Monthly Archives: October 2016

Challenging work, skills training and flexible work hours are important for the highest skilled workers.

Challenging work, skills training and flexible work hours are important for all cybersecurity employees, but especially so for the highest skilled workers, according to a report released today by the Center for Strategic and International Studies.

In addition, these employees were nearly twice as likely to want promotions that did not require them to move into management.

“We figured out who the cybersecurity ninjas were by asking people what their day-to-day tasks were,” said report author Katrina Timlin, an associate fellow in the center’s strategic technologies program.

Examples of tasks that ninjas perform more often are penetration testing, hunt team activities, security monitoring and event analysis, digital forensics, secure coding, and security engineering.

“Both sets of people had the priority of having important and challenging tasks,” she said. “But people with advanced skill sets wanted flexible work schedules and being able to get training and advance without having to go into management,” she said.

Specifically, 72 percent of ninjas and 71 percent of non-ninjas said that having engaging and challenging tasks were “very important.” And 72 percent of ninjas and 69 percent of non-ninjas said the same of having employer-provided training to keep their skills current.

The question of training came up during the interviews Timlin conducted for the report.

“One of the things that struck me was how much it would cost someone if they wanted to get the training, go to conferences, and get the certifications on their own,” she said. “One guy said he could easily spend $20,000 a year.”

Offering training opportunities could be one way to incentivize these highly skilled employees to join a company, and then to continue to retain those employees.

“That’s a major driving factor in being seen as a place where people want to work,” she said.

The gap between ninjas and non-ninjas grew wider when it came to flexible work schedules, with 67 percent of ninjas saying it was important to be able to set their own hours, compared to 52 percent of non-ninjas. And only 58 percent of ninjas said that competitive pay and benefits were very important, compared to 64 percent of non-ninjas.

“Our assumption with this is that the ninjas are already fairly well compensated,” said Timlin. “So some of these other factors make more of a different when finding a new job or staying with their current companies.”

The most dramatic gap was in the area of career advancement, where 46 percent said that they wanted to be able to get promotions while staying in technical jobs instead of moving to management. This was very important to only 26 percent of non-ninjas.

The report also asked employees about the traits that made companies particularly attractive. The top factors were being in an industry that prioritizes cybersecurity, offering exposure to diverse and high-impact projects, and having a mission that motivates employees.

And the top three factors that ninjas ranked as being most important in motivating them to stay with their job were having a variety of tasks instead of solving the same problem over and over again, having the time to explore new technologies, and being able to engage with other experts.

These factors can also help bring new people into cybersecurity, said Max Shuftan, business development manager of SANS CyberTalent Program at SANS Institute, which sponsored the report.

“There are only so many people in the field now,” he said.

In addition, flexible work schedules and ongoing training can help a company draw from a wider pool of talent, both geographically and in terms of gender.

“A lot of security professionals are job seekers [who] are very interested in a work-from-home model,” he added.

While this might not be easy to do with a traditional security operations center, consulting organizations often have staff who split their time between traveling to different work locations and working at from home offices.

Shuftan said he’s also talked with a number of people about how to make a work environment more challenging, and the most common recommendation was job rotation.

“For two years, you’ll be focused on incident handling,” he said. “For two years, on incident response. For two years, continuous monitoring or penetration testing. That keeps challenges coming and the employees motivated and positive.”

via:  csoonline

A cybersecurity audit of the U.S. Secret Service found ‘unacceptable vulnerabilities’ that leave the possibility of insider-threat activity and privacy violations.

The U.S. Secret Service received poor marks after a cybersecurity audit by the Office of Inspector General. The investigative report blamed the security issues on a lack of proper oversight and because the Secret Service traditionally has not prioritized cybersecurity.

The inspector general (IG) performed the cybersecurity audit after the Secret Service improperly accessed and disclosed information about Rep. Jason Chaffetz (R-Utah), chairman of the House Committee on Oversight and Government Reform, which monitors U.S. Secret Service(USSS) operations.

A number of weaknesses were found, including inadequate system security plans (SSP), systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections and over-retention of records.

“These problems occurred because USSS has not consistently made IT management a priority. The USSS CIO lacked authority for all IT resources and was not effectively positioned to provide necessary oversight,” the report read. “Inadequate attention was given to updating USSS IT policies to reflect processes currently in place. High turnover and vacancies within the Office of the CIO meant a lack of leadership to ensure IT systems were properly managed. In addition, USSS personnel were not adequately trained to successfully perform their duties.”

