Monthly Archives: January 2018

The Cyber Law of War

A recent article in the New York Times postulated America may choose to respond to a devastating cyberattack with a nuclear response. In November of 2017, a widely viewed social media video entitled Slaughterbots suggested “swarms of AI-controlled drones [could] carry out strikes on thousands of unprepared victims with targeted precision.” Both of these articles raised alarm in the general public and identified a need for military thought on the future of kinetic and cyber warfare, and the convergence of these types of warfare.

Lost in these recent media pieces are thoughts on the rules of warfare, called the “Law of War,” and the application of these laws to cyber warfare. Given recent attacks, specifically in Ukraine allegedly conducted by Advanced Persistent Threat (APT) group 28 (known as Fancy Bear, Pawn Storm, Sandworm, Sednit, and Sofacy) and the as-of-yet-unknown actors who launched the malware known as Triss or Triton against civilian targets, the discussion of a “Cyber Law of War” is both timely and necessary.


Sanctioned and structured military operations conducted in accordance with international law have a rigorous approval structure and command authority. It’s certainly true some nations have a wider interpretation of the lawful use of force than others. However, it’s generally accepted that indiscriminate attacks on civilian, civilian infrastructure, places of worship, and locations of cultural or historical significance are to be avoided and respected when it comes to armed conflict between belligerent parties.

It becomes significantly problematic when belligerent parties exploit the above protected civilians and designated places. The 1899 and 1907 Hague Conventions created the primary body of work (with significant contributions and foundational work from the Oxford 1880 “Manual of Laws and Customs of War”) known as the Law of War. From this genesis, we have the first Principle of the Law of War, the Principle of Distinction.

The Principle of Distinction is the governing principle when it comes to the legal targeting and use of weapons, including cyber weapons. Under international humanitarian, law it is required that belligerents distinguish between combatants and civilians. Implicit in this principle is the extension – which could be contentious – of the principle to infrastructure in the combat zone.

A Principle of Proportionality in the use of force is also applicable to the legal targeting and use of weapon systems, including cyber weapons. The legal targeting and use of weapons must consider the damage to civilians and their property. The damage cannot be excessive in relation to the military advantage gained. This principle requires the combatant to consider the ramifications of weapon release in terms of the potential damage to civilian (and civilian infrastructure) vs combatant (and military infrastructure).

The Principle of Military Necessity is another consideration when assessing the legality of targeting and use of weapon systems. This principle prohibits wounding or permanently injuring an opponent except during the fight. It also prohibits torture to exact confessions and other activities simply used to inflict additional damage on the enemy that does not further the military objective. Although perhaps it is far-fetched to consider cyber weapons in the above context, The Principle of Military Necessity is augmented by The Liber Code. The Liber Code further defines prohibited activity under this Principle as “in general, … any act of hostility that make the return to peace unnecessarily difficult.”

Finally, governing the targeting and use of weapons including cyber weapons is the Principle of Unnecessary Suffering. Article 35.2 of the Additional Protocol I declares it is prohibited to employ weapons, projectiles and materials ,and methods of warfare of a nature to cause superfluous injury or unnecessary suffering.”

Thus, when reviewing these four principles of The Law of War (called “The Principles” hereafter), a weapon or cyber weapon released by a belligerent party which is indiscriminate, disproportionate (more damage to civilian than combatant lives and infrastructure), makes a return to peace more difficult, and inflicts unnecessary suffering is in contravention of the Law of War.


Nations considering doctrine that incorporates cyber weapons as part of military operations will need to spend considerable efforts in ensuring the current (unclassified) technology of exploits, worms, and trojan rootkits in use today are compliant with The Principles.

  • Exploit – Generally (in cyber weapon terms), an undisclosed zero-day vulnerability that software can leverage to allow an adversary to establish control over an information technology device. In the aforementioned malware known as “Triss or Triton,” a 0-day attack was used.
  • Worms – Self-replicating cyber weapons that seek out specific vulnerabilities, exploit them, and potentially infect any connected host. The 2017 “WannaCry” ransomware outbreak exhibited this characteristic.
  • Trojan rootkits – Persistent malware that is difficult to remove and will place a targeted computer system under control of an adversary. The alleged NSA “Double Pulsar” trojan is an example of this type of malware.

When these systems are used to conduct espionage activities on targeted infrastructure, they are not (arguably) weapons as their destructive capacity has not been realized. However, in an instant, the machines under control can be ordered to download an execute a destructive payload, thus becoming a “cyber weapon” by damaging or destroying the infrastructure they have compromised and degrading the systems attached. It is the systems that are attached to the targeted computer system that are problematic and which need to be identified prior to triggering destruction.

Fortunately, FM 3-12 “Cyberspace and Electronic Warfare Operations” provides guidance to U.S. soldiers on the use and targeting of cyber weapons with the same rigorous command structure and authority applied to physical weapons systems. To see these cyber weapons receive specific direction implies from the US Armed Forces that the Principles are being applied to the use and targeting of cyber weapons.

Here are some cyber weapon technical control requirements that during time of conflict and post-conflict should be aligned to The Principles:

  1. Exploits used in a cyber-attack need to be disclosed after the cessation of hostilities to aid in clean up
  2. Diligent record keeping of any targeted and infected combatant and civilian assets must be maintained
  3. Positive Identification of Target (PID) is required for cyber weapon destructive payloads to be activated
  4. Additional non-cyber intelligence and legal authority must support and confirm the activation of a destructive payload is in accordance with The Principles
  5. Destructive payloads cannot be activated indiscriminately
  6. The Trojan rootkits should be designed to uninstall themselves after a pre-determined amount of time
  7. Self-replication technologies (worms) are only deployed when there is an extremely low probability of moving into non-targeted infrastructure
  8. The targeted infrastructure is primarily military in nature
  9. Use of exploit, worms, and trojan rootkits on Industrial Control Systems and SCADA is done with the utmost targeting rigor

Generally, weapons are overt and not difficult to discern: bombs, missiles, and tanks are all easily identifiable as weapons of destructive capacity. When discussing weapons, it’s inevitable the issue of dual-use technology is broached. Ground-based missile systems, as an example, require some sort of power source; so too do civilian generator trucks and backhoe diggers used to dig fortifications. Both are useful for military and civilian purposes, and the argument can be made that targeting these systems makes the “return to peace unnecessarily difficult.” (Liber Code).

Cyber weapons are extremely difficult to discern; until a destructive payload is activated, they are generally deployed in an espionage capacity which is not in contravention to The Principles and according to The Tallinn Manual from Rule 30: Sections 2-3 do not constitute an attack:

The notion of an ‘attack’ is a concept that serves as the basis for a number of specific limitations and prohibitions in the law of armed conflict. For instance, civilians and civilian objects may not be ‘attacked’ (Rule 32). This rule sets forth a definition that draws on that found in Article 49(1) of Additional Protocol 1: ‘attacks means acts of violence against the adversary, whether in [offense or defense].

By this widely accepted definition, it is the use of violence against a target that distinguishes attacks from other military operations. Non-violent operations, such as psychological cyber operations or cyber espionage, do not qualify as attacks.

As recent global cyber security attacks have illustrated, the failure to secure the alleged NSA cyber exploits and trojans lead to outbreaks like Wannacry, NotPetya, and the BadRabbit attacks. The responsibility for these malware attacks, according to the consensus view of the IT security community, falls on North Korean for WannaCry and Russian actors for NotPetya and BadRabbit. These are examples of mass, self-replicating and indiscriminate cyber weapon usage. Had these attacks inflicted physical damage on infrastructure resulting in a loss of life as opposed to just financial damages, the consequences could have been significant.

Urgent work is required by international organizations such as the International Committee of the Red Cross, NATO, and the UN to ensure the development and use of a destructive cyber weapon is done in accordance with the same legal and security rigor applied to nuclear, biological, and chemical weapons.



via:  tripwire

Cisco Fixes 10.0 CVSS-Scored RCE Bug Affecting Its ASA Software

Cisco has patched a remote code execution (RCE) vulnerability bearing a “perfect” CVSS score of 10.0 that affects its Adaptive Security Appliance (ASA) software.

On 29 January, the American multinational technology conglomerate publicly recognized the security issue (CVE-2018-0101) and revealed that it affects the ASA software found in the following 10 Cisco products:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

ASA software delivers firewall capabilities for ASA devices at the enterprise level. It also offers integrated VPN capabilities and facilitates site-to-site VPN on a per-context basis. Essential to the Cisco ASA Family, ASA software makes up part of the Firepower Threat Defense platform, unified software which offers next-generation firewall solutions.

The technology company explains how this particular flaw works in a security advisory:

The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.

There are no workarounds for this flaw, which has received a CVSS score of Base 10.0.

While the Cisco Product Security Incident Response Team (PSIRT) is aware of “public knowledge of the vulnerability,” it is not currently aware of any malicious exploits.

Customers with ASA devices running ASA software releases prior to 9.1 as well as 9.3 and 9.5 should move to a supported release. There are also updates available for Firepower Threat Defense 6.2.2, the version which first introduced the remote access VPN feature.


Organizations need to make sure their systems are protected against this vulnerability and others. They can do so by investing in a vulnerability management solution that helps them profile all their network assets and prioritizes bugs based on their business needs.


via:  tripwire

Locations of Military Bases Inadvertently Exposed by Fitness Tracker Users

Users of a fitness tracking app have inadvertently exposed the locations of military bases by publicly sharing their jogging/cycling routes.

Many service people who use Strava, an app which allows them to record their exercise activity using GPS plotting, are sharing their data publicly. Their movements have ended up in Strava Labs’ Global Heatmap consisting of three trillion latitude and longitude points. That resource provides crucial information about how service people move and, by extension, yields insight into where they are stationed.


For instance, Adam Rawnsley of The Daily Beast used the information to hone in on the location of a possible installation for the U.S. Central Intelligence Agency:


Others have leveraged the Heatmap to identify patrol routes and bases:


Nathan Rouser, a student of international security, first came across on the map on a mapping blog and decided to look deeper, The Washington Post reports. Such curiosity led to his discovery of what appeared to be U.S. soldiers’ activity in Syria. He began tweeting about his findings on Twitter, which led other users of the social media platform to do their own digging. Those investigations have uncovered the locations of potential Patriot missile sites and supply routes connecting bases in Afghanistan.


In response to Rouser and others’ revelations, the Central Command for the U.S.-led coalition against the Islamic State said it is in the process of revising its guidelines for service people’s use of wireless devices in and around military bases. As quoted by The Washington Post:

The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection. The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities.

Strava has in the meantime said it is “committed to working with military and government officials to address sensitive areas that might appear.” It’s also urging some users like service people to adjust their app settings to private, which will effectively limit their data-sharing to just the app itself.

News of this discovery comes more than three years after ISIS supporters hacked the U.S. Central Command’s Twitter account.


via:  tripwire


These programs will save your behind when Mac users need you to remove malware

No wonder they moved on to High Sierra. Thanks again, XKCD.

Yes Virginia, Macs do get viruses. By 2017, McAfee said they have detected over 700,000 malware strains so far. The lion’s share of Mac malware is adware. It’s certainly better to get infected by adware than ransomware (although Mac ransomware is a thing, too). But adware is also something you want to get rid of. Some adware can engage in spyware actions which violate your privacy and put your sensitive data at risk. All malware pretty much uses CPU cycles and memory which can be better allocated toward the applications you actually want to run!

Now that the “Macs don’t get malware” myth is gradually starting to fade away, it’s likely you will be called upon to remove malware from someone’s Mac.

My Windows malware removal post was very popular. I said I would write similar posts for other computing platforms if people liked the Windows one. So, I’m a woman of my word and I aim to please.

Before I start recommending programs, I’ll show you a couple of little procedures I was taught that may help users and tech support with very mild forms of Mac malware. If a user’s Mac behaves suspiciously, I would try these steps first first and run malware removal applications as your second step.

This is what you can do if a user’s Mac gets “you’ve got a virus” scareware in their web browser. (This applies to any web browser in macOS, not just Safari.)

Close the web browser right away. The user can always retrieve the tabs they were using later.

