Daily Archives: May 10, 2018

Keep Your Mum Safe This Mother’s Day!

On my first Mother’s Day 21 years ago, I received a pair of gorgeous fluffy pink slippers. Last year – it was a sleek shiny green Fitbit! Technology has absolutely transformed our gift giving and Mother’s Day is no exception.

The rising popularity of internet connected gifts means many lucky mums will receive a glossy new device on Mother’s Day. It may be a digital home assistant, a fitness tracker or even a big new Smart TV. Whatever it is, we must understand the potential risks involved when giving or receiving an internet enabled device. Because we don’t want to put our mums (or our families) at risk.

But don’t let this change your shopping plans! Like anything in life, if you’re prepared you can minimise the risks and avoid getting caught out by cyber threats. So, here is the low-down on threats posed by some of the more popular gifts this Mother’s Day and tips on how to protect against them.

Digital Home Assistants

Regardless of which brand you might choose, a digital assistant can be a massive help for any busy mum.  Whether it reading the kids a bedtime story or a recipe while you cook, or setting timers – it’s the closest thing many mums can get to another set of hands!

However, there are risks associated with these mother’s helpers. If your home assistant is hacked, your personal information could be at risk. Which means your  bank accounts details or your identity could be put at risk. And as the device is ‘always on’, your personal assistant can listen to and record what is being said around your house – a definite privacy issue.

What to Do to Stay Safe

  • Protecting your Home Wi-Fi is an essential step to ensuring your home assistant is secure. Solutions such as McAfee’s Secure Home Platform, available soon on D-Link routers, will secure all your devices that connect to your Home Wi-Fi, including your home assistant. So, you have protection and peace of mind.
  • Always change the manufacturer’s default password when setting up the Wi-Fi and ensure you create a complex, unique one instead. A combination of lower and upper-case letters, numbers and special characters is ideal.
  • Don’t allow your home assistant to store your private information. I also advise against allowing your home assistant to store passwords, credit card data, or any of your contact information.

Fitness Trackers

A wearable fitness tracker might be at the top of your mum’s wish list this Mother’s Day. But there are some surprisingly worrying security risks surrounding the popular gift that she should be aware of.

Researchers have found it is possible to crack PINs and passwords by hacking into the motion sensors to track hand movements. Additional research shows that the encryption offered by wearable fitness tracker manufacturers is quite easily intercepted. This means all your personal data stored on the device can easily be hacked. And while info like your calorie intake and step count many not seem valuable to a hacker, information like where you worked out and how long you were away from home can paint a very valuable picture of who you are!

What to Do to Stay Safe

  • Keep your fitness tracker up-to-date. Just like with any connected device, as soon as software updates become available, download them immediately to prevent cyber criminals from hacking your device.
  • Set up your fitness tracker and any associated online accounts with an obscure user name and unique passwords, that are completely unrelated to any of your other accounts.
  • Read the Privacy Policy of the device or app you are considering buying. Make sure you are comfortable with the company’s commitment to protecting your data.
  • Consider disabling certain features of the fitness tracker if you feel that your privacy many be jeopardised.

Smart TVs

Whilst buying mum a smart TV would certainly make her feel spoilt this Mother’s Day, they can come with a more sinister side. In March 2017, news emerged that it may be possible to hack into smart TVs to spy on users. Since then, several critical vulnerabilities have been found in Vestel firmware, which is used in more than 30 popular TV brands. These vulnerabilities could be easily leveraged to spy on smart TV users through the microphones and cameras.

What to Do to Stay Safe

  • Buy smart TVs with security in mind. When purchasing a smart TV, it’s always important to do your homework and read up on any current vulnerabilities.
  • Secure your home’s internet at the source. Smart TVs, like all connected devices, must connect to a home Wi-Fi network to run. If they’re vulnerable, they could expose your network as a whole. Since it can be challenging to lock down all the IoT devices in a home, again a solution like McAfee Secure Home Platform can provide protection at the router-level.

If you are shopping online for mum, please remember to keep your guard up. Only shop from secure websites where the URL begins with ‘https://’ and a lock icon appears in the address bar. NEVER, EVER shop using unsecured Wi-Fi. It can leave you vulnerable to all sorts of nasty attacks and your private information may be hacked by a third party.

Finally, and most importantly, don’t forget to thank your wonderful mum for everything she has done for you. A handwritten card with a few lines of thanks is extremely powerful!!

Happy Mother’s Day!!

Alex xx

 

The post Keep Your Mum Safe This Mother’s Day! appeared first on McAfee Blogs.

Meet Sunder, a New Way to Share Secrets

The moment a news organization is given access to highly sensitive materials—such as the Panama Papers, the NSA disclosures or the Drone Papers—the journalist and their source may be targeted by state and non-state actors, with the goal of preventing disclosures. How can whistleblowers and news organizations prepare for the worst?

