Category: Security

UK coppers break encryption with staged muggings

UK coppers have decided it is not worth the effort of trying to break the encryption on a suspect’s mobile phone. Instead they are just stealing the phone before the suspect can stick their security up.

Scotland Yard’s cybercrime unit smashed a fake credit card fraud racket recently but appeared to use some unorthodox methods to do it.

Inspector Knacker of the Yard realised crucial evidence in the investigation was concealed on a suspect’s iPhone – but it would be unobtainable if the device was locked. So they waited for him to be on a call and then seized the phone in the street. This beat all the security settings.

Gabriel Yew had been under investigation for the suspected manufacture of fake cards that gangs were using across Europe to buy luxury goods. Detectives suspected that he was using an iPhone exclusively to communicate with other members of the network, but knew that if they arrested him, he could refuse to unlock it and they would never see the incriminating evidence.

It was all because they knew they could not legally force a suspect’s finger or thumb on to the device’s fingerprint reader to unlock it.

However, for some reason UK law did allow them to stage their own lawful “street robbery” – using a similar snatch technique to a thief – and in June a team set out to do precisely that.

Undercover surveillance officers trailed Yew and waited for him to unlock his phone to make a call – thereby disabling the encryption.

One officer then rushed in to seize the phone from Yew’s hand – just as would happen in a criminal mugging. As his colleagues restrained the suspect, the officer continually “swiped” through the phone’s screens to prevent it from locking before they had downloaded its data.

Det Ch Insp Andrew Gould, who led the operation, said the evidence was crucial to the prosecution.

The phone revealed shed-loads of data on Yew’s business practices. He had orders for fake cards and there was evidence linking him to four men who were subsequently convicted and a further 100 potential suspects.

Yew pleaded guilty to fraud and weapons offences and at a sentencing hearing this week at Blackfriars Crown Court was jailed for five and a half years.

Reddit finally to crack down on Trump trolls

The social notworking site Reddit is finally going to crack down on Orangemen carrying out online harassment campaigns against those who fail to support Donald “Prince of Orange” Trump.

The problem has been ongoing for a while, centred on a collection of trolls who inhabit a couple of groups dedicated to Trump, the biggest being r/The_Donald. The attacks are often racist, sexist and bullying, but Reddit has been attempting to negotiate treaties with the main participants. After all, the site is supposed to be about free speech.

However, all that changed when the trolls, empowered by their election win, decided to attack the Reddit Chief Executive Steve Huffman. Suddenly the gloves are coming off.

Huffman said that Reddit’s content policy prohibits harassment, but that it had not been adequately enforced.

“Personal message harassment is the most cut and dry. Right now we are in an interesting position where my inbox is full of them, it’s easy to start with me.”

Reddit will also monitor user reports, add greater filtering capacity, and take a more proactive role in policing its platform rather than relying on community moderators.

Last week, Reddit banned Pizzagate, a community devoted to a conspiracy theory, with no evidence to back it up, that links Clinton to a pedophile ring at a Washington, DC pizza parlour.

Reddit has a more permissive attitude than Facebook and Twitter when it comes to what it allows on its site, but r/The_Donald users frequently crossed a line, Huffman said, including by trying to manipulate voting to ensure their posts appear on prominent Reddit pages.

Reddit has stepped up its efforts to combat abuse on the site over the past year, creating what it called an “anti-evil” team of engineers dedicated to fighting harassment.

“The fact I was saying that combating harassment was important and then letting that openly happen to me, the CEO, there’s a disconnect there,” Huffman said.

In the past, Reddit has worked with moderators of communities to try to enforce its rules.

With r/The_Donald in particular, “we haven’t found that to be particularly effective. We might see flashes of success, but things kind of revert,” Huffman said.

Huffman said he had been asked by many Reddit users “to ban r/The_Donald outright”, but he had rejected that idea, because “if there is anything about this election that we have learned, it is that there are communities that feel alienated and just want to be heard, and Reddit has always been a place where those voices can be heard”.

VPN outfits expect to make a fortune out of Theresa May

VPN outfits are rubbing their paws with glee thanks to the UK government’s Investigatory Powers Bill.

Theresa May and her Conservative minions hope to save the UK from terrorists by insisting that ISPs keep detailed records of their customers’ online doings.

The Investigatory Powers Bill was approved by the House of Lords on 19 November and is due to become law before the end of 2016.

Now, several virtual private network (VPN) operators have seized on its introduction to promote their offerings.

For those who don’t know, VPNs digitally scramble a user’s internet traffic and send it to one of their own servers, which then passes it on to the site or app in a form it can make sense of. The ISP would only see a log of the connection to the VPN.

The VPNs can be based outside the UK in countries with no data retention laws. Even if servers are confiscated, there would be nothing on them. To make matters worse for Mrs May, the UK government would find it difficult to prevent the use of such workarounds.

The legislation specifically mentions connection service providers and not just ISPs, so the assumption is that VPNs based in the UK must give up their logs under this law. However, that does not apply to foreign companies, who can just ignore it.

Even if the UK government made VPNs illegal, it could not stop those services being available. The fact that lots of businesses use VPNs to provide staff with remote access to their email and other work-related files would also make it difficult to restrict the technology’s use.

Lots of Americans would give up sex to avoid being hacked

More than 40 percent of Americans would give up sex for a year to never have to worry about being hacked, according to one new study.

Emmanuel Schalit, CEO of online password management firm Dashlane, which commissioned the survey of 2,000 U.S. adults, said that the company used the “quirky angles” of food and sex to show just how much cybersecurity is on the minds of Americans today.

Apparently, 41 percent of Americans would rather give up their favourite food for a month than go through the password reset process for all their online accounts — a process that is recommended as routine for all online account holders to help prevent hacks.

Schalit said that cybersecurity was a very real concern for a large portion of the population.

“A vast proportion of people understand the threat of hacking in daily life, and would sacrifice something fundamental to avoid it.”

The study found that 43 percent of millennials would trade in sex for online safety; while 64 percent of those aged 18-34 showed themselves to be “more trusting,” said Schalit, saying they’ve shared or received passwords to other people’s accounts; 37 percent of those 35 and older said they’d shared passwords.

“The youngest people in our sample tend to be more trusting than older people for all sorts of reasons. This in part has to do with having a different attitude toward life, as a result of being younger and having been born in an age when the internet already existed,” said Schalit.

While the study shows that millennials are more inclined to share passwords, Schalit asserts that this doesn’t necessarily mean they’re doing so blindly or irresponsibly.

“It’s not a bad thing to share a password within a family or a company that has a [shared] Facebook account. The real problem is how you share it. If you share it over email that’s a bad idea because email is always the first thing to get hacked.”

Dashlane’s survey found that in their passwords, 31 percent of Americans have used a pet’s name, 23 percent have used number sequences, 22 percent have used a family member’s name, and 21 percent have used a birthday.
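The four weak ingredients the survey names (a pet’s or family member’s name, a number sequence, a birthday) are easy to screen for at password-set time. The checker below is an added illustration, not Dashlane’s code; the personal-name list is a constructed stand-in for names the account holder would supply.

```python
"""Flag the weak password ingredients named in the Dashlane survey:
personal names, number sequences and birthdays. Added example; the
name list, run length and date formats are constructed assumptions."""
import re
from datetime import datetime, date

# Constructed stand-in for names taken from the account holder's own life
# (pet, partner, child); a real deployment builds this per user.
PERSONAL_NAMES = {"rex", "bella", "sarah"}

# Date layouts people commonly type as a password fragment (assumption).
_DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d")


def has_digit_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive digits that step by +1 or -1
    (1234, 9876) or simply repeat (1111)."""
    for chunk in re.findall(r"\d+", pw):
        for i in range(len(chunk) - run + 1):
            window = [int(c) for c in chunk[i:i + run]]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}, {0}):
                return True
    return False


def has_date(pw: str) -> bool:
    """True if pw contains an 8- or 6-digit run that parses as a real
    calendar date between 1900 and this year (a plausible birthday)."""
    for chunk in re.findall(r"\d{8}|\d{6}", pw):  # try 8 digits first
        for fmt in _DATE_FORMATS:
            try:
                parsed = datetime.strptime(chunk, fmt)
            except ValueError:
                continue  # not a valid date in this layout, try the next
            if 1900 <= parsed.year <= date.today().year:
                return True
    return False


def weak_ingredients(pw: str, names=PERSONAL_NAMES) -> list:
    """Return the list of survey categories the password falls into;
    an empty list means none of the three patterns was found."""
    found = []
    low = pw.lower()
    if any(name in low for name in names):
        found.append("personal name")
    if has_digit_sequence(pw):
        found.append("number sequence")
    if has_date(pw):
        found.append("birthday")
    return found


if __name__ == "__main__":
    for candidate in ("Bella1234", "rex19051984", "Tr0ub4dor&3"):
        print(candidate, "->", weak_ingredients(candidate) or "ok")
```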

Three was hacked

One of Blighty’s biggest mobile phone companies, Three, has been hacked and its customer upgrade database may have been nicked.

The cyber security breach could put the private information of two thirds of Three’s nine million customers at risk.

A spokesthree said that the upgrade system does not include any customer payment, card information or bank account information.

However, the company said that this is not the only bad thing that has been happening to the outfit. For the last month, it has been hit by a wave of attempted handset fraud.

“To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity,” Carter said.

“This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.”

At least the hackers appear to have been identified. Three men have been arrested in connection with the breach at Three, the BBC said this morning.

The National Crime Agency arrested a man from Kent and two men from Manchester on Wednesday, the Beeb said. All three have been bailed pending further enquiries.

Trump fans get cybersecurity CEO fired

Trump fans demanded that the CEO of the cybersecurity firm PacketSled be fired or arrested for posting on his personal Facebook page that he would get a “sniper rifle” and kill the Donald, Prince of Orange.

What is even more amazing is that his company PacketSled accepted Matt Harrigan’s resignation over the comments.

Harrigan made the statement on his personal Facebook page but the Trump supporters found the comments and contacted the cops.

“The PacketSled Board of Directors accepted the resignation of President and CEO Matthew Harrigan, effective immediately. We want to be very clear, PacketSled does not condone the comments made by Mr. Harrigan, which do not reflect the views or opinions of the company, its employees, investors or partners.”

In a previous statement, the company said it reported the information to the Secret Service and placed Harrigan on administrative leave.

Eh? What?

Harrigan said the comments were meant to be a joke.

“My recent Facebook comment was intended to be a joke, in the context of a larger conversation, and only privately shared as such. Anyone who knows me, knows that I do not engage in this form of rhetoric with any level of seriousness and the comment most certainly does not represent my real personal views in any regard. I apologise if anything that I said was either taken seriously, was offensive, or caused any legitimate concern.”

It was bloody obviously a joke, or frustration expressed on Facebook. Since when did that require you to lose your job? Suddenly the US has lost its sense of humour completely.

There are lots of reasons to be concerned by this. Firstly, that humourless Trump supporters could get someone fired by mounting campaigns on social media, and secondly that PacketSled can’t tell when the bloke leading the company is joking, and grassed him up to Homeland Security. This is so 1984 it is not funny.

Has the world gone bonkers? [Yes. Ed]

Tech companies ask Trump to backtrack on encryption

US internet companies including Facebook and Amazon have penned a letter to president-elect Donald “Prince of Orange” Trump asking him to be a little more accommodating to their policy priorities – particularly strong encryption.

Trump took an anti-encryption stance during the election, demanding tech companies provide spooks with back-doors. While some tech companies are visibly upset about Trump’s election, it appears that Facebook and Amazon hope they can get him to change his mind with a nice letter.

The letter, sent by the Internet Association, a trade group whose 40 members also include Alphabet’s Google, Uber and Twitter, represents an early effort to repair the relationship between the technology sector and the incoming president.

Michael Beckerman, president of the Internet Association said that the internet industry looks forward to engaging in an open and productive dialogue.

Some of the policy goals stated in the letter may align with Trump’s priorities, including easing regulation on the sharing economy, lowering taxes on profits made from intellectual property and applying pressure on Europe to not erect too many barriers that restrict U.S. internet companies from growing in that market.

The association seeks immigration reform to support more high-skilled workers staying in the United States. Trump made tougher immigration policies a central theme of his campaign, but he has shied away from arguing against more H-1B visas for skilled workers. In March, he said he was “softening the position because we need to have talented people in this country.”

Trump has also urged a boycott of Apple products over the company’s refusal to help the Federal Bureau of Investigation unlock an iPhone associated with last year’s San Bernardino, California, shootings, threatened antitrust action against Amazon, and demanded Apple manufacture its products in the United States.

In a statement, Beckerman said the internet industry looked forward to working closely with Trump and lawmakers in Congress to “cement the internet’s role as a driver of economic and social progress for future generations.”

Boffins work out how your fingers can grass you up

A team of insecurity experts has worked out that it is possible to hack a smartphone by listening in to the way a user’s fingers move across the keypad.

With the right specialist gear, the way a user’s fingers move across a phone’s touchscreen can be detected remotely. This is because the WiFi signals transmitted by a mobile phone change when the touchscreen is touched, causing disturbances that an attacker can intercept, analyse, and reverse engineer to accurately guess what the user has typed on his phone or in password input fields.

Dubbed WindTalker, the attack sounds like the user is suffering from a bad case of beans. Fortunately it is less smelly and can only be done when the attacker controls a rogue WiFi access point to collect WiFi signal disturbances.

This control is needed because the attacker must also know when to collect WiFi signals from the victim, to work out the exact moment when the target enters a PIN or password.

The attacker uses that control of the WiFi access point to sniff the user’s traffic and detect when he’s accessing pages with authentication forms.

The attack uses radio signal measurements called Channel State Information (CSI), which are part of the WiFi protocol and provide general information about the status of the WiFi signal.

When the user’s finger moves across the smartphone his hand alters CSI properties for the phone’s outgoing WiFi signals, which the attacker can collect and log on the rogue access point.

According to Bleeping Computer, the attack has a 68 per cent accuracy.

Microsoft fixes huge Windows 10 bug

Software King of the World, Microsoft has fixed a rather juicy security flaw in its Windows 10 operating system, which it found only last week.

The security flaw allowed attackers to abuse privilege settings, which would potentially let them install and run applications. Apparently Russian hackers were already taking advantage of the situation. Vole said the security update resolves vulnerabilities in Microsoft Windows.

“The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. This security update is rated Important for all supported releases of Windows. The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.”

The security update should have already installed in the background on most Windows 10 devices. If not, an update can be forced by opening Settings, then Update & security, and clicking on ‘Check for updates’.

China brings in tough new cyber security law

The glorious People’s Republic of China has brought in tough new cybersecurity regulations for companies operating behind the bamboo curtain.

The proposed Cybersecurity Law features data localisation, surveillance, and real-name requirements. It will require instant messaging services and other internet companies to make users register with their real names and personal information, and to censor content that is “prohibited”. Real-name policies restrict anonymity and can encourage self-censorship in online communication.

There is also an element of data localisation, which would force “critical information infrastructure operators” to store data within China’s borders.

According to Human Rights Watch, an advocacy organisation that is opposing the legislation, the law does not include a clear definition of infrastructure operators, and many businesses could be lumped into the definition.

Sophie Richardson, Human Rights Watch’s China director, said the new law will effectively put China’s Internet companies, and hundreds of millions of Internet users, under greater state control.

Many of the regulations are not new; most were informally carried out or specified in low-level law. However, implementing the measures on a broader level will lead to stricter enforcement.

Companies are required to report “network security incidents” to the government and inform consumers of breaches, but the law also states that companies must provide “technical support” to government agencies during investigations. “Technical support” is not clearly defined, but might mean providing encryption backdoors or other surveillance assistance to the government.

The Cybersecurity Law also criminalises several categories of content, including that which encourages “overthrowing the socialist system,” “fabricating or spreading false information to disturb economic order,” or “inciting separatism or damage national unity.”