
Tag: Takeover

Check Point Discovers Media Subtitle Vulnerability Impacting Millions

200 million users could potentially be at risk from vulnerabilities in streaming media players that can enable malicious subtitles to take over systems.

Flickr Vulnerability Worth $7K Bounty to Researcher

Yahoo has patched an account takeover vulnerability on its Flickr image-hosting service that earned an independent security researcher a $7,000 bounty.

Amazon opens up Alexa voice and text tech for developers to...

New "Lex" platform makes Alexa's intelligence available to all.

Android devices can be fatally hacked by malicious Wi-Fi networks

Broadcom chips allow rogue Wi-Fi signals to execute code of attacker's choosing.

WhatsApp, Telegram Vulnerabilities Exposed Users to Account Takeover

WhatsApp and Telegram patched vulnerabilities in the last week that could have let an attacker take over a user's account.

Sift Science releases account takeover prevention tool

As we move more of our lives online, fraudsters are using account takeover attacks, which allow them to access richer information and cause more damage.

Now there’s a better way to prevent Facebook account takeovers

Site enhances two-factor authentication with crypto keys that plug into USB slots.

DHS Adds Elections Machines, Systems to Critical Infrastructure List

Individual states will still have oversight and control over their election systems, but the move makes a statement “domestically and internationally” that the U.S. considers its elections critical, the agency says.

The U.S. Department of Homeland Security designated the nation's election technology and systems as critical infrastructure, giving state election officials access to technical and policy aid from the agency. The move, announced Jan. 6, makes the election infrastructure in the United States part of the government-facilities critical infrastructure sector, one of the 16 sectors deemed crucial by the U.S. government. Other sectors include health care, energy and the defense industrial base.

While some states have reportedly opposed the designation, the DHS assured election officials that states would still have full oversight and responsibility for running elections. The designation “makes clear both domestically and internationally that election infrastructure enjoys all the benefits and protection of critical infrastructure that the U.S. government has to offer,” DHS Secretary Jeh Johnson said in a statement announcing the decision. “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law.”

The announcement comes three months after top intelligence officials issued a statement attributing attacks against the Democratic National Committee, the campaign of Hillary Clinton, and state election systems to Russia.

The Obama administration released additional details of the attacks and the evidence gathered by intelligence and law enforcement officials earlier this month. The act of designating election systems as critical infrastructure means that the DHS will be able to work more closely with states to secure a variety of election-related technologies, processes and locations, including storage facilities and polling places, information and communications technology related to voting, and the voting machines themselves.

Election-security groups have long called for the infrastructure to be designated critical. Verified Voting, a group of voting experts, has pushed for election systems to be deemed critical since 2013, Pamela Smith, president of Verified Voting, told eWEEK in an e-mail. “Voting systems should receive at least as much attention and care as other critical infrastructure systems do,” Smith said. “The fact that all or nearly all of the 50 states as well as more than 30 local jurisdictions availed themselves of support from Department of Homeland Security this year in the run-up to the election makes it clear that cyber-security considerations in elections are serious.”

DHS' Johnson acknowledged the concerns that many state election officials have raised about DHS designating election technology as critical infrastructure. “It is important to stress what this designation does and does not mean,” Johnson said. “This designation does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country. This designation does nothing to change the role state and local governments have in administering and running elections.”

While the change in status is a good initial step, Verified Voting’s Smith stressed that election officials should still require that audits of all voting be conducted following an election, as a defense against fraud and machine error. “Even where voting systems are recount-able and auditable—we don't have robust audit requirements in place in at least half of those locations—we are not yet able to say authoritatively that our elections are secure,” she said. “We can do better.”

DHS Designates Election Systems As Critical Infrastructure

The Department of Homeland Security has deemed the nation's voting system as part of its critical infrastructure, citing security reasons.

The US Department of Homeland Security (DHS) has designated the nation's election system as part of its critical infrastructure, a status change it has been debating for the past few months. There are 16 critical infrastructure sectors and 20 subsectors. In a statement issued Jan. 6, DHS Secretary Jeh Johnson explained why the US voting system will become a subsector of the Government Facilities critical infrastructure division. "Election infrastructure is vital to our national interests, and cyber attacks on this country are becoming more sophisticated, and bad cyber actors -- ranging from nation states, cyber criminals and hacktivists -- are becoming more sophisticated and dangerous," he said.

This infrastructure spans all systems used to manage elections, including storage facilities, polling locations, and voter registration databases. As critical infrastructure, these are eligible for prioritized security assistance from the DHS, if requested. Further, voting systems will be part of US efforts to improve incident response capabilities, as well as streamlined access to both classified and unclassified information shared by critical infrastructure operators.

Information sharing is a key benefit in this case, says Travis Farral, director of security strategy at Anomali and former elections judge in Texas. The United States' infrastructure for tallying votes is decentralized, which is a "double-edged sword" in terms of security. "It's harder for someone to attack a single authority," he says, because voting systems are different in each state. "But when trying to dictate security for varying apparatuses, it's difficult for the federal government to protect all that."

The elevation to critical infrastructure will enable local and state election organizations to quickly share information and connect with the DHS to receive updates related to elections, security events, or the geopolitical environment, Farral continues. It’s a benefit to local municipalities where funding is low and officials want to ensure the integrity of elections. The critical infrastructure designation will give them multiple resources to stay connected and receive a coordinated, streamlined flow of information.

Johnson noted many state and local officials were against the designation, due to concerns about federal takeover of local election processes. He explained how the designation "does not mean a federal takeover, regulation, oversight or intrusion concerning elections in this country. This designation does nothing to change the role state and local governments have in administering and running elections." Farral echoes this, noting how the power of election processes still resides with each state. Greater steps would have to be taken in order to change how elections are run.

However, the future is unclear. "This may not be where things end," he notes, acknowledging the uncertainty of a new president and administration. "It's possible there may be additional changes, or some legislation in Congress designed to make more changes." Individual states may implement their own changes to improve election security, he adds.

This news arrived at a critical time for US cybersecurity. On the same day it was issued, the US Office of the Director of National Intelligence released a report explaining Russia's role in conducting cyberattacks to interfere with the US election. This likely wasn’t by chance. "This announcement was probably timed to coincide with the release of the report, but it's hard to say for certain," says Farral.

Kelly is an associate editor for InformationWeek.

It’s official: US election systems designated as critical

On Friday, US Homeland Security Secretary Jeh Johnson designated election systems to be part of the nation's critical US infrastructure. He said this move would better protect elections from increasingly sophisticated hacking. "Now more than ever, it is important that we offer our assistance to state and local election officials in the cybersecurity of their systems," Johnson wrote in a statement published late Friday afternoon. "Election infrastructure is vital to our national interests, and cyber attacks on this country are becoming more sophisticated, and bad cyber actors—ranging from nation states, cyber criminals and hacktivists—are becoming more sophisticated and dangerous."

The designation came the same day that US intelligence officials published an unclassified version of a report concluding that Russian Federation president Vladimir Putin directly ordered intelligence agencies to collect data from the Democratic National Committee, the Hillary Clinton presidential campaign, and other organizations. The agencies then oversaw an effort to discredit Clinton, the Democratic party, and the US democratic political process through “information operations," according to the report, which was jointly written by the Central Intelligence Agency, the National Security Agency, and the FBI. Friday's declassified report says that Russian intelligence services "obtained and maintained access to elements of multiple US state or local electoral boards," but went on to conclude that none of the affected systems was involved in vote tallying. In August, voter registration systems in Arizona and Illinois were reportedly targeted by hackers. Election officials in Arizona said the FBI warned them the attempted intrusion was carried out by Russians, but they didn't say if the hackers were state-sponsored or financially motivated.

Sixteen US sectors are classified as critical infrastructure, including chemical manufacturing, dams, and emergency services. Friday's designation adds election systems as a subsection to the existing government facilities sector. The DHS published a fact sheet concerning the move. Johnson sought to head off criticism from some state officials opposed to the new designation. "This designation does not mean a federal takeover, regulation, oversight, or intrusion concerning elections in this country," he wrote. "This designation does nothing to change the role state and local governments have in administering and running elections."

Greatest Hits Of 2016: Readers' Picks For The Year's Best Commentary

Here's what topped the Dark Reading page-view charts from the security industry's brightest minds, coolest rock stars, and up-and-coming leaders.

The hacking thriller Mr. Robot may have been snubbed by the 2017 Golden Globe Award nominating committee this month, but security researcher Sarah Vonnegut’s blog, 5 'Mr. Robot' Hacks That Could Happen in Real Life, about the award-winning season one, pulled in the highest number of readers of all the contributed content we published in 2016. Vonnegut, an application security community specialist at Checkmarx, offered a reality check to anti-hero Elliot’s premier season hacking prowess, and garnered a whopping 14,738 page views from Dark Reading fans of the show.

Other 2016 favorites from our roster of contributors include:

Rethinking Application Security With Microservices Architectures (6,804 views, 4/15/2016), by Ranga Rajagopalan, Chief Technology Officer, Avi Networks. The advantages offered by the container model go against many of the assumptions of traditional security mechanisms. Here are 5 new concepts & 4 best practices you'll need to understand.

Security Portfolios: A Different Approach To Leadership (6,802 views, 8/11/2016), by Adam Shostack, Founder, Stealth Startup. How grounding a conversation around a well-organized list of controls and their goals can help everyone be, literally, on the same page. Part seven of an ongoing series.

How To Stay Safe On The Black Hat Network (6,722 views, 7/28/2016), by Neil R. Wyler (Grifter), Threat Hunting and Incident Response Specialist, RSA. Black Hat attendees may have changed their titles and now carry business cards, but hackers gotta hack and there's no better place to do it than Black Hat.

The Secret Behind the NSA Breach: Network Infrastructure Is The Next Target (6,683 views, 8/25/2016), by Yoni Allon, Research Team Leader, LightCyber. How the networking industry has fallen way behind in incorporating security measures to prevent exploits to ubiquitous routers, proxies, firewalls, and switches.

Anatomy Of An Account Takeover Attack (6,389 views, 2/23/2016), by Ting-Fang Yen, Research Scientist, Datavisor, Inc. How organized crime rings are amassing bot armies for password-cracking attacks on personal accounts in retail, financial, gaming, and other consumer-facing services.

20 Endpoint Security Questions You Never Thought to Ask (5,696 views, 10/26/2016), by Joshua Goldfarb, VP & CTO - Emerging Technologies, FireEye. The endpoint detection and response market is exploding! Here's how to make sense of the options, dig deeper, and separate vendor fact from fiction.

5 Soft Skills Young Cybersecurity Professionals Need to Get Ahead (5,615 views, 6/14/2016), by Todd Thibodeaux, President & CEO, CompTIA. Today's employers aren't looking for recruits who can maintain firewalls and mitigate risk. They want well-rounded professionals who can apply security expertise across the business to yield bottom-line results.

Why Social Media Sites Are The New Cyber Weapons Of Choice (5,387 views, 9/6/2016), by Nick Hayes, Analyst, Forrester. Facebook, LinkedIn, and Twitter can't secure their own environments, let alone yours. It's time to sharpen your security acumen.

Changing IoT Passwords Won't Stop Attacks. Here's What Will (5,173 views, 11/7/2016), by Paul Madsen, Senior Technical Architect, Ping Identity. The solution will take an industry-wide effort, it won't happen overnight, and the problem is not the users' fault!

Do you have a favorite contributor commentary of 2016? Share it in the comments!

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years.

Facebook charged with misleading EU over $22 billion WhatsApp takeover

Facebook has been accused of misleading the European Commission over its $22 billion takeover of WhatsApp in 2014—when the Mark Zuckerberg-run company claimed that it wouldn't be able to knit together user IDs, thereby combining the data of the two services. Brussels' competition officials issued a charge sheet against Facebook on Tuesday, in which it is alleged that the free content ad network failed to disclose that "the technical possibility of automatically matching Facebook users' IDs with WhatsApp users' IDs already existed" at the time of the merger.

Antitrust chief Margrethe Vestager said that companies must provide "accurate information" during routine competition probes into planned acquisitions. "They must take this obligation seriously," she said. "In this specific case, the commission's preliminary view is that Facebook gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp. Facebook now has the opportunity to respond."

Facebook has been slapped with a so-called Statement of Objections by the commission, which claims that the multinational "intentionally, or negligently, submitted incorrect or misleading information" to the competition wing of the EC, thereby allegedly breaching its obligations under the EU Merger Regulation. It comes after WhatsApp confirmed in August that it planned to merge user phone numbers with Facebook user accounts—much to the chagrin of privacy campaigners in Europe. At the time, it claimed that the information would be used to offer users "more relevant" Facebook ads, new "ways for people to communicate with businesses" via the app, and new friend suggestions.

By mid-November, Facebook had stopped sharing WhatsApp user data across Europe, after it was forced to respond to regulatory pressure in the UK and Germany. Weeks earlier, data watchdogs across the EU who sit on the Article 29 Working Group urged Facebook "not to proceed with the sharing of users' data until the appropriate legal protections can be assured." Now Vestager's office has separately entered the fray with tentative charges brought against Facebook that could lead to it being fined up to one percent of its annual turnover.

The commission also explained the rationale behind its decision to wave through Facebook's buyout of WhatsApp unchallenged in late 2014. It said:

"With respect to consumer communications services, the commission found that Facebook Messenger and WhatsApp were not close competitors and that consumers would continue to have a wide choice of alternative consumer communications apps post-merger. Although consumer communications apps are characterised by network effects, the investigation showed that a number of factors mitigated the network effects in that case.

"As regards social networking services the commission concluded that, no matter what the precise boundaries of the market for social networking services are and whether or not WhatsApp is considered a social network, the companies are, if anything, distant competitors.

"With respect to online advertising, the commission concluded that, regardless of whether Facebook would introduce advertising on WhatsApp and/or start collecting WhatsApp user data for advertising purposes, the transaction raised no competition concerns. This is because, besides Facebook, a number of alternative providers would continue to offer targeted advertising after the transaction, and a large amount of Internet user data that are valuable for advertising purposes are not within Facebook's exclusive control."

Facebook now has until the end of January to respond to the EC's charge sheet. "We respect the commission's process and are confident that a full review of the facts will confirm Facebook has acted in good faith," Facebook said. "We've consistently provided accurate information about our technical capabilities and plans, including in submissions about the WhatsApp acquisition and in voluntary briefings before WhatsApp's privacy policy update this year." It added: "We're pleased that the commission stands by its clearance decision, and we will continue to cooperate and share information officials need to resolve their questions."

Vestager warned at the start of this year that she was eyeballing US tech giants that hoard vast amounts of user data. She said that following close scrutiny, Google's acquisition of DoubleClick and Facebook's buyout of WhatsApp both got the go-ahead, adding that data issues did not, and should not, be linked only to investigations into alleged privacy abuses. However, her concerns about the lack of clarity around how much data is being used by online services, such as messaging apps and video-streaming sites, clearly left the commission flat-footed given that it has only now spotted an alleged discrepancy with Facebook's takeover of WhatsApp.

This post originated on Ars Technica UK