Monthly Archives: January 2017

Hackers can access your data through your headphones

Mark Zuckerberg has a revealing routine he carries out on a regular basis which says as much about him as it does our current era of cyber-uncertainty. Every day when he’s finished talking to friends and business associates, he covers up his laptop’s webcam and microphone jack with a small piece of tape.

Is this simply the paranoia of a man who over the last two decades has had to deal with increasingly sensitive information as well as diminishing privacy in his personal life?

What we do know is that many people use the same simple hardware hack as a cyber security precaution. Whilst those who promote the use of tape no doubt favor the method for its brilliant simplicity, we have worrying news for anyone who thinks this method has all bases covered.

Now even your headphones can spy on you

Your headphones, it has now emerged, can be repurposed from afar, turning them into a microphone capable of recording audio, all of this unbeknownst to the device’s user. A group of Israeli researchers has recently created a piece of malware to show how determined hackers could hijack your device and reconfigure it to record audio and send it to them.

The headphone technology

The researchers, based at Ben Gurion University, wrote code aimed at testing their fears about headphone technology. The proof-of-concept code, titled “Speake(a)r,” proved that the very commonly used Realtek audio codec chips contain a vulnerability that allows them to be used to silently repurpose a computer’s output channel as an input channel.

As Wired magazine has noted, turning a pair of headphones into a microphone is a fairly simple task. A quick search on YouTube reveals an abundance of simple hack videos demonstrating how to switch your music listening device into an audio recorder. So it’s the Realtek vulnerability that is the real worry. As the Israeli research team has found, the issue would allow a hacker to record audio even if you’re using a mic-less pair of headphones, and even if your laptop or device’s microphone setting is disabled.

Privacy vulnerability

Mordechai Guri, part of Ben Gurion’s cyber security research team, spoke to Wired about the vulnerability they had discovered. “People don’t think about this privacy vulnerability. Even if you remove your computer’s microphone, if you use headphones you can be recorded.” He added that, “almost every computer today [is] vulnerable to this type of attack.”

The researchers tested their malware hack using Sennheiser headphones. “It’s very effective,” Guri said. “Your headphones do make a good quality microphone.” The team also detailed the extent of the malware’s capability, saying that a hacked pair of headphones could record audio as far as 20 feet away. The recorded file can even be compressed so it can easily be sent over the Internet.

As Guri says, the problem is not one that can receive a simple patch, and the vulnerable audio chip may need to be redesigned and replaced in future computers. The full extent of the problem is also not known, as the Ben Gurion research team has so far focused only on Realtek audio chips. They are set to expand their research to determine which other codec chips and smartphones may be vulnerable.

So, if, like an increasing number of people in this era of cyber security, you feel vulnerable to eavesdropping, don’t only reach for the tape. Make sure those headphones are unplugged so as not to become the victim of a stealthy new form of malware.

via: pandasecurity

The Sorry State Of Cybersecurity Awareness Training

Rules aren’t really rules if breaking them has no consequences.

In today’s dangerous cyberworld, corporations often say that cybersecurity is now a top priority for them, especially after all the massive data breaches we’ve been hearing about on a day-to-day basis. But one has to wonder: if that’s the case, why are so few companies doing cybersecurity training properly?

Sadly, the most common and detrimental thing that many companies are doing wrong when it comes to training employees on cybersecurity is a big one: they aren’t doing it at all.

Regardless of industry or company size, I’ve seen way too many companies that aren’t implementing any sort of cybersecurity training, not even at employee orientation. It’s also important to note that the companies that do implement security training, but only conduct it at new-hire orientation and then never mention it again, are not much better. Many companies fall into this category.

While employees get some sense of what to look out for when they receive training, the threat landscape changes so quickly that the information becomes obsolete within weeks or months and, without regular reminders, it quickly slips out of employees’ minds. In other words, the information is no longer top of mind.

Finally, very few companies are having regular cybersecurity training programs and refresher courses. I recommend companies do training updates once a month throughout the entire year, and I only know of a handful of companies that are actually doing this.

The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what’s learned. Again, I’m seeing almost no companies doing this, so employees aren’t being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats.

Results in the Real World
The longest it has ever taken for me to hack into a company’s system remotely through tactics such as phishing emails is minutes. Usually, I’m already in the system 10 minutes after the phishing email has been sent. When doing on-site tests, if we properly cased the company (which a good hacker will), we are in within an hour. This is a clear illustration of the need for better cybersecurity training.

For example, at one social engineering engagement I performed at a large oil and gas company, I was able to get into the organization and gain full run of the computer network in under an hour, and no one stopped or questioned me. While they did have an information security training program in place, no one was enforcing the practices being taught. Because I could penetrate their network so quickly, the CIO had to be in the exit interview with me, though that was not the initial plan. 

Another example is from a very large retailer. During the company’s cybersecurity training process, I came in to do a social engineering test on the employees. The training should have been top of mind because the employees were currently going through it — the person who let me into the office even said that she was doing training at the moment and knew she was not supposed to let people in — but then she let me in anyway. I quickly gained access to the computer network once I was in the building, and there were no repercussions to the employees. This is a key example of why employees are much less likely to be mindful of the security practices their company expects them to adhere to if there is no enforcement of the rules.

Simply put, there must be some sort of policy, with enforcement, for not adhering to security practices, such as a counseling session, but I see no companies doing this. Without enforcement, employees see the training as onerous. They simply ignore what they have learned, or don’t take the training at all, claiming that they’re too busy.

To be effective, companies need to stop treating cybersecurity training like a box to check off for compliance purposes and take it seriously. Once that happens, employees will take it seriously as well.

via: darkreading

AWS moves into IT training and job placement with re:Start, a UK cloud skills program

Amazon’s cloud storage business AWS has been gradually expanding into a range of cloud services for people not simply to host their business or app with AWS, but to use the platform for productivity and their own work purposes, too. Today came the latest development on that theme: AWS launched re:Start, a new program for IT skills training, specifically in cloud computing, and job placement for young adults and military vets and their spouses, which Amazon has built in partnership with the UK’s Ministry of Defence, the Prince’s Trust, and QA Consulting.

The new service was announced earlier today during an event in London and will start its first intake on March 27 of this year, the company said. The courses will actually take place at physical training facilities, in London and likely at QA offices. The first course for military vets will be in Manchester; travel will be covered for those who have to go to another city.

Amazon says that initially the plans are to roll out re:Start in the UK only, although it will evaluate future plans.

As AWS describes it on its website, “re:Start is a training and job placement program, launched by Amazon Web Services, for the UK to educate young adults as well as military veterans, reservists, and their spouses, on the latest software development and cloud computing technologies.”

The curriculum will include technical training classes; cloud computing and how to architect, design, and develop cloud-based applications using AWS; how to set up new cloud environments; and how to build apps in languages like Python.

The training will be built with companies like QA Consulting and the Micro:bit Foundation (the micro:bit is a learn-to-code device from the BBC, and there will be content made for it); and for work placements, the program taps into AWS’s Partner Network as well as customers of the AWS platform (which is a huge list: AWS is one of the go-to cloud services companies globally).

Initially, AWS said that it will offer work placements for 1,000 people via re:Start. Some of the organizations that will be offering placements include accounting company Sage, insurance company Direct Line and lending platform Funding Circle.

The move to expand services in the UK comes almost exactly a month after AWS opened its first data center in the country, in London.

Education — specifically skills training — is not a new area for Amazon’s AWS. The company also runs a program called AWS Educate aimed at educators and students, providing them “with the resources needed to greatly accelerate cloud-related learning and help students prepare for a cloud-enabled workplace.”

Educate provides a template for how re:Start is likely to be run: Educate offers training materials, collaboration tools, and credits to use cloud services for free — all to be used and redeemed on AWS’s platform. More widely, Amazon has been making a big push to position itself as a go-to platform for educational services.

The new site also raises another interesting point: it opens up a new area of competition between Amazon and Microsoft, this time the area of online education. This is already an area where Microsoft is active. Last year, Microsoft acquired LinkedIn, and LinkedIn has been building up its own platform for skills training (by way of its Lynda acquisition) and linking online, LinkedIn-based skills training with job placements. Microsoft also, of course, owns Azure, which competes very directly with AWS.

