STE WILLIAMS

Miner vs miner: attack script seeks out and destroys competing currency exploits

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.

The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target machines, he wrote: “The fight for CPU cycles started!”

Pre-infection, the attack script checks whether a target machine is 32-bit or 64-bit and downloads files known to VirusTotal as hpdriver.exe or hpw64 (they’re pretending to be HP drivers of some kind).

If successfully installed, the attack then lists running processes and kills any it doesn’t like. Mertens noted that alongside ordinary Windows stuff, the list of death-marked processes includes many associated with cryptominers, some of which are listed below.

Silence
Carbon
xmrig32
nscpucnminer64
cpuminer
xmr86
xmrig
xmr

Mertens wrote that the script also checks for, and kills, processes associated with security tools.
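A defender-side counterpart to the behaviour described above, added here as an example (it is not code from the article or from SANS ISC): it runs the process names the script targets, plus the fake HP driver file names it downloads, against process-creation and process-termination telemetry and ranks hosts by how closely they match the pattern. The key=value log lines are constructed for the example, and the Sysmon-style event numbers (1 for process create, 5 for process terminate) are an assumption about how the telemetry is laid out.

```python
"""Flag hosts whose process telemetry shows the cryptominer names the SANS
write-up lists being created or killed, or the fake HP driver file names
the loader drops.

Added example, not code from the article or from SANS ISC. The log lines
are constructed in a Sysmon-like key=value style; real Sysmon output is
XML/EVTX and would need its own parser (assumption)."""
import re
from collections import defaultdict

# Process names the article says the script kills (competing miners).
# "silence" and "carbon" are generic words, so expect some benign hits.
MINER_NAMES = {"silence", "carbon", "xmrig32", "nscpucnminer64",
               "cpuminer", "xmr86", "xmrig", "xmr"}
# File names the article says the loader downloads, posing as HP drivers.
DROPPER_NAMES = {"hpdriver.exe", "hpw64"}

# Constructed sample telemetry (not real data). event=1 create, event=5 terminate.
SAMPLE_LOG = """\
host=ws01 event=1 image=C:\\Windows\\System32\\svchost.exe
host=ws01 event=1 image=C:\\Users\\Public\\hpdriver.exe
host=ws01 event=5 image=C:\\Temp\\xmrig.exe
host=ws01 event=5 image=C:\\Temp\\cpuminer.exe
host=ws02 event=1 image=C:\\Program Files\\Git\\bin\\git.exe
host=ws03 event=5 image=C:\\Users\\bob\\xmr.exe
"""

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+event=(?P<event>\d+)\s+image=(?P<image>.+)$")


def classify(image):
    """Return 'dropper', 'miner' or None for a full image path."""
    name = re.split(r"[\\/]", image.strip())[-1].lower()
    stem = name[:-4] if name.endswith(".exe") else name
    if name in DROPPER_NAMES or stem in DROPPER_NAMES:
        return "dropper"
    if stem in MINER_NAMES:
        return "miner"
    return None


def scan(log_text):
    """Group matching events per host: dropper images, miners created, miners terminated."""
    findings = defaultdict(lambda: {"dropper": [], "miner_created": [], "miner_terminated": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        kind = classify(m["image"])
        if kind is None:
            continue
        host = m["host"]
        if kind == "dropper":
            findings[host]["dropper"].append(m["image"])
        elif m["event"] == "5":
            findings[host]["miner_terminated"].append(m["image"])
        else:
            findings[host]["miner_created"].append(m["image"])
    return dict(findings)


def rank(findings):
    """Hosts where the dropper ran and miners were then killed match the
    article's pattern best; weight those signals highest."""
    scored = []
    for host, f in findings.items():
        score = 3 * len(f["dropper"]) + 2 * len(f["miner_terminated"]) + len(f["miner_created"])
        scored.append((score, host))
    return [host for _, host in sorted(scored, reverse=True)]


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for host in rank(result):
        print(host, result[host])
```

A host that only terminates a miner may simply be an administrator cleaning up, so the ranking treats the dropper name as the stronger signal and leaves the final call to the analyst.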

Mertens’ next post is also worth a look if you’re a Linux admin. He followed up on this tweet from ESET’s Michal Malik.

It’s a bash script that tries to push a miner onto Linux boxes, along with scanning the Internet for Windows machines vulnerable to the NSA’s EternalBlue attack. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/06/cryptocurrency_miner_sans_martens/

Pennsylvania AG sues Uber over 2016 data fail

Uber has been hit with a lawsuit over its failure to disclose the 2016 theft of its customer and driver records.

Pennsylvania state Attorney General Josh Shapiro says the dial-a-ride broker violated state data breach law when it failed to promptly file a report and notify both drivers and passengers of the loss of data.

Shapiro said the suit will seek at least $13.5m in damages.

According to the suit (PDF) filed with the Philadelphia County state district court, Uber violated the state’s Consumer Protection Law when, in 2016, it paid a hacker six figures to keep quiet about the incident. Uber finally came forward about the matter in 2017.

Among those whose data was exposed by the attack were 13,500 Uber drivers in Pennsylvania.

By failing to notify those drivers of the breach, Shapiro believes Uber violated the ‘Breach of Personal Information Notification Act’, a provision that calls for any breach of personal information to be disclosed ‘without unreasonable delay’.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet,” said Shapiro.

“That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

The suit asks the court to levy damages against Uber of $1,000 for each of the 13,500 exposed drivers. The suit also seeks legal costs and restitution for the victims.

Uber chief legal officer Tony West, who has promised to cooperate with all state investigations, said in a statement he was “surprised” by Shapiro’s lawsuit.

“I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach,” West told The Register.

“While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/05/pennsylvania_ag_sues_uber_over_2016_data_breach/

World’s biggest DDoS attack record broken after just five days

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case there were no outages, as the provider had adequate safeguards in place, but it’s clear that memcached amplification attacks are something network managers will have to take seriously from now on.


The attacks use shoddily secured memcached servers to amplify traffic against a target. The assailant sends a small UDP request, with its source address spoofed to that of the victim, to a memcached server that has no authentication requirement in place. The server responds by firing back as much as 50,000 times the data it received, and it sends that reply to the spoofed address, i.e. the victim.

With many such packets sent every second, the memcached server unwittingly amplifies the deluge of data directed at the target. Without proper filtering and network management, the tsunami of data can be enough to knock some providers offline.


There are some simple mitigation techniques, notably blocking UDP traffic on port 11211, the default port memcached listens on. In addition, the operators of memcached servers need to lock down their systems so they cannot be recruited into such denial of service attacks.
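An added example, not code from the article or from Arbor Networks, showing how the amplification described above can be detected from flow records on the server side: it sums the UDP bytes arriving at port 11211 from each peer against the bytes the server sends back to that peer, and flags pairs whose ratio is far beyond anything a cache reply could justify. The flow tuples are constructed, and the field layout and the threshold are assumptions.

```python
"""Spot memcached reflection traffic in flow records by measuring the
bytes-out / bytes-in ratio per (server, peer) pair on UDP 11211.

Added example, not code from the article or from Arbor Networks. Flow
records are constructed; the (proto, src, sport, dst, dport, bytes) layout
is an assumption, not any collector's real export format."""
from collections import defaultdict

MEMCACHED_PORT = 11211
# A legitimate reply is roughly the request size plus the cached value;
# anything far beyond that is reflection. The threshold is an assumed tuning value.
AMPLIFICATION_THRESHOLD = 100.0

# Constructed sample flows (not real traffic). Documentation-range addresses.
SAMPLE_FLOWS = [
    # Small request with the victim's address as source ...
    ("udp", "203.0.113.7", 40000, "192.0.2.10", 11211, 60),
    # ... and the server's huge reply aimed at the victim.
    ("udp", "192.0.2.10", 11211, "203.0.113.7", 40000, 1_200_000),
    ("udp", "203.0.113.7", 40001, "192.0.2.10", 11211, 60),
    ("udp", "192.0.2.10", 11211, "203.0.113.7", 40001, 1_100_000),
    # Normal-looking internal client: request and a modest reply.
    ("udp", "10.0.0.5", 51000, "192.0.2.10", 11211, 80),
    ("udp", "192.0.2.10", 11211, "10.0.0.5", 51000, 400),
    # TCP cannot be spoofed this way, so it is ignored by the detector.
    ("tcp", "10.0.0.6", 52000, "192.0.2.10", 11211, 5000),
]


def amplification_by_peer(flows):
    """Return {(server, peer): (bytes_in, bytes_out, ratio)} for UDP 11211 traffic."""
    bytes_in = defaultdict(int)   # requests arriving at the server from a peer
    bytes_out = defaultdict(int)  # replies leaving the server towards a peer
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == MEMCACHED_PORT:
            bytes_in[(dst, src)] += nbytes
        elif sport == MEMCACHED_PORT:
            bytes_out[(src, dst)] += nbytes
    result = {}
    for key in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[key], bytes_out[key]
        # Replies with no visible request (e.g. request arrived via another
        # path) are reported as infinite so they are never silently dropped.
        ratio = o / i if i else float("inf")
        result[key] = (i, o, ratio)
    return result


def reflection_alerts(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Pairs whose reply volume exceeds the request volume by the threshold factor."""
    return sorted(
        (key, stats) for key, stats in amplification_by_peer(flows).items()
        if stats[2] >= threshold
    )


if __name__ == "__main__":
    for (server, peer), (i, o, ratio) in reflection_alerts(SAMPLE_FLOWS):
        print(f"{server} -> {peer}: {i} B in, {o} B out, x{ratio:.0f}")
```

A spoofed request looks exactly like a normal client in the inbound column, so the ratio, not the request itself, is what gives the abuse away. On the operator side, memcached’s `-U 0` option disables the UDP listener (recent releases ship with UDP off by default), and `-l` binds the daemon to a private interface so it is not reachable from the internet at all.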

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” said Carlos Morales, VP of sales, engineering and operations at Arbor Networks.

“It is critically important for companies to take the necessary steps to protect themselves.”

It has been nearly five years since the first memcached attacks were reported, but in the last few weeks they have grown in popularity, and some now come with ransom demands. It’s clear these attacks are going to be a regular feature unless memcached server operators get their act together. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/05/worlds_biggest_ddos_attack_record_broken_after_just_five_days/

6 Questions to Ask Your Cloud Provider Right Now

Experts share the security-focused issues all businesses should explore when researching and using cloud services.
(Image: ra2studio via Shutterstock)

The cloud is fairly new territory for many organizations and, consequently, it’s an area where mistakes are made stemming from confusion around the role cloud service providers play in security, and how companies should work with them.

“Organizations looking to host their data in cloud service providers have the best intentions in mind, and the clients I speak with are looking at security as being a key motivator,” says Mark Judd, research analyst at Gartner’s Research Analyst Lab.

But, Judd says, many businesses are in the mindset of thinking that because major players like Amazon and Microsoft have not been directly compromised, any data they put in those companies’ cloud environments will automatically be secure. The problem is, security works both ways.

“They neglect to realize that moving into a cloud does not automatically make their data secure, but requires an understanding of the shared responsibility in regards to security controls between the organization and the cloud provider,” Judd explains.

Andrei Florescu, group product manager for datacenter at Bitdefender, observes that enterprise responsibility for cloud security varies from function to function, depending on whether you’re buying Infrastructure-as-a-Service, Platform-as-a-Service, or Software-as-a-Service.

Renting instances in Amazon Web Services will involve different responsibility from buying Office 365, he says, adding that “customers should spend a bit of time understanding the type of service they’re consuming from cloud providers, and understanding the security model of whatever it is they’re consuming.” 

Misconceptions around the responsibilities of cloud service providers and their customers in securing data can put information at risk. Here, cloud experts share the security-focused questions all businesses should be asking when researching and using cloud services.

 

 Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

 

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/cloud/6-questions-to-ask-your-cloud-provider-right-now/d/d-id/1331189?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CERT.org Goes Away, Panic Ensues

Turns out the Carnegie Mellon CERT just moved to a newly revamped CMU Software Engineering Institute website.

When a major security website goes away, people notice and often assume the worst. So when the Carnegie Mellon Community Emergency Response Team (CERT)’s stand-alone website was recently taken down, it caused some confusion. It turns out CERT remains in operation.

A blog post by Risk Based Security reflected the uncertainty that ensued in the wake of the recent disappearance of the cert.org site. The confusion began after a tweet by a former CERT employee that the website had been removed. Risk Based Security then found that the content of cert.org had been folded into the Software Engineering Institute (SEI) website at Carnegie Mellon. It seemed ominous that typing in the former CERT URL took visitors not to a CERT site but to the SEI’s.

“The important thing is that this [website change] doesn’t portend anything about CERT itself,” a CERT spokesperson said, adding that the work of CERT is more important than ever.

All of the information formerly found at cert.org – from blog posts to podcasts to research reports – is available at www.sei.cmu.edu, and CERT’s knowledge base of security issues remains accessible under its traditional URL, https://www.kb.cert.org.

CERT announced the changes in late January, he said. “We put banners on most of the main websites, and on the blog and resource library and other sites, we put splashes up about a month in advance. We gave a link to preview the new site well ahead of the launch,” the spokesperson said. “We were managing a large number of external Web properties. These were two of the largest and for a variety of organizational reasons we decided to combine them,” he said.

Read more here and here.


Article source: https://www.darkreading.com/threat-intelligence/certorg-goes-away-panic-ensues/d/d-id/1331190?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

More Security Vendors Putting ‘Skin in the Game’

Secure messaging and collaboration provider Wickr now publicly shares security testing details of its software.

Product warranties, while still rare in the security industry, appear wildly popular among enterprises looking for more guarantees from their vendors. More than a dozen security vendors now offer some sort of warranty for their products and services.

Proofpoint, Symantec, SentinelOne, and Trustwave are among the security product vendors that reimburse customers for various security failures of their products or services. Symantec, for instance, offers coverage with its LifeLock identity theft protection service ranging from $25,000 to $1 million for stolen funds, while SentinelOne offers $1,000 per endpoint infected with ransomware and up to $1 million in aggregate per year for a ransomware attack that slips past its endpoint product. But few big-name enterprise security vendors offer warranties today.

Meanwhile, secure messaging and collaboration provider Wickr has created a new security transparency program for its customers that ultimately could lead to a warranty program as well: Wickr today launched what it calls a customer security promises program, which shares with the public the details of its regular third-party software security testing results as well as any resulting remediation tasks.

The program stops short of a product warranty, but Wickr CEO Joel Wallenstrom left the door open for a warranty offering at some point. “Warranties are very intriguing, and pretty close to what we are doing in our promise process,” Wallenstrom says.

Security product guarantees increasingly are gaining traction. A study by Vanson Bourne found that 95% of US companies want their security vendors to provide a guarantee on their products and services, and 88% would consider switching to a vendor that offered one.

Wickr’s new program, meanwhile, opens up to the public its internal engineering and software testing process, including its code and how it engages with third-party software security testing providers. “We’re really trying to open the kimono to customers around the world” on how Wickr’s code stands up to regular testing and how the firm then makes any relevant fixes, he says. The customer security promises initiative joins the company’s existing secure development and bug bounty programs, and provides a framework for the third-party firms that test Wickr’s software.

But Wickr isn’t a typical security provider. Its platform is aimed at users and organizations with high levels of privacy and security requirements. Wickr’s end-to-end encryption platform uses perfect forward and backward secrecy with a new random key for each message, file, and voice call communication, and Wickr does not store any content. 

“Our customers are pretty self-selecting,” notes Wallenstrom. “They are pretty serious about data security.”

NCC Group, the third-party software security testing firm currently working with Wickr in the new program, says Wickr is the first of its vendor clients offering such transparency. “They started the next bar,” says Ollie Whitehouse, CTO at NCC Group. Whitehouse expects GDPR to place more regulatory and economic pressures on other companies and vendors to perform stronger software-security due diligence akin to Wickr’s efforts. “Anyone with PII [personally identifiable information],” for example, he says.

Jeremiah Grossman, chief of security strategy at SentinelOne, has been pioneering the movement toward security product warranties and guarantees for several years now. He sees Wickr’s new testing transparency program as a gamechanger. “Most companies could do this, provided that they know how well their product actually worked,” he says.

He says it makes sense for Wickr to lead the way with its program because it’s offering secure end-to-end communications that calls for validation and transparency of the code to back up its product claims. “An additional benefit [would be] to add a warranty to it,” he says.

Cyber insurance provides a level of risk coverage for enterprises, he notes, but vendors also need to offer some product guarantees, he says. “We’re trained to think security can’t be guaranteed,” Grossman says. “But customers deserve [more]. Vendors need to put some skin in the game.”

Cryptography expert Paul Kocher, an advisor to Wickr and one of the industry researchers who discovered the Spectre and Meltdown microprocessor vulnerabilities revealed earlier this year, notes Wickr’s testing transparency program isn’t for all security vendors. “I don’t think a lot of companies are able to do something as comprehensive as Wickr is doing,” he says.

Kocher, who is chief scientist at Rambus, says security product liability programs remain a bit of an enigma. There’s no clear model for liability, he says. “Are we at a point broadly where the cost benefit of strict liability for security failures is good or bad? When you put in a lot of liability, you slow innovation down,” for instance, he says.

Spectre is a current example of the gray area surrounding product liability, according to Kocher. “There are 35 active lawsuits over” Spectre right now, he says.


 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/application-security/more-security-vendors-putting-skin-in-the-game/d/d-id/1331192?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Insider Threat Seriously Undermining Healthcare Cybersecurity

Two separate reports suggest insiders – of the malicious and careless variety – pose more of a problem in healthcare than any other sector.

The healthcare industry’s ability to defend against cyberthreats is being seriously undermined by its own workforce, according to two separate reports released this week.

In an analysis of 1,368 security incidents at healthcare organizations in 27 countries, Verizon found that nearly six out of 10 (58%) involved insiders. That figure, according to Verizon, makes healthcare the only sector in which internal actors pose a bigger threat to an organization’s cybersecurity posture than external actors.

The primary driver in many cases is financial gain, with insiders often stealing data to commit tax fraud, to open lines of credit, and to commit other fraud. Fun and curiosity are other factors as well: 31% of the security incidents involved insiders looking up personal records of celebrities and family members, Verizon found.

In an Accenture report based on a survey of 912 healthcare employees in the US and Canada, some 18% of respondents (nearly 1 in 5) professed a willingness to sell confidential data to unauthorized third parties for as little as $500 to $1,000. Among the malicious activities they were willing to perform: selling login credentials, downloading data to portable drives, and installing tracking software on business systems.

Twenty-four percent actually know someone in their organization who has sold their access credentials to an unauthorized third party. The willingness to sell confidential data was more pronounced among respondents from provider organizations (21%) than among those in payer organizations (12%), Accenture found.

“Healthcare is a veritable treasure trove of valuable information,” says John Schoew, lead of Accenture’s health public service security practice in North America. The adoption of electronic medical records (EMRs), wearables, and other healthcare technologies has created a wealth of data, making healthcare organizations an attractive target for data thieves, he says.

“Employees are often a weak link in an organization’s cyber defenses – across many industries,” Schoew says. But as with most other industries, the bad actors in the healthcare sector are the exception and not the rule. Often, breaches result from employee error caused by a failure to comply with or understand policies.

“When it comes to healthcare cybersecurity, however, the stakes are higher,” Schoew cautions. A healthcare data breach could have a significant impact on patient care, cause reputational damage, and hurt enormously from a financial standpoint. Accenture’s research has shown that cyber breaches cost individual healthcare providers an average of more than $12 million, and individual victims an average of $2,500, he says.

There are multiple short-term improvements organizations can make to address some of the security threats posed by insiders, says Suzanne Widup, senior analyst with Verizon Security Research. They include measures like implementing full-disk encryption; conducting a comprehensive review and ongoing audits of access rights to sensitive PHI and other data; establishing a proactive policy of building security into technology updates; and developing and testing incident response plans ahead of an issue.

“The healthcare sector houses unique and sensitive protected health information,” Widup says. The most important takeaway for organizations and IT leaders is to prioritize the security of that data. “Healthcare organizations should develop longer-term strategic actions to keep this information private for future stability and success in the digital world,” she says. 

Employees need to be made aware through training and awareness campaigns that improper access to patient data could lead to corrective actions being taken against them, according to Verizon’s report.

More Sick Data

The Verizon and Accenture reports are among several new reports that paint an especially bleak picture of healthcare cybersecurity against the backdrop of the Healthcare Information and Management Systems Society’s (HIMSS) conference in Las Vegas this week. US organizations in particular appear to be struggling more with security issues than counterparts in other regions of the world.

One of the reports, from Thales, for instance, found that healthcare organizations in the US experience substantially more breaches than organizations in other regions of the world. 

Thales surveyed 100 senior healthcare IT managers in the US and 135 professionals from nine other countries and found 48% of the US respondents reporting a breach in the last 12 months, compared to an average of 36% elsewhere.

More than three-quarters (77%) of US healthcare entities say they have experienced at least one data breach in the past, and nearly six in 10 (56%) confess to feeling either “very vulnerable” or “extremely vulnerable” to potential data security incidents. In comparison, just 34% of the respondents from other countries felt the same way, the Thales study shows.

On a positive note, Thales found that more US healthcare organizations plan to increase spending on cybersecurity than organizations in any other sector. Eighty-four percent of healthcare entities in the US indicate they will spend more on security, with 46% saying their spending would be “much higher” than present.

“Data breaches have become the new reality for healthcare organizations,” says Peter Galvin, chief strategy officer at Thales. Healthcare records, which can include full names, social security numbers, birth dates, banking information, and credit card data, are the most valuable pieces of information on the Dark Web, he says.

“Given the value of the information, the breaches are coming from cyber gangs, insiders, and even nation states mostly for monetary advantage,” Galvin notes.

Unfortunately, too many healthcare organizations continue to use compliance with regulations such as HIPAA as their sole benchmark for security and are therefore spending on the wrong controls. “While organizations have found that encryption, tokenization, and data masking are the most effective techniques for preventing data breaches, they are spending the majority of their budgets on 10-year-old perimeter security solutions,” Galvin says.

Encouragingly, while the number of attacks has kept increasing, there is some data to suggest that healthcare organizations are getting somewhat better at mitigating the fallout.

Security vendor Bitglass analyzed breach data from the US Department of Health and Human Services and found that organizations are losing fewer data records per breach than previously.

In 2017, the average number of records compromised per breach was 16,060, a 72% decline from 2015 and a 95% decline from 2016 when mega breaches like those at Anthem and Premera are excluded. Bitglass also found that between 2014 and 2017, healthcare organizations reduced the number of breach incidents resulting from lost and stolen devices by 63%.

“More and more, healthcare organizations are turning to proactive security solutions rather than reactive security solutions in order to address breaches,” notes Mike Schuricht, vice president of product management at Bitglass. “In other words, instead of focusing on cleanup after the fact, they are deploying tools that actively alert and enable IT to take action on high-risk activities.”


 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/insider-threat-seriously-undermining-healthcare-cybersecurity/d/d-id/1331191?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Brit semiconductor tech ended up in Chinese naval railgun – report

A Chinese firm’s buyout of a British semiconductor company may have directly led to China developing railgun weaponry and electromagnetic aircraft carrier catapults for its navy, according to reports.

An anonymous source, identified as a former Dynex exec, told The Sunday Times that the acquisition of Dynex Semiconductor by Chinese railway firm Zhuzhou CRRC Times Electric in 2008 “could have helped the development” of the Chinese navy’s new railguns.

Dynex produces, as its name suggests, semiconductors, in particular insulated-gate bipolar transistors (IGBTs). These can be used as critical components in railguns and similar catapult-type technologies thanks to their very high voltage and current ratings.

“In these big electronic systems… you need to be able to turn on and off big power very, very quickly. And your standard power switches are too slow,” the former Dynex exec told the newspaper.

The basic principle behind a railgun is that a current passed between two rails via a sliding armature generates an electromagnetic field that flings a projectile carried in the armature out into the great beyond. A little lateral thinking easily turns this into an electromagnetic catapult. To make it work you need seriously high currents and voltages – sufficient to generate 160MJ, if this paper is taken at face value.

The main advantages of railguns over conventional artillery are that muzzle velocities (and thus the kinetic energy of the projectile, i.e. how much of a thump it makes when it hits its target) can be far higher than conventional explosive propellant-based gun tech, or steam pressure tech in the case of naval catapults. In theory, the vastly higher muzzle velocities will lead to far greater range for naval guns. Some sources claim this could be up to 100 nautical miles (as opposed to around 15-20NM at present), breathing new life into an otherwise inexpensive-but-obsolescent naval weapon system.

According to The Sunday Times’ source, CRRC’s buyout of Dynex enabled a full-scale technology transfer. The state-owned train company reportedly built a £167m factory in Hunan province, based on Dynex’s Lincoln premises. The newspaper cited various other reports drip-feeding their way out of China which suggest that the nation is currently at a similar stage to US railgun research, having apparently started from nothing a decade ago.

“The acquisition of IGBT from the British company a decade ago led to China’s leapfrogging of electromagnetic aircraft launch technology critical for its aircraft carrier program,” reported US-based NTD TV.

While appealing to navies for a whole host of reasons, electromagnetic catapult tech is not without its own problems, as the US Navy revealed with its EMALS project in early 2017. Controlling the rate of acceleration appears to be one of the main problems dogging EMALS, with auditors warning that the stress of EMALS launches was taking a hard toll on F-18 carrier-based fighter jets.

The national security implications of this tech transfer are obvious, and troubling. Britain’s post-Brexit answer to maintaining national prosperity is to go full throttle into cutting-edge technologies, racing ahead of other countries to commercialise and license the technologies we develop. If that comes into conflict with our strategy of using Chinese capital to cover the upfront costs, and the result is that British advanced technologies find their way into Chinese weapon systems, that will not only make the world a less safe place, it will potentially harm Britain’s standing with its allies – particularly the US, which is keen to confront Chinese challenges to its hegemony.

Dynex did not respond to The Sunday Times’ request for a comment. We have asked Dynex for a statement and will update this article if they respond. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/05/dynex_semiconductor_china_railgun/

Emirates dinged for slipshod online data privacy practices

International airline Emirates leaks customers’ sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.

Modi, in an online post on Friday, said that after a customer books a flight through Emirates, the process of managing the reservation shares personally identifiable information with over a dozen third-party trackers, including Boxever, Coremetrics, Crazy Egg, Facebook, and Google.

The data includes: customer name, customer email, itinerary, phone number, passport number and details, and brings with it the ability to edit this information.

The Emirates privacy policy makes clear some data sharing may occur. But the policy language stops short of declaring a wholesale customer data giveaway or granting the ability to alter reservations.


Modi said his argument is not against using third-party trackers. “The concern lies when such services are implemented across all pages of the website, without distinguishing between what is private data and what is not,” he said, noting that not all such services should have access to the full spectrum of customer data.

The reservation confirmation email, when clicked, Modi explains, takes the user to the Emirates website, which is festooned with trackers – code that captures data on behalf of a marketing partner.

And because the initial link relies on the insecure HTTP protocol, related data is potentially accessible to a network-based man-in-the-middle attack.

In an email to The Register, Modi described several scenarios by which such information could be abused:

1. The third-party companies themselves might use the data. Even if the privacy policy currently states they do not use it right now, policies change all the time.
2. Malicious users inside the company might use this data for identity theft.
3. In case these companies get hacked, and the users’ data is compromised, an entity outside that company will also have access to this sensitive information.
4. If the link which the user opens is over HTTP, which it is in the case of Emirates.com, then any adversary capable of monitoring the network will have access to the same information.

These are, however, theoretical concerns; there’s no indication that this data is presently being abused.

Modi says he identified the issue and raised it with Emirates via social media back in October 2017. At the time, he maintains, the web app passed personal information through hidden form fields that were nonetheless accessible as plain text.

The web app received a subsequent revision that eliminated the problem, but the Emirates mobile app, he insists, now exhibits the same issue.

“For Emirates, yes the issue still persists,” he confirmed to The Register.

Modi contends that other airlines like KLM and Lufthansa exhibit similarly lackluster data security practices, or at least did so when he checked last October. He says that the problem isn’t so much the usage of third-party services as how these services are implemented.

Trackers like Facebook and Google Analytics allow companies to track individuals across the internet and potentially to de-anonymize them, said Modi.

“The key point here is the user never signed for this, all s/he did was surf the internet,” he explained.

Modi would like to see Emirates limit the use of third-party tracking code that puts privacy data at risk.

“Emirates has the control of their website and what the website shares with third party services,” he says. “It is this control that needs to be exercised to limit the leakage of user information.”

Emirates did not immediately respond to a request for comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/05/emirates_dinged_for_slipshod_privacy_practices/

Facebook Upgrades Link Security with HSTS Preloading

Facebook and Instagram links will automatically update from HTTP to HTTPS for eligible websites, increasing both speed and security, the social media giant said.

Facebook has upgraded its link security infrastructure to include HSTS preloading, which automatically switches HTTP links to HTTPS for eligible websites. The change is intended to improve security and navigation speed for Facebook and Instagram links, according to the social media firm.

HTTP Strict Transport Security (HSTS) is a mechanism by which a website instructs browsers to access it only over HTTPS. Preloading lets a site tell browsers to apply this upgrade ahead of time. Many browsers support HSTS, but many people still use browsers that don’t; upgrading the link on Facebook’s side ensures connections are secure when people click supported links from Facebook or Instagram.

Facebook determines which links are eligible for HTTPS based on two sources. One is the Chromium preload list, which is used in most major browsers and is regularly updated. The other is recording HSTS headers from sites shared on Facebook. The browser preload list is updated with any sites that serve HSTS with the preload directive.
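As an added illustration (not Facebook’s code), the decision the paragraph above describes in working form: parse a Strict-Transport-Security header, check it against the preload-list submission requirements, and upgrade an http:// link only when the host is covered by a preload list or has served a qualifying header. The preload list and observed headers below are constructed samples; the parent-domain lookup assumes preloaded entries carry includeSubDomains, as the preload requirements demand.

```python
"""Added example, not Facebook's code: HSTS header parsing and link upgrading."""
from urllib.parse import urlsplit, urlunsplit

# Preload-list submission requirements (hstspreload.org): max-age of at least
# one year, includeSubDomains, and the preload token.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed samples standing in for the Chromium preload list and for HSTS
# headers recorded from sites shared on the platform.
PRELOAD_LIST = {"example.com"}
OBSERVED_HEADERS = {
    "shared.test": "max-age=31536000; includeSubDomains; preload",
    "weak.test": "max-age=300",
}

def parse_hsts(header):
    """Parse an HSTS header value into a dict, or return None if it is invalid."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a repeated directive makes the header invalid
            return None
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # max-age is the one mandatory directive
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def preload_eligible(header):
    """True when the header meets the preload-list submission requirements."""
    p = parse_hsts(header)
    return bool(p and p["preload"] and p["include_subdomains"]
                and p["max_age"] >= PRELOAD_MIN_MAX_AGE)

def covered_by_preload(host, preload_list):
    """A host is covered when it or any parent domain (not the bare TLD) is listed."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in preload_list for i in range(len(labels) - 1))

def upgrade_link(url, preload_list=PRELOAD_LIST, observed=OBSERVED_HEADERS):
    """Rewrite http:// to https:// only for eligible hosts; leave other URLs untouched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http":
        return url
    if covered_by_preload(host, preload_list) or preload_eligible(observed.get(host, "")):
        return urlunsplit(parts._replace(scheme="https"))
    return url
```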

Read more details here.


Article source: https://www.darkreading.com/endpoint/facebook-upgrades-link-security-with-hsts-preloading/d/d-id/1331187?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple