A “suicide game” presented in an app sounds like an urban legend or something from a horror flick, but unfortunately the “Blue Whale Challenge” is real. In fact, police and school districts have issued warnings about the app, and even Instagram serves up a warning after a search for #bluewhalechallenge.

Vulnerable young people are the targets for Blue Whale. Once the app is downloaded onto a phone, it reportedly hacks the phone and harvests the user’s information. In the Blue Whale Challenge, a group administrator – also referred to as a mentor or master – gives a young person a task to complete each day for 50 days. If a person balks at the daily task, the stolen personal information is used as a form of blackmail: do this, or else your private information will be released or your family threatened. The task on the last day is to commit suicide. This is supposedly winning the game. The 21-year-old Russian who created the app claimed to be “cleansing society” of “biological waste” – but we’ll get back to that.

Alabama, New Zealand, UK warn parents about the Blue Whale Challenge

Yesterday, Baldwin County Schools in Alabama issued a warning to alert parents to the dangers of the Blue Whale Challenge. It states that “teenagers supposedly ‘tag’ each other on social media (Snapchat primarily) and challenge them to play. The student then downloads the Blue Whale app, which hacks into their personal information and cannot be deleted. The app originators then threaten the teenagers with harm to their families or releasing of personal information until they kill themselves.” WKRG claimed, “The game asks players to complete tasks, as simple as listening to a song, as drastic as cutting themselves or other risky behavior.” A task might be to watch a horror movie or to wake up in the middle of the night and harm themselves.
Graphic videos on YouTube, which I won’t link to, suggest that, within a couple of days, tasks jump immediately into youths cutting themselves, such as on their arm, or cutting a blue whale into their leg. The young person is to take an image or video as “proof” that the task was completed and send it to the admin of the game. Yesterday, police in New Zealand also issued a warning about Blue Whale; although it’s no longer available in the Apple App Store in New Zealand, it “had been seen on Android.” Waikato Police Constable Tristan Gerritsen urged parents to delete it from the phones of young people. He said, “Without getting into the nitty gritty, the app is particularly nasty as it targets young people and encourages them to complete self-harm challenges and eventually suicide.” In April, Essex Police in the UK warned a school about the app; in turn, Woodlands School in Basildon sent a letter to parents about Blue Whale. Cambridgeshire and Hertfordshire police have also reportedly urged parents to keep an eye on what their kids are doing on social media. The Blue Whale Challenge is not always run from an app; sometimes it is run from websites or social media groups. Blue Whale first showed up in Russia and India last year. This February, the Siberian Times reported on several teenage girls committing suicide after being prompted to do so via the app by their “master.” Police were looking into possible ties to Blue Whale, and the investigation included the girls’ social media contacts, as they appeared to be in the same internet group. The report claims there had been 130 suicides of kids between November 2015 and April 2016. “Almost all these children were members of the same internet groups and lived in good, happy families.”

Blue Whale creator claimed to be ‘cleansing society’ of ‘biological waste’

Phillip Budeikin, 21, had admitted to being the creator of Blue Whale. He is being held on charges of inciting at least 16 teenage girls to commit suicide.
From his sick point of view, he was ‘cleansing society;’ death group admins claim the victims were ‘biological waste’ who were ‘happy to die.’ Budeikin has been at it since 2013, perfecting his tactics. Teenagers are told to delete all correspondence in social accounts with the admins before completing the last task to kill themselves.

How the Blue Whale Challenge works

Anton Breido, a senior official from the FBI-esque Investigative Committee, told The Daily Mail that some kids refuse to be manipulated when given weird or boring tasks and left the group, but others “who stayed were given much stronger tasks like cutting their veins, to balance on a roof top, to kill an animal and post a video or pictures to prove it.” There are horrible accounts from girls who participated in Blue Whale, such as being up at 4:20 a.m. every night – which makes people so tired all the time that making clear decisions is difficult – and watching gory videos or videos of teens committing suicide accompanied by “haunting music” and screams of animals. The victim would watch until the admin “commanded” her to stop and delete everything. To “win” the game, the challenge, the young person must commit suicide. You may have heard about Blue Whale in the past and thought it sounded too much like an urban legend, but Blue Whale is real. It’s not a thing of the past just because Budeikin has been arrested; he dislikes imitators of the sick trend he set, but they exist. The Blue Whale Challenge is spreading to vulnerable young people in new areas, which prompted warnings from police and school officials just yesterday. As the New Zealand police chief said, “Hopefully this app disappears and blue whales can go back to being the majestic creature of the deep that they were intended to be.” But until then, please be aware of the danger and do not let your child fall prey to the suicide game.
The post Schools in Alabama warn parents about Blue Whale ‘suicide game’ app appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/schools-in-alabama-warn-parents-about-blue-whale-suicide-game-app/
Google said Tuesday that a permissions flaw that puts Android users at a heightened risk for malware, ransomware and adware attacks will not be fixed until the release of its next mobile OS, Android O. The vulnerability impacts an undisclosed number of apps hosted on Google Play, researchers at Check Point Software Technologies said. “Based on Google’s policy which grants extensive permissions to apps installed directly from Google Play, this flaw exposes Android users to several types of attacks,” Check Point said. Android O is expected to formally debut in the third quarter of 2017; an alpha version was released in March. The vulnerability, Check Point said, was introduced with the release of Android OS Marshmallow. Check Point said the vulnerability exists because a rogue app developer could publish a malicious app on Google Play that would slip by Google’s automated malware scanner, called Verify Apps. Once installed, the app could be instructed to remain persistently on top of the screen whenever the Android device is active. “This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices,” Check Point wrote. The vulnerability is tied to the way Google classifies and grants Android apps permissions to interact with a user’s Android handset. Google divides system permissions into two protection levels, Normal and Dangerous. Normal permissions are given to apps that need to access data or resources outside the app’s sandbox but that represent very little risk to the user’s privacy, according to Google. For example, an app that checks which version of Android is running needs only Normal permissions.
Normal permissions are granted automatically; no user interaction is required. Dangerous permissions apply to apps that request access to a phone’s resources such as contacts, calendar, microphone or camera. When such an app is launched for the first time, the user must explicitly grant permission for system resource access. The vulnerability Check Point discovered applies to apps that pop up or display windows on top of all other Android apps running on a handset. For example, Facebook’s Messenger app has a Chat Head feature: when a user receives a new Facebook message, the sender’s profile image pops up above whatever application window the user is viewing to alert them to the new message. This functionality is tied to an Android feature called System Alert Window. Starting with its Marshmallow OS, Google classified the System Alert Window permission as Dangerous. However, Google granted an exception to app developers that wanted to use the System Alert Window function in their apps, according to Check Point. The only condition for allowing the app developer to forgo asking users for permission to access this Dangerous resource was that the app must be downloaded via the Google Play app store. Android apps available via third-party Android app stores must request this permission. Google allowed the exception because an average Android user would be alarmed and confused by an app permission request asking for access to System Alert Windows, said Daniel Padon, mobile threat researcher at Check Point. “Either users would never grant access System Alert Window or become conditioned to always grant access to Android system resources,” he said. “Either way, that’s not good.” Check Point said that with Android O, Google will replace this permission with a new, more restrictive permission called TYPE_APPLICATION_OVERLAY, which blocks windows from being positioned above any critical system windows.
In one scenario, a victim downloads an app from Google Play that exploits this vulnerability. The first time the app runs, it requests the specific permission on the device and is granted it. The user sees no permission request or warning, which allows an attacker to display an overlay window that carries out an extortion attack or a credential request. In an analysis of past mobile threats, Check Point said persistent on-top screens are used in 74 percent of ransomware attacks, 57 percent of adware attacks and 14 percent of banker malware abuse. “This is clearly not a minor threat, but an actual tactic used in the wild,” Check Point wrote. “This feature is used by several good apps, and is a feature all apps downloaded from Google Play can take advantage of. The problem is that it can easily be used for wrongdoing,” researchers said. Still unclear is how Google will balance permissions for apps such as Facebook against requiring users to step through layers of settings to grant permissions for legitimate apps that use this on-top persistent screen feature, Check Point said. Since most users won’t bother to approve the permission manually, legitimate apps could be hurt by the mitigation introduced in Android O, Check Point said.

The post Android Permissions Flaw Will Linger Until O Release appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/android-permissions-flaw-will-linger-until-o-release/

Lost in yesterday’s shuffle of emergency updates and regularly scheduled monthly patches was Microsoft’s announcement that it was officially cutting off SHA-1 support in Internet Explorer 11 and Edge. Going forward, both browsers will block webpages signed with a SHA-1 TLS or SSL certificate from loading, and users will be shown a warning about an invalid certificate.
SHA-1 has long been earmarked for deprecation, and other major browsers such as Chrome and Firefox have already taken similar measures to prevent the loading of sites signed with the broken hash function. Crypto experts have warned users for close to a decade that SHA-1 was theoretically broken and that a real-world, practical collision attack was imminent. In February, researchers from Google and the Cryptology Group at Centrum Wiskunde and Informatica (CWI) published a paper called SHAttered that described the first such attack. The attack carried out by the researchers involved one of the largest computations ever completed and required nine quintillion SHA-1 computations and 6,500 years of CPU time to complete the first of two phases of the attack. In the end, the researchers produced two different PDF files with the same SHA-1 hash. No two different files should ever produce the same hash, and by arriving at a collision, an attacker could trick a system into accepting a malicious file instead of the intended one. Microsoft said yesterday in an advisory that enterprise or self-signed SHA-1 certs will not be impacted, but reinforced a long-standing recommendation that users migrate to SHA-2 signed certs. “This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1,” Microsoft said. Last November, Microsoft had set a Feb. 14 deadline for SHA-1 support in its browsers, but said in April that it would finally cross the finish line yesterday. Microsoft also said that the Windows 10 Creators Update blocks SHA-1 by default. Mozilla and Google have already implemented similar steps, starting in January. The browser makers accelerated their plans to deprecate the hash function as new research surfaced that increased the likelihood of a collision before the early-2018 projections.
A 2015 paper from CWI and Nanyang Technological University of Singapore described tweaks to known attacks against SHA-1 that could theoretically reduce the time required to generate a collision. In 2012, experts projected that practical collisions would arrive by 2018 and cost $700,000, and that the cost would continue to fall given the declining price of CPU time. Those totals, at the time, were well within reach of nation-state actors and even some well-funded criminal outfits. The 2015 paper, however, sliced into those projections, cutting significantly into the time necessary to generate a collision (78 days) and bringing the cost to under $120,000 USD. A Threatpost report in January found that only 536 of the Alexa top 1 million websites were still running SHA-1, and experts called the migration away from the hash function “an unmitigated success.”

The post Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsoft-makes-it-official-cuts-off-sha-1-support-in-ie-edge/

The Tuesday updates for Internet Explorer and Microsoft Edge force those browsers to flag SSL/TLS certificates signed with the aging SHA-1 hashing function as insecure. The move follows similar actions by Google Chrome and Mozilla Firefox earlier this year. Browser vendors and certificate authorities have been engaged in a coordinated effort to phase out the use of SHA-1 certificates on the web for the past few years, because the hashing function no longer provides sufficient security against spoofing. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made, for example for outdated payment terminals. A hash function like SHA-1 is used to calculate a fixed-length string that serves as the cryptographic representation of a file or a piece of data. This is called a digest and can serve as the basis of a digital signature. It is supposed to be unique and non-reversible. In February, researchers from Google and CWI (Centrum Wiskunde & Informatica, a math research center in The Netherlands) proved the first practical collision attack against SHA-1, producing two PDF files with the same SHA-1 digest. This proved without a doubt that the aging hashing function is effectively broken and should not be used for sensitive applications. Browser vendors have planned since 2015 to flag SHA-1 certificates as insecure and block them. Google Chrome and Mozilla Firefox used a staged approach: since early 2016 the browsers blocked SHA-1 certificates issued after Jan. 1, 2016, and since January this year they started blocking all existing SHA-1 certificates, including old ones that have long validity periods. Chrome version 56, released in January, started blocking all SHA-1 certificates that chain back to publicly trusted certificate authorities. In version 57 it also started blocking SHA-1 certificates that chain back to a local root CA. However, it provides a policy mechanism for organizations to disable this restriction. That’s because enterprises might run their own internal certificate infrastructures that rely on self-generated SHA-1 root certificates and cannot easily replace them due to legacy systems that don’t support newer hashing functions like SHA-2. The ban on SHA-1 certificates introduced Tuesday in IE and Edge will only impact certificates that chain to a root certificate in the Microsoft Trusted Root Program, Microsoft said in a security advisory. Enterprise and self-signed SHA-1 certificates will not be affected for now, but Microsoft’s long-term plan is to phase out SHA-1 from all usages in Windows, including the function’s use for verifying the integrity of downloaded files.

The post Microsoft finally bans SHA-1 certs in IE and Edge appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsoft-finally-bans-sha-1-certs-in-ie-and-edge/
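A check an operator can run against the Microsoft rule quoted above (block when the end-entity or the issuing intermediate is SHA-1-signed and the chain ends at a root in the Microsoft Trusted Root Program; enterprise and self-signed roots are unaffected). This is an added example, not code from Microsoft, Threatpost or the advisory: it walks the outer DER structure of each certificate to read its signatureAlgorithm OID, and the sample certificates are constructed stand-ins built inside the block, not real certificates.

```python
"""Read Certificate.signatureAlgorithm from DER and apply the IE/Edge rule:
a chain is blocked when its end-entity or an intermediate is SHA-1-signed AND
it chains to a root in the Microsoft Trusted Root Program. The root's own
self-signature is ignored; enterprise or self-signed roots are not affected."""

# Standard PKIX signature-algorithm OIDs (small constructed lookup table).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
OTHER_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID contents to dotted form; the first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                  # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)             # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)              # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def describe(cert_der):
    """Human-readable algorithm name, falling back to the dotted OID."""
    oid = signature_algorithm(cert_der)
    return SHA1_SIG_OIDS.get(oid) or OTHER_SIG_OIDS.get(oid) or oid


def blocked_by_ie_edge(chain_der, root_in_microsoft_program):
    """chain_der is leaf first, root last; only leaf and intermediates count."""
    if not root_in_microsoft_program:
        return False                                # enterprise / self-signed root
    return any(signature_algorithm(c) in SHA1_SIG_OIDS for c in chain_der[:-1])


# --- constructed fixtures: minimal stand-ins, not real certificates ----------
def _der(tag, content):
    """Encode one TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_cert(sig_oid):
    """Empty tbsCertificate, a real AlgorithmIdentifier and a dummy 201-byte
    signature (long enough to exercise long-form DER lengths)."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 201)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [fake_cert("1.2.840.113549.1.1.11"),      # leaf: SHA-256
             fake_cert("1.2.840.113549.1.1.5"),       # intermediate: SHA-1
             fake_cert("1.2.840.113549.1.1.5")]       # root: SHA-1 (ignored)
    for role, c in zip(("leaf", "intermediate", "root"), chain):
        print(f"{role:13} {describe(c)}")
    print("blocked by IE/Edge:", blocked_by_ie_edge(chain, True))
```

For real certificates, pass the DER bytes of each chain member in leaf-to-root order; the walker only touches the outer structure, so it does not validate the chain.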
President Trump informed FBI Director James Comey he had been dismissed on May 9, stemming from a conclusion by Justice Department officials that he had mishandled the probe of Hillary Clinton’s emails. (Bastien Inzaurralde/The Washington Post)
White House press secretary Sean Spicer wrapped up his brief interview with Fox Business from the White House grounds late Tuesday night and then disappeared into the shadows, huddling with his staff behind a tall hedge. To get back to his office, Spicer would have to pass a swarm of reporters wanting to know why President Trump suddenly decided to fire the FBI director. For more than three hours, Spicer and his staff had been scrambling to answer that question. Spicer had wanted to drop the bombshell news in an emailed statement, but it was not transmitting quickly enough, so he ended up standing in the doorway of the press office around 5:40 p.m. and shouting a statement to reporters who happened to be nearby. He then vanished, with his staff locking the door leading to his office. The press staff said that Spicer might do a briefing, then announced that he definitely wouldn’t say anything more that night. But as Democrats and Republicans began to criticize and question the firing with increasing levels of alarm, Spicer and two prominent spokeswomen were suddenly speed-walking up the White House drive to defend the president on CNN, Fox News and Fox Business. “Another Tuesday at the White House,” Sarah Huckabee Sanders quipped as she finished speaking on Fox News from its outdoor set, as the voice of Kellyanne Conway continued to spar with CNN’s Anderson Cooper from the next booth over.
Lawmakers react after President Trump fired FBI director James Comey on May 9. (Victoria Walker/The Washington Post)
After Spicer spent several minutes hidden in the bushes behind these sets, Janet Montesi, an executive assistant in the press office, emerged and told reporters that Spicer would answer some questions, as long as he was not filmed doing so. Spicer then emerged. “Just turn the lights off. Turn the lights off,” he ordered. “We’ll take care of this. … Can you just turn that light off?” Spicer got his wish and was soon standing in near darkness between two tall hedges, with more than a dozen reporters closely gathered around him. For 10 minutes, he responded to a flurry of questions, vacillating between light-hearted asides and clear frustration with getting the same questions over and over again. The first question: Did the president direct Deputy Attorney General Rod J. Rosenstein to conduct a probe of FBI Director James B. Comey? As Spicer tells it, Rosenstein was confirmed about two weeks ago and independently took on this issue so the president was not aware of the probe until he received a memo from Rosenstein on Tuesday, along with a letter from Attorney General Jeff Sessions recommending that Comey be fired. The president then swiftly decided to follow the recommendation, notifying the FBI via email around 5 p.m. and in a letter delivered to the FBI by the president’s longtime bodyguard. At the same time, the president personally called congressional leaders to let them know his decision. Comey learned the news from media reports. “It was all him,” Spicer said of Rosenstein, as a reporter repeated his answer back to him. “That’s correct — I mean, I can’t, I guess I shouldn’t say that, thank you for the help on that one. No one from the White House.
That was a DOJ decision.” The news Tuesday was surprising for a number of reasons, especially since the president once delighted in Comey’s investigation of Democrat Hillary Clinton’s use of a private email server — an investigation that is now at the heart of Trump’s explanation for firing Comey. Some have then wondered aloud if the president is instead trying to punish Comey for investigating ties between his campaign and Russia. When pressed on this, Spicer would put forth Rosenstein’s résumé: a prosecutor with more than 30 years of experience who served as a U.S. attorney during the Obama administration and was overwhelmingly confirmed for his new position as deputy attorney general by Congress. Spicer said he’s not aware of any of Rosenstein’s superiors who might have directed him to do this — although he then said that such questions should be directed to Justice officials, not him. Spicer did a lot of referring. Was Sessions involved? “That’s something you should ask the Department of Justice,” Spicer said. Was Rosenstein’s probe part of a larger review of the FBI? “That’s, again, a question that you should ask the Department of Justice,” he said. Did the president discuss Rosenstein’s findings with Rosenstein? “No, I don’t believe, I don’t know how that sequence went — I don’t know,” he said. What was the president’s role? “Again, I have to get back to you on the tick-tock,” he said. When’s the last time Trump and Comey spoke? “Uh, I don’t know. I don’t know. There’s some — I don’t know. I don’t know,” he said. What were the three occasions on which the president says Comey assured him that he was not under investigation? “I don’t — we can follow — I can try, yeah,” he said. How long did the president deliberate? “I don’t, I don’t … I can look at the tick-tock. I know that he was presented with that today. I’m not sure what time,” he said. Why wasn’t Comey given the news in a personal phone call?
“I think we delivered it by hand and by email and that was — and I get it, but you asked me a question and that’s the answer,” he said. Did Comey’s testimony last week — which contained inaccuracies — influence the decision? “You’d have to ask the Department of Justice. They’re the ones that made the recommendation,” he said. Why didn’t the president do this months ago? “Again, I would refer you to the Department of Justice,” he said. Does he know about grand-jury subpoenas that have reportedly been issued in an investigation involving Michael Flynn, Trump’s previous national security adviser? “I’m not — I’m not aware of any,” he said. Is it true that the president will meet on Wednesday with Russia’s foreign minister, Sergei Lavrov? “We’ll see what the schedule says. I don’t — I just — I’ve been a little tied up.” Spicer repeatedly batted down bipartisan calls that an independent prosecutor be assigned to handle the investigation into ties between Trump’s campaign and Russian officials, saying that the current system is working just fine. CNN’s Sara Murray noted that Trump has now fired Comey, who is leading the investigation, and Sessions has had to recuse himself. “Right now, on multiple occasions, they said that the president wasn’t under investigation. What are we investigating?” Spicer said. “…What are you investigating?” As Murray continued to press him, Spicer told her: “Hold on, Sara, I get it, you’re right there. You don’t have to yell.” With Murray quieted, Spicer continued to explain why there’s no need for a special prosecutor. “There is clearly at this point no evidence of a reason to do that,” Spicer said. “You have a system that’s working.” Exactly 10 minutes after he started answering questions, Spicer stopped. 
“Anyway,” Spicer said abruptly, “thank you, guys.” As Spicer made his way toward the White House door, the swarm of reporters moved with him, shouting questions along the way: Why is the White House suddenly giving statements after pledging to not do so? Did Trump’s bodyguard really deliver the message to the FBI? Can NBC get some one-on-one time? “Thank you,” Spicer said again. “Thank you.” Spicer walked with his head down. As he approached the door, aides warned reporters not to get too close. He then disappeared inside, enveloped by the warmly lit White House. Robert Costa contributed to this report.

The post After Trump Fired Comey, White House Staff Scrambled To Explain Why appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/after-trump-fired-comey-white-house-staff-scrambled-to-explain-why/

Cisco released an update this week that addresses a vulnerability in software running in more than 300 of its switches. The flaw was disclosed among the WikiLeaks Vault 7 dump of alleged CIA offensive hacking tools, and proof-of-concept exploit code exists that targets the vulnerability. Cisco said the vulnerability was in the Cluster Management Protocol (CMP) processing code running in its IOS and IOS XE software, the company’s longstanding networking operating system. In an advisory, Cisco cautioned that attackers could remotely execute code with elevated privileges, or cause a vulnerable switch or networking device to reload. Cisco acknowledged the vulnerability, CVE-2017-3881, shortly after investigating the WikiLeaks dump. Attackers could abuse the code’s use of telnet in the software to access a switch and gain full control. Cisco said CMP uses telnet as a signaling and command protocol between devices in a cluster. It conceded that it failed to properly restrict the use of CMP-specific telnet to internal communication only, and that the code incorrectly processed malformed CMP telnet options.
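The configuration audit a network operator would want for the exposure Cisco describes (a device that accepts telnet connections on its VTY lines), as an added example that is not from Cisco's advisory. It assumes the input is the text of `show running-config`; the two sample configs are constructed, and a VTY block with no `transport input` statement is reported as "default" rather than assumed safe, since the platform default varies and the article says telnet is accepted by default.

```python
"""Audit IOS / IOS XE VTY lines for telnet acceptance.

Classification per `line vty` block (my labels, not Cisco's):
  telnet    - `transport input` lists telnet or all
  no-telnet - `transport input` set, telnet absent (e.g. ssh only)
  none      - `transport input none`
  default   - no `transport input` statement; platform default applies
"""
import re

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_vty_blocks(config_text):
    """Return [{'range': (lo, hi), 'transport': [..] | None}, ...] in config order."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # any top-level statement ends a block
            m = VTY_RE.match(line)
            current = None
            if m:
                lo = int(m.group(1))
                hi = int(m.group(2)) if m.group(2) else lo
                current = {"range": (lo, hi), "transport": None}
                blocks.append(current)
            continue
        if current is None:               # indented line under a non-vty block
            continue
        words = line.split()
        if words[:2] == ["transport", "input"]:
            current["transport"] = words[2:]
    return blocks


def telnet_exposure(config_text):
    """Classify every VTY block; returns [((lo, hi), status), ...]."""
    report = []
    for block in parse_vty_blocks(config_text):
        transport = block["transport"]
        if transport is None:
            status = "default"
        elif transport == ["none"]:
            status = "none"
        elif "telnet" in transport or "all" in transport:
            status = "telnet"
        else:
            status = "no-telnet"
        report.append((block["range"], status))
    return report


def accepts_telnet(config_text):
    """True when any VTY block explicitly accepts telnet or is left at default."""
    return any(status in ("telnet", "default") for _, status in telnet_exposure(config_text))


# Constructed sample configs (not from any real device).
VULNERABLE_CONFIG = """\
hostname edge-sw1
!
line con 0
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
!
end
"""

HARDENED_CONFIG = """\
hostname edge-sw1
!
ip ssh version 2
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input none
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, telnet_exposure(cfg), "accepts telnet:", accepts_telnet(cfg))
```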
“An attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections,” Cisco said in its advisory. “An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.” Cisco published a long list of switches from its Catalyst product line, as well as Cisco Embedded Service, IE 2000-5000, ME, RF and SM-X models. The switches are vulnerable, Cisco said, only if the CMP subsystem is present and running on IOS XE and the device is configured to accept telnet connections. This, Cisco said, is the default configuration. The Vault 7 leaks began in March when WikiLeaks released more than 8,000 documents that describe secret methods allegedly used by the CIA’s Center for Cyber Intelligence to penetrate everything from cellphones and televisions to enterprise hardware. The documents described many alleged vulnerabilities, but WikiLeaks did not release any of the tools or exploits associated with the disclosures. That was the first of several Vault 7 leaks, and it was followed two weeks later by a cache of documents and information indicating the CIA had the capability to track iPhone users and had at its disposal malware implants for Apple firmware running on MacBooks. The so-called Dark Matter release also included documentation for a tracking beacon that could be implanted on factory-fresh iPhones. The agency also concentrated on developing malware and exploits that would attack firmware running on Macs and iPhones, specifically EFI and UEFI firmware, giving it persistence on a target’s device.

The post Cisco Patches IOS XE Vulnerability Leaked in Vault 7 Dump appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/cisco-patches-ios-xe-vulnerability-leaked-in-vault-7-dump/

President Trump fired FBI Director James Comey on Tuesday evening, just a day before Russian Foreign Minister Sergey Lavrov was set to meet with Secretary of State Rex Tillerson, and Trump himself, in the White House. Those meetings are likely to come under even more scrutiny from Democrats, many of whom are worried that Comey’s firing puts at risk a fair investigation into what they say are Trump’s close ties to Russia. Late Tuesday, the White House said Trump would also meet with Lavrov in the White House. That rare meeting of a foreign minister at the White House is set for the same day that the State Department said Tillerson and Lavrov would meet to discuss “Ukraine, Syria, and bilateral issues.” “On Ukraine, the sides will discuss the need to stop the violence in eastern Ukraine and resolve the conflict through the full implementation of the Minsk agreements,” the department said. “On Syria, the secretary intends to discuss efforts to de-escalate violence, provide humanitarian assistance to the Syrian people, and set the stage for a political settlement of the conflict.” Democrats were warning that Comey’s firing was worrying, and that Congress must create a special counsel to assess Trump’s ties to Russia. Democrats believe Trump colluded with Russia in an effort to defeat Hillary Clinton in last year’s election. However, former Director of National Intelligence James Clapper told the Senate on Monday that there was still no evidence of this collusion. Many Republicans say there is no evidence, and that Democrats are using Russia to attack Trump in the wake of Clinton’s defeat.

The post James Comey Fired One Day Before US-Russia Meetings appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/james-comey-fired-one-day-before-us-russia-meetings/

The U.S. Social Security Administration will soon require Americans to use stronger authentication when accessing their accounts at ssa.gov. As part of the change, SSA will require all users to enter a username and password in addition to a one-time security code sent to their email or phone. In this post, we’ll parse this a bit more and look at some additional security options for SSA users. The SSA recently updated its portal with the following message:

The Social Security Administration’s message to Americans regarding the new login

I read that to mean even though an email address is required to sign up at ssa.gov, the SSA also is treating email as a second authentication factor. But the above statement seemed open to interpretation, so I put my questions to the SSA. Here’s what SSA’s press office came back with:
ANALYSIS

The idea that one can reset the password using the same email account that will receive the one-time code seems to lessen the value of this requirement as a security measure. Notice the SSA isn’t referring to its new security scheme as “two-factor authentication,” which requires a user to supply something he knows and something he is or has. The former is usually a password or PIN; “something he is” most often refers to biometric components (fingerprint, iris scan); whereas the “something he has” factor generally refers to the output of a one-time code from a key fob or a mobile app like Google Authenticator or Duo [full disclosure: Duo is a longtime advertiser on this blog]. The move comes almost a year after the SSA enacted and then rescinded a requirement that all Americans who wish to manage their retirement benefits at ssa.gov provide a mobile phone number. Less than two weeks after that new requirement went into effect last year, the SSA reversed itself and did away with the requirement. The policy was reversed following a rollout marred by technical difficulties and criticism that the new requirement did little to prevent identity thieves from siphoning benefits from Americans who hadn’t yet created accounts at ssa.gov for themselves.

SIGN UP AT SSA BEFORE SOMEONE DOES IT FOR YOU

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Because it’s possible to create just one “my Social Security” account per Social Security number, registering an account on the portal is one basic way that Americans can avoid becoming victims of this scam. So what else, beyond the basic measures being enacted in June 2017, does the SSA offer Americans concerned about someone hijacking their SSA account online?
The SSA offers a set of options that it calls “extra security.” These extra options, by the way, include sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:
Sadly, crooks won’t go through the more rigorous signup process — they’ll choose the option that requires less information. That means it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online. What else does the SSA require to prove you’re you when creating a new account at my Social Security? Assuming you can buy or supply the above personal data, the agency relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook. In addition to the SSA’s optional security measures, Americans can further block ID thieves by placing a security freeze on their credit files with the major credit bureaus. Readers who have taken my ceaseless advice to freeze their credit will need to temporarily thaw the freeze in order to complete the process of creating an account at ssa.gov. Looked at another way, having a freeze in place blocks ID thieves from fraudulently creating an account in your name and potentially diverting your government benefits. Alternatively, citizens can block online access to their Social Security account. Instructions for doing that are here. Tags: Duo Security, Google Authenticator, ssa.gov, two-factor authentication, U.S. Social Security Administration
The post SSA.GOV To Require Stronger Authentication appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/ssa-gov-to-require-stronger-authentication/
FBI Director James B. Comey has been dismissed by the president, according to White House spokesman Sean Spicer. “The president has accepted the recommendation of the Attorney General and the deputy Attorney General regarding the dismissal of the director of the Federal Bureau of Investigation,” Spicer told reporters in the briefing room. Spicer also said that Comey was “notified a short time ago.” This is effective “immediately,” he said. Earlier in the day, the FBI notified Congress that Comey misstated key findings involving the Hillary Clinton email investigation during testimony last week, saying that only a “small number’’ of emails had been forwarded to disgraced congressman Anthony Weiner, not the “hundreds and thousands’’ he’d claimed in his testimony. The letter was sent to the Senate Judiciary Committee on Tuesday, more than a week after Comey testified for hours in defense of his handling of the Clinton probe.
“This letter is intended to supplement that testimony to ensure that the committee has the full context of what was reviewed and found on the laptop,’’ wrote FBI Assistant Director Gregory A. Brower. In defending the probe at last week’s hearing, Comey offered seemingly new details to underscore the seriousness of the situation FBI agents faced last fall when they discovered thousands of Clinton aide Huma Abedin’s emails on the computer of her husband, Anthony Weiner. “Somehow, her emails were being forwarded to Anthony Weiner, including classified information,” Comey said, adding later, “His then-spouse Huma Abedin appears to have had a regular practice of forwarding emails to him for him I think to print out for her so she could then deliver them to the secretary of state.” [Comey says he feels ‘mildly nauseous’ about possibility he affected election, but has no regrets] At another point in the testimony, Comey said Abedin “forwarded hundreds and thousands of emails, some of which contain classified information.’’ Neither of those statements is accurate, said people close to the investigation. Tuesday’s letter said “most of the emails found on Mr. Weiner’s laptop computer related to the Clinton investigation occurred as a result of a backup of personal electronic devices, with a small number a result of manual forwarding by Ms. Abedin to Mr. Weiner.’’ The letter also corrected the impression Mr. Comey’s testimony had left with some listeners that 12 classified emails were among those forwarded by Abedin to Weiner. “Investigators identified approximately 49,000 emails which were potentially relevant to the investigation,” the letter said. “All were reviewed with a particular focus on those containing classified information. Investigators ultimately determined that two e-mail chains containing classified information were manually forwarded to Mr. Weiner’s account.’’ Ten other email chains that contained classified information were found on the laptop as a result of backup activity. The letter also clarified some of the figures Comey gave regarding ongoing terrorism probes. The issue of Comey’s misstatements was first reported by ProPublica. At the hearing, the statements about Abedin’s email practices were immediately seized on by Sen. Ted Cruz (R-Texas) and others, who demanded to know why Abedin wasn’t charged with a crime. Comey said it was difficult finding evidence that those involved in Clinton’s use of private email knowingly engaged in wrongdoing, and that traditionally the Justice Department has not prosecuted such cases without some indicator of intent. Comey’s incorrect comments about Abedin surfaced again this week at a different Senate hearing, when Cruz pressed former director of national intelligence James R. Clapper Jr. to say how he would handle an employee who “forwarded hundreds or even thousands of e-mails to a non-government individual, their spouse, on a non-government computer.’’ Clapper said such conduct “raises all kinds of potential security concerns.’’ At the hearing last week, Comey spent hours defending his handling of the investigation of Clinton’s use of a private server for work while she was secretary of state, saying it made him “mildly nauseous” to think his decisions might have affected the outcome of the presidential election, but insisting that he had no regrets and would not have handled it differently. Comey’s decision-making during the Clinton inquiry has come under sustained criticism from Democrats — including Clinton — who say it was a major factor that contributed to her presidential election defeat in November to Donald Trump. On Oct. 28, less than two weeks before Election Day, the director notified Congress that new Clinton-related emails had been found on a laptop belonging to Weiner.
Days later, investigators obtained a search warrant to examine about 3,000 messages on the device that were work-related. Of those, Comey said, agents found a dozen that contained classified information, but they were messages investigators had already seen. Comey’s public comments about the Clinton case have been a source of public debate since he first announced last July that he would not recommend charges against anyone in connection with her use of a private server for government business. At the time, he called the use of the server “extremely careless’’ but said it did not rise to the level of a crime. The misstatements in testimony aren’t the first time Comey has overstated a key fact in a high-profile probe. A year ago, while speaking at a security forum in London, the director miscalculated the price the FBI had paid for a technique to crack into a locked iPhone belonging to one of the dead suspects in a terrorist attack in San Bernardino, Calif. At the event, he said the cost of the phone hacking tool was “more than I will make in the remainder of this job, which is seven years and four months, for sure.’’ Based on Comey’s salary, his comment strongly implied the bureau paid at least $1.3 million to get into the phone, which belonged to Syed Rizwan Farook. Farook and his wife killed 14 people during a December 2015 terrorist attack. People close to that case said the FBI actually paid about $900,000.
Read more: Read the full testimony of FBI Director James B. Comey; Computer seized in Weiner probe prompts FBI to take new steps in Clinton email inquiry
The post Trump Fires FBI Director Comey appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/trump-fires-fbi-director-comey/
Microsoft released security patches Tuesday for 55 vulnerabilities across the company’s products, including for three flaws that are already exploited in targeted attacks by cyberespionage groups.
Fifteen of the vulnerabilities fixed in Microsoft’s patch bundle for May are rated as critical and they affect Windows, Microsoft Office, Microsoft Edge, Internet Explorer, and the malware protection engine used in most of the company’s anti-malware products. System administrators should prioritize the Microsoft Office patches because they address two vulnerabilities that attackers have exploited in targeted attacks over the past two months. Both of these flaws, CVE-2017-0261 and CVE-2017-0262, stem from how Microsoft Office handles Encapsulated PostScript (EPS) image files and can lead to remote code execution on the underlying system. According to researchers from FireEye, the CVE-2017-0261 vulnerability has been exploited since late March by an unidentified gang of financially motivated attackers and by a Russian cyberespionage group called Turla. Also known as Snake or Uroburos, the Turla group has been active since at least 2007 and has been responsible for some of the most complex cyberespionage attacks to date. Its targets are usually government entities, intelligence agencies, embassies, military organizations, research and academic institutions, and large corporations. The CVE-2017-0261 exploits came in the form of Word documents with embedded malicious EPS content that were distributed via email. The attacks also attempted to exploit a Windows privilege escalation vulnerability tracked as CVE-2017-0001 that Microsoft patched on March 14. Later, in April, researchers from FireEye and ESET discovered a different cyberespionage campaign exploiting the second EPS-related Microsoft Office vulnerability that was patched Tuesday: CVE-2017-0262. Those attacks were traced back to a Russian cyberespionage group known in the security industry as APT28, Fancy Bear, or Pawn Storm. APT28 is the group blamed for hacking into the U.S. Democratic National Committee last year during the presidential election. 
The group’s selection of targets over the years has reflected Russia’s geopolitical interests, leading many researchers to believe that APT28 is tied to the Russian Military Intelligence Service (GRU). APT28’s past attacks have demonstrated that the group has access to an arsenal of zero-day exploits — exploits for previously undisclosed vulnerabilities. Its exploit for CVE-2017-0262 was distributed in a decoy document about President Donald Trump’s decision to launch an attack in Syria last month and was chained with another zero-day exploit for a Windows privilege escalation vulnerability (CVE-2017-0263) that was also patched Tuesday. Even though the CVE-2017-0262 EPS vulnerability was technically patched Tuesday, users who installed the Microsoft Office updates released in April were already protected against it. That’s because those updates disabled the EPS filter in Office as a defense-in-depth measure, Microsoft researchers said Tuesday in a blog post. System admins should also prioritize this month’s security updates for Internet Explorer and Edge, because they fix critical vulnerabilities that could be exploited by visiting malicious websites or by viewing specially crafted advertisements inside the browsers. One of the patched IE flaws is already exploited by attackers, while one patched in Edge has been publicly disclosed. The updates for Windows should come next on the priority list because they address several remote code execution vulnerabilities in the SMB network file-sharing protocol. These vulnerabilities put Windows desktop and server installations at risk of hacking if they use SMBv1. Finally, users of Microsoft’s anti-malware products, including Windows Defender and Microsoft Security Essentials, should make sure that their engine is updated to version 1.1.13704.0. Older versions contain a highly critical vulnerability that can be easily exploited by attackers to take complete control of computers.
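An administrator following the two concrete recommendations above (engine at or above 1.1.13704.0, SMBv1 not in use) can verify both from PowerShell. The script below is an added example, not part of the article or of any Microsoft tooling; it assumes Windows 8.1/Server 2012 R2 or later where the Defender and SmbShare modules exist (Microsoft Security Essentials on Windows 7 does not expose Get-MpComputerStatus).

```powershell
# Added example: audit the two May 2017 mitigations named in the article.
# Assumes the Defender and SmbShare PowerShell modules are present.

$RequiredEngine = [version]'1.1.13704.0'   # engine version named in the article

function Test-MpEngineVersion {
    param([Parameter(Mandatory)][version]$Minimum)
    # AMEngineVersion is the malware protection engine, distinct from the
    # signature version and the product version.
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]$status.AMEngineVersion
    [pscustomobject]@{
        Check     = 'Malware protection engine'
        Current   = $current.ToString()
        Required  = ">= $Minimum"
        Compliant = ($current -ge $Minimum)
    }
}

function Test-Smb1Disabled {
    # The server-side setting is what exposes a host to the SMB RCE flaws.
    $server = Get-SmbServerConfiguration -ErrorAction Stop
    [pscustomobject]@{
        Check     = 'SMBv1 server protocol'
        Current   = if ($server.EnableSMB1Protocol) { 'enabled' } else { 'disabled' }
        Required  = 'disabled'
        Compliant = (-not $server.EnableSMB1Protocol)
    }
}

$results = @(
    Test-MpEngineVersion -Minimum $RequiredEngine
    Test-Smb1Disabled
)
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or RMM job raise an alert on any failure.
if ($results.Compliant -contains $false) { exit 1 }
```

Disabling SMBv1 where it is still enabled is a separate change (Set-SmbServerConfiguration -EnableSMB1Protocol $false) that should be tested first, since legacy devices may depend on it.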
The post Microsoft fixes 55 flaws, 3 of them exploited by Russian cyberspies appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/microsoft-fixes-55-flaws-3-of-them-exploited-by-russian-cyberspies/