fbpx

Adylkuzz is believed to have infected more computers than WannaCry, using the same vulnerabilities (AFP Photo/Damien MEYER)

Paris (AFP) - Another large-scale, stealthy cyberattack is underway on a scale that could dwarf last week's assault on computers worldwide, a global cybersecurity firm told AFP on Wednesday.

The new attack targets the same vulnerabilities the WannaCry ransomware worm exploited but, rather than freeze files, uses the hundreds of thousands of computers believed to have been infected to mine virtual currency.

Following the detection of the WannaCry attack on Friday, researchers at Proofpoint discovered a new attack linked to WannaCry called Adylkuzz, said Nicolas Godier, a researcher at the computer security firm.

"It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose," he said.

Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to "mine" in a background task a virtual currency, Monero, and transfer the money created to the authors of the virus.

Virtual currencies such as Monero and Bitcoin use the computers of volunteers to record transactions. They are said to "mine" for the currency and are occasionally rewarded with a piece of it.

Proofpoint said in a blog that symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance, effects which some users may not notice immediately.

"As it is silent and doesn't trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals. It transforms the infected users into unwitting financial supporters of their attackers," said Godier.

Proofpoint said it has detected infected machines that have transferred several thousand dollars worth of Monero to the creators of the virus.

The firm believes Adylkuzz has been on the loose since at least May 2, and perhaps even since April 24, but due to its stealthy nature was not immediately detected.

"We don't know how big it is" but "it's much bigger than WannaCry", Proofpoint's vice president for email products, Robert Holmes, told AFP.

A US official on Tuesday put the number of computers infected by WannaCry at over 300,000.

"We have seen that before -- malwares mining cryptocurrency -- but not this scale," said Holmes.

The WannaCry attack has sparked havoc in computer systems worldwide.

Britain's National Health Service, US package delivery giant FedEx, Spanish telecoms giant Telefonica and Germany's Deutsche Bahn rail network were among those hit.

While the rate of new infections has slowed, researchers at cybersecurity firm Check Point said the malware continues to spread rapidly.

And another expert added that despite a quick breakthrough that WannaCry to be slowed down, researchers don't fully understand it.

"The problem is that we're still not certain about the origin of the infections" as contrary to many previous attacks it wasn't via emails which deceive users into installing the virus, said the expert on condition of anonymity.

More attacks could be soon be underway as the hacker group TheShadowBrokers that leaked the vulnerabilities used by WannaCry and Adylkuzz has threatened to publish more.

It said in a post it would begin providing information monthly by subscription in June, saying that in addition to Windows 10 vulnerabilities it would include "compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs".

Source: This article was published yahoo.com By Julie CHARPENTRAT

Categorized in Internet Privacy

The new malware emerged exploiting vulnerabilities that a researcher reported in March

Over 100,000 internet-connected cameras may be falling prey to a new IoT malware that’s spreading through recently disclosed vulnerabilities in the products.  

The malware, called Persirai, has been found infecting Chinese-made wireless cameras since last month, security firm Trend Micro said on Tuesday. The malware does so by exploiting flaws in the cameras that a security researcher reported back in March.  

The researcher, Pierre Kim, found that the vulnerabilities can allow an attacker to remotely execute code on the cameras, effectively hijacking them.

At least 1,250 camera models produced by a Chinese manufacturer possess the bugs, the researcher went on to claim.

Over a month later in April, Trend Micro noticed a new malware that spreads by exploiting the same products via the recently disclosed flaws.

“It goes to show that the people behind this are probably more aware of how to use these vulnerabilities,” said Jon Clay, Trend Micro’s director of global threat communications.

The security firm estimates that about 120,000 cameras are vulnerable to the malware, based on Shodan, a search engine for internet-connected hardware.

The Persirai malware is infecting the cameras to form a botnet, or an army of enslaved computers. These botnets can launch DDoS attacks, which can overwhelm websites with internet traffic, forcing them offline.

Once Persirai infects, it’ll also block anyone else from exploiting the same vulnerabilities on the device.

Security firm Qihoo 360 has also noticed the malware and estimated finding 43,621 devices in China infected with it. 

Interestingly, Persirai borrows some computer code from a notorious malware known as Mirai, which has also been infecting IoT devices, such as DVRs, internet routers, and CCTV cameras, but by guessing the passwords protecting them. 

Specifically, Persirai lifts certain functions Mirai relies on to scan the internet for new devices to infect, said Marshal Webb, CTO of BackConnect, a DDoS protection provider.

Although the resulting Persirai-powered botnet is capable of launching DDoS attacks, it’s largely refrained from assaulting any websites for the moment, probably because the malware developers are still testing how to use it. 

“The security researcher, a white hat, may have had the best intentions with releasing a full disclosure on these vulnerabilities,” Webb said. “But now they're just out there, making it convenient for anyone to exploit.”

The researcher, Pierre Kim, didn't immediately respond to a request for comment, but he noted "difficulties" with finding and contacting all the vendors involved, in a blog post about the disclosure. 

However, Trend Micro has identified the primary Chinese manufacturer behind the cameras and is working with it to roll out a patch. 

The security firm is declining to name the manufacturer until the patch is published. Until then, it’s hard to know what exact products and brands may be vulnerable, since so many models appear to be affected.

However, owners can protect a vulnerable device by placing it behind a firewall, and blocking access to the malware’s command and control servers, which are located in Iran. Trend Micro has provided more technical details to Persirai in a blog post.  

Source : This article was published itworld.com By Michael Kan

Categorized in Internet Privacy

Think your password is secure? You may need to think again. People's perceptions of password strength may not always match reality, according to a recent study by CyLab, Carnegie Mellon's Security and Privacy Institute.

For example,  expected ieatkale88 to be roughly as secure as iloveyou88; one said "both are a combination of dictionary words and are appended by numbers." However, when researchers used a model to predict the number of guesses an attacker would need to crack each password, ieatkale88 would require four billion times more guesses to crack because the string "iloveyou" is one of the most common in passwords.

"Although participants generally had a good understanding on what makes passwords stronger or weaker, they also had some critical misunderstandings of how passwords are attacked and assumed incorrectly that their passwords need to withstand only a small number of guesses," said Blase Ur, the study's lead author and a Ph.D. student studying societal computing in Carnegie Mellon's School of Computer Science.

Participants, on average, also believed any password with numbers and symbols was a strong password, which is not always true. For example, p@ssw0rd was thought to be more secure than pAsswOrd, but the researchers' attacker model predicted that it would take 4,000 times more guesses to crack pAsswOrd than p@ssw0rd. In modern day password-cracking tools, replacing letters with numbers or symbols is predictable.

"In order to help guide users to make stronger passwords, it is important for us to understand their perceptions and misperceptions so we know where interventions are needed," said Lujo Bauer, a co-author on the study and a professor in Carnegie Mellon's Department of Electrical and Computer Engineering and Institute for Software Research.

The CyLab researchers' study was presented and awarded an honorable mention at this week's Association for Computing Machinery (ACM) Conference on Human Factors in Computing Systems in San Jose, California.

The team of researchers, based in the CyLab Usable Privacy and Security (CUPS) Lab, asked 165 online participants—51% male, 49% female from 33 U.S. states ranging from 18 to 66 years of age—to rate the comparative security and memorability of 25 carefully juxtaposed password pairs. In addition, participants were asked to articulate how they would expect attackers to try to guess their passwords.

"As companies are designing tools that help people make passwords, they should not only be giving users real-time feedback on the strength of their , but also be providing data-driven feedback on how to make them stronger," Ur said.

The team will incorporate these findings into an open-source password feedback tool, which they aim to release before the end of the year.

Other authors of the study included Research Assistant Sean Segreti, Institute for Software Research and Engineering and Public Policy professor Lorrie Cranor, Electrical and Computer Engineering Assistant Research Professor Nicolas Christin and Penn State undergraduate engineering student Jonathan Bees.

Test your perceptions of password security through an online passwords quiz, produced by Nature

Source : This article was published in techxplore.com By Daniel Tkacik

Categorized in Internet Privacy
An unusually sophisticated identity phishing campaign appeared to target Google's roughly 1 billion Gmail users worldwide, seeking to gain control of their entire email histories and spread itself to all of their contacts, Google confirmed Wednesday.
 
The worm — which arrived in users' inboxes posing as an email from a trusted contact — asked users to check out an attached "Google Docs," or GDocs, file. Clicking on the link took them to a real Google security page, where users were asked to give permission for the fake app, posing as GDocs, to manage users' email account.
 
 
 
To make matters worse, the worm also sent itself out to all of the affected users' contacts — Gmail or otherwise — reproducing itself hundreds of times any time a single user fell for it.
Screenshot 3 
The strategy is a common one, but the worm that was released Wednesday caused havoc for millions of users because of its unusually sophisticated construction: Not only did the malicious link look remarkably realistic and trustworthy, but the email that delivered it also appeared to come from someone users already know — and the payload manipulated Google's real login system.
 
 
Google said it had "disabled" the malicious accounts and pushed updates to all users. The vulnerability was exposed for only about one hour, and a spokesperson told NBC News on Wednesday night that it affected "fewer than 0.1 percent of Gmail users" — which would still be about 1 million.
 
"While contact information was accessed and used by the campaign, our investigations show that no other data was exposed," the spokesperson said.
 
It could have been a potential calamity for unsuspecting victims: With control of your Gmail account, scammers can harvest any personal data you've ever sent or received in an email. That can allow them to generate password-reset requests on scores of other services, potentially letting the hackers take over, for example, your Amazon, Facebook or online bank accounts.
View image on Twitter
View image on Twitter
Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. 
 
Employees and others connected to large companies, especially educational institutions and journalism organizations, began flooding social media about 2:30 p.m. ET reporting that they'd received the malicious email.
 
 
Employees and others connected to large companies, especially educational institutions and journalism organizations, began flooding social media about 2:30 p.m. ET reporting that they'd received the malicious email.
View image on Twitter
 
View image on Twitter
Be careful, Twitter people with Gmail accounts! Do not click on the "doc share" box. It's a solid attempt at phishing. 

What you can do

While the malicious email was a dead ringer for a real message from a trusted friend, there was one key giveaway: The mail was sent to a fake email address in the main recipient field — This email address is being protected from spambots. You need JavaScript enabled to view it.. Users' addresses were included in the BCC field.
 
If you received a Gmail message with the mailinator.com address as the main recipient, report it as phishing by clicking the down arrow beside the reply button and selecting "Report phishing." Then delete it.
 
If you do click on the malicious link, don't grant permission when the fake GDocs app asks for it.
 
If, unfortunately, you fell for the scam and granted permission to the hackers, go to your Google connected sites console and immediately revoke access to "Google Docs." (If you don't trust the embedded link here — which is generally a good thing — you can manually type the address into your browser: https://myaccount.google.com/security?pli=1#connectedapps)
 
While you're at it, it's a good idea to revoke permission for any app listed there that you don't recognize.
 
Finally, change your Google password.
 
Source : This article was published in cnbc.com By Alex Johnson
Categorized in Internet Privacy

President Trump will be watching and listening. Time to batten down the hatches.

Protecting individual privacy from government intrusion is older than American democracy. In 1604, the attorney general of England, Sir Edward Coke, ruled that a man’s house is his castle. This was the official declaration that a homeowner could protect himself and his privacy from the king’s agents. That lesson carried into today’s America, thanks to our Founding Fathers’ abhorrence for imperialist Great Britain’s unwarranted search and seizure of personal documents.

They understood that everyone has something to hide, because human dignity and intimacy don’t exist if we can’t keep our thoughts and actions private. As citizens in the digital age, that is much more difficult. Malicious hackers and governments can monitor the most private communications, browsing habits and other data breadcrumbs of anyone who owns a smartphone, tablet, laptop or personal computer.

President-elect Donald Trump’s criticism of encryption technology and interest in expanding government surveillance have technologists and civil libertarians deeply concerned.

As an ethical hacker, my job is to help protect those who are unable, or lack the knowledge, to help themselves. People who think like hackers have some really good ideas about how to protect digital privacy during turbulent times. Here’s what they – and I – advise, and why. I have no affiliation or relationship with any of the companies listed below, except in some cases as a regular user.

Phone calls, text messaging and email

When you’re communicating with people, you probably want to be sure only you and they can read what’s being said. That means you need what is called “end-to-end encryption,” in which your message is transmitted as encoded text. As it passes through intermediate systems, like an email network or a cellphone company’s computers, all they can see is the encrypted message. When it arrives at its destination, that person’s phone or computer decrypts the message for reading only by its intended recipient.

For phone calls and private text-message-like communication, the best apps on the market are WhatsApp and Signal. Both use end-to-end encryption, and are free apps available for iOS and Android. In order for the encryption to work, both parties need to use the same app.

For private email, Tutanota and ProtonMail lead the pack in my opinion. Both of these Gmail-style email services use end-to-end encryption, and store only encrypted messages on their servers. Keep in mind that if you send emails to people not using a secure service, the emails may not be encrypted. At present, neither service supports PGP/GPG encryption, which could allow security to extend to other email services, but they are reportedly working on it. Both services are also free and based in countries with strong privacy laws (Germany and Switzerland). Both can be used on PCs and mobile devices. My biggest gripe is that neither yet offers two-factor authentication for additional login security.

Avoiding being tracked

It is less straightforward to privately browse the internet or use internet-connected apps and programs. Internet sites and services are complicated business, often involving loading information from many different online sources. For example, a news site might serve the text of the article from one computer, photos from another, related video from a third. And it would connect with Facebook and Twitter to allow readers to share articles and comment on them. Advertising and other services also get involved, allowing site owners to track how much time users spend on the site (among other data).

The easiest way to protect your privacy without totally changing your surfing experience is to install a small piece of free software called a “browser extension.” These add functionality to your existing web browsing program, such as Chrome, Firefox or Safari. The two privacy browser extensions that I recommend are uBlock Origin and Privacy Badger. Both are free, work with the most common web browsers and block sites from tracking your visits.

Encrypting all your online activity

If you want to be more secure, you need to ensure people can’t directly watch the internet traffic from your phone or computer. That’s where a virtual private network (VPN) can help. Simply put, a VPN is a collection of networked computers through which you send your internet traffic.

Instead of the normal online activity of your computer directly contacting a website with open communication, your computer creates an encrypted connection with another computer somewhere else (even in another country). That computer sends out the request on your behalf. When it receives a response – the webpage you’ve asked to load – it encrypts the information and sends it back to your computer, where it’s displayed. This all happens in milliseconds, so in most cases it’s not noticeably slower than regular browsing – and is far more secure.

For the simplest approach to private web browsing, I recommend Freedome by F-Secure because it’s only a few dollars a month, incredibly easy to use and works on computers and mobile devices. There are other VPN services out there, but they are much more complicated and would probably confuse your less technically inclined family members.

Additional tips and tricks

If you don’t want anyone to know what information you’re searching for online, use DuckDuckGo or F-Secure Safe Search. DuckDuckGo is a search engine that doesn’t profile its users or record their search queries. F-Secure Safe Search is not as privacy-friendly because it’s a collaborative effort with Google, but it provides a safety rating for each search result, making it a suitable search engine for children.

To add security to your email, social media and other online accounts, enable what is called “two-factor authentication,” or “2FA.” This requires not only a user name and password, but also another piece of information – like a numeric code sent to your phone – before allowing you to log in successfully. Most common services, like Google and Facebook, now support 2FA. Use it.

Encrypt the data on your phone and your computer to protect your files, pictures and other media. Both Apple iOS and Android have settings options to encrypt your mobile device.

And the last line of privacy defense is you. Only give out your personal information if it is necessary. When signing up for accounts online, do not use your primary email address or real phone number. Instead, create a throw-away email address and get a Google Voice number. That way, when the vendor gets hacked, your real data aren’t breached.

This article was originally published on The Conversation. Read the original article.By Timothy Summers

Categorized in Internet Privacy

It looks like security researchers have reached an important milestone in the ongoing war against malware. A new search engine has been revealed which can be used to sniff out malware command-and-control servers around the world. Under the Malware Hunter banner – not to be confused with the Malware Hunter software – this search engine looks to bring malware distribution to a halt in the near future.

MALWARE HUNTER IS A POWERFUL TOOL

It is not hard to see why security researchers around the globe are quite excited about the Malware Hunter search engine. Having a viable solution to discover command-and-control servers will provide to be useful when it comes to thwarting malware and ransomware attacks in the future. The tool is created by Shodan and Recorded Future, who are trying to become an industry leader in the fight against global cybercrime.

The way malware Hunter works is as follows: it uses search bots crawling the Internet for computers configured to act as a command-and-control server. It remains unclear if this will yield a lot of positive results, though, as C&C servers may very well reside on the darknet for all we know. Moreover, not every server will easily give up its location either, which could prove to be quite problematic.

The Malware Hunter search engine comes with a feature that will trick these servers into giving up their location, though. To be more specific, the search engine will pretend to be an infected computer reporting back to the server in question. Assuming the server will acknowledge the request and respond, the search engine will log its IP and update the Shodan interface in real time. This provides researchers with invaluable information when it comes to locating these servers and shutting them down as quickly as possible.

What makes the search engine so powerful is how it is capable of probing virtually every IP address on the Internet today. This means the algorithm is constantly looking for new computers that may act as a malware command-and-control server. Quite an intriguing development, as it should reduce the amount of time during which malware remains a problem.

In most cases, once the C&C server is shut down, the malware will no longer cause harm. Then again, some newer types of malware have shown a way tor remains a big threat even when they fail to communicate with the central server. It remains unclear if Malware Hunter will be capable of doing anything about these attacks as well. For now, this search engine is a big step in the right direction, though.

It is important to note Malware Hunter is capable of identifying several dozen C&C servers used for Remote Access Trojans. Given the recent surge in Remote Access Trojan distribution, this is quite a positive development, to say the least. The team is hopeful Malware Hunter will detect other major threats in the future, including botnets, cryptominers, and backdoor trojans.

This article was published in themerkle.com By JP Buntinx

Categorized in Search Engine

Hiring a hacker could reveal security flaws in your organisation.

The global cost of cybercrime could reach £4.9 trillion annually by 2021, according to a recent report from Cybersecurity Ventures. Cyber crime incidents continue to plague organisations globally, even as businesses pour money into boosting their security. 

But how do businesses deal with vulnerabilities they cannot identify? It only takes one smart hacker to discover a backdoor and get access to your sensitive data and systems. 

Organisations must identify the weaknesses in their cyber security, before -- not after -- they’re exploited by hackers. However, to beat a hacker you’ll need to think like one. Here’s how -- and why -- you should hire a hacker in 2017.

 

The stakes have never been so high 

State sponsored hacking wreaked havoc in 2016 when Yahoo revealed that 1billion accounts were compromised in the largest data breach in history. And as cyber crime becomes increasingly advanced, the threat hackers pose to businesses will only increase. 

Leave your organisation open to a data breach and it could cost you a massive £4.25m (on average). And that’s without considering the painful remediation and brand damage you’ll be subject to as a result. 

These attacks aren’t restricted to huge multinationals, the latest Government Security Breaches Survey found that 74% of small organisations reported a security breach in the past year. 

For any organisation, a security flaw passing undetected is a huge risk, and when GDPR hits in 2018 the stakes will only increase.    

The EU General Data Protection Regulation will come into force in 2018 and will govern how businesses handle customer data. Compliance won’t be easy, and the risk of non-compliance is massive, with potential £17million fines.

  

Big businesses aren’t safe from this, and they’ll need to boost their data security to ensure compliance. Tesco were recently lucky to escape a £1.9bn fine for a recent data breach. 

How hackers will boost your cyber security 

Not every hacker wants to attack your business and leak your sensitive data. There are hackers out there who are paid to protect, not provoke. 

Known as ‘white hat’ or ‘ethical hackers’, these security professionals strive to defend organisations from cyber criminals.   

They’re not your conventional dark web lurking delinquents. Ethical hackers are IT security experts -- trained in hacking techniques and tools -- hired to identify security vulnerabilities in computer systems and networks.   

According to ITJobsWatch, the average salary for an ethical hacker is £62,500. Considering the average cost of a data breach sits at £4.23m, that’s a small price to pay.  

Businesses and government organisations serious about IT security hire ethical hackers to probe and secure their networks, applications, and computer systems. 

But, unlike malicious ‘black hat’ hackers, ethical hackers will document your vulnerabilities and provide you with the knowledge you need to fix them.  

Organisations hire ethical hackers to conduct penetration tests - safe attacks on your computer systems designed to detect vulnerabilities.   

To test their security, businesses often set goals or win states for penetration tests. This could include manipulating a customer record on your database, or getting access to an admin account –potentially disastrous situations if they were achieved by malicious hackers. 

Ethical hackers leverage the same techniques and tools used by hackers. They might con employees over email, scan your network for vulnerabilities or barrage your servers with a crippling DDoS attack.   

But instead of exploiting your business, ethical hackers will document security flaws and you’ll get actionable insight into how they can be fixed. It’s your responsibility to act on the ethical hacker’s guidance - this is where the hard work begins. 

Without these harmless penetration tests security holes remain unseen, leaving your organisation in a position that a malicious hacker could exploit.   

Not your typical dark web delinquents 

Thankfully, the days of hiring underground hackers and bartering with bitcoins are over. There’s now a rich pool of qualified security professionals to choose from, complete with formal ethical hacking certifications.   

Ethical hackers, or penetration testers, can be hired just like any other professional, but be certain to get tangible proof of your ethical hacker’s skills.   

Ethical hackers, or penetration testers, can be hired just like any other professional, but be certain to get tangible proof of your ethical hacker’s skills. 

Candidates with the CEH certification have proved they know how to use a wide range of hacking techniques and tools.     

What’s more, CEH certified professionals must submit to a criminal background check. These experts are committed to their profession and do not use their hacking knowledge maliciously. 

Despite the relative youth of the ethical hacking field, these professionals have already proved their worth to some of the largest businesses in the world. 

This year Facebook awarded a white hat hacker £32000 -- its largest ever bounty -- for reporting one ‘remote code execution flaw’ in their servers.   

That’s not the first time Facebook have paid out either. They’ve long supported the efficacy of bug bounties, having paid more than £4 million to ethical hackers since it’s program debuted in 2011. 

How to hire a hacker (legally) 

It’s important to understand what you actually want from your ethical hacker. Do this by creating a clear statement of expectations, provided by the organisation or an external auditor. 

Ethical hackers shouldn’t be hired to provide a broad overview of your policies, these professionals  are specialised experts with a deep knowledge of IT security. Instead, ask specific questions like “Do we need to review our web app security?” or “Do our systems require an external penetration test?” 

Before hiring an ethical hacker to conduct a penetration test, businesses should ensure an inventory of systems, people and information is on-hand.   

Instead of hiring, many organisations develop ethical hacking skills in their own businesses by up-skilling team members through ethical hacking courses, like EC-Council’s CEH or the more advanced ECSA.   

Your staff will get the skills they need to conduct ethical hacking activities on your own businesses, finding and fixing security flaws that only a hacker could find.   

Secure your business now 

Complex threats -- like rapid IoT expansion -- are set to dominate 2017. To defend your organisation in 2016, you’ll need to think like a hacker. 

Source : itproportal.com

Categorized in Internet Privacy

When it comes to internet trolls, online harassment and fake news, there’s not a lot of light at the end of the online tunnel. And things are probably going to get darker.

Researchers at the Pew Research Center and Elon University’s Imagining the Internet Center asked 1,537 scholars and technologists what they think the future of the Internet – in terms of how long people will continue to treat each other like garbage – holds. An overwhelming 81 percent said the trolls are winning.

Specifically, the survey asked: “In the next decade, will public discourse online become more or less shaped by bad actors, harassment, trolls, and an overall tone of griping, distrust, and disgust?”

Forty-two percent of respondents think the internet will stay about the same over the next 10 years, while 39 percent said they expect discourse to get even more hostile. Only 19 percent predicted any sort of decline in abuse and harassment. Pew stated that the interviews were conducted between July 1 and August 12 – well before the term “fake news” started making daily headlines.

“People are attracted to forums that align with their thinking, leading to an echo effect,” Vint Cerf, a vice president at Google, said. “This self-reinforcement has some of the elements of mob (flash-crowd) behavior. Bad behavior is somehow condoned because ‘everyone’ is doing it.”

Respondents could submit comments with their answers, and the report is chock full (literally hundreds) of remarks from professors, engineers and tech leaders.

Experts blamed the rotting internet culture to every imaginable factor: the rise of click-bait, bot accounts, unregulated comment sections, social media platforms serving as anonymous public squares, the hesitation of anyone who avoids condemning vitriolic posts for fear of stepping on free speech or violating first amendment rights — and even someone merely having a bad day.

The steady decline of the public’s trust in media is another not-helpful factor. People have, historically, adopted their barometer for civil discourse from news organizations – which, with social media and the cable news format, just isn’t the case anymore.

