FTC: It Takes Criminals Just 9 Minutes to Use Stolen Consumer Info

Federal Trade Commission experiment lured hackers to learn about how they use stolen consumer information.

The Federal Trade Commission (FTC)’s Office of Technology conducted an experiment to learn how hackers use stolen information. Experts created a database of fake consumer credentials and posted them twice on a site that hackers use to make stolen data public.
This false information was made realistic by using popular names based on Census data, US-based addresses and phone numbers, common email address naming strategies, and one of three types of payment info (online payment service, bitcoin wallet, and credit card). Following the second posting of the fake data, it took hackers just nine minutes to try to access it.
There were more than 1,200 attempts to access the information, which hackers tried to use to pay for things like food, clothing, games, and online dating memberships. The FTC advises consumers to stay safe with two-factor authentication, which prevented the thieves from gaining access.

Read more details here.



Android ‘design shortcomings’ allow for Cloak and Dagger series of attacks

A series of “vulnerabilities and design shortcomings” in the Android user interface sets the stage for a new class of attacks called “Cloak and Dagger.”
Discovered by Chenxiong Qian, Simon P. Chung and Wenke Lee of Georgia Tech and Yanick Fratantonio of UC Santa Barbara, the issues stem from two Android app permissions. The first, SYSTEM_ALERT_WINDOW (“draw on top”), allows an app to draw overlays on top of every other app. The second, BIND_ACCESSIBILITY_SERVICE (“a11y”), is a powerful privilege designed to assist users with disabilities: it lets an app be notified of any event that affects the device and gives it access to the view tree.
Regarding these app rights, there’s good news and bad news. Both tidbits boil down to Google’s design choices.
First, the good news. Google understands the potential security implications of BIND_ACCESSIBILITY_SERVICE, which explains why the researchers found the privilege requested by only 24 of the top 4,455 apps on Google Play.
But the bad news is that Google grants SYSTEM_ALERT_WINDOW automatically. An attacker can exploit this fact in a malicious app to lure the user into granting a11y access, which they can then leverage to conduct a series of attacks including context-aware clickjacking, security PIN stealing, and the silent installation of a God-mode app.
Here’s a video of one such attack in action.
That’s not even the worst part.

An examination of these so-called “Cloak and Dagger” attacks not only demonstrates their practicality but also reveals most users aren’t the wiser that any malicious activity transpired. As the researchers explain in their paper:
“To test the practicality of these attacks, we performed a user study that consisted of asking a user to first interact with our proof-of-concept app, and then login on Facebook (with our test credentials). For this experiment, we simulated the scenario where a user is lured to install this app from the Play Store: thus, SYSTEM_ALERT_WINDOW is already granted, but BIND_ACCESSIBILITY_SERVICE is not. The results of our study are worrisome: even if the malicious app actually performed clickjacking to lure the user to enable the BIND_ACCESSIBILITY_SERVICE permission, silently installed a God-mode app with all permissions enabled, and stole the user’s Facebook (test) credentials, none of the 20 human subjects even suspected they have been attacked. Even more worrisome is that none of the subjects were able to identify anything unusual even when we told them the app they interacted with was malicious and their devices had been compromised.”
Now that we know the full extent of these attacks, what is Google doing to prevent them?
Well, the tech giant has known about the issues since August 2016. With some of the vulnerabilities, Google has said it simply “won’t fix” them. For some of the other design flaws associated with the Android UI, it could take researchers a while to address them.
According to a statement provided to Softpedia, the company is working on it:
“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”
That’s great…for Android users who receive OS updates on a regular basis. As we know with other Android security issues, most users don’t get those fixes from their manufacturers until weeks, months, or years after their release. For those unlucky many, they won’t see the “new security protections” built into Android O for quite some time.
While they wait for their share of the pie, all Android users can do is go into their device settings and check to see which apps have “draw on top” and “a11y” access. Not all apps that use these privileges will announce it to you. (Thank Google for that.) For those apps that do show up, think long and hard about keeping them installed on your device.
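The check above can also be done over adb output rather than by tapping through settings. The following audit script is an added example, not code from the article or the researchers; it assumes the usual layout of `adb shell dumpsys package` and of the `enabled_accessibility_services` secure setting, and runs offline against constructed sample output embedded in the file.

```python
"""Offline audit of the two Android privileges that Cloak and Dagger chains together.

Constructed example: the parsers take text in the shape of two real adb commands,
so the script runs without a device:
  adb shell dumpsys package                                     (per-package permissions)
  adb shell settings get secure enabled_accessibility_services  (enabled a11y services)
"""
import re
from typing import Dict, List, Set

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# dumpsys package layout: a "Package [...]" header, then indented permission sections.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^([\w.]+): granted=(true|false)")
SECTIONS = {"requested permissions:": "requested",
            "install permissions:": "granted",
            "runtime permissions:": "granted"}


def parse_dumpsys_packages(text: str) -> Dict[str, dict]:
    """Return {package: {"requested": set(perm), "granted": {perm: bool}}}.

    Only the permission sections are read. On Android 6+ the live "draw on top"
    toggle is AppOps state, so a *requested* SYSTEM_ALERT_WINDOW is the reliable
    signal here; the granted= flag is reported but treated as advisory.
    """
    pkgs: Dict[str, dict] = {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(raw)
        if m:                      # new package block resets the section state
            current = m.group(1)
            pkgs[current] = {"requested": set(), "granted": {}}
            section = None
            continue
        if current is None:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if len(raw) - len(raw.lstrip()) <= 4:   # back at package level: leave section
            section = None
            continue
        if section == "requested" and re.fullmatch(r"[\w.]+", line):
            pkgs[current]["requested"].add(line)
        elif section == "granted":
            g = GRANT_RE.match(line)
            if g:
                pkgs[current]["granted"][g.group(1)] = g.group(2) == "true"
    return pkgs


def parse_enabled_a11y(setting: str) -> Set[str]:
    """Packages with an enabled accessibility service.

    The value is 'pkg/ServiceClass' entries joined by ':'; adb prints the literal
    string 'null' when nothing is enabled, which must not become a package name.
    """
    setting = (setting or "").strip()
    if setting in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if "/" in entry}


def audit(dumpsys_text: str, a11y_setting: str) -> Dict[str, List[str]]:
    """Cross-reference both sources; 'both' is the Cloak and Dagger combination."""
    pkgs = parse_dumpsys_packages(dumpsys_text)
    overlay = {p for p, info in pkgs.items() if OVERLAY_PERM in info["requested"]}
    a11y = parse_enabled_a11y(a11y_setting)
    return {"overlay": sorted(overlay), "a11y": sorted(a11y), "both": sorted(overlay & a11y)}


# Constructed sample output (package names are invented).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (3f2a1c):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.example.notes] (9b77e0):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.screenreader] (12ab34):
    requested permissions:
      android.permission.INTERNET
"""
SAMPLE_A11Y = ("com.example.flashlight/.OverlayService:"
               "com.example.screenreader/com.example.screenreader.ReaderService")

if __name__ == "__main__":
    for label, names in audit(SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(f"{label:8s} {', '.join(names) or '-'}")
```

Apps listed under `both` request the auto-granted overlay permission and already have an enabled accessibility service, which is exactly the pairing the article says to scrutinise.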



Draft Hacking Back Bill Gets Modifications Prior to Imminent Introduction

Rep. Tom Graves (R-Ga.) has released an updated version (PDF) of his draft Active Cyber Defense Certainty (ACDC) Act, incorporating feedback from the business community, academia and cybersecurity policy experts. “I look forward to continuing the conversation and formally introducing ACDC in the next few weeks,” he said yesterday.

The original discussion draft was released in March 2017.
ACDC is designed to amend the existing Computer Fraud and Abuse Act (CFAA). CFAA, enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative actions; that is, cyber defenders are only legally allowed to defend passively. ACDC would allow controlled ‘active’ defense — something often called, somewhat misleadingly, ‘hacking back’ — by excluding prosecution for the exempted actions under the CFAA.
The modifications now introduced are largely designed to tighten control and avoid collateral damage. For example, entities using active-defense techniques will need to report to the FBI. “A victim who uses an active cyber defense measure… must notify the FBI National Cyber Investigative Joint Task Force prior to using the measure.”
Similarly, modifications make it clear that active defense restrictions against causing physical injury include financial injury; and provide additional safeguards for ‘intermediate computers’. The latter term is defined as “a person or entity’s computer that is not under the ownership or control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack.”
These intermediate computers have always been considered the weak point in any form of hacking back — it is not easy for anyone to be certain of the precise source of an attack, leading to the possibility that active-defense measures could be launched against an innocent target.
National Security Agency and Cyber Command head Admiral Mike Rogers is one of those with such concerns. “My concern is,” he said during testimony before a House Armed Services subcommittee on Tuesday, “be leery of putting more gunfighters out in the street in the Wild West. As an individual tasked with protecting our networks, I’m thinking to myself — we’ve got enough cyber actors out there already.”
Perhaps in recognition of the inherent difficulties in such an Act, Graves has also introduced a sunset clause: “The exclusion from prosecution created by this Act shall expire 2 years after the date of enactment of this Act.”
“Although ACDC allows a more active role in cyber defense,” says an associated statement released yesterday, “it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”



TX: 2 Additional Cameron Co. Servers Missing

Steve Soliz reports:
Cameron County said they’ve mistakenly sold more computer servers than previously thought. Those servers, filled with personal information, were sold off at auctions.

CHANNEL 5 NEWS reported how one of those servers was up for sale at a Brownsville flea market.
In a statement, Cameron County Judge Eddie Trevino announced two more servers were sold at an auction in December.
He added the county also auctioned off computers, printers and monitors.
County leaders don’t know whether those two other servers had people’s information in them or where they are, according to Trevino.
Read more on KRGV.



Ca: Website hack exposed Prairie Mountain Health patients’ personal, medical info

The Brandon Sun reports:
Personal and medical information of more than 1,000 Prairie Mountain Health patients are at risk after an internal website was hacked.
The regional health authority, in a statement Friday, said they do not believe the intent of the hack was to access personal information, but conceded they cannot exclude the possibility that identifiable personal details were viewed or copied.

Subscription required to read the full story.
Now you shouldn’t need a subscription to a news outlet to find out about a breach involving your information, right? So I went to Prairie Mountain Health’s site to find a breach disclosure or notice, but NOTHING was mentioned on their site.
C’mon folks: if you can send a press release to your local media, you can post a copy of the damned statement on your web site. In fact, you should be posting something on your web site and notifying patients even before you notify media.
So I tweeted an inquiry to their Twitter team asking where the notification is. If I find out more, I’ll update this.



GDPR Industry Roundup: One Year to Go

GDPR Roundup: New Products, Surveys and Industry Commentary
Thursday May, 25 2017 commenced the final countdown to the General Data Protection Regulation (GDPR): there is just one year before it comes into force. GDPR imposes complex new personal data protection requirements on any organization doing business in or with the European Union; and it is doubtful if many, or any organization is automatically compliant. The result is a serious challenge for business and a major opportunity for the security industry.
What follows is a roundup of this week’s new products, survey and comments on GDPR.
New Products/Services
IBM Resilient – “GDPR is ushering in some of the most important changes to European data privacy regulations in twenty years, much of it involving policies and documentation that are difficult to improve with technology. The Resilient Incident Response Platform is designed to help businesses comply with GDPR. It prescribes and can orchestrate people, process and technology in specific responses to data breaches.”
Forcepoint: GDPR-focused cloud service extensions – “We see the partnership growing between the CIO and CISO to implement solutions that securely enable the business shift to cloud computing while remaining in compliance with data privacy laws such as GDPR.”
Wombat Security: new GDPR training module – “Within this module, end users will learn why they need to be active participants in overall GDPR compliance; how to make the right decisions about the data they create and handle; and what the consequences of non-compliance are for your organization.”
New Surveys/Reports
Varonis: One Year Out: Views on GDPR – “What’s most worrying about the findings is that one in four organizations doesn’t have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year’s time. If they don’t have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are miniscule and they are putting themselves firmly at the front of the queue for fines.”
Kaspersky Lab: The IT department’s GDPR journey towards good data health – “With less than a year to go, firms are in various stages of compliance preparation. But the regulation doesn’t have to be a burden on one department alone. Every function in a business – from marketing to legal – has its role to play. Now is the time for IT departments to help them all on a journey towards good data health.”
Blancco Technology Group: EU GDPR: Countdown to Compliance – “If an organization cannot find their customers’ data, how will they be capable of erasing the data and complying with the EU GDPR’s requirement? Once they do finally locate their customers’ data, the next step is erasing the data permanently so that it can never be recovered. But as our study reveals, it’s quite common for organizations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance to EU GDPR.”
Guidance Software survey – “Only 15.7% of companies surveyed are in advance planning for GDPR, while 24% of organizations say they will not be ready by the May 2018 deadline.”
Trend Micro: WannaCry Highlights Major Security Shortcomings Ahead of GDPR D-Day – “The unpalatable truth is that many of those organizations caught out by WannaCry earlier this month could face punitive fines if the same kind of thing happens again in a year’s time… because an official Microsoft patch was available for weeks before the attack, the victim organizations could be said to have failed to take adequate security measures given the evident risks. Even virtual patching technologies exist to protect unpatched or unsupported systems.”
Industry Commentary
Dr Jamie Graves, CEO at ZoneFox:
“The starting gun has officially been fired and one thing is for sure: from day one, the EU will not be accepting excuses. They believe organizations have had more than enough time to prepare. Those companies that haven’t started to unravel what GDPR means for them need to get proactive. GDPR is all about data, and that’s where companies need to start. It is imperative that they have a full, 360-degree view of data entering, leaving and being stored within their business. This visibility can then be used as a foundation to assess and restructure processes in order to ensure compliance. Although complicated, GDPR also presents companies with an opportunity. With data breaches becoming increasingly common and personal, by being compliant companies can demonstrate their commitment to data security and privacy. Afterall it’s not just money companies have to lose – their reputations are also on the line.”
Richard Stiennon, chief strategy officer, Blancco Technology Group:
“On day one of when the law goes into effect (May 25, 2018), a company can be held liable and subject to the fines, which are not specifically enforced for breaches, but for being out of compliance with the various requirements, including failure to appoint a DPO, failure to adhere to the ‘right to be forgotten,’ failure to notify the Supervisory Authorities of a data breach within 72 hours, to name a few.”
Black Duck Software
“If your organization needs to comply with the General Data Protection Regulation, you’ll need to examine the software eco-system you’re using and include open source identification and management in your GDPR security program. As well as examining custom source code for vulnerabilities, ensure that the open source you or your vendor companies use is not introducing hidden security vulnerabilities.”
Jason Hart, CTO, data protection at Gemalto
“Up until the 25th May 2018, EU businesses will be able to get away with keeping breaches from their customers, but this will change as the focus will be on protecting data going forward. Time is running out for businesses to get their house in order before GDPR comes into effect. Once that happens, we’ll start to see the true picture of data breaches within Europe and the impact that will have on the reputation of a multitude of businesses. Companies need to realize that being breached is an inevitability and customers will not put up with those that can’t protect their data. In order to be compliant, business must follow the six-step process outlined in the legislation.”
Ross Brewer, vice president and managing director at LogRhythm
“With only 72 hours to notify authorities and, in some cases those affected, companies will be under greater amounts of pressure to have full insight into the scope and scale of an attack as soon as it’s been identified. Time will be of the essence and it will be essential for organizations to have an accurate idea of the ‘who’, ‘what’, ‘how’ and ‘how big’ within those three days… businesses will require a more coordinated and efficient approach to threat detection that goes far beyond simply deploying firewalls or anti-virus. Having an end-to-end threat lifecycle management process that gives businesses the insight and full facts of a compromise from the offset will be vital, and businesses need to make sure they are adapting their strategies now so that they are fully prepared this time next year.”
Richard Henderson, global security strategist, Absolute
“To describe the new rules as an update or a refinement in the data protection regime is not accurate – this is not a fine-tuning of the law. A far more fundamental change is taking place. Under EU GDPR, businesses will not be able to get away without having complete visibility into endpoint assets at all times so they can identify suspicious activity and take action – whether a device is connected to the corporate network or not. In this hyper-connected world, businesses cannot afford devices to ‘go dark.’ They need to maintain a constant connection, and have the ability to remotely control data stored on endpoint devices to stop them becoming the gateway to a damaging breach, and subsequently protecting themselves from the repercussions of lax security.”
Richard Lack, managing director EMEA, Gigya
“GDPR, love it or hate it, is the EU’s attempt to put consumers back in control of their online data and compel businesses to keep that data safe from hackers. No more obscure service agreements that we all accept with a single click and never read. Consumers know they’re being mistreated and aren’t happy about it; a recent survey by Gigya found 68 per cent of consumers don’t trust brands to respect their privacy. How many will accept the terms to give away their data, given they have no obligation to do so? My prediction is zero… Businesses must, therefore, ensure that they have compliant systems in place to prevent a mass consumer ‘opt-out’ when the new regulations are enforced or even worse, face hefty penalties for non-compliance, with fines as large as four per cent of annual revenue.”
Gerard Allison, VP of EMEA at Gigamon
“While EU GDPR is a positive step forwards in data protection, organizations need to be aware of new ways cyber criminals could take advantage of the situation. Ransomware is a popular tool for hackers yet this tactic could evolve into a different, more dangerous beast. Let’s say for instance a hacker successfully breaches a network, but the business doesn’t have the tools in place to detect the breach or simply doesn’t report it. The hacker could threaten to report the organization to the ICO for non-compliance unless they paid them. Is it likely that a business would rather pay for a hacker’s silence than pay eye watering fines for being non-compliant?”
Mike Palmer, executive vice president and chief product officer, Veritas
“In order to achieve compliance, the biggest challenge for many organizations globally is understanding what data resides in their complex IT environments, how to protect it and delete it from the network when requested or it’s no longer needed. According to Veritas research, 32 per cent of organizations globally do not have the right technology in place to cope with GDPR. With one year to go, organizations should look to establish a clearly-defined governance strategy with data management tools at the core… The clock is ticking and it’s not just fines that are at stake, but jobs, brand reputation and the livelihood of businesses globally.”
Legal Comments
Callington Chambers
“The General Data Protection Regulation (“GDPR”) is the biggest reform of data protection legislation in the last two decades. When it comes into effect on 25 May 2018, in addition to applying to businesses within the EU, the GDPR will also affect any businesses outside the EU that offer products or services to EU customers or monitors EU citizens.”
Pillsbury Winthrop Shaw Pittman LLP
“These new laws will significantly impact any companies doing business in Europe, even those without a physical EU presence (e.g. U.S. companies targeting Europe). If you have a website, use customer or staff data or engage in almost any form of marketing you will likely be caught. The new very high fine levels for breaches and the need to be able to prove compliance mean companies, regardless of size, must take steps now to prepare.”
Article 29 Working Party
The European regulators have published a series of guidelines on data portability, data processing officers, and supervisory authorities; and a draft guideline on impact assessments.
DLA Piper LLP – “The aim is to be compliant by 25 May 2018 but this may be challenging so it is sensible to focus on the most important and risky areas first.”
Ashfords LLP – “The GDPR is an opportunity to streamline data protection practices and should enable organizations to strip back data which is inaccurate, out of date or irrelevant.”
Squire Patton Boggs
“[GDPR] is aimed primarily at commercial processing of customer data but still has significant ramifications for HR’s handling of employee data… and the new law will represent fertile ground for employees looking to blow the whistle on something. The numbers being waved around as possible fines are enormous, but even though we think they will be the tiny exception rather than the rule, this isn’t an area for HR to treat casually.”
Kingsley Napley
Referencing the UK’s NHS and WannaCrypt, many victims were probably in breach of existing data protection regulations by using unsupported or unpatched Windows systems. “The EU General Data Protection Regulation (the ‘Regulation’) coming into effect on 25 May 2018, which replaces the DPA largely repeats the security principles set out in the DPA. However, the GDPR enforces a much tougher and stricter regime, with more severe penalties for data breaches.”

Squire Patton Boggs
Subject access requests (SARs) from employee to employer are complex. “Breach of the right to access personal data falls under a ‘top tier’ breach carrying a fine of up to €20million or 4% of global turnover (whichever is higher), but it is self-evident that the sort of ordinary slips which employers make in responding to SARs from employees will not get within a hundred miles of this sort of number. Factors that could aggravate the situation are listed under the GDPR to include the intentional or negligent character of the infringement, any previous infringements, any losses or damage to the data subject. The examples of mitigating factors listed, on the other hand, are any actions taken by the controller to mitigate the damage suffered by data subjects and the degree of cooperation with the supervisory authority.”
Osborne Clarke
Profiling: “The interpretation of Article 22 is imperative. Defined broadly, it will place significant burdens on organizations undertaking profiling for advertising and marketing purposes; defined narrowly, there is less cause for concern. We can expect guidance from the Article 29 Working Party later this year. In due course, we might also expect a common standard for measuring the effects of profiling.
In any case, with a year to go, organizations should be reviewing their profiling activities in light of the GDPR, and ensuring that they are taking the necessary steps to ensure compliance from (no later than) 25 May 2018.”
Squire Patton Boggs
“A good way to get started on these tasks is to first educate and obtain C-level buy-in. While the possible sanctions are a strong motivator, it is important that your organization understands that GDPR compliance will add value by ensuring better data management. Once buy-in is secured, you should create a GDPR Core Group consisting of key stakeholders from major departments in your organization. Your GDPR Core Group will be essential in driving these tasks to completion.”



Botnets: Inside the race to stop the most powerful weapon on the internet

The attack attempted to make 100,000s of routers part of a botnet.
Even one of the simplest forms of cyberattack has the potential to cause catastrophic damage: a large DDoS attack by an army of hijacked devices is capable of knocking networks offline, leaving organisations and their customers unable to access services.
The impact of such an attack was made clear by the Mirai botnet incident late last year. The Mirai botnet used everyday internet-connected devices, such as routers and security cameras, to bring large chunks of the internet to its knees, slowing or outright bringing down popular websites and services.
But that wasn’t the end of Mirai’s malicious intent. A month later a million internet users in Germany were thrown offline in late November as part of a coordinated cyberattack which also impacted the UK, Ireland, Turkey, Iran, and Brazil, among others.
Internet provider Deutsche Telekom bore the brunt of much of the attack within German borders. Matthias Rosche, SVP of solution sales and consulting at Deutsche Telekom’s telecom security group, described it as “the biggest attack” against the company which had a “major” impact on its customer base.
Almost five percent of its 20 million customers suffered internet outages as a result of the botnet attack, which targeted Zyxel and D-Link routers, exploiting an open port. In total, 900,000 routers were affected by the attack.
The attack wasn’t capable of stealing data, but it still created massive problems, resulting in 30 hours of downtime for 900,000 internet connections in homes and businesses across Germany.
“What we saw was that there were specific routers which had issues and problems. Looking at the statistics, we saw that a significant number went down immediately,” Rosche said, speaking at a conference arranged by security company Check Point in Milan.
The malware contained a link designed to upload malicious software to the devices in order to connect them to the botnet, but Deutsche Telekom quickly moved to minimise the potential damage of this threat.
“We started to investigate into the attack and figured out there was a download link embedded to upload to malicious software. So the first thing we did was block that to make sure that even if the infection is successful, nothing can be uploaded from that specific link,” said Rosche.
The company’s security team set up a war room to coordinate activities and block the key target open port across the network, in order to ensure no attack could target it anymore, he explained.
In addition to this, an agreement between Deutsche Telekom and the router vendors meant as soon as the telecoms firm knew how to close the vulnerability, they contacted the vendors and provided them with the information required to update devices and protect them against the botnet.
“Within 12 hours we had a new software version available for our routers,” said Rosche, adding that users were informed they had to turn their routers off and on again to protect themselves from the attack.
“This was a simple patching process and we were happy this was our worst-case scenario,” he said of the incident.
If the attack had been fully successful, the results would’ve been dire and a danger to the internet.
“It’s a simple calculation. We’d have had a new botnet of 1.8 terabits per second, which is big enough to carry out a DDoS attack against any state in the world. This would’ve been the most powerful weapon on the internet, it would have been incredible,” said Rosche.
“We apologised to our customers and the question we had to ask ourselves was, ‘Can we guarantee that this won’t happen again in the future?’ The answer is ‘probably not’. But we’ll be prepared,” he said.

