chicksdaddy quotes a report from Security Ledger: The Automotive industry's main group for coordinating policy on information security and "cyber" threats has published a "Best Practices" document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time. The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers. The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process. Automakers are urged to test for and respond to software vulnerabilities, to develop methods for assessing and fixing security vulnerabilities, to create training programs, promote cybersecurity awareness for both information technology and vehicle specific risks, and educate employees about security awareness. The document comes after a Kelly Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."
It's no secret that ransomware hackers are in the business to make money. But a new business arrangement hitting the news today may surprise many. Vice's Motherboard, citing research and investigation (PDF) from security firm F-Secure, is reporting that a Fortune 500 company, the name of which hasn't been unveiled, hired a ransomware gang to hack its competitors. From the article: In an exchange with a security researcher pretending to be a victim, one ransomware agent claimed they were working for a Fortune 500 company. "We are hired by [a] corporation to cyber disrupt day-to-day business of their competition," the customer support agent of a ransomware known as Jigsaw said, according to a new report by security firm F-Secure. "The purpose was just to lock files to delay a corporation's production time to allow our clients to introduce a similar product into the market first."In a statement to Motherboard, Mikko Hypponen said, "If this indeed was a case where ransomware was used on purpose to disrupt a competitor's operation, it's the only case we know of." F-Secure adds that the consumer representative noted that "politicians, governments, husbands, wives -- people from all walks of life contract [them] to hack computers, cell phones."
Reader itwbennett writes (edited): Artem Vaulin, the alleged owner of the torrent directory service KickassTorrents, was arrested in Poland earlier this week, charged with copyright infringement and money laundering. As we dig deeper as to what exactly happened, it turns out Apple and Facebook were among the companies that handed over data to the U.S. in its investigation. Department of Homeland Security investigators traced IP addresses associated with KickassTorrents domains to a Canadian ISP, which turned over server data, including emails. At some point, investigators noticed that Vaulin had an Apple email account that was used to make iTunes purchases from two IP addresses -- both of which also accessed a Facebook account promoting KickassTorrents.if you're wondering where exactly iTunes came into play, here's a further explanation. It all started in November 2015, when an undercover IRS Special Agent reached out to a KickassTorrents representative about hosting an advertisement on the site. An agreement was made and the ad, which purportedly advertised a program to study in the United States, was to be placed on individual torrent listings for $300 per day. When it finally went live on March 14th 2016, a link appeared underneath the torrent download buttons for five days. Sure it was a short campaign, but it was enough to link KAT to a Latvian bank account, one that received $31 million in deposits -- mainly from advertising payments -- between August 2015 and March 2016. Upon further investigation of the email accounts, and corresponding reverse lookups, it was found that the account holder had made a purchase on iTunes.
Zack Whittaker, reporting for ZDNet: A hacker has targeted the official forum of popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted. LeakedSource has now added the total 1,597,717 stolen records to its systems.
An anonymous reader quotes a report from The Verge: Police in Michigan have a new tool for unlocking phones: 3D printing. According to a new report from Flash Forward creator Rose Eveleth, law enforcement officers approached professors at the University of Michigan earlier this year to reproduce a murder victim's fingerprint from a prerecorded scan. Once created, the 3D model would be used to create a false fingerprint, which could be used to unlock the phone. Because the investigation is ongoing, details are limited, and it's unclear whether the technique will be successful. Still, it's similar to techniques researchers have used in the past to re-create working fingerprint molds from scanned images, often in coordination with law enforcement. This may be the first confirmed case of police using the technique to unlock a phone in an active investigation. Apple has recently changed the way iOS manages fingerprint logins. You are now required to input an additional passcode if your phone hasn't been touched for eight hours and the passcode hasn't been entered in the past six days.
Reader Trailrunner7 writes: Apple has fixed a series of high-risk vulnerabilities in iOS, including three that could lead to remote code execution, with the release of iOS 9.3.3. One of those code-execution vulnerabilities lies in the way that iOS handles TIFF files in various applications (Alternate source: Fortune ). Researchers at Cisco's TALOS team, who discovered the flaw, said that the vulnerability has a lot of potential for exploitation. "This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images. This means that an attacker could deliver a payload that successfully exploits this vulnerability using a wide range of potential attack vectors including iMessages, malicious web pages, MMS messages, or other malicious file attachments opened by any application that makes use of the Apple Image I/O API for rendering these types of files," Cisco TALOS said in a blog post.
Cory Doctorow, writes for BoingBoing: The Electronic Frontier Foundation has just filed a lawsuit that challenges the Constitutionality of Section 1201 of the DMCA, the "Digital Rights Management" provision of the law, a notoriously overbroad law that bans activities that bypass or weaken copyright access-control systems, including reconfiguring software-enabled devices (making sure your IoT light-socket will accept third-party lightbulbs; tapping into diagnostic info in your car or tractor to allow an independent party to repair it) and reporting security vulnerabilities in these devices. EFF is representing two clients in its lawsuit: Andrew "bunnie" Huang, a legendary hardware hacker whose NeTV product lets users put overlays on DRM-restricted digital video signals; and Matthew Green, a heavyweight security researcher at Johns Hopkins who has an NSF grant to investigate medical record systems and whose research plans encompass the security of industrial firewalls and finance-industry "black boxes" used to manage the cryptographic security of billions of financial transactions every day. Both clients reflect the deep constitutional flaws in the DMCA, and both have standing to sue the US government to challenge DMCA 1201 because of its serious criminal provisions (5 years in prison and a $500K fine for a first offense).Doctorow has explained aspects of this for The Guardian today. You should also check Huang's blog post on this.
BetaNews's Mark Wilson writes: Yesterday France's National Data Protection Commission (CNIL) slapped a formal order on Microsoft to comply with data protection laws after it found Windows 10 was collecting "excessive data" about users. The company has been given three months to meet the demands or it will face fines. Microsoft has now responded, saying it is happy to work with the CNIL to work towards an acceptable solution. Interestingly, while not denying the allegations set against it, the company does nothing to defend the amount of data collected by Windows 10, and also fails to address the privacy concerns it raises. Microsoft does address concerns about the transfer of data between Europe and the US, saying that while the Safe Harbor agreement is no longer valid, the company still complied with it up until the adoption of Privacy Shield. It's interesting to see that Microsoft, in response to a series of complaints very clearly leveled at Windows 10, manages to mention the operating system only once. There is the promise of a statement about privacy next week, but for now we have Microsoft's response to the CNIL's order.
Smartphones become indispensable tools for journalists, human right workers, and activists in war-torn regions. But at the same time, as Intercept points out, they become especially potent tracking devices that can put users in mortal danger by leaking their location. To address the problem, NSA whistleblower Edward Snowden and hardware hacker Andrew "Bunnie" Huang have been developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions. "We have to ensure that journalists can investigate and find the truth, even in areas where governments prefer they don't," Snowden told Intercept. "It's basically to make the phone work for you, how you want it, when you want it, but only when." Snowden and Huang presented their findings in a talk at MIT Media Lab's Forbidden Research event Thursday, and published a detailed paper. From the Intercept article: Snowden and Huang have been researching if it's possible to use a smartphone in such an offline manner without leaking its location, starting with the assumption that "a phone can and will be compromised." [...] The research is necessary in part because most common way to try and silence a phone's radio -- turning on airplane mode -- can't be relied on to squelch your phone's radio traffic. Fortunately, a smartphone can be made to lie about the state of its radios. The article adds: According to their post, the goal is to "provide field-ready tools that enable a reporter to observe and investigate the status of the phone's radios directly and independently of the phone's native hardware." In other words, they want to build an entirely separate tiny computer that users can attach to a smartphone to alert them if it's being dishonest about its radio emissions. Snowden and Haung are calling this device an "introspection engine" because it will inspect the inner-workings of the phone. The device will be contained inside a battery case, looking similar to a smartphone with an extra bulky battery, except with its own screen to update the user on the status of the radios. Plans are for the device to also be able to sound an audible alarm and possibly to also come equipped with a "kill switch" that can shut off power to the phone if any radio signals are detected.Wired has a detailed report on this, too.
An anonymous reader writes: BlackBerry CEO John Chen said he is "disturbed" by Apple's tough approach to encryption and user privacy, warning that the firm's attitude is harmful to society. Earlier this year, Chen said in response to Apple resisting the government's demands to unlock an iPhone belonging to one of the San Bernardino shooters: "We are indeed in a dark place when companies put their reputations above the greater good." During BlackBerry's Security Summit in New York this week, Chen made several more comments about Apple's stance on encryption. "One of our competitors, we call it 'the other fruit company,' has an attitude that it doesn't matter how much it might hurt society, they're not going to help," he said. "I found that disturbing as a citizen. I think BlackBerry, like any company, should have a basic civil responsibility. If the world is in danger, we should be able to help out." He did say there was a lot of "nonsense" being reported about BlackBerry and its approach to how it handles user information. "Of course, there need to be clear guidelines. The guidelines we've adopted require legal assets. A subpoena for certain data. But if you have the data, you should give it to them," he said. "There's some complete nonsense about what we can and can't do. People are mad at us that we let the government have the data. It's absolute garbage. We can't do that." Chen also warned that mandatory back doors aren't a good idea either, hinting at the impending Investigatory Powers Bill. "There's proposed legislation in the U.S., and I'm sure it will come to the EU, that every vendor needs to provide some form of a back door. That is not going to fly at all. It just isn't," he said.
France's National Data Protection Commission (CNIL) has ordered Microsoft to "stop collecting excessive data and tracking browsing by users without consent," adding that Microsoft must comply with the French Data Protection Act within next three months. BetaNews reports: In addition to this, the chair of CNIL has notified Microsoft that it needs to take "satisfactory measures to ensure the security and confidentiality of user data." The notice comes after numerous complaints about Windows 10, and a series of investigations by French authorities which revealed a number of failings on Microsoft's part. Microsoft is accused of not only gathering excessive data about users, but also irrelevant data. The CNIL points to Windows 10's telemetry service which gathers information about the apps users have installed and how long each is used for. The complaint is that "these data are not necessary for the operation of the service."
An anonymous reader shares a report on Android Authority: In a bid to increase the security of the Android operating system, Google has introduced a new check for malware as part of the boot process in all Android devices. Until Marshmallow, Android devices ran the check as part of the boot process and in Marshmallow, the phone would warn you that it was compromised but would continue to let the phone boot up. In Nougat however, Google is taking this security check to the next level. On the Android Developer's blog, the company explains that Android Nougat strictly enforces that boot check, giving you far more than a warning. The good news is that if your phone is infected with types of malware, it will refuse to boot or will boot in a limited capacity mode (presumably akin to safe mode). The bad news however, is that some non-malicious corruption of data could also mean that your phone will refuse to boot up. Considering that corrupted data may not always be malicious -- even a single-byte error could cause your phone to refuse to boot up -- Android Nougat brings additional code to guard against corruption.
Mozilla has announced that it plans to discontinue support for Flash in Firefox. Starting next month, Firefox will block Flash content "that is not essential to the user experience." Also, starting sometime in 2017, the browser will require click-to-activate approval from users before a website activates the Flash plugin for any content. In a blogpost, the company writes:Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Over the past few years, Firefox has implemented Web APIs to replace functionality that was formerly provided only by plugins. This includes audio/video playback and streaming capabilities, clipboard integration, fast 2D and 3D graphics, WebSocket networking, and microphone/camera access. As websites have switched from Flash to other web technologies, the plugin crash rate in Firefox has dropped significantly. [...] We continue to work closely with Adobe to deliver the best possible Flash experience for our users.
Dan Goodin, reporting for Ars Technica: A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One."The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
When it was first created, Skype network was built as a decentralized peer-to-peer system. PCs that had enough processing muscle and bandwidth acted as "supernodes," and coordinated connections between other machines on the network. This p2p system was generally perceived as being relatively private, a belief that has since been debunked. There were several technical challenges, which led Microsoft to move most of Skype's operations to the cloud. Ars Technica is reporting that the company has finalized the switch. From the article: Microsoft has developed a more conventional client-server network, with clients that act as pure clients and dedicated cloud servers. The company is starting to transition to this network exclusively. This transition means that old peer-to-peer Skype clients will cease to work. Clients for the new network will be available for Windows XP and up, OS X Yosemite and up, iOS 8 and up, and Android 4.03 and up. However, certain embedded clients -- in particular, those integrated into smart TVs and available for the PlayStation 3 -- are being deprecated, with no replacement. Microsoft says that since those clients are little used and since almost every user of those platforms has other Skype-capable devices available, it is no longer worth continuing to support them.The issue, as the report points out, is that Microsoft is strangely not talking about privacy and security concerns. The article adds: The Ed Snowden leaks raised substantial questions about the privacy of services such as Skype and have caused an increasing interest in platforms that offer end-to-end encryption. The ability to intercept or wiretap Skype came as a shock to many, especially given Skype's traditionally peer-to-peer infrastructure. Accordingly, we've seen similar services such as iMessage, WhatsApp, and even Facebook Messenger, start introducing end-to-end encryption. The abandonment of Skype's peer-to-peer system can only raise suspicions here.Matthew Green, who teaches cryptography at Johns Hopkins, said: "The surprising thing here is not that Microsoft can intercept Skype calls (duh) but that they won't just admit it."
An anonymous reader writes: The Library of Congress (LOC) announced via Twitter Monday that they were the target of a denial-of-service attack. The attack was detected on July 17 and has caused other websites hosted by the LOC, including the U.S. Copyright Office, to go down. In addition, employees of the Library of Congress were unable to access their work email accounts and to visit internal websites. The outages continue to affect some online properties managed by the library. "In June 2015, the Government Accountability Office, or GAO, published a limited distribution report -- undisclosed publicly though it was sourced in a 2015 GAO testimony to the Committee on House Administration -- highlighting digital security deficiencies apparent at the Library of Congress, including poor software patch management and firewall protections," reports FedScoop.
New submitter yzf750 quotes a report from ESPN: A federal judge sentenced the former scouting director of the St. Louis Cardinals [Christopher Correa] to nearly four years in prison Monday for hacking the Houston Astros' player personnel database and email system in an unusual case of high-tech cheating involving two Major League Baseball clubs. "The data breach was reported in June 2014 when Astros general manager Jeff Luhnow told reporters the team had been the victim of hackers who accessed servers and proceeded to publish online months of internal trade talks," reports ESPN. "Luhnow had previously worked for the Cardinals. The FBI said Correa was able to gain access using a password similar to that used by a Cardinals employee who 'had to turn over his Cardinals-owned laptop to Correa along with the laptop's password' when he was leaving for a job with the Astros in 2011. Prosecutors have said Correa in 2013 improperly downloaded a file of the Astros' scouting list of every eligible player for that year's draft. They say he also improperly viewed notes of trade discussions as well as a page that listed information such as potential bonus details, statistics and notes on recent performances and injuries by team prospects. Authorities say that after the Astros took security precautions involving [a database called Ground Control] following a Houston Chronicle story about the database, Correa was able to still get into it. Authorities say he hacked the email system and was able to view 118 pages of confidential information, including notes of trade discussions, player evaluations and a 2014 team draft board that had not yet been completed. Federal prosecutors say the hacking cost the Astros about $1.7 million, taking into account how Correa used the Astros' data to draft players. Christopher Correa had pleaded guilty in January to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. He was fired last summer and now faces 46 months behind bars and a court order to pay $279,038 in restitution. He had faced up to five years in prison on each count."
Trailrunner7 quotes a report from On the Wire: A security researcher has discovered a method that would have enabled fraudsters to steal thousands of dollars from Facebook, Microsoft, and Google by linking premium-rate numbers to various accounts as part of the two-step verification process. Arne Swinnen discovered the issue several months ago after looking at the way that several of these companies's services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that the companies made a mistake in not checking to see whether the numbers that users supply as contact points are legitimate. "They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP," Swinnen said in a post explaining the bug. "For services such as Instagram and Gmail, users can associate a phone number with their accounts," reports On the Wire. "In the case of Instagram, users can find other people by their phone number, and when a user adds a number, Instagram will send a text to verify the number. If the user never enters the code included in the text, Instagram will eventually call the number. Swinnen noticed that Instagramâ(TM)s robocallers would call any number supplied, including premium-rate numbers. 'One attacker could thus steal 1 GBP per 30 minutes, or 48 GBP/day, 1.440 GBP/month or 17.280/year with one pair. However, a dedicated attacker could easily setup and manage 100 of these pairs, increasing these numbers by a factor 100: 4.800 GBP/day, 144.000 GBP/month or 1.728.000 GBP/year.'"
An anonymous reader writes from a report via CNBC: The Republican National Convention will be a popular target for cyberattacks. An official in charge of securing the network has said the RNC already had to fend off a wave of cyberattacks before the convention opened. Many more attacks are expected throughout the convention ranging from "nation-states hunting for intelligence or protesters trying to disrupt the network at the convention," said the consulting chief information officer for the RNC, Max Everett. Donald Trump's campaign appears to only fuel attackers, security experts said. The convention opens Monday afternoon and will attract roughly 50,000 people in addition to a global audience watching from afar. "A successful attack could impact physical security on the ground, for example, by taking connected security scanners offline. It could also affect online activity, for example, by hijacking the livestream and derailing the GOP's message," reports CNBC. The Secret Service has designated the conventions "national special security events." Everett and his team of 70 IT specialists will be using Microsoft and ForeScout software to monitor the network in real time, working with ATT and Cisco on securing external access to the network and a firm called Dark Cubed to share real-time threat information among the firms trying to defend against cyberattacks.
An anonymous reader shares a TechCrunch report: Microsoft today launched Stream, a new business video service that aims to give businesses that want to share video internally the same kind of tools and flexibility that YouTube offers to consumers -- but with the added benefits of the security tools enterprises expect from their document management services. The service is now available as a free preview. As James Phillips, Microsoft's corporate VP of its Business Intelligence Products Group, told me, all it takes to get started with Stream is an email address. The user experience in Stream does take its cues from consumer services like Vimeo and YouTube, and includes a number of social features, including likes and comments, as well as recommendations. "We've all been trained as consumers to understand what beautiful and fully featured software looks like," Phillips told me. "And we are now delivering on those experiences in business software." Some of the basic use cases for using video in a company include training and employee communications.