Wednesday, January 31, 2018

What are “WannaMine” attacks, and how do I avoid them?


There’s a hot security news topic right now that combines the ETERNALBLUE exploit and cryptomining.

ETERNALBLUE is infamous for having been used in the WannaCry worm, so the combination of this method of breaking in, followed by a cryptomining payload, has been dubbed WannaMine.

WannaMine attacks aren’t a new thing, but the number of enquiries our Support team are receiving from people wanting to know about the issue has risen sharply this year.

Support asked us if we’d make a Facebook Live video about it…so here it is:




from Naked Security http://ift.tt/2ErNUtm

The Ransomware Survival Handbook

When a ransomware infection spreads through your network, its goal is to encrypt any files it can access (even backups) as quickly as possible. That can happen in a matter of minutes or even seconds. And from there, the clock starts ticking. Because everyone is expecting you to get things back up and running.

Read The Ransomware Survival Handbook and learn how to recover quickly and effectively (and not get hit again).

Ransomware Survival Handbook

Written based on advice from IT pros who experienced ransomware first hand, the handbook provides you with essential tips and recovery lessons you don’t have to learn the hard way.

What’s inside the handbook:

  • Breakdowns of the most likely infection scenarios
  • Clear step-by-step instructions for containing and responding to a ransomware attack so you can get back to work
  • Important tips for ransomware prevention that go beyond having good backups.


from Help Net Security http://ift.tt/2DMZVMO

Attackers disrupt business operations through stealthy crypto mining

WannaMine, a Monero-mining worm discovered last October, is increasingly wreaking havoc on corporate computers.


Either by slowing down computers or by crashing systems and applications, the crypto mining worm is, according to CrowdStrike researchers, seriously affecting business operations and rendering some companies unable to operate for days and even weeks.

In one case, a client informed CrowdStrike that nearly 100 percent of its environment was rendered unusable due to overutilization of systems’ CPUs.

As criminals’ appetite for cryptocurrencies and for “free” mining resources grows, enterprises will have to keep their systems secure against progressively more sophisticated tactics.

A fileless attack

The initial infection vector is not mentioned, but patient zero in the network was most likely tricked into running a file carrying an exploit.

What is known is that the threat spreads through corporate networks by using Mimikatz to harvest legitimate credentials and then using those credentials to log in to other machines.

If that approach fails, it attempts to exploit the remote system with EternalBlue, the exploit used by WannaCry in May 2017.

WannaMine uses Windows Management Instrumentation (WMI) permanent event subscriptions to persist on a system, and stores the code it executes in the WMI repository.

“Its fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus,” CrowdStrike researchers pointed out. Endpoint solutions that can detect and block malicious scripts and processes that fuel the mining are a better solution in this case.
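Even without a next-generation endpoint product, a responder can at least list what is registered in the WMI subscription namespace and whether the SMBv1 attack surface that EternalBlue needs is still open. The PowerShell below is an illustration added here; it is not CrowdStrike’s code or anything from the original article. The trigger and command-line patterns it flags are generic heuristics chosen for this example, not WannaMine’s actual filter or consumer names, which the article does not give. It assumes an elevated PowerShell 5 session on the host being examined.

```powershell
# Added example: enumerate WMI permanent event subscriptions and flag the traits
# WannaMine-style persistence tends to show, then report SMBv1 exposure.
# Run elevated. Nothing is removed automatically.
function Get-WmiSubscriptionFindings {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Reference properties render as '__EventFilter.Name="X"' (WMI cmdlets) or
        # '__EventFilter (Name = "X")' (CIM cmdlets); the regex accepts both forms.
        $f = $filters   | Where-Object { "$($b.Filter)"   -match ('Name\s*=\s*"' + [regex]::Escape($_.Name) + '"') } | Select-Object -First 1
        $c = $consumers | Where-Object { "$($b.Consumer)" -match ('Name\s*=\s*"' + [regex]::Escape($_.Name) + '"') } | Select-Object -First 1

        $consumerClass = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }
        $payload = ''
        if ($c -and $c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }   # CommandLineEventConsumer
        elseif ($c -and $c.ScriptText)      { $payload = $c.ScriptText }            # ActiveScriptEventConsumer
        $filterName = if ($f) { $f.Name }  else { "$($b.Filter)" }
        $query      = if ($f) { $f.Query } else { '' }

        # Heuristics chosen for this example; tune them to your environment.
        $flags = @()
        if ($consumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { $flags += 'executes a command or script' }
        if ($payload -match 'powershell|-enc\b|-e\b|FromBase64String|DownloadString|IEX|Invoke-Expression|mshta|regsvr32') { $flags += 'encoded, downloader or LOLBin command' }
        if ($query -match '__InstanceModificationEvent|Win32_LocalTime|Win32_PerfFormattedData|__TimerEvent') { $flags += 'timer-style trigger' }
        if (-not $f -or -not $c) { $flags += 'binding references a missing filter or consumer' }

        [pscustomobject]@{
            FilterName    = $filterName
            Query         = $query
            ConsumerClass = $consumerClass
            Payload       = $payload
            Flags         = ($flags -join '; ')
        }
    }
}

function Test-Smb1Exposure {
    # EternalBlue (MS17-010) targets SMBv1; report whether this host still serves it.
    $result = [ordered]@{ Smb1ServerEnabled = $null; Smb1FeatureInstalled = $null }
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol }
    # Client SKUs expose the optional feature; on servers use Get-WindowsFeature FS-SMB1 instead.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureInstalled = ($feat.State -eq 'Enabled') }
    [pscustomobject]$result
}

Get-WmiSubscriptionFindings | Format-List
Test-Smb1Exposure
```

A handful of legitimate bindings (for example SCM event log filters shipped with Windows) will show up with an empty Flags column; anything that pairs a timer-style query with a CommandLineEventConsumer running PowerShell deserves a look. When a subscription does turn out to be malicious, remove the binding first, then the consumer, then the filter (each with Remove-CimInstance), and keep a copy of the query and payload for the incident record.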


from Help Net Security http://ift.tt/2nxRgmL

After Section 702 Reauthorization

For over a decade, civil libertarians have been fighting government mass surveillance of innocent Americans over the Internet. We've just lost an important battle. When President Trump signed the renewal of Section 702 on January 18, domestic mass surveillance became effectively a permanent part of US law.

Section 702 was initially passed in 2008, as an amendment to the Foreign Intelligence Surveillance Act of 1978. As the title of that law says, it was billed as a way for the NSA to spy on non-Americans located outside the United States. It was supposed to be an efficiency and cost-saving measure: the NSA was already permitted to tap communications cables located outside the country, and it was already permitted to tap communications cables from one foreign country to another that passed through the United States. Section 702 allowed it to tap those cables from inside the United States, where it was easier. It also allowed the NSA to request surveillance data directly from Internet companies under a program called PRISM.

The problem is that this authority also gave the NSA the ability to collect foreign communications and data in a way that inherently and intentionally also swept up Americans' communications as well, without a warrant. Other law enforcement agencies are allowed to ask the NSA to search those communications, give their contents to the FBI and other agencies and then lie about their origins in court.

In 1978, after Watergate had revealed the Nixon administration's abuses of power, we erected a wall between intelligence and law enforcement that prevented precisely this kind of sharing of surveillance data under any authority less restrictive than the Fourth Amendment. Weakening that wall is incredibly dangerous, and the NSA should never have been given this authority in the first place.

Arguably, it never was. The NSA had been doing this type of surveillance illegally for years, something that was first made public in 2006. Section 702 was secretly used as a way to paper over that illegal collection, but nothing in the text of the later amendment gives the NSA this authority. We didn't know that the NSA was using this law as the statutory basis for this surveillance until Edward Snowden showed us in 2013.

Civil libertarians have been battling this law in both Congress and the courts ever since it was proposed, and the NSA's domestic surveillance activities even longer. What this most recent vote tells me is that we've lost that fight.

Section 702 was passed under George W. Bush in 2008, reauthorized under Barack Obama in 2012, and now reauthorized again under Trump. In all three cases, congressional support was bipartisan. It has survived multiple lawsuits by the Electronic Frontier Foundation, the ACLU, and others. It has survived the revelations by Snowden that it was being used far more extensively than Congress or the public believed, and numerous public reports of violations of the law. It has even survived Trump's belief that he was being personally spied on by the intelligence community, as well as any congressional fears that Trump could abuse the authority in the coming years. And though this extension lasts only six years, it's inconceivable to me that it will ever be repealed at this point.

So what do we do? If we can't fight this particular statutory authority, where's the new front on surveillance? There are, it turns out, reasonable modifications that target surveillance more generally, and not in terms of any particular statutory authority. We need to look at US surveillance law more generally.

First, we need to strengthen the minimization procedures to limit incidental collection. Since the Internet was developed, all the world's communications travel around in a single global network. It's impossible to collect only foreign communications, because they're invariably mixed in with domestic communications. This is called "incidental" collection, but that's a misleading name. It's collected knowingly, and searched regularly. The intelligence community needs much stronger restrictions on which American communications channels it can access without a court order, and rules that require they delete the data if they inadvertently collect it. More importantly, "collection" is defined as the point the NSA takes a copy of the communications, and not later when they search their databases.

Second, we need to limit how other law enforcement agencies can use incidentally collected information. Today, those agencies can query a database of incidental collection on Americans. The NSA can legally pass information to those other agencies. This has to stop. Data collected by the NSA under its foreign surveillance authority should not be used as a vehicle for domestic surveillance.

The most recent reauthorization modified this lightly, forcing the FBI to obtain a court order when querying the 702 data for a criminal investigation. There are still exceptions and loopholes, though.

Third, we need to end what's called "parallel construction." Today, when a law enforcement agency uses evidence found in this NSA database to arrest someone, it doesn't have to disclose that fact in court. It can reconstruct the evidence in some other manner once it knows about it, and then pretend it learned of it that way. This right to lie to the judge and the defense is corrosive to liberty, and it must end.

Pressure to reform the NSA will probably first come from Europe. Already, European Union courts have pointed to warrantless NSA surveillance as a reason to keep Europeans' data out of US hands. Right now, there is a fragile agreement between the EU and the United States -- called "Privacy Shield" -- that requires Americans to maintain certain safeguards for international data flows. NSA surveillance goes against that, and it's only a matter of time before EU courts start ruling this way. That'll have significant effects on both government and corporate surveillance of Europeans and, by extension, the entire world.

Further pressure will come from the increased surveillance coming from the Internet of Things. When your home, car, and body are awash in sensors, privacy from both governments and corporations will become increasingly important. Sooner or later, society will reach a tipping point where it's all too much. When that happens, we're going to see significant pushback against surveillance of all kinds. That's when we'll get new laws that revise all government authorities in this area: a clean sweep for a new world, one with new norms and new fears.

It's possible that a federal court will rule on Section 702. Although there have been many lawsuits challenging the legality of what the NSA is doing and the constitutionality of the 702 program, no court has ever ruled on those questions. The Bush and Obama administrations successfully argued that defendants don't have legal standing to sue. That is, they have no right to sue because they don't know they're being targeted. If any of the lawsuits can get past that, things might change dramatically.

Meanwhile, much of this is the responsibility of the tech sector. This problem exists primarily because Internet companies collect and retain so much personal data and allow it to be sent across the network with minimal security. Since the government has abdicated its responsibility to protect our privacy and security, these companies need to step up: Minimize data collection. Don't save data longer than absolutely necessary. Encrypt what has to be saved. Well-designed Internet services will safeguard users, regardless of government surveillance authority.

For the rest of us concerned about this, it's important not to give up hope. Everything we do to keep the issue in the public eye -- and not just when the authority comes up for reauthorization again in 2024 -- hastens the day when we will reaffirm our rights to privacy in the digital age.

This essay previously appeared in the Washington Post.


from Schneier on Security http://ift.tt/2BFIhEY

Mozilla plugs critical and easily exploitable flaw in Firefox

Firefox users would do well to upgrade to the browser’s latest release if they want to keep their computers safe from compromise.

CVE-2018-5124

Released on Monday, Firefox 58.0.1 contains a single but very important security fix that plugs a vulnerability arising from insufficient sanitization of HTML fragments in chrome-privileged documents. (In this context, chrome is not the popular Google browser, but the privileged user-interface layer of Firefox itself.)

The vulnerability (CVE-2018-5124) is considered critical because a successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. And if the user has elevated privileges, the attacker could compromise the system completely.

Another reason for such a classification is that exploitation can be triggered with just a bit of clever social engineering.

“An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software,” Cisco explained in an advisory.

“To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a targeted user to open a crafted file.”

The flaw was found in Firefox versions 56 through 58 by Mozilla developer Johann Hofmann. Firefox for Android and Firefox 52 ESR are not affected.

Users and administrators are advised to apply the software update as soon as possible and, in general, to avoid following links or opening attachments contained in unsolicited (email) messages that come from unrecognized sources.


from Help Net Security http://ift.tt/2Es0Xef

Multiple zero-day vulnerabilities found in ManageEngine products

Digital Defense uncovered multiple, previously undisclosed vulnerabilities within several Zoho ManageEngine products.


ManageEngine offers more than 90 tools to help manage IT operations, including networks, servers, applications, service desk, Active Directory, security, desktops, and mobile devices. Currently, the company claims to have more than 40,000 customers, including three out of every five Fortune 500 companies.

Vulnerability impact

The discovered vulnerabilities allow unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.

Affected applications include: ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.

Summary:

  • DDI-VRT-2018-01 – Unauthenticated File Upload via /servlets/CmClientUtilServlet
  • DDI-VRT-2018-02 – Unauthenticated Blind SQL Injection via /servlets/RegisterAgent
  • DDI-VRT-2018-03 – Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet
  • DDI-VRT-2018-04 – Multiple Unauthenticated Blind SQL Injections via /embedWidget
  • DDI-VRT-2018-05 – Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL
  • DDI-VRT-2018-06 – Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler
  • DDI-VRT-2018-07 – User Enumeration via /servlets/ConfServlet

What you can do

Zoho ManageEngine has addressed the vulnerabilities and is making patches available for each of the affected applications.


from Help Net Security http://ift.tt/2FtaeSL

Cisco plugs critical hole in many of its enterprise security appliances

There’s an eminently exploitable remote code execution flaw in the Adaptive Security Appliance (ASA) Software running on a number of Cisco enterprise appliances, and admins are advised to plug the hole as soon as possible.


The Cisco Product Security Incident Response Team (PSIRT) says that it is aware of public knowledge of the vulnerability, but not of any current malicious use of it. Nevertheless, active exploitation might be close at hand.

About the vulnerability

The vulnerability (CVE-2018-0101) was found by Cedric Halbronn of NCC Group in the Secure Sockets Layer (SSL) VPN functionality of the Cisco ASA Software.

“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device,” Cisco explained.

The flaw is deemed critical, as it can be easily exploited by unauthenticated, remote attackers.

There are no available workarounds for it, but luckily Cisco has already pushed out fixed releases of the Cisco ASA Software, as well as of the Cisco FTD Software, which supports the vulnerable Remote Access VPN feature.

Among the vulnerable products are the 3000 Series Industrial Security Appliance (ISA), the ASA 5500-X Series Next-Generation Firewalls, the ASA 1000V Cloud Firewall, the Adaptive Security Virtual Appliance (ASAv), and many others.

Administrators are advised to upgrade to fixed releases. Because the attack described above needs a webvpn-configured interface, the output of the show running-config webvpn command on each ASA is a quick way to see which devices have the feature enabled, and on which interfaces, so that those upgrades can be prioritised.

The complete list of affected appliances and fixed software releases can be found in Cisco’s advisory.


from Help Net Security http://ift.tt/2BF9cR3

How to prepare for the future of digital extortion

Digital extortion has evolved into the most successful criminal business model in the current threat landscape, and Trend Micro researchers predict that it will continue to grow rampant because it’s cheap, easy to commit, and many times the victims pay.


Attackers can go after a wide variety of targets

The line between blackmail and extortion is blurred in the digital realm.

“Many digital crimes we normally think of as blackmail are, in fact, extortion — like ransomware,” the researchers pointed out.

“Likewise, some crimes categorized as extortion are actually not. Sextortion comes to mind, wherein an individual is forced to perform acts of a sexual nature under the threat of having compromising material regarding them exposed online.”

In short, any attempt by a criminal to coerce a victim into doing something – paying money or performing a favor – falls within the realm of digital extortion. But the big difference between offline and online extortion is the wide variety of assets that can be targeted in the digital domain.

Attackers can:

  • Encrypt company secrets
  • Steal customer or other compromised data and threaten to divulge it
  • Lock devices and ask for ransom in exchange for restoring access to the device
  • Ask for money in exchange for stopping attacks on the victim’s websites
  • Ask for money in exchange for fixing a hacked process, or for not disrupting processes or sabotaging production, and so on.

End users, on the other hand, are usually targeted with ransomware or become victims of sextortion.

Also, some users who want to keep their (potentially compromising) online personas separate from their real identities have lately been targeted by attackers who threaten to reveal their names publicly if they don’t pay up (e.g., in the wake of the Ashley-Madison breach).

Successful approaches and future attempts

How successful the attackers are in blackmailing targets depends on how much they ask and what leverage they have.

“Given data breach laws and regulations and the very significant impact hacks can have on a company’s reputation, the recurring cost of the extortionist’s fees may fall within the corporate victim’s loss tolerance for brand protection. In that case, some corporate victims may decide to simply pay,” the researchers noted.

Sextortionists, on the other hand, are often successful, and especially when they don’t ask for money, but (usually sexual) favors – the victims panic and comply, and by doing so provide the extortionist with more material for blackmail.

The researchers predict that more and more extortionists will take advantage of social media, threatening users and companies with smear campaigns.

Machine learning capabilities that can be used to create convincing face-swap videos will likely only add to the problem, for private and public individuals alike.

A classic smear campaign is more effective in the digital world than in real life.

“Digital data lasts longer than real-world news: a successful smear campaign in 2016 may still be showing high in search ratings in 2017 or later. News can also spread faster online, with social media able to transmit news – fake or otherwise – with the click of a button. That is decidedly a factor in these attacks.”

The researchers expect ransomware peddlers to focus their attention on industries and companies that yield the most return, such as those in the healthcare and manufacturing sectors. They also expect ransomware to be perfected (quicker encryption of files, speedier infection and spreading, minimized interaction with the victim, dynamic pricing).

Finally, with the increasing use of IoT devices, wearables, and smart cars, digital extortionists can be expected to hijack devices, prevent users from accessing them or render them inoperable until they pay up, steal interesting data stored on them and hold it for ransom, and so on.

“Another way cybercriminals could bridge the gap between the digital space and the physical world: requesting physical favors as payments instead of mere monetary payment. As we have alluded previously, a generic blackmail attack is likely to fail. However, a person with enough access to a building can be blackmailed to provide temporary untraceable access in exchange for his or her naked pictures not being made public,” the researchers noted.

“With this in mind, we can also see how attackers with political agendas may spy on influential leaders and hold information for ransom in exchange for political advantages or perhaps other smaller favors.”

It is, in fact, possible that these situations already happen, but as they are unlikely to reach public attention, we don’t know about them.

Be prepared

Trend Micro advises companies to have potential digital extortion scenarios figured out, so they can react quickly and adequately.

DDoS attacks and smear campaigns should be countered by sharing the situation with the press and asking administrators of the sites where the smear campaign is being run to help with prevention.

“In incident response plans, any new or novel assets should be taken into account. Assets such as blockchain technology accounts, wallets, and the like should be reflected in the plan, as well as what to do when those are compromised or attacked. The same is true for any business process that is susceptible to being attacked. Any system involved should be accounted for and a viable strategy to deal with extortion attacks should be devised ahead of time,” they noted.

Individuals who are targeted with sextortion must know that the demands will never end, and should not give in to them.

“A solution here is to go to the authorities to report the incident and hopefully trigger an investigation that would lead to the arrest and indictment of the culprit. Conversely, when the victim gives less value to the material the extortionist already has, the data also loses value in the attacker’s eyes and will be less likely to use it,” the researchers concluded.


from Help Net Security http://ift.tt/2rQSO0u

Dridex gang follows trends, also created FriedEx ransomware

The gang behind the infamous banking Trojan Dridex has also created the FriedEx (aka BitPaymer) ransomware, ESET researchers confidently claim.


The similarities between Dridex and FriedEx

By analyzing and comparing the code of both threats, the researchers discovered a handful of similarities:

  • Both malware families use the same function for generating a UserID (i.e., one that derives a unique string from several attributes of the victim’s machine)
  • Most of the other functions that correspond to the specific malware functionalities are the same and are listed in the same order in the binaries
  • The two threats use the same malware packer
  • The PDB (Program Database) paths included in the analyzed malware binaries are the same (and unique to the Dridex and FriedEx projects)
  • Several Dridex and FriedEx samples have the same date of compilation (with time differences of several minutes at most) and consistent randomly generated constants, which means that the samples were probably built during the same compilation session
  • Malware binaries of both threats were compiled with Visual Studio 2015.


“With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers,” the researchers noted.
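The compile-time overlap is the one finding in that list an analyst can reproduce with nothing more than a hex offset. The PowerShell below is an added illustration, not ESET’s tooling or anything from the original article: it reads the COFF TimeDateStamp from each PE file in a folder (paths are placeholders) and groups samples whose build times fall within a few minutes of each other. It does not extract PDB paths or packer fingerprints, and a build timestamp can be forged or zeroed, so a cluster is a lead to follow up with the other checks, not proof on its own.

```powershell
# Added example: cluster PE samples by COFF compile timestamp.
# Offsets: e_lfanew at 0x3C in the DOS header; 'PE\0\0' at e_lfanew;
# the COFF header follows, with TimeDateStamp 4 bytes into it (e_lfanew + 8).
function Get-PeCompileTime {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }   # no 'MZ'
    $peOffset = [BitConverter]::ToUInt32($bytes, 0x3C)                                            # e_lfanew
    if ($peOffset -gt ($bytes.Length - 24)) { return $null }                                      # truncated file
    if ([BitConverter]::ToUInt32($bytes, [int]$peOffset) -ne 0x00004550) { return $null }         # no 'PE\0\0'
    $stamp = [BitConverter]::ToUInt32($bytes, [int]$peOffset + 8)                                 # COFF TimeDateStamp
    if ($stamp -eq 0) { return $null }                                                            # zeroed: reproducible build or tampering
    [DateTimeOffset]::FromUnixTimeSeconds([long]$stamp).UtcDateTime
}

function Group-SamplesByCompileTime {
    param([Parameter(Mandatory)][string[]]$Path, [int]$WindowMinutes = 10)
    $items = foreach ($p in $Path) {
        $t = Get-PeCompileTime -Path $p
        if ($t) { [pscustomobject]@{ Path = $p; CompileTime = $t } }
    }
    # Walk the samples in time order; start a new cluster when the gap exceeds the window.
    $cluster = 0; $prev = $null
    foreach ($it in ($items | Sort-Object CompileTime)) {
        if ($prev -and ($it.CompileTime - $prev).TotalMinutes -gt $WindowMinutes) { $cluster++ }
        [pscustomobject]@{ Cluster = $cluster; CompileTimeUtc = $it.CompileTime; Path = $it.Path }
        $prev = $it.CompileTime
    }
}

# Usage with placeholder paths: only clusters with more than one member are shown.
Group-SamplesByCompileTime -Path (Get-ChildItem 'C:\samples\*.exe', 'C:\samples\*.dll' | ForEach-Object FullName) |
    Group-Object Cluster | Where-Object Count -gt 1 | ForEach-Object Group | Format-Table -AutoSize
```

Run it against a mixed corpus of Dridex and FriedEx samples and the families should land in shared clusters if the ESET observation holds; samples from unrelated families rarely share a ten-minute window by chance, but a packer that rewrites the header will defeat the check, which is one reason the original analysis leans on several independent signals.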

An active group

This discovery points to the group being active on multiple fronts: they consistently update the banking malware (a new code injection technique that makes it easier to avoid AV detection, a new MS Word zero-day exploit to help the malware spread), but also follow the latest malware trends and participate in them (they created their own ransomware).

FriedEx was first detected in July 2017, concentrates on higher profile targets (companies), and is usually delivered via an RDP brute force attack. Dridex first appeared in 2014. The Dridex botnet has had its ups and downs over the years, but continues to chug along.


from Help Net Security http://ift.tt/2rS6GHB

Secret Service warning: Jackpotting ATM attacks reach the US


Attacks targeting ATMs, called “jackpotting,” which have been seen in Europe and Asia for some time, have now reached the US, according to a recent alert from the US Secret Service obtained by Brian Krebs.

One of Krebs’s sources reported that the Secret Service is warning about the appearance in the US of ATM malware known as Ploutus.D, which has been actively in use for ATM jackpotting since 2013.

The Secret Service alert also warns that ATMs running Windows XP are “particularly vulnerable” and advises updating them.

Yes, there are still ATMs running Windows XP.

And yes, people still need reminding that it’s time to update – even extended support for the stripped-down Windows XP Embedded ended more than two years ago.

How the attack works

Jackpotting attacks usually happen in two stages.

First, an attacker performs some basic reconnaissance to figure out a way in to the ATM – usually a model with a front-facing panel, as it’s easier for the attacker to access.

Next, the attacker connects a computer up to the ATM, and either swaps out the hard drive entirely or gains access to the ATM’s software and operating system.

In order to evade suspicion, the attacker may pose as an ATM technician so they can hook up the computer to the ATM out in the open.

Once connected to the machine, the attacker will deploy malware that puts the ATM under their control while appearing to be out of service.

In the second stage, which can happen at a later and less conspicuous time, attackers return to the compromised ATM and command it to quickly dispense all its cash – this usually happens within just a few minutes, according to the report by Krebs.

ATMs remain a tantalizing target

Jackpotting isn’t the only reason that cybercrooks might show up in the vicinity of your local ATM – there’s also card skimming and “casher crew” raids for financial institutions to worry about.

There’s a common thread running through these attacks: they’re not solo operations, as they usually have multiple criminals coordinating the various steps to hit the ATMs and get away with the cash as quickly as possible.

Right now it’s not clear how widespread the new jackpotting attacks are in the US, but it’s clearly something the Secret Service isn’t taking lightly.



from Naked Security http://ift.tt/2nmgrcl

Subway Elevators and Movie-Plot Threats

Local residents are opposing adding an elevator to a subway station because terrorists might use it to detonate a bomb. No, really. There's no actual threat analysis, only fear:

"The idea that people can then ride in on the subway with a bomb or whatever and come straight up in an elevator is awful to me," said Claudia Ward, who lives in 15 Broad Street and was among a group of neighbors who denounced the plan at a recent meeting of the local community board. "It's too easy for someone to slip through. And I just don't want my family and my neighbors to be the collateral on that."

[...]

Local residents plan to continue to fight, said Ms. Gerstman, noting that her building's board decided against putting decorative planters at the building's entrance over fears that shards could injure people in the event of a blast.

"Knowing that, and then seeing the proposal for giant glass structures in front of my building -- ding ding ding! -- what does a giant glass structure become in the event of an explosion?" she said.

In 2005, I coined the term "movie-plot threat" to denote a threat scenario that caused undue fear solely because of its specificity. Longtime readers of this blog will remember my annual Movie-Plot Threat Contests. I ended the contest in 2015 because I thought the meme had played itself out. Clearly there's more work to be done.


from Schneier on Security http://ift.tt/2DKqoqj

UK critical operators risk £17m fines for poor cybersecurity practices

UK essential service operators risk fines of up to £17 million if they fail to implement robust protections against cyber attack.


The penalties will apply to energy, transport, water, digital infrastructure, and health firms.

“A simple, straightforward reporting system will be set up to make it easy to report cyber breaches and IT failures so they can be quickly identified and acted upon. It will also cover other threats affecting IT such as power outages, hardware failures, and environmental hazards. Under the new measures recent cyber breaches such as WannaCry and high profile systems failures would be covered by the Network and Information Systems (NIS) Directive,” the UK government said.

“These incidents would have to be reported to the regulator who would assess whether appropriate security measures were in place. The regulator will have the power to issue legally-binding instructions to improve security, and – if appropriate – impose financial penalties.”

The new rules are the result of the UK implementation of the EU Network and Information Systems (NIS) Directive, and will go into effect on May 10.

Margot James, Minister for Digital and the Creative Industries, encouraged all public and private operators in these essential sectors to consult NCSC’s advice on how they can improve their cybersecurity.

A welcome directive

“It’s only a matter of time before we see a category 1 attack and we need to be prepared. GDPR compliance stole many of the headlines last year, but the NIS Directive is the most important deadline in May for the future protection of the nation,” Steve Malone, Director of Security Product Management at Mimecast, told Help Net Security.

“Robust business continuity strategies have never been more important to ensure organizations can continue to operate during an attack and get back up on their feet quickly afterwards. This legislation signals the move away from pure protection-based cybersecurity thinking.”

Lorena Marciano, EMEAR Data Protection and Privacy Officer at Cisco, noted that the UK government’s announcement demonstrates its awareness of the risks cyber attacks pose to organizations and the ramifications of not having appropriately robust provisions in place.

“Yet, the financial implications of these sanctions are set to go well beyond the suggested £17m fines,” she says.

“According to Cisco’s Data Privacy Benchmarking Study, 74% of organizations which are seen as privacy-immature experienced losses of more than £350,000 in 2017, as a result of data breaches. This comes in stark comparison to those companies which went beyond data privacy compliances, with only 39% of privacy mature organizations seeing losses of a similar amount. These figures indicate that provisions shouldn’t be adopted for the single purpose of avoiding fines, but that organizations which are willing to go beyond the set compliances will reap the long-term financial benefits as well as protecting customer data.”


from Help Net Security http://ift.tt/2rQ6Uiz

Achieving zero false positives with intelligent deception

Cyber attacks are not single events. When attackers compromise an asset, they do not initially know where that asset sits. They must determine where they are in the network, what the network structure is and where they can find valuable information. That means attackers carefully try to find out as much as possible about the organization. This is precisely the behavior that intelligent deception technology can exploit in order to thwart attackers and protect organizations.

Breadcrumbs are clues for a potential attacker that an intelligent deception platform intentionally leaves behind on organizational systems. These clues create a false trail that lead attackers to decoys and traps that catch them while protecting real assets. However, in order for breadcrumbs to be effective, they must look and feel like real information and credentials to an attacker and create a persuasive false trail back to deception decoys and traps.

There are four kinds of breadcrumbs that can be combined to thwart an attacker as they seek the credentials and connections they require to complete their mission of theft and destruction. These are:

  • Credential and Active Directory breadcrumbs
  • File and data breadcrumbs
  • Network breadcrumbs
  • Application breadcrumbs

Credential and Active Directory breadcrumbs

As part of their reconnaissance, attackers try to find credentials that will give them access to high value systems in your organization. This presents a key opportunity to create and store fake user credentials and permissions in your Active Directory system.

When a decoy associated with a faked user appears in AD as a regular user of the organization, it presents a tempting target for an attacker who is trying to locate the right account to abuse, for example one that can reset other users' passwords. The AD deception model uses faked users in Active Directory. Those users run on the decoys spread throughout the organization and periodically access AD as regular users with different permission levels would. This creates the impression of legitimacy and furthers the persuasiveness of the deception. When an attacker accesses a decoy by following the breadcrumbs in AD, a validated decoy alert is triggered automatically, prompting an immediate response from administrators and security operations teams.

While querying AD, attackers will spot the decoy systems that are accessing AD and be led to the decoys. Meanwhile, sensitive and protected systems remain safe.

Beyond fake Active Directory accounts and false information, these breadcrumbs can also include elements like passwords in registry keys for decoy services and SPN (service principal name) entries. If an attacker uses a decoy credential, a validated detection fires even for man-in-the-middle style attacks, prompting rapid escalation and response.

File and data breadcrumbs

File based breadcrumbs are some of the simplest and most versatile deception elements available. File and data breadcrumbs can include deception elements such as documents, emails, database entries and recent-file lists that point to shared folders on the decoy systems. Documents that are created and placed on real machines include information about decoy systems that looks interesting to attackers.

They can also contain passwords and credentials for servers and accounts in the organization, creating tempting targets and reconnaissance material for would-be attackers. Since each organization is different, it is ideal when these file and data breadcrumbs appear as real as any other organizational content. Documents, naming conventions, and templates should be customized with the customer's actual logos and usernames while simultaneously pointing to decoys. Common examples include:

  • A text file of some application configuration that contains a username and password
  • A technical document common to every organization, such as instructions on how to connect to the corporate VPN
  • IT/corporate documents (txt, doc, xls, pdf, etc.)

When an attacker accesses documents, emails or other data contained in these kinds of breadcrumbs, they are directed toward decoys and away from protected systems.

This has the effect of both increasing the attacker’s activity footprint and thwarting them in their attempts to locate sensitive information.
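The credential and file breadcrumbs described above only pay off if something watches for the decoy identities being used. The following added example (not code from the original article or from any deception vendor) renders a decoy "how to connect to the VPN" document around a honeytoken account and decoy gateway host, then runs a detector over constructed authentication log lines (a key=value export of Windows logon events 4624/4625 and an OpenSSH syslog line) and raises a validated alert whenever a decoy user or decoy host is touched. The account and host names, the document template and the log lines are all assumptions made up for this example.

```python
import re
from dataclasses import dataclass, asdict

# Decoy identities. A breadcrumb account is never issued to a real person and a
# breadcrumb host resolves only to a decoy, so any use of either is attacker
# activity by construction. (Hypothetical names chosen for this example.)
DECOY_USERS = {"svc_backup_ro", "vpn.admin2"}
DECOY_HOSTS = {"vpn-gw-02.corp.example", "fs-finance-01.corp.example"}

VPN_DOC_TEMPLATE = """\
Corporate VPN - connection instructions (IT Helpdesk)
1. Install the VPN client from the software portal.
2. Gateway: {host}
3. Sign in with your domain account. Shared helpdesk test account:
   user: {user}
   pass: {password}
Do not share this document outside the company.
"""


def make_vpn_breadcrumb(user: str, password: str, host: str) -> str:
    """Render a decoy 'how to connect to the VPN' document.

    A real deployment would substitute the organization's own template and
    naming conventions; the only fabricated parts are the account and the
    gateway host, both of which must point at a decoy.
    """
    if user not in DECOY_USERS or host not in DECOY_HOSTS:
        raise ValueError("breadcrumb must reference a decoy user and decoy host")
    return VPN_DOC_TEMPLATE.format(user=user, password=password, host=host)


# Two log shapes the detector understands: a Windows Security event exported
# as key=value text (4624 = logon success, 4625 = logon failure) and an
# OpenSSH syslog line. Both formats are assumed for this example.
WIN_RE = re.compile(
    r"EventID=(?P<event>4624|4625)\s+TargetUserName=(?P<user>\S+)\s+"
    r"WorkstationName=(?P<host>\S+)\s+IpAddress=(?P<ip>[\d.]+)")
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")


@dataclass
class Alert:
    severity: str
    user: str
    src_ip: str
    target: str
    reason: str


def parse_auth_event(line: str):
    """Normalize one log line to (user, src_ip, target_host, success) or None."""
    m = WIN_RE.search(line)
    if m:
        return m["user"], m["ip"], m["host"], m["event"] == "4624"
    m = SSH_RE.search(line)
    if m:
        # The syslog prefix "<date> <hostname> sshd[pid]:" carries the target host.
        target = line.split(" sshd[")[0].split()[-1]
        return m["user"], m["ip"], target, m["result"] == "Accepted"
    return None


def detect_honeytoken_use(lines):
    """Return an Alert for every authentication that touches a decoy.

    Decoy users and hosts have no legitimate users, so a hit is a validated
    detection rather than a heuristic score. Failed attempts count too: a
    password guess against a decoy account already proves the breadcrumb
    was read.
    """
    alerts = []
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None:
            continue
        user, ip, target, ok = ev
        if user in DECOY_USERS:
            alerts.append(Alert("critical" if ok else "high", user, ip, target,
                                "decoy credential used"))
        elif target in DECOY_HOSTS:
            alerts.append(Alert("high", user, ip, target,
                                "authentication to decoy host"))
    return alerts


# Constructed sample log lines (not real data): a normal logon, the decoy
# account used successfully from a real workstation, and an SSH password
# guess against a decoy host.
SAMPLE_LOGS = [
    "EventID=4624 TargetUserName=j.doe WorkstationName=WS-0412 IpAddress=10.1.20.15",
    "EventID=4624 TargetUserName=svc_backup_ro WorkstationName=WS-0412 IpAddress=10.1.20.15",
    "Jan 29 03:14:07 fs-finance-01.corp.example sshd[2231]: Failed password for invalid user root from 10.1.20.15 port 51322 ssh2",
]

if __name__ == "__main__":
    print(make_vpn_breadcrumb("svc_backup_ro", "Summer2018!", "vpn-gw-02.corp.example"))
    for alert in detect_honeytoken_use(SAMPLE_LOGS):
        print(asdict(alert))
```

The point of the design is that the detector needs no baseline or scoring: the set of decoy identities is the allow-list of things that must never appear in authentication logs, which is what makes the "validated alert" claim in the text hold. In practice the same check should also be fed from the source that issued the breadcrumb (which file, on which host, was planted with which account), so the alert can name the machine the attacker read it from.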

A word about emails

Email messages have an important role as breadcrumbs in a deception system. Despite the ease with which emails can be read, they are still used extensively to transmit sensitive data from one person to another. In other words, emails are often high on an attacker’s reconnaissance list because of the sensitive data they all-too-often contain.

Furthermore, emails are more often read by the attackers themselves than by the automated malware they have deployed. This affords emails a high degree of credibility with attackers and makes them excellent deception breadcrumbs.

Network breadcrumbs

There are a number of ways decoys are designed to create network noise that lures attackers. Decoys communicate with assets in the organization and with the DNS server, and they announce themselves using the same discovery protocols that other assets in the organization use. This behavior is an effective lure for attackers looking to conduct MITM (man-in-the-middle) attacks: it adds entries to hosts' ARP (address resolution protocol) caches and shows open connections to the decoys.

Attackers investigating the ARP cache for interesting IPs and MAC addresses spot the decoy entries and pursue that false trail, or tamper with the protocols that lure them into attempting MITM interception, which in turn triggers automated, validated alerts to the security team.

Application breadcrumbs

Application breadcrumbs should ideally be broad and varied. Session breadcrumbs drop tempting SSH, FTP and RDP credentials for would-be attackers. Web browser breadcrumbs create a trail that leads to decoys through history, cookies, stored passwords and bookmarks. The deceptive illusion comes alive when attackers see the data they expect to find.

Conclusion

Deception solutions are a very good source of threat intelligence and a good way to detect infected assets inside the organization. Because they interact with attackers, unlike perimeter or endpoint solutions that attempt to block them, they can monitor attacker activity and track the patterns of their advance.

To attract attackers, decoys are made to resemble the target systems as closely as possible. They have the look and feel of systems that an attacker seeks. Intelligent deception solutions actively lure attackers to the decoys once they have penetrated the perimeter. These lures, or breadcrumbs, exploit the fact that when an attacker initially exploits an asset, they are essentially blind. The attacker cannot tell where in the network he has landed, so he starts looking for other assets that have been accessed from the infected asset.

The attacker looks for tools that the infected asset is currently using, credentials that the exploited system may be using and other systems to which the affected asset is connected. This evidence of credentials and connections is a necessity if the attacker is to continue the exploit and successfully navigate to sensitive and protected systems in the organization.

Intelligent deception takes advantage of the attacker’s initial hunt for credential and connection by creating deceptive breadcrumbs that lead to decoys. Breadcrumbs can take many forms. From cookies to registry values, to emails to files, to ARP table values and beyond – all with fake credentials and fake data that attackers find irresistible.

Breadcrumbs should be strategically placed in order to be effective. An intelligent deception solution passively scans network traffic and analyzes the applications being used on each asset, the communication graphs in the organization, the behavior of assets including internet communication habits, and much more. Using all of this data, an intelligent deception solution can deliver better, automated detection and response with fewer false positives.


from Help Net Security http://ift.tt/2DXFfRz

What is a security data lake?

The concepts of the data lake and the specialized security data lake are relatively new. While data lakes have a bit of a head start in adoption – largely among data science teams – some security teams are beginning to look into security data lakes to keep afloat in the wash of security log data they amass every day. Understanding the capabilities and differences between the two types of repositories will help determine if implementing one is right for your organization.

What is a data lake?

A data lake is a repository designed to store large amounts of data in native form. This data can be structured, semi-structured or unstructured, and include tables, text files, system logs, and more.

The term was coined by James Dixon, CTO of Pentaho, a business intelligence software company, and was meant to evoke a large reservoir into which vast amounts of data can be poured. Business users of all kinds can dip into the data lake and get the type of information they need for their application. The concept has gained in popularity with the explosion of machine data and rapidly decreasing cost of storage.

There are key differences between data lakes and the data warehouses that have traditionally been used for data analysis. First, data warehouses are designed for structured data, whereas data lakes do not impose a schema on the data when it is written, or ingested. Rather, the schema is applied when the data is read, or pulled, from the data lake, which allows multiple use cases on the same data. Lastly, data lakes have grown in popularity with the rise of data scientists, who tend to work in a more ad hoc, experimental fashion than the business analysts of yore.

How is a security data lake different?

A security data lake is a specialized data lake. A security analyst could certainly pull from a generic data lake built for multiple applications, but several things would prove more difficult.

Every security product, network device, endpoint computer and server creates its own logs. In some cases, security products like DLP and IPS also store a copy of network and endpoint logs. To investigate, say, a user suspected of accessing a system without permission, a security analyst needs the logs produced by every relevant system: the wireless router, the endpoint computer, the server that was accessed and the DLP application. Centralizing all relevant logs in a security data lake simplifies the investigation by removing the work of collecting logs from each of these systems separately.

To collect all of this information, a security data lake needs to connect to and parse many different types of logs. With hundreds of security solutions on the market, not to mention all the networking device types, this can be a daunting task. A security data lake automates the connection, via an API or other method. The data lake also automates the processing of the data when loaded (known as parsing), and the schedule on which the data is collected.

Lastly, analysts often need additional context to perform an investigation. Details like user location, device type, and job role help an analyst understand what the user was attempting and whether there might be a legitimate reason for accessing certain systems or data. A person from the sales team accessing a server in finance might cause alarm, unless that person is in sales operations and calculates commissions. A security data lake will append, or enrich, log data with this kind of additional information.

Key capabilities of a security data lake

Here are five key capabilities security buyers should look for in a security data lake:

1. Automated collection: With hundreds of commonly used security, networking, computer and mobile device types in organizations, an automated collection process is the only practical way to keep the data up to date. It is not uncommon for large organizations to have billions of security-related logs per day. Unlike the periodic tasks of the data scientist, the security analyst needs all logs, every day.

Automation requires a method to schedule the data fetch, e.g. via an API call, or to accept a data push from a given system via protocols and feeds like syslog, NetFlow, and Cisco eStreamer. Once the data is received, it must be parsed. A large parser library is essential, along with support for the wide range of log formats and protocols used across security applications, networking devices, computers and mobile devices.

2. Security context: The time-series data found in log files is verbose but lacks the organization and context an analyst needs. A security data lake helps organize log files and enriches them with important contextual information. For example, to a WiFi router connection log event, a security data lake would add device type, geolocation and job title. Someone logging in from an unknown computer, or from a distant location, might cause an analyst to raise a red flag, unless perhaps that person is a salesperson who travels frequently. Device information alone is not sufficient. Insider threats are often detected based on the role of the user; a developer accessing HR files could be deemed suspicious.

3. Hostname-to-IP mapping: IP addresses are typically assigned dynamically. The DHCP service on an office WiFi router, for example, will assign and reassign the same IP address to multiple machines, sometimes in the same day. Though it may sound like a very tactical requirement, it is essential. Tracking down malicious insiders or criminals who have breached a network requires knowing which machine, and therefore which user, held which IP address at what time of day. Without mapping addresses to machines at a given time, even vast numbers of logs in the security data lake will be largely useless.

4. Security analysis and reporting interface: The types of research done by security analysts are quite different from those done by data scientists. Security analysts are usually trying to demonstrate compliance, look for risky behavior, or investigate a breach that has already happened. For this they need search, alerting and reporting capabilities built into the data lake. SOC managers cannot expect analysts to master query languages or specialized analytical languages like R. Security data lakes need to provide a simpler way for analysts to search and understand the information contained within them.

5. Scale-out architecture: While all data lakes need to scale, it is especially important for security data lakes. Why? The sheer volume of data ingestion and the required retention. Analysts need access to all security events in order to recreate timelines. Also, depending on local laws, industry regulations, and audit practices, organizations may be required to retain log data for months to years. Scaling out to a multi-node cluster, rather than up to a larger machine, has the advantages of virtually unlimited storage capacity and a good fit for flexible cloud deployment.
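Capabilities 2 and 3 above are where a generic data lake most often falls short, so here is an added example (not code from the original article or from any data lake product) of the enrichment step they describe: a DHCP lease log is indexed so that an IP address can be resolved to the machine that actually held it at the event's timestamp, the machine is joined to an asset directory that supplies user, job role and location, and a simple illustrative policy flags accesses whose role is not expected for the resource. The lease records, directory entries, file-server events and the role policy are all constructed for this example; the second and third events show why the time component matters, because the same IP maps to a different laptop after the lease changes and to nothing at all in the gap between leases.

```python
import bisect
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Lease:
    """One DHCP lease: `ip` belonged to `hostname` from `start` (inclusive) to `end` (exclusive)."""
    ip: str
    hostname: str
    start: datetime
    end: datetime


class LeaseIndex:
    """Answers 'which host held this IP at time t?' from a lease log."""

    def __init__(self, leases):
        self._by_ip = defaultdict(list)
        for lease in sorted(leases, key=lambda l: l.start):
            self._by_ip[lease.ip].append(lease)
        self._starts = {ip: [l.start for l in ls] for ip, ls in self._by_ip.items()}

    def resolve(self, ip: str, at: datetime):
        leases = self._by_ip.get(ip)
        if not leases:
            return None
        i = bisect.bisect_right(self._starts[ip], at) - 1  # last lease that started <= at
        if i >= 0 and at < leases[i].end:
            return leases[i].hostname
        return None  # IP was unassigned (or the lease log has a gap) at that instant


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Asset/HR directory (constructed): the context the raw event lacks.
DIRECTORY = {
    "LT-0412": {"user": "j.doe", "role": "Sales Operations", "location": "London"},
    "LT-0877": {"user": "a.lee", "role": "Software Engineer", "location": "Berlin"},
}

# Illustrative policy: which roles are expected to read each tagged resource.
# Sales Operations is allowed on finance data because they calculate commissions.
EXPECTED_ROLES = {"finance": {"Finance", "Sales Operations"}, "hr": {"HR"}}


def enrich_event(event: dict, index: LeaseIndex, directory=DIRECTORY) -> dict:
    """Attach hostname, user, role and location to a raw access event and
    flag it for review when the machine is unknown or the role is unexpected."""
    host = index.resolve(event["src_ip"], parse_ts(event["ts"]))
    who = directory.get(host, {})
    out = dict(event, hostname=host, user=who.get("user"),
               role=who.get("role"), location=who.get("location"))
    tag = event.get("resource_tag")
    out["needs_review"] = host is None or (
        tag in EXPECTED_ROLES and out["role"] not in EXPECTED_ROLES[tag])
    return out


def enrich_events(events, leases, directory=DIRECTORY):
    index = LeaseIndex(leases)
    return [enrich_event(e, index, directory) for e in events]


# Constructed DHCP lease log: one IP handed to two different laptops on the same day.
SAMPLE_LEASES = [
    Lease("10.1.20.15", "LT-0412", parse_ts("2018-01-29T08:00:00"), parse_ts("2018-01-29T12:00:00")),
    Lease("10.1.20.15", "LT-0877", parse_ts("2018-01-29T13:30:00"), parse_ts("2018-01-29T18:00:00")),
]

# Constructed file-server access events, all from the same source IP.
SAMPLE_EVENTS = [
    {"ts": "2018-01-29T09:15:00", "src_ip": "10.1.20.15", "server": "fin-share-01",
     "resource_tag": "finance", "action": "read"},
    {"ts": "2018-01-29T14:05:00", "src_ip": "10.1.20.15", "server": "fin-share-01",
     "resource_tag": "finance", "action": "read"},
    {"ts": "2018-01-29T12:30:00", "src_ip": "10.1.20.15", "server": "fin-share-01",
     "resource_tag": "finance", "action": "read"},  # falls between the two leases
]

if __name__ == "__main__":
    for row in enrich_events(SAMPLE_EVENTS, SAMPLE_LEASES):
        print(row["ts"], row["hostname"], row["user"], row["role"], "review" if row["needs_review"] else "ok")
```

Two details matter when this is done at scale. Leases must be compared with half-open intervals, otherwise an event stamped at the exact hand-over second is attributed to two machines; and an IP that resolves to nothing is itself a finding, since it means either a gap in lease collection or a device that obtained an address outside DHCP, and the row should be kept with `hostname=None` rather than dropped.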

Security data lakes hold the promise of helping security analysts become more efficient in performing an incident investigation or hunting for threats. Knowing what to look for is an important first step in improving security. Without this specialized technology, even the most skilled analyst risks drowning in a sea of data.


from Help Net Security http://ift.tt/2BFKJLO

British cryptocurrency traders robbed of Bitcoin at gunpoint

Cryptocurrency heists are usually covert affairs that leave users with empty wallets, but not fearing for their lives. Still, there are always some unlucky individuals who get the worst of everything.

Case in point: Bitcoin traders Danny Aston and Amy Jay, who were robbed at gunpoint on January 22 in their home in Moulsford, Oxfordshire (UK).

The two are directors of Aston Digital Currencies, and Aston traded cryptocurrency online under the pseudonym “Goldiath.” He has carried out more than 100,000 trades, and the attackers likely discovered his real identity because some of his clients referred to him by his real name.

Once they knew that piece of information, finding an address to go with the name and the company was easy.

According to the Daily Mail, the four masked robbers broke into the couple's house in the morning, tied the woman up, left the couple's baby in a pram outside, and forced the man to transfer the company's Bitcoin stash to a Bitcoin address they control.

The amount of Bitcoin the attackers stole is still unknown.

Instances of cryptocurrency heists at gunpoint are rare

Another similar, but ultimately failed heist happened in Ottawa, Canada, on January 20.

According to the Daily Beast, three armed thieves entered the offices of Canadian Bitcoins, a brick-and-mortar Bitcoin exchange, tied four employees up, and attempted to coerce them to complete a Bitcoin transaction to an address provided by them.

A fifth employee who managed to go unnoticed by the attackers alerted the police.

As the police descended on the offices, the thieves fled without getting what they came for. One of them was arrested and charged, the others are still at large.

These are not the first instances of criminals attempting to physically force Bitcoin owners to part with their stash.

Last December, Pavel Lerner, CEO of the UK-registered cryptocurrency exchange Exmo Finance, was kidnapped by armed attackers as he was exiting the company’s offices in Kiev, Ukraine. He was released after paying the $1 million bitcoin ransom.


from Help Net Security http://ift.tt/2BAzfsZ

Lenovo Fingerprint Manager Pro is full of fail

Lenovo Fingerprint Manager Pro, a piece of software that allows users to log into their PCs or authenticate to configured websites using fingerprint recognition, has been found seriously wanting in the security department.

The problems are several: the software contains a hard-coded password, and it is accessible to all users with local, non-administrative access to the system it is installed on.

Also, the data it stores – users’ Windows logon credentials and fingerprint data, among other things – is encrypted using a weak algorithm.

These security issues were unearthed by Jackson Thuraisamy of Canadian software security company Security Compass, and have been fixed in version 8.01.87 of the software.

Lenovo advises users of a variety of ThinkPads, ThinkCentres and ThinkStations running Windows 7, Windows 8, and Windows 8.1 to check whether they have a vulnerable version of the software installed, and to update it.

Windows 10 users can uninstall the software altogether, though, as Microsoft has added full support for fingerprint readers into that version of the OS.


from Help Net Security http://ift.tt/2nnyLkL

Estimating the Cost of Internet Insecurity

It's really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I've seen at trying to put a number on this. The results are, well, all over the map:

"Estimating the Global Cost of Cyber Risk: Methodology and Examples":

Abstract: There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk in different countries and industry sectors. This report shares a transparent and adaptable methodology for estimating present and future global costs of cyber risk that acknowledges the considerable uncertainty in the frequencies and costs of cyber incidents. Specifically, this methodology (1) identifies the value at risk by country and industry sector; (2) computes direct costs by considering multiple financial exposures for each industry sector and the fraction of each exposure that is potentially at risk to cyber incidents; and (3) computes the systemic costs of cyber risk between industry sectors using Organisation for Economic Co-operation and Development input, output, and value-added data across sectors in more than 60 countries. The report has a companion Excel-based modeling and simulation platform that allows users to alter assumptions and investigate a wide variety of research questions. The authors used a literature review and data to create multiple sample sets of parameters. They then ran a set of case studies to show the model's functionality and to compare the results against those in the existing literature. The resulting values are highly sensitive to input parameters; for instance, the global cost of cyber crime has direct gross domestic product (GDP) costs of $275 billion to $6.6 trillion and total GDP costs (direct plus systemic) of $799 billion to $22.5 trillion (1.1 to 32.4 percent of GDP).

Here's RAND's risk calculator, if you want to play with the parameters yourself.

Note: I was an advisor to the project.

Separately, Symantec has published a new cybercrime report with their own statistics.


from Schneier on Security http://ift.tt/2EledkP

Strava user heatmap reveals patterns of life in western military bases


In November 2017, online fitness tracker Strava published a heatmap of the activity many of its users around the world engage in (and track) daily. But what might have seemed like a harmless sharing of anonymized, aggregated data turned out to reveal potentially sensitive information about (mostly western) military bases and secret sites.

The revelation was made and shared over the weekend by Nathan Ruser, an Australian university student and founding member of the Institute for United Conflict Analysts, a grassroots intelligence organization.

He pointed out that soldiers and security personnel obviously use the app during their daily exercise and patrols.

The activity information, shared with Strava, ended up showing in the heatmap and could provide potential attackers with helpful information about the “pattern of life” in and around military bases, intelligence secret sites, and training facilities around the world.

Problematic information

Strava has pointed out that the activities marked as private by users have not been included in the heatmap, and that activities have been cropped to respect user defined privacy zones. “Athletes with the Metro/heatmap opt-out privacy setting have all data excluded,” they also added.

Unfortunately, some users didn’t think about making their data private.

And, as some noted, the information collected by Strava, some of the tools it provides, and the information users themselves publish on public profiles can be scraped and used to target them.

Security and privacy researcher Lukasz Olejnik pointed out that anonymising location and fitness data is challenging and should always be considered on many different levels before publishing even aggregated data.

While admitting that it could be a daunting prospect, he noted that a privacy impact assessment should be a must when publishing any big user dataset.


from Help Net Security http://ift.tt/2njcjJs

Waterfall Security and HCNC collaborate to provide OSIsoft PI offerings to the Korean market

Waterfall Security Solutions, a global leader in cybersecurity technologies for critical infrastructure and industrial control systems, announced a partnership with HCNC Co., a systems integrator based in Korea, to further extend Waterfall’s and HCNC’s OSIsoft product offering within the region.


HCNC specializes in integrating OSIsoft PI solutions throughout a wide spectrum of industries including power, oil and gas, utilities and transportation. HCNC’s combination of strong, local support coupled with extensive knowledge of and services for the OSIsoft PI System suite make HCNC the perfect complement to the Waterfall Security product offering.

“We are proud to be joining forces with HCNC” said Lior Frenkel, CEO and Co-Founder of Waterfall Security Solutions, “this new partnership will lead to dramatically improved security for OSIsoft PI deployments in Korea.”

“We are delighted to be partnering with Waterfall Security – a global leader in industrial cybersecurity and leading OSIsoft PI trusted partner” said HCNC General Manager Dae Gyu Choi.

Having already established joint mutual projects in Korea, the Waterfall and HCNC partnership will lead to dramatically improved security for OSIsoft PI deployments in the country.

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to industrial control system and operations networks from attacks originating on external networks. Upon deploying Unidirectional Gateways, critical infrastructure and industrial sites enjoy safe and reliable IT/OT integration, vendor and cloud services access, and remote monitoring.


from Help Net Security http://ift.tt/2DKBKi1

Monday review – the hot 21 stories of the week

From deciphering a famous cryptographer's tombstone and how AI fake porn could cast any of us, to Tinder's lack of encryption, and more!

from Naked Security http://ift.tt/2nkLfu4

Sunday, January 28, 2018

PCI DSS 3.2 will unveil compliance cramming culture

February 1, 2018 marks the deadline for businesses to adopt the new industry standard, PCI DSS 3.2, aimed at reducing and better responding to cyber attacks resulting in payment data breaches.

Originally announced in 2016, the industry has had almost two years to prepare for these increased requirements, but a significant percentage of businesses are still not prepared, warns secure payment solutions provider PCI Pal.

“The industry has developed a culture of compliance cramming, treating PCI as an annual exam to be passed without working towards a culture of continuous compliance. For businesses in this ‘annual pass’ group, PCI DSS 3.2 could be a rude awakening because it requires evidence of continuous compliance instead of a pass/fail,” said Geoff Forsyth, CTO at PCI Pal.

PCI DSS 3.2 requirements

Primary requirements of PCI DSS 3.2 include:

  • Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
  • Additional security validation steps for service providers and others, including the "Designated Entities Supplemental Validation" (DESV) criteria

Despite existing data security standards, many companies struggle to ensure continuous compliance – data taken from a 2017 report found that at the time of data compromise the average merchant is not compliant with almost half (47%) of current PCI DSS requirements. Of those that do pass compliance checks, almost a third are not compliant just 12 months later, according to Verizon’s PCI DSS Compliance report.

PCI DSS 3.2 will address compliance cramming

Forsyth continues: “To be PCI compliant is a constant process. The annual assessment has, to date, only been able to check that the correct processes are in place. PCI DSS 3.2 will change that approach, requiring evidence that device inventories and configuration standards are kept up to date, and security controls are applied where needed.

“Companies should no longer rely on outdated workarounds such as pause-and-resume. The recent spate of high-profile security has thrust this issue into the spotlight but this new standard will ensure it stays front of mind for the industry at large.”


from Help Net Security http://ift.tt/2DVGyAq

Week in review: Intel testing new Spectre fixes, ICO protection, cybercrooks abusing travel industry


Here’s an overview of some of last week’s most interesting news, articles, and whitepapers:

British teenager hacked top ranking US officials using social engineering
How did British teenager Kane Gamble, who at the time was only 15 years old, manage to break into email accounts of the CIA and DNI chiefs, as well as gain access to a number of sensitive databases and plans for intelligence operations in Afghanistan and Iran? The answer is social engineering.

Download: 2018 Cybersecurity Checklist
Today’s attacks are spreading faster, evolving quicker, and evading even the most widely used security solutions. But that doesn’t mean you can’t fight back. Get practical recommendations for preventing and mitigating the latest attacks with this free checklist.

Rise in cryptomining malware impacts organizations worldwide
Cybercriminals are increasingly turning to cryptominers to develop illegal revenue streams, while ransomware and malvertising adware continue to impact organizations worldwide.

Old Bitcoin transactions can come back to haunt you
A group of researchers from Qatar University and Hamad Bin Khalifa University have demonstrated how years-old Bitcoin transactions can be used to retroactively deanonymize users of Tor hidden services.

ICO protection: Key threats, attack tools and safeguards
Group-IB has analyzed the basic information security risks for the cryptoindustry and compiled a rating of key threats to an ICO (initial coin offering).

How cybercriminals abuse the travel and hospitality industry
With the right combination of other underground services (compromised accounts, credit cards, etc.) it is possible to cover almost every aspect of the holidays, including food and restaurants, shopping, entertainment, guided tours and more.

Industries most at risk of phishing attacks revealed
A new KnowBe4 study of phishing statistics for top industries, shows small insurance companies have the highest percentage of phish-prone employees in the small to mid–size organization category. Not-for-profit organizations take the lead in large organizations.

Intel testing new Spectre fixes, tells everyone to hold off on deploying current firmware updates
Shortly after Red Hat stopped providing microcode to address variant 2 (branch target injection) of the Spectre attack, Intel advised OEMs, cloud service providers, system manufacturers, software vendors and end users to stop deployment of the current firmware updates that fix the same vulnerability (CVE-2017-5715).

Download: The Ultimate Guide to the CISSP
The CISSP is an elite way to demonstrate your knowledge, advance your career, and join a community of like-minded cybersecurity leaders. Earning your CISSP will show your employer that you have all it takes to design, engineer, implement, and run an information security program. The Ultimate Guide to the CISSP is a must-have resource if you are planning to sit for the exam – and it was developed by (ISC)², the creator of the CISSP Common Body of Knowledge (CBK).

Human trafficking victims forced to defraud Chinese computer users
Late last week, the Croatian police executed a coordinated raid on two houses where 59 individuals were confined and forced into defrauding Chinese and Taiwanese computer and smartphone users through a police-ransom-type-of-scheme.

Fake cryptocurrency wallet carries ransomware, leads to spyware
People around the world are rushing to acquire all kinds of cryptocurrency, hoping that prices will go up and they will be rolling in money when they sell their investment stash. Criminals have, expectedly, noticed the rush and are doing their level best to cash in on it. The latest attack on cryptocurrency-hungry users comes in the form of fake wallet software carrying ransomware.

GDPR: Whose problem is it anyway?
Effective GDPR compliance requires well-defined roles and division of responsibilities, as well as strong interdepartmental partnerships. Above all, it’s a team effort, and clear communication is the key.

Facebook, Microsoft announce new privacy tools to comply with GDPR
One of the things that the regulation mandates is that EU citizens must be able to get access to their personal data held by companies and information about how these personal data are being processed.

Good privacy is good for business, so pay attention
Data privacy concerns are causing significant sales cycle delays for up to 65 percent of businesses worldwide, according to findings in the new Cisco 2018 Privacy Maturity Benchmark Study.

Escape future ransomware attacks by leveraging the right technology
Devising a ransomware defense plan isn’t easy. If you’re wondering where and how to start, here’s a short cheat sheet on a few security mechanisms that are especially helpful in preventing and detecting ransomware threats.

Alphabet enters enterprise cybersecurity market, launches Chronicle
Google’s parent company Alphabet has announced its entry into the lucrative enterprise cybersecurity market through Chronicle, a company started in early 2016 as a project at X, Alphabet’s “moonshot factory.” VirusTotal, a malware intelligence service acquired by Google in 2012, will become part of the new company, but Chronicle will also offer a new product.

PCI Council sets security requirements for mobile point of sale solutions
The PCI Security Standards Council has announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf (COTS) devices such as smartphones and tablets.

DuckDuckGo offers new privacy extension and app
DuckDuckGo Privacy Essentials forces websites to serve users with an encrypted version of the site, blocks third-party trackers, and provides information about websites’ terms of service and privacy policies.

Cybercriminals stole $172 billion from 978 million consumers in the past year
In the United States, 143 million consumers were victims of cybercrime – more than half the U.S. adult online population.

New infosec products of the week: January 26, 2018
A rundown of infosec products released last week.


from Help Net Security http://ift.tt/2BzOlie

Our Favorite Shaving Product Ever Is Just $26 Today

Philips Norelco OneBlade | $26 | Amazon

The Philips Norelco OneBlade is the shaver of choice for every guy on our staff, and you can try it yourself for just $26 today.

If you aren’t familiar with this thing yet, Shane shared his thoughts about it on Gear:

I’m pretty blown away by the Philips OneBlade. I was expecting a deconstructed electric razor or a souped up Gillette Power-style situation, but the OneBlade is more like the next evolution of beard trimmers.

The OneBlade can be used to get a close shave, edge, or trim down to your preferred length. It’s also washable and rechargeable, and the replaceable blades that last an estimated four months are already available on Subscribe and Save.

The OneBlade can be used in the shower or over the sink, with or without shaving cream or oil. To be clear, this is not going to give you a straight razor-close shave, but it’s going to get you 99.5% of the way there in no time and with no irritation.

The OneBlade usually sells for $35, and while it was famously available for $17 on Black Friday, this is otherwise about as good a deal as we’ve seen. I paid full price for it back in March of last year (I’m still on my original blade, for the record), and have zero regrets.



from Lifehacker http://ift.tt/2BziPkr

Old Bitcoin transactions can come back to haunt you

A group of researchers from Qatar University and Hamad Bin Khalifa University have demonstrated how years-old Bitcoin transactions can be used to retroactively deanonymize users of Tor hidden services.

Bitcoin transactions privacy

It seems that Bitcoin users’ past transactions – and especially if they used the cryptocurrency for illegal deals on the dark web and didn’t think to launder their payments – may come back to haunt them.

Researchers’ findings

“We crawled 1.5K hidden service pages and created a dataset of 88 Bitcoin addresses operated by those hidden services, including two ransomware addresses. We also crawled online social networks for public Bitcoin addresses, namely, Twitter and the BitcoinTalk forum. Out of 5B tweets and 1M forum pages, we created two datasets of 4.1K and 41K Bitcoin addresses, respectively. Each address in these user datasets is associated with an online identity and its corresponding public profile information,” the researchers explained.

“By analyzing the transactions in the Blockchain, we were able to link 125 unique users to 20 Tor hidden services, including sensitive ones, such as The Pirate Bay and Silk Road.”

What now?

Whether law enforcement and intelligence agencies will bother to replicate and widen the research remains to be seen, but there is no doubt that the permanence of the Bitcoin blockchain can be exploited for similar endeavours.

The researchers noted that the online identities to which they tied the transactions may or may not point directly to individuals, as it’s possible that these are fake online identities. Still, well-resourced adversaries can perform online surveillance to track down the users and uncover their true identities.

They also pointed out that this approach can be used to deanonymize only a small number of users.

But for those users who can be linked, the researchers advised that the best course of action is to clean their social network footprint, focusing on removing PII that is publicly shared or deleting their linked online identities altogether – and hope that the information hasn’t been cached or preserved by digital archive services like the Internet Archive.

And, in the future, for similar transactions, it might be best to switch to using alternative coins that provide additional anonymity for transactions on the blockchain (e.g., Monero, Zcash).
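To make the linking step concrete, here is a small added Python example written for this page; it is not the researchers' code or data. It builds a constructed mini-ledger of Bitcoin-style transactions (addresses, identities and service names are all made up), groups addresses that are co-spent in a single transaction into one wallet (the widely used multi-input ownership heuristic of chain analysis, assumed here as an approximation), and then checks which wallets that carry a publicly posted address have paid a known hidden-service address. The point, from a privacy standpoint, is how one reused or publicly posted address ties a whole wallet cluster to its payment history, and why payments with no public identity behind them stay unlinked.

```python
"""Toy transaction-graph linking, added to illustrate the article's point.

Everything below (ledger, addresses, profiles, service names) is constructed
sample data; the multi-input clustering rule is a common chain-analysis
heuristic and is only an approximation of real wallet ownership.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]   # addresses that spend in this transaction
    outputs: Tuple[str, ...]  # addresses that receive


# Constructed ledger (not real blockchain data).
LEDGER: List[Tx] = [
    Tx("tx1", ("addrA1",), ("addrS1", "addrA2")),     # addrA1 pays hidden service S1
    Tx("tx2", ("addrA1", "addrA3"), ("addrX",)),      # addrA1 and addrA3 co-spent: same wallet
    Tx("tx3", ("addrB1",), ("addrA3",)),              # bob pays alice, no hidden service involved
    Tx("tx4", ("addrC1",), ("addrS2",)),              # unknown payer, no public profile: stays unlinked
]

# Constructed "public profile" dataset: address -> online identity.
PUBLIC_PROFILES: Dict[str, str] = {"addrA3": "twitter:@alice", "addrB1": "bitcointalk:bob"}

# Constructed "hidden service" dataset: address -> service name.
HIDDEN_SERVICES: Dict[str, str] = {"addrS1": "service-one.onion", "addrS2": "service-two.onion"}


def cluster_addresses(ledger: List[Tx]) -> Dict[str, str]:
    """Map every address to a cluster root; inputs of one tx are merged (union-find)."""
    parent: Dict[str, str] = {}

    def find(a: str) -> str:
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in ledger:
        for addr in tx.inputs + tx.outputs:
            find(addr)                      # register every address
        for other in tx.inputs[1:]:
            union(tx.inputs[0], other)      # co-spent inputs -> same owner
    return {a: find(a) for a in parent}


def link_identities(ledger: List[Tx], profiles: Dict[str, str],
                    services: Dict[str, str],
                    use_clustering: bool = True) -> List[Tuple[str, str]]:
    """Return sorted (identity, service) pairs where a wallet with a public
    address paid a hidden-service address. With use_clustering=False each
    address is its own wallet, which shows how much the heuristic adds."""
    if use_clustering:
        owner = cluster_addresses(ledger)
    else:
        owner = {a: a for tx in ledger for a in tx.inputs + tx.outputs}

    # Identities known for each wallet cluster.
    cluster_identity: Dict[str, set] = {}
    for addr, identity in profiles.items():
        cluster_identity.setdefault(owner.get(addr, addr), set()).add(identity)

    links = set()
    for tx in ledger:
        payers = {owner[a] for a in tx.inputs}
        for out in tx.outputs:
            if out in services:
                for root in payers:
                    for ident in cluster_identity.get(root, ()):
                        links.add((ident, services[out]))
    return sorted(links)


def unlinked_service_payments(ledger: List[Tx], profiles: Dict[str, str],
                              services: Dict[str, str]) -> int:
    """Count payments to hidden services whose payer has no public identity."""
    owner = cluster_addresses(ledger)
    known = {owner.get(a, a) for a in profiles}
    return sum(1 for tx in ledger
               for out in tx.outputs
               if out in services and not ({owner[a] for a in tx.inputs} & known))


if __name__ == "__main__":
    print(link_identities(LEDGER, PUBLIC_PROFILES, HIDDEN_SERVICES))
    print(link_identities(LEDGER, PUBLIC_PROFILES, HIDDEN_SERVICES, use_clustering=False))
    print(unlinked_service_payments(LEDGER, PUBLIC_PROFILES, HIDDEN_SERVICES))
```

With clustering, addrA1 (which paid the service) and addrA3 (posted publicly) fall into one wallet, so the public identity is tied to the payment; without clustering no link is found, and the payer in tx4 stays unlinked either way because no public profile covers any of that wallet's addresses. That is the mechanism behind the article's advice: the ledger does not change, so the only lever a user still has is the public association between an identity and an address.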


from Help Net Security http://ift.tt/2rGFNGK