Category: Security

Software portal sued over bad review

Bleeping Computer has been sued by Enigma Software Group after posting a bad review of its core product SpyHunter in 2014.

Enigma Software claims the review was false, disparaging, and defamatory. A court case is going to be interesting as the review provides links to support each claim. What Enigma seems to be hoping is that the jury will be influenced by the fact that Bleeping Computer participates in a number of affiliate programs, including one run by its sworn rival Malwarebytes.

The lawsuit says, “Bleeping has a direct financial interest in driving traffic and sales to Malwarebytes and driving traffic and sales away from ESG.”

“Bleeping not only has unlawfully benefited from its smear campaign to the detriment of ESG, it has damaged the reputation of ESG by refusing to take down its false and misleading statements which have been reposted numerous times on the other anti-spyware related forums and websites.”

Bleeping Computer uses affiliate links for a number of vendors, not just Malwarebytes. Then there is the small matter that Enigma Software and SpyHunter have a poor reputation because of their spam and, er, questionable detection rates.

One of the more common complaints about SpyHunter and Enigma Software is that the product is promoted as free, when it really isn’t.

Its free version offers a scanner but if you want the malware removed you have to pay for the full version.

In a statement on Bleeping Computer, owner Lawrence Abrams says the Enigma Software lawsuit is a SLAPP (strategic lawsuit against public participation) suit.

“Enigma Software has a history of filing lawsuits to censor and bully people into removing reviews or opinions about their products… If BleepingComputer does not get the help we need and we lose this battle, it will only embolden Enigma Software to try to silence other bloggers, IT technicians, or computer security enthusiasts.”

Bleeping Computer has started a fund to gather donations for its legal costs. One of the first donations came from Malwarebytes, which sent $5,000 shortly after the campaign started, which, though helpful financially, probably is not that useful tactically.

Press and politicians suckered by fake Isis encryption

Death cult the Islamic State is having a good chuckle after it convinced the mainstream media and politicians that it had developed an app which encrypted messages so that intelligence agencies could not read them.

The news was treated as a fact by the mainstream media and created a wave of concern from politicians who are keen to force companies to abandon encryption.

However, the app created for Islamic State militants to send private encrypted messages does not exist. So without having to cut anyone’s head off, Islamic State has managed to cause the West to react with fear and in a way that will stuff up business security.

No one has found a copy of the Alrawi app and all the pictures show screenshots of an app which is basically a glorified RSS reader. Even the magazine Defense One which broke the story has not seen a copy.

The Daily Dot managed to get its paws on what was claimed to be the Alrawi encryption app but that did not have the ability to send or encrypt messages.

In fact those who looked at it said that it was based around MIT’s App Inventor, a plug-and-play tool meant primarily for kids. It contains a Bluetooth file transfer button which all smartphones have and that is about it.

No one has seen a version of Alrawi with encrypted communications. There is a jihadist website offering custom-built software where the Alrawi encrypted messaging app was found. The site is now dormant and was created by Al Qaeda, not IS.

Security researchers who closely follow the Islamic State’s online activity say that they haven’t seen the Alrawi app being discussed or shared in any of ISIS’s online channels.

NSA whistleblower Edward Snowden said that nothing IS has shown demonstrates the ability to encrypt anything.

Oracle kills Java plug-in

Oracle has finally announced that it is killing off its Java browser plugin.

The cunning plan is to scale down the plugin technology in Java Developer Kit 9 and remove it completely from Oracle JDK and Java Runtime Environment in a future Java SE release.

Oracle admitted that plugins were outdated and modern Web browsers don’t need them. Chrome disabled Java in April last year, while Firefox also announced plans to kill Oracle’s technology.

Oracle has warned developers to find an alternative.

“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology,” Oracle said in a blog post to users.

Oracle acquired the Java plugin in 2010. It is a bit like Flash and Silverlight in that it uses NPAPI, the ancient Netscape Plugin API. These plugins have caused more trouble than good and using one is like painting a large bullseye on your back and screaming “hack me”.

Some will be miffed at the plug-in’s exit. Some enterprises are likely still running older Web browsers that need Java, and have created plenty of applets for it.

Apple wrestles with Safari crashing feature

The software genii at the fruity cargo cult Apple are in hot water after it turns out the browser they came up with crashes easier than a drunken emu.

