STE WILLIAMS

Private browsing isn’t: Boffins say smut-mode can’t hide your tracks

A group of boffins working at MIT’s Computer Science and Artificial Intelligence Laboratory argue that “private” browsing modes aren’t private, and have given developers a framework to fix it.

The problem, wrote Frank Wang with his thesis advisors (Nickolai Zeldovich and luminary James Mickens), is that even if you’re using “private” or “incognito” mode on standard browsers, several leak vectors remain: the file system, the browser cache, the DNS cache, and even “on-disk reflections of RAM such as the swap file”.

In a paper (PDF) delivered last week at the Network and Distributed Systems Security Symposium, the three presented the fix: a framework called “Veil” that puts an onus on site operators to stop the leaks. Developers, Wang writes in the paper, do control what’s sent to browsers, and which servers deliver the content.

Of course, there are plenty of sites either indifferent or hostile to user privacy. The Veil framework won’t change their minds, but Wang says sites that want to protect privacy but “lack the technical skill”, and those who are “actively invested” in protecting users need help.

Encryption is at the heart of Veil, but it is used differently from an HTTPS deployment, which protects content on the wire rather than in the browser’s own caches. Here’s how Veil works:

  • Compilation – HTML and CSS files are passed through the Veil compiler, which uses encryption to create a URL that can’t be linked to the original. These are called “blinded references”, and a runtime library injected into each page also forces dynamic requests to be blinded;
  • Servers – the compiler sends Web page objects to Veil’s “blinding servers”, which send content to users, and which also mutate the content (HTML, CSS and JavaScript) to protect users’ client-side memory artefacts. The result is that different users get a unique client-side representation of the page;
  • Client-side management – Veil’s runtime manipulates the operating system’s “least-recently-used” page replacement so that sensitive RAM pages stay resident and are not swapped out to disk (the “heap walking” referred to in the overhead figures below);
  • Document Object Model (DOM) hiding mode – the highest privacy level, this treats the browser as a dumb graphic terminal – no executable code is ever sent to the user. Instead, pages are rendered at the server-side and only the image is sent, so there’s no chance of a privacy leak from the browser;
  • State encryption – Veil can store private, persistent state by encrypting the state. It gets a blinded reference the user generates, not the site.

As MIT’s announcement explains, DOM hiding mode still lets the user interact with the site: the browser records the location of a click, sends that location to the Veil server, and the server returns a new page image.
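The first bullet above, blinded references, is the piece a web developer can reason about without the rest of Veil. The following is an added illustration, not Veil’s code: a per-user blinding key shared by the compiler and the blinding server is used to derive every URL the browser ever sees, so two users never cache or log the same reference for the same object, and a reference minted for one user resolves only on that user’s session. The choice of HMAC-SHA256 as the blinding function, the “/v/” prefix, the regex rewrite of src/href attributes and the sample site are all assumptions of this example, not details from the paper.

```python
"""Blinded references, in the spirit of Veil (added illustration, not Veil's code).

Veil's point: the URLs a browser fetches end up in its cache, history and DNS
cache, so they must not be linkable to the publisher's real object names.
Here the compiler and the blinding server share a per-user blinding key and
derive every reference from it, so two users never see the same URL for the
same object, and the blinding server can resolve a reference only for the
user it belongs to.

Assumptions that are mine, not the paper's: HMAC-SHA256 as the blinding
function, a 128-bit truncated reference under a "/v/" prefix, and a regex
rewrite of src/href attributes. The sample page and objects are constructed.
"""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

ATTR_RE = re.compile(r'\b(src|href)="([^"]+)"')


def blind(user_key: bytes, url: str) -> str:
    """Blinded reference for url: deterministic per (key, url), unlinkable without the key."""
    mac = hmac.new(user_key, url.encode(), hashlib.sha256).digest()[:16]
    return "/v/" + base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


class BlindingServer:
    """Toy blinding server for one user session.

    It holds the publisher's objects (real path -> content) and the user's
    blinding key, so it can rebuild the reference table and serve requests
    that arrive under blinded names.
    """

    def __init__(self, user_key: bytes, objects: Dict[str, str]):
        self.user_key = user_key
        self.objects = objects
        self.table = {blind(user_key, path): path for path in objects}

    def compile_page(self, html: str) -> str:
        """Compiler step: rewrite every src/href to this user's blinded reference."""
        return ATTR_RE.sub(
            lambda m: f'{m.group(1)}="{blind(self.user_key, m.group(2))}"', html
        )

    def serve(self, blinded_ref: str) -> Optional[str]:
        """Resolve a blinded reference; references minted under another user's key miss."""
        real = self.table.get(blinded_ref)
        return None if real is None else self.objects[real]


# Constructed sample site (not real content).
OBJECTS = {
    "/clinic/test-results.html": "<h1>Your results</h1>",
    "/img/clinic-logo.png": "PNG-bytes-stand-in",
}
PAGE = '<a href="/clinic/test-results.html">Results</a><img src="/img/clinic-logo.png">'


def demo() -> dict:
    """Two users, one site: show what each browser would cache and what each server resolves."""
    alice = BlindingServer(secrets.token_bytes(32), OBJECTS)
    bob = BlindingServer(secrets.token_bytes(32), OBJECTS)
    alice_page = alice.compile_page(PAGE)
    alice_ref = blind(alice.user_key, "/clinic/test-results.html")
    return {
        "alice_page": alice_page,
        # the real path never appears in what Alice's browser caches or logs
        "path_leaked": "/clinic/test-results.html" in alice_page,
        # Alice's reference resolves on her session, not on Bob's
        "alice_serve": alice.serve(alice_ref),
        "bob_serve": bob.serve(alice_ref),
        # two users get two different URLs for the same object
        "same_ref_across_users": alice_ref == blind(bob.user_key, "/clinic/test-results.html"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

What this does not model is the rest of the list above: the per-user mutation of the served HTML, CSS and JavaScript, the heap walking, and the DOM hiding mode. It also keeps the blinding server and the publisher in one process; in the article’s description, content reaches users via Veil’s blinding servers rather than the publisher’s own origin.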

As MIT’s announcement notes, Veil imposes an extra infrastructure requirement on Website operators. Apart from adopting the Veil framework, they also need to be willing to host the extra server infrastructure.

That makes Veil more likely to be of interest to sites that stake their reputations on privacy-protected services.

Wang also believes the performance penalty is bearable, writing: “Experiments show that Veil’s overheads are moderate: 1.25x–3.25x for Veil with encrypted client-side storage, mutated DOM content, and heap walking; and 1.2x–2.1x for Veil in DOM hiding mode.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/26/mit_wang_veil_browsing/

6 Cybersecurity Trends to Watch

Expect more as the year goes on: more breaches, more IoT attacks, more fines…

In 2017, it seemed like we faced a new, devastating breach and/or virus at least once a month. The victims — Chipotle, Brooks Brothers, Kmart, Verizon, Equifax, Deloitte, the SEC, Whole Foods, and Xbox among them — represent an astonishingly broad range of industries. At the same time, malware such as WannaCry, which affected more than 300,000 computers, far exceeded prior perceptions about the potential for hackers to wreak havoc. We don’t expect such incidents to go away anytime soon. In fact, they’ll likely escalate in scope and capacity for damage.

January 2018 brought us a whole new type of threat with the Meltdown and Spectre bugs. Suddenly, the scope of hardware vulnerabilities was front and center. However, amid the media frenzy, we should move forward with a reasonable sense of what to anticipate the rest of this year, to best defend our organizations and their sensitive data – which now resides in the cloud, in on-premises data centers, and in hybrid computing environments. With this in mind, here are six cybersecurity trends to watch for the rest of the year:

We’ll likely see another breach of Equifax proportions — and it’s likely to be a Web application attack.
Cloud computing has accelerated the adoption and usage of Web applications, and attacks targeting Web applications have skyrocketed. As with the Equifax breach — which resulted in the hacking of 145 million accounts — we will see the exploitation of more Web application vulnerabilities. Web application attacks account for nearly three in 10 breaches overall — far outpacing cyber espionage, privilege misuse, and all other threat drivers, according to the latest Verizon Data Breach Investigations Report. Also according to this report, the rate of Web application-related breaches has grown over 300% from 2014 to 2016. Furthermore, several IT spend reports point to a lack of security budget allocated to application security, despite the growing risk that Web applications represent.

There has yet to be a major cloud breach, and the streak is likely to continue — despite the panic over Meltdown and Spectre.
Most breaches we see target traditional apps and on-premises environments, not the cloud infrastructure itself. Think Target, Yahoo, and JP Morgan Chase. To date, no cloud application or cloud vulnerability has been the direct source of a cataclysmic breach, and we don’t envision this changing anytime soon. (The Verizon breach was caused by human error and was not due to a vulnerability of the cloud infrastructure itself.)

In analyzing more than 2.2 million verified security incidents captured in the Alert Logic network intrusion detection system over an 18-month period, the public cloud accounted for, on average, 405 incidents per customer. This was significantly lower than incidents occurring in on-premises environments (612 per customer), hosted private clouds (684), and hybrid cloud environments (977). While the Spectre and Meltdown vulnerabilities did not spare cloud deployments, the impact there is likely to be disruption from necessary patching and subsequent performance issues. We’re unlikely to see a major breach attributed to Spectre and Meltdown because they are unlikely to be used as initial attack vectors. However, they could be used to move laterally across the network once access has been gained through some other exploit, which is why patching is important.

The hype around machine learning will continue, but real security outcomes will remain elusive.
From the media to technophiles to countless vendors, everyone is talking about machine learning. There is immense power in its promise, particularly within cybersecurity. But in reality, few security vendors understand how to leverage it or integrate it into their solutions to produce results. Machine learning for cybersecurity requires a combination of data scientists, threat researchers and security operations center analysts who can identify patterns across data from thousands of real-world environments and feed that information into the machine learning algorithm. In other words, it isn’t a “plug-and-play” product.

The industry will see its first major fines for GDPR violations.
With the May 2018 deadline looming, we found in our research that only one-third of surveyed European Union (EU) companies are compliant or well on the way to complying with the General Data Protection Regulation (GDPR). Given this, we expect fines for noncompliance — including an example-setting large fine for a major global enterprise. GDPR mandates personal data protection for EU companies and all global organizations doing business in the EU, with companies required to document how and where data is stored and processed.

Hackers come for computing resources.
This year, we will see more hackers stealing computing power, slowing down systems, and running up the electric bills of the people who own the machines they’re hijacking. Why are they doing this? As cybercrime task forces and federal policing agencies battle ransomware, hackers are looking for safer and easier paths to profit. The bitcoin price surge in 2017 drove mass amounts of interest to cryptocurrency, but since bitcoin mining requires extreme amounts of CPU, hackers are mining other cryptocurrency variants, known collectively as “altcoins.”

Now hackers who are mining for cryptocurrency infect the computers of unsuspecting users — to “borrow” the power in the interest of making more money, faster. This type of attack is difficult to notice over time, although cloud computing delivered as-a-service can make it easier to spot in your bill.

Hackers will monetize IoT attacks.
In 2018, hackers will attack Internet of Things environments less to cause disruption or to show they can and more for financial spoils. In 2017, we saw the Mirai botnet compromise a large IoT attack surface. We’re now starting to see a new and sophisticated breed of botnets and IoT infections such as IoTroop — which essentially is gathering as many victims as it can and adding new bots every day. It has already affected 1 million devices and could increase substantially in a worm-like fashion. It’s evident that hackers are reverting to older methodologies to infect new devices and technology. Like other forms of hacking, once tactics for IoT exploits become refined and are replicated, we’ll see a shift in motivation from notoriety to financial gain.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Misha Govshteyn co-founded Alert Logic in 2002. Misha is responsible for security strategy, security research, and software development at Alert Logic. Prior to founding Alert Logic, Govshteyn served as a Director of Managed Services for Reliant Energy Communications.

Article source: https://www.darkreading.com/vulnerabilities---threats/6-cybersecurity-trends-to-watch/a/d-id/1331103?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Key Stats that Size Up the Cybercrime Deluge

Updated data on zero-days, IoT threats, cryptomining and economic costs should keep eyebrows raised in 2018.

Image Source: Adobe Stock (Phongphan Supphakank)

Now that we’ve got a couple of months from this year in the rearview mirror, security researchers have had enough time to crunch the numbers from 2017. That means a raft of new reports analyzing last year’s cybersecurity data with updated telemetry on the threat landscape, economic impact, and defense problems facing the cybersecurity industry.

Here are some of the most illuminating highlights. 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/endpoint/7-key-stats-that-size-up-the-cybercrime-deluge/d/d-id/1331116?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

PhishMe Acquired, Rebranded as Cofense in $400M Deal

Cofense is the new name for PhishMe, which was purchased by a private equity consortium.

PhishMe has rebranded under the name Cofense after being acquired by a private equity consortium, which valued the phishing defense company at $400 million.

The new brand signifies a broader approach to phishing defense, explains co-founder Aaron Higbee, who created the company with Rohyt Belani. Cofense plans to use its deeper financial backing to accelerate major product updates and grow its global presence in Europe and Asia.

Some things will stay the same, Higbee notes. Cofense will continue to give smaller organizations no-cost phishing tools including CBFree for employee training, email add-in Cofense Reporter, and PhishMe Free, a simulation tool for SMBs.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/phishme-acquired-rebranded-as-cofense-in-$400m-deal/d/d-id/1331132?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘In Fraud We Trust’ – Cybercrime org bust shows we’re fighting pros

A former FBI official says the sprawling Russian black-market forum for illegal hacking and fraud services known as Infraud Organization – its motto was “In Fraud We Trust” – was operated like a “dark-web cousin of major commercial marketplace sites”. The official said it shows one thing: that we’re clearly not just fighting solo hackers at this point.

The US Department of Justice (DOJ) earlier in the month indicted no fewer than 36 people in a transnational bust of the forum, which it said was responsible for more than $530m in losses over the course of its seven-year history.

According to the indictment, Infraud was created in October 2010 by Svyatoslav Bondarenko, aka “Obnon,” “Rector,” and “Helkern,” a 34-year-old from Ukraine. It was allegedly set up to promote Infraud as the “premier destination” for carding – purchasing retail items with counterfeit or stolen credit card information, prosecutors said.

The money came from trading in stolen credit card numbers, taxpayer numbers, compromised accounts, and materials to create counterfeit cards. The crooks were also allegedly involved in malware, money laundering, and so-called “bulletproof” hosting services designed to host other illegal online operations. From the DOJ’s announcement:

Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods.

It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.

Infraud had all the markings of a disciplined, well-run organization, according to the indictment: one that employed administrators to manage day-to-day operations and strategic planning, approved and monitored membership, and meted out punishments and rewards to members. Infraud also allegedly had “super moderators” who oversaw and administered specific subject-matter areas according to their fields of expertise; moderators who presided over one or two specific sub-forums within their areas of subject-matter expertise; vendors who sold illicit products and services to members; and both VIP and regular memberships.

Other dark-web marketplaces have been professionally organized in a similar fashion: Silk Road, for example, or AlphaBay.

But none have enjoyed the longevity or scope of Infraud, which had 10,901 registered members as of March 2017.

On Thursday, NBC News published comments on the Infraud bust from John P. Carlin and David Newman. Carlin was the assistant attorney general for the DOJ’s National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller III, where he helped lead the FBI’s handling of security threats, including cyber threats. Newman is a former special assistant to President Barack Obama, associate White House counsel, and director on the National Security Council staff.

The two former security officials said that the most important message for the public from the sweeping indictment is that companies aren’t just dealing with rag-tag script kiddies nowadays; rather, they’re basically up against other well-run companies:

While these types of multi-jurisdiction arrest sweeps are intended to send a message to cyber-criminals, the most important message in the near term is for the public: In today’s environment, companies are not just up against solo hackers, but highly skilled enterprises that rely on an international collection of criminal and cyber expertise.

… highly skilled enterprises that are also likely being sheltered from the eyes of the law by countries that find it convenient to overlook their criminal activities, Carlin and Newman suggest. They noted that the DOJ’s public statement sent out thank-yous to a long list of cooperating law agencies around the world, but that Russia was “conspicuously absent” from that list, even though the indictment indicates that the site was hosted in Russia.

Among other things, the indictment alleges that in 2011 the site’s founder issued a decree that banned the buying and selling of contraband involving Russian victims, a tactic experts noted is used to discourage Russian law enforcement from taking down a Russian-hosted server.

This is how shipshape the Infraud site was run:

The group’s leadership imposed a rigid hierarchy to maintain order on the site, delegated authority to system administrators and other associates who held roles of varying responsibility ranging from “Moderators” to “Super Moderators” to “Administrators.” It also relied on a system of strictly enforced rules and user-generated feedback to maintain quality control. Longstanding site members were promoted to “VIP Member” status to honor their contributions and solicited advice on the “In Fraud We Trust” discussion forum.

At the time of the bust, Wired quoted former FBI cybercrime agent EJ Hilbert, now a vice president of cybersecurity at security firm Gavin de Becker and Associates, who speculated that Infraud used the same sort of “bulletproof” hosting that the site itself sold: the type that keeps servers tucked far away from western cops, that covers operators in a blanket of anonymity, and that frequently shuffles sites around to stay a step ahead of investigators.

Hilbert:

They were sitting in countries outside the jurisdiction of Western law enforcement. That’s why something like this can remain live for an extended period of time.

While the Infraud bust was one of the largest takedowns of a dark-web market in history, the DOJ’s schematic of the organization reveals that a majority of the accused are still at large:

…which means that we should gird our loins for predation from more well-organized enterprises, including at the hands of much of the Infraud gang. Carlin and Newman said that the way things are going, it’s going to take some serious investing and some fancy footwork to keep out of the clutches of criminal enterprises like this one:

Meeting this threat takes a serious investment in technological safeguards as well as a willingness to adapt to an evolving threat. Companies and individuals should invest now in protections against these kinds of threats and begin planning for scenarios in which their systems are breached and their information finds its way to these kinds of dark corners of the internet.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4TscOROnReg/

US border agents haven’t verified e-passport data for over 10 years

E-passports – high-tech passports with chips to store traveler information and cryptographic hashes to verify that the passports haven’t been forged or otherwise tampered with – have been required for more than 10 years to get into the US if you’re coming from one of the 38 countries on the visa-waiver list.

Of course, there are readers at many ports of entry so that US Customs and Border Protection (CBP) can read the e-passports. That makes sense: after all, the US is the country that pushed for e-passport global adoption following the terrorist attacks of 9/11.

Too bad CBP agents don’t actually have the software necessary to discern whether the information on those high-tech passports is or is not a machine-readable load of hooey.

Two senators last week revealed that the CBP has been aware of its inability to authenticate the data stored on the e-passport chips since at least 2010, when the Government Accountability Office (GAO) released a report about how to better use e-passport security features, including the cryptographic signature that’s designed to make it near-impossible to forge a travel document or steal someone’s identity.

The news about the security failing came to light on Thursday when the two senators, Ron Wyden (D-OR) and Claire McCaskill (D-MO), sent a letter demanding that the CBP “immediately” start using the anti-forgery and anti-tamper feature in e-passports. The letter was addressed to CBP acting commissioner Kevin K. McAleenan.

Despite border agents using e-passport readers at “most” ports of entry, the senators said…

CBP does not have the software necessary to authenticate the information stored on the e-passport chips.

Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged.

As it is now, reading the e-passports amounts to security theater, given that there’s no verification of the data.

Matthew Green, who teaches cryptography at Johns Hopkins University, said in a tweet thread on Thursday that the news means that if you’ve got a passport from a visa-waiver country, whoever inspects it will be looking at a picture and traveler information read from the passport’s chip, and that data could well have been faked, given that the chip’s digital signature isn’t verified.
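The distinction the senators and Green are drawing is between reading a chip and authenticating it. The following added illustration (not CBP’s, ICAO’s or anyone’s production code) shows the check in miniature: an e-passport chip carries data groups (DG1 is the machine-readable zone text, DG2 the face image) and a Document Security Object holding a hash of each data group plus the issuing state’s signature over those hashes. A reader that only parses the chip shows whatever DG1 says; “passive authentication” verifies the signature and then every hash. To stay self-contained the example uses textbook RSA over two hard-coded Mersenne primes with a folded SHA-256 in place of a real Document Signer certificate chained to a CSCA, and plain Python objects in place of ASN.1/CMS; all traveler data is constructed, using ICAO’s fictional “UTO” issuer code.

```python
"""Passive authentication of an e-passport chip (added illustration, stdlib only).

An e-passport chip carries data groups (DG1 = the MRZ text, DG2 = the face
image, ...) and a Document Security Object (SOD): a hash of every data group
plus a digital signature over those hashes by the issuing state's Document
Signer. Checking hashes and signature is "passive authentication"; the
senators' complaint is that CBP readers display chip data without it.

Simplifications that are mine: data groups and the SOD are plain Python
objects rather than ASN.1/CMS, and the Document Signer uses textbook RSA with
two hard-coded Mersenne primes and a folded SHA-256 instead of a certificate
chained to the state's CSCA with proper signature padding. All traveller data
below is constructed (UTO is ICAO's fictional "Utopia" issuer code).
"""
import hashlib
import hmac
from typing import Dict, Tuple

Hashes = Dict[int, bytes]
Sod = Tuple[Hashes, int]


def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two known primes; returns (public, private) as (n, exponent) pairs."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


# Issuing state's Document Signer key, and a forger's own key (both toy-sized).
ISSUER_PUB, ISSUER_PRIV = toy_rsa_keypair(2**61 - 1, 2**89 - 1)
FORGER_PUB, FORGER_PRIV = toy_rsa_keypair(2**107 - 1, 2**127 - 1)


def _digest_int(payload: bytes, n: int) -> int:
    # Toy: fold SHA-256 into the modulus range. Real SODs use padded signatures.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def rsa_sign(payload: bytes, priv) -> int:
    n, d = priv
    return pow(_digest_int(payload, n), d, n)


def rsa_verify(payload: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(payload, n)


def sod_payload(hashes: Hashes) -> bytes:
    """Canonical bytes the Document Signer signs: (DG number, hash) in DG order."""
    return b"".join(bytes([dg]) + h for dg, h in sorted(hashes.items()))


def issue_sod(data_groups: Dict[int, bytes], priv) -> Sod:
    """Hash every data group and sign the hash list with the given private key."""
    hashes = {dg: hashlib.sha256(content).digest() for dg, content in data_groups.items()}
    return hashes, rsa_sign(sod_payload(hashes), priv)


def read_chip_unverified(data_groups: Dict[int, bytes]) -> str:
    """What a reader does with no authentication: show whatever DG1 says."""
    return data_groups[1].decode()


def passive_authenticate(data_groups: Dict[int, bytes], sod: Sod, issuer_pub) -> Tuple[bool, str]:
    """The check the senators want: signature first, then every data group hash."""
    hashes, signature = sod
    if not rsa_verify(sod_payload(hashes), signature, issuer_pub):
        return False, "SOD signature does not verify under the issuer's Document Signer key"
    if set(hashes) != set(data_groups):
        return False, "data groups on chip do not match those covered by the SOD"
    for dg, content in data_groups.items():
        if not hmac.compare_digest(hashlib.sha256(content).digest(), hashes[dg]):
            return False, f"DG{dg} hash mismatch: data altered after signing"
    return True, "passive authentication passed"


# Constructed genuine document.
GENUINE_DGS = {
    1: b"P<UTOSMITH<<JANE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<",
    2: b"\xff\xd8-jpeg-face-of-jane-smith",
}
GENUINE_SOD = issue_sod(GENUINE_DGS, ISSUER_PRIV)


def tampered_photo():
    """Photo swapped on the chip, SOD left untouched."""
    dgs = dict(GENUINE_DGS)
    dgs[2] = b"\xff\xd8-jpeg-face-of-impostor"
    return dgs, GENUINE_SOD


def forged_document():
    """Whole document rewritten and re-signed, but with the forger's key, not the issuer's."""
    dgs = {
        1: b"P<UTODOE<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<",
        2: b"\xff\xd8-jpeg-face-of-john-doe",
    }
    return dgs, issue_sod(dgs, FORGER_PRIV)


if __name__ == "__main__":
    cases = {"genuine": (GENUINE_DGS, GENUINE_SOD),
             "tampered photo": tampered_photo(),
             "forged": forged_document()}
    for label, (dgs, sod) in cases.items():
        print(f"{label:15} reader shows {read_chip_unverified(dgs)[:14]!r}  "
              f"passive auth: {passive_authenticate(dgs, sod, ISSUER_PUB)}")
```

Run it and the unverified reader prints a plausible name for all three documents, while passive authentication passes only the genuine one: the swapped photo fails on the DG2 hash, and the re-signed forgery fails on the signature. Note the last point depends on which public key the verifier trusts; the same forgery verifies fine under the forger’s own key, which is why real deployments anchor the Document Signer in the issuing state’s CSCA certificate rather than in whatever key the chip offers.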

Eight years after that GAO report, “it is past time for CBP to utilize the digital security features it required be built into e-Passports,” the senators wrote.

They gave the CBP until 1 January 2019 to a) work with subject matter experts at the General Services Administration to figure out how much it will cost to set up the technology that can validate the digital signatures in e-passports and to b) make it happen.

Until they get the technology up and running, the senators said, border staff “will continue to lack reasonable assurance that data found on e-passport computer chips have not been fraudulently altered or counterfeited.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/B-KnrsXiOVo/

Cisco NFV controller is a bit too elastic: It has an empty password bug

Cisco’s Elastic Services Controller’s release 3.0.0 software has a critical vulnerability: it accepts an empty admin password.

The Elastic Services Controller (ESC) is Cisco’s automation environment for network function virtualisation (NFV), providing VM and service monitoring, automated recovery and dynamic scaling.

Cisco’s advisory about the flaw explains the bug is in ESC’s Web service portal: “An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal.”

Once past the (non)-authentication, the attacker has administrative rights to “execute arbitrary actions” on the target system.

Only ESC software release 3.0.0 is affected, and the vuln has been patched. The bug’s been assigned CVE-2018-0121.
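Cisco’s advisory says what happens (an empty password is accepted by the portal) but not why. The following is an added, hypothetical illustration of the bug class rather than Cisco’s code: a login handler in which the credential comparison only runs when the submitted password is non-empty, so an empty or absent field falls through to success; the fail-closed version beside it; and a probe a tester can point at any login function to catch the pattern before it ships. Usernames, the password, the salt and the PBKDF2 round count are constructed for the example.

```python
"""The empty-password bug class behind an admin-portal bypass (added illustration).

Cisco's advisory says only that submitting an empty password to the ESC portal
grants administrative access; it does not say why. Below is a hypothetical
login handler showing one common way such a bug arises (the credential check
is skipped when the submitted password is falsy), the fixed handler, and a
probe for the class. Usernames, password and salt are constructed; none of
this is Cisco's code.
"""
import hashlib
import hmac
from typing import Callable, Dict

PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; production uses more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed credential store: username -> (salt, PBKDF2 hash).
_SALT = b"constructed-per-user-salt"
USERS = {"admin": (_SALT, hash_password("correct horse battery staple", _SALT))}


def login_vulnerable(form: Dict[str, str]) -> bool:
    """Hypothetical buggy handler: the password check only runs if a password was supplied."""
    user = form.get("username")
    password = form.get("password")
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    if password:  # BUG: "" or a missing field is falsy, so the comparison is skipped
        if hash_password(password, salt) != stored:
            return False
    return True  # reached with an empty password: an admin session for free


def login_fixed(form: Dict[str, str]) -> bool:
    """Fail closed: an empty or absent credential is a failed login, never a skipped check."""
    user = form.get("username")
    password = form.get("password")
    if not user or not password:
        return False
    entry = USERS.get(user)
    if entry is None:
        hash_password(password, b"dummy-salt-to-equalise-timing")  # same cost for unknown users
        return False
    salt, stored = entry
    return hmac.compare_digest(hash_password(password, salt), stored)


def probe_empty_password(login: Callable[[Dict[str, str]], bool],
                         username: str = "admin") -> Dict[str, bool]:
    """Regression probe: does any degenerate password value authenticate the account?"""
    cases = {
        "empty string": {"username": username, "password": ""},
        "missing field": {"username": username},
        "whitespace": {"username": username, "password": "   "},
        "null byte": {"username": username, "password": "\x00"},
    }
    return {name: login(form) for name, form in cases.items()}


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, probe_empty_password(handler))
```

The probe is the part worth keeping: run against the buggy handler it reports the empty-string and missing-field cases as successful logins, and against the fixed one every case fails. The same four requests, sent over HTTP to a real portal’s login endpoint, are a cheap check to add to any authentication test suite.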

The Borg’s latest patchfest also included a critical-rated bug in Cisco’s Unified Communications Domain Manager that also gives a successful attacker remote code execution privileges.

The vulnerability stems from insecure key generation during application configuration: an attacker could use “a known insecure key value to bypass security protections”. The bug affects Unified Communications Domain Manager versions prior to 11.5(2).

Thursday’s announcements included another 12 lower-rated vulnerabilities, listed here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/26/cisco_elastic_services_controller_critical_vulnerability/

Stunning infosec tips from Uncle Sam, furries exposed, Chase bank web leak, and more

Roundup: Happy weekend, everyone. Here’s a roundup of computer security news beyond everything we’ve already reported this week.

Last week a consortium of biz giants got together to set the bar on computer security because governments weren’t getting their act together. Sadly, based on Uncle Sam’s actions this week, it’s clear such concerns were justified.

Take, for example, the new guidance [PDF] from the US Securities and Exchange Commission on IT security, which was about as insightful as the ingredients list on a breakfast cereal box. The executive summary is: companies should advise investors of risks, and use law enforcement investigations as an excuse to keep quiet.

OK, let’s dial back the cynicism. While the SEC memo is not bad advice, it’s straight out of the department of the bleedin’ obvious: don’t break the law, basically. It is also virtually identical to the advisory the SEC released in 2011, and the threat landscape, for want of a better buzzword, has changed considerably since then.

In a similar vein, US Attorney General Jeff Sessions announced the creation of a Justice Department-run Cyber-Digital Task Force. This “force” is actually just a bunch of administrators who can talk about threats and they have been tasked with preparing a report to Sessions in June about online threats.

“The internet has given us amazing new tools that help us work, communicate, and participate in our economy, but these tools can also be exploited by criminals, terrorists, and enemy governments,” Sessions said.

“At the Department of Justice, we take these threats seriously. That is why today I am ordering the creation of a Cyber-Digital Task Force to advise me on the most effective ways that this Department can confront these threats and keep the American people safe.”

A few things struck us as odd about this. Firstly, the NSA is tasked with defending against such threats, but won’t be having any staff on the “force.” Secondly, the group will also set up subcommittees to handle specific issues. This sounds like bureaucratic waffle on a massive scale.

Killing the messenger

Where the government does have people of talent, it’s dumping them. Matthew Masterson, chairman of the US Election Assistance Commission, has been doing sterling work with election officials and security professionals to try to fix the parlous state of voting machine security.

But now he’s out of a job and his likely replacement is fellow commission member Christy McCormick, who in the past has expressed skepticism that election hacking is even a serious issue and criticized the Department of Homeland Security for designating election mechanisms as critical infrastructure. The 2018 midterms should be interesting…

One thing the government isn’t bad at is telling everyone how bad the situation is. A research report [PDF] from the White House’s Council of Economic Advisers put the cost to the US of online crime at between $57bn and $107bn and reached this stunning conclusion:

Cyber connectivity is an important driver of productivity, innovation, and growth for the U.S. economy, but it comes at a cost. Companies, individuals, and the government are vulnerable to malicious cyber activity. Effective public and private-sector efforts to combat this malicious activity would contribute to domestic GDP growth. However, the ever-evolving nature and scope of cyber threats suggest that additional and continued efforts are critical, and the cooperation between public and private sectors is key.

That’s a little like the mice getting together for a meeting and deciding the best course of action is to put a bell around the cat’s neck, but with no clue on how to achieve this miracle.

Still, one shouldn’t be too hard on governments alone. Verizon also released a report on mobile security, looking at the lessons from the last year. Oddly, it didn’t include any mention of Verizon’s own snafu when it left the account information for 14 million of its customers online in an open Amazon S3 bucket. Selection bias, anyone?

Furries and fixes

We’re a broad church here at The Register, so unlike a lot of people online we don’t have a problem with furries – folks who like to dress up as animals and hang out with like-minded folks. But such folks are understandably concerned about privacy, and a dodgy software interface could leave them exposed.

The software, made by Civet Solutions, is used by conference organizers to register and log attendees, and is used at many furry conventions, such as Alamo City Furry Invasion, Vancoufur and Pacific Anthropomorphics Weekend. A researcher found that simply entering someone’s name into the system would show their convention history, and that this data had been uploaded into the cloud.

Given the privacy needs of such an out-there community this is a bit of an issue. The manufacturer is looking into locking down the system. And, for the record, no Reg journalists have a penchant for slipping into a fur suit.

Hirsute hijinks aside, it has been a very good week for flaw fixes. Apple released a security update for customers that fixed a Unicode problem that could have made it possible to crash their shiny iDevices.

The issue was triggered when an attacker sent a message containing a symbol composed of characters used in the Indian language Telugu. In a few cases rebooting didn’t help: the machine tried to re-render the message and crashed again. If you haven’t updated already, do so now.

Chasing the flaggin’ security

US bank Chase has also been doing some frantic patching after a serious flaw showed up in its online banking system. When some users tried to log in to check their accounts they got account information, just not their own.

One Chase customer recounted finding someone else’s bank account details when they logged in, but since the person in question had very little money and a lot of debt, they joked that they had decided not to stage a heist. Chase says it has now fixed the issue.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/24/security_roundup/

Tor pedo’s torpedo torpedoed: FBI spyware crossed the line but was in good faith, say judges

Analysis US judges have shut down an appeal from a convicted pedophile who claimed the FBI hacking of his computer was an illegal and unreasonable search.

Gabriel Werdene, 53, of Bucks County, Pennsylvania, is serving two years in a federal prison for rummaging through the Playpen dark-web filth souk for images and footage of child sexual abuse. Copies of the banned material were found on a DVD and USB drive at his home by the Feds during a sting operation in 2015.

Playpen was a hidden service on the anonymizing network Tor, and had up to a quarter of a million users sharing footage of underage sex. The FBI had seized its server after obtaining a search warrant to snoop on those connecting to the underground website. The g-men deployed what they termed a network investigative technique (NIT) on the site to determine the public IP addresses of Playpen users as they logged in.

Tor works by bouncing your connection through several nodes, concealing the public IP address you’re using to connect to the internet and thus hampering efforts to trace and identify you.

When you connect to a Tor hidden service, your true public IP address shouldn’t be revealed to the server. However, Uncle Sam’s NIT hidden on the commandeered Playpen website was able to determine the IP address of the forum’s users. The Feds then took these addresses to ISPs, such as Comcast, and demanded details of the subscribers assigned those IP addresses.

With those home addresses in hand, the Feds swooped, and arrested hundreds of people suspected of being Playpen degenerates. Werdene was among those cuffed, convicted, and in 2016 was thrown in the clink for 24 months by a Pennsylvania district court. Specifically, he signed a plea deal in which he would plead guilty early in exchange for a lighter sentence and sparing taxpayers a lengthy trial. Normally these bargains waive one’s right to appeal, but in this case, Werdene was allowed to challenge his prosecution.

He duly filed a request to suppress the FBI’s evidence against him, arguing the FBI’s spyware was illegal, in a bid to overturn his conviction.

This week, he failed.

Werdene, whose Playpen username was “thepervert,” argued that the FBI broke the rules by getting a warrant to install the NIT. Usually, a search warrant requires the judge to know the location of the suspect before it can be issued; here, however, prosecutors persuaded a court to give the bureau blanket search rights. It didn’t matter where the users were, according to the warrant: the FBI was allowed to unmask and collar them.

It’s a legal argument that has worked for some of the Playpen arrestees. The rule in question – Rule 41 of the Federal Rules of Criminal Procedure – has since been changed to allow US crimefighters to probe machines anywhere in the world, with a warrant. Judges Joseph Greenaway Jr, Richard Nygaard, and Mike Fisher, sitting on the Third Circuit Court of Appeals, agreed this week that a magistrate should not have approved the search warrant, and that the FBI had exceeded its authority, but nonetheless decided that the government had acted in good faith.

That decision kills off Werdene’s attempts to throw out the prosecution’s evidence that he was a Playpen user.

“We hold that the NIT warrant violated the prior version of Rule 41(b) and that the magistrate judge exceeded her authority under the Federal Magistrates Act. The warrant was therefore void ab initio, and the Rule 41(b) infraction rose to the level of a Fourth Amendment violation,” their ruling [PDF] read.

“However, we agree with the government that the good-faith exception to the exclusionary rule may apply to warrants that are void ab initio, which ultimately precludes suppression in this case. We therefore will affirm on alternative grounds the district court’s decision to deny Werdene’s suppression motion.”

The case did reveal some interesting details about the FBI’s mysterious NIT. In the past, the agency has actually dropped cases against suspected sharers of underage sex videos rather than reveal details of its Tor privacy exploit. Agents for one foreign government, working with the FBI, previously used a specially crafted video to snare dark-web pedos, yet it’s not known exactly how the FBI’s NIT works.

Now, we’ve got some extra details, thanks to this case. Court documents show the spyware – likely a piece of Flash or JavaScript that exploits a vulnerability in the Firefox-based Tor Browser – looked for seven pieces of information:

  • The IP address
  • A unique identifier to distinguish the data from that of other computers
  • The type of operating system
  • Information about whether the NIT had already been delivered
  • A Host Name
  • An active operating system username
  • Media Access Control (MAC) address

The NIT likely has multiple components: one to exploit the bug (or otherwise get a second part, the information gatherer, onto the PC), the gatherer itself, and then a means to send the collected information back to the Feds.

The FBI took some flak for the way it handled the Playpen sting. After taking over Playpen’s server, hosted in North Carolina, it moved the box to Virginia, and ran the site for an additional 13 days to spread the NIT around. The dark-web site’s administrator, Michael Fluckiger, was sent down for 20 years for his role in aiding child abuse. Many more prosecutions are still weaving their way through the courts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/24/tor_fbi_hacking_appeal/