Open the Downloads folder. Drag every installer file and unfamiliar file into Trash. Empty the Trash. Then relaunch the web browser. If you don’t see the scareware pages again, chances are you removed the web malware. But I would still run malware removal tools afterwards.

Here’s something you can try if you see the UI of an app that you suspect is malicious. Note the name of the app. Then try to close it. If you can’t close it and are forced to drag the window elsewhere, that’s a good reason to be suspicious. Open the Utilities folder and launch Activity Monitor. Look under All Processes for the name of the suspicious app or anything else you don’t recognize. Click Quit Process for each of them. Check your Applications folder and see if you can find the suspicious app’s name there. If so, drag the icon into Trash, then empty Trash. Whether or not you were able to Trash the malicious application, you should still run malware removal tools afterwards. My malware removal experience has taught me that removed malware can still leave malicious files and unwelcome changes to configuration files.

As in my Windows piece, I recommend putting these apps onto USB sticks and DVDs as well. Have them available to carry with you in both mediums just in case you can only access one method or the other on a Mac. Many Macbooks lack optical drives, and you may also find a Mac with a functioning optical drive with malfunctioning USB ports. As I said, be prepared for anything.


Malware removal

Malwarebytes for Mac

I recommended Malwarebytes in my Windows piece. The Mac version is great, too! The free version of Malwarebytes for Mac will scan your disks and remove any malware it recognizes, and the UI is nice and simple. You can download it from here.

No consumer malware removal tool will help with zero day or fileless attacks. But the majority of Mac malware can be removed with Malwarebyes for Mac, provided you have updated its signatures recently.


Mac Rogue Remover Tool

Some versions of macOS still have a serious problem with Mac Defender, Mac Security, Mac Protector, and Mac Guard rogue anti-spyware programs. If your user runs the Leopard, Snow Leopard, Lion, or Mountain Lion versions of OS X, BleepingComputer’s tool will remove those particular trojans which plague those operating systems.

Download BleepingComputer’s free tool here.


Kaspersky Virus Scanner for Mac

Kaspersky’s freeware tool for Mac can detect and remove malware for Windows and Android. Windows and Android malware may not noticeably affect your Mac, but you don’t want to be sharing that malware to Windows PCs or Android devices if they connect to your Mac over the internet, by being mounted, or by sharing disks.

Kaspersky Virus Scanner will also remove malware that targets macOS specifically, so it’s worth a try. You can learn more here.


Bootable OS

It’s not unheard of for Macs to be difficult or impossible to boot into macOS properly. Some Mac malware may damage the file system or boot sector. Put a DVD or USB stick with the following OS into the user’s Mac and reboot it. Before the Mac tries to boot into macOS or OS X, hit the Option(⌥) key. You will execute Startup Manager, and you can select the optical or USB disk from there.

Disk images on a USB stick need to be written with software which makes them bootable. Again, you can use UNetbootin to make a bootable USB drive. There are Windows, Mac, and Linux versions of UNetbootin you can download from here.



I recommended PartedMagic for Windows. But as it supports HFS and HFS+ as well, you can also use PartedMagic to fix broken file systems on a Mac. PartedMagic can partition, rescue data, fix how your HDD boots, and even do disk cloning.

You can download it here.


As a side note: For any Comcast XFinity customers: they offer FREE copies of Norton Internet Security Suite for Mac and Windows:


For those wanting to get savvier with their OSX security, maybe you should mention some of the small little tools that can make a difference:

via:  Kim Crawley at peerlyst

Chrome desktop update remedies 53 bugs, adds Spectre and Meltdown mitigations

Google’s latest stable channel update for the Chrome browser on Windows, Mac and Linux desktop machines includes fixes for 53 security issues, including three high-severity vulnerabilities.

Issued on Jan. 24, Chrome 64.0.3282.119 addresses, among other bugs, CVE-2018-6031, a use-after-free flaw in the PDF software library PDFium; CVE-2018-6032, a same origin bypass error in Shared Worker; and CVE-2018-6033, a race condition vulnerability when opening downloaded files.