Bobby Kuzma, systems engineer at Core Security Corp., based in Roswell, Ga., said it was “absolutely not” surprising that another government agency was found to have poor cybersecurity.

“There is a huge institutional and cultural problem in many organizations, and not just within the government,” Kuzma told SearchSecurity. “There are huge amounts of staff turnover combined with poor prioritization and lack of support from upper management leading to this scenario, as the report reveals.”

Rebecca Herold, CEO of Privacy Professor, said she knew people trying to implement strong security in government agencies are not always getting the necessary resources.

“They often get little budget, no authority or support, and plenty of blame when bad things happen,” Herold told SearchSecurity. “Congress typically cuts information security budgets; opposes strong security controls, such as encryption; does not give CISOs and [chief privacy officers] CPOs appropriate authority; and then they are the first to blame and shame when security incidents and privacy breaches occur.”

According to the cybersecurity audit report, the USSS has little room for error in its primary mission of “protecting the president, other dignitaries and events, and investigating financial [crimes] and cybercrimes to help preserve the integrity of the nation’s economy.”

“USSS has much work to do to make IT a priority. This requires establishing and implementing an IT governance framework that addresses, at a minimum, the IT organizational and management deficiencies identified in this report,” the report read. “It also requires that USSS leadership fully understand and address the potential for insider risks, not only from system administrators and inadequately managed IT contractors, but also from employees and business partners.”

The IG report noted cybersecurity documentation for the USSS was often incomplete and the SSP was even missing in one case, leading to confusion as to how responsibilities were allocated and who was performing what functions.

“Without these key SSP items in place, USSS had no reasonable assurance that mission-critical case management and investigative information was properly maintained and protected. In addition, those relying on the system to protect their identities or [personally identifiable information] could have no assurance of proper data maintenance or protection against unauthorized disclosure, access or theft,” the report read. “Without complete and accurate documentation, authorizing officials lack information necessary to make credible risk-based decisions that the protections assigned to each information system were adequate and effective.”

Kuzma said the lack of training stems from a flawed organizational culture and misplaced priorities.

The key findings of the audit showed the USSS policies and procedures were a decade out of date, Kuzma said, and he attributed the lack of training to human resource requirements.

“All employees must hold a top-secret clearance, which there is a huge backlog on,” Kuzma said. “They then have to utilize contractors to fill these roles who are unaware of the special requirements by both federal laws and DHS [Department of Homeland Security] policies.”

The cybersecurity audit also found USSS access controls were outdated and did not address the principle of least privilege. In addition, audit controls were not fully implemented, information systems were not compliant with privacy protection requirements, privacy documentation was incomplete, records were held longer than necessary and there was no full-time CPO.

“Fifty percent of the USSS privacy officer’s duties related to Freedom of Information Act requirements. Thus, the privacy officer was not available full time to monitor USSS compliance with all federal privacy laws and regulations; implement corrective, remedial and preventative actions to ensure privacy protections; draft privacy documents; and carry out other privacy-related responsibilities,” the report read. “The lack of a full-time, dedicated USSS privacy officer reporting directly to the USSS director increased the likelihood that privacy requirements would continue to not be fully addressed.”

Herold said assigning a privacy officer for the USSS was only half the battle.

“What is needed to enable cybersecurity staff to be effective is to give a position, such as information security officer and/or privacy officer, true authority to implement security and privacy policies and procedures that they can then enforce,” Herold said. “Over the course of my entire career, I’ve seen that information security and privacy officers who have no or insufficient authority will consistently fail. When people ignore your policies because you have no authority, security and privacy risks expand and breaches occur.”

The IG admitted in the report that starting in 2006, the USSS CIO “no longer had oversight and authority over USSS agencywide IT,” when that authority was given to the Information Resources Management Division. The USSS has also seen quite a lot of turnover in the CIO, as well as with the CISO and information system security manager positions.

All of this means the “USSS systems and data remain vulnerable to unauthorized access and disclosure,” according to the report, and “insider threats present within the organization may be able to steal, alter or destroy mission-critical data; export malicious code to other systems; install covert backdoors that would permit unauthorized access to data or network resources; or impact the availability of any information system’s resources or networks.”

