Sep 30 2013
 

Google Begs Court to Reconsider Ruling That Wi-Fi Sniffing Is Wiretapping

 

WIRED / Threat Level
by David Kravets
September 25, 2013

 

 

Google Begs Court to Reconsider Ruling That Wi-Fi Sniffing Is Wiretapping (Photo: dspain/Flickr)


 

Google is asking a federal appeals court to reconsider a recent ruling finding Google potentially liable for wiretapping when it secretly intercepted data on open Wi-Fi routers.

The Mountain View-based company said the September 10 decision by the 9th U.S. Circuit Court of Appeals will create “confusion” (.pdf) about which over-the-air signals are protected by the Wiretap Act, including broadcast television.

The case concerns nearly a dozen combined lawsuits seeking damages from Google for eavesdropping on open Wi-Fi networks from its Street View mapping cars. The vehicles, which rolled through neighborhoods around the world, were equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google location-specific services. But the cars also gathered snippets of content.

The search giant petitioned the San Francisco-based appeals court to reconsider its decision that allowed the case to proceed at trial — a ruling that upended Google’s defense.

Google claimed it was legal to intercept data from unencrypted, or non-password-protected, Wi-Fi networks. Google said open Wi-Fi networks are “radio communications” like AM/FM radio, citizens’ band and police and fire bands, and are “readily accessible” to the general public and exempt from the Wiretap Act — a position the appeals court rejected.

“This error is exceptionally important. It promises to have a substantial, long-lasting effect on the application of the Wiretap Act in an environment of rapid technological change. If allowed to stand, the panel’s ruling will create confusion about the Wiretap Act’s prohibitions, threaten the development of new radio-based technologies, and raise questions about whether activities that Congress intended to protect may now be deemed unlawful,” Google wrote the appeals court late Monday.

The court has the option of rejecting Google’s petition. Or, it could rehear the case with the same three-judge panel or decide the issue en banc with an 11-judge panel. The 9th Circuit is the nation’s largest appeals court, and covers Arizona, California, Montana, Alaska, Hawaii, Idaho, Oregon, Washington and Nevada.

Google said the decision makes it unclear whether intercepting broadcast television might be deemed wiretapping, as might the interception of “public safety communications” or “any marine or aeronautical communications systems.”

“That makes no sense, will create confusion about what radio-based signals can be lawfully received, and is not what Congress intended,” Google wrote in its petition.

Google was sniffing packets of data on unsecured Wi-Fi networks in about a dozen countries over a three-year period, until German privacy authorities began questioning in 2010 what data Google’s Street View cars were collecting. Google, along with other companies, uses databases of Wi-Fi networks and their locations to augment or replace GPS when attempting to figure out the location of a computer or mobile device. Google had claimed the lawsuit was “without merit,” and has abandoned the practice of payload sniffing from open networks.

The flap, meanwhile, has wide-ranging implications for the millions who use open, unencrypted Wi-Fi networks at coffee shops, restaurants or any other businesses that try to attract customers by providing free Wi-Fi.

Hanni Fakhoury, an Electronic Frontier Foundation staff attorney, said the court’s decision had some pluses and minuses. One fallout is that security researchers face the risk of civil penalties or even criminal prosecution for intentionally capturing payload data traveling over open Wi-Fi networks.

 

On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We’ve seen the government use a device called a ‘moocherhunter’ without a search warrant to read Wi-Fi signals to figure out who’s connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a ‘stingray’ to the extent it can capture Wi-Fi signals) to capture payload data — even if just to determine a person’s location—they’ll need a wiretap order to do so. That’s good news since wiretap orders are harder to get than a search warrant.

 

Ironically, the Federal Communications Commission last year cleared Google of wrongdoing in connection with its secretly intercepting Americans’ data on unencrypted Wi-Fi routers.

The commission said that, between 2008 and 2010, “Google’s Street View cars collected names, addresses, telephone numbers, URL’s, passwords, e-mail, text messages, medical records, video and audio files, and other information from internet users in the United States.”

The commission, however, fined Google $25,000 for stonewalling the investigation.

 

Direct Link:  http://www.wired.com/threatlevel/2013/09/google-wi-fi-do-over/

Jul 02 2013
 

Ubisoft Database Hack Exposes Email Addresses, Passwords

PC Magazine
by  Chloe Albanesius
July 2, 2013

 


 

Ubisoft today revealed that a hack of its systems exposed user names, email addresses, and encrypted passwords, but not financial data.

The attackers exploited one of Ubisoft’s websites “to gain unauthorized access to some of our online systems,” the company said in a statement. Ubisoft shut down the hackers’ access, but discovered that they had infiltrated the company’s account database.

“It’s important to note that no personal payment information is stored with Ubisoft, so fortunately all credit/debit card information was safe from this intrusion,” according to Ubisoft.

Ubisoft is recommending that all account holders change their passwords on ubi.com, as well as on other websites where they might have used the same password.

Although passwords were encrypted, they “could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password,” Ubisoft said.

Ubisoft declined to go into specifics about the attack “for security reasons,” but denied that it originated via any Uplay services. The company has alerted the necessary authorities and said it is taking steps to shore up its systems. But “no company or organization is completely immune to these kinds of criminal attacks,” Ubisoft said. Access to Ubisoft games was not affected.

Ubisoft is one of several high-profile gaming firms that will be rolling out games for the upcoming Xbox One and PlayStation 4, including Watch Dogs, which ironically requires players to hack into various electronic systems. In May, Ubisoft revealed that it worked with Kaspersky Lab to make sure the hacking in the game looked authentic.

Direct Link:  http://www.pcmag.com/article2/0,2817,2421311,00.asp

Oct 29 2012
 

Why Phishing Works And How To Avoid Becoming a Victim

 

Security Week
by Jon-Louis Heimerl
October 20, 2012

 

 

 

Teach Someone to Phish and They Can Feed Themself Forever…

Or maybe, we work harder to avoid phishing.

Phishing is a form of social engineering that attempts to steal sensitive information. An attacker’s goal is to compromise systems to obtain usernames, passwords, and other account and/or financial data. They most frequently accomplish phishing attacks via email. The attacker sends crafted emails to people within an organization. The email usually pretends to be from someone trustworthy, like your bank, UPS/FedEx, a credit card company or an airline, or some other site for which you may have login credentials. The email includes a link to an “official” website that is actually a fake site operated by the attacker.

Once the user visits the fake site, they may be asked overtly to enter account information such as usernames, passwords, credit card details, social security or bank account numbers. The victim may also be exposed to malware by the fake site. Taking advantage of a variety of vulnerabilities in the browser, the attacker may be able to install a Trojan Horse on the user’s computer. If done correctly, the attack can capture sensitive information without the victim even knowing that they have been compromised.

 

Why Phishing Works

Such attacks are especially troublesome when the victims are privileged users within an organization. Suppose a user has privileges to approve or send checks, or authorize a bank transfer such as an ACH transfer. If that user can be tricked into giving up their username and password, then an imposter can potentially re-use the official username/password to initiate their own transfer. Since the transfer is being authorized by an appropriate account holder (as far as the system is concerned, with a valid username and password) it is harder to identify this as fraud without additional monitoring and validations.

Attackers utilize more advanced and more determined phishing methods if they are sure they have identified high value account holders. “Spear phishing” includes techniques to ensure that the attacks are successful. An attacker might, for instance, develop their target employee list, and then check social media pages like Facebook for interests, children’s names and schools, and other available information to gather detailed intelligence that they can use to craft a targeted email. You may not automatically respond to an email from your bank, but would an email from your dealer about an emergency recall notice on your new car, or a notice from a pharmaceutical company about critical side effects of a prescription drug you are taking, or an email about your daughter’s financial aid at college be likely to get some attention? These targeted emails are usually highly effective.

Current phishing attacks against financial institutions are very customized. They are designed to be effective in these environments by targeting large numbers of financial institution employees. The goal is to infect and compromise enough users that the attacker can get end-to-end control of financial transaction approval systems, allowing him to initiate and approve transactions that appear to be properly authorized. These attacks use tailored techniques, dynamic websites, and regularly update the methods used. The result is a series of attacks that have an alarmingly high success rate, yet a relatively low detection rate.

As far as we know right now, these attacks have mostly been conducted against small-to-medium sized banks and credit unions, but some large banks and other financial organizations have been specifically targeted. The resulting compromises have allowed fraudulent wire transfers of sizeable amounts – $400,000 to $900,000, and sometimes more. Attackers are often able to browse an organization’s accounts and specifically select accounts with the highest balances.

 

Avoid Becoming a Victim

Organizationally, there are things you can do to help avoid becoming a victim, and to minimize damage if you are victimized:

1. Consider using dedicated systems for payment requests and approval processes. Consider disabling email access on any system involved with payment processing. If an attacker cannot compromise the systems in payment processing, he will have a harder time obtaining payment usernames and passwords, and a harder time actually requesting/approving a transfer.

2. Consider using a strong authentication mechanism on all payment processing systems. This would include replacing or augmenting username/password combinations with a hardware token and PIN, or with biometrics such as a fingerprint reader. An attacker will be unable to copy and reuse strong authentication such as a token or biometrics.

3. Consider blocking Internet access for systems involved in payment processing. If the system genuinely has no Internet access, malware would be unable to talk back to its controlling systems and attacker.

4. Consider disabling the use of USB flash drives in payment processing systems. In some circles USB flash drives are often referred to as “malware delivery devices.” Disabling USB flash drives removes one more potential avenue for infection.

5. Use tools available in your email client. Outlook, for instance, has the ability to help filter potentially harmful links. In Outlook, go to Tools/Options/Preferences/Junk E-mail/Options, and check “Disable links and other functionality in phishing messages” and “Warn me about suspicious domain names in e-mail addresses.” These are not perfect solutions but they can help.

6. Be diligent in your use of anti-virus and anti-malware software, including regular updates and scans. Most of the malware used as part of a phishing attack is not detected by standard anti-virus software, but some of it is. Some malware indicators may not be changed before an anti-virus update is available, and sometimes older versions of malware are distributed. Additionally, anti-virus software can help identify secondary infections that may be related to an attack.

7. Use reputation-based website, IP address, and URL filtering to help ensure that any systems accessed from within the company are not considered “bad” sites. You can extend this further by allowing only “white-list” access – access to addresses that have specifically been recognized as “good” sites (note that this has the potential to inhibit some Internet capability).

8. Consider enforcing time-of-day login and payment processing. Many fraudulent transactions occur after normal working hours. For instance, a series of large transfers that completed at 7:00PM Friday evening might be functionally ignored until staff return and see abnormal activities Monday morning.

9. Consider limiting access to payment processing systems from mobile devices, laptops, and systems based in home offices. These distributed systems are typically more vulnerable to threats.

10. Do not allow access to any internal organization system, especially payment processing systems, from a personally owned home computer. There is simply no way the organization can enforce proper control over such a system.

11. Conduct employee security awareness sessions to instruct employees on how to identify phishing emails and avoid falling victim to them. Any reduction in exposure slows compromise and increases your organization’s capability to identify an escalating threat.

12. Explicitly communicate to employees, partners and clients that you will never solicit account information via email, or send a link to update account information.

 

Individually, there are things employees can do to help avoid becoming a victim and compromising the integrity of organizational operations:

1. Never open attachments or links in unsolicited emails.

2. In general, be suspicious of all emails containing links. If you get an email with a link for you to click, do not click it. Navigate independently to the destination site (for example, by typing www.mybigbank.com into a new browser window) and find the referenced location without using the conveniently included link.

3. Do not respond to suspicious emails in any manner.

4. Do not access emails on the same computers used to initiate or approve payments.

5. Make management aware when you receive a suspicious email.

 

Examples of Phishing Emails

You can refer back to a previous column I wrote on here for a detailed breakdown of a phishing email. But what if the email is not as blatant as the one I dissected before?

 

 

For purposes of this analysis, we will assume that “Account Operator” is a reasonable role in your organization. The attacker has gathered enough intelligence to know that the salutation is appropriate. Also assume that the organization name replaced with xxxxx.com is the name of your organization. What is wrong with this email?

1. Effectively, not much. By all appearances this is an email that came from your own security department providing notice that your ACH privileges have been at least temporarily revoked.

2. Checking the email address will show nothing as the email address has been spoofed.

3. Your first clue should be that the email has a generic salutation. If this email actually came from your own security department, it would probably be addressed to “Martin”, or “Mr. Reyes”, and not to the job role.

4. The only real clue in this email is the hyperlink available at “view details.” In most browser-based email clients and some clients like Outlook, hovering over the hyperlink field will show the embedded link without actually opening it. The hyperlink pointed to a site that was completely unrelated to the organization, something similar to this: “http://jkdev.nodonenet.com/forwarding.htm”
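
The hover check in item 4 can be automated at the mail gateway. The following is an added example, not part of the original column: it extracts every link from an HTML body and flags targets outside the organization's domain, or links whose displayed address differs from the real target. The sample body is constructed, `xxxxx.com` is the column's placeholder for your organization, and `xxxxx.com.login.example` is a made-up lookalike host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ["xxxxx.com"]  # the column's placeholder for your organization
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)\S+$", re.I)
# Constructed sample body modelled on the e-mail described above.
SAMPLE_BODY = """
<p>Dear Account Operator, <a href="http://jkdev.nodonenet.com/forwarding.htm">view details</a></p>
<p><a href="https://intranet.xxxxx.com/ach">https://intranet.xxxxx.com/ach</a></p>
<p><a href="http://xxxxx.com.login.example/">www.xxxxx.com</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of an http(s) URL; None for anything else."""
    try:
        parts = urlsplit(url)
        ok = parts.scheme.lower() in ("http", "https")
        return ((parts.hostname or "").rstrip(".") or None) if ok else None
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None

def in_trusted(host, trusted):
    # Exact match or true subdomain; "xxxxx.com.login.example" must not pass.
    return any(host == d or host.endswith("." + d) for d in trusted)

def suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    parser, findings = LinkExtractor(), []
    parser.feed(html_body)
    for href, text in parser.links:
        host = host_of(href)
        if host is None:
            continue  # mailto:, relative and malformed links are out of scope
        reasons = []
        if not in_trusted(host, trusted):
            reasons.append("target outside organization")
        if LOOKS_LIKE_URL.match(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and shown != host:
                reasons.append("displayed address differs from target")
        if reasons:
            findings.append((text, host, reasons))
    return findings
```

Matching on the parsed hostname rather than on a substring of the URL is what keeps lookalike hosts and `user@host` tricks from passing as the organization's own domain.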

Chances are that you have been the target of a phishing attack. If you are in the financial community, chances are that you have been exposed to dedicated attacks – and will be again. Your best protection against phishing attacks is a combination of training and awareness that can limit the success of phishing attacks, and technical controls that will help identify compromised systems and attempts by those systems to talk to hostile servers on the Internet.

 

Direct Link:  http://www.securityweek.com/why-phishing-works-and-how-avoid-becoming-victim

Jun 04 2012
 

Firefox 13 leaks ahead of release, plays catch-up to other browsers

 

Los Angeles Times

By Salvador Rodriguez
June 4, 2012

 

 


 

Firefox 13, the latest version of Mozilla’s browser, leaked a day ahead of its official release. (Firefox / June 4, 2012)

 

 

Welcome to the 2010s, Firefox.

The latest version of Mozilla’s Web browser, Firefox 13, leaked onto the Internet a day ahead of its official release, and is available for download to anyone.

But unlike previous versions of Firefox that trailblazed new ways to surf the Web, this version is more about bringing Firefox up to par with its peers. It’s not a bad browser, but it’s nothing special either.

The official version will become available from Mozilla on Tuesday, but the early version, which is available here, appears to be the full, real thing.

The latest Firefox rendition, which has been available in Beta form for some time, brings a couple of new features with it to make the browser more helpful as well as faster.

The most notable changes will be visible to users on the browser’s default home page and its new tab page.

The default home page has been redesigned to include more than the Firefox logo and Google search bar. It now also includes thumbnail shortcuts to your downloads, bookmarks, history and other pages.

The new tab page is no longer a white, blank waste of real estate, but rather, it shows you your nine most visited websites, which as WebProNews notes, is nothing we haven’t seen before but something Firefox was definitely missing. And for those users who do like the blank page, there’s a button on the top right corner that brings it back.

Another addition to Firefox is a feature called Tabs on Demand, which is great for users who like to leave millions of tabs open. Tabs on Demand works when a user reloads a previous session that had numerous open tabs.

But rather than open each of them up simultaneously, inevitably making your computer crash or drag, Tabs on Demand only opens each tab as you get around to using it.

And there’s also Reset Firefox. This feature works when Firefox stops working by migrating your bookmarks, passwords, cookies and other data to a new profile while resetting everything else to default.

It’s a near-nuke option for when everything else fails to fix the problem.

So check out the latest version of Firefox or wait for Tuesday and get it officially from its makers. It’s nice and fresh, but it’s not a standout as Firefox once was.


 

Direct Link:  http://www.latimes.com/business/technology/la-fi-tn-firefox-13-leaks-20120604,0,16098.story