Additionally, the release includes additional protections against speculative side-channel attack techniques that exploit the CPU vulnerabilities known as Spectre and Meltdown.


via:  scmagazine

How an Arizona couples innocent bath-time photos of their kids set off a 10-year legal saga

Lisa and A.J. Demaree’s decade-long legal ordeal started with, by all accounts, an utterly innocent family moment.

In 2008, the couple took their three daughters, then ages 5, 4 and 1½, on a vacation to San Diego. They snapped more than 100 photos during the trip, like parents do, including several of the girls playing together during bath time. When they returned to their home in Peoria, Ariz., they dropped the camera’s memory stick off at a Walmart for developing.

Within a day, a police detective came knocking.

A Walmart employee had flagged the bath-time photos as pornographic, the detective told the parents. One showed the girls wrapped in towels with their arms around each other; another showed their exposed bottoms.

The Demarees said they were harmless shots of the children goofing around, no different than what you’d expect to find in any family scrapbook. But police and social workers launched a full-blown sex abuse investigation, raiding the couple’s home and putting the girls in protective custody for a month while they interviewed dozens of family members and friends about whether the Demarees were child sex offenders.

When authorities declined to bring charges — judges who reviewed the pictures found they were, in fact, harmless family photos — the couple sued two Child Protective Services employees, among others, alleging constitutional violations.

On Tuesday, after a series of defeats in the case, a federal appeals court affirmed what the Demarees have argued all along: that their children were taken from them for no good reason.

“The social workers did not have reasonable cause to believe the children were at risk of serious bodily harm or molestation,” a three-judge panel of the U.S. Court of Appeals for the 9th Circuit wrote. “Therefore, viewing the record most favorably to the Demarees, the defendants acted unconstitutionally in taking the three children away from home without judicial authorization.”

The decision, which came nearly 10 years after the parents’ initial encounter with police, revived the case against the two social workers after a lower court dismissed it in 2014. That court ruled that the social workers, as employees of the Arizona government, were entitled to “qualified immunity,” meaning they were protected from liability in lawsuits arising from their professional duties.

But the San Francisco-based 9th Circuit panel disagreed, ruling in a 47-page opinion that the social workers presented no evidence that the children were in danger of being abused.

“The risk identified by the defendants did not include taking photos of a nude child in an exploitative situation and distributing them, because there was no allegation or indication that A.J. and Lisa had distributed, or were likely in the future to distribute, nude pictures of their children to anyone,” the three-judge panel wrote. “Nor did the identified risk include taking photos of a nude child engaging in sexual conduct, because there was no allegation A.J. and Lisa had ever taken, or were likely to take, photos of their children engaging in sexual conduct.”

“And the risk was not that the Demarees would see their own children, ages five, four, and one-and-a-half, nude, including their genitalia,” the judges added, “as caring for children of those ages necessitates doing so.”

The lawsuit originally named as defendants the detective, Walmart, the state attorney general and the town of Peoria. The detective settled with the parents and the other parties were dismissed during earlier proceedings.

A shocking amount of child pornography changes hands every day in the dark corners of the Internet and whatever other channels pedophiles use to traffic sexually exploitative images of minors, as evidenced by the steady drum beat of arrests and sting operations by law enforcement. “Rarely a week goes by,” the FBI wrote in a memo last year, “that a child pornographer is not charged or sentenced for federal crimes related to the sexual exploitation of children.”

The growth of social networks and photo- and video-sharing sites has facilitated the trade of child pornography, and offenders have found increasingly sophisticated ways to avoid detection, according to the Department of Justice. For obvious reasons, authorities take a zero-tolerance approach.

The drawback, of course, is that people like Lisa and A.J. Demaree get caught up in the dragnet. As Lisa Belkin, a former New York Times parenting blogger, wrote of the couple’s case: “The downside of society’s increased awareness that bad things happen to children is an increased tendency to see those bad things everywhere.”

When the detective showed up at the couple’s door in August 2008, he brought photocopies of the bath-time photos and pressed the parents about them, according to court documents. One showed the three girls lying on a towel with their bare backsides visible.

“Obviously you’re not going to share it with anybody, I would hope,” the detective said, according to court documents.

