STE WILLIAMS

Eight months after Equifax megahack, some Brits are only just being notified

Some of the 15 million Britons affected by the Equifax mega-hack are only now receiving letters notifying them that they were affected by the breach, eight months after the event.

As we reported in September 2017, Equifax confessed to having been hacked, upping the number of affected people in the following weeks to a 145 million total (last month, it upped it again by another 2.4 million) as it got to grips with the scale of the breach.

It later involuntarily retired its chief exec, who graciously blamed the entire thing on a single IT staffer who hadn’t installed an Apache Struts patch issued in the weeks before the hack.

Although Equifax began writing to affected Britons in October, it appears the company is still in the process of posting letters to hack victims warning them to be on their guard.

An Equifax breach notification letter received by a Reg reader in Essex.

“I’m just fucked off it’s taken this long to tell me!” spluttered Reg reader John, who received the letter above earlier this week. Others in the UK have also been receiving similar letters, as a cursory glance at one particularly well-known microblogging website shows:

In February Equifax also quietly coughed to American government agencies that the hacked data included US citizens’ taxpayer ID numbers, phone numbers, email addresses and credit card expiry dates. Despite public sector outrage at this in the US, a proposed investigation was quietly dropped, with nobody involved admitting why.


The British government’s pet Peeping Tom agency, GCHQ, issued a statement through its public-facing National Cybersecurity Centre offshoot warning Brits not to re-use passwords that were previously used on Equifax services, as well as other security-sensitive data such as answers to password reset questions. Other obvious attack vectors include phishing attempts such as emails luring the unwary into clicking on links to attack websites designed to steal login information.

We have contacted Equifax for comment and its PR agency has promised to send us a timeline of the credit reference agency’s efforts to contact hack victims. We will update this article if it responds. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/19/slow_equifax_breach_notification_letters_uk/

Researchers Discover Second rTorrent Vulnerability Campaign


This time the attackers appear to have spoofed the Recording Industry Association of America (RIAA) and New York University (NYU) user-agents.

F5 threat researchers have discovered a second campaign targeting an earlier rTorrent configuration error, this time disguising the threat actors’ activity behind user-agents that appear to belong to the Recording Industry Association of America (RIAA) and New York University (NYU).

  • The campaign (running in January) appears to have spoofed RIAA and NYU user-agents.
  • F5 researchers do not believe either of these user-agents is legitimately from RIAA or NYU, because of the origin of the returning IP addresses and the other attacks seen from those addresses.
  • The sending server for the RIAA user-agent is a proxy server in the Netherlands set up with the hosting company Hostkey B.V. Activity from the same IP address includes scans of ports commonly used by Torrent software, and scans for Intel AMT ports.
  • The sending servers for the NYU user-agent resolve to various hosting companies around the world from which malicious activity has been seen previously, including SSH brute force scans.

Why the RIAA?

The RIAA helps members protect copyrighted works from piracy. It’s also widely known that BitTorrent is a file sharing protocol that is primarily used to illegally share software, movies, music, and other protected works—the very same materials RIAA exists to protect. In 2001, the RIAA tried to fight piracy of copyrighted works by filing lawsuits against offenders. It even drafted an amendment to proposed legislation (the USA Act of 2001) that would have allowed the RIAA to hack distributors’ computers to delete stolen content from their file systems and indemnified them from any responsibility for damage caused to distributors’ computers.

We reference this historical proposed legislation (which, by the way, was never signed into law) because the RIAA user-agent “RIAALABS” appears in the configuration snapshot of the January campaign, shown in Figure 1.


Figure 1: RIAA Labs user agent

The HTTP POST request targets rTorrent’s XML-RPC interface and tries to invoke a “system.client_version” method on the frequently used path “/RPC2”. Upon successful execution of this method, it returns the rTorrent version number as shown in Figure 2.

Figure 2: Campaign collects torrent client version
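As an added example (not F5’s code), the following Python flags the probe described above in raw HTTP requests: a POST to /RPC2 whose XML-RPC body calls system.client_version, with the RIAALABS user-agent and the campaign source addresses from this write-up as secondary indicators. The sample requests are constructed; the NYU user-agent string is not given in the write-up, so only the RIAA marker is matched.

```python
"""Flag rTorrent XML-RPC reconnaissance in raw HTTP requests (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Indicators taken from the F5 write-up above.
CAMPAIGN_IPS = {"5.39.223.136", "185.130.104.198", "62.210.152.47", "203.24.188.242"}
SPOOFED_UA_MARKERS = ("RIAALABS",)  # the NYU user-agent string is not given in the write-up
RPC_PATHS = {"/RPC2"}
RECON_METHODS = {"system.client_version"}


@dataclass
class Finding:
    src_ip: str
    path: str
    method: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_http_request(raw: str) -> Optional[Tuple[str, str, Dict[str, str], str]]:
    """Split a raw request into (verb, path, headers, body); None if malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def xmlrpc_method_name(body: str) -> Optional[str]:
    """Return the <methodName> of an XML-RPC methodCall body, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    node = root.find("methodName")
    return node.text.strip() if node is not None and node.text else None


def inspect_request(src_ip: str, raw: str) -> Optional[Finding]:
    """Return a Finding when the request matches the campaign's pattern."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    verb, path, headers, body = parsed
    method = xmlrpc_method_name(body) if verb == "POST" else None
    reasons: List[str] = []
    if path in RPC_PATHS and method in RECON_METHODS:
        reasons.append(f"xml-rpc recon: {method} on {path}")
    ua = headers.get("user-agent", "")
    if any(marker in ua for marker in SPOOFED_UA_MARKERS):
        reasons.append(f"spoofed user-agent: {ua}")
    if src_ip in CAMPAIGN_IPS:
        reasons.append("source address on campaign list")
    return Finding(src_ip, path, method, reasons) if reasons else None


# Constructed sample traffic: one probe matching the campaign, one benign request.
SAMPLE_REQUESTS = [
    ("5.39.223.136",
     "POST /RPC2 HTTP/1.1\r\nHost: seedbox.example\r\nUser-Agent: RIAALABS\r\n"
     "Content-Type: text/xml\r\n\r\n"
     "<?xml version=\"1.0\"?><methodCall><methodName>system.client_version"
     "</methodName><params/></methodCall>"),
    ("192.0.2.10",
     "GET /index.html HTTP/1.1\r\nHost: seedbox.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]


def scan(requests=SAMPLE_REQUESTS) -> List[Finding]:
    """Run inspect_request over (src_ip, raw_request) pairs and keep the hits."""
    return [f for f in (inspect_request(ip, raw) for ip, raw in requests) if f]


if __name__ == "__main__":
    for finding in scan():
        print(finding.src_ip, finding.path, finding.method, "; ".join(finding.reasons))
```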

New York University?

The NYU campaign was spotted just one day after the RIAA campaign. As with the RIAA campaign, we cannot be sure who is behind this campaign. NYU started a Torrent tracking project in 2015, so this spoofed user-agent could be trying to disguise itself as that project. Again, this campaign tries to query the XML-RPC interface to get the Torrent client version.

Origins of these Campaigns

There is no obvious connection between the source of these two campaigns except the timeframe. The RIAA campaign originates from a single IP address: 5.39.223.136. The NYU campaign uses three different IP addresses: 185.130.104.198, 62.210.152.47, and 203.24.188.242. All of the IP addresses are owned by hosting companies.

RIAA Campaign

F5 and our data partner Loryka checked our systems to see if the originating IP address (5.39.223.136) for the RIAA campaign had shown up as malicious over the past five years. The first time we saw it engaging in malicious activity was June 1, 2017. Other scanning activity from this IP address includes destination port 16992, likely looking for Intel AMT-vulnerable systems, and various TCP ports commonly used by torrent software (see torrent invite site). Because of this additional malicious traffic, we do not believe this is the actual RIAA, but rather a spoofed user-agent.

NYU Campaign

All of the originating IP addresses for the NYU campaign (185.130.104.198, 62.210.152.47, and 203.24.188.242) are also launching SSH brute force attacks. Because of these additional attacks, we assume these are threat actors spoofing an NYU user agent.

For now, it’s unclear what happens once a vulnerable host is found. The misconfiguration vulnerability enables attackers to invoke methods on a victim’s machine that can provide a great deal of information about the shared materials on the host (useful if, for example, the goal was to delete stolen, copyrighted material), or to execute their own code and use the system to mine crypto-currency, as we found in the February Monero campaign. Since rTorrent is the de facto standard for threat actors attacking seedboxes, which could be great crypto-miners, we are not surprised to see attacks leveraging this rTorrent misconfiguration vulnerability to compromise hosts.

Since the IP address related to the RIAA user-agent has been engaging in other malicious activity, it’s highly unlikely this is the work of the RIAA. Rather, a threat actor is pretending to be the RIAA as a deceptive tactic, or perhaps just for their own amusement. Because this campaign was seen at least a month before the Monero crypto-mining campaign, it could have been the inspiration for cybercriminals.

Of course, it’s never okay to steal and share copyrighted works, but if you are using rTorrent for legitimate purposes, please see the misconfiguration remediation actions in our previous post. 


F5 makes apps go faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.

Article source: https://www.darkreading.com/partner-perspectives/f5/researchers-discover-second-rtorrent-vulnerability-campaign-/a/d-id/1331551?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to Protect Industrial Control Systems from State-Sponsored Hackers

US-CERT recently issued an alert about Russian threat activity against infrastructure sectors. Is there a way to fight back?

On March 15, a significant alert was issued by the US-CERT regarding Russian state-sponsored threat activity against critical infrastructure sectors, including energy, aviation, and critical manufacturing. The attacks were not random; these were deliberate, multistage, focused attacks designed to gain a foothold within high-impact assets that can be used for any number of nefarious actions. 

A new approach to protecting industrial control systems (ICSs) is necessary. The only clear path is to start relying on network data analytics, which is far less vulnerable than other security tools to tampering and erasure by attackers and does not require challenging updates or software installation on legacy systems.

ICSs have always presented notoriously difficult security challenges because their microcode is often embedded within proprietary hardware or aging computer platforms that are difficult or impossible to monitor and secure. The attackers in this case used sophisticated tactics, techniques, and procedures (TTPs) to compromise sensitive systems, and to erase the evidence of their behaviors on the compromised systems.

To understand the inadequacy, or at least incompleteness, of current security mechanisms in ICS systems, note the “cleanup and cover tasks” section of the CERT alert:

In multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced.

This classic behavior by the threat actors highlights the inherent weaknesses of relying on self-reported data such as logs that can be disabled or altered on compromised assets.

The Critical Role of Network Data
An entire industry has sprung up to try to address this problem, involving network segmentation and secure overlay networks that require no instrumentation on the ICS assets themselves. But these do not address the general lack of visibility into existing systems or the difficulty of maintaining a real-time view of what’s happening in these difficult-to-monitor deployments.

The CERT alert made it clear that the vast majority of logs or on-system records of what happened were methodically deleted by the threat actors. What remained as evidence was a set of network-behavior based clues that could not be deleted. Monitoring the actual traffic in flight on the network is the only way to get a conclusive audit of any connected devices, services that are running, dependencies, and threat behaviors in progress.

There are many mechanisms by which network behavior can be used to detect and investigate ICS breaches.

● Any login event by an unusual client to a system containing ICS data can be seen on the network and should raise an alarm. If a new user or client logs in, it’s worth investigating. The CERT alert described a privilege-escalation scenario in which the attacker attempted to create a new administrator account, using the Remote Desktop Protocol (RDP). New account creation, especially an administrative account on a sensitive system, is always worth extra scrutiny, and a network analytics platform that can decode RDP could provide real-time warning of this type of event.

● Any traffic from an ICS system to an unusual external IP space can be detected on the network and is worthy of immediate investigation. In this CERT alert, the attacker gained access to screenshots and schematics of flow diagrams detailing ICS output data and how the ICS system was configured. This sensitive data had to be exfiltrated off the network of origin and moved to a system controlled by the attacker. That exfiltration happened across the network and would be extremely noticeable to a network-data based anomaly-detection system.

● If an unusual client attempts to access a database containing ICS data, that may not be a sign of malicious intent per se. However, that client’s immediate behavior can indicate whether they’re malicious. For example, if that client transmits a SELECT command to the database, requesting sensitive data, that would be cause for alarm. Even more alarming would be a DROP command against the audit table of that database, removing the log of recent access from the database. The content of these queries would still be visible on the network to the right analytics platform but would be invisible to anything relying on logs from the database or associated devices.

● Similarly, visibility into Layer 7 transactions on the network can differentiate between “unusual, but acceptable” and “malicious” access to file storage systems. By reading the contents of queries in the CIFS/SMB protocol, a network data analysis service could help a security staff know quickly whether a given file-access event was worth investigating.

The list above is just a sampling of threat behaviors that are visible on the network. All of the hallmark behaviors of a malicious attack leave tracks on the network that the attacker cannot erase, including malicious payload delivery, command and control traffic, lateral movement, and data exfiltration.

Ultimately, it is critical to have a way to monitor and parse this traffic at the Layer 7 transaction level for network protocols used in ICS systems, including Modbus TCP/IP, DNS, CIFS, and more. Log-based analytics, while valuable, have crucial blind spots that only network analytics can shed light on.
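As an added example (not the article’s or ExtraHop’s code), this Python decodes the Modbus/TCP MBAP header and function code the way a Layer-7 network monitor would, and flags write operations from hosts outside a constructed allow-list of engineering workstations; the function-code meanings come from the Modbus specification, not from this article.

```python
"""Decode Modbus/TCP frames and flag writes from unexpected clients (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Public function codes from the Modbus specification (not from the article).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Constructed: the only hosts permitted to write to the PLCs.
AUTHORIZED_WRITERS = {"10.10.1.20"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # starting register/coil address, -1 if not present
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse MBAP header (tid, protocol, length, unit) + PDU; None if not Modbus."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0; length counts unit id + PDU bytes.
    if proto != 0 or length != len(frame) - 6:
        return None
    func = frame[7]
    data = frame[8:]
    if func & 0x80:  # exception response: no address field follows
        return ModbusRequest(tid, unit, func, -1, data)
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else -1
    return ModbusRequest(tid, unit, func, address, data[2:])


def assess(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert string for a frame worth investigating, else None."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return f"{src_ip}: malformed or non-Modbus payload on Modbus port"
    name = FUNCTION_NAMES.get(req.function, f"function 0x{req.function:02x}")
    if req.function in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        return f"{src_ip}: unauthorized {name} to unit {req.unit_id} addr {req.address}"
    if req.function not in FUNCTION_NAMES:
        return f"{src_ip}: unusual {name} to unit {req.unit_id}"
    return None


def build_frame(tid: int, unit: int, func: int, address: int, value: int) -> bytes:
    """Constructed helper: build a single-address request frame for sample traffic."""
    pdu = struct.pack(">BHH", func, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    # Constructed sample: a read from an HMI, then a write from an unexpected host.
    for ip, frame in [("10.10.1.30", build_frame(1, 1, 3, 0, 10)),
                      ("192.168.5.77", build_frame(2, 1, 6, 40, 1234))]:
        print(ip, assess(ip, frame))
```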

This US-CERT alert describes a serious, ongoing threat to our national security. Compromises of our energy grid, manufacturing, air traffic control, and even roadway traffic control can be used to affect our way of life and make us vulnerable. Above all else, these attacks must serve as a wake-up call that the current security status quo isn’t working. Traditional methods can’t keep up with today’s threats. It’s time to rethink how we secure our most critical systems and assets.


Matt Cauthorn is VP of Security for ExtraHop, where he is responsible for all security implementations and leads a team of technical security engineers who work directly with customers and prospects. A passionate technologist and evangelist, Matt is often on-site with …

Article source: https://www.darkreading.com/attacks-breaches/how-to-protect-industrial-control-systems-from-state-sponsored-hackers/a/d-id/1331529?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

First Public Demo of Data Breach via IoT Hack Comes to RSAC

At RSA Conference, Senrio researchers will show how relatively unskilled attackers can steal personally identifiable information without coming into contact with endpoint security tools.

RSA CONFERENCE 2018 – San Francisco – Many security professionals acknowledge that Internet of Things (IoT) devices have the potential to be an avenue into their enterprise networks — but for most, breach-by-refrigerator or DDoS-by-coffeepot is a theoretical flight of fancy and not a genuine threat. That might change Thursday, when researchers will present here the first public demonstration of an IoT hack resulting in a breach of personally identifiable information.  

The vice president of research, M. Carlton, and chief technology officer, Stephen Ridley, of IoT security company Senrio will present “Lateral Attacks between Connected Devices in Action” on the RSA Sandbox’s IoT stage Thursday. 

“‘Chained attacks on IoT security’ — it’s only been uttered as this platitude,” says Ridley, “but have you actually seen a camera get popped” and used to compromise other systems?

“We all know IoT is vulnerable,” says Carlton. “We don’t all know what the impact of one vulnerable IoT device in an enterprise can be. … It is a profound impact.”

This particular attack can also be a danger to organizations with good security measures in place. In the demo, the IoT device need not be directly connected to the target network device. It doesn’t require sophisticated hacking skills — Metasploit tools or the Linux command line will suffice. 

And the attacker never interacts with the endpoint, where most enterprises invest most of their security protections. As the Senrio team puts it, by staying away from the endpoint, the attacker doesn’t need to come up against Carbon Black or CrowdStrike.

“This could be done on a company that has spent millions on security,” says Ridley. “If I was a bad guy, I’d be doing nothing but IoT. Straight up.” 

The attack begins with an exploit of a surveillance camera via the Devil’s Ivy vulnerability — a remote code execution vulnerability in an open source gSOAP library that was discovered by the Senrio team last summer. A patch for the vulnerability already exists but was not applied to this camera model — and that’s not unusual. 

“In the IoT world, most patches do not get applied,” says Ridley. That’s due in part to the complexity of the IoT supply chain and the fact that most organizations do not know what IoT devices are connected to their network in the first place.

Once the camera is compromised, the attackers then have a bird’s-eye view of an employee at his workstation and the items on his desk — which include a router and a network access server (NAS). The attackers can then watch the user’s keystrokes when logging in to the NAS.

The attackers then send a request to the router to obtain its exact model number (so it can retrieve the proper exploit for it), which the router obligingly sends. 

The exploited router sends the attackers encrypted text containing the end user’s concatenated username and password. Then, using Rainbow Tables, the attackers can reverse the hash function and determine the administrator credentials for the router. (In this case, username: admin and password: admin.) 

With those credentials in hand, the attackers have full access to the router, which allows them to, among other things, change network settings — which thereby lets them open a secure SSH communication to the NAS and enjoy privileged access to all of the files it contains. 

Owning the NAS, the attackers can thus access all manner of sensitive data, from financial records to personally identifiable information. They copy it and exfiltrate it back through the router, through the video camera, and back home to the attackers.  

How can enterprises defend against attacks like these? Carlton takes a deep breath. 

“First, find what [IoT] devices are on your network,” she says. “Then we’ll talk.”    


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/vulnerabilities---threats/first-public-demo-of-data-breach-via-iot-hack-comes-to-rsac/d/d-id/1331588?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Silence! Chrome hushes noisy autoplaying videos

On Tuesday, Google launched Chrome 66 for Windows, Mac, Linux, Android and iOS.

With the new browser comes blissful quiet: Google is muting all autoplay content by default, thus giving people the option to turn off one of today’s most annoying aspects of going online. The update also includes a passwords export feature, security improvements and new developer features.

You can update to the latest Chrome version now via the browser’s built-in updater, or download it from google.com/chrome.

Google originally planned for autoplay mute to arrive in Chrome 64, which introduced autoplay settings on a per-site basis, but it didn’t happen for reasons Google didn’t specify.

Now, however, all users are getting the feature, be they on mobile or desktop. In September, Google said the move is meant to address one of the most frequent user concerns – unexpected media playback, “which can use data, consume power, and make unwanted noise while browsing.”

The new autoplay blocking feature adds to Google’s existing ban on video, pop-up and intrusive advertisements, which it began to block on 15 February from within its browser on both desktop and mobile. As we noted at the time, that ad filter wasn’t an adblocker, and Google didn’t describe it as one. Rather, it was meant as a way to keep people from wanting to install an adblocker in the first place, by keeping these kinds of annoying ads out of people’s faces:

Of course, users who like autoplay noise can still get it, Google says:

Autoplay will be allowed when either the media won’t play sound, or the user has indicated an interest in the media. This will allow autoplay to occur when users want media to play, and respect users’ wishes when they don’t.

From now on, web-hosted media can only play automatically if it doesn’t have audio, if a user interacted with the page during a previous browsing session, or if the user frequently plays media on the site. Similarly, on the mobile versions, media can only autoplay if a user added a site to the Home Screen.

This release also marks a further turn of the screw on old certificates issued by Symantec-owned brands, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL. If your site is using an SSL/TLS certificate from Symantec that was issued before 1 June, 2016, it won’t work in Chrome 66. All other Symantec SSL/TLS certificates will stop working starting in Chrome 70, which is expected in October.

Apple beat Google to the punch on the autoplay blocking front: last year, it added autoplay-video-blocking to the new Safari browser for its High Sierra desktop operating system.

Thanks for catching up, Google. We know that there’s a pot of advertising gold behind the move to make content less annoying, but still, speaking from this side of the screen, it’s the silence that’s golden.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vSGOqr__KDM/

Cutting custody snaps too costly for cash-strapped cops – UK.gov

The UK government has admitted it can only delete custody images from its massive database through a complex manual process, and that it would cost too much to weed out all the images of innocent people by hand.

The custody image database now holds around 21 million shots of faces and identifying features like scars or tattoos, some of which are of people who have not been charged with a crime.

Unlike the government’s DNA and fingerprint databases, where data on unconvicted people is automatically deleted, custody images are only deleted if a person requests it.

This mass data slurp has come under fire from privacy groups, MPs and peers, who believe it runs counter to a 2012 High Court ruling that said keeping images of presumed innocent people on file was unlawful.

The Home Office’s line has been that it is not “technically possible” to automate the process – and a letter to the House of Commons’ Science and Technology Committee by minister Susan Williams, published today, reveals just how clunky the storage and deletion processes are.

Custody images are first stored on the policing system of the arresting force (of which there are 43 in England and Wales) and copied from these to the Police National Database (PND).

These records are structured around a person’s contacts with the police, rather than conviction status and so there may be multiple images across several systems relating to a particular individual. If a record is deleted from a local custody system it will also be deleted from the PND.

However deletion from the PND will not lead to an automatic deletion from the local police system as there is no link back from PND to local systems.

This means that images can only be deleted manually and custody images can also only be linked to outcomes – people’s conviction status – manually.

Overall, Williams said, this makes seeking and removing custody images a “much more complex exercise” than deleting DNA and fingerprint data, which are linked to information on conviction status on the Police National Computer and given a unique identifier that allows them to be filtered.

She argued that trying to clean up the central database to remove images relating to people without charges might not be worth the time and money, especially as the cops would have to cough up themselves.


“Any weeding exercise will have significant costs and be difficult to justify given the off-setting reductions forces would be required to find to fund it,” she said.

In order to fix the situation long-term – and create an automated system – all 43 forces’ local systems and the PND would need to be updated, Williams said.

She added, however, that a new platform being developed under the National Law Enforcement Data Programme would “resolve this in the medium term”.

This will offer a “considerably more flexible approach to automatic deletion”, she said, although she didn’t offer any more detail on what this would entail in practice. However, given the current situation is entirely manual, that wouldn’t seem to set a particularly high bar, even for government tech standards.

Williams also failed to provide the committee with details on how many people had requested their information be removed from the database, and how many were successful, as they had requested during an intense hearing back in February.

Committee chairman Norman Lamb was unimpressed, responding: “The government is unable to inform us of the number of cases in which images have been deleted, and they tell us that the systems that would be used to do so are not up to the task.”

He said that it appeared that the police were “making-do with current systems and practices” despite the fact images of people who have not been convicted of a crime were sucked into the database.

“This leaves an unsatisfactory approach to the retention of facial images compared to the approach used for DNA and fingerprint records,” he said. “The government should urgently review its approach and put suitable processes and digital infrastructure in place.”

Lamb added that it was also possible individuals didn’t even know that their image was on police databases – meaning they wouldn’t know to ask for them to be deleted.

The committee had also raised concerns about the police’s use of facial recognition technology, and Williams used the letter to try to allay fears about a lack of coordinated oversight and the retention of images collected.

She said that any images collected during deployment of the tech that aren’t matched, as well as the “watch list” – individuals the police are on the lookout for, which are generated on an event by event basis – are both deleted at the end of the deployment.

Williams also noted that the government plans to create a board comprised of the information, biometrics and surveillance camera commissioners.

Although she didn’t say when this was due, the long-awaited biometrics strategy is slated to arrive in June. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/19/cutting_custody_snaps_too_costly_for_cops_says_ukgov/

Flash! Ah-ahhh! WebEx pwned for all of us!

Cisco has patched a serious vulnerability in its WebEx software that lets an attacker remotely execute code on target machines via poisoned Flash files.

Switchzilla is today advising all users running WebEx Business Suite or WebEx Meetings (both client and server) to update their software in order to patch CVE-2018-0112.

The vulnerability, discovered and reported to Cisco by researcher Alexandros Zacharis of ENISA (the EU’s network and information security body), stems from the failure by WebEx to properly check Flash (.swf) files when they are uploaded to a meeting room.

Zacharis found that an attacker could submit a malicious .swf to a room full of attendees via the file sharing tool, then execute the code on all of the targeted machines and do any number of unsavory things.

Cisco says Zacharis contacted them directly to report the bug and the company is not aware of any attacks targeting the vulnerability in the wild. The flaw has been given a CVSS score of 9.0 and a ‘critical’ severity designation by Cisco.

Other than updating WebEx Client/Server (or just deleting the thing), Cisco says there is no way to mitigate against the vulnerability, so you’ll want to get the latest version of the software to be sure the patch has been applied.

For those running WebEx Business Suite the updated versions will be T32.10 and T31.23.2, respectively. WebEx Meetings users will want to update their client software to T32.10 and Meetings Server should be updated to 2.8 MR2.

Also getting a patch is Unified Computing System (UCS) Director, where Cisco’s tech support staff found a bug (CVE-2018-0238) that will let an end user view and run commands (with their target’s current permission settings) on any VM currently being hosted by the datacenter management platform.

The information disclosure bug can be exploited via the UCS Director Web Interface, meaning all an attacker needs is a valid username and password. The access levels needed to exploit the bug (VM Management Actions permission) are enabled by default on end user accounts.

Needless to say, admins will want to update UCS Director versions 6.0 and 6.5 to the “Patch 3” update in order to fix the flaw. Those running earlier versions of Director or Director Express for Big Data are in luck as those builds have not been deemed vulnerable. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/19/cisco_patch_webex/

Facebook’s login-to-other-sites service lets scum slurp your stuff

A security researcher has claimed it’s possible to extract user information from Facebook’s Login service, the tool that lets you sign into third-party sites with a Facebook ID.

Readers will be familiar with Steven Englehardt (a Mozilla privacy engineer who pursues privacy research for his PhD at Princeton), whose work on browser fingerprinting led him to identifying a remarkable degree of privacy invasion by analytical scripts.

In Englehardt’s latest work, in partnership with Gunes Acar and Arvind Narayanan, the three explain that they identified seven sites accessing Facebook user data, and one site using Facebook’s application to track users around the Web.

For users, Facebook Login looks like a boon: they only need to use their Facebook password to log into multiple sites or apps. That, however, puts a very strong onus on Facebook to make sure the whole process is secure.

What Englehardt discovered is simple: “when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.”

The third parties were able to grab Facebook user ID, e-mail, name, and other profile information including (in one case) gender.

“We found seven scripts collecting Facebook user data using the first party’s Facebook access”, he wrote. The practice isn’t yet widespread, thankfully: scripts to gather this user information were only found on 434 of the Alexa top million sites, including “fiverr.com, bhphotovideo.com, and mongodb.com”.

Exfiltration from Facebook Login

Too easy, says Englehardt: a bit of JavaScript can exfiltrate Facebook Login data

The table below shows a sample of the sites’ data collection that Englehardt’s team identified.

Englehardt noted that OnAudience stopped the data collection when he’d previously spotted them misusing browser autofill features.

The second issue Englehardt discovered is that sites can abuse iframes to de-anonymise users who had used Facebook Login to access their sites. In the example given in the article, Bandsintown (an online gig guide) was carrying a hidden tracker that passed user information to an embedded iframe script (meaning Bandsintown could read the Facebook profile).

He added that having linked the logged in user to their Facebook profile, Bandsintown could then pass that information up to advertisers.

Grabbing user identity

How an online gig guide grabbed and shared user data

When notified, the site discontinued the practice.

Englehardt emphasised that this kind of third-party data gathering shouldn’t be regarded as a bug on Facebook’s part, although having announced “anonymous login” four years ago, it might be time for the Social Network™ to implement the feature.

As he wrote: “It is straightforward for a third party script to grab data from the Facebook API.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/19/facebook_third_party_site_login_security_leak/

PCI Council releases vastly expanded cards-in-clouds guidance

The Payment Card Industry Security Standards Council (PCI SSC) has issued a big update to its guidance on using payment cards with cloud computing services.

A lot has happened in the cloud since 2013, when the last version was published, which may explain why Wednesday’s version three hit 83 pages, 31 pages more than version two.

On The Register’s reading of the document, the big changes kick in around the new Section 6.5 on Vulnerability Management. This re-written section adds advice on testing web applications, internal networks and penetration testing.

Section 6.4 is new, too, and suggests “Customers should contractually require data breach notification from their Providers in clear and unambiguous language, taking into consideration the need to comply with local and global regulatory/breach laws, data privacy, security incident management and breach notification requirements.”

As you’d expect, new technologies like software-defined networking and the internet of things score a mention, along with guidance on how they impact PCI compliance.

Hypervisor introspection, the practice of peering into workloads to ensure they aren’t doing anything unexpected, has been given lengthy consideration because “… it can bypass role-based access controls and that it can be used without leaving a forensic audit trail within the VM itself.” Desktop virtualization, especially cloud-hosted desktops, has also required substantial new guidance.

There’s also a long list of things a container platform needs to do before it can be considered ready for duty handling payment card information in the cloud.

Another new and very modern recommendation concerns testing of automation to ensure that resources created in elastic cloud inherit the security controls required for PCI compliance.

The new document contains hundreds of changes. Perhaps the best way to assess the main points is by considering the updates to the section on “PCI DSS Compliance Challenges.”

The new version adds a warning that “… it may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or multi-tenant environment.” Both documents warn that it is hard to understand what infrastructure a cloud provides. The new one adds that it is therefore “difficult to identify which system components are in scope for a particular service or identify who is responsible for particular PCI DSS controls.”

Many changes concern scoping a cloud to ensure it is PCI compliant and plenty of those concern work to determine exactly what parts of a cloud are certified as PCI-compliant, who has responsibility for their security and how to make sure that an incident doesn’t end up with lots of finger-pointing that can’t help card-holders.

The new guidance document is here (PDF). Version two is here (PDF) if you fancy comparing the documents. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/19/pci_ssc_cloud_guidance_version_3/

70% of Energy Firms Worry About Physical Damage from Cyberattacks

High-profile ICS attacks Triton/Trisis, Industroyer/CrashOverride, and Stuxnet have driven energy firms to invest more in cybersecurity, survey shows.

RSA CONFERENCE 2018 – San Francisco – Operational outages and shutdowns and physical injury to employees due to cyberattacks are among the main worries of more than 95% of energy and oil and gas firms, a new survey shows.

Some 70% worry that cyberattacks could yield catastrophic results, such as explosions, according to the Dimensional Research study conducted on behalf of Tripwire. The report surveyed 151 IT and operational technology (OT) security professionals at energy and oil and gas companies. Some 65% say their organizations properly invest in ICS security, while 56% of those without sufficient security budgets say it would take a major cyberattack to pressure their firm to properly invest in security.

Ransomware has been slightly more of an incentive for energy firms to increase their ICS security (45%), followed closely by Triton/Trisis and Industroyer/Crashoverride (44%). Stuxnet inspired 11% to up their security budgets.

Some 35% of the firms employ multiple layers of security for their ICS systems, while 34% concentrate on securing their networks and 14%, their ICS devices.

Read more here
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/70--of-energy-firms-worry-about-physical-damage-from-cyberattacks/d/d-id/1331589?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple