STE WILLIAMS

Accused hacker Lauri Love to sue National Crime Agency to retrieve confiscated computing kit

Lauri Love, the Brit who beat US attempts to extradite him over accusations of hacking, is suing the National Crime Agency (NCA) to get back computing gear seized in 2013 as part of the case against him.

More than five years ago, Love was indicted across the pond over allegations he hacked thousands of PCs in America and other countries, inserting backdoors into networks with the aim of circling back at a later date to pilfer confidential data.

It was alleged Love had breached the security of NASA, the US military, and other government agencies. The following year, 2014, Uncle Sam added the Federal Reserve to that list.


Love, who has dual British and Finnish nationality, was arrested in late 2013 following a joint probe by the FBI and the NCA. He won a preliminary hearing in 2016 in which the NCA was ruled to have attempted to sidestep protections for encrypted data under the Investigatory Powers Act 2000 when it tried to force him – via a RIPA notice – to disclose encryption keys and passwords for kit it seized from him in 2014.

Love was bailed in June 2016.

The case was then put on ice as Love battled extradition: efforts to haul him to court stateside ultimately failed in 2018, though a High Court beak urged British authorities to “bend their efforts” to pursue a UK prosecution.

Love and his legal team have since heard nothing in the intervening year, and now he is requesting the NCA return two PCs and several storage devices that allegedly contained encrypted data, using Police Property Act of 1897 legislation.

“As the NCA has not elected to pursue charges and has seemingly not put any effort into this end either before the commencement or since the conclusion of extradition proceedings, it has become unfortunately necessary to use the instruments handed down by Parliament for redress of arbitrary dispossession of individuals by executive bodies through the Police Property Act,” said Love.

He said the “responsibility” lies with the legal process to “fathom the issues, not least of which is whether it is acceptable that claims made about encrypted contents can overturn the default presumption that individuals, groups and entities can own property, and on whom rests the burden of proof regarding such claims.”

Love is representing himself in the civil action.

The NCA told us at the time of publication that it is drafting a statement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/06/accused_hacker_laurie_love_to_sue_national_crime_agency_to_retrieve_confiscated_computing_kit/

7 Tips For Communicating With the Board

The key? Rather than getting bogged down in the technical details, focus on how a security program is addressing business risk.


CISOs and other security leaders are under growing pressure to improve how they communicate with boards of directors.

Cybersecurity has become a board-level issue in many organizations amid growing concerns over the regulatory, financial, and reputational implications of data breaches and security failures. In fact, Gartner expects that by 2020, 100% of large organizations will be asked to report to their boards at least once annually on cybersecurity risk — up from the 40% that are required to do so currently.

That means security leaders will need to overcome their traditional communication challenges and find new and better ways to convey technology risk.

Ensuring board awareness about key metrics of cybersecurity programs has become critically important, says Greg Reber, partner at Moss Adams, a Seattle-based accounting, consulting, and wealth management firm. Board members need to be able to track not just cybersecurity events and actions, but also new and emerging threats. They also require a continuous assessment of how a program is doing, along with a road map of cybersecurity-related projects and their goals, Reber says.

“Cybersecurity is a relatively new risk but aligns very directly within traditional BoD oversight duties,” he notes.

Here are the key steps for effectively communicating with the board.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/7-tips-for-communicating-with-the-board/d/d-id/1333795?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Serverless Computing: ‘Function’ vs. ‘Infrastructure’ as-a-Service

How much do companies really gain from offloading security duties to the cloud? Let’s do the math.

Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customers’ operational burden, as cloud providers operate, manage, and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on infrastructure-as-a-service (IaaS) platforms, the customer assumed responsibility for and management of the guest operating system, including updates and security patches, associated application software, and configuration of the network firewalls in the cloud. With virtual instances, customers need to carefully consider the services they choose, as their responsibilities depend on the services used, the integration of those services into the IT environment, and applicable laws and regulations.

With the introduction of serverless computing (also known as FaaS, or function-as-a-service), security shifted even more towards cloud providers by allowing organizations to offload many more tasks in order to concentrate on their core business. But just how much do companies really gain by offloading security duties to the cloud? Let’s do the math.

Core Requirements: Physical to Application Security 
The items below are listed bottom-up, starting with physical security, all the way up to the application layer.

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

IaaS: Provider vs. Customer

 

When developing applications on IaaS, the security responsibilities are roughly divided as follows:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems

Customer Responsibility

  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection

Serverless (FaaS): Provider vs. Customer

How responsibilities are divided when developing applications on serverless architectures:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection

Customer Responsibility

  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

FaaS vs. SaaS?
Not all tasks and requirements are created equal — and some of those I’ve included are obviously more resource and budget intensive than others. If you disagree with my methodology or conclusions, please share your thoughts in the comments.


Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was senior director of threat …

Article source: https://www.darkreading.com/vulnerabilities---threats/serverless-computing-function-vs-infrastructure-as-a-service/a/d-id/1333765?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

I won’t bother hunting and reporting more Sony zero-days, because all I’d get is a lousy t-shirt

Analysis Hunting for exploitable security bugs in software is not an easy way to make a living, and vulnerability researchers say vendors who don’t pay out for reports are making life even harder while putting their own products at risk.

Such was the case with João Figueiredo, a researcher in Brazil who tracked down and reported remote code execution vulnerabilities in two websites run by Sony and Sony Pictures. Those flaws were rated as a critical risk, and earned Figueiredo recognition on the hacktivity page of HackerOne, hired by Sony to handle its bug bounties.

It could, however, have been an even bigger disclosure, with potentially more security holes in the entertainment giant’s systems reported, had Sony offered Figueiredo better incentives. With just a t-shirt up for grabs, though, he decided to leave it at two.

“In addition to the two cases I reported to them, there are still other potential critical vulnerabilities,” Figueiredo told The Register. “However, Sony rewards the efforts of researchers with just a simple shirt. So I decided not to spend more time analyzing Sony systems.”

Figueiredo says it is not a matter of greed – he has given the US Department of Defense multiple reports free of charge – but rather having to make ends meet. Finding security vulnerabilities takes a long time, and Figueiredo explained that other companies, such as PayPal, get more attention and auditing because they offer cash rewards.

“Big corporations often say they care about security, but the practical reality is different,” Figueiredo said. “Many of the companies that claim to be concerned about the safety of their consumers are, in fact, not.”

Swag doesn’t pay for groceries

Figueiredo is not alone in that sentiment, either. BugCrowd founder and CTO Casey Ellis told El Reg that while each hacker has their own reasons and motivations for the work they do, at the end of the day, bills have to be paid.

“Swag is cool, and almost all hackers I’ve worked with love it – but it doesn’t work in Walgreens,” Ellis said. “It’s important for companies not to confuse swag or reputation with cash.”

In many cases, cash is also at a premium for bug-hunters. While we may talk of six-figure payouts and accolades for researchers who find high-profile flaws, the reality is that rooting out and then developing proof-of-concept exploit scripts for lower-profile systems can be a tedious, time-consuming task that more often than not brings little financial reward.

“It’s quite uncommon to make a significant amount of money doing bug bounties,” Katie Moussouris, the former Microsoft security strategist who launched Redmond’s bug bounty program and now runs her own biz Luta Security, told us. “There’s a lot of burnout and frustration.”

With few people getting mega-rich, it’s easy to see how bounty payouts would make certain companies more attractive to researchers.

So, no cash = no bug reports? Not so fast

Given these circumstances, it would be easy to conclude that organizations that offer cash care more about their security, and those who won’t pay up couldn’t care less about locking down their products.


But the reality isn’t that simple.

Moussouris cautions against condemning corporations that only give out swag, noting that while money can be a factor, it does not by itself determine the quality of a company’s security program nor its ability to work well with bug-hunters. For some businesses and teams, swag and kudos may be their first steps toward offering larger rewards. We’d also argue that companies may have hired professional security auditing teams, with bug bounties set up to top up that effort, or at least to use it to attract people within the infosec community.

“The fact that some offer thanks only, and some offer cash, is not a factor in judging them ‘good at security’ or not,” Moussouris told El Reg. “Google only started offering cash in 2010. It was $1,337.”

This, the researchers seem to agree, is the real crux of the issue. Bug-hunters want to feel respected and appreciated for what they do. While paying out money and giving vulnerability researchers a living wage is one, and arguably the best, way to do that, it is not the only way.

“The bounties, when done right, are for targeting eyes to where you’re most interested in hearing about bugs,” Moussouris said.

“It’s fine if researchers don’t want to do it for free – there are plenty of bug bounty programs to try if that’s the case. But it’s also fine for organizations and governments not to pay bug bounties, especially if they haven’t put a bunch of thought into structuring the incentives.”

Spokespeople for Sony declined to comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/05/sony_tshirt_bounty/

Shellbot Crimeware Re-Emerges in Monero Mining Campaign

New attack uses a repurposed version of the Trojan that spreads using Internet Relay Chat.

Shellbot crimeware has been spotted in the wild as part of a growing campaign that appears to target infrastructure resources for cryptomining.

Tactics, techniques, and procedures observed in this campaign are similar to TTPs seen previously with the Outlaw Group, a hacking organization whose operations were previously uncovered by Trend Micro. In Nov. 2018, researchers discussed a host portion of the botnet run by Outlaw, which they found using a tool called “haiduc” and a miner to obtain Monero cryptocurrency.

This latest campaign, detected by the JASK Special Ops team (SpecOps) in late Nov. 2018, has these same qualities and was likely the work of the same group. Analysts identified an SSH brute-force campaign against Internet-facing Linux devices within the DMZ infrastructure of an education organization.

In the last weeks of November, firewall alerts notified the victim organization of SSH user authentication brute-force attempts, a sign of increased scanning against the target environment. After its machines were breached, network traffic showed payloads being installed and operated from infected devices, researchers explain in a report on the findings.
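The alerting described above is what a defender wants from their own logs before a miner ever lands. The following is an added example, not JASK’s or the victim organization’s tooling: a small detector run over constructed sshd log lines (the hostnames, PIDs and documentation-range IP addresses are all made up) that flags a source address once it crosses a failure threshold inside a sliding window, and raises a second, higher-priority alert if that same address then authenticates successfully, which is the moment the brute force turned into a breach.

```python
"""SSH brute-force detector over sshd log lines (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Typical OpenSSH auth.log format; the year is absent, so it is supplied by the caller.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one address hammers the host, then gets in; the others are benign.
SAMPLE_AUTH_LOG = """\
Nov 28 02:14:01 dmz-web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 28 02:14:03 dmz-web1 sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Nov 28 02:14:05 dmz-web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51251 ssh2
Nov 28 02:14:08 dmz-web1 sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51262 ssh2
Nov 28 02:14:10 dmz-web1 sshd[2240]: Failed password for ubuntu from 203.0.113.7 port 51270 ssh2
Nov 28 02:14:12 dmz-web1 sshd[2244]: Failed password for ubuntu from 203.0.113.7 port 51281 ssh2
Nov 28 02:14:15 dmz-web1 sshd[2250]: Accepted password for ubuntu from 203.0.113.7 port 51290 ssh2
Nov 28 02:20:40 dmz-web1 sshd[2310]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Nov 28 02:20:55 dmz-web1 sshd[2312]: Accepted password for alice from 198.51.100.9 port 40030 ssh2
Nov 28 02:21:00 dmz-web1 sshd[2320]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2: RSA SHA256:placeholder
"""


def parse_sshd_line(line, year=2018):
    """Return (timestamp, event, user, ip) for auth events, or None for other lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Nov  5"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60, year=2018):
    """Sliding-window detector: emits one brute-force alert per source address
    and a success-after-brute-force alert if that address later authenticates."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_sshd_line(line, year)
        if parsed is None:
            continue
        ts, event, user, ip = parsed
        if event == "Failed":
            window = failures[ip]
            window.append(ts)
            # Drop failures that have aged out of the window.
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "ssh_bruteforce", "src_ip": ip,
                               "failures": len(window), "at": ts.isoformat()})
        elif event == "Accepted" and ip in flagged:
            # The signal that matters most: a flagged source got a valid login.
            alerts.append({"type": "success_after_bruteforce", "src_ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Against the constructed sample this yields two alerts for 203.0.113.7 and none for the other addresses. The thresholds are deliberately low so the sample trips them; tune `threshold` and `window_seconds` to the baseline failure rate of the host in question, and treat `success_after_bruteforce` as an incident, not a notification.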

Payloads delivered to the target organization included Internet Relay Chat (IRC) C2 botware, cryptomining malware, and an SSH scan, brute force, and network propagation toolkit. SpecOps says host machines were hit with an opportunistic attack, likely sponsored by Outlaw, which has been responsible for Shellbot, cryptomining, and SSH brute-force campaigns.

Shellbot is a Trojan that creates a pathway between the attacker’s command-and-control infrastructure and a victim’s device.

The toolkit observed in use in this latest attack contains three primary components: the IRC botware for command-and-control, a revenue stream via Monero mining, and haiduc, the popular scan and brute-force tool that helped researchers link this activity to Outlaw, says Rod Soto, JASK director of security research. The Perl-based IRC bot was identified as a new, lightly obfuscated version of Shellbot. Once executed, it creates a connection to a specific IRC channel.

In a tactic increasingly common with financially motivated cyberattacks, researchers note, the attackers created an easily liquidated revenue stream using a configurable Monero miner.

Game Server Hosting Connection

Based on the payloads, SpecOps uncovered a mining pool configuration related to the campaign, which points to a VPS provider in the Netherlands. Analysis showed the pool address is down, and passive DNS data for the VPS shows it hosts several domains that seem to be gaming servers – the host is a game server hoster. Experts say attackers may have built their own mining pool infrastructure on this provider instead of using publicly available ones.

“That’s sort of bold,” Soto points out. Typically, he says, groups would want to hide their activity in public pools. It’s not the only sign this group is advanced: researchers noticed multiple languages in the code; specifically, Portuguese or Romanian. “It made me wonder if it’s part of a multinational group, or if the person speaks multiple languages,” Soto noted. Multi-stage payloads suggest reuse and repurpose of Shellbot code in different regions of the world.

SpecOps analysts believe the attackers behind this campaign, likely the Outlaw group, are motivated to target exposed Linux servers for broad propagation and abuse infrastructure for illegal cryptomining.

“I think the lesson from Outlaw and Shellbot is, you can do a lot with legacy tools and tradecraft,” says Kevin Stear, lead threat analyst at JASK. IRC has been around for a while now, he says. Its use with Shellbot in this attack is a sign that attackers are changing strategies. Shellbot is good at hiding in the noise of legitimate traffic, he points out.

“Crimeware is more and more operating as a business model,” Stear explains. “Outlaw and Shellbot are just a great example of how sophisticated crimeware actors are going.”

Typically, he says, SpecOps sees the infection surface tied to opportunistic bots, spamming vulnerable targets and converting them into revenue. “These are not unguarded infrastructure,” he adds, and there is evidence of weaponized capabilities in intrusions.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/shellbot-crimeware-re-emerges-in-monero-mining-campaign/d/d-id/1333801?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ep. 018 – Home invasions, snoopy apps and Android versus iOS [PODCAST]

In this episode, we look at who was at fault in a network home invasion, investigate how both Google and Facebook fell foul of Apple’s developer rules, and answer the vital question, “Which is better, Android or iPhone?”

With Anna Brading, Paul Ducklin and Matthew Boddy.

This week’s stories:

If you enjoy the podcast, please share it with other people interested in cybersecurity, and give us a vote on iTunes and other podcasting directories.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/edQHRH754Dg/

RIP, RDP… nearly: Security house Check Point punches holes in remote desktop tools

Security biz Check Point has found some 25 security vulnerabilities in three of the most popular remote desktop protocol (RDP) tools for Windows and Linux.

The infosec outfit tasked its bug-hunters with a manual code audit on Microsoft mstsc as well as the FreeRDP and rdesktop remote desktop utilities, and what they turned up was a glut of potentially serious flaws and security weaknesses.

Of the 25 CVE-listed vulnerabilities included in Check Point’s report on its findings, 15 could be potentially exploited to achieve remote code execution. For what it’s worth, Check Point focused its effort on attacks that flowed from the server to the client.

The idea of the study, Check Point said, was to look at the ways someone trying to connect to a machine, such as an admin or tech support staff, could actually be compromised by the box they wanted to remotely access.

“In a normal scenario, you use an RDP client, and connect to a remote RDP server that is installed on the remote computer. After a successful connection, you now have access to and control of the remote computer, according to the permissions of your user,” Check Point’s Eyal Itkin said.

“But if the scenario could be put in reverse? We wanted to investigate if the RDP server can attack and gain control over the computer of the connected RDP client.”

Trigger

As it turns out, there are more than a few ways the RDP server could be used to attack the remote user. The researchers found that many of the channels used to exchange data between the two points do not properly check for the length of packets being sent, potentially allowing the server to throw malformed packets at the client to trigger out-of-bounds read errors and integer overflows that would potentially set up remote code execution attacks.

Another particularly vulnerable point of attack was the way both the client and server shared data through a common clipboard. Because, again, the data traffic over this channel is not properly sanitized, the shared clipboard would allow for data path traversal attacks or information disclosure caused by the server peeking into the activity of the client’s local clipboard.

A malicious RDP server can modify any clipboard content used by the client, worryingly, even if the client does not issue a “copy” operation inside the RDP window. “If you click ‘paste’ when an RDP connection is open, you are vulnerable to this kind of attack,” noted Check Point’s Itkin.

“For example, if you copy a file on your computer, the server can modify your (executable?) file / piggyback your copy to add additional files / path-traversal files using the previously shown PoC,” it added.
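Both findings come down to a client trusting what the server tells it: a declared packet length that is never compared against the bytes actually received, and a clipboard file name that is used as a local path without being checked. The following is an added example, not Check Point’s, rdesktop’s or FreeRDP’s code, written in Python as a model of the two checks rather than as RDP protocol code. The record framing (a little-endian 32-bit length followed by the payload) and the drop directory are constructed stand-ins; the point is that the declared length is validated before use and that a server-supplied name can never resolve outside the directory the client chose.

```python
"""Two client-side checks for server-supplied data (added example, constructed framing)."""
import os
import struct


class MalformedPdu(ValueError):
    """Raised instead of reading past the end of what was actually received."""


def parse_channel_records(buf):
    """Split a virtual-channel buffer into [u32 LE length][payload] records.
    Every declared length is checked against the bytes remaining before it is
    used as an offset; a lying length is an error, not an out-of-bounds read."""
    records = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise MalformedPdu(f"truncated length header at offset {off}")
        (declared,) = struct.unpack_from("<I", buf, off)
        off += 4
        if declared > len(buf) - off:
            raise MalformedPdu(
                f"declared length {declared} exceeds {len(buf) - off} remaining bytes")
        records.append(bytes(buf[off:off + declared]))
        off += declared
    return records


def is_malformed(buf):
    """True if the buffer is rejected by parse_channel_records."""
    try:
        parse_channel_records(buf)
    except MalformedPdu:
        return True
    return False


def safe_clipboard_target(drop_dir, remote_name):
    """Return the local path a server-supplied clipboard file name may be
    written to, or None if the name could escape drop_dir.  Only plain relative
    POSIX names are accepted (assumption for this example): drive letters,
    backslashes, absolute paths and '..' components are refused, not normalised."""
    if not remote_name or "\x00" in remote_name:
        return None
    if "\\" in remote_name or ":" in remote_name or remote_name.startswith("/"):
        return None
    if any(part in ("", ".", "..") for part in remote_name.split("/")):
        return None
    base = os.path.realpath(drop_dir)
    candidate = os.path.realpath(os.path.join(base, remote_name))
    # Belt and braces: after the syntactic checks, the resolved path must still
    # sit inside the drop directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    print(parse_channel_records(b"\x03\x00\x00\x00abc\x01\x00\x00\x00z"))
    print(is_malformed(b"\x10\x00\x00\x00abc"))            # length claims 16, only 3 present
    print(safe_clipboard_target("rdp_drop", "../../etc/passwd"))
    print(safe_clipboard_target("rdp_drop", "reports/q4.pdf"))
```

The traversal check rejects on syntax first and only then resolves the path, so a name that is merely odd (empty component, `.`) is refused along with an obviously hostile one; a client that instead tried to “clean up” names would be one encoding trick away from the same bug.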

In total, the manual source code review led to the assignment of 19 CVE-listed vulnerabilities in rdesktop, and six in FreeRDP. To secure yourself against exploitation: rdesktop is, we’re told, fixed as of version 1.8.4, and FreeRDP as of version 2.0.0-rc4, so make sure you’re running those builds or later.

Foggy Windows

The findings for Microsoft’s closed-source RDP client were a bit more murky. Though Check Point found Windows RDP to be vulnerable to the above-mentioned clipboard issues, the security house said Redmond did not see it as serious enough to merit a CVE or security patch assignment.


Regardless, what Check Point ultimately concluded was that there is nonetheless real potential for RDP to be abused by an attacker posing as a remote user or employee who might then compromise an admin simply by requesting an RDP service. It also mused that it could be used by criminals to fight back against malware researchers who use RDP to connect to virtual machines for analysis.

On a lighter note, Check Point also suggested that the bugs could allow for a bit of mischief between security teams.

“As rdesktop is the built-in client in Kali Linux, a Linux distro used by red teams for penetration testing, we thought of a 3rd (though probably not practical) attack scenario,” Itkin’s report stated. “Blue teams can install organizational honeypots and attack red teams that try to connect to them through the RDP protocol.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/05/rdp_check_point_vulnerabilities/

Webcast: Arm yourself before you go threat hunting in 2019

Promo As cyber attackers evolve their techniques, businesses are exposed to a relentless stream of worrying data security breaches. The latest big one hit hotel group Marriott International in November 2018, and may have led to the personal information of up to 500 million guests being compromised.

Marriott revealed that an unauthorised party had first gained access to the reservation database of its Starwood subsidiary in 2014, demonstrating yet again how attackers will get into an enterprise and remain undetected for some time. The Marriott hotel chain acquired Starwood in 2016.

New 2019 global independent research from Carbon Black shows that a staggering number of companies have been breached in the past year, with a large proportion reporting that they have fallen victim to multiple breaches.

Cyberattacks are becoming more frequent and more sophisticated, as nation state actors and crime syndicates continue to leverage fileless attacks, lateral movement, island hopping and counter-incident response in an effort to remain undetected.

This issue is compounded by a lack of resources and budget. Not only is there a major talent deficit in cybersecurity, there is also a major spending delta.

It’s estimated that the underground cybercrime community spends upward of $1 trillion annually on developing attacks. By comparison, worldwide businesses are spending about $96bn to protect themselves. Defenders are being outspent by a ratio of 10:1. But according to Carbon Black’s research, globally, businesses are largely unaware of the scale, scope, and sophistication of modern attacks.

So what can businesses do? And how can security teams quickly react to these evolving threats? We will explore these questions in more detail as we unveil findings from Carbon Black’s new threat report, the first in 2019.

Streaming from a London studio, Rick McElroy, head of security strategy at Carbon Black; Bob Tarzey, independent security analyst; a Carbon Black end user CISO; and author and British radio and television presenter Ian Collins will debate the research, revealing ways that organisations can keep attackers at bay in 2019.

  • Rick is a regular on the speaker circuit, with 15 years of information security experience educating and advising organisations on reducing their risk posture and tackling tough security challenges.
  • Bob writes regular analytical columns for key technical and national media.
  • Ian recently hosted the late-night shows on LBC, one of the most listened-to topical affairs and debate programmes.
  • The Carbon Black CISO comes from a major blue chip retail organisation where he has been implementing a number of new security initiatives.
  • Together they will look at how threats are changing, what island hopping means for CISOs, and tactics for reducing the amount of time that an adversary hunts in your network. They’ll compare and contrast the situation in countries across EMEA, Asia Pacific and Canada. They will also discuss how organisations can adapt their behaviours to match the behaviours of their adversaries.

Join Rick, Bob, Ian and our CISO in Carbon Black’s Broadcast to hear how you can more effectively tackle escalating attacks.



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/05/live_broadcast_carbon_black/

Google: All your leaked passwords are belong to us – here’s a Chrome extension to find them

During its incessant web crawling, Google’s search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords.

Armed with this info, the Chocolate Factory directed its software engineers, in conjunction with crypto boffins from Stanford University, to create a Chrome browser extension called Password Checkup that allows Chrome users to check to see whether their passwords can be found online.

The hope is that users thus warned will get the hint and change the compromised secret.

Mozilla’s rival browser Firefox implemented a similar service last year called Firefox Monitor that checks a third-party database of exposed credentials called HaveIBeenPwned.com. Users of password management app 1Password also have access to an extension that checks stored credentials against exposed ones using the same service.

Google’s Password Checkup extension takes a similar approach with its internal dataset of 4bn identifiers.

Your password is safe – trust us

Members of Google’s security and anti-abuse research team – Jennifer Pullman, Kurt Thomas, and Elie Bursztein – claim that “Google never learns your username or password” even though it collects the data.

“At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried,” the trio explain in a blog post today. “At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option.”

The company’s supposed ignorance of these secrets arises from repeated hashing and privacy techniques like single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer.


Google hashes found usernames and passwords with the Argon2 hash, storing the first two bytes of the hash as an index for lookups, and then encoding the hash with elliptic curve encryption.

Password Checkup can thus subject user credentials to the same encoding process and then query Google’s database of unsafe passwords for match candidates using the two-byte index. Google returns the set of encrypted hashes that share that anonymous prefix to be compared on the user’s local machine to the encrypted hash of the user’s current username and password. A match means it’s time to come up with a new password.
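To make the flow in the two paragraphs above concrete, here is an added example with both sides of the exchange, not Google’s or Stanford’s code. It keeps the structure described (hash the credential, bucket by a two-byte prefix, blind the hash so the server never sees it, compare on the client) but swaps in stand-ins that run from the standard library: SHA-256 in place of Argon2, and exponentiation modulo the Mersenne prime 2^127 − 1 in place of elliptic-curve blinding. The commutative property that makes the protocol work is the same either way: raising to the client’s key and then the server’s key gives the same value as the reverse order. The leaked credential list is constructed.

```python
"""Toy Password Checkup exchange: prefix bucket + commutative blinding (added example)."""
import hashlib
import math
import secrets
from collections import defaultdict

P = (1 << 127) - 1   # Mersenne prime: the multiplicative group mod P hosts the blinding
ORDER = P - 1        # blinding exponents must be coprime to this to be invertible

# Constructed breach corpus; real deployments hold billions of these, never in clear.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "Password1"),
    ("carol@example.com", "letmein"),
]


def credential_hash(username, password):
    """Stand-in for Argon2 (assumption: SHA-256 so the example runs offline)."""
    return hashlib.sha256(f"{username}:{password}".encode()).digest()


def to_group_element(digest):
    """Map a digest into [2, P-2] so exponentiation is a bijection on it."""
    return 2 + int.from_bytes(digest, "big") % (P - 3)


def random_blinding_key():
    """Exponent coprime to P-1: blinding then commutes and can be undone."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k


class BreachServer:
    """Stores leaked credentials only as server-blinded elements, bucketed by hash prefix."""

    def __init__(self, leaked_credentials):
        self.b = random_blinding_key()
        self.buckets = defaultdict(list)
        for user, pw in leaked_credentials:
            digest = credential_hash(user, pw)
            element = to_group_element(digest)
            self.buckets[digest[:2]].append(pow(element, self.b, P))

    def query(self, prefix, client_blinded):
        """The server sees only a 2-byte prefix and a blinded value; it raises the
        value by its own key and returns the whole bucket for that prefix."""
        return pow(client_blinded, self.b, P), list(self.buckets.get(prefix, []))


def check_credential(server, username, password):
    """Client side: True if (username, password) is in the breach set.
    The raw hash never leaves the client; only its prefix and h^a do."""
    digest = credential_hash(username, password)
    h = to_group_element(digest)
    a = random_blinding_key()
    mine_double_blinded, bucket = server.query(digest[:2], pow(h, a, P))
    # h^(a*b) from the server equals h_i^(b*a) computed here exactly when h == h_i.
    candidates = {pow(entry, a, P) for entry in bucket}
    return mine_double_blinded in candidates


if __name__ == "__main__":
    srv = BreachServer(LEAKED_CREDENTIALS)
    print(check_credential(srv, "alice@example.com", "hunter2"))         # True: leaked
    print(check_credential(srv, "alice@example.com", "correct horse"))   # False: not leaked
```

The privacy trade-off is visible in `query`: the server learns 16 bits of the credential hash (which bucket was asked for) and nothing more, and the client learns the blinded contents of one bucket, which it cannot unblind without the server’s key. Reducing the prefix length shrinks what the server learns but grows the bucket the client must download.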

Pullman, Thomas and Bursztein say that this is the first version of Password Checkup and that they expect to refine it over time. They may have to if the Chromium team’s proposed Manifest v3 changes to the Chrome Extensions platform go ahead: the extension relies on the webRequest API that is slated for future renovation.

In terms of privacy permissions, the extension can read and change site data on all websites. If that’s a concern, consider DuckDuckGo and the Tor Browser.

In a Twitter chat with The Register, Troy Hunt, the security researcher who created HaveIBeenPwned (HIBP), expressed support for Google’s similar service.

“I think anything that drives people away from the behavior that is password reuse is a very positive thing and on that front, I’m glad they’ve done it,” he said.

“It certainly doesn’t bother me that they’re doing a similar thing to HIBP’s Pwned Passwords, it’s a completely free service with the same objectives they have anyway.”

He said he wasn’t familiar enough with the workings of Google’s system to evaluate its privacy implications. “I believe it’s similar to the model Cloudflare came up with for HIBP which is really solid privacy wise,” he said.

“Of course, being Google people will always assume they’re trying to siphon up all the data, hopefully that’s not something that’s actually happening in any fashion that would impact privacy.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/02/05/google_leaked_passwords_chrome_extension/

No Sign of ‘Material’ Nation-State Actor Impact on 2018 US Midterms

That’s the conclusion of a classified postmortem report sent to the White House yesterday by the Acting Attorney General and the DHS Secretary.

A classified report submitted to the White House on Monday concludes that there was no evidence of “material impact” of any foreign entities on the integrity and security of the US 2018 midterm campaign and election infrastructures.

The joint classified report, signed off by Acting Attorney General Matthew Whitaker and Secretary of Homeland Security Kirstjen Nielsen, was based on findings prepared by the Office of the Director of National Intelligence (ODNI). The Department of Justice and DHS said work is now underway to secure the 2020 US elections from nation-state meddling and hacking.

“While the report remains classified, its findings will help drive future efforts to protect election and political/campaign infrastructure from foreign interference,” the DoJ said in a press release.

Read more here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/no-sign-of-material-nation-state-actor-impact-on-2018-us-midterms/d/d-id/1333797?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple