
Tag: Finger

9 superheroes for crack security teams

As a traveling enterprise security consultant, I get to see security teams at their best and their worst. Under stress, some teams work like well-oiled machines, while others devolve into inefficient, finger-pointing bureaucracies. Every great computer security team has a synergistic collection of skilled professionals who work well together to meet common goals.

The team may debate a solution, but once a decision is made, everyone works hard to execute with no hard feelings.

Good teams expect constant change and disruption.

They know that whatever they are trying to accomplish will likely be harder than anticipated. When I encounter successful teams, distinct roles emerge among the group.

Different organizations require different mixes of players, but these archetypes pop up again and again.

Clips is the Apple-made video sharing app that’s not a social...

Can Apple convince video sharers to move their filmmaking to its app?

42% off Yeti Rambler 18 oz Bottle – Deal Alert

The Rambler 18 oz. bottle is next-level, and the perfect addition to your rough commutes, day hikes, or kayak sessions.

It features a no-sweat design, tough 18/8 stainless steel construction and a leakproof, insulated TripleHaul cap with a 3-finger grip that protects your truck cab or day pack from spills. The Rambler 18 oz. bottle stands 9 1/2 inches high, has a diameter of 3 inches, and is sized to fit standard cup holders.

The popular Yeti bottle's list price has been reduced a significant 42% to $23.25.
See the deal now on Amazon.

Our new (mixed) reality: Early adopters have become HoloLens believers at...

Whether it involved trucks, buildings, or banquettes, the AR/MR headset has made life easier.

Trump inauguration DDoS protest is ‘illegal’, warn securobods

Whitehouse.gov down? A software engineer is calling on netizens opposed to Donald Trump to visit the Whitehouse.gov site and overload it with traffic tomorrow. The call to mark inauguration day by "occupying" whitehouse.gov as a form of protest against Donald Trump’s presidency is likely to succeed only in getting participants into trouble, security experts warn. Kyle Wilhoit, senior security researcher at DomainTools, commented: “Protestors across the globe continue to utilize denial of service and DDoS attacks to propagate their viewpoints and spread the concept of civil disobedience.
In this situation, the White House likely has protections in place to help prevent simple page refresh denial of service attacks, so in order for this style of attack to succeed, it would require a very large volume of traffic from thousands of personal machines.” Amichai Shulman, CTO and co-founder of Imperva, compared the protest campaign to similar action by the Anonymous hacker collective in 2010 / 2011. Anonymous, which declared "total war" on Trump before the US election last November, this week called on supporters to dig up and release any damaging information they could find on the incoming US president, The Daily Telegraph reports. The separate “call for protestors” to gather at whitehouse.gov is being hosted on a website using the .io domain, which is assigned to the British Indian Ocean Territory.

The person behind the protest, who is calling themselves Juan Soberanis, describes it as an act of civil disobedience akin to marching on Washington DC. Security experts caution that what has been proposed amounts to organising a distributed denial-of-service attack, an illegal act under anti-hacking laws in the US, UK and other countries. Stephen Gates, chief research intelligence analyst at NSFOCUS IB, warned: “Participating in a DDoS attack is a crime, regardless if you use a tool, a script, a botnet for hire, or a finger and a keyboard. If protesters move forward with this demonstration, they must remember that their source IP addresses in most cases will not be spoofed, meaning law enforcement can easily track those who participate.” The protester site hosting the action is up and running, even though the whitehouse.gov down campaign itself was unavailable when El Reg checked it on Thursday morning.

Court rules against man who was forced to fingerprint-unlock his phone

A Minnesota appellate court ruled Tuesday against a convicted burglar who was forced by a lower state court to depress his fingerprint on his seized phone, which unlocked it. This case, State of Minnesota v. Matthew Vaughn Diamond, marks the latest episode in a string of unrelated cases nationwide that test the limits of digital privacy, modern smartphone-based fingerprint scanners, and constitutional law. In 2015, Diamond went to trial and was convicted of burglary and two other lesser charges. He was sentenced to 51 months in prison.