Herold said, “Every government agency that collects, handles, stores or otherwise has access to a lot of personal data, along with other sensitive information, has heightened insider-threat risk. And so, [it] needs to put more attention to ensure personnel are training, monitored appropriately and have ongoing background checks for the positions with access to large amounts of data.”

via:  techtarget

After TrueCrypt mysteriously discontinued its service, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, as well as privacy conscious people.

First of all, there is no such thing as a perfect, bug-free software.

Even the most rigorously tested software, like the ones that operate SCADA Systems, medical devices, and aviation software, have flaws.

Vulnerabilities are an unfortunate reality for every software product, but there is always space for improvements.

Due to the enormous popularity of VeraCrypt, security researchers from the OSTIF (The Open Source Technology Improvement Fund) agreed to audit VeraCrypt independently and hired researchers from QuarksLab in August to lead the audit.

And it seems like VeraCrypt is not exactly flawless either.

Now after one month of the audit, researchers have discovered a number of security issues, including 8 critical, 3 medium, and 15 low-severity vulnerabilities in the popular encryption platform VeraCrypt.

Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau analyzed the VeraCrypt version 1.18 and the DCS EFI Bootloader 1.18 (UEFI), mainly focusing on new features introduced since last year’s TrueCrypt security audit.

VeraCrypt file encryption software has been derived from the TrueCrypt project, but with enhancements to further secure your data.

“VeraCrypt is a project hard to maintain,” researchers said. “Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. The improvements made by IDRIX demonstrate the possession of these skills.”

The researchers have detailed all the vulnerabilities in a 42-page audit report [PDF], which includes:

• Critical bugs in the implementation of GOST 28147-89, a symmetric block cipher with a 64-bit block size, which they say must be removed completely due to unsafe implementation.
• All compression libraries are considered outdated or “poorly-written,” and must be replaced with modern and more secure zip libraries.
• If the system is encrypted, the boot password in UEFI mode or its length can be determined.

The majority of flaws have been fixed in the latest VeraCrypt version 1.19 release, but a few of them including AES implementation have not yet been patched due to substantial modifications of the code or/and the architecture of the project.

So, according to the OSTIF, “VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software.”

You are recommended to download the latest VeraCrypt version 1.19.

via:  thehackernews

What was once a couple of physical doors that kept your office safe, is now a multitude of virtual doors that you can’t control. For example, in the case of Spear Phishing emails, criminals are targeting you as an individual, as opposed to a general attack on an organization, and hackers might target you in exactly the same way.

A hacker might want to target you because they are trying to steal money, information, or because they have a grudge against you or your organization.
They will usually have done some homework on who you are and what your job involves, and could start by hacking into your PC and installing spyware that gathers technical information on your PC (Anti-virus, operating system, IP address, user ID).

On average it takes 229 days to detect a security breach. In this time the hacker can input false information, change information, delete information or steal information. Let’s say you created a document on a Friday and then you came back into work on the Monday. Would you notice a small change made at the weekend, such as a decimal point out of place or a change in bank details? Once you start thinking about it, it’s not hard to imagine how even the smallest of changes could end up damaging your reputation or costing you a lot of money!

The hackers can also turn on a webcam without you knowing and can watch and listen in to boardroom discussions. If you have a webcam in your boardroom, it’s worth checking if there is a security risk. Here are some steps you should be taking:

• You should have a cyber security policy
• You should review staff permissions and appoint a cyber security officer
• You need training to understand the importance of certain actions. Training doesn’t have to be expensive and it will probably save you time and money in the future
• You need to understand, across your business, and that most breaches are as a result of human lack of awareness; criminals rely on this
• You need specialist advice from a company that is up to date with the latest threats
• There will be revisions to data protection laws soon that include cyber security and you will need to comply
• You should also be aware of hackers when using devices in your personal time

You may feel you have more to lose here, because your own money is at stake not your company’s money! Hopefully good cyber awareness in our personal lives will transfer to our work lives and vice versa, so here are some tips to help you:

1. Be cautious when using public WiFi: There are simple ways to prevent data loss via public WiFi. Check it’s legitimate; it’s easy for hackers to set up a fake WiFi network that looks like an official one. Before signing on to any WiFi, the best way to check if the network name is legitimate is by asking an employee of the place you’re in.

2. Forget the network: Once you have finished browsing on a WiFi, log off all services you were using and then ask the device to forget the network so it doesn’t automatically join next time you’re in range.

3. Turn that WiFi off!: Make sure you disable WiFi when you’re not using it. This prevents your device joining any other networks automatically without you noticing.

4. Use a VPN: VPNs act as an intermediary between your device and the internet server, routing all your activity through your own little loop of the internet that is encrypted, meaning a would-be intruder will find it impossible to sniff your information out or know what you’re doing, whether this is on a mobile, tablet or computer.

5. Keep your passwords strong: It’s good practice to change all passwords regularly and not use the same passwords across many different services. There are password managers available online that help manage them all. There are also services that support two-factor authentication, allowing you to add two levels of password protection on services such as Gmail, Twitter and Facebook.

6. Check websites for ‘the lock’: You wouldn’t leave your front door open, so why leave yourself vulnerable online? If a website is secure it displays the green lock sign by it. This is otherwise known as HTTPS, and it encrypts the data that passes from your device to the internet server, meaning any hackers can’t decipher your private information.

7. Watch out for Apps: Always check permissions on the apps before installing and make sure they aren’t accessing unnecessary information. For example, a drawing app should not have access to your contacts list or your network info. (or most apps don’t need microphone and location access.)

via:  itproportal

You may have heard about BWAINs before.

A BWAIN is a Bug With An Impressive Name that has been given special marketing treatment in the hope of getting the right people to wake up and do something about it.

The more PR-savvy BWAINs even have their own logos, such as Heartbleed, HTTPoxy, Sweet32,Shellshock and ImageTragick.

Here’s this week’s one: SSHowDowN.

As BWAINs go, SSHowDowN isn’t a terribly catchy name, but it’s worth knowing about, especially if you are a vendor of IoT products that automatically set themselves up so they can be managed remotely over the internet.

The name SSHowDowN comes from Akamai, a huge player in the world of content delivery, and it got Akamai’s attention when the company started looking into recent surges in time-wasting traffic – what are usually called DDoSes, short for Distributed Denial of Service attacks.

If you want to knock someone off the internet, or at least to cramp their online style, without having to hack into their servers and break them on purpose, then generating lots and lots of purposeless traffic is an effective way to do it.

But just flooding them with network traffic from a few super-high-bandwidth locations, such as hacked servers on a modern multi-gigabit academic network, is not enough these days.

100 servers each pumping out a gigabit every second are fairly easy to identify and block, and every time you block the traffic from just one of them, you cut the severity of the attack by a whole percentage point.

What you really want are thousands, even hundreds of thousands, of modestly well-connected networks that don’t fit any obvious pattern, and that are hosted by hundreds or thousands of different ISPs in tens or hundreds of different countries.

Indeed, we recently wrote about a DDoS case involving investigative journalist Brian Krebs, in which more than 600 gigabits per second of legitimate-looking but completely purposeless data was generated from tens or hundreds of thousands of home networks, thanks to insecure “Internet of Things” devices such as cameras, routers and even printers.

The attack on Krebs was apparently driven by malicious software called Mirai that had deliberately been copied onto all those insecure devices.

No infection required

In contrast, Akamai’s SSHowDowN story doesn’t rely on infected routers: it needs only badly-configured ones.

The name SSHowDowN comes from SSH, short for Secure Shell, a well-known tool that is used ubiquitously across the internet for secure remote access.

But even though SSH is supposed to improve security, Akamai reported that SSH servers on a large number of SoHo routers – millions, it seems! – were the source of a vast quantity of DDoS traffic in Akamai’s network…

…and yet the crooks never even needed to login to the SSHowDowNable routers.

Simply put, the crooks figured out how to take traffic from one set of sources (this could, for example, be high-bandwidth servers on a hacked network), split it into lots of separate streams, and bounce each one off a different, innocent-looking router on an innocent-looking small network.

You can think of this as the network equivalent of money laundering on a huge scale.

By splitting your attack amongst thousands or millions of unexceptional and otherwise innocent networks around the world, you make it much harder for content delivery networks such as Akamai to block the malicious traffic cleanly and efficiently, because it’s mixed in so thoroughly with legitimate packets.

That’s why it’s called a distributed denial of service.

Improper lockdown

The SSHowDowN problem is caused by IoT devices that allow SSH connections, but don’t lock them down properly.

According to Akamai, many IoT systems have remote access via SSH enabled by default, but also have default “internal accounts” with known username/password pairs.

To stop these default accounts being abused across the internet, some vendors simply configure the system so that if you try to login with a known default password, the system immediately kicks you off.

Unfortunately, SSH isn’t only about secure shell logins, for all that it’s called “Secure Shell”.

SSH can also do what’s called traffic forwarding, for example by acting as a web proxy that accepts traffic from browser X, and transparently redirects it to site Y.

Done correctly, this sort of proxying can greatly increase security, because the traffic from X to the proxy, and from the proxy back to X is strongly encrypted, so that SSH acts as a sort of basic VPN (virtual private network).

But if you can make unauthorised use of proxies on other people’s devices, you can effectively co-opt them as partners in cybercrime, without them even being aware of it.

Unfortunately again, as Akamai points out, letting a crook authenticate first and then relying on them formally logging in immediately afterwards in order to detect they are up to no good is simply the wrong way to do security.

That would be like deliberately letting someone onto your property, but not into your house, and assuming that you’d done enough to stop them using your garden for criminal purposes.

And that’s exactly what crooks can do with a weakly-protected SSH server: there’s a well-documented way to authenticate, start up a proxy server for redirecting traffic, and then deliberately suppress the login part.

In other words, you use the dodgy password to trick the insecure router into letting you steal its identity and bandwidth as a proxy, but avoid the login part that’s needed for the router to kick you out.

The relevant SSH details, if you want to learn more about SSHowDowN, are as follows. The command sshconnects, authenticates and immediately logs in; ssh -D connects, authenticates, starts a forwarding proxy, and then logs in; but ssh -D -N connects, authenticates, starts a forwarding proxy…and then just sits there without logging in. That’s by design, and not a bug. It’s at the authentication phase that you are supposed to verify that the user is allowed to use your resources, whether that’s logging in to a remote shell, starting a proxy, or anything else. Default passwords subvert the entire authentication process. (In case you didn’t notice – it took me a while – the capitalised letters in the word SSHowDowN are a nod to ssh -D -N, where -D means to do proxy forwarDing and-N means Not to login.)

What to do?

Akamai presents various mitigations in its article, so we’ll send you there for the details.

All we’re going to say here is this, and because it’s Cybersecurity Awareness Month we are going to say it VERY, VERY LOUDLY…

DON’T WIRE DEFAULT PASSWORDS
INTO YOUR PRODUCT.

If you don’t intend to let a crook into your house, then don’t make it easy for them to get into the garden in the first place.

via:  sophos

Google has added the data from the first half of 2016 to its ongoing Transparency Report page, and the changes are pretty much what you’d expect: more requests. Some frivolous, some legit, some top secret.

Requests for user information jumped to a record total of 44,943 (up from the previous six months’ 40,677), with the U.S. leading the pack, as usual, with 30,123 of those — second place goes to Germany, then France a distant third, with India and the U.K. at her heels.

New to the board: Algeria, Belarus, Cayman Islands, El Salvador, Fiji and Saudi Arabia. Welcome! None produced more than a handful of requests, though.

The U.K. overtook India, but other than that, the top 5 are unchanged.

An average of 64 percent of those requests were granted, though Google doesn’t (and in most cases can’t) give details of which accounts and data were requested.

The statistics for content removal requests are more detailed, but that data is still from late 2015; I’m sure we can expect updated numbers there soon.

Richard Salgado, the company’s director of law enforcement and information security, did note in a blog post that a single National Security Letter was made public, changing the numbers of NSLs received in the second half of 2015: what was once 0-499 is now 1-499. Smells like freedom!

On the other hand, Foreign Intelligence Surveillance Act requests increased in the same period, to somewhere north of 21,000 — considerably more than the year’s first half, which had around 16,000. We won’t know 2016’s numbers for a while, as there’s a mandatory six-month delay on reporting them. It’s been a more or less continuous climb since 2009, so don’t expect the numbers to go down, or if they do, not by much.

via:  techcrunch

Rumors have been swirling around Amazon’s plans to launch its own, standalone music streaming service, and now those reports have been proven out: the company is today announcing the launch of Amazon Music Unlimited. This new, on-demand streaming service offers access to tens of millions of songs, and is available for $7.99 per month for Prime members, or $9.99 per month for non-Prime members. Amazon has also launched a “for Echo” subscription plan that lets you listen only on its connected speakers for just $3.99 per month.

The Echo-only plan confirms the earlier report from Recode which said a second service aimed at owners of Amazon Echo hardware would help differentiate Amazon Music Unlimited from rivals.

This isn’t Amazon’s first foray into music streaming. Prime membership has included access to Amazon Music before today’s launch, but with a more limited catalog.

