Friday 16 October 2015

A bug in Facebook accidentally shows how popular your posts are

Facebook is diligently attempting to remove a software bug that lets users of their mobile website see view counts for their own and others’ posts within the Facebook social network.

Facebook currently displays the number of views under videos posted on the Facebook site, but this software bug goes beyond that and lets one see the number of views on any article or video link, including those from news media and other official organizational pages. The bottom line of this revelation is the realization that nothing you say or share will ever be as popular among your friend group as an arbitrary article or a video on how to make ramen fries.

Currently, the software bug only affects Facebook’s mobile site, and not Facebook for conventional desktop PCs or the company’s official mobile apps. Facebook has confirmed the software bug and is removing the view counts from user posts.

Facebook claims to have no future plans to let individual users see view counts. Part of the consequence of using the Facebook social network is the understanding that you’re feeding content into a black box, controlled by mysterious and proprietary software algorithms the user has no control over and is not allowed to understand.

In 2013, a Stanford University study conducted by assistant professor Michael S. Bernstein and Facebook’s data science team revealed that the average Facebook user only reaches about 35 percent of their friends with a single post, and over the course of a month the average user will reach barely two out of every three friends.

This problem affects media organizations and other page owners that have been with Facebook for years. Users that have invested heavily in obtaining and growing the number of likes on their page are often shocked to find that the social network charges them to reach more than a small fraction of their audience.

But Facebook holds the control and the keys to their News Feed. For now that’s how it goes. Until, of course, a bug comes along, and we see just how popular — or not — you really are in your Facebook network.

Malaysia arrests hacker for stealing U.S. security data

NBC News has learned federal prosecutors have charged a Kosovo man they believe is responsible for assembling an ISIS "kill list" of more than 1,000 military personnel and U.S. government employees. (USA TODAY)

A Kosovar man living in Malaysia who accessed the personal data of more than 1,300 government and military employees, and passed that data onto the Islamic State, has been arrested in Malaysia on U.S. charges, the Department of Justice announced Thursday.
Ardit Ferizi also accessed customer data from an unidentified Internet retailer, obtaining credit card information on 100,000 customers, according to a federal indictment unsealed in Virginia. Ferizi, allegedly head of a group of Albanian hackers from Kosovo, even went so far as to admonish employees of the retailer via email when they detected his penetration of their system and blocked him.
According to a lengthy affidavit filed by FBI special agent Kevin Gallagher, who is based out of the Washington field office, Ferizi had unauthorized access to a federal computer and used that access to obtain email addresses, cities of residence, dates of birth and other personal identifying information on 1,351 government and military workers, and passed those names onto the Islamic State terrorist group between April and August.
He transferred the information via links he posted to Twitter, the affidavit said, "for the purpose of encouraging terrorist attacks against the individuals." He also used the social media site to communicate with two known Islamic State members, Tariq Hamayun — also known as Abu Muslim al-Britani — and Junaid Hussain — also known as Abu Hussain al-Britani. Hussain died in August in an air strike in Raqqah, Syria.
The activity prompted the Islamic State Hacking Division to tweet a message to "crusaders" engaged in a "bombing campaign" against Muslims: "We are in your emails and computer systems, watching and recording your every move, we have your names and addresses … we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike your necks in your own lands!"
Regarding the retailer, not named in the document, Ferizi accessed a server in Phoenix in June that belongs to an Internet hosting company that maintains the company's website, according to the affidavit. On Aug. 13, the retailer contacted the FBI to report unauthorized access to its site, Gallagher wrote.
As of spring 2015, Ferizi has been living in Malaysia on a student visa and studying at Limkokwing University of Creative Technology in Cyberjaya, Malaysia.

Hackers steal £20 million from UK bank accounts using malware

Law enforcement agencies, with the help of several cybersecurity firms, took control of a botnet network of machines that distributed malicious software known as “Bugat,” “Cridex” or “Dridex.” The Dridex malware was used by cyber criminals to steal some £20 million ($30 million) from UK bank accounts, according to the National Crime Agency (NCA).