“Things will stay bad because to troll is human,” the report states. Basically humanity’s always been awful, but now its in the plainest sight.

But setting up system to simply punish the bad actors isn’t necessarily the solution, and could result in a sort of “Potemkin internet.” The term Potemkin comes from Grigory Potemkin, a Russian military leader in the 18th century who fell in love with Catherine the Great and built fake villages along one of her routes to make it look like everything was going great. A “Potemkin village” is built to fool others into thinking a situation is way better than it is.

“The more worrisome possibility is that privacy and safety advocates, in an effort to create a more safe and equal internet, will push bad actors into more-hidden channels such as Tor,” Susan Etlinger, a technology industry analyst, told Pew. “Of course, this is already happening, just out of sight of most of us.”

Tor is free, downloadable software that lets you anonymously browse the web. It’s pretty popular among trolls, terrorists and people who want to get into the dark web or evade government surveillance.

But these tools aren’t always employed for dark purposes.

“Privacy and anonymity are double-edged swords online because they can be very useful to people who are voicing their opinions under authoritarian regimes,” Norah Abokhodair, an information privacy researcher at the University of Washington, wrote in the report. “However the same technique could be used by the wrong people and help them hide their terrible actions.”

Glass-half-full respondents did offer a glimmer of hope. Most of the experts on the side of “it’s going to get better” placed their bets on technology’s ability to advance and serve society. One anonymous security engineer wrote that “as the tools to prevent harassment improve, the harassers will be robbed of their voices.”

But for now, we have a long way to go.

“Accountability and consequences for bad action are difficult to impose or toothless when they do,” Baratunde Thurston, a fellow at MIT Media Lab who’s also worked The Onion and Fast Company, wrote. “To quote everyone ever, things will get worse before they get better.”

Source : nypost.com

Categorized in Internet Privacy

Researchers at Ben-Gurion University in Israel have developed a new technique to combat cyber attacks, which they say can protect against any attack carried out through internet photo and video.

A new technique for combating cybercriminals, developed by a researcher at Ben-Gurion University of the Negev (BGU), could offer 100% protection against "cyberattacks launched through internet videos or images," the university announced Monday.

Despite recent concerns about the safety of connected smart devices and the Internet of Things (IoT), a BGU press release claimed that attacks via internet video are currently a bigger threat to users. Ofer Hadar, chair of BGU's Department of Communication Systems Engineering, said in the release that downloaded photos and videos are increasingly becoming the pathway for hackers to deliver a cyberattack.

"Hackers like videos and pictures because they bypass the regular data transfer systems of highly secure systems, and there is significant space in which to implant malicious code," Hadar said in the release.

The latest group of WikiLeaks documents claim that organizations like the CIA are relying on IoT devices to spy on US citizens. However, the release said, attacks through video are a more concerning and far-reaching threat. BGU cited a recent Cisco report that claims video will make up 82% of all internet traffic by 2020, adding weight to the potential threat.

 

The technique to combat the threat, which was developed by Hadar, relies on a set of algorithms to essentially keep the attack from extracting personal information through the compromised photo or video. These kind of threats are known as steganography, or attacks that hide malicious content in an unassuming carrier, such as a video or image file.

"We are dealing nowadays with the use of steganography to insert malicious codes within videos and photos to attack the viewer," Hadar said in the release. "We have developed algorithms to find a solution to that problem in the 'compressed domain.' The idea is to manipulate the file's 'payload' to remove the malicious code without damaging the data quality."


The approach is known as the The Coucou Project, the release said. If basic malware is present on a victim's server and is gathering classified information, the approach can prevent it from embedding that classified information in uploaded content. Additionally, if other types of compromised content are uploaded to a shared server, the technique could prevent them from extracting and running the malicious code embedded in the file, the release said.

"Preliminary experimental results show that a method based on a combination of Coucou Project techniques results in virtually 100 percent protection against cyberattacks," Hadar said in the release. "We envision that firewall and antivirus companies will be able to utilize Coucou protection applications and techniques in their products."

While its application is fairly broad, the new approach doesn't necessarily account for all types of cybersecurity attacks. However, if successful as a commercial product, the technique could become a valuable weapon in enterprises across the world.

The 3 big takeaways for TechRepublic readers

  1. A Ben-Gurion University researcher has developed a new method for cybersecurity defense that he claims provides 100% protection against cyberattacks coming in through internet photo and video.
  2. The technique uses algorithms to prevent attacks that utilize steganography, where a malicious file is transported within a carrier like a photo or video file.
  3. The new technique could prevent sensitive data from being extracted, or malicious code from being run on a server once it gets there.

source : techrepublic.com

Categorized in Internet Privacy

A US House committee is set to vote today on whether to kill privacy rules that would prevent internet service providers (ISPs) from selling users’ web browsing histories and app usage histories to advertisers. Planned protections, proposed by the Federal Communications Commission (FCC) that would have forced ISPs to get people’s consent before hawking their data – are now at risk. Here’s why it matters.

What kind of personal data do internet service providers want to use?

Your web browsing patterns contain a treasure trove of data, including your health concerns, shopping habits and visits to porn sites. ISPs can find out where you bank, your political views and sexual orientation simply based on the websites you visit. The fact that you’re looking at a website at all can also reveal when you’re at home and when you’re not.

If you ask the ISPs, it’s about showing the user more relevant advertising. They argue that web browsing history and app usage should not count as “sensitive” information.

What’s changed?

The FCC has privacy rules for phones and cable television, but they didn’t apply to internet service providers. In October 2016 the agency introduced broad new privacy rules that prevent companies such as AT&T, Comcast and Verizon from collecting and selling digital information about individuals including the websites they visited and the apps they used.

The new rules – dubbed the Broadband Consumer Privacy Proposal – would require broadband providers to get permission from subscribers before collecting and selling this data. Currently broadband providers can track users unless individuals opt out. The new rules were due to come into play as early as December 2017.

“Getting these rules was probably the biggest win in consumer privacy in years. If the repeal succeeds it would be pretty bad,” said Jeremy Gillula, from the Electronic Frontier Foundation.

How could ISPs use my personal data?

They sell it to advertisers. Having all the data relating to your browsing behavior allows them to offer highly personalized targeted advertising at a premium to big brands, which are injected into your browsing experience. AT&T already tried such a program but killed it just before the FCC introduced the new privacy rules.

Meanwhile, Verizon attempted to insert undetectable “supercookies” into all of its mobile customers’ traffic, which allowed them to track all their browsing behavior – even if a web user was browsing in incognito mode or clearing their cookies and history. The company was sued for $1.35m by the FCCfor not getting customer permission to track them.

Do all ISPs want to harvest our data?

No, not all ISPs want to abolish the privacy protections. A list of several smaller providers – including Monkeybrains.net, Cruzio Internet and Credo Mobile – have written to representatives to oppose the decision. “One of the cornerstones of our businesses is respecting the privacy of our customers,” they said.

How does this differ from the way Google and Facebook use our data?

It’s much harder to prevent ISPs from tracking your data. You can choose not to use Facebook or Google’s search engine, and there are lots of tools you can use to block their tracking on other parts of the web, for example EFF’s Privacy Badger.

Consumers are generally much more limited for choice of ISP, in some cases only having one option in a given geographical area. This means they can’t choose one of the ISPs pledging to protect user data.

Are any rules keeping ISPs in check?

In January the major ISPs signed a voluntary set of privacy principles, pledging to insist on opt-in consent before sharing “sensitive” information such as social security numbers and opt-out choice for “non-sensitive” customer information. Unfortunately, browsing history was included as “non-sensitive”.

These principles are based on rules created by the Federal Trade Commission, which used to be able to punish ISPs for violating customers’ privacy but is prohibited from regulating common carriers.

So how can users protect their browsing history?

You need to encrypt all your internet traffic. Some websites (like the Guardian) are already encrypted – marked out with HTTPS at the beginning of the URL – but ISPs would still be able to see which websites you have visited, just not the individual pages.

To mask all of your browsing behavior you can use a VPN service (which incurs a subscription cost) or try using Tor.

“Both make everyday browsing more complicated,” Gillula said.

Author : Olivia Solon

Source : theguardian.com

Categorized in News & Politics
Page 3 of 7

airs logo

Association of Internet Research Specialists is the world's leading community for the Internet Research Specialist and provide a Unified Platform that delivers, Education, Training and Certification for Online Research.

Get Exclusive Research Tips in Your Inbox

Receive Great tips via email, enter your email to Subscribe.

Follow Us on Social Media