Amazon Prime members could access over two million songs, as well as over a thousand playlists and personalized stations. Amazon Music Unlimited is a big step up from that, with “tens of millions” of songs from the major labels Sony, Universal, and Warner, plus hundreds of indies, as well as thousands of playlists and personalized stations.

A family subscription plan for up to 6 people is not live today, but will arrive later this year for $14.99/month or $149/year. Prime members can also choose to pay $79 per year (which works out to $6.58/month).

The service supports standard features like offline listening, and is free of advertising. It works across any Amazon Music compatible device, including the Amazon Echo, Echo Dot and Amazon Tap, Fire devices like Amazon Fire TV and Fire tablets, iOS, Android, the web, PCs and Macs, Sonos, Bose, and others.

Although the new service will compete in a crowded landscape against rivals like Apple Music, Google Play Music/YouTube Red, Spotify, and even Pandora’s newly announced discounted tiers, what makes Amazon Prime Unlimited most interesting is its “Echo-only” plan.

Echo-only music, powered by Alexa

For a few dollars per month, you can add on-demand music to your Echo speaker, including the Amazon Echo, Echo Dot or Amazon Tap.

If you’re hesitant to leave your preferred on-demand service, the Echo-only price is just affordable enough that you don’t really have to. And, at this price, it may even appeal to those who weren’t in the market for an on-demand music subscription.

Though limited to the Echo, this discounted service does come with some advantages.

Not only does it allow you to cue up songs via simple voice commands, Alexa’s machine learning makes the experience “more conversational and personalized” over time, Amazon claims. For instance, you’ll be able to ask it to “play music” and it will start playing songs that are already personalized to your tastes.

The service can do more than play songs by name or artist.

You can ask more complicated queries, too, like “play Green Day’s new song” to hear the band’s latest single; you can request music that matches a mood (e.g. “Alexa, play ‘Happy Music’”); or even a genre from a particular era (e.g. “play the most popular rock from the 90’s”).

You can combine these queries, and ask for music from an artist from a particular decade. You can ask Alexa to play the “song of the day” for a DJ-introduced daily pick. And you can ask for playlists, without even knowing what they’re called on Amazon’s service.

For instance, “Alexa, play music for a dinner party” will cue up a playlist Alexa selects based on your listening history, like “Dinner with Friends,” Cooking with a Classic Soul,” or “Indie Dinner Party,” etc.

You can also ask Alexa to play you a song when you don’t know the name, only some of its lyrics. You do this by asking the virtual assistant to “play the song that goes…” followed by the lyrics you know.

The Echo service includes some behind-the-scenes artist commentaries, called Side-by-Sides. At launch, these are available for The Chainsmokers, Jason Aldean, Lindsey Stirling, Sting, Norah Jones, One Republic, and Kongos, but more will be added in time.

Naturally, you can sign up for Amazon Music Unlimited from the Echo itself, just by asking the virtual assistant to start your free trial. Though still relatively new, tapping into the Echo user base could potentially become a sizable market for Amazon – the company isestimated to have sold over 4 million smart speakers,and is hoping to sell 10 million next year.

New App

Along with the new music service, the Amazon Music app has been given a makeover, and now better emphasizes artist images, album art, music discovery and playback. The app has a “Home” section where you’ll see updates on music from editors, and what’s trending and popular; and a “Recommended” section will include personalized suggestions; and the “Now Playing” section will include synchronized lyrics.

Amazon Music Unlimited is live in the U.S. today. It will debut in the U.K., Germany and Austria later this year.

via:  techcrunch

In the wake of a report from the American Civil Liberties Union (ACLU) about police monitoring of activists and protesters via social media data, Twitter, Facebook and Instagram have cut off the data streams they’ve been sending to the Geofeedia app.

For about 5 years, Geofeedia has used the companies’ APIs to create real-time maps of social media activity in protest areas. Those maps have been used to identify, and in some cases arrest, protesters shortly after their posts became public.

According to a post from the ACLU on Tuesday, Geofeedia sales reps brag about its product being used to cover racially charged protests over the fatal shooting of Michael Brown in Ferguson, Missouri.

From an email secured in response to 63 public records requests the ACLU made to 63 California law enforcement agencies:

Geofeed Streamer [a product feature] is unique to Geofeedia and has numerous uses (i.e., Live Events, Protests – which we covered Ferguson/Mike Brown nationally with great success …

In one Geofeedia testimonial, Baltimore Police Department Detective Sergeant Andrew Vaccaro described the aftermath of the death of Freddie Gray, calling it a “watershed moment” for the department in terms of social media surveillance.

The minute his death was announced, we knew we needed to monitor social media data at key locations where protesting was likely, especially at the local police precinct where Gray had been arrested.

In one specific case, relying on Geofeedia’s real-time information and alerts sent via text and email, Baltimore police noticed chatter from a high school from kids who planned to walk out of class and use mass transit to head to a protest.

Police intercepted them – the students had allegedly already hijacked a metro bus – and found their “backpacks full of rocks, bottles and fence posts.”

From Vaccaro’s testimonial:

They planned to do a lot of damage.

After the ACLU reported its findings to the companies, Instagram cut off Geofeedia’s access to public user posts, and Facebook cut its access to a topic-based feed of public user posts.

Twitter suspended Geofeedia’s commercial access to Twitter data on Tuesday.

At least one Twitter commenter wondered why Twitter had to wait for the ACLU to “reveal” that Geofeedia was providing location data on protesters. It’s not as if Geofeedia was scraping it without permission, after all, making Twitter’s decision to shutter it something like the police being “shocked!” to find out that gambling was going on at Casablanca.

As far as Facebook goes, in an email from May 2016, a Geofeedia representative touts a “confidential legally binding agreement” with the company.

The ACLU lists these additional discoveries:

• Instagram had provided Geofeedia access to the Instagram API, a stream of public Instagram user posts. This data feed included any location data associated with the posts by users. Instagram terminated this access on September 19 2016.
• Facebook had provided Geofeedia with access to a data feed called the Topic Feed API, which is supposed to be a tool for media companies and brand purposes, and which allowed Geofeedia to obtain a ranked feed of public posts from Facebook that mention a specific topic, including hashtags, events, or specific places. Facebook terminated this access on September 19 2016.
• Twitter did not provide access to its “Firehose,” but has an agreement, via a subsidiary, to provide Geofeedia with searchable access to its database of public tweets. In February, Twitter added additional contract terms to try to further safeguard against surveillance. But ACLU records show that as recently as 11 July, Geofeedia was still touting its product as a tool to monitor protests. After learning of this, Twitter sent Geofeedia a cease and desist letter.

This isn’t the first time that Twitter’s extended, but then decided to close down, special access to allow surveillance outfits to datamine.

In May, the Wall Street Journal reported that Twitter had closed down access to Dataminr: a datamining service used by US spying agencies to spot terror attacks.

A Facebook rep said in a statement sent to The Verge that it terminated Geofeedia’s access to the API because the company wasn’t using the data for media or brand purposes.

[Geofeedia] only had access to data that people chose to make public. Its access was subject to the limitations in our Platform Policy, which outlines what we expect from developers that receive data using the Facebook Platform.

If a developer uses our APIs in a way that has not been authorized, we will take swift action to stop them and we will end our relationship altogether if necessary.

Geofeedia CEO Phil Harris said in an emailed statement that the company is committed to the principals of personal privacy and has clear policies in place to “prevent the inappropriate use of our software.”

That said, we understand, given the ever-changing nature of digital technology, that we must continue to work to build on these critical protections of civil rights.

Geofeedia will continue to engage with key civil liberty stakeholders, including the ACLU, and the law enforcement community to make sure that we do everything in our power to support the security of the American people and the protection of personal freedoms.

As The Verge’s Russell Brandom notes, the map of Ferguson protests that Geofeedia featured in a public demo doesn’t differentiate between posts from protesters and credentialed journalists: all posts are pulled into the same map.

And while the metadata on that specific map is publicly available, including images, geolocation data, and screen names that are available on Instagram’s public feed, the scale at which police are identifying and retaining data on protesters is beyond what any individual could achieve without special access to social media platforms’ APIs.

In fact, the access enjoyed by Geofeedia is denied in the terms of service for both Twitter andFacebook.

From the ACLU’s post:

Because Geofeedia obtained this access to Twitter, Facebook and Instagram as a developer, it could access a flow of data that would otherwise require an individual to “scrape” user data off of the services in an automated fashion that is prohibited by the terms of service… With this special access, Geofeedia could quickly access public user content and make it available to the 500 law enforcement and public safety clients claimed by the company.

