Borders are increasing their digital searches of travellers. This includes asking (forcing?) travellers to unlock devices and share passwords. People are often cynical about many of the physical security measures undertaken in airports, such as the removal of belts and shoes. But as the saying goes, you can make me take off my shoes, but there’s no way I’m letting you read the group chat conversations on my phone.
While there has been much advice (some good, some bad) on the subject, 1Password has stepped up its game by introducing a feature called Travel Mode, which removes passwords from the device except those in vaults marked safe for travel; they can then be restored once the border has been crossed. It’s not a perfect solution, but it will be interesting to see how other vendors cater to this growing need.
Target to pay $18.5m in Settlement
Remember back in 2013 when Target suffered a huge security breach in which millions of customer card details were compromised? Well, after much legal wrangling that, according to the company’s annual statement, has cost Target $202m in legal fees and other costs since the breach, it has settled to pay $18.5m to 47 states.
While the fine may be one of the largest for a data breach, one has to consider that the company made $69.5 billion in revenue.
- To put it in a different context, £18.5m (pounds sterling) was the price tag of a 23-year-old footballer (soccer player) in 2015
- Which, coincidentally, was the same year football star Cristiano Ronaldo purchased an $18.5m loft in NYC
- Target reaches breach settlement: $18.5 million fine, security controls
- Target will pay $18.5M to 47 states to close investigations into 2013 data breach
Twitter flaw allowed you to tweet from any account
Perhaps the closest thing to a dormant cyber pathogen we will see: a Twitter flaw went undetected for years that allowed attackers to post messages masquerading as any user they chose.
Fortunately, the researcher who discovered the flaw disclosed it privately to Twitter, allowing the company to fix the issue before it was announced. Twitter rewarded the researcher with $7,560 for his efforts.
Is it just me or does $7,560 seem like a completely random number? Couldn’t they have rounded it up or something?
- Twitter flaw allowed you to tweet from any account
- Critical flaw in Twitter’s code could let hackers take over your account
- Twitter flaw could have allowed attacker to tweet from any account
Diversity in recent Mac Malware
While Apple may continue to market itself as a company whose products are safe, the number of reports about Mac malware continues to grow. Malware such as OSX/Dok and OSX.Proton.B have made the headlines.
- Eddie Lee has a detailed roundup of the latest Mac malware doing the rounds, its functionality, and detection techniques, including some YARA rules
- OSX Malware is catching up and it wants to read your HTTPS traffic
- OSX/Proton.B – a brief analysis, at 6 miles up
Integrity in the CIA
Confidentiality, Integrity, Availability. The CIA triad is impossible to avoid if you’ve worked in information security.
Confidentiality and availability are pretty easy to prove when they go wrong. A document in the hands of unauthorised parties, or a service being unavailable, can be noticed.
However, integrity is harder to prove or disprove, as Qatar’s Sheikh Tamim Al Thani is finding out. A report stated that the Sheikh had posted comments praising Iran, along with other comments that are politically sensitive in the region.
The quotes spread widely across the UAE and caused quite a reaction, even though the Qatari government said the agency had been hacked and the story had no merit.
But opinions are flowing wildly, with speculation about who could have posted the comments originally, or whether the Sheikh is simply blaming hackers in an attempt to backpedal.
That’s kind of the beauty of a well-crafted integrity attack. Getting to the truth can take some time, and can cause a lot of “he said, she said” finger-pointing in the meantime.
- Qatar says state news agency hacked after report cites emir criticising US
- Proof that Qatar news agency was not hacked
- Gulf rift reopens as Qatar decries hacked comments by emir
Biometrics fooled again
There’s a reason why, despite their many flaws, passwords still remain a good authentication option. Many manufacturers have been rushing to implement biometrics to streamline and secure authentication, but most have inevitably run into issues.
Biometrics require a lot of tuning to reach an acceptable balance between false acceptances (an impostor let in) and false rejections (the genuine user locked out): a threshold tightened to reduce one inevitably raises the other.
- HSBC rolled out a voice ID authentication service, during which it may have tested many parameters, but as the BBC demonstrated, it still has some way to go.
- Samsung introduced an iris scanner in its Galaxy S8 smartphone, but it has also been shown to be bypassed trivially.
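To make the tuning trade-off concrete, here is an added example (not from the article, and not from any vendor's matching engine) that sweeps a match threshold over constructed similarity scores. The scores, the 0-1 scale and the percentage step are all assumptions for illustration; a real system would derive them from a large labelled population, but the shape of the curve is the same: every threshold buys lower false acceptance only by paying in false rejection.

```python
"""Threshold sweep for a biometric matcher: FAR vs FRR and the equal-error point.

Added example for this roundup. All scores below are constructed; they are not
measurements of any real voice, iris or fingerprint system.
"""

# Constructed similarity scores in [0, 1]; higher means "more like the enrolled user".
# GENUINE: the real user trying to authenticate.  IMPOSTOR: someone else (or a
# recording / photograph) presented to the sensor.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.90, 0.73, 0.97, 0.86, 0.81]
IMPOSTOR = [0.42, 0.55, 0.61, 0.38, 0.70, 0.66, 0.49, 0.75, 0.58, 0.80]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for one acceptance threshold.

    FAR: fraction of impostor attempts accepted (score >= threshold).
    FRR: fraction of genuine attempts rejected (score < threshold).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """Evaluate every threshold from 0.00 to 1.00 in 1% steps.

    Integer division (i / 100) is used rather than accumulating a float step so
    that 0.76 here compares equal to a literal 0.76.
    """
    return [(i / 100, *rates(i / 100, genuine, impostor)) for i in range(101)]


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold where FAR and FRR are closest: the classic EER operating point."""
    return min(sweep(genuine, impostor), key=lambda p: abs(p[1] - p[2]))


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR is at most max_far, and the FRR that comes with it.

    This is the question a bank or phone vendor actually has to answer: "how many
    real users do we lock out to keep impostors below this rate?"
    """
    for point in sweep(genuine, impostor):
        if point[1] <= max_far:
            return point
    return None


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep()[40::5]:
        print(f"{t:9.2f}  {far:.2f}  {frr:.2f}")
    t, far, frr = equal_error_point()
    print(f"EER point: threshold={t:.2f} FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = threshold_for_far(0.0)
    print(f"No impostors accepted at threshold={t:.2f}, but FRR={frr:.2f}")
```

Running it shows the crossover at a threshold of 0.76 on this data (10% of impostors accepted, 10% of genuine users rejected) and that driving false acceptance to zero costs a 20% rejection rate for the real user. With a presentation attack (a twin's voice, a printed iris) the impostor scores move toward the genuine ones, and no threshold separates them cleanly, which is why liveness checks matter as much as threshold tuning.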
When Subtitles read you
Streaming media players such as VLC, Kodi, Popcorn Time, and Stremio are vulnerable to an unusual attack vector: subtitles.
The attack could lead to total compromise of the host system, warn the researchers at Check Point who discovered it. I guess it’s time to crank the volume up, or learn some new languages.
- Hacked in translation - from subtitles to complete takeover
- Kodi, Popcorn Time and VLC vulnerable to 'widespread' subtitle hack
- Hackers can use subtitles to take over millions of devices running VLC, Kodi, Popcorn Time and Stremio
Insider threats are real. As this story illustrates, Xu Jiaqiang, 30, a former software engineer for IBM, pleaded guilty on Friday to charges of economic espionage after the FBI caught him attempting to sell IBM's source code, and later discovered he had sold it to parties in China.
The worrying aspect of this story is that Xu had worked for IBM for about four years; that’s a long time in which to gain access to a lot of information.
One of the challenges in companies is that once an employee has been around for a number of years, a certain level of trust builds up and people seldom question the access levels they need or odd working patterns.
Xu pleaded guilty and could face up to 15 years for economic espionage.
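The "odd working patterns" point is one you can actually monitor for. The following is an added example, not anything IBM runs and not derived from the case: it scans constructed source-control access logs for after-hours bulk clones and for one user sweeping many repositories in a short window. The log format, field names, business-hours range, byte threshold and window size are all assumptions chosen for the illustration.

```python
"""Flag after-hours bulk source-code access and repository sweeps.

Added example for this roundup; the log lines, format and thresholds are
constructed assumptions, not taken from any real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access log. Format (an assumption): ISO timestamp, then key=value pairs.
LOG = """\
2017-05-08T09:12:01Z user=alice action=clone repo=core/engine bytes=41000000
2017-05-08T10:40:22Z user=bob action=fetch repo=core/engine bytes=2000000
2017-05-08T23:51:07Z user=bob action=clone repo=core/engine bytes=910000000
2017-05-08T23:58:44Z user=bob action=clone repo=core/storage bytes=640000000
2017-05-09T00:07:13Z user=bob action=clone repo=infra/deploy bytes=120000000
2017-05-09T00:20:55Z user=bob action=clone repo=ml/models bytes=3400000000
2017-05-09T09:02:30Z user=alice action=fetch repo=core/engine bytes=1500000
2017-05-09T14:15:09Z user=carol action=clone repo=infra/deploy bytes=120000000
"""

BUSINESS_HOURS = range(8, 19)      # 08:00-18:59 UTC; assumed for the example
BULK_BYTES = 500_000_000           # a full clone of a large repo; assumed
SWEEP_WINDOW = timedelta(hours=6)  # distinct repos cloned within this window
MAX_REPOS_IN_WINDOW = 3


def parse(line):
    """Turn one log line into a dict with an aware datetime and an int byte count."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec


def after_hours_bulk(events):
    """Large transfers outside business hours: (user, repo, iso timestamp)."""
    return [
        (e["user"], e["repo"], e["ts"].isoformat())
        for e in events
        if e["ts"].hour not in BUSINESS_HOURS and e["bytes"] >= BULK_BYTES
    ]


def repo_sweeps(events):
    """Users who clone more than MAX_REPOS_IN_WINDOW distinct repos inside SWEEP_WINDOW.

    Returns one (user, iso timestamp) per user, at the clone that crossed the line.
    """
    clones = defaultdict(list)
    for e in events:
        if e["action"] == "clone":
            clones[e["user"]].append(e)
    hits = []
    for user, evs in clones.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            start = e["ts"] - SWEEP_WINDOW
            repos = {x["repo"] for x in evs[: i + 1] if x["ts"] >= start}
            if len(repos) > MAX_REPOS_IN_WINDOW:
                hits.append((user, e["ts"].isoformat()))
                break
    return hits


def find_anomalies(log=LOG):
    """Run both detections over the log text and group the findings by type."""
    events = [parse(line) for line in log.splitlines() if line.strip()]
    return {
        "after_hours_bulk": after_hours_bulk(events),
        "repo_sweep": repo_sweeps(events),
    }


if __name__ == "__main__":
    for kind, findings in find_anomalies().items():
        for f in findings:
            print(kind, *f)
```

On the constructed data only bob is flagged: three after-hours clones above the byte threshold and a sweep across four repositories inside half an hour, while alice and carol's daytime activity passes. Tune the thresholds against a baseline of each user's normal behaviour rather than fixed constants; the point is that tenure should not exempt anyone from the check.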