STE WILLIAMS

Nagging text messages can help you to quit smoking

Nagging text messages help smokers to quit, Chinese researchers have found.

In a clinical trial carried out across various cities and provinces in China, they pulled in 1,369 people (mostly men) who agreed to join a smoking-cessation program. Then, they divided them into three groups: subjects who received five text messages/day, those who only received one to three texts a week, and a control group who didn’t receive any texts at all.

The study lasted 12 weeks, plus 12 weeks of follow-up. Very few smokers managed to quit, but the groups who got the texts did much better, regardless of how frequently they got messaged.

The results: biochemically verified continuous smoking abstinence after 24 weeks was 6.5% for those who were frequently messaged, 6.0% for those who got less frequent messages, and 1.9% for the control group that didn’t get messaged.

In an article published in the medical journal PLOS on Tuesday, the researchers said that the results demonstrate that text intervention – the program was called “Happy Quit” – can work, albeit in a low proportion of smokers, and should be used in China’s large-scale intervention efforts.

The Chinese most certainly need it: the researchers note that the country’s population has the highest rate of cigarette smokers in the world. China’s smokers light up 40% of the world’s total number of consumed cigarettes.

The researchers say that text-based smoking cessation programs have proved cost-effective in other parts of the world. That’s good for China, the researchers say, given that the availability of smoking-cessation services is “extremely limited.”

If China’s situation is anything like that in the US, services and products such as nicotine gum or patches are also very expensive.

The researchers didn’t specify just what, exactly, their text messages said, but they did say that the Happy Quit messages were based on the principles of cognitive behavioral therapy (CBT) and were “aimed at improving self-efficacy and behavioral capability for quitting.”

There are pros and cons of CBT, a major one being cost. It takes a trained CBT therapist to lead smokers through unlearning old habits and learning new coping mechanisms, and that ain’t cheap.

A 6.0% to 6.5% success rate may seem very slight indeed, but when you’re talking about lung cancer and a crippling addiction, anything that makes a difference – and does so in an economical, easy-to-access way – is of utmost value.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2ybQxwDtbUs/

Fortnite hackers making a fortune from reselling stolen accounts

Teenage hackers have been making a fortune from selling stolen accounts for the popular online game Fortnite, it emerged this week.

Players have been reporting stolen accounts for a while, but this week the extent of the “Fortnite cracking” problem was revealed. The BBC interviewed one Slovenian teenager who said he had made £16,000 (around $20,000) in the last seven months.

The attackers access the accounts using a technique called credential stuffing. They take lists of usernames/email addresses and passwords exposed in breaches of other online services and posted online, then try those credentials against Fortnite’s login page. When one of these credentials works, it’s because the legitimate Fortnite gamer reused their password from another service.
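Credential stuffing has a recognisable shape in authentication logs: one source address trying many different usernames, mostly failing, inside a short window, which looks nothing like a single user mistyping one password. The following detector is an added example, not code from the article or from Epic Games; the log layout, the field names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing detector over a constructed authentication log.

Added example (not from the article or from Epic Games). The log format
"<iso timestamp> <src_ip> <username> OK|FAIL", the 5-minute window and the
thresholds are assumptions; adapt them to your own login logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays six accounts in a few seconds,
# gets one hit (a reused password), while another user simply mistypes twice.
SAMPLE_LOG = """\
2018-12-20T10:00:01 203.0.113.7 alice FAIL
2018-12-20T10:00:02 203.0.113.7 bob FAIL
2018-12-20T10:00:02 203.0.113.7 carol FAIL
2018-12-20T10:00:03 203.0.113.7 dave OK
2018-12-20T10:00:04 203.0.113.7 erin FAIL
2018-12-20T10:00:05 203.0.113.7 frank FAIL
2018-12-20T10:00:09 198.51.100.9 gina FAIL
2018-12-20T10:00:15 198.51.100.9 gina FAIL
2018-12-20T10:00:21 198.51.100.9 gina OK
2018-12-20T11:30:00 203.0.113.7 heidi FAIL
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.5):
    """Return {src_ip: sorted usernames} for sources that tried at least
    `min_users` distinct accounts inside any `window`, with mostly failures.
    Uses a sliding window per source so a slow, spread-out spray is still seen."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        hits = set()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                hits |= users
        if hits:
            flagged[ip] = sorted(hits)
    return flagged


def compromised_accounts(events, flagged):
    """Usernames a flagged source actually logged into: these are the
    reused-password victims whose sessions need revoking, password resetting
    and 2FA enforcing."""
    return sorted({u for _, ip, u, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("stuffing sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

The single successful login from the flagged source is the important output: it is the account whose reused password has just been validated by the attacker, and it needs a reset and a session revocation regardless of whether the owner has noticed anything yet.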

A successful account thief doesn’t know what they’ll get. It could be a valueless newbie’s account or something with more valuable electronic items.

Created by Epic Games, Fortnite is a gaming phenomenon, with earnings estimated in the hundreds of millions of dollars. It comes in various versions but the most popular is Battle Royale, which pits 100 players against each other in a gradually decreasing circle of play. The last player standing wins.

Its users can earn or buy the game’s internal currency, called V-Bucks. They can then use this currency to purchase in-game accessories like character models, skins for their backpacks and weapons, and emotes (such as dances for their characters to perform).

Some of these items are extremely rare and are worth a lot of money in the real world, so intruders that steal an account with valuable items can sell the account on for a big profit, sometimes making hundreds of pounds.

Users can make it far harder for attackers to steal their accounts by turning on two-factor authentication (2FA), which Fortnite supports using either a mobile authenticator app or via email.

Fortnite offers players incentives to turn on 2FA, like backpack slots and a Troll Stash Llama, along with a free emote. Still, many players aren’t taking the hint.

When a hacker steals an account, there may be a window for the victim to reset their password, but the hacker might get there first. If the hacker switches on 2FA, they block the user from accessing their account.

However, even users that do turn on 2FA could still be vulnerable if they use the email-based 2FA option. If they’re reusing the same passwords across their Fortnite and email accounts, then the attackers could steal their email accounts too and intercept any communication from the game’s security system.

This isn’t the first time that gaming accounts have been stolen and traded online. In 2017 Riot Games, which makes League of Legends, went to court to stop someone operating a website that it said traded in stolen accounts. In 2014, the Guardian noted that crooks were also stealing accounts for the online gaming service Steam using botnets and then selling them online.

There have also been several incidents of password thefts from gaming forums, including a forum breach at Epic Games in 2016. Forum account thefts could let players into a gamer’s online game account, if they used the same login credentials, although Epic protected its passwords by salting them with extra data, making them far more difficult to crack.

The takeaway here is that if you haven’t turned on 2FA, you should do so now, not just for Fortnite but for any online service that supports it. Use complex passwords and a password manager, and never reuse your passwords. If you have reused passwords, go and change them now.

30% off Sophos Home Premium

Sophos wants your holiday to be stress free. That means no stolen credentials, ransomware, hacking, spying, or malware. That’s why they’re offering 30% off Sophos Home Premium. With Sophos Home securing up to 10 of your family’s Macs or PCs, you can keep tabs on everyone.

And hopefully you can enjoy that eggnog without dashing off to provide IT support to Grandma who’s had her Fortnite account hacked for the fifth time this month.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7WxssF5SdfQ/

Microsoft gets users test driving Patch Tuesday’s non-security updates

Microsoft will install non-security patches on Windows machines in advance of Patch Tuesday, if users select a new and not particularly descriptive option in Windows Update, it was revealed last week.

The company explained the new ‘Check for Updates’ box in Windows 10 in a recent blog post, but left some concerned that users unfamiliar with what it does might stumble into a stealth beta program.

Not all Microsoft updates are created equal. In fact, the company identifies three kinds in the blog post. The most commonly-known update is the B release, which is the cumulative update that the company ships on the second Tuesday of each month (known as Patch Tuesday). This patch contains both new and existing security fixes, alongside previously-released non-security patches.

There are also another two types of optional update released in the third and fourth weeks of the month, known as C and D releases. “These are validated, production-quality optional releases, primarily for commercial customers and advanced users ‘seeking’ updates,” says Microsoft, adding that it makes them optional to avoid making customers reboot their Windows operating systems more than once a month.

Microsoft puts quotes around the word ‘seeking’ because customers that opt to install these patches early are often called seekers.

The C and D patches are the non-security updates that eventually make their way into the subsequent month’s B release, the company explains, adding:

The intent of these releases is to provide visibility into, and enable testing of, the non-security fixes that will be included in the next Update Tuesday release.

In its post, Microsoft also says that advanced users can access these releases by opening Settings and selecting the Check for Updates option in Windows Update.

This has some in the computing press a little upset because the performance of some Microsoft patches and updates has been less than stellar lately. PC Magazine points out that selecting the Check for Updates option would have downloaded an optional patch released late last month that crashed the Surface Book 2, and which Microsoft later removed.

Some see that as evidence that Microsoft’s new optional releases are a beta program by another name, one that allows Microsoft to try out updates on customers in advance of Patch Tuesday.

Microsoft is keen to stress, however, that the C and D updates are production quality releases that are identical to the non-security updates that will be included in the upcoming Patch Tuesday:

“C” and “D” monthly releases are validated, production-quality optional releases

This new update option exists quite apart from its Pre-release Validation Program, as well as its other software testing efforts, and there’s no reason to assume it’s an attempt to hoodwink customers, or that customers who check the option by accident will suffer unduly.

Making non-security updates available in advance of Patch Tuesday is supposed to give “seekers” confidence that the second Tuesday of each month is going to deliver fewer unpleasant surprises.

The bottom line though, is that for frustrated users it doesn’t matter when the unpleasant surprises come, only that they do.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UpEuSEQYQdg/

London Gatwick Airport reopens but drone chaos perps still not found

London Gatwick Airport has reopened after closing for more than a day due to a seemingly deliberate drone disruption ploy – but police still haven’t caught the perpetrators.

The errant drones, which are of an unknown make and model according to Sussex Police, were being flown near enough to Gatwick’s runway to trigger a full shutdown of the airport.

Gatwick Airport, as seen on Flight Radar 24 and pictured at 1600 GMT


While police eventually did not rule out shooting down the drones, El Reg has a handy guide here to all the immediate answers bubbling up in people’s heads about how to stop the devices. It appears more than one craft was being flown at intervals from different locations, just often enough to keep the airport closed down.

Police reported that they had had 50 sightings of the drones in the last day alone.

Although the airport has been reopened, “mitigations” are now said to be in place in case the errant craft show up again. 120,000 people have had their flights cancelled and the government has reportedly relaxed night-time flight restrictions in other airports, including London Heathrow – the country’s largest – in order to get holidaymakers on their way.

Around 280 police were involved in the search for the culprits. Nobody knows quite why they haven’t been caught yet, though one theory is that they may be environmental rights terrorists. Another possibility is that they could be one or more sacked airport workers with enough inside knowledge to get around planned anti-drone responses.

With new drone laws dragging their way through Parliament for most of this year, we can expect the Drones Bill, and its new restrictions on registration and licensing, to be fast-tracked in January. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/21/gatwick_airport_reopens_drones_closure/

APT10 Indictments Show Shift to MSP Targets

US brings more indictments against a cyber espionage group operating in China, but what will they accomplish?

The US government has indicted two Chinese hackers for their role in a state-sponsored cyber espionage campaign that included attacks on managed service providers (MSPs) and, subsequently, the MSPs’ clients. Security experts wonder, however, what impact the indictments will really make.

In an indictment unsealed in Manhattan federal court, the Justice Department described Zhu Hua and Zhang Shilong as members of APT10, a cyber espionage group working for the Chinese Ministry of State Security’s Tianjin State Security Bureau. 

Security researchers have long identified China as one of the biggest sources of hacking activity targeted against US companies, critical infrastructure and government. APT10 has been previously linked to attacks on construction companies, aerospace firms, telecoms and government organizations for years.

“APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups,” said Ben Read, senior manager of cyber espionage analysis at FireEye, in a statement. “Their move towards compromising managed service providers (MSPs) showcases the danger of supply chain compromises and reflects their continuously evolving tactics.”

Through their involvement with APT10, Zhu and Zhang are alleged to have broken into computers and networks belonging to numerous managed service providers around the world in order to then gain access to systems belonging to the clients of the MSPs. Over the course of the MSP theft campaign, which began in 2014, Zhu and Zhang allegedly gained access to and stole data from computers belonging to organizations in various sectors including banking, finance, manufacturing, consumer electronics, medical equipment, biotech and automotive.

Longstanding Issue

In announcing the charges, U.S. officials accused the Chinese government of actively supporting the hacking activities to further its own long-term economic and security goals.

“It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free,” said Geoffrey Berman, U.S. Attorney for the Southern District of New York. “As a nation, we cannot, and will not, allow such brazen thievery to go unchecked.”

FBI Director Christopher Wray described China’s cyber campaigns and the alleged motives behind them as hurting American businesses, jobs and consumers. “No country should be able to flout the rule of law – so we’re going to keep calling out this behavior for what it is: illegal, unethical, and unfair,” he said.

The allegations are not new but are almost certain to put further pressure on the already strained relationship between the U.S. and China. The Washington Post last week in fact had described the then forthcoming indictments as part of an intensifying US campaign to confront China over the economic espionage activities.

Planned actions include sanctions against individuals responsible for the activities and de-classification of information related to the breaches.

How far such measures will go to deter China remains an open question. Though China famously signed an agreement with the US in 2015 promising not to engage in cyber activities for economic espionage, there’s no evidence that hacking activity out of the country has even abated, far less stopped.

Dave Weinstein, vice president of threat research at Claroty, sees the latest actions as yet another example of the effort law enforcement is putting into investigating and holding accountable those responsible for such attacks. “At the same time, we’ve seen this play out before, dating back to 2014 when several [People’s Liberation Army] officers were indicted on hacking charges,” Weinstein says. “It’s not clear to me that the legal process is the best way of stopping what has been China’s persistent behavior for over a decade.”

Pravin Kothari, CEO of CipherCloud, says indictments like these highlight the challenge the private industry faces in defending against well-funded, state-sponsored actors with little concern about reprisals. “The US government needs to defend our Internet infrastructure to protect commerce and communications.”

It needs to be done within the rule of the law and by making all evidence available for public view. “In the meantime we also need to engage in constructive discussions with the Chinese government to try to reach an end to this activity,” Kothari says.

The charges

The victim organizations of the MSP campaign were scattered across 12 countries including the United States, U.K., Germany, France, Switzerland, Sweden and India.

Separately, Zhu, a penetration tester, and Zhang, a malware developer, also broke into computers and networks belonging to 45 technology companies and U.S. government agencies in 12 states. The technology theft campaign began in 2006 and resulted in Zhu and Zhang stealing hundreds of gigabytes of sensitive data. Among the victims were seven organizations in the aviation and space sectors; three communications companies; three manufacturers of advanced electronic components; NASA; and the Jet Propulsion Laboratory.

The APT10 intrusions include one that compromised more than 40 computers belonging to the Navy and resulted in the theft of personally identifiable information belonging to some 100,000 Navy personnel.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/threat-intelligence/apt10-indictments-show-shift-to-msp-targets/d/d-id/1333539?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense biz on behalf of Beijing

Two men, linked to the Chinese government, stand accused of hacking cloud giants, aerospace and defense companies, chip designers, US government agencies – including the Navy – and other organizations globally.

The duo’s goal, according to American prosecutors: stealing blueprints and other secrets from dozens of corporations, departments, and other outfits on Beijing’s orders. It is understood the allegations were unsealed and made public this week by the Trump administration to pile further pressure on China amid an ongoing trade war.

The two Chinese citizens, Zhu Hua (朱华) – whose online identities are said to include Afwar, CVNX, Alayos, and Godkiller – and Zhang Shilong (张士龙) – whose aliases are said to include Baobeilong, Zhang Jianguo, and Atreexp – are alleged to be part of a hacker gang referred to as APT10, among other names. They’re charged with conspiracy to commit computer intrusions, wire fraud, and aggravated identity theft.

APT stands for Advanced Persistent Threat, a trendy term for malware and exploit code that requires some skill to create. As is usual in the mildly cartoonish world of cybersecurity, APT10 has been referred to as Stone Panda, MenuPass and Red Apollo.

“This case is significant because the defendants are accused of targeting and compromising managed service providers, or MSPs,” said Deputy Attorney General Rod Rosenstein in a statement today. “MSPs are firms that other companies trust to store, process, and protect commercial data, including intellectual property and other confidential business information. When hackers gain access to MSPs, they can steal sensitive business information that gives competitors an unfair advantage.”

According to Rosenstein, over 90 per cent of US Justice Dept cases alleging economic espionage over the past seven years involve China.

Though no victims are named by the prosecution… HPE and IBM are said to be among those infiltrated by the Chinese hacker gang. The miscreants’ campaign to break into the tech giants was dubbed Cloudhopper because it allegedly involved slipping into HPE and IBM’s cloud services to then creep through to their clients’ networks. Big Blue said it had no evidence of corporate secrets being accessed. HPE declined to comment.

‘Trade secrets and economies’

The UK government publicly echoed the US charges. “This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world,” said UK Foreign Secretary Jeremy Hunt.

The UK’s Government Communications Headquarters (GCHQ), through its public-facing National Cyber Security Centre (NCSC) offshoot, said APT10 had “targeted healthcare, defense, aerospace, government, heavy industry/mining, Managed Service Providers (MSPs) and IT industries, among many other sectors.”

The NCSC also warned that APT10’s intellectual property theft is “current,” having been “facilitated by the group’s targeting of MSPs” – and added that “in some cases basic cyber security measures are still not being taken, and this is not acceptable.”

The US Energy Department also chimed in to scold the Chinese government and APT10. “Malicious actors are conducting sophisticated attacks to threaten our nation’s critical infrastructure,” said Secretary of Energy Rick Perry in a statement.

And the FBI put the defendants on a wanted poster.

Coordinated

The US indictment claims the two men worked for a company called Huaying Haitai in Tianjin, China, and acted in coordination with the Chinese Ministry of State Security’s Tianjin State Security Bureau.

From 2006 through 2018, a criminal indictment states, members of the APT10 group, including the defendants, broke into the computer systems of commercial and defense tech companies, and US government agencies. They allegedly penetrated more than 45 such organizations in at least 12 states. They’re said to have stolen gigabytes of data from organizations involved in aerospace, satellites, manufacturing, pharmaceuticals, oil and gas exploration and production, communications, and computer processors.

Starting in 2014, the group is said to have focused on MSPs. The indictment says APT10 and the defendants compromised a service provider with offices in New York and clients in at least 12 countries including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the United States.

The international uniform of hackers, the hoodie


APT10 is also blamed for breaking into US Navy computer systems and stealing confidential data, including personal information for 100,000 Naval personnel. NASA was among other American government agencies affected.

In 2013, APT10, as MenuPass, was targeting defense contractors, while accounts ‘n’ audits firm PricewaterhouseCoopers (PWC) and BAE Systems jointly called out APT10’s Chinese links almost 18 months ago.

The indictment outlines APT10’s attack strategy, which included individually targeted phishing emails (spear phishing) with attachments that, when opened, installed and ran spyware and other data-stealing software nasties.

The group often used the QuasarRAT remote admin malware. Once inside a network, the hackers would extract documents – not only intellectual property and valuable commercial files but also personal data of staff, contractors and business contacts, usually by zipping them into a .rar file.

GCHQ’s summary (PDF, 6 pages) of APT10’s tactics said: “Industry partners have reported that data exfiltrated often relates to human resources information, suggesting an interest in the targeted company specifically, as well as potentially developing access to customers and suppliers.”

It also listed IP addresses that the NCSC had definitely linked to the advanced persistent threat crew’s command and control servers, ready for alert IT bods to block:

  • 185.111.74.127
  • 194.68.44.108
  • 66.70.135.104
  • 185.211.247.52
  • 195.54.163.74
  • 167.114.171.8
  • 37.10.71.100
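Blocking the addresses is the easy half; the other half is finding out whether anything inside the network has already talked to them. The script below is an added example, not code from the article, The Register or the NCSC. It uses the seven addresses printed above as its indicator set, scans constructed firewall-style log lines (the key=value layout is an assumption) for whole-token IPv4 matches, so that `185.111.74.12` or `1185.111.74.127` do not produce false hits, and lists the internal hosts seen on the matching lines as the first triage targets. It also emits iptables drop rules for the same list.

```python
"""Match firewall/proxy logs against the APT10 C2 addresses listed by the NCSC.

Added example, not from the article or from the NCSC. The seven addresses
are the ones quoted in the article; the log lines are constructed and their
key=value layout is an assumption.
"""
import ipaddress
import re

# Indicators exactly as printed in the article (NCSC-attributed C2 servers).
APT10_C2 = {
    "185.111.74.127", "194.68.44.108", "66.70.135.104", "185.211.247.52",
    "195.54.163.74", "167.114.171.8", "37.10.71.100",
}

# Whole-token dotted quad: not preceded or followed by a digit or a dot, so a
# longer or shorter address that merely contains an indicator is not matched.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: one internal host talks to two indicators, one line is a
# near-miss address, one is a malformed token, one is an inbound deny.
SAMPLE_LOG = """\
2018-12-20T08:01:11Z action=allow src=10.20.30.40 dst=185.111.74.127 dport=443 proto=tcp
2018-12-20T08:01:12Z action=allow src=10.20.30.41 dst=93.184.216.34 dport=443 proto=tcp
2018-12-20T08:02:05Z action=allow src=10.20.30.40 dst=185.111.74.12 dport=443 proto=tcp
2018-12-20T08:02:40Z action=allow src=10.20.31.7 dst=1185.111.74.127 dport=80 proto=tcp
2018-12-20T08:03:00Z action=deny src=37.10.71.100 dst=10.20.30.40 dport=445 proto=tcp
2018-12-20T08:04:30Z action=allow src=10.20.30.40 dst=167.114.171.8 dport=443 proto=tcp
"""


def extract_ips(line):
    """All syntactically valid IPv4 addresses appearing as whole tokens in a line."""
    found = []
    for tok in IPV4.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(tok)))  # rejects octets > 255
        except ipaddress.AddressValueError:
            continue
    return found


def find_ioc_hits(log_text, iocs=APT10_C2):
    """Return (line_number, matched_ip, line) for every line touching an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append((n, ip, line))
    return hits


def internal_hosts_to_triage(hits, internal=ipaddress.ip_network("10.0.0.0/8")):
    """Internal addresses that share a line with an indicator: investigate these first."""
    hosts = set()
    for _, _, line in hits:
        for ip in extract_ips(line):
            if ipaddress.ip_address(ip) in internal:
                hosts.add(ip)
    return sorted(hosts)


def firewall_rules(iocs=APT10_C2):
    """iptables drop rules for the indicators, both directions, in address order."""
    ordered = sorted(iocs, key=ipaddress.IPv4Address)
    return ([f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ordered]
            + [f"iptables -A INPUT -s {ip} -j DROP" for ip in ordered])


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    for n, ip, line in hits:
        print(f"line {n}: {ip} <- {line}")
    print("hosts to triage:", internal_hosts_to_triage(hits))
    print("\n".join(firewall_rules()))
```

Run on the sample, lines 1, 5 and 6 match, and the one internal host that appears on those lines is the machine to pull for examination. Historic log coverage matters as much as the block rule here: the NCSC note says the activity is current, so a host that reached one of these addresses before the rule went in is already a case.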

The Justice Department’s name-and-shame strategy echoes its 2014 indictment of five members of the Chinese military for cyber attacks. Those five have yet to be apprehended.

While the FBI said Zhu Hua and Zhang Shilong can be arrested if they travel outside China, Rosenstein made clear in his remarks that America doesn’t expect the two to appear before a US judge any time soon. China has no extradition agreement with the US, and ongoing trade conflict between the two countries, exacerbated by the recent arrest of a Huawei executive in Canada at the behest of the US, makes any sort of accord look unlikely.

“We hope the day will come when the defendants face justice under the rule of law in a federal courtroom,” said Rosenstein. “Until then, they and other hackers who steal from our companies for the apparent benefit of Chinese industries should remember: There is no free pass to violate American laws merely because they do so under the protection of a foreign state.”

There’s no real penalty either. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/20/two_alleged_chinese_hackers/

Update now! Microsoft patches another zero-day flaw

Microsoft has found itself fixing a lot of zero-day flaws recently, including CVE-2018-8611, (patched this month), and November’s CVE-2018-8589 and CVE-2018-8589.

Now it has released an emergency patch for a remote code execution (RCE) zero-day vulnerability in Internet Explorer’s Jscript scripting engine affecting all versions of Windows, including Windows 10.

Identified as CVE-2018-8653, the flaw was reported by Google’s Threat Analysis Group researcher, Clement Lecigne, and according to Microsoft is being exploited in targeted attacks.

The company hasn’t elaborated on which attacks but the fact it’s being exploited at all explains why applying Microsoft’s patch should be a high priority.

According to Microsoft:

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

Exploitation depends on the privilege level of the targeted user, and Microsoft’s latest advice says admins might consider limiting access to Jscript.dll if they don’t plan to implement the patch soon.

On server systems (Server 2008, Server 2012, Server 2016, Server 2019), the severity rating is lowered from ‘critical’ to ‘moderate’ thanks to a restriction called Enhanced Security Configuration.

Windows 10 too

Scroll down on Microsoft’s advisory and you’ll notice that the patch is also being offered as an update to IE 11 for Windows 10.

But, hold on, didn’t Windows 10 replace IE with the Edge browser which uses a different scripting engine, Chakra?

Indeed it did, but for backwards compatibility reasons, IE components remain a default part of all Windows versions (with the possible exception of Windows 10 Pro Long Term Service Branch (LTSB), a customisable Windows version used by larger organisations).

So even if you don’t use IE 11 – or any Microsoft browser – bits of it are lurking on every Windows system, presumably in case any older Microsoft applications or websites need to use them.

Windows 10’s new start begone! This has always been Microsoft’s OS philosophy – steer clear of hard forks and make backwards compatibility a high priority.

What to do

Apply the patch. For Windows 10 users running Windows 10 64-bit 1803 (April 2018), the update is KB4483234.

Users who’ve managed to upgrade to the much-delayed Windows 10 64-bit 1809 (October 2018), should look for KB4483235.

For anyone still on Windows 10 64-bit 1709 (October 2017), it’s KB4483232.

As for older versions, Windows 8.1 for x64-based systems and Windows 7 for x64-based Systems Service Pack 1, it’s KB4483187.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WxE4Qfek-Hk/

Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense on behalf of Beijing

American prosecutors have accused two men, linked to the Chinese government, of conspiring to hack dozens of cloud giants, aerospace and defense companies, chip designers, and other organizations globally, to swipe blueprints and other secrets.

The two men, Zhu Hua (朱华) – whose online identities are said to include Afwar, CVNX, Alayos, and Godkiller – and Zhang Shilong (张士龙) – whose aliases are said to include Baobeilong, Zhang Jianguo, and Atreexp – are alleged to be part of a hacker gang referred to as APT10, among other names. They’re charged with conspiracy to commit computer intrusions, wire fraud, and aggravated identity theft.

APT stands for Advanced Persistent Threat, a trendy term for malware and exploit code that requires some skill to create. As is usual in the mildly cartoonish world of cybersecurity, APT10 has been referred to as Stone Panda, MenuPass and Red Apollo.

“This case is significant because the defendants are accused of targeting and compromising managed service providers, or MSPs,” said Deputy Attorney General Rod Rosenstein in a statement today. “MSPs are firms that other companies trust to store, process, and protect commercial data, including intellectual property and other confidential business information. When hackers gain access to MSPs, they can steal sensitive business information that gives competitors an unfair advantage.”

According to Rosenstein, over 90 per cent of US Justice Dept cases alleging economic espionage over the past seven years involve China.

Though no victims are named by the prosecution… HPE and IBM are said to be among those infiltrated by the Chinese hacker gang. The miscreants’ campaign to break into the tech giants was dubbed Cloudhopper because it allegedly involved slipping into organizations’ networks via HPE and IBM’s cloud services. Big Blue said it had no evidence of corporate secrets being accessed. HPE declined to comment.

‘Trade secrets and economies’

The UK government publicly echoed the US charges. “This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world,” said UK Foreign Secretary Jeremy Hunt.

The UK’s Government Communications Headquarters (GCHQ), through its public-facing National Cyber Security Centre (NCSC) offshoot, said APT10 had “targeted healthcare, defense, aerospace, government, heavy industry/mining, Managed Service Providers (MSPs) and IT industries, among many other sectors.”

The NCSC also warned that APT10’s intellectual property theft is “current,” having been “facilitated by the group’s targeting of MSPs” – and added that “in some cases basic cyber security measures are still not being taken, and this is not acceptable.”

The US Energy Department also chimed in to scold the Chinese government and APT10. “Malicious actors are conducting sophisticated attacks to threaten our nation’s critical infrastructure,” said Secretary of Energy Rick Perry in a statement.

And the FBI put the defendants on a wanted poster.

Coordinated

The US indictment claims the two men worked for a company called Huaying Haitai in Tianjin, China, and acted in coordination with the Chinese Ministry of State Security’s Tianjin State Security Bureau.

From 2006 through 2018, a criminal indictment states, members of the APT10 group, including the defendants, broke into the computer systems of commercial and defense tech companies, and US government agencies. They allegedly penetrated more than 45 such organizations in at least 12 states. They’re said to have stolen gigabytes of data from organizations involved in aerospace, satellites, manufacturing, pharmaceuticals, oil and gas exploration and production, communications, and computer processors.

Starting in 2014, the group is said to have focused on MSPs. The indictment says APT10 and the defendants compromised a service provider with offices in New York and clients in at least 12 countries including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the United States.

APT10 is also blamed for breaking into US Navy computer systems and stealing confidential data, including personal information for 100,000 Naval personnel. NASA was among the government agencies affected.

In 2013, APT10, then tracked as MenuPass, was targeting defense contractors; accounts ‘n’ audits firm PricewaterhouseCoopers (PwC) and BAE Systems jointly called out APT10’s Chinese links almost 18 months ago.

The indictment outlines APT10’s attack strategy, which included individually targeted phishing emails (spear phishing) with attachments that, when opened, installed and ran spyware and other data-stealing software nasties.

The group often used the QuasarRAT remote admin malware. Once inside a network, the hackers would extract documents – not only intellectual property and valuable commercial files but also personal data of staff, contractors and business contacts – usually packing them into RAR archives before sending them out.

GCHQ’s summary (PDF, 6 pages) of APT10’s tactics said: “Industry partners have reported that data exfiltrated often relates to human resources information, suggesting an interest in the targeted company specifically, as well as potentially developing access to customers and suppliers.”

It also listed IP addresses that the NCSC had definitely linked to the advanced persistent threat crew’s command and control servers, ready for alert IT bods to block:

  • 185.111.74.127
  • 194.68.44.108
  • 66.70.135.104
  • 185.211.247.52
  • 195.54.163.74
  • 167.114.171.8
  • 37.10.71.100
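
One way to put that list to work, as an added example that is not part of the article or the NCSC summary: a short Python script that sweeps firewall log lines for connections to the seven addresses above, tallies them per internal host (including how much went out, since the RAR-then-exfiltrate pattern in the indictment shows up as unusually large uploads), and renders outbound block rules. The log format, host names and traffic are constructed for the example; the only real data is the IOC list, and IP indicators go stale, so a hit is a lead to investigate rather than proof of compromise.

```python
import ipaddress
import re
from collections import defaultdict

# Command-and-control addresses the NCSC summary attributes to APT10 (the
# seven listed above). Indicators like these age; treat a match as a lead.
APT10_C2 = frozenset({
    "185.111.74.127", "194.68.44.108", "66.70.135.104", "185.211.247.52",
    "195.54.163.74", "167.114.171.8", "37.10.71.100",
})

# Constructed sample firewall log lines (not real traffic) in an assumed
# "timestamp host key=value ..." layout, not any particular vendor's schema.
SAMPLE_LOGS = """\
2018-12-20T09:14:02Z fw01 action=allow src=10.20.30.41 dst=185.111.74.127 dport=443 bytes_out=48211
2018-12-20T09:14:05Z fw01 action=allow src=10.20.30.41 dst=93.184.216.34 dport=443 bytes_out=1204
2018-12-20T09:16:40Z fw01 action=allow src=10.20.30.77 dst=37.10.71.100 dport=80 bytes_out=9341
2018-12-20T09:17:11Z fw01 action=allow src=10.20.30.41 dst=185.111.74.127 dport=443 bytes_out=7340032
2018-12-20T09:18:00Z fw01 action=deny src=10.20.30.90 dst=194.68.44.108 dport=443 bytes_out=0
this line is not a firewall record
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Split one log line into a dict of fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    fields["ts"] = m.group("ts")
    fields["host"] = m.group("host")
    return fields


def find_c2_hits(lines, iocs=APT10_C2):
    """Return {src_ip: summary} for every internal host that talked to an IOC."""
    hits = defaultdict(lambda: {"connections": 0, "allowed": 0,
                                "bytes_out": 0, "c2": set()})
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        try:
            src = str(ipaddress.ip_address(fields.get("src", "")))
            dst = str(ipaddress.ip_address(fields.get("dst", "")))
        except ValueError:
            continue  # missing or malformed address: skip the record
        if dst not in iocs:
            continue
        rec = hits[src]
        rec["connections"] += 1
        if fields.get("action") == "allow":
            rec["allowed"] += 1
        try:
            rec["bytes_out"] += int(fields.get("bytes_out", "0"))
        except ValueError:
            pass  # non-numeric byte count: count the connection, not the bytes
        rec["c2"].add(dst)
    return dict(hits)


def iptables_block_rules(iocs=APT10_C2):
    """Render one outbound DROP rule per indicator, in stable address order."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP"
            for ip in sorted(iocs, key=ipaddress.ip_address)]


if __name__ == "__main__":
    for src, rec in sorted(find_c2_hits(SAMPLE_LOGS).items()):
        print(f"{src}: {rec['connections']} connections "
              f"({rec['allowed']} allowed), {rec['bytes_out']} bytes out "
              f"to {', '.join(sorted(rec['c2']))}")
    print("\n".join(iptables_block_rules()))
```

In the sample, 10.20.30.41 is the host to look at first: two allowed sessions to the same C2 address, one of them a 7 MB upload, which is what staged archives leaving the network look like. A denied attempt (10.20.30.90) still counts, since it tells you which machine tried.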

The Justice Department’s name-and-shame strategy echoes its 2014 indictment of five members of the Chinese military for cyber attacks. Those five have yet to be apprehended.

While the FBI said Zhu Hua and Zhang Shilong can be arrested if they travel outside China, Rosenstein made clear in his remarks that America doesn’t expect the two to appear before a US judge any time soon. China has no extradition agreement with the US, and ongoing trade conflict between the two countries, exacerbated by the recent arrest of a Huawei executive in Canada at the behest of the US, makes any sort of accord look unlikely.

“We hope the day will come when the defendants face justice under the rule of law in a federal courtroom,” said Rosenstein. “Until then, they and other hackers who steal from our companies for the apparent benefit of Chinese industries should remember: There is no free pass to violate American laws merely because they do so under the protection of a foreign state.”

There’s no real penalty either. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/20/two_alleged_chinese_hackers/

2018 ain’t done yet… Amazon sent Alexa recordings of man and girlfriend to stranger

A German man was very confused when he received, at his request, all the information that Amazon possessed on him.

He had requested the data dump through Europe’s GDPR privacy law, and among the records of his Amazon searches and purchases, he was surprised to find no less than 1,700 recordings of him using Amazon’s Alexa-powered Echo digital assistant. Surprised because he doesn’t own an Echo. And the voice on the recordings wasn’t his.

That’s right: Amazon had sent him the entire recording set of a complete stranger. He alerted the US tech titan, which didn’t respond but did delete the link to the file download. However, the guy already had the files, and went to our friends at German news outlet Heise. It was able to quickly track down [PDF] the bloke actually speaking, and the name of his girlfriend, thanks to the details on the recordings. Which is, let’s be honest, not exactly comforting. It also means Alexa is keeping a recording of all your queries.

The fella who owned the voice-controlled Echo confirmed it was him on the tapes, and we’re told he was “audibly shocked” on the phone to journalists when they broke the news.

Despite knowing that it must have sent a customer’s home recordings to a complete stranger, Amazon didn’t contact the snooped-on bloke, raising further questions over what systems the Silicon Valley biz has put in place to deal with voice recordings snafus.

The audio samples themselves were what you would expect: requests for specific music, queries about the weather, public transport, setting alarms, and so on. But they revealed a lot about the man without him having any idea that complete strangers were listening in.

Of course, Amazon responded by immediately apologizing, outlining exactly what had happened, and explained what steps it would put in place to make sure such a thing never happened again.

Yeah right

Gotcha. Of course it didn’t. It told c’t magazine that it was just an “unfortunate mishap” that had since been resolved to everyone’s satisfaction.

And so the magazine called back the Echo-owning bloke, and it turned out that Amazon only called him after the mag had prodded the web giant’s PR department, ie: Amazon didn’t actively reach out. It told him that his voice files had inadvertently been sent to the wrong person – something Amazon claimed, wrongly, to have discovered itself.

When Reuters subsequently followed up, and asked Amazon again what had happened, it gave the same line: “This unfortunate case was the result of a human error and an isolated single case,” a spokesperson told the news service, adding: “We resolved the issue with the two customers involved and took measures to further optimize our processes. As a precautionary measure we contacted the relevant authorities.”

And when we reached out today, we got the exact same response: “This was an unfortunate case of human error and an isolated incident. We have resolved the issue with the two customers involved and have taken steps to further improve our processes. We were also in touch on a precautionary basis with the relevant regulatory authorities.”

So that’s all very reassuring and you should continue using your Alexa without thinking too hard about any of this. It’s all fine. Absolutely fine. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/20/amazon_alexa_recordings_stranger/

How to Optimize Security Spending While Reducing Risk

Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.

Globally, organizations have spent millions on security solutions; however, these purchasing decisions often are not based on fact or data — just hunches, expenditures, and market trends. Senior executives struggle to have complete visibility into their own company’s security posture as well as the current threat environment. There is a lack of comprehensive, near-real-time information that organizations can rely on to inform critical business decisions.

Getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data is important to increase a company’s security strength while optimizing spending and working to reduce risk.

Identifying the Threat in a Constantly Shifting Landscape
The constantly shifting security landscape can have a negative impact on the way organizations approach security and how security is perceived within an organization. It’s important to know where the threats are coming from and the realities of the threat landscape. According to the Verizon 2018 Data Breach Investigations Report, cyberattacks are not always aimed at billion-dollar businesses; many go after opportunistic targets that are unprepared. Moreover, 76% of the breaches reported were financially motivated, and 73% were perpetrated by outsiders.

Security is always changing, and the need for it is growing, both because of the threats themselves and because of what a breach does to an organization’s reputation. Those outside the traditional security realm are interested in your organization’s security posture, and for good reason. By 2020, organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research by the International Data Corporation. Gone are the days when only technologists and security executives needed to concern themselves with cyber threats.

The Ongoing Requirement for More Visibility
In order to combat the dynamic nature of cyber threats, business leaders need better data at their fingertips to help inform decisions, and security strategies need to evolve.

Security professionals must now spend time gathering and explaining the data they are working with to make assessments that make sense to someone outside of the security space. This can also mean needing to justify security investments to those who may not fully understand the breadth and reasoning behind them. CFOs have become more involved in decisions about cybersecurity in recent years, with many citing cyberattacks as the No. 1 external risk to their company, according to CNBC’s quarterly CFO Council Poll.

Not only are the types of people at the table changing, but the rules of the game are changing as well. For decades, security issues were fought in a reactive way. A plan was put in place based on previous knowledge, and situations were handled one at a time. Today, businesses no longer have the luxury to wait for a threat to occur or to lean on historical situations and strategies to be an effective guide.

Key Considerations for Security
When examining solutions to help optimize your organization’s security, the most important consideration is the ability to identify and quantify your risk. To accurately identify risk, you’ll need technology that provides an automated, comprehensive security risk-scoring framework, one that identifies security gaps, weaknesses, and the associated risks on a daily basis. (Note: Verizon is among a number of companies that offer risk-scoring services.) By gaining insight into potential threats and unwanted attention, such as brand mentions and exposed credentials, you’re likely a step ahead of a risk that could expose your organization to cyberattacks.

Risk-quantification capabilities are evolving along with the threat landscape, but the idea of putting a dollar amount on a potential issue is nothing new. Using data-driven, dynamic cyber-risk scoring to calculate potential outcomes guides you toward smarter, better-informed decisions and helps you communicate those decisions more completely to stakeholders outside the security space. An internal analysis of the current system and external risk reports are additional inputs to take into account. Although this information can be costly to compile, when used effectively it provides an assessment that gives a comprehensive view of your organization’s security posture.
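
A worked illustration of the “dollar amount” idea, added here and not taken from the article or from Verizon’s scoring service: the classic annualized loss expectancy (ALE) model, a return-on-security-investment (ROSI) figure per control, and a greedy pick of controls within a budget. The scenarios, frequencies, loss figures, control names and costs are all constructed for the example; real inputs come from incident history, industry reports and the organization’s own asset valuations.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: how often it is expected and what one occurrence costs."""
    name: str
    aro: float  # annualized rate of occurrence (expected events per year)
    sle: float  # single loss expectancy, in dollars

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    """A control, its yearly cost and the fraction of each scenario's ALE it removes."""
    name: str
    annual_cost: float
    ale_reduction: Dict[str, float]  # scenario name -> fraction in [0, 1]


# Constructed figures for illustration only (hypothetical scenarios and controls).
SCENARIOS = [
    Scenario("phishing", aro=4.0, sle=50_000),
    Scenario("ransomware", aro=0.5, sle=800_000),
    Scenario("msp_compromise", aro=0.2, sle=1_500_000),
]
CONTROLS = [
    Control("MFA on remote access", 40_000, {"phishing": 0.7, "msp_compromise": 0.3}),
    Control("EDR on endpoints", 90_000, {"ransomware": 0.5, "phishing": 0.2}),
    Control("Offline backups", 30_000, {"ransomware": 0.6}),
    Control("MSP access review", 120_000, {"msp_compromise": 0.5}),
]


def residual_ale(scenarios, controls) -> float:
    """Total expected yearly loss with the given controls in place.
    Reductions from several controls on one scenario compound multiplicatively."""
    total = 0.0
    for s in scenarios:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.ale_reduction.get(s.name, 0.0)
        total += s.ale * remaining
    return total


def rosi(scenarios, control, baseline=()) -> float:
    """Return on security investment: (loss avoided - cost) / cost,
    measured on top of a baseline set of controls already deployed."""
    before = residual_ale(scenarios, list(baseline))
    after = residual_ale(scenarios, list(baseline) + [control])
    return (before - after - control.annual_cost) / control.annual_cost


def choose_controls(scenarios, controls, budget):
    """Greedy selection: repeatedly add the affordable control with the most
    avoided loss per dollar, as long as it avoids more loss than it costs."""
    chosen, remaining, spent = [], list(controls), 0.0
    while True:
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.annual_cost > budget:
                continue
            avoided = residual_ale(scenarios, chosen) - residual_ale(scenarios, chosen + [c])
            ratio = avoided / c.annual_cost
            if avoided > c.annual_cost and ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            return chosen, spent
        chosen.append(best)
        remaining.remove(best)
        spent += best.annual_cost


if __name__ == "__main__":
    print(f"baseline ALE: ${residual_ale(SCENARIOS, []):,.0f}")
    for c in CONTROLS:
        print(f"  {c.name}: ROSI {rosi(SCENARIOS, c):.2f}")
    picked, spent = choose_controls(SCENARIOS, CONTROLS, budget=150_000)
    print(f"within $150,000: {[c.name for c in picked]} (${spent:,.0f}), "
          f"residual ALE ${residual_ale(SCENARIOS, picked):,.0f}")
```

Two caveats a practitioner would raise: the greedy pass is a heuristic, not an optimal budget allocation, and the ROSI of a control depends on what is already deployed (EDR is worth far less once offline backups have cut the ransomware loss), which is why the selection recomputes avoided loss against the controls already chosen rather than scoring each control in isolation.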

Solving the Problems of Tomorrow
A model for dynamic cyber-risk scoring enables enterprises to evaluate their current exposure to cyber-related risks, understand the probability of a future breach, and assess preventative measures both quantitatively and qualitatively, all underpinned by a framework for sustainable and measurable improvements. By doing this, enterprises have a better opportunity to proactively address weaknesses, prepare for threats, and mitigate risks. Prioritizing the exploration of, and investment in, updated security technologies lets a business measure its current exposure to cyber-risk and put itself in a position to prevent, and better handle, future issues.

As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon’s …

Article source: https://www.darkreading.com/risk/how-to-optimize-security-spending-while-reducing-risk/a/d-id/1333513?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple