STE WILLIAMS

Sorry, we haven’t ACLU what happened in sealed ‘Facebook decryption’ case, but let’s find out

The American Civil Liberties Union (ACLU) has filed a motion to find out what went on in a court case in which the US Department of Justice allegedly tried to make Facebook give it unencrypted access to Messenger calls.


Claims about the secret filings first emerged in August, when the government wanted the backdoor to help their investigation into the MS-13 gang, one of President Donald Trump’s favourite examples of crime gangs.

The ACLU believes the DoJ tried to have Facebook held in contempt of court for refusing (because it would have undermined security for all users) – but nobody knows for sure, because the proceedings are secret.

In a filing to the US District Court (eastern California district) the ACLU, along with the Electronic Frontier Foundation and Stanford Law School’s Riana Pfefferkorn (acting in her personal capacity), hopes to get that secrecy removed.

The ACLU said it wants “legal arguments and analysis” from the government and the court, not whatever technical evidence was given. “We emphasized to the court that we would not object to appropriate redactions made to protect any details that would hamper legitimate law enforcement investigations.” Which is a pity, because it would be useful to know why the Feds are so convinced of the feasibility of what they demanded.

“This need for transparency is especially true when it comes to surveillance, where the government has a track record of hiding from public oversight,” the ACLU continued.

Specifically, the ACLU wants any sealed docket sheets, court orders on sealing requests, the associated judicial rulings, and legal analysis.

Facebook’s public claim has always been that it can’t decrypt Messenger conversations because it doesn’t hold any of the keys involved – those are known only to the participants in a conversation. Changing that would require a redesign of the system, so as to decrypt messages on their way through Facebook’s infrastructure.

As readers know, a similar debate is playing out in Australia, where its parliament is currently considering a law to force providers to cooperate with law enforcement demands to access encrypted messages.

Another hint that the demand for decryption was denied came when the FBI charged 16 suspected members of MS-13. In its affidavit, a footnote said “currently, there is no practical method available by which law enforcement can monitor” calls on Messenger. ®

Sponsored:
Putting the Sec into DevSecOps

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/29/aclu_asks_court_to_unseal_messenger_decryption_case/

GCHQ opens kimono for infosec world to ogle its vuln disclosure process

On the same day that certain types of British state-backed hacking now need a judge-issued warrant to carry out, GCHQ has lifted the veil and given the infosec world a glimpse inside its vuln-hoarding policies.

The spying agency’s internal Equities Process is the way by which it decides whether or not to tell tech vendors that its snoopers have discovered a hardware or software vulnerability.

A hot topic for many years, vuln disclosure (and patching) is a double-edged sword for spy agencies. If they keep discovered vulns to themselves, they can exploit them for their own ends, for which the public reason is given as disrupting “the activities of those who seek to do the UK harm” – including Belgian phone operators.

If GCHQ discloses vulns it has found to the affected vendor, that can “benefit global users of the technology”, in the agency’s words, as well as tending to build trust – something the Peeping Tom agency is dead keen on following the international damage done to its reputation after the Snowden disclosures.

However, in a briefing note today the agency revealed it may keep vulns in unsupported software to itself. “Where the software in question is no longer supported by the vendor,” it said, “were a vulnerability to be discovered in such software, there would be no route by which it could be patched.”

Only last year Microsoft prez Brad Smith was raging against GCHQ’s American cousins, the NSA, for the “stockpiling of vulnerabilities by governments” – though, as we revealed, Microsoft had been sitting on a pile of patches that were only provided to corporate customers and not the public, so not everyone in this debate is squeaky clean.

Lovely bureaucracy

When it decides whether or not to give up a vuln, GCHQ said three internal bodies are involved: the Equities Technical Panel, made up of “subject matter expert” spies; the GCHQ Equity Board, which is chaired by a civil servant from GCHQ’s public-facing arm, the National Cyber Security Centre (NCSC), and staffed by people from other government departments; and the Equities Oversight Committee, chaired by the chief exec of the NCSC, Ciaran Martin.

Broadly speaking, Martin gets the final word on whether or not a vuln is “released” to be patched. Those decisions are “regularly reviewed at a period appropriate to the security risk” and, regardless of the risk, “at least every 12 months”.

What do they review? Operational necessity (“How reliant are we on this vulnerability to realise intelligence?”) is one criterion, as well as the impact on other British government departments’ activities. Questions about whether the vuln could be spotted independently by others and used to harm business and private citizens are considered under the general category of “defensive risk”, but appear to be less of a priority than looking at whether the state will find its wings clipped as a result of disclosure.

Even then, the agency would rather nudge industry into applying “configuration changes” to mitigate against vulns rather than seeing a proper patch deployed after disclosure. The reason is obvious: not everyone implements config changes, meaning some GCHQ targets may continue to be vulnerable to “network exploitation”.

“Assessment in relation to a number of these factors is based on standardised criteria and past experience, including applying the use of the Common Vulnerability Scoring System where appropriate,” said GCHQ.

Good stuff, now go and get a proper warrant

Today a post-Snowden legal tweak comes into force: state employees wanting to hack targets’ networks and devices must now get a judge-issued warrant, under section 106 of the Investigatory Powers Act.

“Such warrants can then be issued from 5th December. However unless urgent, the warrant will need to be reviewed and approved by a Judicial Commissioner,” noted the Society for Computers and Law in an update about the new law. It added that from January, law enforcement agencies will have to use this process to insert probes into suspected hackers’ gear.

Using hacking tools to investigate alleged crimes that fall under sections 1 to 3 of the Computer Misuse Act 1990 is now subject to the “equipment interference warrant” procedure, rather than the bog-standard Police Act 1997 “property interference authorisation”.

The difference is that state-backed hackers set out to find “communications, private information or equipment data”, which therefore needs a different set of legal protections than the Police Act process, which was written around slightly different scenarios such as planting tracker bugs on cars. ®

Bootnote

“In exceptional cases, the CEO of the NCSC may decide that further escalation via submissions to Director GCHQ and, if required, the Foreign Secretary should be invoked,” said the GCHQ press briefing note, giving rise to images of spy agency suits pacing in circles around a smoking server and chanting Jeremy Hunt’s name, falling to their knees in gratitude when the mystical foreign secretary himself appears in a flash of lightning, ready to dispense vuln-disclosing justice.

We encourage GCHQ-based readers to send us videos of this process if this is actually what goes on.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/29/gchq_vuln_disclosures_judge_hacking_warrants/

Healthcare billing biz AccuDoc ‘fesses up to breach that blabbed 2.65m people’s data

Miscreants gained access to US healthcare billing vendor AccuDoc Solutions’ database for about a week in September, exposing the data of at least 2.65 million people.

North Carolina-based Atrium Health, a customer of AccuDoc Solutions, this week said it had been affected by the breach. The firm operates 44 hospitals across North Carolina, South Carolina and Georgia, as well as urgent care centres and other practices.

In a statement, Atrium Health said a third party had gained access to AccuDoc’s databases for a week (22-29 September), “through a website for an unrelated client”.

Atrium Health – which repeatedly emphasised its innocence – said AccuDoc had terminated unauthorised access as soon as the breach was identified, closed off the compromised path and rebuilt the affected database.

However, the intruder still gained access to information on 2.65 million patients who use Atrium Health’s services, with the firm saying “even one record accessed is one too many”.

Information that the hacker had access to included names, addresses, dates of birth, insurance policy information, medical record numbers, account balances and dates of services.

In about 700,000 cases, it also included social security numbers, Atrium Health said – these people will be offered free identity monitoring services.

It did not include any financial details or medical records and the company stressed an investigation had confirmed that although data was accessed, none was downloaded.

An FAQ statement, posted on the website of corporate fraud investigation firm Kroll, said Atrium was told about the incident on 1 October, but didn’t tell patients until after an initial investigation.

“Cybersecurity investigations can be very complicated and it was important that we accurately understood what happened and properly identified who was affected,” the statement said.

“Both AccuDoc and Atrium Health engaged their own forensic investigators to review the incident and alerted the Federal Bureau of Investigation (FBI).”

AccuDoc provides billing services – such as preparing paper statements and operating a website for patients to pay for services – to various healthcare providers.

Local press reported that AccuDoc’s general counsel, Kenneth Perkins, said one other customer, Baylor Medical Center in Texas, was affected, with potentially 40,000 people’s records exposed.

The Charlotte Observer reported that Perkins had said “anything is possible” when asked whether the breach might have affected more people.

“We’ve tried to take the high road and (notified) everybody and be good stewards…. We take health care privacy very seriously.”

The Register has contacted AccuDoc for confirmation that the breach affected just these two customers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/29/accudoc_atrium_health_data_breach/

Black Hat Europe: Get the Nation-State Perspective on Cybersecurity

Attendees of Black Hat Europe in London next week will hear about worldwide cybersecurity developments and challenges from the Global Commission on the Stability of Cyberspace’s Marina Kaljurand.

Are you ready for Black Hat Europe in London next week? It promises to be jam-packed with valuable learning opportunities! So as you’re planning out your schedule be sure to leave time between seeing old friends and making new ones to attend some of this year’s most intriguing Briefings, Trainings, and Arsenal demos.

Most notably, check out this year’s keynote, Developments and Challenges in Cybersecurity from the Nation-State Perspective. Presented by Global Commission on the Stability of Cyberspace chair and former Estonian Foreign Minister Marina Kaljurand, this premier talk will address the lessons learned from the politically-motivated cyberattacks Estonia weathered in 2007.

It’s a unique opportunity to learn from firsthand accounts of nation-state cyberwarfare. Kaljurand intends to shed light on the challenges we face in 2018/2019, the role of states and other stakeholders in global cybersecurity, and what the future holds. She’ll also introduce you to the work of the Global Commission on Stability in Cyberspace, which is a multi-stakeholder model that contributes to international discussion and policy-making. Don’t miss it!

If you’re after more in-depth learning, know that there’s still time to register for many of the 2-Day Trainings next week, including Mandiant’s Windows Enterprise Incident Response. This intensive course is designed to teach fundamental investigative techniques needed to respond to today’s landscape of threat actors and intrusion scenarios. Completely redeveloped with all new material in 2016, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and forensic analysis know-how.

Stop by the Black Hat Europe Arsenal to enjoy demos of some potential new tools, including VirusTotal Graph: Investigation, which is a free visualization tool built on top of the VirusTotal data set. The tool helps you study the relationship between files, URLs, domains and IP addresses through an easy navigation interface. By exploring and expanding each of the nodes in your graph, you can build the network and quickly see the connections across the samples you are studying.

You might also want to check out Kurukshetra, a web framework to host reasonably complex secure coding challenges. Developed with the aim of being the first open-source secure coding framework, it’s composed of two components:

  • A backend framework written in PHP, which manages and leverages the underlying docker system to provide a secure sandbox for the challenge execution;
  • The frontend, which is a user-facing web app providing the necessary controls for the admin to host and modify the challenges, and for the user to execute and view the result of each of their inputs.

To close out this year’s conference, join Black Hat founder Jeff Moss and members of the esteemed Black Hat Review Board for an insightful conversation on the most pressing issues facing the InfoSec community. This special Locknote: Conclusions and Key Takeaways from Black Hat Europe 2018 Briefing, held at the end of the final day (Thursday, December 6) will review key takeaways coming out of Black Hat Europe and how these trends will impact future security strategies.

Black Hat Europe returns to ExCeL London December 3-6, 2018. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-europe-get-the-nation-state-perspective-on-cybersecurity/d/d-id/1333361?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Return of Email Flooding

An old attack technique is making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can’t easily detect.

Imagine your inbox receiving 15,000 messages over the course of just a few days. What would certainly be an extreme nuisance could also translate into a huge productivity and operations liability, taking days or even weeks to return your primary method of communications back to normal.

Known as email flooding, this easy-to-implement technique is re-emerging among attackers for two primary reasons: to deliver the messages and demands of hacktivists, and as a diversionary tactic to help perpetrate financial or operational fraud.

A Tsunami of Emails
Also known as subscription bombing or email bombing, email flooding dates back to the late 1990s, when attackers automated programs to scan the web for sign-up forms and insert the email addresses of those being targeted into numerous subscription forms. The targeted addresses would subsequently receive thousands of emails in a short period of time, often disabling the account.

Such attacks have been used in the past for harassment or for political purposes. One of the first noted instances was in 1996, when a stockbroker in San Francisco was bombarded with a flood of 25,000 emails that prevented him from using his computer.

Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don’t even pick them up in spam filters. The attacks can also be carried out automatically with simple scripts at registration forms that aren’t protected by CAPTCHA or opt-in email. Today, sophisticated landing pages are built to continuously send automated messages to any valid email address.

A Smokescreen for Fraudulent Transactions
Email bombs are also still used as a means of harassment. In August 2017, an email bomb shut down ProPublica’s email for a day, and secure email provider Tutanota was recently hit with a massive bomb that sent 500,000 newsletters to one of its mailboxes. At best, these attacks are a nuisance. But at their worst, they can cripple networks, shutter operations, and lead to a loss of productivity and revenue. 

In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.

The end-of-year global security report by AppRiver noted that cybercriminals are increasingly using this so-called “distributed spam distraction” (or DSD) to disguise fraud in real time. The attacks include email subscriptions and text-only messages that bombard the account for a period of 12 to 24 hours, then abruptly end after the real crime has been completed. Email bombs are not only effective but cheap and simple to orchestrate. Services on the Dark Web now enable anyone to bomb an email account with 5,000 messages for as little as $20.

The Underlying Need: A Comprehensive Email Strategy
With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This is especially important to stop email flooding, as traditional email safeguards such as secure email gateways and phishing awareness training are not built to mitigate this technique.

Currently, organizations trying to remediate an email flooding attack are asking IT to create scripts and tools to counter the influx of emails that come in bulk or intermittently. While correct in theory, this approach is time consuming and there is no guarantee that it will work. A paper at the Anti-Phishing Working Group noted that one of the most effective measures against email flooding is a layered approach toward detection and throttling through volume and time-based methodologies with phrasal pattern recognition. Authors of the paper said a combination of user email behavior profiling and anomaly detection can better help identify the start of a bombing attack.

This early detection can enable users to maintain functionality of the inbox by limiting new messages and allowing expected messages to come through. In many cases, it may buy just enough time to enable the user or the security operations center team to prevent a wire transfer.
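The layered approach described above, as an added example that is not code from the article, the APWG paper, or any vendor: a per-recipient sliding window on message volume, a phrasal check for subscription-style subjects, and a triage step that holds new mail from the detected onset while letting known-expected senders (the bank notice, in the sample) through. The log format, window, threshold and phrase list are assumptions, and the log lines are constructed.

```python
"""Toy subscription-bombing (email flood) detector with triage.

Added example, not from the article, the APWG paper, or any vendor. It layers
per-recipient volume over a sliding time window with a phrasal check for
subscription-style subjects, then holds new mail once a flood is detected while
expected senders still get through. Log format, thresholds and phrase list are
assumptions; the sample log is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_PER_WINDOW = 6               # assumed per-recipient ceiling for a toy mailbox
SUBSCRIPTION_PHRASES = ("confirm your subscription", "welcome",
                        "verify your email", "newsletter")

# Constructed log, one message per line: "<ISO timestamp> <recipient> <sender> <subject>"
SAMPLE_LOG = """\
2018-11-29T09:00:00 alice@example.com bob@example.com Q4 budget
2018-11-29T09:20:00 alice@example.com carol@example.com Lunch?
2018-11-29T10:00:00 alice@example.com news1@shop.example Welcome! Confirm your subscription
2018-11-29T10:00:30 alice@example.com news2@shop.example Please confirm your subscription
2018-11-29T10:01:00 alice@example.com news3@shop.example Newsletter signup
2018-11-29T10:01:30 alice@example.com bank@bank.example Wire transfer notice
2018-11-29T10:02:00 alice@example.com news4@shop.example Welcome to our list
2018-11-29T10:02:30 alice@example.com news5@shop.example Verify your email address
2018-11-29T10:03:00 alice@example.com news6@shop.example Confirm your subscription now
2018-11-29T10:03:30 alice@example.com news7@shop.example Welcome aboard
2018-11-29T10:05:00 dave@example.com erin@example.com Meeting notes
"""


def parse_log(text):
    """Parse the constructed log format into message dicts."""
    msgs = []
    for line in text.splitlines():
        ts, rcpt, sender, subject = line.split(" ", 3)
        msgs.append({"ts": datetime.fromisoformat(ts), "rcpt": rcpt,
                     "sender": sender, "subject": subject})
    return msgs


def is_subscription_like(subject):
    """Phrasal pattern check: does the subject read like a sign-up confirmation?"""
    s = subject.lower()
    return any(p in s for p in SUBSCRIPTION_PHRASES)


def detect_floods(msgs, window=WINDOW, max_per_window=MAX_PER_WINDOW):
    """Return {recipient: alert} for recipients whose volume in any window exceeds the ceiling.

    The first alert per recipient records the onset (oldest message still in the
    window), the count at detection time, and what fraction of those messages
    look like subscription confirmations.
    """
    recent = defaultdict(deque)   # recipient -> deque of (timestamp, subscription_like)
    alerts = {}
    for m in sorted(msgs, key=lambda x: x["ts"]):
        q = recent[m["rcpt"]]
        q.append((m["ts"], is_subscription_like(m["subject"])))
        while q and m["ts"] - q[0][0] > window:   # drop messages that fell out of the window
            q.popleft()
        if len(q) > max_per_window and m["rcpt"] not in alerts:
            sub_frac = sum(1 for _, s in q if s) / len(q)
            alerts[m["rcpt"]] = {
                "onset": q[0][0],
                "count": len(q),
                "subscription_fraction": round(sub_frac, 2),
                "kind": "subscription-bombing" if sub_frac >= 0.5 else "volume-anomaly",
            }
    return alerts


def triage(msgs, alerts, expected_senders):
    """Hold mail that arrived at a flooded mailbox from the onset onward, except from expected senders."""
    delivered, held = [], []
    for m in msgs:
        a = alerts.get(m["rcpt"])
        if a and m["ts"] >= a["onset"] and m["sender"] not in expected_senders:
            held.append(m)
        else:
            delivered.append(m)
    return delivered, held


if __name__ == "__main__":
    messages = parse_log(SAMPLE_LOG)
    found = detect_floods(messages)
    for rcpt, a in found.items():
        print(f"{rcpt}: {a['kind']} from {a['onset'].isoformat()} ({a['count']} msgs, "
              f"{a['subscription_fraction']:.0%} subscription-like)")
    ok, quarantined = triage(messages, found, {"bank@bank.example"})
    print(f"delivered={len(ok)} held={len(quarantined)}")
```

The triage step applies the onset retroactively to the sample so the whole flood is visible; in a live pipeline it would act from the moment of detection, and the list of expected senders would come from the recipient's own sending and receiving history rather than a hard-coded set.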

Hacktivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, and operations, or a combination thereof. As this old technique makes its way back into the mainstream, those in charge of email security must adopt layered defenses that can detect and respond to an onslaught of messages with the efficiency that legacy tools and script writing cannot.


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the …

Article source: https://www.darkreading.com/endpoint/the-return-of-email-flooding-/a/d-id/1333351?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Beware the Malware-Laden Brexit News

New Fancy Bear attack campaign lures victims with phony Brexit-themed document to deliver Zekapab payload.

The Russian operatives behind the well-established Fancy Bear cyberthreat group are at it again. This time they’re making political hay by taking advantage of the most recent round of Brexit news to help them get first-stage malware onto victims’ machines.

According to a report out today by analysts with Accenture Security’s iDefense team, the threat group is timing its attack in conjunction with the announcement by UK Prime Minister Theresa May of negotiations to draft the initial Brexit agreement with the European Union. iDefense analysts found that Fancy Bear is using a Brexit-themed lure document to help it deliver two different versions of the Zekapab reconnaissance malware. 

The attack document contains malicious macro-enabled content loaded via the settings.xml.rels component that’s embedded within it. 

“To trick the targeted individual into enabling macros, the attackers deliberately used jumbled-up text as content,” the iDefense report says.

The core malicious macro code is the same as the code used in a different campaign earlier this spring initially found by researchers at ESET. The macros drop two binaries, a Delphi version and a new .NET version, of the Zekapab malware, which is used by attackers to root around for system information and running processes. The malware delivers that information to a C2 server so that the bad guys can determine whether it’s worthwhile to execute second-stage malware using an autorun registry key set.
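A triage check for the document component named above, as an added example that is not code from the iDefense report or any vendor. It assumes the loader takes the form of a relationship in word/_rels/settings.xml.rels whose target lies outside the package; the scan lists every relationship in that file, flags targets that resolve to a remote host, and separately reports whether the package carries a VBA project at all (going a little beyond the specific case in the article). The sample packages and their placeholder targets are constructed in memory; no real lure is reproduced.

```python
"""Triage check for Word attachments: external relationships in settings.xml.rels.

Added example, not from the iDefense report or any vendor. Assumption: the lure's
loader is a relationship in word/_rels/settings.xml.rels with a target outside
the package. The scan reports all relationships there, flags remote (http/https)
targets, and notes whether a VBA project is present. Samples are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Constructed relationship files. The first is the benign shape (a template
# referenced by local path); the second points at a placeholder remote host.
CLEAN_RELS = f'''<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
      Target="file:///C:/Users/placeholder/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>'''

EXTERNAL_RELS = f'''<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
      Target="http://template-host.invalid/placeholder.dotm" TargetMode="External"/>
</Relationships>'''


def build_docx(settings_rels=None, with_vba=False):
    """Build a minimal constructed .docx-style zip in memory (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if settings_rels is not None:
            z.writestr(SETTINGS_RELS, settings_rels)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def scan_docx(data):
    """Return triage findings for an OOXML package supplied as bytes."""
    findings = {"settings_relationships": [], "remote_targets": [],
                "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # A VBA project anywhere in the package means macros are present.
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if SETTINGS_RELS in names:
            root = ET.fromstring(z.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                entry = {
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                    "external": rel.get("TargetMode", "Internal").lower() == "external",
                }
                findings["settings_relationships"].append(entry)
                # Local file:// templates are normal; a remote host is the pattern to flag.
                if entry["external"] and entry["target"].lower().startswith(("http://", "https://")):
                    findings["remote_targets"].append(entry["target"])
    findings["suspicious"] = bool(findings["remote_targets"]) or findings["has_vba_project"]
    return findings


if __name__ == "__main__":
    for label, pkg in (("clean", build_docx(CLEAN_RELS)),
                       ("remote-template", build_docx(EXTERNAL_RELS)),
                       ("vba-only", build_docx(None, with_vba=True))):
        f = scan_docx(pkg)
        print(f"{label}: suspicious={f['suspicious']} remote={f['remote_targets']} "
              f"vba={f['has_vba_project']}")
```

Run against a mail gateway's quarantine folder, the scan gives an analyst a reason to hold an attachment before anyone is tempted to click “Enable Content”; it is a triage aid, not a verdict, since a document can be malicious without either indicator.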

First identified by security researchers in 2014 but likely operating far longer, the Fancy Bear threat group has been known by a number of names, including APT28, Sednit, and Strontium. iDefense analysts refer to this group as SNAKEMACKEREL and remind the security community that this highly sophisticated group has been linked by several governments to RIS, the Russian military intelligence service.

“The creation of this malicious document, coming on the same day that the UK government announced an initial agreed draft of the BREXIT agreement, suggests that SNAKEMACKEREL is a group that pays close attention to political affairs and is able to leverage the latest news headlines to develop lure documents to deliver first-stage malware, such as Zekapab, to its intended targets,” the report says.

In spite of highly touted industry work by the likes of Microsoft and others to battle Fancy Bear through takedowns and domain seizures, iDefense analysts explain that the group still remains “highly active.” This latest attack is just one of many continually crafted by the group.

“It is behind a large number of cyberattacks targeting global aerospace and defense contractors, military units, political parties, the International Olympic Committee (IOC), anti-doping agencies, government departments, and various other verticals,” the report explains.



Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/attacks-breaches/beware-the-malware-laden-brexit-news/d/d-id/1333364?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft’s Office 365 MFA security crashes for second time

Microsoft’s multi-factor authentication (MFA) for Office 365 and Azure Active Directory has fallen over for the second time in a week.

Azure’s service status page delivered Tuesday’s bad news:

Between 14:25 UTC and 17:08 UTC on 27 Nov 2018, customers using Multi-Factor Authentication (MFA) may have experienced intermittent issues signing into Azure resources, such as Azure Active Directory, when MFA is required by policy.

Officially, that’s just shy of three hours with either no or intermittent MFA, although it took until 18:53 UTC for Microsoft’s Twitter account to become confident enough to announce that the service was definitely up and running again.

Microsoft’s initial root cause analysis (RCA): something went wrong at DNS level which led the infrastructure supporting MFA to become “unhealthy”.

The solution was to reboot – which seemed to work but at the expense of receiving several sarcastic tweets congratulating Microsoft on a successful reboot/turning it off and on again.

Déjà vu – all over again

This issue is the latest in what’s fast becoming a long line of bloopers for Microsoft in recent weeks. The company has only just published an explanation for a longer and more serious MFA outage suffered on 19 November that left many customers unable to log into Office 365 or Azure for an entire working day, or in some cases, longer.

This included frank admissions about what the company said were three interconnected root causes:

  1. Under high traffic loads, the Azure MFA front-end server’s communication with cache services deteriorated (which, ironically, exist to boost performance).
  2. This caused a ‘race condition’ in processing responses from the MFA’s backend servers, a way of saying that different parts of the MFA system were out of sync with one another badly enough to stop them communicating properly.
  3. This then caused the backend services to overload at which point MFA stopped working.

Extraordinarily – this is the bit that will make some customers sit up – Microsoft didn’t notice any of this until users started complaining about MFA’s disappearance.

How so? Because:

Gaps in telemetry and monitoring for the MFA services delayed the identification and understanding of these root causes which caused an extended mitigation time.

Microsoft then explains how attempting to fix the above problems for APAC and EMEA regions by re-routing MFA traffic via the US caches simply made things worse there too.

Having issued a post-mortem for the first outage, Microsoft has promised to follow up with something similar for Tuesday’s.

What might be going on?

There is perhaps a small clue in the analysis for the 19 November outage where Microsoft mentions that the service was struggling to cope with high traffic levels.

Perhaps, then, it’s simply that lots of organisations and consumers have been turning on MFA, which wouldn’t be surprising given that Microsoft itself has been promoting the extra security benefits that it can bring.

So, let’s be positive: the outages might not be symptoms of MFA’s failure but rather of its sudden – and very welcome – popularity.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EniDRIhhCFw/

Facial recognition traffic camera mistakes bus for famous woman

It is said of Dong Mingzhu, known as China’s most successful businesswoman, that wherever the driven, I-haven’t-taken-a-day-off-in-27-years Queen of Air Conditioning walks, no grass grows.

Yeah, well, forget about the grass: she’s a scofflaw JAYWALKER!!!

That, at any rate, was the erroneous conclusion arrived at recently by a facial recognition traffic camera that obviously can’t tell an advertisement on a bus from a human face.

Hence was the face of the famous woman known throughout the land as “Sister Dong” splashed onto a huge screen erected along a street in the port city of Ningbo for purposes of naming and shaming jaywalkers. Dong’s photo included a line of text saying that she’d just broken the law by crossing the street against a red light.

The South China Morning Post (SCMP) reported that the surveillance system captured Dong’s image on Wednesday from an advertisement on the side of a moving bus.

“Whoops,” said Ningbo’s traffic police. That same day, they wrote in a post on Sina Weibo that it had been a mistake, that the surveillance system had since been “completely upgraded,” and that Dong’s photo had been deleted. From a Google translation of the post:

The portraits on the bus body advertisements traveling south to north were misidentified, and the traffic police department immediately deleted them afterwards. At present, the technicians have completely upgraded the system to reduce the false recognition rate.

Some Chinese cities have been using these AI-backed facial recognition systems to name and shame jaywalkers for months now.

Cities, including Beijing and Shanghai, have also been using AI and facial recognition to regulate traffic and identify drivers who violate road rules. Shenzhen traffic police launched the jaywalker name-and-shame campaign in April 2017, when the city began displaying jaywalkers’ photos on large LED screens at major intersections.

Shenzhen traffic police announced in February that some 13,930 jaywalkers had been recorded and displayed at just one busy intersection in the prior 10 months.

According to NextShark, the system works with a camera that’s triggered whenever somebody enters the crosswalk during a red light. Shenzhen Traffic Police Technology Department Chief officer Li Qiang told the publication that the camera captures a photo of the jaywalker’s face, then automatically sends it to the LED screen and to a police database for identification.

The system registers how many times a repeat offender has violated traffic rules. After a point, the offender’s social credit score will take a hit. China’s all-encompassing social credit score system is due to be fully up and running by 2020, according to a plan posted on the Beijing municipal government’s website last week.

Repercussions of getting a downgraded social credit score are manifold for Chinese citizens: beyond not being able to get a loan, they include being barred from flights and high-speed trains, having to forego heating subsidies, being denied promotions, and pervasive public shame.

Ms. Dong, however, didn’t hold the mistake against police. Her company, Gree Electric Appliances, issued a statement thanking Ningbo’s traffic police for their hard work and calling on people to obey traffic rules.

At least Dong had a chance to be exonerated. Chinese citizens often don’t even know they’re being surveilled.

The Telegraph quoted Sophie Richardson, China director for the non-profit Human Rights Watch:

States have an obligation to provide their citizens with public security, but not at the expense of fundamental human rights. Much of this technology gathers information about people without their knowledge and consent. They have no way of knowing until it’s somehow being used against them. There is no effective way of pushing back against that.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u2qFaM6gnLQ/

Symantec comes out swinging in bitter legal battle over security bug audit conspiracy claims

Symantec says the biz that accused it of conspiring with others to avoid independent security audits is “less than honest” and driven by a “thirst for profits.”

“This is, at bottom, a case where one company’s thirst for profits has led it to brush aside the needs of its customers for more accurate testing of their computer security in order to support an opaque, inaccurate, and less-than-honest business model,” Symantec argued [PDF] in a California court filing this week.

It argues that the legal action brought by independent software tester NSS Labs against Symantec in the US should be dismissed in its entirety because its claims “are entirely devoid of merit.”

Those claims included that several security vendors – Symantec, CrowdStrike, ESET, and the Anti-Malware Testing Standards Organization (AMTSO) – not only knew of bugs in their code and had failed to act but that they were “actively conspiring to prevent independent testing that uncovers those product deficiencies.”

NSS Labs sued the four organizations back in September in what it said was an effort to highlight bad practices in the security software field.

At the time, all four denied the allegations but this is the first time that those organizations have formally responded to the lawsuit. Each has filed its own response, every one calling for the lawsuit to be summarily dismissed, but Symantec’s stands out as aggressively attacking NSS Labs.

It points out that NSS Labs runs two forms of test: a private one where it works with a vendor confidentially to identify and fix flaws in its product; and a public one where it tests a company’s products without informing it and publishes the results publicly.

It only makes money from the former and, Symantec notes, “to do well in an NSS public test, it is important to pay NSS first for a private test. That is its business model.”

But there are still flaws, right?

While that model is clearly far from ideal, NSS Labs claims that the reality is still that it identifies significant security flaws in software bought by businesses and individuals to protect themselves. As such, the companies’ efforts to boycott NSS Labs altogether because it won’t work with them to keep flaws under wraps are anti-consumer, the testing company claims.

Somewhat worryingly, none of the responses to NSS Labs’ lawsuit tackle this issue head on; instead they claim that the company doesn’t have a case because, even if the defendants had conspired, they wouldn’t have broken the law.

“In the end, Defendants are simply alleged to have exercised their discretion not to cooperate with a firm whose way of doing business conflicted with their own understanding of what will best serve their customers,” argued Symantec.

The other defendants claim that NSS Labs hasn’t got any proof that they conspired against it.


CrowdStrike claims in its response [PDF] that NSS has not provided any plausible facts over the alleged boycott “namely (1) who conspired, (2) what they conspired to do, (3) when or where the conspiracy took place, (4) why the alleged conspirators conspired, i.e., the purpose of the alleged conspiracy, or (5) how they were to enforce the conspiracy.”

And it uses its own tangled legal history with NSS Labs to argue that it had no need to conspire – it had already refused to work with the company over a previous argument after the tester “fraudulently accessed CrowdStrike’s proprietary and confidential software platform.”

CrowdStrike had paid NSS for one of its private tests and was infuriated when the company subsequently said it would publish test results of CrowdStrike’s products. CrowdStrike filed for an injunction to prevent the release of the results, claiming that NSS had “failed to adhere to NSS’s own stated testing methodologies and that its testing exhibited severe quality control failures.” It failed, but the legal battle continues.

NSS Labs “only insinuates a conspiracy and offers no facts to support one, particularly with respect to CrowdStrike,” CrowdStrike argues.

It also claims that NSS is simply in it for the money: “The crux of NSS’s Complaint is that it would prefer a standard that better benefits NSS’s business model, such as by not requiring Testers to work with Vendors in a transparent way. This conflict with Vendors that want transparency does not render the Standard anticompetitive, however.”

It notes: “Even if NSS’s quibbles were correct, it would need to do more to state a claim.”

Trust as standard

And as for the Anti-Malware Testing Standards Organization (AMTSO) – whose standards the companies are using and which allows them to communicate in private and fix issues before they are made public – it argues [PDF] that it can’t be sued for antitrust because the law says so.

“Under the Standards Development Organization Advancement Act of 2004 (SDOAA), ‘the conduct of a standards development organization while engaged in standards development activity shall not be deemed illegal per se.’ AMTSO is a standards development organization… Accordingly, AMTSO’s conduct in developing the Standard cannot be deemed illegal per se.”

Which may be true but is far from reassuring.

In terms of the whole public/private testing approach, AMTSO offers this as an explanation: “A useful analogy is the cross examination of witnesses. Federal courts require extensive witness disclosures in advance of testimony at trial, and many practitioners feel that these disclosures promote the truth-seeking purpose of cross examination.

“Some state courts provide for no witness disclosures whatsoever, and some practitioners would argue vehemently that trial by ambush is most effective. Both camps have a valid argument. But there is no valid argument for requiring witness disclosures of one party to a trial but not the other. In other words, the provision of information does not defeat the fairness of a trial (or a comparative test). But an undisclosed information disparity between litigants (or test subjects) does.”

Or, in other words, no one likes the fact that NSS Labs doesn’t give vendors a heads-up about security holes it finds in their products before publishing the results.

And so, you know, maybe we decided we didn’t want to use them no more. Ain’t nothing illegal about that, your honor. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/29/symantec_attacks_nss_labs/

What the Dell? Customer passwords reset after miscreants break into Big Mike’s IT emporium

Dell is resetting all customer passwords on its website after a hacker or hackers unknown infiltrated its internal network.

Big Mike’s server and PC biz says that the move is a precautionary measure after someone broke in and tried to get into a database containing customer names, email addresses, and hashed passwords, in what the IT giant is calling a “Potential Cybersecurity Incident.” The tech slinger reckons the miscreants left empty-handed.

The saga began on November 9, when Dell says its admins detected an unauthorized user on the network attempting to access customer account data. While the offending party was promptly booted, Dell isn’t sure what they were able to get, if anything.

“Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted,” Dell said today in a statement disclosing the daring cyber-heist bid.

“Additionally, Dell cybersecurity measures are in place to limit the impact of any potential exposure.”

No payment card information was accessed, and Dell said that none of its other services were affected by the network security breach, including Dell’s EMC and DellTechnologies.com sites.

While Dell works to determine just what, if anything, the hackers may have been able to access, the company is resetting the passwords and then hashing the new ones. Anyone who might have reused their Dell.com password on another site (for the nth time: don’t do this) is being advised to change those credentials as well.
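The response described above, a precautionary reset of every stored password even though only hashed values may have been exposed, is worth seeing in code. The following is an added illustration, not Dell’s own code or any detail of its systems: it assumes a minimal credential store that keeps a per-user salt and a PBKDF2-HMAC-SHA256 digest (never the plaintext), lets an incident responder invalidate all passwords at once, refuses logins until each user completes a reset, and rejects a “new” password that is the same as the possibly exposed one. The account details used are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# PBKDF2-HMAC-SHA256 iteration count (assumed work factor for this example).
# A slow, salted KDF is what makes a leaked "hashed passwords" table costly
# to guess against offline; it does not remove the need for a reset.
DEFAULT_ITERATIONS = 600_000


@dataclass
class Account:
    salt: bytes               # per-user random salt, stored beside the digest
    digest: bytes             # PBKDF2 output; the plaintext password is never kept
    must_reset: bool = False  # set during an incident; logins refused until reset


class CredentialStore:
    """Illustrative credential store with an incident-driven forced reset."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self._iterations = iterations
        self._accounts: dict[str, Account] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self._iterations
        )

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[email] = Account(salt=salt, digest=self._derive(password, salt))

    def verify(self, email: str, password: str) -> bool:
        """True only if the password matches and no reset is pending."""
        acct = self._accounts.get(email)
        if acct is None or acct.must_reset:
            return False  # refuse outright while a reset is pending
        return hmac.compare_digest(acct.digest, self._derive(password, acct.salt))

    def force_reset_all(self) -> int:
        """Incident response: invalidate every stored password at once."""
        for acct in self._accounts.values():
            acct.must_reset = True
        return len(self._accounts)

    def complete_reset(self, email: str, new_password: str) -> bool:
        """Install a new password; rejects re-use of the possibly exposed one."""
        acct = self._accounts.get(email)
        if acct is None:
            return False
        if hmac.compare_digest(acct.digest, self._derive(new_password, acct.salt)):
            return False  # choosing the same password again would defeat the reset
        acct.salt = os.urandom(16)  # fresh salt and fresh digest for the new password
        acct.digest = self._derive(new_password, acct.salt)
        acct.must_reset = False
        return True


if __name__ == "__main__":
    # Constructed walkthrough of the incident flow.
    store = CredentialStore()
    store.register("alice@example.com", "correct horse battery staple")
    print("login before incident:", store.verify("alice@example.com", "correct horse battery staple"))
    print("accounts invalidated:", store.force_reset_all())
    print("login during pending reset:", store.verify("alice@example.com", "correct horse battery staple"))
    print("reset to same password accepted:", store.complete_reset("alice@example.com", "correct horse battery staple"))
    print("reset to new password accepted:", store.complete_reset("alice@example.com", "a different long passphrase"))
    print("login after reset:", store.verify("alice@example.com", "a different long passphrase"))
```

The design choice that matters here is that `verify` refuses a pending-reset account before doing any password comparison, so a stolen digest cannot be used to log in even if the attacker guesses the password offline, and `complete_reset` checks the candidate against the old digest so the user cannot quietly reinstate the exposed credential.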


“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation,” the IT hardware giant said.

“Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”

A website has been set up to keep customers updated on any further developments in the case.

If the early indications are to be believed, Dell looks to have dodged a bullet. As no personal information or card details were accessed, the hardware vendor will not need to pay up for credit monitoring or identity protection services for customers. Once the password is reset, Dell says customers will be protected even if that information does turn out to have been stolen.

Still, the incident should come as a wake-up call to administrators and users alike. If one of the largest computing companies in the world can be at least partially breached by hackers, smaller companies can easily fall victim themselves. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/28/dell_resets_passwords_hack_alert/