbers associated with devices purchased by the agency.

The surface_store eBay account was last active in early 2018 and its listings have since been removed from the site.

Having admitted his crimes in an Alexandria, Virginia, federal district court, Cheveers now faces up to a decade behind bars. He will be sentenced in June. No mention is made in the court filings of whether M.C. will face charges. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/08/it_contractor_steals_microsoft/

Tech security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal

Credit-rating monitor Equifax ignored years of warnings and red flags before it was thoroughly ransacked in 2017 by hackers, who made off with the personal information of roughly 150 million Americans, Brits, and Canadians, according to another congressional probe.

An investigation [PDF] by the US Senate Committee on Homeland Security and Governmental Affairs found that the credit agency was negligent in both the periods before and after it was hacked. The publication of the committee’s findings this week follows a similarly scathing report issued late last year by House reps.

According to the Senate panel, Equifax staff knew in 2015 that their systems were not tightly secured and were open to attack, yet failed to properly secure their networks, and were eventually pwned two years later via a hole in an Apache Struts 2 installation – a security hole for which a patch was publicly available but had not been deployed.

The senators’ report painted a sprawling picture of the information-security dysfunction at Equifax in the lead-up to the database breach, including a lack of communication among the security team. The admin in charge of the Struts application was not included on the security mailing list, and senior managers from the security teams did not attend monthly meetings that would touch on vulnerability risks.

As a result, the report noted, Equifax wasn’t able to patch the Struts vulnerability until August of 2017, one month after the data theft had occurred. Even when patches were in place, the committee noted, the process was chaotic and disorganized.

“Equifax’s system for vulnerability scanning was a global process that was disconnected from the company’s regional patch management process,” the study stated. “Equifax’s former Director of the global threats and vulnerability management team told Subcommittee staff that in some cases, patching was regional, and some cases it was global.”

The patching problems were not a new phenomenon, either. Back in 2015, an internal audit found that Equifax had thousands of unpatched vulnerabilities in its internal software.

“The audit revealed that Equifax did not fix vulnerabilities in a timely manner,” the senators stated. “For example, there were “over 8,500 [sic] medium, high or critical vulnerabilities existing with a large percentage of those being over 90 days outstanding.”


Not surprisingly, the company that the committee declared “negligent” in its handling of cyber security was also scolded for its response to the massive data theft. The report once again pointed out how an expired SSL certificate in a network traffic monitoring device prevented Equifax from detecting and discovering the breach for months, and how the company waited six weeks to provide the public with any information.

Now, the committee is recommending that Congress take steps at the federal level to prevent such security disasters from ever happening again. The senators urge legislators to write up and pass laws that would require companies to take basic security precautions, and to follow a set process for notifying customers.

“Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII [personally identifiable information] to take reasonable and appropriate steps to prevent cyber-attacks and data breaches,” the committee insisted. “Congress should pass legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/08/security_equifax_senate/

Put down the cat, coffee, beer pint, martini, whatever you’re holding, and make sure you’ve updated Chrome (unless you enjoy being hacked)

Updated: If Google Chrome is bugging you to update it right now, please stop what you’re doing, and get that upgrade.

The latest version fixes a security vulnerability (CVE-2019-5786) that can be potentially exploited by malicious webpages to hijack the software, and run spyware, ransomware, and other nasties on your device or machine.

According to Googler Abdul Syed, the ads giant is “aware of reports that an exploit for CVE-2019-5786 exists in the wild,” meaning criminals and other miscreants are leveraging the bug to infect victims’ computers. A mark just needs to be lured into opening a booby-trapped website from, say, an instant-messenger link or email, or viewing a malicious advert, using a vulnerable version of Chrome to potentially fall victim.

Meanwhile, Google Chrome lead Justin Schuh urged: “Seriously, update your Chrome installs… like right this minute.”

The vulnerability affects Windows, Linux, Android, ChromeOS, and macOS builds of Chrome: if you’re running version 72.0.3626.121 or higher (or 72.0.3626.122 or higher on ChromeOS) then you’re all good. Open the Chrome menu, click on ‘Help’, then ‘About Google Chrome’ to check the version. From there you can update as necessary, or use your favorite package manager to upgrade.

Normally, Chrome gets its updates automatically: you just have to restart it when it’s done.

Under the hood

The bug, discovered by Googler Clement Lecigne, lies in the FileReader API portion of Chrome, and is a use-after-free() programming blunder. This means the browser can be tricked into marking a block of heap memory as no longer needed, and then uses it again anyway as if it hadn’t freed the space.

In between a thread releasing the memory and reusing it, that memory space could be assigned to another part of the browser and altered, for example, while rendering a webpage. When a thread incorrectly reuses that memory space, the data it expects will have been overwritten, leading to confusion and ultimately, potentially, remote code execution.

One way to achieve this would be to craft a webpage that, when loaded, causes a Chrome thread to free memory holding a block of function pointers, then render some HTML or fire up some JavaScript that causes the block to be reallocated, and those pointers overwritten with data contained in the page. Then you wait for the browser to access what it thinks are still valid pointers from the memory block, and jump to them. In reality, it will start running arbitrary code supplied by the attacker’s webpage.
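The mitigation side of the bug class described above, as an added example that is neither Chrome’s nor the FileReader code: a small slot table whose handles carry a generation counter. Freeing a slot bumps its generation, so a stale handle that still names the old generation is rejected instead of reaching memory that has since been handed to a new owner. The unchecked `raw_dispatch` path models the use-after-free shape the article describes (an old index silently dispatching through whatever function pointer the new occupant stored). The slot table, the `Handle` type, the two owner callbacks and the payload strings are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed table of "reader" slots, each holding a
 * completion callback (a function pointer) and a small data buffer.
 * Every slot carries a generation counter that is bumped on free. */
#define SLOTS 4

typedef int (*on_load_fn)(const char *data);

typedef struct {
    uint32_t   generation;  /* incremented each time the slot is freed */
    int        in_use;
    on_load_fn on_load;     /* callback run when the "read" completes */
    char       data[32];
} Slot;

/* A handle names a slot *and* the generation it was issued for. */
typedef struct { uint32_t index; uint32_t generation; } Handle;

static Slot table[SLOTS];

Handle slot_alloc(on_load_fn cb, const char *payload) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use  = 1;
            table[i].on_load = cb;
            snprintf(table[i].data, sizeof table[i].data, "%s", payload);
            return (Handle){ i, table[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };   /* table full */
}

/* Resolves a handle only if the slot is live and the generation matches. */
Slot *slot_get(Handle h) {
    if (h.index >= SLOTS) return NULL;
    Slot *s = &table[h.index];
    return (s->in_use && s->generation == h.generation) ? s : NULL;
}

/* Returns 1 on success, 0 for a stale handle (which also covers double free). */
int slot_free(Handle h) {
    Slot *s = slot_get(h);
    if (!s) return 0;
    s->in_use  = 0;
    s->on_load = NULL;
    s->generation++;                    /* invalidates every outstanding handle */
    return 1;
}

/* Checked dispatch: -1 for a stale handle, otherwise the callback's result. */
int checked_dispatch(Handle h) {
    Slot *s = slot_get(h);
    if (!s || !s->on_load) return -1;
    return s->on_load(s->data);
}

/* Unchecked dispatch, the use-after-free shape: trusts the index alone, so
 * after free + reallocation it runs the *new* occupant's function pointer. */
int raw_dispatch(uint32_t index) {
    Slot *s = &table[index];
    if (!s->on_load) return -1;
    return s->on_load(s->data);
}

/* Two "owners" with distinguishable callbacks (constructed). */
int owner_a_cb(const char *d) { return 100 + (int)strlen(d); }
int owner_b_cb(const char *d) { return 200 + (int)strlen(d); }

typedef struct { int raw, stale, fresh, double_free; } ScenarioResult;

/* Free A's slot, let B reuse it, then try to use A's old handle both ways.
 * Starts from a clean table so the result is deterministic. */
ScenarioResult run_reuse_scenario(void) {
    memset(table, 0, sizeof table);
    Handle a = slot_alloc(owner_a_cb, "file-a");     /* slot 0, generation 0 */
    slot_free(a);                                     /* slot 0 freed, generation 1 */
    Handle b = slot_alloc(owner_b_cb, "file-bb");    /* slot 0 reused, generation 1 */
    ScenarioResult r;
    r.raw         = raw_dispatch(a.index);  /* runs B's callback through A's index */
    r.stale       = checked_dispatch(a);    /* -1: generation mismatch rejected */
    r.fresh       = checked_dispatch(b);    /* B's own handle still works */
    r.double_free = slot_free(a);           /* 0: stale handle cannot free B's slot */
    return r;
}

int main(void) {
    ScenarioResult r = run_reuse_scenario();
    printf("raw_dispatch via stale index : %d (owner B's callback ran)\n", r.raw);
    printf("checked_dispatch(stale)      : %d (rejected)\n", r.stale);
    printf("checked_dispatch(fresh)      : %d\n", r.fresh);
    printf("slot_free(stale)             : %d (refused)\n", r.double_free);
    return 0;
}
```

The design point is that a handle which can be validated on every use turns a silent memory reuse into an explicit failure; the same check catches double frees. In a real browser the equivalent guards are reference counting, weak pointers and allocator hardening, but the generation-tag idea is the simplest one to read.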

Exact details of the flaw are being withheld until enough people are patched. The bug fix was emitted at the start of March, and word of exploitation in the wild emerged this week. ®

Updated to add

In a blog post today, Google has revealed a few more details. It also warns that it has discovered “a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape,” which primarily affects Windows 7. Security defenses in modern Windows editions block exploitation attempts.

“The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances,” the ad giant’s security team explained.

Google has spotted active attacks leveraging this privilege escalation flaw against 32-bit Windows 7 systems. Microsoft is still working on a patch for this bug, so stay tuned for an update soon. Or upgrade to Windows 10, ChromeOS, Linux… take your pick.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/07/google_chrome_zero_day/

Debunking 5 Myths About Zero Trust Security

Rather than “trust but verify,” a zero trust model assumes that attackers will inevitably get in – if they aren’t already. However, several misconceptions are impeding its adoption.

For years, the popular security maxim was “trust but verify.” However, this mindset is no longer sufficient in today’s borderless, global, mobile, cloud-based threatscape.

According to Gartner, organizations are expected to spend $137 billion in IT security and risk management in 2019, yet 66% of all companies experienced security breaches last year. You’d think with that much money invested in security, we’d be several steps ahead of the bad guys. But hardly a week goes by without news of the latest high-profile cyberattack.

Zero trust security is an antidote for outdated security strategies because it demands that organizations never trust and always verify. Every business must recognize that attackers exist inside and outside the network — and that perimeter-based security no longer provides protection against identity-based and credential-based intrusion, which are today’s leading attack vectors. The solution now is to remove trust entirely from the equation by granting just enough privilege at just the right time.

However, several misconceptions are impeding zero trust adoption. Let’s take a look at the top five and set the record straight.

Myth 1: The Path to Zero Trust Security Starts with Data Integrity
Rest assured, encrypting sensitive data and assuring its integrity remains a best practice. No one denies that. But how does that limit attackers from exfiltrating data if they’ve already secured privileged access, including to decryption keys?

Forrester estimates that 80% of data breaches are caused by misuse of privileged credentials. Privileged credentials provide greater scope for stealing data than individual accounts do, so it only takes one compromised credential to impact millions of people and cause a massive amount of damage. It’s not surprising that Gartner recommends putting privileged access management (PAM) at the top of any list of security projects.

Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. Thus, the path to zero trust should always start with identity.

Myth 2: Zero Trust Is Only for Large Organizations
Google was one of the first companies to adopt the zero trust model. As a result, many people still think it is only for the largest organizations. But the reality is, no one is safe from a cyberattack. In fact, 61% of all data breaches affected small businesses, according to the “2018 Verizon Data Breach Investigations Report.”

The good news is that zero trust security won’t break the bank. Your company’s size or budget should not be a deterrent because even the smallest business can get started with zero trust by taking a cost-effective, step-by-step approach. For example, many organizations can significantly harden their security posture with low-hanging fruit like a password vault or multifactor authentication. Spending a couple hundred dollars per system each year could be well worth it to avoid potential millions in fines, penalties, or brand damage.

Myth 3: I Need to Rip and Replace My Entire Network Security Environment
It’s true that when Google first established its zero trust security architecture, it decided to rebuild its entire security network from the ground up. But this is not the case for most organizations.

Zero trust can simply involve an augmentation of security controls that already exist within your environment. For instance, you can start by deploying an “MFA everywhere” solution, which is not overly complex and can deliver tremendous value. This first step can go a long way toward establishing identity assurance and dramatically reducing your attack surface, putting your organization firmly on a path to zero trust.

Myth 4: Zero Trust Is Limited to On-Site Deployment
Many organizations think zero trust can only work on-premises and can’t be applied to the public cloud. This becomes a concern when sensitive data resides outside the traditional network perimeter.

The fact of the matter is, zero trust can easily be extended to cloud environments, and it is increasingly important to do so as organizations across a broad range of industries move to hybrid, multicloud environments. Further, zero trust not only covers infrastructure, databases, and network devices, but it is extended to other attack surfaces that are increasingly becoming strategic requirements of modern organizations, including big data, DevOps, containers and more.

Myth 5: Zero Trust’s Only Benefit Is It Will Minimize My Exposure to Risk
Risk mitigation is clearly a major benefit of zero trust, but it’s definitely not the only one.

Forrester recently concluded that zero trust can reduce an organization’s risk exposure by 37% or more. But it also found that organizations deploying zero trust can reduce security costs by 31% and realize millions of dollars in savings in their overall IT security budgets.

Zero trust can also lead to greater business confidence. The Forrester study found that organizations deploying zero trust are 66% more confident in adopting mobile work models and 44% more confident in securing DevOps environments. As a result, they are able to accelerate new business models and introduce new customer experiences with a greater sense of assurance and success.

The bottom line is that today’s security is not secure. Rather than “trust but verify,” a zero trust model assumes that attackers will inevitably get in — if they aren’t already. With zero trust, you can minimize the attack surface, improve auditing and compliance visibility, and reduce complexity and cost.

Zero trust is truly the definitive approach to security for the modern hybrid enterprise. Remember: Never trust. Always verify. Enforce least privilege.

That’s no myth.


Torsten George is a cybersecurity evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor NopSec. He has more than 20 years of global information security experience and is a frequent speaker on …

Article source: https://www.darkreading.com/cloud/debunking-5-myths-about-zero-trust-security/a/d-id/1334064?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Twitter, Facebook, NSA Discuss Fight Against Misinformation

RSA panelists address the delicate technical challenges of combating information warfare online without causing First Amendment freedoms to take collateral damage.

RSA CONFERENCE 2019 – San Francisco – Information warfare is often waged on social media, where legitimate consumer communication tools are weaponized by bad actors. As Facebook, Twitter, and National Security Agency (NSA) representatives discussed here today, the battleground is civilian territory, and if the defenders aren’t careful, First Amendment freedoms will suffer severe collateral damage.

“So far, America has emerged as one of the clearest losers in this kind of warfare,” said panel moderator Ted Schlein, general partner at Kleiner Perkins Caufield Byers, during the session “The Weaponization of the Internet.”

(In another keynote session Wednesday, General Paul Nakasone, commander of US Cyber Command, told CBS News’ Olivia Gazis that while Americans saw the Internet as a way for democracy to spread throughout the world, adversaries saw that same possibility as a threat.)

Schlein posed the question of why US intelligence agencies hadn’t gotten ahead of threats sooner – threats like disinformation campaigns, voter manipulation, hate speech crimes, and recruitment by terror organizations.

“I think there were efforts, but … we’re trying to shape and react in a place where we’re in the middle of speech,” said panelist Rob Joyce, senior cybersecurity adviser to the NSA. “We’re in a place where, as Americans, we value that First Amendment and the ability to say what I feel, I believe. And getting in the middle and breaking that disruptive speech that can be amplified on these platforms – that’s a hard place for America to go.”

However, panelist P.W. Singer, senior fellow at New America and author of “LikeWar: The Weaponization of Social Media,” suggested that intelligence services, platforms, and politicians were all “looking in the wrong place” for bad actors.

“We were looking, for example, for people hacking Facebook client accounts, not buying ads at scale that over half the American population saw unwittingly,” Singer said. “We were looking in the wrong place. They were looking for attackers who exploited Facebook accounts, not ones who bought Facebook ads.”

Indeed, attackers are building off some techniques first perfected by marketers. As Twitter VP of trust and safety Del Harvey explained, the first type of manipulation that Twitter discovered was a campaign to convince Justin Bieber to do a tour in Brazil; it was the first example of a strategic effort to create and sustain a trending topic. (Bieber did end up touring in Brazil, she noted.)

“ISIS’s top recruiter is mirroring off of [pop star] Taylor Swift and what works for her to win her online battles,” Singer said. “Or, in turn, Russian information operations are using the tools created by [Facebook and Twitter] not to market how they were intended but to misuse them to go after American democracy.”

So can the platforms tackle the malicious use problem by simply scanning tweets for ISIS recruitment videos and Russian propaganda (and ignoring Taylor Swift)? Not necessarily.

“Content is actually one of the weaker signals of a bad actor,” Twitter’s Harvey explained.

Content alone is an unreliable signal for many reasons: terrorist recruitment propaganda might be shared as part of a news report on that terrorist organization, for example. Behavior is a different matter, Harvey said: “There are certain behaviors that you can identify as being attempts at manipulation.”

For example, a user may be part of a network of accounts pushing the same messaging. These accounts are also related by IP address and carrier. They may be targeting certain networks or trying to social engineer their way into a trusted group.

This behavior of a manipulator is actually quite dissimilar to that of the community-native true believer who shares the same content, Harvey said.  

NSA’s Joyce says behavior is connected in some way to three main categories of an account: “The content itself, which we all agree is the most troublesome and the hardest to deal with. And then there’s an identity; it may be real, it may be assumed. And then there’s amplification.”

Panelist Nathaniel Gleicher, Facebook’s head of cybersecurity policy, added that whenever there is a public discussion up for debate, bad actors will target that debate. The challenge is stopping the bad actors without stopping the debate.

“The way you make progress in the security world is you identify ways to impose more friction on the bad actors and the behaviors that they’re using, without simultaneously imposing friction on a meaningful public discussion,” he said. “That’s an incredibly hard balance.” 

Facebook approaches this challenge, Gleicher said, with a combination of automated tools and human investigators, who look for the most sophisticated bad actors, identify their core behaviors, and develop ways to automatically make those behaviors more difficult to commit at scale.

Because regulating content is problematic, they may tackle the issues of identity and amplification instead – such as changing the way ads are purchased on Facebook and making it more difficult to create fake accounts or bots.

“None of this means that we shouldn’t be taking action on content that clearly violates our policies,” Gleicher noted. “The challenge is, the majority of the content we see in information operations doesn’t violate our policies. It’s not clearly hate speech, and it’s potentially framed to not fit into that bucket. And it’s not provably false. There’s a lot that fits into that gray space.”

Twitter’s Harvey noted that the conversation of “bots” has become so pervasive that it has begun to have a cultural impact on regular human discourse.  

“It is amazing the number of times you will see two people who get in an argument and one of them decides to end it by just saying, ‘Well, you’re just a bot,’ [when] it is demonstrably not a bot,” she said.

Pasting the label of “bot” on anyone with a differing opinion is being used as “an exit path from conflict, from disagreement,” Harvey added. “In fact, you’re a Russian bot. And you are here to try to sway my mind on the topic of local football teams.”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/twitter-facebook-nsa-discuss-fight-against-misinformation/d/d-id/1334107?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple