Friday, December 26, 2014

Sony pulls 'The Interview' after 9/11 terror threat

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Sony Pictures is close to monopolizing security news with post-cyber-attack ripples.

Those ripples now include getting sued by ex-employees over privacy violations, being threatened with a terrorist attack similar to 9/11, having its film The Interview pulled from several cinemas as a result, and the subsequent announcement that Sony has cancelled the theatrical release altogether.

On the breathe-one-small-sigh-of-relief side of the ledger, it's received compliance with a DMCA takedown request from Reddit, which has banned users from sharing documents pilfered from the movie studio.

On Tuesday, those purportedly behind the hack threatened a terrorist attack on theaters and movie goers who attend screenings of The Interview.

The GOP had previously promised to deliver a "Christmas gift," which originally sounded like another batch of leaked data.

But Tuesday's message, which Mashable reports was sent to itself and several other news outlets, along with a new batch of Sony Entertainment CEO Michael Lynton's hacked emails, warned people to stay away from the movie, specifically mentioning the 2001 attacks on New York and the Pentagon:

We will clearly show it to you at the very time and places "The Interview" be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.

Soon all the world will see what an awful movie Sony Pictures Entertainment has made.

The world will be full of fear.

Remember the 11th of September 2001.

We recommend you to keep yourself distant from the places at that time.

(If your house is nearby, you’d better leave.)

A Department of Homeland Security (DHS) official who requested anonymity told Fortune that the DHS isn't aware of any active plot against movie theaters in connection with the attack against Sony.

From his or her statement:

We are still analyzing the credibility of these statements, but at this time there is no credible intelligence to indicate an active plot against movie theaters within the United States. ... As always, DHS will continue to adjust our security posture, as appropriate, to protect the American people.

At least one New York theater canceled the premiere of the film, which is a Seth Rogen/James Franco comedy about a plot to kill North Korea's leader Kim Jong-Un.

Carmike Cinemas, a movie theater chain that's based in Columbus, Georgia, and which has theaters in 41 states, also chose not to show The Interview, according to The Hollywood Reporter.

In addition, the two stars canceled all of their upcoming press events, according to BuzzFeed, which was hosting an event with the two.

Sony announced yesterday that it wouldn't be releasing The Interview on Christmas Day as planned:

In light of the decision by the majority of our exhibitors not to show the film The Interview, we have decided not to move forward with the planned December 25 theatrical release. We respect and understand our partners' decision and, of course, completely share their paramount interest in the safety of employees and theater-goers.

Sony Pictures has been the victim of an unprecedented criminal assault against our employees, our customers, and our business. Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material, and sought to destroy our spirit and our morale — all apparently to thwart the release of a movie they did not like. We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public. We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.

In other fallout, two of the movie studio's ex-employees have sued the company for failing to protect their private information.

They'd like to turn it into a class action lawsuit of up to 15,000 former employees.

The plaintiffs haven't been specific about the amount of money they're seeking, but according to Money CNN, they want Sony to provide five years of credit monitoring, bank monitoring, identity theft insurance and credit restoration service. They also want Sony to be made subject to regular privacy audits.

Finally, a ray of hope that somebody on the internet is going to take down Sony's doxed materials.

As it is, Sony on Monday warned the media not to publish the details of anything that was stolen in last month's breach.

By Wednesday, Reddit had acceded to a DMCA takedown request from Sony.

Reddit removed a hub for sharing the company’s hacked files, deleted posts, blocked individual user accounts, and banned a subreddit devoted to sharing the files.

However, as Reddit told Business Insider, "discussions and news stories" about the attack were unaffected by the bans - similar to how Reddit recently banned stolen celebrity nude photos but allowed discussion about the thefts.

Follow @LisaVaas

Follow @NakedSecurity


Thursday, December 25, 2014

Google and Facebook under fire from Dutch government over citizens' privacy


The Dutch government is clamping down on the way in which large organisations use its citizens' personal data.

The Dutch Data Protection Authority (DPA) threatened Google with a fine of €15m (£11.9m, $18.7m) on Monday, saying the search giant had breached various provisions of the Dutch data protection act via a privacy policy it introduced in 2012.

The company has been given until the end of February 2015 to change how it handles personal data, especially in regard to the tailoring of adverts based on keyword search queries, video viewing habits, location data and the content of email messages.

Jacob Kohnstamm, chairman of the Dutch DPA, said:

Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested.

Kohnstamm explained how, under Dutch law, Google should have informed users that it was gathering data across a number of platforms - such as YouTube and Gmail - and obtained permission before combining or analysing that data.

The regulator has now demanded that Google obtains "unambiguous" consent from users before combining their data, "via a separate consent screen", rather than through its more generalised privacy policy.

It also ordered the company to add clarification to the policy so that users are better informed as to how each of the company's services is using their data.

Furthermore, Google is required to make it clear that YouTube is part of its setup, though the DPA did note that this already appeared to be underway.

Five other regulators - in France, Germany, Italy, Spain and the UK - have recently received a letter from Google detailing how it intends to comply with European privacy laws but the Dutch DPA says it has yet to establish whether the proposals will suffice within its own jurisdiction.

While the DPA's gripe with Google awaits resolution, it has now moved on to fellow data gatherer Facebook.

In another statement (in Dutch - view Google translate version) released on Tuesday it announced it would investigate Facebook's new privacy policy.

The social network announced last month that it intends to make changes to its policy, effective from 1 January 2015.

As Facebook has a physical presence in the Netherlands, the DPA says it is authorised "to act as supervisor", as per a European Court of Justice ruling on Google vs. Spain on 13 May 2014 (the 'right to be forgotten' case).

As such, it has asked Facebook to hold fire on its new privacy policy until it has had the chance to investigate how the changes may impact Dutch users, including how Facebook obtains permission for the use of their personal data.

The latest iteration of the policy states that Facebook can use:

your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.

Given how the key points of the policy have not changed since it was last revised in November 2013, it seems unlikely Facebook will comply with the DPA's wishes.

According to The Telegraph, the company responded by highlighting how it is "a company with international headquarters in Dublin", which routinely reviews its policies and procedures with its own regulator, the Irish Data Protection Commissioner.

Facebook said it is confident that its new privacy policy is compliant with all relevant laws.

Follow @Security_FAQs

Follow @NakedSecurity

Image of Dutch citizen courtesy of Shutterstock.



Wednesday, December 24, 2014

Teenager pleads guilty to massive Spamhaus DDoS attack


A 17-year-old London schoolboy who was arrested last year has pleaded guilty to a distributed denial of service (DDoS) attack of unprecedented ferocity launched against the Spamhaus anti-spam service and internet exchanges, including the London Internet Exchange.

Given that he's a minor, he can't be named.

The Register quoted a police statement that said that the boy also admitted last week to money laundering and possessing child abuse images.

He's out on bail pending sentencing on 9 January, the statement said:

A 17-year-old male from London has this week (Wed 10 Dec) pleaded guilty to [offences under the] Computer Misuse Act, money laundering and making indecent images of children offences, following a National Crime Agency investigation. He was arrested in April 2013 after a series of distributed denial of service (DDoS) attacks which led to worldwide disruption of internet exchanges and services. On his arrest officers seized a number of electronic devices. He has been bailed until 9 January 2015 pending sentencing.

He's admitted to having a hand in the biggest DDoS ever recorded: one that at times was reported to be as large as 300 gigabits per second.

Traditionally, even large botnets are only able to deliver hundreds of megabits or a few gigabits per second, as Naked Security noted at the time.

The attackers used large-scale DNS reflection, taking advantage of misconfigured DNS servers to amplify the power of a much smaller botnet.

It was very effective. While the attack didn't break the internet's backbone when it launched in March 2013, it managed to slow the internet around the world.

But the 17-year-old didn't pull all that off all on his lonesome. He was reportedly one of multiple arrests.

In April 2013, another suspect was arrested in Spain.

In fact, the teenager's arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out the massive DDoS.

We're on the brink of a new year. Unfortunately, this kid has made choices to put his talents to use in a way that means he'll be in court soon into the coming new year.

Bad choice. Regrettable choice.

Will he do jail time? Will he cough up names of others involved in the attack?

Time will tell.

But if I had been in on this caper, I'd be very, very worried about getting a knock on the door.

Follow @LisaVaas

Follow @NakedSecurity

Image of hacker courtesy of Shutterstock.



Tuesday, December 23, 2014

Delta Airlines flaw lets others access your boarding pass


Have you travelled on planes in recent years?

If so, I'm sure you've had your fair share of security seriousness at airports.

One of the strictest, and perhaps the most peculiar, exchanges I've overheard went something like this:

You can't take a 110g tube of toothpaste through security, Sir.
But, look! It's close to half empty. There's 60g at most in there. Weigh it, you'll see.
Sorry, Sir. If you want to carry more than 100g of toothpaste, buy two 100g tubes.
I don't want to carry 200g of toothpaste. I want to carry 60g of toothpaste. In fact, I am carrying 60g of toothpaste.
I'm sorry, Sir, I don't make the rules. I'm just following orders.

And as for finding out whether your mother-in-law managed to board her connecting flight in Singapore, having been worried about getting lost in Changi airport?

Forget it.

Actually, unlike the dentifrice disaster story above, the lockdown of passenger lists is a good thing.

The privacy of passengers should be strongly protected, so no complaints there.

So, what a disappointment to read that Delta, and apparently other US airlines, didn't seem to see it that way.

Hackers of NY denizen Dani Grant found that out last week when she received a URL from Delta that led to her boarding pass.

(She didn't say in her post but it looks from the screenshots like a non-HTTPS URL; that's a concern for another time.)

The SNAFU was just like last week's flaw at AliExpress, the online retail portal of Chinese e-commerce megabrand Alibaba.

By changing characters in a parameter in a URL, AliExpress users could retrieve the home address and phone number of other users.

At least in the AliExpress case, you had to log in as someone first, before accessing the data of anyone.

In Dani Grant's case, arbitrarily changing even a single character in her URL brought up other people's travel plans, without any authentication stage at all.

A bit more URL fiddling, and she had a boarding card for a third passenger on a different airline:


We'll ignore that this makes a mockery of the security precautions at many airports.

Let's look at why this is a problem in general terms, by forgetting the in-flight safety angle for a moment, and considering the cybercrime side of things.

Both the Delta Airlines and the Alibaba URL vulnerabilities play right into the hands of online scammers and social engineers.

In many, if not most, online scams, the crooks don't need to know that you are flying to Florida this evening, arriving at 19:45.

They just need to know that somebody is going to be on that plane, or some other plane, to be able to tweak their criminality to target that person.

And if they can automate the process of recovering that sort of information by simply scraping URLs until they get lucky, they can attack even more broadly.

Of course, this raises the question, "As a consumer, how can you tell if a website is guilty of this sort of data leakage carelessness?"

Sometimes, you'd be wise to assume there's a problem, for example if the confidentiality of a web page relies on some text in the URL, but the text looks far from random:

But even then, proving there really is a vulnerability is tricky, because:

You might get close by trying nearby strings (e.g. id=32767, id=32768), but not close enough to hit paydirt. (Maybe you needed to try id=42766 instead?)

You might actually hit paydirt, and then what? (Whom do you tell? What if you just broke your country's equivalent of the Computer Misuse Act?)

"Having a go" at URLs to see what you can find is not a good idea, and we don't recommend it.

Even if your motivation is pure, you could end up in trouble if you don't have explicit permission.

A court might form the opinion that you knew jolly well you were going after data that wasn't yours, and find you at fault.

All we can recommend is that if you do encounter what you consider to be security through obscurity, report it and ask what the company concerned has to say about it.

Dani Grant did just that in the case above; Delta, bless their hearts, replied to her, and didn't try to brush it under the carpet, either:

[We] certainly understand how insecure you must have felt due to the unpleasant incident you experienced while trying to view and print [your] boarding pass from our website.

That's not as good as a clear statement that the problem is being fixed, and how solidly, but it's a good start, not least because it explicitly admits the flaw as an insecurity.

By the way, if your company deploys "secret" URLs for any purpose, whether customer facing or internal, why not review how they are generated, distributed and used?

Don't make the same mistakes as Alibaba and Delta...
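To make the review concrete, here is an added example (not Delta's, Alibaba's or Sophos's code; the passenger records, ids and URL format are constructed for illustration) that puts the pattern described above, a record id in the URL with no authentication, beside a hardened variant that hands out per-record random tokens from Python's secrets module:

```python
"""Predictable vs. unguessable "secret" URLs for a boarding pass.

Added example, not Delta's or Sophos's code. The store, passenger records
and the URL format are all constructed for illustration. The first lookup
reproduces the flaw the article describes; the second shows what a
properly generated "secret" URL looks like.
"""
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records keyed by a sequential id, as a naive system might do.
BOARDING_PASSES: Dict[int, Dict[str, str]] = {
    32766: {"name": "A. Traveller", "flight": "XX101", "seat": "12A"},
    32767: {"name": "B. Traveller", "flight": "XX102", "seat": "3C"},
    32768: {"name": "C. Traveller", "flight": "YY303", "seat": "21F"},
}


def lookup_insecure(pass_id: int) -> Optional[Dict[str, str]]:
    """The flawed pattern: whatever id the URL carries, hand back the record.
    Nothing ties the request to the passenger who was e-mailed the link."""
    return BOARDING_PASSES.get(pass_id)


def neighbours_readable(pass_id: int) -> List[int]:
    """Show the problem: the ids either side of the one you were given also resolve,
    so the "secret" in the URL is no secret at all."""
    return [i for i in (pass_id - 1, pass_id + 1) if lookup_insecure(i) is not None]


# Hardened variant: the link carries a random token and the server maps
# token -> record. 32 bytes of CSPRNG output (256 bits) means an edited
# token almost certainly maps to nothing, and guessing by enumeration is hopeless.
TOKEN_INDEX: Dict[str, int] = {}


def issue_link(pass_id: int) -> str:
    """Mint an unguessable token for an existing record and return the URL path."""
    if pass_id not in BOARDING_PASSES:
        raise KeyError("unknown boarding pass")
    token = secrets.token_urlsafe(32)  # 43 URL-safe characters
    TOKEN_INDEX[token] = pass_id
    return f"/boardingpass?token={token}"


def lookup_secure(token: str) -> Optional[Dict[str, str]]:
    """Resolve a token, comparing in constant time so that response timing
    does not reveal how much of a submitted token matched a real one."""
    for known, pass_id in TOKEN_INDEX.items():
        if hmac.compare_digest(known, token):
            return BOARDING_PASSES[pass_id]
    return None


def tamper(token: str) -> str:
    """Change a single character of a token, the edit the article's reporter made
    to her URL; against a random token this should find nothing."""
    first = "B" if token[0] != "B" else "C"
    return first + token[1:]


if __name__ == "__main__":
    print("ids readable next to 32767 (insecure):", neighbours_readable(32767))
    path = issue_link(32767)
    tok = path.split("token=", 1)[1]
    print("secure lookup of issued token:", lookup_secure(tok))
    print("secure lookup after a one-character edit:", lookup_secure(tamper(tok)))
```

Mapping token to record through a dictionary key is the usual production shape; the linear scan here is only to show the constant-time comparison.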

Follow @duckblog

Groovy image of aeroplane courtesy of Shutterstock.



Monday, December 22, 2014

The 12 Days of Christmas - all the answers to the #naksecquiz


We've just finished running our 12 Days of Christmas #naksecquiz.

For the first 12 working days of December, we revisited the big stories of 2014, one per day.

Each day, we included a quick quiz question related to the day's material, and invited you to submit your answers.

And each day we gave away Naked Security T-shirts to 5 lucky winners.

We thought this would be a fun way of looking back over the ups and downs of the year.

A huge "Thanks!" to everyone who took part – we received close to 3000 answers to the 12 questions.

Close to 80% of the answers submitted were correct.

Here's how you did:

Lots of you answered more than one question correctly, but only seven people got a perfect 12 out of 12:

We'll let you know who's won the Ueberprize, open to those who got every question correct, once we've told the winner...

...If they want to be identified, of course!

We couldn't include everybody's favourite story, but here's what we chose.

Click on the text Day N to view the story for each day.

Click on the text Day N+1 to view the question and answer for the previous day.

Story: The game "Talking Angela" provoked a stream of comments from people who claimed it was a cover for paedophilia, even though all the evidence (and common sense) said that it was not.

Moral: Make sure brain is in gear before engaging mouth.

Story: XP passed over into unsupported mode in April 2014. But many diehard users said they would neither update to a more secure version of Windows, nor switch to a different operating system.

Moral: Do it for the rest of us, because XP's insecurity doesn't just hurt you.

Story: The "Heartbleed" bug affected any software using OpenSSL. Servers could be tricked into leaking random fragments of private data. No knowing what a hacker might get, so everyone scrambled to patch it.

Moral: Many eyes make all bugs shallow? Piffle. This bug was there for years.

Story: Numerous Aussies woke up one morning to find their iPhones locked and a $100 ransom demand displayed. Crooks had done a remote lock and wanted money to sell you back the unlock password.

Moral: Pick a proper password.

Story: The developers of the free and popular encryption software TrueCrypt suddenly announced, "It's insecure. Don't use it." Seems they just decided they'd had enough. Goodbye users.

Moral: Buy Sophos's SafeGuard product instead.

Story: Mobile malware has been around for ten years already. It all started with Cabir, a Symbian virus for Nokia phones from 2004.

Moral: There's nothing new under the sun.

Story: Law enforcement took out a bunch of servers behind the infamous malware families Gameover and CryptoLocker. Sadly, new crooks appeared to fill the void.

Moral: Keep your guard up.

Story: SophosLabs in Hungary measured a single zombie-infected PC on a regular network connection sending 5,500,000 spams in a single week. 75% of the spam advertised dodgy pharmaceutical sales; the rest sent out malware.

Moral: Kill-a-zombie today.

Story: Apple and U2 signed a deal to give you the new U2 album for free. But they didn't ask you. Whether you wanted it or not, it just turned up in your iTunes.

Moral: Ask for permission. Even if you are Bono.

Story: The "Shellshock" bug was found in Bash, a command processor common on OS X and Linux. You could trick Bash into running commands a server wouldn't notice, even if it was programmed to be really cautious.

Moral: Still think Linux and OS X have some sort of magic security shield?

Story: You could bypass Snapchat's claimed "auto-deletion" of photos by fetching them onto a site called SnapSaved.com. Guess what? SnapSaved.com got hacked.

Moral: You uploaded a selfie to the internet. What did you think was going to happen?

Story: We went out of our way to convince you that there's never a good reason to choose a weak password. You may as well choose a good one every time, especially if you use software to help you with the randomness.

Moral: There's never a good reason to choose a weak password.

Because there isn't a Day 13 article, there isn't anywhere to click for the answer to the final question from Day 12.

So here it is.

We asked you to make sense of the six characters MXIPCZ by using what we called a "Caesar Salad" cipher.

Shift 3 letters along 3 places; 2 letters along by 2; and 1 letter by 1.

For example, shifting MXIPCZ with the "shift key" 122333 would give NZKSFC, although that doesn't make sense.

If you treat the possible keys as the permutations of the string 122333, denoting the amount to shift each letter, you'll find there are only 720 (6x5x4x3x2x1) possible keys.

In fact, you only need the unique permutations (or combinations), of which there are just 60.

You could write a quick program to print them all out and then look for the obvious one. (We used Python and its itertools module.)

Or you could just write out three rows of characters, shifting each letter one, two or three characters in each row, like this:

Scrambled = MXIPCZ
Shifted 1 = NYJQDA
Shifted 2 = OZKREB
Shifted 3 = PALSFC

Now choose one character from each vertical column, and see if you can make anything like a word.

If you can, cross-check that it matches the "shift key" pattern of 3 letters by 3, 2 letters by 2 and 1 by 1.

We think the answer's obvious: NAKSEC.
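As an added example (not the quiz authors' own Python), here is the itertools approach the article mentions, with the shift multiset as a parameter so it goes beyond the single "122333" case: it enumerates the 60 distinct keys, applies each to MXIPCZ, and can cross-check a guessed word against the 3-by-3, 2-by-2, 1-by-1 pattern.

```python
"""Brute-force the "Caesar Salad" cipher from Day 12 of the quiz.

Added example, not the article's own code. Every letter of the ciphertext
is shifted by its own amount, and the key is some ordering of the shift
digits 1,2,2,3,3,3. itertools.permutations treats equal digits as distinct
(720 orderings), so the orderings are de-duplicated down to the 60 unique keys.
"""
from itertools import permutations
from typing import Dict, List, Tuple
import string

ALPHABET = string.ascii_uppercase


def shift_letter(ch: str, amount: int) -> str:
    """Shift one upper-case letter forward by `amount`, wrapping Z -> A."""
    if ch not in ALPHABET:
        return ch  # leave non-letters (spaces, punctuation) untouched
    return ALPHABET[(ALPHABET.index(ch) + amount) % 26]


def apply_key(text: str, key: Tuple[int, ...]) -> str:
    """Shift each character of `text` by the matching entry of `key`."""
    if len(text) != len(key):
        raise ValueError("key must have exactly one shift per character")
    return "".join(shift_letter(c, k) for c, k in zip(text, key))


def unique_keys(shift_multiset: str) -> List[Tuple[int, ...]]:
    """All distinct orderings of the shift digits, e.g. '122333' -> 60 keys."""
    return sorted(set(permutations(int(d) for d in shift_multiset)))


def all_candidates(ciphertext: str, shift_multiset: str = "122333") -> Dict[str, str]:
    """Map every distinct key (as a digit string) to its candidate plaintext.
    A human still has to spot the one that reads like a word."""
    return {"".join(map(str, k)): apply_key(ciphertext, k)
            for k in unique_keys(shift_multiset)}


def keys_producing(ciphertext: str, target: str,
                   shift_multiset: str = "122333") -> List[str]:
    """Which keys turn `ciphertext` into `target`? This is the cross-check the
    article suggests: a word guessed from the shifted rows must also fit the
    3x3 / 2x2 / 1x1 pattern, otherwise no key is returned."""
    return [k for k, p in all_candidates(ciphertext, shift_multiset).items()
            if p == target]


if __name__ == "__main__":
    cands = all_candidates("MXIPCZ")
    print(f"{len(cands)} distinct keys")
    for k, p in cands.items():
        print(k, p)
    print("keys giving NAKSEC:", keys_producing("MXIPCZ", "NAKSEC"))
```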

Follow @duckblog



Sunday, December 21, 2014

Microsoft deluged with support in its email privacy battle against US government


Microsoft would prefer if the US Department of Justice (DOJ) refrained from reaching over the ocean and past international law to ransack its Irish servers.

It's been fighting the issue in court since August, when it refused to comply with a warrant for a user's email that was stored in a Dublin data center.

On Monday, much of the tech industry, along with civil rights advocates, backed Microsoft in its legal battle, with more than 75 civil liberties groups, technology companies, trade associations and computer scientists filing legal briefs in support of the software company.

At issue: the DOJ's insistence that it may search Microsoft's overseas servers with a valid US warrant, sidestepping national and international laws that protect such content.

The scope of support for Microsoft's position is unprecedented, its counsel says.

Verizon has said that if the US prevails in this case, it would produce "dramatic conflict with foreign data protection laws."

Apple and Cisco have also come out against the government, saying that the tech sector runs the risk of being sanctioned by foreign governments and that the US should instead seek cooperation with foreign nations via treaties: a position the US has deemed impractical.

The deluge of support that added to these previously filed briefs points to what a precedent-setting case this will be if the company loses - one that would affect the technology world on a global basis, Microsoft Executive Vice President and General Counsel Brad Smith wrote in a blog posting about the outpouring of support:

Seldom has a case below the Supreme Court attracted the breadth and depth of legal involvement we're seeing today. ... This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.

Microsoft published the list of backers that filed amicus briefs, including large media outlets such as National Public Radio, The Washington Post, The Guardian, and Forbes; leading technology companies such as Verizon, Apple, Amazon, Cisco, Salesforce, HP, eBay, Infor, AT&T, and Rackspace; professors of computer science; civil rights and free speech advocates such as Digital Rights Ireland, the Electronic Frontier Foundation, and the Center for Democracy and Technology; trade groups such as the National Association of Manufacturers and the Reporters Committee for Freedom of the Press; and even the US Chamber of Commerce.

The groups and companies are all raising issues similar to those already brought up by Apple, AT&T, Cisco and Verizon, Smith said:

These groups raise a range of concerns about the significant impact this case could have both on the willingness of foreign customers to trust American technology and on the privacy rights of their customers, including US customers if other governments adopt the approach to US datacenters that the US Government is advocating here.

Verizon said in its policy blog that the US government is overreaching:

The law does not allow the US government to use a search warrant to obtain customer data stored overseas. The US Supreme Court has reiterated many times that US statutes are presumed not to have extraterritorial application unless Congress "clearly expressed" its "affirmative intention" to the contrary.

There's good reason why Congress hasn't said that domestic US warrants should apply to data stored offshore, Verizon's Randal Milch wrote. For one thing, the content of private email belongs to a customer, not to a provider.

The DOJ has resisted this argument, claiming that email stored in the cloud ceases to belong exclusively to us, becoming instead the business records of a cloud provider.

Because business records have a lower level of legal protection than personal records, the government claims that it can use its broader authority to reach emails stored anywhere in the world.

But if Microsoft were to give in to the government's demands, it would actually be breaking Irish law, Verizon points out:

Ireland's Minister for Data Protection has made clear that "when governments seek to obtain customer information in other countries they need to comply with the local laws in those countries."

In fact, there are treaties in place that would have dictated whether or not the emails could be dug out of Microsoft's offshore servers. Specifically, the DOJ could have followed procedures under the Mutual Legal Assistance Treaty between the US and Ireland to request the information it needed from the government of Ireland "in a manner consistent with Ireland's laws", Verizon points out.

Why didn't the DOJ go that route? Many suggest that the reason is because it knew full well that it wanted something that was inconsistent with Ireland's laws.

In its latest appeal, Microsoft argued that going outside of well-established treaties and partnerships to get at data wherever it's stored sets a precedent for other countries to do the same and thus threaten the privacy of Americans.

There's good reason why Microsoft and other tech companies store customers' data close to them, Smith said:

As we've said since this case began, tech companies such as Microsoft for good reason store private communications such as email, photos, and documents in datacenters that are located close to our customers. This is so consumers and companies can retrieve their personal information more quickly and securely. For example, we store email in our Irish datacenter for customers who live in Europe.

And even if the treaties need an overhaul, that's no reason to ignore them completely, he suggested:

The US has well-established treaties with countries around the world that allow them to seek the information they need while ensuring that citizens of other countries retain the privacy protections offered by their own laws and Courts. And there's ample opportunity for work to modernize these agreements further.

Follow @LisaVaas

Follow @NakedSecurity

Image of data center privacy courtesy of Shutterstock.



Saturday, December 20, 2014

Uber: We accessed reporter's private trip info because she was late


Taxi. Image courtesy of Shutterstock.

In a letter to Senator Al Franken, Uber says it accessed a reporter's account because "She was 30 minutes late" to a meeting and an executive wanted to know when she'd show up so he could meet her in the lobby.

And flash his iPhone at her. And tell her that he was tracking her, according to a report from The Guardian.

In fact, Uber New York General Manager Josh Mohrer reportedly poked at BuzzFeed reporter Johana Bhuiyan's personal data twice, on both occasions tracking her movements without her permission.

That's just one of a rash of eyebrow-raising reports about Uber's data collection practices and possible misuse of consumers' data that came to light last month and which prompted Sen. Franken to send the company a letter with 10 pointed questions about the company's privacy policies.

(Note: Non-US readers might not be familiar with the American use of the term "rider" as used in these letters. Uber, Senator Franken and American media use the term to indicate "passenger".)

He also asked Uber, which connects passengers with drivers-for-hire using a GPS-based mobile app, to explain how widely it uses its so-called "God View" tool, which allows Uber to track passengers' locations.

In a 3-page response, Uber's Managing Counsel of Privacy, Katherine M. Tassi, reiterated what the company's been saying all along: that it has a "strong culture of protecting rider information" and that the company "prohibits employees from accessing rider information except for legitimate business purposes."

Franken said in a press release on Monday that while he was glad to get a reply, the letter wasn't particularly forthcoming with the details he'd asked for.

To wit:

I am concerned about the surprising lack of detail in their response. Quite frankly, they did not answer many of the questions I posed directly to them. Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining, and sharing customer data.

Franken had originally asked what, exactly, would trigger the company to discipline an employee for violating privacy policies and whether any disciplinary actions had been taken on that basis.

In the case of the twice-tracked BuzzFeed reporter, Uber says that Mohrer "believed he had a legitimate purpose for looking at" Bhuiyan's location as she travelled to his office, but that Uber "regarded his judgment in this instance to be poor" and has "disciplined him accordingly".

Franken had also asked about Uber SVP of Business Emil Michael having suggested spending $1 million to mine personal data for dirt to discredit a journalist who criticized the company.

Franken had noted in his letter that Michael's statements sound like they were intended to have a chilling effect on journalists covering Uber and had asked if he'd been disciplined as a result.

Apparently not.

Uber mentioned in its letter that if the company had in fact used account details to discredit journalists, it would have been a "gross invasion of privacy" and a "violation of our commitment to our users", but in fact the executive's comments were just "ill-considered" given his "frustration with reporters" and "don't reflect company policies or practices."

Uber has publicly apologized for the incident, Tassi notes.

With regards to the "God View" function, which allows Uber to see where all of its cars and all of its passengers are at any given time, the letter says that the company's scaled it back so that only employees in "operations or other areas, like fraud prevention" can use it.

Uber also stated that the company had shown God View to “third parties” in the past because it has a "compelling visual display," but when showing it to those outside the company, it's stripped down to "presentation view, which has been available for about a year now and makes rider personal data inaccessible."

Franken said that he's “concerned” by the response and will continue “pressing for answers.”

Earlier this month, the senator also sent a letter to Uber competitor Lyft to clarify its own privacy policies.


Friday, December 19, 2014

Did computer security get better or worse in 2014? Have your say...


It's the end of the year and time to reflect on the events of 2014. There were some high profile wins, like the apparent defeat of the GameOver botnet, and some dreadful losses such as the Heartbleed bug - but what was the final score?

Did the forces for good win, lose or draw in 2014?

It's a big subject and there are many, many points of view. So we'd really like to read about your perspective on the year just gone - what did you think of computer security in 2014? You can vote in our poll and leave your thoughts on the year in our comments.

To whet your appetite I asked our regular contributors to give you some food for thought, starting with me.

It seems to me that popular, mature software is getting harder to crack with encryption, bug bounties, responsible disclosure and frequent, predictable - often automatic - updates increasingly accepted as best practice. We know how we should be writing software, even if we're not all doing it yet.

Users remain our Achilles' heel though - year after year, we continue to choose terrible passwords and to click on links and attachments we shouldn't, and 2014 was no better.

So long as security is reliant on good behaviour from users who adapt at a slower rate than software, we're standing still at best.

Mark is founder of independent web consultancy Compound Eye.

I'd say things have got better, although not necessarily more secure just yet.

It may feel bad that there have been so many horrible vulnerabilities in vital software, epic leaks of all sorts of personal data, awful privacy decisions by sites and services people trust, mass doxing of celebrities, huge scams and frauds and lots and lots of general misery, which in themselves are of course not a good thing.

But the scale and frequency of incidents this year feels like it has really pushed us over a tipping point and made security a topic everyone is thinking about, rather than just a few specialists.

People everywhere, from technophobic moms and pops to tight-fisted business leaders, are starting to realise the dangers they can stumble into, and are making efforts to make themselves more secure. In the long run that means fewer easy targets and more demand for better protections, so eventually everyone will end up safer.

John Hawes is Chief of Operations at Virus Bulletin and sits on the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO).

This year has been a mixed bag. We won some battles on the privacy front with an increasing number of websites using HTTPS as a default.

It also appears we fatally wounded the GameOver/CryptoLocker infrastructures.

Like high-waisted "mom" jeans, macro viruses are back making us wary of opening Word documents again. Hipster beards and fixies seem to be going strong and so does ransomware. Now we have viral ransomware with hybrid action mechanisms. A little dose of the old sprinkled with some new flavour.

It appears as though we are also staring down the barrel of 64-bit malware which is giving us something new to worry about. Let's not forget that (really) old code though! Something written 20 years ago by someone with a different kind of beard is now front page news with a catchy name, a website and a PR agent.

It certainly was a bad year for retail but a great teaching opportunity on how not to do security. So it seems awareness is increasing but we still have a long way to go before we can claim any kind of decisive victory, so let's call 2014 a draw.

John Shier is a Senior Security Expert at Sophos, a popular presenter at security events and a hands-on technical guru for Sophos partners and customers.

The Snowden rash keeps itching, and the industry's immune system is kicking in to make this a year where security took some performance-enhancing drugs.

Big tech is hosing itself down trying to rid itself of any whiff of government collusion, as in, perish the thought that we knew about backdoors allowing law enforcement to prance into our products. Or, as Google and Apple would put it, Encryption-R-Us. Good stuff for consumers, unless of course the US government succeeds in stabbing warrantless search to death once and for all.

Cyberbullying got a tiny bit better in some corners, such as Facebook apologising to the LGBT community over its real-name policy and promising to fix its cluelessness over the importance of pseudonyms in protecting people from harassment and violence.

But it was still damn hard to be a teacher. Or a kid. Or a female game developer. Or a victim of cyberbullying, bomb threats, stalking, Sony or Sony-like data doxing, or nude photo theft and publishing.

Let's not pat ourselves on the back for a job well done just yet. There's still an enormous amount of work to be done to make the internet a more safe place for all.

Lisa Vaas is a freelance technology writer and former executive editor of eWeek whose credits include CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and HP's Input/Output.

The 2014 computer security glass is half-empty because...

We spent a lot of time in 2014 energetically repeating the worst blunders of 2013. Case in point: malware breaches on point of sale networks via the same holes we had last year, including contractors or vendors with pathetically insecure remote access to our own networks. "Those who cannot remember the past are condemned to repeat it," so it's time to stop living in the past!

The 2014 computer security glass is half-full because...

We're ready to try out security procedures that we rejected last year. Case in point: two-factor authentication. Two or three years ago, lots of people were telling us that they weren't willing to put up with inconvenience to help someone else do security better. Today, we're hearing the same people saying, "Where is it? Bring it on!" It's great that we're no longer living in the past!

Paul Ducklin is Naked Security's security-proselytiser-in-chief and winner of the inaugural 'AusCERT Director's Award for Individual Excellence in Computer Security' in 2009.

2014 was the year that the data breach went mainstream. From JP Morgan to Home Depot, Victoria's Secret to Sony, the news was filled with ever-increasing stories of doom, payment card theft and personal information exfiltration.

But you know what? There is a silver lining.

Security awareness is still in its infancy and mainstream news coverage may just prompt users and organisations to choose stronger passwords, review security policies and adopt a non-checkbox approach to security standards and regulations.

So while 2014 hasn’t been a great year for computer security, I do have some optimism for the new year ahead.

Lee Munson is a writer, social media manager and founder of the popular computer security website Security FAQs.

That's enough fence-sitting from our writers, now tell us what you think!


Friday, June 20, 2014

Feds swoop in, snatch mobile phone tracking records away from ACLU


The American Civil Liberties Union (ACLU) filed a run-of-the-mill public records request about cell phone surveillance with a local police department in Florida.

The US Marshals Service last week reacted by swooping in and snatching those records out from under the ACLU's nose just hours before they were supposed to review them.

After the Feds seized the surveillance records, US Marshals then moved the physical records 320 miles away, meaning the ACLU wouldn't be able to learn how, and how extensively, police use snooping devices.

The ACLU promptly filed an emergency motion to get local police to disclose the records, which detailed how police had used a stingray to track nearby phones to a suspect’s apartment without getting a warrant.

A Florida judge last Tuesday granted the ACLU's emergency motion.

A stingray is a surveillance device that sends powerful signals to trick cell phones - including those of innocent bystanders - into transmitting their locations and their IDs.

The ACLU called the records grab an "extraordinary attempt to keep information from the public".

Even a former judge and a former United States magistrate judge found the US Marshals' action "weird" and "out of line", they told Ars Technica.

Former US magistrate judge Brian Owsley had this to say:

This one is particularly disturbing given the federal government's role in coming in and taking all of these records that were at issue in a state open government act.

In order to spirit away the records, the ACLU explains, the US Marshals waved a wand over Sarasota police detective Michael Jackson and transmogrified him - and the records - into their own property:

The Sarasota Police set up an appointment for us to inspect the applications and orders, as required by Florida law. But a few hours before that appointment, an assistant city attorney sent an email cancelling the meeting on the basis that the US Marshals Service was claiming the records as their own and instructing the local cops not to release them. Their explanation: the Marshals Service had deputized the local officer, and therefore the records were actually the property of the federal government.

The ACLU called the Marshals' actions highly irregular:

The Sarasota detective created the applications, brought them to court, and retained the applications and orders in his files. Merely giving [the detective] a second title ('Special Deputy US Marshal') does not change these facts. But regardless, once the Sarasota Police Department received our records request, state law required them to hold onto the records for at least 30 days, to give us an opportunity to go to court and seek an order for release of the documents.

Last week, Ars Technica reported how use of the stingray in a Tallahassee, Florida, rape case only came out once testimony from a local police officer was unsealed.

The detective had told the court that he would only testify about how the stingray was used if his testimony was not made public.

That's because, the assistant attorney general told the court, the police were under a non-disclosure agreement (NDA).

Late last Tuesday, the judge ordered unsealing of the entire transcript of the suppression hearing.

The ACLU published the portion that, it says, the government tried to keep secret.

The ACLU says the released information "confirms key information about the invasiveness of stingray technology", including that:

Stingrays "emulate a cellphone tower" and "force" cell phones to register their location and identifying information with the stingray instead of with real cell towers in the area.

Stingrays can track cell phones whenever the phones are turned on, not just when they are making or receiving calls.

Stingrays force cell phones in range to transmit information back "at full signal, consuming battery faster."

When in use, stingrays are "evaluating all the [cell phone] handsets in the area" in order to search for the suspect's phone. That means that large numbers of innocent bystanders' location and phone information is captured.

In this case, police used two versions of the stingray - one mounted on a police vehicle, and the other carried by hand. Police drove through the area using the vehicle-based device until they found the apartment complex in which the target phone was located, and then they walked around with the handheld device and stood "at every door and every window in that complex" until they figured out which apartment the phone was located in. In other words, police were lurking outside people's windows and sending powerful electronic signals into their private homes in order to collect information from within.

The Tallahassee detective testifying in the hearing estimated that, between spring of 2007 and August of 2010, the Tallahassee Police had used stingrays "200 or more times."

I agree with a commenter on Ars's coverage, CQLanik, who noted that if a local police department can't allow the public to know the shady methods used to come by their evidence, then that method shouldn't be legal:

People have a right to face their accuser, and that right is being taken away by the use of secret evidence gathering.

What do you think?


Thursday, June 19, 2014

Patch Tuesday for June 2014 - 7 bulletins, 3 RCEs, 2 critical, and 1 funky sort of hole


The elevator pitch for this month's Microsoft Patch Tuesday is as follows:

Seven bulletins. Three remote code execution (RCE) holes, of which two are deemed Critical. Patches apply to Windows, Internet Explorer (IE), Office, Live Meeting and Lync. All supported versions of IE get patches. All Windows versions, including Server Core and RT, get at least one Critical RCE patch. All patched systems need a reboot.

Even more briefly: you'll need to patch and reboot every Windows system on your network.

OK, except for your Windows XP computers.

But why not reboot them all in solidarity, anyway?

Some of them might not come back up, and then you'll have an excuse to tell your boss that you can't put off updating them any more.

One of the patches, number seven, is a security hole of a type you don't see announced very often in Microsoft bulletins: Tampering.

You're probably used to seeing vulnerability tags like RCE (remote code execution), EoP (elevation of privilege, where a regular user can get unauthorised administrative or system powers), DoS (denial of service, where an outsider can crash software that you rely on), and Information Disclosure (where data that should stay private can be accessed without authorisation).

If you've listened to our Understanding Vulnerabilities podcast, you'll know that RCE bugs usually get the most attention, because they offer a break-and-enter path to attackers who are outside your network.


But the other sorts of vulnerability can be combined with RCE into a much more dangerous cocktail.

For example, a Disclosure bug might allow crooks to steal authentication data that makes it much easier for them to pull off an RCE; a cunningly timed DoS might knock out intrusion detection software that would otherwise trigger an alert; and an EoP might add system administrator powers to a user-level compromise.

Here's an analogy: a Disclosure bug tells a crook where you live and when you won't be home; the RCE lets him pick your front door lock and get inside; the DoS means he knows how to turn off your burglar alarm; and the EoP gets him into your safe as well, once he's in the house.

Tampering is another sort of security hole that may help crooks, either by allowing them to initiate their attack more easily, or by making things worse for you once they have broken in.

Very loosely, tampering means that you can make a security-related change that should raise an alarm, but doesn't.

For example, you might be able to add malware to someone else's digitally signed software and have the system still accept it as trusted.

You might be able to make your own digital certificate, for example for a fake web page, but pass it off as someone else's.

Or you might be able to tamper with a protected configuration file, thus altering the settings and behaviour of software such as a web server, without being noticed.

One well-known example of a tampering exploit is last year's MasterKey malware for Android, which bypassed Google's Android Package (APK) cryptographic verifier, making the malware look legitimate.

This didn't just allow the malware to get the blessing of Google's compulsory install-time security check, but also allowed the crooks to put the blame on an innocent vendor, whose digitally signed package they started with.

Another famous tampering exploit is the announcement by security researchers in 2008 that they had succeeded in creating a fake Certification Authority web certificate by finding a collision in the MD5 hashing algorithm.

Their home-made certificate appeared to have been signed by one of the top-level "root authorities" that almost every browser trusts by default, and would have allowed them to sign apparently-trusted certificates for any website they liked.

Don't use MD5 in any new project. We knew it was cryptographically flawed before 2008, but the abovementioned certificate crack made it quite clear that it was dangerously unsafe in real life, not just in the lab.
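A defender-side check for the signed-package tampering described above, added here as an example and not code from the article, from Google or from any Android component: MasterKey relied on an APK's ZIP container carrying two entries under the same name, so that the verifier and the installer could each pick a different copy (that mechanism comes from public reporting on the bug, not from this article). Scanning the central directory for repeated entry names catches that container shape before any signature is trusted; the sample package below is constructed inline and is not a real app.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(package_bytes: bytes) -> dict:
    """Map each entry name that occurs more than once in the ZIP central
    directory to its number of occurrences.

    A well-formed APK never repeats a name. Two entries sharing a name is
    the shape of a MasterKey-style bypass: a signature verifier and an
    installer can disagree about which copy they are looking at.
    """
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_structurally_sound(package_bytes: bytes) -> bool:
    """True only if no entry name is repeated. Intended to run before,
    not instead of, the normal cryptographic signature check."""
    return not duplicate_entries(package_bytes)


def build_sample_package(tampered: bool) -> bytes:
    """Constructed sample, not a real app: a tiny ZIP standing in for an APK.

    With tampered=True a second 'classes.dex' is appended under the same
    name, the way a repackaged signed app would carry injected code while
    the original, signed copy is still present for the verifier to hash.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original code")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if tampered:
            # zipfile warns about the duplicate name but writes it anyway,
            # which is exactly the container shape we want to detect.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00injected code")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        pkg = build_sample_package(tampered=flag)
        label = "tampered" if flag else "clean"
        print(label, duplicate_entries(pkg), is_structurally_sound(pkg))
```

The clean package reports no duplicates; the tampered one reports {'classes.dex': 2} and fails the structural check.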

We can't yet say exactly what form this latest Windows tampering vulnerability takes, but it affects Windows 7; 8 and 8.1; Server 2008 R2 (not Itanium, and not Server Core); and all supported flavours of Server 2012, including Server Core.

Watch this space: we'll tell you more after we've spoken officially to Microsoft on Patch Tuesday itself.

The final item of interest about the June 2014 Patch Tuesday is that the update to IE fixes a security hole known as CVE-2014-1770.

Technically, this became a zero-day in IE 8 when it was disclosed by HP's Zero Day Initiative during May 2014, after Microsoft hadn't managed to come up with a fix for six months. (More precisely, after 180 days.)

The discoverer of the bug, who sold it to HP for an undisclosed sum, was careful to point out that all that was published last month was an advisory, not a proof of concept; indeed, he said that "it won't be easy to reproduce the vulnerability based on the advisory alone."

Even after you have uncovered a vulnerability, there is almost always a lot of work (and sometimes it proves as good as impossible) to weaponise the vulnerability by actually coming up with a way to exploit it.

According to Microsoft, writing on its Security Response Center blog, no in-the-wild exploit using CVE-2014-1770 was ever seen, and thankfully the issue becomes moot on 10 June 2014, when the latest IE patches come out.

As we said at the outset: you'll need to patch and reboot every Windows system on your network this month.

Except XP, but that's another can of worms altogether.

Have a happy Tuesday!


Wednesday, June 18, 2014

Ransom-taking iPhone hackers busted by Russian authorities


The mystery of the ransom messages from "Oleg Pliss," and the iDevice locking attack that popped up in Australia and the US last month, seems to have been solved.

Authorities in Russia said they detained two criminals behind ransom attacks on Apple users that locked their devices remotely and demanded payment to unlock them.

I say "seems to have been solved" because Russian police said the hackers were responsible for the same scam on users in Russia, without mentioning victims in other countries.

The two Russian hackers - a 23-year-old and a 17-year-old from Moscow - reportedly confessed to scamming users into giving away their Apple IDs and using the Find My iPhone feature to lock the devices until the victims paid a ransom of up to $100 USD.

According to The Sydney Morning Herald, Russian media reported the pair of hackers were caught on CCTV when they withdrew victims' payments from an ATM.

Russia's Ministry of Internal Affairs stated on its website that agents searched the hackers' apartments and seized computers, phones, SIM cards and "literature" on hacking.

Russian authorities said the hackers used "two well-known schemes" to perpetrate their attacks, which affected Apple users in Russia.

It seems the two hackers tricked Apple users into giving away their Apple IDs with a phishing scam that asked them to sign up for an online video service that required their Apple IDs.

If a hacker gets hold of your Apple ID they can create an iCloud account which they can then use to lock your iPhone, iPad, iPod or iMac device remotely.

The Sydney Morning Herald reports that victims who locked their phones with passcodes could simply enter it, change their iCloud password and avoid having to pay a ransom.

Users who didn't set passcodes were less fortunate and had to resort to wiping their devices and restoring them from backups.

If you've been hacked by 'Oleg Pliss' then we recommend you follow the advice in our earlier article Apple ransomware strikes Australia.

In the security industry we call cyber attacks that take over your computer and demand payment "ransomware".

The most famous ransomware is the notorious CryptoLocker, which authorities recently knocked out by taking over the cybercriminals' command and control servers.

Only recently, however, have crooks figured out how to turn the success of ransomware for PCs into a lucrative racket on mobile devices.

Technically, since the "Oleg Pliss" hackers didn't drop any malware onto the devices of their victims, the iDevice-locking attack isn't a real example of ransomware, but it has the same devious purpose - to extort victims for money.

It's a much different story for Android, which is more susceptible to mobile malware.

A file-encrypting ransomware for Android called Simplelocker was recently discovered, and another kind of ransomware known as a "police locker" has hit Android users who download an infected file claiming to be a video player.

As a security precaution, you should make sure you lock your phone with a secure passcode.

Your Apple ID is the key to your iDevices, so make sure you hold onto it tight (don't use your Apple ID for a suspicious media-download website, for example).

You should also make sure your iDevices are up to date with the latest iOS software version to stay safe from known exploits.

For Android users, we also recommend using an anti-virus such as Sophos Antivirus and Security, our free app for smartphones and tablets.

For more information on keeping your phones and tablets safe take a look at our 10 tips for securing your smartphone.


Tuesday, June 17, 2014

Facebook stupidity leads to largest gang bust in NYC history


Kids can be street-smart and Facebook-stupid, to paraphrase how Vice News put it.

Police love that naive, completely misplaced trust in the supposed anonymity of social media postings.

In fact, it was a long trail of quite helpful Facebook postings about crimes that led New York City police to what authorities are calling "the largest gang takedown in New York City's history".

After a 4-year-long investigation by the New York Police Department (NYPD), 103 gang members were indicted on Wednesday, thanks mostly to the evidence teenagers left on their Facebook profiles.

Five hundred NYPD officers descended on two housing projects in the NYC neighborhood of West Harlem Wednesday morning to arrest 40 of those who were indicted.

Police told reporters that 23 more alleged gang members are still being sought, while the rest were apprehended prior to the Wednesday bust.

Most of those arrested are between 15 and 20 years old, while some were as old as 30.

Prosecutors say the boys and men belong to three gangs: the two allied gangs of Make It Happen Boys and Money Avenue, and their rivals, 3 Staccs.

The gangs have waged war over the past four years, with the carnage now resulting in accusations of two homicides, 19 non-fatal shootings and about 50 other shooting incidents, according to a press release put out by Manhattan District Attorney Cyrus R. Vance, Jr.

According to the indictments (which can be read here and here), the gang members fought tooth and nail to control their territory - the two housing projects are only a block away from each other - and to climb the gangster hierarchy via shootings, stabbings, slashings, assaults, gang assaults, robberies, revenge shootings, and murders.

They were also busy chronicling it all via social media, posting hundreds of Facebook updates, direct messages, mobile phone videos, and calls made from Rikers Correctional Facility to plot the deaths of rival gang members.

They used postings to publicise and claim credit for - and to rub their enemies' noses in - their crimes, prosecutors say.

One of the gangs' victims - 18-year-old Tayshana "Chicken" Murphy - was a promising basketball star. Her father has said that she was being recruited by several colleges.

Ms. Murphy was gunned down in her building in September 2011. One of the gang members allegedly bragged about it on Facebook.

A second victim, Walter "Recc" Sumter, who owned the gun used to kill Ms. Murphy, was murdered that December in apparent retaliation.

Prosecutors say that two days after the death of Ms. Murphy, alleged gang member Davon "Hef" Golbourne wrote to a 3Staccs rival that they had "fried the chicken."

The rival, Brian "Pumpa" Rivera, replied "NOW IMAAA KILL YUHH."

In fact, investigators pored over more than 40,000 phone calls between gang members already in jail and those on the outside, hundreds of hours of surveillance video, and "more than a million social media pages," Vance said in his statement.

According to Vice News, the word "Facebook" shows up 162 times in one of the indictments and 171 in the second.

Rev. Vernon Williams, a Harlem pastor who has spent years trying to curb youth violence in the neighborhood and who personally knows many of the indicted teens, told Vice News that they're not the brightest bulbs on the tree when it comes to social media:

They are Facebook dummies.

Because the stuff that they were saying, that was gonna come back to bite them, especially admitting participating in crimes, admitting getting the weapons that were gonna be used in crimes, and then calling someone in a state prison and giving them a report of what they did.

But while the kids were undeniably stupid about Facebook, Williams also criticised the law for letting this battle rage for so long instead of stepping in earlier:

The indictment is almost 200 pages long and I would say 75-80 percent of [one of the indictments] is Facebook posts and similar activity.

The DAs office was helped by the accused. All [the police] did was watch and document it. I don’t know what took them so long, but once they had enough, they scooped them up.

That is a very good question. Why did police need four years to round these guys up when they had alleged criminals posting about it on social media?

Stupidity about social media is a gift to investigators. One would hope that the gift gets turned into protection for the community as fast as practicable.


Monday, June 16, 2014

Gameover and CryptoLocker revisited - the important lessons we can learn


We recently wrote about an international takedown operation, spearheaded by US law enforcement, against the Gameover and CryptoLocker malware.

That led to a resurgence of interest in our earlier articles about these threats.

So we thought it would be handy to revisit the lessons that this sort of crimeware can teach us.

If we're honest, Gameover is the more serious threat to worry about.

It's a bot, or zombie, meaning that its function is to hand covert remote control of your computer over to cybercriminals.

They can go after your online banking credentials (and the Gameover gang did, to the tune of some $100m in the US alone), but they can also read your mail, mess with your social networking accounts, record your voice, turn on your webcam, and more.

In fact, the crooks can do pretty much anything they like, not least because Gameover, like most zombie malware, includes a general-purpose "download, install and launch yet more malware" function.


In other words, finding out you've had Gameover for the past month is like realising you forgot to hang up the phone and your boss has been listening in to the last 30 minutes of garrulous tittle-tattle you've been having with your chums.

You can't be sure just how badly things might end up, but you know it's not going to be good.

And one way that Gameover ended for many victims was with a CryptoLocker attack.

That's because the crooks used the Gameover botnet to infect selected victims with the CryptoLocker ransomware, which promptly called home, downloaded a disk-scrambling encryption key, and locked up their data.

Want it back? That'll be $300.

For the most part, as far as we can see, victims who paid up did get their data back, and word quickly spread that the crooks were (if you will pardon the oxymoron) men of their word, with the result that business boomed.

Fellow Naked Security writer Chester Wisniewski, who speaks at a lot of conferences and seminars, even met people who shrugged and admitted that they'd handed over $300 to the crooks because it was less hassle than restoring from backup, and they'd heard that the crooks would probably honour the payment.

Honour, indeed!

So CryptoLocker ended up as better-known and more feared than Gameover, even though, for many people, Gameover was actually the cause of their CryptoLocker trouble.

You can see why CryptoLocker captured the imagination more than Gameover: CryptoLocker is one of those in-your-face, "so near but so far" threats.

If you get hit, your computer still works, your files are still there, and you can even open them up.

But if you do you will find they consist of the digital equivalent of shredded cabbage.

Worse still, CryptoLocker doesn't limit itself to scrambling files on your hard disk.

Any drives, shares and folders that you can find with Explorer are visible to the malware, and if it has write access to any of those places, the data stored there is shredded cabbage, too.

USB drives, secondary hard disks, network shares, perhaps even your cloud storage, if you have software loaded that makes it appear as a directory tree on your computer: all of these can end up ruined after a visit from CryptoLocker.

If your user account has Administrator privileges, or worse still, System Administrator privileges, you might end up spreading the ruination far and wide through your organisation.

At worst, a single user who is infected could leave all his work colleagues affected, even those who don't use Windows and couldn't get infected themselves, even if they tried.

Here are four suggestions that you can try yourself, and recommend to your friends and family.

• Don't rely on reactive virus scanning.

Reactively scanning your computer once a week, or once a month, cannot, by definition, prevent malware. It's a handy way of getting a "second opinion" about what's on your computer, but make sure you also use a proactive anti-virus program with an on-access or real-time scanner for both files and web pages. Real-time protection steps in before infection happens, so it doesn't just detect malware and malicious websites, it blocks them, too.

• Do consider email and web filtering.

Most businesses perform some sort of web or email filtering, to protect both the data and the staff in the organisation. If you have children to look after at home, or are the IT geek in a shared house, you might want to do the same sort of thing at home. (Sophos's UTM Home Edition is our full-featured business product, totally free for non-commercial use at home. It even includes 12 Sophos Anti-Virus for Windows licences for your desktops and laptops.)

Blocking suspicious websites needn't be about censoriousness or being a judgmental Big Brother. Instead, think of it as something you do because you're a concerned parent, or because you're watching your buddies' backs.

• Don't make your normal user account into an Administrator.

Privileged accounts can "reach out" much further and more destructively than standard accounts, both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.

For example, on Windows 8.1, you need to have at least one Administrator account, or else you wouldn't be able to look after your computer. But you can create a second account to use for your day-to-day work and make that account into a Standard user.

• Do make time for regular, off-line backups.

Even cloud backups can be considered "off-line," as long as you don't keep your cloud storage mounted as if it were a local disk, where it can be accessed all the time, by any program. Also, consider using backup software that can keep multiple versions (revisions) of regularly-changing files such as documents and spreadsheets, so that if you ruin a file without realising it, you don't end up with a backup that is equally ruined.

If you use the cloud for backup, we nevertheless recommend taking regular physical copies, for example onto removable USB disks, that you can keep somewhere physically secure, such as a safe-deposit box. Don't risk losing everything if you lose your computer together with your cloud storage password, or if your cloud provider goes bust (or gets shut down).

Encrypting your backups as you save them to removable disks or before you upload them to the cloud is also wise. That way they are shredded cabbage to everyone else.
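As an added example for the backup suggestion above (this is not code from the original article or from Sophos), here is a small Python script that keeps dated, never-overwritten snapshots and refuses to rotate older snapshots away when a file that used to be a readable document has suddenly turned into the near-random "shredded cabbage" that CryptoLocker produces. The 7.5-bits-per-byte entropy threshold, the folder names and the constructed sample file are assumptions made for illustration.

```python
"""Versioned, never-overwrite snapshot backup with a 'shredded cabbage' tripwire.

Added example, not code from the original article. File names, labels and the
7.5-bits-per-byte threshold are illustrative assumptions.
"""
import math
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_scrambled(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: a document that is suddenly near-random has probably been encrypted.
    Files under 256 bytes are ignored because entropy estimates on them are noise."""
    return len(data) >= 256 and shannon_entropy(data) > threshold


def snapshot(src: Path, dest: Path, label: Optional[str] = None,
             keep: int = 5) -> Tuple[Path, List[str]]:
    """Copy everything under src into dest/<label>/ as a brand-new snapshot.

    Earlier snapshots are never written to, so a ransomware-scrambled working copy
    cannot overwrite the last good version. Returns (snapshot_dir, suspicious), where
    suspicious lists files that were readable in the previous snapshot but look
    scrambled now. Rotation (pruning beyond `keep`) is skipped whenever anything looks
    suspicious: the worst outcome for a versioned backup is rotating the good copies away.
    """
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    label = label or time.strftime("%Y%m%dT%H%M%S")   # sortable, so the newest is last
    existing = sorted(p for p in dest.iterdir() if p.is_dir())
    previous = existing[-1] if existing else None
    target = dest / label
    if target.exists():
        raise FileExistsError(f"snapshot {label} already exists; refusing to overwrite")

    suspicious: List[str] = []
    for path in sorted(src.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(src)
        data = path.read_bytes()
        if previous is not None:
            old = previous / rel
            # Flag a file that was plain last time but is near-random now.
            if old.is_file() and looks_scrambled(data) and not looks_scrambled(old.read_bytes()):
                suspicious.append(rel.as_posix())
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, out)

    if not suspicious and keep > 0:
        for stale in (existing + [target])[:-keep]:
            shutil.rmtree(stale)
    return target, suspicious


if __name__ == "__main__":
    # Constructed demo: a text file, then the same file after a CryptoLocker-style overwrite.
    work = Path(tempfile.mkdtemp())
    docs, backups = work / "docs", work / "backups"
    docs.mkdir()
    (docs / "budget.txt").write_text("quarterly figures\n" * 100)
    good, flagged = snapshot(docs, backups, label="20140601T090000", keep=2)
    print("first snapshot:", good.name, "flagged:", flagged)
    (docs / "budget.txt").write_bytes(os.urandom(4096))   # simulate the scrambling
    bad, flagged = snapshot(docs, backups, label="20140602T090000", keep=2)
    print("second snapshot:", bad.name, "flagged:", flagged)
    print("last good copy still intact:", (good / "budget.txt").read_text()[:17])
```

The script only covers the versioning half of the advice: the "off-line" half is about where `dest` lives (a removable disk you unplug afterwards, not a folder that stays mounted), and encrypting the snapshots before they leave the machine is a separate step not shown here. The entropy tripwire is a heuristic, so legitimately compressed or encrypted files (archives, already-encrypted containers) will also trip it; that is the safe direction to fail in, because all it does is hold off pruning.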

The operation against Gameover and CryptoLocker by law enforcement is most welcome, and should be applauded.

But the mopping-up part of the operation is down to us.

The criminal business empires that have grown up around botnets like Gameover would rapidly fall apart if we kept our computers clean in the first place.

Kill-a-zombie today!

Follow @duckblog

Image of Killer Zombie Robot courtesy of Shutterstock.


Sunday, June 15, 2014

Google to flag 'right to be forgotten' censored search results


Google may be forced to forget about you, but it just might stick a flag on the search results it's reluctantly expunged.

According to The Guardian, the search giant plans to put an alert at the bottom of every page where it's been compelled to remove links in the wake of the recent, landmark "right to be forgotten" court ruling.

Last month, at the command of the EU's Court of Justice, Google reluctantly put out a "forget me" form to enable European Union citizens to request that it remove links that include their name and that are deemed "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed."

By the end of the first day, 12,000 Europeans had submitted the form.

As of last week, that number had hit 41,000 requests, at the rate of about 10,000 per day.

According to the Financial Times, those familiar with the search results removal process say that the takedown requests are coming in from across the EU, with a particularly high proportion coming from Germany and the UK.

The requests reportedly include one from a man who tried to kill his family and wanted a link to a news article about it taken down.

Other requests have come in from a politician with a murky past and a convicted paedophile, the Guardian reports.

Google chief executive Larry Page has said that nearly a third of the 41,000 requests received related to a fraud or scam, one-fifth concerned serious crime, and 12% are connected to child pornography arrests.

The Guardian says that Google plans to flag censored search results much like it alerts users to takedown requests over copyright infringing material.

When links have been removed from a list of search results, Google provides a notification at the bottom of that page and links to a separate page at chillingeffects.org, an archive of cease-and-desist notices meant to protect lawful online activity from legal threats.

On the site, each listing displays the name of the complainant, the title of the copyrighted content and a list of allegedly infringing URLs. The site at the link given above, for example, lists 640 URLs that allegedly infringe on Walt Disney's "Maleficent" film.

Google considers the enforced expunging to be censorship, and it's got some heavyweights on its side.

Wikipedia founder Jimmy Wales has condemned the ruling, telling Tech Crunch in an interview over the weekend that it was a "terrible danger" that could make it more difficult to make "real progress on privacy issues."

Wales is one of a seven-person advisory committee set up by Google to issue recommendations about where the boundaries of the public interest lie in the requests.

Wales told Tech Crunch that in spite of the tens of thousands of people eager to have their pasts erased from search results, the ruling simply amounts to censorship of knowledge, packaged in "incoherent legislation":

In the case of truthful, non-defamatory information obtained legally, I think there is no possibility of any defensible 'right' to censor what other people are saying.

We have a typical situation where incompetent politicians have written well-meaning but incoherent legislation without due consideration for human rights and technical matters.

I've asked Google if it will begin placing notifications on pages where it has removed links due to "right to be forgotten" requests. I'll update the story if any comment is forthcoming.

Follow @LisaVaas


Images from Shutterstock and Creative Commons.



Saturday, June 14, 2014

Kim Dotcom offers $5M (£3M) for whistleblower help


Avast! Kim Dotcom, alleged King 'o the Pirates, be offerin' a $5 million (£3 million) bounty t' any of ye bilge rats who can blow yer whistle sweet enough t' skewer his extradition!

As followers of this summer-blockbuster-esque saga will recall, Dotcom's Megaupload file-sharing empire was shut down in 2012, leaving him fighting extradition to the USA to face charges of racketeering, money laundering and copyright theft - charges with potential jail terms of 20 years.

Now, Dotcom's offering mega-bucks to anybody who can help him prove his long-argued contention that Hollywood studios illegally set the US authorities on him, aided and abetted by the country's close ally, New Zealand.

Dotcom tweeted that he has few options as he fights one of the biggest copyright infringement cases ever brought:

My case is unfair:
I was declined discovery
I didn't get my own data back
I need Whistleblowers
I am offering USD $5M

In his tweet, Dotcom included a link to a Torrent Freak article about how the bounty will go to "anyone prepared to reveal behind-the-scenes wrongdoing and corruption."

About a year ago, Dotcom was supposed to have gotten back some of his seized property. A judge also granted him the right to see all of the evidence against him before, rather than after, extradition.

In April, Hollywood came after him again, as six mammoth movie studios filed suit against what they say is the former file-sharing site's mind-numbingly-massive copyright infringement.

Now, after several delays, a Supreme Court hearing on Dotcom's extradition is set to begin in Auckland on 7 July 2014.

And just as his assets were about to be released in New Zealand and Hong Kong, Hollywood sought to get Dotcom's assets re-frozen.

Now, Dotcom is hoping to fight back by getting some dirt on his legal enemies.

Here's what he says in the Torrent Freak article:

Let me be clear, we are asking for information that proves unlawful or corrupt conduct by the US government, the New Zealand government, spy agencies, law enforcement and Hollywood.

...and he suggests taking any such dirt to a newspaper that's done quite a lot of dirt-handling in the past year, with all its Edward Snowden-fueled whistleblowing:

I have been in touch with the Guardian editor and he has kindly retweeted my offer and told me that he hopes that someone will reply to that offer.

...preferably by using a new whistleblower tool released by The Guardian last week.

Dotcom also recommends that whistleblowers take even more caution in covering their tracks by using the whistleblower tool on an internet cafe computer, using a memory stick, instead of doing it from work, from home, or via a personal computer or phone.

Then again, he says, you could just buy a disposable laptop or netbook and destroy it when you're done.

I guess that disposable computers are a reasonable investment, really, for anybody who stands a chance of earning $5 million for helping out a famous, and infamous, alleged pirate.

Follow @LisaVaas

Image of whistle courtesy of Shutterstock.



Friday, June 13, 2014

"Turing Test" allegedly defeated - is it time to welcome your robot overlords?


I'm sure you have heard of, and indeed at some time faced up to and solved, a CAPTCHA.

All over the web, you'll see people telling you CAPTCHA is a pun on "capture," since it's meant to catch out automated software, but actually stands for Completely Automated Turing Test for Telling Computers and Humans Apart.

That's nonsense, of course, or else the acronym would be CATTTCHA, which would be a perfectly good play on words itself.

CAPTCHA is better expanded as Completely Automated Procedure for Telling Computers and Humans Apart.

Briefly put, a CAPTCHA falls a long way short of a real Turing Test, which sets much higher human-like behavioural standards on computers that attempt it.

The Turing Test, as you can probably guess, is named after British computer pioneer Alan Turing.

Turing proposed his now famous test back in a seminal paper published in 1950, entitled Computing Machinery and Intelligence.

The test was presented as a way of answering the question, "Can machines think?"

To bypass the complexity of defining "thinking," and of deciding through philosophical argument that an entity was engaging in it, Turing proposed a practicable systematic alternative in the form of a test.

He based it on an imaginary contest called The Imitation Game.

A man and a woman are sitting in separate rooms, each in front of a teleprinter, so they can't be seen or their tone of voice heard.

One of them is denoted by X and the other by Y; a questioner gets to interrogate them, directing each question at either X or Y.

That means he can group all of X's answers together, and all of Y's answers together; at the end, he has to work out who's who.

But here's the tricky part: the man must convince the questioner he's the woman, and so must the woman. (You could do it the other way around, but one person is being themselves, and the other is trying to imitate someone they aren't.)

The idea is that if the questioner can tell them apart, the man hasn't played a convincing enough role.

Since the woman's job is to convince the questioner that she is, indeed, female, thus exposing the man as a fraud, her best approach is to be as truthful and accurate as possible.

She is effectively on the questioner's side, so misleading him won't help.

It sounds like a parlour game - it might even have been a 1940s parlour game - but once you think about the sort of tactics the man would need to adopt, you can see where Turing was going.

Replace the man in the game with a computer, and see if the questioner can distinguish the computer from the woman. (Or from a man. This time the differentiation is not gender based: it's computer versus human.)

Turing's suggestion was that if you can't tell the computer from the human, then you have as good as answered the question, "Can computers think?" with the word, "Yes."

In other words, given the right sort of questions, the human participant would have to perform what we call "thinking" in order to answer.

So, if a computer could give sufficiently human-like answers, you'd have to concede it was "thinking," too.

Clearly, to pass a proper Turing test, a computer program would need a much broader set of skills than it would need to read the following CAPTCHA:

Make no mistake: programming the sort of software that can read modern CAPTCHAs is a serious challenge in its own right.

You might even decide to refer to a computer that could do it as "clever," but it still wouldn't be thinking.

Interestingly, in the paper in which he introduced the Imitation Game, Turing estimated that by the year 2000, computers would be able to survive his eponymous test for five minutes at least 30% of the time.

Generally speaking, the longer the questioning goes on, the more likely the questioner is to tell the human and the computer apart, as he has more opportunity to catch the computer out. So the longer a computer can last, the more we should accept that it is "thinking."

Furthermore, Turing guessed that his fin de siècle test-beating computers would need about 128MB (1Gbit) of memory to do the job.

He was a trifle optimistic, but nevertheless surprisingly close.

It actually took until 07 June 2014 for a serious claim to surface that a computer, or more precisely a program, had passed a Turing Test.

It happened in a contest organised by the University of Reading in England, and the "thinking software" was called Eugene Goostman.

Just how seriously the world of computer science will take the claim remains to be seen: Reading University's machine intelligence experts are no strangers to controversy.

Indeed, the spokesman in Reading's latest press release is none other than Professor Kevin Warwick, a media-savvy cyberneticist who promotes himself as the man who "became the world's first Cyborg in a ground breaking set of scientific experiments."

And University of Reading research fellow Mark Gasson proudly announced, in 2010, that he was the first human to infect himself with a computer virus.

What Gasson actually did, as far as we can see, is to inject himself with an RFID chip containing executable code that could, in theory, be considered an exploit against a vulnerable RFID reader, if Gasson were to find (or build) a vulnerable RFID reader to match his "infected" chip.

The Eugene Goostman software was developed in Saint Petersburg, Russia, by a team including Vladimir Veselov, an American born in Russia, and Eugene Demchenko, a Russian born in Ukraine.

This year's competition took place, fittingly if slightly sadly, on the 60th anniversary of Turing's death.

Eugene, reports the University of Reading, tricked 33% of the judges into thinking he was human in a series of five-minute conversations.

Fans of TV Sci-Fi shows will enjoy the fact that one of the judges was Robert Llewellyn, the actor who played the intelligent robot Kryten in the cult comedy series Red Dwarf.

Will 07 June 2014 become, as one of my Naked Security colleagues joked (at least, I assume he was joking), the day we first welcomed our robot overlords?

I'm saying, "No."

One trick the programmers used was to make Eugene a 13-year-old boy, which almost certainly gave them much more leeway for "believable mistakes" than if they had simulated a person of adult age.

As Veselov pointed out:

Eugene was 'born' in 2001. Our main idea was that he can claim that he knows anything, but his age also makes it perfectly reasonable that he doesn't know everything. We spent a lot of time developing a character with a believable personality.

As Turing Tests go, this one feels a bit more like getting a learner's permit for a moped than qualifying for your unrestricted car licence.

Eugene has a few years to go before he can do that.

So Naked Security's message to our new robot overlord is, "Stop showing off on the internet and go and tidy your bedroom!"

That's what it told me to say, anyway.

Follow @duckblog



Thursday, June 12, 2014

Mobile malware, Gameover, CryptoLocker, and SSL/TLS holes - 60 Sec Security [VIDEO]


• How long has mobile malware been around?

• Is it really game over for Gameover and CryptoLocker?

• Which cryptographic security libraries need patching?

Find all the answers in this week's 60 Sec Security - 07 June 2014.


Follow @duckblog

Tags: 60 Sec Security, 60 Second Security, 60 Seconds, 60SS, Android, cabir, caribe, cryptolocker, doj, FBI, gameover, gnutls, heartbleed, Mobile, openssl, Patch, ransomware, rce, simplelocker, Symbian, takedown