In joint letters to Twitter, Instagram and Facebook, the ACLU, together with Color of Change and the Center for Media Justice, is calling on Facebook and Twitter to change their API policies to prevent similar systems from being used for surveillance:

[These companies] should not provide user data access to developers who have law enforcement clients and allow their product to be used for surveillance, including the monitoring of information about the political, religious, social views, racial background, locations, associations or activities of any individual or group of individuals.

via: sophos

A 12-year-old vulnerability in the OpenSSH security utilities suite is letting hackers launch massive distributed denial of service (DDoS) attacks using Internet of Things devices, according to new research.

The vulnerability has essentially enabled the “Internet of Unpatchable Things,” as there is no effective way to fix the problem in many devices, said Ory Segal, senior director of threat research at Akamai Technologies.

Last month, IoT devices were linked to a DDoS attack on the KrebsOnSecurity.com Web site that writer Brian Krebs called “among the biggest assaults the Internet has ever witnessed.” According to data from Arbor Networks, DDoS attacks are growing in size and frequency. By the end of 2016, the average attack is expected to be “large enough to knock most businesses offline,” according to Arbor Networks.

CCTV Devices, Modems, Routers at Risk

“After analyzing large data sets from Akamai’s Cloud Security Intelligence platform, we discovered several common features, which led us to believe that the IoT devices were being used as proxies to route malicious traffic against victim sites,” Akamai researchers Segal and Ezra Caltum wrote in their new report.

On further investigation, Segal and Caltum identified what they called “SSHowDowN Proxy” attacks that use an OpenSSH vulnerability to access the Web administration consoles of IoT devices to compromise data on those devices or, in some cases, take them over completely.

Among the devices likely to have that vulnerability are CCTV (closed circuit television) cameras and other devices for video surveillance, satellite antenna equipment, networking devices such as modems and routers, and Internet-connected network-attached storage devices.

Segal and Caltum are recommending that users of such devices try to protect themselves by always changing the factory default credentials for any Internet-connected devices they own. They said users should also completely disable the SSH service on every such device unless it’s needed for normal operations. If devices need SSH to function properly, users should change the sshcd_config to “AllowTcpForwarding No.”

‘Mirai’ Malware Release Could Fuel More Attacks

IoT device-related security problems are likely to increase with the recent public release of the “Mirai” malware, which powers the botnet that can be used to launch DDoS attacks through such devices, Krebs noted recently.

The malware works by “continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords,” Krebs said. The source code for Mirai shows the botnet can work with well over 68 IoT devices and perhaps many more, he added.

Vendors can help reduce the vulnerability of their devices by requiring users to change the factory default credentials after installation, disabling SSH unless necessary and providing a “secure process for end-users to update sshd configuration so that they may mitigate future vulnerabilities without having to wait for a firmware patch,” according to the Akamai report.

Some companies, such as Panasonic and Samsung, are now requiring each user to choose a unique password for devices like Internet-connected video cameras. However, even such precautions “may or may not address the fundamental threat,” Krebs said.

Part of the problem is that IoT devices typically cost much less than the average computers or smartphones, which means that manufacturers are selling them at relatively small profit margins, cybersecurity expert Bruce Schneier noted in a blog post Monday. As a result, IoT device makers often have little incentive to incorporate strong security or regularly update security protocols, he said.

“Even though the source code to the botnet that attacked Krebs has been made public, we can’t update the affected devices,” Schneier said. “Microsoft delivers security patches to your computer once a month. Apple does it just as regularly, but not on a fixed schedule. But the only way for you to update the firmware in your home router is to throw it away and buy a new one.”

via:  enterprise-security-today

Messaging app Signal is proud to be end-to-end encrypted, and privacy is their watchword — but its new ephemeral messages aren’t being billed as tools to that end, and nor should they be.

Disappearing text and pictures are the main addition (along with a meatspace verification tool) of the latest version of the app. But while once people thought of expiring pictures à la Snapchat as a way to send racy or sensitive information, the fact is it adds very little to your security, if any at all. Screenshots, a separate camera, copy and paste — it’s easy to give ephemeral messages permanent form.

Instead, Open Whisper Systems bills the feature as a way to prevent digital clutter.

Disappearing messages are a way for you and your friends to keep your message history tidy. They are a collaborative feature for conversations where all participants want to automate minimalist data hygiene…

It’s really a much more sensible way to think of this kind of messaging, and in fact this is the way young people like miliminals generally use it. No one really cares about last week’s conversations. Like Rafiki says, they’re in the past! So grab the new version of the app foriOS or Android and hakuna matata. See, I’m hip.

via:  techcrunch