STE WILLIAMS

Proposed Canadian cyber law – anti-bullying or pro-snooping?

The Canadian government recently put forward a new set of cyber laws designed to prevent online bullying.

The proposed legislation immediately drew howls of outrage from all corners, accusing the government of simply reviving its previous failed attempt at introducing draconian state snooping in a new disguise.

So, what’s really going on with Bill C-13?

The bill was announced by Canada’s Justice Minister Peter MacKay on November 20th, nicely coinciding with Anti-Bullying Week in the UK.

Referred to as the “Protecting Canadians from Online Crime Act”, the legislation is seen as a direct response to the deaths of Canadian cyberbullying victims Rehtaeh Parsons and Amanda Todd, both of whom committed suicide following online harassment, as, tragically, have many others.

The opening section of the bill seems to address this issue fairly directly, making it a criminal offence to publish or otherwise distribute “intimate images” without consent, with a potential punishment of up to five years imprisonment.

Even this part is not without controversy, however. Some commentators suggest that it would cover far more than the malicious online bullying, harassment and defamation it is aimed at, citing public-interest publication as well as frivolous or unintentional posting of pictures that could be seen as intimate.

Others have suggested it fails to properly understand and address the issues faced by young internet users, calling for more proactive rather than purely punitive intervention, while still others contend that the “consent” requirement may not cover the likes of “revenge porn” where images may have been taken with consent but later distributed.

Revenge porn is an area specifically targeted by new and planned laws in other jurisdictions, including California.

It is the rest of Bill C-13 that most commentators have taken issue with though.

In the summary of the bill, only the first of six key points refers directly to its ostensible main subject of cyber-bullying, while the rest detail additional powers to be granted to investigators, to access, monitor and record information on suspected digital criminals.

Much of this content seems to be recycled from the Canadian government’s previous attempt at getting this legislation, 2012’s Bill C-30, known as the “Protecting Children from Internet Predators Act” and introduced as an attempt to battle online paedophilia.

This seems to reveal a pattern of hiding these provisions under the cover of a clearly worthwhile effort to protect young people, although Bill C-30 was originally (and rather more honestly) entitled the “Lawful Access Act”, in reference to the added access rights it would have granted to police.

One Canadian minister went as far as claiming that those who opposed the bill stood on the side of child pornographers. Bill C-30 was killed after public outcry at the snooping powers it would have granted.

This was back in 2012, before the whole Snowden/NSA debacle heightened public awareness of just how much governments may be intruding into their privacy online.

Canadian legal experts point out that the new bill retreads much the same ground, although some of the most widely criticised components have been removed, including warrantless access to subscriber information from phone and internet providers, and a requirement that ISPs build interception capabilities into their systems.

The new powers that remain in Bill C-13 include granting immunity to anyone who hands over personal information to the police, as long as there is no explicit ban on passing on such information. In effect, police can approach anyone they think may hold data of interest and ask to see it, with no requirement that they have any particular reason to want it.

The data holders will not be obliged to comply without a warrant, but they will not be penalised if they do hand over information.

Where warrants are required, most seem to demand only that the police have “reasonable grounds to suspect” some sort of wrongdoing, rather than the more usual and considerably stricter “grounds to believe”.

New warrants proposed include ones allowing access to metadata and location information from suspects’ devices and service providers, and letting the police avoid telling people that they have been subject to such intrusions.

There are also tweaks to sections of law covering what could be loosely called “hacking”, including accessing systems or intercepting data or passwords without authorisation, as well as making or owning hardware or software designed to access for-fee services without paying (previously only hardware was covered), and creating tools which might facilitate hacking.

All in all there seems to be quite a lot here worth worrying about. There is doubtless some worthwhile content in the bill, but the way it has been put together looks at best misguided, at worst duplicitous.

Not only are there many points which remain little changed from the previous highly controversial outing, they have once again been buried inside a bill which, for all its worthiness, now looks like little more than a cloak under which to hide the nastier content.

The bill has been up for debate in the Canadian parliament over the last week. It has already drawn comment from the Canadian Privacy Commissioner, and a campaign to fight the provisions has been launched.

Given the reaction the last time these powers were proposed, and the increased profile of privacy issues in the last six months or so, it seems likely that the Canadian government will face another barrage of indignation at their latest attempt to sneak in-depth snooping powers into law.


Image of Canada eye and Big Brother courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cU5YUsgEOIw/


Stuxnet 2 in the works, claims Iranian news agency


Hold the front page: Saudi Arabian and Israeli spy agencies are developing a worm more powerful than Stuxnet to sabotage Iran’s nuclear program again, after meeting in Vienna last week.

Sound a little far-fetched? Well, stranger things have happened but this particular yarn comes from Iran’s FARS news agency, thought to have strong ties to the country’s Revolutionary Guard, so a healthy dose of scepticism is probably advised.


Citing “an informed source close to the Saudi secret service”, the agency claims that the November 24 meeting was held to “increase the two sides’ cooperation in intelligence and sabotage operations against Iran’s nuclear program”.

“One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet to spy on and destroy the software structure of Iran’s nuclear program,” the source told FARS, adding that the $1m plan was welcomed by the Saudis.

The two sides had apparently set off on this hardline course after being frustrated by a warming of relations between the US and Iran and a deal struck between the Islamic Republic and the US, UK, Russia, China, France and Germany.

This November 24 deal, branded a “historic mistake” by Israel, will see Iran agree to halt some of its nuclear activities in return for around £4bn in sanctions relief.

The yarn certainly plays to the paranoia and FUD so often present in coverage of the Middle East, but it’s unlikely that Israel would want to anger its allies in Washington by jeopardising the recent rapprochement with Iran.

Unless, that is, the idea is to have the malware all ready to go in case there’s a sudden breakdown in talks.

A final thought: FARS lifted almost word-for-word an entire Onion story last year claiming most rural US voters would rather hang out with former Iranian president Mahmoud Ahmadinejad than Barack Obama.

The agency’s editorial judgement was called into question again this year after it posted a story claiming an Iranian boffin had invented a time machine. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/03/fars_stuxnet_2_saudi_arabia_israel/


Cloud Providers Reveal More Big Data Analytics to Enterprises

Cloud services aim to simplify the implementation and management of business applications, a goal that has generally worked well for security services. Yet, simplified interfaces and aggregated data can often hide the details that management needs to make decisions about attacks.

Responding to customers’ requests for more access to security-event data, cloud providers are exposing customer-specific aspects of their massive data sets to help businesses better defend themselves. Cloud security firm Incapsula, for example, announced last month that it would start delivering to each customer their servers’ performance and attack metrics in real time. The company takes millions of transactions across 15 data centers, brings them into a central data repository, organizes them and then displays the data relevant to each customer. The data can be used by businesses to better react to certain types of attacks, such as application-layer denial-of-service attacks, says Marc Gaffan, co-founder and vice president of business development for the company.

“Now, our end user can see, in real time, the transactions hitting their network,” he says. “This gives them the visibility to work with us, and be more self-sufficient.”

Cloud security providers are finding that their customers want more data. For many companies, learning that a threat was blocked is no longer enough. More sophisticated enterprise customers want deeper access to the data on which a decision is based, so they can investigate the incident themselves and determine if they need to take further action.

In some ways, the trend is an adjustment in the cloud services model, says Dean De Beer, chief technology officer for malware-analysis-as-a-service platform ThreatGRID. Companies moved to security-as-a-service to simplify a complex set of processes, but that does not mean that they do not want access to the data on attacks or malware targeting their networks, he says.

“The ability for people to really make a difference in the environment without having to have the expertise to set up the infrastructure, it’s huge,” he says, adding that companies need to give the sophisticated users of their services as much information as they need to do their job. “The end user is saying that they want this data and vendors need to provide it.”

[With employees using hundreds of cloud services, companies need a greater ability to monitor the services for anomalous activities. See Services Offer Visibility Into Cloud Blind Spot.]

Another cloud security firm that has opened the curtains to reveal certain facets of its large datasets is OpenDNS. The company has modified its cloud-based domain name service to go beyond blocking or allowing traffic, and now offers companies the ability to gather additional details about the domains to which traffic is flowing.

Called Security Graph, the service lets customers of OpenDNS’s Umbrella service dig down into the data and determine, for instance, whether an attack is part of a mass, opportunistic probe or a targeted attempt to compromise the business. In an opportunistic attack, the company will be one of many OpenDNS customers whose machines attempt to reach a specific malicious server; in a targeted attack, the company may account for the lion’s share of traffic to that server, says Dan Hubbard, chief technology officer for OpenDNS.

“If you see a machine beaconing out to a domain, a cloud solution would say, this is blocked as malware,” he says. “With that sort of response, there is not enough information to determine if this is an attacker looking for Paypal credentials or is this someone exfiltrating data to a Chinese network.”
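The targeted-versus-opportunistic distinction Hubbard describes is, at bottom, a share-of-traffic calculation: for each blocked domain, compare how much of the resolver's total traffic to that domain comes from one customer against how much comes from everyone else. The script below is an added illustration of that logic, not OpenDNS or Umbrella code; the log format (timestamp, customer id, queried domain, verdict) and the sample lines are constructed for the example, and the 50% share and minimum-count thresholds are assumptions a real service would tune.

```python
from collections import Counter, defaultdict

# Constructed sample resolver log (not real OpenDNS data). Assumed format:
# "<timestamp> <customer_id> <queried_domain> <verdict>"
SAMPLE_LOG = """\
2013-12-02T10:00:01Z acme bad-updates.example block
2013-12-02T10:00:03Z acme bad-updates.example block
2013-12-02T10:00:04Z acme bad-updates.example block
2013-12-02T10:00:05Z acme bad-updates.example block
2013-12-02T10:00:06Z acme bad-updates.example block
2013-12-02T10:00:07Z acme bad-updates.example block
2013-12-02T10:00:08Z acme bad-updates.example block
2013-12-02T10:00:09Z acme bad-updates.example block
2013-12-02T10:00:10Z acme bad-updates.example block
2013-12-02T10:00:11Z globex bad-updates.example block
2013-12-02T10:01:00Z acme mass-phish.example block
2013-12-02T10:01:01Z globex mass-phish.example block
2013-12-02T10:01:02Z initech mass-phish.example block
2013-12-02T10:01:03Z umbrella-corp mass-phish.example block
2013-12-02T10:01:04Z hooli mass-phish.example block
2013-12-02T10:01:05Z acme www.example.com allow
"""


def parse_blocked(log_text):
    """Yield (customer, domain) for every line whose verdict is 'block'.
    Malformed lines are skipped so one bad record cannot stop the report."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, customer, domain, verdict = parts
        if verdict == "block":
            yield customer, domain.lower().rstrip(".")


def domain_stats(records):
    """Per blocked domain, a Counter of block events keyed by customer."""
    stats = defaultdict(Counter)
    for customer, domain in records:
        stats[domain][customer] += 1
    return stats


def classify(per_customer, customer, share_threshold=0.5, min_total=5):
    """Classify one customer's relationship to one blocked domain.

    'targeted' when the customer supplies at least share_threshold of all
    blocked traffic to the domain; 'opportunistic' when it is one of many
    sources; 'insufficient-data' when the domain has too few events overall
    for a share to mean anything (thresholds are assumed, not vendor values)."""
    total = sum(per_customer.values())
    mine = per_customer.get(customer, 0)
    if mine == 0:
        return "not-seen"
    if total < min_total:
        return "insufficient-data"
    return "targeted" if mine / total >= share_threshold else "opportunistic"


def classify_for_customer(log_text, customer, **thresholds):
    """Map each blocked domain this customer touched to its classification."""
    stats = domain_stats(parse_blocked(log_text))
    return {
        domain: classify(counts, customer, **thresholds)
        for domain, counts in stats.items()
        if customer in counts
    }


if __name__ == "__main__":
    for cust in ("acme", "globex"):
        print(cust, classify_for_customer(SAMPLE_LOG, cust))
```

Note that the same domain can be "targeted" for one customer and "opportunistic" for another: in the sample, acme produces nine of the ten blocks for bad-updates.example, while globex's single hit to it looks incidental. The minimum-count guard matters because a customer that is the only one to ever resolve a domain trivially owns 100% of its traffic; a resolver with few customers, or a domain seen only a handful of times, cannot support the inference.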

While using Big Data analytics for security has garnered a great deal of attention, it typically requires staff with specialized knowledge to successfully implement. Because of their expertise in dealing with large datasets, cloud providers can excel at providing meaningful access to the data, says Incapsula’s Gaffan.

“I think Big Data analytics and security analytics are a core competency for cloud service providers,” he says. “They can immediately identify a certain pattern and give companies visibility into the data.”


Article source: http://www.darkreading.com/services/cloud-providers-reveal-more-big-data-ana/240164385


From Cyber Monday to Christmas shopping, ’tis the season to be careful

The popularity of online shopping continues to grow every year as cash-strapped consumers discover the savings that can be made in comparison to traditional brick and mortar retailers.

At this time of year, as we search for Cyber Monday bargains and prepare for Christmas, it is also rather tempting to enjoy the comfort of shopping from our own homes and not have to battle the seasonal queues.

But shopping on the web is not always a perfect experience as many consumers discover to their cost.

Last Christmas, for example, shoppers in the UK lost over £12m, according to Action Fraud, the City of London Police and Get Safe Online who are warning consumers to take extra care when shopping for tablets, games consoles, electrical items and other gifts online.

Tony Neate, CEO of Get Safe Online said:

£12.4m is a huge amount of money to be lost to online fraud but unfortunately, it’s the type of figure I see every year. The problem is, scams change and adapt as trends come and go. They have also become more sophisticated as we get wiser to what is and isn’t legitimate so it’s understandable that people sometimes get caught out.

Action Fraud, run by a government agency known as the National Fraud Authority, received more than 10,000 reports of online fraud and auction site scams over the Christmas period. On average, the victims of these crimes lost over £1,700 each.

One of the reasons why so many people were duped last year may have been the fact that the fraudsters were well aware of which items were going to be popular. Rip-offs and scams centred on smartphones, games consoles, Apple products and items of designer clothing.

Other gift ideas such as jewellery, watches and precious metals were also used as bait in various online cons.

This year the list of popular gift ideas is likely to be very similar and so shoppers should be extra vigilant when considering buying any of the above. Particular attention should probably be given to the next gen consoles that have just been announced – the PS4 and Xbox One are both in short supply and in huge demand which will surely be a combination that online fraudsters will find hard to resist.

So, what can you do to ensure that you are not a victim at this time of year?

Action Fraud, Get Safe Online and the City of London Police have listed out ten tips:

1. Trust your instincts – if an offer looks too good to be true it usually is. Legitimate popular technology and designer items are rarely discounted.

2. Check the URL in the web browser. Don’t be fooled by spoof websites where the address is slightly different.

A while back we deliberately misspelled the addresses of many popular websites to see what we’d find; the results are in a video on the SophosLabs YouTube channel.

3. Ensure the website address begins ‘https’ at the payment stage – this indicates a secure payment.

4. Don’t access links in unsolicited emails, always type in the website address or use a search engine to find a site.

5. Only deal with reputable sellers – only use sites you know or ones that have been recommended to you.

6. Avoid paying by money transfers direct to people you don’t know. Use an online payment option such as PayPal, which helps to protect you.

7. Watch out for pop-ups appearing asking you to confirm your card details before you are on the payment stage. Never enter your PIN number online.

8. If your bid for an online auction item is unsuccessful, don’t be tempted to trade off-site if another seller approaches you with a similar item. This is likely to be a scam and you won’t be covered.

9. Keep security software and firewalls up-to-date. Regularly update your internet browser when a new patch (security update) is released.

10. Keep receipts and check these against your statement – if you spot a transaction you did not authorise speak to your card company immediately.
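Tips 2 and 3 above (look for addresses that are only slightly different from the real one, and insist on https at the payment stage) can be turned into a mechanical check. The script below is an added example, not code from Action Fraud, Get Safe Online or Sophos: it takes a URL, confirms the scheme is https, and compares the hostname against a small list of expected retailer domains, flagging hostnames that differ from a known domain by a character or two, or that embed a known brand name inside some other domain. The known-domain list and the edit-distance cut-offs are assumptions chosen for the example.

```python
from urllib.parse import urlparse

# Assumed list of domains the shopper actually intends to pay on.
KNOWN_DOMAINS = ("paypal.com", "amazon.co.uk", "ebay.co.uk")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_known(host, known_domains=KNOWN_DOMAINS):
    """Return {'kind': 'known'|'lookalike'|'unknown', 'of': matched domain}."""
    core = host[4:] if host.startswith("www.") else host
    # Exact match or a legitimate subdomain of a known domain.
    for known in known_domains:
        if core == known or core.endswith("." + known):
            return {"kind": "known", "of": known}
    labels = core.split(".")
    for known in known_domains:
        brand = known.split(".")[0]
        # Brand name used as a label (or inside one) of a different domain,
        # e.g. paypal.com.secure-checkout.example, or a one-character
        # variation of the brand label, e.g. paypa1.
        if any(brand in lbl or levenshtein(lbl, brand) <= 1 for lbl in labels):
            return {"kind": "lookalike", "of": known}
        # Whole-hostname near miss, e.g. a dropped or swapped character.
        if levenshtein(core, known) <= 2:
            return {"kind": "lookalike", "of": known}
    return {"kind": "unknown", "of": None}


def assess_payment_url(url, known_domains=KNOWN_DOMAINS):
    """Apply tips 2 and 3: list the reasons a shopper should stop and look again."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    warnings = []
    if parsed.scheme != "https":
        warnings.append("not-https")
    match = match_known(host, known_domains)
    if match["kind"] == "lookalike":
        warnings.append("lookalike:" + match["of"])
    elif match["kind"] == "unknown":
        warnings.append("unknown-domain")
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample URLs; the lookalike hosts are invented for the example.
    for u in (
        "https://www.paypal.com/checkout",
        "http://www.paypal.com/checkout",
        "https://www.paypa1.com/login",
        "https://paypal.com.secure-checkout.example/login",
        "https://shop.example.org/pay",
    ):
        print(u, assess_payment_url(u))
```

An empty warning list means the address is a known domain served over https; anything else is a cue to type the address by hand or use a search engine, as tip 4 advises. The substring test on brand names is deliberately crude and can misfire on short brands that occur inside ordinary words, so keep the known-domain list to distinctive names; https on its own only says the connection is encrypted, not that the site is who it claims to be, which is why the hostname check sits alongside it.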

Security Minister James Brokenshire said that although the UK government is working to reduce online crime, the public need to play their part in ensuring they don’t fall victim to festive scams:

We are taking the fight to cyber criminals with the newly created National Cyber Crime Unit, which is part of the National Crime Agency.

But the public should also stay vigilant to ensure they don’t lose their hard-earned money on fakes and frauds. Following straightforward steps while shopping online will help the public to avoid cyber fraudsters.

Shoppers can find great bargains online ahead of Christmas and this time of year provides a welcome boost to retailers. But shoppers should remember if something looks too good to be true it often is.

By following the tips above you can minimise the risk of becoming an online fraud victim but if you, or anyone you know, has fallen for any type of online con you can report the matter to Action Fraud in the UK, or if you’re in the US you can find out who to report the crime to on the Department of Justice website.

Looking ahead to January, the Government will be taking steps to increase online confidence amongst members of the public as well as small and medium-sized businesses. The campaign, designed to help organisations and individuals make simple changes to their online behaviour, will be funded and supported by private sector partners including Sophos whose CFO, Nick Bray, commented:

As the UK’s leading cyber security company, we are both delighted and proud to support the government in this and other cyber security initiatives. Improving cyber security is a national imperative and Sophos is committed to working with both government and industry to ensure this happens.


Image of scam alert courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kV0Sw2VEGyk/

Privacy is alive! Seattle eatery tells Google Glass user where to stick his spectacles…

If you follow technology gossip, you probably saw the fuss kicked up last week by a Seattle resident called Nick Starr, who went into a local 24-hour diner wearing Google Glasses.

Those, in case you missed them, are the creepy streaming-video spectacles from Google that seem to have little practical purpose other than to intrude unrelentingly into the privacy of everyone who comes within eyeshot.

Indeed, the device (which is a nightmare of cardinality to start with, because spectacles are one of those curiously plural English singular nouns, while computers are not) has already spurred the amusingly apposite epithet glasshole.

That word describes those whose self-awarded sense of entitlement to wear their Glasses when out and about greatly exceeds the sense of discomfort and distrust those same Glasses provoke in the people around them.

Anyway, according to reports, Starr not only took exception to the diner’s laudable insistence that he take his Glasses off – for the sake of everyone else, and because, hey, the restaurant isn’t a public place – but went on a glassholic rant on Facebook to urge that the staff member who told him where to go should be sacked.

Starr apparently also ranted that the diner had lost business as a result of its killjoy attitude, because he had now shelved his plans to go there with his partner for Thanksgiving – glassed up, one assumes, so as not to miss a minute of his own self-importance.

We say “according to” and “apparently” because Mr Starr’s Facebook post, to which many stories direct us to learn about his outspoken views on privacy and why we need a lack of it, is not public.

You’ll have to log in to read it:

The Lost Lake Cafe and Lounge, Open 24 Hours, on the other hand, is not so coy about its opinion of glassholitude, and has served public notice on Starr and his ilk to show them where to stick their spectacles:

We recently had to ask a rude customer to leave because of their insistence on wearing and operating Google Glasses inside the restaurant. So for the record, here’s Our Official Policy on Google Glass:

We kindly ask our customers to refrain from wearing and operating Google Glasses inside Lost Lake. We also ask that you not videotape anyone using any other sort of technology. If you do wear your Google Glasses inside, or film or photograph people without their permission, you will be asked to stop, or leave. And if we ask you to leave, for God’s sake, don’t start yelling about your “rights”. Just shut up and get out before you make things worse.

We imagine that this sort of showdown will become ever more prevalent as always-on recording devices create a digital divide between those who dismiss privacy as outmoded in the 21st century, and those who feel strongly that it should be respected as part of civil society.

So, expect an ongoing argument between the privacy deniers, like Scott McNealy, then CEO of then-company Sun Microsystems, who famously said, “You have zero privacy… Get over it,” and Eric Schmidt, then CEO of Google, who respected privacy so much that he banned CNET reporters from Google for 12 months for publishing information about him that they had found using his company’s search engine.

(Indeed, that’s the same Google that makes the Glasses.)

In the meantime, our guts are telling us that the Lost Lake Cafe and Lounge, Open 24 Hours, stands to gain much more in the way of publicity and business from unashamedly saying “No” to glassholes than it would from Google Glass users who might otherwise drop in to film themselves eating, say, Blackened Northwest Salmon, grilled with lemon and topped with fresh dill, served with seasonal vegetables and simple green salad, $13.00.

And if you don’t like it (the ban on Google Glasses, not the Blackened Northwest Salmon), then, in the words of Lost Lake Cafe and Lounge, Open 24 Hours, Capitol Hill, 1505 Tenth Avenue, Seattle WA, “We reserve the right to refuse service to anyone.”

Still, it wouldn’t hurt for Lost Lake to put some decent coffees on the menu – espressos and ristrettos, for instance.

Maybe it’s just that I speak British English, but “drip” as an adjective for anything – especially coffee – doesn’t make me want to consume it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mEtBGRj4BeA/

Targeted Attacks Spotted Exploiting Microsoft XP Zero-Day

Researchers late last week discovered targeted attacks in the wild exploiting a previously unknown kernel vulnerability in Microsoft XP. Security experts say the attacks may be a sign of things to come as attackers home in on the older operating system, which Microsoft will no longer support as of April 2014.

One-fifth of all operating systems in use today are Windows XP machines, according to Microsoft, and XP machines are six times more likely to be infected by malware, even though Windows 8 and XP actually encounter the same volume of malware. That, and the fact that there will be no more patches for the 12-year-old operating system as of April 8, are making XP an even more attractive target for cyberespionage actors and, ultimately, traditional cybercriminals.

The newly discovered zero-day flaw actually involves both XP and Windows 2003, but the attacks seen in the wild by researchers at FireEye only appear to exploit XP. On its own, the local privilege escalation bug in the kernel of both OSes can’t compromise a remote system, but it can be used on an already-hijacked system to execute the malware or other attacks.

The attacks rely on the victim opening a malicious PDF file to infect them, according to Dustin Childs, group manager for response communications with Microsoft’s Trustworthy Computing group. “These limited, targeted attacks require users to open a malicious PDF file. While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy” workarounds, he says, which Microsoft included in a Security Advisory issued on Thanksgiving eve.

FireEye researchers Xiaobo Chen and Dan Caselden say the exploit targets a patched bug in Adobe Reader 9.5.4, 10.1.6, 11.0.02, and earlier versions on Windows XP SP3, so users running updated Reader software are safe. “The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP,” they wrote in a blog post. “Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it.”

[Nearly half of the 1 million machines managed by enterprise mobility management firm Fiberlink for its clients are XP systems. See Windows XP Holdouts Hold On.]

These latest zero-day attacks are just the tip of the iceberg in attacks to come for XP, security experts say. “I think we’ll see a whole group of people looking at XP vulnerabilities,” says Wolfgang Kandek, CTO at Qualys. “I don’t think XP is going to be very defendable for two to three months after it stops getting updated.”

Kandek says it won’t take much effort, either, to find new flaws in XP. Attackers can merely extrapolate some flaws in XP from patches to Internet Explorer 7, for example.

The new local privilege escalation attack basically performs an Adobe PDF sandbox escape, he says. This multiple-vulnerability chain approach is becoming popular in many new attacks, he says, mainly thanks to tighter software security features like ASLR and others that make exploitation more difficult. “Most attackers need to chain together multiple vulns. I think this is in that spirit,” he says of the new attack. “The attackers now send you a document with a PDF vulnerability. They need to chain another [exploit] to it to become administrator” on the targeted machine, he says.

Microsoft did not provide any additional details on the nature of the targeted attacks or the victims, but Kandek says it has all the earmarks of an advanced persistent threat (APT)-style attack. “My feeling is that it was used in an APT targeted attack,” he says. And next it will be exploited by mainstream attackers and become more widespread, as is the typical progression of zero-days, he says.

Meanwhile, Microsoft has issued a recommended workaround for the flaw while it prepares a patch: rerouting the NDProxy service to Null.sys. FireEye suggests upgrading to the latest version of Adobe Reader and migrating the operating system to Windows 7 or higher.
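As an added example (not from the article and not Microsoft’s own advisory text), a PowerShell 2.0-compatible script that reports whether the NDProxy driver’s ImagePath already points at null.sys, applies the reroute while backing up the original value, and reverts it once the real patch is installed. The registry location and the null.sys ImagePath value are my assumptions about how the workaround is implemented, so check them against Microsoft’s advisory before use; while NDProxy is rerouted, RAS, dial-up and VPN stop working until the change is reverted.

```powershell
# Added example, not from the article or from Microsoft: check, apply and revert the
# "reroute NDProxy to Null.sys" workaround on Windows XP / Server 2003.
# Assumptions: NDProxy is registered under the standard services key below and the
# workaround consists of pointing its ImagePath at null.sys, as the article summarises.
# Run from an elevated PowerShell; a reboot is needed for an ImagePath change to take effect.

$NdProxyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
$NullSysPath = 'system32\drivers\null.sys'          # value the workaround installs
$BackupFile  = "$env:SystemRoot\ndproxy-imagepath.bak"

function Get-NdProxyStatus {
    # Returns 'Mitigated' when ImagePath already points at null.sys, otherwise 'Vulnerable'.
    $imagePath = (Get-ItemProperty -Path $NdProxyKey -Name ImagePath).ImagePath
    if ($imagePath -match 'null\.sys$') { return 'Mitigated' }
    return 'Vulnerable'
}

function Enable-NdProxyWorkaround {
    # Save the original ImagePath so the change can be undone once the patch is installed.
    $original = (Get-ItemProperty -Path $NdProxyKey -Name ImagePath).ImagePath
    if ($original -match 'null\.sys$') { Write-Host 'Workaround already applied.'; return }
    Set-Content -Path $BackupFile -Value $original
    Set-ItemProperty -Path $NdProxyKey -Name ImagePath -Value $NullSysPath -Type ExpandString
    Write-Host "ImagePath set to $NullSysPath (was: $original). Reboot to apply."
}

function Disable-NdProxyWorkaround {
    # Restore the saved ImagePath after the security update has been deployed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile; cannot revert." }
    $original = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
    Set-ItemProperty -Path $NdProxyKey -Name ImagePath -Value $original -Type ExpandString
    Remove-Item -Path $BackupFile
    Write-Host "ImagePath restored to $original. Reboot to apply."
}

# Report the current state; call Enable-/Disable-NdProxyWorkaround explicitly as needed.
Write-Host "NDProxy workaround status: $(Get-NdProxyStatus)"
```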


Article source: http://www.darkreading.com/attacks-breaches/targeted-attacks-spotted-exploiting-micr/240164381

SSCC 126 – Zero