STE WILLIAMS

Uber and Waymo clash in court over driverless technology

After a delay of about two months, Uber and Waymo, the self-driving-car unit from Google, finally had their first day in court in the trade secrets lawsuit brought by Waymo a year ago.

If Day One is any indication, this suit is going to paint a picture of a vicious competition between the two companies.

The BBC wrote about the evidence Waymo presented on Monday, including emails that portrayed Uber’s then-chief executive Travis Kalanick as having been desperate to catch up with Google’s autonomous driving technology.

According to that evidence, Uber engineering manager John Bares, then head of Uber’s autonomous group, took notes during an 18 September 2015 teleconference in which he wrote of “increasing pressure” to 1) catch up on Google’s seven-year head start in autonomous vehicle technology and 2) deploy 100,000 driverless cars in 2020.

Notes from a subsequent meeting Bares had with Kalanick show that the former Uber CEO wanted to obtain “the cheat codes,” “all of their data” and a “pound of flesh” from Waymo.

Waymo claims that Uber, worried about losing the self-driving car race to Waymo, ripped off Waymo’s trade secrets when it hired one of its former executives, Anthony Levandowski. Levandowski had led the driverless car project at Google since 2011; the project itself began in 2009, roughly as long as Uber has existed.

Kalanick contacted Levandowski directly in October 2015 to discuss “selling a nonexistent company.” Levandowski allegedly stole 14,000 proprietary Waymo documents just days before leaving Waymo to start that company, “Otto,” in January 2016. Uber acquired Otto in August 2016, a move that Waymo alleges was part of a plan with Levandowski to steal Google’s technology.

Waymo presented evidence that points to Levandowski having downloaded documents just hours before meeting with Uber and then again on the same day as the meeting. Google attorneys presented an email from a Morrison Foerster lawyer who was involved in investigating Otto before Uber acquired it. The email indicated Levandowski had files that included source code and design software: “everything you need to create a self-driving car.”

The alleged document rip-offs have been at the heart of the case from the beginning, as has Uber’s insistence that none of the files ever made it to Uber. Besides, Uber argues, the information that Waymo alleges is proprietary is actually in the public domain.

Uber’s attorney, Bill Carmody, said that this legal fiasco is all Levandowski’s fault and that the company regrets ever having hired him. The Financial Times quotes Carmody:

Uber regrets ever bringing Anthony Levandowski on board. And the reason they do so, is because for all his time at Uber, all they have to show for bringing on Anthony Levandowski is this lawsuit.

Levandowski, whom Uber fired in May 2017, has invoked his Fifth Amendment right against self-incrimination in the case. Uber says he was fired for not cooperating with the case, though his firing came about three months after Waymo filed its suit.

Beyond the question of the files Levandowski allegedly took from Google, the plot thickened in November with the appearance of a 37-page letter written nine months ago by an attorney for Richard Jacobs, a former Uber security analyst who worked in the company’s global intelligence unit.

Waymo’s attorneys said there was no way they could review the new documents in time for what was supposed to be a 4 December start date for the trial, so Judge William Alsup agreed and granted a two-month delay. Alsup himself received a copy of the letter from the US Attorney’s Office for Northern California only a week before the civil trial was set to begin.

The letter described an Uber unit, called Marketplace Analytics (MA), that allegedly spied on competitors worldwide for years, scraping millions of their records with automated collection systems and conducting physical surveillance.

Uber allegedly used “non-attributable” servers that couldn’t be traced back to the company to store that data, non-attributable laptops, pre-paid phones and Mi-Fi wireless internet devices, and “ephemeral” messaging services like Wickr and Telegram to communicate – all to avoid leaving digital evidence that could damage the company in any legal proceeding.

Uber doesn’t deny it, but says it no longer does this “shadow-server” stuff. The company’s current CEO, Dara Khosrowshahi, acknowledged in a tweet that the company had used Wickr and Telegram before he arrived, but said Uber employees had been directed to stop using them as of 27 September.

The legal twists and turns will keep coming as the trial plays out over what’s expected to be about three weeks, but don’t expect any juicy details about the sensitive technology secrets involved. Technical discussions of the trade secrets will be closed to the public because of their proprietary nature.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1j15nokxFVA/

Safer Internet Day 2018 [VIDEO]

In support of Safer Internet Day 2018, we went on Facebook Live to take on the question, “What can we all do to work our way to a better internet?”

From the mechanics of how we log in (and out – don’t forget that part!) to the concept of do-as-you-would-be-done-by…

…here’s how we think we can all make a difference, not just for today and tomorrow but for our children’s internet tomorrows, too.

(The video is embedded in the original article. If you can’t see it, or get an error such as “no longer available”, watch it on Facebook instead.)

Note. With most browsers, you don’t need a Facebook account to watch the video, and if you do have an account you don’t need to be logged in. If you can’t hear the sound, try clicking on the speaker icon in the bottom right corner of the video player to unmute.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DdIO2LA2WcU/

2017 Smashed World’s Records for Most Data Breaches, Exposed Information

Five mega-breaches last year accounted for more than 72% of all data records exposed in 2017.

Worldwide, 2017 was a record-breaking year for both publicly reported data breaches and exposed records: a total of 5,207 breaches and 7.89 billion information records compromised.

While hacking remained the No. 1 method used in data breaches last year (55.8%), for the first time it wasn’t the top cause of exposed data records: 68.7% of exposed records came at the hands of unintentional Web-borne exposure due to accidental leaking online and misconfigured services and portals.

Some 5.4 billion records were exposed this way, even though that was via just 5% of all reported breaches. Data breaches due to hacks accounted for 2.3 billion records.

“These were misconfigured services, faulty backups, that sort of administrative error that leads to those data sets then being open and exposed to the Internet,” explains Inga Goddijn, executive vice president of Risk Based Security, which compiled the breach data from public disclosures for its annual report. “The popularity of search engines like Shodan makes it an incredibly open doorway for discovering that information. … Both security researchers and malicious actors alike understand the power of those tools.”

There was a painful wave of publicly disclosed leaks via misconfigured Amazon Web Services (AWS) Simple Storage Service (S3) buckets in 2017. RedLock CSI (Cloud Security Intelligence) found that 53% of businesses using cloud storage services like AWS S3 had inadvertently exposed one or more of their cloud services to the Internet. Among the big-name companies found with exposed S3 buckets were Accenture, Booz Allen Hamilton, and Verizon.
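The S3 exposures described above almost always come down to one of two settings: a bucket policy whose Principal is “*”, or an ACL grant to the AllUsers or AuthenticatedUsers group. The checker below is an added example, not code from the report, from RedLock or from AWS: it evaluates the JSON shapes that `aws s3api get-bucket-policy` and `get-bucket-acl` return, entirely offline, and flags anything that hands read access to the world. The sample documents are constructed for the demo (the account ID 123456789012 is the placeholder AWS uses in its documentation).

```python
"""Flag world-readable S3 bucket settings from a policy document and an ACL.

Added example, not code from the report, RedLock or AWS.  It evaluates the
JSON shapes that `aws s3api get-bucket-policy` and `get-bucket-acl` return,
entirely offline; the sample documents below are constructed for the demo.
"""
import fnmatch
import json

# Actions that let the holder read bucket contents or list keys.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

# ACL grantee groups that mean "anonymous" or "any AWS customer".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _read_actions_matched(actions):
    """Return the policy actions (including wildcards such as s3:Get* or *) that cover a read."""
    matched = []
    for pattern in _as_list(actions):
        if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in READ_ACTIONS):
            matched.append(pattern)
    return matched


def policy_findings(policy_json):
    """Human-readable findings for Allow statements that grant reads to everyone."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        granted = _read_actions_matched(st.get("Action", []))
        if not granted:
            continue
        # A Condition (source IP, VPC endpoint, ...) may narrow the grant; still worth a look.
        note = " (limited by a Condition; review it)" if st.get("Condition") else ""
        findings.append(
            f"statement {i} ({st.get('Sid', 'no Sid')}) allows {', '.join(granted)} to everyone{note}"
        )
    return findings


def acl_findings(grants):
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for g in grants:
        grantee = g.get("Grantee", {})
        who = PUBLIC_ACL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            findings.append(f"ACL grants {g.get('Permission')} to {who}")
    return findings


# Constructed samples.  123456789012 is the placeholder account ID used in AWS docs.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
    }],
})
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    for name, result in (("leaky policy", policy_findings(LEAKY_POLICY)),
                         ("safe policy", policy_findings(SAFE_POLICY)),
                         ("public ACL", acl_findings(PUBLIC_ACL)),
                         ("private ACL", acl_findings(PRIVATE_ACL))):
        print(f"{name}: {result or 'no public access found'}")
```

Feed it the real output of `get-bucket-policy` and `get-bucket-acl` for each bucket in an account and you have the audit the companies named above were missing; the check is deliberately conservative, so a statement with a Condition is still reported for a human to review rather than silently passed.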

Goddijn says most of the exposed record incidents in 2017 were data-handling errors that could have been prevented. Risk Based Security, which compiles and aggregates publicly disclosed data breach events, published its findings today in its annual Data Breach QuickView report on breach trends for 2017.

Both the number of total breaches and total records exposed each jumped by 24% over 2016.

Big Data
Eight of 2017’s reported data breaches made the Top 20 list of all-time largest breaches, according to the report. And the five biggest breaches of the year exposed 72.2% of the records, or 5.7 billion records total.

Goddijn points to a few mega-breaches driving that data, including those at Equifax and Sabre Systems. While travel systems provider Sabre has not reported the full extent of its breach, affected third parties continue to issue notifications affecting their customers, she says. “We are still getting information on organizations that had employee or customer data exposed as part of that Sabre breach,” including hotels and travel organizations, she says.

“They [Sabre] never came out and said how big it was, but it has been one of the larger ones” based on the fallout, she says. It’s unclear if Sabre even knows the full extent of the breach, she says.

Most reported breaches (39.4%) occurred in the business sector, followed by medical (8.1%), government (7.2%), and education (5.3%). And 40% of breaches came from organizations that were not identifiable based on the public disclosure data.

Businesses accounted for the most exposed records, with 82.9%, followed by government (3.7%), medical (less than 1%) and education (less than 1%); some 12.4% of exposed records came from sectors not identifiable via public disclosure information.

The US led the world with the most reported breaches, with 2,330, followed by the UK (184), Canada (116), India (78), and Australia (62). That wide gap between the US and Europe could change once the European Union’s General Data Protection Regulation (GDPR) goes into effect in May, which includes rules for mandatory breach notification. “I’ll be curious to see how GDPR impacts the data,” she says, noting that the US has had some of the most stringent reporting requirements thus far.

Even so, the US didn’t rank at the top for median number of lost records: 1,458, far below China (11.8 million), South Africa (6.7 million), South Korea (1 million), and other nations.

The top five all-time biggest data breaches are Yahoo (3 billion records) in 2016; China’s DU Caller Group (2 billion records); the US’s River City Media (1.3 billion); China’s NetEase (1.2 billion); followed by 711 million records exposed by an undisclosed Netherlands organization, according to the report.

There was a bit of good news amid the record-breaking year of breaches and exposed data records, however: “We don’t see overall severity [of breaches] getting worse. That dropped a bit in the fourth quarter,” Goddijn says.

Given the heavy representation of human error for exposed data, Goddijn says organizations should continue to double down on security awareness training, including preparing users on how they can be targeted and what sort of information attackers are after. “That could help cut down the number of breaches,” she says. Training is an ongoing process, she adds.

But don’t expect any major improvement in breaches for 2018. “I have a feeling 2018 is going to be just as bad and worse,” Goddijn says.  And the annual breach report doesn’t even include Internet of Things data exposure, she points out.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/2017-smashed-worlds-records-for-most-data-breaches-exposed-information/d/d-id/1330987?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Updates Payment, Criteria for Windows Bug Bounty

The Windows Insider Preview Bounty Program will award between $500 and $15,000 for eligible submissions.

Microsoft has updated the eligible submission criteria and payment tiers for its Windows Insider Preview bounty program, which first launched on July 26, 2017.

The program was created to find vulnerabilities that reproduce in versions of Windows released through the Windows Insider Preview (WIP) fast ring. Insiders test early releases of each OS update before the final release goes to the public, to eliminate bugs and security problems.

Qualified submissions typically earn between $500 and $15,000 USD per bug. In the announcement of its latest update, Microsoft notes that bounties are awarded at its discretion and that payouts above $15,000 are possible, depending on the quality and complexity of each entry.

Higher-quality reports lead to bigger payouts. The baseline reward for a remote code execution vulnerability ranges from $500 to $7,500, but a high-quality RCE report could earn up to $15,000 per bug. Similarly, the payout for a privilege escalation flaw ranges from $500 to $5,000 as a baseline sum, but up to $10,000 for a high-quality report.

Each submission must meet certain criteria to be eligible for payment. It must identify an original, unreported Critical or Important flaw in WIP Fast, and the bug must reproduce in the WIP Fast build currently under test. Reports must state the vulnerability’s impact and attack vector.

The description of the problem and the steps to reproduce it must be clear enough for Microsoft engineers to patch it. A submission that contains everything an engineer needs to reproduce, understand and fix the problem – including a short write-up with background, description and proof-of-concept – can earn more.

Microsoft encourages any submissions describing security flaws in WIP Fast. It won’t pay out for bugs in the Windows Store, Windows apps, firmware, third-party drivers, or third-party software in Windows. Vulnerabilities requiring “unlikely user actions” also don’t count; neither do vulnerabilities that are known to Microsoft or require users to downgrade security settings.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-updates-payment-criteria-for-windows-bug-bounty/d/d-id/1330991?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AutoSploit: Mass Exploitation Just Got a Lot Easier

But the response to the new hacking tool, now readily available to the masses of script kiddies, has been a mix of outrage, fear, some applause, and more than a few shrugs.

Hacking, like any form of security, is a numbers game. Attackers, even very capable ones, can only hit as many targets as the resources at their disposal allow. A larger team can seek out more targets and probe them for vulnerabilities, but there are only so many hours in the day to compile lists of candidate systems, find the right exploit for each, break in and make off with the goods.

Now a new hacking tool, AutoSploit, released last week on GitHub by a security researcher and hacker who goes by the Twitter handle VectorSEC, erases much of that trade-off between resources and reach.

AutoSploit is an apt name for this new tool, which automates the majority of the hacking process. VectorSEC has combined two existing tools: Shodan.io, a search engine for Internet-connected devices and the service banners they expose, and the Metasploit penetration-testing framework, to create something interesting to some and dangerous to others. The program uses the Shodan API to find potential targets. As VectorSEC explains on his GitHub page, “The program allows the user to enter their platform specific search query such as Apache, IIS, etc, upon which a list of candidates will be retrieved.”

Apache, for example, is not a single program but a foundation hosting a large number of widely deployed open source projects (the article notes that GitHub shows more than 9 million commits across them). Across that much code, some deployed versions are bound to have known vulnerabilities, which is where Metasploit comes in. Instead of working out which versions of Apache (or whichever project the attacker is targeting) are affected by which bug, AutoSploit takes a “Hail Mary” approach: it fires every exploit module it has at each candidate host until one succeeds or the list is exhausted. The bad news is that because the whole process is automated, a low-skilled attacker can run it at scale. It is safe to say that the thousands of organizations running popular Apache projects such as Struts and Tomcat could find themselves in a world of hurt if their systems are not patched.
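The “try everything against every host” approach described above leaves a distinctive trace in a web server’s logs: one source address requests many unrelated paths within a short window and most of them fail. The detector below is an added example, not code from the article or from AutoSploit. It runs over constructed Apache combined-format log lines (addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24; the probe paths are common examples chosen for the demo, not taken from any tool’s module list), and the window and thresholds are assumptions to tune against your own traffic.

```python
"""Spot "try every exploit against every host" bursts in Apache access logs.

Added example, not from the article or from AutoSploit.  The log lines are
constructed (documentation IP ranges, common probe paths); the thresholds are
assumptions to tune against real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined/common log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return ip, ts (aware datetime), method, path and status for one line; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_exploit_bursts(lines, window_seconds=60, min_distinct=8, min_error_ratio=0.6):
    """Per source IP, slide a time window over its requests and report the window
    with the most distinct method/path pairs, provided it also has a high failure
    rate.  A real visitor repeats a few paths and mostly gets 2xx/3xx; a Hail Mary
    run hits many unrelated paths and mostly gets 4xx/5xx."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most window_seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            distinct = len({(e["method"], e["path"]) for e in window})
            error_ratio = sum(e["status"] >= 400 for e in window) / len(window)
            if distinct >= min_distinct and error_ratio >= min_error_ratio:
                if best is None or distinct > best["distinct_paths"]:
                    best = {"ip": ip, "distinct_paths": distinct,
                            "error_ratio": round(error_ratio, 2),
                            "first_seen": window[0]["ts"].isoformat()}
        if best:
            findings.append(best)
    return findings


# Constructed sample: one scanner (203.0.113.7) probing ten different paths in
# 20 seconds, and one ordinary visitor (198.51.100.20) loading a page's assets.
_TS = "06/Feb/2018:10:15:%02d +0000"
_PROBES = [("/manager/html", 404), ("/struts2-showcase/index.action", 404),
           ("/cgi-bin/test.cgi", 403), ("/phpmyadmin/", 404), ("/jmx-console/", 500),
           ("/invoker/JMXInvokerServlet", 404), ("/wp-login.php", 404),
           ("/console/", 200), ("/.git/config", 404), ("/api/v1/", 404)]
SAMPLE_LOG = [
    f'203.0.113.7 - - [{_TS % (2 * i)}] "GET {path} HTTP/1.1" {status} 512'
    for i, (path, status) in enumerate(_PROBES)
] + [
    f'198.51.100.20 - - [{_TS % (10 * i)}] "GET {path} HTTP/1.1" 200 2048'
    for i, path in enumerate(["/", "/index.html", "/style.css", "/app.js", "/logo.png"])
]

if __name__ == "__main__":
    for finding in find_exploit_bursts(SAMPLE_LOG):
        print(finding)
```

Pipe a day of access logs through `find_exploit_bursts` and the scanner stands out while the visitor does not; the 60-second window keeps a slow, patient attacker below the threshold, which is the usual trade-off between catching noisy automation and chasing false positives.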

Mixed Reaction
So far the response to AutoSploit has been a mix of outrage, fear, some applause, and more than a few shrugs. Many have voiced concern that the tool could change the battlefield of security from a game of bows and arrows to one of carpet bombing, calling VectorSEC wildly irresponsible for putting a cyber weapon of this sort out for public consumption. Although these two tools have been around for some time, it is the combination of them in a single package that has folks worried. Others, like security expert Dan Tentler, point out that by taking two tools that can cause trouble on their own and then combining them in an automated process, VectorSEC has dumbed down the field of hacking.

The idea of people using tools developed by others to carry out hacks is hardly new. Black markets for exploit kits have been around for years, populated by criminals who lack the technical understanding to write the malware themselves. However, by posting his tool on GitHub as open source under a GNU license for anyone to play with, VectorSEC has made mass exploitation far more widely available than any black market does.

Those who view AutoSploit as a positive measure contend that by making exploitation so easy and available to the masses of script kiddies, it could encourage organizations to really implement solutions that can keep them safe not only from this exploit kit but from more-experienced hacker teams as well.

In the meantime, others in the open source community have stepped up to prevent some of the worst potential damage from AutoSploit. Security expert Jerry Gamblin posted code to GitHub that he says will stop Shodan from scanning your systems. Bear in mind, though, that keeping a host out of Shodan’s index only removes it from AutoSploit’s candidate list; anyone scanning the address range directly will still find the same unpatched service, so this is a stopgap rather than a substitute for patching. It is also questionable whether even that stopgap will be widely adopted, given how slowly organizations apply critical patches announced by the projects themselves.


Rami Sass is CEO and co-founder of WhiteSource. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity. Before founding WhiteSource, Rami … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/autosploit-mass-exploitation-just-got-a-lot-easier-/a/d-id/1330982?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Safer Internet Day: 3 things you can do for your social networks

It’s Safer Internet Day 2018, a day designed to “promote the safe, responsible and positive use of digital technology for children and young people”.

Like any technology, the internet and the software that runs on it has plenty of bugs, and there is much that could be fixed or improved in the service of keeping young people safe.

In fact, my colleague Paul Ducklin has written an article all about that for Safer Internet Day, entitled 3 things your social networks can do for you. You should read that article too (after you’ve read this one ;).

But that’s only half the story.

The internet and its social networks are driven and shaped by how we use them. Our children aren’t just inheriting some technology, they’re inheriting culture and behaviour too.

And that’s why I’m looking at the other side of the coin: 3 things you can do for your social networks.

1. Turn on 2FA

2FA (two-factor authentication) makes your account much harder to break into even if your password is guessed or stolen. In exchange for putting up with the minor inconvenience of entering a one-time code alongside your password when you log in, you get an instant, permanent security upgrade that puts your valuable accounts out of reach of anyone who has only your password.

At this point you might be thinking that this sounds a lot like something you can do for yourself rather than something you can do for the others on your social network.

It is, but losing control of your Facebook or Twitter account to crooks doesn’t just affect you. You’ve lost an account, but the friends and colleagues in your network now have a fox in their hen house, disguised as you and armed with all the personal information it needs to pass itself off as you.

The most popular social networks like Facebook, Twitter, Instagram and Snapchat have all done their part and made two-factor authentication available, but it’s up to us to actually use it.

2. Behave yourself

A wiser person than me once said “Before you complain about being stuck in traffic remember, you are the traffic”. And so it goes with social media: you are the social network and how you choose to behave matters.

It’s easy to come up with lists of things that social networks should do to make our lives easier by controlling and regulating other people’s behaviour (indeed Paul Ducklin’s got something to say on that). It is far harder, but perhaps even more important though, to look critically at ourselves and ask how we might control and regulate our own behaviour.

“Controlling and regulating” might sound onerous but it shouldn’t because it’s exactly what we do all day, every day, in the real world. Of course it’s easier in the real world where we’ve been swimming in a sea of almost constant non-verbal feedback for about 200,000 years. Online we’re all still figuring out the very basics of what used to be called netiquette.

Teachers will tell you: if you want to connect kids with the consequences of what they say online, just have them say it aloud. That seems like a good enough place to start so I suggest this: if you wouldn’t say something to a person’s face, don’t say it to their avatar.

3. Log out

Want to model some good behaviour for your kids, protect your account and put a stick in the spokes of your social network’s giant track-o-matic machine? Just log out.

I know, I know – if you log out then next time you want to use your favourite social media you’ll have to log in again. With two-factor authentication enabled that could take several seconds, time you could have better spent watching 1/8th of a cat video.

Logging in when you start and logging out when you’ve finished is a little inconvenient, it’s true, but it stops two kinds of attackers in their tracks. The first is the kind of person who pretends to be you by sitting at your desk when you’re not there, or by stealing your phone if you leave it somewhere. The second is an attacker using a Cross-Site Request Forgery (CSRF): a booby-trapped page that makes your browser send a request to the social network carrying your still-valid login cookie, so that the site does something on your behalf (such as granting the attacker access to your account) without you realising. If you’re logged out, there is no live session for the forged request to ride on.
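The CSRF case is worth seeing in code. What follows is an added example, not from the article or from any social network: a toy in-memory session store stands in for the site, `transfer_vulnerable` trusts the session cookie alone (the classic CSRF hole), and `transfer_hardened` also demands a per-session token that a third-party page cannot read. The handler names, the HMAC token construction and the form fields are all assumptions made for the demo.

```python
"""Why logging out defeats a cross-site request forgery, and what the site should do too.

Added example, not from the article or any social network.  A tiny in-memory
session store stands in for the site; the two handlers process the same
"transfer" form, one trusting the session cookie alone and one also demanding a
per-session CSRF token that a third-party page cannot obtain.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed server-side signing key
SESSIONS = {}                          # session cookie value -> username


def login(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def logout(sid: str) -> None:
    # The cookie may linger in the browser, but it no longer maps to anyone.
    SESSIONS.pop(sid, None)


def csrf_token(sid: str) -> str:
    """Token bound to the session: HMAC(server key, session id).  Only pages served by
    the site itself (which knows the session) can embed it in their forms."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict):
    """Accepts any request that carries a valid session cookie."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401, "not logged in"
    return 200, f"{user} sent {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request: dict):
    """Additionally requires the per-session CSRF token in the form body."""
    sid = request["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    if not hmac.compare_digest(request["form"].get("csrf_token", ""), csrf_token(sid)):
        return 403, "missing or bad CSRF token"
    return 200, f"{user} sent {request['form']['amount']} to {request['form']['to']}"


def forged_request(sid):
    """What a malicious page can make the victim's browser send: the browser attaches
    the site's cookie automatically, but the attacker's page cannot read the token."""
    return {"cookies": {"session": sid} if sid else {},
            "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(sid, to, amount):
    """A form rendered by the site itself, so it carries the token."""
    return {"cookies": {"session": sid},
            "form": {"to": to, "amount": amount, "csrf_token": csrf_token(sid)}}


if __name__ == "__main__":
    sid = login("alice")
    print("logged in, forged, vulnerable handler:", transfer_vulnerable(forged_request(sid)))
    print("logged in, forged, hardened handler:  ", transfer_hardened(forged_request(sid)))
    print("logged in, site's own form:           ", transfer_hardened(legitimate_request(sid, "bob", "5")))
    logout(sid)
    print("logged out, stale cookie, vulnerable: ", transfer_vulnerable(forged_request(sid)))
```

Running it shows the forged request succeeding only against the vulnerable handler, and only while the session is live; once the user has logged out, the stale cookie maps to nothing and both handlers refuse. Modern browsers add a further defence at the cookie level (the SameSite attribute), but that is the site’s decision, not the user’s, which is why logging out remains the one lever in your own hands.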

Logging out also stops the social networks from tracking your movements around the web, at least under your own name. The tracking beacons they use to do this, which are present on a huge number of websites, feed information about what you’re doing on the web into their giant data-collection apparatus, but they can only tie it to your identity if you’re logged in.

Staying logged in after you’re finished with something is the same as writing your password on a post-it and sticking it to your screen when you go to make a coffee. You wouldn’t do that and you wouldn’t want your kids to either.

Next steps

In this article we’ve suggested you consider adopting behaviours to make things better for your own social networks.

But we think there are things the sites themselves should be doing too…

…so please take a read of Paul Ducklin’s 3 things your social networks can do for you to find out what we think they should be doing to help.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q281iTZotiM/

Safer Internet Day: 3 things your social networks can do for you

It’s Safer Internet Day 2018, which is a double-sided challenge.

Part of building a safer internet is how we use it.

If we forward inappropriate or risky links; if we display, or even tolerate, unacceptable behaviour ourselves; if we do things that put other people’s computers at risk because we don’t care about our own

…all of this amounts to a sort of “race to the bottom” that ends up in an internet where creeps and crooks can thrive, and the rest of us are left to watch our backs all the time.

With this in mind, my colleague Mark Stockley has written an article entitled 3 things you can do for your social networks – I urge you to read it.

But the other side of building a safer internet is the very technology we build in the first place.

So, I’m looking at the other side of the coin: 3 things your social networks can do for you.

1. Turn on 2FA when you log in

Mark’s article urges you to adopt two-factor authentication (2FA), also known as two-step verification.

When you log in, you have to put in your usual password, which typically doesn’t change very often, plus an additional login code, which is different every time.

These one-time login codes are typically sent to you via SMS (text message) or voicemail, or generated by an authenticator app on your mobile phone. Codes delivered by SMS are the weakest of these, because a crook who hijacks your phone number (a so-called SIM swap) receives them too; an authenticator app or a hardware security key is the better choice where the service offers it.

It’s not a perfect solution, but it does make it much harder for a crook who has just bought stolen usernames and passwords on the Dark Web: your password alone isn’t enough to raid your account.

Most mainstream online services already have 2FA, but it’s typically not turned on by default, because a lot of us still don’t like it – logging in takes a little longer, it’s marginally more hassle, and there’s more to go wrong.

So we’re suggesting that social networks should up the ante and try using a stick and not a carrot:

We’re inviting all social networks to make 2FA an opt-out setting that will be just about as much hassle to turn off as it would be to start using it instead.

Anything to raise 2FA’s takeup higher than the 10% recently reported by Google.

2. Behave yourself while you’re logged in

Even those of us with modest lives and mild pastimes have experienced disquieting behaviour online.

We often hear cries along the lines of, “They should do something about it,” based on an expectation that social networking sites can and should police their users, monitor their behaviour and corral it to conform to various norms.

However, we think it’s unreasonable to expect online services themselves to become so self-regulated that they end up as suppressed, uninventive, stuck-in-the-mud, uncritical, self-serving, anodyne communities of, well, of participants who are robotically in tune with the algorithms that direct them.

Nevertheless, we’ve probably all heard stories of, or even experienced, battles to get content taken down even though everyone would agree it violated the terms set by the site involved.

Sometimes, the explanation given is that the sheer scale of today’s online services – hundreds of millions or billions of users – makes reliably rapid response impossible for any incident that requires a truly human touch.

But we’re saying that this is a cop-out: the big social networks chose to expand to the scale they did, so they could equally well choose to scale up their community support infrastructure, too.

We think that reacting to realistic complaints rapidly is something users ought to be able to rely upon:

We’re inviting all social networks not only to set out their community guidelines very clearly but also to enforce them quickly and effectively.

You don’t need page after page of rules and regulations, but you do need to be speedily consistent about the rules you do have, so your users can avoid unpleasant surprises.

3. Log off when you’re done

Mark is urging us all to log off when we aren’t using services like Facebook, Twitter and others, so that we can’t like things by mistake, don’t leave our accounts open for misuse, and don’t end up with all aspects of our digital life “open for business” all the time.

One problem here, though, is that even if you decide you want to log out and back in regularly, it’s not always easy to do, especially via mobile apps.

For example, we can’t find an “automatically log out when closing the program” option in Facebook’s iOS app – we have to remember to pop up the hamburger menu every time, and then scroll all the way to the end of the list and tap on [Log Out].

We understand the concept of frictionlessness – where interacting with a vendor or service is engineered to require a convenient minimum of clicks – but it should be equally convenient to introduce “account friction” whenever we want:

We’re inviting all social networks to make it really easy to set up your account to log off automatically when it’s not being used.

We’re also suggesting that all those “stay logged in” and “remember me” options should be opt-in (i.e. off by default), rather than turned back on automatically every time you log back in.

Next steps

Here, we’ve invited social networking sites to push the envelope a bit – your envelope, as it happens.

All of the things we’re suggesting here need to be mirrored by behaviours you agree to adopt yourself…

…so please head over to Mark Stockley’s 3 things you can do for your social networks to find out why they’re good for you!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-Ws_eTZYFto/

50% off Sophos Home Premium, because you’re not just IT at work

Unlike most jobs, we know your work in IT doesn’t just stop when you leave the office.

We don’t mean getting calls from your CEO about his laptop. Parents, kids, friends, neighbors, random strangers who find out what you do for a living… everyone comes to you for computer help.

Last year, Sophos released Sophos Home which helped make being everyone’s IT expert that little bit easier. This free, web-based security option let you look after the IT security of the people you care about (or maybe the people who bother you the most to fix their computers – we’re not judging) with a brand that you know always looked out for you as well.

Sophos Home Premium is an upgrade to the already headache-preventing technology available with Sophos Home. The Premium edition includes cutting edge technology from the groundbreaking anti-ransomware, anti-exploit solution, Intercept X.

Ransomware might make the news when it hits huge companies, but it doesn’t discriminate. Your grandmother is as at risk of finding her files locked down by ransomware as a billion-dollar company. And you know who she’s going to call when she gets that terrifying pop-up window asking for cryptocurrency? The same person she calls when she forgets her password. You.

We know how much time and energy you spend keeping your family and friends safe at home. It’s like an entire second career. That’s why Sophos is offering 50% off Sophos Home Premium to Naked Security readers for the next month.

And if you’re already using Sophos Home, you can also sign up at 50% off. Sophos Home Premium usually costs $50 (€40, £40) per year so it’s a great saving.

New and current Sophos Home users can try out the Premium features for 30 days and then decide whether to upgrade to Sophos Home Premium or stay with Sophos Home Free. Both versions will continue to receive updates from our engineers and SophosLabs.

It’s all about making the internet safer for everyone – and making your life easier too!

Get half price Sophos Home now

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U9lImOZ8wEE/

Identity Fraud Hits All-Time High in 2017

Survey reports that the number of fraud victims topped 16 million consumers last year, and much of that crime has moved online.

Two new fraud studies have confirmed that while EMV chip cards are preventing breaches at point-of-sale (POS) terminals at retail stores, fraudsters continue to turn their attention to online crime. In fact, card-not-present fraud has become 81% more likely to occur than POS fraud.

One report, the 2018 Identity Fraud Study released today by Javelin Strategy Research, found that in 2017, the total number of fraud victims increased 8% to 16.7 million. The Javelin report also found that 6.64% of consumers became victims of identity fraud last year, an increase of almost 1 million victims from the previous year. The increase was driven by growth in existing non-card fraud and account takeover (ATO) schemes.

In one of the more damaging iterations of an ATO, a fraudster takes over a person’s account, commits the crime and then changes the account back before the security people or the victim even know what’s happened. Javelin found that total ATO losses reached $5.1 billion last year, a 120% increase from 2016. Victims pay an average of $290 out-of-pocket costs, and spend 16 hours on average to resolve an ATO event.
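The change-then-revert pattern described above, as an added detection example that is not the article's or Javelin's code; it runs over constructed account-activity records, and the field names and 48-hour window are assumptions:

```python
from datetime import datetime, timedelta

# Added example (not from the article or Javelin): look for the "change account details,
# transact, change them back" pattern in account-activity records.
def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

# Constructed sample records (not real data). A profile_change carries
# (field, old_value, new_value); a transfer carries the amount.
SAMPLE_EVENTS = [
    ("2018-01-10 09:02", "acct-1001", "profile_change", ("email", "alice@example.net", "drop@mailbox.example")),
    ("2018-01-10 09:15", "acct-1001", "transfer", 950.00),
    ("2018-01-10 09:20", "acct-1001", "transfer", 990.00),
    ("2018-01-10 10:05", "acct-1001", "profile_change", ("email", "drop@mailbox.example", "alice@example.net")),
    ("2018-01-10 11:00", "acct-2002", "profile_change", ("phone", "+15550100001", "+15550100002")),
    ("2018-01-12 18:30", "acct-2002", "transfer", 40.00),
    ("2018-01-11 08:00", "acct-3003", "transfer", 120.00),
]

def find_change_transact_revert(events, window=timedelta(hours=48)):
    """Return one finding per (account, change) where a profile field was changed, money
    moved, and the field was restored to its old value inside the window."""
    by_account = {}
    for ts, acct, kind, detail in sorted(events, key=lambda e: parse_ts(e[0])):
        by_account.setdefault(acct, []).append((parse_ts(ts), kind, detail))
    findings = []
    for acct, evs in by_account.items():
        for i, (t0, kind, detail) in enumerate(evs):
            if kind != "profile_change":
                continue
            field, old, new = detail
            transfers = []
            for t1, k1, d1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break                       # outside the window: stop looking for a revert
                if k1 == "transfer":
                    transfers.append(d1)
                elif k1 == "profile_change" and d1 == (field, new, old):
                    if transfers:               # a revert with no transaction in between is not this pattern
                        findings.append({"account": acct, "field": field, "start": t0, "end": t1,
                                         "transfers": len(transfers), "amount": round(sum(transfers), 2)})
                    break
    return findings
```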

“Criminals are also gaining access to mobile phones and using the information they find on the victim’s phone to conduct a transaction on another account,” says Al Pascual, senior vice president, research director and head of fraud and security at Javelin.

The other study, the 2017 Fraud Index released by Radial last week, found a fourfold increase in digital gift card attacks from Thanksgiving to Christmas this past season. In addition, overnight shipping remains a popular attack vector for fraudsters. Radial tracked $1 of fraud for every $13 in purchased goods shipped.

“I think companies have to face that staying ahead of the fraud has become a full-time job, it’s not something you can have your customer service people work on in their spare time,” says KC Fox, vice president of payments, tax and fraud at Radial.

Short of that, here are some tips that Javelin’s Pascual offers to prevent fraud:

  • Turn on two-factor authentication whenever possible. While one-time PINs have become a popular method, especially with financial institutions, Pascual warns that they are not foolproof. He advises enabling tools such as the Google Authenticator or Microsoft Authenticator, which offer far superior two-factor authentication.
  • Pay attention to mobile security. The vast majority of users have some form of antivirus or antimalware software on their desktops and laptops, but that has not translated to the mobile world. As consumers run more banking and other financial applications on their phones they have to pay more attention to mobile security.
  • Place a security freeze on your credit reports. Keep in mind this only works when a financial institution uses a credit bureau, but if you are concerned that fraudsters are hacking into your credit information, this makes sense. When the time comes, if you are applying for a home or car loan, you can temporarily lift the freeze.
  • Sign up for account alerts. This can get cumbersome for users with many accounts, but over time it may make sense for financial institutions to have people sign up for these alerts when they initially register with a bank or credit card company.
  • Lock down online transactions. Many more financial institutions now let consumers set up thresholds for online transactions and will send alerts if a transaction passes a certain dollar limit. For example, if you only authorize online transactions of up to $1,000, the system will alert you on anything above that number.

The Javelin 2018 Identity Fraud Study (registration required for full report) was sponsored by Identity Guard; here is a link to Radial’s 2017 Fraud Index.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/operations/identity-fraud-hits-all-time-high-in-2017-------/d/d-id/1330979?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

X.509 metadata can carry information through the firewall

A security researcher who last year demonstrated that X.509 certificate exchanges could carry malicious traffic has now published his proof-of-concept code.

Fidelis Cybersecurity’s Jason Reaves has disclosed a covert channel that uses fields in X.509 extensions to carry data.

The X.509 standard defines the characteristics of public key certificates and anchors much of the world’s public key infrastructure; for example, it defines the certificates exchanged at the start of a TLS session.

The reason this matters, Reaves explained in a presentation at the Bsides conference in July 2017, is that if a company suffered a breach the attacker could exfiltrate data over the X.509 path without being noticed.

TLS uses X.509 for certificate exchange, during the handshake process that sets up an encrypted communication.

Fidelis’ paper explains:

In brief, TLS X.509 certificates have many fields where strings can be stored … The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.

The particular field Reaves’ proof-of-concept abused is called SubjectKeyIdentifier and while “most libraries” try to cap the packet size during the handshake, “the extension in the certificate itself can be created to a length that appears to only be limited by memory.”

It would be hard to spot, Reaves said in his Bsides presentation: “How do you detect this? You have to parse out all the data inside X.509, and there’s a lot.”
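One detection heuristic of the kind Reaves describes, as an added example that is not the article's or Fidelis' code: a pure-Python DER walker that measures every SubjectKeyIdentifier extension in a certificate and flags payloads far larger than the hash the field is meant to hold. The 64-byte threshold and the stripped-down constructed certificate are assumptions.

```python
# Added example (not the article's or Fidelis' code): a pure-Python DER walker that
# measures every SubjectKeyIdentifier extension in a certificate and flags oversized ones.
SKI_OID = bytes.fromhex("551d0e")  # DER body of OID 2.5.29.14, SubjectKeyIdentifier
SKI_MAX_BYTES = 64                  # assumed threshold: RFC 5280 key identifiers are ~20 bytes

def der(tag, body):
    """Encode one DER TLV with a definite length (long form when body >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def iter_tlvs(buf):
    """Yield (tag, body) for each consecutive DER TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, pos = first, pos + 2
        else:
            size = first & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + size], "big")
            pos += 2 + size
        yield tag, buf[pos:pos + length]
        pos += length

def ski_payload_sizes(cert_der):
    """Return the extnValue length (bytes) of every SubjectKeyIdentifier extension found."""
    sizes = []
    def walk(buf):
        for tag, body in iter_tlvs(buf):
            if tag == 0x30:  # Extension ::= SEQUENCE { extnID OID, critical BOOL OPTIONAL, extnValue OCTET STRING }
                kids = list(iter_tlvs(body))
                if kids and kids[0] == (0x06, SKI_OID):
                    sizes.append(len(kids[-1][1]))
                    continue
            if tag & 0x20:   # any other constructed TLV (SEQUENCE, SET, [3] Extensions ...): descend
                walk(body)
    walk(cert_der)
    return sizes

def suspicious_ski(cert_der, limit=SKI_MAX_BYTES):
    """True when any SKI payload exceeds the limit and deserves an analyst's look."""
    return any(n > limit for n in ski_payload_sizes(cert_der))

def build_cert(key_id):
    """Constructed stand-in for a certificate: only the [3] Extensions part of the TBS is present."""
    ext = der(0x30, der(0x06, SKI_OID) + der(0x04, der(0x04, key_id)))
    return der(0x30, der(0x30, der(0xA3, der(0x30, ext))))

NORMAL_CERT = build_cert(bytes(20))      # 20-byte key identifier, as RFC 5280 expects
STUFFED_CERT = build_cert(b"A" * 4096)   # constructed oversized payload standing in for smuggled data
```

The same walk applies to a real DER certificate loaded from disk or pulled from a TLS handshake capture; pairing the size check with a self-signed test covers the mitigation the article mentions.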

In its proof-of-concept (here), Fidelis transferred Mimikatz in the TLS negotiation, simulating an attacker pushing Benjamin Delpy’s attack tool into a compromised network. Here’s what that looks like:

[Image: X.509 abuse packet capture showing Mimikatz in an X.509 certificate. Image: Fidelis Cybersecurity]

Reaves wrote that the proof-of-concept used self-signed certificates, and blocking those might be a useful way to defeat any such attack. ®



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/06/x509_certificate_attack/