STE WILLIAMS

“Most people on Facebook” have had data scraped by malicious actors

Cambridge Analytica (CA) may have gotten its hands on data from a far greater number of Facebook users, without their knowledge or permission, than independent sources originally estimated: 87 million, up from the initial estimate of 50 million.

Facebook tucked the new number into a post announcing new data access restrictions: just the latest in a string of attempts it’s been making to appease lawmakers and regulatory bodies and to try to keep users from torching their accounts.

(Need a match? Here you go.)

Facebook said in Wednesday’s post that “most people on Facebook” may have had their public profile information scraped by “malicious actors.” The scraping was done with account recovery and search tools that let users look up people by their phone numbers and email addresses, then take information from their profiles.

From the post, written by Facebook CTO Mike Schroepfer:

Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.

Facebook has now disabled the feature that allowed for searching by phone number or email address. It says it’s also making other changes to account recovery to reduce the risk of scraping, but it didn’t give details.
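The scraping described above is identifier enumeration: an automated client sweeps through phone numbers or email addresses and records which ones resolve to a profile. Facebook's answer was to remove the lookup feature; a service that must keep such a lookup has to detect the sweep instead. The following is an added example, not code from the article or from Facebook, showing one such detector run over constructed lookup logs. The log format, the client ids and the thresholds (a 10-minute window, more than 20 distinct identifiers, at least half of them not found) are this example's own assumptions.

```python
"""Added example (not from the article): flag bulk contact-lookup enumeration.

Assumed log format, one line per lookup request (constructed, not Facebook's):
    <ISO-8601 timestamp> <client_id> <phone|email> <target_hash> <found|not_found>
Thresholds are illustrative starting points, not values from the article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # sliding window per client
MAX_DISTINCT_TARGETS = 20           # distinct identifiers looked up within the window
MIN_MISS_RATIO = 0.5                # sweeps of guessed numbers mostly hit nothing


def constructed_sample_log() -> list[str]:
    """Build a constructed log: a normal user (c1) and an enumerating client (c2)."""
    base = datetime(2018, 4, 4, 10, 0, 0)
    lines = []
    # c1 looks up three contacts it genuinely knows, spread over 45 minutes.
    for i, minute in enumerate((0, 20, 45)):
        ts = (base + timedelta(minutes=minute)).isoformat()
        lines.append(f"{ts} c1 email h-known-{i} found")
    # c2 sweeps 40 consecutive phone-number hashes in under five minutes;
    # only one in ten corresponds to a real account.
    for i in range(40):
        ts = (base + timedelta(seconds=7 * i)).isoformat()
        status = "found" if i % 10 == 0 else "not_found"
        lines.append(f"{ts} c2 phone h-seq-{i:03d} {status}")
    return sorted(lines)  # fixed-width timestamp comes first, so string order is time order


def parse_line(line: str) -> tuple[datetime, str, str, str, bool]:
    ts, client, kind, target, status = line.split()
    return datetime.fromisoformat(ts), client, kind, target, status == "found"


def detect_enumeration(lines, window=WINDOW, max_targets=MAX_DISTINCT_TARGETS,
                       min_miss_ratio=MIN_MISS_RATIO) -> dict[str, dict]:
    """Return {client_id: details} for clients whose lookups look like an identifier sweep."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, target, found)
    flagged = {}
    for line in lines:
        ts, client, _kind, target, found = parse_line(line)
        window_events = recent[client]
        window_events.append((ts, target, found))
        # Drop events that have aged out of the sliding window.
        while ts - window_events[0][0] > window:
            window_events.popleft()
        if client in flagged:
            continue   # report each client once, at the moment it first trips
        distinct = {t for _, t, _ in window_events}
        misses = sum(1 for _, _, f in window_events if not f)
        miss_ratio = misses / len(window_events)
        if len(distinct) > max_targets and miss_ratio >= min_miss_ratio:
            flagged[client] = {
                "flagged_at": ts.isoformat(),
                "distinct_targets": len(distinct),
                "miss_ratio": round(miss_ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for client, info in detect_enumeration(constructed_sample_log()).items():
        print(client, info)
```

The two signals are deliberately combined: a high count of distinct identifiers alone would also catch a legitimate address-book import, while a high not-found ratio alone would catch a user with a stale contact list. A sweep of guessed numbers shows both at once. In production the same logic would key on an authenticated account or a rate-limit bucket rather than a raw client id, and a flagged client would be throttled rather than merely logged.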

Facebook’s been dishing up its appeasement banquet for a few weeks, ever since whistleblowers started telling the tale of “utterly horrifying” data harvesting that’s been routine at the platform.

Sandy Parakilas, the platform operations manager at Facebook responsible for policing data breaches by third-party software developers between 2011 and 2012, has described a history of Facebook hiding its head in the sand when it came to user data shared with apps, likely frightened of being found liable for what it’s enabled developers to do with that data.

The first whistleblower was CA founder Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data used to create a tool that could be used to profile voters and influence the 2016 US presidential election and Brexit campaign. Kogan has been linked to previously undisclosed Russian affiliations.

The fallout has been all sorts of hairy for Facebook: for one thing, the US Federal Trade Commission (FTC) is on its tail, investigating how the company let all those users’ data wind up with CA … a data analytics firm whose secret influence-voters-with-psychographic-voodoo sauce was recently, and allegedly, discovered sitting open to all on the internet.

Late last month, Facebook said it was revamping security and privacy settings as one response to the CA mess.

Before that, CEO Mark Zuckerberg announced a crackdown on abuse of Facebook’s platform, strengthened policies, and pledged an easier way for people to revoke apps’ ability to use their data.

Besides disabling the ability to look people up by their phone numbers or email addresses, Facebook’s making a number of other changes to try to crack down on third-party data access.

Apps will no longer be able to see personal information about users, like religion, political views, relationship status, education, work history, fitness activity and what books, movies and music people have consumed.

Apps will also need permission from Facebook before they can access things like Groups, Pages and check-ins. Nor will they be able to see the names and profile photos of people posting and commenting in a group, or see the guest list for events.

Facebook plans to delete call logs older than a year for Messenger and Facebook Lite users on Android who’ve opted in to the call and text history feature. In spite of this having been opt-in, many Android users were startled to discover years of contacts and call history when they downloaded their data archives last month.

On Monday, Facebook users will also see an option on top of their News Feed to review which apps have access to what type of information. As part of that process, Facebook will also tell people if their information was improperly shared with CA.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9ozFyvc5WQA/

Washington DC “awash” with fake cell towers

Rogue stingrays – spy kits that can track people’s locations by tricking phones into thinking they’re connecting to cell towers and which can then intercept calls and messages – have been found in Washington and beyond, the Department of Homeland Security (DHS) has confirmed.

The Associated Press reports that this is the first time the government has publicly acknowledged the presence of stingrays, possibly being used by spies and/or criminals, in the capital.

(StingRay is the brand name of an International Mobile Subscriber Identity (IMSI) locator, also known as an IMSI catcher, that’s targeted and sold to law enforcement. The term stingray has also come into use as a generic term for these devices.)

DHS said in a 26 March letter to Oregon Sen. Ron Wyden – a politician known as a privacy hawk – that agents came across unauthorized cell-site simulators in the Washington, DC, area last year.

The letter was written in response to specific questions (PDF) Wyden asked DHS in November. In his letter, Wyden referenced how security researchers in 2014 had detected a number of IMSI catchers in the capital region that they suggested may have been operated by foreign governments.

At the time, the Federal Communications Commission (FCC) responded by establishing a task force to investigate the threat posed by foreign governments or criminals using stingrays, which are “widely available from surveillance vendors around the world,” Wyden noted. But since then, the FCC hasn’t issued any public findings or guidance.

So, Wyden wanted to know, what’s the deal? Has DHS detected foreign IMSI catchers in the capital? If so, did it report the discovery to any Congressional committees? Does the department have the technological capability to detect the catchers? Has DHS detected the devices being used in other cities?

From DHS’s response:

[T]he National Protection and Programs Directorate (NPPD) has observed anomalous activity in the National Capital Region that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers.

DHS said it’s also aware of IMSI catcher use outside the Beltway.

In a separate letter accompanying his response, DHS official Christopher Krebs, the top official leading the NPPD, added that use of IMSI catchers by malicious actors to track and monitor cellular users “is unlawful and threatens the security of communications, resulting in safety, economic and privacy risks.”

The letter included answers to Wyden’s specific questions. As far as DHS’s technical capability to detect IMSI catchers goes, Krebs said his department doesn’t have any budget for the pricey endeavor:

NPPD is not aware of any current DHS technical capability to detect IMSI catchers. To support such a capability, DHS would require funding to procure, deploy, operate and maintain the capability, which includes the costs of hardware, software, and labor.

The Associated Press talked to Aaron Turner, president of the mobile security consultancy Integricell. He was one of the experts who conducted the 2014 sweeps that turned up the rogue stingrays. He said that little has changed since: Washington, like other major world capitals, is “awash” in unauthorized interception devices. Foreign embassies, for their part, can do as they like: they’re on sovereign soil.

[Every embassy] worth their salt [has a cell tower simulator installed] to track interesting people that come toward their embassies.

Canada’s still trying to figure out who’s behind mystery stingrays found throughout its capital. Last year, after Mounties admitted to using stingrays, a CBC News investigation found that the devices had also been planted at Montreal’s Trudeau airport… and that somebody was also using IMSI catchers in the area around Parliament Hill in Ottawa.

As of October, an investigation into who was behind the planting of stingrays in Ottawa hadn’t come up with anything concrete. Instead, it revealed a lot of confusion over whether the responsible party might have been the Canadian Security Intelligence Service (CSIS), which is Canada’s electronic spy agency.

CBC quoted an email from Christiane Fox, then the assistant secretary to the cabinet:

Can we be categorical on security agencies NOT being involved?

The reply from a director at Public Safety Canada:

I don’t know that we can say that categorically.

The day after, Public Safety Minister Ralph Goodale said that it was not a Canadian agency responsible for the spying.

Interesting that the question was hard to answer, isn’t it? Interesting, but not surprising. Law enforcement has a tendency to keep its use of IMSI catchers quiet. That secretiveness was borne out by the US government swooping in to snatch mobile phone tracking records away from the American Civil Liberties Union (ACLU) in 2014.

Mere hours before the ACLU was going to review the records, the Feds seized them. US Marshals then moved the physical records 320 miles away, preventing the ACLU from learning how, and how extensively, police use snooping devices.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jKzzWvfOukE/

Intel won’t fix Spectre flaws in older chips

If your PC runs one of Intel’s older microprocessors, bad news: Intel has announced that some of the company’s older consumer and business chips will not now receive updates to fix a variant of the Spectre mega-flaw.

After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products.

The affected processor families are: Penryn, Yorkfield, Wolfdale (all 2007), Bloomfield (2008), Clarksfield (2009), Jasper Forest, and Gulftown (both 2010).

The more recent SoFIA 3GR X3 Atom chip used in smartphones from 2015 is also on the list.

For most people, these names won’t be terribly helpful in working out whether they’re affected because they relate to a chip’s architecture not the product name it was sold under.

Helpfully, Intel itemises the individual processors in each affected family (see rows marked red, column two), so it’s a question of reading through the list to see which ones are mentioned.

A theme that jumps out of the listing is the number of high-performance Core 2 Extreme, Core i7 and Xeon server processors listed.

The likely reason for this is that the announcement relates to variant 2 of Spectre (CVE-2017-5715), rather than variant 1 (CVE-2017-5753).

From the moment Spectre was made public in January, it was clear that while variant 1 could be addressed in userland software, variant 2 would need a mixture of BIOS and possibly operating system updates.

This would require a lot of work by BIOS vendors and OS makers, such as Microsoft, to patch a flaw affecting older chips used in a relatively small number of specialist PCs.

Less politely, it’s not worth the bother when there’s so much other work needed to fix this flaw for everyone else.

The upside is that anyone whose PC contains one of these older chips can now make an informed choice about whether to ditch it and buy something more recent.

For everyone else, the process of mitigating and patching systems affected by both variants of Spectre as well as Meltdown is still unfolding.

How users achieve this will depend on which vendor made their PC, the BIOS inside it, and the operating system. Spectre variant 2 also affects chips from AMD (including recent Ryzen parts) and ARM.

Good places to drill down into the practical effects are Microsoft’s Meltdown and Spectre resource page, or similar ones provided by Intel, or AMD, or ARM’s developer-oriented site.
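On Linux there is a quicker first check than the vendor pages: the kernel reports its own view of each issue under /sys/devices/system/cpu/vulnerabilities/, one file per issue (meltdown, spectre_v1, spectre_v2 and, on newer kernels, others). Each file holds a status line that starts "Not affected", "Mitigation:" or "Vulnerable". The script below is an added example, not code from the article or from Intel; it reads those files where they exist and otherwise falls back to a constructed sample that shows the shape of a report in which variant 1 is handled in software and variant 2 is not. The wording after the leading keyword varies between kernel versions, so only that keyword is classified.

```python
"""Added example (not from the article): summarise the Linux kernel's own
Meltdown/Spectre mitigation report.

Since Linux 4.15 the kernel exposes one file per issue under
/sys/devices/system/cpu/vulnerabilities/ (e.g. meltdown, spectre_v1, spectre_v2),
each containing a status line such as "Not affected", "Vulnerable",
"Vulnerable: <detail>" or "Mitigation: <detail>". The detail text is
kernel-version specific, so only the leading keyword is classified here.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Map a sysfs status line to one of: not_affected, mitigated, vulnerable, unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs_statuses(directory: str = SYSFS_DIR) -> dict[str, str]:
    """Read every status file in the directory; empty dict if the kernel predates them."""
    if not os.path.isdir(directory):
        return {}
    statuses = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as f:
            statuses[name] = f.read().strip()
    return statuses


def summarize(statuses: dict[str, str]) -> dict[str, list[str]]:
    """Group issue names by classification so the unmitigated ones stand out."""
    groups = {"vulnerable": [], "mitigated": [], "not_affected": [], "unknown": []}
    for name, status in statuses.items():
        groups[classify(status)].append(name)
    return groups


# Constructed sample (not captured from a real machine): the shape of a report
# where the kernel mitigates Meltdown and variant 1 in software but has nothing
# to report for variant 2.
CONSTRUCTED_SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    statuses = read_sysfs_statuses() or CONSTRUCTED_SAMPLE
    for group, names in summarize(statuses).items():
        print(f"{group:>12}: {', '.join(names) or '-'}")
```

A "Mitigation:" line for spectre_v2 is only as good as the detail behind it: the parts of the variant 2 defence that depend on new microcode (the kernel names them in the detail text) cannot be present on a chip whose BIOS vendor never shipped that microcode, which is exactly the situation Intel's list creates. Treat the classification as a prompt to read the detail, not as a verdict.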

An introduction to Meltdown and Spectre can be found on a site set up by some of the researchers, and you can read a clear explanation of the KPTI flaws behind them from Naked Security’s own Paul Ducklin.

Spectre’s ghostly nickname has turned out to be spot on. As researchers wrote when announcing it in January:

As it is not easy to fix, it will haunt us for quite some time.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h7qeuBZGZJ8/

Facebook’s new fake news strategy is… decide for yourself!

Who are these yo-yos who share fake news on social media?

None of your friends, right? Your friends are too smart to fall for cockamamie click bait, and they’re diligent enough to check a source before they share, right?

Well, get ready to have the curtain drawn back. These yo-yos may be us. Or, at least, they may turn out to be our friends and/or relatives.

In its ongoing fight against fakery, Facebook has started putting some context around the sources of news stories. That includes all news stories: the sources with good reputations, the junk factories, and the junk-churning bot-armies making money from it.

On Wednesday, Facebook announced that it’s adding features to the context it started putting around News Feed publishers and articles last year.

You might recall that in March 2017, Facebook started slapping “disputed” flags on what its panel of fact-checkers deemed fishy news.

You might also recall that the flags just made things worse. The flags did nothing to stop the spread of fake news, instead only causing traffic to some disputed stories to skyrocket as a backlash to what some groups saw as an attempt to bury “the truth”.

In Facebook’s new spin on “putting context” around news and its sources, it’s not relying on fact-checkers. Rather, it’s leaving it up to readers to decide for themselves what to read, what to trust and what to share. At any rate, when it mothballed the “disputed” flags, Facebook noted that those fact-checkers can be sparse in some countries.

So this time around, Facebook said, the context is going to include the publisher’s Wikipedia entry, related articles on the same topic, information about how many times the article has been shared on Facebook, where it’s been shared, and an option to follow the publisher’s page. If a publisher doesn’t have a Wikipedia entry, Facebook will indicate that the information is unavailable, “which can also be helpful context,” it said.

Facebook is rolling out the feature to all users in the US. If the feature has been turned on for you, you’ll see a little “i” next to the title of a news story. It looks like this:

Once you click on that i, you’ll get a popup that shows the Wikipedia entry for the publisher (if available), other articles from the publisher, an option to follow the publisher, a map of where in the world the story has been shared, and, at the bottom, a list of who among your friends has shared it, along with the total number of shares.

Like so:

Facebook says it’s also starting a test to see if providing information about an article’s author will help people to evaluate the credibility of the article. It says that people in this test will be able to tap an author’s name in Instant Articles to see additional information, including a description from the author’s Wikipedia entry, a button to follow their Page or Profile, and other recent articles they’ve published.

The company says that the author information will only display if the publisher has implemented author tags on its website to associate the author’s Page or Profile to the article byline, and the publisher has validated their association to the publisher. The test will start in the US.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/INDykHw5qGw/

Is it a bird? Is it a plane? No, it’s a terrible breach of drone buyers’ data

Exclusive: A popular drone dealership website left its entire transaction database exposed online with no encryption at all, revealing a host of purchases by thousands of police, military, government and private customers.

The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register.

We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection whatsoever – and the sensitive customer details in those receipts were exceptionally easy to access. Even your grandma could have found it using Internet Explorer.

Details available for world+dog to browse through included names, addresses, phone numbers, email addresses, IP addresses, devices used to connect to the site, details of ordered items, the card issuer (e.g. Visa) and the last 4 digits of credit cards used to pay for goods.

Orders placed by police and military personnel included:

  • A purchase of a DJI Phantom 3 quadcopter by a serving Metropolitan Police officer, delivered to the force’s Empress State Building HQ in London, and made with a non-police email address composed of his unit’s very distinctive abbreviation
  • An Army Reserve major who had an £1,100 drone posted to his unit’s HQ
  • A member of the Ministry of Defence’s procurement division who bought a DJI Inspire 2, complete with spare battery and accidental damage insurance
  • A member of the National Crime Agency, who appeared to have used his ***@nca.x.gsi.gov.uk secure email address to buy a Nikon Coolpix digital camera

It was unclear whether these purchases were for personal or governmental use.

Other orders seen by The Reg include ones placed by: staff from privatised defence research firm Qinetiq; the UK’s Defence Science and Technology Laboratory’s radar R&D base at Portsdown Hill; the Brit Army’s Infantry Trials and Development Unit; UK police forces up and down the country; local councils; governmental agencies; and thousands more orders placed by private individuals.

Many were for cameras and other optical gear as well as drones, reflecting the network of branded e-commerce sites that Drones For Less forms a part of.

Infosec researcher Scott Helme told us: “From a technical perspective having this kind of information in a publicly accessible directory is incredibly negligent. This information should be stored in a database and most certainly should not be available to the internet and stored in plain text!

“At a minimum the company involved need to contact all of the affected customers and inform them what data has been leaked so that they can take whatever steps they deem necessary, even if that’s just so they can be vigilant for potential phishing emails. I hope that the ICO will also take action against the company for such a negligent leak of personal information.”

About that UK web address…

Drones For Less gives a London Mailboxes ETC shop (effectively a PO box number) as its postal address, and an 0203 SIP number – which can be configured to forward calls anywhere in the world – as a contact telephone number.

We first called it to report the breach to the site’s operators on 2 April. After being invited to hold by a cheery North American-accented auto-answer message, we got through to a customer support rep who introduced himself as John. He also had a distinctly North American accent. John asked us to email him details of the breach. We did this and asked repeatedly for a statement from the firm, to no avail.

Repeated followup phonecalls resulted in John sending us the email addresses of others within Drones For Less, inviting us to ask them for a comment, which we have done.

The dronesforless.co.uk domain name is registered to a company calling itself Mapleleafphoto LLC. The address – 2 Toronto Street, Toronto, Canada, as a Nominet Whois lookup shows – is a UPS shop, so is effectively another anonymous PO Box forwarding address.

A superficially similar website called Mapleleafphoto.ca gives a Quebec contact address which appears to lead to an industrial unit in that city.

The Drones For Less operator appeared, earlier this week, to be playing whack-a-mole with individual links to samples of the breached data we sent to him, taking those down but not others. Following sustained pressure, it now appears, to the best of El Reg’s ability to confirm, that the data has been removed from public view.

Drones For Less appears to be closely related to Cameras For Less, Video For Less and Tablets For Less, judging by house adverts on its Contact Us page.

A spokeswoman for the UK Government sent us a statement:

“We treat the security of our information very seriously. We have asked the company involved to remove any public record of this data and to let all those affected know.”

The Information Commissioner’s Office and Canada’s Office of the Privacy Commissioner are both aware of the breach. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/06/dronesforless_data_breach/

Botched upgrade at Belgian bank Argenta sparks phishing frenzy

Belgian bank Argenta has apologised for a botched tech plumbing upgrade that delayed transfers and confronted customers with incorrect balance data.

The bank, which has 1.4 million Belgian customers, blamed the problems on post-upgrade issues with the data transfer mechanism between its two data centres, among other things.

Last weekend, we did some radical work on our bank’s IT infrastructure. This work did not go smoothly, causing a delay in the transfer of our internal data. As a result, our customers and our agencies have experienced significant inconvenience as of Tuesday, April 3.

In collaboration with various experts, our colleagues are making every effort to remedy the problems and normalise the situation. We will keep you informed throughout this process, including through this temporary web page.

Argenta has set up micro-sites in French and Dutch to keep customers updated.

On Thursday night the bank decreased the load on the data transfer network by optimising certain applications and increased the bandwidth between its two main sites. Improved data storage technologies were installed as part of its ongoing efforts to get back to normal. The work was completed by the early hours of Friday, allowing Argenta to reactivate its mobile banking app.

In its latest statement (PDF, en français), Argenta admitted the system is still not stable. Internet banking is still not possible via Argenta’s website. “In the exceptional circumstances, we authorise certain urgent transactions made by email,” it said, adding that this would only happen after telephone checks and other controls.

Argenta customers can still obtain cash from ATMs or pay in shops using their debit cards. The account balances glitch has been resolved even though other problems clearly remain.

Online banking applications were taken offline at the weekend to facilitate the upgrade. When they were reactivated on Tuesday (3 April), it quickly became clear that something was seriously wrong, as Reg reader Robin L explained.

“Transfers of money, for instance wages, were in some instances delayed and some customers were confronted with an ‘insufficient balance’ message when trying to carry out a payment or withdraw cash,” Robin told us. “Customers sufficiently in credit have been able to make payments but are only able to see their balance by visiting a branch of the bank.”

Even more distressingly, 850 account holders reported that their accounts were now in the name of their former or deceased partner.

By Wednesday, scammers had attempted to take advantage of the confusion by sending Belgians phishing emails. Argenta is warning customers to disregard all such messages. “We will never contact you by email to resolve security issues or other issues related to your Internet banking accounts or applications,” it said. “Do not answer it in any case.”

This sage advice sits awkwardly against what Argenta was saying earlier this week, specifically in relation to bank transfers where it asked customers to get in touch with it via email.

Our tipster reported: “On Thursday, one of the FAQs on the bank’s temporary landing page was ridiculed by Twitter users. Customers who urgently needed to transfer money and who were unable to visit a bank branch were advised to email the bank with as subject ‘dringende overschrijving’ (urgent transfer) and include the details of the transaction to be carried out as an attachment.

“The bank first insisted it ‘remained vigilant’ and would verify every transaction by telephone but withdrew the advice later on Thursday.”

Belgian news outlet GVA reported (in Dutch) how experts reacted in disbelief after Argenta asked customers to email bank details.

Eddy Willems, a Belgian security expert who works for security firm G DATA Software, criticised Argenta for failing to get a grip on the problem more quickly. If the bank had a disaster recovery plan then that too has evidently failed.

“It took them a week before everything was under control which is more or less the case now,” Willems told El Reg. “The app is finally working and the website should be accessible by now. It’s unbelievable that a bank can get away with a problem like this these days. They should have planned this more carefully and tested backups or alternative plans much better.”

Willems confirmed that phishing emails have flourished in the chaos surrounding the bank’s upgrade woes.

“During this week there was a big spike in Argenta phishing mails which were related to the problems. More than 80 complaints were received by the Centre For Cyber Security. Personally I got about 20 phishing mails (in Dutch/Flemish) on my email accounts.

“People should know better, I’m pretty sure that some transactions have gone to the cybercriminals. Argenta is paying their customers back in this case and tried to block the phishing websites ASAP after appearing. It seems that people are still not aware enough about phishing during this kind of situation.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/06/belgian_bank_argenta_outage_botched_it_infrastructure_upgrade/

Study Finds Petabytes of Sensitive Data Open to the Internet

New research by Digital Shadows finds more than 1.5 billion sensitive files are open to discovery on the internet.

Companies are putting their sensitive data on the internet for all the world to see. That’s the conclusion of research published by security firm Digital Shadows, which found more than 1.5 billion sensitive files visible on the internet.

Misconfigured S3 buckets, NAS devices, FTP servers, and other storage and gateway systems were responsible for the vast majority of the visible files, the company says.

Visible data includes everything from patent applications to employee information, though payroll and tax return information accounted for the largest group of files available, with more than three-quarters of a million total files of these types seen. In all, Digital Shadows found more than 12 petabytes of sensitive information available to anyone bothering to look.

Third-party contractors misconfiguring systems was seen as the most significant cause of the open information. While S3 buckets have been in the news recently as a source of free data, Digital Shadows found that they only account for 7% of exposed data; technologies such as SMB (33%), rsync (28%), and FTP (26%) were responsible for the bulk of the data availability.

Digital Shadows notes that the rapidly approaching implementation of GDPR should provide companies with additional impetus to review the status of their systems and make configuration changes where necessary.
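Of the storage technologies in the study, S3 is the one whose access rules are a machine-readable document, so it is the easiest to audit before the data leaks rather than after. The following is an added example, not code from the article or from Digital Shadows, that flags anonymous-access grants in a bucket policy and a bucket ACL, using the JSON shapes that `aws s3api get-bucket-policy` and `get-bucket-acl` return. The policy documents, the bucket name, the account id and the role name in the samples are constructed placeholders; the weak policy is shown next to its corrected form.

```python
"""Added example (not from the article): flag anonymous-access grants in an
S3 bucket policy and bucket ACL, the misconfiguration class behind the exposed
buckets the study counts. Sample documents are constructed; the account id and
role name are placeholders.
"""
import json

# Canonical ACL groups meaning "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM documents allow a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or any other "*"-valued principal key)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def public_statements(policy: dict) -> list:
    """Allow statements that grant to anonymous principals; a Condition is noted, not trusted."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "has_condition": "Condition" in stmt,  # may narrow access; needs human review
        })
    return findings


def public_acl_grants(acl: dict) -> list:
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant.get("Permission")})
    return findings


def audit(policy: dict, acl: dict) -> dict:
    return {"policy": public_statements(policy), "acl": public_acl_grants(acl)}


# Constructed: the weak policy that makes every object readable by anyone ...
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-payroll-archive/*"
  }]
}""")

# ... and its corrected form, scoped to one application role (placeholder ARN).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleReadOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/payroll-app-role"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-payroll-archive/*"
  }]
}""")

# Constructed ACL with a public READ grant, which lets anyone list the bucket.
WEAK_ACL = {
    "Owner": {"ID": "placeholder-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit(WEAK_POLICY, WEAK_ACL), indent=2))
    print(json.dumps(audit(FIXED_POLICY, {"Grants": []}), indent=2))
```

The checker reports a statement with a Condition as public but marks it, because conditions such as a source-VPC restriction do narrow access while others (a referrer header, for instance) do not; that judgement is left to the reviewer. Bucket policies and ACLs are evaluated together by S3, which is why the audit covers both: a bucket with a clean policy can still be listable through a stray ACL grant.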


Article source: https://www.darkreading.com/endpoint/privacy/study-finds-petabytes-of-sensitive-data-open-to-the-internet/d/d-id/1331473?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Stripping the Attacker Naked

How cyber threat intelligence can help you gain a better understanding of the enemy and why that gives security teams the upper hand.

When it comes to cyberattacks, nobody is immune. Some of the largest enterprises and most important government agencies have been victims of intrusions where sensitive corporate or client data and classified information was stolen and put in the public domain.

Given the fact that no one can prevent breaches from happening, everyone must be as prepared as possible to handle threats. Preparation requires enhancement not only of defenses but of response processes too, and to accomplish this, it’s essential to gain a better understanding of the enemy.

There are a few key areas that demand our sustained focus in order to achieve these goals. First, security personnel must identify the “crown jewels” — the vital data needing protection. It’s then important to understand what the motivation and profile of an attacker is. After establishing this, the next steps involve identifying who has legitimate access to those assets, then, finally, working out what the potential attack vectors are against legitimate users and the infrastructure that hosts the crown jewels themselves.

It’s imperative to have a clear vision and understanding of the cyber terrain, assets being protected, and capabilities of the enemy. This enables us to better re-enforce defenses where we can and have the know-how to respond properly where we can’t. Ultimately, it’s about establishing a process that will eventually lead to the infusion of cyber threat intelligence information into the defense and response apparatus.

For example, if a company is engaged in selling goods online, one of the crucial assets to protect is the financial information of product buyers. Of all the attackers out there, we can likely deduce that nation-states, corporate spies, and most “script kiddies” up for a challenge are not prime suspects. This leaves cybercriminals. Usually, our thinking stops there — but that’s a mistake. What’s needed is to push the reflection further and think about the attack itself.

Yes, cybercriminals might want to steal credit card numbers, but this is obvious, and so it’s important to think a bit more like them to work out what else they might be after. Can they lock down a part of a system using ransomware that will prevent selling products? Is this a type of bribery to keep the company out of large distributed denial-of-service attacks? Is the organization selling products delivered in unidentified brown boxes of a very personal nature to buyers, and, therefore, is the mere fact that customer names end up in the public sphere going to create problems?

Based on more specific attack scenarios, it may be easier to align defensive measures — but this brings up additional questions. For instance, if a company only sells products to US-based customers, could you block foreign connections using geolocation? It might also open questions related to legal liabilities, due care, and diligence obligations, which could drive more specific processes on how to respond to different types of incidents.

Regarding cyber threat intelligence more specifically, understanding attackers can allow for the extraction of very specific indicators of attack or of compromise from the various databases commercially available. This might enable the focus to be a little more on criminal adversaries and their modus operandi instead of going very wide and generating a ton of false positives. Then, it could be possible to study their techniques and ask ourselves if we have what we need in our infrastructure to prevent them from using their tools and techniques.
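Carried through for the online-retailer case the article uses, the procedure is: write down the threat profile (which adversary classes and which assets matter), select from the feed only the indicators attributed to those classes, then match logs against that subset first and keep the rest for later review. The following is an added example, not code from the article or from any threat-intelligence vendor; the feed entries, the profile, the proxy log lines and the field names are all constructed for illustration.

```python
"""Added example (not from the article): scope an indicator feed to the
organisation's threat profile before matching it against logs.

Feed entries, profile and proxy log lines are constructed; the field names
are this example's own, not a vendor schema. Hosts use reserved .example
names and documentation IP ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str          # domain or IP, as it would appear in a proxy log
    kind: str           # "domain" | "ip"
    actor_class: str    # adversary class the feed attributes it to
    ttp: str            # what the indicator is used for


# Constructed threat profile for an online retailer: the crown jewels are the
# checkout and payment paths, and the expected adversaries are criminals.
PROFILE = {"actor_classes": {"financially_motivated"}, "assets": {"checkout", "payment"}}

# Constructed feed mixing indicators from several adversary classes.
FEED = [
    Indicator("skimmer-cdn.example", "domain", "financially_motivated", "payment-card skimmer loader"),
    Indicator("pay-relay.example", "domain", "financially_motivated", "card data exfiltration"),
    Indicator("203.0.113.45", "ip", "financially_motivated", "ransomware C2"),
    Indicator("diplo-mail.example", "domain", "state_sponsored", "espionage C2"),
    Indicator("198.51.100.7", "ip", "state_sponsored", "espionage staging"),
    Indicator("freegames-crack.example", "domain", "opportunistic", "adware"),
]

# Constructed proxy log: <timestamp> <src ip> <src host> <method> <dest host> <path>
LOG = """\
2018-04-05T09:12:01 10.0.3.14 checkout-web GET skimmer-cdn.example /l.js
2018-04-05T09:12:05 10.0.3.14 checkout-web POST pay-relay.example /c
2018-04-05T09:13:40 10.0.7.2 hr-laptop GET freegames-crack.example /dl
2018-04-05T09:15:02 10.0.1.9 mail-gw GET diplo-mail.example /
2018-04-05T09:16:11 10.0.3.15 checkout-web GET cdn.legit.example /app.js
""".splitlines()


def scope_feed(feed, profile) -> list:
    """Keep only indicators attributed to the adversary classes in the profile."""
    return [i for i in feed if i.actor_class in profile["actor_classes"]]


def match_logs(lines, indicators) -> list:
    """Exact-match destination hosts against indicator values, keeping the feed's context."""
    by_value = {i.value: i for i in indicators}
    hits = []
    for line in lines:
        ts, _src_ip, src_host, _method, dest, _path = line.split()
        ind = by_value.get(dest)
        if ind:
            hits.append({"time": ts, "source_host": src_host, "indicator": ind.value,
                         "actor_class": ind.actor_class, "ttp": ind.ttp})
    return hits


def triage(lines, feed, profile) -> dict:
    """Split hits into those matching the profile (work first) and the rest (review later)."""
    scoped_values = {i.value for i in scope_feed(feed, profile)}
    all_hits = match_logs(lines, feed)
    return {
        "prioritised": [h for h in all_hits if h["indicator"] in scoped_values],
        "deferred": [h for h in all_hits if h["indicator"] not in scoped_values],
    }


if __name__ == "__main__":
    for bucket, hits in triage(LOG, FEED, PROFILE).items():
        print(bucket)
        for h in hits:
            print("  ", h["time"], h["source_host"], "->", h["indicator"], f"({h['ttp']})")
```

The point of keeping the feed's context on each hit is that the analyst sees "checkout-web talking to a skimmer loader" rather than a bare matched string, which is what turns a match into an incident hypothesis. The deferred hits are not discarded: an espionage indicator on the mail gateway still needs a look, just not ahead of the two hits on the asset the profile says matters most.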

By using a more practical and specific approach, organizations can gain the ability to invest precious cybersecurity dollars on things that matter most to a business model and its protection. By knowing the enemy inside out, and by being one step ahead, control is regained. What adversaries consider their attack playground is effectively our arena, and as security professionals, we rule it. It is for us to step up and — when they trespass on our turf — leave them standing naked and defenseless.

Originally from Montreal, Martin has been navigating the tormented waters of cybersecurity for over 20 years. He was the founder and CTO at Above Security Canada, where he worked locally and in the Caribbean. Twelve years ago, he moved to Switzerland to launch SecureIT, …

Article source: https://www.darkreading.com/threat-intelligence/stripping-the-attacker-naked/a/d-id/1331429?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NUC, NUC! Who’s there? Intel, warning you to kill a buggy keyboard app

Intel has made much of its NUC and Compute Stick mini-PCs as a way to place computers in out-of-the-way places like digital signage.

Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel Remote Keyboard” to let you mimic a keyboard and mouse from afar.

But now Chipzilla’s canned the app.

The reason is three nasty bugs that let attackers “inject keystrokes as a local user”, “inject keystrokes into another remote keyboard session” and “execute arbitrary code as a privileged user.” The bugs are CVE-2018-3641, CVE-2018-3645 and CVE-2018-3638 respectively.

Rather than patch the app, Intel’s killed it and “recommends that users of the Intel® Remote Keyboard uninstall it at their earliest convenience.”

The app’s already gone from the Play and App Stores (but Google’s cached pages about it for Android and iOS, in case you fancy a look).

The Android version of the app’s been downloaded at least 500,000 times, so this is going to inconvenience plenty of people … at least until they get RDP working on Windows boxes and VNC running under Linux. The greater impact may be on Intel’s reputation for security, which has already taken a belting thanks to the Meltdown/Spectre mess. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/06/rip_intel_remote_keyboard/

Buggy Verge crypto-cash gets hacked, devs go fork themselves, hard

The Verge cryptocurrency has seen its value drop by 25 per cent after hackers exploiting a bug in the alt-coin’s software forced its developers to hit the reset button and hard-fork the currency.

Programmers on Wednesday confirmed that the fun-bux had been on the receiving end of a “small hash attack” that caused its value to drop from $0.07 to $0.05 per XVG. The developers claimed they had cleared up what was portrayed as a minor hiccup.

According to netizens observing the attack from the Bitcointalk forums, however, the shenanigans were anything but minor. Rather, bugs were present in the XVG code that allowed miscreants to mine blocks with bogus timestamps, messing up the currency’s blockchain.

The programming blunders were leveraged by persons unknown to generate new blocks at a rate of roughly one per second. This, in turn, allowed the attackers to net an estimated $1m.

“Usually to successfully mine XVG blocks, every ‘next’ block must be of a different algorithm,” explained forum poster OCminer, of the Suprnova Mining Pools. “So, for example, scrypt, then x17, then lyra, etc.

“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block, as a malicious miner or pool, you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algorithm was one hour ago. Your next block, the subsequent block, will then have the correct time. And since it’s already an hour ago – at least that is what the network thinks – it will allow this block to be added to the main chain as well.”

OCminer added it was a 51 per cent attack, in which miscreants seize control of the majority of mining power on a cryptocurrency’s network.
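To make the flaw OCminer describes concrete, here is an added example in Python; it is not Verge's code and not from the article, but a toy multi-algorithm chain with two validators side by side. The "flawed" validator judges an algorithm's rest period from the claimed timestamp of the last block on that algorithm and puts no lower bound on a new block's timestamp, which is exactly what lets a backdated block clear the way for an immediate follow-up on the same algorithm. The hardened validator enforces rotation by chain order instead and bounds timestamps with a median-time-past check borrowed from Bitcoin's consensus rules. The algorithm names, the MIN_ALGO_GAP value, the honest chain and the timestamps are constructed assumptions, not Verge's real parameters.

```python
from dataclasses import dataclass
from statistics import median

# Constructed model: five rotating proof-of-work algorithms, as the article describes
# for XVG. The names and every parameter below are illustrative, not Verge's values.
ALGOS = ("scrypt", "x17", "lyra2rev2", "blake2s", "groestl")
MIN_ALGO_GAP = 100        # seconds an algorithm must "rest" under the flawed rule (assumed)
MAX_FUTURE_DRIFT = 7200   # reject blocks stamped more than two hours ahead of network time
MTP_WINDOW = 11           # median-time-past window; Bitcoin uses the previous 11 blocks
ATTACK_ALGO = "scrypt"    # the algorithm the attacker keeps re-mining in the example


@dataclass
class Block:
    height: int
    algo: str
    timestamp: int   # claimed by the miner; the only notion of time the network sees


def build_honest_chain(now, n_blocks=20, spacing=30):
    """Constructed honest history: one block every `spacing` seconds, algorithms
    cycling in order, with the tip stamped at `now`."""
    return [Block(h, ALGOS[h % len(ALGOS)], now - (n_blocks - 1 - h) * spacing)
            for h in range(n_blocks)]


def last_of_algo(chain, algo):
    """Most recent block mined with `algo`, or None if the algorithm never appeared."""
    return next((b for b in reversed(chain) if b.algo == algo), None)


def median_time_past(chain):
    """Median timestamp of the last MTP_WINDOW blocks (the lower bound Bitcoin uses)."""
    return int(median(b.timestamp for b in chain[-MTP_WINDOW:]))


def vulnerable_accept(chain, blk, now):
    """Flawed rule modelled on the quote: the rest period is measured from the
    *claimed* timestamp of the last same-algorithm block, and the new block's own
    timestamp may lie arbitrarily far in the past."""
    if blk.timestamp > now + MAX_FUTURE_DRIFT:
        return False
    prev = last_of_algo(chain, blk.algo)
    return prev is None or now - prev.timestamp >= MIN_ALGO_GAP


def hardened_accept(chain, blk, now):
    """Rotation is enforced by chain order, not by timestamps, and timestamps are
    bounded on both sides, so a backdated block is simply invalid."""
    if blk.algo == chain[-1].algo:                 # consecutive blocks must change algorithm
        return False
    if blk.timestamp <= median_time_past(chain):   # cannot claim to be older than recent history
        return False
    if blk.timestamp > now + MAX_FUTURE_DRIFT:     # nor too far in the future
        return False
    return True


def run_attack(validator, now=1_700_000_000):
    """Replays the two-block pattern from the article against `validator`: a block
    backdated by one hour, then a same-algorithm block stamped with the real time.
    Returns the accept/reject decision for each block; accepted blocks extend the chain."""
    chain = build_honest_chain(now)
    h = len(chain)
    attack = [Block(h, ATTACK_ALGO, now - 3600), Block(h + 1, ATTACK_ALGO, now)]
    decisions = []
    for blk in attack:
        ok = validator(chain, blk, now)
        decisions.append(ok)
        if ok:
            chain.append(blk)
    return decisions


if __name__ == "__main__":
    print("flawed rule   :", run_attack(vulnerable_accept))   # [True, True]
    print("hardened rule :", run_attack(hardened_accept))     # [False, True]
```

Under the flawed rule both blocks land: the honest chain's last scrypt block is 120 seconds old, so the backdated block passes the rest check, and once it is in, the follow-up scrypt block sees a "last scrypt block" an hour old and passes too, giving two consecutive blocks on one algorithm a second apart. Under the hardened rule the backdated block is rejected outright because its timestamp falls below the median time of the last 11 blocks; the second block is then accepted only because, with nothing backdated ahead of it, it is an ordinary scrypt block following a groestl tip at the normal cadence. What the hardened validator never allows is two same-algorithm blocks back to back, which is the property the spoofed timestamps were used to break.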

We’ve asked the Verge currency team for comment on the matter, but have yet to hear back at the time of publication.

In addition to the attack, the handling of the aftermath is also drawing criticism. To remedy the issue, the developers hard forked XVG, effectively creating a new blockchain.

“The XVG team erroneously forked their entire network to ‘undo’ the exploited blocks, but this resulted in the entire network being unable to sync,” noted cryptocurrency news site The Merkle.

“When the team was made aware of their mistake, they were able to re-sync the network, but still have not completely defeated the issue.”

XVG is itself a fork of Dogecoin, funnily enough. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/06/verge_cryptocoin_gets_hacked_devs_go_fork_themselves/