It was the RSA security conference in San Francisco this week, and the security industry descended on Moscone Center for days of handing out free stickers, demoing products, and presenting research. And the week was punctuated by fewer handshakes and more elbow bumps thanks to Covid-19. WIRED looked at research that North Korea is recycling Mac malware, and how it’s indicative of booming malware reuse. Google researchers presented progress using deep learning to catch more malicious document attachments in Gmail.
Longtime vulnerability disclosure advocates Katie Moussouris and Chris Wysopal looked back on progress—as well as frustrating limitations—of disclosure today. And one hacker shared a story of sending his mother to break into a South Dakota prison. For research!
Outside of RSA, Nintendo has been cracking down on game leaks in recent months. A new tool called Dangerzone quarantines new PDFs you receive, combs them for anything sketchy, scrubs them, and spits out a safe version. And we looked at strategies for sharing online accounts like streaming accounts safely.
Plus, there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Soon after the Daily Beast reported that controversial facial recognition company Clearview AI’s client list had been compromised in a breach, Buzzfeed shared details of who exactly was on that list. Among the thousands of listed organizations were law enforcement agencies, as you might expect, but also commercial entities like Best Buy and Macy’s. Some of these groups only took a 30-day trial, rather than having an ongoing relationship. But Clearview’s apparent pervasiveness troubles privacy advocates, who find both the company’s opacity and its apparent willingness to share its technology far beyond the confines of law enforcement acutely troubling.
Cerberus malware has been around since last summer, but it’s already picking up new tricks. Researchers at security firm ThreatFabric have observed that recent Cerberus samples appear capable of stealing two-factor authentication codes from Google Authenticator. The upgrade hasn’t hit the version of Cerberus currently in use, but if it works it’ll make it even easier for hackers to crack your bank account. If you’re truly skittish, you’ve got plenty of 2FA options beyond Authenticator, a venerable but rarely updated app.
The NSA’s vast phone metadata collection, authorized under Section 215 of the Patriot Act, has been one of the most controversial practices in the intelligence agency’s history since it was exposed in 2013 by the leaks of Edward Snowden. But only now, a year after the program was officially ended, has the public learned not only the sweeping scope of that surveillance but also how expensive it was. A declassified study by the intelligence community’s Privacy and Civil Liberties Oversight Board shared with Congress this week revealed that the metadata program cost $100 million, and only on two occasions produced information that the FBI didn’t already possess. On one of those occasions, the investigation was dropped after the FBI looked into the lead. In another case, the NSA’s findings led to an actual foreign intelligence investigation. For that one case, the report doesn’t reveal the nature of the investigation or what may have resulted. Hopefully whatever happened, it was worth $100 million of taxpayer funds—and an enormous controversy that has tarnished the NSA’s reputation for years.
CNET took a close look this week at Inpixon, a company that provides technology that allows schools to keep track of students’ locations accurate down to a meter. The company touts its safety benefit, but raises obvious surveillance concerns, especially given that the affected group is definitionally minors. Its scanners pick up Wi-Fi, Bluetooth, and cellular signals from student smartphones, smartwatches, tablets, and more. And while it technically anonymizes data, it’s easy enough to pair it with ubiquitous in-school camera systems to tie the individual to the activity.
The Justice Department this week announced the arrest of John Cameron Denton, an alleged former leader of the white supremacist group Atomwaffen Division, in connection with a series of swatting events between November 2018 and April 2019. (Swatting is the practice of calling 911 to report a serious crime at an address where none is occurring to get a heavily armed SWAT team to show up; it has gotten people killed, though not in the instances Denton is alleged to have participated in.) If convicted, Denton faces up to five years in prison.
(Reuters) – Twitter
The accounts were hacked through a third-party platform, a spokesperson for the social media platform said in an emailed statement, without giving further details.
“As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners to restore them,” the Twitter spokesperson said.
A spokesperson for the IOC separately said that the IOC was investigating the potential breach.
Twitter also said Spanish soccer club FC Barcelona’s account faced a similar incident on Saturday.
“FC Barcelona will conduct a cybersecurity audit and will review all protocols and links with third party tools, in order to avoid such incidents,” the soccer club said in a tweet after the hack.
Last month, the official Twitter accounts of several U.S. National Football League (NFL) teams, including the San Francisco 49ers and Kansas City Chiefs, were hacked a few days ahead of the Super Bowl.
Earlier this month, some of Facebook’s official Twitter accounts were briefly compromised.
(Reporting by Akshay Balan in Bengaluru, Editing by Rosalba O’Brien)
The post #nationalcybersecuritymonth | Twitter says Olympics, IOC accounts hacked | News appeared first on National Cyber Security.
Last month, SpaceX became the operator of the world’s largest active satellite constellation. As of the end of January, the company had 242 satellites orbiting the planet, with plans to launch 42,000 over the next decade. This is part of its ambitious project to provide internet access across the globe. The race to put satellites in space is on, with Amazon, U.K.-based OneWeb, and other companies chomping at the bit to place thousands of satellites in orbit in the coming months.
These new satellites have the potential to revolutionize many aspects of everyday life—from bringing internet access to remote corners of the globe to monitoring the environment and improving global navigation systems. Amid all the fanfare, a critical danger has flown under the radar: the lack of cybersecurity standards and regulations for commercial satellites, in the U.S. and internationally. As a scholar who studies cyberconflict, I’m keenly aware that this, coupled with satellites’ complex supply chains and layers of stakeholders, leaves them highly vulnerable to cyberattacks.
If hackers were to take control of these satellites, the consequences could be dire. On the mundane end of the scale, hackers could simply shut satellites down, denying access to their services. Hackers could also jam or spoof the signals from satellites, creating havoc for critical infrastructure. This includes electric grids, water networks, and transportation systems.
Some of these new satellites have thrusters that allow them to speed up, slow down, and change direction in space. If hackers took control of these steerable satellites, the consequences could be catastrophic. Hackers could alter the satellites’ orbits and crash them into other satellites or even the International Space Station.
Commodity parts open a door
Makers of these satellites, particularly small CubeSats, use off-the-shelf technology to keep costs low. The wide availability of these components means hackers can analyze them for vulnerabilities. In addition, many of the components draw on open-source technology. The danger here is that hackers could insert backdoors and other vulnerabilities into satellites’ software.
The highly technical nature of these satellites also means multiple manufacturers are involved in building the various components. The process of getting these satellites into space is also complicated, involving multiple companies. Even once they are in space, the organizations that own the satellites often outsource their day-to-day management to other companies. With each additional vendor, the vulnerabilities increase as hackers have multiple opportunities to infiltrate the system.
Hacking some of these CubeSats may be as simple as waiting for one of them to pass overhead and then sending malicious commands using specialized ground antennas. Hacking more sophisticated satellites might not be that hard either.
Satellites are typically controlled from ground stations. These stations run computers with software vulnerabilities that can be exploited by hackers. If hackers were to infiltrate these computers, they could send malicious commands to the satellites.
A history of hacks
This scenario played out in 1998 when hackers took control of the U.S.-German ROSAT X-ray satellite. They did it by hacking into computers at the Goddard Space Flight Center in Maryland. The hackers then instructed the satellite to aim its solar panels directly at the sun. This effectively fried its batteries and rendered the satellite useless. The defunct satellite eventually crashed back to earth in 2011. Hackers could also hold satellites for ransom, as happened in 1999 when hackers took control of the U.K.’s SkyNet satellites.
Over the years, the threat of cyberattacks on satellites has gotten more dire. In 2008, hackers, possibly from China, reportedly took full control of two NASA satellites, one for about two minutes and the other for about nine minutes. In 2018, another group of Chinese state-backed hackers reportedly launched a sophisticated hacking campaign aimed at satellite operators and defense contractors. Iranian hacking groups have also attempted similar attacks.
Although the U.S. Department of Defense and the National Security Agency have made some efforts to address space cybersecurity, the pace has been slow. There are currently no cybersecurity standards for satellites, and there is no governing body to regulate and ensure their cybersecurity. Even if common standards could be developed, there are no mechanisms in place to enforce them. This means responsibility for satellite cybersecurity falls to the individual companies that build and operate them.
Market forces work against space cybersecurity
As they compete to be the dominant satellite operator, SpaceX and rival companies are under increasing pressure to cut costs. There is also pressure to speed up development and production. This makes it tempting for the companies to cut corners in areas such as cybersecurity that are secondary to actually getting these satellites in space.
Even for companies that make a high priority of cybersecurity, the costs associated with guaranteeing the security of each component could be prohibitive. This problem is even more acute for low-cost space missions, where the cost of ensuring cybersecurity could exceed the cost of the satellite itself.
To compound matters, the complex supply chain of these satellites and the multiple parties involved in their management mean it’s often not clear who bears responsibility and liability for cyberbreaches. This lack of clarity has bred complacency and hindered efforts to secure these important systems.
Regulation is required
Some analysts have begun to advocate for strong government involvement in the development and regulation of cybersecurity standards for satellites and other space assets. Congress could work to adopt a comprehensive regulatory framework for the commercial space sector. For instance, they could pass legislation that requires satellite manufacturers to develop a common cybersecurity architecture.
They could also mandate the reporting of all cyberbreaches involving satellites. There also needs to be clarity on which space-based assets are deemed critical, in order to prioritize cybersecurity efforts. Clear legal guidance on who bears responsibility for cyberattacks on satellites will also go a long way to ensuring that the responsible parties take the necessary measures to secure these systems.
Given the traditionally slow pace of congressional action, a multistakeholder approach involving public-private cooperation may be warranted to ensure cybersecurity standards. Whatever steps government and industry take, it is imperative to act now. It would be a profound mistake to wait for hackers to gain control of a commercial satellite and use it to threaten life, limb, and property—here on earth or in space—before we address this issue.
William Akoto is a postdoctoral research fellow at the University of Denver. This article is republished from The Conversation under a Creative Commons license. Read the original article.
The post #nationalcybersecuritymonth | What happens when satellites get hacked? appeared first on National Cyber Security.
#cybersecurity | #infosec | Man who hacked National Lottery for just £5 is jailed for nine months – HOTforSecurity
A 29-year-old British man has been jailed for nine months after admitting using hacking tools to break into UK National Lottery gambling accounts.
Anwar Batson, of Notting Hill, West London, downloaded the readily-available Sentry MBA hacking tool to launch a credential stuffing attack against the National Lottery website.
Credential stuffing takes lists of usernames and passwords exposed in data breaches and uses the same credentials to see if they will unlock other accounts online. As so many users make the mistake of reusing passwords on different websites, credential stuffing is a technique commonly deployed by attackers and tools such as Sentry MBA make the process even easier for the attacker.
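The defensive counterpart to the technique just described is spotting it in the login audit trail: a stuffing run shows up as one source trying many distinct accounts in a short window, most of them failing, with the occasional success where a reused password hit. The detector below is an added example written for this page, not code from Camelot, the NCA or the article; the log format, the IP addresses and the thresholds are constructed assumptions.

```python
"""Credential-stuffing detector over login-audit lines.

Added example; the line format `<ISO time> ip=<addr> user=<name> result=<success|fail>`
and the thresholds are constructed assumptions, not any real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 fans out across eight accounts in a few
# seconds (one reused password hits); 198.51.100.7 is one user retrying their
# own account and should not be flagged.
SAMPLE_LOG = """\
2016-11-28T22:10:01Z ip=203.0.113.5 user=alice result=fail
2016-11-28T22:10:02Z ip=203.0.113.5 user=bob result=fail
2016-11-28T22:10:02Z ip=203.0.113.5 user=carol result=success
2016-11-28T22:10:03Z ip=203.0.113.5 user=dave result=fail
2016-11-28T22:10:03Z ip=203.0.113.5 user=erin result=fail
2016-11-28T22:10:04Z ip=203.0.113.5 user=frank result=fail
2016-11-28T22:10:05Z ip=203.0.113.5 user=grace result=fail
2016-11-28T22:10:05Z ip=203.0.113.5 user=heidi result=fail
2016-11-28T22:11:00Z ip=198.51.100.7 user=ivan result=fail
2016-11-28T22:11:20Z ip=198.51.100.7 user=ivan result=fail
2016-11-28T22:11:45Z ip=198.51.100.7 user=ivan result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Turn raw lines into (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that hit >= min_users distinct accounts inside `window`
    with a failure ratio >= min_fail_ratio. Returns {ip: summary}; the
    `successes` list is the set of accounts that need a forced password reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window so it spans at most `window` of wall-clock time
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                # keep the widest fan-out seen for this source
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "failures": fails,
                        "successes": sorted(u for _, u, ok in chunk if ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The distinct-username count is the signal that separates stuffing from a forgetful user: a brute-force against one account and a user mistyping their own password both stay at one username, whereas a list replay touches a new account on nearly every attempt. The `successes` list is what drives the kind of forced reset Camelot issued.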
Prosecutors told Southwark Crown Court that after Batson downloaded Sentry MBA he joined a WhatsApp group devoted to hacking under the alias of “Rosegold,” and provided to accomplices a configuration file specifically designed to launch Sentry MBA against the National Lottery website.
The attack, in late 2016, caused National Lottery operators Camelot to issue a warning to thousands of gamblers that their accounts may have been accessed, and forced a password reset on affected accounts.
Batson’s accomplices, Daniel Thompson and Idris Akinwunmi, were jailed in 2018 after admitting their involvement in the attack.
Batson was arrested in May 2017 by the National Crime Agency (NCA), and initially denied that he was involved in the attack – claiming that his devices had been cloned or hacked by online trolls.
But when NCA officers examined his devices they uncovered the conversations between Rosegold and others on WhatsApp where they discussed hacking, the buying and selling of lists of usernames and passwords, and more.
In addition, officers found at Batson’s flat clothes which had been addressed to someone calling themselves “Rosegold”.
Time and time again, people roll out the adage that “crime doesn’t pay.”
Well, it certainly doesn’t pay in the case of Batson.
As the NCA reports, Batson gave the username and password of one National Lottery player to Akinwunmi, who stole the entire contents of the account – a grand total of £13. Batson’s split of the ill-gotten gains? A mere £5.
Lottery operator Camelot says that responding to the attack cost it £230,000, and that 250 players had closed their accounts due to the negative publicity.
Version 79 of Chrome is out, and it promises to do a better job of protecting you against phishing sites and credential stuffing attacks.
Since 2017, Chrome has protected users against phishing by checking the sites you enter your Google credentials into against a list of known phishing sites. It keeps these as part of its Safe Browsing initiative. Google synchronises its list of bad sites with the browser every 30 minutes, but because sites change so quickly, that means users might fall victim to new sites that had come online just minutes earlier.
Chrome 79, released on Tuesday 10 December, now performs that phishing protection in real-time, even for users with the synchronisation feature turned off. The company says this will protect users in 30% more cases. The protection has also been extended to include all the passwords stored in the Chrome password manager rather than just Google accounts. You can turn it on by enabling the ‘Make searches and browsing better’ option in Chrome.
The browser also now includes some other protections. It will now show you more clearly which profile the browser is currently using, which is handy for those sharing a browser and using different profiles. There’s also a feature that Google has been testing out for months: a built-in check for hacked passwords during site logins.
The feature began as a Chrome extension called Password Checkup that warned users their login credentials had been breached. Released in February 2019, it found that 1.5% of all web logins were using breached credentials, according to a Google survey released in August this year. That fuelled Google’s next move, in which it folded the feature directly into Chrome’s password manager. The service still didn’t check your credentials against hacked logins whenever you logged into a website. Instead, it would run the passwords you’d stored in the password manager service periodically to see if it found a match.
The version of Password Checkup integrated into Chrome 79 goes a step further. Now, it runs the check whenever you log into a site. Google is at pains to avoid any suggestion of creepiness or spying as part of this move, so it’s been pretty clever about how it performs the check. It wants to be clear that it doesn’t get to see your login credentials.
When you log into a website, Chrome will now send a hashed copy of your login credentials to Google. A hash is a fixed-length, reproducible digest of whatever data you give to it, which identifies the data without revealing it. This hash is then encrypted in the browser using an encryption key to which only you have access.
Google already used its own key to encrypt the list of hacked login credentials that it sniffed from various sources online. It does the same thing with the credentials that Chrome sends it, encrypting them a second time.
This double encryption is part of a technique called private set intersection with blinding. It tries to match the login credentials you entered against Google’s database of hacked usernames and passwords.
For your privacy, Google doesn’t do this matching itself. Instead, it sends a small part of its encrypted hacked credentials database back to Chrome, along with your double-encrypted login credentials (which you’ll remember have now been encrypted twice). Chrome removes the encryption it applied to your login credentials using your own key, leaving only Google’s encryption in place. It then tries to match those hashed encrypted credentials against the small subset of the database that it received from Google. If it finds one, then your credentials have been hacked.
Google knows which small subset of the database to send back because your browser also creates a hash of the username you tried to enter into the website. It sends part of that hash to Google along with the other data. Google uses that snippet of your hashed username to select the part of its database including the same snippet in the index.
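To make the exchange concrete, here is a toy model of the steps above, written for this page as an added example; it is not Google’s or Chrome’s code. In place of Google’s elliptic-curve blinding it uses Pohlig-Hellman exponentiation in a 64-bit safe-prime group, which commutes the way the two encryption layers must; the 2-byte username-hash prefix, the bucket layout and the breached list are constructed assumptions, and the group size is far too small to be secure.

```python
"""Toy model of the Password Checkup exchange: commutative blinding
(Pohlig-Hellman exponentiation in a safe-prime group) plus a username-hash
prefix that selects the bucket Google sends back.

Added example, not Google's/Chrome's code. Google uses elliptic-curve blinding
and a huge database; the 64-bit group here is for readability only and is
NOT cryptographically safe.
"""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (covers 64-bit)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """First safe prime p = 2q + 1 (q odd prime) with p >= start; a deterministic toy parameter."""
    q = (start // 2) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 63)   # toy modulus (assumption: far too small for real use)
Q = (P - 1) // 2               # prime order of the quadratic-residue subgroup


def hash_to_group(credential: str) -> int:
    """SHA-256 the credential, then square so the element lies in the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(credential.encode()).digest(), "big") % P
    return pow(h, 2, P) or 1


def blind(element: int, key: int) -> int:
    """Apply one encryption layer: x -> x^key mod P (layers commute)."""
    return pow(element, key, P)


def unblind(element: int, key: int) -> int:
    """Strip one layer by exponentiating with key^-1 mod Q (Python 3.8+ pow)."""
    return pow(element, pow(key, -1, Q), P)


def username_prefix(username: str) -> bytes:
    """The small slice of the hashed username that picks a bucket (2 bytes; constructed)."""
    return hashlib.sha256(username.encode()).digest()[:2]


class BreachServer:
    """Stands in for Google: server-blinded breached credentials, bucketed by username prefix."""

    def __init__(self, breached):
        self.key = secrets.randbelow(Q - 1) + 1
        self.buckets = {}
        for user, password in breached:
            element = blind(hash_to_group(f"{user}:{password}"), self.key)
            self.buckets.setdefault(username_prefix(user), set()).add(element)

    def query(self, prefix: bytes, client_blinded: int):
        """Server sees only a 16-bit prefix and an already-blinded element; it adds
        its own layer and returns that plus the matching bucket."""
        return blind(client_blinded, self.key), self.buckets.get(prefix, set())


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind, send, remove own layer, compare against the bucket locally."""
    client_key = secrets.randbelow(Q - 1) + 1
    blinded = blind(hash_to_group(f"{username}:{password}"), client_key)
    double_blinded, bucket = server.query(username_prefix(username), blinded)
    server_only = unblind(double_blinded, client_key)   # only Google's layer remains
    return server_only in bucket


# Constructed breach corpus so the module runs stand-alone.
DEMO_SERVER = BreachServer([("alice", "hunter2"), ("bob", "password1")])
```

What each side learns follows directly from the code: the server receives a two-byte prefix (shared by many usernames) and an element blinded with a key it never sees, so it cannot recover the credential; the client receives one bucket of server-blinded values and cannot unblind them without the server key, so it learns only whether its own credential is among them. The match is possible because `unblind(blind(blind(x, a), b), a)` equals `blind(x, b)`, which is exactly what the server stored.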
It’s an ingenious system, and as long as you feel you can trust the encryption (and Google), then it looks like a good way to automate hacked password detection. It will alert you that your credentials have been pwned at the point in time when you’re most likely to do something about it – when you’re trying to log into the site.
As with all password breaches, you should change your password if Chrome does discover a match, and turn on multi-factor authentication if the hacked site makes it available, to prevent a possible attack. You should also avoid reusing passwords across multiple sites so that attackers won’t be able to unlock your other accounts with a hacked password. You can make that easier by using a password manager with a built-in password generator.
The post Chrome 79 includes anti-phishing and hacked password protection – Naked Security appeared first on National Cyber Security.
For researchers at testing outfit AV-Test, the SMA M2 kids’ smartwatch is just the tip of an iceberg of terrible security.
On sale for around three years, superficially it’s not hard to understand why the model M2 might appeal to anxious parents or carers.
Costing only $32, it pairs with a smartphone so that adults can track the real-time location of kids via GPS, GSM or Wi-Fi using a simple mapping app and online account. Add a SIM and it can be used to make voice calls and there’s even an SOS button children can press in the event of an emergency.
The colour screen, cartoon icons, and baby-blue or pink colour scheme are almost guaranteed to appeal to younger children.
AV-Test’s investigations reveal that the M2 also happens to be an unmitigated security disaster.
Naked Security has covered numerous security screw-ups over the years but it’s hard to imagine a more face-palming charge sheet than that levelled at the makers of the M2 by AV-Test.
To illustrate the point, the testers use the example of a girl called Anna who lives in Dortmund, Germany.
She vacations with her grandparents in a coastal town called Norderney, where she regularly visits the local harbour around 2 o’clock to spot seals for an hour.
The company knows all of this because Anna is wearing an M2 smartwatch which has been leaking this information along with that of another 5,000 children via a public system whose security would be non-existent for any competent hacker.
AV-Test was able to find the names and addresses of these children, their age, images of what they looked like, as well as voice messages transmitted from the watch.
In a development that would be ironic if it weren’t so serious, they were able to discover children’s current locations. Warns AV-Test’s Maik Morgenstern:
We picked out Anna as much as we could have picked Ahmet from London or Pawel from Lublin in Poland.
The epic fail starts with the fact that communication with the online system is unencrypted and its authentication is weak.
Although an authentication token is generated and sent to requests to the Web API to prevent unauthorized access, this token is not checked on the server side and is therefore inoperative.
Perhaps worse, the smartphone app’s poorly secured web API makes it possible to borrow any user’s account ID and log into that account.
An attacker could not only track and contact a child but lock legitimate adults out of the account.
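The two failures AV-Test describes, a token that is issued but never checked and an account ID that the caller supplies, are the same bug seen from two sides: the server trusts the request to say who is asking. The pair of handlers below, an added example written for this page and not SMA’s code, puts the weak pattern beside a hardened one in which the account comes from a verified, signed token and never from the request body. The route, field names, sample accounts and key are constructed.

```python
"""Weak vs. hardened API authorization for a location-tracker account lookup.

Added example, not the M2 vendor's code. Field names, account records and the
signing key are constructed; the weak handler reproduces the failure modes the
article describes (token present but unchecked, caller-chosen account id).
"""
import hashlib
import hmac
import json
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # constructed; keep in a KMS/HSM in practice

ACCOUNTS = {   # constructed sample data
    "1001": {"parent": "anna.parent@example.com", "child_location": "Norderney harbour"},
    "1002": {"parent": "ahmet.parent@example.com", "child_location": "London"},
}


def issue_token(account_id: str, ttl: int = 3600) -> str:
    """HMAC-signed token that binds the account id and an expiry to the signature."""
    payload = json.dumps({"acct": account_id, "exp": int(time.time()) + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.hex()}.{sig}"


def verify_token(token: str):
    """Return the account id if the token is genuine and unexpired, else None."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("acct")


# --- weak handler: what the article describes --------------------------------
def weak_get_location(request: dict) -> dict:
    """The request carries a token but nothing reads it; the caller-supplied
    account_id selects the record, so any id unlocks any child's data."""
    acct = ACCOUNTS.get(request.get("account_id"))
    return {"status": 200, "data": acct} if acct else {"status": 404}


# --- hardened handler -----------------------------------------------------------
def hardened_get_location(request: dict) -> dict:
    """Identity comes from the verified token; a mismatched account_id is refused."""
    acct_id = verify_token(request.get("token", ""))
    if acct_id is None:
        return {"status": 401}
    if request.get("account_id") not in (None, acct_id):
        return {"status": 403}   # caller asked for someone else's account
    acct = ACCOUNTS.get(acct_id)
    return {"status": 200, "data": acct} if acct else {"status": 404}


if __name__ == "__main__":
    token = issue_token("1001")
    print(weak_get_location({"account_id": "1002", "token": "anything"}))
    print(hardened_get_location({"account_id": "1002", "token": token}))
    print(hardened_get_location({"token": token}))
```

The hardened handler also needs the transport the article says the M2 lacks: a signed token sent over plain HTTP can be replayed by anyone on the path, so TLS is a precondition, not an optional extra. Short expiries and the constant-time `compare_digest` close the two remaining gaps a bearer token usually has.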
Remember, this is a device that is supposed to be a security tracker for carers that turns out to do the same job for anyone.
This is surely worse than no security trackers because at least using nothing wouldn’t lull its users into a false sense of security.
What to do
If you own one of these watches, our advice would be to stop using it immediately.
It’s not clear how many children might be wearing one – AV-Test detected users in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the UK, The Netherlands, and China – but it’s likely to be a lot more than the 5,000 the researchers identified.
The maker, SMA, has been told of the flaws while the product’s German distributor has removed it from sale.
The troubling part of this story is that AV-Test has been looking at this type of children’s smartwatch for some years, and this is only the latest and worst example in a sector that seems to have treated security as little more than a tick box – if it looks secure then it probably is.
Indeed, Naked Security has covered security problems with this class of device many times before. In 2017, Germany even reportedly banned the devices over spying worries. Then there’s this week’s case of the baby monitor hacked by a stranger.
Until IoT products like this can demonstrate better security, it’s wise to shop with great caution.
The post Kids’ smartwatch security tracker can be hacked by anyone – Naked Security appeared first on National Cyber Security.
Source: National Cyber Security – Produced By Gregory Evans. Disney’s new video-on-demand streaming service has been compromised within a week of its being launched, with hacked Disney+ accounts offered for sale online for just $1. According to The Daily Dot, the hugely popular Disney+ service, which amassed over 10 million subscribers on its first day alone, was […]
Watch out for this iPhone call scam, prominent Germans hacked, Android spyware found and an Acrobat update.
Apple iPhone users should be on the lookout for a phone phishing scam. According to security writer Brian Krebs, it works like this: You get a call and when you look at the phone’s screen to see who it is, the Apple logo, real phone number and real address is displayed. The target in this case didn’t answer the call so a message was left asking her to call a 1-866 number. It probably led to a scammer who would have asked for personal information. So iPhone users, ignore calls purporting to be from Apple. Apple won’t phone you. And for those who use other phones, hang up on anyone who tries to get personal information or passwords.
Hackers somehow have gotten access to private emails, memos and financial information of hundreds of German politicians, reporters, comedians and artists. The information was then published through a Twitter account. At this point no one knows if this was the work of a mischievous activist or a foreign country, or exactly how it was done. But British security writer Graham Cluley suspects victims fell for a phishing lure and gave away a password to one of their email or social media accounts. The hacker then went from there. Victims may have also used the same password for different accounts, which also makes a hacker’s job easier. If so, it’s another example of why you shouldn’t use the same password on more than one site, and, where possible, enable two-factor authentication to make sure someone else can’t log into your account. Two-factor authentication usually sends a six-digit number to your smartphone that you have to enter in addition to your password. Check your applications’ settings to see if you have it.
UPDATE: According to the Associated Press, a popular German YouTube contributor who was victimized said the perpetrator somehow first gained access to his email account and then convinced Twitter to disable a second security check — presumably two-factor authentication — required to take control of his account on the social networking site.
Twitter didn’t immediately respond to a request for comment and it wasn’t clear how many of those affected by the leak had such “two-factor authentication” enabled for their email or social media accounts, and whether the hacker similarly managed to bypass it.
As hard as Google tries to keep malware out of the Google Play store, criminals manage to find ways to evade detection. Trend Micro reports it discovered spyware hidden in six seemingly legitimate Android applications including a game called Flappy Bird, a presumably copycat called Flappy Birr Dog, FlashLight, Win7Launcher and others. All have been removed from the app store. The spyware would have stolen information like user location, text messages, contact lists and device information as well as try to phish for passwords. Owners of any computing device have to be cautious when deciding what to download, advises Trend Micro.
Finally, Adobe usually issues security updates on the second Tuesday of the month, which is tomorrow. However, it has already issued an emergency patch for Acrobat and Acrobat Reader. So if you use either of these applications check you have the latest versions.
Green Bay Police say they are investigating the hacking of a local corporation’s computer network, resulting in the theft of “significant amounts of money” from victims in the organization.
Police did not immediately identify the company that was attacked. Action 2 News will work to find that out.
Officers say the hackers stole human resources information.
“In this case, it appeared the cyber actors utilized a known vulnerability to access the company’s computer systems and human resources software to steal personal identifying information from employees,” reads a statement from Capt. Jeremy Muraski.
Police say the vulnerability was a known issue and a security patch had not been installed and updated.
“This incident demonstrates how vital it is to maintain public facing computer systems with the latest security patches from the server companies as cyber actors will attempt to use exploits as long as they are finding vulnerable systems,” reads the statement from Capt. Muraski.
The post Local #company's #system #hacked; employee #info #stolen appeared first on National Cyber Security .
“When hackers get hacked” should become the tagline of 2018. After several other similar incidents, it is now the turn of an Android spyware maker that advertises its spyware to be used against children and employees. A target of a vigilante hacker, the company known as SpyHuman offers surveillance software for Android devices that enables its users to intercept phone calls, text messages, track GPS locations, read messages on WhatsApp and Facebook, and use the target device’s microphone.
It now appears that a hacker has stolen customer text messages and call metadata from the spyware company. Call metadata includes phone numbers the target devices dialled or received calls from along with their duration and dates. Hackers managed to access over 440,000,000 call details by exploiting a basic security flaw in the website.
“These spy apps should be out of market, most people spy on girls and [their] data image […] always sensitive,” the hacker wrote in a message that was obtained by Motherboard. “No one have rights to do that and same these apps and provider making money by doing this.”
While SpyHuman sells its spyware as a tool to monitor children and employees, it’s mostly used to illegally spy on partners and spouses without their consent. “Several review websites and social media posts do push the app for such purposes, and archives of particular SpyHuman pages include phrases such as ‘know if your partner is cheating on you,’ and suggests monitoring your husband’s texts in case he is having an affair,” the publication reports.
The company gave the following (non)explanation when asked about how it makes sure its software isn’t being used for illegal surveillance:
“As a precaution, at an initial stage of our app installation, we always ask users that for what purposes they are installing this app in the target device. If they select child or employee monitoring then our app stays hidden and operate in stealth mode. Otherwise, it will create visible Icon so that one can know that such app is installed on his/her devices.”
As is apparent, since its users can always select a child or an employee – which in itself raises several questions – they don’t necessarily have to reveal if they are using the product for spying on people, mostly partners, without their consent.
– If you are a victim of spyware or technology-facilitated abuse, this is a very comprehensive resource list offering guidelines and help.
The post When Spies Get Hacked… Hackers Steal Customer Data from Android Spyware Company appeared first on National Cyber Security Ventures.