STE WILLIAMS

Misleading Cyber Foes with Deception Technology

Today’s deception products go far beyond the traditional honeypot by catching attackers while they are chasing down non-existent targets inside your networks.

During the Second World War, a unit of the Allied Forces called the Ghost Army used rubber airplanes, inflatable tanks and other props to fool German commanders into thinking they were dealing with a bigger military force than in reality. One of their many subterfuges was to get Axis forces to think an entire Allied Army unit was in a particular area when in fact there was none. Such deception and strategic trickery has been a staple of warfare through history, and is an approach that a growing number of organizations have now begun employing in cyberspace as well.

Gartner defines deception technologies as a class of products that use “deceits, decoys and/or tricks” to stop, throw off or delay an attacker, disrupt automated malware tools and to detect attacks. Analysts at Technavio estimate the global demand for deception tools to grow at 10% annually to around $1.5 billion by 2021.

Deception tools are basically decoys of real systems that can be deployed at multiple points on the network to keep intruders away from your real assets. They work by getting malicious actors to chase down non-existent targets, luring attackers into traps, and keeping them engaged long enough for security teams to understand their activities. The goal is to confuse and confound attackers to the point where it becomes too hard or too costly for them to pursue a campaign.

Honeypots are a good example of a deception technology. But they are not the only available option, by far. Deception tools these days allow you to deploy decoys for virtually every hardware and software asset on your network. The tools — available from a fairly long and growing list of vendors — can be used to mimic your endpoint systems, servers, network components, applications and real data. From an attacker’s perspective, the decoy systems will appear exactly like the real thing down to the operating system and software versions.

In addition to luring attackers away from your real assets, deception tools trick attackers into revealing their hands early. With deception systems, there is no question of false positives and false alerts. Anytime someone hits a decoy system you know it has to be an unfriendly actor because there is no reason for a legitimate user to want to access it. You can then either choose to shut down the attackers more quickly, or observe their moves and see what you can learn about the tactics, techniques and procedures.

Deception products can supplement the capabilities of your existing portfolio of security controls. They are not primarily designed to stop attacks from happening. Virtually no existing security tool or control can guarantee against a breach. Instead, deception tools can help you quickly and reliably spot intruders who have managed to penetrate your outer defenses in order to prevent them from moving laterally inside your network. That is a critical capability to have at a time when attackers have shown a growing ability to breach perimeter defenses and lie hidden on enterprise networks for extended periods of time. 

Laurence Pitt is the Strategic Director for Security with Juniper Networks’ marketing organization in EMEA. He has over twenty years’ experience of cyber security, having started out in systems design and moved through product management in areas from endpoint security to …

Article source: https://www.darkreading.com/partner-perspectives/juniper/misleading-cyber-foes-with-deception-technology/a/d-id/1331123?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Splunk to Acquire Phantom

$350 million deal scheduled to close Q1 2018.

Splunk plans to purchase security orchestration and automation pioneer Phantom Cyber Corp. for $350 million in cash and stock, the data analytics company said today.

Phantom’s security orchestration, automation, and response (SOAR) technology will be integrated with Splunk’s big data analytics platform as a way to streamline incident response in security operations centers. Oliver Friedrichs, founder and CEO of Phantom, will report to Splunk’s senior vice president and general manager of security markets Haiyan Song.

The acquisition is scheduled to close in the first half of this year, subject to regulatory and other closing conditions.

“Phantom’s employees and technology significantly expand and strengthen Splunk’s vision for the security nerve center and for business revolution through IT,” Doug Merritt, Splunk president and CEO said in a statement. “Splunk is committed to continuously pushing the limits of technology to help our customers get the answers they need from their data. I am very excited to reach this definitive agreement with Phantom and look forward to welcoming the team to Splunk.”

Article source: https://www.darkreading.com/cloud/splunk-to-acquire-phantom/d/d-id/1331141?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Opt-in cryptomining script Coinhive ‘barely used’ say researchers

Few sites are bothering to use the opt-in version of Coinhive, the controversial ride-along JavaScript crypto-mining package that requires end-users’ consent to run.

So said security firm Malwarebytes in an analysis emitted on Monday, but Coinhive developers disputed those findings and argued that a third of cryptomining-using websites get their users’ consent.

Cryptomining sees web page operators use visitors’ computers to mine for cryptocurrencies as they surf a site. Sometimes the mining is covert, as a result of mining malware infections. Publishers can also run miningware without explicitly telling users about their efforts. On other occasions publishers formally tell visitors they’re helping them raise funds by running mining code.

Coinhive tried to make the last cryptomining scenario legit by offering software that only works after users opt-in. In October 2017 the outfit therefore introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed.

Reg now behind invisible HTML5 Bitcoin paywall

READ MORE

Data from security software firm Malwarebytes, unveiled on Monday, said that in January and February 2018 the opt-in version of Coinhive was used by just 40,000 folk each day compared to three million users of its silent miner. The security software firm adds that even sites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with news website Salon.

The developers of Coinhive disputed these figures. “We don’t have statistics about the exact number of clients, but as for our raw hashrate: ~35% comes from AuthedMine,” the developers told El Reg via Twitter. “Many sites still use the classic implementation with their own (non intrusive) opt-in or with a prominent opt-out. Ultimately it’s the decision of the website owners.”

Malwarebytes’ findings were supported by security researcher Troy Mursch who said its figures are consistent with his own research.

The Coinhive crew went on to claim that Malwarebytes blocks AuthedMine, too. “Attempts to get this resolved remained unanswered,” they said.

Malwarebytes’ The State of Malicious Cryptomining report also notes how groups used the WannaCry vulnerabilities to infect servers with cryptomining packages, a tactic previously reported by El Reg. ®

Bootnote: The “Read More” box above links to our 2017 April Fool’s Day prank, in which we joked that we’d added cryptomining to the site. Not many months later, actual cryptomining became prevalent.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/27/ethical_coinhive/

Fender’s ‘smart’ guitar amp has no Bluetooth pairing controls

Guitar amp manufacturer Fender’s recently-introduced Mustang GT 100 guitar amplifier can be made to play whatever audio an attacker fancies, security researchers have discovered.

The amp allows Bluetooth connections, but without pairing security. Anyone within range could therefore “stream arbitrary audio to it and hijack your amp output”, security researcher Chris Pritchard of Pen Test Partners (PTP) reported.

The device – marketed towards gigging musicians – is trivially easy to hack, as a video put together by PTP demonstrates.

Anyone using the Mustang GT at a concert therefore ought to turn Bluetooth off – even though that removes the “smart” features that would have been the main reason for buying it in the first place.

The same amplifier is also vulnerable to more subtle hacks. For example it’s possible to interfere with its preset sound settings.

The presets feature allows users to wield a smartphone app that imbues the amp with presets that mimic famous guitarists’ signature sounds. The app interacts with the amp over Bluetooth Low Energy (BLE) and does so separately to the Bluetooth audio input.

Permissions-based security is absent from the preset feature, meaning mischief-makers could push a new sound preset to the amp over BLE: a musician could expect to sound like Hendrix but instead come out sounding rather different. The same trick could be used to mute the amp by enabling a feature designed to be used only when musicians are tuning up their kit.

Security researchers at Pen Test Partners also put the Marshall Code 50 smart amp through its paces. Marshall’s machine has similar features to the Fender but with better security. “It relies on authentication to do anything, so it can’t be hijacked in the same way,” PTP’s Pritchard said.

The issues uncovered in Fender’s amp are best described as features that are open to abuse rather than vulnerabilities that could leak data. They do, however, illustrate that vendors are adding smarts to all manner of technologies without also adding intelligent security controls.

“We don’t consider these to be vulnerabilities particularly, more abuse of features for unintended consequences,” Pen Test Partners’ Ken Munro told El Reg.

PTP reckons Fender could mitigate the issues it has uncovered by implementing some simple pairing security. “Even a button press on the amp to put it in pairing mode for a short period would be a step in the right direction,” PTP concludes.

Fender is yet to respond to a request for comment from The Register. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/27/fender_smart_guitar_amp_dumb_security/

You get a criminal record! And you get a criminal record! Peach state goes bananas with expanded anti-hack law

A proposed anti-hacking law in the US state of Georgia is raising all kinds of alarms – because it could chill security research, and criminalize anyone who breaks a website or ISP’s T&Cs.

The bill, SB 315, would expand the state’s computer crime laws to include penalties for accessing a machine without permission even if no information was taken or damaged. Drawn up by state senator Bruce Thompson (R) in January, the proposed legislation has been approved by Georgia’s senate, and is being considered by its house of representatives.

Backers of the bill, including state Attorney General Chris Carr, said expanding the protections will close a loophole, and allow the state to better pursue criminals.

“As it stands, we are one of only three states in the nation where it is not illegal to access a computer so long as nothing is disrupted or stolen,” Carr said when the bill was first introduced.

“This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole.”

Opponents of the bill, however, say the draft legislation goes too far: it would, for example, criminalize “any person who accesses a computer or computer network with knowledge that such access is without authority.” Disclosing a password to someone without permission to do so is also a no-no.

Groups including the Electronic Frontier Foundation (EFF) worry that the bill could be used against legitimate security researchers who alert private companies to vulnerabilities found in corporate systems.

Specifically, the rights warriors fear organizations could try to shut down bug reporting and disclosures by pressing charges alleging the researchers committed an unauthorized access in discovering flaws in networks and services. The EFF also argued that, as written, the law could be used to crack down on ordinary netizens: breaking the terms of service of a website or similar falls foul of this draft law, we’re told.

In other words, if the terms of service on a website require you to be truthful about, say, your weight or marital status or email address, and if you’re not or simply make a mistake on a form, you’ll run up against the Peach state’s proposed anti-hacking law.

“Terms of service come from a private company — for instance, your cable and internet provider have terms of service,” said Electronic Frontiers of Georgia member Scott Jones.

“The bill is so broadly written that a violation of terms of service could possibly be construed as a criminal violation, and that would be improper delegation of powers.”

The EFF has asked the state [PDF] to amend the bill to better protect researchers.

It just so happens that Georgia’s electronic voting system was earlier probed by security researchers, who claimed to have found various exploitable holes. A computer system at the center of a lawsuit over the alleged vulnerabilities was later mysteriously wiped.

Beyond deleting evidence from servers, it would appear Georgia has found another way to avoid the hard gaze of computer security research – simply outlaw it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/26/georgia_hacking_bil/

RAT king thrown in the slammer for peddling NanoCore PC nasty

A bloke has been jailed for nearly three years for developing and selling malware that allowed miscreants to snoop on and remote-control victims’ Windows PCs.

Taylor Huddleston, of Arkansas, USA, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and peddling his $25 software nasty. In addition to the 33-month sentence handed down on Friday, he will also get two years of supervised release. He had faced a maximum of 10 years in prison.

The case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to compromise and control victims’ computers, but for developing and selling it to others. Huddleston admitted he created his software knowing it would be used by others to break the law.

The 27-year-old, a resident of Hot Springs, coded and sold the NanoCore remote-access trojan (RAT) from January 2014 to February 2016.

The spyware, once installed on a mark’s machine, was able to harvest information such as passwords and emails as well as activate and control connected webcams. NanoCore also supported third-party plugins that allowed the RAT to lock infected PCs and hold them to ransom, or use them to launch denial-of-service attacks on websites and similar services.

“By developing NanoCore and distributing it to hundreds of people, some of whom he knew intended to use it for malicious purposes, Huddleston knowingly and intentionally aided and abetted thousands of unlawful computer intrusions and attempted unlawful computer intrusions,” US government prosecutors said in the statement of facts Huddleston would sign in his plea deal.

He said he sold ownership of NanoCore to a third-party in 2016.

Huddleston also fessed up to creating Net Seal, a copy-protection and licensing tool that was used by other malware writers to distribute their creations from 2012 through October 2016 while thwarting pirates. One of Net Seal’s customers was Zachary Shames, the Virginia college student who created and sold thousands of copies of keylogger software out of his dorm room. Huddleston said Shames paid $7.40 (via PayPal) for his copy of Net Seal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/27/nanocore_rat_coder_33_months/

Adobe Flash Vulnerability Reappears in Malicious Word Files

CVE-2018-4878, a Flash zero-day patched earlier this month, has resurfaced in another campaign as attackers capitalize on the bug.

An Adobe Flash vulnerability, CVE-2018-4878, patched earlier this month is being exploited in a new phishing campaign leveraging malicious Microsoft Word documents.

This critical vulnerability is a use-after-free bug that enables remote code execution, according to Adobe. It was first spotted in targeted attacks against primarily South Korean victims. In early February, the South Korea Computer Emergency Response Team (KrCERT/CC) issued an advisory on CVE-2018-4878 in Flash Player ActiveX 28.0.0.137 and earlier versions.

Successful exploitation of the vulnerability could let an attacker assume control over an affected system. The first wave of attacks, delivered via malicious Excel documents, was attributed to the North Korea-based APT group ScarCruft. Some researchers say that group likely purchased the exploit given its overall lack of sophistication and access to cryptocurrency.

Adobe addressed CVE-2018-4878 in Flash version 28.0.0.161, released on February 6. Shortly after, Morphisec researchers spotted the vulnerability being exploited in the latest attack campaign.

After analyzing the first targeted attack, the team set up Yara rules to identify any usage of de-obfuscated attack files, explains Michael Gorelik, Morphisec CTO and vice president of R&D. On February 22, they noticed matching files appear in the wild and started an investigation.

They discovered the new campaign is very similar to the first one, save for a few changes the attackers made to evade static defenses. All malicious documents showed a low detection ratio on VirusTotal, and all next-stage artifacts were downloaded from a newly registered domain.

This campaign, which targeted about 1,000 people, was larger than the first but still aimed for specific victims. Its targets are scattered; victims’ email addresses range from website owners to post offices. Most can be used as attack distributors to larger populations, says Gorelik. Unlike the earlier campaign, these targets were distributed between Europe and the US.

“The attackers did care less about staying undetected and had a very short campaign which was carefully designed, since they did know that other solutions will update their signatures within one to three days,” he says.

Attackers slightly altered the malicious files by changing the encryption algorithm, though the shellcode was visible, he continues. They also used Word documents to deliver the exploit, which helped them succeed since the last campaign used compromised Excel files.

Emails used in the campaign included short links to a malicious website. Because the links were created with Google URL Shortener, analysts could view the click rate and mail host used. They learned victims opened these links through Outlook, Gmail, and Aruba.it, an Italian web host.

Gorelik doesn’t think the attackers behind the first campaign are responsible for this one.

“It looks like very different actors are behind it, and they are using the de-obfuscated variants of published PoCs, and de-obfuscated samples which do not support 64-bit code execution,” he explains. He expects other attackers will continue to take advantage of this exploit.

“We anticipated that this Flash exploit will be used in malspam campaigns very soon,” he says, adding that he predicts the same exploit will be used in drive-by attacks in the near future. “The vulnerability is very stable and easy to exploit and bypasses all existing security mechanisms.”

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threats from Mobile Ransomware & Banking Malware Are Growing

The number of unique mobile malware samples increased sharply in 2017 compared to a year ago, according to Trend Micro.

After years of focusing their attention largely on desktop systems, cybercriminals have, as expected, begun ramping up attacks on mobile devices.

Ransomware, banking malware, and other threats aimed at smartphones increased sharply in volume last year and will pose a growing threat to organizations and individuals in 2018 and beyond, Trend Micro said in a report released Monday.

In keeping with past trends, a vast majority of the threats affected Android devices and those downloading mobile applications from unofficial third-party stores.

But for the first time, people getting apps from Google’s official Play mobile app store were affected significantly as well. According to Trend Micro, it found 30,000 more malicious applications published on Google Play last year than it did in 2016. The threats were harder to detect because they often hid in encrypted traffic and behind legitimate application functionality.

Apple’s walled garden, though much harder to scale, wasn’t completely impervious, either. Many applications infected with adware and other unwanted functionality found their way to the company’s App Store. “Android is the predominant platform today for most malicious apps, including ransomware,” says Jon Clay, director of global threat communications for Trend Micro. “But iOS appears to be a platform that threat actors are starting to target due to the number of potential victims,” he adds. “Apple’s walled garden makes it a more difficult platform to compromise.”

Trend Micro’s report comes amid growing enterprise concerns over the threat to data security posed by mobile devices. Eighty-five percent of the respondents in a recent survey by Verizon’s wireless group said their organizations faced at least a moderate threat from mobile devices, with 74% saying those risks had increased over the past year. Four out of 10 see it as a “significant risk.” Over a quarter of respondents said their organizations had suffered at least one security incident involving a mobile device.

In 2017, Trend Micro’s Mobile App Reputation Service (MARS) analyzed more than 468,830 unique mobile ransomware samples. That number represented a 415% increase in new ransomware from 2016, according to the security vendor. Mobile ransomware detections were highest in China, which accounted for nearly one-third of all detections, followed by Indonesia, India, and Japan.

The most pervasive mobile ransomware in 2017 was SLocker, an Android file-locking malware tool that alone accounted for more than 424,000 of the unique samples that Trend Micro analyzed during the year.

The reason for SLocker’s pervasiveness stemmed from the fact that its authors released the malware’s source code publicly. This ensured that a lot more threat actors had access to the code and resulted in multiple versions of SLocker in the wild, each with different capabilities and ransom demands. One variant mimicked the user interface of the WannaCry crypto malware and was assembled using a do-it-yourself Android development kit, Trend Micro said.

On the (relatively) good news front, less than 1% of the mobile ransomware samples that Trend Micro spotted last year actually ended up hitting end-user devices. “When we look at the number of queries to our mobile app reputation service to see if an app is good or bad, they come back as detections around 0.27% of the time,” Clay says. “In raw numbers, we had 28 billion queries and 75 million detections,” he says.

A vast majority of the mobile ransomware that Trend Micro spotted last year was also not as sophisticated in capabilities as desktop versions of the malware. For instance, PC-based ransomware often uses obfuscation techniques that make it harder to detect than mobile versions, Clay says.

Ransomware was not the only mobile threat. In 2017, the number of unique mobile banking malware samples that Trend Micro spotted increased 94%, to 108,439.

With banking increasingly becoming an integral part of mobile device usage, attackers have begun building more-sophisticated capabilities into their mobile banking malware. “They blended in with legitimate processes — or masqueraded as one — to stay under the radar, steal more than just credit card data, and bypass security mechanisms,” Trend Micro noted.

For example, the security vendor pointed to BankBot, malware with phishing templates for 160 banks, equipped with anti-sandbox and anti-signature capabilities and capable of communicating with command-and-control servers using Google’s Firebase Cloud Messaging services. One BankBot version found its way to Google Play and was downloaded between 5,000 and 10,000 times last year alone, according to Trend Micro.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/mobile/threats-from-mobile-ransomware-and-banking-malware-are-growing-/d/d-id/1331140?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook bug reveals identity of page admin via email

A Mexican security researcher recently wrote up a Facebook bug he claims he found in just 2’18”.

Mohamed Baset spotted that autogenerated emails sent on behalf of a named Facebook page revealed more about the accounts behind the page than you’d expect.

This wasn’t exactly a show-stopping bug, but it was enough of a data leakage flaw for Facebook to fix it promptly and pay him a bug bounty of $2500.

The payout certainly brightened up Baset’s day more than his usual morning cup of coffee – the very cup he was drinking when the bug landed in his lap.

Simply put, Baset received an email inviting him to like a Facebook page on which he’d recently liked an individual post.

Page administrators can click a button to generate these emails automatically, aiming to convert readers who have shown an interest in something on a page into followers of the entire page.

That’s a bit like persuading occasional readers of your blog to subscribe to your newsletter, or getting intermittent podcast listeners to tap into your regular podcast feed: a positive engagement with a positive outcome.

Given that he hadn’t seen an email of this sort before from Facebook, Baset figured he might as well see what the raw content of the message looked like – after all, you never know what interesting mysteries might show up in the unprocessed HTML in the email body.

Lo and behold…

…visible in the raw HTML, but not in the on-screen rendering of the email, was the name of the page administrator who clicked the button that sent the message in the first place.

For many individual Facebook pages, the administrator and the page will share an identity, so putting the admin’s name in the page’s email isn’t really giving away much.

But for business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.

If nothing else, this protects individual employees from getting bombarded with comments and questions – whether they’re praises or rants – in place of the account itself.

What to do?

  • If you’re a Facebook page admin: you don’t have to do anything. Facebook already fixed this bug on its side.
  • If you’re a Facebook user: you don’t have to do anything. Facebook already fixed this bug on its side.
  • If you’re a bug hunter: always check in the obvious places first. Every bug is invisible until someone bothers to look for it.
  • If you’re a web programmer: for any web-based or email-based interaction, make a list of data you know should never be in your replies. When you’re testing, go out of your way to look for data that isn’t supposed to be there, so you find data leakage glitches before anyone else does.
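The “web programmer” advice above, as an added example that is not code from the Naked Security article or from Facebook: a test helper that scans the raw source of an outgoing email for values that must never be sent, and reports whether each hit sits in the visible text or in markup the rendered view hides (comments, attributes, headers). The sample email, its header names and the admin name “Jane Doe” are constructed for the example.

```python
"""
Test helper for data-leakage checks on generated emails or HTTP responses.

It searches the *raw* message, not the rendered view, because the Facebook
bug described above put the admin's name in HTML that the email client
never displayed. Each hit is tagged with where in the source it was found.
"""
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Leak:
    value: str    # the forbidden value that was found
    where: str    # "header", "text", "comment" or "attribute"
    context: str  # short snippet around the hit, for the test report


class _SourceWalker(HTMLParser):
    """Collects document pieces by origin so a hit can be attributed to the
    part of the source it came from (rendered text vs. hidden markup)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.text: list[str] = []
        self.comments: list[str] = []
        self.attributes: list[str] = []

    def handle_data(self, data: str) -> None:
        self.text.append(data)

    def handle_comment(self, data: str) -> None:
        self.comments.append(data)

    def handle_starttag(self, tag: str, attrs) -> None:
        for name, value in attrs:
            if value:
                self.attributes.append(f"{name}={value}")


def split_message(raw: str) -> tuple[str, str]:
    """Split a message into its header block and body at the first blank line."""
    headers, _, body = raw.partition("\n\n")
    return headers, body


def find_leaks(raw: str, forbidden: list[str]) -> list[Leak]:
    """Return every occurrence of a forbidden value anywhere in the raw message,
    matched case-insensitively and tagged with the part of the source it is in."""
    headers, body = split_message(raw)
    walker = _SourceWalker()
    walker.feed(body)
    walker.close()
    buckets = {
        "header": [headers],
        "text": walker.text,
        "comment": walker.comments,
        "attribute": walker.attributes,
    }
    leaks: list[Leak] = []
    for value in forbidden:
        needle = value.casefold()
        for where, chunks in buckets.items():
            for chunk in chunks:
                idx = chunk.casefold().find(needle)
                if idx != -1:
                    start, end = max(0, idx - 20), idx + len(value) + 20
                    leaks.append(Leak(value, where, chunk[start:end].strip()))
    return leaks


def hidden_leaks(raw: str, forbidden: list[str]) -> list[Leak]:
    """Leaks a reader of the rendered message would never see: anything that is
    not in the visible text. These are the ones a visual check will miss."""
    return [leak for leak in find_leaks(raw, forbidden) if leak.where != "text"]


# Constructed sample: a page-invite email as a hypothetical generator might emit
# it. The admin's name appears only in a custom header, an HTML comment and a
# data- attribute, so the rendered email looks clean while the source leaks it.
SAMPLE_EMAIL = """\
From: Example Page <notify@example.invalid>
To: fan@example.invalid
Subject: Like Example Page?
X-Sent-By: page-tools (operator: Jane Doe)

<html><body>
<!-- invite triggered by Jane Doe via the 'Invite' button -->
<p>You liked a post from <b>Example Page</b>. Like the page to see more.</p>
<a href="https://example.invalid/like?page=42" data-sender="Jane Doe">Like Page</a>
</body></html>
"""

# Values that must never reach a recipient: the identities behind the page.
NEVER_SEND = ["Jane Doe", "jane.doe@example.invalid"]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_EMAIL, NEVER_SEND):
        print(f"{leak.where:9} {leak.value!r} in ...{leak.context}...")
```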


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MhOljM4BybA/

Insecure CCTV feeds of kids at school are being streamed live online

Live video feeds from UK schools are being streamed by a website that collects them from cameras that aren’t properly protected with passwords.

That is, feeds of restrooms, playgrounds and corridors, both inside and outside the buildings, that show school kids as young as infants, teachers, parents and cleaning staff – all freely available to any creep or crook who likes that kind of thing.

The Daily Mail picked up on the site’s antics, reporting on Sunday that it was seeing live feeds from security cameras in “at least” four British schools.

The publication didn’t mention the name of the site. But it did report that the site boasted this:

Watch live surveillance cameras in the UK

…a search term that points to a site found to be doing the exact same thing in the past. In 2014, reporters at the Daily Mail found that a similar site was streaming feeds from IP cameras in the UK that showed lots more besides schoolkids, including:

  • Babies in cots
  • A schoolboy playing on his computer at home in North London
  • Another boy asleep in bed
  • The inside of a Surrey vicar’s church changing room
  • An elderly woman relaxing in an armchair
  • Two men in a kitchen sharing a meal

I checked in on that company to find out if it’s responsible for the material the Daily Mail found this time around, which included:

  • Footage from a CCTV camera installed in a toilet at Summerhill School in Kingswinford, West Midlands. Last year, after parents found out about the cameras, they called the surveillance “intrusive” and “creepy,” reporting that some kids were refusing to use the toilets. Terrible for the bladder, but still, smart kids! In November, the BBC reported that school administrators had claimed that “no cameras are directed towards sensitive areas including cubicles or urinals”. However, one of the stills shown in the Daily Mail’s recent report comes from a camera squarely pointed at a pair of urinals at Summerhill.
  • Seven CCTV cameras being live streamed from Highfield Leadership Academy in Blackpool, whose student body includes 1,130 pupils aged between 11 and 16.
  • Infant school children leaving their classrooms and being picked up by parents at St Mary’s Catholic Academy in Blackpool, which has 1,188 students enrolled.

The site the Daily Mail reported on in 2014 still calls itself the world’s biggest directory of online surveillance security cameras: one that lets you pick a country from which to watch “live street, traffic, parking, office, road, beach, earth online webcams,” all live, all available online because they aren’t secured with a password.

But the site also assures visitors that it’s now only offering feeds from “filtered cameras,” whatever that means. At any rate, the site says that at this point, “none of the cameras … invade anybody’s private life” and that if any “private or unethical camera” is found, it “will be removed immediately upon email complaint.”

Mind you, we have no clue if this is the same site. I asked, and I’ll update the story if I hear back.

In the meantime, the Daily Mail reports that staffers at St Mary’s and Highfield “strengthened” their passwords, “thereby removing cameras from the site.” Likewise, Jeremy Hartley, of the Eric Wright Group, which runs CCTV systems at two of the schools, said that the camera feeds were “immediately” taken offline and that technology experts are investigating the breach and the cause.

The site is reportedly in the US. It’s denied wrongdoing, saying that cameras simply need more security. The UK’s Information Commissioner’s Office has launched an investigation.

Is it a privacy breach, when someone isn’t using a password on their IP camera, or they don’t change the default password it shipped with?

Absolutely. Back in the 2014 incident, Jay Leiderman, a US lawyer with experience in computer intrusion cases, said that streaming private video streams is flagrantly breaking US law:

It is a stunningly clear violation of the Computer Fraud and Abuse Act (CFAA).

Even if you use that withered old prune “password” as a password, it’s still illegal for somebody to access your device unless they’ve been authorized to do so. As these types of sites are happy to point out, it doesn’t require “hacking” to find unsecured video feeds online. The FAQ for one of them even provides links to tools that do the searching for you.

But please don’t. The people being spied on aren’t guilty of whatever lax security in the internet-enabled cameras allowed their privacy to be invaded.

Yes, people with IP cameras can change their default passwords, and they absolutely should. But in many cases, these cameras are installed by third parties who should do so but don’t. That’s no good reason to invade the homes – or schools – of their hapless clients.

Whether the cameras are in locker rooms, nurseries, people’s homes, or trained on our kids, if somebody else has installed a camera for you or for any of your colleagues, friends or family, please do grill the installer for details on what type of password the device shipped with: whether it was unique to the device (preferable) or required a password change upon installation (ditto) or whether it had a default password that needs changing.

If it does have a default password, please change it to something unique and hefty! If it has no password at all? Ditto!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q8Wr9QgEaLQ/