Monthly Archives: August 2018

Hack the Marine Corps Bug Bounty Program Announced by DoD

The U.S. Department of Defense (DoD) and HackerOne together announced the creation of a new bug bounty program called “Hack the Marine Corps.”


On 12 August, DoD kicked off its new vulnerability disclosure initiative at DEF CON 26 in Las Vegas, Nevada with a live hacking session. For the launch event, 100 ethical hackers hand-selected by the Department of Defense spent nine straight hours scouring the Marine Corps’ public-facing websites and services for vulnerabilities. Those security researchers, who worked alongside Marines from the U.S. Marine Corps Cyberspace Command (MARFORCYBER), filed 75 vulnerability reports during the hacking session and received a total of $80,000 in awards.

Maj. Gen. Matthew Glavy, commander of MARFORCYBER, said he’s pleased with the creation of the bug bounty program. As quoted in a press release:

Hack the Marine Corps allows us to leverage the talents of the global ethical hacker community to take an honest, hard look at our current cybersecurity posture. Our Marines need to operate against the best. What we learn from this program will assist the Marine Corps in improving our warfighting platform, the Marine Corps Enterprise Network. Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces, and minimize future vulnerabilities. It will make us more combat ready.

Hack the Marine Corps is the latest bug bounty program announced under the “Hack the Pentagon” digital security initiative. Since the creation of that challenge, security researchers have reported over 5,000 vulnerabilities discovered in government systems. They’ve done so as part of sub-programs of Hack the Pentagon including “Hack the Army” and “Hack the Defense Travel System (DTS).”

DoD designed Hack the Marine Corps to run on HackerOne’s platform and focus on strengthening the security of the Marine Corps Enterprise Network (MCEN).

This program is set to run until 26 August 2018.


via: tripwire

President signs NIST Small Business Cybersecurity Act into law

A year and nearly four months after the measure was introduced, the NIST Small Business Cybersecurity Act officially passed after President Donald Trump signed the legislation into law.

Originally proposed as H.R. 2105 in April 2017, the act was later absorbed into U.S. federal law S.770, and requires the director of the National Institute of Standards and Technology, within one year of the law’s passing, to issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cybersecurity risks.

S.770 also tasks NIST, a division of the U.S. Commerce Department, with considering the needs of small businesses when developing these recommendations, which among other key qualities should be widely applicable and technology-neutral and “include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships.”

The legislation in its current form was introduced by Sen. Brian Schatz, D-Hawaii, along with Sen. James Risch, R-Idaho, and was sponsored by fellow lawmakers John Thune, R-S.D.; Maria Cantwell, D-Wash.; Bill Nelson, D-Fla.; Cory Gardner, R-Colo.; Catherine Cortez Masto, D-Nev.; Maggie Hassan, D-N.H.; Claire McCaskill, D-Mo.; and Kirsten Gillibrand, D-N.Y.

In a press release, Schatz, the lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, said that “As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers.”

“This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks,” Schatz continued.

“The NIST Cybersecurity Small Business Act is a significant win for the cybersecurity industry and for small-to-medium size businesses who struggle to operate consistent with the NIST standards,” said Dr. Bret Fund, founder and CEO of cybersecurity academy ServerSet, in emailed comments. “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain.”

“Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks,” remarked Dirk Morris, chief product officer at Untangle, a provider of network security for SMBs. “The NIST Small Business Cybersecurity Act will provide small businesses the resources and a simplified cybersecurity framework so they can effectively protect their businesses from threats.”


via: scmagazine

The End of Employees?

Never before have big employers tried so hard to hand over chunks of their business to contractors. From Google to Wal-Mart, the strategy prunes costs for firms and job security for millions of workers.

No one in the airline industry comes close to Virgin America Inc. on a measurement of efficiency called revenue per employee. That’s because baggage delivery, heavy maintenance, reservations, catering and many other jobs aren’t done by employees. Virgin America uses contractors.

“We will outsource every job that we can that is not customer-facing,” David Cush, the airline’s chief executive, told investors last March. In April, he helped sell Virgin America to Alaska Air Group Inc. for $2.6 billion, more than double its value in late 2014. He left when the takeover was completed in December.

Never before have American companies tried so hard to employ so few people. The outsourcing wave that moved apparel-making jobs to China and call-center operations to India is now just as likely to happen inside companies across the U.S. and in almost every industry.

The men and women who unload shipping containers at Wal-Mart Stores Inc. warehouses are provided by trucking company Schneider National Inc.’s logistics operation, which in turn subcontracts with temporary-staffing agencies. Pfizer Inc. used contractors to perform the majority of its clinical drug trials last year.

The contractor model is so prevalent that Google parent Alphabet Inc., ranked by Fortune magazine as the best place to work for seven of the past 10 years, has roughly equal numbers of outsourced workers and full-time employees, according to people familiar with the matter.

About 70,000 TVCs—an abbreviation for temps, vendors and contractors—test drive Google’s self-driving cars, review legal documents, make products easier and better to use, manage marketing and data projects, and do many other jobs. They wear red badges at work, while regular Alphabet employees wear white ones.

The shift is radically altering what it means to be a company and a worker. More flexibility for companies to shrink the size of their employee base, pay and benefits means less job security for workers. Rising from the mailroom to a corner office is harder now that outsourced jobs are no longer part of the workforce from which star performers are promoted.

For companies, the biggest allure of replacing employees with contract workers is more control over costs. Contractors help businesses keep their full-time, in-house staffing lean and flexible enough to adapt to new ideas or changes in demand.

For workers, the changes often lead to lower pay and make it surprisingly hard to answer the simple question “Where do you work?” Some economists say the parallel workforce created by the rise of contracting is helping to fuel income inequality between people who do the same jobs.

No one knows how many Americans work as contractors, because they don’t fit neatly into the job categories tracked by government agencies. Rough estimates by economists range from 3% to 14% of the nation’s workforce, or as many as 20 million people.

One of the narrowest definitions of outsourcing, workers hired through a contracting company to provide on-site labor for a single client, rose to 2% of all U.S. workers in 2015 from 0.6% in 2005, according to an academic study last year.


Companies, which disclose few details about their outside workers, are rapidly increasing the numbers and types of jobs seen as ripe for contracting. At large firms, 20% to 50% of the total workforce often is outsourced, according to staffing executives. Bank of America Corp., Verizon Communications Inc., Procter & Gamble Co. and FedEx Corp. have thousands of contractors each.

In oil, gas and pharmaceuticals, outside workers sometimes outnumber employees by at least 2 to 1, says Arun Srinivasan, head of strategy and customer operations at SAP Fieldglass, a division of business software provider SAP SE that helps customers manage their workforces.

Janitorial work and cafeteria services disappeared from most company payrolls long ago. A similar shift is under way for higher-paying, white-collar jobs such as research scientist, recruiter, operations manager and loan underwriter.

According to data from the Bureau of Labor Statistics, 25% of all medical transcriptionists, who type medical reports recorded by doctors and nurses, were employed in what the agency calls the business support services industry in 2015. The percentage has jumped by more than a third since 2009, a sign that transcriptionists are being pushed out of many doctors’ offices and hospitals.

“I haven’t yet met a CEO who’s not surprised by how many people who touch their products aren’t their own employees,” says Carl Camden, president and CEO of staffing agency Kelly Services Inc. Outsourcing and consulting brought in 14% of Kelly’s revenue in 2016.

Eventually, some large companies could be pruned of all but the most essential employees. Consulting firm Accenture PLC predicted last year that one of the 2,000 largest companies in the world will have “no full-time employees outside of the C-suite” within 10 years.

Accenture is one of the world’s largest providers of outsourced labor. Along with many rivals, it is pitching chief executives on the idea that their company’s core business is smaller than they think.

“We’ve shown we can do core parts of their business better than they can do it themselves,” says Mike Salvino, who ran Accenture’s outsourcing business for seven years until he left in 2016.


Efficiency Boosters

Average revenue per employee at the largest U.S. companies has climbed 22% since 2003. The jump could reflect the growing use of contractors and temporary workers, who aren’t counted as employees. Outsourcing is having a major impact in manufacturing and might have inflated official measurements of labor productivity from 2009 to 2015.

[Chart: Efficiency Boosters. Panels: average revenue per employee, in 2016 dollars; estimated number of outsourced temp workers in manufacturing; outsourced temp workers as a percentage of direct-hire employees.]

Note: Revenue figures are adjusted for inflation and include about 430 companies that were in the S&P 500 from 2000 to 2016. Direct-hire employees usually have full-time jobs with benefits.

Source: S&P Global Market Intelligence and The Wall Street Journal (revenue per employee); Matthew Dey (Bureau of Labor Statistics), Susan Houseman (W.J. Upjohn Institute for Employment Research) and Anne Polivka (Bureau of Labor Statistics) (manufacturing workers and direct-hire employees)

Steven Barker, 36 years old, says companies often dangle the possibility of full-time employment but seldom follow through. He has worked contract assignments at Amazon.com Inc., where it was common during orientation sessions for someone to ask if the job could become permanent.

He says the answer usually was: “We’ll see. Anything’s possible!”

At Amazon, Mr. Barker applied to become a full-time employee on X-Ray, which lets customers access actor biographies and other information while watching movies and television shows. He was an X-Ray contractor since it was in the development stage, he says, but wasn’t offered a job interview and eventually received a generic rejection letter from the company. Amazon declines to comment.


Companies sometimes try outsourcing and then change their minds. About 70% of Target Corp.’s information-technology jobs were outsourced when Mike McNamara became chief information officer at the retailer in 2015. About 70% of those jobs now are done by employees.

“I’m a strong believer that if you can get competitive advantage out of something, you want it in-house,” he says. “That I have better supply-chain algorithms than [my competitors] really matters.”

Few companies, workplace consultants or economists expect the outsourcing trend to reverse. Moving noncore jobs out of a company allows it to devote more time and energy to the things it does best. When an outside firm is in charge of labor, it assumes the day-to-day grind of scheduling, hiring and firing. Workers are quickly replaced if needed, and the company worries only about the final product.

Steven Berkenfeld, an investment banker who has spent his career evaluating corporate strategies, says companies of all shapes and sizes are increasingly thinking like this: “Can I automate it? If not, can I outsource it? If not, can I give it to an independent contractor or freelancer?”

Hiring an employee is a last resort, Mr. Berkenfeld adds, and “very few jobs make it through that obstacle course.”

Visitors arriving at SAP, based in Walldorf, Germany, likely don’t notice that about 30 receptionists at its U.S. facilities work for contractor Eurest Services, part of Compass Group PLC. It happened in 2014 after SAP executives concluded during a review of potential outsourcing opportunities that some managers were paying their receptionists above-market wages.

SAP handed over hiring, training and oversight of receptionists to an outside firm. They were told they could leave SAP or keep their jobs through Eurest, which pays the receptionists in line with the overall market.

SAP says the move left the company with less to manage. “Internally, when [an employee’s] skills aren’t up to par, there’s a protracted process of managing performance,” says Jewell Parkinson, the human-resources chief for SAP’s North American division. “Working through the vendor, it’s a more efficient turnaround.”

Some economists liken the strategy to Hollywood studios, which greenlight movies and then hire directors, actors, editors, special-effects teams and marketing agencies for production. All those outsiders work together to deliver the movie, but the studio has no long-term obligations after the film’s release.

When jet-engine maker Pratt & Whitney no longer wanted to handle coordinating deliveries to its factories, it hired United Parcel Service Inc., which has thousands of logistics experts and specialized automation technology.

For years, suppliers delivered parts directly to Pratt’s two factories, where materials handlers unpacked the parts and distributed them to production teams. Earl Exum, vice president of global materials and logistics, says Pratt had “a couple hundred” logistics specialists. Some handlers were 20- or 30-year veterans who could “look at a part and know exactly what it is,” he adds.

As Pratt wrestled with plans to speed production of a new jet engine and open three new factories, executives decided in 2015 to centralize delivery and distribution of parts in one facility. That facility would receive all the parts, pack them into assembly kits and send them to the five factories.

UPS custom-built a 600,000-square-foot facility, roughly the size of 10 football fields, for Pratt in Londonderry, N.H. About 150 Pratt employees who handled parts at the two factories were offered a chance at retraining for production jobs. Many did, and the rest left the company or retired. UPS has hired about 200 hourly workers for the facility.

Most of the UPS employees had no experience in the field, and assembly kits arrived at factories with damaged or missing parts. Pratt and UPS bosses struggled to get the companies’ computers in sync, including warehouse-management software outsourced by UPS to another firm, according to Pratt.

The result: a 33% decline in engine deliveries by Pratt, a unit of United Technologies Corp., or about $500 million in sales, in the third quarter of 2015.

Production was back on schedule by the following quarter, and Pratt’s Mr. Exum says the facility is running well now. The 200 UPS employees can do work for five factories that 150 Pratt employees used to do for two. Pratt’s employees were unionized, but UPS’s aren’t. The union representing Pratt workers objected to the move.

The flexibility of outsourced labor helps Southwest Airlines Co. shield its employee base from the ups and downs of the airline industry. The fourth-largest U.S. carrier by traffic has about 53,000 employees and 10,000 outside workers.

The nonemployees range from wheelchair pushers in airports to information-technology professionals. “We’ve never had a layoff in our history,” says Greg Muccio, Southwest’s head of recruiting. “When we look at contingent workers, we’re protecting that because what we don’t want to do is balloon up and then be in a situation where we need to lay people off.”

Outsourced workers at Google parent Alphabet arrive through staffing agencies such as Zenith Talent, Filter LLC and Switzerland’s Adecco Group AG, which alone bills Alphabet about $300 million a year for contractors and temps who work there, according to an Adecco executive.

Google wouldn’t comment on how it decides which jobs are done by contractors rather than employees. A former contractor in the search division says he got the impression from conversations and meetings that he was a nonemployee because his skill set wasn’t a core feature of the product on which he was working. He says managers also needed the ability to ramp down quickly if the project wasn’t successful.

The contractor eventually became a full-time employee. He says he was told the decision to put him on the regular payroll had to be approved by Google co-founder Larry Page, now Alphabet’s chief executive, at a product-review meeting.

The trade group Staffing Industry Analysts estimates businesses spend nearly $1 trillion a year world-wide on what it calls “workforce solutions,” or outside services to place and manage workers.

As more companies outsource jobs, the resulting improvement in some measurements of productivity puts pressure on other companies.

Bank of New York Mellon Corp. executives were asked in a 2015 earnings conference call to explain why its revenue per employee trailed other banks.

Todd Gibbons, BNY’s vice chairman and chief financial officer, said investors should focus on a different indicator “because it’s just too hard to tell exactly what’s going on with head count and how people compute it and whether they’ve got contractors in versus full-time employees and so forth.”

BNY Chairman and CEO Gerald Hassell vowed to “drive down the labor component of our company” with technology that can perform tasks currently done by people. Other companies view contracting as a stopgap until more jobs are automated, freeing firms to dispense with some workers altogether.

In January, BNY told analysts and investors that the bank has “more than 150 bots now in production.”


via: wsj

How to go beyond passwords in Windows 10

Web sign-in, FIDO 2, remote biometrics: Windows 10 is ready for better security than passwords offer.

Passwords are hard to remember and easy to lose. Whether it’s people reusing the same weak password on multiple sites or services that don’t protect their user data and expose usernames and passwords in data breaches, simple passwords don’t offer enough protection. That’s why Windows 10 is moving towards more secure options like biometrics, tokens and push authentication — including support for the new FIDO 2 internet identity standards.

Fingers and faces

Windows Hello makes using biometrics like fingerprint sensors and infrared facial-recognition cameras much easier, by making it part of the standard way you sign in, rather than leaving OEMs to add this functionality to the account process.

Faces, fingers and other biometric factors like hand vein prints can’t be phished like passwords, and they aren’t sent across the network or roamed between devices the way passwords are. This means that attackers who get into a network can’t scoop up and reuse credentials from a PC to access servers. Windows 10 has protections like Credential Guard to make it harder for attackers to get at credentials by running the LSA service that stores them in Virtual Secure Mode. There’s also a new Cloud Credential Guard that protects cloud credentials like Azure AD tokens using TLS token binding. However, switching to biometrics means that credentials aren’t as vulnerable because they aren’t sent back and forth.

Registering a biometric like a fingerprint or a face with Windows Hello creates a cryptographic key pair that’s stored in the TPM (or a software TPM) and used with identity services like Microsoft accounts and Azure Active Directory. If you register the same fingerprint or face onto multiple Windows PCs, each device creates a unique key pair — not a copy of the key pair from the first device.

You’re not going to leave your face or fingerprint behind the way you could forget a password, but you still need a way to log in if you’ve got a cut on your finger or are working in unusually dark or bright surroundings where a facial recognition camera can’t see you clearly. The fallback for biometrics that aren’t recognized is still called a PIN, but as well as numbers it can include special characters and upper and lower-case letters like a password. Enterprise policies dictate how complex PINs have to be (the home edition of Windows 10 is happy with just four digits in your PIN). But it’s the fact that they’re only stored on the device (not roamed to other devices with the same account) and only used to unlock the authentication key used to sign requests to servers (not sent to a server the way a password is) that makes PINs more secure than passwords. Plus, PINs are stored in the TPM, whereas passwords aren’t.

If your PC doesn’t have a facial camera or fingerprint sensor, you can plug one into a USB port, or you can use a ‘companion device’ like the Nymi Band that uses your heartbeat and ECG to identify you.

With the next release of Windows 10, you’ll be able to use Windows Hello biometrics to sign in to Remote Desktop sessions. If you’ve logged into Windows with biometrics, you’ll be signed in to the remote desktop automatically when you open an RDP session (although if you need to confirm your Windows password inside the remote session, for example to elevate a dialog, you’ll have to type in the PIN).

But biometrics don’t work in every situation or for every person. Almost every biometric, from fingerprints to hand vein prints to irises, only works for about 80 percent of the population. For example, some older Chinese women and people who work at dry cleaners have fingerprints that just don’t scan well. Replacing passwords is about using multiple factors, including other devices. If you have a YubiKey for services like Gmail, GitHub and DropBox, you can sign into Windows Hello by inserting it into your PC (you’ll also need the YubiKey for Windows Hello app).

You could use a phone with text messages or an authenticator app to log into Windows, the way you can use that kind of multi-factor authentication to make logging into Twitter or Gmail more secure, but it’s not particularly convenient. Using your phone to lock your device when you walk away from it is handy though; once you’ve paired a phone with your PC over Bluetooth, you can use the Dynamic Lock feature to lock it when you’re out of range. You turn that on under Accounts > Sign-in options in the Settings app. Admins can use the Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business\Configure dynamic lock factors Group Policy to set how weak the Bluetooth signal can be before the PC locks.

Is it me you’re looking for?

Up until now, Windows Hello has only handled your Windows password, the Microsoft Store and any services that you’ve set up for single sign-on with Azure Active Directory. With the next release of Windows 10, we’re going to finally see more of the FIDO 2 standards. Direct support for FIDO 2 security keys like YubiKeys and smart cards (without needing a specific app for each separate key) is in limited preview.

This isn’t a major change to Windows Hello, which was built to an early version of the FIDO protocols; it’s more about updating it now that FIDO 2 standards for secure keys and the W3C Web Authentication API have been agreed. That means a user with a FIDO 2 security key can log into any Azure AD-joined PC without having to set up an account on it first, which is ideal for front-line and mobile workers.

It also means that as browsers implement and websites adopt the new WebAuthn API, Windows Hello will be able to start replacing passwords in the browser too, using biometrics or FIDO UAF security keys to log in without a password at all when websites support that. WebAuthn also supports the two-factor U2F option, where you use a username and password and either a FIDO security key or Windows Hello biometrics as the second factor. Edge has supported a preview version of WebAuthn since 2016; in build 17723 (currently available to Windows Insiders), Edge supports the Candidate Recommendation of the API, although it doesn’t yet work for PWAs or UWP apps that are web based. There aren’t many sites that support WebAuthn yet, but you can try it out in this sample app and there are instructions for adding WebAuthn support to your own internal sites.
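As an added example (not code from the article or from Microsoft), here is the browser side of a WebAuthn registration that asks for the platform authenticator, which on the PC described above is Windows Hello gated by its PIN or biometric, alongside the relying-party check of clientDataJSON that gives the scheme its phishing resistance. The relying-party id `intranet.example`, the user record and the `alg` list are assumptions.

```javascript
// Added example, not from the article: WebAuthn registration against the built-in
// (platform) authenticator, plus the server-side clientDataJSON check.
// The relying-party id 'intranet.example' and the user record are placeholders.

const RP_ID = 'intranet.example';               // assumed relying-party domain
const EXPECTED_ORIGIN = 'https://' + RP_ID;     // the only origin allowed to use the key

// WebAuthn transports challenges and credential ids as base64url.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds PublicKeyCredentialCreationOptions. passwordless=true selects the built-in
// (platform) authenticator with user verification required, i.e. the FIDO UAF-style
// sign-in the article describes; passwordless=false asks for a roaming key used as a
// second factor next to a password (the U2F-style option).
function buildCreationOptions(challengeB64url, user, passwordless) {
  return {
    rp: { id: RP_ID, name: 'Example intranet' },
    user: {
      id: new TextEncoder().encode(user.id),     // opaque user handle, not an email
      name: user.name,
      displayName: user.displayName,
    },
    challenge: base64urlToBytes(challengeB64url), // fresh random value from the server
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },    // ES256
      { type: 'public-key', alg: -257 },  // RS256; accept both so TPM-backed keys work
    ],
    authenticatorSelection: passwordless
      ? { authenticatorAttachment: 'platform', userVerification: 'required', requireResidentKey: true }
      : { authenticatorAttachment: 'cross-platform', userVerification: 'discouraged' },
    timeout: 60000,
    attestation: 'none',
  };
}

// Relying-party side: what the server must verify in the clientDataJSON the browser
// returns before trusting the new key. The origin check is what stops a look-alike
// site from relaying a registration or assertion, since the browser fills it in.
function checkClientData(clientDataJSONBytes, expectedChallengeB64url, expectedType) {
  let data;
  try {
    data = JSON.parse(new TextDecoder().decode(clientDataJSONBytes));
  } catch (e) {
    return { ok: false, reason: 'clientDataJSON is not valid JSON' };
  }
  if (data.type !== expectedType) return { ok: false, reason: 'unexpected type ' + data.type };
  if (data.challenge !== expectedChallengeB64url) return { ok: false, reason: 'challenge mismatch' };
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: 'unexpected origin ' + data.origin };
  return { ok: true, reason: '' };
}

// Browser side: run the ceremony and return what the server needs, base64url-encoded.
// Requires a browser that implements WebAuthn (navigator.credentials).
async function registerWithPlatformAuthenticator(challengeB64url, user) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('WebAuthn is not available in this environment');
  }
  const cred = await navigator.credentials.create({
    publicKey: buildCreationOptions(challengeB64url, user, true),
  });
  return {
    id: cred.id,
    clientDataJSON: bytesToBase64url(new Uint8Array(cred.response.clientDataJSON)),
    attestationObject: bytesToBase64url(new Uint8Array(cred.response.attestationObject)),
  };
}
```

The server must also parse the attestationObject and store the returned public key with the credential id; that part is omitted here.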

As well as new kinds of credentials, Windows is also going to support more identity providers directly. Windows Hello works with Azure AD, Active Directory and third-party federation servers that support the necessary extensions to OAuth 2.0 and OpenID Connect 1.0. With the next release of Windows 10, Windows logon will support SAML identity providers — not just identities federated to ADFS and other WS-Fed providers.

You’ll need Azure AD to use this new Web Sign-in, and you’ll have to enable the Policy CSP/Authentication/EnableWebSignIn Group Policy. This isn’t likely to shake the dominance of Active Directory in the enterprise, but it makes it much more convenient for organizations that use SAML systems like Oracle Identity Federation to have these accounts show up as an option for signing into Windows.


via: techrepublic

Are your Android apps listening to you?

Here’s a thing: numerous apps on your phone have permission to access your microphone.

Some, like the Phone app itself, were on the phone when you got it, but you’ve almost certainly added others – WhatsApp, Skype and Facebook, for instance – along the way.

From the moment you gave those apps audio permission, they’ve been able to listen in whenever they want, without telling you.

In theory, you’ll never know if an app is overstepping the mark; in practice, however, there are some cool ways of checking to see when an app is listening in.

Keeping track of an app’s behaviour is a handy technical skill to have, so we’re going to show you how to look at the system calls made by your Android mobile to the audio subsystem.

No more audio secrets!

By following our tutorial, you can keep track of exactly when an app is accessing the microphone.

Note. For this article, we used a test device that was wiped first and then rooted. This means we deliberately altered the security settings to give us administrative access – on Linux/Android, the admin account is called root, so getting root access is colloquially called rooting. We strongly recommend that you don’t do research of this sort on your regular phone, just in case something goes wrong. And definitely don’t try this on your work phone!

Tracing Android API calls

The tool we’ll use to find out if apps are listening to us is called AppMon.

AppMon’s Android Tracer can monitor apps on your phone by tracing Java classes when they’re called (almost all Android apps are written in Java).

Apps that want to use the microphone use the AudioRecord class. By monitoring this with Android Tracer, we can see how and when apps are interacting with the microphone.

Most of AppMon’s documentation is focused on macOS and Linux, but in this article we’ll show you how to install it on Windows.

AppMon talks to Android via a utility called Frida, monitoring software that you’ll need to install on your test Android device first.

Frida allows you to inject scripts into Android processes, hook into functions and spy on crypto APIs. For this reason it’s a scary app to have installed on any phone outside of a test environment.

You won’t find it in the Google Play Store, so you have to sideload it. For that you’ll need to have debugging enabled on your mobile, and the Android Debug Bridge (ADB) installed on Windows.

Here’s how to get started.

Enabling USB Debugging on Android

Firstly you’ll need to make sure your Android device is in developer mode, and that USB Debugging is enabled:

  1. Open the Settings app.
  2. Select System (Only on Android 8.0 or higher).
  3. Scroll to the bottom and select About phone.
  4. Scroll to the bottom and tap Build number 7 times. (Yes, that’s officially how you do it!)
  5. Return to the previous screen to find Developer options near the bottom.

Switch developer mode on, scroll down until you see the newly revealed option USB debugging, and turn it on. Now plug the Android device into your Windows machine with its USB cable, ready for the next phase.

Installing ADB on Windows

ADB is a handy tool for interacting with Android phones, and we’ll be using it to install Frida onto our device.

Download the android-sdk command-line tools for Windows.

Once the tools are downloaded and unzipped, you can run adb.exe from the command line.

Open a command window in the directory where adb.exe is currently located. You can do this by holding shift whilst right clicking on the explorer window where adb.exe exists, and selecting “open command window here”.

With your newly opened command prompt, type adb devices and hit return.

This will show you a list of the Android devices with debugging enabled that are currently connected.

Example:

    C:\Users\User1> adb devices
    List of devices attached
    XXXXXXXXX    device


Running Frida on Android

Download the frida-server app, which you need on your Android device to monitor apps that are running.

Download the compressed binary with the file name “frida-server-NN.N.NNN-android-MMM.xz”, where NN.N.NNN represents the version number, and MMM is the processor type in your phone (one of arm, arm64, x86 or x86_64).

Most older Androids have ARM chips; many newer phones have the more powerful ARM64 processor – if you choose the wrong version of frida-server you won’t break anything, but it won’t work. If you aren’t sure, use a search engine to find the CPU type for your specific model of phone.

Decompress the downloaded .xz file into the same location as adb.exe, and rename the extracted file to frida-server (the name used in the commands below).

Back in the command prompt you opened earlier, push the Frida-server file onto your Android device and run it:

    adb push frida-server /data/local/tmp/
    adb shell "chmod 755 /data/local/tmp/frida-server"
    adb shell
    su
    /data/local/tmp/frida-server &

Here we’ve pushed the frida-server file to /data/local/tmp/ on the Android device, a directory on the Android file system from which you are allowed to execute a binary.

Then we used chmod to change the file permissions of frida-server to make sure it’s allowed to run.

Finally, we switched to the root user with su (frida-server needs root to attach to other apps’ processes) and ran the frida-server program (the ampersand at the end of the command makes it run in the background).
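As an added example (not code from the original article or from the Frida project), the steps above written as a script that asks the phone for its CPU type instead of guessing it, then pushes and starts the matching frida-server build. It assumes adb is on the PATH, exactly one rooted device with USB debugging is attached, the downloaded .xz archive sits next to the script, and the phone’s su binary accepts -c (the non-interactive form of the article’s su step). The version string is a placeholder; lzma is a Python 3 standard-library module, so on the article’s Python 2.7 setup decompress by hand and skip that step.

```python
"""Pick, decompress, push and start the frida-server build matching the phone.

Added example for the article's procedure; not Frida's or AppMon's own code.
Assumes: adb on PATH, one rooted device attached, archive downloaded locally,
and a su binary that accepts -c. Version numbers are placeholders.
"""
import lzma          # Python 3 standard library (not available in Python 2.7)
import os
import subprocess

# Android reports its primary ABI in the ro.product.cpu.abi system property;
# Frida names its server builds by architecture. Mapping from one to the other:
ABI_TO_FRIDA_ARCH = {
    "arm64-v8a": "arm64",
    "armeabi-v7a": "arm",
    "armeabi": "arm",
    "x86": "x86",
    "x86_64": "x86_64",
}

REMOTE_PATH = "/data/local/tmp/frida-server"   # same location the article uses


def is_supported_abi(abi):
    """True if Frida publishes an Android server build for this ABI."""
    return abi.strip() in ABI_TO_FRIDA_ARCH


def frida_arch_for_abi(abi):
    """Map an Android ABI string (e.g. 'arm64-v8a') to Frida's suffix ('arm64')."""
    abi = abi.strip()
    if abi not in ABI_TO_FRIDA_ARCH:
        raise ValueError("unsupported ABI %r" % abi)
    return ABI_TO_FRIDA_ARCH[abi]


def frida_archive_name(version, abi):
    """File name of Frida's Android server release archive for this device."""
    return "frida-server-%s-android-%s.xz" % (version, frida_arch_for_abi(abi))


def device_abi():
    """Ask the attached device for its primary ABI via adb."""
    out = subprocess.check_output(["adb", "shell", "getprop", "ro.product.cpu.abi"])
    return out.decode("utf-8", "replace").strip()


def push_commands(local_path):
    """The article's adb commands as argument lists, for the given local file."""
    return [
        ["adb", "push", local_path, REMOTE_PATH],
        ["adb", "shell", "chmod 755 " + REMOTE_PATH],
        # Non-interactive equivalent of "adb shell", "su", "frida-server &";
        # nohup + redirects stop adb from hanging on the server's open stdout.
        ["adb", "shell", "su -c 'nohup %s >/dev/null 2>&1 &'" % REMOTE_PATH],
    ]


def decompress_xz(archive_path, out_path):
    """Unpack the .xz archive to a plain file named like the article expects."""
    with lzma.open(archive_path, "rb") as src, open(out_path, "wb") as dst:
        dst.write(src.read())
    return out_path


def install_frida_server(version):
    abi = device_abi()
    archive = frida_archive_name(version, abi)
    if not os.path.exists(archive):
        raise SystemExit("download %s for this %s device first" % (archive, abi))
    binary = decompress_xz(archive, "frida-server")
    for cmd in push_commands(binary):
        subprocess.check_call(cmd)
    print("frida-server started on a %s device" % abi)


if __name__ == "__main__":
    install_frida_server("NN.N.NN")   # replace with the version you downloaded
```

Run it from the directory holding adb.exe and the archive; if the ABI the phone reports is not one Frida ships a build for, it stops with a ValueError rather than pushing the wrong binary.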

Prepping Windows

Windows now needs to be prepared to run Android Tracer. Tracer is written in Python, and Python must be installed for it to run.

By placing Python and adb within the Windows Environment Variables, you can run both ADB and Python without having to be in the directory where adb.exe or python.exe are installed.

Installing Python 2

Here’s a quick guide on getting started with Python 2.7, which at the time of writing is the most current version of Python 2.

Browse to the Python website and select “download” next to the latest version of Python 2 (2.7.15 at the time of writing). Scroll down until you see the MSI installers for 64-bit and 32-bit environments, and select the one that matches your version of Windows. Once downloaded, launch the MSI file and follow the installation instructions.

Python and ADB Windows Environment Variables

On Windows 10, open Control Panel and search for “environment variables”. Under System select Edit the system environment variables.


Select Environment Variables at the bottom of the window. This pops open a new window where you’ll see User variables for <your user> and System variables. Under System variables there is a variable named Path. Select this so that it’s highlighted as shown in the screen grab below and then select Edit….

Select New to add the adb directory to the existing list, and enter the directory where adb.exe is currently located (e.g. C:\Program Files\ADB\).

Select New a second time and add the location of python.exe (e.g. C:\Python27\).

Select New for the last time and add the location of pip.exe (e.g. C:\Python27\Scripts\).

Installing AppMon Dependencies

In order to run AppMon on Windows, there are a few Python dependencies which are required.

AppMon makes use of argparse, frida, flask, termcolor and dataset.

Run the following command on your Windows device to install these dependencies:

    pip install argparse frida flask termcolor dataset --upgrade

Installing AppMon

On the AppMon GitHub page, select “Clone or download” and download the zip file containing AppMon. Unzip the appmon-master folder to a convenient location on your Windows device.

Now navigate to the location where AppMon is unzipped and go into the folder named tracer. Hold shift and right click in this directory and then select the option to Open command window here.

You can now use Tracer to monitor if a mobile app is eavesdropping when it shouldn’t be.

An example command to see if WhatsApp is listening when it shouldn’t is provided in the following section.

Monitoring Your Microphone

This is where all the hard work pays off.

We can now run Android Tracer to monitor when the microphone starts to record:

    python android_tracer.py -a "com.whatsapp" -c "*AudioRecord*" -m "startRecording"

Above, -a "com.whatsapp" says you want to monitor the app whose package name is com.whatsapp; the -c option specifies the class (Java sub-program) to monitor; and -m says which specific method (Java function) to watch out for.

The asterisks in the text string “*AudioRecord*” denote that you want to match any characters at the start and end of the text.

This makes it easy to keep an eye on a whole set of related classes or methods without listing every one explicitly – any method that has “AudioRecord” somewhere in its name will match.

Android’s comprehensive developer documentation has a complete list of classes and methods you might want to monitor – for example, we’re monitoring startRecording in the AudioRecord class here, but you might want to look at takePicture in the Camera class instead.
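As an added example (an independent re-implementation, not AppMon’s or Tracer’s own code and not from the original article), this is what a command like the one above reduces to when done directly with the frida Python bindings: a wildcard matcher for the -c and -m patterns, and a Frida agent that hooks every overload of each matching method and reports each call back to the PC. It assumes frida-server is running as root on the phone, `pip install frida` has been done on Windows, and the app is already running under the package name given; the package, class and method names are the article’s own.

```python
"""Hook methods matching wildcard patterns in a running Android app via Frida.

Added example; not AppMon/Tracer code. Assumes frida-server is running as
root on the phone and the frida Python package is installed on the PC.
"""
from __future__ import print_function
import fnmatch
import json
import re
import sys


def glob_to_regex(pattern):
    """Turn a shell-style wildcard such as '*AudioRecord*' into an anchored regex."""
    return re.compile(fnmatch.translate(pattern))


def matching_names(pattern, names):
    """Filter class or method names by the wildcard, as the -c/-m options do."""
    rx = glob_to_regex(pattern)
    return sorted(n for n in names if rx.match(n))


# Frida agent (JavaScript) that runs inside the target app. The %s placeholders
# are filled with JSON string literals, so the patterns cannot break the script.
AGENT_JS = r"""
function globToRegExp(g) {
    var esc = g.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    return new RegExp('^' + esc.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}
var classGlob = %s, methodRx = globToRegExp(%s);
function hookClass(name) {
    var clazz;
    try { clazz = Java.use(name); } catch (e) { return; }
    // Collect matching method names via reflection, then hook every overload.
    var names = [], seen = {}, methods = clazz.class.getDeclaredMethods();
    for (var i = 0; i < methods.length; i++) {
        var m = methods[i].getName();
        if (!seen[m] && methodRx.test(m)) { seen[m] = true; names.push(m); }
    }
    names.forEach(function (m) {
        var wrapper = clazz[m];
        if (!wrapper || !wrapper.overloads) return;
        wrapper.overloads.forEach(function (overload) {
            overload.implementation = function () {
                send({cls: name, method: m,
                      args: Array.prototype.slice.call(arguments).map(String)});
                return overload.apply(this, arguments);   // run the real method
            };
        });
    });
}
Java.perform(function () {
    if (/[*?]/.test(classGlob)) {
        var classRx = globToRegExp(classGlob);
        Java.enumerateLoadedClasses({
            onMatch: function (n) { if (classRx.test(n)) hookClass(n); },
            onComplete: function () { send({status: 'hooks installed'}); }
        });
    } else {
        hookClass(classGlob);   // Java.use loads the class if it is not loaded yet
        send({status: 'hooks installed'});
    }
});
"""


def hook_script(class_glob, method_glob):
    """Return the agent source with both patterns embedded as JSON literals."""
    return AGENT_JS % (json.dumps(class_glob), json.dumps(method_glob))


def format_event(payload):
    """One log line per intercepted call, e.g. android.media.AudioRecord.startRecording()."""
    if "method" in payload:
        return "%s.%s(%s)" % (payload["cls"], payload["method"], ", ".join(payload["args"]))
    return payload.get("status", str(payload))


def on_message(message, data):
    if message.get("type") == "send":
        print("[*] " + format_event(message["payload"]))
    else:
        print("[!] %s" % (message,))   # agent errors arrive here


def trace(package, class_glob, method_glob):
    """Attach to the running app over USB and report calls until stdin closes."""
    import frida   # imported here so the helpers above work without frida installed
    device = frida.get_usb_device()
    session = device.attach(package)
    script = session.create_script(hook_script(class_glob, method_glob))
    script.on("message", on_message)
    script.load()
    sys.stdin.read()


if __name__ == "__main__":
    trace("com.whatsapp", "*AudioRecord*", "startRecording")
```

One design caveat: a wildcard class pattern is matched against classes already loaded at attach time, so a class the app loads later is missed; give the exact class name (android.media.AudioRecord) when you know it, and the agent forces it to load.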

Here’s what we uncovered on our test device:

If you’ve enjoyed researching what your mobile is getting up to behind the scenes, check out this article on oversharing apps.

New! Improvements to Android

Since writing this article, Android 9 Pie has been released, bringing with it some much-needed privacy for us all. In a statement on the Android Developers Blog, Dave Burke, VP of Engineering, said that the microphone won’t be accessible whilst the app is idle:

 

The system now restricts access to mic, camera, and all SensorManager sensors from apps that are idle.

 


via:  nakedsecurity

Google Tracks Android, iPhone Users Even With ‘Location History’ Turned Off


Google tracks you everywhere, even if you explicitly tell it not to.

Every time a service like Google Maps wants to use your location, Google asks for your permission, but a new investigation shows that the company tracks you anyway.


An investigation by Associated Press revealed that many Google services on Android and iPhone devices store records of your location data even when you have paused “Location History” on your mobile devices.

Disabling “Location History” in the privacy settings of Google applications should prevent Google from keeping track of your every movement, as its own support page states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

 

However, AP found that even with Location History turned off, some Google apps automatically store “time-stamped location data” on users without asking them, contradicting that claim.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,” the AP explains.

“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

To demonstrate the impact of this practice, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android smartphone with ‘Location History’ switched off to prevent location data collection.

Even so, the map includes records of Dr. Acar’s train commute on two trips to New York and visits to the High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem.

To protect the privacy of Dr. Acar, the publication did not plot the most telling and frequent marker on the map which includes Acar’s home address.

 

According to the researchers, this privacy issue affects around two billion Android users and hundreds of millions of iPhone users across the world who rely on Google for maps or search.

Google Admits Tracking Users’ Location

In response to AP’s investigation, Google issued the following statement:

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web, and App Activity, and through device-level Location Services. We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”

Technically, then, Google has made this clear, but Jonathan Mayer, a Princeton researcher and former chief technologist for the FCC’s enforcement bureau, argued:

“If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off. That seems like a pretty straightforward position to have.”

Here’s How to Stop Google From Tracking Your Location

To stop Google from saving time-stamped location markers, users need to turn off another setting, called “Web and App Activity”—a setting which is enabled by default and stores a variety of information from Google apps and sites to your Google account.

Once disabled, it will not only stop Google from storing location markers but also prevents the company from storing information generated by searches and other activities.

For any device:
Open your web browser, go to myactivity.google.com, select “Activity Controls” from the upper left drop-down menu, and now turn off both “Web & App Activity” and “Location History.”

For Android Devices:
Head on straight to the “Security & location” setting, scroll down to “Privacy”, and tap “Location.” Now you can toggle it off for the entire device.

You can also use “App-level permissions” to disable access to various apps.

For iOS Devices:
If you use Google Maps, go to Settings → Privacy → Location Services and set the app’s location access to ‘While Using’ the app. This will prevent the app from accessing your location when it is not active.

 

via:  thehackernews

Thinking of becoming an IT manager? Consider these key questions

If you’re looking to move into IT management, be sure you evaluate both the upsides and any potential downsides. Here are some questions to help you determine whether this is the right path to pursue.

In 2014, CareerBuilder conducted a survey and found that more than one-third of employees had no aspirations to become a manager. Reasons varied, but high on the list were concern about long hours, the inability to work and fulfill family responsibilities at the same time, and a general dislike for conflict management, which inevitably occurs whenever people are involved.

Still, companies (and the way they construct career paths) are skewed toward rewarding those who climb management ladders more than rewarding accomplished technical experts. Because of this, many employees in IT decide to pursue a career in management.

But is management right for you?

Here are five questions that IT professionals aspiring to become managers should ask themselves.

1. Can you give up being a techie?

Unless you’re operating in a two-person shop, you’ll have to give up configuring servers and networks or coding applications if you become an IT manager. You’ll be asked to do many more things, such as managing people and projects, negotiating budgets, and mediating conflicts. For a long time before I chose to go into IT management, I kept trying to place myself in positions where I could build my application development skills—but every time I landed an app developer role, I got pulled off the assignment to manage a project. I finally gave up trying to develop apps as a career.

2. How comfortable are you with difficult people?

You’ll encounter many kinds of personalities as a manager. Among the most difficult will be peers you went out to lunch with who are suddenly your subordinates. Newly minted managers have lost friendships over this, because it is difficult for peers to suddenly accept subordinate roles. Other people challenges involve overdeveloped egos of technical gurus who don’t want to take orders from a “pencil pusher” who is “practicing his buzzwords in his office.” In still other cases, you may run into powerful end-user managers who want projects done their way, even though their way will make projects fail. Then, there is the “good person” who tries and tries but just can’t do the job. You’ll be faced with having to reassign or fire them. All of these are challenging people issues that managers face.

3. How will you keep up with technology?

Even if IT management takes you away from the day-to-day business of configuring networks or developing apps, you still have to find ways to keep up with technology so you can be in a position to evaluate project progress and have meaningful conversations with your most technical staff members.

I once worked for an IT director who refused to get out of his office and really examine what was happening in a major project. The project manager was telling him that all tasks were complete and on schedule, but they weren’t. As staff members, we finally went to the director and told him that the project was in trouble. By then, it was too late. The director lost his job and most of our staff were let go, too.

4. Can you take the heat and the hours?

All projects develop snags. When they do, it is up to the management to work late and get them resolved. The onus is placed on the manager. Be prepared to take the heat from your end users—even if what has happened isn’t anything you could have known about. This accountability goes with the job of being a manager.

5. Will you get job satisfaction?

As a manager, you get more autonomy in your job and are also in line to receive raises and promotions. All of these contribute to job satisfaction but not everyone is satisfied with being a manager. A Harvard Business Review article said that men were more satisfied with their management positions than women were. Some of the reasons were the glass ceiling and the subtle challenges to leadership legitimacy that women continue to experience in their organizations. As a woman CIO, I felt these challenges as well—but it didn’t stop me from wanting management. In the end, I realized that it was most important for me to feel I was doing the job I was best suited for. In my case, it was management. Ultimately, this is the decision all IT’ers who aspire to become managers must make: Is management the best way for you to express your individual talents and feel good about what you do?

 

via:  techrepublic

New Man-in-the-Disk attack leaves millions of Android phones vulnerable


Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks.

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps use the ‘External Storage’ system to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.


However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

How the Android Man-in-the-Disk Attack Works

Similar to the “man-in-the-middle” attack, the concept of “man-in-the-disk” (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative “would lead to harmful results.”


For instance, researchers found that the Xiaomi web browser downloads its latest version onto the external storage of the device before installing the update. Since the app fails to validate the integrity of the data, the app’s legitimate update code can be replaced with a malicious one.

“Xiaomi Browser was found to be using the External Storage as a staging resource for application updates,” the researchers said in a blog post.
“As a result, our team was able to carry out an attack by which the application’s update code was replaced, resulting in the installation of an alternative, undesired application instead of the legitimate update.”

In this way, attackers can get a man-in-the-disk position, from where they can monitor data transferred between any other app on the user’s smartphone and the external storage and overwrite it with their own malicious version in order to manipulate or crash those apps.

 

The attack can also be abused to install another malicious app in the background without the user’s knowledge, which can eventually be used to escalate privileges and gain access to other parts of the Android device, like camera, microphone, contact list, and more.
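As an added example (not from the Check Point write-up and not code from any of the apps it names), the integrity check that the staging flow described above is missing, shown in Python because the rest of this page’s code is Python; the same logic applies in the Java of an Android app. The model: the app fetches an update over an authenticated (TLS) channel into external storage, which every app on the device can write to, and later reads it back to install. The expected SHA-256 and size come from the same authenticated metadata and are kept in private internal storage. All file names and contents are constructed for the demo, and temporary directories stand in for /sdcard and the app’s private directory.

```python
"""Vulnerable vs. verified staging of a downloaded update through shared storage.

Added example; not the Check Point write-up's code nor any vendor's. File
contents and paths are constructed; temp dirs stand in for external and
internal storage.
"""
import hashlib
import hmac
import os
import shutil
import tempfile


class IntegrityError(Exception):
    """Raised when the staged update does not match the trusted metadata."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class UpdateMetadata(object):
    """Trusted facts about the update: received over TLS, kept in internal storage."""
    def __init__(self, sha256, size):
        self.sha256 = sha256
        self.size = size


def stage_update_insecure(shared_path):
    """Vulnerable pattern (what the write-up describes): whatever bytes are in the
    world-writable file are treated as the genuine update."""
    with open(shared_path, "rb") as f:
        return f.read()


def stage_update_verified(shared_path, private_dir, meta):
    """Hardened pattern: copy the file into app-private storage first, verify the
    private copy, and only ever use that copy. Verifying the shared file and then
    re-reading it would leave a window for a second swap (time-of-check/time-of-use)."""
    private_path = os.path.join(private_dir, "update.bin")
    shutil.copyfile(shared_path, private_path)
    with open(private_path, "rb") as f:
        data = f.read()
    if len(data) != meta.size:
        raise IntegrityError("size %d != expected %d" % (len(data), meta.size))
    # Constant-time comparison; a mismatch means the file was rewritten on disk.
    if not hmac.compare_digest(sha256_hex(data), meta.sha256):
        raise IntegrityError("SHA-256 mismatch on staged update")
    return data


def demo(tampered):
    """Run both patterns against a constructed update; report what each installed."""
    genuine = b"GENUINE-UPDATE-PAYLOAD v2"                 # constructed sample update
    replaced = b"SOMETHING-ELSE-WRITTEN-BY-ANOTHER-APP"    # constructed substitution
    meta = UpdateMetadata(sha256_hex(genuine), len(genuine))  # from the TLS metadata
    sdcard = tempfile.mkdtemp()    # stands in for external storage
    private = tempfile.mkdtemp()   # stands in for the app's internal storage
    try:
        shared = os.path.join(sdcard, "update.bin")
        with open(shared, "wb") as f:
            f.write(genuine)       # the app's own download lands here
        if tampered:
            with open(shared, "wb") as f:
                f.write(replaced)  # any app holding the storage permission can do this
        insecure_genuine = stage_update_insecure(shared) == genuine
        try:
            verified_installed = stage_update_verified(shared, private, meta) == genuine
        except IntegrityError:
            verified_installed = False   # refused: nothing gets installed
        return {
            "insecure_installed_genuine": insecure_genuine,  # False: it ran the swap
            "verified_installed": verified_installed,        # False: it refused
        }
    finally:
        shutil.rmtree(sdcard)
        shutil.rmtree(private)


if __name__ == "__main__":
    print("clean   :", demo(tampered=False))
    print("tampered:", demo(tampered=True))
```

Better still is not to stage through external storage at all, which is what Google’s internal-storage guideline quoted above amounts to. Note that the digest must be tied to the update the app expects (from authenticated metadata, or a signature over the file checked with a key the app ships): Android’s installer verifies an APK’s own signature, but it will happily install a differently signed package as a new app, which is exactly the “alternative, undesired application” outcome the researchers describe.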

Man-in-the-Disk Attack Video Demonstrations

Check Point researchers also managed to compromise files and crash Google Translate, Google Voice-to-Text, and Yandex Translate because those apps also failed to validate the integrity of data used from the Android’s external storage.


Among the apps that Check Point researchers tested for this new MitD attack were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech, and Xiaomi Browser.


Google, whose own apps did not follow its security guidelines, acknowledged and fixed some affected applications and is in the process of fixing other vulnerable apps as well, Check Point said.

 

Besides Google, the researchers also approached the developers of the other vulnerable applications, but some, including Xiaomi, declined to fix the issue, according to the researchers.

“Upon discovery of these application vulnerabilities, we contacted Google, Xiaomi, and vendors of other vulnerable applications to update them and request their response,” Check Point researchers said.
“A fix to the applications of Google was released shortly after, additional vulnerable applications are being updated and will be disclosed once the patch is made available to their users, while Xiaomi chose not to address it at this time.”

The researchers stressed that they only tested a small number of major applications and therefore expect the issue to affect a far larger number of Android apps than those they explicitly named, leaving millions of Android users potentially vulnerable.

 

via:  thehackernews

 

Alert Fatigue Is a Big Cybersecurity Problem

Alarms and alerts surround us every day. From the moment our clocks wake us up in the morning, we rely on alarms for many things. But what happens when those alarms and alerts malfunction? What does it do to us and how does that affect our day to day life? Recall the Dallas Emergency Alert Malfunction.

As it turns out, getting tired of these alarms can prove dangerous to cybersecurity.

A few years ago, Nick was traveling through Newark airport in New Jersey. All of a sudden, the airport alarm system started going off. He stopped and looked around as everyone just paused for a moment, stared at one another, then went along their way. In just a few moments, the alarm became an annoyance – not a sign of any real danger.

Several years back, however, he was at the LAX airport during a TSA-involved shooting, so the alarm panicked him. Nick ran up to the closest TSA agent and asked what was going on; it’s not often you hear a global alert system go off. The agent’s response to his question was, “I don’t know,” and they didn’t seem concerned to find out. Different rant for a different day.

The point is, we’ve all experienced false alarms in our lives just like this one. Fire alarms go off by accident in our workplace or college dorm. Ocean safety authorities release false tsunami alarm after false tsunami alarm. When we first hear these alerts, we’re likely filled with panic. But the more these alerts falsely sound, the more our panic diminishes.

Much like the villagers in the “Boy Who Cried Wolf” story, we’ve become immune to what would otherwise be a sign of real danger. This is known as alarm fatigue. Each time we hear false alarms, we’re being desensitized to the stimulus, whether consciously or not. Our attention gets shorter and our reaction time (e.g., leaving the building) gets longer.

In our increasingly connected world, digital alarms surround employees every day. Depending on the employee’s role, they may even rely on alarm systems to perform their jobs. Take, for example, a security operations center (SOC) and the importance of alarms in that environment. False positives aren’t just an annoyance – they can harm an organization when responses to security events are delayed or non-existent.

The same applies outside of SOCs and the other settings in which security staff work. We have employees who are not security experts (in fact, most of them probably aren’t), so we use alerts and alarms to keep them informed about security risks. Right after a major, newsworthy cyber event, for instance, many IT departments might send an email saying, “Watch out for phishing emails! Stay alert, and help protect our clients’ data.”

Phishing awareness training is obviously important, and framing security in ways that employees can understand (e.g., protecting customer interests) is critical, as well. However, companies and governments are constantly experiencing data breaches and other cyberattacks, which means these warning emails are sent quite frequently. Considering what we now know about alarm fatigue, do we really believe this works to prevent phishing?

The same idea applies when security incidents occur at an organization. While we certainly should educate our employees and empower them to be more cyber-secure, we also shouldn’t overload them.

“Malware launched against company networks – don’t open an email from humanresources @companyname.com!”

“An employee’s credentials were recently stolen. Enable two-factor authentication on all of your accounts!”

And so on.

These alerts are trying to help, but if employees tune out as soon as they hear “cyber” or “encryption” or “cybersecurity,” are they really going to pay attention when they receive an overload of these emails? More specifically, how quickly is alarm fatigue going to set in if employees receive constant reminders and alerts?

While the answer is by no means simple, this is just another reason to make cybersecurity “for the human.” We have to study how cognitive biases impair human decision-making and then design security training with that in mind. We have to fight the “scariness” of cybersecurity so employees will actually read and understand security alerts. And we have to build an internal alert system within our employees – one that becomes instinctual behavior – rather than just relying on beeps, dings, and pop-ups from software programs.

If we are to better prepare security professionals and non-professionals alike to face the complex landscape of threats, we need to recognize, study, and design around alert fatigue.

 

via:  tripwire

Amazon Rapids, the chat fiction app for kids, is now free


Amazon Rapids, the chat fiction app that encourages kids to read by presenting stories in the form of text message conversations, is now going free. Previously, Amazon had been charging $2.99 per month for a subscription that allows unlimited access to its story collection, which now numbers in the hundreds.

First launched in November 2016, Amazon Rapids was meant to capitalize on kids’ interest in chat fiction apps like Hooked, Yarn, Tap and others, which tend to cater to a slightly older teenage crowd. Amazon Rapids, meanwhile, was the schoolager-appropriate version, without the swearing, alcohol, sex and yeah, even incest references you’ll find in the Hooked app, for example. (Yuck. Delete.)

Instead, Amazon Rapids’ stories are aimed at kids ages 5 to 12 and generally just silly and fun. They’re not meant to addict kids through the use of cliffhangers and timeouts, nor are they scary.

Some of the app’s stories also serve as crossovers that helped promote Amazon’s kids’ TV shows, like “Danger & Eggs,” and “Niko and the Sword of Light.” These were authored by the shows’ writers, allowing them to extend the show’s universe in a natural way.

In addition, the app included educational features like a built-in glossary and a read-along mode to help younger readers.

However, the app wasn’t heavily marketed by Amazon, and many parents don’t even know it exists, it seems.

According to data from Sensor Tower, Amazon Rapids has been installed only around 120,000+ times to date, three-quarters of which are on iOS. (Subscription revenue goes through Amazon, not the app stores, so the firm doesn’t have a figure for that.)

Amazon Rapids is ranked pretty low on the App Store, at No. 1105 for iPhone downloads in the Education category, and No. 1001 on iPad. The highest it ever reached was No. 65 on iPad.

Oddly, it chose not to compete in the “Books” category, where the other chat fiction apps reside, as do the other non-traditional “book” apps, like Wattpad’s crowd-sourced fiction app, Audible’s audiobooks app, various comics apps, and others.

Amazon now says that the hundreds of stories in Rapids will be free going forward. Families can also listen to some of these stories through the Storytime Alexa skill, launched last summer, which includes stories from Amazon Rapids, along with others.

Given Amazon Rapids’ small user base, it’s clear that Amazon no longer believes it makes sense to try to sell subscriptions, and likely now sees its database of stories as more of a value-add for Alexa owners.

That said, it’s unclear what this means for Rapids’ future development and story catalog, which may not continue to grow.

Update: Amazon tells us its immediate focus is not going to be on adding new content to Rapids, but on adapting its stories for the Amazon Storytime skill.

Monthly subscribers will no longer be charged and annual subscribers will be refunded for the remainder of the year. As a “thank you,” each customer will also receive a $5 promotional credit.

 

via:  techcrunch