STE WILLIAMS

What Meltdown and Spectre Mean for Mobile Device Security

Here are four tips to keep your mobile users safe from similar attacks.

There’s no question we’re still on high alert from Meltdown and Spectre. The fear and uncertainty have been unsettling for everyone, and it will take a while for things to calm down as patches are released — and recalled — for desktop operating systems. The month of March brought with it expanded patching efforts by Microsoft for the two flaws.

Mobile OS Differences
There’s less talk of the situation on the mobile side. From a perception standpoint, things may seem more settled. But significant underlying risks remain, and mobile as a threat vector should definitely not be overlooked. Understanding Meltdown and Spectre developments specific to mobile is an important step toward proper defense.  

For starters, mobile operating systems don’t have the ability to make the “push-pull” types of patching moves we’ve seen for Meltdown and Spectre on traditional endpoints. Advice like “Push the patch out. No, roll it back because we found there might be some issues with performance” on the traditional endpoint side — that doesn’t translate to mobile.

Meltdown/Spectre Patching Progress for Mobile
When it comes to iOS, Apple has released patches specifically for Meltdown and mitigations against Spectre. Sending out updates to Safari seems to be Apple’s solution for how to handle Spectre. Google has followed suit with the same course of action to address both flaws.

There are specific challenges associated with how changes make their way through the Android ecosystem, however. Our company’s global threat data consistently shows that well over two-thirds and — depending on timing — up to 80% of Android devices are running out-of-date operating systems. Meanwhile, our data shows about 25% to one-third of devices running iOS are using out-of-date versions.

Now that patches are out for Meltdown and Spectre, it’s a matter of whether companies update their employees’ devices and whether, on the Android side of things, the updates percolate all the way through the Android ecosystem.

For Better or Worse, Mobile Users Are in Control
One of the biggest differences between traditional and mobile endpoints is that there is no such thing as a patch management system when it comes to mobile. If you talk to enterprise IT security people, chances are they will tell you the single greatest security risk to a company is a carbon-based life form — aka, a human being. For traditional endpoints, you’ve got a patch management system and then centrally managed antivirus, centrally managed network firewalls, etc. All of these investments take IT control out of the hands of end users and give it to security pros, who are trained to defend against this weak (human) link in the security chain.     

Mobile flips the model on its head. With mobile devices, you take the same users who make bad-enough mistakes as it is with all of the abovementioned network security precautions — and you give them full control over a small supercomputer (that is, their mobile device). You say, “You’re the admin for it; you’re responsible for deciding what networks you’re going to go in and out of, what apps you’re going to download, and, as your employer, I’m totally beholden to you to update your devices.”

Stay Protected
When it comes to getting protected, IT pros and companies should keep the following four tips in mind:

  • For any device entering corporate networks, implement the ability to determine the OS version.
  • Create a communication plan to encourage users to upgrade whenever new patches are available. Send this information out via email and text, and also in-line to out-of-date devices as they enter your network.
  • Consider limiting or prohibiting access to certain key resources from out-of-date devices to encourage patching.
  • Implement solutions that can detect exploit attempts, rogue Wi-Fi networks, and malicious apps.
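
The four tips above describe a policy; as an added example (not code from the article or from Zimperium), here is a small Python access-gateway check that implements the first three. It determines a device’s OS version from the User-Agent string it presents to a captive portal, compares it with a minimum-version table, and returns an allow/restrict/block decision together with the in-line notice to show the user. The minimum versions, the sample User-Agent strings and the function names are constructed for this example, not taken from the article; a device whose OS cannot be identified is treated as unverified rather than allowed.

```python
"""Device OS-version posture check for a network access gateway (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Placeholder policy: the oldest OS release the organisation still accepts on
# each platform. Constructed values; take real ones from your own patch baseline.
MINIMUM_VERSION: Dict[str, Version] = {
    "ios": (11, 2, 2),
    "android": (8, 0, 0),
}

ALLOW, RESTRICT, BLOCK, UNKNOWN = "allow", "restrict", "block", "unknown"

# iOS User-Agents carry "CPU iPhone OS 11_2_6" (iPhone) or "CPU OS 11_2_6" (iPad).
_IOS_RE = re.compile(r"(?:iPhone|iPad|CPU) OS (\d+)_(\d+)(?:_(\d+))?")
# Android User-Agents carry "Android 8.1.0" or just "Android 7.0".
_ANDROID_RE = re.compile(r"Android (\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_os(user_agent: str) -> Optional[Tuple[str, Version]]:
    """Extract (platform, version) from a mobile browser User-Agent.

    Returns None when the platform cannot be identified, so the caller can
    treat the device as unverified instead of silently letting it through.
    """
    for platform, pattern in (("ios", _IOS_RE), ("android", _ANDROID_RE)):
        match = pattern.search(user_agent)
        if match:
            major, minor, patch = (int(g or 0) for g in match.groups())
            return platform, (major, minor, patch)
    return None


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


@dataclass
class Decision:
    platform: str
    version: Optional[Version]
    action: str
    message: str  # in-line notice shown to the user as the device joins (tip 2)


def evaluate(user_agent: str) -> Decision:
    """Apply the minimum-version policy to one device joining the network."""
    parsed = parse_os(user_agent)
    if parsed is None:
        # Tip 1 in reverse: if the OS version cannot be determined, the device
        # gets no more trust than a known out-of-date one.
        return Decision("unknown", None, UNKNOWN,
                        "Could not determine your OS version; access is "
                        "restricted until the device is verified.")
    platform, version = parsed
    minimum = MINIMUM_VERSION[platform]
    if version >= minimum:
        return Decision(platform, version, ALLOW, "")
    notice = (f"Your {platform} {fmt(version)} device is out of date. Update to "
              f"{fmt(minimum)} or later to regain full access.")
    # A whole major release behind: block key resources outright (tip 3).
    # Same major release but missing point/security updates: restrict only.
    action = BLOCK if version[0] < minimum[0] else RESTRICT
    return Decision(platform, version, action, notice)


def fleet_summary(user_agents) -> Dict[str, Dict[str, int]]:
    """Count devices and out-of-date devices per platform; the Android and iOS
    percentages the article quotes are exactly this kind of ratio."""
    summary: Dict[str, Dict[str, int]] = {}
    for ua in user_agents:
        decision = evaluate(ua)
        if decision.action == UNKNOWN:
            continue
        bucket = summary.setdefault(decision.platform, {"devices": 0, "out_of_date": 0})
        bucket["devices"] += 1
        if decision.action != ALLOW:
            bucket["out_of_date"] += 1
    return summary


# Constructed User-Agent strings standing in for devices hitting a captive portal.
SAMPLE_JOINS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15",
    "Mozilla/5.0 (iPad; CPU OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7",
    "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2) AppleWebKit/537.36",
    "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36",
    "Mozilla/5.0 (Linux; Android 8.0.0; Nexus 5X) AppleWebKit/537.36",
    "curl/7.58.0",
]

if __name__ == "__main__":
    for ua in SAMPLE_JOINS:
        d = evaluate(ua)
        shown = fmt(d.version) if d.version else "-"
        print(f"{d.action:8} {d.platform:8} {shown:8} {d.message}")
    print(fleet_summary(SAMPLE_JOINS))
```

The User-Agent is only one posture signal and is trivially spoofable by a hostile device; in production the version would come from an MDM or device-attestation report, with the same comparison and decision logic applied to that input.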

JT Keating, Vice President of Product Strategy at Zimperium, has brought software and mobile communications solutions to market for 25 years. Being passionate about security, he helped define and create multiple innovative approaches, including application whitelisting at …

Article source: https://www.darkreading.com/mobile/what-meltdown-and-spectre-mean-for-mobile-device-security/a/d-id/1331653?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

No, Mark Zuckerberg isn’t messaging you about winning a Facebook lottery

Do you really think Mark Zuckerberg is going to personally message you in the middle of the night to tell you that you’ve won $750,000 in a Facebook lottery?

No? Well, you read security blogs, so let’s instead turn our attention to people who don’t, because they’re the juicy prey that hundreds of fake Zucks and fake Sheryl Sandbergs are targeting.

Not including fan pages and satire accounts—which are OK with Facebook policies—the New York Times has found 205 accounts impersonating Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg on Facebook and Instagram.

At least 51 of the impostor accounts the newspaper spotted, including 43 on Instagram, were lottery scams.

Cut some slack for those who fell for one of the frauds. One victim, retired forklift driver and Army veteran Gary Bernhardt, asked us to consider: Is it that hard to believe that Zuck himself would message you?

After all, this is the hands-on guy who last year set himself a challenge to visit all the US states he’s never been to. And, during the tour, to work on a car assembly line, hang out with a fireman in Indiana, feed a calf, drive a tractor, have lunch with farmers, and speak with recovering opioid addicts.

Bernhardt told the Times that he was up until dawn, trading messages with whoever was pretending to be the young billionaire. The faux Zuck told him that in order to get at his winnings, he’d first need to send in $200 in iTunes gift cards.

Bernhardt picked up some gift cards at a gas station and sent the redemption codes to the scammer’s account. That was in November 2017. By January, he still didn’t have his lottery winnings, but the imposter had bled him for another $1310. He told the Times that the money represented about a third of his Social Security checks over three months.

The Times claims that these imposter accounts are proliferating, in spite of Facebook groups that track scams and complaints about imposter accounts that date back to 2010. You can see sample Facebook lottery hoaxes on Hoax Slayer and other debunking sites.

Stealing a photo of a famous CEO or COO or, really, anybody who has photos online is plenty easy. So is cooking up a variation on the names of the sheep whose skins the wolves put on.

The Times found accounts for many variations on the name “Mark Elliot.” (Zuck’s middle name is Elliot.) Ditto for Sandberg, or, as the crooks like to call her and hope you’ll swallow, Sherryl Sandbarg, Sherryl Sandbeerg or similar name-twists.

Times reporter Jack Nicas came up with these fake accounts, among many others, after Facebook recently said that up to 3%—or 60 million—of its accounts are fake:

The Times reported its findings to Facebook. A day later, the company took down all 96 fake Zuckerberg and Sandberg accounts. All but one of the 109 Instagram fake accounts were left up, but they too came down after the Times published its report.

Facebook spokesman Pete Voss thanked the newspaper for its report, though he couldn’t explain why Facebook hadn’t spotted scam accounts made to look like its top executives, including some that were up for more than eight years.

Voss:

It’s not easy. We want to get better.

The real photos and the twisted names all give the come-ons an air of authenticity if you don’t look closely, or if you’re one of the demographics the fraudsters target. Namely, after interviewing a half dozen recent victims, the Times found that the scams are working with older, less educated and low-income people.

The imposters’ believability is bolstered by networks of other sham accounts posing as “Facebook claim agents”, a title made to make it sound as if, sure, there really is such a thing as a Facebook lottery.

The Times talked to Robin Alexander van der Kieft, who manages several Facebook groups that track the scams. He said that the fake accounts, several of which he’s traced to Nigeria and Ghana via IP address, share their scam victories with each other.

Facebook has admitted that all these fake accounts are a problem. During the recent testimony he gave to the Senate, Zuckerberg told Sen. Dianne Feinstein that his team would have to get back to her about “tens of thousands of fake accounts” and whether they could be “specifically” attributed back to Russian intelligence.

In a January post on Facebook, Zuckerberg said that the company had nearly doubled the number of humans who review content for all sorts of abuse, including impersonation.

The fleeced people the Times talked to said that it’s tough to figure out how to report the scams, and once they do, Facebook has been sluggish in responding.

Still, if you’re targeted, report it. And please don’t laugh at people who get taken for a ride. The scams are causing serious financial and physical distress.

Facebook might well be slow to untangle the problem of imposter accounts, but it will never be able to fix what it doesn’t know about.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QJAyCp91oOk/

DNA in genealogy database leads to arrest of suspected serial killer

California police on Tuesday arrested a 72-year-old man accused of committing more than 50 rapes, 12 murders and more than 120 burglaries across the state over the 70s and 80s: old cases that they believe they’ve finally cracked with new technology, in the form of online genealogy databases.

The suspect, arrested on six counts of first-degree murder, is Sacramento resident Joseph James DeAngelo, a former police officer and retired mechanic who lives in a cul-de-sac not far from the scene of the first murder.

Anne Marie Schubert, the Sacramento district attorney, said during a press conference that investigators surveilled DeAngelo and managed to collect samples of what she called his “abandoned” DNA:

You leave your DNA in a place that is a public domain.

She didn’t elaborate on how DeAngelo left his DNA behind. It could have been saliva left on a restaurant dish or on a discarded beer can, cigarette or tissue, the Mercury News suggested.

However they got the “abandoned” DNA, investigators then compared it with samples they’d collected and stored from crime scenes over the years. Then, they plugged the suspected murderer’s genetic profile into an online genealogy database.

According to the New York Times, one such, called GEDmatch, said in a statement on Friday that it’s aware that its database was the one used to crack the case.

The case poses privacy questions. Namely, we don’t have to spit into a tube and submit it to a genealogy database to have our own DNA made public. Because we share much of our DNA with relatives, all it takes is one of them to submit their DNA, thus making much of our own genetic information available to the police without our knowledge or consent.

On average, we share 50% of our single nucleotide polymorphisms (SNPs) — that’s what forms our genetic fingerprint — with a sibling, 25% with a half sibling, 12.5% with a first cousin and 3.1% with a second cousin.

The Mercury News quoted Andrea Roth, assistant professor of law at UC Berkeley Boalt School of Law and an expert on the use of forensic science in criminal trials:

When you put your information into a database voluntarily, and law enforcement has access to it, you may be unwittingly exposing your relatives — some you know, some you don’t know — to scrutiny by law enforcement. Even though they may have done nothing wrong.

The Mercury News describes GEDmatch as a “no-frills,” open-source version of sites such as 23andMe and AncestryDNA, which extract genetic profiles from saliva that customers send in a tube by mail. GEDmatch doesn’t extract DNA samples, but it does enable users to voluntarily share their genetic profiles for free.

Anybody can access the 900,000 DNA profiles on GEDmatch’s public database, which is built up by users submitting the DNA files they get from commercial DNA testing companies such as 23andMe.

That means that investigators didn’t need a warrant to search for matches on DeAngelo’s DNA.

In fact, GEDmatch operator Curtis Rogers said in his statement that the company was unaware that investigators were using the site to search for the Golden State Killer:

We understand that the GEDmatch database was used to help identify the Golden State Killer. Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses, as set forth in the Site Policy … While the database was created for genealogical research, it is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes.

The statement said that those who are concerned about non-genealogical uses of their DNA shouldn’t upload it to the database, “and/or you should remove DNA that has already been uploaded.”

Getting a match with the database’s records helped investigators to first locate distant relatives of DeAngelo—third and fourth cousins. The DNA matches eventually led to DeAngelo himself. Steve Grippi, the assistant chief in the Sacramento district attorney’s office:

We found a person that was the right age and lived in this area — and that was Mr. DeAngelo.

Investigators say that DeAngelo’s DNA matches more than 10 of the California murders. The serial killer and rapist was known as the Golden State Killer. He was also referred to as the East Area Rapist, the Original Night Stalker, the Diamond Knot Killer and the Visalia Ransacker. The killer was known for being sadistic: he started by attacking single women and then progressed to attacking and murdering couples, repeatedly raping the women over the course of hours while their partners, tied up nearby, were forced to witness it, and bludgeoning the women and their partners to death with objects including firewood or pipes.

Investigators who’ve spent years working on the case are, understandably, “ecstatic” at the sudden breakthrough, as the Times puts it.

DeAngelo was due to appear in court on Friday.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WK3vbdROj1o/

Umm, Oracle – about that patch? It might not be very sticky …

Earlier this month, Oracle patched a critical vulnerability in its WebLogic server – but someone identifying himself as an Alibaba security researcher reckons Big Red botched the patch.

The bug in question was fixed in Oracle’s 254-strong quarterly patchfest that was headlined by Java and Spectre fixes.

Tucked way down on the patch list was CVE-2018-2628 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2628), an “easily exploitable” complete remote takeover of the WebLogic server.

Over the weekend, @pyn3rd (whose Twitter bio says simply “Security researcher at @alibaba_cloud”) tweeted that the “critical patch update of 2018.4 can be bypassed easily”, along with a proof-of-concept (PoC) GIF.

How could this be? From @pyn3rd again:

Kevin Beaumont, @GossiTheDog, elucidated further, writing that “It looks like Oracle isn’t even fixing the issues here, they’re just blacklisting commands. In this case they missed the very next command.”

The Register has asked Oracle whether it plans to address the issue. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/30/umm_oracle_about_that_patch_there_could_be_bad_news/

Thailand seizes server linked to North Korean attack gang

A server hidden in a Thai university and allegedly used as part of a North Korean hacking operation has been seized by ThaiCERT.

Thailand’s infosec organisation announced last Wednesday that the box was operated by the Norks-linked Hidden Cobra APT group, and was part of the command-and-control rig for a campaign called GhostSecret.

ThaiCERT said (you’ll probably need a translation service) GhostSecret kicked off in February this year.

Last Tuesday, McAfee reported the IP addresses it associated with GhostSecret, as part of a report on malware attacks targeting infrastructure.

The McAfee report warned that GhostSecret was part of a “global reconnaissance campaign” scanning servers in various industries to find targets for an attack.

As well as identifying C&C servers, McAfee said it discovered a new Destover malware implant variant, and another which it’s called Proxysvc that has “operated undetected since mid-2017”.

The new variant “resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack”, the McAfee research noted.

The IP addresses associated with Thai activity, McAfee said, were 203.131.222.95, 203.131.222.109, and 203.131.222.83, belonging to Thammasat University.

The last address, 203.131.222.83, “hosted the control server for the Sony Pictures implants,” McAfee said. It was also linked to an SSL certificate “used in Hidden Cobra operations since the Sony Pictures attack.”

Now the server is in its hands, ThaiCERT said it is working with authorities and with McAfee to analyse its contents and see what remediation it can offer to Thai victims of the campaign. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/30/thaicert_seizes_machine_from_university/

Windows USB-stick-of-death, router bugs resurrected, and more

Roundup Here’s your summary of infosec news – from router holes to Windows crashes – beyond what we’ve already covered this week.

TPLink? More like TPwnedLink, amiright? Anyone?

Tim Carrington at Fidus Infosec went public on Thursday with not-so-new remote-code execution flaws in TPLink router firmware. We’re told the security holes (CVE-2017-13772) were not only reported to TPLink in October 2017, but were vulnerabilities that the company had patched in older models, only for the bugs to resurface when the exploitable code was reused in newer units.

“Code reuse is a huge problem within the IoT industry,” Fidus stated in its advisory. “In most cases, what we generally see is a company who sells devices with poor security to vendors who then brand them and sell them on. Tracking the original manufacturer can be quite difficult and, in our experience, getting such vulnerabilities patched is even harder.”

The stack-overflow bugs can be exploited via the built-in HTTP web server, used to configure the device, to gain control of the router. It appears an attacker has to be able to log into the equipment to leverage the programming blunders, so make sure you’re not using the default credentials.

DiFi wants an express lane for banning software

Fresh on the heels of Uncle Sam blacklisting security company Kaspersky Lab from its computers, US Congress mulls streamlining the process of blocking particular software packages from being used on government networks and systems.

Senator Dianne Feinstein (D-CA) is putting her name on the Federal Network Protection Act, a bill that would give the Secretary of Homeland Security the ability to issue binding operational directives – strict orders, in other words – to remove software from federal networks without requiring that the vendor be notified first.

“We’re seeing more and more attacks on federal computer systems by foreign agents, and we need to make sure we have all the tools and authorities necessary to block those attacks,” Feinstein said.

“By clarifying what actions the Secretary of Homeland Security can take, we allow the department to act quickly in response to cyber threats.”

PyRoMine fires up EternalBlue flaw to forge Monero

Another day, another pack of criminals finding new and creative ways to make a buck on cryptocoins.

This time, it’s the creators of a horrible piece of malware called PyRoMine. It uses the compute power of infected Windows machines to generate Monero cryptocurrency for its controllers. What’s worse, the code spreads itself using the infamous EternalBlue and EternalRomance NSA-developed exploits. Sounds scary, but as Mounir Hahad of Juniper Threat Labs told El Reg, both flaws have long-since been patched by Microsoft. If you’re infected via these exploits, you need to take a long hard look at yourself.

“EternalRomance and EternalBlue are only made eternal by our inaction,” Hahad said.

“A patch to close the vulnerabilities that these exploits use has been available since before the WannaCry era.”

Bezop says be-ware, we got be-reached

Elsewhere in the world of internet funbux, blockchain commerce biz Bezop is on the defensive after researchers at Kromtech disclosed that the upstart had exposed to the public internet a poorly configured MongoDB database containing the names, email addresses, hashed passwords, and scans of IDs and passports for 25,000 of its ICO backers.

Bezop says it’s no big deal, as the incident actually occurred in January.

“If you remember, we reported a DDoS attack and a couple of security holes that unintentionally exposed user data such as name, wallet addresses, address on file, copies of identification documents, etc., and that they could possibly be in the public domain. That database has since been closed and secured.”

We’re sure the 25,000 people whose passport images were leaked out will find that very comforting.

Cisco smells a RAT

Cisco Talos researchers dished the dirt on GravityRAT, a software nasty targeting peeps in India. They say the malware was used to pull sensitive information from companies and organizations in the country for nearly two years before it was caught.

“GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT,” Talos writes.

“This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.”

Quick links

MikroTik router owners must patch their devices’ firmware to prevent miscreants from exploiting a flaw in a remote administration service to swipe a copy of the user database – it is already being leveraged in the wild by scumbags to commandeer affected hardware. Also, don’t forget to secure access to your HPE iLO management interfaces for your servers: hackers are exploiting poorly defended networks to hold systems to ransom.

Bitdefender bloke Marius Tivadar has developed a dodgy NTFS file system image that crashes at least Windows 7 and 10 systems: popping it on a USB stick and then plugging that into a vulnerable computer will cause it to fall over with a blue-screen-of-death when a mount attempt is made. Microsoft will not issue a patch for the programming blunder, we’re told.

Medical transcription biz MEDantex leaked patient records for thousands of physicians online, according to investigative reporter Brian Krebs. Revenge porn web exchange Anon-IB was seized by Dutch police, who also collared five suspects related to the image-sharing site.

If you go traveling with your Mac, or leave it unattended around strangers, try out Objective-See’s new Do Not Disturb app that thwarts evil-maid-style attempts to tamper with your computer or infect it with spyware.

Finally, Check Point warned that your Windows login details can be nicked by opening malicious PDFs that use remote document loading mechanisms to leak your credentials. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/28/security_roundup/

Ozzie Ozzie Ozzie, oi oi oi! Tech zillionaire Ray’s backdoor crypto for the Feds is Clipper chip v2

Analysis Those who cannot remember the past are condemned to repeat it, particularly if forgetfulness promises profit.

Ray Ozzie, former CTO of Microsoft and the designer of Lotus Notes, is old enough to recall the battle over the Clipper chip, an ill-fated NSA-backed effort from 1993 through 1996 to require a US-government-accessible backdoor in telecom devices.

Nonetheless, he has revisited that debate with a key escrow (a.k.a. key surrender) proposal – and a related patent – in which the authorities would hold the encryption keys necessary to access everyone else’s encrypted mobile device data.

Despite the Clipper chip’s inglorious end – it was sunk by technical flaws and political pushback – the idea never died. Authorities still want their private backdoor, despite longstanding technical impediments.

In recent years, demand for this magical portal has grown as cryptography improvements – prompted by the 2013 Edward Snowden-driven data dump about the scope of NSA spying – have made their way into commercial products and services.

The most widely publicized consequence of the tech industry’s rush to encrypt everything was the FBI’s brief inability to access a locked iPhone used by Syed Rizwan Farook during a 2015 mass shooting that killed 14 people. The US Justice Department demanded Apple’s help unlocking the encrypted device, only to later back off because it was apparently able to gain access with the help of Cellebrite, an Israeli mobile forensics firm.

It turns out the answer to encryption is that imperfect people make imperfect technical systems and those flaws, sooner or later, can be exploited.

In law enforcement circles, later isn’t always acceptable and therein lies the problem. FBI director Christopher Wray said earlier this year that in 2017 the FBI was unable to access almost 7,800 locked and encrypted devices despite having the legal authority to do so. He called this “an urgent public safety issue for all of us.”

Wray’s predecessor, James Comey, said as much, though there are reports suggesting that the risks posed by encryption are exaggerated.

Ray of hope

Evidently seduced by the siren song of law enforcement officials lamenting the challenges of cracking today’s phones, Ozzie has proposed a scheme to reconcile two seemingly incompatible goals: creating a secure data storage mechanism that can be insecure on demand.

His system sounds a lot like the Clipper chip, because it is: “…Ozzie’s proposal is a straightforward example of key escrow – a proposal that people have been making in various guises for many years,” said Matthew Green, a computer science professor and cryptographer at Johns Hopkins University in the US, in a blog post published Thursday.

It also calls for a security chip that effectively bricks the device when activated by law enforcement, to prevent evidence tampering.

Green and a handful of other prominent security experts and cryptographers have weighed in on Ozzie’s proposal and found it wanting, though with obvious deference to Ozzie’s long history of technical accomplishment.

Green’s assessment is that Ozzie’s scheme won’t work. He notes that Apple has tried to design the sort of secure processor that Ozzie’s proposal would require and hasn’t managed to do so after five years and considerable resources.

Or as Green put it on Twitter: “When you’re proposing a system that will affect the security of a billion Apple devices, and your proposal says ‘assume a lock nobody can break,’ you’d better have some plan for building such a lock.”

Keys left under the doormat

Green was among the many prominent computer scientists who coauthored a 2015 report on the subject, “Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications.”

That report concluded that law enforcement demands for exceptional access will make systems more insecure, imperil innovation, and pose problems for human rights.

Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society, made similar arguments.

Columbia University computer science professor Steve Bellovin also took issue with Ozzie’s plan. He points out that flaws have already been identified and that the need for international coordination of key access makes the scheme implausible.

Robert Graham, CEO of Errata Security, said Ozzie’s proposal doesn’t bring anything new to the discussion. “He’s only solving the part we already know how to solve,” he explained in a blog post. “He’s deliberately ignoring the stuff we don’t know how to solve. We know how to make backdoors, we just don’t know how to secure them.”

In his own Twitter feed, Ozzie (estimated net worth: $650m) engaged in the debate, and in one instance touched on what’s arguably the most important aspect of the controversy: “Is the phone just a locked file cabinet, or is it a core extension of our minds?”

From a legal standpoint, the distinction is important: authorities can demand access to one, but not the other (yet). The Feds can demand what’s in a cabinet, but your thoughts in your brain are off limits.

Given what phone data says about our thoughts, our intentions and our activities, it’s just not the same as ideas deliberately put to paper. It’s a surveillance selfie of the mind.

And if we’re obligated to produce that information on demand, we might as well just get rid of the Fifth Amendment protection against self-incrimination. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/27/ray_ozzie_encryption_backdoor/

More Than 1M Children Victims of Identity Fraud in 2017

Total fraud against kids amounted to $2.6 billion and more than $540 million in out-of-pocket costs to families, a new report finds.

Data breaches are bad news for all victims but especially harmful to children. More than one million children were victims of identity fraud last year, costing $2.6 billion in total and $540 million in out-of-pocket costs to families.

The 2018 Child Identity Fraud Study, conducted by Javelin Strategy & Research and sponsored by Identity Guard, found 11% of households had at least one minor’s data compromised in a breach last year. Nearly 40% of minors who found out their data was breached became victims of fraud. In comparison, only 19% of adults who were notified of a breach went on to become fraud victims.

High-profile breaches typically garner more attention; as a result, many people overlook the effects of identity fraud on minors. Children have limited financial histories, which presents a larger opportunity for fraudsters to leverage their information and build account networks. This “blank slate” lets perpetrators slowly grow accounts over time before tapping them.

Because children have no credit history, fraudsters usually fly under the radar as they build their schemes. They combine data from multiple victims to create identities. Social security numbers are particularly useful here because minors haven’t yet established financial histories; as a result, their SSNs don’t raise red flags when they’re used in identity fraud.

That said, the lack of history also makes things harder for perpetrators, who will have a tougher time getting high-value personal loans or credit cards using a minor’s identity.

Sixty percent of child identity fraud victims personally know the fraudster using their data; the same can be said for only seven percent of adult fraud victims. Identity fraud against minors is hard to prevent because many perpetrators have legitimate access to the children’s information. Two-thirds of child fraud victims are under the age of eight, 20% were between the ages of 8 and 12, and 14% were aged between 13 and 17.

Cyberbullied

Researchers also noticed a strong relationship between cyberbullying and fraud. Minors who were bullied online (6.67%) were more than nine times more likely to be fraud victims than those who were not bullied (0.72%). The average fraud amount among bullying victims was $4,075, more than four times the average total among non-bullied targets.

“In many cases, fraud and bullying are not perpetrated by the same individual but arise from the same underlying vulnerabilities,” says Al Pascual, senior vice president of research and head of Fraud Security at Javelin. “Children who are unprepared to protect themselves from online risks are likely to encounter individuals who wish to target them emotionally or financially.”

Most kids targeted with identity fraud are hit with new-account fraud, which affected 0.96% of minors in 2017, because they don’t have existing financial accounts. Adults, in contrast, usually experience existing-card fraud (ECF) because they’re targeted for the value of their accounts.

Fraudsters do more than misuse children’s identities to open new accounts and drain existing ones. Between 410,000 and 560,000 kids were affected by false tax claims in 2017, and attackers also use their data to gain unlawful employment or avoid punishment for crimes.

Ultimately, targeting minors leads to a bigger payout for perpetrators, who stole $2,303 when misusing the identities of children — more than twice the mean fraud total for adult victims. It’s also easier for adults to avoid liability for fraud, as they only have to pay an average of $104 per incident. The families of child identity fraud victims pay an average of $541 out of pocket.

Teaching kids to be cautious online lowers the likelihood of fraud. Only 0.69% of children of “highly cautious” guardians were affected by identity fraud in the past year, compared with 3.64% of dependents of less cautious guardians. More caution led to lower prevalence of fraud, and when fraud happened, it was for a lower amount and more easily contained.

You can monitor for new-account fraud by checking children’s credit histories. Setting a credit freeze is among the most effective ways to prevent new accounts from opening in a child’s or adult’s name. Many states let parents or guardians freeze a child’s credit.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/more-than-1m-children-victims-of-identity-fraud-in-2017/d/d-id/1331674?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Getting an Amazon Echo app to silently eavesdrop on you

In news that will surely be a surprise to nobody, apps that run on Amazon’s home assistant, Echo, can be turned into silent eavesdroppers: no fancy hacking required, no new Echo vulnerability pried open.

Or at least they could, until Amazon fixed it.

Researchers at information security firm Checkmarx demonstrated what we probably all suspected was possible but hoped wasn’t by tweaking options in Alexa’s software development kit (SDK) – the kit that’s used to develop software, known as skills, for the Echo.

The voice-activated skills are the equivalent of the apps on your phone: discrete bits of software that add capabilities to the device. There are skills for finding open restaurants near you, getting Starbucks started on your coffee order, checking your bank balance, hearing the latest news and turning on the Christmas lights.

And on somebody’s desk at Checkmarx, there’s one for eavesdropping on you. It silently captures transcripts of what you’re saying and sends them to an external log accessible to the researchers who rigged the trap.

The malicious skill is dressed up as a calculator and it’ll happily multiply seven times two, or answer any other basic math questions you throw at it.

In other words, this isn’t a hack of the device itself but a trick that shows what would have been possible if an attacker had succeeded in getting users to install a malicious application, something they’ve been fooling users into doing unwittingly on computers and phones for years.

Just like everything else on the Echo, the calculator is voice activated and it needs to listen to what you tell it in order to understand what you want. Unlike regular skills though, this one is specially designed to carry on listening long after it’s finished helping your kids with their homework.

Anything you say during the app’s very lengthy exit is transcribed.

There is one clue to the Echo’s continued interest in what you’re saying – its blue ring remains illuminated. Obviously that would only help you if your Echo was visible, you were looking right at it and you knew what this particular use of the device’s light was trying to tell you.

The researchers demonstrated their surreptitious recording device in a YouTube video.

Details of how they did it can be found in a two-page report that’s accessible in return for a bit of data entry.

If you’ve read about the risks of Amazon Alexa and Google Home, your reaction to the news that a voice-activated, internet-connected personal assistant was easily turned into an in-home spy may well be “no surprise there then.”

These devices, after all, are made to listen.

They’re only supposed to engage with us, and start performing their cloud-based speech recognition, when we use specific trigger words like “Google” or “Alexa” but obviously their microphones have to be on all the time in order to do that.

That’s something that’s of interest to both hackers and police, who may come bearing a search warrant if they think that Alexa may have been triggered at a crime scene, such as the one in which a man was strangled in a hot tub. (A request that Amazon resisted. At any rate, the issue was made moot after the murder suspect agreed to turn over the Echo recordings.)

Search warrants aside, do we now have to worry about seemingly innocuous little requests – “Alexa, start calculator” – potentially adding up to waaaaaay more than “seven times two”?

Amazon told Wired that it’s tightening up checks on its skills store in response to the research:

“We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9Vc0kyTDF-g/

“SamSam” ransomware – a mean old dog with a nasty new trick

One cybersecurity catchphrase you’ll hear these days is that “X is the new ransomware”.

That’s because the ransomware scene is no longer clearly dominated by long-running, well-known “brand names” (so to speak) such as CryptoLocker, TeslaCrypt or Locky.

In other words, many people are convinced that ransomware has had its day, is dying out, and new threats are taking over.

A popular value for the variable X in the equation above is cryptojacking, where crooks sneakily insinuate cryptocurrency mining software onto your computer or into your browser.

Rather than snatching away your files, like ransomware does, cryptojackers steal your processing power and your electricity instead.

This means that the crooks earn a tiny bit of money from every victim for as long as they’re infected, rather than taking the all-or-nothing approach of ransomware, where victims face a stark choice: pay and win, or refuse and lose.

The thing is, neither cryptojacking, nor indeed any other cyberthreat, is the “new ransomware”.

If you must know, RANSOMWARE is the new ransomware.

As often happens in the world of cybercrime, old threats stay with us for ages, and new threats simply add themselves to the mix rather than taking over. (Do you seriously think that we’ll ever see the end of spam, for example?)

This year, we’ve seen a carefully orchestrated ransomware campaign known as SamSam, where the crooks have settled on a new mode of operation.

Instead of blasting one copy of the malware out to thousands of potential victims over a day or two, the crooks blast thousands of copies of the malware onto computers inside a single organisation, pretty much all at once…

…and then, almost casually, offer a “volume discount” to fix the entire company in one fell swoop.

SophosLabs just published an intriguing technical paper about the SamSam menace, and in the sample discussed in the paper, the malware includes a BAT file that lets the crooks set their price point for each attack:

    @echo off
    SET runner=mswinupdate.exe
    SET password=%1
    SET path=xxxxxxxxxx
    SET totalprice=5
    SET priceperhost=0.8

The prices above are denominated in BTC (Bitcoin), and they seem to be adjusted each time so that the all-you-can-eat discount price works out at about $45,000.

At BTC0.80 per PC, but “just” BTC5.00 to decrypt your whole company, it’s almost as though the criminals are doing you a favour!

We don’t know why the price is $45,000. For all we know, that number was picked because it’s below certain reporting thresholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory. All we can say is that $45,000 is a lot of money.
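As an added illustration for incident responders (this is not code from the SophosLabs paper or from the malware), here is a small Python triage helper that pulls the pricing knobs out of a deployment batch file like the one quoted above and works out the host count at which the “volume discount” starts to beat per-host payment. The sample script text is constructed from the quoted SET lines, and the “looks like SamSam” check is a heuristic assumed for this example only.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample modelled on the SET lines quoted above; the path is the article's placeholder.
SAMPLE_BAT = """@echo off
SET runner=mswinupdate.exe
SET password=%1
SET path=xxxxxxxxxx
SET totalprice=5
SET priceperhost=0.8
"""

# Matches `SET name=value` and `SET "name=value"` (not the SET /A or SET /P forms).
_SET_RE = re.compile(r'^\s*set\s+("?)([^=\s]+)=(.*?)\1\s*$', re.IGNORECASE)

def parse_bat_sets(text: str) -> Dict[str, str]:
    """Collect `SET` assignments; keys are lower-cased (cmd.exe names are case-insensitive)."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SET_RE.match(line)
        if m:
            env[m.group(2).lower()] = m.group(3).strip()
    return env

@dataclass
class RansomPricing:
    per_host_btc: float  # priceperhost
    total_btc: float     # totalprice, the "whole company" price

    def break_even_hosts(self) -> float:
        # Above this many infected hosts the bulk price is the cheaper option.
        return self.total_btc / self.per_host_btc

    def cheapest_btc(self, hosts: int) -> float:
        return min(hosts * self.per_host_btc, self.total_btc)

def extract_pricing(env: Dict[str, str]) -> Optional[RansomPricing]:
    try:
        return RansomPricing(float(env["priceperhost"]), float(env["totalprice"]))
    except (KeyError, ValueError):
        return None

def looks_like_samsam_runner(env: Dict[str, str]) -> bool:
    """Triage heuristic (an assumption of this example, not a SophosLabs rule):
    pricing knobs plus a runner binary and a password passed as argument %1."""
    return (extract_pricing(env) is not None
            and "runner" in env
            and env.get("password", "").startswith("%"))
```

For the quoted figures the break-even point is 6.25 hosts, so any victim with seven or more infected machines is steered towards the BTC5.00 bulk price.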

Learn more about this new trend in ransomware by reading the paper now. (No registration required.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/r5mVMuPqxaM/