The Tame Apple Press has done its best to put a lid on the whole matter, but the problem is a little difficult to hide. The problem is worldwide and means that searching from the address bar in both iOS and OS X is causing the browser to crash.

Even the Verge, which spun yesterday’s terrible results for Apple as “the best ever”, has confirmed the problem on one of the many iOS devices and OS X machines it has in the office.

The problems are related to a feature on Safari which tells you what you should be looking at as you start typing. You can fix the problem by disabling this feature but it does mean that you will not have the benefit of having Apple to tell you what to do. This will mean that countless fanboys will be in the difficult position of having to think, rather than think different.

The Verge claims that not everyone is affected, but actually everyone is. It is just that they might have the search suggestions cached locally or they can reach Apple’s servers thanks to their DNS cache. Apple is not saying anything, of course. But it is just the latest in a number of embarrassing programming errors on some of its products.

A couple of months ago Mac users were forced to reinstall software from the App Store following a security glitch. An expired security certificate used by Apple to verify apps forced a number of Mac users to reinstall certain pieces of software after the company attempted to move from the older SHA-1 standard, to the newer, more secure, SHA-2. Some apps in the App Store did not support the SHA-2 standard, resulting in the forced reinstall.

US government hands cyber-security to military

The US government has handed over its sensitive cybersecurity role to the military.

The move is seen as a snub to the Office of Personnel Management, the agency at the center of last year’s scandal over one of the worst government data breaches known to the public.

US officials believe a Chinese espionage operation infiltrated OPM’s records, accessing information on 21.5 million current and former employees or job applicants. Fingerprint images belonging to some 5.6 million people were stolen.

The Pentagon has been called in to overhaul the federal security clearance system. A new government office, called the National Background Investigations Bureau, will take over the job of running background checks on all federal employees, contractors and others.

The Defense Department will design, build and operate the computer system that houses and processes people’s personal information, Director of National Intelligence James Clapper and other officials said.

The White House wanted to use the Pentagon’s expertise in national security and protecting US secrets.

OPM spokesman Samuel Schumach said that since the hack, the agency has started real-time computer monitoring, installed protections against unknown devices and adopted two-factor authentication, which adds a level of security beyond a single password.

The computer networks that hackers breached last year had been left vulnerable for years without basic cybersecurity protections, its internal watchdog told Congress.

In the new system, the Pentagon will encrypt data where appropriate and consider which information should be kept separate from the rest of the network.

The administration didn’t say when it expected the system to be operational. President Barack Obama planned to ask Congress in his budget next month for $95 million to build the computer system, but officials said development would start using the personnel office’s existing funds.


Open sauce has zero-day bugs too

A zero-day vulnerability has been spotted in the FFmpeg open-source multimedia framework, which is used by shedloads of Linux kernel-based operating systems and software applications, as well as on Mac OS X and Windows platforms.

The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev. Anyone who has the necessary skills can use it to read local files on a remote machine and send them over the network using a specially crafted video file.

The hole is limited to reading local files and sending them over the network, not to remote code execution, but it’s rather embarrassing. The FFmpeg developers are aware of the issue, and they are trying to patch it. If you are worried about it you can disable HLS (HTTP Live Streaming) while building the package while they sort out a fix. The FFmpeg team is expected to release a patch or a new version of the software later today.

The attack does not even require the user to open the dodgy file. KDE Dolphin thumbnail generation is enough to start the hack. Desktop search indexers, ffprobe or any operations that involve ffmpeg reading are affected.

US invaded by industrial cyber attacks

The US government has noticed an increase in attacks that penetrate industrial control system networks over the past year.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, said the systems are vulnerable because they are exposed to the Internet.

ICS-CERT spokesman Marty Edwards said that more hackers were gaining access to that control system layer.

ICS-CERT helps US firms investigate suspected cyber attacks on industrial control systems as well as corporate networks.

The issue has gained attention after Ukraine authorities blamed a power outage on a cyber attack from Russia, which would make it the first known power outage caused by a cyber attack.

Experts attending the S4 conference of some 300 critical infrastructure security specialists in Miami said the incident has caused U.S. firms to ask whether their systems are vulnerable to similar incidents.

Edwards said he believed the increase in attacks was mainly because more control systems are directly connected to the Internet.

