STE WILLIAMS

UK Supreme Court considers whether spy court should be immune to legal probes

The UK’s highest court has this week heard arguments in Privacy International’s long-running attempt to challenge decisions made by Britain’s shadowy spying oversight court, the Investigatory Powers Tribunal (IPT).

The campaign group wants to bring a judicial review of a 2016 IPT decision in a case probing the legality of the UK spy agencies’ computer hacking.

However, the government sought to stop that challenge in its tracks, saying the tribunal was exempt from judicial reviews, citing Section 67(8) of the Regulation of Investigatory Powers Act (as was in force at the time).

This would mean the only court in which decisions of the IPT can be challenged is the European Court of Human Rights, and only for possible breaches of human rights law – a situation civil rights groups unsurprisingly want to change.

After two failed challenges in lower courts, Privacy International was granted one last chance to make its case, to the Supreme Court. That hearing took place over two days this week.

“This [case] is really quite significant,” Privacy International’s general counsel Caroline Wilson Palow told The Reg after the hearing. “If we are successful, the judgment is going to be far-reaching.”

Palow said the ability to challenge an IPT decision would introduce an important safeguard into the process, and that the court seemed to be taking the question seriously. “That was also indicated by the fact it was a seven Justice panel, which they usually reserve for the more serious cases.”

How did we get here?

2014 – Privacy International issues a legal complaint to the Investigatory Powers Tribunal challenging the lawfulness of the intelligence services’ use of computer hacking.

2016 – The IPT rules spies can lawfully hack devices using thematic, or “general”, warrants that cover broad classes; for instance, “all mobile phones in London”.

2017 – The High Court in February rejects Privacy International’s efforts to hold the IPT subject to judicial review, followed by the Court of Appeal in November.

2018 – The Supreme Court, the final court of appeal in the UK, in May agrees to hear the appeal.

Privacy International’s argument in the Supreme Court is that specialist tribunals, such as those for employment, are generally subject to judicial review in the regular courts. Without that supervision, a tribunal can effectively set the limits of its own powers and interpret the law unchecked by any other court.

And while the government believes that s67(8) renders the IPT immune to judicial review, Privacy International has countered – so far unsuccessfully – that this section should be read in restricted terms.

“S67(8) properly construed does not oust judicial review of the Tribunal,” Privacy International said in its written argument.

“It is a very long-established principle of the common law that a statute should not be interpreted as ousting judicial review of a statutory tribunal of limited jurisdiction if there is any reasonably tenable construction of the provision which would preserve the supervisory jurisdiction of the High Court.”

Investigatory Powers Tribunal has a broad remit

The group is also seeking to persuade the Supreme Court that the IPT’s role in overseeing the conduct of the security and intelligence agencies is just one part of its jurisdiction.

This is to counter the argument that the tribunal was set up to deal with matters of national security, which might cause problems for a regular court when dealing with sensitive material as evidence.

The Court of Appeal “placed great weight” on the IPT’s national security caseload, Privacy International said in its written case.

“The Court drew an inference that Parliament had intended that a tribunal hearing sensitive claims against the security and intelligence services should be wholly insulated from any review, regardless of the context or seriousness of the error.”

But civil rights groups argue its remit is far broader, as it considers claims and complaints on the use of investigatory powers, surveillance and covert human intelligence sources by a wide range of public authorities.

“It is objectionable in principle, and inimical to the rule of law, that a body with such broad jurisdiction should be entirely immune from challenge, save in the Strasbourg Court, and then only when the challenge raises a question of the UK’s compliance with the ECHR,” said Liberty, in a submission filed in support of Privacy International’s case.

Further to this, Palow said the idea that the regular courts would always have to handle sensitive material as evidence wasn’t accurate.

“Most of the time, that wouldn’t really be necessary, because often the points under judicial review are points of law… They could be argued in an open way.”

The never-ending battle needs cash

This week’s hearing, though, is just one of the many steps in Privacy International’s battle against government hacking.

The underlying claim that brought it to the Supreme Court this week is that the IPT erred in one of its decisions, on whether the government could issue what the group calls general warrants.

And so the next stage, if the group wins, will be to go back to the High Court to ask it to consider the question of general warrants and the IPT’s decision.

But, should the group lose, the court may order it to pay for the government’s lawyers and, despite a protective costs order, this could still reach £35,000.

As such, the group has this week launched a crowd funding campaign to help meet these costs – or put towards its many other challenges of government hacking if it does win.

“As a small charity, that’s a lot of money for us,” said Palow. “Of course, we’re hoping not to lose… The tribunal is a competent specialist tribunal, but the real point is that, ultimately, this very secretive work of the intelligence services needs to be subject to the rule of law.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/07/privacy_international_government_hacking_supreme_court/

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time

Congratulations, Australia: somehow after chaotic scenes in parliament, the government last night managed to secure after-the-bell passage of its encryption-busting eavesdropping legislation.

The super-spying law, which will force websites and communications services Down Under to build in secret wiretapping capabilities for terror and crime investigators, looked in serious trouble for most of the day, with the opposition Australian Labor Party and the Greens picking over more than 150 proposed amendments to the rules.

That, combined with a separate row over border protection legislation, made it look like parliament simply wouldn’t have the time to pass the snoopers’ law, something that drew an angry rant from Aussie Prime Minister Scott Morrison.

He unloaded on opposition leader Bill Shorten on both issues, saying: “This is about Australia’s safety, and Bill Shorten is a clear and present threat to Australia’s safety.”

“They keep saying they’re with us on national security, and then keep laying blockers along the way. They’re not fair dinkum. They’re just not fair dinkum. They are intent on just frustrating and embarrassing the government. I get it. That’s politics. That’s my point. Bill Shorten is all about politics. I’m about keeping Australians safe.”

Note for readers outside Australia: “Fair dinkum” is a quaint and nearly-obsolete Aussie phrase that roughly translates as “genuine.” In the modern era, it only finds a home in the mouths of public figures attempting a “man of the people” posture.

The UK, Australia’s Five Eyes partner, is hearing the same anti-strong-crypto messages with increasing frequency.

GCHQ in November called for “virtual crocodile clips”, aka adding a third party to encrypted chats without notifying the surveillance targets, while security minister Ben Wallace sought to extend the Investigatory Powers Act to allow bulk intercept of online comms.

GCHQ boss Jeremy Fleming yesterday joined the din with a speech to the Billington Cyber Security Summit, saying:

“Yes, encryption enables us all to live safer online lives. But its ubiquity brings anonymity to terrorists, paedophiles, and cybercrime gangs, who law enforcement and intelligence agencies are trying to stop. And it’s getting worse.”

While “we have no interest in undermining the security of commodity services,” Fleming said, he wanted a “rigorous, technology-literate, and dispassionate discussion about potential solutions.”

He promised GCHQ would “use our technical expertise built over 100 years to help people understand the realities of the requirement for exceptional warranted access.”

Whether or not the PM’s bollocking had any direct effect, the opposition not only allowed the spy laws to pass – in the interests of getting them through in the last session before parliament rose for the year – it also dropped all of its proposed amendments, allowing the government to recall the House of Representatives early in the evening to green-light the legislation. The opposition’s amendments will instead be argued over and tacked on early next year, it was hoped.

Shorten explained the opposition’s decision thus: “I will not sacrifice the safety of Australians merely because Mr Morrison does not have the courage to deal with issues in the House of Representatives.

“If you agree to do the amendments you’ve already agreed to, to the encryption laws, in the first [parliamentary] week of next year, we will pass [the laws], unsatisfactory as they are, right now, because we’re not going to go home and leave the Australian people on their own over Christmas.”

With that, the laws passed – and it seems Shorten was misled about the government’s intent regarding the amendments. Attorney-general Christian Porter later issued a statement saying “the government has agreed to consider Labor’s proposed amendments in the New Year if they genuinely reflect the recommendations of the Parliamentary Joint Committee on Intelligence and Security”; the operative word there being “genuinely”, and “consider” rather than “pass”.

The law now awaits sign-off by Oz’s Governor-General. Once the legislation is active, companies served with a request to install a backdoor have 28 days to respond.

It would be tedious to list every reaction to the passage of the bill, but this, from Greens senator Jordan Steele-John seems appropriate… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/07/australias_crypto_legislation/

Facebook staff’s private emails published by fake news inquiry

Want to know what Mark Zuckerberg and his underlings really think about us users?

Get ready to read ’em and weep: against the wishes of the Facebook CEO, the UK parliament’s inquiry into fake news has published confidential correspondence between Zuck and his staff.

That correspondence has some revealing stuff in it. But first, how did the Parliament’s Digital, Culture, Media, and Sport (DCMS) committee – which has been overseeing inquiries into Facebook’s privacy practices – get their hands on it?

Well, it has to do with bathing suit photos. A now-defunct app maker called Six4Three, whose app searched for Facebook users’ bathing suit photos, is embroiled in a years-long lawsuit against Facebook.

Six4Three alleges that Facebook suddenly changed the terms of how it allowed developers to access Facebook’s Graph API generally, and its Friends’ Photos Endpoint, specifically. Six4Three made an app known as “Pikinis” that specifically sought out bikini photos across Facebook users’ friends pages. In April 2015, Six4Three sued Facebook, claiming that Facebook’s sudden yanking of access rendered both the app and the company itself “worthless.”

According to a court filing from last week, Six4Three managing director Ted Kramer met with MP Damian Collins in his London office on 20 November. Collins told Kramer that he was under active investigation, that he was in contempt of parliament, and that he could potentially face fines and imprisonment.

Kramer is then said to have “panicked” and whipped out a USB drive before frantically searching his Dropbox account for relevant files obtained under civil discovery. He looked for any files whose names suggested they might be relevant, dragged them onto the USB drive without even opening them, and handed over the USB stick – in spite of Facebook having labelled the documents highly confidential, and “against the explicit statements by counsel in the above referenced communications,” according to last week’s filing.

That’s it in a nutshell. Check out write-ups from Ars Technica and from The Observer, which broke the news, for more details about the case and the incident: it’s a hell of a sticky legal wicket when it comes to limits of British authorities’ legal reach with international companies such as Facebook.

As it is, Facebook has steadfastly refused to appear before MPs to explain the company’s moves with regards to fake news. MP Collins, head of the committee, says that the Six4Three case in the US suggested another option of getting the information the committee sought. The Observer quoted him:

We have followed this court case in America and we believed these documents contained answers to some of the questions we have been seeking about the use of data, especially by external developers.

When it comes to the Cambridge Analytica user data fiasco, Six4Three alleges that the correspondence shows that Facebook was not only aware of the implications of its privacy policy, but actively exploited them. Collins and his committee were particularly interested in the app company’s assertions that Facebook intentionally created and effectively flagged up the loophole that Cambridge Analytica used to collect user data.

On Wednesday, the parliamentary committee published about 250 pages of the correspondence, some of which are marked “highly confidential”.

These are the key issues found in the correspondence that MP Collins highlighted in his introductory note:

  • In 2014/2015, Facebook limited the data on users’ friends that developers could see. Regardless, it kept a whitelist of certain companies that it allowed to maintain full access to friend data. Collins said that it’s “Not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted.”
  • Collins says that Facebook knew that changing its policies on the Android mobile phone system to enable the Facebook app to collect a record of users’ calls and texts would be controversial …so the plan was to bury it deep. “To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features of the upgrade of their app,” Collins said.
  • You might recall that up until recently Facebook had been pushing people to download a virtual private network (VPN) app, Onavo, that it acquired in 2013 for “protection” …without mentioning that it was phoning home to Facebook to deliver users’ app usage habits, even when the VPN was turned off. In August, Apple suggested that Facebook remove Onavo from the App Store due to privacy violations. Collins wrote that, apparently without users’ knowledge, Facebook had been using Onavo to conduct global surveys of what mobile apps its customers were using. Then, it used that data to figure out not just how many people had downloaded apps, but how often they used them: useful knowledge when it came to deciding “which companies to acquire, and which to treat as a threat,” Collins wrote.
  • The files contain evidence that when Facebook took aggressive positions against apps and turned off their access to data, it sometimes led to businesses failing.
  • Twelve of the Six4Three documents include discussions on businesses that got whitelisted when it came to access to users’ friend data. The whitelisted firms include the dating service Badoo, its spin-off Hot or Not, and the dating app Bumble, which Badoo had invested in; Lyft; Netflix; and Airbnb. Facebook didn’t whitelist just any old company, though: it denied the friends data firehose API to companies including Ticketmaster, Vine, and Airbiquity, a connected-cars company.

Below is one of many email extracts published on Wednesday that show how Facebook has targeted competitor apps. It’s about shutting down access to users’ friend data to Vine, which was Twitter’s short-video service:

Facebook email 24 January 2013
Justin Osofsky (Facebook vice president):
‘Twitter launched Vine today which lets you shoot multiple short video segments to make one single, 6-second video. As part of their NUX, you can find friends via FB. Unless anyone raises objections, we will shut down their friends API access today. We’ve prepared reactive PR, and I will let Jana know our decision.

Mark Zuckerberg:
‘Yup, go for it.’

And here’s an excerpt from a discussion dated 4 February 2015 about giving Facebook’s Android app permission to read users’ call logs in such a way that they wouldn’t see a permissions dialog:

Michael LeBeau (Facebook product manager):
‘He guys, as you know all the growth team is planning on shipping a permissions update on Android at the end of this month. They are going to include the ‘read call log’ permission, which will trigger the Android permissions dialog on update, requiring users to accept the update. They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK, coefficient calculation, feed ranking etc. This is a pretty highrisk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it.’

Yul Kwon (Facebook product manager):
‘The Growth team is now exploring a path where we only request Read Call Log permission, and hold off on requesting any other permissions for now.

‘Based on their initial testing, it seems this would allow us to upgrade users without subjecting them to an Android permissions dialog at all.

‘It would still be a breaking change, so users would have to click to upgrade, but no permissions dialog screen.’

Facebook told the BBC that the documents have been presented in a “very misleading manner” and required more context. It quoted a Facebook spokeswoman:

We stand by the platform changes we made in 2015 to stop a person from sharing their friends’ data with developers.

Like any business, we had many internal conversations about the various ways we could build a sustainable business model for our platform.

But the facts are clear: we’ve never sold people’s data.

Zuckerberg also posted a response on his Facebook page. In it, he put context around the company’s decisions, including its efforts to fight “sketchy apps” such as the quiz that led to the Cambridge Analytica situation.

I understand there is a lot of scrutiny on how we run our systems.

That’s healthy, given the vast number of people who use our services around the world, and it is right that we are constantly asked to explain what we do. But it’s also important that the coverage of what we do – including the explanation of these internal documents – doesn’t misrepresent our actions or motives. This was an important change to protect our community, and it achieved its goal.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NO6GwfW7r6o/

Marriott, Kubernetes and PewDiePie [PODCAST]

On the Naked Security podcast this week: Marriott’s huge and scary data breach, a bug in the Kubernetes container management software that could be a data thief’s goldmine, and a self-righteous “hacker” prints out an advert on 50,000 internet printers.

With Anna Brading, Mark Stockley, Matthew Boddy and Paul Ducklin.

If you enjoy the podcast, please share it with other people interested in cybersecurity, and give us a vote on iTunes and other podcasting directories.


Thanks to Purple Planet Music for the opening and closing music.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tOmOKMsh0SI/

Windows 10 security question: How do miscreants use these for post-hack persistence?

Black Hat: Crafty infosec researchers have figured out how to remotely set answers to Windows 10’s password reset questions “without even executing code on the targeted machine”.

Thanks to some alarmingly straightforward registry tweaks allied with a simple Python script, Illusive Networks’ Magal Baz and Tom Sela were not only able to remotely define their own choice of password reset answers, they were also able to revert local users’ password changes.

Part of the problem is that Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions, so users are limited to picking from Microsoft’s six. Thus questions such as “what was your first pet’s name” are now defending your box against intruders.

The catch is that to do this, one first needs suitable account privileges. This isn’t an attack vector per se but it is something that an attacker who has already gained access to your network could use to give themselves near-invisible persistence on local machines, defying attempts to shut them out.

The Windows registry, said Baz and Sela, stores items such as the local machine and service users’ passwords within the well-known LSA Secrets store, which is so secret and secure that even Microsoft TechNet bloggers offer step-by-step PowerShell guides to examining its contents, which are encrypted. Inevitably, there is a way round that.

Baz told his Black Hat presentation’s audience: “The important thing to understand about how it’s encrypted is that in order to assemble the AES key with which the LSA secrets are encrypted, you need to collect artefacts from the registry on that machine. So if you have full access to the registry on the machine, it’s really not that difficult to get the key with which you can rewrite LSA Secrets.”

Working on the “lucky” assumption that the elevated-privs account they were using for their proof-of-concept test was able to edit local access control lists, the two gave themselves read/write permissions, with Baz adding: “If you want to locate the secret you find the registry key through the format L, for local; SQSA, which stands for security question and security answer; and the GUID of the user to whom the questions belong.” The actual QA data was stored as JSON.

Opening a remote desktop session to the target machine gives you the standard Windows logon screen. “Nowadays… if you look at it closely you won’t see a reset password button,” said Baz, who went on to demonstrate a method of bypassing this security protection by forcing the remote desktop session to “fall back to non-network level authentication”.

“Luckily,” said Baz, “as an RDP client you can say you do not support NLA. Thus you can ask the server to give you back the old Windows logon screen with the password reset option”. He and Sela simply created an RDP file with the appropriate flag set.

Once they had obtained access to the standard password reset screen, the two then looked into persistence. It is no good having local access if a suspicious user simply changes their password. But what if you can revert that password back to the one you know? “It’s pretty simple, luckily,” said Baz.

“In order to prevent people from reusing their passwords, Windows stores hashes of the old passwords. They’re stored under AES in the registry. If you have access to the registry, it’s not that hard to read them. You can use an undocumented API and reinstate the hash that was active just before you changed it. Effectively I’m doing a password change and nobody is going to notice that,” he continued, explaining that he’d used existing features in the post-exploitation tool Mimikatz to achieve that.

As for protecting against this post-attack persistence problem? “Add additional auditing and GPO settings,” said Sela. The two also suggested that Microsoft allow custom security questions, and the ability to disable the feature altogether in Windows 10 Enterprise. The presentation slides are available here (PDF). ®
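As an added check, written for this page rather than taken from the researchers’ talk or from Microsoft, the PowerShell below audits a Windows 10 host for the settings that decide whether this persistence trick is viable, and lists the enabled local accounts whose security-question secrets would be worth watching (the talk describes the LSA secret name as L, SQSA and a per-user identifier; the identifier in the key name is the account’s SID). Three things are assumptions to verify on your own build: that NoLocalPasswordResetQuestions is the registry value behind the “Prevent the use of security questions for local accounts” Group Policy setting; that UserAuthentication = 1 under the RDP-Tcp WinStation is what makes the listener require NLA, so that a client advertising no NLA support is refused instead of being handed the legacy logon screen with its reset link (the article does not name the .rdp flag the researchers set; the documented client-side setting that disables CredSSP/NLA is enablecredsspsupport:i:0); and that the Object Access > Registry audit subcategory must be on before a SACL on a sensitive key produces any 4657/4663 events. Run it in an elevated session; auditpol fails silently otherwise and that check reports a failure.

```powershell
# Editor-added audit script (not from Illusive Networks or Microsoft). Read-only.
# Checks: security questions disabled by policy, RDP requires NLA, registry
# auditing enabled, and which local accounts exist to scope auditing to.

function Get-RegValueOrNull {
    # Returns the named registry value, or $null if the key or value is absent,
    # so a missing policy shows up as a failed check rather than an exception.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-PasswordResetHardening {
    $findings = @()

    # 1. Local-account security questions disabled by policy?
    #    ASSUMPTION: value name backs the GPO "Prevent the use of security
    #    questions for local accounts" (Credential User Interface). Verify on your build.
    $noQuestions = Get-RegValueOrNull `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
        -Name 'NoLocalPasswordResetQuestions'
    $findings += [pscustomobject]@{
        Check = 'Security questions disabled for local accounts'
        Value = $noQuestions
        Pass  = ($noQuestions -eq 1)
        Fix   = 'Set NoLocalPasswordResetQuestions (DWORD) = 1 via Group Policy'
    }

    # 2. Does the RDP listener insist on NLA? With UserAuthentication = 1 the
    #    server rejects a client that claims it cannot do NLA, which closes the
    #    "fall back to the old logon screen" step described in the talk.
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = Get-RegValueOrNull -Path $rdp -Name 'UserAuthentication'
    $findings += [pscustomobject]@{
        Check = 'RDP requires Network Level Authentication'
        Value = $nla
        Pass  = ($nla -eq 1)
        Fix   = 'Enable "Require user authentication for remote connections by using NLA"'
    }

    # 3. Registry auditing on? Without it, a SACL on HKLM\SECURITY\Policy\Secrets
    #    (or any other key) never produces 4657/4663 events. auditpol needs elevation;
    #    if it errors, $audit is empty and the check fails, which is the right answer.
    $audit = (auditpol /get /subcategory:"Registry" 2>$null) -join ' '
    $findings += [pscustomobject]@{
        Check = 'Object Access > Registry auditing enabled'
        Value = $audit.Trim()
        Pass  = ($audit -match 'Success')
        Fix   = 'auditpol /set /subcategory:"Registry" /success:enable /failure:enable'
    }

    # 4. Enabled local accounts. Each can have a security-question secret keyed by
    #    its SID; these are the accounts whose reset path and password-history
    #    changes deserve auditing. Informational, so Pass is always $true.
    $findings += Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Check = "Local account enabled: $($_.Name) ($($_.SID))"
            Value = $_.PasswordLastSet
            Pass  = $true
            Fix   = 'Review whether the account needs a local password at all'
        }
    }

    $findings
}

Test-PasswordResetHardening | Format-Table -AutoSize -Wrap
```

Any row with Pass = False is a host on which the chain in the article (edit the secret, reach the legacy logon screen over RDP, reset) still works for an attacker who already holds the needed privileges; the NLA row is the one that blocks the remote part of it, and the auditing row is what turns a silent LSA Secrets rewrite into something a SIEM can see.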

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/06/windows_10_security_questions_remotely_defined_answers/

UK spies: You know how we said bulk device hacking would be used sparingly? Well, things have ‘evolved’…

UK spies are planning to increase their use of bulk equipment interference, as the range of encrypted hardware and software applications they can’t tap into increases.

Equipment interference (EI) – formerly known as computer network exploitation – is the phrase used for spies poking around in devices, like phones or computers, and media like USB sticks.


It allows them to gather up info they claim would otherwise be “lost” as it can’t be obtained other ways – crucially, it means they can access encrypted data they cannot grab via the more traditional route of interception.

At the time the Investigatory Powers Bill was passing through Parliament – it was signed into law in 2016 – bulk EI hadn’t been used, but it was already seen as an alternative to bulk interception.

However, it was expected to be authorised through targeted or targeted thematic warrants; as then-independent reviewer of terrorism David Anderson wrote at the time, “bulk EI is likely to be only sparingly used”.

Since then, though, GCHQ’s use of these bulk powers has “evolved”, according to a letter (PDF) to members of parliament’s Intelligence and Security Committee, by security minister Ben Wallace.

During the passage of the Investigatory Powers legislation, he said, the government anticipated bulk EI warrants would be “the exception”, and “be limited to overseas ‘discovery’ based EI operations”.

But with encryption increasingly commonplace, the spies want the exception to edge towards becoming the rule.

“Since the passage of the Bill, the communications environment has continued to evolve, particularly in terms of the range of hardware devices and software applications which need to be targeted,” Wallace said.

“In addition, the deployment of less traditional devices, and usage of these technologies by individuals of interest has advanced significantly.”

Wallace said GCHQ had reviewed “current operational and technical realities” and “revisited” its previous position.

“It will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged,” he said.

This was predicted by David Anderson QC in his 2016 report (PDF), in which he acknowledged that the logic of bulk interception could apply to bulk EI.

“There will be foreign-focused cases where there is significant value to be gained, operationally, from it – but in which it won’t be possible to make a sufficiently precise assessment to proceed on the basis of the thematic EI power,” he said.

Anderson added that bulk EI would require “particularly rigorous and technically-informed oversight” from both the secretary of state and the judicial commissioners who form the other part of the recently introduced “double lock” mechanism.

What is the double lock?

Introduced in a bid to increase independent oversight and convince critics there are enough safeguards in place, this requires judges to check and countersign government-approved warrants for spying powers.

Previously, politicians had sole say over what powers spies could use. The aim of the new measures is to ensure the snooping only happens when it is both necessary and proportionate.

The requirement that judges sign off on warrants for equipment interference came into force on 28 November.

Wallace said in his letter that the government had told the Investigatory Powers Commissioner, Adrian Fulford, about the proposals, and that Fulford “has proposed enhanced post facto safeguards for this activity”.

Writing on Twitter today, Anderson praised GCHQ’s transparency on the matter, but added that IPCO would need to investigate in more detail.

Others countered that it suggested there were major concerns about the legality of the new practices.

Wallace’s letter insisted the interpretation was “fully in line” with the IP Act and the EI Code of Practice, and that the judicial double lock process would apply the additional controls and safeguards of the regime. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/06/uk_gchq_bulk_equipment_interference/

Evidence in Starwood/Marriott Breach May Point to China

Attackers used methods, tools previously used by known Chinese hackers.

Speculation about the criminals responsible for the Starwood/Marriott breach has centered on nation-state actors. In a new article, Reuters is reporting that “sources familiar with the matter” claim hackers left clues pointing toward China as the party responsible for the attack.

According to the article, the attackers used “hacking tools, techniques and procedures” previously used by known Chinese hackers. The sources caution, though, that two factors make conclusive attribution difficult at this point.

First, the tools that point toward China are now commonly available to, and used by, hackers around the world. Next, investigators have come to suspect that multiple groups may have been active in the databases during the four-year duration of the breach.

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/evidence-in-starwood-marriott-breach-may-point-to-china/d/d-id/1333421?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Common Breach Disclosure Mistakes

How you report a data breach can have a big impact on its fallout.

Marriott International is quickly emerging as the latest example of the importance of proper breach disclosure.

Last week the hotel giant disclosed that sensitive data belonging to some 500 million Starwood Hotels customers had been compromised in an intrusion that began in 2014 and remained undiscovered until this September.

Since the disclosure, the parent company has been hit with at least two lawsuits accusing it of delaying the breach disclosure and not providing enough details on the incident. The lawsuits are expected to be the first of many the company will face over the breach.

The breach has focused considerable attention on familiar topics, such as the need for organizations to have better breach detection and response capabilities, and on issues including data collection and data minimization, encryption, access controls, and strong authentication.

It is also serving as a new example of the need for organizations to have strong processes in place for breach reporting and disclosure, especially in an era of stringent regulations like the EU’s GDPR.

“The fact this breach happened around four years ago and Marriott found out two months ago is concerning,” says Ken Underhill, master instructor at Cybrary. “We all understand that a company needs to investigate what happened, but two months to report something this large is not acceptable,” he says.

Here, according to Underhill and several security industry experts, are some of the most common pitfalls to avoid when making a breach disclosure.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/7-common-breach-disclosure-mistakes/d/d-id/1333401?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

55% of Companies Don’t Offer Mandatory Security Awareness Training

Even those that provide employee training do so sparingly, a new study finds.

Although most cyberattacks begin by compromising an end user, often via phishing messages, most organizations are not training their end users to recognize those attacks. A new survey found that just 45% of organizations provide employees mandatory, formal cybersecurity training; another 10% give optional training.

According to Mimecast, even those organizations that require formal security training only do so sparingly: 6% conduct sessions monthly, 4% quarterly, and 9% only when onboarding a new employee. Emailed or printed lists of security tips are the most common format of education (33%).

In addition, nearly one in four employees are not aware of common cyberthreats, such as phishing and ransomware, the study says. Sixty-nine percent are using corporate devices for nonwork reasons (including news, personal email, social media), and one in 10 employees are using business devices for personal use more than four hours per day.

Organizations with security-unsavvy users are at particular risk during the holiday shopping season, as both attack activity and personal use of business devices increase.


Article source: https://www.darkreading.com/document.asp?doc_id=1333422&_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple Issues Security Fixes Across Mac, iOS

Software updates for Mac and iOS bring patches to Safari, iCloud, iTunes on Windows, and tvOS.

Apple has released security fixes for several vulnerabilities in Mac and iOS software. Affected services include iOS, Safari, iCloud, iTunes for Windows, tvOS, and macOS Mojave, High Sierra, and Sierra. All December patches can be installed via Software Update.

macOS updates will arrive in Mojave 10.14.2, High Sierra security update 2018-003, and Sierra security update 2018-006. They address 13 CVEs, including two for WindowServer (CVE-2018-4449 and CVE-2018-4450), one in Disk Images (CVE-2018-4465), one in Carbon Core (CVE-2018-4463), one in Intel Graphics Driver (CVE-2018-4434), and one in IOHIDFamily (CVE-2018-4427).

There are five CVEs for Kernel addressing a denial-of-service vulnerability (CVE-2018-4460), kernel memory disclosure (CVE-2018-4431), and three that would let an attacker or application elevate privileges and execute code (CVE-2018-4435, CVE-2018-4461, CVE-2018-4447).

The iOS 12.1.1 update comes with all patches for AirPort, Disk Images, Kernel, Safari, and WebKit. It also fixes a vulnerability in FaceTime (CVE-2018-4430), which could let an attacker view contacts from the lock screen, and a File Provider bug (CVE-2018-4446), which could expose data belonging to the device’s other applications. Other iOS-specific CVEs affect LinkPresentation (CVE-2018-4429), which could enable user interface spoofing, and Profiles (CVE-2018-4436).

Safari version 12.0.2 brings six WebKit patches addressing issues that could lead to arbitrary code execution. It also patches vulnerabilities that could lead to address bar spoofing (CVE-2018-4440) or user interface spoofing (CVE-2018-4439), or prevent users from deleting their browser histories (CVE-2018-4445).

More details on this month’s patches can be found in the US-CERT advisory.


Article source: https://www.darkreading.com/endpoint/apple-issues-security-fixes-across-mac-ios/d/d-id/1333423?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple