Friday, September 30, 2016
Build a Portable Movie Theater In the Back of a Pickup Truck
The best part of camping for some people is getting out in the middle of nowhere and looking at the stars. For others, it’s just getting together with friends and having a good time. Over on Tested, Adam Savage goes for the latter and builds a portable movie theater made for camping.
The idea here is to make a portable screen that unfolds easily and works from the bed of a truck. To do so, Savage creates a wood platform that also acts as a chair stand, then a blow-up portable screen inflates from inside the platform. Obviously Honda did a sponsorship here, but that doesn’t change the actual project much. You’ll still need to make your own measurements and build your own base.
Features Not Standard: Adam Savage’s Portable Movie Theater | YouTube
from Lifehacker http://ift.tt/2dxI37N
Why You Get White Spots On Your Nails
There are a lot of rumors about white spots on your nails being a sign of something serious, like a nutrient deficiency, but the most common cause is nothing to worry about: You just bumped your nail against something.
The reason the spots seem to occur so mysteriously is that you don’t see them until long after the injury happened. Your nails grow from the base, and if you damage that tissue at the base of your nail, it creates a white spot that you won’t see until perhaps weeks later.
Check out the full video from SciShow for more on what those white spots mean and how they’re created.
What Are Those Lines on My Nails | SciShow
from Lifehacker http://ift.tt/2dtueqe
The Best Way to Tie a Shirt Into a Crop Top So It Looks Good
Tying a knot in a button-up is a fast way to transform it into a crop top. But if you don’t tie the knot right, it can stick out and look lopsided, which isn’t the look you’re going for. Here’s how to tie it so it lies flat and still looks good.
The video above has a visual demonstration, but if you can’t watch it, unbutton your shirt to the point where you want the crop top to end. Grab the two “tails” of cloth, making sure the side without buttons is on top, and tie your knot. The side without buttons should loop under the other tail and be pulled through the hole. Knot a second time to secure your shirt, again making sure the side without the buttons is on top. The knot should lie flat against your body.
How to Knot a Crop Top the Right Way | Refinery29 (YouTube)
from Lifehacker http://ift.tt/2dwMOi8
DefecTor: DNS-enhanced correlation attacks against Tor users
A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.
Collectively dubbed DefecTor, the attacks improve the efficacy of existing website fingerprinting attacks through the attacker’s ability to observe DNS traffic from Tor exit relays. The attacks offer great-to-perfect results – the latter mostly when identifying visitors to infrequently visited sites.
“It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries [i.e. those that can monitor both network traffic that enters and exits the network],” says Philipp Winter, a postdoctoral researcher in computer science at Princeton University and one of the group behind this latest research.
DefecTor attacks, on the other hand, can be leveraged by “semi-global” adversaries.
One of the most notable ones is Google, as it operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network.
“Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains.
The researchers also found that DNS requests often traverse autonomous systems that the TCP connections made via Tor don’t transit, and this enables them to gain information about Tor users’ traffic.
While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity in how exit relays resolve DNS domains.
The researchers added that their paper has yet to be peer reviewed, but if you’re interested in replicating their research, they have provided code, data, and replication instructions here.
from Help Net Security http://ift.tt/2cGALwT
Alto Dashboard Surfaces Important Information From All Your Email Accounts
Android/iOS/Web: It seems like everyone has some new product that will change email forever, but there are some good ideas in the mix. AOL’s new Alto Dashboard takes a lot of inspiration from apps like Inbox and applies them to all of your email accounts at once.
Alto Dashboard scans your emails to find important information like flight details and order numbers. These are presented as cards with just the important stuff highlighted. It can also easily find emails with attachments like files and photos, and you can even snooze emails for later.
If all of that sounds familiar, it should. Apps like Inbox and Boomerang have used some of these features for a while. Alto’s main advantage is that you can use it with nearly all your accounts. It supports Google, Outlook, Yahoo, iCloud, Exchange, and AOL accounts all in one. While Boomerang offers a few of these features for multiple accounts, Inbox only supports Gmail accounts for right now, giving Alto an edge.
Alto | Google Play Store
Alto | iTunes App Store
from Lifehacker http://ift.tt/2dwxZ3H
Facebook, Google, Amazon, Microsoft and IBM team up on AI
With Artificial Intelligence (AI) starting to reveal its real world potential, Facebook, Google, Amazon, Microsoft and IBM have teamed up to work together in the burgeoning technological space.
Speaking to the BBC, one of the new group’s members revealed that the aims of the consortium, called the ‘Partnership on AI’, are to:
maximise this [AI’s] potential and ensure it benefits as many people as possible
The sentiments are similar to those expressed by the Future of Life Institute, an organisation that aims to “maximize the societal benefit of AI” and famously published an open letter (since signed by a galaxy of tech stars) stressing that it’s “important to research how to reap [AI’s] benefits while avoiding potential pitfalls”.
AI’s potential is indeed far reaching. We can probably expect it to impact almost every aspect of our everyday lives over the coming years: from healthcare and education to manufacturing, energy management and transportation.
Growing fears
And as it does so, we can also expect to see fears continue to grow: fears that AI might replace human labor, undermining the skills that are so crucial to our economies; fears around safety as machines take over complex tasks such as driving vehicles, performing operations and making life and death decisions in war; and fears that we might one day reach the technological singularity from which we can never return, where machines become more intelligent than humans.
We even reported last year how Stuart Russell – an award-winning AI researcher, a Professor of Computer Science at the University of California and author of a leading AI textbook – had likened the dangers of AI to nuclear weapons.
Abating fears and opening discussions
With that in mind, the consortium notes on its website that it was established to:
… study and formulate best practices on AI technologies, to advance the public’s understanding of AI, and to serve as an open platform for discussion and engagement about AI and its influences on people and society.
Co-chaired by Microsoft Research chief Eric Horvitz and co-founder of Google’s DeepMind subsidiary Mustafa Suleyman, it will also include experts from AI research groups and academia. The BBC notes that:
The group will have an equal share of corporate and non-corporate members and is in discussions with organisations such as the Association for the Advancement of Artificial Intelligence and the Allen Institute for Artificial Intelligence.
Taking control
Or maybe there is more to it than simply educating the public, establishing best practices and enabling discussions.
In an interesting article, The Verge takes a deeper look at the list of tenets posted on the partnership’s website. It pays particular attention to the sixth tenet:
Opposing development and use of AI technologies that would violate international conventions on human rights, and promoting safeguards and technologies that do no harm.
Writer Nick Statt notes that this tenet implies a degree of self-regulation – something that the technology giants involved might want to foster as a way of heading off government regulation.
No Apple at the core?
With the other tech giants now firmly showing their commitment to making AI a success, you may well wonder where Apple is. After all, Apple has been working hard on its own AI projects, and has even purchased machine learning start-ups.
Microsoft’s Eric Horvitz revealed to The Guardian:
We’ve been in discussions with Apple, I know they’re enthusiastic about this effort, and I’d personally hope to see them join.
Elon Musk has had plenty to say on the dangers of AI. His own horse in the AI race, OpenAI, is another notable absentee from the consortium, although The Verge reports that discussions between the two have begun.
Where are the brakes?
Whatever your views on the AI revolution, one thing is certain – it will happen.
Having the big tech players working together on such a disruptive technological arena is a good thing, in my opinion, providing that discussions are transparent and outside opinions are listened to and acted upon.
I would, however, feel more comfortable if there was more outside governance.
If the consortium turns into a body for industry self-regulation, are they really going to listen to those concerned with ethics when there are potentially trillions of dollars at stake?
from Naked Security http://ift.tt/2dgoB0k
Arduino’s new open source kit makes creating IoT devices easy
The Arduino team is using Kickstarter to crowdfund their latest project: the ESLOV IoT Invention Kit.
ESLOV is a system of intelligent modules that can be connected in an endless variety of ways, and is meant to simplify the creation of Internet-connected devices.
The connected modules are plugged into a Wi-Fi and motion hub, which will connect the device (project) to the Internet. Then, the hub has to be connected to the user’s PC so that it can be programmed.
Programming it is extremely easy, though – in fact, no actual programming knowledge is required. By using the ESLOV’s visual code editor, which recognises the modules automatically, the user needs to simply draw connections between them, and the device is ready to be used.
Once the device is connected to the Arduino cloud, the user can control it and interact with it from anywhere, via a computer or smartphone, through a user-friendly interface.
The ESLOV kit consists of the wireless hub and 25 modules. The team welcomes third-party modules – design files and documentation for all modules will be made publicly available, to make it easier for creative people to design and create their own.
The Arduino team needs to raise $500,000 to finish the development and production of the ESLOV kit. Potential funders can choose to receive kits of different sizes, priced from $49 (you receive just the Wi-Fi hub) to $499 (PRO kit: Hub + 22 modules). The various kits can also be combined.
Delivery of the hardware to the backers is scheduled for June 2017.
More technical information can be found on the Kickstarter project page or this blog post.
from Help Net Security http://ift.tt/2dpJbNE
Thursday, September 29, 2016
Clear and present danger: Combating the email threat landscape
Like it or loathe it, email is here to stay. Despite the ubiquity of file sharing services like OneDrive and Google Docs, email remains a fast and convenient way for users to review, communicate and collaborate. Almost 25 years since the first email attachment was sent, businesses around the globe remain heavily dependent on using email to send their files. Indeed, according to research firm Radicati, business emails are set to reach 116.4 billion a day before the end of 2016.
It’s no wonder then, that email represents a major security threat vector. Because, as long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes. Cyber criminals have consistently proved adept at exploiting the ‘click first, think second’ behaviours of email-users, which have the potential to open the door to malware, or unintentionally expose the business to data loss.
Protecting the enterprise against such vulnerabilities is no easy task. Email threats aimed at exploiting risky user behaviours have evolved into highly sophisticated phishing and spam campaigns, targeted zero-hour attacks and data theft initiatives. But with 91% of hacks starting with a targeted email attack, organisations need to be certain that the actions they take will truly protect their users, data and assets.
Unfortunately, standard anti-virus (AV) software can only go so far, as a recent incident graphically illustrates. In August, a public domain AV signature provider wrongfully categorised all Microsoft .doc files as a virus. This led to a large number of legitimate Microsoft Word documents being blocked from transmission when they encountered an AV layer.
In order to maintain an acceptable balance between user productivity and user safety, many vendors took the decision to disable the piece of AV technology that was blocking documents affected by these false positives. This meant that documents could be transmitted to their intended recipients, where an AV system would have, in theory, defended users from malicious attachments.
It wasn’t long before cyber criminals picked up on this enticing opportunity and began creating malware files whose signatures changed and morphed in order to evade signature-based AV solutions. This resulted in a surge in the number of .doc files being transmitted over email – at which time our security analytics found that approximately 80% of the files were malicious.
It’s a sobering example of how criminals are constantly monitoring the security industry in an effort to find vulnerabilities and opportunities to exploit – in this case, the reduced security for .doc attachments. It also highlights why organisations need to use multiple layers of protection. Because in this case, the false positives ‘loophole’ meant there was a greater need for non-signature based defences.
Protecting the organisation against email-enabled attacks is no easy task when users across the enterprise are opening up hundreds of emails every day. But with hackers constantly on the lookout for ways of working around signature-based technologies, businesses need to ensure their email security is one step ahead.
That means adopting multi-layered threat protection and prevention technologies alongside ‘good hygiene’ employee training and email best practices:
1. Advanced detection and intrusion prevention
Sandboxing is a valuable technical control that delivers a powerful line of defence. Scanning emails at the endpoint is a good start, but attachments should be scanned again before opening so that the files and URLs can be analysed. Ideally, all incoming mail should be automatically scanned in real-time, with any suspicious attachments being forwarded to a cloud-based sandbox environment where they can be executed and thoroughly analysed to identify potentially suspicious and malicious behaviour. This guarantees that even sophisticated pieces of malware can do no harm to digital assets, as only safe files will be forwarded to users.
2. Monitor unusual spikes in file transmissions
Minimising the fallout of a potential malware attack is a priority. That means gaining full visibility of any identified malware activity, so that infected users can be automatically quarantined to prevent malware from spreading within the network, or creating unwanted communications to the outside world.
3. End user education
Representing the enterprise’s first line of defence, the workforce needs to be educated about their responsibilities when it comes to protecting customer and colleague data. Often viewed by security experts as the weakest link, employees are a target for hackers who know there are specific times when people are most susceptible to attack – at the start or end of the day, when the pressure is on to ‘get out the door’ or ‘get stuff done’ – and will send out bursts early in the morning and late in the afternoon.
For this reason, training needs to be an ongoing endeavour during which staff members are trained on how to spot a suspicious email and what to do if they receive one. This isn’t a once a year task – employees need to be regularly updated with the latest threats and approaches used by cyber criminals.
4. Stay on top of version control
Installing the latest versions of operating systems, applications and email platforms should be an essential good housekeeping practice, as vendors regularly release security patches that can help reduce exposure to some attacks.
5. Limit user access to critical IT systems
More often than not, user devices and business-critical databases are located within the same internal network. This means that infected devices could potentially go about their malicious ways while remaining undetected for a long time. Segmentation is a very effective way for businesses to detect malicious activity and contain the fallout of any attack. Data leakage prevention starts with inhibiting data collection.
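One way to act on the "monitor unusual spikes in file transmissions" advice, applied to the .doc surge described earlier, is to compare each attachment type's hourly volume against its own recent baseline. This is an added example, not code from the article or any vendor; the log line format (`timestamp recipient filename`), the thresholds and the sample data are all assumptions constructed for illustration.

```python
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"          # assumed gateway log timestamp format
CURRENT_HOUR = datetime(2016, 8, 2, 0)   # constructed "now" for the sample data


def parse_line(line):
    """Return (hour_bucket, extension) for one log line, or None if malformed."""
    parts = line.split(None, 2)          # the filename may itself contain spaces
    if len(parts) != 3:
        return None
    ts, _recipient, filename = parts
    try:
        hour = datetime.strptime(ts, TS_FORMAT).replace(minute=0, second=0)
    except ValueError:
        return None
    # Only the final extension decides how a client opens the file,
    # so "x.pdf.DOC" is counted as ".doc".
    ext = os.path.splitext(filename.strip())[1].lower() or "(none)"
    return hour, ext


def hourly_counts(lines):
    """Map extension -> Counter of attachments seen per hour bucket."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            hour, ext = parsed
            counts[ext][hour] += 1
    return counts


def find_spikes(counts, current_hour, baseline_hours=24, min_count=20, threshold=6.0):
    """Flag extensions whose current-hour volume is far above their baseline.

    Uses median and MAD instead of mean and standard deviation so that one
    earlier burst in the baseline window does not hide the next one.
    """
    window = [current_hour - timedelta(hours=i) for i in range(1, baseline_hours + 1)]
    spikes = []
    for ext, per_hour in counts.items():
        current = per_hour.get(current_hour, 0)
        if current < min_count:          # ignore low-volume noise (e.g. 2 files)
            continue
        history = [per_hour.get(h, 0) for h in window]   # missing hours count as 0
        med = median(history)
        mad = median([abs(x - med) for x in history])
        scale = max(1.4826 * mad, 1.0)   # floor avoids division by ~0 on flat history
        score = (current - med) / scale
        if score >= threshold:
            spikes.append((ext, current, med, round(score, 1)))
    return sorted(spikes, key=lambda s: s[3], reverse=True)


def emit(lines, hour, n, filename):
    """Append n constructed log lines for the given hour."""
    for i in range(n):
        ts = (hour + timedelta(minutes=i % 60)).strftime(TS_FORMAT)
        lines.append(f"{ts} user{i}@example.test {filename}")


def build_sample_log():
    """Constructed data: 24 quiet baseline hours, then one hour with a .doc surge."""
    lines = []
    for h in range(24):
        hour = CURRENT_HOUR - timedelta(hours=24 - h)
        emit(lines, hour, 3 + h % 4, "report.doc")       # 3 to 6 .doc files per hour
        emit(lines, hour, 10 + h % 5, "statement.pdf")   # 10 to 14 .pdf files per hour
    emit(lines, CURRENT_HOUR, 60, "Invoice 2016.pdf.DOC")  # the surge
    emit(lines, CURRENT_HOUR, 12, "statement.pdf")         # normal volume
    emit(lines, CURRENT_HOUR, 2, "script.js")              # new type, below min_count
    lines.append("corrupted entry without the expected fields")
    return lines


if __name__ == "__main__":
    for ext, current, med, score in find_spikes(hourly_counts(build_sample_log()), CURRENT_HOUR):
        print(f"{ext}: {current} this hour vs. median {med} (robust z-score {score})")
```

A flagged extension is a cue to route that file type through the sandbox or hold it for review, not proof that the files are malicious.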
Dealing with today’s modern and persistent email threats means reliance on antivirus protection or existing intrusion prevention systems is no longer enough. Today’s enterprise needs advanced threat detection technologies that not only detect targeted attacks, but provide sophisticated technical controls to detect and extract malware before it enters the organisation. Whether an organisation operates a cloud or on-premises email platform, email security is a multi-layered affair that involves taking a holistic approach to educating and protecting users and ensuring the enterprise network is constantly monitored and safe.
from Help Net Security http://ift.tt/2dfBYxF
1 in 3 organizations have experienced an insider attack in the last year
A new Bitglass report on insider threats in the enterprise found that, in a third of organizations surveyed, careless or malicious user behavior resulted in data leakage, up slightly from a year ago. 56 percent of respondents believe insider leaks have become more frequent in the last year.
“Adoption of cloud and BYOD are positive developments, but organizations that have limited cross-app visibility will struggle to detect anomalous behavior and need to rethink their approach to data security,” said Nat Kausik, CEO, Bitglass. “The reality is that cloud apps have made data more readily accessible and insider threats more likely – it’s up to the enterprise to put adequate data controls and policies in place to secure vital data.”
Bitglass found that 64 percent of enterprises can detect a breach within a week, up significantly from 42 percent a year ago. Only 23 percent take a month or longer to identify insider breaches, which indicates growing use of cloud-based audit and security tools. Respondents identified analytics as critical in detecting anomalous behavior.
Employee training (57 percent) and identity management solutions (52 percent) topped the list of best means for preventing insider attacks. Data leakage prevention was also included among the most effective tools in 49 percent of organizations.
Key findings
- One in three organizations surveyed have experienced an insider attack in the last year, while 74 percent feel vulnerable to insider threats.
- Seventy-one percent of cybersecurity professionals are most concerned with inadvertent leaks that are the result of risky unsanctioned app usage, unintended external sharing and unsecured mobile devices. Negligence (68 percent) and malicious insiders (61 percent) were also of concern to respondents.
- Privileged users, more than any other user group, were seen as posing the greatest security risk by 60 percent of organizations.
- Cloud and mobile are forcing IT to rethink detection and prevention. Cybersecurity professionals agree that lack of employee training (62 percent), insufficient data protection solutions (57 percent), more devices with access to sensitive data (54 percent) and more data leaving the network perimeter (48 percent) are at the core of many insider leaks.
- A third of organizations do not have any analytics solutions in place to detect insider threats. Fifty-six percent use some kind of analytics solution to address anomalous behavior, but only 15 percent have user behavior analytics in place.
- Collaboration tools (44 percent) and cloud storage apps (39 percent) were perceived to be most vulnerable to insider threats, as careless users are easily able to share data externally or lose a mobile device that contains sensitive information.
from Help Net Security http://ift.tt/2dpmedD
Security appliance market shows positive growth
The total security appliance market showed positive year-over-year growth in both vendor revenue and unit shipments for the second quarter of 2016, according to IDC. Worldwide vendor revenues in the second quarter increased 5.8% year over year to $2.75 billion, and shipments grew 15.2% year over year for a total of 659,305 units.
The Unified Threat Management (UTM) sub-market has doubled in size over the last five years and continues to be the major driver for the entire market. The UTM market generated revenues of $1.35 billion in 2Q16 for year-over-year growth of 13.4%.
During the first half of the year UTM vendor revenue grew 15.7% compared to the first half of 2015 to $2.6 billion and it is the only sub-market with double-digit growth for seven consecutive years.
The Intrusion Detection and Prevention (IDP) sub-market, with $402 million and 4.8% annual growth, and the Content Management sub-market, with $426 million and annual growth of 4.9%, also had a solid performance in 2Q16. The Firewall and VPN sub-markets experienced year-over-year declines of 6.7% and 14.6%, respectively.
Regional highlights
In the second quarter of 2016, the United States remained the largest market with 41% of global security appliance market revenue and year-over-year growth of 6.0%. Asia/Pacific was the second largest region with 22% of total worldwide revenues and year-over-year growth of 1.7%. Western Europe accounted for 20% of worldwide vendor revenue and had annual growth of 5.9% compared to the same quarter of 2015.
“The second quarter saw growth of 5.8% led by growth in the UTM, IDP, and Messaging Security categories. UTM continues to be the only category with sustained strong growth metrics,” said Elizabeth Corr, research analyst, Security Products at IDC.
from Help Net Security http://ift.tt/2daTML8
Boardroom perspectives on cloud implementation
Although there’s a significant uptick in cloud adoption at the enterprise level, companies are missing the full benefit of their cloud adoptions by not factoring their IT implementations into their overall business strategy, according to Accenture.
A study of nearly 1,900 c-suite executives across the world found that while more than 95 percent of respondents have a five-year cloud strategy already in place, only 38 percent have aligned these plans with overarching business goals.
The survey also revealed enormous potential for hybrid and public cloud growth across all 15 surveyed industries, with four of five executives reporting that less than half of their business functions are currently operated in public cloud, but noted increasing intent on moving more of their operations to the cloud in the coming years.
“Our research confirms that enterprise clients are overwhelmingly recognizing the value of a Cloud First agenda – leveraging the cloud to bring applications, infrastructure and business processes together and be delivered as-a-Service – as a driver of digital innovation, and they are upfront about the guidance they need in order to move even faster on their journey to the cloud,” said Jack Sepple, senior managing director, Accenture Cloud and Accenture Operations group technology officer. “By taking steps to align their cloud and business strategies and to involve IT more directly in cloud decision-making, companies will be better positioned on their journey to the cloud as the as-a-Service economy matures.”
C-suite moving past outdated objections to cloud migration
The study found that executives are more informed about the benefits of public and hybrid cloud implementations, shunning dated opposition and doubts.
While half of respondents cite security as their biggest concern with the public model, more than 80 percent believe public cloud security is more robust and transparent than what they’re able to provide in-house. Similarly, 80 percent say they are no longer worried about compliance and regulatory issues. An overwhelming majority, 89 percent, now agree that implementing cloud strategies is a competitive advantage which allows their companies to leverage innovation through agility.
C-suite must provide training in order to include IT in cloud decision-making
The research also revealed a perceived shortage in cloud competencies and emerging skill-gaps within the enterprise IT functions that must be addressed to increase cloud decision-making capacity for enterprise IT to truly lead in the as-a-Service economy.
Nearly four of five executives reported that the IT function of their businesses may lack the necessary skills to be involved in as-a-Service purchases, despite an overwhelming consensus (88 percent) that IT should participate in these transactions. To help bridge this gap, 92 percent of organizations have or are planning to establish a formal IT service broker role.
from Help Net Security http://ift.tt/2cFv87c
Why a massive DDoS attack on a blogger has internet experts worried
Someone on the internet seems very angry with cybersecurity blogger Brian Krebs.
On 20 September, Krebs’ website was hit with what experts say is the biggest Distributed Denial of Service (DDoS) attack in public internet history, knocking it offline for days with a furious 600 to 700 Gbps (Gigabits per second) traffic surge.
DDoS attacks are a simple way of overloading a network router or server with so much traffic that it stops responding to legitimate requests.
According to Akamai (which had the unenviable job of attempting to protect his site last week), the attack was twice the size of any DDoS event the firm had ever seen before, easily big enough to disrupt thousands of websites let alone one.
So why did someone expend time and money to attack a lone blogger in such a dramatic way? Krebs has his own theories, and the attack follows Krebs breaking a story about the hacking and subsequent takedown of kingpin DDoS site vDOS, but in truth nobody knows for certain and probably never will.
DDoS attacks, large and small, have become a routine fact of internet life.
Many attacks are quietly damped down by specialist firms who protect websites and internet services.
But the latest attack has experts worried all the same.
Stop what you’re doing
DDoS attacks first emerged as an issue on the public internet in the late 1990s, and since then have been getting larger, more complex and more targeted.
Early motivations tended towards spiteful mischief. A good example is the year 2000 attacks on websites including Yahoo, CNN and Amazon by ‘MafiaBoy’, who later turned out to be 15-year-old Canadian youth Michael Calce. Within weeks, he was arrested.
Things stepped up a level in 2008 when hacktivist group Anonymous started an infamous series of DDoS attacks with one aimed at websites belonging to the Church of Scientology.
By then, professional cybercriminals were offering DDoS-for-hire ‘booter’ and ‘stresser’ services that could be rented out to unscrupulous organizations to attack rivals. Built from armies of ordinary PCs and servers that had quietly been turned into botnet ‘zombies’ using malware, attacks suddenly got larger.
This culminated in 2013 with a massive DDoS attack on a British spam-fighting organization called Spamhaus that was measured at a then eye-popping 300Gbps.
These days, DDoS is often used in extortion attacks where cybercriminals threaten organizations with crippling attacks on their websites unless a ransom is paid. Many are inclined to pay up.
The Krebs effect
The discouraging aspect of the Krebs attack is that internet firms may have thought they were finally getting on top of DDoS using techniques that identify rogue traffic and more quickly cut off the botnets that fuel their packet storms.
The apparent ease with which the latest massive attack was summoned suggests otherwise.
In 2015, Naked Security alumnus and blogger Graham Cluley suffered a smaller DDoS attack on his site, so Krebs is not alone. Weeks earlier, community site Mumsnet experienced a DDoS attack designed to distract security engineers as part of a cyberattack on the firm’s user database.
At the weekend, Google stepped in and opened its Project Shield umbrella over Krebs’ beleaguered site. Project Shield is a free service launched earlier in 2016 by Google, specifically to protect small websites such as Krebs’ from being silenced by DDoS attackers.
For now it looks like Google’s vast resources were enough to ward off the unprecedented attack, but it’s little comfort to know that nothing short of the internet’s biggest player was the shield that one simple news site needed.
With criminals apparently able to call up so much horsepower, the wizards of DDoS defence might yet have to rethink their plans – and fast.
from Naked Security http://ift.tt/2doPr4T
Yahoo breach was not state-sponsored, researchers claim
The massive 2014 Yahoo breach isn’t the work of state-sponsored hackers as the company has claimed to believe, say researchers from identity protection and threat intelligence firm InfoArmor.
Instead, the breach was effected by a group of professional blackhats believed to be from Eastern Europe.
Group E: Masterminds of the attack
InfoArmor researchers have dubbed them “Group E”, and according to the firm’s knowledge, they have been hacking databases for years now, and were the ones behind the MySpace, Tumblr and LinkedIn hacks.
“The actual Yahoo data dump is still not available on any underground forums or marketplaces, and has been distributed from so called Group E to one of their proxies for further monetization based on the sale of particular records from the dump, which can be delivered based on the specific criteria of the buyer (login, recovery e-mail, geography, etc.),” the researchers note.
This proxy has sold parts of the database to at least three threat actors. Two of them were cybercriminals (a spammer and an underground affiliate network owner), and the third one looks like it could be a state-sponsored party interested in exclusive database acquisition (the sale was made in 2015).
The researchers believe that “the data theft of the Yahoo customer database may be the key in several targeted attacks against US Government personnel, which resulted after the disclosed contacts of the affected high-level officials of intelligence community happened in October 2015.”
They also believe that the batch of some 200 million Yahoo users offered for sale in early August on the dark web market TheRealDeal by a seller named “peace_of_mind” wasn’t actually stolen from Yahoo, but was based on multiple third-party data leaks that have no relation to Yahoo.
Yes, some of the records matched those of Yahoo users, but they chalk it up to the fact that many users reuse passwords across multiple online services. All in all, this batch seemed to have been intentionally misrepresented, in order for “Peace” to earn a few bucks.
InfoArmor says that Group E used “tessa88”, another seller on underground markets, as another proxy.
“This approach was ‘carefully’ orchestrated in order to mask the actual sources of the hacks and to commercialize the data in an anonymous manner, due to the fact that this data had been used by the threat actors for their own purposes, namely, targeted account takeover (ATO) and spam.”
“Peace” was just another seller that collaborated with “tessa” to exchange data batches each had, and to sell them on, they concluded.
Of course, we should also take this conjecture with a grain of salt, as there is no definitive proof. Definitive attribution of cyber attacks is still a major problem.
Yahoo and its poor security practices
This week, a group of US senators sent a letter to Yahoo CEO Marissa Mayer, asking her to provide information about the hack, how widespread it is, when it was discovered, when law enforcement was notified, and what the company is doing to prevent such a hack in the future.
The premise is still that Yahoo did their best to prevent such breaches from happening in the first place but, when it comes to security, the company has been lagging behind Google, Facebook and other Internet giants for years.
And even when Marissa Mayer took over as CEO in 2012, things didn’t get better.
She concentrated on keeping and building the company’s user base through different services, and repeatedly opted to forego the implementation of additional security measures to avoid more users jumping ship, internal sources told the New York Times.
Security expert Alex Stamos was brought on as CISO in 2014, and his pushing and his team’s enthusiasm managed to accomplish some good things (such as end-to-end encryption for email). But other proposed improvements, such as intrusion-detection mechanisms for the company’s production systems, were shot down.
“Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services,” NYT reports.
It’s unclear whether this means that they knew about the 2014 breach, or simply wanted to reset passwords after another hack that didn’t result in the exfiltration of user information.
from Help Net Security http://ift.tt/2d9EMjJ
D-Link DWR-932 router is chock-full of security holes
Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.
Kim went searching for them after he previously poked around some Quanta LTE routers and also found a huge number of flaws, and a D-Link DWR-932 user noted that the two router types have many similarities.
In fact, he says that D-Link’s router is based on the Quanta models, and inherited some of the vulnerabilities.
The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws.
In short, the firmware sports:
- Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
- A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
- Multiple vulnerabilities in the HTTP daemon
- Hardcoded remote Firmware Over The Air credentials
- Lowered security in Universal Plug and Play, and more.
“At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor,” says Kim, and advises users to stop using the device until adequate fixes are provided.
“As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump …), I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector (ie: hosting a sniffing tool, LAN hacking, active MiTM tool, spamming zombie),” he noted.
The router is still being sold and used around the world.
from Help Net Security http://ift.tt/2dnLQUt
The psychological reasons behind risky password practices
Despite high-profile, large-scale data breaches dominating the news cycle – and repeated recommendations from experts to use strong passwords – consumers have yet to adjust their own behavior when it comes to password reuse.
A Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.
Your personality will determine why – but not how – you get hacked
When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. Among key findings around personality types and online behavior, nearly half of respondents who identify as a Type A personality did not believe that they are at an increased risk by reusing passwords because of their own proactive efforts, which implies their behavior stems from their need to be in control.
In contrast, more than half of respondents who identify as a Type B personality believe they need to limit their online accounts and activities due to fear of a password breach. By convincing themselves that their accounts are of little value to hackers, they are able to maintain their casual, laid-back attitude towards password security. This suggests that while personality types didn’t factor into the end result of poor password habits, it does provide insight around why people behave this way.
Password paradox: You know it’s bad but you do it anyway
The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it.
Only five percent of respondents didn’t know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk.
What consumers prioritize when it comes to passwords
Consumers continue to fall short in their password creation. The survey findings show that when attempting to create secure passwords, 47 percent of respondents included family names or initials. Another 42 percent contain significant dates or numbers and 26 percent use the family pet – all information that is generally easily obtainable through social media sites or a casual acquaintance.
Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).
While it may seem counterintuitive to prioritize all of these accounts at the same level, the Identity Theft Resource Center reports that just 21 financial institutions have been breached in 2016 out of more than 657 businesses. If passwords are being reused across accounts, cybercriminals who hack a lower-prioritized account can easily gain access to something that is more critical, like a savings or credit card account.
“Developing poor password habits is a universal problem affecting users of any age, gender or personality type,” says Joe Siegrist, VP and GM of LastPass. “Most users admit to understanding the risks but continue to repeat the behavior despite knowing they’re leaving sensitive information vulnerable to potential hackers. In order to establish more effective defenses, we need to better understand why individuals act a certain way online and a system that makes it easier for the average user to better manage their password behavior.”
from Help Net Security http://ift.tt/2dmoUZA
Wednesday, September 28, 2016
Enhance iMessage security using Confide
One of the new features in iOS 10 offers the possibility of deploying specially crafted applications within iMessage. Most users will probably (ab)use this new functionality for sending tiresome animations and gestures, but some applications can actually provide added value for iMessage communication.
Confide for iMessage seems like a nice addition for those who want to build on the already solid security foundation of the iMessage/Messages environment.
Confide is a confidential messaging app. It has been available for iOS since 2013, and for Android since 2014. To take advantage of the benefits of the iMessage “add-on”, all parties involved in the communication will need to install the iOS app. It generally requires the use of a free account, but the developers say that if you want to use just the iMessage part, you don’t need to set up an account.
You can create messages via the Confide option located behind the App Store icon of the iMessages input field. As you can see from the accompanying images, the actual text of the communication is shielded and it is only available when you open the message and swipe with your finger from top to bottom.
As you swipe, parts of the message will appear. If the message has a couple of lines, you will initially see just the first portion of it – you’ll need to slowly swipe down to show the rest of the text. Strangely, it works the same for photos, so you never have the full image in front of you, just fractions of it.
All messages between Confide users are encrypted end-to-end. The encryption keys are generated locally, and this ensures that only the intended recipient can read your messages.
The company says the app uses “military grade cryptography”, but I couldn’t find any details about it. Communication is executed through Transport Layer Security. Users cannot view sent messages, and all received messages are deleted after they are read. Any unread confidential message will be automatically wiped after 48 hours.
from Help Net Security http://ift.tt/2dt63Oc
What’s driving boards of directors to make cyber security a top priority?
Almost half (46 percent) of board members believe compliance regulations help establish stronger security, but nearly 60 percent struggle with meeting increased mandates—a nearly 20 percent jump over the past two years, according to a nationwide survey by Osterman Research.
Chasm between intent and execution
Nearly half of the board members surveyed believe that regulations are very sufficient in helping to protect corporate data assets. However, as regulations increase, a growing proportion of companies struggle to satisfy their cyber security mandates.
Nearly 60 percent expressed that mandates are somewhat or very difficult to satisfy, a number that has increased by almost 20 percent from 2014 to 2016.
Knowledge is power
Three out of five board members believe that one or more of their fellow board members should be a CISO or some other type of cyber security expert.
With only one in six board members claiming substantial expertise in understanding the nuances and implications of cyber security issues, that power deficiency is driving a 60 percent belief that one or more board members should be a CISO or some other type of cyber security expert.
The drive to comply
The number one driver of board members making cyber security a top priority is complying with regulatory requirements. In the past two years, there has been an 11-fold increase in the number of organizations citing increased regulation from the government as a driver and a similarly dramatic increase from industry bodies.
Close behind, with a 10-fold increase, were fears of lawsuits and regulatory penalties. Shockingly, these factors drove more reaction and action than the experience of a breach at their own company.
“It is clear that boards understand that they are responsible for setting the cyber risk appetite of an organization. This current report shows that board members want to understand and be actively involved in the cyber risk reduction process. That includes making decisions that drive continuous compliance and going a step further by adding a board member with cyber-specific expertise who speaks the same language as the trusted security executives advising them,” said Ryan Stolte, CTO at Bay Dynamics.
from Help Net Security http://ift.tt/2dml0j4
Why digital hoarding poses serious financial and security risks
82 percent of IT decision makers admit they are hoarders of data and digital files, according to research conducted by Wakefield Research among 10,022 global office professionals and IT decision makers to look into how individuals manage data.
Significant concerns regarding data hoarding were highlighted, with 73 percent of all respondents indicating that they store data that could be potentially harmful to their organisations. These include: unencrypted personal records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence.
The digital hoarding struggle is real
The findings highlighted that IT decision makers are hoarding their digital files and saving 54 percent of all the data they create. In addition, 41 percent of all digital files created go unmodified for three or more years. While this indicates that data hoarding behaviour is common across organisations, many office professionals (48 percent) admit that they wouldn’t trust a data hoarder to turn in a project on time.
Respondents are also willing to do the unexpected in order to keep the files they’ve hoarded, giving up their clothes and weekends rather than deleting their files. Almost half (45 percent) would rather work weekends for three months than get rid of all of their digital files. Meanwhile, 46 percent would rather throw out all of their clothes than all of their digital files.
Employees overwhelmed by the deluge of data
A significant majority of IT decision makers were overwhelmed by the extent and amount of data that they are hoarding. About three quarters of IT decision makers frequently take time away from their daily responsibilities to deal with data hoarding. In addition, 69 percent of office pros admit to abandoning efforts to organise and delete their old digital files because it’s too overwhelming.
Employees struggle to determine if data has long-term importance or value. As a result, 47 percent of ITDMs have heard employees say they are afraid they’ll eventually need to refer to the data again.
IT decision makers admit to storing items that could be harmful to the company
The amount of data their company stores would increase the time it takes to respond to a data breach, according to 86 percent of IT decision makers. Moreover, what is being retained could itself be harmful, with 83 percent of IT decision makers and 62 percent of office professionals admitting they retained items that could be detrimental to their employer or their own career prospects. These include: unencrypted personnel records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence. Personal files make up quite a bit of the “junk” saved, with 96 percent of IT decision makers admitting to saving unnecessary personal files.
Data hoarding behaviour could mean GDPR compliance failure
In May 2018, the European parliament will implement the European General Data Protection Regulation (GDPR), a set of EU-wide laws designed to harmonise data protection across the region. Both EU-based companies and those outside doing business within are affected. With a focus on protecting EU citizens and their data from misuse and lax data security, the consequences for non-compliance are potentially huge. Maximum non-compliance fines are the higher of $22.3 million USD (€20 million) or four percent of worldwide turnover.
“In today’s digital age, virtually every organisation struggles with the challenges brought on by exponential data growth. As a result, office professionals and IT departments have reacted by hoarding data for ‘potential’ use in the future,” said Chris Talbott, solutions leader at Veritas Technologies. “To make matters worse, employees are downloading everything from personal music and photos, to shopping lists on the same servers, which could lead to serious brand integrity issues, hefty fines and regulatory inquiries if not properly managed by the IT department.”
from Help Net Security http://ift.tt/2dvvbmO
Build a Digital Dashboard for An Older Car With a Raspberry Pi
Have an older, pre-OBD-II car, but still want a fancy data screen? DIYer 240SF on YouTube figured out how to use a Raspberry Pi to add a digital display to an older Nissan with a consult port, which can likely be applied to a number of different systems.
The dash displays live speed, RPM, and coolant temperature. In this case, it grabs data from the Nissan’s Consult port, runs it through the software, then displays it on the Pi-powered screen. As it stands, this is written specifically for those special Nissan-specific ports, but the concept is adaptable to something else provided you can handle rewriting the JavaScript file on GitHub. Of course, there are plenty of other ways to do this if this one doesn’t work for you.
Under $170 Digital Dash | YouTube via Hackaday
from Lifehacker http://ift.tt/2dlpeEd
Tesla introduces code signing to harden their cars’ security
When researchers from Tencent’s Keen Security Lab discovered that they could leverage vulnerabilities to remotely hijack Tesla cars, they reported the issues to the automotive company, which rushed to implement a security feature it had been working on for a while: code signing.
There were several vulnerabilities, including one in Tesla S’ browser that would allow attackers to direct users towards a website hosting the malicious payload, and a privilege elevation flaw in the car’s Linux operating system that would allow attackers full access to the car’s head unit.
From there, they managed to send specific commands to the car’s driving components through the car’s CAN bus, by overwriting the firmware of the gateway that keeps the two systems separated and allows only certain messages to be sent through.
Tesla Motors was informed of the issues in early September, and by the time the researchers revealed their findings to the general public, an update with the new feature and the fixes had already been delivered to Tesla car owners via the over-the-air update mechanism.
Code signing, i.e. the signing of software (firmware) with a digital signature possessed only by the manufacturer, is a feature that has long been used to make sure that computers and smartphones run legitimate (non-malicious) software and software updates.
But despite organizations like I Am the Cavalry advising the automotive industry to implement code signing, big automakers resist the change.
Josh Corman, one of the founders of I Am the Cavalry, told Wired that he believes their resistance to the implementation of the feature is partly due to the fact that, unlike Tesla, they have less control over their supply chains, dealers, and aftermarket tools and mechanics.
But, in time, as the (in)security of connected vehicles becomes increasingly important, they will have to find a way to make the change, or risk getting passed over by consumers.
One of Tesla Motors’ stated goals is to serve as a positive example to other automakers. Let’s hope other automakers will follow their lead when it comes to the security of their cars’ computer systems.
from Help Net Security http://ift.tt/2dkbUUl
ICS-CERT releases new tools for securing industrial control systems
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.
While the former has received many updates through the years (this newer version is v8.0), the whitepaper is a “modernized” version of a document that was first released in 2009.
Both tools are offered for free, in the hope that they will be widely used.
Cyber Security Evaluation Tool
The Cyber Security Evaluation Tool is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate their industrial control system and information technology network security practices.
It does so by asking questions about system components, architectures, operational policies and procedures, and so on. The questions will depend on which government and industry cybersecurity standards the operators want their systems to adhere to.
“When the questionnaires are completed, CSET provides a dashboard of charts showing areas of strength and weakness, as well as a prioritized list of recommendations for increasing the site’s cybersecurity posture. CSET includes solutions, common practices, compensating actions, and component enhancements or additions,” ICS-CERT explains.
The team also offers onsite training and guidance to asset owners (in the US) who might encounter problems while using CSET. This help also comes at no cost. For instructions on how to download and install the tool, go here.
The whitepaper
ICS-CERT works to reduce risks within and across all critical infrastructure sectors – chemical, emergency services, energy, critical manufacturing, healthcare, IT, transportation, and so on.
This newest report will be helpful for organizations in each of those sectors, and concentrates on defense-in-depth strategies and a holistic approach to security.
“The concept of Defense in Depth is not new — many organizations already employ many of the Defense-in-Depth measures discussed in this document within their information technology (IT) infrastructures; however, they do not necessarily apply it to their ICS operations,” the experts who penned the report noted.
“In the past, most organizations did not see a need to do so. Legacy ICSs used obscure protocols and were largely considered ‘hack proof’ because of their separation from IT and because of having physical protection measures in place. But with the convergence of IT and ICS architectures, recent high-profile intrusions have highlighted the potential risk to control systems.”
Another problem that the defense-in-depth approach can minimize is the fact that there is a distinct lack of ICS-specific security solutions.
The report includes an overview of the current state of ICS cybersecurity, ICS defense-in-depth strategies, an overview of possible attacks against critical infrastructures, and recommendations for securing ICS. The latter includes adopting a proactive security model, key security countermeasures, and a variety of available services and tools (CSET is among them).
from Help Net Security http://ift.tt/2d3T2HB
Malware Tries to Detect Test Environment
A new malware tries to detect if it's running in a virtual machine or sandboxed test environment by looking for signs of normal use and not executing if they're not there.
From a news article:
A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found...looks for existing documents on targeted PCs.
If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
from Schneier on Security http://ift.tt/2djMC8D
OS analysis tool osquery finally available for Windows
Nearly two years after Facebook open sourced osquery, the social networking giant has made available an osquery developer kit for Windows, allowing security teams to build customized osquery solutions for Windows networks.
Osquery is an extremely popular operating system analysis tool for OS X and Linux. It exposes the OS as a high-performance relational database, and allows users to write SQL-based queries to explore OS data.
“With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes,” Facebook security engineer Nick Anderson noted in the announcement.
For example, and among other things, Facebook uses it for keeping an eye on all the browser extensions running on their corporate network, so that they can quickly spot and remove malicious ones.
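The browser-extension monitoring described above, as an added example (not Facebook's or the osquery project's code): osquery's query engine is SQLite, so Python's sqlite3 module can run the same style of SQL over constructed rows standing in for osquery's `users` and `chrome_extensions` tables. The reduced column set, the sample accounts, the extension identifiers and the allowlist are all assumptions made for the illustration.

```python
import sqlite3

# Reduced stand-ins for two osquery tables. The real tables expose more
# columns; only the ones the queries below touch are modelled here.
SCHEMA = """
CREATE TABLE users (uid INTEGER, username TEXT, directory TEXT);
CREATE TABLE chrome_extensions (
    uid INTEGER, name TEXT, identifier TEXT, version TEXT, path TEXT
);
"""

# Constructed sample data: accounts and extension identifiers are made up.
USERS = [
    (501, "alice", "/Users/alice"),
    (502, "bob", "/Users/bob"),
    (503, "carol", "/Users/carol"),
]
ID_PWMGR = "a" * 32
ID_ADBLOCK = "b" * 32
ID_UNKNOWN = "c" * 32


def _ext(uid, home, name, ident, version):
    """Build one constructed chrome_extensions row."""
    path = (f"{home}/Library/Application Support/Google/Chrome/Default/"
            f"Extensions/{ident}/{version}_0/")
    return (uid, name, ident, version, path)


EXTENSIONS = [
    _ext(501, "/Users/alice", "Password Manager", ID_PWMGR, "4.1.0"),
    _ext(501, "/Users/alice", "Ad Blocker", ID_ADBLOCK, "2.9.3"),
    _ext(502, "/Users/bob", "Password Manager", ID_PWMGR, "4.1.0"),
    _ext(502, "/Users/bob", "Free Video Downloader", ID_UNKNOWN, "0.0.7"),
    _ext(503, "/Users/carol", "Password Manager", ID_PWMGR, "3.8.2"),
]

# Hypothetical allowlist of extension identifiers the security team approved.
APPROVED = {ID_PWMGR, ID_ADBLOCK}

# Joining against users is what makes osquery report extensions for every
# local account instead of only the account running the query.
UNAPPROVED_SQL = """
SELECT u.username, e.name, e.identifier, e.version, e.path
FROM users AS u
JOIN chrome_extensions AS e USING (uid)
WHERE e.identifier NOT IN ({placeholders})
ORDER BY u.username, e.name;
"""

# "Stacking": extensions present for very few accounts are leads worth a
# look, not verdicts (an approved extension can be rare too).
RARE_SQL = """
SELECT e.identifier, e.name, COUNT(DISTINCT uid) AS user_count
FROM users AS u
JOIN chrome_extensions AS e USING (uid)
GROUP BY e.identifier, e.name
HAVING COUNT(DISTINCT uid) <= ?
ORDER BY e.name;
"""


def load_snapshot():
    """Load the constructed rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    db.executemany(
        "INSERT INTO chrome_extensions VALUES (?, ?, ?, ?, ?)", EXTENSIONS)
    return db


def unapproved_extensions(db, approved):
    """Return (username, name, identifier, version, path) rows for
    extensions whose identifier is not on the allowlist."""
    ids = sorted(approved)
    sql = UNAPPROVED_SQL.format(placeholders=", ".join("?" * len(ids)))
    return db.execute(sql, ids).fetchall()


def rare_extensions(db, max_users=1):
    """Return (identifier, name, user_count) for extensions installed by
    at most max_users accounts."""
    return db.execute(RARE_SQL, (max_users,)).fetchall()


if __name__ == "__main__":
    snapshot = load_snapshot()
    for row in unapproved_extensions(snapshot, APPROVED):
        print("unapproved:", row[0], row[1], row[2], row[3])
    for ident, name, count in rare_extensions(snapshot):
        print("rare:", name, ident, "users =", count)
```

Against a live host, the same `SELECT` statements would be issued through osquery with the allowlisted identifiers written into the `NOT IN` list.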
The port of osquery to Windows was performed with the help of engineers from independent infosec company Trail of Bits. They have documented the process and shared insight into the issues they’ve encountered and solutions they’ve come up with. They promised to write more about it for those that are interested in the technicalities of the process.
The port was worth the effort, they noted, as a similar solution for Windows was non-existent, despite the ubiquitousness of the OS in enterprise networks.
“To gather [operating system] information, you’d have to cobble together a manual solution, or pay for a commercial product, which would be expensive, force vendor reliance, and lock your organization into using a proprietary – and potentially buggy – agent. Since most of these services are cloud-based, you’d also risk exposing potentially sensitive data,” they noted.
To start using the developer kit on Windows, follow this guide.
from Help Net Security http://ift.tt/2d3EvvJ
Europol identifies eight main cybercrime trends
The volume, scope and material cost of cybercrime all remain on an upward trend and have reached very high levels. Some EU Member States now report that the recording of cybercrime offences may have surpassed those associated with traditional crimes.
An expansion both in the number of cybercriminal actors and opportunities to engage in highly profitable illegal activities has partly fuelled this trend, as has the development of new cybercrime tools in areas such as ATM fraud and mobile malware. However, a large part of the problem relates to poor digital security standards and practice by businesses and individuals.
A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.
“The relentless growth of cybercrime remains a real and significant threat to our collective security in Europe. Europol is concerned about how an expanding cybercriminal community has been able to further exploit our increasing dependence on technology and the Internet,” said Europol’s Director Rob Wainwright.
“We have also seen a marked shift in cyber-facilitated activities relating to trafficking in human beings, terrorism and other threats. In response law enforcement authorities have increased their skill-sets and their capability to work together in platforms such as the European Cybercrime Centre at Europol, but the growing misuse of legitimate anonymity and encryption services for illegal purposes remain a serious impediment to the detection, investigation and prosecution of criminals,” Wainwright concluded.
The Head of the European Cybercrime Centre, Steven Wilson said: “2016 has seen the further evolution of established cybercrime trends. The threat from ransomware has continued to grow and has now expanded into sectors such as healthcare. Europol has also seen the development of malware targeting the ATM network, impacting cash services worldwide. Online child sexual abuse continues to be a very high priority for all countries, with international cooperation established as a significant part of the strategy to protect children and identify victims. However there are many positives to be taken from this year’s report. Partnerships between industry and law enforcement have improved significantly, leading to the disruption or arrest of many major cybercriminal syndicates and high-profile individuals associated with child abuse, cyber intrusions and payment card fraud, and to innovative new prevention programmes such as the no more ransom campaign.”
Eight cybercrime trends from Europol’s 2016 Internet Organised Crime Threat Assessment (IOCTA)
Crime-as-a-Service – The digital underground is underpinned by a growing Crime-as-a-Service model that interconnects specialist providers of cybercrime tools and services with an increasing number of organised crime groups. Terrorist actors clearly have the potential to access this sector in the future.
Ransomware – Ransomware and banking Trojans remain the top malware threats, a trend unlikely to change for the foreseeable future.
The criminal use of data – Data remains a key commodity for cyber-criminals. It is procured for immediate financial gain in many cases but, increasingly, also acquired to commit more complex fraud, encrypted for ransom, or used directly for extortion.
Payment fraud – EMV (chip and PIN), geo-blocking and other industry measures continue to erode card-present fraud within the EU, but logical and malware attacks directly against ATMs continue to evolve and proliferate. Organised crime groups are starting to manipulate or compromise payments involving contactless (NFC) cards.
Online child sexual abuse – The use of end-to-end encrypted platforms for sharing media, coupled with the use of largely anonymous payment systems, has facilitated an escalation in the live streaming of child abuse.
Abuse of the Darknet – The Darknet continues to enable criminals involved in a range of illicit activities, such as the exchange of child sexual exploitation material. The extent to which extremist groups currently use cyber techniques to conduct attacks is limited, but the availability of cybercrime tools and services, and illicit commodities such as firearms on the Darknet, provides opportunity for this to change.
Social engineering – An increase of phishing aimed at high value targets has been registered by enforcement and private sector authorities. CEO fraud, a refined variant of spear phishing, has become a key threat.
Virtual currencies – Bitcoin remains the currency of choice for the payment for criminal products and services in the digital underground economy and the Darknet. Bitcoin has also become the standard payment solution for extortion payments.
from Help Net Security http://ift.tt/2djncrJ
Which celebrities generate the most dangerous search results?
Female comedian Amy Schumer knocked DJ Armin van Buuren off of the list to become the most dangerous celebrity to search for online, according to Intel Security.
Now in its 10th year, the McAfee Most Dangerous Celebrities study researched a broad list of well-known figures including actors, comedians, musicians, TV hosts, athletes and more. This research uncovers which celebrities generate the most dangerous search results that could expose fans to malware.
“Consumers today remain fascinated with celebrity culture and go online to find the latest pop culture news,” said Gary Davis, chief consumer security evangelist at Intel Security. “With this craving for real-time information, many search and click without considering potential security risks. Cybercriminals know this and take advantage of this behavior by attempting to lead them to unsafe sites loaded with malware. As a result, consumers need to understand what precautions to take to enable safe online experiences.”
Top 10 celebrities generating dangerous search results
The top 10 celebrities from this year’s study with the highest risk percentages include:
1. Amy Schumer – 16.11%
2. Justin Bieber – 15.00%
3. Carson Daly – 13.44%
4. Will Smith – 13.44%
5. Rihanna – 13.33%
6. Miley Cyrus – 12.67%
7. Chris Hardwick – 12.56%
8. Daniel Tosh – 11.56%
9. Selena Gomez – 11.11%
10. Kesha – 11.11%
Crowded with comedians
Kicking off her world tour this fall, comedian Amy Schumer tops the list as the Most Dangerous Celebrity – coming in at No. 1. Chris Hardwick (No. 7) of “Funcomfortable” fame and Daniel Tosh (No. 8) were also among the top 10, while Nikki Glaser (No. 15) and Kevin Hart (No. 25) made the top 25. Other funny females to make the list include: Grace Helbig (No. 26), Mindy Kaling (No. 30), Kristen Wiig (No. 52), Chelsea Handler (No. 54) and Ellen DeGeneres (No. 57).
Musicians top the charts
This year’s riskiest celebrities included some of the most sensational, chart-topping pop artists such as Justin Bieber (No. 2), Rihanna (No. 5), Miley Cyrus (No. 6), Selena Gomez (No. 9) and Kesha (No. 10). Pop, rap, hip-hop and a bit of country were represented by Drake (No. 13), Katy Perry (No. 14), Jason Aldean (No. 16), Justin Timberlake (No. 17), Jennifer Lopez (No. 18), Lady Gaga (No. 19), Nicki Minaj (No. 20), Iggy Azalea (No. 27), Beyoncé (No. 28) and Usher (No. 29) as they rounded out the top 30.
Late night TV shows
“Today” show anchor and “The Voice” host Carson Daly is the third Most Dangerous Celebrity, while late night hosts Seth Meyers (No. 11) and Conan O’Brien (No. 12) cracked the top 15. Host James Corden, widely known for his popular “Carpool Karaoke,” landed at No. 23, followed by John Oliver at No. 24 and Jimmy Kimmel at No. 32 – previously No. 1 in 2014 and No. 26 in 2015. Bill Maher rounds out the list at No. 34.
The Voice coaches make the cut
Three of the four celebrity coaches on “The Voice” this season, along with the host, are all in the top 50. Miley Cyrus leads the pack (No. 6), followed by Adam Levine (No. 41) and Blake Shelton (No. 66), as well as his girlfriend and rotating coach Gwen Stefani (No. 49). Blake Shelton’s fellow country superstars Jason Aldean (No. 16) and Luke Bryan (No. 39) are not far behind.
How to search safely
- Think before you click! Are you looking for the latest episode of Amy Schumer’s TV show, “Inside Amy Schumer”? Don’t click on that third-party link. Instead, get your content directly from the original source at comedycentral.com to ensure you aren’t clicking on anything that could be malicious.
- Use caution when searching for “torrent.” This term is by far the riskiest search term. Cybercriminals can use torrents to embed malware within authentic files making it difficult to determine if a file is safe. It’s best to avoid using torrents especially when there are so many legitimate streaming options available.
- Keep your personal information personal. Cybercriminals are always looking for ways to steal your personal information. If you receive a request to enter information like your credit card, email, home address or social media login, don’t give it out thoughtlessly. Do your research and ensure it’s not a phishing or scam attempt that could lead to identity theft.
- Use cross device protection. Consumers need to protect all facets of their digital lives regardless of where they are, what device they use or where they store their personal data. Use solutions that work across all your devices to deliver protection against threats, such as malware, hacking and phishing attacks.
from Help Net Security http://ift.tt/2d5ML1d
Tuesday, September 27, 2016
Mobile security stripped bare: Why we need to start again
We’re all familiar with the cartoon image of a character stopping a water leak by plugging a finger into the hole, only for another leak to start, needing another finger, and so on, until the character is soaked by a wave of water.
It’s a little like the current, fragmented state of mobile security – the range of threats is growing fast, outpacing current security measures. Also, the devices themselves have inherent vulnerabilities that can be exploited by resourceful attackers. So it’s no surprise that enterprises are struggling with the issue of mobile security.
Finding flaws and mRATs
The list of potential security challenges and vulnerabilities across Android and iOS devices is complex. It starts with the devices’ mobility: they connect to public cellular networks, corporate networks, public hotspots and home internet providers, and back again. This makes them vulnerable to Man in the Middle (MitM) attacks via rogue cellular base stations, WiFi hotspots or compromised public networks, allowing attackers to track, intercept and eavesdrop on data traffic and even voice calls, using SS7 protocol exploits.
Then, the Android and iOS mobile operating systems themselves have been shown time and time again to be plagued with vulnerabilities that smart malicious hackers can exploit to their advantage. One major recent example is ‘Quadrooter’, a privilege escalation vulnerability shown to affect over 900 million Android devices. These vulnerabilities often have long patching cycles which can take months to roll out, leaving millions of devices vulnerable to remote attack.
Similarly, iOS has also recently been in the headlines after news broke that it had been compromised in the NSO hack. This affected all Apple devices, making iOS, the phone’s resources and any application running on it, including security apps such as anti-virus, vulnerable to attack. It’s worth highlighting that this wasn’t discovered by Apple or any detection applications but was only discovered because the attacker was negligent in concealing it.
Mobile remote access trojans (mRATs) give an attacker the ability to remotely access the resources and functions on Android or iOS devices, and stealthily exfiltrate data without the user being aware. mRATs are often embedded in supposedly benign apps available from appstores. Compromised or falsely certified apps are another security risk, as they can allow attackers to remotely take over devices, using the device resources without the user being aware.
As a result, the mobile security industry is always playing catch-up. Zero-day attacks, where cybercriminals exploit inbuilt vulnerabilities on mobile operating systems that haven’t yet been patched or even identified, are a major ongoing problem.
Protection versus performance
Ultimately, there are three main threat vectors for mobile devices. These are: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (Cellular, WiFi, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code (virtually as well as physically); and targeting the data on the device and the resources/functions the device/underlying OS provides access to such as microphone, camera, GPS, storage, network connectivity, etc.
While there is a wealth of technologies designed to help manage the security gaps on devices – from Enterprise Mobile Management to mobile anti-malware – these protections come at a price. First, a collection of multiple security tools and processes is a big drain on processing power, complex to manage, and doesn’t really fix the underlying device and OS vulnerabilities. Second, the conventional approach to mobile security is based on locking down or denying features and functions. This causes further problems with end-user acceptance. It’s critical to balance security and usability: If protecting the device forces people to change the way they use it, they will find workarounds that will also undermine security measures.
So if enterprises are to continue harnessing the benefits of mobile devices without compromising their performance and usability, then we need to rethink our approach to mobile security, from the ground up.
Secure foundations
This new approach starts with the foundations of the mobile device: the OS and firmware. As the various software layers on devices have fundamental vulnerabilities which can be exploited, these should be replaced with secure, hardened versions from which the flaws have been removed/patched and advanced security layers have been put in place to effectively manage and protect against those three threat vectors mentioned above. This means attackers cannot use their conventional techniques to target vulnerabilities – but the device is still using an OS that the user is familiar with, giving users access to the full app ecosystem, so usability is not affected or restricted.
This stronger foundation is then used to build a strong security architecture consisting of four layers to address each of the three main mobile threat vectors. The first layer is the Encryption Layer, in charge of encrypting all data stored on the phone, as well as all traffic from and to the device, securing all communications, whether voice, data or messaging, from any network sniffing and man-in-the-middle attacks.
The second layer is the Protection Layer, securing the device’s externally available interfaces, from WiFi, cellular, USB, NFC, Bluetooth to web. These need protecting against threats using an embedded firewall to monitor and block all downloads and exploit attempts.
The next layer is the Prevention Layer, monitoring for unauthorized attempts to access operating system functions like stored data, the microphone or camera, location technology and so on. These need their own specialist protective technologies.
The final layer is the Detection and Enforcement Layer, monitoring, detecting and blocking execution attempts of malicious code or misbehaving apps, in the same way that we currently monitor for device and network anomalies on corporate networks.
In conclusion, mobile security is currently too fragmented, and the range of threats growing too fast for conventional protections. Instead of plugging leaks as they appear, we need to start again, from the foundations up – and fundamentally rethink the way in which we protect and secure mobile devices.
from Help Net Security http://ift.tt/2dywj5n
By 2018, 25 percent of new mobile apps will talk to IoT devices
With the convergence of devices, bots, things and people, organizations will need to master two dimensions of mobility, according to Gartner. CIOs and IT leaders will need to excel at mainstream mobility and to prepare for the post-app era.
“The future of mobile will provide ubiquitous services delivered anywhere, by any person or thing, to any person or thing,” said David Willis, VP and distinguished analyst at Gartner. “While users are constantly looking for new and compelling app experiences, the importance of apps in delivering services will diminish and the emergence of virtual personal assistants (VPAs) and bots will replace some of the functions performed by apps today. Alternative approaches to interaction and service delivery will arise, and code will move from traditional mobile devices and apps to the cloud,” said Mr. Willis.
Mobile becomes “business as usual”
“The mobile landscape has changed dramatically during the past few years; mobile is no longer a novel technology, but business as usual, for most organizations,” said Mr. Willis. In 2016, Gartner forecasts the shipment of 2.37 billion devices (PCs, tablets, ultramobiles and mobile phones), and that 293 million wearables will be sold in the same year. In 2017, Gartner estimates that 2.38 billion devices will be shipped and 342 million wearables will be sold.
“The proliferation of mobile devices means that phones, tablets, laptops and wearables are now omnipresent within the business environment, reinventing the way people interact and work,” said Mr. Willis.
Today’s tech users are smart and savvy, demanding better features and experiences. The traditional forms of bring your own (that is, devices and applications) will continue to grow, making bring your own device and bring your own application the norm for the majority of organizations. “Moreover, the arrival of wearables and bring your own “thing” (such as smart kettles, smart power sockets or smart light bulbs) in the workplace will introduce new interaction techniques and new platforms, diluting the need for specific mobile app experiences,” said Mr. Willis.
Much of the innovation in the mobile space isn’t taking place inside the smartphones themselves, but in the things that communicate with them. Gartner predicts that by 2018, 25 percent of new mobile apps will talk to Internet of Things (IoT) devices.
Most IoT devices that talk to smartphones do so via an app or the browser. “Through 2018, the app will be the preferred mechanism, because it provides a better experience and allows more sophisticated interactions and data analysis, with low-level networking and background processing,” said Mr. Willis.
However, the current dominance of apps is challenged by several trends that, together, Gartner labels the “post-app era”. “As new technologies grow in importance as a way to control and interact with things, app interfaces will fade,” added Mr. Willis.
Prepare for the post-app era today
New ways to interact with things will deliver pervasive services, and emerging technologies, such as artificial intelligence, natural-language processing and bots integrated into messaging apps, open new opportunities to interact with users seamlessly.
A number of global players are enabling businesses and consumers to “chat” with users on their messaging platform, evolving APIs and services so that developers can create their own bots. This concept allows users to chat with organizations to get information, answer questions and transact through messaging or VPAs.
“This means that instead of going into a system and filling out complicated forms with checkboxes, users can ask a bot a question, and it will answer or negotiate on our behalf, based on rules and knowledge in the system,” said Mr. Willis. “It will then move to those systems that allow interactions with customers — from marketing to sales.”
“Apps are not going away and code isn’t vanishing,” added Mr. Willis. “The post-app era means that there will be more data and code in the cloud and less on the device, thanks to the continuous improvement of cellular network performance.”
“The post-app era will be an evolving process through 2020 and beyond,” concluded Mr. Willis. “It has, however, already begun, and organizations should prepare for it by being agile and tactical, planning for new skills, assessing the new opportunities created by the post-app era, and developing a digital business strategy that integrates many different technologies.”
from Help Net Security http://ift.tt/2dqmfzE
Many tech senior decision-makers don’t understand encryption
Nearly a quarter of tech senior decision-makers in the UK don’t fully understand encryption, according to PKWARE.
This number increases to 40% in the retail sector and half in the healthcare sector. Overall, only 50% of respondents said they encrypt their customer data.
“It’s hard to believe how many companies are still scraping by with such lax security when handling their customers’ valuable data. Just being compliant with basic security regulations isn’t enough anymore. As demonstrated by numerous high profile cyber-attacks, organisations need to encrypt their data and have foolproof security measures in place,” said Miller Newton, CEO of PKWARE.
Additionally, the survey revealed that 40% of UK tech senior decision-makers agree with the Investigatory Powers Bill, which would allow the government to bypass encryption. This demonstrates a lack of understanding of what encryption is and why it should be used.
Additional findings from the survey include:
- Less than half of all tech decision-makers train their staff in security measures.
- Only 40% of companies implement a clean desk policy – a move which doesn’t require any investment.
- Only 35% of tech decision-makers think their staff definitely knows enough about data security and encryption to avoid a cyber-attack.
from Help Net Security http://ift.tt/2cBAoc6
Project Springfield: Cloud-based fuzz testing for uncovering million-dollar bugs
This Monday Microsoft debuted Project Springfield, a cloud-based fuzz testing (aka fuzzing) service that the company has been working on for quite a while.
David Molnar and Patrice Godefroid, two of the key researchers behind Project Springfield, have been claiming since 2010 that fuzzing in the cloud will revolutionize security testing, and now they have provided the means to prove that assertion.
What is fuzz testing?
Fuzz testing is a method for discovering bugs and security vulnerabilities in software by hitting it with random and unexpected inputs. Some of the inputs thrown at the software will cause crashes, thus revealing the existence of a bug and pointing programmers in the right direction to fix it.
Fuzz testing improves software security because it often finds bugs that human testers fail to find.
In fact, Microsoft used SAGE – a fuzzing technology they developed and employed internally, and a key component of Project Springfield – to test Windows 7 before it was released. Through it, they found one third of the “million dollar” security bugs affecting the OS.
About Project Springfield
“Project Springfield works on binaries, with no source code or private symbols needed,” Microsoft explains. “You need to be able to install software you deploy on a virtual machine that runs in Azure, provide a “test driver” that exercises your software, and a set of sample inputs. Project Springfield uses these to create many test cases for exercising your program.”
The service performs (among other things) white-box fuzz testing with the help of artificial intelligence. This way, the fuzzing is more focused and, they claim, definitely more effective.
Project Springfield incorporates SAGE, but also other fuzz testing tools. Users interact with the service through a web portal.
“Project Springfield reports security vulnerabilities in real time on the secure web portal. Customers can download actionable test cases to reproduce the issue,” they explain. “Customers can prioritize and fix bugs, then re-test to ensure the effectiveness of the fix.”
Project Springfield is currently being used by a number of enterprise customers, and others are welcome to sign up for a free evaluation.
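To make the workflow described above concrete (sample inputs, a test driver, crashes as the signal, then a re-test after the fix), here is a minimal random-mutation fuzzer, added as an illustration; it is not Microsoft's code and not part of the original article. It is black-box mutation fuzzing, not the white-box approach SAGE uses, and the record format, parser and all function names are constructed for the example.

```python
import random

MAGIC = b"RC"

def make_record(payload: bytes) -> bytes:
    """Constructed toy format: MAGIC | length byte | payload | checksum byte."""
    return MAGIC + bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])

def parse_record(data: bytes, check_bounds: bool = False) -> bytes:
    """Toy target. With check_bounds=False it trusts the length byte (the bug)."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ValueError("bad header")            # clean rejection
    n = data[2]
    if check_bounds and len(data) < 4 + n:
        raise ValueError("truncated record")      # the fix
    payload = data[3:3 + n]
    checksum = data[3 + n]                        # IndexError if the length byte lies
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload

def parse_record_fixed(data: bytes) -> bytes:
    return parse_record(data, check_bounds=True)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random edits: insert, bit flip, overwrite, truncate."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(4)
        if not buf or choice == 0:
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif choice == 1:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif choice == 2:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        else:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def run_driver(target, data: bytes):
    """Test driver: None if the input was handled cleanly, else a crash label."""
    try:
        target(data)
    except ValueError:
        return None                  # expected rejection of malformed input
    except Exception as exc:         # anything else is an unhandled failure
        return type(exc).__name__
    return None

def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Return {crash label: shortest input found that reproduces it}."""
    rng = random.Random(rng_seed)    # fixed seed so a run can be repeated
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        label = run_driver(target, case)
        if label and (label not in crashes or len(case) < len(crashes[label])):
            crashes[label] = case
    return crashes

# Sample inputs (constructed): two well-formed records.
SEEDS = [make_record(b"hello"), make_record(b"")]

if __name__ == "__main__":
    for name, target in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        print(name, fuzz(target, SEEDS))
```

The saved reproducer plays the role of the downloadable test case: it is replayed against the fixed parser to confirm the crash is gone.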
from Help Net Security http://ift.tt/2d3widU