And the gang has threatened to out one of the US spy agency's ex-operatives who it claims hacked Chinese targets.…
In most companies, managers don’t have the authority to give you new responsibilities or a pay increase.
They must go through the proper channels to get approval. “While it’s natural to feel antsy while waiting for the raise they asked for, it’s critical to find some more productive, tactful ways to prove their worth in the meantime,” says Vip Sandhir, CEO and founder of HighGround, an HR software company.
The research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain. “I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a 2014 flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic inflight display.
A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.” IFE system vulnerabilities identified by Santamarta might most straightforwardly be exploited to gain control of what passengers see and hear from their in-flight screen, he claimed.
For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.
An attacker might also compromise the "CrewApp" unit, which controls PA systems, lighting, or even the recliners on first class seating.
If all of these attacks are applied at the same time, a malicious actor may create a baffling and disconcerting situation for passengers.
Furthermore, the capture of personal information, including credit card details, is also technically possible due to backend systems that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data, said the researcher.

Aircraft data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger-owned devices, airline information services, and finally aircraft control.
Avionics is usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen.
This means that as long as there is a physical path that connects both domains, there is potential for attack.
The specific devices, software and configuration deployed on the target aircraft would dictate whether an attack is possible or not.
Santamarta urged airlines to steer towards a cautious course. “I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analysed case by case.” IOActive reported these findings to Panasonic Avionics in March 2015.
It only went public this week after giving the firm “enough time to produce and deploy patches, at least for the most prominent vulnerabilities”. Panasonic Avionics’ technology is used by several major airlines including Virgin, American and Emirates. El Reg asked Panasonic Avionics to comment on IOActive's research but we’ve yet to hear back. We’ll update this story as and when we learn more.

The avionics research has some parallels with IOActive’s remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the automobile’s entertainment system. Once again, it appears entertainment systems have created a potential route into sensitive systems that hackers might be able to exploit.

Stephen Gates, chief research intelligence analyst at NSFOCUS, commented: “In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s 'experience' while flying, but have yet to prove they could impact flight control systems,” he added. ®
Modern kids have never known a time when they couldn't connect to the whole world using the Internet. They're probably more at home online than you are. The problem is, there are things on the Internet that you'd rather they didn't encounter. Sites promoting violence. Sites full of hate. Pornographic sites that promote a skewed notion of human sexuality. You can't supervise every moment that they're surfing the Web on a PC, much less on a smartphone or tablet. That's where parental control software comes in, with the ability to filter out unwanted content, limit screen time, and in some cases monitor social media interactions.
Note that these applications can't substitute for good communication. If you don't want your kids to visit certain kinds of sites, talk to them about your concerns. And do take time to convince older kids that you'll respect their privacy while monitoring their online actions. Otherwise, you can be sure they'll find ways to evade even the most sophisticated system.
Parental Control Basics
Most parental control tools include content filtering—the ability to block access to websites matching unwanted categories such as porn, violence, and hate. This type of filtering only really works if it's browser-independent, and full coverage requires filtering secure (HTTPS) traffic. With no HTTPS filtering, a smart teen could bypass the system using a secure anonymizing proxy website like MegaProxy or Hide My Ass.
Access scheduling is another very common feature. Some applications let parents set a weekly schedule for Internet access, some control computer use in general, and some offer both as choices. A daily or weekly cap on Internet usage can also be handy.
Devices, Devices, Devices
Long gone are the days when a single parental control utility on the singular Family PC sufficed. Modern kids use all kinds of Internet-connected devices, and modern parental control systems must keep up.
Before settling on a particular parental control utility, you'll want to make sure that it supports all of the device types found in your household. While all the products in the chart above support Windows, support for Mac OS, Android, and iOS varies. Check, too, that any limits on the number of child profiles or devices won't be a problem. And if your kids are strictly mobile, take a look at our roundup of mobile-centric parental control apps.
If getting parental control coverage installed on each of your family's devices starts to seem too difficult, consider a whole-network solution. These systems perform content filtering at the router level, so your settings affect every device on the network. Naturally you don't get the same fine level of control and detailed monitoring that you get with a local agent on each device, but wow, is it ever simple!
Social Media Tracking
As the kids get older, content filtering may start to seem pointless. Hey, you let them watch Game of Thrones, right? At some point you start to worry more about their interaction with the wide, wide world. Sure, if their friends come over to play Street Fighter V or Guilty Gear Xrd in person, you can at least meet them. But what about friends on social media? Who are they, really, and what are your kids discussing with them?
That's where social media trackers come in. Typically you have the option to limit your view to posts and interactions that contain words or phrases that might indicate something inappropriate. Also typically, if you really want to you can dig in and see everything.
In most cases, installation of social media tracking requires that you know your child's login credentials, or that you convince the child to log in and install the tracker's app. Disabling this kind of data collection is a snap for the child, so here, more than ever, you need to get agreement from your child.
Remote Notification and Management
With most parental control systems, you can opt to receive notification via text or email when your child tries to visit a blocked site, makes a post using iffy language, or otherwise bends the rules. Some of these tools let kids remotely request parental override to unblock a particular site, or get extra time online to finish homework.
In most cases, you manage your parental control system by logging in to an online console. From the console, you can tweak settings, review activity reports, or respond to a child's override request. And any changes you make propagate to your children's devices when they connect to the Internet.
When you get beyond the basics, parental control systems start to diverge, with many advanced features to help them stand out from the crowd. Some limit access to games, TV shows, and movies based on ratings. Some let parents control just who the kids can chat with via various instant messaging systems. Blocking specific applications is another advanced feature, as is forcing Safe Search on popular search portals.
You'll also find advanced versions of standard features. For example, the best content filters don't just use a database of categories. They analyze page content in real time so that, for example, they can allow access to a short-story site but block the erotica. To learn about these advanced features, and to make an informed choice for your own family, you'll need to read our full reviews.
FEATURED IN THIS ROUNDUP
With configuration and reporting moved to the Web, ContentWatch Net Nanny 7 is fully at home in the modern multi-device world of parental control, and it still has the best content filtering around. Net Nanny 7 is a parental control Editors' Choice.
With Qustodio Parental Control 2015, you can keep track of your children's online activity on PC, Mac, iOS, Android, or Kindle devices. Its rich feature set and clever social media tracking make it a new Editors' Choice for parental control.
Symantec Norton Family Premier lets parents track and manage their children's use of Windows, Android, and iOS devices. Its completely Web-based configuration and wealth of features make it a great choice for parental control.
Kaspersky Safe Kids offers well-rounded, very affordable parental control and monitoring, and it doesn't limit the number of child profiles or devices you can cover. It's an excellent choice.
You configure Mobicip's parental control options online, and a local agent enforces the rules on your children's devices. In testing, we hit a few communication problems, but overall it's a good choice for the modern multi-device family.
OpenDNS Home VIP applies parental control and monitoring at the network level, for all your devices, and its essential features are available for free. Consider using it in conjunction with a more conventional parental monitoring tool.
When you configure your router to use SafeDNS, you can filter out dangerous or objectionable content for every device that connects using your home network. Just don't expect a full range of parental control features.
“They entrusted our campaign with this information,” Honda campaign lawyer Gautam Dutta told Ars. “We consider it a cyberattack. You basically have your political opponent obtaining and using your confidential information, obtained through the Internet in an illegal manner.” Even after the contract with Arum Group ended in December 2014, the Honda campaign didn't notice that anything was amiss until May 2016.
According to Dutta, that’s when Dropbox sent an e-mail notification about file access that the current fundraiser could not understand. “He went to our former fundraiser about this, and she made the discovery that Mr. Parvizshahi still had access to that account, and she immediately revoked it,” Dutta said.

CFAA strikes again

In addition to Parvizshahi, Khanna and the “Ro for Congress” campaign were named in the suit as defendants. Khanna and his campaign were officially served with the lawsuit Thursday night at a campaign event in Fremont, California. Parvizshahi resigned from his position on Thursday evening and has yet to be served with the lawsuit. He has not responded to Ars’ requests for comment. The Khanna campaign did not immediately respond to Ars’ requests for comment, but Khanna spokesman Hari Sevugan provided a statement to the Los Angeles Times. He wrote:

By filing this lawsuit with six weeks to go and down in the polls, [Parvizshahi] believes Mike Honda is trying to distract voters from the ongoing ethics investigation into how he sold special governmental access to his VIP donors after accepting $3 million in PAC contributions. And Brian will not let Mike Honda use him to distract voters from the need for real change.

The criminal portions of the Computer Fraud and Abuse Act have drawn scrutiny in recent years, as they have been the vehicle for numerous high-profile prosecutions, including that of Matthew Keys. The CFAA is the same law that was used to prosecute activist Aaron Swartz, which ultimately resulted in his suicide.
It is the same law that President Barack Obama has said he would like Congress to expand to encompass broader reach and longer prison sentences.
After Swartz’s death, some lawmakers proposed Aaron’s Law, a Congressional bill that would aim to rein in some of the expansions of the CFAA, but it has languished in Congress. The CFAA also has a civil portion, which is nearly identical to the criminal section.
It allows anyone to bring a lawsuit. Ahmed Ghappour, a law professor at San Francisco’s University of California, Hastings, said that the Honda campaign has a strong case. He told Ars:

Under 9th Circuit law, Parvizshahi’s access to the files was arguably “unauthorized” for two reasons. First, Honda’s termination of Arum Group effectively rescinded any previous grant of permission to Arum Group employees to access the Dropbox files. Second, Arum Group’s termination of Parvizshahi (or his voluntary departure, as may be the case) likely had the effect of rescinding permission to access Arum Group’s client files, past or present.

Professor Ghappour pointed to a notable civil CFAA decision at the 9th Circuit Court of Appeals from 2009, LVRC Holdings v. Brekka. In Brekka, the 9th Circuit held that a person uses a computer without authorization “when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” This opens up liability in the post-employment context.
Courts in the Northern District of California have found that the employer doesn’t need to revoke the employee’s access credentials for there to be unauthorized access post termination. Under this interpretation, termination is sufficient to provide notice. Beyond the civil liability, Parvizshahi could still face criminal prosecution. “This is a very serious matter, and we would urge the federal authorities to look into it,” Dutta added.
The later destruction of the e-mails during the continuing investigation was apparently, as Combetta told investigators, an "oh-shit moment."

On July 24, 2014, a reddit user with the screen name "stonetear" posted to r/exchangeserver looking for advice on a vexing problem:

Hello all- I may be facing a very interesting situation where I need to strip out a VIP's (VERY VIP) email address from a bunch of archived email that I have both in a live Exchange mailbox, as well as a PST file. Basically, they don't want the VIP's email address exposed to anyone, and want to be able to either strip out or replace the email address in the to/from fields in all of the emails we want to send out. I am not sure if something like this is possible with PowerShell, or exporting all of the emails to MSG and doing find/replaces with a batch processing program of some sort. Does anyone have experience with something like this, and/or suggestions on how this might be accomplished? ...The issue is that these emails involve the private email address of someone you'd recognize, and we're trying to replace it with a placeholder address as to not expose it.

Based on other social media profiles and a Google e-mail address, "stonetear" appears to have been Paul Combetta, according to the work of members of Reddit's r/conspiracy.
The date of the post is interesting because it is the day after the State Department and the House Select Committee on Benghazi reached an agreement on producing records related to the Benghazi investigation—but months before the State Department actually requested private e-mails related to work from Clinton and former Secretaries of State Colin Powell and Madeline Albright. That is also the timeframe during which Clinton's chief of staff Cheryl Mills told Platte River Networks to export all of the e-mails sent by Clinton to ".gov" e-mail addresses to a separate .PST mailbox file in preparation for the investigation, according to FBI interviews (PDF) with Mills and a redacted Platte River Networks employee—Combetta.
The report does not say whether Mills requested Combetta do anything else with the e-mails before turning them over—such as scrubbing the incriminating personal domain name from the e-mails before they were passed to Congress to avoid revealing Clinton was using a personal domain for her e-mail, or allowing her e-mail address to become public record. In any case, it turned out that Combetta could not easily erase that information without directly editing the contents of the e-mail files.
A number of tools were suggested by reddit posters as a way to perform some fixes or to correct the problem in the future, but none of the suggestions would have easily stripped e-mail addresses from within a .PST file of the size he was dealing with. In the end, the .PST archive file was passed to Clinton's lawyers.
Clinton's use of a private e-mail domain was exposed before by the New York Times in March of 2015—though it had previously been exposed by the Romanian hacker Marcel Lazar Lehel (aka "Guccifer") two years earlier, without being widely investigated.

Captain BleachBit

In December of 2014, after the e-mails were provided, Mills apparently requested a change to the retention policy for e-mails on the private server, telling Combetta that Clinton didn't want any of her e-mails going forward to be retained for more than 60 days.
But as had happened with many requests from Clinton's staff—including the request to encrypt the contents of the mail repositories to protect them—the Platte River Networks technicians never implemented the policy. Combetta gave conflicting information several times about Clinton's e-mails on the server.
But in a final follow-up interview this May, Combetta came clean to the FBI and "indicated he believed he had an 'oh shit' moment" when he realized he had not implemented the 60-day policy for Clinton's post-State Department e-mails. Instead of purging e-mails in her current mailbox, "sometime between March 25-31, 2014 [Combetta] deleted the Clinton archive mailbox from the [Platte River Networks] server and used BleachBit to delete the exported .PST files he created on the server system containing Clinton's e-mails," the FBI report on the investigation recounted. He then realized that he had deleted e-mails he was supposed to retain because of the investigation's preservation request, even though he was aware that "he should not disturb Clinton’s email data," the FBI noted.
This shady marketplace has done everything a legitimate “digital” business should do. Hitherto, what are euphemistically called “booter” services have been pretty obscure.
But if anything deserves an as-a-service label (“-aaS”, as in software as a service, SaaS, or platform as a service, PaaS) created in its honour, it’s the 'DDoSaaS' or perhaps 'DoSaaS' industry: denial-of-service-as-a-service. We now know much more about the marketplace because its leading business, vDOS, was hacked this year, and security expert Brian Krebs has been joining the dots. Krebs has documented the DaaS business for some years, a thankless job resulting in regular attacks on Krebs' own website.
The key business and technical architects also helpfully described it in an academic paper. Two Israelis allegedly behind vDOS, both 18, were arrested after an FBI investigation.
The site had been operating for four years. vDOS offered four retail tiers: from a $19.99 “bronze” plan to a $199/month “VIP plan”. Just as blogs and social media “democratised” the media, by making the tools of production and distribution cheap and readily available, so too did booter services. To take a site you didn’t like offline you used to have to have a network of contacts and great technical expertise.
But the booter services put a DDoS attack into anyone’s hands, and all it took was a quick retail transaction, for as low as $20.
Booter services were the Uber of DDoS. How’s that for disruption? “To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement.
The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last,” Krebs noted, adding: And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic. Like many “booter” services, vDOS had been hiding behind CloudFlare’s CDN.
The CloudFlare CDN acts as a cloaking service, and has been criticised for keeping pro-ISIS sites online.
CloudFlare has also been under fire for doxing; a sample of CloudFlare’s clients can be found here. In a January post entitled Spreading the disease and selling the cure, Krebs observed: “The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online.” As well as providing protection for the DoS [denial of service] industry, CloudFlare operates a DoS-protection service for clients worried about DoS attacks. Krebs added: “If CloudFlare adopted a policy of not enabling booter services, it could eliminate a huge conflict of interest for the company and – more importantly – help eradicate the booter industry.” CloudFlare says it responds to individual law enforcement requests and will not proactively police its network for DDoS-ers.