Diamond appealed largely on the grounds that being ordered to unlock his phone constituted a violation of his Fifth Amendment rights against self-incrimination. Being enticed or even compelled to hand over passcodes or fingerprint-enabled passcodes gets to the heart of what law enforcement calls the “going dark” problem.

Authorities say that modern “unbreakable” encryption frustrates lawful investigations aimed at tech-savvy criminals who refuse to unlock their data. As Ars has reported before, under the Fifth Amendment, defendants cannot generally be compelled to provide self-incriminating testimony (“what you know”).

But giving a fingerprint (“what you are”) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed.
It wasn’t until relatively recently, after all, that fingerprints could be used to unlock a smartphone.

The crux of the legal theory here is that a compelled fingerprint isn’t testimonial, it’s simply a compelled production—like being forced to hand over a key to a safe. Had the defendant been forced to disclose his passcode (instead of depressing his fingerprint) to his phone, the constitutional analysis likely would have been different. “Instead, the task that Diamond was compelled to perform—to provide his fingerprint—is no more testimonial than furnishing a blood sample, providing handwriting or voice exemplars, standing in a lineup, or wearing particular clothing,” the appellate court found.

Give ’em the finger

Within weeks of the October 2014 burglary, Diamond was arrested, and the Chaska Police Department got a warrant to search his seized phone. However, investigators were initially stymied by Diamond’s passcode on his phone.

They then went back to the court and obtained a motion to compel Diamond to press his finger on the phone's fingerprint reader to open the device. He refused and was found in contempt of court—and then finally complied.

Diamond provided his fingerprint, and the phone was “immediately searched,” months after it was initially seized. After unlocking the phone, a detective obtained “incriminating evidence” of the burglary.

The specific make and model of the phone is not specified in the court’s opinion, but it is likely to have been an Android phone.
Since the introduction of the fingerprint scanner on iPhones, a passcode is required after 48 hours or after a reboot of the device. According to the appellate court’s opinion, however, there was a slight twist in what the court actually ordered.

During an April 2015 contempt of court hearing, there was confusion about which of his fingerprints would actually unlock the phone.

Addressing the prosecutors, the district court ordered, “Take whatever samples you need.” The appellate court’s opinion continued: Diamond then asked the detectives which finger they wanted, and they answered, “The one that unlocks it.” It is clear that the district court permitted the state to take samples of all of Diamond’s fingerprints and thumbprints.

The district court did not ask Diamond whether his prints would unlock the cellphone or which print would unlock it, nor did the district court compel Diamond to disclose that information.

There is no indication that Diamond would have been asked to do more had none of his fingerprints unlocked the cellphone. Diamond himself asked which finger the detectives wanted when he was ready to comply with the order, and the detectives answered his question.

Diamond did not object then, nor did he bring an additional motion to suppress the evidence based on the exchange that he initiated. In sum, because the order compelling Diamond to produce his fingerprint to unlock the cellphone did not require a testimonial communication, we hold that the order did not violate Diamond’s Fifth Amendment privilege against compelled self-incrimination. Diamond’s attorney, Cathryn Middlebrook, did not immediately respond to Ars’ request for comment as to whether she would appeal further up to the Minnesota Supreme Court.