The Freedom of the Press Foundation is requesting public comments and testing of a new open source tool that may help with this and similar use cases: Sunder, a desktop application for dividing access to secret information between multiple participants.

Sunder is not yet ready for high stakes use cases. It has not been audited and is alpha-quality software. We are looking for early community feedback, especially from media organizations, activists, and nonprofits.

While Sunder is a new tool that aims to make secret-sharing easy to use, the underlying cryptographic algorithm is far from novel: Shamir's Secret Sharing was developed in 1979 and has since found many applications in security tools. It divides a secret into parts, where some or all parts are needed to reconstruct the secret. This enables the conditional delegation of access to sensitive information. The secret could be social media account credentials, or the passphrase to an encrypted thumb drive, or the private key used to log into a server.

Sunder is currently available for Mac and Linux, and in source code form. See the documentation for installation and usage instructions. We also invite you to complete a short survey which will influence the future direction of this tool.

If you are interested in getting involved in development, we welcome your contributions! Please especially take a look at issues marked "easy" or "docs". Sunder is based on the open source RustySecrets library, which is also open to new contributors.

Sunder screenshot
Sunder allows you to divide a secret into shares, a certain number of which are required to reconstruct it


How could Sunder be useful for journalists, activists and whistleblowers?

Until a quorum of participants agrees to combine their shares (the number is configurable, e.g., 5 out of 8), the individual parts are not sufficient to gain access, even by brute force methods. This property makes it possible to use Sunder in cases where you want to disclose a secret only if certain conditions are met.

The most frequently cited example is disclosure upon an adverse event. Let's say an activist's work is threatened by powerful interests. She provides access to an encrypted hard drive that contains her research to multiple news organizations. Each receives a share of the passphrase, under the condition that they only combine the shares upon her arrest or death, and that they take precautions to protect the shares until then.

Secret sharing can also used to protect the confidentiality of materials over a long running project. An example would be a documentary film project accumulating terabytes of footage that have to be stored safely. By "sundering" the key to an encrypted drive containing archival footage, the filmmaking team could reduce the risk of accidental or deliberate disclosure.

But most importantly, we want to hear what you think. Please give Sunder a spin by downloading one of the releases and following the documentation, and please take our survey!


Disclaimer

As noted above, Sunder is still alpha quality software. It's very possible that this version has bugs and security issues, and we do not recommend it for high stakes use cases. Indeed, Sunder and the underlying library have not received a third party audit yet.

Furthermore, any secret sharing implementation is only as robust as the operational security around it. If you distribute or store shares in a manner that can be monitored by an adversary (e.g., online without the use of end-to-end encryption) this could compromise your security.


Inquiries

For inquiries, please contact us at sunder@freedom.press.



Credits

Sunder was primarily developed by Gabe Isman and Garrett Robinson. Conor Schaefer has acted as a maintainer and release manager; Lilia Kai recently also joined the project as a maintainer. RustySecrets was developed by the RustySecrets team. Conversations between Ed Snowden and Frederic Jacobs were the original impetus for the project.

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Posted by Ivan Fratric, Project Zero

With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or modify existing executable memory. The goal of this is to make it more difficult for an attacker who already gained some capabilities in the browser’s Content Process to execute arbitrary code.

Since modern web browsers rely on Just-In-Time (JIT) compilation of JavaScript to achieve better performance and the code compilation in JIT is incompatible with ACG, a custom solution was needed to enable ACG in Microsoft Edge: The JIT engine was separated from the Edge Content Process into a separate, JIT Process.

We analyzed ACG and tried to answer the question of how useful this mitigation is going to be in preventing an attacker from exploiting Microsoft Edge. Additionally, we examined the implementation of the JIT server and uncovered multiple issues in it (that have been fixed at the time of publishing this). While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems. Thus we hope that this work would be useful for other vendors who might consider employing similar mitigations.

We published the result of this work in a whitepaper that can be found here. All related materials (tools, PoC code) can be found here.

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan. From:    Barclays [service@barclaysdownloads.co.uk]Date:    10 May 2018, 13:16Subject:    New documents available for downloadSigned by:    barclaysdownloads.co.ukSecurity:    Standard encryption (TLS) Learn moreBarclays Bank PLC Has Sent You Important Account Documents to SignYou can view the document in your Barclays

Airbash – Fully Automated WPA PSK Handshake Capture Script

Airbash – Fully Automated WPA PSK Handshake Capture Script

Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and Android Shell (tested on Kali Linux and Cyanogenmod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (AP).

Those clients are then deauthenticated in order to capture the handshake when attempting to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng.

Read the rest of Airbash – Fully Automated WPA PSK Handshake Capture Script now! Only available at Darknet.