What made vDOS particularly interesting was that it operated in both “retail” and “wholesale” markets. “PoodleStresser, as well as a large number of other booter services, appears to rely exclusively on firepower generated by vDOS,” Krebs notes. This isn’t unusual in legitimate sectors. A food manufacturer may sell white label versions of its goods to supermarkets, and mobile networks have for years made better use of their capacity by wholesaling to MVNOs (mobile virtual network operators).

The vDOS pair maintained a network of PayPal accounts, but many of the participants are US based. Damon McCoy, cited at Krebs' blog, notes that vDOS blocked clients from disabling Israeli sites, most likely to avoid unwanted attention from authorities at home: “The main reason was they didn’t want to make trouble in their local jurisdiction in the hopes that no one in their country would be a victim and have standing to bring a case against them.” The cover story offered by booter operations is that the software has a legitimate use: for sites to stress test their own web servers.
In reality, the “democratization of DDoS” – with kits available on the dark web for a fiver – means that buying DDoS protection offered by CloudFlare is almost mandatory. ®
The audio and visuals are undeniably impressive.
The tech features an eight-core processor, a Qualcomm Snapdragon 810. Sirin Labs’ hardware features Koolspan’s TrustChip processor.
The phone operates in two modes: a regular high-end Android phone where users can download apps and an encrypted mode isolated from the operating system and connected devices. A switch on the back of the device enables "shielded mode" for encrypted texts and calls.
This enclave comes with a walled garden.
Sirin Labs is a Swiss firm but its R&D team is based in Israel and its marketing and sales team is based in London.
The device is pitched at business users, tech lovers and high net worth individuals. Chief executive officer Tal Cohen, whose background is in internet advertising startups rather than mobile or security, said his firm had identified a niche market comparable to the high-end watch market but for smartphones.
Its potential customers wanted ease of use, a general purpose phone and security in one device.
The device is pitched at investment bankers, lawyers, accountants and investment houses. The smartphone features mobile security from Zimperium and support for Qualcomm’s TrustZone technology.
Cohen described the devices as Mobile Device Management “friendly” but wasn’t immediately able to provide details even when pressed on this point. MDM technology allows corporate IT managers to support the BYOD trend, aspects of which involve people using personal devices instead of relying on company-issued kit. Such execs looking for the last word in security can already use the Blackphone, which comes from crypto wars hero Phil Zimmermann and former Navy SEALs, a formidable combination. Much is known about the security aspects offered by the Blackphone, whereas the Solarin handset’s security bona fides are yet to be substantiated or even specified.
Cohen told El Reg that the smartphone featured anti-tampering on the ROM as well as app protection from anything below “agency-level attacks”. Post-Enron and after the LIBOR rate-fixing scandal, the use of the technology in investment banking or other heavily regulated industries seems problematic. Yet that’s not really the market the Solarin is aimed at, even though the marketing blurb may say otherwise.
The Solarin handset is a gold-plated iPhone for those who prefer Android. “It’s the most advanced technology for those where cost is not an issue,” according to Cohen.
Asked by El Reg what car the Solarin would be if it was an automobile, Cohen said it would be a “Lamborghini, McLaren or Bugatti.” Initial sales outlets include a store in Mayfair and the Heathrow VIP area. Independent security experts remain unconvinced about Sirin Labs' proposition – especially in the absence of details.
Security through obscurity isn't going to win hearts and minds among mobile security experts. “The anti-virus will be essentially a waste of time, and expecting a plug-in card to secure Android's microphone and speaker is fundamentally flawed logic,” a mobile security expert who asked not to be named told El Reg. “There might be some value in some of it, but Blackphone is a much more sound approach overall.” ®