Phishing embraces HTTPS, hoping you’ll “check for the padlock”

Created: 8 December 2017

After a slow-burning romance, HTTPS has recently bloomed into one of security’s great love affairs.

Google is a long-time admirer, and in October started labelling many sites that fail to use HTTPS as “not secure” in the Chrome address bar, a tactic meant to persuade more website owners to share its enthusiasm.

Facebook, Twitter and WordPress, meanwhile, have been keen for years, which helps explain EFF figures from early in 2017 estimating that an impressive half of all web traffic was being secured using HTTPS.

So alluring has HTTPS become that it has now acquired suitors it could do without – phishing websites.

According to PhishLabs, a quarter of all phishing sites now use HTTPS, up from a few percent a year ago.

The increase has been so dramatic in 2017 that in a single quarter its popularity among phishing sites doubled. What’s causing this sudden interest?

One explanation:

As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases.

This is logical: as the number of sites using HTTPS increases, the chance that a legitimate site compromised to host phishing attacks will already have it enabled increases too.

Which means that acquiring an HTTPS certificate is an empty upgrade if other vulnerabilities are not addressed at the same time.

But there’s a second, less savoury possibility:

An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains.

We’ll call this the ‘window-dressing theory’: cybercriminals believe that web users are lulled into a false sense of security by the presence of HTTPS even though their scams might work without it.

That these certificates are obtained free of charge from services such as Let’s Encrypt, set up to spread the use of HTTPS among legitimate web makers, only adds to the painful sense of unintended consequences.

The culprit here is not really HTTPS, or Let’s Encrypt, but the green padlock symbol itself, browsing’s most misunderstood and over-rated signifier.

Too many people see its glow and think it guarantees a site’s legitimacy when, of course, it does nothing of the kind. Some of this is plain naivety but there’s also confusion about what HTTPS and padlocks are for.

This is partly the industry’s fault, starting with Google. Visit an HTTPS site in Chrome and the browser will describe padlocked sites as “secure”, which refers to the connection, not the site itself.

Except that not everyone knows this.

Browsers also use a colour-coding system to designate the trustworthiness of a site (green padlocks being awarded to sites with an Extended Validation certificate), but these can still appear on phishing sites that have not been detected by integrated filtering.
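The padlock only tells you the connection is encrypted to whichever host the certificate names; it says nothing about whether that host is the brand the page pretends to be. The following is an added example, not code from Naked Security or PhishLabs, showing the kind of check a defender can run on a URL before trusting it: it records whether HTTPS is in use, extracts the registrable domain, and separately reports whether a brand name appearing in the hostname actually matches that brand’s real domain. The brand allow-list and the tiny public-suffix subset are constructed stand-ins; real tooling would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; real code would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed allow-list: brand keyword -> the registrable domain that brand really uses.
BRAND_DOMAINS = {"paypal": "paypal.com", "apple": "apple.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) domain of a hostname.

    'www.paypal.com' -> 'paypal.com'; 'paypal.com.secure-login.example'
    -> 'secure-login.example' (the attacker-controlled part, not paypal.com).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url: str) -> dict:
    """Classify a URL by who controls the domain, independently of the padlock."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    brand_hits = [b for b in BRAND_DOMAINS if b in host]

    if not brand_hits:
        verdict = "no-brand-reference"
    elif any(BRAND_DOMAINS[b] == reg for b in brand_hits):
        verdict = "matches-brand"
    else:
        # The brand name appears somewhere in the host, but the part an owner
        # actually registers belongs to someone else: classic lookalike.
        verdict = "lookalike"

    return {
        "https": parts.scheme == "https",   # connection property only
        "registrable_domain": reg,          # ownership property
        "brand_hits": brand_hits,
        "verdict": verdict,                 # never depends on the https flag
    }


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "https://paypal.com.secure-login.example/",
              "https://apple-id-verify.example/"):
        print(u, assess(u))
```

Note that `verdict` is computed without ever looking at the `https` flag: a lookalike served over HTTPS is still a lookalike, which is exactly the distinction the padlock cannot make for you.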

Naked Security discussed this issue (and the problem of how sites are verified) in 2015 so it’s not a new worry.

The logical result of the trend PhishLabs has detected is that eventually all websites will use HTTPS whether they are phishing sites or not, at which point the misunderstanding of the whole padlock system will become apparent.

The dream of an entirely encrypted internet is a noble one but its ubiquity will be a pyrrhic victory if cybercriminals can find easy ways to manipulate it from the inside.

Source: Naked Security


Google AI teaches itself ‘superhuman’ chess skills in four hours

Created: 8 December 2017

Human chess grandmaster Peter Heine Nielsen tells the BBC that he’s “always wondered how it would be if a superior species landed on earth and showed us how they played chess.”

Well, move aside, ugly, giant bags of mostly water: now we know, because Google’s “superhuman” AlphaZero artificial intelligence (AI) taught itself chess from scratch in four hours. Then, it wiped the floor with the former world-leading chess software, Stockfish 8.

AlphaZero is actually a game-playing AI created by its Google sibling, DeepMind. DeepMind Technologies Ltd., a Google subsidiary, created a neural network that learns how to play video games in a fashion similar to that of humans.

That neural network had to learn how to play chess – without human interaction, mind you – because until recently it was a Go specialist that had confined itself to going around beating the world’s best Go players in its incarnation as AlphaGo.

Now that AlphaZero has been generalized, it can learn other games. After learning the rules to chess in four hours, it took on a 100-game match with Stockfish 8, which is an open-source chess engine that consistently ranks first or near the top of most chess-engine rating lists.

In the AlphaZero/Stockfish 8 games, AlphaZero won or drew all 100 games, according to a non-peer-reviewed research paper published by the DeepMind crew with Cornell University Library’s arXiv. It garnered 28 wins, 72 draws, and zero losses.

From the paper, whose authors include DeepMind founder Demis Hassabis: a child chess prodigy who reached the rank of chess master at the age of 13:

Starting from random play, and given no domain knowledge except the game rules, AlphaZero achieved within 24 hours a superhuman level of play in the games of chess and shogi [a similar Japanese board game] as well as Go, and convincingly defeated a world-champion program in each case.

Former world chess champion Garry Kasparov said that AlphaZero’s performance is “remarkable”:

It’s a remarkable achievement, even if we should have expected it after AlphaGo. It approaches the ‘Type B,’ human-like approach to machine chess dreamt of by Claude Shannon and Alan Turing instead of brute force.

AlphaZero is like humans in that it searches far fewer positions than its predecessors. The paper claims that it looks at “only” 80,000 positions per second, compared to Stockfish’s 70 million per second.

In fact, the DeepMind programmers used a specific type of machine learning – reinforcement learning – to train AlphaZero. As one writeup of the match put it:

Put more plainly, AlphaZero was not “taught” the game in the traditional sense. That means no opening book, no endgame tables, and apparently no complicated algorithms dissecting minute differences between center pawns and side pawns.

This would be akin to a robot being given access to thousands of metal bits and parts, but no knowledge of a combustion engine, then it experiments numerous times with every combination possible until it builds a Ferrari. That’s all in less time than it takes to watch the “Lord of the Rings” trilogy. The program had four hours to play itself many, many times, thereby becoming its own teacher.

Not all grandmasters are fully satisfied with the way the match was set up. They’re debating the processing power of the two adversarial systems, while American GM Hikaru Nakamura reportedly called the match “dishonest”, pointing out that Stockfish’s methodology requires it to have an openings book for optimal performance. Another expert, GM Larry Kaufman, said he wants to see how AlphaZero would do on a home machine, as opposed to Google’s souped-up computers.

But aside from arguments about the fairness of the match, experts say that we’re looking at actual AI at this point. From here, we could see much more than chess wins. GM Peter Heine Nielsen is quoted as saying:

It goes from having something that’s relevant to chess to something that’s gonna win Nobel Prizes or even bigger than Nobel Prizes. I think it’s basically cool for us that they also decided to do four hours on chess because we get a lot of knowledge. We feel it’s a great day for chess but of course it goes so much further.

Source: Naked Security


Uber disguised $100,000 hacker payoff as bug bounty, claims Reuters

Created: 8 December 2017

Remember the 2017 Uber breach?

The one that was actually discovered in 2016, except that Uber conveniently forgot about it for a year before admitting, “Well, yes, now you mention it, some records did get taken.”

57,000,000 records in all, apparently, including – for Uber drivers, at least – data such as driving licence and vehicle registration details.

From a regulatory point of view, Uber ought to have reported this breach promptly in many jurisdictions around the world, rather than hushing it up; in the UK, for example, the Information Commissioner’s Office has variously stated:

Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. [2017-11-22T10:00Z]

It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies. [2017-11-22T17:35Z]

Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. [2017-11-29]

At the time the breach news broke, it also emerged that Uber had paid $100,000 in what was effectively hush money to the hacker or hackers behind the breach, making it possible for Uber to sweep the breach under the carpet.

We speculated at the time how this payout might have been orchestrated:

It’ll be interesting to see how the story unfolds – if the current Uber leadership can unfold it at this stage, that is. I suppose you could wrap the $100,000 up as a “bug bounty payout”, but that still leaves the issue of “very conveniently deciding for yourself that it wasn’t necessary to report it”.

Well, if an exclusive investigation published recently by Reuters has it right, then so did we: Reuters claims that the payoff was indeed made to look like a bug bounty payout.

Bug bounties are official rewards offered by companies to researchers who find security bugs, flaws, holes and problems, but this sort of payout is offered within a legal framework that – for obvious reasons – puts limits on exactly where bounty hunters should go, and how they should behave.

Deliberately hacking a live system in a way that is likely to crash it just to prove a point is understandably off-limits; so too is using unlawful techniques to achieve a result – stealing a physical server, for example, or threatening an employee to extract a password.

Another unlawful no-no is actually cracking into a server, stealing a giant pile of data and then offering the data back for what amounts to a ransom, even if that ransom payment would also lead to finding and fixing the security hole.

But Reuters is insisting that is pretty much how it played out in the Uber case.

According to Reuters, the attack and breach went something like this: the hacker who was ultimately paid off by Uber contracted a “researcher” to dig out Uber passwords on GitHub; those passwords led to the 57 million records; Uber then received “an email […] demanding money in exchange for user data”.

Of course, even if that wasn’t quite what happened, or if calling this a bug bounty payout is ultimately deemed ethically acceptable…

…there’s still the issue that we described above, namely the matter of Uber very conveniently deciding unilaterally that it wasn’t necessary to report the breach.

Over here in the UK, we’ll be very interested to see what the Information Commissioner’s Office has to add to its earlier warnings.

Source: Naked Security


Apple fills the KRACK on iPhones – at last

Created: 8 December 2017

Remember KRACK, short for Key Reinstallation Attack?

Nearly two months ago, it was all over the news – what we jocularly call a BWAIN, short for “bug with an impressive name” – because it exposed a cryptographic weakness in WPA, the Wi-Fi encryption protocol that is used to secure most of the world’s wireless networks.

Very greatly simplified, KRACK involved tricking a wireless access point into sending the first two packets of a session scrambled with the same encryption key, with the result that if you knew the content of one of the packets, you could figure out the other.
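Why does encrypting two packets under the same key and the same packet number leak data? Because WPA2’s cipher works like a stream cipher: the key and the nonce (packet number) produce a keystream that is XORed with the plaintext, so a repeated keystream means the XOR of the two ciphertexts equals the XOR of the two plaintexts. The block below is an added illustration of that property and is not code from Naked Security or the KRACK researchers; it uses a toy SHA-256-based counter keystream as a constructed stand-in for the real cipher, and constructed sample packets. The recovery function is the textbook “two-time pad” observation the article describes, shown here so that the value of never reusing a nonce is concrete.

```python
import hashlib
from itertools import count


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || nonce || counter) blocks.

    Constructed stand-in for the real WPA2 keystream generator. The property
    demonstrated (same key + same nonce => identical keystream) holds for any
    stream or counter-mode cipher, which is what makes nonce reuse fatal.
    """
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_second_packet(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share a keystream, c1 XOR c2 == p1 XOR p2, so knowing p1
    reveals p2 (over the overlapping length). No key is needed at all."""
    return xor(xor(c1, c2), known_p1)


def demo() -> dict:
    key = b"constructed-session-key-32-bytes"      # constructed sample key
    packet_number_1 = (1).to_bytes(6, "big")       # nonce = packet number
    packet_number_2 = (2).to_bytes(6, "big")
    p1 = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"   # constructed
    p2 = b"POST /login HTTP/1.1\r\nCookie: session=XYZ\r\n"     # constructed

    c1 = encrypt(key, packet_number_1, p1)
    # Bug case: the key was reinstalled, the packet counter reset, and the
    # second packet reuses packet number 1 -> identical keystream.
    c2_reused = encrypt(key, packet_number_1, p2)
    # Correct case: the counter advanced, so the keystream is fresh.
    c2_fresh = encrypt(key, packet_number_2, p2)

    return {
        "expected": p2,
        "recovered_with_reuse": recover_second_packet(c1, c2_reused, p1),
        "recovered_with_fresh_nonce": recover_second_packet(c1, c2_fresh, p1),
    }


if __name__ == "__main__":
    r = demo()
    print("nonce reused :", r["recovered_with_reuse"])
    print("fresh nonce  :", r["recovered_with_fresh_nonce"])
```

With the reused packet number the second packet is recovered byte for byte from the first packet’s known contents; with a fresh packet number the same calculation yields noise. That is the whole reason a key-reinstallation bug matters even though the key itself is never exposed.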

KRACK wasn’t the end of the world as we know it (we happily reported that Wi-Fi was still safe to use), but it was worth patching against – encrypted Wi-Fi connections aren’t supposed to leak any data, and that’s that.

Apple, amongst others, put out a patch pretty quickly for iPhone users, as we reported in early November 2017…

…but there was a twist in the fix, because it wasn’t for everyone:

According to Apple’s official support documentation, the [02 November 2017] KRACK fix only applies to iPhone 7s, iPad Pro 9.7 (early 2016) and later.

We don’t know why the KRACK patch is only being made available for newer iDevices – it’s possible a fix for earlier devices is still in the works, or perhaps Apple has determined that these older versions aren’t vulnerable to KRACK at all.

Either way, if you’re a pre-7 iPhone user, keep your eyes peeled for an update from Apple just in case.

Well, the wait is now over, because Apple’s latest round of updates includes iOS 11.2, and that officially (and at last) includes KRACK-related patches for the devices that were left out last time:


Available for: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation. (Released for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in iOS 11.1.)

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks – KRACK)

As it happens, numerous other security holes were closed in the iOS 11.2 update, including four vulnerabilities listed as “may be able to execute arbitrary code with kernel privileges”, which is about as close to “good for a full jailbreak and takeover” as you’re likely to hear from Apple.

By the way, macOS goes to High Sierra 10.13.2 in the same tranche of updates, with three “may be able to execute arbitrary code with kernel privileges” fixed for Mac users, too.

Get ’em as soon as you can.

Use Settings | General | Software Update on an iPhone, and Apple Menu | About This Mac | Software Update... on a Mac.

Source: Naked Security


Man turns shed into top rated restaurant on TripAdvisor

Created: 7 December 2017

Here’s an astonishing story that’s also fun to read.

It’s written by a UK journalist and serial hoaxer/bounds checker called Oobah Butler.

Butler has visited Harrods both as a punk (no problems) and as a cybergoth (refused entry) to test the famous department store’s dress code, so he’s no stranger to taking on unlikely challenges just to see what happens.

By Butler’s own admission, he used to make ends meet by writing bogus restaurant reviews on TripAdvisor; he kept tabs on the quality of his work (or, as he puts it, “became obsessed with monitoring the ratings of [the businesses that hired me]”), and realised that these fake reviews were effective and really did boost rankings.

So much for fake reviews to promote real restaurants: Butler decided to try something more audacious, namely a completely fake restaurant.

Or, as he more wittily puts it, “[w]ith the help of fake reviews, mystique and nonsense, I was going to do it: turn my shed into London’s top-rated restaurant on TripAdvisor.”

The glorious part of it is that Butler didn’t rip anyone off; didn’t take money under false pretences; didn’t actually open a restaurant; didn’t accept bookings and then let people down; didn’t really do anything except to keep on insisting that he had a restaurant, assuring everyone it was excellent, and allowing TripAdvisor to amplify his story.

Butler never took on a single customer – he simply told callers he was booked out for weeks ahead, which apparently only served to boost both the mystique and the desirability of his establishment.

(The “shed”, in case you are wondering, is actually where he lives – it’s designed to be lived in, and looks rather nice, actually, but it’s definitely a shed.)

It took more than six months of fakery before TripAdvisor checked up on Butler, sending him an email on 1 November 2017 entitled “Information Request”.

Expecting he’d been busted, and having reached no higher than #30 on the charts, he assumed he’d failed in his quest…

…but when he opened the email he realised that self-congratulation was in order – he’d made it to #1:

Butler’s own article continues most entertainingly as he “closes” his “establishment” – keen observers of the social scene should definitely read Butler’s iconoclastic tale! – but for us, we’re at the point where we draw security conclusions.

As fellow Naked Security writer Mark Stockley put it:

It’s a cautionary tale about placing too much faith in online reviews, something that (rightly or wrongly) people use to seek assurance that things are what they say. This is what you might call “using computers for security” rather than “computer security”. In this case it was a non-restaurant, but it could just as easily be a site that assures you that, “Yes, this person you’re inviting into your home is indeed a legitimate plumber with a long list of satisfied customers, rather than a crook who’s going to take your credit cards on a long tour of the local shops.”

The way Butler set things up, he could easily have taken “deposits” for his quirky, luxury meals. With bookings months in advance he had a long window of opportunity to milk customers if he’d wanted to. He also ended up with a web property that passed the reputation test, where he could have advertised or promoted other scams from a position of apparent trust and reliability.

What to do?

Dealing with fake reviews is a tricky problem because there’s no easy technological solution once they’ve been approved and published: the judgement is entirely up to you, and that’s how reviews are supposed to work, anyway.

Here at Naked Security, we discussed “what to do” at some length, and Mark Stockley came up with an interesting twist on the issue – he suggests a simple and objective approach whereby you rate online reviews as no more valuable than the amount you’re prepared to lose:

Prepared to lose the cost of dinner? Not being asked for credit card details up front? OK, then look only at the reviews; they’re probably OK and if you’re wrong you’ve lost a few pounds. Prepared to lose the cost of a plumbing job, or to risk the theft of personal property or information right from your house? No? Then crank up the suspicion, try to meet in person in advance, ask for references, speak to the last customer yourself.

If you aren’t sure, ask a friend for advice.

And make that a friend in the old-school sense of someone you know, like, and trust – importantly, someone you have actually met.

Butler’s restaurant didn’t exist, so it wouldn’t have been possible for you, or any of your friends, to have eaten there for real.

Source: Naked Security


Mr. Robot eps3.8_stage3.torrent – the security review

Created: 7 December 2017

Three seasons into Mr. Robot, we can easily recognize callbacks to hacks we’ve seen in previous episodes and seasons. And by now, this show has also made it really clear that no tactic, no matter how seemingly ironclad, is a guarantee – when the stakes are high, every move means measuring risk and reward.

In this week’s episode, we also saw some hacks and security concepts that exemplify how sometimes the very unlikely is still possible, and how – even in hindsight and with entirely new information – you might make the same decision twice.



RFID skimming: reading your badge at a distance

RFID chips can be found in a number of very important things that many of us have, like passports, debit and credit cards, train tickets and office badges, so any threat that puts this data at risk gets a lot of attention.

RFID stands for Radio Frequency Identification, and it works wirelessly. The RFID reader emits a magnetic field that generates just enough current to power up a coiled antenna attached to the chip; the magnetic field is then used to transmit data back from the card to the reader. In theory, then, you can skim RFID data off people’s cards just by getting close enough (typically from a few feet to a couple of inches, depending on the type of chip in use).

However, RFID skimming takes a lot of effort, you have to be there and close-up every time [*], and there are much easier ways to gather valuable data in greater volumes, so RFID skimming isn’t currently a big threat to the general, walking-around public.

But RFID skimming is a real and credible threat when it is targeted, which is exactly what we saw in tonight’s episode when Darlene repeatedly tried to get Dom’s FBI badge data by brushing up against Dom (and her badge) in the bar. We briefly saw that Darlene was using a real tool called RFID Thief. Had she nabbed the data from Dom’s badge, it is credible that she could have managed a way into Sentinel.

For whatever reason, Darlene wasn’t able to get a read on the badge, and I didn’t see any obvious RFID shielding on Dom’s badge, so perhaps it was a decoy?

I didn’t get the impression Dom knew what Darlene was up to right away, so I’m skeptical there, but tools won’t always work 100% of the time in any case. Good thing Darlene had a backup plan… but bad luck that it didn’t matter in the long run.

[*] RFID skimming is not to be confused with ATM skimming, which reads magstripe data off contact-based cash cards at the point they’re inserted for use.

SOCs and Hindsight

The opening scene, which gave us some season one nostalgia for Gideon perhaps, shows E Corp and Allsafe in discussions about doing business together. To jog your memory, E Corp is the Typical Hugebig Company and Allsafe is the external vendor they hire to manage their security.

After the negotiation’s complete, we see Tyrell tell Price briefly that he’d rather not use an external security firm like Allsafe and would prefer to establish his own security operations center (or SOC) internally. When Price dismisses his concerns, Tyrell says – almost comically understated, this line – “I just hope it doesn’t come back to haunt us.”

Arguably a company like E Corp should be able to pull together its own security team internally – they have a lot at stake and they have the money to hire. But deciding whether to hire an outside security firm or build one in-house is a huge decision that many companies of all sizes struggle with. There are just as many decisions for and against on either “side,” and as much as the common thinking is that it’s cheaper to hire someone outside the company, there’s a lot more that goes into the in-house versus outsourcing decision.

Tyrell’s line about not regretting their decision was a key plot device, but in the security context, it’s worth pointing out that he could have had his wish and built his own SOC internally and still had issues thanks to the inside threat. (There’s no reason why Elliot couldn’t have been hired by E Corp directly if Allsafe wasn’t in the picture.) Despite the Captain Hindsight-esque line, this was never going to be an easy decision.

Other notes:

  • Did Elliot use the same car hack on Irving that Irving did in this season’s opener? That was a pretty cute callback. Irving seemed to know exactly what was going on as it happened and was already very over it.
  • Price’s line to Mr. Robot was a great statement on perception vs. reality in cybercrime: “Catastrophes don’t happen because of lone wolves like you, they happen because men like me allow them to happen.” Mr. Robot and Elliot represent the old stereotype of the brilliant hacker in the hoodie; the reality is most cybercrime nowadays is more pedestrian, with crooks often using well-known tools and techniques to break in to anyone who’s behind the curve on patching and protection.
  • In the show during a news segment you can hear a news anchor refer to the 2nd stage of the five/nine attack as “cyberbombings,” a term I haven’t really heard before. (I’ve heard of “cyberbombs” in reference to really big, sudden, targeted cyberattacks against a virtual target, but not in the context of actual physical damage or bombings.) It makes sense – a cyberattack used to bomb 71 buildings, hence cyberbombing. But I really hope this term never ever joins the IRL lexicon.

It’s the season finale next week, which means I’ll be wrapping up these reviews until next year (and going to bed at a more reasonable hour). Still, I can’t help but wonder what we’re in for next week: Elliot seems to think he has things with Dark Army all neat and tidy with a bow on top. “And now I own Dark Army,” he said. Especially after all we’ve seen these past three seasons, that seemed way too easy.

There’s no way Dark Army would just grab a USB key from Elliot and run it sight unseen, there’s no way they’d underestimate him that badly. So how is it that Elliot would underestimate them to assume they’d get pwned so easily? I really hope we don’t have to wait until next season to get an answer.

Source: Naked Security


NiceHash cryptomining exchange hacked; everything’s gone

Created: 7 December 2017

NiceHash buyers and miners, change your passwords immediately if you haven’t already been ransacked: the cryptomining exchange that describes itself as the world’s largest marketplace for mining digital currencies has been vacuumed out.

Late Wednesday night, NiceHash said that it was suspending its operations for at least 24 hours because of a security breach.

Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken. Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days. In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency.

According to CoinDesk, a site specializing in cryptocurrency news and information, news of the breach comes on the heels of an hours-long outage and reports from a multitude of users that their NiceHash-associated wallets had been emptied. NiceHash had previously posted an announcement that its service was “under maintenance.”

NiceHash users have been passing around a link to a Bitcoin account that appears to belong to the hacker(s). It shows that as many as 4,736 bitcoins had been stolen.

That jibes with what NiceHash head of marketing Andrej P. Škraba told The Guardian: namely, that the hack – “a highly professional attack with sophisticated social engineering” – resulted in approximately 4,700 bitcoin being stolen.

As of Thursday morning, that amount was worth about USD $80 million – a value that skyrocketed from what The Hacker News said was $58 million at the time of the theft.

At the time of writing, the NiceHash service was still offline. NiceHash, which formed in 2014, still had a “Service Unavailable” post on its website, along with its official press release about the hack.

Unfortunately, the NiceHash hack is a prime example of how you can lose money beyond just the wildly fluctuating value of cryptocurrencies. As Naked Security’s Taylor Armerding noted recently, cryptocurrency exchanges – the sites where these currencies are bought, sold and stored – are a soft and vulnerable underbelly.

Once you’ve uploaded your private keys to an exchange to make trading easier, they’re at the mercy of that site’s security. The sites can be hacked, via social engineering or other means, and the keys can be stolen. Unfortunately, there’s no Federal Deposit Insurance Corporation (FDIC) to protect your Bitcoin; nor do governments or central banks back them up.

In August 2016, we saw it happen to Bitfinex, which was then the world’s largest Bitcoin exchange.

At that point, the one question on everybody’s lips was this: Are we getting Goxed again?

That had been, up until the Bitfinex hack, the Mother of All Bitcoin Bellyups. Mt. Gox, a Tokyo bitcoin exchange, announced in 2014 that there’d been a mysterious vanishing of half a billion dollars’ worth of digital assets.

In the case of Mt. Gox, 850,000 Bitcoins went missing and were thought to be likely stolen. That would be worth about $14.4 billion nowadays. But sometime after Mt. Gox found 200,000 of those Bitcoins, its chief was accused of embezzlement and data manipulation.

His trial started up in a Tokyo court in July. According to the Guardian, those affected by Mt. Gox’s failure are still trying to claw back the funds they lost and looking to the trial to hopefully help explain what happened.

The value of Bitcoin is through the roof, and it’s showing no signs of slowing down. It jumped past $15,000 on Thursday, and experts are predicting that it could get as high as $100,000 one year from now.

With no better value for a hacker, we can expect more stories like this one.

Source: Naked Security


US gov says it can break your encryption without a court order

Created: 7 December 2017

Remember all that drama over encryption, with the FBI wrestling in court with Apple over its inability to access an iPhone belonging to one of the San Bernardino terrorists? And the way that the FBI, even after it paid somebody to crack that iPhone, keeps arguing that strong encryption is allowing major swaths of the criminal and terrorist underworld to “go dark”?

It’s all octopus ink, if you go by what the government says: it doesn’t need approval from its secret surveillance court to ask a tech company to create an encryption backdoor. It already has the legal authority to compel cooperation, it stated in Congressional testimony released over the weekend.

According to ZDNet’s Zack Whittaker, the remarks were made in July in response to questions posed by Sen. Ron Wyden (D-OR), but they were only made public this weekend.

Intelligence officials from the FBI, the National Security Agency (NSA), and the Director of National Intelligence (DNI) told the Senate Intelligence Committee on 7 June 2017 that they can resort to an order from the Foreign Intelligence Surveillance Court (FISC) compelling tech companies to help them out if need be. But they don’t even have to go that far (and had not, as of the date of the hearing), given that they can use FISA to authorize government personnel to compel compliance without the FISC even being given a heads-up about the matter.

ZDNet says the intelligence officials declined to tell the committee whether they’d ever asked a company to add an encryption backdoor.

As ZDNet points out, the government relies on Section 702 of Title VII of the Foreign Intelligence Surveillance Act (FISA) to carry out the bulk of its intelligence gathering and surveillance operations.

That’s not the legislation the FBI relied on in its attempts to get Apple to unlock either the San Bernardino terrorist’s iPhone or that of an alleged meth dealer in Brooklyn. Rather, in those cases, the government relied on a broad interpretation of a law known as the All Writs Act.

The All Writs Act, which hails from 1789, allows courts to issue writs (orders) “necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”

During the June testimony before Congress, intelligence officials strenuously defended Section 702, saying that it had provided valuable intelligence in multiple cases.

Their support is timely: the legislation is up for renewal, reform or expiration by year’s end, in a few weeks.

The news that the legislation OKs the government’s compelling of encryption breakage without seeking a court order likely isn’t consequential. As it is, the court in question – the FISC – basically just rubber stamps the government’s surveillance requests, keeping its proceedings secret and almost never pushing back against the requests, as NPR has reported.

ZDNet cited a blog post by Marcy Wheeler, an independent journalist who focuses on national security, who last month dissected a FISA reform bill proposed by Wyden.

Wheeler explained that Wyden is concerned that Section 702 “leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without FISA Court oversight.”

Translation: the government can use the legislation to force a company such as Apple to back-door its encryption.

Yup, that’s exactly what he’s concerned about, Wyden confirmed in a statement on the bill.

Source: Naked Security


Meow! Facial recognition reaches pet doors

Created: 7 December 2017

Microsoft has built a facial recognition pet door that uses a webcam, a passive infrared motion sensor, servo motors, and OpenCV facial recognition on a Minnowboard Max – an open-source, single-board computer – running Windows IoT Core in order to let your cat into the house while barring criminals from the family Rodentia.

As Microsoft shows in the video it posted onto its official Windows YouTube channel on Tuesday, when your pet walks up to the door, it triggers a motion sensor, activating a mounted webcam that captures a few frames of the animal’s face. An OpenCV classifier then either grants or denies access to the animal seeking entry.

OpenCV classifiers can be trained using groups of similar images. For example, there is a YouTube video tutorial on training a classifier for car detection using a library of car images.

Of course, facial recognition has a history of being tricked. Static photos are easy to spoof by holding up a 2D picture to a camera, for example. There’s a plethora of cat images that can be found online, along with latitude and longitude coordinates embedded in the images’ metadata.

Sentient hacker raccoons with opposable thumbs, or gremlins small enough to fit through cat flaps, could theoretically find a nearby cat’s photo fairly easily and use it to spoof the biometric entry.

But even moving photos are spoofable. Google at one point filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool the Liveness Check with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.

Animating twitching whiskers would be just as easy.

In August 2016, researchers also managed to use a handful of publicly available photos collected on sites such as Facebook to create 3D facial models that fooled facial recognition systems.
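The location coordinates mentioned above ride along in a photo’s Exif metadata, and the cheap defensive step is to check for that block and remove it before a picture is posted. The following is an added example, not code from the article or from Microsoft’s project: it uses only the standard library, walks the JPEG marker structure, looks for the standard Exif GPSInfo pointer tag (0x8825) in IFD0, and strips the Exif segment. The sample “photo” at the bottom is constructed inline from marker headers only (no pixel data) so the script runs offline.

```python
"""Detect and strip GPS metadata from a JPEG before the photo goes online.

Added example (standard library only), not code from the article or from
Microsoft's project. It walks the JPEG marker segments, finds the Exif APP1
block, looks in IFD0 for the GPSInfo pointer tag (0x8825) and, to clean a
photo, drops the whole Exif segment. SAMPLE_JPEG is constructed inline
(marker headers only, no pixel data) so everything runs offline.
"""
from typing import Iterator, List, Tuple

EOI, SOS, APP0, APP1 = 0xD9, 0xDA, 0xE0, 0xE1
GPS_IFD_POINTER = 0x8825        # Exif tag whose value is the offset of the GPS IFD
EXIF_PREFIX = b"Exif\x00\x00"


def iter_segments(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (marker, start, end, payload) per segment up to SOS or EOI;
    entropy-coded data after SOS is not parsed, callers copy it verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while data[pos + 1] == 0xFF:          # optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == EOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            yield marker, pos, pos + 2, b""    # standalone markers have no length
            if marker == EOI:
                return
            pos += 2
            continue
        end = pos + 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # length incl. itself
        yield marker, pos, end, data[pos + 4:end]
        if marker == SOS:
            return
        pos = end


def ifd_entries(tiff: bytes, off: int, order: str) -> List[Tuple[int, bytes]]:
    """Parse one IFD into [(tag, 4-byte value-or-offset)]; type/count are skipped."""
    n = int.from_bytes(tiff[off:off + 2], order)
    return [(int.from_bytes(tiff[off + 2 + 12 * i:off + 4 + 12 * i], order),
             tiff[off + 10 + 12 * i:off + 14 + 12 * i]) for i in range(n)]


def gps_entry_count(exif_payload: bytes) -> int:
    """Entries in the GPS IFD, or 0 when the Exif block carries no GPS data."""
    if not exif_payload.startswith(EXIF_PREFIX):
        return 0
    tiff = exif_payload[len(EXIF_PREFIX):]
    order = {b"II": "little", b"MM": "big"}.get(tiff[:2])
    if order is None or int.from_bytes(tiff[2:4], order) != 0x2A:
        return 0
    ifd0 = int.from_bytes(tiff[4:8], order)
    for tag, value in ifd_entries(tiff, ifd0, order):
        if tag == GPS_IFD_POINTER:
            return len(ifd_entries(tiff, int.from_bytes(value, order), order))
    return 0


def photo_has_gps(data: bytes) -> bool:
    """True if any Exif APP1 segment of the JPEG has a populated GPS IFD."""
    return any(m == APP1 and gps_entry_count(p) > 0 for m, _, _, p in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment removed; JFIF APP0,
    quantisation tables and the image data itself are kept byte for byte."""
    out, last = bytearray(), 0
    for marker, start, end, payload in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_PREFIX):
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


# --- constructed sample (not a real photo) ----------------------------------
def _entry(tag: int, typ: int, count: int, value) -> bytes:
    """12-byte big-endian IFD entry; value is an int offset or 4 raw bytes."""
    raw = value if isinstance(value, bytes) else value.to_bytes(4, "big")
    return tag.to_bytes(2, "big") + typ.to_bytes(2, "big") + count.to_bytes(4, "big") + raw


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_exif() -> bytes:
    """Exif block whose IFD0 holds only a GPSInfo pointer; the GPS IFD holds
    GPSVersionID (0x0000) and GPSLatitudeRef (0x0001) as placeholder entries."""
    tiff_header = b"MM\x00\x2a" + (8).to_bytes(4, "big")      # big-endian, IFD0 at offset 8
    gps_ifd_offset = 8 + 2 + 12 + 4                             # IFD0 ends at byte 26
    ifd0 = (1).to_bytes(2, "big") + _entry(GPS_IFD_POINTER, 4, 1, gps_ifd_offset) + b"\0\0\0\0"
    gps_ifd = ((2).to_bytes(2, "big")
               + _entry(0x0000, 1, 4, b"\x02\x03\x00\x00")     # GPSVersionID 2.3.0.0
               + _entry(0x0001, 2, 2, b"N\x00\x00\x00")        # GPSLatitudeRef "N"
               + b"\0\0\0\0")
    return EXIF_PREFIX + tiff_header + ifd0 + gps_ifd


JFIF_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
# SOI, JFIF APP0, Exif APP1 with GPS, EOI; header-only, no pixel data.
SAMPLE_JPEG = b"\xff\xd8" + _segment(APP0, JFIF_APP0) + _segment(APP1, build_sample_exif()) + b"\xff\xd9"
```

`photo_has_gps(SAMPLE_JPEG)` returns True and `strip_exif(SAMPLE_JPEG)` returns the same bytes minus the Exif segment, leaving the JFIF header and (in a real file) the image data untouched. The parser stops at the SOS marker on purpose: everything after it is entropy-coded image data that never contains Exif, so copying it verbatim is both faster and safer than decoding it.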

Microsoft claims that its facial recognition cat flap takes only a few seconds to recognize or reject an animal, promising a “seamless approach” that won’t confuse pets.

The company has provided a guide for those who’d like to make their own automated pet door with Windows 10 IoT Core, which is a version of Windows 10 that’s optimized for smaller devices. Microsoft estimates that it takes about 10 hours on average – a potentially “fun project over the holidays” – to create your own cat biometric flap.

Security is of course a sore spot in the Internet of Things (IoT) space. Microsoft has promised that Windows 10 IoT Core provides security features that can prevent network attacks on, or physical tampering with, whatever devices IoT Core is running on.

It doesn’t hurt to be extra careful when it comes to the security of IoT gadgets, however. So before you start on the cat flap, you might also want to take a look at our tips on securing the IoT.

Because really. Squirrels?

Say no more.

Source: Naked Security


Net Neutrality comments “deeply corrupted” – NY Attorney General

Created: 6 December 2017

New York Attorney General Eric Schneiderman called a press conference on Monday to demand a postponement of a 14 December 2017 vote by the Federal Communications Commission (FCC) on a proposed rollback of net neutrality regulations, declaring that the public comment process in advance of it has been “deeply corrupted.”

But Schneiderman is late – very late – to the party. Reports of fake and bot-generated comments started more than six months ago, before the official public comment period even began on 18 May 2017, after FCC Chairman Ajit Pai proposed the rollback.

ZDNet reported on 10 May 2017 that more than 128,000 identical comments had already been submitted. Some whose names were on those comments told ZDNet they had not submitted them – including one “commenter” who said that they didn’t even know what net neutrality was.

Those reports continued regularly through the year, and the flawed comments process, as Naked Security reported in October this year, was almost embarrassingly obvious.

Data analytics company Gravwell claimed at the beginning of October that only about 18% (3,863,929) of the 21.8 million comments submitted on the FCC website and via its API were unique.

The rest were likely from “automated astroturfing bots,” Gravwell founder Corey Thuen said, adding that the fakes were easy to spot.

Schneiderman, who was joined at the press conference by FCC commissioner Jessica Rosenworcel, demanded that the vote be delayed. Rosenworcel, an Obama appointee, was nominated for another term in July by President Trump, and confirmed by the Senate.

Schneiderman said his office carried out a review of the comments on the impending vote. The review found that at least one million of these may have been made by impersonators, including up to 50,000 claiming to be from New York. He also accused the FCC of failing to help investigate who might be behind the fakes. Rosenworcel added that nearly 50,000 of the comments to the FCC were from Russian email addresses.

The FCC has now agreed to assist, but Schneiderman said that offer came on the morning of the press conference, after nine previous requests for FCC logs to show the origin of the comments.

It is not just fake comments at issue, either. There are also complaints from advocacy groups, including the National Hispanic Media Coalition (NHMC), saying that the docket – the collected files for and against the proposed rollback – doesn’t include the 50,000 consumer complaints filed about Internet Service Providers (ISPs) since the Obama net neutrality rules took effect in 2015.

According to Ars Technica, 28 Democratic senators are also complaining about that omission. In a letter to Pai, they wrote:

50,000 consumer complaints seem to have been excluded from the public record in this proceeding… we believe that your proposed action may be based on an incomplete understanding of the public record in this proceeding.

At the press conference, Schneiderman contended:

You cannot conduct a legitimate vote on a rulemaking proceeding if you have a record that is in shambles, as this one is.

Advocates of the rollback agree that the comment process has been corrupted, but they say it has been happening on both sides. Brian Hart, an FCC spokesman, told the Washington Post that 7.5 million comments in favor of maintaining net neutrality appeared to come from 45,000 email addresses, “all generated by a single fake e-mail generator website.”

He said another 400,000 comments in favor of net neutrality appeared to come from a Russian mailing address.

And Tina Pelkey, also speaking for the FCC, declared in an emailed statement on Monday to reporters that neither Schneiderman nor Rosenworcel had identified “a single comment relied upon in the draft order as being questionable.”

The key phrase there is, of course, “relied upon” – a tacit acknowledgement of the fake comments, but also an assertion that nobody on the FCC, including Pai, is giving them any credence.

There is no indication yet that the vote will be delayed. But opponents say they think the number of bogus comments will help them in a court battle to overturn the vote, if Congress doesn’t block it until an investigation is complete. Evan Greer, campaign director for the advocacy group Fight for the Future, told the Post:

It’s all about Congress for right now. But this (fake comments) will absolutely show up in court if we get there.

Source: Naked Security


Questions linger as data breach trading site LeakBase disappears

Created: 6 December 2017

If account credentials stolen during a data breach are posted on public servers, is it ever legitimate business to make money trading access to this data?

It sounds dubious, but this is precisely what a small group of websites started doing two years ago to almost no applause.

The claim was that turning breaches into a business would aid notification because it would help advertise them quickly once the data appeared online somewhere, usually on the dark web.

The counter argument was that low-level connected criminals less savvy with dark web sources would also be enthusiastic subscribers, which would turn sites into databases fuelling more online crime.

Now, with the news that a prominent name in the sector went silent last weekend, it appears breach-as-a-service might be on its last legs.

On 2 December LeakBase started redirecting to Troy Hunt’s campaigning breach site Have I Been Pwned? (HIBP), confirming an earlier message from the site’s Twitter feed that something was up:

This project has been discontinued, thank you for your support over the past year and a half.

Which, to anyone who thinks that selling credentials stolen during data breaches is not a legitimate activity in the first place, will count as a good day for security.

Earlier this year, another breach site called LeakedSource disappeared with identical suddenness, reportedly after being raided and having its servers seized by the FBI.

This should have cleared the way for LeakBase to dominate the market but now it too has succumbed to unspecified troubles. The nature of those troubles, which ironically started in April when the site was itself breached, defaced, and subsequently changed ownership, still interests a lot of people.

According to security blogger Brian Krebs, one of the site’s founders may have links to an illegal dark web drugs website, Hansa, taken over by Dutch police in July in order to covertly monitor its customers and users.

Not to mention that handling breached data was always likely to attract the attention of police, Troy Hunt of HIBP told another news site.

Is their demise a simple cause for celebration?

It might appear so if it weren’t for the knack some of these sites had of discovering unknown breaches, typically old ones nobody knew about. A good example was the Dropbox breach affecting 68 million users, which happened in 2012 but which LeakBase brought to light only in 2016.

Recently, the site was at it again, telling a news site about a breach at Taringa affecting another 28 million users.

As LeakedSource summed it up in 2016:

For the most part, the reason all of these mega breaches are coming to light now is because we’ve gone out and found the data exists.

Clearly these sites were uncovering breaches. The problem was that they sold access to this data, telling journalists about it to attract attention to their services.

Public service sites such as HIBP are the obvious alternative, and their recent success in making unknown breaches public might in any case have rendered the whole idea of paid breach databases obsolete.

What remains unsettling is that something as critical as data breach discovery is being left up to small and under-resourced sites to do off their own bat. Software vulnerabilities eventually turned into a thriving area of independent research – for profit as well as public service – so why can’t the same be the case for data breaches?

Source: Naked Security


Hacker who tried to free inmate early may soon join him in jail

Created: 6 December 2017

Class, get out your pencils: we’re having a surprise quiz. Please choose the best answer to this question: What’s the best way to ensure your friend is released early from jail?

  1. Encourage him to keep up his best behavior during his sentence so as to maximize the chances that his good behavior will be recognized and rewarded with early parole.
  2. Write a letter in support of an early release through the appropriate jurisdiction’s credit-earning programs.
  3. Hack the county jail’s network and alter his prison record.

A Michigan man opted for No. 3. Bad choice, Konrads Voits! For flunking the quiz, you’re looking at a maximum penalty under federal law of 10 years’ imprisonment and a $250,000 fine (though, of course, maximum sentences are rarely handed out).

According to the US Attorney’s Office for the Eastern District of Michigan, Voits, 27, on Friday pleaded guilty to damaging a protected computer.

The Attorney General’s office says Voits used a classic phishing scheme laced with typosquatting. According to court records posted by The Register, in January 2017, Voits set up a phishing domain. It looks just like a legitimate county domain name for Washtenaw, except Voits swapped the final W for a double V.

Then, he called and emailed employees of Washtenaw County, claiming that he was “Daniel Greene” and that he needed help with court records. Over the phone, he pretended to be “T.L.” or “A.B.”, a county IT employee. The emails tried to entice employees into clicking on a hyperlink so they’d be whisked off to his malware-poisoned site, while the object of the phone calls was to get his victims to type that phishing site domain into their browsers so as to download an executable malware file.

It was to “upgrade the county’s jail system,” Voits claimed.

Some employees fell for it. Voits also finagled remote login credentials out of one employee. That’s how he managed to install malware on the county’s network itself.

Voits got full access to the county network, including to the XJail system – which is a program used to monitor and track county prison inmates – as well as to search warrant affidavits, internal discipline records, and personal information of county employees. Through the phishing and the malware installed on the county’s network, he succeeded in stealing passwords, user names, email addresses and other personal information of more than 1,600 county employees.

In March 2017, after he’d gained full access to the county’s network, Voits got into the records of multiple inmates. He tweaked the record of at least one in an effort to get him out early.

Fortunately, jail employees do careful reviews of inmate releases. No dice, Voits: your records alteration(s) didn’t fool anybody, and no inmates were released early. Washtenaw county employees did, however, spend what the AG said was “thousands of dollars and numerous extra work hours” responding to and investigating the breach.

Part of that was the expense of hiring an incident response company to determine how extensive the breach was. Many of the county’s hard drives had to be reimaged. Also, the county purchased identity theft protection for its employees. All told, the county said its losses were at least $235,488.

Voits agreed to give up his assets to try to pay it off. Goodbye, laptop. Goodbye, collection of four cell phones. Goodbye, undisclosed amount of Bitcoin.

He’s in custody after agreeing to a plea deal. He’s due to be sentenced on 5 April 2018.

I wouldn’t be surprised if one repercussion of Voits’ exploits was that county employees were subjected to refresher courses on how to spot, and avoid, both IT support scammers and phishing attempts.

It isn’t easy. Like the easy-to-miss double-V swap Voits employed, the signs of a phish can be subtle.
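One way to catch that kind of swap before a user has to is to compare every link and sender domain against a trusted list after normalising the visual substitutions typosquatters rely on (the vv-for-w swap above, plus rn for m and digits for the letters they resemble). The following is an added example, not code from the article, the court records or the county; the county domain and every link in it are constructed placeholders under the reserved .example TLD, not the real names from the case.

```python
"""Lookalike-domain check for links and sender addresses.

Added example, not code from the article or from the court records it cites.
It normalises the visual swaps typosquatters rely on (the "vv" for "w" trick
described above, plus "rn"/"m" and digit-for-letter swaps) before comparing a
domain against a trusted list. All domains below are constructed placeholders
under the reserved .example TLD, not the real county domain.
"""
import unicodedata
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Character pairs that read as one letter at a glance.
CONFUSABLE_SEQUENCES = [("vv", "w"), ("rn", "m")]
# Digits commonly swapped in for the letters they resemble.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(label: str) -> str:
    """Reduce a DNS label to the string a hurried reader would 'see'."""
    label = unicodedata.normalize("NFKC", label).lower()
    label = label.translate(CONFUSABLE_CHARS)
    for seq, repl in CONFUSABLE_SEQUENCES:
        label = label.replace(seq, repl)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-character typos the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain approximation: the last two labels.
    (A real deployment would consult the Public Suffix List for co.uk etc.)"""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str, trusted: List[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_trusted_domain); verdict is one of
    "trusted", "lookalike" or "unrelated"."""
    domain = domain.lower().strip(".")
    cand = registrable(domain)
    cand_label = cand.split(".")[0]
    for t in trusted:
        t_reg = registrable(t)
        t_label = t_reg.split(".")[0]
        if cand == t_reg:
            return "trusted", t          # the domain itself or a genuine subdomain
        if t_label in domain.split("."):
            return "lookalike", t        # trusted name used as a subdomain elsewhere
        if skeleton(cand_label) == skeleton(t_label):
            return "lookalike", t        # vv/w, rn/m or digit-for-letter swap
        if levenshtein(cand_label, t_label) <= 1:
            return "lookalike", t        # one character dropped, added or changed
    return "unrelated", None


def host_of(target: str) -> str:
    """Hostname from a URL, or the domain part of an e-mail address."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    if "@" in target:
        return target.rsplit("@", 1)[1]
    return target


def flag_links(targets: List[str], trusted: List[str]) -> List[Tuple[str, str]]:
    """Return [(host, verdict)] for every target that is not plainly trusted."""
    findings = []
    for target in targets:
        host = host_of(target)
        verdict, _ = classify(host, trusted)
        if verdict != "trusted":
            findings.append((host, verdict))
    return findings


# Constructed sample: a placeholder trusted domain plus links and senders of
# the kind described in the article (none of these are the real domains).
TRUSTED = ["washtenaw.example"]
SAMPLE_TARGETS = [
    "https://mail.washtenaw.example/courtrecords",        # genuine subdomain
    "https://washtenavv.example/jail-upgrade/setup.exe",  # final w -> vv
    "it-support@wa5htenaw.example",                       # digit for letter
    "https://washtenaw.example.login-portal.example/",    # trusted name as subdomain
    "helpdesk@unrelated.example",                         # nothing to do with the county
]

if __name__ == "__main__":
    for host, verdict in flag_links(SAMPLE_TARGETS, TRUSTED):
        print(f"{verdict:10s} {host}")
```

Run against the constructed list, `flag_links` reports the three lookalikes (the vv swap, the digit swap and the trusted name buried as a subdomain) and leaves the genuine `mail.` subdomain alone; an unrelated domain is reported as such rather than flagged, so a mail-gateway rule can treat “lookalike” and “unrelated” differently. The skeleton comparison is deliberately aggressive, so in practice it belongs in a warning banner or a quarantine rule, not a hard block.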

In time for the holidays, we recently came out with some simple tips on how to avoid getting phished.

As far as the bogus calls go, you might want to check out our explanation of social engineering. After all, pretending to be the IT guy is just one of the tricks the crooks like to pull!

Source: Naked Security

