State Department email breach leaks employees' personal data


AFP/Getty Images

The latest government data breach affected State Department employee emails. On September 7th, workers were notified that their personally identifiable information was obtained by an unnamed actor, according to a recent report from Politico. It apparently impacted “less than one percent” of employees and direct victims of the breach were alerted at the time. Apparently, this didn’t affect classified information, so at least there’s that.

In a statement to Politico the State Department confirmed the breach and said that it was working with other government agencies to determine the source of the attack, in addition to tapping a firm from the private sector to aid the investigation.

Tuesday morning, news came out that Government Payment Service — more or less an online clearing house local governments use for accepting funds — compromised 14 million customer records dating back some six years. From the sounds of it, the State Department breach is much narrower in scope, at least. That doesn’t change Uncle Sam’s reputation for digital security though, nor does it reverse the breach regardless of how small it may have been.

TechCrunch reports that two-factor authentication is only in place on around 11 percent of required devices at the State Department, citing a study from earlier this year. The wheels of bureaucracy move slowly, sure, but that doesn’t mean we should simply accept our government’s willingness to wallow in ineptitude and let hackers make off with sensitive data.


US government payment site leaks 14 million customer records


Getty Images/iStockphoto

Government Payment Service Inc — the company thousands of local governments in the US use to accept online payments for everything from court-ordered fines to licensing fees — has compromised more than 14 million customer records dating back to 2012, KrebsOnSecurity reports. According to the security investigation site, the leaked information includes names, addresses, phone numbers and the last four digits of credit cards.

KrebsOnSecurity alerted the company — which does business as GovPayNow.com — to the problem on September 14th. The site found that it was possible to view millions of customer records simply by changing the digits in the web address displayed by each receipt, with nothing checking that the person viewing a receipt was its owner. Two days later, the payment site released a statement saying it had addressed a “potential issue,” and that while there was “no indication that any improperly accessed information was used to harm any customer,” the company has nonetheless updated its systems to prevent the issue recurring.
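The receipt-walking flaw described above, modelled as an added example that is not GovPayNow’s code: a lookup keyed only on a guessable number, beside a version that enforces ownership and issues unguessable receipt references, plus a log check that flags a client requesting consecutive IDs. The records, the `/receipt?id=` path and the log format are assumptions made for this example.

```python
"""Constructed model of an insecure direct object reference on a receipt lookup:
a guessable numeric ID in the URL is the only thing gating access to a record.
Nothing here is GovPayNow's code; records, path and log format are assumptions."""
import re
import secrets
from collections import defaultdict

# Constructed sample records (not real customer data).
RECEIPTS = {
    1001: {"owner": "alice", "name": "Alice A.", "card_last4": "1234"},
    1002: {"owner": "bob",   "name": "Bob B.",   "card_last4": "5678"},
    1003: {"owner": "carol", "name": "Carol C.", "card_last4": "9012"},
}


def lookup_vulnerable(receipt_id):
    """Before: whoever supplies an ID gets the record, so changing the digits
    in the address walks the whole table."""
    return RECEIPTS.get(receipt_id)


def lookup_hardened(receipt_id, requester):
    """After: ownership is checked server-side, and a record that belongs to
    someone else is indistinguishable from one that does not exist."""
    record = RECEIPTS.get(receipt_id)
    if record is None or record["owner"] != requester:
        return None
    return record


def issue_references(receipts):
    """Replaces sequential IDs in receipt links with random references, so a
    receipt link that is viewable without login cannot be enumerated by counting."""
    return {secrets.token_urlsafe(16): receipt_id for receipt_id in receipts}


REFERENCES = issue_references(RECEIPTS)


def lookup_by_reference(reference):
    """Resolves a random receipt reference; unknown references yield None."""
    receipt_id = REFERENCES.get(reference)
    return None if receipt_id is None else RECEIPTS[receipt_id]


# Detection: constructed access-log lines in the assumed format
# '<client> "GET /receipt?id=<n>" <status>'. Misses (404) count too: an
# enumeration walk shows up whether or not each record exists.
LOG_LINES = [
    '203.0.113.7 "GET /receipt?id=1001" 200',
    '203.0.113.7 "GET /receipt?id=1002" 200',
    '203.0.113.7 "GET /receipt?id=1003" 200',
    '203.0.113.7 "GET /receipt?id=1004" 404',
    '203.0.113.7 "GET /receipt?id=1005" 404',
    '198.51.100.2 "GET /receipt?id=1002" 200',
    '198.51.100.2 "GET /receipt?id=1009" 200',
]
LOG_RE = re.compile(r'^(\S+) "GET /receipt\?id=(\d+)" (\d{3})$')


def flag_enumeration(lines, run_length=5):
    """Flags clients that requested `run_length` consecutive receipt IDs,
    the access pattern a digit-tweaking walk leaves behind."""
    ids_by_client = defaultdict(set)
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            ids_by_client[match.group(1)].add(int(match.group(2)))
    flagged = set()
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_length:
                flagged.add(client)
                break
    return flagged
```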

Government Payment Service Inc was acquired by Securus Technologies at the start of 2018. The Texas-based company provides telecommunications services to prisons, among other things, and has come under fire a number of times for data breaches this year alone. In May, it emerged that Securus was abusing its cell phone-tracking capabilities, then just weeks later hackers broke into its system and stole the online credentials of multiple law enforcement officials. As KrebsOnSecurity notes, fixing these information disclosure issues is relatively simple, so it’s remarkable how many organizations are falling foul of these basic vulnerabilities — especially when their name, ‘Securus’, suggests they should really be on top of their game.


Symantec offers free anti-spoofing services to US political campaigns and election groups

Symantec is the latest private security company to offer its expertise to vulnerable political targets on the house. Today the company announced that it would extend its “Project Dolphin” service (dolphins eat phish, get it) to political campaigns, candidates and election officials, all “prime target[s] for malicious actors seeking to influence the outcome of the upcoming U.S. midterm elections.” The service allows for anyone to run a check on their own website to make sure no illegitimate or “spoofed” versions of it are floating around and luring unsuspecting victims.

Individuals in those qualifying groups can sign up for free for Project Dolphin, Symantec’s AI-powered system that scans for and notifies users of illegitimate websites pretending to be the real thing — just one flavor of the common hacking technique called “spoofing.” Through spoofed sites, much like spoofed email accounts, hackers can steal login credentials and other sensitive data and wreak whatever kind of havoc they want, much like they did with the DNC prior to the 2016 US presidential election.

The company will also offer some educational services on a new dedicated election security site, including best practices for poll workers and election officials, anti-tampering training, and an election security news hub.

Whether the intended audience for these materials and services will actually take note of them remains to be seen, but cobbling together election security guides now could help smooth the path to more secure elections by 2020.

“The issues that plagued the 2016 election are still prevalent today and are likely to continue to persist through the midterm elections, into 2020, and into elections globally,” Symantec CEO Greg Clark said.

“It is important for all parties, public and private, to contribute to protecting the security and integrity of our elections and democracy.”

While it’s quite late to the game — at least for 2018 midterms — Symantec joins a number of security companies that have extended free or deeply discounted services to candidates and election bodies, including Cloudflare, Valimail and Synack.


This is what Americans think about the state of election security right now

A wide-ranging new poll yields some useful insight into how worried the average American feels about election threats as the country barrels toward midterms.

The survey, conducted by NPR and researchers with Marist College, polled 949 adult U.S. residents in early September across regions of the country, contacting participants through both landlines and mobile devices. The results are a significant glimpse into current attitudes around the likelihood of foreign election interference, election security measures and how well social media companies have rebounded in the public eye.

Attitudes toward Facebook and Twitter

As the most recent dust settles around revelations that Russia ran influence campaigns targeting Americans on social media platforms, just how much do U.S. voters trust that Facebook and Twitter have cleaned up their acts? Well, they’re not convinced yet.

In response to a question asking about how much those companies had done since 2016 “to make sure there is no interference from a foreign country” in the U.S. midterm elections, 24 percent of respondents believed that Facebook had done either “a great deal” or “a good amount,” while 62 percent believed the company had done “not very much” or “nothing at all.”

When asked the same question about Twitter, only 19 percent thought that the company had made significant efforts, while 57 percent didn’t think the company had done much. Unlike nearly every other question in the broad-ranging survey, answers to this set of questions didn’t show a divide between Republicans and Democrats, making it clear that in 2018, disdain for social media companies is a rare bipartisan position.

When it comes to believing what they read on Facebook, only 12 percent of voters had “a great deal” or “quite a lot” of confidence that content on the platform is true, while 79 percent expressed “not very much confidence” or none at all. Still, those numbers have perked up slightly from polling in 2018 that saw only 4 percent of those polled stating that they were confident in the veracity of content they encountered on Facebook.

Midterm perspectives

In response to the question “Do you think the U.S. is very prepared, prepared, not very prepared or not prepared at all to keep this fall’s midterm elections safe and secure?,” 53 percent of respondents felt that the U.S. is prepared while 39 percent believed that it is “not very prepared” or not prepared at all. Predictably, this question broke down along party lines, with 36 percent of Democrats and 74 percent of Republicans falling into the “prepared” camp (51 percent of independents felt the U.S. is prepared).

An impressive 69 percent of voters believed that it was either very likely or likely that Russia would continue to “use social media to spread false information about candidates running for office” during the midterm elections, suggesting that voters are moving into election season with a very skeptical eye turned toward the platforms they once trusted.

When it came to hacking proper, 41 percent of respondents believed that it was very likely or likely that “a foreign country will hack into voter lists to cause confusion” over who can vote during midterm elections, while 55 percent of respondents said that hacked voter lists would be not very likely or not at all likely. A smaller but still quite significant 30 percent of those polled believed that it was likely or very likely that a foreign country would “tamper with the votes cast to change the results” of midterm elections.

Election security pop-quiz

Political divides were surprisingly absent from some other questions around specific election security practices. Democrats, Republicans and independent voters all indicated that they had greater confidence in state and local officials to “protect the actual results” of the elections and trusted federal officials less, even as the Department of Homeland Security takes a more active role in providing resources to protect state and local elections.

A few of the questions had a right answer, and happily most respondents did get a big one right. Overall, 55 percent of voters polled said that electronic voting systems made U.S. elections less safe from “interference or fraud” — a position largely backed by election security experts who advocate for low-tech options and paper trails over vulnerable digital systems. Only 31 percent of Democrats wrongly believed that electronic systems were safer, though 49 percent of Republicans trusted electronic systems more.

When the question was framed a different (and clearer) way, the results were overwhelmingly in favor of paper ballots — a solution that experts widely agree would significantly secure elections. Indeed, 68 percent of voters thought that paper ballots would make elections “more safe” — an attitude that both Republican and Democratic Americans could get behind. Unfortunately, legislation urging states nationwide to adopt paper ballots has continued to face political obstacles in contrast to the wide support observed in the present poll.

On one last election security competence question, respondents again weighed in with the right answer. A whopping 89 percent of those polled correctly believed that online voting would be a death knell for U.S. election security — only 8 percent said, incorrectly, that connecting elections to the internet would make them more safe.

For a much more granular look at these attitudes and many others, you can peruse the poll’s full results here. For one, there’s more interesting stuff in there. For another, confidence — or the lack thereof — in U.S. voting systems could have a massive impact on voter turnout in one of the most consequential non-presidential elections the nation has ever faced.


Facebook expands security measures for political campaign staff


Reuters/Brendan McDermid

The US midterm elections are just weeks away, and Facebook is still scrambling to prevent election meddling with every means at its disposal. It’s launching a pilot program that will expand its protections for American political campaigns. Candidates at the federal or state levels, as well as their staff and party committees, can apply to receive extra protection for their Pages and individual accounts. Facebook will help activate two-factor authentication, proactively monitor accounts (through both automation and human staff), and prioritize reports of suspicious activity from campaign members. If there’s an attack against one person, Facebook will check other related accounts.

The company might spread the pilot to other elections and other high-profile users, including existing government staff.

There’s no mystery as to why Facebook is making this available, even as late as it is in the campaign season: it’s trying to prevent John Podesta-style account breaches from Russia and other actors that might try to meddle in the election. Facebook has admitted that it was too slow to act on election threats in the 2016 presidential election, and it doesn’t want to be accused of a similar shortcoming this year. While these and other measures won’t guarantee a hack-free election (especially not when they’re optional), Facebook could at least say that it offered help.


Five security settings in iOS 12 you should change right now

iOS 12, Apple’s latest mobile software for iPhone and iPad, is finally out. The new software packs in a bunch of new security and privacy features you’ve probably already heard about.

Here’s what you need to do to take advantage of the new settings and lock down your device.

1. Turn on USB Restricted Mode to make hacking more difficult

This difficult-to-find new feature prevents any accessories from connecting to your device — like USB cables and headphones — when your iPhone or iPad has been locked for more than an hour. That prevents police and hackers alike from using tools to bypass your lock screen passcode and get your data.

Go to Settings > Touch ID & Passcode and type in your passcode. Then scroll down to USB Accessories and make sure the setting is Off, so that accessories are not permitted while the device is locked.

2. Make sure automatic iOS updates are turned on

Every time your iPhone or iPad updates, it comes with a slew of security patches to prevent crashes or data theft. Yet, how often do you update your phone? Most don’t bother unless it’s a major update. Now, iOS 12 will update your device behind the scenes, saving you downtime. Just make sure you switch it on.

Go to Settings > General > Software Update and turn on automatic updates.

3. Set a stronger device passcode

iOS has gotten better in recent years with passcodes. For years, it was a four-digit code by default, and now it’s six digits. That makes it far more difficult to run through every combination — known as brute-forcing.

But did you know that you can set a number-only code of any length? Eight digits, twelve — even more — and it keeps the number keypad on the lock screen so you don’t have to fiddle around with the keyboard.

Go to Settings > Touch ID & Passcode and enter your passcode. Then, go to Change password and, from the options, set a Custom Numeric Code.

4. Now, switch on two-factor authentication

Two-factor is one of the best ways to keep your account safe. If someone steals your password, they still need your phone to break into your account. For years, two-factor has been cumbersome and annoying. Now, iOS 12 has a new feature that auto-fills the code, taking the frustrating step out of the equation — so you have no excuse.

You may be asked to switch on two-factor when you set up your phone. You can also go to Settings and tap your name, then go to Password & Security. Just tap Turn on Two-Factor Authentication and follow the prompts.

5. While you’re here… change your reused passwords

iOS 12’s password manager has a new feature: password auditing. If it finds you’ve used the same password on multiple sites, it will warn you and advise you to change those passwords. It prevents password reuse attacks (known as “credential stuffing”) that hackers use to break into multiple sites and services using the same username and password.

Go to Settings > Passwords & Accounts > Website & App Passwords and enter your passcode. You’ll see a small warning symbol next to each account where it recognizes a reused password. One tap of the Change Password on Website button and you’re done.


Surveillance camera vulnerability could allow hackers to spy on and alter recordings

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.

The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe.

The vulnerability works via a stack buffer overflow that corrupts the targeted software’s memory and opens the door to remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device.

“This is particularly devastating because not only is an attacker able to control the NVR [camera] but the credentials for all the cameras connected to the NVR are stored in plaintext on disk,” Tenable writes.

Tenable provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices on its Github page. One exploit “grabs the credentials to the cameras that are connected to the NVR, creates a hidden admin user, and disconnects any cameras that are currently connected to the NVR.” Not great.

Tenable set its disclosure to NUUO in motion on June 1. NUUO committed to a September 13 patch date to fix the issue but the date was later pushed to September 18, when anyone with affected equipment can expect to see firmware version 3.9.0.1. Organizations that might be vulnerable can use a plugin from the researchers to determine if they’re at risk or contact the manufacturer directly. TechCrunch reached out to NUUO about its plans to push a patch and notify affected users.

What makes matters worse with this vulnerability is that NUUO actually licenses its software out to at least 100 other brands and 2,500 camera models. Tenable estimates that the vulnerability could put hundreds of thousands of networked surveillance cameras at risk around the world, and many of the groups that operate those devices might have no idea that the risk is even relevant to the systems they rely on.


Facebook expands bug bounty program to include third-party apps and websites

Facebook announced this morning it’s expanding its bug bounty program – which pays researchers who find security vulnerabilities within its platform – to now include issues found in third-party apps and websites. Specifically, Facebook says it will reward valid reports of vulnerabilities that relate to the improper exposure of Facebook user access tokens.

Typically, when a user logs into another app using their Facebook account information, they’re able to decide what information the token and, therefore, the app can access and what actions it can take.

But if the token becomes compromised, users’ personal information could be misused.

Facebook says it will pay a minimum reward of $500 per vulnerable app or website, if the report is valid. The company also noted it wasn’t aware of any other programs offering rewards of this scope for all eligible third-party apps.

If a vulnerability is determined to be legit, Facebook will then work with the affected app developer or website operator to fix their code. Any apps that don’t comply with Facebook’s request to address the issue will be suspended from the platform until the problem has been solved and the app has undergone a security review.

In addition, Facebook says it will revoke all the access tokens that could have been compromised in order to prevent potential misuse. If it believes anyone has actually been impacted by the problem, it will notify them, if need be.

The company spells out what sort of information researchers (the white hat hackers) should include in their reports in order to receive the reward. It also says it’s only accepting reports where the bug is discovered by passively viewing data sent to and from a device and the affected app or website – not through any manipulation of requests on the researchers’ part.

The news comes at a time when Facebook is still dealing with the fallout from the Cambridge Analytica scandal, which compromised the personal data from as many as 87 million Facebook users. This was followed by news this summer that a quiz app had been leaking data on 120 million users for years.

Since then, the company has been tightening its API platform, reviewing all apps, suspending hundreds of apps deemed suspicious, rolling out tools to help people better manage their apps, and more.

As a part of those changes, Facebook said earlier this year that its bug bounty program would be expanded.

Separately from this new program, the company now also runs a Data Abuse Bounty program which rewards first-hand knowledge of third-parties that collect user data in order to pass it off to malicious parties.

“We would like to emphasize that our bug bounty program does not replace the obligations on app developers to maintain appropriate technical and organizational measures to protect personal data — either regulatory obligations (for example, if the app developer is a data controller for the purposes of GDPR) or the rigorous controls we require through our terms of service and policies that apply to all developers on the Facebook platform,” wrote Dan Gurfinkel, Facebook Security Engineering Manager, in an announcement.

More details on the program are here.


Facebook will reward those who report bugs in third-party apps


SOPA Images via Getty Images

Facebook is expanding its bug bounty program and will begin offering rewards to those that report vulnerabilities in third-party apps that connect to its platform. Specifically, the company is concerned with the misuse of access tokens, which allow Facebook users to log into other apps and websites with their Facebook account. “If exposed, a token can potentially be misused, based on the permissions set by the user,” Dan Gurfinkel, Facebook’s security engineering manager, said in a blog post. “We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people’s information, even if the source of a bug is not in our direct control.”

In the wake of the Cambridge Analytica scandal, Facebook made some changes to its privacy policies and stepped up some of its security efforts. In April, it began offering rewards to those reporting data abuse on the part of app developers. Gurfinkel noted in today’s blog post that app developers are still required to protect users’ data and the expanded bug bounty program isn’t meant as a replacement for those obligations.

Those with valid reports will be given a minimum of $500, with that amount increasing in line with the impact of the report. “Importantly, we will only accept reports if the bug is discovered by passively viewing the data sent to or from your device while using the vulnerable app or website,” wrote Gurfinkel. “You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report.” Affected apps will be notified and Facebook will work with them to fix the issue. Those that don’t respond will be suspended until the problem has been addressed and a security review has been completed. Facebook will also notify any users affected by a reported vulnerability.


North Koreans have been hiding their identities to evade sanctions


KCNA / Reuters

The US Department of the Treasury recently warned IT companies and individuals that individuals from North Korea are using fake online information in order to win employment for technology projects. These individuals often hide behind businesses that are nominally Chinese-owned, but are often completely controlled and managed by North Koreans.

The Treasury Department specifically identified two guilty companies, China Silver Star and Volsys Silver Star. Doing business with North Korea, or with any business that employs North Korean citizens, is, of course, against US and UN sanctions.

The Wall Street Journal expanded on this issue by looking into a North Korean operated business out of China that developed apps, mobile games and more for people and businesses across the world. The companies and individuals that did business with them through avenues such as Facebook, LinkedIn, Upwork and Freelancer.com thought they were Chinese programmers; they had no idea they were doing business with North Koreans.

It’s possible that, using these fake profiles, these North Korean companies have made millions of dollars off of unsuspecting clients, using apps like Slack, Github and PayPal to remain as anonymous as possible. The Wall Street Journal notes that these tactics are similar to the ones that Russians were able to use to influence the 2016 US elections.