“No, absolutely not!” A.J. Demaree responded.

The 9th Circuit noted that neither that picture nor any other portrayed the children in a sexually suggestive manner or showed their genitalia frontally.

After questioning the parents, police took the children in for interviews and medical exams to look for signs of sexual abuse. While the exams were being conducted, they got a search warrant and raided the couple’s home, seizing computers, cellphones, undeveloped film and other materials relevant to a child pornography probe, the court wrote.

“It was a nightmare, it was unbelievable,” Lisa Demaree said through tears in an interview with ABC News a year after the raid. “I was in so much disbelief. I started to hyperventilate. I tried to breathe it out.”

The children’s exams came back normal, showing no signs of abuse, and the girls were returned to their parents.

But toward the end of the search of the couple’s house, a Child Protective Services investigator showed up and discussed the case with police. Anticipating child exploitation charges to be brought, she decided to take the children into emergency temporary custody. Though she lacked a court order or warrant, her supervisor approved the decision. The two older children were driven to one foster home, the 18-month-old to another, according to court documents. Eventually, they were moved to their grandparents’ house.

Police interviewed about three dozen friends, family members and co-workers of the Demarees in the course of their sex-abuse investigation, according to the lawsuit. The Demarees also underwent psychological evaluation, according to ABC News. After a month, their daughters were returned to them.

The parents were not arrested or charged with any crimes, and a juvenile court never adjudicated the girls abused or neglected, as the appeals court ruling stated. But Lisa was suspended from her job at a school for a year, and the couple’s names were included on a sex offender registry, according to ABC News.

“As crazy as it may seem,” Lisa Demaree told the network, “what you may think are the most beautiful innocent pictures of your children may be seen as something completely different and completely perverted.”


via:  washingtonpost

Bitcoin Mining Puts Crimp In Quebec’s Energy Capacity

Hydro Québec, the largest utility in Canada, is being forced to review its energy strategy amid the surging demand caused by mining of digital currencies.

According to last week’s report in Reuters, Hydro Québec’s spokesman said that it won’t have enough long-term capacity to meet the expected demand, given the fact that potential mining projects are now at 70, more than doubling in one week alone. The energy company expects to have an energy surplus equal to 100 terawatt hours during the course of the next decade. One terawatt hour can power 60,000 homes in Québec for a year.

Bitcoin mining of digital tokens requires a significant amount of computing processing, which in turn requires a large amount of energy. WithChina cracking down on cryptocurrencies and cryptocurrency mining, many bitcoin mining operations are now looking for sites in Québec, which is rich in energy.

Bitmain Technologies, which runs some of China’s biggest cryptocurrency mining farms, is one of the companies looking for Québec locations. GMO Internet, the Japanese bitcoin mining company, is also looking, but hasn’t yet decided if it will set up operations in Québec.

“We are receiving dozens of demands each day. This context is prompting us to clearly define our strategy,” said Hydro Québec spokesman Marc-Antoine Pouliot in an interview with Reuters. “We won’t be able to power all the projects that we’re receiving. This is evolving very rapidly, so we have to be prudent.”

The company is also interested in luring data centers to the region, which creates more job opportunities than bitcoin mining. Concerns about energy demand in Québec is resulting in some startups breaking down their bitcoin mining projects into smaller ones.

“This is the tip of the iceberg, as only a fraction of the initiatives have [sic] reached out to Hydro Québec yet,” said Laurent Feral-Pierssens, executive director of emerging technologies at KPMG Canada. The executive works with digital currency miners that want to open operations in Québec.


via:  pymnts

Amazon Goes Nuts For Sqrrl (And Buys Them)

A month after rumors swirled that Amazon was seeking to acquire Massachusetts-based cybersecurity startup Sqrrl, the deal has come to fruition, according to BostInno.

The Information reported that Amazon Web Services (AWS) has acquired Sqrrl, according to multiple sources familiar with the deal. Terms of the acquisition have not been made public, although the rumored buy price in December was in the neighborhood of $40 million.

Spokespeople for Sqrrl and Amazon did not immediately respond to a request for comment from BostInno on Tuesday (Jan. 23).

