
New bill could let companies retaliate against hackers

A new proposed bill could make it legal for companies to retaliate against hackers.

Dubbed the “hack back” bill, it was introduced last week to allow businesses to hack the hackers who’ve infiltrated their computer networks.

Called the Active Cyber Defense Certainty (ACDC) Act, it amends the Computer Fraud and Abuse Act anti-hacking law so a company can take active defensive measures to access an attacker’s computer or network to identify the hackers, as well as find and destroy stolen information. It was introduced by two U.S. Representatives, Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.

“I’ve heard folks say this is like the Wild West what we might be proposing, but in fact it’s not,” Graves told CNN Tech’s Samuel Burke in an interview. “We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.”

But security experts warn the legislation could have serious consequences if passed.

According to digital forensics expert Lesley Carhart, the fundamental problem with the idea is that a majority of organizations who would want to hack back aren’t qualified to do so responsibly. It often takes a long time to correctly identify who was responsible for a hack.

“In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware,” Carhart said. “A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.”

One way researchers place blame on a person or group for a hack is by looking at the evidence left in code. For example, researchers found similarities between the WannaCry code and malware created by Lazarus group, a hacking operation that has been linked to North Korea, earlier this year. Intelligence agencies later connected the country to the massive ransomware attack.

But it’s not uncommon for hackers to spoof that evidence and try and trick analysts into thinking it came from somewhere else, such as putting code from known hacking groups, or innocent third-parties, into their malware.

The bill says active defense measures could only be taken inside the U.S., which means it would have limited benefit. A majority of attacks are based outside the country or route their attacks through servers overseas so it looks like they’re coming from overseas, said Amanda Berlin, author of the Defensive Security Handbook.

Companies would also be required to alert the National Cyber Investigative Joint Task Force, an organization led by the FBI, before trying to hack their hackers. The agency could also review active defensive measures before they’re taken.

The FBI and other law enforcement agencies are already involved in investigating and prosecuting cybercrime. They work closely with major security firms and companies impacted by breaches. However, a relatively low number of businesses in the private sector report ransomware, a common and lucrative cyberattack.

Carhart says poking around in a hacker’s network could impede law enforcement investigations and court proceedings by potentially contaminating evidence.

The FBI defense review also introduces some thorny foreign retaliation issues, as Kristen Eichensehr, assistant professor at UCLA School of Law, explained in Just Security, a national security publication.

“The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors,” she wrote.

However, some firms already engage in hacking back, despite the illegality. Graves said the bill could put some parameters on that behavior.

“Word on the street is many companies are already doing some of these things,” Graves told Burke in an interview. “They know, you know, and I know that they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.”

He also said he hopes additional tools will be developed by the security community that can protect people from hackers.

Some experts believe resources may be better spent elsewhere than on retaliation. According to Berlin, companies should invest in their existing infrastructure to prevent hacks in the first place.

“So many corporations get the basics wrong, or skip steps to spend money on some fancy blinky box that’s supposed to protect them from everything,” Berlin said.

This year’s most serious hack was not sophisticated. Equifax failed to patch a software hole despite a fix existing for months before hackers compromised data on 145.5 million people.

To keep systems secure, Berlin advised companies to remove non-essential machines from direct internet access, and patch early and often to prevent hackers from exploiting known holes. If something can’t be updated or fixed, it should be separated from other networks.

Experts warn that hacking back could also hurt innocent third-parties.

Consider Mirai, a massive botnet that turned connected home devices into an army of zombie computers controlled by one attacker. If a company was attacked by a botnet like Mirai and tried to hack back, they could be hitting an innocent family’s network connected to a security camera, instead of the real person behind the attack.

“I’m afraid it will take us back to ancient Babylon and Hammurabi code which called for an eye for an eye and a tooth for a tooth,” said Bassel Ojjeh, cofounder and CEO of security firm LigaData. “And everyone at this rate will go blind.”


via: money.cnn

Now German companies are beating the drum over poor patent quality

New European Patent Office chairman gets in on it.

The issue of falling patent quality at the European Patent Office (EPO) has again reared its head, this time thanks to German intellectual property lawyers.

Following a testy exchange last week at an official meeting of the EPO’s Administrative Council where staff aired their grievances and were attacked by EPO president Benoit Battistelli in response, companies are now raising their concerns.

According to German newspaper Heise, a meeting at the Max Planck Institute in Munich grew heated when a group of patent lawyers used a presentation by new EPO chairman Christoph Ernst to make their views known about the “System Battistelli”.

For several years Battistelli has been aggressively pushing changes at the EPO aimed at increasing the number of patents that are reviewed and approved. The result of that drive has been a complete breakdown in communications between EPO staff and management – but that is something many consider a price worth paying in order to “modernize” the EPO and keep it in line with other competing patent authorities in the US and Japan.

The problem, as the patent attorneys told Ernst, is that despite official EPO claims stating the opposite, quality is starting to fall as a result of the changes.

Happy talk

Ernst gave an optimistic presentation to the group about the future of the European patent system in which he painted the rising patent numbers as a positive development and noted that advances in a common European patent system was going to benefit everyone. (Although the Unitary Patent Court is currently on hold in part because of structural changes forced through by Battistelli.)

Attendees were less enamored and noted that greater patent numbers were coming as a result of overworking examiners. A representative of the Grünecker law firm, Gero Maatz-Jansen, warned that the heavy workload combined with pressure by management to hit performance targets was having perverse knock-on impacts.

Patent filings were being approved or rejected much faster but patent lawyers have noticed that more mistakes were being made, the room heard. That could end up undermining the entire system, Maatz-Jansen warned – and his comments were reportedly met with a round of applause. Others made broadly the same point using their own recent experiences as evidence.

In order to turn around filings much faster, examiners were rejecting applications for minor procedural errors, another lawyer claimed. Others said that EPO reports and comments on their patent applications were not as considered or in-depth, and research into prior art was slammed as being “superficial”. Efficiency was taking priority over quality.

That point was also made last week by a Reg commenter who complained that even though his patent application had been noted as valid by the EPO, “the brief comments given provide just one reference to another document – and that one has very little to do with the subject of my invention. Seems that a poor soul under heavy pressure to close as many open cases as quickly as possible just did that.”

A further warning was relayed by another German IP lawyer who was present at the meeting. Thorsten Bausch warned in a blog post that there is also a “catastrophic backlog of EPO appeal cases” and argued – in all caps – that “URGENT ACTION IS REQUIRED HERE! This matter should not be allowed to wait until the next EPO President takes over.”

Evidence?

Although Ernst has been a frequent critic of some of Battistelli’s reforms in recent years (and the German government’s representative on the EPO for longer), he pushed back on the idea that quality was deteriorating.

There is no solid evidence of a fall in quality, he countered, and pointed out that the number of appeals had actually fallen. “The mere fact that more patents are granted does not mean that the quality suffers,” he argued.

However, Elizabeth Hardon, an EPO staffer who was controversially fired by Battistelli for resisting his reforms, was also present at the meeting and said that it is going to take a few years for a decline in quality to be officially recognized as poor patents are challenged in nullity actions.


via: theregister

Homeland Security orders federal agencies to start encrypting sites, emails

Three-quarters of the federal government uses encryption. Homeland Security says that isn’t enough.

Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government.

Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit but also ensures that nobody can alter the contents of the website you’re visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks.

Now Homeland Security has set its sights on government agencies, which have for years fallen behind.

The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks. Enabling that email policy will prevent spammers from impersonating federal email addresses to send spoofed email.

The agency is also requiring all federal agencies to deploy HTTPS within the next four months.

If you thought the government already had that policy, you’re not wrong.

In 2015, the Obama administration issued a directive that all federal government sites should be HTTPS by default by the end of 2016. More than two years later, about one-quarter of all federal sites still don’t support basic website encryption.

Perhaps ironically, only 70 percent of all Homeland Security domains support HTTPS. Even fewer enforce the encryption by default.

The agency hopes that the remaining non-encrypted sites can get up to speed by early next year.

The order also asks that government agencies use other kinds of encryption, such as STARTTLS, a protocol that sends email over an encrypted channel when it’s available, on their email servers.
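The directive turns on the difference between a DMARC record that merely monitors and one that tells receivers to reject spoofed mail. The checker below is an added example, not code from DHS or the ZDNet article; it goes slightly beyond the text by also flagging the sp= and pct= tags that quietly weaken a reject policy. The records and the example.gov domain are constructed placeholders.

```python
"""
Assess a DMARC TXT record: does it only monitor spoofing, or reject it?
Added example, not DHS or ZDNet code; sample records are constructed and
example.gov is a placeholder domain.
"""
import re

# DMARC lives in the TXT record at _dmarc.<domain>, as 'tag=value' pairs
# separated by semicolons, e.g. "v=DMARC1; p=reject; rua=mailto:..."
TAG_RE = re.compile(r"([a-z]+)\s*=\s*([^;]*?)\s*(?:;|$)")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into a tag -> value dict, validating the basics."""
    tags = dict(TAG_RE.findall(txt.strip()))
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def assess_dmarc(txt: str) -> list:
    """Return findings that weaken spoofing protection. An empty list means
    receivers are told to reject unauthenticated mail for the domain and its
    subdomains, and the owner receives aggregate reports."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as err:
        return [f"invalid record: {err}"]
    findings = []
    policy = tags["p"]
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is flagged, not rejected")
    elif policy != "reject":
        findings.append(f"p={policy}: unknown policy value")
    # sp= overrides p= for subdomains; when absent, subdomains inherit p=.
    sub = tags.get("sp", policy)
    if policy == "reject" and sub != "reject":
        findings.append(f"sp={sub}: subdomains are not covered by the reject policy")
    # pct= applies the policy to only a sample of mail (default 100).
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append(f"pct={tags.get('pct')}: not a valid percentage")
    elif pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of mail")
    # Without rua= the domain owner never learns who is sending as them.
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua= aggregate-report address: spoofing goes unobserved")
    return findings


# Constructed sample records for a placeholder domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
PARTIAL_RECORD = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc-reports@example.gov"
ENFORCING_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov"

if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD),
                      ("enforcing", ENFORCING_RECORD)]:
        print(name, assess_dmarc(rec) or ["ok: rejects unauthenticated mail"])
```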

News of the announcement was lauded by one privacy-minded senator, who’s been on a crusade to get federal agencies up to speed on security.

Wyden called today’s move a “good, basic step,” in a statement to ZDNet.

“STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys,” he said. “It’s my hope that other government agencies recognize the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security.”


via: zdnet

DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks on two separate days have brought down several IT systems employed by Sweden’s transport agencies, causing train delays in some cases.

The incidents took place early in the mornings of Wednesday and Thursday, October 11 and 12, this week.

The first attack hit the Sweden Transport Administration (Trafikverket) on Wednesday. According to local press, the attack brought down the IT system that manages train orders. The agency had to stop or delay trains for the time of the attack.

Trafikverket’s email system and website also went down, exacerbating the issue and preventing travelers from making reservations or getting updates on the delays. The agency used Facebook to manage the crisis and keep travelers informed.

Road traffic maps were also affected, an issue that lingers even today, at the time of publishing, according to the agency’s website.

Three Swedish transportation agencies targeted

Speaking to local media, Trafikverket officials said the attack was actually directed at TDC and DGC, the agency’s two service providers, but was crafted so that it would take down the agency’s services.

Trafikverket was able to restore service in a few hours, but the delays affected the entire day’s train operations.

While some might initially have thought this was a random incident, the next day a similar DDoS attack hit the website of another government agency, the Sweden Transport Agency (Transportstyrelsen), and that of public transport operator Västtrafik, which provides train, bus, ferry, and tram transport for parts of Western Sweden.

Cyber-warfare implications

Taken together, both incidents give the impression of someone probing various parts of Sweden’s transportation system to see how the country would react to a cyber-attack and the resulting downtime.

The DDoS attacks come a week after a report that Russia was testing cyber-weapons in the Baltic Sea region.

In April 2016, Swedish officials blamed Russia for carrying out cyber-attacks on the country’s air traffic control infrastructure that grounded flights for a day in November 2015.


via: bleepingcomputer

Microsoft Quietly Patched the Krack WPA2 Vulnerability Last Week

Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerability released today, Microsoft quietly snuck the fix into last week’s Patch Tuesday.

While Windows users were dutifully installing October 10th’s Patch Tuesday security updates, little did they know they were also installing a fix for the KRACK vulnerability that was not publicly disclosed until today. This fix was installed via a cumulative update that included over 25 other updates, but didn’t provide any useful info until you visited the associated knowledge base article.

Windows 10 October Cumulative Update

Even if you were bored enough to actually click on the More info button, you would have had to be REALLY bored to spot the vague mention of a wireless security update in the last bullet item of the knowledge base article.

Reference to Wireless Networking Security Update

A Microsoft spokesperson told BleepingComputer that “Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”

While I am not typically a fan of sneaky updates, I understand why it was necessary to fix the vulnerability while keeping information about it secret until it was officially disclosed.

Did Microsoft do the right thing by quietly patching the vulnerability, or is full disclosure the only way to go? I will let you decide.


The researcher who found the flaws doesn’t appear to think silent patches are a good idea. OpenBSD did the same thing and here is what he said in the FAQ on the KRACK website:

“Why did OpenBSD silently release a patch before the embargo?

OpenBSD was notified of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: “In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging”. Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability. In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.”


via: bleepingcomputer

WPA2: Broken with KRACK. What now?

On social media right now, strong rumors are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security.

The current name I’m seeing for this is “KRACK”: Key Reinstallation Attack. If this is true, it means third parties will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in to.

This has happened before with WiFi: who remembers WEP passwords? However, what is different this time around: there is no obvious, easy, replacement ready and waiting. This is suddenly a very big deal.

In truth, WPA2 has been suspect for some time now. A number of attacks against WPA2-PSK have been shown to be successful to a limited degree, WPA2-Enterprise has shown itself to be slightly more resilient (but doesn’t protect you from these problems).

This is a story that is unfolding as I write. Please be aware:

  • I’m not one of the researchers here: credit for this goes to Mathy Vanhoef and Frank Piessens at KU Leuven, who have a great track record of discovering problems here. I want to be clear about this as I’ve been quoted incorrectly in a couple of places!
  • www.krackattacks.com is now up! There is a list of vendor announcements being written, but remember all vendors are potentially affected. Few vendors appear to have updates ready.
  • Attacks against Android phones are very easy! Oh dear. Best to turn off WiFi on these devices until fixes are applied.
  • Windows and Mac OS users are much safer. Updates for other OSes will come quite quickly; the big problem is embedded devices for which updates are slow or never coming.
  • For the very technical, the CVE list is at the bottom of this post.
  • The main attack is against clients, not access points. So, updating your router may or may not be necessary: updating your client devices absolutely is! Keep your laptops patched, and particularly get your Android phone updated
  • Correction: I’ve highlighted specifically that WPA2-Enterprise is vulnerable.
  • If you have some great advice to share or corrections to this, please let me know!

Information here is good as of 2017-10-16 16:00 UTC.

So, this is going to be a horrible Monday morning for IT admins across the world. The practical question is: what now?

Keep Calm

Remember, there is a limited amount of physical security already on offer by WiFi: an attack needs to be in proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.

Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site – like this one – your browser is negotiating a separate layer of encryption. Accessing secure websites over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.

So, we’re alright?

In a word, no. There are plenty of nasty attacks people will be able to do with this. They may be able to disrupt existing communications. They may be able to pretend to be other nodes on the network. This could be really bad – again, they won’t be able to pretend to be a secure site like your bank on the wifi, but they can definitely pretend to be non-secure resources. Almost certainly there are other problems that will come up, especially privacy issues with cheaper internet-enabled devices that have poor security.

You can think of this a little bit like your firewall being defeated. WiFi encryption mainly functions to keep other devices from talking on your network (the security otherwise has been a bit suspect for a while). If that no longer works, it makes the devices on your network a lot more vulnerable – attackers in proximity will now be able to talk to them.

Story for your boss

Keep it simple, and ideally get ahead of the game by communicating now. Re-iterate:

  • this won’t let people who are not physically present into your networks (mobile phones with WiFi are, however, an attack vector that does not require physical presence);
  • it’s unlikely any data is protected by the encryption WPA2 provides; in particular, accessing secure websites is still fine;
  • think about increasing the level of security of the nodes on your network if possible – make sure your AV is up-to-date, firewalls turned on, etc.;
  • if you’re paranoid about certain data or systems, turn off WiFi and switch to one of: an internal VPN, a wired ethernet connection, or mobile data (for WAN access);
  • that you are on top of the situation and monitoring the best next steps.

In terms of what to do, in many ways, we’re at the behest of our vendors. If you have a high quality vendor (I would include companies like Ruckus and Cisco in this bracket, for example) I expect new firmware to be available very shortly to mitigate these problems. This may well result in incompatibility with existing devices: as a business, you will need to make a decision in that case (unless you need compliance with PCI-DSS or similar, in which case you likely have little choice).

Story for friends / family

This is where it gets really sucky. Lots of us have old routers at home, which have no chance of a firmware upgrade, and lots of WiFi equipment that may well not get a protocol upgrade if one is required. Right now, it sounds like all this stuff is going to be worthless from the perspective of encryption.

Reiterate the same points as above:

  • secure websites are still secure, even over WiFi;
  • think about setting your computers to “Public Network” mode – that increases the level of security on the device relative to “Private / Home Network” modes. Remember, if third parties can get onto our home networks, they’re no longer any safer than an internet café;
  • if you’re paranoid about your mobile, turn off WiFi and use mobile data when necessary;
  • it sounds like no similar attack against ethernet-over-mains power line is possible, so home networks based on mains plugs are probably still OK;
  • keep computers and devices patched and up-to-date.

What for the future?

As I said before, this is a big problem, but not one that was unexpected. A number of encryption protocols have been problematic over the years; many of the implementations of those protocols have been even worse.

It’s clear to me that “Internet of Things” type devices will be the hardest hit. Devices with embedded WiFi for secondary functional purposes, like TVs and baby monitors, are unlikely to get proper updates. As a protocol problem, it’s possible we will be forced to choose between security and functionality, and many users will choose the latter – it’s a difficult problem to weigh.

I would love to say there’s an easy answer. I think it’s important that networks become increasingly software-defined, and that it makes sense that future standards focus on that runtime rather than the protocol itself. We cannot rely on vendors to keep devices up-to-date either (for many reasons), but previous attempts at standardizing a runtime (like UEFI) aren’t promising, either technically or security-wise.

As consumers, we have to continually question the security credentials of devices we buy, and demand the best evidence of their security. This is a tough ask; even in the IT world, buying “secure” is difficult. In tech we must strive for better.

CVEs involved

If you don’t know what these are, don’t worry – they are the “official notifications” of a problem, if you like. If you have a vendor of WiFi equipment, you will want to ask them if they’re affected by any of these, and if so, what the solutions are:

  • CWE-323
  • CVE-2017-13077
  • CVE-2017-13078
  • CVE-2017-13079
  • CVE-2017-13080
  • CVE-2017-13081
  • CVE-2017-13082
  • CVE-2017-13083
  • CVE-2017-13084
  • CVE-2017-13085
  • CVE-2017-13086
  • CVE-2017-13087


via: alexhudson

Pizza Hut Notifies Customers of Data Breach

American restaurant chain Pizza Hut has notified customers of a data breach that might have exposed some of their personal and financial information.

On October 14, the Italian-American cuisine franchise wrote to a portion of its customer base about an “unauthorized third party intrusion” involving its website. Pizza Hut thinks that the incident might have affected individuals who placed an order using the company’s website or mobile application during the 28-hour period stretching from the morning of October 1st to around midday on October 2nd.

If that’s the case, it’s possible the event exposed customers’ personal and financial information including their names, street addresses, email addresses, and payment card details.

The food chain goes on to say in its letter that it’s since terminated the instance of unauthorized access:

“Pizza Hut identified the security intrusion quickly and took immediate action to halt it. The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected. That said, we regret to say that we believe your information is among that impacted group.”

A portion of Pizza Hut’s letter sent to affected customers. (Source: Bleeping Computer)


A Pizza Hut call center operator confirmed that the intrusion is believed to have affected 60,000 customers, reports The Sacramento Bee.

Upon learning of the incident, more than a few of these consumers took to social media. Many vented their frustration about having learned of the data breach two weeks after it occurred.


Such a delay isn’t necessarily a bad thing, however. Pizza Hut could have waited to notify customers to prevent other hackers from learning of the data breach. It could also have decided to forestall disclosure until it knew exactly how many customers were involved and what kinds of information the incident might have compromised.

Anyone who has received a notice from Pizza Hut should watch their bank accounts and credit statements for suspicious activity. If any unauthorized transactions pop up, they should notify their card issuer immediately.

News of this incident follows several months after Arby’s Restaurant Group, Inc. confirmed a breach of its payment systems at its corporate restaurant locations.


via: tripwire

Cryptocurrency mining affects over 500 million people. And they have no idea it is happening.

This autumn the news spread that some websites had been making money by mining cryptocurrencies in their users’ browsers. AdGuard has been among the first to add protection from this hidden activity. AdGuard users now receive warnings if a website has been trying to mine, and the users are given the option to let it continue or to block the mining script from running.

AdGuard decided to research the issue further so that they could understand its scale and impact. On the Alexa list of the top one hundred thousand websites, they looked for the code of CoinHive and JSEcoin, the most popular solutions for browser mining in use now.
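A scan like the one described above comes down to looking for the miner library and the calls that start it in each site’s HTML. The detector below is an added example, not AdGuard’s code; the script hosts and CoinHive API names it uses as signatures are assumptions drawn from public reporting, and the sample pages are constructed.

```python
"""
Detect known browser-mining scripts in a fetched HTML page.
Added example, not AdGuard's scanner. Signature hosts and API names are
assumptions from public reporting; sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed signatures: hosts that serve the miner library ...
MINER_HOSTS = {"coinhive.com": "CoinHive", "jsecoin.com": "JSEcoin"}
# ... and inline calls that instantiate a CoinHive miner with a site key.
MINER_INLINE = {"CoinHive.Anonymous(": "CoinHive",
                "CoinHive.User(": "CoinHive",
                "CoinHive.Token(": "CoinHive"}


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src.strip())
        else:
            self._in_script = True  # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def script_host(src: str) -> str:
    """Hostname of a script URL (scheme-relative allowed); '' for relative paths."""
    if "//" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()


def find_miners(html: str) -> list:
    """Return sorted (family, evidence) pairs for mining scripts in the page."""
    collector = ScriptCollector()
    collector.feed(html)
    hits = set()
    for src in collector.srcs:
        host = script_host(src)
        for miner_host, family in MINER_HOSTS.items():
            # Match the host itself and any subdomain such as load.jsecoin.com.
            if host == miner_host or host.endswith("." + miner_host):
                hits.add((family, src))
    for body in collector.inline:
        for needle, family in MINER_INLINE.items():
            if needle in body:
                hits.add((family, needle))
    return sorted(hits)


# Constructed sample pages; SITE_KEY_PLACEHOLDER stands in for a real key.
MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5});
  miner.start();
</script></head><body>Watch free episodes</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for name, page in [("mining", MINING_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, find_miners(page) or "no miner found")
```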

We found 220 sites that launch mining when a user opens their main page, with an aggregated audience of 500 million people. These people live all over the world; there are sites with users from the USA, China, South American and European countries, Russia, India, Iran… and the list goes on.

220 sites may not seem like a lot. But CoinHive was launched less than one month ago, on the 14th of September.

How much money have these websites made? We estimate their joint profit at over US $43,000. Again, right now it’s not millions, but this money has been made in three weeks at almost zero cost.

Examining the website list more closely, we discovered that many of them are from the “gray zone”, mostly pirate TV and video sites, Torrent trackers and porn websites. Judging from these characteristics, we begin to wonder if browser mining is a bad thing and if it should be banned from the Internet.

There may be a further explanation for the fact that browser mining is found mostly on websites with a shady reputation. These sites traditionally have trouble making money through advertising, so they are open to experiments and innovation. Porn sites have always been early adopters; a lot of new tech solutions were actually invented by porn site developers and later copied by other webmasters.

In fact, it was the largest torrent search engine, The Pirate Bay, that made CoinHive famous by being caught using it. But among the “early adopters” of CoinHive were the Web properties of CBS’s Showtime network, Showtime.com and Showmeanytime.com. CoinHive disappeared from the CBS sites shortly after media coverage of this activity began to break out. The assumption was made that the mining had been a private initiative of some adventurous Webmaster within the Showtime network.

The company’s video streaming platforms are the exact type of websites that are good for mining: They boast a huge audience that keeps their site open in their browsers for a long time.

The problem with in-browser mining is not that it’s a bad thing by itself. There are no good and bad tools and technologies, but there are good and bad ways to use them.

The ethical way for a website to earn money by mining through its audience’s computers is to ask the audience for permission first, and to allow them the possibility to opt out. Actually, such a practice could make mining even more ethical than ads. After all, nobody asks us if we would like to see ads on a website. Mining parasitizes the user’s CPU, whereas ads parasitize the user’s attention, emotions, bandwidth, and often their laptop or smartphone battery, and support an industry of personal data harvesting that is a big headache in and of itself.

The CoinHive team has issued a statement calling on website operators to inform their users about the mining operations and to ask for user permission to do this. However, we believe that it is very hard for them to force this recommendation into action; for example, they cannot forbid stealth mining.

But there are other ways to get miners to behave themselves. A popular CDN service called Cloudflare recently started to suspend accounts and deny service to sites that mine without user permission. A number of ad blockers and antivirus programs also added features that block browser mining.

AdGuard has also updated its apps to restrict mining. But it does not accomplish this by simply blocking it silently. Instead, it offers users the choice to let a site mine or to forbid it from launching mining in their browsers. This approach achieves two goals at once: it prevents hidden mining and exposes websites’ attempts to abuse the technology.
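To make the difference between silent blocking and the opt-in approach concrete, here is an added example (not code from AdGuard, CoinHive or any shipping blocker) of a request filter in the style of a browser extension’s webRequest hook. It matches each resource URL against a small illustrative signature list (the CoinHive hostname and loader filename, plus a constructed placeholder domain) and, on a match, applies the user’s remembered per-site choice or returns a “prompt” action when there is none. The site names, the sample requests and the example-miner.test domain are constructed for the demonstration.

```javascript
// Added example (not AdGuard's or CoinHive's code): a request filter in the
// style of a browser extension's webRequest hook. Instead of silently dropping
// miner loads, it applies the user's remembered choice for the site and asks
// when there is none. The signature list is illustrative, not a real filter list.
const MINER_SIGNATURES = [
  { re: /(^|\.)coinhive\.com$/i,       on: "host", label: "CoinHive script host" },
  { re: /coinhive(\.min)?\.js$/i,      on: "path", label: "CoinHive loader filename" },
  { re: /(^|\.)example-miner\.test$/i, on: "host", label: "constructed placeholder miner domain" },
];

const ASK = "ask", ALLOW = "allow", BLOCK = "block";

// Classify one resource URL: {miner: true|false, reason}.
function classifyRequest(url) {
  let u;
  try { u = new URL(url); } catch (e) { return { miner: false, reason: "unparseable URL" }; }
  for (const sig of MINER_SIGNATURES) {
    const subject = sig.on === "host" ? u.hostname : u.pathname;
    if (sig.re.test(subject)) return { miner: true, reason: sig.label };
  }
  return { miner: false, reason: "no miner signature" };
}

// Decide what to do with one request, given the choices the user has already
// made per site (Map: site -> ALLOW | BLOCK). Non-miner traffic always passes;
// a miner load on a site with no recorded choice yields "prompt".
function decide(request, sitePolicies) {
  const verdict = classifyRequest(request.url);
  if (!verdict.miner) {
    return { site: request.site, url: request.url, action: ALLOW, reason: verdict.reason };
  }
  const choice = sitePolicies.get(request.site) || ASK;
  const action = choice === ALLOW ? ALLOW : choice === BLOCK ? BLOCK : "prompt";
  const reason = choice === ASK
    ? `${verdict.reason}; no user decision for ${request.site}, so ask`
    : `${verdict.reason}; user chose ${choice} for ${request.site}`;
  return { site: request.site, url: request.url, action, reason };
}

// Remember the user's answer to a prompt so the site is not asked again.
function recordChoice(sitePolicies, site, allow) {
  sitePolicies.set(site, allow ? ALLOW : BLOCK);
  return sitePolicies;
}

function filterRequests(requests, sitePolicies) {
  return requests.map(r => decide(r, sitePolicies));
}

// Constructed sample traffic: "site" is the page that initiated the load.
const SAMPLE_REQUESTS = [
  { site: "news.example",      url: "https://news.example/static/app.js" },
  { site: "streaming.example", url: "https://coinhive.com/lib/coinhive.min.js" },
  { site: "torrents.example",  url: "https://cdn.example-miner.test/worker.js" },
  { site: "optedin.example",   url: "https://coinhive.com/lib/coinhive.min.js" },
];

// Choices the user made earlier (constructed).
const SAMPLE_POLICIES = new Map([
  ["torrents.example", BLOCK],
  ["optedin.example",  ALLOW],
]);

const decisions = filterRequests(SAMPLE_REQUESTS, SAMPLE_POLICIES);
for (const d of decisions) {
  console.log(`${d.action.padEnd(6)} ${d.site} <- ${d.url}  (${d.reason})`);
}
```

In a real extension the result of decide() would drive the return value of a chrome.webRequest.onBeforeRequest listener and the "prompt" action would open a per-site choice dialog. Matching on hostnames and filenames is trivially evaded by renaming or proxying the script, which is one reason a signature list alone is not a complete defence.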

Cryptocurrency mining on websites honestly does promise great possibilities. But these could be lost if abusive practices continue.

Why exactly is it so promising? Experts presently say that only sites with really huge audiences can make even somewhat substantial money on mining. Is this then just a game for a few, who actually don’t need any new monetization tools, since a big audience pays off perfectly with ads?

We see several reasons to believe in a big future for mining on sites:

  1. Cryptocurrencies are growing rapidly; existing currencies grow in value and new ones appear. Mining will eventually become more profitable.
  2. Mining may not promise huge profits, but neither do ads. An audience of a website might be big, but not “expensive” from the marketing point of view.
  3. Any alternative to advertising is a good thing. Ads annoy, so more and more people use ad blockers and simply do not see ads. Ads, after all, abuse users’ device resources — the same thing mining is criticized for. But what do we have besides ads, if we want a non-ecommerce website to feed us or at least to feed itself? We know that ideas like paid subscriptions and donations are truly at the end of the list. Of course, there are vehicles like crowdfunding, investments, and IPOs, but to put it mildly, these sources of capital are not accessible for everyone.

This is why we propose not to relegate cryptocurrency mining to the dark side by blocking it. We should harness this young and vigorous beast for our own common good.

  • UPDATE 1: Initially, the article contained a mistake – 220 of 100k is 0.22%, not 2.2%.
  • UPDATE 2: CTO of the largest website detected, uptobox.com (60M monthly visitors) said that they had removed the CoinHive code.
  • We used SimilarWeb to analyze web traffic for each site.

 

Check out: How to block cryptocurrency mining in web browser with chrome extensions and other free ways.

 

via:  adguard



Commit a crime? Your Fitbit, key fob or pacemaker could snitch on you.

Law enforcement entities are turning to Fitbits and similar internet-connected devices for information regarding criminal investigations.

The firefighter found Richard Dabate on the floor of his kitchen, where he had made a desperate 911 call minutes earlier, court records show. Bleeding and lashed to a chair with zip ties, the man moaned a chilling warning: “They’re still in the house.”

Smoke hung in the air, and a trail of blood led to a darkened basement, as Connecticut State Police swarmed the large home in the Hartford suburbs two days before Christmas in 2015.

Richard, 41, told authorities a masked intruder with a “Vin Diesel” voice killed his wife, Connie, in front of him and tortured him. Police combed the home and town of Ellington but found no suspect.

With no witnesses other than Richard Dabate, detectives turned to the vast array of data and sensors that increasingly surround us. An important bit of evidence came from an unlikely source: the Fitbit tracking Connie’s movements.

Others from the home’s smart alarm systems, Facebook, cellphones, email and a key fob allowed police to re-create a nearly minute-by-minute account of the morning that they said revealed Richard’s story was an elaborately staged fiction.

Undone by his data, Richard was charged with his wife’s murder. He has pleaded not guilty.

The case, which is in pretrial motions, is perhaps the best example to date of how Internet-connected, data-collecting smart devices such as fitness trackers, digital home assistants, thermostats, TVs and even pill bottles are beginning to transform criminal justice.

The ubiquitous devices can serve as a legion of witnesses, capturing our every move, biometrics and what we have ingested. They sometimes listen in or watch us in the privacy of our homes. And police are increasingly looking to the devices for clues.

The prospect has alarmed privacy advocates, who say too many consumers are unaware of the revealing information these devices are harvesting. They also point out there are few laws specifically crafted to guide how law enforcement officials collect smart-device data.

Andrew Ferguson, a University of the District of Columbia law professor, says we are entering an era of “sensorveillance” when we can expect one device or another to be monitoring us much of the time. The title of a law paper on the topic put the prospect this way: “Technology is Killing Our Opportunity to Lie.”

The business research company Gartner estimates 8.4 billion devices were connected to the internet in 2017, a 31 percent increase over the previous year. By 2020, the company estimates there will be roughly three smart devices for every person on the planet.

“Americans are just waking up to the fact that their smart devices are going to snitch on them,” Ferguson said. “And that they are going to reveal intimate details about their lives they did not intend law enforcement to have.”

– – –

The Dabates’ yellow Colonial was festively decorated with wreaths on the windows the morning of Dec. 23, 2015. Richard, Connie and their two boys, ages 6 and 9, bustled around getting ready for the day.

To many of their acquaintances, the family appeared to be an ordinary one in a quiet bedroom community. Richard was a network administrator, and Connie worked as a pharmaceutical sales representative.

Joann Knapp, a former neighbor of the Dabates, fondly recalls Connie popping over to her house to ask her out for walks while Knapp was having a difficult pregnancy. Knapp said Connie and Richard appeared to have a happy – even passionate – marriage.

“They couldn’t keep their eyes off each other,” Knapp said. “It was a look that you would want.”

But behind that public face, Connie’s killing would reveal a darkly tangled relationship and a major secret.

Richard and his attorney did not respond to requests for comment. Richard gave a detailed — but shifting — account of Connie’s killing to detectives over six hours on the day of the slaying. It is contained in his arrest warrant.

On the drive to work that morning, Richard said, he got an alert on his phone that the home’s alarm had been triggered. He said he shot an email to his boss and returned home, arriving there between 8:45 a.m. and 9 a.m.

Richard told police he heard a noise on the second floor and found a hulking intruder wearing camouflage and a mask inside the walk-in closet of the master bedroom. The intruder demanded his wallet at knifepoint.

Soon after, Connie returned home from an exercise class; Richard told investigators he yelled at her to run. Connie fled into the basement, and the intruder followed.

When Richard arrived on the lower level, he made his way through darkness, finding the man pointing a gun at Connie’s head. Richard said that the gun was his own and that Connie must have removed it from a safe to defend herself.

Richard said he charged but heard a deafening blast and fell. When he got up, Connie was slumped on the ground. Police would later determine the gunshot hit her in the back of her head.

The intruder disabled Richard and then zip-tied one of Richard’s arms and one of his legs to a folding chair, according to the account.

The intruder jabbed Richard with a box cutter. The man also started a fire in a cardboard box using a blow torch, which he then turned on Richard’s ankle.

Richard told investigators he saw an opening: He jammed the blow torch in the man’s face and singed it. The intruder ran out.

Richard said he crawled upstairs with the chair still attached, activated the panic alarm, called 911 and collapsed. The firefighter found him soon after.

– – –

The chaotic scene inside the Dabate home had all the hallmarks of a home invasion, but a few details would prompt investigators to take a closer look.

Dogs brought in to track the suspect could find no scent trails leaving the property and circled back to Richard, according to arrest records. Richard also aroused suspicion when detectives asked whether their probe would reveal any problems between him and Connie.

He took a deep breath and offered: “Yes and no.”

Richard told a bizarre story. He said that he had gotten a high school friend pregnant and that it was Connie’s idea. He said the three planned to co-parent the child, since his wife wanted another baby but could not have one for health reasons.

Later, Richard changed his story, saying that the pregnancy was unplanned and that he had a romantic relationship with the friend. Detectives found no evidence Connie knew of the pregnancy.

“This situation popped up like a frickin’ soap opera,” Richard told detectives.

The admission pointed toward a possible motive for Connie’s killing, but it would be the data detectives uncovered that would give them evidence to conclude his story was a lie.

Detectives had noticed Connie was wearing a Fitbit when they found her body.

They requested the device’s data, which showed she had walked 1,217 feet after returning home from the exercise class, far more than the 125 feet it would take her to go from the car in the garage to the basement in Richard’s telling of what happened.

The Fitbit also registered Connie moving roughly an hour after 9:10 a.m., the time by which Richard said she had been killed. Facebook records also cast doubt on Richard’s timeline, showing Connie had posted as late as 9:46 a.m.

Detectives would also come to doubt that Richard left home that morning, after examining data from his home alarm system and his email account.

Records indicate he used a key fob to activate his home alarm from his basement at 8:50 a.m. and then disabled it at 8:59 a.m. from the same location.

Richard also told investigators he emailed his boss from the road after getting the alert about the alarm. But records from his Microsoft Outlook account showed he sent the email from the IP address associated with his home.

Combined, the data punched major holes in Richard’s story. Police obtained an arrest warrant for him in April.
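The reasoning in the preceding paragraphs is a timeline correlation: each device record is placed on a clock and checked against the account the suspect gave. As an added example (not from the article, the police or any forensic product), the following script does that mechanically over a constructed event log. The 8:50 and 8:59 alarm events, the 9:46 post, the 9:10 stated time of death, the 8:45 earliest stated return, the "alarm triggered while driving" claim and the 1,217 versus 125 feet are taken from the article; the 8:40 email time, the 8:30 departure time and the 10:05 Fitbit movement are stand-ins chosen to match its description, since the article does not give them.

```javascript
// Added example, not from the article or any police tool: correlate device
// records from several sources against a stated account of events and flag
// the contradictions. All times are the morning of one day, local time.
function at(hhmm) {                       // "08:50" -> minutes since midnight
  const [h, m] = hhmm.split(":").map(Number);
  return h * 60 + m;
}
function fmt(t) {                         // minutes since midnight -> "08:50"
  return `${String(Math.floor(t / 60)).padStart(2, "0")}:${String(t % 60).padStart(2, "0")}`;
}

// Constructed event log. Entries marked (article) use times the article gives;
// the others are stand-ins consistent with its description.
const EVENTS = [
  { t: at("08:40"), source: "mail provider", actor: "suspect", kind: "email_sent",     where: "home IP"  }, // stand-in time; "from home IP" per article
  { t: at("08:50"), source: "alarm panel",   actor: "suspect", kind: "alarm_armed",    where: "basement" }, // (article)
  { t: at("08:59"), source: "alarm panel",   actor: "suspect", kind: "alarm_disarmed", where: "basement" }, // (article)
  { t: at("09:46"), source: "facebook",      actor: "victim",  kind: "post" },                             // (article)
  { t: at("10:05"), source: "fitbit",        actor: "victim",  kind: "movement" },                         // stand-in: "roughly an hour after"
];

// The account given to detectives, reduced to checkable constraints.
const ACCOUNT = {
  suspectLeftAt: at("08:30"),        // stand-in: the article gives no departure time
  suspectAwayUntil: at("08:45"),     // earliest stated return ("between 8:45 and 9 a.m.")
  victimDeadBy: at("09:10"),         // (article)
  alarmTriggeredBy: "intruder",      // the alert he says he received while driving
  victimWalkFeet: 125,               // car in garage -> basement (article)
};
const FITBIT_WALK_FEET = 1217;       // (article)

// Returns a list of {check, detail} findings; an empty list means the records
// are consistent with the account.
function findContradictions(events, account, walkFeet) {
  const findings = [];
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    // 1. No victim-generated data can post-date the stated time of death.
    if (e.actor === "victim" && e.t > account.victimDeadBy) {
      findings.push({ check: "victim_active_after_death",
        detail: `${e.source}: ${e.kind} at ${fmt(e.t)}, after stated death by ${fmt(account.victimDeadBy)}` });
    }
    // 2. Nothing tied to the suspect may originate from the house while he says he was on the road.
    if (e.actor === "suspect" && e.where && e.t >= account.suspectLeftAt && e.t < account.suspectAwayUntil) {
      findings.push({ check: "suspect_home_during_claimed_absence",
        detail: `${e.source}: ${e.kind} from ${e.where} at ${fmt(e.t)}, inside claimed absence ${fmt(account.suspectLeftAt)}-${fmt(account.suspectAwayUntil)}` });
    }
    // 3. Alarm changes made with the suspect's own fob conflict with an intruder-triggered alarm.
    if (e.source === "alarm panel" && e.actor === "suspect" && account.alarmTriggeredBy === "intruder") {
      findings.push({ check: "alarm_operated_by_suspect",
        detail: `${e.kind} by suspect's fob from ${e.where} at ${fmt(e.t)}; account attributes the alarm to an ${account.alarmTriggeredBy}` });
    }
  }
  // 4. Step-derived distance versus the path the account allows.
  if (walkFeet > account.victimWalkFeet) {
    findings.push({ check: "walk_distance_exceeds_account",
      detail: `fitbit: ${walkFeet} ft walked after returning; account allows about ${account.victimWalkFeet} ft` });
  }
  return findings;
}

// Merged, time-sorted view of every source, one line per event.
function timeline(events) {
  return [...events].sort((a, b) => a.t - b.t)
    .map(e => `${fmt(e.t)} ${e.source.padEnd(13)} ${e.actor.padEnd(7)} ${e.kind}${e.where ? " @ " + e.where : ""}`);
}

console.log(timeline(EVENTS).join("\n"));
for (const f of findContradictions(EVENTS, ACCOUNT, FITBIT_WALK_FEET)) console.log(`[${f.check}] ${f.detail}`);
```

The value of the approach is that each source is weak on its own (a step count, a fob event, a post timestamp) but the contradictions compound once everything sits on one clock; the same checks also surface the clock-skew question a defence would raise, since each device keeps its own time and the offsets must be established before the comparison means anything.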

The high school friend of Richard’s told authorities he had said he planned to serve divorce papers on Connie the week she was killed. Richard had texted her the night before Connie’s death: “I’ll see you tomorrow my little love nugget.”

– – –

The Dabate case is just one of a handful in which law enforcement officials have resorted to smart-device sleuthing.

In September 2016, an Ohio man told authorities he awoke to find his home ablaze, but police quickly suspected he had set the fire himself. They obtained a search warrant for the data from his pacemaker.

Authorities said his heart rate and cardiac rhythms indicated the man was awake at the time he claimed he was sleeping. He was charged with arson and insurance fraud.

Prosecutors in a 2015 Arkansas murder case sought recordings from the suspect’s Amazon Echo after a 47-year-old man was found dead, floating in the suspect’s hot tub after a night of partying. Authorities thought the voice-activated assistant might have recorded valuable evidence of the crime.

Amazon.com challenged the search warrant in court, saying that the request was overly broad and that government seizure of such data would chill customers’ First Amendment rights to free speech. But the challenge was eventually dropped because the suspect agreed to allow Amazon to turn over the information.

(Amazon chief executive Jeffrey Bezos is the owner of The Washington Post.)

Virginia State Police Special Agent Robert Brown III of the High Technology Division said the current trickle of such smart-device cases will probably soon become a flood.

“It will definitely be something in five or 10 years, in every case, we will look to see if this information is available,” Brown said.

Amazon and Fitbit said in statements that they won’t release customers’ data to authorities without a valid legal demand, but they declined to say how many such requests they have received from law enforcement.

“Respect for the privacy of our users drives our approach,” Fitbit said in its statement.

Ferguson, the law professor, said a case before the Supreme Court could be key in determining how exposed smart-device data is to searches by law enforcement.

In 2011, investigators in Detroit obtained months of cellphone location data on a suspect in a robbery investigation without a search warrant. Timothy Carpenter was later convicted, in part on this information gleaned from cellphone companies.

Carpenter is arguing in his appeal that such cellphone location data is so powerful it should be covered by the protections of the Fourth Amendment and that police should be required to get a search warrant to obtain it.

Courts have long held that people who voluntarily disclose information to a bank, cellphone company or other third party have no reasonable expectation of privacy. Ferguson said that since many smart devices transfer data to company servers, this third-party doctrine could apply to them, as well.

Ferguson said a ruling against Carpenter might clear the way for authorities to seek smart-device data stored on those servers without a warrant.

“In a world of truly ubiquitous connectivity where we are recording our heartbeat, our steps, our location if all of that data is now available to law enforcement without a warrant, that is a big change,” he said. “And that’s a big invasion of what most of us think our privacy should include.”

 

via: chicagotribune



Hyatt Hotels discovers card data breach at 41 properties

Hyatt Hotels Corp (H.N) said on Thursday it had discovered unauthorized access to payment card information at certain Hyatt-managed locations worldwide between March 18, 2017 and July 2, 2017.

Hyatt said the incident affected payment card information, such as cardholder name, card number, expiration date and internal verification code, from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. (bit.ly/2yHBSfr)

The owner of the Andaz, Park Hyatt and Grand Hyatt hotel chains said a total of 41 properties were affected in 11 countries, with China accounting for 18 properties, the most of any affected country.

Seven Hyatt properties were affected at U.S. locations, including three in Hawaii, three in Puerto Rico and one in Guam.

The Chicago, Illinois-based company said its cyber security team discovered signs of the unauthorized access in July and launched an internal investigation, completed on Thursday, that resolved the issue, and that it has taken steps to prevent a recurrence.

This is not the first data breach Hyatt has faced at its hotels.

In late 2015, Hyatt said its payment processing system had been infected with credit-card-stealing malware that affected about 250 hotels in about 50 countries.

 

via:  reuters