WikiLeaks’ Assange confident of winning 'any fair trial' in the US

WikiLeaks said that its founder Julian Assange is confident of winning ‘any fair trial’ in the U.S. and indicated that the founder of the whistleblowing website would stand by all the promises he had made in return for clemency for Chelsea Manning, the former U.S. soldier who disclosed classified data relating to the Iraq War to the site. On Tuesday, Manning’s prison sentence was commuted by U.S. President Barack Obama, raising questions about whether Assange would keep his part of a deal he proposed online and agree to extradition to the U.S. WikiLeaks has recently also been a thorn in the side of the Democrats in the U.S. by releasing embarrassing emails leaked from the Democratic National Committee that showed that the organization had favored candidate Hillary Clinton over her rival Senator Bernie Sanders for the party nomination for the presidential election.
It also published mails from the account of John Podesta, chairman of Clinton’s campaign. U.S. government officials including from the Department of Homeland Security and the Office of the Director of National Intelligence have pointed a finger to Russia for orchestrating the leaks, though WikiLeaks has said it does not collaborate with states in the publication of documents. Last week, WikiLeaks had tweeted that if “Obama grants Manning clemency Assange will agree to US extradition despite clear unconstitutionality of DoJ case.” On Tuesday, WikiLeaks tweeted that Assange was confident of winning any fair trial in the US. “Obama’s DoJ prevented public interest defense & fair jury,” it added.

The new administration of President-elect Donald Trump takes charge on Friday. WikiLeaks also quoted Assange’s counsel Melinda Taylor as saying that Assange is standing by everything that he has said on the “Assange-Manning extradition ‘deal’.” Assange is holed up in the embassy of the government of Ecuador in London, as U.K. police say they will arrest him if he comes out, to meet an extradition request from Sweden, where he is wanted for questioning in a sexual assault investigation. His supporters have expressed concern that if he is sent to Sweden he could be extradited from there to the U.S. to face espionage charges. A wrinkle is that WikiLeaks claims it does not know of an extradition request sent by the U.S.
In a tweet on Tuesday, Taylor wrote that “US authorities consistently affirmed its ongoing national security prosecution against him, but refused 2 affirm/deny sent extradition request.” She added that the U.K. also refuses “to affirm or deny that they have received an extradition request -not the same thing as there being no extradition request.” Government officials in both countries could not be immediately reached for comment after business hours. In a letter to Loretta E. Lynch, U.S.

Attorney General, Assange’s lawyer in the U.S., Barry J. Pollack, wrote in August that although the Department of Justice had publicly confirmed through court documents and statements to the press that it was conducting an on-going criminal investigation of Assange, the department did not provide him substantive information on the status of the investigation.

The letter was published online by WikiLeaks. The pending investigation into Assange, mentions of which are said to have been made in court documents in the Manning case, is plainly based on his news gathering and reporting activities, Pollack wrote.
Its intention was not to aid U.S. enemies or obstruct justice but to inform people about “matters of great public interest,” he added. In a statement on Obama’s decision to commute Manning’s sentence, Assange said that “in order for democracy and the rule of law to thrive, the Government should immediately end its war on whistleblowers and publishers” such as WikiLeaks and himself.

The statement did not refer to his promise to face extradition to the U.S. “Mr. Assange should not be the target of any criminal investigation. I would welcome the opportunity to discuss with the DOJ the status of its investigation, any request it wants to make for extradition, and its basis for such a request,” Pollack wrote in an email late Tuesday.

Flash the Peace Sign, Get Your Phone Hacked?

Stop flashing the peace sign, giving a thumbs up, or waving at the camera. Flashing the peace sign may put smartphone users at risk, according to Japan's National Institute of Informatics (NII). Biometric details are readable in images taken from as ...

Programmer finds way to liberate ransomware’d Google Smart TVs

1. Enter recovery mode
2. Reset TV
3. Laugh at VXers

Television production factory LG has saved Darren Cauthon's new year by providing hidden reset instructions to liberate his Google TV from ransomware. The company initially demanded more money than the idiot box was worth to repair the TV, and relented, offering instructions for resetting the telly, after Cauthon took to Twitter to express his displeasure. The infection came after the programmer's wife downloaded an app to the TV promising free movies. Instead, it installed the ransomware, with a demand of US$500 to have the menace removed. Cauthon said LG offered factory reset steps which are not publicly revealed nor known to its customer support technicians. He says a family member showed him the TV over Christmas laden with ransomware purporting to be an FBI message bearing a notice that suspicious files were found and the user had been fined. The lame ransomware rendered the TV inoperable, which he managed to fix using the simple steps below, which may apply to other Google TVs. With the TV powered off, place one finger on the settings symbol, then another finger on the channel down symbol. Remove your finger from settings, then from channel down, and navigate using the volume keys to the wipe data/factory reset option.

Kentucky pried chicken: Fried grease chain’s loyalty club hacked

Not so finger-lookin' good now are we, Colonel Sanders?

Anti-artery campaigners KFC have urged 1.2 million customers in its Colonel’s Club loyalty scheme in the UK to ditch their account passwords for new ones after its site was hacked. The club includes an app that lets fried grease fans log in and collect Chicken Stamps to “earn ... free food rewards.” Today, KFC sent an email urging drumstick scoffers to overhaul their login details as their credentials, along with any personal information stored with their club account, may have been lifted by miscreants. “Our monitoring systems have found a small number of Colonel’s Club accounts may have been compromised as a result of our website being targeted,” the email added. “Whilst it’s unlikely you have been impacted, we advise that you change your password as a precaution.
If you use the same email address and password across other services, you should also reset them, just to be safe." Only about 30 of the 1.2 million members had been targeted, but KFC decided to inform everyone, the biz told ITV News.
It did not store credit card details in the reward scheme, so no financial information had been stolen, KFC added. The email added that the Colonel was very “sorry for any inconvenience” caused and that KFC was shoring up its database defences against the dark arts. “As this type of problem is becoming more common online, we’ve now introduced additional security measures to further safeguard our members’ accounts and to stop this kind of thing happening again.”

Sigh… ‘Hundreds of thousands’ of… sigh, web CCTV cams still at...

It's been two years and no patches, say researchers

Amid ongoing malware infections of IoT gadgets and armies of commandeered gizmos attacking servers, glaring security holes in web-connected CCTV cameras are going unpatched. So say researchers with Cybereason, who claim a pair of high-profile vulnerabilities they spotted in surveillance cams two years ago have been completely ignored by vendors – thus leaving the door wide open for miscreants to hijack potentially "hundreds of thousands" of devices and use them for attacks. Cybereason's Amit Serper says he and fellow researcher Yoav Orot exploited flaws in off-the-shelf internet-connected cameras back in 2014 in an effort to show how poor IoT security was at the time. Since then, Serper says, the bugs have not only gone unpatched, but the insecure code has popped up in network camera firmware shipped by dozens of manufacturers selling their weak wares on Amazon.

The Cybereason pair finger VStarcam as one vendor of vulnerable kit. "I’m also not releasing the names of all the camera vendors," said Serper. "This would encourage hackers to look for the software flaws.
I named VStarcam since their cameras are readily available from eBay and Amazon.

Their cameras are also sold under the name Eye4." You can use this handy web widget to find out if you have an insecure cam from its serial number and other bits of information. "Most of the cameras run older versions of Linux, like version 2.6.26, while a few run the most recent version from around 3.0 and up," Serper continued. "While the OS is somewhat modern, all the cameras were running extremely old and vulnerable software ... the web server software found in many of the cameras, for example, was from around 2002." Thanks to programming blunders left in this crusty old code, attackers can bypass authentication checks to access the camera's stored files and pull the administrator password.

From there, the camera's web server could be accessed and a second exploit could be used to gain root privileges that would allow the hacker complete control over the camera, including the ability to execute code, spy on the hardware's owners, and pressgang the cam into joining a botnet. Serper notes that even if the dozens of different camera vendors using this vulnerable software were to deploy the fix, cameras already in use would remain vulnerable, as they lack the ability to properly receive and install software updates. Thus, the only solution to fully close the flaw is to throw out the cameras and buy units with patched software.