Founded by Natural Security Agency (NSA) alumni in 2012, Sqrrl offers software that analyzes big data streams to pinpoint and expose cyberthreats. The firm has brought in around $28.5 million in venture funding, with investments from Accomplice, Matrix Partners, Rally Ventures and Spring Lake Equity Partners.

News of the Sqrrl acquisition comes a year after AWS reportedly acquired, a cybersecurity startup based in San Diego. According to a GeekWire report citing Fred Wang – a general partner with Trinity Ventures, which is an investor in – AWS quietly acquired the company to increase the security of its cloud offering for its customers. Wang said AWS acquired the company early in 2016 and has invested a little under $2 million in the startup.

And, in December, Amazon inked a deal to acquire Blink, the wireless security camera company that launched in early 2016. The move could be part of its strategy to push into the smart home and connected security markets. In late 2017, Amazon launched a video camera that lets consumers view deliveries that are being placed in their homes.

With its Echo devices, which are powered by its voice-activated digital assistant, Alexa, Amazon is trying to control the smart home, where all sorts of internet-connected devices communicate with each other. While the Echo is widely popular, some industry watchers have said there is limited use for smart speakers without the connected home market taking off.


via:  pymnts

From Stamps To Clicks: Notaries Join The 21st Century

Notaries with their stamps and embossers as ID authenticators have been slow to embrace ID tech, despite a slew of tools at their disposal. Darcy Mayer, DocVerify EVP, calls this the industry’s “chicken or the egg” problem. Mayer explains the types of notary innovations that are slowing gaining ground — and why — in this month’s Digital Identity Tracker. In this issue, we also take a look at biometrics, border control and the Olympics — and profile the comings and goings of 147 solutions providers in the space.


Whether it’s a consumer wanting to get insurance paperwork attested or a business looking to properly process signatures, when the need for document notarization arises, it’s often urgent — a need that must be fulfilled quickly.

Despite major advancements in technology, however, the notarization process continues to be slow and outdated. It hasn’t changed for decades, if not longer, and still involves finding a local notary service provider, printing out physical copies, racing to make an in-person appearance and using a rubber stamp to seal the deal. It’s a time-consuming process, to say the least.

Slowly but surely, though, things are finally beginning to change, according to Darcy Mayer, executive vice president of electronic signature and notarization solutions provider DocVerify. In a recent interview with PYMNTS, Mayer explained that many in the industry are interested in seeing the technology take off, but there are legal and other challenges that can get in the way.

“Notaries are really eager to adopt new technologies — and the companies we deal with, a lot of them are very interested in moving forward with [it],” he said. “Adoption can be slow, even within that institution or organization, because of the scope of what it all entails.”

From Bill to Law

In the mid-2000s, roughly 25 U.S. states passed laws allowing documents to be notarized electronically if the participants were in the same room as the notary, thus opening the market for solutions like DocVerify’s.

In 2012, Virginia became the first state to legalize remote notarization and allow participants in different states — or even different countries — to have documents notarized electronically. The passing of Virginia’s law was followed by similar legislation in Texas, clearing the way for even further adoption.

But, while legislative progress has been made, there is still work to be done to get the industry up to speed, Mayer noted. That includes changing the way some companies think about electronic notarization technology.

“It’s been slow in terms of adoption, but we’ve found that is because people are already ingrained in their old habits,” he said. “Notarizations have been done using a rubber stamp for at least 100 years now, and before that it was wax. So, that’s the process people are used to, and the process they trust.”

Securing the Signatures

DocVerify offers both in-person and remote electronic notarization solutions to remain compliant with the laws passed by all 50 state legislatures, Mayer noted. Both solutions rely on knowledge-based authentication (KBA) protocols, like those used by banks or other financial players.

“If the notary doesn’t personally know the participant, which they typically don’t, they are required to perform an ID verification,” he said. “That entails a knowledge-based authentication, which is similar to what a bank does.”

As part of that KBA process, notaries collect personal information, including a participant’s driver’s license and partial or whole Social Security number. That information is then used to create a series of five questions to verify the identities of notarization participants.

To complete the process, participants must answer four of the five KBA questions correctly. If they can’t? No notarization for them – at least according to the law.

