STE WILLIAMS

Your Facebook News Feed is getting an overhaul

One week after Facebook CEO Mark Zuckerberg pledged to spend the new year fixing Facebook – as in, attempting to tackle problems of abuse/hate/nation-state meddling/couch potato syndrome – he again took to blogging to announce a “major change” to the way Facebook is built.

The problem, he said in a post published on Thursday, is that an explosion of corporate posts – be they from corporations, businesses or media – are overcrowding the platform, squeezing out personal content from friends and family.

Well, that isn’t what we intended, he said. And it hasn’t made Facebook into something that’s necessarily good for people. From his post:

The balance of what’s in News Feed has shifted away from the most important thing Facebook can do – help us connect with each other… We feel a responsibility to make sure our services aren’t just fun to use, but also good for people’s well-being.

“Research shows that strengthening our relationships improves our well-being and happiness,” he said. Strengthening those relationships, he argued, makes us feel more connected and less lonely, markers that correlate with long-term measures of happiness and health, whereas passively reading articles or watching videos can leave us feeling depressed and isolated.

The changes, which the product teams started implementing last year, will be seen first in News Feed and will show up in other Facebook products in coming months. They’ll constitute the most significant change to News Feed in years. Expect to see more posts from friends, family and groups, less from businesses, brands, and media. Expect also to see fewer viral videos or articles coming out of media companies.

Instead, expect to see a great deal more of your friend’s adorable kitten sitting on top of their dog’s head, given the (very likely) possibility that such a post was liked or commented on by many friends.

How did we get to this point, where business has elbowed out friends/family/group’s content? Well, that’s “Easy to understand,” Zuckerberg said, before transitioning to the passive voice to talk about a world that Facebook was actually quite active in creating:

Video and other public content have exploded on Facebook in the past couple of years.

Yes, the content exploded, but it didn’t take Facebook by surprise. It didn’t just happen to Facebook. The explosion happened because Facebook lit the match, buying content and paying dearly for it. The Wall Street Journal reported in June 2016 that Facebook inked nearly 140 contracts with video creators, worth more than $50 million, including established media outlets such as CNN and the New York Times; digital publishers like Vox Media, Tastemade, Mashable and the Huffington Post; and celebrities including Kevin Hart, Gordon Ramsay, Deepak Chopra and NFL quarterback Russell Wilson.

Zuckerberg framed the upcoming more-friends, less-business overhaul as something that will cost Facebook, at least in the short term:

Now, I want to be clear: by making these changes, I expect the time people spend on Facebook and some measures of engagement will go down. But I also expect the time you do spend on Facebook will be more valuable. And if we do the right thing, I believe that will be good for our community and our business over the long term too.

It sounds noble and self-sacrificing, and it may well be those things. But it’s also part of an extended response to increasing criticism of the platform.

In the past year, Facebook has had to defend itself against charges of spreading fake news, cloistering users in filter-created echo chambers and thereby ripping apart the fabric of how society works, being used as a pawn by nation states that have tampered in other countries’ elections, and having been built by people who knew full well they were exploiting a “vulnerability in human psychology” to get people addicted to the “little dopamine hit” when someone likes or comments on your page.

Facebook has already been plagued by questions about how its algorithms may have prioritized fake news in News Feeds, influencing the 2016 American presidential election as well as political discourse in many other countries. Facebook has cited 10 million US users who saw Kremlin-purchased ads. But there were far more who saw Russia-backed posts. According to the company’s prepared testimony, submitted to the Senate judiciary committee before hearings at the end of October, Russia-backed Facebook posts actually reached 126 million Americans during the US election.

On Wednesday, lawmakers will yet again return to the job of grilling Facebook. The focus of the upcoming hearing, in which Facebook will be joined by Twitter and YouTube, is the online spread of extremist propaganda. Representatives from the social media platforms will appear before the Senate Commerce Committee in a hearing titled “Terrorism and Social Media: #IsBigTechDoingEnough?”

All of this grilling, criticism and introspection has pushed the company far from what was a lackadaisical attitude in the recent past. For example, there was Zuckerberg’s initial reaction to suggestions that misleading or misinformative Facebook posts influenced the outcome of the 2016 presidential election: a reaction that was basically a shrug. It was a “pretty crazy idea,” he said, though he later conceded that he’d been unduly dismissive.

In an interview with the New York Times about the upcoming overhaul, Zuckerberg said that in light of all the public content that has appeared in News Feed, the company’s been trying to figure out what it’s “really here to do.”

From that interview:

If what we’re here to do is help people build relationships, then we need to adjust.

Part of the adjustment will be asking product managers to “facilitate the most meaningful interactions between people,” he said, rather than the previous mandate of helping people find the most meaningful content.

As it is, he’s a father now, Zuckerberg said.

Since the birth of his two daughters, he’s been rethinking things, he told the NYT. Namely – what kind of legacy does he want to leave?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RvGtEuJ8HfU/

iPhone’s Apple Health data used as evidence in murder trial

If you have an iPhone running iOS 6S or later, you’ve got Apple’s Health App, which accurately records steps. You’ve also got the Altimeter app, which keeps track of changes in elevation, to track how many stairs you’ve climbed.

And it is that health data that’s been used in the trial of an Afghani refugee in Germany who has admitted to raping and murdering 19-year-old medical student Maria Ladenburger in October 2016.

The refugee, Hussein Khavari, admitted to raping Ladenburger and to drowning her in the river Dreisam. But as the BBC reported on Friday, although he’s admitted his guilt, he’s disputed some details.

He was identified by a long strand of hair found in bushes close to the crime scene and by DNA recovered from a scarf that was found on the river bed nearby. In spite of those and other pieces of evidence, Khavari refused to provide police with the PIN to unlock his phone.

So, similar to the case of the FBI trying to get into the iPhone of the San Bernardino terrorists in the US, German investigators turned to an unnamed company from Munich that has a reputation for being able to crack locked phones. The unnamed cyber forensics firm did, in fact, manage to get into Khavari’s phone after months of work, according to German newspaper Welt. The case had begun in September.

Getting into the phone meant getting at details of its owner’s geodata.

Investigators found that the suspect’s Apple Health app recorded his movements. Between 2:30 a.m. and shortly after 4 a.m., he moved only a few steps, it showed. But it also showed that during the same time, he twice “climbed stairs.”

The investigators soon realized that those two moments might be translated into the suspect first dragging his victim down the river bank, and then climbing back up.

To verify their theory, Freiburg police sent an investigator of a stature similar to Khavari’s to the scene of the crime and gave him an iPhone to track his movements. It confirmed their theory: climbing up and down the embankment was recorded as stair climbing.

Use of mobile health data in an investigation was a first for the police of Baden-Württemberg, but it’s not the first time personal device data has come into play in a criminal case. Last year, we saw Amazon fighting to keep Echo recordings out of court in a murder case. The Amazon Echo had been found at a murder scene where a man had been strangled in a hot tub.

The Echo wasn’t the only smarthome gadget that was a source of potential evidence in that case. Investigators had already gotten water usage data from the suspect’s smart water meter to allege that a spike in consumption during the wee hours of a frigid night was caused by somebody using a garden hose to clean blood off a patio near the hot tub.

Clearly, we can expect to see more court cases where data from our devices comes into play in courtrooms. Our devices hear us, they track us, and they can be figuratively put on the witness stand.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/S-4ri6OVBzc/

Meltdown/Spectre fixes made AWS CPUs cry, says SolarWinds

Log-sniffing vendor SolarWinds has used its own wares to chronicle the application of Meltdown and Spectre patches on its own Amazon Web Services infrastructure, and the results make for ugly viewing.

The image below, for example, depicts the performance of what SolarWinds has described as “a Python worker service tier” on paravirtualized AWS instances.

[Image: Performance of SolarWinds Python worker service tier on AWS, before and after patches]

The company also observed the CPU utilization of its EC2 instances as patches rolled out across different AWS availability zones. The results, depicted below, aren’t pretty.

[Image: SolarWinds telemetry of instance CPU utilization across availability zones during AWS’ rolling Spectre/Meltdown patch process]

SolarWinds has created other visualizations of its cloud estate after the Meltdown/Spectre patches, and most of the results are ugly. Throughput was down as much as 40 per cent on its Kafka rig, while CPU utilization spiked by around 25 per cent on Cassandra.

But there’s also some good news: the company has noticed some CPU utilization rates falling and has guesstimated that it could be as a result of second-generation patches that address Meltdown and Spectre more elegantly than AWS’ first fixes.

Let’s hope SolarWinds is right, because the first lot of graphs it produced suggest that Meltdown and Spectre will make many current rigs more expensive to operate, inadequate for the jobs they were rated to perform, or both. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/15/solarwinds_aws_meltdown_fix_analysis/

UK.gov denies data processing framework is ‘sinister’ – but admits ICO has concerns

The government has moved to allay fears over amendments to the Data Protection Bill that critics say could undermine both the law and the powers of the UK’s privacy watchdog.

The changes, for a Framework for Data Processing for Government, were quietly inserted at the Bill’s final committee stage in November – but soon faced a backlash from privacy groups, opposition parties and the Information Commissioner’s Office itself.

Critics were concerned that the new clauses granted the secretary of state broad powers to determine the content of the framework, while making it hard for the ICO to either challenge that content or even enforce data protection law.

In the most recent House of Lords debate on the Bill, Lord Ashton of Hyde – government minister for the Department for Digital, Culture, Media and Sport – moved to justify the framework.

“I hope that by the end I will be able to convince noble Lords that this is not quite as sinister as has been made out,” Ashton said in his opening remarks in the discussion.

However, he did then acknowledge the ICO’s concerns – the body said back in December that the new clauses “go beyond” their stated ambition and “create different risks”.

“I am not pretending that she [commissioner Elizabeth Denham] is completely happy with this… [but] it is one of the few areas in the whole Bill where that is the case,” Ashton said.

He acknowledged that the commissioner was “worried about complications regarding independence and the extent of her authority in this”, but denied that the wording undermined her authority.

“She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents,” he said.

Pressed by peers on what exactly this meant, he added:

“I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce.

“If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it.”

He emphasised that the clause’s use of the phrase “must take into account” meant that she should consider it, but was “not bound by the provision”.

Elsewhere in the debate, Ashton announced that the ICO would have pay flexibility – meaning it is not bound by strict civil service pay rules – up to 2020-21.

The aim is to ensure the ICO can afford to hire and retain data protection experts in a competitive field, especially as it will have more on its plate with the incoming General Data Protection Regulation.

The peers also accepted an amendment that aims to protect security researchers from a new offence for re-identifying anonymised data.

However, Lord Stevenson of Balmacara did flag up concerns raised by security researchers following the text of the amendment being released.

These relate specifically to the requirement that researchers report de-identification of data “without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.

Stevenson said during the debate: “That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say ‘where feasible’, but it puts a rather tight cordon around that.”

He added: “We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied [these clauses], which is a fairly high burden.

“All in all, we just wonder whether how this has been framed does the trick satisfactorily.”

Ashton said that he could not give an answer to these comments “off the top of my head”, but would “commit to taking those points back and having a look at them”.

The Bill has its third reading on Wednesday. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/15/data_protection_bill_ico_framework/

Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes

Oracle still has nothing to say about whether the Meltdown or Spectre vulnerabilities are a problem for its hardware.

Big Red today offered The Register another “no comment”, making it a notable absentee from Intel’s list of x86 vendors’ advisories on how to handle the twin problems.

Oracle of course also operates an x86 cloud, users of which The Register imagines would be keen to learn of any imminent disruptions or service degradation.

Big Red also had nothing to say about whether Spectre and Meltdown apply to its SPARC hardware. We also asked Fujitsu about its SPARC situation and the company told The Reg “We are in the process of checking the status. Details of updates will continue to be published by Fujitsu as they become available.”

But Oracle’s usual verbosity on software patches may have revealed the company’s x86 fix: the company’s preview of its quarterly patch dump due on Tuesday, January 16th, lists “Oracle X86 Servers, versions SW 1.x, SW 2.x” among the 97 products to be patched.


Operators of the Sun ZFS Storage Appliance have been urged to brace for a severity 10.0 fix, while users of Oracle’s Fusion Middleware, PeopleSoft, Oracle Retail, Virtualization, Communications Applications and the Supply Chain Suite have 9.8-rated flaws to fight.

Most of the patches are for applications*, but Solaris 10 and 11.3 made the list too, as did the Java Advanced Management Console and the Java ME SDK. ®

* Including Oracle’s Cruise Dining Room Management application, the Cruise Fleet Management application and the Cruise Shipboard Property Management System. Who knew those apps even existed?


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/15/oracle_still_silent_on_meltdown_but_lists_patches_for_x86_servers/

Intel puts security on the todo list, Tavis topples torrent tool, and more

Roundup The security world is still feeling the aftereffects of last week’s CPU design flaw disclosures, which continued to dominate the news this week, even amid the noisy CES jamboree in Las Vegas.

The Meltdown-slash-Spectre saga, broken by The Register last week, is still causing major headaches, not least for Intel. On Friday, Chipzilla’s CEO Brian Krzanich, under pressure over the company’s handling of the processor design flaws, issued an open letter to the industry.

He claimed Intel was committed to fixing things up, and had rolled out patches for 90 per cent of affected systems. What he left unsaid was that some of those patches are causing their own issues. He also acknowledged that the repairs could bring a performance hit, without saying how much.

“We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique,” he said. “We commit to provide frequent progress reports of patch progress, performance data and other information.”

That last line elicited some hollow laughter at The Reg offices. It wasn’t until Red Hat and Microsoft published slowdown figures, as well as a sea of complaints from punters deploying the much-needed patches, that Intel finally released its own numbers.

Signal/WhatsApp scare

Signal is the gold standard in the encryption market and WhatsApp is one of the most widely used communications channels in the world. This week, there was a report of flaws in the two systems.

German researchers at the Real World Crypto conference in Zurich presented details [PDF] about how they had found a way to add new participants to group chats on the two platforms. These ghost members of the group would be able to listen to and record all future messages and conversations between group members.

It sounds scary – the very reason people use these platforms (and Signal in particular) is for privacy. But if you read all the way through the research, the hack looks interesting but is almost unworkable in the real world.

For the WhatsApp crack to succeed, the attacker would need to take control of one of the machines providing the chat service, and add themselves to a group. Crucially, if a snoop added themselves to the group, all of its members would be notified, rather giving the game away.

The Signal hack was even harder. Without having to hack any servers, an attacker could add people to a group chat – but only if they knew the group session’s identifying number. This is a randomly generated 128-bit number, so good luck guessing it.

Tavis strikes again

Meanwhile, Tavis Ormandy, a member of Google’s Project Zero team, found an interesting little issue with popular open-source torrenting software Transmission.

Ormandy spotted that the Transmission protocol had a flaw that would allow a DNS rebinding attack. An attacker hosting a malware-laden page could use the flaw to alter a victim’s DNS server to launch a client-side script.

Transmission is vulnerable to this kind of attack, Ormandy found, and an attack was both quick and easy. Either code could be added to the machine using the website, or a special torrent could be inserted into the download stream to add larger chunks of code.

“I’ve verified it works on Chrome and Firefox on Windows and Linux (I tried Fedora and Ubuntu), I expect other platforms and browsers are affected,” Ormandy said. A patch has now been released.
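The standard defence against the DNS-rebinding class Ormandy describes is for a local service to check the HTTP Host header and refuse any request that does not name the service itself: a browser running a rebinding page keeps sending the attacker’s hostname in that header even after the name has been re-pointed at 127.0.0.1. The following is an added example of that check written for this page; it is not Transmission’s code and not the patch mentioned above, and the allowed names, the port 9091 and the two sample requests are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Names a local RPC service should answer to. Constructed defaults for this example;
# a real deployment adds whatever hostname its operator actually uses.
DEFAULT_ALLOWED = ("localhost", "127.0.0.1", "::1")


def split_host_port(host_header: str) -> Tuple[str, Optional[int]]:
    """Split an HTTP Host header into (host, port), accepting bracketed IPv6 literals."""
    h = host_header.strip()
    if h.startswith("["):                      # "[::1]:9091" or "[::1]"
        end = h.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = h[1:end], h[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        raise ValueError("malformed Host header")
    if h.count(":") > 1:                       # unbracketed IPv6 is ambiguous: reject
        raise ValueError("IPv6 literal must be bracketed")
    if ":" in h:
        host, port = h.split(":", 1)
        if not port.isdigit():
            raise ValueError("malformed port")
        return host, int(port)
    return h, None


def host_header_allowed(host_header: Optional[str],
                        allowed: Iterable[str] = DEFAULT_ALLOWED) -> bool:
    """True only if the Host header names this service directly.

    A rebinding page makes the browser fetch http://attacker.example:9091/, and
    the browser keeps sending "Host: attacker.example:9091" even after the name
    resolves to 127.0.0.1, so an exact-match allow list stops the request."""
    if not host_header:                        # HTTP/1.1 requires Host; treat absence as hostile
        return False
    try:
        host, _port = split_host_port(host_header)
    except ValueError:
        return False
    host = host.lower().rstrip(".")
    try:                                       # compare IP literals structurally so that
        ip = ipaddress.ip_address(host)        # "0:0:0:0:0:0:0:1" matches "::1"
    except ValueError:
        ip = None
    for name in allowed:
        name = name.lower().rstrip(".")
        if ip is not None:
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                continue                       # allowed entry is a hostname, not an IP
        elif host == name:
            return True
    return False


def handle_rpc(headers: Dict[str, str], allowed: Iterable[str] = DEFAULT_ALLOWED) -> int:
    """Minimal request gate for a local RPC endpoint: returns the HTTP status to send."""
    lookup = {k.lower(): v for k, v in headers.items()}
    if not host_header_allowed(lookup.get("host"), allowed):
        return 403                             # do not touch the RPC body at all
    return 200


# Constructed sample requests: a genuine local client, and a browser running a
# rebinding page whose hostname now resolves to 127.0.0.1.
LOCAL_CLIENT = {"Host": "localhost:9091", "Content-Type": "application/json"}
REBOUND_BROWSER = {"Host": "attacker.example:9091", "Origin": "http://attacker.example:9091"}

if __name__ == "__main__":
    print("local client:", handle_rpc(LOCAL_CLIENT))        # 200
    print("rebound browser:", handle_rpc(REBOUND_BROWSER))  # 403
```

The check is deliberately an exact-match allow list rather than a deny list: the attacker controls the name they register, so anything short of “this is one of the names I am actually reachable under” can be worked around. Note that the check does nothing for a service that binds to all interfaces and is reached by a real LAN name the operator forgot to add; that name simply has to be in the list.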

And finally, watch out for some new macOS malware doing the rounds: MaMi, which hijacks your DNS settings. Plus, here’s an in-depth look at that $100,000 payout Uber made to hackers who found its AWS private keys accidentally left on GitHub. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/13/security_roundup/

Feds may have to explain knowledge of security holes – if draft law comes into play

The US House of Representatives this week approved a bill that, given further legislative and executive branch support, will require the American government to account for its handling of software and hardware vulnerabilities.

The “Cyber Vulnerability Disclosure Reporting Act,” sponsored by Rep Sheila Jackson Lee (D-TX), requires the Department of Homeland Security to issue “a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures.”

The US government has not provided much detail about how it handles vulnerabilities that it becomes aware of, and advocacy organizations like the Electronic Frontier Foundation argue that more transparency is needed to debate the consequences of vulnerability research and disclosure.

“Perhaps the best thing about this short bill is that it is intended to provide some evidence for the government’s long-standing claims that it discloses a large number of vulnerabilities,” said EFF attorneys Nate Cardozo and Andrew Crocker in a blog post on Friday.

The US National Security Agency has said it discloses most of the vulnerabilities it finds, more or less.

“Historically, the NSA has released more than 91 per cent of vulnerabilities discovered in products that have gone through our internal review process and are made or used in the United States,” the agency said on its website in 2015, or so the Internet Archive’s Wayback Machine would have us believe.

The remainder, the NSA said, are either fixed by vendors before disclosure or are retained for national security reasons.

But Cardozo and Crocker insist evidence of such disclosures has been scarce, noting that Apple received its first vulnerability disclosure from the government in 2016.

When vulnerabilities are not disclosed in a timely manner, one of the risks is that they will be revealed by hackers, as the Shadow Brokers did with the NSA’s stockpile of flaws and related hacking tools. Another is that they will be independently discovered by those with malicious intent and used prior to public disclosure.

The Trump Administration’s approach to the issue involves a revision of the Vulnerabilities Equities Process (VEP), a classified policy put in place in 2010 and revealed several years later that attempts to balance the tension between cyber offense and defense requirements.

The 2017 revision offers an updated take on how government agencies should decide what gets revealed and what stays secret.

The Cyber Vulnerability Disclosure Reporting Act doesn’t really overlap with VEP, but if it survives the remaining legislative hurdles, it will ensure basic information about vulnerability handling gets circulated to lawmakers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/13/us_house_reps_security_holes/

Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains

Let’s Encrypt, an SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for HTTPS, said on Thursday it is discontinuing TLS-SNI validation because it’s insecure in the context of many shared hosting providers.

TLS-SNI is one of three ways Let’s Encrypt’s Automatic Certificate Management Environment (ACME) protocol validates requests for TLS certificates, which enable secure connections when browsing the web, along with the confidence-inspiring display of a lock icon. The other two validation methods, HTTP-01 and DNS-01, are not implicated in this issue.

The problem is that TLS-SNI-01 and its planned successor TLS-SNI-02 can be abused under specific circumstances to allow an attacker to obtain HTTPS certificates for websites that he or she does not own.

Such a person could, for example, find an orphaned domain name pointed at a hosting service, and use the domain – with an unauthorized certificate to make fake pages appear more credible – without actually owning the domain.

For example, a company might have investors.techcorp.com set up and pointed at a cloud-based web host to serve content, but not investor.techcorp.com. An attacker could potentially create an account on said cloud provider, and add an HTTPS server for investor.techcorp.com to that account, allowing the miscreant to masquerade as that business – and with a Let’s Encrypt HTTPS cert, too, via TLS-SNI-01, to make it look totally legit.

It sounds bonkers but we’re told some cloud providers allow this to happen. And that’s why Let’s Encrypt ditched its TLS-SNI-01 validation process.

Ownership

It turns out that many hosting providers do not validate domain ownership. When such providers also host multiple users on the same IP address, as happens on AWS CloudFront and on Heroku, it becomes possible to obtain a Let’s Encrypt certificate for someone else’s website via the TLS-SNI-01 mechanism.

On Tuesday, Frans Rosén, a security researcher for Detectify, identified and reported the issue to Let’s Encrypt, and the organization suspended certificate issuance using TLS-SNI-01 validation, pending resolution of the problem.

In his account of his proof-of-concept exploit, Rosén recommended three mitigations: disabling TLS-SNI-01; blacklisting .acme.invalid in certificate challenges, which is required to get a cert via TLS-SNI-01; and looking to other forms of validation because TLS-SNI-01 and 02 are broken given current cloud infrastructure practices.

AWS CloudFront and Heroku have since tweaked their operations based on Rosén’s recommendation, but the problem extends to other hosting providers that serve multiple users from a single IP address without domain ownership validation.

Late Thursday, after temporarily re-enabling the validation method for certain large hosting providers that aren’t vulnerable, Let’s Encrypt decided it would permanently disable TLS-SNI-01 and TLS-SNI-02 for new accounts.

Those who previously validated using TLS-SNI-01 will be allowed to renew using the same mechanism for a limited time.

“We have arrived at the conclusion that we cannot generally re-enable TLS-SNI validation,” said ISRG executive director Josh Aas in a forum post. “There are simply too many vulnerable shared hosting and infrastructure services that violate the assumptions behind TLS-SNI validation.”

Aas stressed that Let’s Encrypt will discontinue using the TLS-SNI-01 and TLS-SNI-02 validation methods. ®
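The validation step at the heart of this story, and the two provider-side checks Rosén recommended, are easiest to see in a small model. The following is an added example written for this page, not Let’s Encrypt’s, Detectify’s or any hosting provider’s code. It models a CA performing TLS-SNI-01 (connect to the IP the domain resolves to with the challenge name in the SNI extension, accept if the presented certificate lists that name), a shared host that routes connections by SNI, and a host-side policy that refuses `.acme.invalid` names and requires an ownership proof. The challenge-name derivation follows the ACME draft (SHA-256 of the key authorization, hex, split into two 32-character labels); the tenants, the IP address, the domain names from the article’s own example and the key authorization string are constructed.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple


def tls_sni_01_challenge_name(key_authorization: str) -> str:
    """Challenge hostname per the ACME draft's TLS-SNI-01: Z = hex(SHA-256(key
    authorization)); the client must answer an SNI of Z[0:32].Z[32:64].acme.invalid
    with a self-signed certificate carrying that name in its SAN."""
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


class SharedHost:
    """A hosting edge serving many tenants from one IP, routed by SNI.

    enforce_policy=False: any tenant may bind any hostname (the behaviour the
    article attributes to some providers). enforce_policy=True: refuse
    *.acme.invalid outright and require the tenant to have proven ownership."""

    def __init__(self, ip: str, enforce_policy: bool) -> None:
        self.ip = ip
        self.enforce_policy = enforce_policy
        self.routes: Dict[str, Tuple[str, List[str]]] = {}  # sni -> (tenant, cert SANs)
        self.verified: Dict[str, Set[str]] = {}             # tenant -> domains proven to the host

    def record_ownership_proof(self, tenant: str, domain: str) -> None:
        self.verified.setdefault(tenant, set()).add(domain.lower())

    def bind_sni(self, tenant: str, sni_name: str, cert_sans: List[str]) -> None:
        name = sni_name.lower().rstrip(".")
        if self.enforce_policy:
            if name == "acme.invalid" or name.endswith(".acme.invalid"):
                raise PermissionError("challenge names are never routable on a shared host")
            owned = self.verified.get(tenant, set())
            if not any(name == d or name.endswith("." + d) for d in owned):
                raise PermissionError(f"{tenant} has not proven ownership of {name}")
        self.routes[name] = (tenant, [s.lower() for s in cert_sans])

    def handshake(self, sni_name: str) -> Optional[Tuple[str, List[str]]]:
        """What a TLS client sending this SNI gets back: (tenant, SANs) or nothing."""
        return self.routes.get(sni_name.lower())


def ca_validate_tls_sni_01(domain: str, key_authorization: str,
                           dns: Dict[str, str], hosts: Dict[str, "SharedHost"]) -> Optional[str]:
    """The CA's check: resolve the domain, connect to that IP with the challenge
    name in SNI, accept if the returned certificate lists that name. Returns the
    tenant that answered (for the demo only); a real CA never learns which tenant
    it was talking to, which is exactly the assumption that breaks on shared hosts."""
    ip = dns.get(domain.lower())
    if ip is None or ip not in hosts:
        return None
    expected = tls_sni_01_challenge_name(key_authorization)
    answer = hosts[ip].handshake(expected)
    if answer is None:
        return None
    tenant, sans = answer
    return tenant if expected in sans else None


def run_scenario(enforce_policy: bool, requester: str) -> Optional[str]:
    """Constructed scenario from the article: techcorp serves investors.techcorp.com
    from a shared host and the orphaned name investor.techcorp.com points at the
    same IP; 'mallory' is an unrelated tenant. Returns which tenant the CA ends up
    validating investor.techcorp.com for, or None if validation fails."""
    host_ip = "203.0.113.10"                                 # documentation address
    dns = {"investors.techcorp.com": host_ip, "investor.techcorp.com": host_ip}
    host = SharedHost(host_ip, enforce_policy)
    host.record_ownership_proof("techcorp", "techcorp.com")  # only techcorp proved anything
    key_authorization = "constructed-token.constructed-account-key-thumbprint"
    challenge = tls_sni_01_challenge_name(key_authorization)
    try:
        # The requester serves the challenge cert under the challenge name, as any
        # ACME client would; on a permissive host no ownership check intervenes.
        host.bind_sni(requester, challenge, [challenge])
    except PermissionError:
        return None
    return ca_validate_tls_sni_01("investor.techcorp.com", key_authorization, dns, {host_ip: host})


if __name__ == "__main__":
    print("permissive host, other tenant:", run_scenario(False, "mallory"))   # mallory
    print("policy host, other tenant:", run_scenario(True, "mallory"))        # None
    print("policy host, rightful owner:", run_scenario(True, "techcorp"))     # None
```

The third case is why the method was retired rather than patched: once a host refuses to route `.acme.invalid` names, nobody on that host can complete TLS-SNI-01, the rightful owner included, and they have to fall back to HTTP-01 or DNS-01, both of which tie the proof to something only the domain owner controls (its HTTP content or its DNS zone) instead of to whatever happens to answer at a shared IP.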


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/13/lets_encrypt_certificate_drama/

Intel AMT security locks bypassed on corp laptops – fresh research

Updated Security shortcomings in Intel’s Active Management Technology (AMT) can be exploited by miscreants to bypass login prompts on notebook computers.

Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to break into almost any corporate laptop in a matter of 30 seconds or so, according to security biz F-Secure. The issue, which requires physical access to the targeted computer to exploit, is unrelated to the recent Spectre and Meltdown vulnerabilities.

The problem potentially affects millions of laptops globally.

AMT offers remote-access monitoring and maintenance of corporate-grade personal computers, allowing remote management of assets. Shortcomings in the tech have been discovered before, but the latest flaw is nonetheless noteworthy because of the ease of exploitation. “The weakness can be exploited in mere seconds without a single line of code,” F-Secure reported.

Setting a BIOS password, which normally prevents an unauthorised user from booting up the device or making low-level changes to it, does not prevent access to the AMT BIOS extension. This allows an attacker access to configure AMT and make remote exploitation possible.

Trivial

To sidestep the password prompts, all an attacker needs to do is power up the target machine, and press CTRL+P during boot. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password “admin”, as this is most likely unchanged on most corporate laptops. The attacker would then be free to change the default password, enable remote access, and set AMT’s user opt-in to “None”.

At this point, the crook would be able to gain remote access to the system as long as they’re able to insert themselves onto the same network segment as the victim’s machine. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.


The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, the senior security consultant at F-Secure who came across the oversight. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink,” he said. “The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.”

Laptop hijackings in an airport or coffee shop may also be possible in cases where a mark either leaves their system unattended or is distracted for a minute or two, perhaps by the accomplice of the hacker.

Sintonen and his colleagues at F-Secure have come across the issue repeatedly since early summer last year. A similar vulnerability, related to USB provisioning, was previously uncovered by CERT-Bund. The issue highlighted by F-Secure is distinct from that and other recent problems, the company confirmed, and relates to the insecure configuration and deployment of Intel AMT.

A large part of the problem is that enterprises are not following Intel’s guidance in practice, said F-Secure, adding that it was going public in order to draw attention to the issue.

“We discovered the issue this summer, and since discovering it, we have found it in thousands of laptops,” F-Secure told El Reg. “Despite there being information available for manufacturers on how to prevent this, manufacturers are still not following best practices, leaving vast numbers of vulnerable laptops out there. Organisations and users are left to protect against this themselves, but most don’t realise this is a problem. That is why it’s important to raise public awareness.”

F-Secure’s research indicates that some system manufacturers were not requiring a BIOS password to access MEBx. As a result, an unauthorised person with physical access to a computer in which access to MEBx is not restricted, and in which AMT is in factory default, could potentially alter its AMT settings.

El Reg understands that Intel began telling systems manufacturers to provide a system BIOS option to disable USB provisioning and to set the value to disable by default as far back as 2015. This guidance (PDF) was updated and reiterated last November.

F-Secure reports that despite all this guidance, insecure Intel AMT setups remain widespread:

While Intel has written extensive guides on AMT, they have not had the desired impact on the real world security of corporate laptops.

The issue affects most, if not all, laptops that support Intel Management Engine/Intel AMT. Chipzilla advises vendors to require the BIOS password when rolling out AMT. However, many device manufacturers do not follow this advice.

F-Secure recommends enterprises adjust the system provisioning process to include setting a strong AMT password, and disabling AMT if this option is available. Below is a video by F-Secure on its findings… ®

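Before an enterprise can act on F-Secure's recommendation (set a strong AMT password, or disable AMT where the option exists), it needs to know which machines expose AMT over the network at all. The script below is an added example, not code from F-Secure, Intel or The Register. It assumes the well-known ports of AMT's built-in web console (TCP 16992 plaintext, 16993 TLS; only the plaintext port is probed here) and treats a 401 reply carrying an HTTP Digest challenge whose realm begins with "Digest:", or a Server header naming Active Management Technology, as a reachable AMT interface. The banner strings, version number and loopback stand-in server are constructed so the example runs offline; point `audit_hosts()` at your own asset list instead. It reports only that AMT answers; whether MEBx is password-protected or AMT still sits at factory defaults is a check made at the machine itself.

```python
"""Inventory check for network-reachable Intel AMT web interfaces.

Added example (not the article's or vendor's code). Assumes AMT's web console
listens on TCP 16992 (HTTP) / 16993 (HTTPS) and answers unauthenticated
requests with an HTTP Digest challenge. All hostnames and banners are constructed.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

AMT_HTTP_PORT = 16992  # AMT web-UI plaintext port; 16993 is the TLS counterpart

_REALM_RE = re.compile(r'realm="([^"]*)"')


def classify_response(status, server_header, auth_header):
    """Decide from one HTTP response whether it looks like the AMT web console.

    Assumption: AMT replies 401 with a Digest challenge whose realm starts with
    "Digest:", and/or a Server header containing "Active Management Technology".
    """
    server_header = server_header or ""
    auth_header = auth_header or ""
    match = _REALM_RE.search(auth_header)
    realm = match.group(1) if match else None
    looks_like_amt = (
        "Active Management Technology" in server_header
        or (status == 401 and realm is not None and realm.startswith("Digest:"))
    )
    return {"amt": looks_like_amt, "server": server_header, "realm": realm}


def probe_amt(host, port=AMT_HTTP_PORT, timeout=3.0):
    """Probe host:port once and report whether an AMT web UI answers there."""
    result = {"host": host, "port": port, "reachable": False,
              "amt": False, "server": "", "realm": None}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        result["reachable"] = True
        result.update(classify_response(resp.status,
                                        resp.getheader("Server"),
                                        resp.getheader("WWW-Authenticate")))
    except (OSError, http.client.HTTPException):
        pass  # closed port, timeout or a non-HTTP service: nothing reachable
    finally:
        conn.close()
    return result


def audit_hosts(hosts, port=AMT_HTTP_PORT):
    """Return the probe results for every host where AMT answered."""
    return [r for r in (probe_amt(h, port) for h in hosts) if r["amt"]]


class _FakeAmtHandler(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for an AMT web UI so the example runs offline."""
    amt = True  # overridden per server by start_fake_server()

    def do_GET(self):
        if self.amt:
            self.send_response(401)
            # Constructed banner and version string, modelled on the AMT console's shape
            self.send_header("Server", "Intel(R) Active Management Technology 11.8.50")
            self.send_header("WWW-Authenticate",
                             'Digest realm="Digest:0123456789ABCDEF", nonce="constructed"')
        else:
            self.send_response(200)
            self.send_header("Server", "nginx")  # an ordinary web server, not AMT
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_server(amt=True):
    """Start a loopback HTTP server on an ephemeral port; returns (server, port)."""
    handler = type("Handler", (_FakeAmtHandler,), {"amt": amt})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_fake_server(server):
    """Stop the serve_forever loop and release the listening socket."""
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    srv, port = start_fake_server(amt=True)
    print(probe_amt("127.0.0.1", port))  # constructed stand-in, shows amt=True
    stop_fake_server(srv)
```

In a real rollout the interesting output is the list from `audit_hosts()` compared against the machines the provisioning process was supposed to have locked down; any host answering on 16992 that was not deliberately provisioned with a strong password is one to pull in for a MEBx review.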

Updated to add

A spokesperson for Intel has been in touch to tell us: “We appreciate the security research community calling attention to the fact that some system manufacturers have not configured their systems to protect Intel Management Engine BIOS Extension (MEBx).

“We issued guidance on best configuration practices in 2015 and updated it in November 2017, and we strongly urge OEMs to configure their systems to maximize security. Intel has no higher priority than our customers’ security, and we will continue to regularly update our guidance to system manufacturers to make sure they have the best information on how to secure their data.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/12/intel_amt_insecure/

How to Attract More Women Into Cybersecurity

A recent survey finds a number of attributes women seek in their careers can be found in a cybersecurity profession – the dots just need to be connected.

With the cybersecurity industry facing a shortfall of 1.8 million professionals by 2022, increased efforts are underway to find and train more infosec pros – especially women who, according to a Global Information Security Workforce Study, comprise only 11% of the cybersecurity workforce.

And although a number of challenges exist in attracting women and young girls to a cybersecurity career, a number of similarities exist between the attributes these women and young girls seek in a career and what the cybersecurity profession can offer, according to a recent survey by Kaspersky Lab and interviews with female cybersecurity pros.

In its global survey of approximately 2,000 females ages 16 to 21, Kaspersky’s report, “Beyond 11% – A Study Into Why Women Are Not Entering Cybersecurity,” found:

  • 72% want a career they can be passionate about
  • 83% do not believe a cybersecurity career would be dull
  • 23% want a career that can make a difference to society
  • 44% believe cybersecurity is helpful to society
  • 52% want a career that will enable them to earn a good salary

Median annual salary is $100,000 for cybersecurity staff members, according to a Dark Reading 2016 Security Salary Survey.

Career Passion

“Being passionate is important for any job,” says Ambareen Siraj, founder of the national Women in Cybersecurity (WiCyS) organization and an associate computer science professor at Tennessee Tech University. “Cybersecurity is a very dynamic field and you are always learning. If you want to be in a field that is always refreshed and you have a big thirst for learning, then you should consider cybersecurity.”

As for the 17% of survey respondents who believe a cybersecurity career would be boring, it comes down to a lack of understanding of the various roles in cybersecurity that can range from technical to training to developing policies, says Mari Galloway, director of finance and communications for the Women’s Society of Cyberjutsu.

Benefit to Society

A career in cybersecurity can make a difference in society, Galloway says.

“Take healthcare. So much technology is used to keep people alive. All it takes is one bad hacker to exploit a vulnerability in a hospital system and bring the whole operation down, potentially killing patients,” Galloway explains. “It’s the cyber professionals’ job to ensure things like this don’t happen.”

Noushin Shabab, senior security researcher with Kaspersky’s Global Research Analysis Team, says she was surprised by the low percentage of women and young girls who noted they wanted to make a difference in society with their career and believed that cybersecurity helped society.

“Despite the [23%] statistic, I feel deep down, a woman wants to make their mark in society,” Shabab says. “Hopefully with the hard work and efforts that women around the world are taking in today’s world, more women will feel empowered to make a difference in their respective societies. If women believe they can make an impact (big or small) this is already a big start to change how they feel about their careers.”

Salary and Job Security

Salaries are a big factor in women’s career choices but not the only deciding factor, Siraj says. Cybersecurity not only provides a good salary but, in many cases, infosec professionals are able to work from home and can relocate to a new job with relative ease, since there is virtually no unemployment in the industry, she adds.

Challenging Stereotypes

Despite these similar attributes that can be found in cybersecurity careers, it remains a challenge to attract women and young girls to the field, these cybersecurity professionals say.

“All that women hear about in the media is about the bad guys in cybersecurity. They don’t hear about the researchers who made a difference and helped society,” Siraj says. “In the movies and TV shows, cybersecurity professionals are portrayed as guys sitting in a dark room alone, surrounded by computers, and as highly intelligent nerds. That is not how most women want to view themselves.”

Shabab noted WannaCry, ExPetr and other large-scale cyberattacks may attract more women to the IT security field, rather than chase them away. These attacks proved cybersecurity is essential for every individual, home user, and enterprise – perhaps fueling a desire to pursue a cybersecurity career and protect what matters most to them, she adds.

A range of efforts is underway to dispel cybersecurity career stereotypes and educate young girls and women about the profession, these women note. Cyberjutsu Girls Academy, Girl Scouts, Black Girls Code, WiCyS, and others are providing information and role models, they add.

“What will bring more women in are seeing women at various levels making decisions, [girls] getting hands-on experience in STEM, cyber at a young age, providing equal opportunities for women to grow, and laying out a roadmap of potential career paths for young women to visualize where they can go,” Galloway says.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/careers-and-people/how-to-attract-more-women-into-cybersecurity---now/d/d-id/1330816?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple