Dropbox commended for its handling of massive data breach involving 68M users

The Dropbox credentials in question come from a breach that took place in 2012.

What started out last week as a warning by Dropbox to its users that some login data may have been compromised has exploded into a massive data breach with an estimated 68 million Dropbox user credentials being exposed on the web, but industry insiders say the company has handled the problem quite well.

Most security professionals praised Dropbox for its reaction to the crisis saying the company reacted quickly and its security arrangements protected the most important customer data that had been stolen.

The Dropbox credentials in question come from a breach that took place in 2012 and were noticed online by the breach notification service Leakbase, which then informed Motherboard. Independent cybersecurity researcher Troy Hunt confirmed on his blog that the credentials are in fact those of Dropbox users by checking some of the data that was found for sale. Dropbox also confirmed the report.

“What we’ve got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. Only half the accounts get the “good” algorithm but here’s the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don’t. It’s just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it’s near impossible,” Hunt wrote.

Patrick Heim, head of trust and security at Dropbox, told SCMagazine.com in a written statement that the number of users affected is accurate, but there is no indication the exploited information has been used to access any Dropbox accounts.

“We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts,” Heim said.

Despite the scale of the breach, Hunt and others commended Dropbox on how it is handling the situation.

Hunt noted the excellent communication and the fact the passwords, at least, were decently protected, while another security exec called Dropbox’s action a model for the industry to follow.

“The Dropbox data hit the market recently with all signs pointing towards the credentials encryption remaining intact.  It’s hard to argue that Dropbox managed this situation poorly when the credentials have been protected for four years, which could be indicative of certain cryptographic components remaining intact during the initial compromise,” Josh Feinblum, Rapid7’s VP of information security told SCMagazine.com in an email.

However, not everyone had a positive viewpoint. Chris Roberts, Acalvio’s chief security architect, believes Dropbox should have taken stronger action earlier.

“It’s interesting that user accounts taken in an incident in 2012 are only now “coming to light”. That’s an awfully long time to wait before publicly stating that “we have an issue”. It’s frustrating that the organization potentially knew of the problem, but didn’t confirm it, as there was no credible evidence that the data was in the wild?” he told SCMagazine.com in an email.

Dropbox did state in 2012 that usernames and passwords had been stolen, but gave no details as to the potential scale of the problem. At that time the cloud storage company did recommend users change their passwords and implement two-factor authentication.

One of the major takeaways from this incident, besides the importance of good password management, is the potential danger posed to companies whose employees use cloud storage.

“Business leaders, especially those in IT risk management, must take this as another alarm bell worth hearing,” said Chris Ensey, COO of Dunbar Security Solutions, adding that the huge number of SaaS applications available merely increases the pathways in and out of a company that have to be secured.

Even though the most sensitive information was salted and hashed, cybercriminals can still make use of the data that was posted in the clear, such as email addresses.

Matthew Gardiner, Mimecast’s cybersecurity strategist, pointed out to SCMagazine.com in an email that these emails could be used down the road as part of a phishing scam. Adam Levin, chairman of IDT911, said email addresses and other, seemingly benign information can still be used against one of the Dropbox users.

“Email addresses are at the foundation of our digital identities, as they often contain significant names and/or numbers, such as your birthday, college, or work. All of this information becomes tiny breadcrumbs that hackers can use to guess passwords and answer security questions to access even more sensitive information,” Levin said.

Three zero-days found in iOS, Apple suggests users update their iPhone

Researchers spotted a triple threat of iOS vulnerabilities exploited in one malware

Citizen Lab and Lookout researchers detected an active spyware capable of exploiting three iOS zero-day vulnerabilities.

The vulnerabilities, collectively dubbed Trident, were combined into a malware named Pegasus by the NSO Group, an organization that reportedly specializes in “cyber war,” according to an August 25 Lookout blog post.

Pegasus is highly advanced in its use of zero-days, obfuscation, encryption and kernel-level exploitation and the malware has been active for some time, the post said.  Researchers believe the spyware has already been used in the wild for state-sponsored activities, including against a Mexican journalist who reported on corruption by Mexico’s head of state, and an unknown number of targets in Kenya.

The malware is spread, the post said, through a basic phishing attack sequence: a text message carries a link, the web browser opens and loads the page, the page exploits the vulnerabilities, and persistent software is installed to gather information.

The issue was disclosed to Apple 10 days before the update was rolled out and judging by the speed by which Apple responded, the vulnerabilities were treated as critical within Apple, Guillaume Ross, a senior security consultant at Rapid 7, told SCMagazine.com via emailed comments.

“This attack basically exploits an issue in Safari, exploits the kernel to effectively jailbreak the phone, and then persists on to the device,” Ross wrote. “Jailbreak software is regularly released publicly, and exploits such vulnerabilities, but with a major difference: this software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past.”

Ross said detecting attacks such as this is extremely difficult after the fact. “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5.,” an Apple representative told SCMagazine.com on Thursday via emailed comments. “We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”

Zero-day attacks like Trident are extremely valuable in a world where IT is used as a weapon, and the vulnerabilities are especially valuable to nation-states looking to obtain data, Cesare Garlati, chief security strategist at the prpl Foundation, told SCMagazine.com on Thursday via emailed comments.

“The one thing that surprises me is the ease with which we attribute vulnerabilities to mistakes/errors in coding,” Garlati said. “I’m more and more convinced that some of these vulnerabilities are introduced on purpose, without the knowledge of the vendor, to serve nation-states.” 

California Congressman Ted Lieu (D-Ca.) said in an Aug. 25 press release that he is alarmed but not surprised by the discovery of the vulnerability.

“I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security,” Lieu said. “I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns.”

USAA members hit with multiple phishing attacks

The goal is to obtain customers' USAA login credentials.

Multiple phishing campaigns that play off consumers’ fear of having their financial information hacked are hitting customers of United Services Automobile Association (USAA).

Paul Tolbert, email security specialist at AppRiver, said in a blog post that his team has noticed a steady increase in spam blasts involving USAA members, each using a socially engineered note asking the victim to click on a link where certain personal information would be requested. Two recent examples displayed by AppRiver show USAA customers receiving emails stating that either a pending transaction was cancelled or that their account must be updated.

The goal is to obtain the customer’s USAA login credentials, Tolbert told SCMagazine.com in an email, adding that no other malware was downloaded.

In order to garner a response from the victim, the malicious actor makes certain to clearly state that the new information is required to keep the account in question safe from being accessed by unauthorized personnel.


An example of a phishing email sent to USAA members.

However, Tolbert noted that the emails are flawed, can be spotted by an observant person and that the bad guys in question also depended on having some luck to make their scheme work.

“During our investigation, however, we found several red flags that proved otherwise,” he wrote. “The email also contains the usual discrepancies found in many phishing campaigns like a rogue sending IP, spoofed sender address, etc.”
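The discrepancies Tolbert lists (a sending IP that does not belong to the brand, a spoofed sender address) can be checked mechanically at the mail gateway or by an analyst triaging a reported message. The following is an added example, not AppRiver’s or USAA’s code: the two messages are constructed for illustration, the brand domain and the trusted sending range 198.51.100.0/24 are assumptions, and a real deployment would take the trusted ranges from the brand’s SPF record. It also adds one check the post does not spell out, flagging links whose host is not under the brand’s own domain.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in the style described in the article: not a real USAA
# message and not the AppRiver example.
PHISH_SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.45])
 by mx.example.org with ESMTP; Tue, 30 Aug 2016 10:00:00 +0000
From: "USAA Member Services" <alerts@usaa.com>
To: member@example.org
Subject: Pending transaction cancelled - action required
Content-Type: text/html; charset=utf-8

<p>A pending transaction on your account was cancelled. To keep your
account safe from unauthorized access, please
<a href="http://usaa-secure-update.example.com/login">update your account</a>.</p>
"""

# Constructed control message with no discrepancies.
CLEAN_SAMPLE = """\
Return-Path: <bounce@usaa.com>
Received: from out1.usaa.com (out1.usaa.com [198.51.100.7])
 by mx.example.org with ESMTP; Tue, 30 Aug 2016 10:00:00 +0000
From: "USAA Member Services" <alerts@usaa.com>
To: member@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available at <a href="https://www.usaa.com/">usaa.com</a>.</p>
"""

BRAND_DOMAIN = "usaa.com"
# Assumed stand-in for the brand's published sending ranges; a real check
# would take these from the domain's SPF record.
TRUSTED_SENDING_NETS = [ipaddress.ip_network("198.51.100.0/24")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HREF = re.compile(r"""href=["'](https?://[^"'\s]+)""", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def under_brand(host: str) -> bool:
    """True when host is the brand domain itself or a subdomain of it."""
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)


def check_message(raw: str) -> list:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # Visible sender claims the brand but the envelope bounce address does not:
    # a common sign of a spoofed From. Legitimate bulk mail can differ too, so
    # treat it as a signal, not proof.
    from_domain = domain_of(str(msg.get("From", "")))
    bounce_domain = domain_of(str(msg.get("Return-Path", "")))
    if from_domain and bounce_domain and from_domain != bounce_domain:
        flags.append(f"from/return-path mismatch: {from_domain} vs {bounce_domain}")

    # The relay that handed us the message is in the topmost Received header.
    received = msg.get_all("Received") or []
    for hdr in received[:1]:
        m = IP_IN_BRACKETS.search(str(hdr))
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if not any(ip in net for net in TRUSTED_SENDING_NETS):
                flags.append(f"sending ip {ip} outside trusted ranges")

    # Links that point somewhere other than the brand's own domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in HREF.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not under_brand(host):
            flags.append(f"link host {host} is not under {BRAND_DOMAIN}")

    return flags


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, check_message(sample) or ["no red flags"])
```

Each flag is a signal rather than a verdict: a mismatched bounce domain is normal for some mailing providers, so the value is in the combination, which is what Tolbert’s team saw.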

The part of the campaign requiring luck involves the “spray and pray” methodology used to find USAA members.

“We are not able to confirm that these were being sent only to USAA members,” Tolbert said. “Most of the time these are sent in mass to a list of email addresses and the attackers are playing the percentage that some of their messages will reach the inbox of some actual members.”

Tolbert closed telling SCMagazine.com that this type of attack is back in vogue again. “USAA is one of many financial institutions that we see targeted around the clock.”

USAA said it is seeing an uptick in such activity and has responded by attempting to educate its members to the dangers of phishing and other online scams through a series of articles on the topic.

Updated to include USAA comment.

Epic data breach revealed, but was your password stolen?

Epic Games, probably best known for the Unreal games programming system and the Xbox game Gears of War, has just admitted to a data breach.

Two breaches, in fact:

We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext.


Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums.

We’re glad that Epic Games has published this notification and not swept the breach under the carpet, but in cases like this, we think it helps to be clearer about what happened.

In the second half of the breach notification, for example, the company admits that “salted hashed passwords” were stolen, but missed the chance of saying how they were salted and hashed.

Our recommendation (last updated in June 2016) is to use a password storage system called PBKDF2, and the hash HMAC-SHA-256, salted with at least 16 bytes, stretched with at least 20,000 iterations.

(This meets and exceeds the latest guidelines for US public sector passwords from the US National Institute for Standards and Technology, better-known as NIST.)

Don’t worry if you don’t follow all this talk of salting-hashing-and-stretching.

The idea is that you don’t store the actual password entered by the user, in case it’s ever stolen.

Instead you store a unique, cryptographically-scrambled version that can be checked quickly enough for convenience, but not so quickly that crooks can easily try billions of passwords a second if the scrambled passwords are stolen.

Simply put, salting-hashing-and-stretching using 20,000 repetitions takes 20,000 times longer than just a straight hash of the password.

So, all things being equal, crooks who steal the database for an offline attack will recover passwords 20,000 times more slowly, and passwords that might have been cracked after minutes or hours of guessing might now take weeks or years.

In breach notifications like this, then, it’s helpful to say what sort of hashing system was used.

Technically savvy users can then use this information to make a more informed decision about the likelihood of their passwords being cracked.
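Hunt’s point about the Dropbox files (salted bcrypt versus unsalted SHA1) and the recommendation above (PBKDF2 with HMAC-SHA-256, a 16-byte salt and 20,000 iterations) come down to the same two properties: a per-user salt, so identical passwords do not produce identical records, and a work factor, so each guess is deliberately slow. The following is an added example, not Epic’s or Dropbox’s code: the record format (scheme$iterations$salt$digest) and the demo passwords are constructed here, and the parameters are the article’s recommended minimums.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# The article's recommended minimums (assumed as defaults for this example).
ITERATIONS = 20_000   # stretching: each guess costs 20,000 HMAC-SHA-256 calls
SALT_BYTES = 16       # a fresh 16-byte random salt per stored password
SCHEME = "pbkdf2-sha256"


def unsalted_sha1(password: str) -> str:
    """Legacy scheme mentioned in the Dropbox story: plain SHA1 of the password.

    With no salt, every user sharing a password shares a digest, and a single
    precomputed table of common passwords cracks all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salt, hash and stretch a password with PBKDF2-HMAC-SHA-256.

    Returns a self-describing record (scheme$iterations$salt$digest) so the
    verifier knows exactly how to recompute it, and so a breach notification
    could state the scheme by reading any one record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored salt; compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def describe(record: str) -> dict:
    """What a notification can safely disclose: scheme, work factor, salt length."""
    scheme, iterations, salt_b64, _ = record.split("$")
    return {"scheme": scheme, "iterations": int(iterations),
            "salt_bytes": len(base64.b64decode(salt_b64))}


if __name__ == "__main__":
    # Constructed demo: two users who happen to share a password.
    pw = "correct horse battery staple"
    alice, bob = pbkdf2_hash(pw), pbkdf2_hash(pw)
    print("unsalted SHA1 identical :", unsalted_sha1(pw) == unsalted_sha1(pw))
    print("PBKDF2 records identical:", alice == bob)   # False: different salts
    print("alice verifies          :", verify(pw, alice))
    print("wrong password verifies :", verify("Tr0ub4dor&3", alice))
    print(describe(alice))
```

Because the record carries its own iteration count, the work factor can be raised later for new passwords while old records still verify, and the `describe` output is exactly the level of detail the article asks breach notifications to include.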

Also, Epic advises, in respect of the second breach, that:

If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.

We’re a little confused here.

This implies that your data was compromised when you used the forums (e.g. while logging in or posting), rather than simply because you had an account on one of them.

Otherwise, accounts created before July 2015 would be at risk of password recovery, too, assuming the crooks plundered the forum databases.

And if that’s how it went down, with the crooks keeping tabs on users as they logged in, then the crooks may have grabbed plaintext passwords from memory during the login process.

We think Epic should consider making a clearer statement about how the July 2015 “cutoff” enters the equation.

What to do?

  • Change your Epic passwords, even if Epic thinks you don’t need to.
  • Assume that anything you wrote in the affected forums is now public.
  • Consider asking Epic for a bit more detail on what happened, notably whether July 2015 is when the breach started, and whether that date applies to the first breach as well.

Oh, before you go, in case you ever find yourself in a breach disclosure situation, be sure to read the satirical but helpful advice in our article What you sound like after a data breach.

And, if you’re one of the users who needs to change your password, here’s a short and straight-talking video that shows you not only how to choose a good one, but also why you should bother:


Facial recognition can be tricked with Facebook photos

Here’s a bit of irony: the vast array of photos collected on Facebook and crunched by its powerful facial recognition technology can be used to trick facial recognition.

It’s done by creating 3D facial models using just a handful of publicly available photos, such as those that people post to Facebook and other social media accounts.

The news comes from researchers at the University of North Carolina who’ve been working on ways to get around biometric authentication technologies such as facial recognition.

From a paper describing their technique, which incorporates virtual reality (VR):

Such VR-based spoofing attacks constitute a fundamentally new class of attacks that point to a serious weakness in camera-based authentication systems.

Unless they incorporate other sources of verifiable data, systems relying on color image data and camera motion are prone to attacks via virtual realism.

This is far from the first time we’ve seen facial recognition defeated.

Static photos are easy to spoof by holding up a 2D picture to a camera. But even moving photos are spoofable. Google recently filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool it with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.

None of this has stopped tech companies from exploring, and investing in, facial recognition as a method of security authentication that could displace passwords: the oft-derided (but persistently popular) whipping boy in the realm of authentication.

Advances in facial recognition technologies keep coming, and the money invested in this field keeps growing: Gartner research estimated in 2014 that the overall market will grow to over $6.5 billion in 2018 (compared to roughly $2 billion today).

Some of the fruits of that investment include Facebook tuning its systems to the point where it doesn’t even have to see your face to recognize you.

Microsoft, for its part, has been showing off technology that can decipher emotions from the facial expressions of people who attend political rallies, recognize their genders and guesstimate their ages.

Facial recognition is everywhere.

Local law enforcement are using it in secret, a sports stadium used it to try to detect criminals at the Super Bowl, retail stores are tracking us with it, and even churches are using it to track attendance.

Researchers recently demonstrated that algorithms can also be trained to identify people by matching previously observed patterns around their heads and bodies, even when their faces are hidden.

And the money keeps coming:

In January, Apple picked up a startup called Emotient that uses artificial intelligence (AI) to read people’s emotions by analyzing their facial expressions.

Google, for its part, last month acquired Moodstocks: a French company that develops AI-based image recognition technology for mobile phones.

The UNC researchers demonstrated how their facial recognition workaround can defeat pretty much all of those facial recognition checks – be they based on recognizing 2D or 3D images or oriented at “liveness” checks – at the USENIX security conference earlier this month.

Their paper describes how the team took a handful of pictures of a target user from social media and created realistic, textured, 3D facial models.

To trick liveness detection technologies into interpreting the images as a live human face, they used VR systems to animate the photos, making it appear that the subject was moving: for example, raising an eyebrow or smiling.

The synthetic face of the user is displayed on the screen of the VR device, and as the device rotates and translates in the real world, the 3D face moves accordingly. To an observing face authentication system, the depth and motion cues of the display match what would be expected for a human face.

Using the 3D models, they were able to fool four out of five security systems 55% to 85% of the time.

Out of 20 participants, there were only 2 subjects whom the researchers couldn’t spoof on any of the facial recognition systems using the social media-based attack.

They really like moderate to high-resolution photos, as they “lend substantial realism to the textured models,” the researchers said.

In particular, they just adore photos taken by professional photographers, such as wedding photos or family portraits. These images not only lead to high-quality facial texturing, but such photos are also often posted by users’ friends and made publicly available.

Hence they’re readily available for researchers (or anybody!) to pick up and spoof.

What’s more, the researchers noted that group photos “provide consistent frontal views of individuals, albeit with lower resolution.” Even if such photos are low-resolution, the researchers found they got enough information from the frontal view to accurately recover a user’s 3D facial structure.

Here’s the million-dollar question: what are those two unspoofable users doing with their photos to foil these types of social media attacks?

It wasn’t necessarily that they posted fewer photos. Rather, they had few forward-facing photos and/or their photos had insufficient resolution.

Maybe we should all start taking bad photos!

Leaked Cisco security vulnerability found in NSA exploit stockpile

A researcher found an exploit in the dump of NSA-linked cyberweapons which abuses a Cisco security vulnerability and highlights the dangers of using hardware that is no longer supported by the manufacturer.

The exploit, called BENIGNCERTAIN, revealed by Mustafa Al-Bassam, former black hat hacker and current security researcher, is a remote exploit for the Cisco PIX router which could allow an attacker to decrypt the VPN traffic passing through the device. The exploit was found in the dump of Equation Group exploits said to include a stockpile of NSA cyberweapons.

According to Al-Bassam, the exploit “sends an Internet Key Exchange packet to the victim machine, causing it to dump some of its memory. The memory dump can then be parsed to extract an RSA private key and other sensitive configuration information.”

In his original blog post, Al-Bassam said the BENIGNCERTAIN tool referenced Cisco PIX versions 5.2(9) to 6.3(4), but later confirmed on Twitter that the Cisco security vulnerability was also present in PIX 6.3(5).

Omar Santos, principal engineer for the Cisco Product Security Incident Response Team (PSIRT), acknowledged the vulnerability in a blog post.

“Our investigation so far has not identified any new vulnerabilities in current products related to the exploit,” Santos wrote. “Even though the Cisco PIX is not supported and has not been supported since 2009, out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN. The Cisco ASA is not vulnerable.”

Al-Bassam noted Cisco ended support altogether for PIX version 6.3 in 2013, but there are still more than 15,000 vulnerable devices deployed in the wild.

Santos warned of the risks of using unsupported products.

“Just as technology advances, so too do the nature and sophistication of attacks,” Santos wrote. “Prolonging the use of older technology exponentially increases risk.”

Garve Hays, solutions architect for Micro Focus, told SearchSecurity that enterprises should not use unsupported products because they will be vulnerable.

“The concept of the ‘long tail’ applies to vulnerabilities as well, so it should come as no surprise that there is someone out there still using something they probably shouldn’t,” Hays said. “Given that notion, in this case Cisco actively provided patches well into 2009, so there is no excuse for not keeping their appliances patched and up to date. In general, an organization should presume they are vulnerable and follow a process that includes policy, review, and remediation.”

Hays also noted it is likely that the NSA wasn’t the only actor with this exploit.

“Cisco is a high value target for many actors, so it is likely that others are cognizant of it and have used the exploit,” Hays said. “In my opinion the NSA should have disclosed the flaw to Cisco. That is at the very heart of responsible disclosure.”

Rebecca Herold, CEO of Privacy Professor, agreed the NSA should have disclosed the Cisco security vulnerability.

“Given the huge vulnerability and exposure to everyone using these specific types of PIX firewalls, yes, they definitely should have [disclosed it]. Especially for technology that was created specifically to be used for security purposes, and is being widely used by huge organizations, which have the data of millions of individuals,” Herold told SearchSecurity via email. “Failure to notify a security technology vendor of a security flaw, and indeed even to exploit it and use it for their own purposes for many years is quite frankly unethical and diametrically opposed to the NSA’s mission to ‘defend vital networks.’ The NSA claims to be doing surveillance in the name of security, when their very actions have put the security of all those using the affected PIX firewalls at very real risk.”

Who needs software vulnerabilities when you can find lame passwords?

True, attackers can have a lot of fun exploiting software vulnerabilities, but they’re nowhere near the top when it comes to the list of their favorite toys.

That’s the finding of a new report (registration required), from the US security firm Praetorian, based on 100 penetration tests covering 75 unique organizations and 450 real-world attacks.

The report, from Josh Abraham, a practice manager for Praetorian, compiles the top internal attacks used in pen tests over the past three years that have resulted in successfully accomplishing goals such as a sitewide compromise and/or access to specific, sensitive information.

Not to shrug off software vulnerabilities. They’re quite real, and they can obviously be quite dangerous.

But organizations tend to focus on them too much, at the expense of considering risk elements that are even worse, according to the report:

The fixation on patch management is compounded by professional service firms who equate a penetration test to little more than running a vulnerability scan against an organization’s network.

In a nutshell, dumb passwords and stolen credentials are a lot handier when it comes to cracking enterprise networks.

These are Praetorian’s top five attack vectors:

  1. Weak domain user passwords (a root cause of compromise in 66% of cases).
  2. Broadcast name resolution poisoning (aka WPAD, or Web Proxy Autodiscovery Protocol: 64%). We reported on WPAD a few months ago: the protocol is designed to find browser configuration files on the internal network, but recent research shows that attackers may be able to trick WPAD into downloading booby-trapped versions of those configuration files from the public internet instead.
  3. Local administrator attacks (aka Pass the Hash: 61%).
  4. Cleartext passwords stored in memory (aka Mimikatz, an open-source password stealer that can grab a memory dump of password data from a Windows computer: 59%. It featured in a recent Mr. Robot episode).
  5. Insufficient network access controls (52%).

What makes weak passwords even worse is Active Directory, Microsoft’s directory service for Windows domain networks, which Praetorian says prevents users from selecting strong passwords. Compounding the issue even further is that most organizations give administrative permissions to users, according to the report.

Most successful attacks don’t have just one root cause, the report noted. In fact, 97% of the attacks had two or more root causes.

The report notes that the top four attack vectors are based on exploiting stolen credentials.

The last finding in Praetorian’s list boils down to insufficient network segmentation, the report says:

Attackers can use credentials wherever they are allowed, even in places the users might not need or know about. This is why it is important to restrict access at the network level based on business requirements.

True that: a lack of internal segmentation is regularly cited as a contributing factor in many data breaches, as cited, yet again, by Verizon in its recent Data Breach Investigations Report.

The Praetorian report quoted Rob Joyce, who Wired refers to as the nation’s “hacker-in-chief” but who’s also known as the head of the National Security Agency’s (NSA’s) Tailored Access Operations – the government’s top hacking team:

…attackers don’t rely on zero-day exploits extensively – unique attacks that take advantage of previously unknown software holes to get into systems. That’s because they don’t have to.

[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days.

There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.

Wikipedia co-founder Jimmy Wales’ Twitter account hijacked

Wikipedia co-founder Jimmy Wales has joined the celebrity list nobody wants to be on, the list of hijacked Twitter accounts.

On Saturday, his verified account tweeted out a rather premature message about Wales’ demise: “RIP Jimmy Wales, 1966 – 2016.”

Within the hour, as people started to wonder about Wales’ whereabouts and whether they should take the message seriously, the hijacked account followed with a new tweet that read…

I confirm that Wikipedia is all lies, OurMine Team is the true

… along with a link to a website displaying the group’s logo and an ad for social media security services.

Wales regained access to his account later on Saturday, and the tweets were deleted.

But according to Mashable, in addition to the fake messages-cum-marketing, Wales’ Twitter bio had been changed to read “hacked by OurMine.”

This isn’t the first we’ve heard of OurMine. In June, somebody or somebodies going by that name hijacked the Twitter and Pinterest feeds of Mr. Social Media himself, Mark Zuckerberg.

Whoever OurMine is, they boasted about allegedly having found Zuck’s password – the worryingly simple “dadada” – by sifting through the recent password dump of stolen LinkedIn accounts.

As Quartz reports, nobody in the hacking world seems to like OurMine, which relishes hacking high-profile accounts at random, boasting about the attacks, and asking followers for future targets.

It’s been connected to hijackings of Twitter feeds belonging to Twitter co-founder Evan Williams, Google CEO Sundar Pichai and Twitter co-founder and CEO Jack Dorsey.

Other high-profile users who’ve seen their Twitter accounts whisked out from under their noses, not necessarily by OurMine, include Sarah Silverman, NASA (those weren’t your typical moon shots!), Tesla and Elon Musk (with the hijackers offering free cars), a teacher who unwittingly got turned into a porn star, Twitter CFO Anthony Noto, and Black Lives Matter activist DeRay Mckesson, whom the account kidnappers turned into a Donald Trump supporter, to name just a few.

Twitter’s ongoing war to clean up its dark underbelly

Besides account hijackings, Twitter has an abuse and troll problem, and it’s been going on for quite a while.

In February 2015, then-CEO Dick Costolo admitted that Twitter “sucked” at dealing with abuse and trolls.

The company’s done a lot of work to clean up its act, and the work continues. Last week, it said that it had taken down 235,000 terrorist accounts, for one thing.

It also announced that it was rolling out two new features to “give you more control over what you see and who you interact with on Twitter.”

According to Twitter product manager Emil Leong, a new “quality filter” can improve the quality of tweets you see “by using a variety of signals, such as account origin and behavior.”

Also, new notifications settings now give users the ability to limit notifications to only people they follow on mobile and on Twitter.

In a blog post, Leong said that starting last Thursday, the new, optional Quality Filter will sift out lower-quality content, like duplicate tweets or content that appears to be automated, from notifications and other parts of Twitter.

How do attackers get our Twitter accounts?

As far as the hijackings are concerned, there are many ways that these accounts could have been taken over. Likely suspects include:

Password reuse. This is why we urge you not to reuse passwords on different sites: if one of those sites gets breached, crooks can use the same login to get into wherever else you’ve used it. They can get into your social media accounts to embarrass you, get access to your contacts, commit identity theft, and drain your banking accounts, while they’re at it.

It’s really a bad idea to use a password twice, and here’s why.

Willy-nilly clicking on links in email is another way to get into trouble. Phishing might sound old-school, but some of the true classics are still extremely successful. In fact, a study from Google and the University of California, San Diego, found that there are some phishing sites that are so convincing, they work on an eye-popping 45% of visitors.

Bad password etiquette. Perhaps a staffer gave the password away to someone, or maybe it was the name of somebody’s pet?
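To make the password-reuse point concrete, here is an added example (not from the article, and not anyone's production code): a small Python script that builds a constructed breach dump of unsalted SHA-1 hashes in the style of the older dumps mentioned above, recovers the weak passwords from it with a wordlist, and then runs the check a site operator should run after somebody else's breach, namely whether any of its own users can be logged in with a password recovered from the dump. The email addresses, the wordlist and the salted PBKDF2 store standing in for "our" site are all assumptions.

```python
"""Password reuse, end to end, on constructed data.

Added example, not code from the article. Two halves:
  1. the attacker's side: a leaked dump of email -> unsalted SHA-1 hashes
     is cracked with a wordlist in one pass, because without salts one
     SHA-1 per candidate password covers every account at once;
  2. the defender's side: check whether any user of our own site (which
     stores salted PBKDF2 hashes here, standing in for whatever a real
     site uses) can be opened with a password recovered from the dump.
All emails, passwords and hashes below are constructed for the example.
"""
import hashlib
import hmac
import os

# Constructed breach dump: email -> hex(SHA-1(password)), no per-user salt.
LEAKED_DUMP = {
    "ceo@example.com": hashlib.sha1(b"dadada").hexdigest(),
    "dev@example.com": hashlib.sha1(b"correct horse").hexdigest(),
    "ops@example.com": hashlib.sha1(b"Tr0ub4dor&3!x").hexdigest(),
}

# A tiny stand-in for a real wordlist (rockyou.txt is the usual starting point).
WORDLIST = ["123456", "password", "dadada", "letmein", "correct horse", "qwerty"]


def crack_unsalted_sha1(dump, wordlist):
    """Hash every candidate once, then look every leaked hash up in that table.

    Cost is len(wordlist) hashes however many accounts leaked; a per-user
    salt would force len(wordlist) * len(dump) hashes instead.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# Our own site's password store: salted, iterated PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000


def make_record(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


OUR_USERS = {
    "ceo@example.com": make_record("dadada"),          # same email, same password
    "dev@example.com": make_record("somethingelse"),   # same email, different password
    "someone@example.org": make_record("dadada"),      # not in the dump, but a leaked password
}


def find_reused(our_users, cracked):
    """Two checks to run after somebody else's breach.

    (a) An email that appears in both stores, whose leaked password opens
        our account: the classic credential-stuffing hit.
    (b) Any of our users whose password is among the recovered passwords,
        whatever email it leaked under: attackers spray popular cracked
        passwords across accounts, not only matching emails.
    """
    leaked_passwords = set(cracked.values())
    hits = {}
    for email, record in our_users.items():
        if email in cracked and verify(record, cracked[email]):
            hits[email] = "same email, same password"
        elif any(verify(record, p) for p in leaked_passwords):
            hits[email] = "password appears in the leak"
    return hits


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(LEAKED_DUMP, WORDLIST)
    print("recovered from the dump:", cracked)
    for email, why in find_reused(OUR_USERS, cracked).items():
        print(f"force a reset for {email}: {why}")
```

The defender's check is the same work an attacker does from the other side, which is why the sensible response to a third-party breach is a forced reset for the affected accounts rather than waiting to see whether the login attempts arrive. Note also that the slow, salted hash on our side only protects users who did not reuse a password: once the plaintext is known from the other site's dump, the strength of our own hashing no longer matters for that account.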

How to protect against account hijacking

Enable multifactor authentication. This is what Twitter calls login verification, and it should help defend against account hijackings because a stolen or reused password alone is no longer enough to log in. If you haven’t yet set it up for your Twitter account, why not do it today?

Use a strong, unique password for every site, so that a breach at one service does not hand attackers the key to the others.

Has Microsoft “broken” millions of webcams? (And how to fix yours.)

It’s not a good /day, week, month, quarter, year/ to be working in Microsoft Support.

The company has been on a bit of a hiding to nothing over updates for a year or more, following the launch of Windows 10.

Admittedly, some of our readers have told us that they simply can’t see what the fuss is about: latest version, modern look, more secure, free of charge, what’s the problem? (Not any more, of course: from 30 July 2016 onwards, you’ve had to pay.)

But there’s been a very vocal contingent – a minority, we suspect, but a significant minority at the very least – who have fallen out hard with Microsoft over the move to Windows 10.

From unannounced “pre-downloads”, where files totalling more than 3GB were silently stashed locally in case you wanted them later, through ambiguous dialogs that upgraded you when you thought you’d declined, to unexpected popups in the middle of a weather report live on TV, it seemed that Microsoft just couldn’t get it right.

Even when Microsoft listened to its users and made the wording in the upgrade dialog much clearer, some of our readers still had negative things to say.

So, now that the free upgrade is over (so you definitely can’t get it by mistake) and the next big version update has shipped, known as the Anniversary Update rather than Windows 11, you’d think that Microsoft might have cut itself some slack.

Except that there’s a huge brouhaha going on as users report, “My webcam’s busted.”

If the vitriol poured out in the comments (300 and counting) of a Thurrott blog article entitled “Microsoft Has Broken Millions Of Webcams With Windows 10 Anniversary Update” is anything to go by, this one’s a super-big problem.

Of course, your webcam isn’t “broken” in the dropped-on-the-floor-and-in-two-pieces sense of the word.

However, a bunch of Windows software, apparently including Microsoft Skype itself, no longer works properly with some well-known webcams on the market, notably those that implement video compression inside the camera itself.

High-definition webcams, like the popular USB-based Logitech C930e that can stream 1080p video (1920×1080 pixels), often include built-in compression so that there’s less data to send down the USB cable in the first place, usually using one of two common lossy compression formats known as MJPEG and H.264.

That’s the same sort of compression that digital TV uses, and it’s like listening to an audio track as an MP3 instead of straight off a CD or in an uncompressed form such as FLAC: for most people the difference is modest or even undetectable, but the savings in bandwidth and storage can be huge.

Anyway, as far as we can tell, until the Windows 10 Anniversary Update (10AE), Windows apps that handled video input could ask the operating system for the compressed data straight out of the camera, and process it directly.

There are a few disadvantages to doing this:

  • Every app needs to do its own video decoding, instead of letting the operating system take care of it centrally.
  • If two apps want to access streaming video at the same time, they have to be careful not to use different video compression settings, or they’ll interfere with each other.
  • If multiple apps are processing live video, they’ll all end up decompressing the data at the same time, imposing extra load.

So, Microsoft decided that in Windows 10AE, your app would no longer be able to request video streams in compressed-out-of-the-camera format.

Instead, you’d have to accept already-decompressed video from the operating system itself, decoded into one of two common formats: YUY2 or NV12.

YUY2 data has a brightness level (luminance) for every pixel, and colour information for each pair of horizontal pixels, so it costs two bytes per pixel. NV12 is similar, with brightness data for every pixel but colour only for every 2×2 square in the image, which brings it down to one and a half bytes per pixel.

Encoding brightness and colour separately, rather than as red, green and blue values (RGB), was a neat solution when colour TV came out in the 1950s. By transmitting the luminance and sound as before and splitting the colour data into a separate signal, black-and-white TVs continued to work normally, blissfully ignorant that colour TVs existed at all.

The reason for sampling the colour data at a half or a quarter of the rate used for brightness is that the human eye is much less sensitive to variations in colour than in luminance. (That’s the reason why moonlit scenes look like black-and-white photographs: in low light, we can hardly distinguish colour at all.)

In theory, an app working directly with uncompressed data shouldn’t make any difference to what you see, because an app can’t display compressed data without decompressing it anyway.

In practice, however, it means that unless your app has an option to use uncompressed video, or automatically adjusts itself if a compressed stream is not available from a camera from which it expected one, the app will no longer work at all.

And that’s what lots of software vendors are complaining about on Microsoft’s support forums, because lots and lots of those vendors’ own users are complaining that “my webcam broke after the update.”

That’s because some vendors prefer pre-compressed data, and rely on using cameras that support it, especially if they are capturing data from multiple webcams, as a surveillance system might.

Pre-compressed data greatly reduces the amount of data coming in via USB, and USB bandwidth can become a bottleneck if it’s shared between many devices.

Also, multi-source video recording apps that use uncompressed video inputs have to compress multiple webcam streams at the same time before saving them – a CPU-intensive job that in the past could be left to each camera to do in parallel.
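To put numbers on the two uncompressed formats described above and on the USB bandwidth argument, here is an added example (not Microsoft’s, Logitech’s or any vendor’s code): a Python routine that repacks a YUY2 frame into NV12 layout, which shows exactly where the colour samples sit in each format, plus the per-frame and per-second byte counts for a 1080p stream. The 4×2-pixel test frame is constructed, and the 480 Mbit/s figure is USB 2.0 high-speed’s nominal signalling rate, used here only as a rough ceiling; real bulk or isochronous throughput is lower.

```python
"""YUY2 (4:2:2, packed) versus NV12 (4:2:0, semi-planar) in memory,
and what an uncompressed 1080p stream costs on the wire.

Added example, not code from the article. The test frame is constructed.
"""

BYTES_PER_PIXEL = {"RGB24": 3.0, "YUY2": 2.0, "NV12": 1.5}
USB2_HIGH_SPEED_BPS = 480_000_000  # nominal signalling rate; real throughput is lower


def frame_bytes(width, height, fmt):
    """Raw size of one frame. YUY2: 4 bytes per 2 pixels. NV12: a full Y plane
    plus a half-height plane of interleaved U,V bytes."""
    return int(width * height * BYTES_PER_PIXEL[fmt])


def stream_bits_per_second(width, height, fmt, fps):
    return frame_bytes(width, height, fmt) * 8 * fps


def fits_usb2(width, height, fmt, fps):
    return stream_bits_per_second(width, height, fmt, fps) <= USB2_HIGH_SPEED_BPS


def yuy2_to_nv12(width, height, yuy2):
    """Repack YUY2 (Y0 U Y1 V per horizontal pixel pair) into NV12
    (a Y plane, then one U,V pair per 2x2 block). Luma is copied as is;
    chroma already shared by a pixel pair is averaged across the two rows
    of each block, so vertical colour resolution halves, as 4:2:0 implies."""
    if width % 2 or height % 2:
        raise ValueError("YUY2/NV12 need even dimensions")
    if len(yuy2) != width * height * 2:
        raise ValueError("wrong YUY2 buffer size")
    stride = width * 2                       # bytes per YUY2 row
    y_plane = bytearray(width * height)
    uv_plane = bytearray(width * height // 2)
    for row in range(height):
        src = row * stride
        for px in range(0, width, 2):
            y_plane[row * width + px] = yuy2[src + px * 2]          # Y0
            y_plane[row * width + px + 1] = yuy2[src + px * 2 + 2]  # Y1
    for row in range(0, height, 2):
        top, bot = row * stride, (row + 1) * stride
        for px in range(0, width, 2):
            i = px * 2
            u = (yuy2[top + i + 1] + yuy2[bot + i + 1]) // 2
            v = (yuy2[top + i + 3] + yuy2[bot + i + 3]) // 2
            j = (row // 2) * width + px      # UV row holds one byte per luma column
            uv_plane[j], uv_plane[j + 1] = u, v
    return bytes(y_plane + uv_plane)


# Constructed 4x2 test frame in YUY2: each row is Y0 U Y1 V Y2 U Y3 V.
TEST_YUY2 = bytes([10, 100, 11, 200, 12, 110, 13, 210,
                   20, 120, 21, 220, 22, 130, 23, 230])

if __name__ == "__main__":
    print("NV12:", list(yuy2_to_nv12(4, 2, TEST_YUY2)))
    for fmt in BYTES_PER_PIXEL:
        mbps = stream_bits_per_second(1920, 1080, fmt, 30) / 1e6
        print(f"1080p30 {fmt}: {frame_bytes(1920, 1080, fmt)} bytes/frame, "
              f"{mbps:.0f} Mbit/s, fits USB 2.0: {fits_usb2(1920, 1080, fmt, 30)}")
```

Even the lighter NV12 layout needs roughly 750 Mbit/s for 1080p at 30 frames per second, well above what a USB 2.0 port can carry, which is why a 1080p camera compresses to MJPEG or H.264 before the data leaves it, and why an app that used to take that compressed stream straight from the camera has nothing to fall back on when the operating system will only hand over decoded frames.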

With Microsoft’s own Skype app apparently on the list of affected apps, there are plenty of reports of “blank screens of death” during Skype video calls.

What to do?

  • Test early, test often. If you’re a software developer whose product is locked into using specific operating system hardware settings, don’t get taken by surprise. Get onto Microsoft’s early access program so you can come up with a Plan B before the official launch date if needed.
  • Ask your vendor if there’s a workaround. Some developers may have configuration settings that can deal with the problem without waiting for a fix.
  • Keep your eye on Microsoft’s support forums. Word on the street is that Microsoft intends to revisit this change as soon as possible (though not before September 2016) so that apps relying on direct access to compressed video will work unchanged once again.
  • For Skype calls, consider switching back to your built-in webcam if you have one. This may work, because the built-in webcam probably doesn’t support compression in the first place. Of course, many users will have bought USB webcams to improve both sound and video quality, making this a compromise and not a fix.
  • For Skype calls, try using Skype Preview, included with Windows 10AE. This is essentially a pre-release version, so it won’t please everyone, but many report that it works with USB webcams just fine. We tested with a Logitech C930e HD camera and had no trouble.

There’s also a registry hack going round, where you use the registry editor to set the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\Platform
EnableFrameServerMode = 0   (DWORD value)

We haven’t tried this, not least because we only wanted to use Skype, and the new Skype Preview did the job fine for us.

We’re assuming that this is a hidden tweak that turns off the new “you can no longer get data pre-compressed from the camera” behaviour, but please bear in mind that it’s not officially documented by Microsoft as far as we know [as at 2016-08-22T16:15Z], and we’ve not tested it ourselves.

Are you affected by this issue?

If so, did you try any workarounds, and if so, were they successful? (You may remain anonymous.)

Trust exercise: Symantec’s new website security expert is reaching out to hacker community

Tarah Wheeler

Tarah Wheeler, whom Symantec recently hired as principal security advocate and senior director of engineering for its Website Security team, is already making her presence felt, reportedly pledging to foster ties with the independent hacker community for inspiration and ideas.

“I’m joining to talk to the independent hacker community and find crazy and interesting research that isn’t showing up on the corporate radar,” Wheeler told The Register in a recent report that referred to her position as ostensibly a “cybersecurity czar.”

The CEO and co-founder of HR Automation software firm Fizzmint, whose LinkedIn profile includes special skills in “Supervillainy,” is no stranger to the concept of leveraging expertise from outside resources, having founded Red Queen Technologies, a service that outsources web development for up-and-coming, budget-conscious website operators.

The corporate IT strategy of actively engaging hackers is not without its detractors. Some experts believe the risk is too great, especially as one negotiates the slippery slope from white hats to gray hats to black hats.

But the consensus among multiple experts who spoke with SCMagazine.com, was that the strategy makes perfect sense for Symantec, especially in light of the staggering workforce shortage within the cybersecurity industry.

“Our industry has 1 million cybersecurity job openings in 2016, and that is expected to rise to 1.5 million by 2019. There’s practically a zero percent unemployment rate within the top 10 percent of cyber professionals,” said Steve Morgan, founder and CEO of research market and intelligence firm Cybersecurity Ventures, in an email interview with SCMagazine.com. “I think Symantec is on the right track if they have very specific internal criteria they use to determine which hackers can and which hackers cannot engage with them. The talent pool within the gray and black hat community is too great to unilaterally dismiss as unsuitable to work with.”

Companies looking to become more creative, aggressive and proactive in their network defenses may also have reason to strengthen ties with hackers. Nathaniel Gleicher, head of cybersecurity strategy at the network security firm Illumio, told SCMagazine.com that as attackers – especially nation-state threat groups – continue to raise the bar with new sophisticated offensive threats, network defenders keep playing at a disadvantage. But by turning to the hacker community, companies may finally be able to “drive serious innovation on defense in the same way that the last decade has seen serious innovation on offense,” said Gleicher, the former director for cybersecurity policy at the White House’s National Security Council.

Bug bounty platform provider HackerOne has built an entire business around the interaction between security-minded organizations and the hackers who responsibly disclose vulnerabilities in their products and websites. According to the company, its 2016 Hack the Pentagon bug bounty pilot program – coordinated with the U.S. Department of Defense – resolved 138 vulnerabilities over the course of 24 days, but at only around 1 percent of the cost of a typical government contract.

“Traditional security best practices are not enough, and organizations need to have the mindset that there is always something that will be missed. The companies that are absent from the breach headlines are the ones that are working closely with the hacker community to see where they are most vulnerable,” said Michiel Prins, co-founder of HackerOne, in an interview with SCMagazine.com.

Of course, this does not mean companies shouldn’t employ common sense or set sensible policies when interacting with hackers. “If Symantec hires the wrong hackers, it can cause irreparable reputational damage, so much so that it could have a material, adverse effect on its stock. They could in fact be hacking themselves,” said Morgan. “On the other hand, with the right people, Symantec can build an elite cyber core of engineers.”

Morgan recommended that companies seek out only those gray and black hats whose actions indicate that they are now well-intentioned and reformed. “If someone intentionally hacked into a company and stole confidential data from a corporation or government agency recently, and sold that data in the dark web underground, I’d probably hesitate” engaging with them, he explained.

As for Wheeler, Morgan praised the hire. “Symantec is tapping someone who is well respected and connected into the hacker community, and she has deep domain experience across the key security sectors where the company is looking for people. I believe this will help overcome the stigma associated with Symantec as a big software company, as opposed to a hot cyber company,” he said.

Prior to Fizzmint and Red Queen, Wheeler  – author of the new book Women in Tech – spearheaded projects at Microsoft Game Studios and architected systems at encrypted communications firm Silent Circle.

“We’re thrilled to have Tarah join us…at Symantec,” said Roxane Divol, SVP and GM of Website Security at Symantec, in comments emailed to SCMagazine.com. “Her passion for security and unique blend of development and domain expertise is a huge asset that will help inform our strategy and system architecture, and will play a critical role in influencing our roadmaps as champions of encrypting the entire web and setting a high bar industry-wide.”

Per Symantec policy, Wheeler declined to participate in this article.
