Trailrunner7 writes: A senator from Oregon who has a long track record of involvement on security and privacy issues says he plans to introduce a bill soon that would prevent border agents from forcing Americans returning to the country to unlock their phones without a warrant.
Sen. Ron Wyden said in a letter to the secretary of the Department of Homeland Security that he is concerned about reports that Customs and Border Patrol agents are pressuring returning Americans into handing over their phone PINs or using their fingerprints to unlock their phones. DHS Secretary John Kelly has said that he’s considering the idea of asking visitors for the login data for their various social media accounts, information that typically would require a warrant to obtain.
“Circumventing the normal protection for such private information is simply unacceptable,” Wyden said in the letter, sent Monday.
The failures that led to Edward Snowden walking out the door with a massive cache of NSA data four years ago were not the kind that normally make their way into the public’s line of sight. Those failures were organizational, technical, and procedural, and the agency had to take a hard look at itself in the aftermath of Snowden’s theft, the NSA’s former deputy director said.
“If you’d asked me in the spring of 2013 what’s the state of your defense of the business, I would’ve said it’s good but not perfect. We don’t take our eye off the ball, we don’t assume we can chase everything down. We’d have said we vet the insiders the old-fashioned way,” Chris Inglis, the former deputy director of NSA, said in a talk at the RSA Conference here Thursday.
“Cybersecurity professionals don’t have experience dealing with traditional investigations. These cases are complex because you often don’t have the data you need to tell the story. We need to find a way to help companies characterize what’s going on. It’s a problem we haven’t really thought about for a long time,” Milan Patel, a former FBI cyber investigator and current managing director of cyber investigation and incident response at K2 Intelligence said during a panel discussion on cyber espionage at the RSA Conference here Wednesday.
In one recent case, Patel was called in to a large real estate company to investigate an administrator who had given himself extra network privileges. The admin then got access to the Exchange server and began reading emails sent by the company’s executive team. During the investigation, Patel discovered that several other people had unnecessary elevated privileges, but the firm didn’t have a way to track when the employees had gotten those rights or how. The company also didn’t have any way to do forensics on the employee’s laptop or phone.
“Lots of people are being infected and lots of people are paying. The bottom line is it’s getting worse and it’s going to continue to do so,” Jeremiah Grossman, chief of security strategy at SentinelOne, said during a talk on the ransomware epidemic at the RSA Conference here Monday. “Seven-figure ransoms have already been paid. When you’re out of business, you’ll pay whatever you have to in order to stay in business. You’re dealing with an active, sentient adversary.”
The ransomware market seems to be headed in the same direction as real-world kidnapping, where high-profile targets take out insurance policies to pay ransoms. Grossman said it probably won’t be long before the insurance companies latch onto the ransomware game, too.
“The insurance companies are going to see a large profit potential in this. Kidnapping and ransom insurance is still very boutique. This economic model will probably apply equally well to ransomware,” he said.
BrianFagioli writes: Today, a bit of a failure was discovered on Apple's part regarding user privacy. You see, when an Apple user deleted their web browser history, they assumed it was gone forever — and rightfully so. While the data no longer appeared on Apple devices, it has been discovered by ElcomSoft that it persisted on iCloud. To make matters worse, this data is easily recoverable.
Vladimir Katalov of ElcomSoft says, "Safari history is synced across devices. Once you delete a record on one device, it will disappear on all other devices in a matter of seconds (or minutes), provided that those devices are connected to the Internet. While those records can be retained in the SQLite database for technical reasons, a flush or cleanup will purge them sooner or later (on an actively used device, this can happen in a few days or up to 2-3 weeks). However, those same records will be kept in Apple iCloud for much longer. In fact, we were able to access records dated more than one year back. The user does not see those records and does not know they still exist on Apple servers."
Trailrunner7 writes: A group of influential lawmakers, including Sen. Ed Markey and Sen. Ron Wyden, are pressing the Trump administration for answers about how an executive order that includes changes to the Privacy Act will affect non-U.S. persons and whether the administration plans to release immigrants’ private data.
The letter comes from six senators who are concerned about the executive order that President Trump issued two weeks ago that excludes from privacy protections people who aren’t U.S. citizens or permanent residents. The order is mostly about changes to immigration policy, but Trump also included a small section that requires federal government agencies to exclude immigrants from Privacy Act protections.
On Thursday, Markey, Wyden, and four other senators sent a letter to Secretary of Homeland Security John Kelly, asking a series of 10 questions about how the exclusion would be implemented, what it would cost, and whether the government plans to release the private data of people affected by the order.
“These Privacy Act exclusions could have a devastating impact on immigrant communities, and would be inconsistent with the commitments made when the government collected much of this information,” the senators say in the letter to Kelly.
Roger Anderson last year debuted his Jolly Roger bot, a system that intercepts robocalls and puts the caller into a never-ending loop of pre-recorded phrases designed to waste their time. Anderson built the system as a way to protect his own landlines from annoying telemarketers and it worked so well that he later expanded it into a service for both consumers and businesses. Users can send telemarketing calls to the Jolly Roger bot and listen in while it chats inanely with the caller.
Now, Anderson is targeting the huge business that is the Windows fake support scam. This one takes a variety of forms, often with a pre-recorded message informing the victim that technicians have detected that his computer has a virus and that he will be connected to a Windows support specialist to help fix it. The callers have no affiliation with Microsoft and no way of detecting any malware on a target’s machine. It’s just a scare tactic to intimidate victims into paying a fee to remove the nonexistent malware, and sometimes the scammers get victims to install other unwanted apps on their PCs, as well.
Anderson plans to turn the tables on these scammers and unleash his bots on their call centers.
