Monday, 28 August 2017

‘Welcome Messi!’ – hacked Real Madrid Twitter account announces signing

Real Madrid’s official Twitter account was hacked after a post welcoming Lionel Messi to the club appeared on their feed.

Only days after Barcelona’s account was taken over by the hackers OurMine, which announced Paris Saint-Germain’s Ángel Di María had joined the club as a hoax, the group was at it again, this time on the Champions League winners’ account.

At 5.30am BST, accompanied by a video of Messi scoring for Barcelona against Real Madrid, a post on Real’s Twitter said: “Benvingut Messi! Bienvenido Messi! Welcome Messi! Bienvenue Messi! #Messi.”

The group, which has hacked a series of high-profile accounts over the last 12 months, then followed it up with a series of tweets claiming responsibility for the hacking, saying: “Internet security is shit and we proved that.”

The post went viral, with over 27,000 retweets in the first 45 minutes of it being up. The tweets remained public for around 90 minutes before they disappeared from Real’s Spanish and English language feeds.

Friday, 24 February 2017

Mysterious Gmail account lockouts prompt hack fears

Something happening here, what it is ain't exactly clear

A substantial number of Gmail users have been affected by a potential but unconfirmed hack of unknown origin or purpose.

El Reg learnt of the issue following a tip from a self-described "very security conscious" IT professional who got locked out of his Gmail account. This happened after one of his security phone numbers was changed.

Apparently others have suffered somewhat similar problems and have posted their experiences to Reddit and elsewhere. Users are receiving messages saying that their account has been changed, and asking them to re-sign into Google on their mobile. It's not clear if some sort of glitch or a hack is to blame.

This is more a case of being bounced out of accounts than being locked out as such.

In response to a thread on one of its official forums, Google said it was investigating the issue while downplaying concerns.

We've gotten reports about some users being signed out of their accounts, unexpectedly. We're investigating, but not to worry: there is no indication that this is connected to any phishing or account security threats.
El Reg requested comment directly from Google on Friday morning but we're yet to hear back. While we've been waiting for a response, we've canvassed security folks through Twitter, two of whom have said they've been asked to reauthenticate themselves and log back into their Google accounts.

Verizon’s risky business: Acquiring the world’s biggest hack

The latest cost-per-breach calculation on the massive Yahoo! hack is $350 million. That’s how much Verizon lowered its offer to buy the victim of the biggest hack ever.

The Verizon RISK Team – which publishes the popular Data Breach Investigations Report (DBIR) and performs cyber investigations for hundreds of commercial enterprises and government agencies across the globe – just released its 2017 Data Breach Digest.
Yahoo suffered the biggest known hack of user data ever, with more than 1 billion user accounts exposed.
Talk about polar opposites. And to think, Verizon Communications, Inc. will be acquiring Yahoo, Inc.’s core business for nearly $4.5 billion. The price tag is roughly $350 million less than what Verizon – the market leading U.S. wireless carrier – originally offered.
The cost per breach – as Verizon’s RISK group calls it when determining the fallout in connection with a hack – on the Verizon and Yahoo! deal is staggering. $350 million is just for starters.
A story in Marketing Week this past summer reported that YouGov’s BrandIndex – which measures corporate reputations – gave Yahoo a score of less than 4, compared with Google’s score of 36.
Yahoo already has a shrunken reputation as an old school internet company trying to go new school with its Flickr, Tumblr, and other digital properties. The value of its business is tied to how many people are tuning their PCs, laptops, tablets, and smartphones into Yahoo channels.
Google’s Gmail is used by more than 1 billion people and poses a major threat to Yahoo’s user base. Switching from Yahoo Mail to Gmail is easy, and offers users more data security and peace of mind – with comparable services for photo sharing and other social activities. A mass defection of its email users would be a huge and costly blow to Yahoo.
Brian Krebs, author of the immensely popular blog Krebs on Security, a top source for deep-dive investigations into the latest hacks and breaches launched against corporations and governments, has been urging his friends and family to migrate off Yahoo mail for years. His blog states that Yahoo appeared to fall far behind its peers in blocking spam and other email-based attacks. A recent CSO story reports that Google’s state-of-the-art email classifier detects abusive messages with 99.9 percent accuracy.
The big picture for Verizon – which originally offered nearly $5 billion to buy Yahoo – is taking over a massive (and hopefully loyal) user base. The more eyeballs for Verizon, the more advertising dollars for them.
An interesting twist on the deal – and one that Verizon corporate may not be thinking through – is how its own RISK Team may further devalue the Yahoo brand. The cybersecurity industry is sure to press for a DBIR assessment on the total cost-per-breach in connection with the Yahoo hacks.
Reputational harm due to a major data breach can be devastating. Target’s reputation took a post-hack beating in 2013… and to this day the company remains inextricably linked to the list of biggest hack victims ever. Target, Sony, OPM, Yahoo, etc. – not the kind of list that any company wants to be on.
When the deal closes, will Verizon’s RISK Team provide a report on the total damage costs involved with the Yahoo hacks? Is it possible that the total cost per breach would add another zero to the end of that $350 million? And what if they fail to provide a report? That could damage the RISK Team’s brand.
In 2016, Verizon’s RISK team investigated more than 500 cybersecurity incidents in more than 40 countries. The Verizon Enterprise Security group has been securing enterprise-level networks and infrastructure for decades. They provide professional services, network and gateway security, security monitoring and operations, incident response, and other security services. That’s a big business in and of itself – and one with lots of headroom for growth if Verizon corporate is serious about cybersecurity, a market that is projected to be worth $1 trillion over the next five years.
Security is at the core of Verizon’s business – which includes network security around its customers’ wireless data. The trustworthiness of the Verizon brand is central to its market value.
Cybersecurity Ventures conducted a Twitter poll asking whether the Yahoo acquisition is good or bad for Verizon’s security business. Seventy-seven percent of respondents voted bad, and 23 percent voted good. (Disclaimer: Steve Morgan is founder and Editor-In-Chief at Cybersecurity Ventures, and he votes Good – more on that in a future story.)
One respondent, Thomas Doty, Esq., wrote “Bad. If the major oversight exhibited in the security and technical due diligence portion of this M&A action is any indication of Verizon’s security IAM, then it indicates no benefit from that side of either organization. The breach liability tail surrounding this acquisition should have killed the deal, and may highlight that Verizon DBIR really is not reputable when it comes to actual security advice at a board level.” Doty describes himself as a cyber evangelist with over 30 years technology experience as startup adviser, legal strategist, entrepreneur, attorney and military veteran.
Most of the other respondents – which included corporate executives, CISOs, and IT security team members – chose to remain anonymous.
By any measure, the Yahoo deal is risky business for Verizon.

India Post payments bank is likely to tap World War-era tech to garner business

India Post Payments Bank is tapping into World War-era phone-based technology and its vast network of postmen to target a customer base of around 850 million

It is back to basics for India Post Payments Bank (IPPB). It is tapping into World War-era phone-based technology and its vast network of postmen to target a customer base of around 850 million, who either have no access to telephony or still depend on feature phones.

"Banks and payments banks are two different things. Over 90% households have access to bank accounts. So, we are targeting remittances and bill payments," said an officer at the bank, which launched operations a month ago, offering 5.5% interest on deposits.

Unlike full-fledged banks, payments banks can accept deposits up to Rs 1 lakh and have to mandatorily park 75% of funds in government bonds. They are not allowed to offer loans either.

With its network of over 1.5 post offices, IPPB is seen to be a major competitor for banks, especially in rural areas and small towns. The bank, floated by India Post, is running behind schedule as it is yet to tie up with a technology vendor for its banking services.

But it is still targeting 2 crore customers in the first year with business of around Rs 450 crore. By the fifth year, the bank hopes to have eight crore customers with a business of Rs 2,500 crore.

A key focus area for IPPB is one billion bills that are paid every month, with the average ticket size being Rs 300. This is where Giro - an electronic fund transfer tool used in Europe and Japan - will come in handy.

Apart from helping customers settle bills, a worker in a city can add his wife or mother as a beneficiary and transfer funds into their accounts by issuing instructions to a call centre.

The wife or the mother will then use Aadhaar based authentication to withdraw funds either at a post office or ask a postman to deliver cash at home, for which a small fee may be levied.

IPPB is also in talks with the rural development ministry for accessing details of NREGA beneficiaries and pensioners getting funds under the National Social Assistance Programme. Again, the idea is to make the payments Aadhaar-based to minimise leakages.

While apps to compete with Paytm and Airtel Payments Bank are also planned, IPPB may not offer credit cards to its customers. "My market is going to be very large in the feature phone and those without phones," said an officer.

He added that those with some savings will also have the option to buy from a simple portfolio of insurance and mutual funds. Unlike banks, which hawk complex products, IPPB intends to confine itself to term assurance plans from all the companies and plain vanilla index funds for equities and a debt plan.

"We do not want to be accused of mis-selling and therefore want to keep it simple. If someone wants an annuity plan or money back, he or she can go to an agent or a company," the officer said.

Chrome hack relies on 'missing fonts' to font your Windows PC into next week

HEY CHROME USERS, if anything prompts you to download a missing font, grab a hammer and start smashing something.

It's best not to hit your computer, despite the message and despite the fact that its source is some bedroom bastard and the font is actually malware.

There are some clues. The font you are missing is called ‘Hoefler Text', so if you thought about it you would probably realise that you can live without it. But under some circumstances, for example, after a prompt interrupts your plans to read something on Chrome, we can see how some people might be encouraged to try and download it.

Don't just trust us though, trust the security blog that raised the alarm. Mahmoud Al-Qudsi from cybersecurity firm NeoSmart Technologies went through the process of installing the Hoefler crap, after coming across it on a compromised WordPress site, and found that it was pretty convincing but ultimately very cruddy.

"This attack gets a lot of things right that many others fail at. The premise is actually believable: the text doesn't render, and it says that is caused by a missing font (HoeflerText, which is a real font, by the way!), which it then prompts you to download and install," he said.

"The usage of a clean, well-formatted dialog to present the message with the correct Chrome logo - and, more importantly, - the correct shade of blue for the update button. The shape of the update button seems correct, and the spelling and grammar are definitely good enough to get a pass."

So he went with it, finding that ultimately he got an executable and some nudges in the direction of a download. It's all pretty bleak, like most of this stuff, and ultimately if you were to fall victim, you would regret ever hearing of the Hoefler thing.

"Clicking ‘Update' (merely out of curiosity!) results in a file "Chrome Font v7.5.1.exe" to be downloaded, and the webpage morphs to "helpfully" encourage the user to run the virus," added our trepid explorer.

"The file in question is not caught by Windows Defender or Chrome as being malicious. An upload to VirusTotal reveals it as never-before-seen, with only 9 out of the 59 antivirus scanners in its database correctly identifying the file as malware."
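The scam above works because the victim never checks that the thing offered as a "font" is actually a font. A defensive check is cheap: real font files (TrueType, OpenType, WOFF) start with well-known magic bytes, while a Windows program starts with a DOS "MZ" stub whose header points at a "PE\0\0" signature. The following is an added example written for this post, not code from NeoSmart Technologies or the article, that classifies a download by comparing its claimed name against its actual content. The magic values are the standard ones for those formats; the sample byte strings at the bottom are constructed stubs, not the real malware, and the file name "Chrome Font v7.5.1.exe" is taken from the article.

```python
import struct

# Leading bytes of the font containers a browser would legitimately serve.
FONT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Mac)",
    b"OTTO": "OpenType/CFF",
    b"wOFF": "WOFF",
    b"wOF2": "WOFF2",
}
FONT_EXTENSIONS = {"ttf", "otf", "woff", "woff2"}
# Extensions Windows will execute or script-run when double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "hta", "ps1"}


def sniff_font(data: bytes):
    """Return the font flavour if the first four bytes match a known font magic, else None."""
    return FONT_MAGICS.get(data[:4])


def is_pe_executable(data: bytes) -> bool:
    """True if data is a Windows PE image: 'MZ' stub and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def assess_font_download(filename: str, data: bytes):
    """Classify a file that a web page offered as a 'missing font'.

    Returns (verdict, reason) where verdict is one of:
      'executable' - content or name says it is a program, never a font
      'font'       - name and content agree it is a font
      'mismatch'   - name says font but content does not (or vice versa)
      'unknown'    - neither a recognised font nor an executable
    """
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    flavour = sniff_font(data)

    # Content wins over name: a PE image is a program whatever it is called.
    if is_pe_executable(data):
        return "executable", "PE header present; a font never ships as a program"
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable", f"'.{ext}' is an executable extension, not a font container"
    if flavour and ext in FONT_EXTENSIONS:
        return "font", f"{flavour} data with a matching '.{ext}' extension"
    if flavour or ext in FONT_EXTENSIONS:
        return "mismatch", f"extension '.{ext or '(none)'}' and content ({flavour or 'not a font'}) disagree"
    return "unknown", "neither a recognised font container nor an executable"


# Constructed samples (hypothetical, built inline so the example runs offline).
SAMPLE_TTF = b"\x00\x01\x00\x00" + b"\x00" * 60                       # TrueType magic + padding
SAMPLE_PE = (b"MZ" + b"\x00" * (0x3C - 2)                              # DOS stub
             + struct.pack("<I", 0x40)                                  # e_lfanew -> 0x40
             + b"PE\x00\x00")                                           # PE signature at 0x40

if __name__ == "__main__":
    for fname, blob in [("Chrome Font v7.5.1.exe", SAMPLE_PE),
                        ("HoeflerText.ttf", SAMPLE_TTF),
                        ("HoeflerText.ttf", SAMPLE_PE),
                        ("HoeflerText.ttf", b"not a font at all")]:
        verdict, why = assess_font_download(fname, blob)
        print(f"{fname!r}: {verdict} ({why})")
```

The content check runs before the extension check on purpose: a download renamed to `.ttf` but carrying a PE image is still flagged as a program, and a genuine font with a double extension such as `.ttf.exe` is flagged by its final extension. Browsers and endpoint agents already perform similar content sniffing; the point of the example is that the user-facing claim ("you need a font") and the artefact ("Chrome Font v7.5.1.exe") can be reconciled mechanically.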

Snapchat parent IPO gets oversubscribed

Next week's planned $3.2 billion IPO of Snap Inc, maker of the popular Snapchat app, is oversubscribed, market sources told IFR on Friday.

The much-awaited deal is scheduled to price on Wednesday, with the company set to begin trading on the New York Stock Exchange the following day.

Sources said underwriters told investors that the deal is oversubscribed at the marketing range of US$14-$16 per share, but they have yet to offer more specific pricing guidance.

Potential buyers have been plentiful at lunches in New York and London this week during the IPO's roadshow, though many have reservations about the company's future.

Investors have questioned the company's slowing user growth, which was just 3% in the latest quarter versus the prior quarter.

There are also doubts about Snap's ability to sell ads to the 158M daily active users of Snapchat, and how sticky these users will be amid competing products from the likes of Facebook and Google.

Some have also expressed reservation about the shares themselves, which do not come with voting rights. Snap is planning to sell 200 million shares in all, 55 million of them by company insiders.

Should Net Neutrality Be Silicon Valley's Next Big Fight?

Silicon Valley is rightly focused on President Donald Trump's immigration order. But it should be gearing up for another fight that's vital to both tech companies and their customers.
Net neutrality is in the crosshairs again. Ajit Pai, the new chairman of the Federal Communications Commission, has made it clear that he's no fan. He's already halted a net neutrality-related investigation launched by his predecessor and recently reaffirmed his belief that, one way or another, the "days are numbered" for the Open Internet rules.
Pai was not available for comment, but advocates on both sides of the net neutrality debate believe it's only a matter of time before he tries to undo the rules.
If the courts or Congress don't overturn them, Pai will, said Berin Szoka, president of Tech Freedom, a group that advocates against regulations affecting the technology and telecom industries, at a forum in Menlo Park, Calif., on net neutrality last week.
"It's no mystery what Ajit is going to do," he said.
How exactly Pai will go after the rules is an open question, said Craig Aaron, CEO of Free Press, a consumer advocacy group that lobbied for them.
But he added, "I think he's making it pretty clear that he's not interested in enforcing them and that he would welcome pretty much any opportunity to undermine or defang them."
The net neutrality rules say that internet service providers shouldn't unreasonably discriminate against particular internet sites or services. That has been spelled out in three big prohibitions: broadband providers are barred from blocking, throttling or prioritizing for a fee access to particular sites and services. Under the rules, providers are also required to disclose how they manage their networks.
The threat that those rules might be overturned should be of utmost concern to Silicon Valley and the broader tech industry. Tech companies including Google, Facebook, Netflix and Apple have thrived in an environment ruled by the principles of net neutrality, where they don't have to worry about whether they'll be able to reach their customers over the internet or whether broadband providers might slow down access to their sites, services or apps.
Without the net neutrality protections, larger companies likely will be forced to pay broadband providers to guarantee their customers will be able to access their sites and services. Not only could those fees be significant, they almost certainly will be passed along to consumers in the form of higher costs. Meanwhile, smaller companies could easily lose out by being unable to afford to pay such premiums.
"There are a lot of companies that benefit from having well-repaired roads," said John Bergmayer, a senior staff attorney at Public Knowledge, a consumer advocacy group that long pressed for strong net neutrality rules. Similarly, he added, broadband access "is such basic infrastructure. Everyone needs it."
Pai isn't sitting still. Earlier this month, in one of his first actions as chairman, he shut down an inquiry his predecessor had launched into so-called zero-rating plans. Under those plans, broadband providers allow consumers to access particular sites and services without using any of their limited buckets of data bandwidth.
Consumer advocates have charged that such plans can violate the principles of net neutrality, because they can distort the market by allowing providers to give preferential treatment to their own sites and services or those of paid partners.
Last year, a federal appeals court panel upheld the Open Internet rules. But opponents of the rules are seeking to have the entire court rehear the case and will likely appeal to the Supreme Court if it doesn't. Under Pai, the FCC could choose to stop defending the rules.
Some congressional Republicans have been seeking to overturn the net neutrality rules and to strip the FCC of much of its authority. Pai could press them to go forward. Or he could simply launch a new rulemaking effort in the FCC itself to overturn the rules.
Those rules were the result of years worth of lobbying by advocates, companies and individual citizens. All three are going to be needed to defend them now that they are in place. Silicon Valley companies in particular could play an important role through public advocacy, private lobbying and the funding of opposition efforts.
Advocates think internet users -- who flooded the FCC with comments in support of net neutrality -- played the key part in getting the rules in place and will play a crucial role in defending them. But they are hopeful the tech industry will have their backs.

John Legend's Twitter Hacked, Posts Series of Bizarre Anti-Trump Tweets

The singer's Twitter account began posting bizarre, and explicit, anti-Trump comments on Friday night, as well as references to party drugs and performing sexual acts with Hillary Clinton.

John Legend, who has been vocal in his disapproval of president Donald Trump in the past, had his Twitter account apparently hacked on Friday night.

After tweets on the singer's account called Trump "Liar-in-Chief" and referenced "crises in Bowling Green and Sweden" (a dig at Trump cabinet member Kellyanne Conway's recent comments about a terror attack that never occurred, and at a gaffe by Trump himself citing erroneous reports of attacks in Sweden), Legend posted "Someone just hacked my account."
However, minutes later a series of bizarre and explicit tweets came pouring in. "I can not stand by and be silent. @realDonaldTrump , you're a bitch ass n— and if I see you, I'm stomping your shit you f—ing cheetoh," one tweet read, while others referenced Hillary Clinton and a desire to perform lewd actions with the former presidential candidate as well as references to drugs and strip clubs.
Another tweet read: "i will follow 5 who follow @Owen755." The linked account was an unverified user, who soon after claimed responsibility for the hack with a tweet of his own: "That was fun."

    That was fun.
    — Owen. (@Owen755) February 25, 2017

Within a few minutes, the tweets were promptly deleted from Legend's account.

Thursday, 23 February 2017

A top military officer summed up the unique nature of cyber warfare in one sentence

SAN DIEGO, Calif. - The US military recognizes cyber as a war fighting domain in the same league as ground and air war now, but its unique nature can be a bit hard to comprehend.

Fortunately, Coast Guard Vice Adm. Marshall Lytle gave the perfect analogy for how unique, and how difficult, it can be for the US military to operate in the cyber realm.

"Cyberwarfare is like a soccer game with all the fans on the field with you and no one is wearing uniforms," Lytle, who serves as the Chief Information Officer of the Joint Staff, said during a panel discussion on information warfare at the AFCEA West 2017 conference on Wednesday.

Lytle's remark highlights the "wild west" nature of cyberwarfare, where the US, Russia, China, and many non-state actors routinely hack into each other's networks, steal critical information, and deceive or propagandize for their side.

Cyber soldiers are now an integral part of military strategy, but unlike pilots who can see targets of their bombs and can see their effects, or infantrymen who wear uniforms and fight along much clearer lines, cyber warfare is much messier.

As Lytle explained, cyberwarfare doesn't have clear battle lines. It's not like football, he said, where there's an offensive line and a defensive line, and you're going up against the opposition that's composed in a similar fashion.

Instead, the Pentagon's hackers don't always know who they're up against, since technology exists to obfuscate online identities. There is also a noticeable lack of defined rules of engagement for militaries operating online, comparable to the law of war that keeps most militaries from committing war crimes.

"The rules don't fit. When you think of traditional areas of hostility," said Marine Brig. Gen. Dennis Crall, the CIO for the Department of the Navy. "It doesn't really fit in the world of cyber."

As US military leaders warn of the growing progress of Russia, China, and North Korea in cyberspace, the Pentagon has ramped up its own efforts in what it calls the "cyber domain" after the release of a new cyber strategy in April 2015.
The cyber strategy stood up 133 teams comprising some 4,300 personnel for its "cyber mission force," 27 of which were directed to support combat missions by "generating integrated cyberspace effects in support of ... operations."

They are up against China's own "specialized military network warfare forces," North Korea's secretive Bureau 121 hacker unit, other nation-states, hacktivists like Anonymous, and criminal enterprises alike.

They have been further tasked with breaking into the networks of adversaries like ISIS, disrupting communications channels, stopping improvised explosive devices from being triggered through cellphones, or even, as one Marine general put it, just "trying to get inside the enemy's [head]."

But, as Lytle noted, lawmakers have so far not offered clearly-defined policies and processes for how the military operates in cyberspace. There have been some attempts, such as the Army's cyberwarfare "bible" and a top secret presidential policy directive requiring approval for hacks that could potentially result in loss of life, such as the 2009 Stuxnet attack against Iranian nuclear sites.

"There are no internationally agreed upon peacetime norms on cyberspace that keep a tamp on an arms race," Navy Vice Adm. Michael Gilday said at the conference on Tuesday. "There is no significant deterrent to malicious activity in cyberspace."

Russian military admits significant cyber-war effort

Russia's military has admitted for the first time the scale of its information warfare effort, saying it was significantly expanded post-Cold War.

Defence Minister Sergei Shoigu said that Russian "information troops" were involved in "intelligent, effective propaganda", but he did not reveal details about the team or its targets.

The admission follows repeated allegations of cyberattacks against Western nations by the Russian state.

Nato is reported to be a top target.

During the Cold War both the USSR and the West poured resources into propaganda, to influence public opinion globally and sell their competing ideologies.

Speaking to Russian MPs, Mr Shoigu said "we have information troops who are much more effective and stronger than the former 'counter-propaganda' section".

Keir Giles, an expert on the Russian military at the Chatham House think-tank, has warned that Russian "information warfare" occupies a wider sphere than the current Western focus on "cyber warriors" and hackers.

"The aim is to control information in whatever form it takes," he wrote in a Nato report called "The Next Phase of Russian Information Warfare".

"Unlike in Soviet times, disinformation from Moscow is primarily not selling Russia as an idea, or the Russian model as one to emulate.

"In addition, it is often not even seeking to be believed. Instead, it has as one aim undermining the notion of objective truth and reporting being possible at all," he wrote.
Russia has been testing Nato in various ways, including targeting individual soldiers via their social media profiles, Mr Giles told the BBC.

"They have been reaching out to individuals and targeting them as if it comes from a trusted source," he said.

There have been reports of Russian information attacks targeting Nato troops in the Baltic states, the Polish military, and Ukrainian troops fighting pro-Russian rebels.

'Bloodless paralysis'

Russia rejects Western narratives about its "disinformation", instead accusing Nato of aggressive expansion and support for anti-Russian nationalists in Ukraine.

Russia's effort in cyberspace is under intense Western scrutiny following high-level US accusations that Russian hackers helped to swing the presidential election in favour of Donald Trump.

According to Mr Giles, the Russian military decided to prioritise information warfare after the 2008 Russia-Georgia conflict. The country's security apparatus drew lessons from its "inability to dominate public opinion about the rights and wrongs of the war", he said.

Commenting on Mr Shoigu's remarks, former Russian commander-in-chief Gen Yuri Baluyevsky said a victory in information warfare "can be much more important than victory in a classical military conflict, because it is bloodless, yet the impact is overwhelming and can paralyse all of the enemy state's power structures".

The EU has a special team to combat Russian "myths" spread on social media, called the East StratCom Task Force.