“I am very dismayed at the accessibility of some of these networks… they are just hanging right off the tubes,” he said in an on-stage interview with conference organizer Dale Peterson.

Edwards did not say whether those attacks had caused any service disruptions or threatened public safety.


Hacker called Cracka hacked Clapper

Apparently the security of the US Director of National Intelligence was so good that he could be hacked by pranking teens.

One of the “teenage hackers,” Cracka, who broke into the CIA director’s AOL email account last year, said his latest victim is the Director of National Intelligence James Clapper.

The teen is part of a group of hackers calling themselves “Crackas With Attitude” or CWA. It made headlines in October, hacking into CIA Director John Brennan’s email account and apparently getting access to several online tools and portals used by US law enforcement agencies.

One of the group, Cracka, said he had Clapper’s home telephone, internet connection, his personal email, and his wife’s Yahoo account.

As a gag he changed Clapper’s Verizon FiOS account so that every call was forwarded to the Free Palestine Movement.

“I’m pretty sure they don’t even know they’ve been hacked,” Cracka told me in an online chat. Well they do now. Brian Hale, a spokesperson for the Office of the Director of National Intelligence, confirmed the hack to Motherboard.

“We’re aware of the matter and we reported it to the appropriate authorities,” Hale said, declining to answer any other questions on the record. (The FBI declined to comment.)


French conservatives say “non” to encryption

The French Parliament is considering surrendering to an idea put forward by the conservative Republican party which would ban strong encryption.

Tech companies will have to configure their systems to allow Inspector Clouseau and other “inspectors of the ler” to have access to their data.

The amendment to the vast “Digital Republic” bill was introduced in the French National Assembly, parliament’s lower house, by eighteen politicians from the conservative Republican Party.

The Digital Republic bill, which covers everything from net neutrality to the online publication of scientific research, will be examined and debated this week along with 400 amendments to it.

The anti-encryption amendment is largely seen as a response to the two deadly Paris terrorist attacks in 2015. The attackers repeatedly used unencrypted communications in the lead-up to the killings but that does not matter.

The French government has come under sustained criticism for sacrificing liberty for security. The country has been in a state of emergency for two months, a legal status that gives President François Hollande vast new law-enforcement powers. So it appears that Hollande can’t win.


New terror algorithm developed

Boffins at the University of Pennsylvania have developed an algorithmic framework for conducting targeted surveillance of individuals within social networks that does not net “untargeted” people.

Presenting the code to the Proceedings of the National Academy of Sciences (PNAS), the team say that the tools could facilitate counterterrorism efforts and infectious disease tracking while preserving the privacy of those who should not be looked at.

The boffins said that balancing the need for useful or essential gathering and analysis of data about citizens with the privacy rights of those citizens was a little tricky.

“The most striking and controversial recent example is the revelation that US intelligence agencies systemically engage in ‘bulk collection’ of civilian ‘metadata’ detailing telephonic and other types of communication and activities, with the alleged purpose of monitoring and thwarting terrorist activity.”

The Penn researchers said that there are similar problems around medical data and targeted advertising. They said that in every case, the friction is between individual privacy and some larger purpose, whether it’s corporate profits, public health, or domestic security.

They said that there is a protected subpopulation that enjoys (either by law, policy, or choice) certain privacy guarantees.

“Protected individuals might be nonterrorists, or uninfected citizens (and perhaps informants and health care professionals). They are to be contrasted with the ‘unprotected’ or targeted subpopulation, which does not share those privacy assurances.”

The team claims that its algorithms can output “a list of confirmed targeted individuals discovered in the network, for whom any subsequent action (e.g., publication in a most-wanted list, further surveillance, or arrest in the case of terrorism; medical treatment or quarantine in the case of epidemics) will not compromise the privacy of the protected.”

The algorithms are based on a few basic ideas. The first is that every member of a network has a sequence of bits indicating their membership in a targeted group. The algorithms have a budget: they can only reveal so many bits and no more. The algorithms then optimise this scenario so that as many bits-of-interest are revealed as possible.

Using real social networks with stochastically (randomly) generated, artificial target groups, the Penn team found that they could indeed search a network for targeted members while not revealing information about individuals in privacy-protected populations.

“Our work is of course not a complete solution to the practical problem, which can differ from our simple model in many ways. It is just one interesting modeling question for future work.”