Trailrunner7 writes: The House of Representatives has passed the Email Privacy Act, which requires law enforcement agencies to get a search warrant in order to obtain emails and some other stored records that are older than six months.
The legislation is an effort to modify the old Electronic Communications Privacy Act to reflect the way that service providers handle and store email. When the ECPA became law in 1986, service providers generally didn’t store their customers’ email messages for long periods of time. The ISPs mainly acted as forwarding services, and the ECPA allowed the government to access emails older than 180 days without a search warrant because those messages were considered abandoned.
The new Email Privacy Act would update that rule and on Monday the House passed the bill by voice vote. The legislation now moves on to the Senate, where it stalled last year after passing the House unanimously. Rep. Kevin Yoder (R-Kansas) and Rep. Jared Polis (D-Colo.) reintroduced the Email Privacy Act in January and urged their colleagues to move it along quickly to close the warrantless search loophole.
Trailrunner7 writes: When the Mirai botnet burst onto the scene last year, it did so in style, with two of the largest DDoS attacks on record. One of the initial targets of its wrath was the site run by reporter Brian Krebs, and the attack set off a chain reaction that not only took the site offline but eventually got Google’s anti-DDoS team involved.
Mirai is not the typical botnet, for a number of reasons, including the fact that many of the compromised machines that make it up are actually IoT devices, not normal computers. There are hundreds of thousands of DVRs, CCTV cameras, and other devices in the Mirai network, and attackers have used the botnet to generate enormous attacks. The attack on Krebs on Security hit a peak of more than 600 Gbps, and one that hit French hosting provider OVH a few weeks later was around 1 Tbps.
When the attackers targeted Krebs’s site, it was protected by DDoS mitigation services provided by Akamai. But the company eventually had to drop its protection, which it was providing for free, because the size of the attack was affecting its ability to protect other customers. So Krebs contacted Google, which runs Project Shield, a free DDoS protection service for journalists, news providers, and other sites. The service protects hundreds of sites now, and when Krebs reached out to Google, the company’s anti-DDoS team took on the challenge.
Trailrunner7 writes: Security teams are frustrated constantly by users who ignore warnings about phishing sites, bad certificates, or malware, and just click through to get wherever they were going. It turns out that behavior probably isn’t the users’ fault. It’s just human nature.
There are many reasons why this behavior persists, even when users are told in no uncertain terms that continuing to a site or downloading a browser extension will harm their computer. Much of it has to do with the fact that humans aren’t very good at doing more than one thing at a time, despite the modern emphasis on multitasking. In fact, people are pretty terrible at handling multiple tasks.
“Most people think they’re good at multitasking, but the truth is we’re all bad at it, and in security that has serious implications,” Anthony Vance, an associate professor of information systems at Brigham Young University, said in a talk on neuroscience and usable security at the Enigma conference here Tuesday.
Vance studies the way that the brain responds to certain inputs, especially when there is more than one. When a person is trying to do two things at once, his effectiveness at doing those tasks can go down, a phenomenon known as dual-task interference (DTI). In his work, Vance has found that people are significantly worse at responding appropriately to a browser security warning message when they’re performing other tasks on the computer than they are when the warning comes while they’re idle. So he worked with engineers on Google’s Chrome team to find better times to display warnings, such as when a video has finished playing or while a page is loading.
Trailrunner7 writes: Facebook has developed a new account-recovery system that eschews the typical communications channels used for this process, and instead relies on a user’s connections with other services. The scheme allows users to regain access to accounts without providing any identifiable information to other services.
The Delegated Recovery system, which Facebook introduced at the Enigma conference here Monday, could be a major step forward in the way that sites handle the messy and sensitive process of account recovery. Right now, most sites use either email, SMS, or a combination of the two when a user needs to recover her account. A user typically clicks on a link, which will generate an email or text with a link that the user can follow to reset a password or go through other account-recovery steps.
The system that Facebook has implemented allows a user to link her Facebook account with an account on another site. Instead of using email or SMS, the two sites exchange cryptographically secured packages with data tokens. The two sites don’t exchange any identifiable information about the user during the process and the communications are done over HTTPS.
“The only thing that gets learned is that you have an account on the other site,” said Brad Hill, a Facebook engineer, who spoke at the Enigma conference. “No user-identifiable information is exchanged, so it’s not tied to a username, or email, or phone number.”
A small section of the executive order, which mostly focuses on changes to immigration policy and enforcement, lays out a change that will force federal agencies to rewrite their privacy policies to make sure that anyone who isn’t a U.S. citizen or permanent resident isn’t covered by the policy.
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” the order says.
Privacy and legal experts say the change is a signal from the Trump administration that it intends to move away from the privacy policies Barack Obama established during his administration.
“It’s not something we expected to see in an immigration order and it’s important to take note of because it specifically highlights the fact that we have yet to take action to extend legal protections to citizens of other countries. It really importantly applies only to the Privacy Act protections and it’s saying that they’re limiting the protections afforded to non-U.S. persons, and that’s significant in and of itself,” said Amie Stepanovich, U.S. policy manager at Access Now.
The bill is sponsored by Rep. Ted Lieu (D-Calif.) and Rep. Joe Wilson (R-S.C.), and it’s another indication that federal regulators are taking a hard look at the security of a wide range of devices, including vehicles, medical devices, and IoT gear. The main thrust of the bill is to require the National Highway Traffic Safety Administration, along with NIST, the FTC and the Secretary of Defense, to produce a study on the necessary standards for regulating the cybersecurity of vehicles.
ole_timer writes: Brian Krebs IDs the author of Mirai
On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.