But even with both companies, and many, many more, all looking to be the go-to platform for cloud-based tech training, it’s a large opportunity that will take some effort to be tapped dry: today, Gavin Jackson, Amazon’s UK MD for AWS, noted a recent study that said that in the UK alone, some 93% of organizations are having problems finding people who have the necessary IT skill set for jobs that need filling.

“Increasing digital skills in the UK is a major priority for the Government and we are working to make sure that everyone has the skills they need,” said Karen Bradley, UK Secretary of State for Culture, Media, and Sport. “We welcome the launch of AWS re:Start which is a fantastic initiative bringing together employers from different sectors and providing the foundation on which they can continue to train and grow the UK’s digital workforce.”

And you have to wonder why we don’t see more programs like this from the tech sector. At a time when many young people still may not consider higher education, but have not had the necessary training for the jobs of today and tomorrow when still in school, providing them with opportunities like this to pick up those IT skills outside of a formal education system is becoming ever more crucial.

And in the case of military personnel and their families, who may have had to be uprooted several times in the course of several years, it can be one option for helping them out as they make the transition into civilian life.

via: techcrunch

YouTube launches “Super Chat,” a way for creators to make money from their live streams

YouTube announced a new feature today aimed at helping creators make money while connecting with their fans during a live stream: Super Chat. The addition is reminiscent of streaming site Twitch’s Cheering feature, which allows viewers to pay real money in order to have their messages stand out in the chat stream through the use of emotes (animated icons). In YouTube’s case, fans instead are able to highlight their message in a bright color and have their comment pinned on the stream.

Though the implementation is different from Twitch’s, the goal is the same: it’s a means of allowing fans to pay real money in exchange for attention. (It’s also not all that different from technologies porn cam sites have used in their own chat systems for years, which typically involve the purchase of tokens.)


As YouTube explains in its blog post announcing the new feature, Super Chats will remain pinned to the top of the chat for up to five hours, which gives the message a lot of airtime.

Creators, of course, benefit from the feature not only by being able to better connect with their bigger fans, but also because it’s another means of generating revenue from their videos.

Along with the launch of Super Chat, YouTube is debuting an API that will allow developers to access real-time purchase data from the system. This API will replace the Fan Funding API, which will be shut down.

The launch follows a number of changes for YouTube aimed at bettering the experience for creators and viewers alike. Earlier this week, YouTube announced it would begin showcasing new talent on a weekly basis in its Trending section, while last year it rolled out a new Creator Hub, a benefits program, improved support, and other tools, and launched a social network of sorts with YouTube Community.

Super Chat is launching today into beta with top YouTubers, including iHasCupquake, Great Library (buzzbean11) and Alex Wassabi. It will roll out more broadly at month end for creators in 20 countries and viewers in more than 40 countries, the company says.

via: techcrunch

One Easy New Year Resolution to FINALLY Stick with in 2017

If you’re looking for a self-improvement project that doesn’t require much effort to keep up as you move forward this New Year, start using a password manager (I also like LastPass). Seriously. At work and at home. Here’s why.

In his recent SecTor Talk, F-Secure Chief Research Officer Mikko Hypponen told the audience that about 30 percent of people only have one password. He also said that there’s no way this should be a problem in 2016.

And he’s right. Using strong, unique passwords on critical accounts is #opsec 101 (opsec is jargon for keeping your information secure).

Some people are very conscious about protecting their information, and do things like hide their PIN codes while they enter them into bank machines or card readers. They do it so that even cameras can’t see what they’re doing. That’s smart given how important this information is.

But some of these same people use one password for everything. And that’s never made sense to me. Why be so cautious when using point-of-sale devices or bank machines (both of which are often regulated and professionally maintained on a business premise), but so careless when setting up and taking care of accounts on their own?

Security software does wonders in protecting people from online threats. But it won’t protect your accounts against an attacker that has your password. And unless you were hiding under a rock in 2016, you probably heard about some of the record breaking data breaches that occurred, such as the recently disclosed Yahoo hack involving more than one billion stolen passwords (that’s on top of the 500,000,000 Yahoo reported stolen earlier in the year).

Attackers can use these stolen passwords to take over online accounts by simply trying them with popular online services like Facebook, Google, Twitter, and so on. Automated tools make it easy for attackers to try large numbers of stolen credentials one after another until they access an account. And if an attacker is able to access an account that you use to verify your identity with other online services (think about how many services you register with using an email address), they can use that access to systematically take over your other accounts. That’s basically how identity theft works now.

And if they don’t feel like going through all that trouble themselves, they can always just sell the login credentials to other criminals. Groupon recently reported criminals were shopping on their website using login credentials stolen from other companies. And research conducted in 2016 found that 63 percent of confirmed data breaches were caused by weak, default or stolen passwords. That means stolen login credentials are a big problem that affects your personal and professional life.

So using a password manager is a great way to better yourself next year without having to work too hard for it. It makes using strong passwords much easier, which will pay off in terms of securing your online accounts. It’s also a lot less effort than committing to going to the gym on a regular basis for the next 52 weeks, so it won’t radically disrupt your daily life. F-Secure KEY is even free to use. You’re not going to find a more wallet-friendly way to improve yourself in 2017 than that.

And if you’re already using a password manager, you can check out these additional tips from security advisor Sean Sullivan if you want to make some other #opsec New Year’s Resolutions for 2017.

via: safeandsavvy

PC security stepped up with new ‘Windows Goodbye’ screen lock

Windows 10 users already have Windows Hello: the biometrics way to unlock systems using their faces, fingerprints or irises.

Now, Microsoft is working on Windows Goodbye: a way to lock your PC when Windows 10 notices that you’ve wandered off.

According to Windows Central, the official name of the feature is Dynamic Lock, but Microsoft insiders are referring to the feature as Windows Goodbye. Well, that makes sense. Instead of letting you in with Windows Hello, this feature would lock users out, ensuring that their security isn’t violated when they’ve forgotten to lock their machines by punching in the Windows Key + “L” combination before they step away.

…or before they’re urgently called away to put out some fire at work, as the case may be. At any rate, it’s a good security precaution to lock a system, given that it’s just too easy to forget to hit Windows Key-L. (That said, of course, Windows will lock automatically after a period of inactivity, which you can change to suit yourself.)

Dynamic Lock showed up on Monday as just one change in the latest iteration of the OS in an Insider Preview build 15002 of the Windows 10 Creators Update, which is due in April.

We don’t yet have details on how Windows will detect whether a user has vamoosed. So far, Microsoft hasn’t provided any documentation, though I have reached out to see if I can get more details.

As Windows Central reports, it could be a simple version of “lock my device after x minutes of inactivity,” or it could use the Windows Hello equipment to detect a face, proximity sensors or more.

Commenters on Windows Central’s coverage are musing about the possibilities.

One, rhapdog, noted that it would be great to have facial recognition built in to the Dynamic Lock feature: as in, “Lock the computer if someone else is detected that is not me.”

Mismatched iris print staring at the screen? Sorry, you’re locked out.

That would be a great security feature for the paranoid. Something I can’t use, since I’m always telling my wife, “Hey, check this out.” The second she would check it out, the computer would lock and she would see nothing, and tell me, “Very funny. Now leave me alone. You’re sleeping on the couch.”

via: sophos

Coalfire buys another growing cybersecurity company, takes aim at big competitors

Colorado cybersecurity firm Coalfire Systems Inc. is acquiring Veris Group to become a major cybersecurity and threat assessment consultancy to federal agencies, businesses and cloud-computing service providers looking to do business with the federal government.

Westminster-based Coalfire announced the deal after closing the transaction. Terms were not disclosed.

The combined company has 550 employees, generates about $100 million in annual revenue and aims to maintain a 30 percent annual growth rate, the companies said.

Veris Group, based outside Washington D.C. in Vienna, Virginia, began looking in mid-2016 to make a deal to expand. One of Coalfire’s owners, The Carlyle Group, introduced the two companies soon after.

It was immediately apparent the companies would fit really well together, said Larry Jones, Coalfire CEO.

“The chemistry was right and culture was right, but the overlap between the businesses was pretty minimal,” he said.

Coalfire, founded 15 years ago, has grown by helping companies comply with federal data-protection regulations such as HIPAA, FedRAMP and PCI, and safeguard themselves against data breaches, cyber fraud, infrastructure attacks and intellectual property theft. It has many mid-sized business clients but has more recently been winning business from the likes of Amazon, Oracle and other big customers.

Veris Group draws half its business from federal government departments and intelligence agencies, lines of work Coalfire wanted to be in but hadn’t yet cracked, Jones said.

The merger also means Coalfire now has one of the most advanced technical penetration testing and “red team” organizations in the industry, Jones said.

Penetration testing is the process of trying to break into client computer systems as a way of finding vulnerabilities to fix, while “red team” exercises simulate cyber attacks and help clients practice how to respond to threats.

Coalfire is well-positioned after the merger to compete for clients against the likes of IBM and the “big four” accounting firms — PricewaterhouseCoopers, KPMG, Deloitte and Ernst & Young — and cybersecurity specialists such as SecureWorks, Jones said.

via: bizjournals

iPhone hacking biz Cellebrite hacked

Database pwned, cyber-forensics outfit admits.

The Israeli company that found fame when it was fingered as a potential source of hacking software used by the FBI to crack open an iPhone has itself been hacked.

In a statement on its website, Cellebrite today admitted that an “external web server” containing the company’s license management system had been accessed by an unknown third party. The company is still investigating the extent of the hack, but it has advised all its customers to change their passwords.

The biz says the database is an old one – it has migrated to a new system – but warned that basic contact information for people that were registered to receive notifications from the company has been accessed. As much as 900GB of information was taken by hackers, according to Motherboard, whose report earlier today led to Cellebrite’s confession in the past hour.

Such a database could prove valuable given Cellebrite’s line of work: it specializes in mobile forensics. In that capacity, the FBI apparently approached it in an effort to crack the iPhone of San Bernardino shooter Syed Farook.

Farook was running version 9 of the iOS mobile software, which encrypted the phone’s data and required a four-digit PIN to access it. Too many wrong tries effectively render the phone inoperable. The FBI decided to use the case to have a very public fight with Apple over its security features, demanding that the iTunes giant give the FBI access to the phone.

Apple refused, stating that it was effectively being told to break its own product, and the impasse became national news, with politicians dragged into the argument. In the end, in a face-saving exercise, the FBI said it had found a third-party vendor that could access the phone, and backed down from what had by then become a legal challenge.

Although neither the FBI nor Cellebrite ever confirmed the forensics company was the source of the hack, neither denied reports, either. Whatever biz bypassed the smartphone’s security, it received as much as $1m for its troubles. With that amount of money flying about, it was inevitable that hackers would try to get into Cellebrite’s systems.

“Cellebrite actively maintains an ongoing information security program and is committed to safeguarding sensitive customer information using best-in-class security countermeasures,” the company assured customers. “Once the investigation of this attack is complete, the company will take any appropriate steps necessary to harden its security posture to mitigate the risk of future breaches.”

The outfit, which is a subsidiary of the Japanese Sun Corporation but is based in Israel, said it was working with the authorities to try to track down the hackers.

via: theregister

Insurer hit with fine after unencrypted NAS stolen

Royal & Sun Alliance (RSA) has been handed a big fine by the Information Commissioner (ICO) for losing a networked hard drive full of unencrypted customer data in strange circumstances.

The facts of the case are that at some point between May and July 2015 (the lack of certainty is indicative), a Network Attached Storage (NAS) device disappeared from a server room at the company’s Horsham site.

What went with it was a database containing 59,592 customer records, including names, addresses, bank account numbers and sort codes. In 20,000 cases, credit card primary account numbers were also present, although not expiry dates or CVV numbers.

The lack of encryption is one takeaway, although password protection was in place. The more incredible aspect of the incident is that nobody at RSA noticed that something as big and important as a NAS containing customer data had mysteriously been taken offline, apparently while it was still in use.

It then took weeks for anyone to notice the drive was no longer physically in the server room, supposedly a secure location. There was no CCTV in operation and it seems that up to 40 staff members, including contractors, visited the room unaccompanied.

Announcing a £150,000 ($185,000) fine for the loss, Steve Eckersley, the ICO’s head of enforcement, was perhaps stating the obvious when he said: “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.” However, despite that, the fine fell short of the maximum of £500,000 that could have been imposed.

We’ve been here before – numerous times in fact.

The firecracker at the start of this era was probably the £980,000 fine on Nationwide Building Society in 2007 after a laptop containing the unencrypted customer data of nearly 11m people was stolen from an employee’s home.

Issued by the Financial Services Authority (FSA), the City watchdog at the time, rather than the ICO, the fine has gone down in history for its record size. It was seen as a warning, and security heads duly took note. Despite its awkwardness and expense, encryption spread.

And yet incidents have continued to happen on a smaller scale, including Glasgow Council’s loss of dozens of unencrypted laptops in 2013, the same year NHS Surrey was fined £200,000 for allowing someone to buy a hard drive that still had 3,000 patient records on it.

Even government itself has found itself on the wrong end of fines, such as the £180,000 enforcement sent to the Ministry of Justice in 2014 for losing an unencrypted backup drive.

It’s not as if organizations can’t say they weren’t warned. Over the years, the ICO has issued a number of high-profile recommendations about the need for data encryption under the Data Protection Act (DPA), the latest of which appeared a year ago.

The question of the effect of fines is an interesting one. Critics regularly decry token fines for serious data loss incidents while the opposite view is that they are more about public embarrassment than monetary pain. However, fines under the forthcoming European General Data Protection Regulation (GDPR), due to take effect next year, will be big enough to focus minds further on security: they will be either up to €20m or up to 4% of global turnover.

The less discussed issue is how long it often takes organizations to discover the loss of drives. GDPR gets tough here, too, with strict new standards for breach notification (including physical loss of data). In whatever form Brexit unfolds, UK organizations will still find this de facto change in regulation impossible to ignore.

via: sophos

Google Voice is getting an upgrade

Google’s somewhat aging VoIP calling service, Google Voice, is preparing to roll out a significant update, the company has confirmed. Several Google Voice users this week reported seeing an upgrade link touting “the new Google Voice” on the web version of the service, along with a link that would let them try it out. Clearly, the message was posted too early because the upgrade didn’t come through when the link was clicked.

However, its existence has been an encouraging sign for Google Voice customers, many of whom have felt as if the service has been abandoned in favor of Google’s many newer efforts in the communications space, including Hangouts, and more recently, messaging apps like Allo and Duo.

According to the Droid Life blog, which was one of the first to see the upgrade link appear, the banner popped up at the top of the screen when they logged into their account, with a message that read: “The new Google Voice is here. TRY NOW.” But when they tried it, the page just refreshed and they remained on the current user interface.


Google Voice hasn’t been updated in some time, making the product feel a bit abandoned. Many are saying it hasn’t had any attention in years, but that’s not entirely true. It didn’t receive much attention in 2016, but before that, the last notable updates included things like Google Hangouts’ integration with Google Voice back in fall 2014, and 2015’s update which improved Google Voice’s voicemail transcriptions.

Still, its updates have been few and far between, despite the usefulness of the service and its potential. Google’s failure to continue investing in the space has allowed other voice calling apps to gain ground. Not only are voice messaging apps a popular category today, the idea of giving users the ability to share a public phone number that can ring them anywhere, on a line that has its own voicemail and filtering options, is now something other startups, like Burner or newcomer Listen, are handling instead.

These Google Voice rivals have succeeded in part by focusing on mobile users – an area where Google Voice has fallen behind, having not updated its iOS and Android apps since the first half of last year.

After the flood of reports, Google confirmed that it’s working on some updates to Google Voice, but declined to give us further details ahead of the launch.

Google’s strategy with regards to its communications apps has been messy, so it will be interesting to see what the new Google Voice entails. The company has a number of communication products, which seem to be in a constant state of flux.

Hangouts, for example, has just seen its API shut down, which will effectively shutter the app ecosystem on the platform for most developers. The apps that were allowed to remain have an enterprise focus instead, as Google explained to developers in an email that it’s moving away from its consumer focus.

via: techcrunch