Below is a video showing how easy it is to exploit an at-risk, internet-facing surveillance camera remotely. While these flaws are a serious issue on their own, Serper says that they reflect an even larger problem: the ongoing lack of proper security practices and patching techniques on the part of IoT hardware manufacturers and the researchers who help them find and fix holes. "A smart (insert device here) is still a computer, regardless of its size.
It has a processor, software and hardware and is therefore vulnerable to malware just like a laptop or desktop," Serper explained. "Whether the device records The Walking Dead or lets you watch your cat while you're at work, attackers can still own it."

Threat and Records Management to Dominate in 2017; With Artificial Intelligence,...

Press Release

Roy Russell, CEO of Ascertus Limited, highlights his view on the technology trends in the legal sector in 2017:

Threat management will play a key role in security efforts

With the continued onslaught of cyber-crime in all its various guises – phishing, ransomware, whaling, smishing and so on – security will be high up on the agenda in the legal sector.
In addition to traditional reactive security measures, law firms will look to actively make pre-emptive security a priority.

To support this requirement, legal technology vendors will embed threat monitoring and management into the core business applications that firms use. Linking big data with behavioural intelligence based on system history, such tools will create, study and monitor the fingerprint of every single user and alert the organisation to unusual actions and activities.

These threat management solutions will very accurately highlight the usage patterns of employees based on their role in the organisation.

Consequently, any peculiar or untoward activity will be relatively easy to spot, potentially identifying attacks in progress and even improving the ability to detect future breaches.

Records management systems will grow in importance and functionality

Records management is becoming essential for regulatory compliance and data security, driven to the forefront of firms’ agendas by the impending arrival of the General Data Protection Regulation (GDPR).

The ability to automatically apply company retention policies to physical files, electronic documents and email correspondence based on good governance practices in both controlled and uncontrolled environments, from a range of device types, as well as inside and outside the corporate firewall, will become essential. Historically, records management has been viewed as a burdensome elective process, relying upon users to manually apply the correct retention policies to their individual records.

This has rarely been effective.

To support the more widespread use of records management in view of the business imperatives, software vendors will make their systems more affordable and processes more user friendly and intuitive.

For example, in recent times we have seen the rise of separate record management systems that can auto-categorise and automatically apply retention policies, thus eliminating manual effort. Unfortunately, to date these types of solutions have been very expensive.

The new breed of records management systems will provide such functionality as standard.

They will also provide full management of many types of data repositories, both physical paper and electronic based, including tight integration with document management systems, network file shares, SharePoint repositories, and other data stores.

Artificial intelligence (AI) initiatives will continue, but in the vein of commoditisation

AI is garnering interest in the legal sector, but a closer inspection of the tools and apps being made available reveals that they are presently more similar to commoditised legal services in the form of packaged, low cost modules for areas such as wills, contracts, pre-nuptials and non-disclosure agreements for the benefit of consumers. Undoubtedly, AI offers tremendous potential and some large law firms have launched initiatives to leverage the technology. However, there’s a significant amount of work to be done in defining the ethical and legal boundaries for AI, before the technology can truly be utilised for delivering legal services to clients with minimal human involvement. Until then, in 2017 and perhaps for a few more years yet, we will continue to see incremental innovative efforts to leverage the technology, but in the vein of commoditisation – similar to what we have seen in the last 12 months.

Note to the editor: Roy Russell is available to discuss and substantiate his view with further detail.

About Ascertus Limited

Ascertus provides information and document lifecycle management consultancy, software solutions and IT support services to law firms and corporate legal departments.

Based in Central London, the company offers a full range of professional services – from consultancy, business analysis and project management; to software implementation, training, documentation and technical support – delivering bespoke email, contract and document management solutions in on-premises and privately hosted environments.

The company has successfully delivered and managed some of the largest iManage Work installations at customer sites in the UK.

For more information, visit: www.ascertus.com.

Media contact: TagusPR, Vidushi Patel, vidushi@taguspr.co.uk, +44 7958474632