STE WILLIAMS

APT Attacks on Mobile Rapidly Emerging

Mobile devices are becoming a ‘primary’ enterprise target for attackers.

How does it change security when the label we have for a device no longer describes what it does?

That was a key question Mike Murray, vice president of security intelligence at Lookout, addressed last week at Interop ITX in Las Vegas, in a session on the evolving mobile threat landscape. The label: “Mobile phone.” Because, as Murray pointed out, the device that lets us make phone calls isn’t really a phone anymore.

“The phone is no longer a phone; it’s an electronic device that has access to every part of our digital lives. Unfortunately, we still think of it and protect it like it’s a Motorola flip-phone,” Murray said. And that gap between what the device does and how it’s protected has led to our current situation: “Mobile has become not just a target, but the primary target in the enterprise,” he said.

It’s becoming the point of entry for many attacks. Murray pointed to the 2018 Verizon Data Breach Investigations Report, noting that phishing and smishing are the social attacks that convince many users to click on malicious links or download infected software. A dropper then installs, either silently or because the user clicks through, he said. “After that, they elevate privilege, install software, and perform espionage on the device,” Murray said.

Users’ willingness to download malicious software has led to the dawn of the mobile APT (advanced persistent threat) age, Murray said. He pointed to two specific actors, NSO Group and Dark Caracal, that are carrying out ongoing data-gathering campaigns against mobile devices.

Focusing on these two groups shows the breadth of the type of actors involved in mobile APT campaigns, Murray said. NSO Group is a $500 million per year software “arms dealer” based in Israel, while Dark Caracal is different. “Initially it looked like a couple of 18-year-old students had written the software,” he said. “When they looked at the targets, though, they found targets in 38 countries. When they looked at the data stolen, they found massive amounts of information that was taken.”

Both, though, show that mobile APT is evolving very differently than APT on PCs. “In the beginning, the PC attackers were not very good. The people attacking mobile devices are very, very good,” Murray said, meaning that defenders have much less time to learn from the attackers and build defenses than they did in the dawn of the PC APT wars.

The key, he explained, is that mobile defenders don’t have the luxury of waiting for an attack before they build a defense. “We don’t get to be organic in the mobile world,” Murray said. “We have to think about where the threats and vulnerabilities are, and what can be done to turn them into actual attacks.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/threat-intelligence/apt-attacks-on-mobile-rapidly-emerging/d/d-id/1331746?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Properly Framing the Cost of a Data Breach

The expenses and actions typically associated with a cyberattack are not all created equal. Here’s how to explain what’s important to the C-suite and board.

There is a lot of research, including Ponemon’s annual Cost of a Data Breach study, that does a good job of quantifying the average cost per record lost across a large sample. Ponemon’s research also provides some really interesting information on the difference between direct and indirect costs of a breach across multiple countries. It is a must-read for me every year as soon as it is released.

However, the challenge with leveraging current cost-of-a-data-breach reports at the organizations I work with is that this type of research, when applied, yields a graph of breach cost by size that is linear.

Chart 1: Sample data breach costs based on estimates from current studies. (Source: Jeremy Wittkop)

From my experience, such a graph does not reflect reality. It’s far too simple. What’s missing from traditional linear charts are at least two major inflection points that represent the escalation of awareness surrounding an organization’s breach.

Who Knows What, When?
All breaches incur a minimum cost related to identification and remediation, essentially a minimum cost of entry. This entry point is followed by a flattening curve until the size of the breach hits its first inflection point – organizational awareness. In addition, there are two thresholds that may cause a second and even a third inflection point. These thresholds relate to general public awareness and press coverage.

The trigger for a second inflection point is when security nerds like me pay attention, start talking about it, start writing about it, and begin using it as examples in presentations, podcasts and blogs. A third inflection point is triggered when a breach becomes big enough news that it hits the mainstream and everyone becomes aware of it. You can use different logical tests to determine whether a breach has hit mainstream, but I like the non-technical family member test. This is when my least security-minded or technically inclined family member starts asking me about a breach. At that point, I know it is a mainstream event.

The existence of these inflection points became apparent to me as I was reading an entertaining report in USA Today about the 20 most hated companies in the United States. As I scrolled up the list from the bottom, I passed Harvey Weinstein’s company, airlines that beat and bloodied their passengers, and companies that have experienced various public relations disasters. In the number one spot I found Equifax. Another article about Equifax described how the publicly traded company had lost 31% of its market capitalization, over $5 billion, since the breach.

Breaches that Increase Data Breach Costs
Another fun research project is to look at inflection points that reflect an increase in the cost of a data breach. For example, if you review Target’s topline sales in Q3, the year of the breach, and Q3, the year after, you will see a decline in sales of more than $1 billion, or 20%. This is in an industry sector that actually grew during the same period. So, while the initial breach occurred over a set period of time, the organization continues to experience longer-term effects.

Bottom line: if an organization does not properly disclose, does not know the extent of a breach, or isn’t forthcoming with information to the public, the additional negative publicity will increase the indirect costs related to a breach.

Chart 2: Data breach cost estimates as they actually happen. (Source: Jeremy Wittkop)

If a CIO, CISO or other person responsible for data security gives the rest of the executive team only damages derived from a cost per record, the executive team or board may not think about, or be able to visualize, how different types of incident would affect the organization financially. To do so, you must account for different categories of incident and what the inflection points represent. A minor event (Inflection Point 1: Security incident becomes more widely known) won’t gather much attention outside the organization and is often accidental. It typically can be contained with commonly available security tools and may not need to be reported externally.

The second type of event (Inflection Point 2: Security incident hits the mainstream.) occurs when organizations start to evaluate brand impact and the cost per record starts to increase. Most security professionals, for example, are familiar with the Deloitte breach, but most non-security people are not.

The final breach category (Inflection Point 3: Ongoing media coverage and remediation.) would likely make the nightly news and have a major impact on enterprise value. The majority of companies in the world do not hold enough data for a breach to rise to this level. However, for those that do, there are few security expenses that are not justified if they can materially reduce the likelihood of such an event.

I am not proposing that companies hide breach incidents from their clients. My point is that costs associated with events are not equal and do not follow a linear path. The type of incident, its size, overall impact, and the mitigation process all affect the actual cost of a breach, which is a concept that is critical for executive teams and boards to understand. As security professionals, we must spend more time trying to build and perfect realistic investment models, and less time cheapening our mission by sowing seeds of fear, uncertainty and doubt. All of that starts with calculating the true cost of a data breach.

Jeremy Wittkop is chief technology officer at Denver-based InteliSecure (http://www.intelisecure.com), where he leads a frontline team that investigates and ensures the integrity and functionality of every custom solution designed for its clients. He evaluates new offerings for …

Article source: https://www.darkreading.com/properly-framing-the-cost-of-a-data-breach-/a/d-id/1331702?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

350,000 cardiac devices need a security patch

The US Food and Drug Administration (FDA) last month approved a firmware patch for devices made by Abbott (formerly St Jude Medical) that are vulnerable to cybersecurity attacks and are at risk of sudden battery loss.

Some 350,000 patients are affected. The FDA is recommending that all eligible patients get the firmware update “at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.”

The cybersecurity vulnerabilities were found in Abbott’s radio frequency- (RF-) enabled implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds).

The latest update continues the effort Abbott began in August 2017 for its pacemakers and remote monitoring systems: the cybersecurity and battery performance updates issued then are now FDA-approved and available for implantable defibrillators.

The issues with St Jude Medical’s devices have been playing out for a while. In September 2016, the company sued Internet of Things (IoT) security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment.

In January 2017, five months after the FDA and the Department of Homeland Security (DHS) launched probes into claims that St Jude Medical’s pacemakers and cardiac monitoring technology were vulnerable to potentially life-threatening hacks, security consultants at Bishop Fox confirmed the validity of MedSec’s findings. The company begrudgingly stopped fighting and litigating, and issued security fixes.

The January updates were for the Merlin remote monitoring system, which is used with implantable pacemakers and defibrillator devices.

At the time, cryptographer Matthew Green, an assistant professor at Johns Hopkins University, described the pacemaker vulnerability scenario as the stuff of nightmares.

He put out a series of tweets on the matter, including these messages:

The summary of the problem is that critical commands: shocks, device firmware updates etc. should only come from hospital programmer 5/

Unfortunately SJM didn’t use strong authentication. Result: any device that knows the protocol (including home devices) can send these 6/

And worse, they can send these (potentially dangerous) commands via RF from a distance. Leaving no trace. 7/

Specifically, the devices use 24-bit RSA authentication, he said: “No, that’s not a typo.” Beyond the weak authentication, St Jude also included a hard-coded 3-byte fixed override code, Green said.

I’m crying now.
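To show concretely why a 24-bit modulus offers no authentication at all, here is an added example written for this page; it is not code from Abbott, St Jude Medical, MedSec or Matthew Green, and it says nothing about the real devices’ protocol. The key is constructed from two 12-bit primes so that the modulus is 24 bits wide, the size Green quotes; the primes, public exponent and the “command code” are assumptions chosen for illustration. An attacker who knows only the public key (n, e), which any device speaking the protocol must know in order to verify commands, recovers the private key by trial division and forges a valid signature:

```python
"""Why a 24-bit RSA modulus provides no authentication.

Added example (not from the article, Abbott, MedSec or Matthew Green). The key
is constructed here from two 12-bit primes so the modulus is 24 bits, the size
the article quotes; primes, exponent and command code are assumptions, not
values taken from any St Jude/Abbott device.
"""
import math

# Constructed 24-bit key: p and q are 12-bit primes, so n = p*q < 2**24.
P, Q = 4091, 4093
E = 65537
N = P * Q                       # 16744463, a 24-bit modulus

# Constructed command code standing in for a critical command (assumed value).
SHOCK_COMMAND = 0x0A0B0C


def factor_by_trial_division(n):
    """Recover the two prime factors of n by trial division.

    For a 24-bit n the loop runs at most ~2**11 iterations (odd candidates up
    to sqrt(n), about 4093), i.e. microseconds. For a 2048-bit modulus the
    same loop would need on the order of 2**1023 iterations, which is why
    properly sized RSA keys cannot be recovered this way.
    """
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is prime or not a product of two primes")


def private_exponent(p, q, e):
    """d = e^-1 mod phi(n), the standard RSA private exponent (Python 3.8+)."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_sign(message, d, n):
    """Textbook RSA signature (no padding); message must be < n."""
    assert 0 <= message < n
    return pow(message, d, n)


def rsa_verify(message, signature, e, n):
    """Textbook RSA verification: signature^e mod n == message."""
    return pow(signature, e, n) == message


def forge_signature(public_n, public_e, message):
    """Attacker side: knows only the public key (n, e), as any device that
    speaks the protocol would, and produces a signature the verifier accepts."""
    p, q = factor_by_trial_division(public_n)
    d = private_exponent(p, q, public_e)
    return rsa_sign(message, d, public_n)


def demo():
    """Returns (p, q, d, forged_signature, verifies_ok) for the constructed key."""
    p, q = factor_by_trial_division(N)
    d = private_exponent(p, q, E)
    sig = forge_signature(N, E, SHOCK_COMMAND)
    return p, q, d, sig, rsa_verify(SHOCK_COMMAND, sig, E, N)


if __name__ == "__main__":
    p, q, d, sig, ok = demo()
    print(f"n={N} factored as {p}*{q}; forged signature {sig} verifies: {ok}")
```

The point of the example is the asymmetry Green is objecting to: the “secret” half of a 24-bit key is recoverable from the public half faster than the verifier can check a signature, so signatures prove nothing about who sent the command. A hard-coded 3-byte override code is no better, since its whole space is 2^24 (about 16.7 million) values, small enough to enumerate over the air.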

To date, there have been no known reports of patients being harmed due to security vulnerabilities, either in the Merlin systems or in the ICDs and CRT-Ds covered in the most recent security advisory. Here’s the list of those devices:

  • Current
  • Promote
  • Fortify
  • Fortify Assura
  • Quadra Assura
  • Quadra Assura MP
  • Unify
  • Unify Assura
  • Unify Quadra
  • Promote Quadra
  • Ellipse

Fortunately, the update doesn’t entail open-heart surgery, though it does require an in-person visit to a healthcare provider’s office; it can’t be done from home via Merlin.net. The firmware update takes three minutes, during which the device operates in backup mode, pacing at 67 beats per minute.

Abbott said that with any firmware update, there’s always a “very low” risk of an update glitch. Based on the company’s previous firmware update experience from an August 2017 pacemaker firmware release and the similarities in the update process, Abbott said that installing the updated firmware on the ICDs and CRT-Ds could potentially result in the following malfunctions:

  • Discomfort due to backup VVI pacing settings
  • Reloading of the previous firmware version due to an incomplete update
  • Inability to treat ventricular tachycardia/fibrillation while in back-up mode
  • Device remaining in back-up mode due to an unsuccessful update
  • Loss of currently programmed device settings or diagnostic data

The FDA said that no patients were harmed in that August 2017 firmware update. About 0.62% of the devices experienced an incomplete update and remained in the back-up pacing mode, but in all of those cases the devices were restored to the prior firmware version or received the update successfully after Technical Services intervened.

The FDA says that an update to the programmer should reduce the frequency of these minor update issues. Also, a small percentage (0.14%) of patients complained of diaphragmatic or pocket stimulation, or general discomfort for the time that the device was in the back-up pacing mode. There haven’t been any cases reported to Abbott where the device remained in back-up mode following an attempted firmware update.

UPDATE: 8 May 2018. This story was updated to correct the number of devices affected and the fact that this update was for implantable defibrillators.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JKJnLFCGhkM/

Tuesday review – the hot 21 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TpZgggE4lfY/

The Man on the Train: Caught with his phishing loot

How does it end for phishing attackers who get caught?

In a case that’s been working its way through the British courts since last September, the unusual answer is in the first-class carriage of a train travelling between Wales and London.

That’s where police apprehended Grant West, 25, as he logged into an AlphaBay dark web account using a laptop belonging to his girlfriend, which police had been tracking as it hopped across IP addresses.

Police needed to pounce there to catch the accused in the act – ‘hands on keyboard’, as it were. The arrest was even caught on the train’s CCTV.

The laptop was found to contain the financial data of 100,000 people, supplemented by another 63,000 credit and debit card numbers later discovered on an SD card at West’s home.

The latter also stored 78 million user names and passwords connected to a string of phishing attacks carried out against the customers of 200 companies, including Apple, Uber, Sainsbury’s, Groupon, Nectar, Ladbrokes, Asda, Argos, AO.com, Coral Betting, the British Cardiovascular Society, and T-Mobile.

What finally led police to West was a large and prominent phishing campaign against customers of the Just Eat food delivery service in the summer of 2015.

This offered recipients a bogus £10 reward for filling in a customer satisfaction survey, the lure that led them to a phishing site which captured their account credentials.

It might sound like the sort of routine phishing attack that fills inboxes every day, but it worked well enough to compromise the personal details of 165,000 accounts over several months.

These were sold on the dark web as ‘fullz’, slang for a complete set of records that could be used to commit fraud.

It’s not clear how much customers lost but it reportedly cost Just Eat £200,000 ($271,000) despite its systems not being breached.

It got bad enough that during late 2015 some wondered aloud whether Just Eat had suffered a data breach.

The sale of credentials helped West amass Bitcoin worth £500,000 (now £1.5 million), which became the first ever virtual currency to be seized by London’s Metropolitan Police.

West has admitted 10 offences and will be sentenced on 27 May.

The case offers plenty to think about, including how easy phishing attacks are when criminals understand how to find their way around the dark web.

This allowed an individual to pull off a one-man crimewave based on knowledge and contacts rather than advanced hacking skills.

The ease with which money can be squirreled away in pseudonymous accounts holding Bitcoins that banks never see is another well-worn theme.

Police were keen to underline that Bitcoins and the dark web are far from impregnable. Said the Met’s DCS Michael Gallagher:

There was a myth that Bitcoin in particular, and crypto-currencies more generally, was anonymous and it was also a myth that people can operate with impunity on the dark web and remain anonymous.

While true, it still took a lot of investigative effort on a single attack to catch West, after a lot of damage had already been done.

One down, untold numbers of others left to find.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/w0ZpXFePFu4/

Budget Android manufacturer Blu settles with FTC over privacy fiasco

Last July, Amazon suspended sales of the ultra-cheap Android phones made by Blu after mobile security firm Kryptowire demonstrated that the phones were still collecting data and sending it to servers in China without telling their users.

Kryptowire had first noticed in 2016 that Blu phones were calling home to China, sending user data every 72 hours, all without users being informed or opting in.

As of July 2017, the data (still) included browser histories, call logs, text message metadata (phone number with timestamp), phone subscribers’ International Mobile Equipment Identity (IMEI) numbers, International Mobile Subscriber Identity (IMSI) numbers, Wi-Fi MAC Addresses, lists of installed applications, and lists of applications used with timestamps.

Well, Blu phones are now back on Amazon, still nice and cheap. They start at $39.99.

But now there are repercussions beyond Kryptowire’s Black Hat 2017 presentation on the data extraction, and they could get a bit more painful than $39.99 per handset if Blu doesn’t shape up.

Namely, the Federal Trade Commission (FTC) has come to a proposed settlement with Blu over the issue. At this stage, the proposed settlement doesn’t carry any fines. But if Blu were to violate the final FTC settlement order, the company could be looking at a civil penalty of up to $41,484 per incident.

Here’s the FTC’s complaint. In it, the commission alleges that Blu and its co-owner and president, Samuel Ohev-Zion, misled consumers, stating that third-party collection of data was limited to only that needed to perform requested services. The FTC alleges that Blu also falsely let on that it had implemented the physical, electronic, and managerial procedures that would protect consumers’ personal information.

Blu, based in Florida, contracted with the third-party firm ADUPS Technology (in 2016 its full name was Shanghai Adups Technology Co. Ltd.) to issue security and operating system updates to its devices. But, just as Kryptowire had found, ADUPS sent far more data than that: according to the FTC complaint, it sent the full content of people’s text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed on Blu devices.

Besides shipping off all that personally identifiable information (PII), the ADUPS firmware could also:

  • Identify specific users and text messages matching remotely defined keywords
  • Bypass the Android permission model
  • Execute remote commands with escalated (system) privileges
  • Remotely reprogram devices

The collected information was wrapped in multiple layers of encryption (with a decryption key that Kryptowire analysts found in plaintext), then sent to a server in Shanghai. None of this raised flags with mobile anti-virus tools, which presume that software pre-installed on a device isn’t malware and hence give it the green light.

Back in 2016, nobody was quite sure if the data-mining was being done for ad-slinging or potentially for spying on behalf of the Chinese government.

ADUPS pointed to the ad-slinging explanation. In a document it provided to Blu executives to explain the problem, it said the collection was not a bug but a big mistake: ADUPS had intentionally designed the software to help a Chinese phone manufacturer monitor user behavior, and that version of the software was never intended for American phones.

The FTC complaint alleges that Blu and Ohev-Zion failed to put in security procedures to keep an eye on the security practices of the company’s service providers; failed to have written data security procedures regarding service providers; and failed to adequately assess the privacy and security risks of third-party software installed on Blu devices. Also, preinstalled ADUPS software contained “common security vulnerabilities that could enable attackers to gain full access to the devices,” the FTC alleged.

In November 2016, when the data-nabbing first came to light, Blu issued a statement about ADUPS having updated its software. Blu claimed that the service provider had stopped all that surprising data collection.

Wrong-o, the FTC alleges: Blu did, in fact, let ADUPS keep right on hoovering up the data on its older devices.

The proposed settlement prohibits Blu and Ohev-Zion from “misrepresenting the extent to which they protect the privacy and security of personal information” in the future. It also requires them to “implement and maintain a comprehensive security program that addresses security risks associated with new and existing mobile devices and protects consumer information.” For the next 20 years, Blu’s also looking at third-party assessments of its security program every two years. Its record-keeping and compliance will also be monitored.

The FTC has published the proposed consent agreement package on the Federal Register. It will be up for public comment until 30 May, after which the FTC will decide whether to finalize what is now a proposed consent order. You can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.

Once the FTC has issued the final consent order, it carries the force of law with respect to future actions. Each violation could lead to a civil penalty of up to $41,484.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EykzGIDCdBw/

Pentagon orders military exchanges to pull Chinese smartphones over security risks

The Pentagon has banned the sale of Chinese phones at military exchanges over security risks, it said on Wednesday.

Spokesman Maj. Dave Eastburn told Stars and Stripes that the Department of Defense’s (DOD’s) undersecretary for personnel and readiness issued a ban of “all Huawei and ZTE cellphones, personal mobile internet modems and related products from locations worldwide.”

More from his emailed statement:

Given the security concerns associated with these devices, as expressed by senior US intelligence officials, it was not prudent for the Department’s exchange services to continue selling these products to our personnel.

Military personnel haven’t been banned from using the Chinese phones yet, but that may well come: Eastburn said the DOD is “evaluating the situation” to see whether more security measures such as an outright ban might be needed.

In the meantime, they should keep an eye on the headlines, he said:

Servicemembers should be mindful of the media coverage about the security risks posed by the use of these devices, regardless of where they were purchased.

This is par for the course. Chinese companies Huawei and ZTE have a history of being telecoms non gratae.

In 2012, the US House of Representatives issued a report recommending that the firms be banned because of concerns over spying. A year-long investigation had shown that the companies had maintained close ties to the Chinese Communist Party and People’s Liberation Army back home while trying to expand their US businesses.

ZTE was also found to have violated a US embargo on technology sales to the Iranian government: in 2010, ZTE helped ship software and hardware from US companies including Oracle, Microsoft and Cisco for use in building what was described as a $130m nationwide surveillance system.

Lawmakers on 9 January, 2018, introduced the Defending US Government Communications Act (H.R. 4747), which would prohibit federal agencies from contracting with an entity that uses telecom gear or services from Huawei, ZTE, or any other entity thought to be under China’s thumb.

A companion bill of the same name, the Defending U.S. Government Communications Act, was filed in the Senate on 7 February.

Also in February, the heads of the FBI, NSA and CIA all testified to Congress that they and their organizations don’t use Huawei or ZTE phones or products. They also warned others against doing so.

The hearing influenced the Pentagon’s decision to ban Huawei and ZTE phone sales from military exchanges, according to what Eastburn indicated to FCW, a publication that covers the business of federal technology.

During a 2 May Pentagon news conference, Navy Secretary Richard Spencer gave more details on the Chinese phone ban: according to FCW, he alluded to testimony from a 19 April Senate Armed Services committee hearing, where it was revealed that the DOD had put a recent contract award on hold when officials realized Huawei would be one of the subcontractors.

FCW quoted Spencer:

The mobile phone ban was due to the location devices more than anything else – the ability to be located.

That’s definitely worth worrying about. We’ve already seen troop locations given away inadvertently: in November, fitness app Strava posted its impressive Global Heat Map, which plots the activity history of the software’s tens of millions of active users. That’s a lot of data: 17bn miles jogged or cycled and three trillion GPS data points over two years.

As we reported in January, a student soon looked more closely at the heat map’s coverage of countries such as Afghanistan and Syria, noticed vast dark areas dotted with small islands of user activity, and tweeted about it; other users pointed out that those islands might coincide with the locations of US military personnel in places the DOD doesn’t necessarily want made public.

That was inadvertent intelligence gathering done by taking a close look at publicly available location data. With the Chinese phone ban and other regulations and pending bills, the US government is of course concerned with purposeful data theft.

Huawei spokespeople have repeatedly denied that their devices carry security risks. Nonetheless, Eastburn said, the company’s equipment might pose “an unacceptable risk to [the] department’s personnel, information and mission.”

During the February hearing, FBI Director Christopher Wray testified that Huawei’s products enable the Chinese government to covertly gather or alter sensitive corporate and military information. The concern about the company’s products first focused on routers, switches and other high-bandwidth commercial products, and later expanded to include consumer mobile phones, which are already banned for most official government use.

Huawei also makes personal mobile internet modems, called pucks, which in recent years it’s sold to US troops at a coalition base near Irbil, the capital of Iraq’s Kurdish region. Military.com reports that some soldiers may have purchased similar devices made by ZTE.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NDRDjGpDefU/

Equifax reveals full horror of that monstrous cyber-heist of its servers

Equifax has published yet more details on the personal records and sensitive information stolen by miscreants after they hacked its databases in 2017.

The good news: the number of individuals affected by the network intrusion hasn’t increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant’s ongoing audit of the security breach.

In February, in response to questions from US Senator Elizabeth Warren (D-MA), Equifax agreed that card expiry dates and tax IDs could have been among the siphoned data, but it hadn’t yet worked out how many people were affected.


Late last week, the company gave the numbers in letters to the various US congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America’s financial watchdog.

As well as the – take a breath – 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million addresses and 209,000 payment cards (number and expiry date) exposed, the company said 38,000 American drivers’ licenses and 3,200 passport details were lifted too.

The further details emerged after Mandiant’s investigators helped “standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen.”

The extra data elements, the company said, didn’t involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

The cyber-break-in occurred because Equifax ran an unpatched and therefore insecure version of Apache Struts, something it blamed on a single employee.

At February’s RSA conference in San Francisco, Derek Weeks of Sonatype claimed “thousands” of companies continued to download vulnerable versions of Struts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/

Android P to improve users’ network privacy

The forthcoming Android P release will protect the operating system’s network processes against snoops and nasties.

Android’s problem lies in a directory inherited from Linux, the source of Android’s kernel and its key structures: /proc/net.

In a commit to the Android Open Source Project, Google’s Jeffrey Vander Stoep began the apparently prosaic process of “locking down /proc/net”.

As the commit explained: “Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs.”

Like Linux, Android uses the /proc filesystem to expose internal (that is, process) information to userspace processes. The kernel writes the information to virtual files in virtual directories under /proc – and this includes networking information under /proc/net.

The folder gives programs important information about interfaces, connections, hosts’ IP addresses and more, but much of that information is sensitive. In Android, any app can read /proc/net without telling the user and without requesting any permission.

The change will require audits of a number of processes that have more access to /proc/net than they should: the storage daemon, zygote (the parent process of user apps), the clatd IPv4-IPv6 daemon, the logging daemon, the vold (volume daemon) and others.

It’s no surprise, then, that with so many processes able to access /proc/net, apps can abuse it.

As Mishaal Rahman wrote at XDA-Developers, /proc/net doesn’t provide access to comms content – but IP addresses, for example, are valuable to advertisers.

And valuable to bad actors too: an app carrying malware can, for example, watch /proc/net for attempts to connect to security websites.
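To make concrete what the file exposes, here is an added example (not code from the commit or from either article) that decodes entries in the /proc/net/tcp format into readable endpoints, states and owning uids. The sample lines are constructed in the file’s layout rather than captured from a device, and the addresses and uids in them are placeholders.

```python
"""Decode /proc/net/tcp lines to show what an unprivileged reader learns."""
import socket
import struct

# TCP state codes as written by the kernel in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in the real file's column layout (not captured from a device).
# Row 0: a local listener on 127.0.0.1:8080 owned by uid 1000.
# Row 1: an established connection from 10.0.2.15 to 203.0.113.7:443 owned by
#        uid 10123, the uid range Android assigns to ordinary apps.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3D4 077100CB:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into ('a.b.c.d', port).

    The address is the 32-bit value printed in host byte order (little-endian
    on ARM and x86), so the bytes are reversed relative to dotted-quad order.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket: local/remote endpoint, state and owning uid."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        entries.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]),  # on Android this identifies the app
        })
    return entries


if __name__ == "__main__":
    for entry in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(entry)
```

Every remote IP address, port and owning app uid in the table is visible to any reader of the file, which is the leak the commit sets out to close.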

The other key components of the lockdown include adding a proc_net_type attribute to SELinux, to protect privileged processes’ access to the file; VPN apps will be protected with a proc_net_vpn attribute, so they don’t stop working.

The commit says Android’s developers will audit “all other proc/net access for apps.”

The XDA Developers post notes that securing users will be a slow process: “For compatibility purposes, it appears that apps targeting API levels < 28 will still have access for now. This means that until 2019 when apps will have to target API level 28, most apps will still have unrestricted access.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/08/android_p_will_improve_users_network_privacy/

Equifax reveals full horror of its data breach

Equifax has published yet more detail on the data lost in its now-infamous 2017 data breach.

The good news: the number of individuals affected in the breach hasn’t increased from the 146.6 million it previously announced, but extra data records turned up in Mandiant’s ongoing audit of the breach.

In February, in response to questions from Senator Elizabeth Warren, Equifax agreed that card expiry dates and tax IDs could have been among the lost data, but it hadn’t yet worked out how many people were affected.


Late last week, the company gave the numbers in letters to the various congressional committees investigating the breach, and on Monday, it filed the letter with the SEC.

As well as the (take a breath) 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address records and 209,000 payment cards (number and expiry date) breached, the company says there were also 38,000 US drivers’ licenses and 3,200 passport details.

The further details emerged after Mandiant’s investigators helped “standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen.”

The extra data elements, the company said, didn’t involve any individuals not already known to be part of the breach, so no additional consumer notifications are required.

The breach occurred because Equifax ran an unpatched version of Apache Struts, something it blamed on a single employee.

At February’s RSA conference in San Francisco, Derek Weeks of Sonatype claimed “thousands” of companies continued to download vulnerable versions of Struts (video below). ®

Youtube Video


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/