Tuesday, May 31, 2016

Tor Browser 6.0 released

The Tor Browser lets you use Tor on Windows, OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is portable.

Tor Browser 6.0 is now available. Some of the improvements include:

  • Code-signing for OS X systems is introduced. This should help users who had trouble with getting the Tor Browser to work on their Mac due to Gatekeeper interference.
  • The release features new privacy enhancements and disables features potentially harmful in a Tor Browser context.
  • SHA-1 certificate support is disabled, and the updater no longer relies on the signature alone: it also checks the hash of the downloaded update file before applying it.
  • Version 6.0 fixes a DLL hijacking vulnerability in the Windows installer.
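The layered update check described in the release notes, as an added illustration that is not Tor Browser's own updater code: a signed manifest names the expected digest of the update file, and the updater accepts the file only if both the manifest signature and the file hash verify, while refusing manifests that still name SHA-1. The HMAC standing in for the real public-key signature, the manifest fields and the sample payload are assumptions made for this example.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed trust anchor. An HMAC key stands in for the updater's real
# public-key signature verification (assumption for this example only).
TRUSTED_KEY = b"constructed-demo-key-not-a-real-secret"

ACCEPTED_HASHES = {"sha256"}  # SHA-1 is deliberately absent from this set


def sign_manifest(manifest: dict, key: bytes = TRUSTED_KEY) -> str:
    """Produce the manifest 'signature' (HMAC-SHA256 over canonical JSON)."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes = TRUSTED_KEY) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the key."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_update(manifest: dict, signature: str, update_bytes: bytes) -> Tuple[bool, str]:
    """Accept the update only if the manifest signature verifies AND the file
    matches the digest the manifest names. A valid signature alone is not enough:
    it proves who published the manifest, not that this file is the one it lists."""
    if not verify_manifest(manifest, signature):
        return False, "manifest signature invalid"
    algo = manifest.get("hash_algorithm")
    if algo not in ACCEPTED_HASHES:
        return False, f"unsupported hash algorithm {algo!r}"
    if len(update_bytes) != manifest.get("size"):
        return False, "update file size mismatch"
    actual = hashlib.new(algo, update_bytes).hexdigest()
    if not hmac.compare_digest(actual, manifest["digest"]):
        return False, "update file hash mismatch"
    return True, "ok"


# Constructed sample update payload and its manifest
GOOD_UPDATE = b"tor-browser-6.0 update payload (constructed sample bytes)"
MANIFEST = {
    "version": "6.0",
    "hash_algorithm": "sha256",
    "digest": hashlib.sha256(GOOD_UPDATE).hexdigest(),
    "size": len(GOOD_UPDATE),
}
SIGNATURE = sign_manifest(MANIFEST)

# A manifest that still names SHA-1, as an out-of-date publisher might produce
LEGACY_MANIFEST = dict(MANIFEST, hash_algorithm="sha1", digest=hashlib.sha1(GOOD_UPDATE).hexdigest())
LEGACY_SIGNATURE = sign_manifest(LEGACY_MANIFEST)

if __name__ == "__main__":
    print(verify_update(MANIFEST, SIGNATURE, GOOD_UPDATE))
    # Same-length tampering: the manifest signature is still valid, the file is not
    tampered = bytes([GOOD_UPDATE[0] ^ 0x01]) + GOOD_UPDATE[1:]
    print(verify_update(MANIFEST, SIGNATURE, tampered))
    print(verify_update(LEGACY_MANIFEST, LEGACY_SIGNATURE, GOOD_UPDATE))
```

The order of checks matters: the signature is verified before anything in the manifest is trusted, and the hash algorithm is validated before it is used, so a manifest cannot downgrade the client to a weak digest.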

from Help Net Security http://ift.tt/1VuVfwq

Identity fears are holding back the sharing economy

Businesses operating in the sharing economy are being held back by consumer fears over trust in the identity of the other party in the transaction, according to a new report from HooYu, a global identity confirmation service.

It reveals that despite rapid growth from millions of users sharing, swapping and renting, over two thirds (68%) of British people have not yet conducted an online peer-to-peer transaction such as buying something from an online marketplace or renting a holiday property.

Participation is markedly higher in the United States where nearly seven out of ten people (69%) have already conducted such peer-to-peer online transactions. The difference is particularly stark in the proportion of consumers who have bought or sold an item via an online marketplace such as Gumtree or Craigslist, with 39% having done so in the US compared to just 11% in the UK.

A key finding of the study is that in both the UK and the US, consumers are unlikely to conduct peer-to-peer online transactions without first obtaining assurance about the other person’s identity. Six out of 10 respondents (61%) would not trust the other party without checking their identity, or were unsure whether they would, compared to 39% who were either happy to trust or would do so with reservations before obtaining such assurance.

Eight in 10 (79%) respondents stated they would be much more likely to trust a stranger online if they were sent an in-depth ID confirmation report about the person they were dealing with.


from Help Net Security http://ift.tt/1TWAjvV

GDPR: Essential glossary

GDPR is the acronym for General Data Protection Regulation, itself a shorthand for “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016”. It is a European privacy legal framework directly applicable in all 28 EU countries and regulating personal data flows of individuals based in the European Union.

It entered into force (becoming part of the EU legal order, but not yet enforceable) on 24 May 2016, twenty days after its publication in the Official Journal, and applies, i.e. becomes enforceable, from 25 May 2018.

It repeals (replaces) Directive 95/46/EC, the previous data protection law adopted by EU Member States with considerable variation among them, by simplifying rules for data controllers, imposing for the first time obligations also on data processors, strengthening rights for data subjects (individuals), making personal data breach notification compulsory and, generally, striving for one continent, one rule handling of personal data across the Union. It is one more step towards the longer-term strategy for a European Digital Single Market.

Its reach is extraterritorial: the GDPR regulates the processing (handling) of personal data of individuals in the EU by controllers or processors established outside the EU where that processing relates to offering them goods or services or to monitoring their behaviour, wherever the data may be stored or processed round the world. It also applies to anyone’s personal data if the data controller or processor is established in the EU. The GDPR does not apply where controllers and processors are established entirely outside the EU and neither offer goods or services to, nor monitor the behaviour of, individuals in the EU.

The GDPR is not intended to cover the protection of individual’s fundamental rights to privacy in the context of criminal investigations, covered by a distinct, but parallel Directive: “Directive (EU) 2016/680 on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities”.

Companies are expected to be fully compliant by May 25th 2018 and Help Net Security will be publishing updated guidance notes in the 24-month run up period.

GDPR essential glossary

Data Subject: an identified or identifiable natural person to whom personal data relates.

Personal Data: any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier: ID number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Data Controller: the natural or legal person, public authority, agency or other body which alone, or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by European Union law or Member State law, the controller, or the specific criteria for its nomination, may be designated by European Union law or by Member State law.

Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Processing: any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasure or destruction.

Profiling: any form of automated processing of personal data that uses it to evaluate, analyse or predict certain personal aspects of a natural person. Aspects explicitly listed in the text of the GDPR are: performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation: the processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and technical and organisational measures are used to ensure non-attribution to an identified or identifiable person.
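A concrete reading of the definition above, as an added example that is not part of the original glossary: the pseudonym is a keyed hash (HMAC) of the identifier, and the key, together with the re-identification table, is the “additional information” that must be kept separately. It also shows why an unkeyed hash of an e-mail address is a weak pseudonym: anyone holding a list of candidate addresses can recompute it and re-identify the records. The sample records, the key and the candidate list are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed sample records: fictitious people, not real data.
RECORDS = [
    {"email": "alice@example.org", "plan": "pro", "country": "DE"},
    {"email": "bob@example.net", "plan": "free", "country": "FR"},
    {"email": "carol@example.com", "plan": "pro", "country": "IE"},
]

# Candidate list an attacker might hold (e.g. from an unrelated breach).
CANDIDATE_EMAILS = ["alice@example.org", "bob@example.net", "mallory@example.org"]


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256. Deterministic and keyless, so anyone can recompute it for a
    guessed identifier: on its own this is not adequate pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def make_keyed_hash(key: bytes) -> Callable[[str], str]:
    """HMAC-SHA256 under a key. The key is 'additional information' that must be
    kept separately from the pseudonymised dataset."""
    def keyed(identifier: str) -> str:
        return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return keyed


class ReidentificationVault:
    """Pseudonym -> identifier mapping, held by a separate component under its own
    access control (here simply a separate object)."""
    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def record(self, pseudonym: str, identifier: str) -> None:
        self._table[pseudonym] = identifier

    def lookup(self, pseudonym: str) -> Optional[str]:
        return self._table.get(pseudonym)


def pseudonymise(records: List[dict], fn: Callable[[str], str],
                 vault: Optional[ReidentificationVault] = None) -> List[dict]:
    """Replace the direct identifier with a pseudonym; keep the other attributes."""
    out = []
    for rec in records:
        pseudonym = fn(rec["email"])
        if vault is not None:
            vault.record(pseudonym, rec["email"])
        out.append({**{k: v for k, v in rec.items() if k != "email"}, "subject_id": pseudonym})
    return out


def dictionary_attack(pseudonymised: List[dict], candidates: List[str],
                      guess_fn: Callable[[str], str]) -> Dict[str, str]:
    """What an attacker holding only the dataset and a candidate list can do:
    recompute the pseudonym for each guess and look for matches."""
    lookup = {guess_fn(c): c for c in candidates}
    return {r["subject_id"]: lookup[r["subject_id"]]
            for r in pseudonymised if r["subject_id"] in lookup}


if __name__ == "__main__":
    weak = pseudonymise(RECORDS, unkeyed_hash)
    print("unkeyed hash, re-identified:", dictionary_attack(weak, CANDIDATE_EMAILS, unkeyed_hash))
    vault = ReidentificationVault()
    strong = pseudonymise(RECORDS, make_keyed_hash(b"constructed-demo-key"), vault)
    print("keyed hash, re-identified:", dictionary_attack(strong, CANDIDATE_EMAILS, unkeyed_hash))
    print("with the vault:", vault.lookup(strong[0]["subject_id"]))
```

The keyed dataset stays useful for analysis (the same person always maps to the same pseudonym) while attribution requires either the key or the vault, which is exactly the separation the definition asks for.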

Data Subject’s Consent: any freely given, specific, informed, unambiguous indication of his/her wish by which the data subject, by statement or clear affirmative action, signifies agreement to personal data relating to them being processed.

Personal Data Breach: breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Binding Corporate Rules: personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity.

Principles: All of the fundamental principles in the GDPR are further “translated” into detailed rights for the individual and corresponding obligations for the organisation. Additionally all of the principles are reinforced with the overarching Accountability principle: this means that organisations (Data Controllers) not only must follow each Data Protection principle, but must also be able to prove how they are putting each into practice.

The GDPR does not offer many technical specifications, and organisations are free in the choice of technical or organisational measures they adopt to comply. However, all will have to put in place some sort of audit trail, data tagging or metadata framework to show how personal data is handled in accordance to the principles.

Legality Principle: Personal data must be processed only on the basis of one of the legal grounds specified by the GDPR. In practice, this means that for any personal data element processed, an organisation must be able to indicate on which of the following list of grounds it is processing it:

1. Individual’s own consent.
2. Contract with the individual.
3. Complying with an existing legal obligation.
4. Necessary to protect the vital interests of a person.
5. Necessary for a task in the public interest or in the exercise of public authority.
6. Necessary in the pursuit of the legitimate interest of the organisation or a third party.

Transparency Principle: Any information the data controller (organisation) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in an easily accessible form. When a data subject exercises one of their rights, the controller must respond without undue delay and at the latest within one month, in writing. The controller can refuse only if it can demonstrate that it is not in a position to identify the data subject. If the controller does not act on the request, it must inform the data subject within a month at the latest of the reasons for not acting, of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy. Information must be provided free of charge, unless requests are manifestly unfounded, excessive or repetitive, in which case the controller may charge a reasonable administrative fee, but it bears the burden of proving the unfounded or excessive character of the request.

Fairness Principle: Fairness is achieved when the Data Controller has put in place working procedures for the Data Subject to exercise in an effective manner the following rights:

1. Right of access to the data (to know what data is held about the individual).
2. Right to rectification of the data.
3. Right to erasure of the data (to be forgotten).
4. Right to restriction of processing.
5. Right to data portability (to be given personal data in a structured and commonly used and machine-readable format and transmit such data to another controller).
6. Right to object to the processing of personal data, including profiling.
7. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects him/her.

Purpose Limitation Principle: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing for archiving in the public interest, for scientific or historical research or for statistical purposes is not considered incompatible with the initial purposes.

Minimisation Principle: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy Principle: Personal data must be accurate and kept up to date and every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.

Storage Limitation Principle: Personal data must be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes. Data may be stored for longer periods only for public interest archiving, scientific, historical or statistical research purposes.

Integrity and Confidentiality Principles: Personal data must be processed using appropriate technical and organisational security measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Accountability Principle: The Controller is responsible for, and must be able to demonstrate, compliance with all the principles listed above.


from Help Net Security http://ift.tt/1UtnLMy

Improving software security through a data-driven security model

The current software security models, policies, mechanisms, and means of assurance are a relic of the times when software began being developed, and have not evolved along with it, says Google researcher Úlfar Erlingsson. Practical security of computer users has, therefore, worsened, even as a plethora of computer security mechanisms have been introduced time and time again.

Erlingsson proposes a new data-driven software security model to improve user and system security.

“When deciding whether software should be permitted to perform a security-relevant action, it seems like a good idea to consider the historical evidence of what actions that software has performed in the past,” he noted.

“For popular, widely-used software, there are literally billions of executions from which to draw such historical evidence, thereby allowing a very accurate view of what constitutes ‘normal’ software execution to be established.”

He posits that this “historical” information, properly summarized and used along with the software, could support this new security model, which says: “Permit only executions that historical evidence shows to be common enough, unless given explicit, special permission.”

“This model could, by default, prevent many software attacks, such as privilege-escalation exploits of the vulnerabilities regularly discovered in esoteric operating system services,” says Erlingsson. “Most recently, this model’s enforcement would have blocked exploits of the CVE-2016-0728 vulnerability by prohibiting use of the Linux keyctl system call in commonly-used applications, since historical evidence would have shown that this software never used keyctl or kernel keyrings.”
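The model in the paragraph above reduced to a runnable sketch, as an added example that is not Erlingsson's or Google's code: per-program syscall profiles are built from historical execution traces, and an action is permitted only if it was common enough in that history or has been explicitly granted. The traces, program names, frequency threshold and the keyctl scenario are constructed; the real system would aggregate evidence from a very large number of executions, for which this toy data only stands in.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed historical traces: (program, syscalls used in one execution).
# Stand-in for evidence aggregated from a very large number of real runs.
HISTORICAL_TRACES = [
    ("browser", ["read", "write", "mmap", "openat", "socket", "connect", "futex"]),
    ("browser", ["read", "write", "mmap", "openat", "socket", "connect", "futex", "clone"]),
    ("browser", ["read", "write", "mmap", "openat", "socket", "connect", "futex"]),
    ("browser", ["read", "write", "mmap", "openat", "socket", "connect", "futex", "clone"]),
    ("browser", ["read", "write", "mmap", "openat", "ioctl"]),   # ioctl seen in 1 of 5 runs
    ("keyring-tool", ["read", "write", "keyctl", "add_key"]),
    ("keyring-tool", ["read", "write", "keyctl", "add_key", "request_key"]),
]


def build_profile(traces, min_frequency: float) -> Dict[str, Set[str]]:
    """Per program, the set of syscalls used in at least min_frequency of its
    recorded executions: the 'common enough' evidence the model relies on."""
    runs: Counter = Counter()
    seen: Dict[str, Counter] = defaultdict(Counter)
    for program, syscalls in traces:
        runs[program] += 1
        for s in set(syscalls):           # count once per execution, not per call
            seen[program][s] += 1
    return {p: {s for s, n in seen[p].items() if n / runs[p] >= min_frequency}
            for p in runs}


class HistoricalPolicy:
    """Permit only executions that history shows to be common enough, unless
    given explicit, special permission."""

    def __init__(self, profile: Dict[str, Set[str]],
                 explicit: Optional[Dict[str, Set[str]]] = None) -> None:
        self.profile = profile
        self.explicit = explicit or {}

    def decide(self, program: str, syscall: str) -> Tuple[str, str]:
        if syscall in self.explicit.get(program, set()):
            return "allow", "explicit permission"
        if program not in self.profile:
            return "deny", "no historical evidence for this program"
        if syscall in self.profile[program]:
            return "allow", "common in historical evidence"
        return "deny", "not common enough in historical evidence"

    def violations(self, program: str, execution: List[str]) -> List[Tuple[str, str]]:
        """Syscalls in a new execution that the policy would block, with reasons."""
        return [(s, why) for s in execution
                for verdict, why in [self.decide(program, s)] if verdict == "deny"]


if __name__ == "__main__":
    policy = HistoricalPolicy(build_profile(HISTORICAL_TRACES, min_frequency=0.5))
    # An exploit attempt: the browser suddenly calls keyctl, which history says it never does.
    print(policy.violations("browser", ["read", "mmap", "keyctl", "write"]))
    print(policy.decide("keyring-tool", "keyctl"))
    # Lowering the threshold admits the rare ioctl; raising it blocks it.
    print(HistoricalPolicy(build_profile(HISTORICAL_TRACES, 0.2)).decide("browser", "ioctl"))
```

The threshold is the policy knob: set too low, rarely exercised but legitimate behaviour is admitted along with anything an attacker managed to get into the evidence; set too high, uncommon legitimate paths break and need the explicit-permission escape hatch.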

This approach could be used either on its own or combined with existing security models.

Erlingsson is aware that there may be obstacles to implementing it, and that it hinges on the efficient monitoring of how software is behaving, and that monitoring this behavior should be executed without intruding on users’ privacy.

But, these things can be achieved, he believes, and machine learning methods can help discover users’ expectations for intended software behavior, and thereby help set security policy.

In his paper, he also gives examples of how Google has already performed or implemented each of these three elements: efficient monitoring of software behaviour, collecting that evidence without intruding on users’ privacy, and deriving policy from it with machine learning.


from Help Net Security http://ift.tt/1RIZBZQ

Twitter paid out $322,420 in bug bounties

Researchers have proven that bug bounties are a cheaper way for discovering vulnerabilities than hiring full-time bug hunters would be and, in the last few years, many Internet and tech companies have instituted such programs.

The security community has praised those who have, and the companies themselves are satisfied with the results.

Take for example Twitter. Its bug bounty program, started in May 2014, has led to 5,171 submissions and the discovery of an unspecified number of vulnerabilities, some of which were pretty serious.

The highest amount paid out to a researcher for a vulnerability report was $12,040, but in two years no bug hunter earned the minimum amount for a remote code execution flaw ($15,000).

All in all, the company gave out $322,420 to researchers in two years, and in 2015 alone, a single researcher got over $54,000 for reporting vulnerabilities to the Twitter security team.

“Since launching the program we’ve seen impressive growth in both the number of vulnerabilities reported and our payout amounts, reflecting our rising payout minimums and also the growing community of ethical hackers participating in the program,” says Twitter software engineer Arkadiy Tetelman.

“We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities in Twitter, and we look forward to continuing our good faith relationship in 2016 and beyond.”

With the rapid growth of the bug bounty economy, they can count on it.


from Help Net Security http://ift.tt/1qZWdE3

Ditch the Oven and Make Delicious, Quick Croutons On the Stove


Making homemade croutons for a salad is usually a process that’s easy enough, but you have to fire up the oven to do it. This method from Bon Appetit shows you how to do it on the stove in a fraction of the time, and infuse a ton of herb and garlic flavor.

The oven method is still best if you have the time to let those flavors develop slowly over time—or if you need a lot of croutons—but this stovetop method is super quick, and makes enough for a weeknight dinner, maybe for two. Just tear up some bread, preferably the day old stuff, into bite-size pieces. Saute some crushed garlic cloves in a little olive oil in a pan, and add some rosemary and thyme to add some herbaceous flavor. Once they’ve warmed up a bit, toss in the bread.

Saute until the bread pieces are crispy and brown, but the kicker is to keep them moving in the pan so they don’t get too dark on any one side, and not to add any more oil than you have to so the bread doesn’t get soggy. Oh, and keep the heat down, so the bread doesn’t burn. Check out the whole process in the video above, or hit the link below to check it out at YouTube.

How to Make Stovetop Croutons | Bon Appétit


from Lifehacker http://ift.tt/1XLL1I8

The future of Identity Management: Passwords and the cloud

Compromised credentials are still the cause of almost a quarter of all data breaches, according to the Cloud Security Alliance. With a surge in cybercrime, it’s no wonder that the global identity and access management (IAM) market is expected to reach USD 24.55 billion by 2022, according to Research and Markets.

“Identity Management will serve as the central hub that other services leverage for threat detection, policy enforcement, and overall governance. Examples are CASB and SIEM integration,” Alvaro Hoyos, CISO at OneLogin, told Help Net Security.

“More governance related features like more full featured security workflows, more access and authentication monitoring, ability to make better decisions about what applications to bring into the ecosystem that has the identity management solution as its base. In addition, identity management is key for our professional and personal lives, so serving both B2B and B2C needs simultaneously might have higher demand. Features such as social sign-in are a clear indicator of this trend,” he added.

Passwords in the enterprise

Passwords in the enterprise were never really that secure in the first place. But in the absence of anything else, they were long the de facto standard.

“Perhaps the most significant change will be the abandonment of the username and password convention that was created nearly 40 years ago for more simple needs and networks. In its place will be multi-factor authentication,” says Brian Spector, CEO of MIRACL.

“Regardless of the device or factors that initiate or complete the authentication, what will be required for the success of security on the Internet is both the simplicity with which authentication can take place from a user’s perspective and the easing of administrative investment required from the service side,” he added.

Identity and the cloud

The cloud already has a strong impact on the daily lives of many people and businesses. Improved trust and security are critical to encouraging continued wide-scale cloud adoption, and resolving the question of trust within the cloud is what allows organizations of all sizes to realize the benefits of cloud computing.

“The liability faced by cloud service providers will continue to increase as identity management becomes ubiquitous in both our business and personal lives. The increased frequency of successful breaches will also have an impact on how companies deal with that liability, and cybersecurity insurance will be more closely tied to the work companies are doing to reduce risks,” says Hoyos.


from Help Net Security http://ift.tt/1TTzyUc

65 million Tumblr users’ email addresses, passwords sold on dark web

Email addresses and hashed and salted passwords of 65 million Tumblr users are being sold online by “peace_of_mind,” aka “Peace”, the individual that recently offered for sale LinkedIn users’ data dating back to a 2012 breach.

The account credentials stolen from Tumblr are also old – according to researcher Troy Hunt, they were stolen in the site’s February 2013 breach.

Tumblr warned about it earlier this month, but neglected to tell how many users are affected.

“We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password,” they said.

Peace is selling the lot for less than half a bitcoin (around $150), so it seems that the passwords are relatively safe from cracking but, as many have pointed out, a list of emails of 65 million Tumblr users can come in handy for mounting phishing attacks – something that the Tumblr team failed to warn about.

Hunt notes that all of these breaches (including the MySpace one announced recently) date back a few years.

“There’s been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can’t help but wonder if they’re perhaps related. One explanation may be related to the presence of these breaches being listed for sale on the dark market,” he mused.

“These 3 are all listed by peace_of_mind and by all accounts, this individual is peddling a quality product. Apparently, buyers are happy. Now this is not to say that peace is the guy who’s hacking into these sites and indeed attribution can be hard, particularly after so much time has passed by since the sites were actually attacked. But certainly there’s a trend here which is hard to ignore.”

Time will tell if there will be other similar revelations.

In the meantime, you can check via the Have I been pwned? service whether your email address appears in the data offered for sale.


from Help Net Security http://ift.tt/1PeGjRS

Monday, May 30, 2016

How visibility can help detect and counter DDoS attacks

It’s been proven that preventive medical strategies are more cost-effective for treatment and better solutions to support long-term health than reactive medical measures. Anticipating issues and preparing for and supporting healthy systems is simply more logical than troubleshooting and fixing things when they go wrong.

The same concept has been successfully used in IT security for years and it should be no different when planning for DDoS attacks. But despite their relatively predictable nature and deployment, too many IT execs seem to be caught by surprise when a DDoS attack hits home. Can we stop DDoS attacks from happening? Unlikely. Can we mitigate the impact or head it off at the pass? Absolutely.

The most expedient way to prepare for and quickly respond to an attack is to increase visibility into Internet assets, so DDoS attacks can be spotted as they’re gaining traction and mitigated in short order. Knowing what your network’s normal behaviour looks like via an internet performance management system means you will be able to more readily tell when an attack is underway so you can spring into action.

Of course there are times when your network is going to experience legitimately higher volumes of traffic. Whether or not it’s to mitigate DDoS attacks, businesses must provision for enough server capacity, tuned for best performance under high load. Build the biggest network you can with effective elements for advanced mitigation. Yes, this is adding expense, but given the well documented consequences of a DDoS attack – or indeed any downtime – it’s one that’s easily justifiable if you’re facing a battle with the procurement department.

The theory is sound, but it is useful to examine a real-life instance of what best practice looks like once internet performance monitoring has warned that a DDoS attack is underway.

Newspaper under DDoS attack

Sözcü is a popular Turkish daily newspaper. Like so many print publications around the world, it is increasingly reliant on its online offering to drive revenue into the business. It serves its web content from a large number of endpoints behind different providers around the world. Regularly the target of DDoS attacks, Sözcü uses traffic management tools to manage its endpoints and ensure visitors only connect to healthy endpoints.

Unbeknown to site visitors, this happens all the time, without their service being interrupted. Recently though, the newspaper suffered an attack that was much larger than usual at 40Gbps, lasting several hours. During this period, the attackers targeted all of Sözcü’s endpoints at some point. As usual, their traffic management system’s load balancing capabilities had reacted by actively removing unhealthy endpoints from being served up to site visitors. But critically, it was then re-adding them as the attackers moved on to other endpoints.

In effect, the attackers were playing a game of whack-a-mole with Sözcü’s infrastructure. But despite the service being unavailable for some users – site visitors dropped from a ‘normal’ level of 37,000 down to 25,000 – during the attack, Sözcü was able to hobble through the attack and stay online for the majority of people. Critically, they stayed out of the headlines.
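The two mechanisms in this case study, baseline-based detection and health-checked endpoint rotation, as an added example that is not Sözcü’s or any vendor’s code: a robust rolling baseline (median and median absolute deviation) over per-minute request counts flags the flood without letting the flood itself become the new normal, and an endpoint pool with hysteresis removes endpoints after consecutive failed health checks and re-adds them after consecutive successes, which is the whack-a-mole behaviour described above. The traffic samples, thresholds and endpoint names are constructed for the example.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed per-minute request counts for one endpoint. Real values would come
# from the internet performance monitoring system's metrics.
NORMAL_MINUTES = [980, 1010, 1050, 995, 1020, 1000, 1040, 1015, 990, 1030, 1005, 1025]
LIVE_MINUTES = [1010, 1035, 4200, 18500, 41000, 39800, 2100, 1020]


def baseline(history: List[int]) -> Tuple[float, float]:
    """Robust baseline: median and median absolute deviation (MAD). Unlike mean
    and standard deviation, a few extreme samples do not drag these along."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med, mad


def is_anomalous(value: int, med: float, mad: float, k: float = 6.0, floor: float = 50.0) -> bool:
    """Flag a sample that exceeds median + k * max(MAD, floor). The floor keeps a
    very flat baseline from turning ordinary jitter into alerts."""
    return value > med + k * max(mad, floor)


def detect(history: List[int], stream: List[int], window: int = 12) -> List[Tuple[int, int, bool]]:
    """Sliding-window detection. Only samples judged normal are fed back into the
    baseline, so a sustained flood cannot redefine 'normal' and silence itself."""
    hist = list(history)
    verdicts = []
    for i, value in enumerate(stream):
        med, mad = baseline(hist[-window:])
        flagged = is_anomalous(value, med, mad)
        verdicts.append((i, value, flagged))
        if not flagged:
            hist.append(value)
    return verdicts


class EndpointPool:
    """Health tracking with hysteresis: consecutive failed checks take an endpoint
    out of rotation, consecutive successes put it back. This is what lets the pool
    follow an attacker who moves from endpoint to endpoint."""

    def __init__(self, names: List[str], fail_threshold: int = 2, recover_threshold: int = 3) -> None:
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.state: Dict[str, dict] = {n: {"healthy": True, "fails": 0, "oks": 0} for n in names}

    def observe(self, name: str, ok: bool) -> bool:
        """Record one health-check result; return whether the endpoint is in rotation."""
        s = self.state[name]
        if ok:
            s["fails"], s["oks"] = 0, s["oks"] + 1
            if not s["healthy"] and s["oks"] >= self.recover_threshold:
                s["healthy"] = True
        else:
            s["oks"], s["fails"] = 0, s["fails"] + 1
            if s["healthy"] and s["fails"] >= self.fail_threshold:
                s["healthy"] = False
        return s["healthy"]

    def in_rotation(self) -> List[str]:
        return [n for n, s in self.state.items() if s["healthy"]]


if __name__ == "__main__":
    for minute, value, flagged in detect(NORMAL_MINUTES, LIVE_MINUTES):
        print(f"minute {minute}: {value:>6} req/min {'ATTACK?' if flagged else 'ok'}")
    pool = EndpointPool(["eu-1", "us-1", "ap-1"])
    for ok in (False, False):          # eu-1 saturated by the flood
        pool.observe("eu-1", ok)
    print("serving:", pool.in_rotation())
    for ok in (True, True, True):      # attackers moved on; eu-1 recovers
        pool.observe("eu-1", ok)
    print("serving:", pool.in_rotation())
```

The recovery threshold is higher than the failure threshold on purpose: pulling an endpoint quickly protects users, while re-adding it slowly avoids flapping when probes only intermittently get through during the attack.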

Improvements to the distribution of traffic across all of an organisation’s data centres and content delivery networks, as well as the visibility to plan for and monitor internet performance, is critical to an organisation’s ability to effectively respond to any DDoS attack. But it’s also being used to optimise performance when the network isn’t under attack, and enable migration and critical infrastructure planning to provide the best user experience possible.

Planning for DDoS attacks should be a major consideration of any effective internet performance management strategy, rather than a problem tackled in isolation.


from Help Net Security http://ift.tt/1TUfqTk

Global profiles of the typical fraudster

Technology is an important tool to help companies fight fraud, but many are not succeeding in using data analytics as a primary tool for fraud detection. Meanwhile, fraudsters are leveraging technology to perpetrate fraud, according to a new report by KPMG.

Technology significantly enabled 29 percent of the 110 fraudsters analyzed by KPMG in North America and 24 percent of the 750 fraudsters analyzed worldwide. However, proactive data analytics was not the primary means of detection in any North American frauds, and organizations only used data analytics to detect 3 percent of fraudsters worldwide. In descending order, North American frauds were most often detected by tip offs and complaints, management review, accidentally, suspicious superiors and internal audit.

“Companies can use advanced data analytics technology to search for suspicious and unusual business activity amid millions of daily transactions,” said Phillip Ostwalt, partner and Global Investigations Network Leader at KPMG LLP. “However, many are not capitalizing on such technology while fraudsters find new ways to gain access to confidential information, manipulate accounting records and camouflage misappropriations.”

In instances where fraudsters used technology to perpetrate frauds in North America, 35 percent included creation of false or misleading information in accounting records; 29 percent involved providing false or misleading information via email or another messaging platform; and 21 percent involved abusing permissible access to computer systems.

A higher proportion of frauds aided by technology may be skirting internal controls designed to detect them. Twenty-five percent of frauds significantly enabled by technology were detected by accident rather than by other means, whereas 10 percent that did not use technology were spotted by accident.

A major culprit: Weak controls

Fraud is less likely to occur in companies with strong controls that monitor for unusual transactions through deploying analytical routines, or where the company invests in resources to defend against fraud, such as an internal audit function. However, despite the increasing threat of newer types of frauds, such as cyber fraud and continued traditional forms of wrongdoing, companies are not focusing on strengthening controls. Weak internal controls contributed to 59 percent of frauds in North America.

“In addition to ensuring internal controls are thoughtfully designed, companies should deploy effective training and instill a culture of integrity so that controls are properly executed,” said Ostwalt. “Companies should also adopt new controls as their risk profiles change. Ongoing risk assessments can help cost-constrained companies ensure they are properly investing in such controls.”

Additional findings

Women narrow the gap – The KPMG study reflected that men are more likely to collude on frauds than women at 66 percent versus 45 percent worldwide, respectively, but women are catching up. Forty-seven percent of fraudster groups included both genders in 2015 versus 34 percent in 2010.

Fraudsters cause greater damage together – In North America, 43 percent of the frauds involving collusion cost the victim company over $1 million. However, only 22 percent of fraudsters that acted alone inflicted a cost of over $1 million.

Threat comes from within – Fifty-six percent of North American fraudsters were employed by the company, with more than half being executives or management.


from Help Net Security http://ift.tt/1UqswWY

Check Point finds dangerous vulnerabilities in LG mobile devices

Check Point has found two vulnerabilities in LG mobile devices: one that lets a malicious app elevate its privileges locally, and one that can be exploited remotely. Both are specific to LG’s own additions to Android; LG devices account for over 20% of the Android OEM market in the US.

The first vulnerability allows a malicious app installed on an LG device to abuse the lack of bind permissions in an LG service and to elevate its privileges, allowing additional control of the device. The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device. This could be used as part of a phishing scheme to steal a user’s credentials or to install a malicious app.

Local vulnerability: CVE-2016-3117

The first vulnerability is in a privileged LG service called ‘LGATCMDService’. This service was not protected by any bind permission, meaning any app could communicate with it, regardless of its origin or permissions. By connecting to this service, an attacker could address ‘atd’, a high-privileged user mode daemon and a gateway for communications with the firmware. In addition, atd can be used to:

  • Read and overwrite private identifiers like the IMEI and MAC address
  • Reboot a device
  • Disable a device’s USB connection
  • Wipe a device
  • Brick a device completely.

Ransomware would find these features very useful by locking a user out of a device and then disabling the ability to retrieve files by connecting the device to a PC via USB.

Remote vulnerability: CVE-2016-2035

This vulnerability exploits LG’s unique implementation of the WAP Push protocol. WAP Push is the SMS protocol (PDU) used to send URLs to mobile devices. It was intended for use by mobile carriers rather than users and includes “update” and “delete” features. LG’s implementation contained an SQL injection vulnerability that allowed attackers to send messages to devices with the ability to delete or modify all text messages stored on the device.

A potential attacker could use this vulnerability to conduct credential theft or to fool a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials.
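As an added defensive illustration, not Check Point’s or LG’s code, the following generic Android snippet shows the shape of both weaknesses described above and their fixes: a service reachable by any app versus one guarded by a signature-level bind permission, and an SMS update whose WHERE clause is built by string concatenation versus one that binds the untrusted value as a parameter. The class name, the permission string and the method names are hypothetical.

```java
// Added example (hypothetical; not LG's or Check Point's code).
// Illustrates, in generic Android terms, the two weaknesses described above:
//  (1) an exported service with no bind permission (cf. CVE-2016-3117), and
//  (2) building an SMS update query by string concatenation (cf. CVE-2016-2035).

import android.app.Service;
import android.content.ContentResolver;
import android.content.ContentValues;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.provider.Telephony;

public class DeviceControlService extends Service {

    // Hypothetical signature-level permission declared in the manifest:
    //   <permission android:name="com.example.permission.BIND_DEVICE_CONTROL"
    //               android:protectionLevel="signature" />
    //   <service android:name=".DeviceControlService"
    //            android:exported="true"
    //            android:permission="com.example.permission.BIND_DEVICE_CONTROL" />
    // Without the android:permission attribute, any installed app could bind,
    // which is the shape of the first LG bug.
    static final String BIND_PERMISSION = "com.example.permission.BIND_DEVICE_CONTROL";

    private final IBinder binder = new Binder();

    @Override
    public IBinder onBind(Intent intent) {
        // Defense in depth: even if the manifest permission were dropped, refuse
        // callers that do not hold the permission. Returning null means no binding.
        if (checkCallingPermission(BIND_PERMISSION) != PackageManager.PERMISSION_GRANTED) {
            return null;
        }
        return binder;
    }

    // WEAK: a value taken from a network-supplied WAP Push PDU is spliced straight
    // into the WHERE clause. A quote character in that value ends the string
    // literal and lets the sender rewrite the selection (SQL injection).
    static String vulnerableSelection(String incomingBody) {
        return "body = '" + incomingBody + "'";
    }

    // FIXED: the untrusted value is passed as a bound argument and is never
    // parsed as SQL, so it can only ever match a message body.
    static String parameterizedSelection() {
        return "body = ?";
    }

    // Updates the body of stored SMS messages that exactly match matchBody,
    // using the parameterized selection. Returns the number of rows changed.
    static int updateSmsBody(ContentResolver resolver, String matchBody, String newBody) {
        ContentValues values = new ContentValues();
        values.put(Telephony.Sms.BODY, newBody);
        return resolver.update(Telephony.Sms.CONTENT_URI, values,
                parameterizedSelection(), new String[] { matchBody });
    }
}
```

On stock Android, writes to the SMS provider are additionally restricted to the default SMS app; the point here is the permission check and the bound parameter, not the provider access itself.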

LG has issued fixes for both vulnerabilities, and Check Point recommends taking additional steps to mitigate risks:

  • Examine carefully any app installation request before accepting it to make sure it is legitimate
  • Contact your mobility, IT, or security team for more information about how it secures managed devices
  • Use a personal mobile security solution that monitors your device for any malicious behavior
  • Ask your enterprise to deploy a mobile security solution that detects and stops advanced mobile threats.

Check Point reported both vulnerabilities to LG, which issued fixes before Check Point disclosed them publicly.


from Help Net Security http://ift.tt/1sI4L3G

WriteWell Gives Students and Professionals Templates to Jumpstart Research Papers


If you’ve ever had to write a reference paper, essay, or lab report, you know what it means to struggle with an overwhelming amount of information to organize, or a blank page looking back at you. WriteWell helps you organize that information easily, and offers writing templates to help you get started with your paper.

The video above is a short demo of the service. Its best feature by far is the wealth of built-in templates that give you a quick start on your writing project. They’re not perfect by any means, but they may serve as just enough scaffolding and framework to help you get away from a blank page and into the zone, filling it in with your own voice, details, and research. WriteWell has templates for college research papers, specific types of essays (compare and contrast, argumentative, reference, and so on), news articles, scientific papers, and even cover letters and new job pitches.

To make the most of writing with WriteWell, you’ll want to use it to create “sections” for your paper, and then jump into those sections—and a full text editor—to either do your writing, or to paste in your relevant text. From there, you can rearrange your sections quickly, build your citations or organize your reference data, or just use the natural way WriteWell breaks up your paper to get some writing done.

The service is free to start, and you can sign up with an email address, see all of the features and templates, and see if it’s something that would work for you. Free accounts are limited to three documents though, so if you want to keep using it, you’ll need to upgrade to a paid plan, for $6/mo, or $60/yr. Hit the link below to try it out or learn more.

WriteWell


from Lifehacker http://ift.tt/25u4nEp

Hacker imprisoned for stealing Bitcoin, selling botnet on Darkode

A Louisiana man was sentenced to 12 months and one day in prison for using a computer to steal money, hacking computers to obtain passwords, and attempting to sell information on the online hacking forum known as Darkode.

Rory Stephen Guidry, aka k@exploit.im, was sentenced by US District Judge Dee D. Drell on one count of obtaining information by computer from a protected computer. He was also sentenced to three years of supervised release.

According to the guilty plea, in July of 2014 while living in Liberty Hill, Texas, Guidry participated in an online hacking attack on a server in Austin, Texas. He moved to his grandparents’ home in Opelousas, Louisiana, in March of 2015 after an investigation ensued as a result of the server attack. While in Opelousas, he continued to use his skills to hack into personal computers and controlled them with malware and a botnet.

Guidry attempted to hack into and control more than 5,000 computers, and he attempted to sell the botnet to another hacker on Darkode. He also used his hacking skills and conspired with another individual to steal more than $80,000 in Bitcoin. He received half, $40,000, of the bitcoin and converted some of it to money, which he spent. He also admitted to hacking another computer to take more than 5,000 active credit card accounts. He was in possession of the credit card numbers and personal identifiers when he was arrested by the FBI.

In July of 2015, the Department of Justice and other agencies dismantled Darkode. Criminal charges were filed in the Western District of Louisiana, the Western District of Pennsylvania and elsewhere against 12 individuals associated with the forum. As alleged in the charging documents, Darkode was an online, password-protected forum in which hackers and other cyber-criminals convened to buy, sell, trade and share information, ideas, and tools to facilitate unlawful and unauthorized intrusions on computers and electronic devices.

Before becoming a member of Darkode, prospective members were allegedly vetted through a process in which an existing member invited a prospective member to the forum for the purpose of presenting the skills or products that he or she could bring to the group. Darkode members used each other’s skills and products to infect computers and electronic devices of victims around the world with malware. They would then gain access to, and control over, those devices.

The takedown of the forum and the charges were announced on July 15, 2015 as a result of the FBI’s infiltration of Darkode’s membership. Twenty nations participated in the coordinated law enforcement effort to charge, arrest or search 70 Darkode members and associates around the world.


from Help Net Security http://ift.tt/1NYjP7k

Week in review: API security, keyloggers disguised as USB device chargers, online tracking


Here’s an overview of some of last week’s most interesting news and articles:

Faulty TLS implementation opens VISA sites, users to attack
A group of researchers has discovered 184 HTTPS servers that are wide open to attackers looking to inject seemingly valid content into encrypted sessions. Some of these servers belong to the credit card company VISA, the Polish banking association ZBP, and the German stock exchange.

Review: ProtonMail
ProtonMail is an email service developed by a team of scientists who met while working at the European Organization for Nuclear Research (CERN) in Switzerland. The idea behind ProtonMail is to provide an easy to use email service with built-in end-to-end encryption and state-of-the-art security features.

ZCryptor ransomware spreads via removable drives
Once it infects a system, it also copies itself on removable drives, in the hopes that the same drives will end up plugged into another system and spread the infection.

Strengthen security during production and development
In an ideal world, applications would always be coded securely, pass all vulnerability scans and penetration tests, and never encounter zero-day attacks in production. However, vulnerabilities are often inevitable, and in a world of rapid software release cycles, remediation is often regarded as a burdensome task that slows down the pace of DevOps and business innovation.

FBI warns about keyloggers disguised as USB device chargers
A private industry notification issued by the FBI in late April may indicate that keyloggers disguised as USB device chargers have been found in use in the wild.

ICS-CERT warns about vulnerable SCADA system that can’t be updated
A web-based SCADA system deployed mainly in the US energy sector sports vulnerabilities that may allow attackers to perform configuration changes and administrative operations remotely. What’s worse is that these holes can’t be plugged because the device has nowhere to put an update.

Behavior is the new authentication: A look into the future
Traditional pattern-based perimeter defense tools, password-based authentication, and user access control solutions are necessary but missing a trick when it comes to the detection of privileged account misuse or hijacked credentials. Once the attackers are inside the network (using legitimate user accounts to access sensitive data), their behavior is the missing link in detecting and – with real-time intervention – preventing breaches.

WPAD name collision bug opens door for MitM attackers
A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns.

OWASP set to address API security risks
The goal of the OWASP API Security Project is to provide software developers and security assessors with information about the risks brought on by insecure APIs (both public and private), and advice on how they can be mitigated.

Who’s tracking you online, and how?
Armed with a tool that mimics a consumer browser but is actually bent on discovering all the ways websites are tracking visitors, Princeton University researchers have discovered several device fingerprinting techniques never before seen in the wild.

WhatsApp Gold doesn’t exist, it’s a scam that spreads malware
WhatsApp users are once again targeted by malware peddlers, via messages that offer WhatsApp Gold, supposedly an enhanced version of the popular messaging app previously used only by “big celebrities.”

Microsoft bans common passwords
If you’re using the Microsoft Account service to sign into the various services offered by the company, and you tried to set up a too commonly used password, you have already witnessed Microsoft’s dynamic banning of common passwords in action.

1 in 10 banking CEOs don’t know if they’ve been hacked
Twelve percent of banking CEOs say they do not have insight into whether their institution’s security has been compromised by a cyber attack in the past two years, according to KPMG. Their survey also shows that there is a clear disconnect between how the C-Suite views cyber security versus the next tier of executives.

Review: Signal for iOS
Open Whisper Systems’ Signal is an encrypted voice and text communication application available for Android and iOS. The technology is built upon the organization’s open source Signal Protocol, which has recently been implemented by messaging heavy-hitters such as WhatsApp and Google Allo.

DNS provider NS1 hit with multi-faceted DDoS attacks
DNS and traffic management provider NS1 was hit with a series of DDoS attacks that lasted several days, and managed to impact DNS delivery in the European, American and Asian region.

Phishing attacks rise to highest level since 2004
The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than at any other time in history.

Reputation damage and brand integrity: Top reasons for protecting data
IT security leaders in European organisations detail IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances.

Consumers have no idea what ransomware is
A new study reveals almost half (43%) of connected consumers today do not know what ransomware is, despite the recent aggressive spread of this type of cyber threat. In addition, a similar amount (44%) confessed that they did not know what data or information could be stolen in a ransomware attack.

Tips for evolving your office’s security culture
Regardless of the size of the organization and your position in it, if you can persevere in finding the right way, you can change its security culture.

Cybercriminals add DDoS component to ransomware payloads
Instead of just encrypting data files on a workstation (plus any network drive it can find) and locking the machine, a new variant of the Cerber ransomware is now adding a DDoS bot that can quietly blast spoofed network traffic at various IPs, according to KnowBe4.

Criminals stole $12.7 million from ATMs in Japan
In the early morning hours of May 15, 2016, a group of over 100 people executed coordinated, fraudulent ATM withdrawals that netted them about 1.44 billion yen.

Jaku: Analysis of a botnet
In May 2016, the Special Investigations team at Forcepoint revealed the existence of a botnet campaign that is unique in targeting a very small number of individuals while in tandem, herding thousands of victims into general groups.


from Help Net Security http://ift.tt/22tLLm8

Payment Application Data Security Standard 3.2 released

The PCI Security Standards Council (PCI SSC) published a new version of its data security standard for payment software, the Payment Application Data Security Standard (PA-DSS) version 3.2.

The Payment Application Data Security Standard is used by payment application vendors to ensure their software products will protect payment card data from theft. Merchants and other businesses globally use “PA-DSS Validated” software to ensure they can safely accept payments, both in-store and online.

Using “PA-DSS Validated” software also supports businesses in their efforts to secure payment card data throughout their systems and networks –– which is required by the more comprehensive PCI Data Security Standard (PCI DSS).

PA-DSS version 3.2 aligns with the recent release of PCI DSS version 3.2, both of which address growing threats to customer payment information. Updates to standards are based on feedback from the PCI Council’s more than 700 global Participating Organizations, as well as data breach report findings and changes in payment acceptance.

“Using secure software and making sure that the software is installed and maintained correctly is a critical part of protecting payments,” said PCI Security Standards Council General Manager Stephen Orfei.

Key changes in PA-DSS 3.2 include clarifications to existing requirements and updating requirements to align with PCI DSS v3.2. The revision also makes updates to the detailed instructions included with vendor products (the “PA-DSS Implementation Guide”), which explain how to configure payment applications properly and in accordance with PCI DSS. These address procedures for secure installation of software patches and updates, and instructions for protecting cardholder data if using debugging logs for troubleshooting, as these can be exploited during a compromise.

“We continue to see how failure to properly configure and patch payment applications exposes organizations to attacks that lead to mass data compromise,” said PCI Security Standards Council Chief Technology Officer Troy Leach. “That’s why in addition to updating PA-DSS to support PCI DSS 3.2, we’ve added more guidance to help integrators, resellers, and others implementing payment software to configure it properly and protect payment account data.”

A full copy of PA-DSS version 3.2, including a Summary of Changes document, Report on Validation (ROV) and Attestation of Validation (AOV) forms are available here.


from Help Net Security http://ift.tt/1TRU74P

Five tips to avoid getting hit by ransomware

Ransomware has emerged as the predominant online security threat to home users and small businesses. Delivered through spam or phishing emails that trick users into clicking on malicious links, this type of malware renders computer systems, devices or files inaccessible and holds the victim hostage until payment is made, usually in the form of Bitcoins.

“Understandably, nearly 1 in 3 security professionals at companies say they’d be willing to pay for the safe recovery of stolen or encrypted data, and that number jumps to 55% at organizations that have already been targeted. Meanwhile, your average home user feels as if they have no choice but to pay,” said Usman Choudhary, chief product officer at ThreatTrack Security.

No one is immune, not even law enforcement. Last year, a police department in Massachusetts paid $500 to cyber extortionists to decrypt its files – just one of many examples throughout the country.

What can people do to protect themselves?

ThreatTrack provides the following five ransomware tips for businesses and home users:

1. Back up your data – Always keep a copy of your data backed up. There are also numerous cloud-based “set it and forget it” options for automatically backing up your data to an offsite server. These services, which include Carbonite, CrashPlan and Mozy, have the added advantage that they store your data in the cloud, so in addition to being able to recover from a ransomware attack, you’re also protected in the event of a physical disaster such as a fire, flood, tornado or earthquake. This is by far the best do-it-yourself tactic you can take to protect yourself from being blackmailed.

2. Get on a schedule – It’s one thing to back up your data, but if you can’t remember the last time you performed one, it does you no good. ThreatTrack recommends backing up your data at least once a week and, ideally, once a day.

3. Be aware of phishing emails – Educate yourself, family members and employees on the latest social engineering tactics being used to lure people into clicking on malicious links and attachments. There are many resources available that can help, including online tutorials and security awareness training services. But simply sending out regular communications about the various tactics and terms – spam, malware, spear-phishing, whaling, etc. – will help employees become more vigilant about identifying phishing attempts, which often appear to originate from a trusted source – a friend, co-worker, favorite online store.

4. Practice safe computing, update your software – Another technique used by ransomware authors is to exploit vulnerabilities in popular software applications. If you’re diligent about keeping applications up to date, you’ll minimize your exposure to potential attacks. Better yet, make sure that any applications that can be set to update themselves automatically have that feature turned on. Commonly targeted applications include Adobe Reader, Adobe Flash, Java, Google Chrome, iTunes, Skype and Firefox.

5. Keep work and personal data and files separate – A recent survey showed that nearly a third of IT security staff were asked to remove malware from an executive’s computer/device because they had let a family member use it. With so many people working from home (many small businesses operate entirely out of the home), it can be hard to separate work from your personal life, but keeping these two worlds apart can go a long way toward protecting your data and/or minimizing the impact of an attack.

Finally, should you get hit by ransomware, immediately cut off any connections – that means shutting down your computer and disconnecting it from the network. While the damage has already been done, it can help stop the spread of malware to other systems or devices.


from Help Net Security http://ift.tt/1TRToAx

Sunday, May 29, 2016

SANS maps SAP cybersecurity to the CIS Critical Security Controls list

The CIS Critical Security Controls are a set of internationally recognized standards outlining the most important cyber hygiene actions that every organization should implement to protect their IT networks.

They are highly regarded by the global IT community as they are developed, refined, validated, and updated by experts who pull data from a variety of public and private threat sources; and are transforming security in government agencies and other large enterprises by focusing spending on the key controls that block known attacks and find the ones that get through.

“Direct attacks on ERP systems such as SAP are being disclosed more frequently, validating the assumption that even complex applications housed in secure facilities need specific protection and that safeguarding them should be a top priority. Attacks aimed directly at complex, mission-critical applications result in extraordinary costs and impact to the business,” according to Barbara Filkins, a senior SANS analyst.

“To protect an SAP system, start by looking retroactively at current configurations to be sure they’re up to date with the latest patches and that they are continually monitoring unauthorized user behavior and advanced threats,” Filkins added.

Following recent attacks aimed at SAP systems, SANS maps SAP cybersecurity to the Critical Security Controls list for the first time. They advise on an approach that is largely application-oriented, but also applies network restrictions to underlying network devices and firewalls, in addition to closing loopholes through operational procedures and training.

Step 1: Tailor Enterprise Processes (CIS Control: 1, 2, 3, 4, 5, 6, 10, 13, 14, 16).
Step 2: Secure the Landscape (CIS Control: 3, 7, 9, 10, 11, 12, 18).
Step 3: Configure the Technical Controls (CIS Control: 2, 3, 4, 5, 6, 8, 13, 14, 16).
Step 4: Create the Human Action Framework (CIS Control: 17, 19, 20).

“This initiative from SANS is an extremely important step of integrating SAP cybersecurity into the complex security management process. Along with our colleagues, we have been putting emphasis on the significance of this area since 2007. SAP Cybersecurity was a topic of great importance and certainly the level of awareness was rather high, nonetheless, until the recent incidents people who were interested in SAP security did not have any convincing source to refer to, which will make C-level managers support the initiative,” Alexander Polyakov, CTO at ERPScan, told Help Net Security.


from Help Net Security http://ift.tt/1NY3mQu

Growing advanced threats will augment the IT security market through 2020

Research analysts are forecasting positive growth for many segments of the global IT security market over the next four years, as several markets, including BYOD security, mobile payment security software, and contactless smart cards in the banking sector, will see an increase in revenues.

Contactless smart card market

A study conducted by Technavio predicts that the global contactless smart card market in the banking sector will grow at a remarkable CAGR of more than 33% during the period 2016-2020. Most contactless smart cards are issued with preinstalled data codes for unique identification purposes, which makes them easy for end users to use by tapping them against the card reader. Since contactless smart cards provide a user-friendly environment for consumers and are easy to maintain and store, their adoption is expected to increase significantly in the coming years.

Emergence of multi-application smart cards is another factor that will help in the growth of the global contactless smart card market in the banking sector. Vendors such as Gemalto provide multi-application smart cards, which is a combination of contactless and contact interfaces on a single card. Blue from American Express is a multi-application smart card that provides additional security while online shopping and ticketing.

BYOD security market

The global BYOD security market is another segment showing immense growth in the IT security market, expected to grow at a rate of almost 25% from 2016-2020. The increasing adoption of mobile devices by enterprises and consumers for performing personal and business tasks has made them potential targets for cyber-attacks. These increasing instances of cyber-attacks have raised concerns and awareness among organizations of the various security risks, translating into the augmented adoption of BYOD security solutions.

According to Amrita Choudhury, a lead analyst at Technavio for ICT research, “The global BYOD security market is highly fragmented, presenting several opportunities for mergers and acquisitions. As a result, large enterprise application vendors and core BYOD security vendors are engaging in mergers and acquisitions strategies to improve their position and presence in the global market.”

Mobile payment security software market

Research analysts label the global mobile payment security software market as another fast-growing segment in the market. High adoption of multi-factor authentication techniques and increase in the use of wireless networks among the individual consumers will help the market to post a CAGR of about 24% during the period 2016-2020.

With an increase in the number of advanced and sophisticated threats, the need for mobile payment security software has risen. The Americas will account for the highest market share in the mobile payment security software market by the end of 2020.

Key vendors

Some of the key vendors for IT security include Gemalto, Giesecke & Devrient, and Safran for the contactless smart card market in the banking sector; IBM, MobileIron, and VMware for BYOD security; and Apple, CA Technologies, and Google for mobile payment security software.


from Help Net Security http://ift.tt/1UnJ4Py

Facebook now tracking and showing ads to people who don’t use Facebook


Accusations that Facebook tracks non-users as they browse around the web have dogged it for years.

Well, now we can stop calling them accusations thanks to an announcement on 26 May 2016 from the Social Network itself:

Today, we’re expanding Audience Network so publishers and developers can show better ads to everyone – including those who don’t use or aren’t connected to Facebook.

Audience Network is Facebook’s ad network for mobile apps. It uses the same data and targeting that powers ads inside Facebook to deliver ads “beyond Facebook and into mobile apps.”

When it was launched two years ago, Audience Network would only show ads to people who had a Facebook account. Despite that, it has grown to be the second biggest mobile ad network after Google’s.

That limitation has now been lifted and all of us, including people like me who’ve never had a Facebook account, will be fair game for ads that use Facebook’s targeted advertising algorithms.

It’s pretty obvious that users within the walled garden of Facebook’s, er, news-wall-stream-thing (or whatever it’s called now) have their every move hoovered up and analysed but how, you might ask, will it know what to show to un-hoovered non-users?

Ever since it launched its Like button in early 2009, Facebook has been installing windows on the web.

Every time you see a Like button on a website your browser is talking to Facebook; telling it what page you’re looking at and what kind of browser you’re using and, thanks to the magic of cookies, extending an invisible thread that links this page to the other pages with embedded Like buttons you’ve seen.

And that all happens even if you don’t click on it.

To put things in perspective, all of us share all of the same information with all the web pages we visit, and all of the third party sharing or analytics widgets that are embedded in that page.

That we send all of this information to Facebook is a quirk of the way the web works, and that Facebook records it for users of its services is neither in dispute nor unusual (Twitter does it too, for example).

What has been a matter of dispute and innuendo until now is whether or not Facebook records and acts upon the information it receives from non-users.

Last year it denied claims made in a report commissioned by the Belgian Privacy Commission that it was tracking non-users, claiming that the report was “based on assumptions.”

Following that report a Belgian court gave Facebook 48 hours to stop tracking non-users and as a consequence Belgians without a Facebook account are now unable to view any Belgian Facebook pages, even public profiles.

In February the French data protection agency CNIL gave Facebook three months to stop tracking non-users in France.

But even those actions didn’t clear things up entirely because, to my reading at least, both the accusations and the response from Facebook seem to deal with nothing more than we already knew; that Facebook sets cookies.

Doubters will say there’s nothing new in this announcement, that Facebook has been tracking all of us all along. Perhaps they’re right – perhaps this announcement is simply a big organisation that’s already tracking us all just bringing itself into line with EU regulations.

If they are right though they’ve never managed to prove it.

Now, at last, everything is out in the open.

In tracking non-users like this Facebook isn’t doing anything unusual; there are other ad networks that work in the same way, and there are social media companies that use their third party widgets for similar purposes (and worse). If you’re open to web and mobile advertising this might even be good news for you, because you should see better ads.

What makes this announcement significant for the rest of us is Facebook’s size and reputation. Facebook isn’t just another ad network in exactly the same way that Microsoft isn’t just another software company.

Facebook is in our lives and (literally) in our faces. If you’ve decided not to be a Facebook or Instagram user you already have to contend with the fact that your friends and family are likely throwing mentions, photographs and tags of you into the great data hoover.

If you want to keep your browsing habits out of it too and you’re in North America or Europe you could follow Facebook’s vague advice and opt out via the marketing industry’s most relevant self-regulatory body:

Signing up should stop all of the participating networks from tracking you, not just Facebook, but you do have to trust the fox to guard the hen house.

If you want to put yourself in the driving seat then start using your browser in private browsing or incognito mode, uninstall Flash, use add-ons that help you control which cookies you accept or scripts you run, and install an ad-blocker.

At Naked Security we’re not generally in the habit of endorsing third party software but we hear a lot of good things about NoScript, Privacy Badger and the Tor Browser.

Feel free to use the comments to share your own preferences.


Image by rvlsoft / Shutterstock.com


from Naked Security http://ift.tt/1sFuo59

Why the Sound of Running Water Makes You Want to Pee


Some people like the sound of running water because it helps them relax. For others, it creates a strong urge to urinate. This is no coincidence, and it happens more commonly than you think—all thanks to the power of suggestion.

Suggestion is a subtle force that can influence our behavior, how we perceive things, and how we act later. In regards to needing to pee, this SciShow video explains the obvious: running water simply sounds a lot like urination. And over a lifetime of performing the same bathroom ritual—peeing, hearing the sound, flushing the toilet, and (hopefully) washing your hands after—you associate many bathroom sounds with peeing.

And now that you’ve read this, you probably can’t not think about running water and likely want to pee now. You’re welcome.

Why Does Running Water Make You Want to Pee? | SciShow


from Lifehacker http://ift.tt/1qSicN3

Choose the Right Humidifier for Your Room with This Video Guide


A humidifier is an essential purchase for certain homes, but how do you know which one is right for you, or which one can handle your space? Consumer Reports has a comprehensive video buying guide for humidifiers, with a cheat sheet for the right size for a room.

After several tests, here are their recommendations based on the square feet (sq ft) area of the room, and the ideal humidifier for each.

  • Small humidifiers for rooms less than 300 sq ft: Crane Owl, $45.
  • Medium humidifiers for rooms between 300 and 499 sq ft: Vicks V5100NS, $50.
  • Large humidifiers for rooms between 500 and 999 sq ft: SPT SU-4010, $75.
  • Console humidifiers for spaces larger than 1000 sq ft: Essick MA1201, $115.

The full interactive video guide above has other things you should remember while buying a new humidifier, while the detailed post below has any other details you might need, like the best bacteria-free humidifiers.

Humidifier Buying Guide | Consumer Reports


from Lifehacker http://ift.tt/1TIJYsU

ICS-CERT warns about vulnerable SCADA system that can’t be updated

A web-based SCADA system deployed mainly in the US energy sector sports vulnerabilities that may allow attackers to perform configuration changes and administrative operations remotely. What’s worse is that these holes can’t be plugged because the device has nowhere to put an update.

“Independent researcher Maxim Rupp has identified data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller,” ICS-CERT has noted in an advisory published on Thursday.

“ESC acknowledged that Balazs Makany reported these vulnerabilities on February 18, 2015. ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible.”

The data controllers are used for automation and monitoring in various environments.

The two vulnerabilities are present in ESC 8832 Version 3.02 and earlier. Exploiting one allows for the bypassing of the authentication process for configuration changes, and exploiting the other allows an attacker to gain access to functions which are not displayed in the menu.

There is currently no indication that vulnerable systems are being attacked, but as detailed vulnerability information is publicly available, it could be just a matter of time until some of them are. ICS-CERT judges that low-skilled attackers would be able to exploit them.

Exploit PoC code for a session hijacking vulnerability discovered by Makany in 2015 is available online.

The fact that these old devices can occasionally still be bought second-hand online can help attackers test attacks beforehand.

According to the manufacturer’s website, the 8832s are no longer manufactured or sold by them (they stopped in 2013).

“Though we will not be manufacturing new 8832s, ESC will continue to support the 8832 in future versions of our StackVision software until January 1, 2019. We will also continue to repair and service existing 8832 Data Controllers for as long as we can reasonably continue to get repair parts,” they state.

Effectively, the fact that implementing a firmware update is not possible should not be news to the organizations that use these devices – the last firmware update was back in March 2010 because of this same problem (no available code space).

Environmental Systems advises organizations – and has been advising them for a while – to ditch these controllers altogether and upgrade to newer products (their 8864 data controller, for example).

If that’s not possible, they advise blocking Port 80 with a firewall in front of the device, and educating operators and users to not use the web interface for device management.


from Help Net Security http://ift.tt/1XCodul

Faulty TLS implementation opens VISA sites, users to attack

A group of researchers has discovered 184 HTTPS servers that are wide open to attackers looking to inject seemingly valid content into encrypted sessions. Some of these servers belong to the credit card company VISA, the Polish banking association ZBP, and the German stock exchange.

They are vulnerable to these attacks because they used a duplicate cryptographic nonce with the AES-GCM cipher during the TLS handshake between the browser and the HTTPS-protected sites. This means attackers that are able to monitor the connection could reconstruct the authentication key and misuse it to, let’s say, inject malicious code in the site or bogus forms to harvest user data.

The user, i.e. the browser, would have no way of noticing the attack.

This type of attack is not new, and has been dubbed the “forbidden attack” because unique nonces are a must for effective and secure encryption.

“The behaviour of these devices was mixed. 66 devices were using the value 0100000003001741 twice and then continued with a randomly chosen value and a counter starting from that value. Four further devices showed a similar behavior, but with other starting values (010000000100c289, 0100055f03010240 and 010000000080c0eb twice). 84 devices used a random value for the first encryption and subsequently zero values. 23 devices simply always used zero,” the researchers shared, but all of them can be practically attacked.

The researchers have also found over 70,000 HTTPS servers using random nonces, which theoretically puts them in danger of nonce reuse attacks. Such an attack would be much more difficult to pull off – but not impossible.

“If only a few TLS records are encrypted with the same key, then a random nonce does not pose a risk. However, if a large number of records is encrypted with the same key, the risk may become relevant,” they explained.

“The size of a TLS record is determined by many factors, therefore it is not trivial to calculate the exact amount of data necessary to generate a nonce duplication with an implementation with random nonces. It is however most likely in the area of Terabytes,” they noted.

“There are probably few scenarios in which this is a problem. VPN networks may use the same connection for such a large number of TLS records. Also in an attack scenario where an attacker can control Javascript and the victim has a very fast Internet connection such an attack might be possible. However this requires an HTTPS server that allows an unlimited number of requests over a single connection. Common HTTP server implementations usually limit the number of Keep Alive requests that can be sent over one connection, but this limit can be disabled.”
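To make the nonce discussion concrete, here is an added example (not from the article or the researchers' code) that classifies a server's observed explicit nonces into the patterns quoted above and works out the birthday bound behind the "Terabytes" estimate; the 16 KB record size and the sample nonce sequences are assumptions.

```python
# Added example, not the researchers' code: a passive check for the AES-GCM
# explicit-nonce patterns the article quotes, plus the birthday-bound estimate
# behind the "Terabytes" remark. In TLS 1.2 AES-GCM suites (RFC 5288) the 8-byte
# explicit nonce is sent in clear at the start of every encrypted record, so a
# defender can collect them from their own server's traffic without decrypting.
import math
from collections import Counter

RECORD_BYTES = 16384  # assumed plaintext per record (TLS maximum fragment size)


def classify_nonces(nonces):
    """Classify a list of 8-byte explicit nonces (16 hex chars each).

    Returns (label, repeated): `repeated` lists every nonce value seen more
    than once, as 16-char hex strings in ascending order. Labels are
    "always-zero", "reuse", "counter" (strictly +1 each record) or "unique".
    """
    if not nonces:
        raise ValueError("no nonces observed")
    values = []
    for n in nonces:
        if len(n) != 16:
            raise ValueError(f"explicit nonce must be 8 bytes (16 hex chars): {n!r}")
        values.append(int(n, 16))
    counts = Counter(values)
    repeated = [format(v, "016x") for v in sorted(counts) if counts[v] > 1]
    if all(v == 0 for v in values):
        return "always-zero", repeated
    if repeated:
        return "reuse", repeated
    if len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:])):
        return "counter", []
    return "unique", []


def records_until_collision(probability=0.5, nonce_bits=64):
    """Birthday bound: number of uniformly random nonces after which the chance
    of at least one repeat under the same key reaches `probability`."""
    if not 0 < probability < 1:
        raise ValueError("probability must be in (0, 1)")
    return math.sqrt(2.0 * 2.0 ** nonce_bits * math.log(1.0 / (1.0 - probability)))


def bytes_until_collision(probability=0.5, record_bytes=RECORD_BYTES):
    """The same bound expressed as traffic volume under one key."""
    return records_until_collision(probability) * record_bytes


if __name__ == "__main__":
    # Constructed sequences mirroring the device behaviours quoted in the article.
    samples = {
        "repeat then counter": ["0100000003001741", "0100000003001741",
                                "4fa2c1d9e0b31100", "4fa2c1d9e0b31101"],
        "random then zeros": ["9c1e7f20aa51b3d4", "0000000000000000", "0000000000000000"],
        "always zero": ["0000000000000000"] * 3,
        "proper counter": ["000000000000000a", "000000000000000b", "000000000000000c"],
    }
    for name, seq in samples.items():
        print(f"{name:20s} -> {classify_nonces(seq)}")
    print(f"50% collision chance after ~{records_until_collision():.2e} random nonces, "
          f"about {bytes_until_collision() / 1e12:.0f} TB at {RECORD_BYTES}-byte records")
```

With 64-bit random nonces the 50% mark sits near 2^32 records, which at full-size records is tens of terabytes under a single key, consistent with the researchers' estimate.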

The researchers managed to identify some of the devices using random nonces: Lotus Domino web servers, A10 load balancers, Sangfor devices. So far, only IBM published an update fixing the flaw in Lotus Domino.

According to Ars Technica, VISA, the Polish banking association ZBP, and the German stock exchange have also been notified of the problem, but only the latter has dealt with it so far.

The researchers demonstrated a script injection attack on the HTTPS version of www.visa.dk as proof of their findings, and published PoC attack code on GitHub.


from Help Net Security http://ift.tt/20KgDxh

“Google stole Java”: Oracle loses again, case closed – for now


Four years ago, give or take a few days, we wrote an article entitled Google wins, Oracle loses: Java API case closed.

The legal battle had been long, acrimonious and expensive, and many techies breathed a sigh of relief when the court case ended.

Some of the relief was down to the outcome: many programmers, as far as we can tell, felt in their hearts that the court’s decision was the right one.

Of course, at least some of the relief was simply the fact that it was over: no more squabbling in court over function calls in an application programming interface (API).

As we wrote back then, Oracle’s legal points seem to have been along these lines:

  • Google didn’t copy Oracle’s code wholesale, but instead came up with its own implementations of the 37 Java API packages.
  • Nevertheless, Google replicated the structure, sequence and organization of the overall code for those 37 API packages.
  • The structure, sequence and organisation of those 37 API packages was copyrightable and thus Google infringed.

Taking both sides

Trying to see both sides, we offered the following analogy:

Taking Oracle’s side, you might think that the inventor of a programming environment should enjoy protection over the API itself. After all, isn’t the API part of the overall smarts of the system? If you think of it as the entrance lobby of the building that is your codebase, then it’s part of the complete edifice and thus as much private property as the corridors and offices themselves.

Taking Google’s side, though, you might argue the other way around. The API isn’t a strictly-private entrance lobby, but the public-facing doorway into the building: the part which actually opens onto the street. The invention is the codebase represented by the building into which the doorway opens, not the doorway and the street frontage itself.

Our opinion on the 2012 outcome was that independent software developers would surely welcome the judgement:

if you’re a software vendor trying to grow your business, persuading programmers to learn and write code for your API is what it’s all about. The more clients who can connect to your service, the better. But once you’ve grown your business, there’s something unappealing about being able to use the API alone to keep your clients locked in to your implementation.

Having someone rip off your implementation is clearly unacceptable. But being able to coast along with your current codebase whilst locking out competition doesn’t really help anyone.

As long as independent software developers are free to challenge you by “building a better mousetrap” – one which is not a clone or a copy, but which does the same tasks in a better way – then you’ll be under some sort of commercial pressure to continue to improve your own codebase.

If nothing else, this sort of pressure is good for security.

An important recent example of how API-based reimplementations have helped security by increasing choice and encouraging innovation is what happened after the Heartbleed bug in OpenSSL.

OpenBSD produced a plug-and-play replacement library called LibreSSL, Google came out with BoringSSL, and OpenSSL embarked on its own series of improvements, improving choice for everyone.

“For now”

Oracle and Google both seemed to agree with us in 2012 that the Java API court case had innovation at its heart.

Google said that “the court’s decision… [represented] a good day for collaboration and innovation.”

Oracle drew the opposite conclusion, arguing that “this ruling, if permitted to stand, would undermine the protection for innovation and invention.”

Indeed, Oracle was determined to see that the ruling didn’t stand, because there’s one little detail about our 2012 article that we omitted: the words for now at the end of the headline.

The case never did go away, and it’s all been played out again in a San Francisco courtroom over the past few weeks.

Now, the new result is in: the jury in the 2016 version of the court case decided that the reimplementation of those 37 Java APIs was “fair use”.

In short, Google has won again.

For now.

Oracle has already said that it plans “to bring this case back to the Federal Circuit on appeal.”



from Naked Security http://ift.tt/1sf01CK

Judge tosses evidence in FBI Tor hacking child abuse case


A US federal judge on Wednesday excluded all evidence in a child pornography case that was acquired by the FBI through an exploit compromising the Tor network. The federal government hasn’t announced what it’ll do next, but if it can’t prevail in an appeal, its case against Vancouver, Washington teacher Jay Michaud may well be doomed.

The background: early last year, the FBI used malware to take control of “Playpen,” a Tor-protected child abuse imagery site, run it for 13 days, and capture detailed information about the identities of visitors, including actual IP addresses that Tor would normally hide.

The government captured well over 1,000 IP addresses, leading to the arrest of 135 suspects. That, according to a January 2016 report in Motherboard, represented a small fraction of Playpen’s 215,000 member accounts, 11,000 unique visitors per week, and 117,000 posts, many containing “some of the most extreme child abuse imagery one could imagine… [and] advice on how sexual abusers could avoid detection online.”

As criminal cases have rolled in, some US defense attorneys have objected vigorously, demanding access to the full code for the “Network Investigative Technique” the FBI used to catch their clients.

Michaud’s attorney, Colin Fieman, argued that his forensic experts needed the code to:

…independently determine the full extent of the information the government seized from Mr. Michaud’s computer when it deployed the NIT… whether the government’s representations about how the NIT works… were complete and accurate… [and] to establish the electronic “chain of custody” for the data that allegedly links a computer purportedly used by Mr. Michaud to activities [on Playpen].

The federal government has consistently refused to reveal its code, in contrast to its one-time willingness to tell a court about its use of Metasploit in an earlier case.

So Fieman told the court it had a choice:

…between deferring to the government’s position that it will not or cannot comply with the court’s discovery order [or] upholding Mr. Michaud’s constitutional rights to effective representation and a fair trial… The Supreme Court has already made plain that, in situations like this, a defendant’s constitutional rights must prevail.

US District Court Judge Robert J. Bryan hasn’t dismissed Michaud’s case yet, but he has excluded all evidence arising from the FBI’s hack – and that doesn’t seem to leave much.

Bryan isn’t the only judge to take this position, either: judges in Oklahoma and Massachusetts recently suppressed evidence against other “Playpen” defendants, and in West Virginia, another defendant – seeing what’s happening to the government’s evidence in the other cases – is seeking to withdraw his guilty plea.

What the government will ultimately do about all this remains to be seen, but one thing seems clear: in the post-Snowden era, formerly compliant courts are becoming more skeptical of the US government’s claims on electronic search and privacy, and more willing to throw roadblocks in its way.


from Naked Security http://ift.tt/1TIDDKV

ZCryptor ransomware spreads via removable drives

The newly spotted ZCryptor ransomware also has the ability to spread like a worm, Microsoft warns.

Once it infects a system, it also copies itself on removable drives, in the hopes that the same drives will end up plugged into another system and spread the infection.

Other than that, ZCryptor does not differ much from other ransomware.

It encrypts all files that sport one of 88 extensions (Office and archive files, image, audio, movie files, log files, database files, APK files, Java source code files, etc.), changes their extensions to .zcrypt, and pops up the ransom note (an HTML file that’s opened in the default browser):

Microsoft says that the ransomware usually arrives via email: via downloaders posing as fake installers or via macro malware.

It assures its own persistence on the infected system by dropping copies of itself, and sets registry entries in order to execute at every system startup.

“Infected machines are noticed to have zcrypt1.0 mutex. The mutex denotes that an instance of this ransomware is already running in the infected machine,” the researchers noted.

The ransomware tries to contact a specific URL from which it receives information and likely the key to encrypt the files, but the website is currently down.

As always, users are advised to protect themselves against this and other ransomware by regularly backing up their important files and keeping the backups separate from their main system.

Needless to say, if you get hit with this ransomware, remember that any USB stick or other removable drive plugged into the system is also infected, and should also be cleaned before being used again.

Trend Micro has additional information about the malware.


from Help Net Security http://ift.tt/25psmYE

IT security skills remain in high demand

IT security tops the list of the skills that IT decision-makers say they want their team members to have, according to a new report by Global Knowledge, based on input from more than 10,000 IT and business professionals in North America.

Other in-demand skills include cloud computing, IT architecture, and network and systems engineering and operations. One in three IT decision-makers reported having difficulty finding skilled talent to fill cybersecurity positions, while one in five reported difficulty filling cloud-related roles.

Average salaries for IT professionals are on the rise

Though combined average salaries for IT professionals and decision-makers fell by two percentage points—from $88,835 to $86,545—average salaries increased for each group, from $75,889 to $76,865 for IT staff and from $109,165 to $111,167 for IT decision-makers.

The lower total average is due to a change in the distribution of these two groups within the response pool. Staff-level IT respondents increased from 63 percent in 2015 to 72 percent in 2016. Conversely, the percentage of respondents who are IT decision-makers dropped from 37 in 2015 to 28 in 2016.

Non-IT salaries took a plunge this year, averaging $95,019 after last year’s $109,165 and bringing figures back in line with those from 2014. A nine percent increase in the number of entry-level—and therefore lower-paid—respondents is at least partly to blame for that decline.

Skills gaps increase stress on employees

Sixty-two percent of IT decision-makers said their teams currently have measurable skills gaps or will likely have them within the next two years, and 70 percent said the gaps create increased stress on existing employees.

Other impacts include difficulty meeting quality objectives, delayed software and hardware deployments, and increased operating costs.

Building new skills is the top driver for professional development

Three-fourths of this year’s IT respondents said they use professional development to build new skills, and half said preparing for a career certification or specialist exam is a top motivator. More than 45 percent of those who did not train in the previous year blamed a lack of funds. IT decision-makers who responded said the lack of training funds is also one of the driving reasons behind skills gaps in IT departments.

Application developers choose JavaScript, SQL and HTML most often

Seventy percent of application developers use one or more programming languages—six different languages on average. More than 60 percent of the developers who responded said they use JavaScript, SQL and some version of HTML.


from Help Net Security http://ift.tt/25lFg6D

1 in 10 banking CEOs don’t know if they’ve been hacked

Twelve percent of banking CEOs say they do not have insight into whether their institution’s security has been compromised by a cyber attack in the past two years, according to KPMG. Their survey also shows that there is a clear disconnect between how the C-Suite views cyber security versus the next tier of executives.

KPMG surveyed 100 bank executives – representing banks in excess of $20 billion in assets – and found disparities around the awareness of hacks, company vulnerabilities and top concerns in the event of a breach at the bank.

While 12 percent of CEOs don’t know if they’ve been hacked in the past two years, the lack of awareness only grows when compared to the next level of executives. Approximately 47 percent of banking executive vice presidents and managing directors reported that they didn’t know if their bank had been hacked, and 72 percent of senior vice presidents and directors stated that they didn’t know.

“Banks are under an onslaught of attacks from bad actors, so the fact that 12% of banking CEOs reported that they don’t know if they’ve been compromised is troublesome. Cyber is a business bottom-line issue: a true CEO issue,” said Charlie Jacco, Financial Services Cyber Leader at KPMG. “While CEOs may be more privy to information regarding the exact number of cyber technology deployment and hack attempts, all employees should know and be in lock-step on their bank’s greatest vulnerabilities and concerns as it pertains to how that bank views cyber security. The data shows, on a leadership level, a strong difference in opinions.”

“A disconnect around cyber strategy among senior executives can create great gaps in protections and deprioritize important tasks, exposing banks to increased cyber risks,” says Jitendra Sharma, KPMG’s Advisory Line of Business Leader for Financial Services. “Naturally, banks are the top industry attacked by hackers due to the amount of funds flowing through the institutions. Since banks are under increased security pressures, it’s more important than ever that they employ a strong, top-down internal strategy to better protect themselves against bad actors.”


from Help Net Security http://ift.tt/1XBnXf2

Making security a high priority may not lead to improved measures

Technology professionals see many steps that could be taken to improve their company’s security. Just over half of the 500 security professionals surveyed by CompTIA say their company has altered its security approach based on changes in IT operations, such as relying on more cloud-based solutions or making wider use of mobile devices and apps.

“Far more than half of all companies have adopted cloud computing and mobile devices,” noted Seth Robinson, senior director, technology analysis, CompTIA. “This suggests that many companies are embracing new technology solutions without taking the corresponding actions necessary to build a proper defense. This poses huge challenges for the IT security professionals tasked with security responsibilities.”

Nine in 10 IT professionals say security is of greater importance today to their companies than it was two years ago. While some improvements in security have been noted, there remains a wide swath of companies that could improve their standing, along with those that may be over-estimating their readiness.

“Simply placing a higher priority on security may not lead to improved measures,” Robinson said. “Companies may not fully understand the nature of modern threats. It’s incumbent on the IT pros to adequately communicate the requirements for modern security; the potential cost of weak defenses; and the specific actions that should be taken.”

An abundance of challenges

IT professionals tasked with keeping digital assets safe face a multitude of challenges. Just under half (47 percent) say there’s a belief within their company that existing security is “good enough.” For 43 percent, other technology needs take a higher priority than security. Four in 10 cite a lack of security metrics, while a slightly smaller percentage (37 percent) point to a lack of budget dedicated to security.

Challenges extend to finding qualified security workers at a time when the demand for security skills is increasing. For example, job postings in the category “Information Security Analysts” rose 175 percent between Q1 2012 and Q1 2015, according to the Bureau of Labor Statistics.

Within the cybersecurity workforce there are skills gaps to close, too. Among companies with skills gaps, 53 percent want to be more informed about current threats. About 40 percent feel that they need to improve their awareness of the regulatory environment.

“The use of technology has outpaced cybersecurity literacy, so there’s also a growing need for the overall workforce to improve their knowledge and awareness of security issues,” Robinson added.

Two-thirds of companies are engaged in security training for employees, making it the most popular option for building the right security skills within an organization. The study also found that 56 percent of firms will seek out IT security certifications for their technology staff.


from Help Net Security http://ift.tt/1TZL9hM