The NCA has issued a warning to Internet users, especially those in the United Kingdom, to protect themselves against Dridex, and said that it is chasing down the “technically skilled” cyber criminals. According to the NCA, this malware preyed on unsuspecting people by slipping into their computers, stealing passwords and siphoning money from bank accounts. For distribution, it relied on a network of enslaved computers. Experts say the botnet infected maybe 125,000 computers a year.

Separately, the U.S. Department of Justice also filed criminal charges against Andrey Ghinkul, a 30-year-old man who is believed to have been the hacker at the helm of the operation. Ghinkul was recently arrested in Cyprus, and American prosecutors are seeking to have him extradited to stand trial in the United States. U.S. Attorney David J. Hickton of Pennsylvania said: “We have struck a blow to one of the most pernicious malware threats in the world.”

According to the indictment, Ghinkul’s high-tech cyber crimes have been going on for years. Investigators believe Ghinkul and others sent official-looking spam that tricked people into opening poisonous email attachments. Using that method, they were able to steal $3.5 million from Penneco Oil in Pennsylvania in 2012 and send it to bank accounts in Belarus and Ukraine, according to the indictment.

Bugat evolved over the years into smarter and more capable versions. Researchers later called it Cridex, then eventually Dridex. The massive botnet distribution system — the one that was just shut down — made Dridex the most popular malware bombarding corporate computer networks. If work email got hit with spam, it’s likely much of it was Dridex.

Security researchers have been collaborating with the law enforcement agencies for this operation. Researchers from Proofpoint said that the hackers sent out waves of up to 350,000 Dridex-laced spam emails every day, while researchers at Dell SecureWorks started working on a project to disrupt the monstrous botnet. It teamed up with law enforcement and received legal permission to hack the botnet, according to the company.

In the United Kingdom, Mike Hulett from the NCA said: “This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes.”

Think your mobile calls and texts are private? It ain't necessarily so


Mobile networks around the world have been penetrated by criminals and governments via bugs in signalling code.
Security holes have been found in a technology known as Signalling System 7 (SS7), which helps to interconnect international mobile networks across the globe.
AdaptiveMobile has uncovered evidence of global SS7 network attacks causing damage to mobile operators around the world after partnering with mobile operators and networks to analyse and secure the SS7 traffic across their networks.
Exploits, including location tracking and call interception, are said to be rife. The study also uncovered evidence of attempted fraud, focusing on Europe, Middle East and the Americas.
The results are a serious concern but not entirely surprising. Flaws in SS7 have been known about for years and readily lend themselves to surveillance, both targeted and on a grand scale, allowing miscreants to tap into calls, read text messages and divert traffic.
In one well documented case, SS7 flaws were used to redirect sensitive conversations of targeted individuals on the MTS Ukraine network to a Russian mobile operator.
By contrast, SS7 is far more robust when it comes to the security and integrity of billing functionality. Even so, some studies have suggested SS7 loopholes can be abused to move credit between mobile accounts.
Attacks such as “silent SMS pings” can be used to locate mobile phones anywhere in the world via SS7. With the right request it might be possible to trick a mobile network into handing over the crypto keys from any SIM/session. This rumoured – but unverified – capability would be restricted to the more capable intel agencies.
Details of SS7 vulnerabilities were publicly revealed for the first time at the Chaos Communication Congress hacker conference in Hamburg last December. El Reg's story on the CCC presentation provides more info on how the ageing SS7 protocol works as well as potential attacks.
AdaptiveMobile’s SS7 Protection service, launched in February 2015, aims to analyse and secure the SS7 traffic travelling through operator networks. The firm uses the combination of an SS7 Firewall, advanced reporting and threat intelligence to identify and combat threats. Sitting on the systems of 75 operator networks worldwide, AdaptiveMobile protects one fifth of the world’s subscribers, witnessing in excess of 30 billion mobile events every day, according to the mobile network security firm.
Unauthorised access to the SS7 network can cause significant financial and reputational damage to the operator community, according to AdaptiveMobile. Fraudulent roaming configurations can cost operators millions of dollars without any opportunity to recapture this revenue. Without appropriate preventative measures being put into place, operators are allowing adversaries to know exactly where a subscriber is at any given moment and to intercept and reroute device communications, listening to every call and reading every text message, the firm warns.
“Through our analysis of SS7 traffic we’ve detected numerous types of SS7 requests and responses being received and sent from one operator network to another,” said Cathal McDaid, head of AdaptiveMobile’s Threat Intelligence Unit. “From the Americas to MENA, Europe to APAC, the operator networks analysed have all shown evidence of suspicious SS7 activity. We’re working with operators to secure their networks as none are exempt from these types of attacks.”
Chris Wysopal, CISO and CTO at application security firm Veracode, commented: “The SS7 vulnerabilities are just another example of software-based systems that weren’t built for the rich interconnectivity and threats of the modern mobile infrastructure.”
“Development teams need to go into projects with the expectations that what they’re creating will live in a hostile environment where attackers will look to exploit vulnerabilities. We’ve seen this across every industry and it’s no surprise it’s occurring in the telco industry,” he added.
The potential for abuse by any group capable of breaking SS7 is rich, according to Wysopal.
“A core protocol like SS7 provides governments and rogue actors wide access to the world’s communications infrastructure making it an incredibly attractive system to break into,” Wysopal explained. “Until software developers change their approach and build security into their code from the start, we’re going to continue to see these problems.”
A worldwide map of SS7 international roaming infrastructure vulnerabilities – put together following an earlier study by telecom security specialist P1 Labs late last year – can be found here. China is among the countries with the worst security rating for SS7 security, alongside the likes of Uzbekistan. Somalia and Yemen as well as (more surprisingly) Bolivia and Greenland are also highlighted.

Students, graduates, amateurs: Win £10,000 in Cyber 10K challenge

NCC Group is running the Cyber 10K security challenge to encourage young people and security amateurs to join the industry – and The Register is the exclusive media partner.
You can scroll down for details of how to enter the competition.
As a background, the UK, as many of us know, has an ongoing shortage of skills in science, technology, engineering and mathematics (STEM), despite the best efforts of government-inspired education initiatives.
Vocational training and apprenticeships are a good foundation for acquiring practical skills and also deliver a demonstrable career path. Competition-based funds are one way industry can encourage young people to consider and embark upon careers in STEM, NCC Group’s Cyber 10K being a good example.
Ollie Whitehouse, technical director at NCC Group, explains: “We are continuously being reminded of the importance of STEM subjects and the ground-breaking innovations that can be created in these areas. Similarly to its STEM counterparts, the topic of computer science, and more specifically cyber security, is one that is difficult to fully grasp in a classroom or lecture theatre.
“Often, learning through experience is much more valuable. And if we are to develop the next generation of talent in the cyber security industry, it’s important that we offer IT amateurs the opportunity to gain real practical experience in order to better their skills.
“That’s where competitions like the Cyber 10K come in. These types of competition based funds create a win-win situation for both ambitious amateurs and the sector – they help to nurture and encourage talent, resulting in a pipeline of knowledgeable, experienced and creative security professionals for the industry.”
Competition details are below. Get cracking!

Timing

Duration: September – November 2015

Entry criteria

  • Description of the problem you are trying to solve.
  • Description of your solution and how it addresses the problem.
  • In addition to the above, for an entry to qualify you must include a working prototype – a functional solution which can be used to demonstrate the idea in a reliable manner that accurately shows the idea working.
It is recommended that you also include design documentation for the solution.

Categories

There are no strict categories. Anything goes as long as it hits the entry criteria, but some areas that you might want to think about include:
  • cloud security
  • cyber incident response and clean-up
  • IoT and mobile security
  • consumer and user awareness, training and support
  • cyber security on small budgets

The judging panel includes the following experts:

  • John Leyden, security reporter, The Register
  • Professor Steve Schneider, director, Surrey Centre for Cyber Security
  • Professor Tim Watson, director at University of Warwick’s cyber security centre
  • Alex van Someren, managing partner at Amadeus Capital Partners
  • Paul Vlissidis, director of .trust at NCC Group