The Challenge of Changing Consumer (and Company) Habits

But clearing legal hurdles isn’t the only challenge in accelerating adoption of modern notary solutions.

While many notaries and their clients are eager for new technology, many have been slow to actually adopt it due, in large part, to legal and financial concerns. Simply put, decades-old habits die hard – even when new advances come along.

To give users incentives to change those habits, DocVerify and other software solutions are designed to provide benefits for both parties. That includes a more efficient and expedited process, as well as savings on costs and fees.

“The businesses or consumers that need documents notarized don’t usually have the manpower or know-how to deal with the individual requirements to get past the legislation,” Mayer explained. “We solve that problem by enabling [them] to provide this service to their end users or have this service as part of their workflows.”

For notaries, many of whom run small business operations without a budget for major tech overhauls, the service offers new capabilities that can be used to market to prospective clients – and at a rate that won’t break the bank.

“From the notaries’ point of view, if they had to go out and build the technology themselves, or acquire it, it would be unattainable or, at the very least, unaffordable,” Mayer said. “So, we work to provide a very affordable solution for [them]. All they have to do is quickly sign up, go through an application approval process with us and then they can market these services to their customers.”

Chicken or the Egg?

There’s also another, less obvious issue plaguing electronic notarization adoption, though, and it’s one that Mayer called the “chicken or the egg” problem.

Large companies often drive adoption in the space because they can deliver a big impact to the market based on the size of their notarization needs. But those big companies need for notaries in their local areas to use DocVerify’s solution to meet those needs – and notaries are wary of adopting and paying for a solution before they are assured they have a client to serve with it.

“So, the notary is apprehensive about doing that until they know the business is on board, and the business isn’t going to do that unless there’s the right number of notaries to serve them,” Mayer explained. “It’s a vicious cycle that most of the industry has been dealing with for over a decade.”

For its part, DocVerify is fighting back.

When it does see interest from a large company, Mayer said DocVerify will incentivize notaries to adopt the solution with waived fees or expedited application processes. This helps DocVerify to meet the needs of notaries’ largest potential clients, and also increases the number of notaries using the solution.

While that has worked on occasion, legal concerns and the “chicken and egg” problem persist. If those dual challenges can soon be solved, it likely won’t be long before even the most desperate document authentication needs can be filled in minutes.


via:  pymnts

Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs


A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.

Played every month by half a billion users—World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.

To play Blizzard games online using web browsers, users need to install a game client application, called ‘Blizzard Update Agent,’ onto their systems that run JSON-RPC server over HTTP protocol on port 1120, and “accepts commands to install, uninstall, change settings, update and other maintenance related options.

Google’s Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the “DNS Rebinding” attack that allows any website to act as a bridge between the external server and your localhost.

Just last week, Ormandy revealed a similar vulnerability in a popular Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.

By simply creating a DNS entry to bind any attacker-controlled web page with localhost ( and tricking users into visiting it, hackers can easily send privileged commands to the Blizzard Update Agent using JavaScript code.

Although a random website running in a web browser usually cannot make requests to a hostname other than its own, the local Blizzard updater service does not validate what hostname the client was requesting and responds to such requests.

Blizzard DNS Rebinding Attack — Proof of Concept Exploit

Ormandy has also published a proof-of-concept exploit that executes DNS rebinding attack against Blizzard clients and could be modified to allow exploitation using network drives, or setting destination to “downloads” and making the browser install malicious DLLs, data files, etc.

Ormandy responsibly reported Blizzard of the issue in December to get it patched before hackers could take advantage of it to target hundreds of millions of gamers.

However, after initially communication, Blizzard inappropriately stopped responding to Ormandy’s emails and silently applied partial mitigation in the client version 5996.

“Blizzard was replying to emails but stopped communicating on December 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution,” Ormandy says.

“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on this.”

After the Ormandy’s report went public, Blizzard contacted and informed him that a more robust Host header whitelist fix to address the issue entirely is currently being developed for deployment.

Ormandy is also checking other big games vendors with a user base of over 100 Million to see if the problem can be replicated.


via:  thehackernews