
Tor-Based Briar Messenger App For Snoop Proof Communication

Tor network based messaging app Briar Enters Beta Stage

With concerns about privacy and data protection at an all-time high, the one thing users crave most is a messaging app that is encrypted and genuinely safe. Quite a few apps have risen to meet this demand by offering end-to-end encryption, but as every avid internet user knows, there is nothing quite like the Tor network when it comes to anonymity on the internet.

Briar clears security hurdle

Briar is the name of this messaging service, which has been developed to run over the Tor network. The app is currently available for Android and is in its beta stage today. As with much free-to-use software, the developers of Briar are in no hurry to give WhatsApp a run for its money, so expect a longer development time but a much better end product.

The team has revealed that they had an independent security audit done on their project by Cure53 – the same organization that has reviewed services such as SecureDrop, Cryptocat, and Dovecot in the past. The security report concluded that Briar for Android provides “an overall good handling of matters linked to security and privacy.” The main aspect of the project – the code that deals with the cryptography – “was found to be exceptionally clear and sound, with no vulnerabilities spotted,” Cure53 said. On a side note, there were bugs detected during the audit, but they are said to have been fixed in the version that has been made available.

Cannot be taken down

The major advantage of using the Tor network is that the network cannot be taken down completely by any entity or government, and Briar sticks to that notion, making it a haven for journalists and activists for whom secrecy is key. Under the hood, Briar uses a peer-to-peer network to relay information rather than central servers. In addition, all messages use forward secrecy and do not contain any metadata. These same properties also make it censorship resistant. By default, the app will use the Tor network to communicate, but in case the network is not accessible, the app can also work over Wi-Fi or Bluetooth.

“Like with many Free Software projects, it will be done when it is done,” said Torsten Grote, one of the app’s developers. “Briar is built as modular as possible. There are two libraries that can be used to build apps on top of them. We definitely want to do a desktop app.”

“An iOS app is trickier because iOS is more closed than Android,” Grote added. “There are heavier restrictions on background services for example that are required for P2P apps. We are currently collecting issues to address for a second beta release. Our private beta testers were mostly worried about two things: battery usage and the ability to add contacts remotely.”

He also noted that the app is designed to be agnostic to the data transport that is used, which means that the developers can switch from the Tor network to something else if a better medium emerges in the future. The Tor Project, meanwhile, has its own messenger app, but that is restricted to Linux, Windows and Mac. Though Briar is a direct competitor to Tor, the developers are said to be on cordial terms. “Our developers know many of the Tor developers and they know us,” Grote said. “We discuss issues like battery usage of Tor on mobile devices and work together to improve that.”

Source: BleepingComputer

How to Protect Your Small Business From Cyber Attacks

When the team at HOUSEsports LLC decided to expand its offerings to sports fans from podcasts to an online platform for sports fans to talk and connect, the co-founders knew cybersecurity was going to be a key metric on which they would have to focus.

“After we had proof of concept and a clean design, our first concern was to protect the entity and the website platform,” Devin Emory, one of the co-founders of HOUSEsports, said.

They decided to go with Meteor, a JavaScript web framework, to build their platform. Not only does the framework work across mobile and web platforms, they were also sold on some of the security features built into the code.

“Meteor’s page rendering engine takes care of escaping special symbols when dealing with data bindings which saves us from very basic XSS attacks,” Emory said.

Cross-site scripting attacks, otherwise known as XSS attacks, inject malicious scripts into otherwise benign or trusted websites, according to Excess XSS. This is one of the most common methods hackers employ to gain access to a server.

Another common form of attack, cross-site request forgery (CSRF), allows an attacker to force a user who is logged in to perform an important action without their consent or knowledge, as defined by Tinfoil Security. These attacks are also not possible in Meteor, as the framework itself is much harder to spoof, Emory said.
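The auto-escaping behaviour Emory credits with stopping basic XSS, shown here as an added illustration rather than Meteor's own rendering code: a data binding in double braces is escaped by default, and raw HTML output has to be requested explicitly with triple braces, the convention Handlebars-style templates use. The function names and the sample comment are constructed for this example.

```javascript
// Added illustration, not Meteor's rendering engine: a minimal template
// renderer whose safe default is to escape every data binding.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// {{name}}   -> escaped (the default the quote describes)
// {{{name}}} -> raw HTML (explicit opt-out; the developer takes responsibility)
// Both forms are matched in a single pass so that raw output containing
// "{{...}}" is not accidentally re-processed as a binding.
function render(template, data) {
  const binding = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(binding, (_, rawKey, escKey) =>
    rawKey !== undefined
      ? String(data[rawKey] ?? '')
      : escapeHtml(data[escKey] ?? '')
  );
}

// Constructed sample input: a comment body as a malicious visitor might submit it.
const HOSTILE_COMMENT = '<img src=x onerror="alert(1)">';

// Render the same untrusted value through the safe and the opt-out binding.
function demo() {
  const safe = render('<p>{{body}}</p>', { body: HOSTILE_COMMENT });
  const unsafe = render('<p>{{{body}}}</p>', { body: HOSTILE_COMMENT });
  return {
    safe,
    unsafe,
    safeHasTag: /<img/.test(safe),     // false: markup rendered as inert text
    unsafeHasTag: /<img/.test(unsafe), // true: markup reaches the browser as-is
  };
}
```

The point for a reviewer is that the escaped form needs no developer action, so the only places to audit are the explicit triple-brace opt-outs.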

The problem is that not all small businesses have the knowledge required to bake in such protections. And while firms in the finance and technology-related industries tend to have a higher awareness of cybersecurity, overall preparedness is still low, experts say.

Small businesses are also at risk

Half of all small and medium businesses have experienced a data breach in the past 12 months, with 55 percent having experienced a cyberattack, according to data from Ponemon Institute’s survey of 598 companies in 2016.

According to the study, these companies spent an average of $879,582 because of damage or theft of IT assets. In addition, disruption to normal operations cost an average of $955,429, said the institute, which conducts independent research on privacy, data protection and information security policy.

Kristin Judge, director of special projects and government relations for the National Cyber Security Alliance said small businesses are not yet sufficiently prepared, but they are listening for the first time.

“Over the past year, I feel like when we are out talking to audiences, the small and medium businesses that didn’t come out before are actually engaging now. They understand that they are under-prepared and are actually paying attention,” she said.

Recent cybersecurity threats, including the U.S. intelligence community’s conclusion that Russia attempted to influence the 2016 U.S. presidential election, and the WannaCry ransomware attack have further raised awareness of the importance of cybersecurity among businesses and individuals.

“As a small business owner and operator, there are so many other things they are managing on a daily basis that it can be easy to overlook and forget that cyber threat is almost a day-to-day, hour-to-hour presence that they have to keep an eye on,” Kaili Harding, president of the Schaumburg Business Association, said.

Businesses cite their top five challenges for growth and survival as growing revenue, increasing profit, managing cash flow, and attracting and retaining qualified employees, according to a study of more than 1,500 businesses in the U.S. and Canada conducted by the Better Business Bureau in September 2016.

Even with a trend of increasing digitalization and cyber incidents, seven out of 10 considered it unlikely that their business will suffer a cyber attack in the next 24 months, according to the report.

“It's definitely adding to an expense that a lot of businesses have not had to deal with in the past 20 or 30 years,” Harding said.

But, she stresses, businesses must be prepared. “The expense on the front end is well worth the time and effort because it gets a lot more expensive once you've been targeted. Not only that, but you could lose your customers' confidence in the company if they feel the company didn't do the most it could to protect the information that they have,” Harding said.

What small businesses can do

At the minimum, companies need to patch their systems, browsers, and plugins on a regular basis, have a firewall in place, ensure that users are using strong passwords, and are doing vulnerability scanning and remediating the findings, however low-level the vulnerabilities seem, Joshua Crumbaugh, founder and CEO of PeopleSec, a cybersecurity firm that offers security awareness training and penetration testing, said.

A vulnerability scanner identifies devices on a network that are open to known vulnerabilities and alerts the user to the weaknesses before they are attacked.

“The biggest thing is if you really have zero information technology expertise and zero information security expertise, which most companies do, you should probably just look at a managed service provider,” Crumbaugh said.

Indeed, this is the most common method employed by small businesses, Judge said.

“I’m very comfortable in suggesting that small and medium businesses use outside vendors that are reputable to handle their cybersecurity because I don’t have any confidence that small and medium businesses are going to be able to afford staff to handle cybersecurity. And there are wonderful companies that can do it at scale to make it more affordable for smaller companies,” Judge said.

The aftermath of a breach

Having a good setup in place is also instrumental to protecting the organization legally.

“If I'm a customer for a retailer and my private information was stolen from their system, it's harder for me to win as an individual in a case against the company if they can show ‘Hey listen we had routine meetings, we have up-to-date insurance, our board always talks to us about these things, we did everything that we could, we maintained our systems and had a plan,’” said Richik Sarkar, litigator and business strategist at McGlinchey Stafford PLLC.

The customer may still have a claim against the business if they can prove actual damages but business owners can fall back on these defenses to protect themselves against individual liability, Sarkar said.

Sarkar also recommended talking with an attorney when reviewing cyber-liability insurance.

“The devil is in the details, when you are looking at all these policies, there may be all sorts of exclusions or riders you need to get, so you need to work with either a really experienced insurance professional or get an attorney to have a look at these policies for you,” Sarkar said.

The benefit of discussing your options with an attorney is that the discussion is privileged.

“If you’re only having that conversation with your insurance company and something happened later on and somebody wanted to attack what you did and how reasonable it was, there’s no privilege between a small business and their insurance company. There is privilege between a small business firm and their attorney,” Sarkar said.

Source: Mindy Tan

Who has Access to Our Connected Car Data & How is it Used?

Today’s cars are complex machines comprised of tens of thousands of interconnected parts. Among those parts are microprocessors, broadband chips and sensors, designed to collect valuable information about the way a connected car operates and how its driver behaves.

All of this information is used to help connected cars function, but is the data utilized for anything else? And who has access to it? Those are important questions to answer, since many drivers are wary about sharing in the first place. A recent CARFAX study revealed that drivers are hesitant to share specific types of info, depending upon who is seeing it. Let’s explore the who, what and why of car data sharing.

What Data Is Collected?

Connected cars have a range of technology features designed to make driving safer and more convenient. Most of these are not standard offerings (buyers must opt for driver-assist packages); however, demand for these features is growing. The CARFAX study showed that while a small percentage of drivers considered driver assist a “must-have” feature in their current car, when they go to buy their next car that demand will grow by 80 percent. Driver override features, such as automatic braking, will see the “must-have” demand increase by 70 percent. The study showed a generally positive view of technology overall, which means more connected cars on the road – and more collected data – in the future.

Depending on the car technology features you have, the data your car collects is used to help you avoid heavy traffic, stay in your lane, maintain a safe distance between vehicles, increase fuel economy and quickly notify 911 if you’re in an accident. However, that might not be all.

In 2015, the Fédération Internationale de l'Automobile (FIA), which represents auto and motoring clubs across the globe, conducted independent research to gauge how much information new vehicles are able to collect and share. Researchers found that the information gathered included driver profiles, vehicle location, maintenance details and trip length. Moreover, synced smartphones (think Bluetooth) also supplied manufacturers with personal information, such as contact details.

Who Sees The Data?

At present, all that data stays with the automakers and is not disclosed to third parties. This is good news, since drivers are hesitant to share with specific groups due to privacy concerns. According to the CARFAX study, 56 percent of respondents are not willing to share any data with app companies and 72 percent want to protect their data from advertisers. On the other hand, respondents were more amenable to other third parties: three out of four drivers were willing to disclose some level of data with insurance companies, vehicle manufacturers or law enforcement.

How Is the Data Protected?

Car manufacturers are sensitive to these consumer concerns. In fact, the Alliance of Automobile Manufacturers (Auto Alliance), which represents 12 car manufacturers, has issued automotive privacy principles enacted to reassure car owners about collecting data. The Auto Alliance bases its three hallmarks on such sources as the White House Consumer Privacy Bill of Rights and the Federal Trade Commission.

The three principles are:

  • Transparency: Automakers have pledged to be candid about data collection and promulgation. In particular, owner’s manuals and company websites are two sources where consumers may find policy information.
  • Sensitivity: Utmost care for collecting information is of critical concern to consumers. Indeed, manufacturers say more sensitive information receives heightened protection. Information gathered is for legitimate business purposes only and retained only for as long as it’s needed.
  • Limitations: Only under limited circumstances is information shared with government authorities; however, what those circumstances are and precisely what data gets shared isn’t clear. Consequently, ongoing consumer vigilance is recommended to ensure privacy policies get the job done.

Looking Ahead

Ultimately, connected car technologies serve as a harbinger of what is to come – namely autonomous vehicles. Driverless cars will add a layer of connectivity not employed today, specifically vehicle-to-vehicle (V2V) technology. Truly, V2V will save lives as it keeps autonomous cars from crashing into each other, perhaps overriding whatever public concerns may persist over data sharing.

Source: CARFAX

iPhone 8 tipped for September Launch with a Rear Facing Fingerprint Scanner

New photos of an early iPhone 8 prototype suggest the phone may be the first Apple phone to have a rear fingerprint scanner. Two new photos claiming to show the prototype casing of the iPhone 8 appeared on the Chinese social networking site Baidu, and the biggest change is the appearance of a slot that looks like a hole for a rear-facing fingerprint scanner.

Previously it was rumored Apple wanted to include the fingerprint scanner within the screen for the iPhone 8, so it's interesting Apple has now made prototypes with the Touch ID tech on the rear.

Not long now

Where exactly the photos came from is unclear though, so it may turn out these photos aren't accurate.

Another rumor has suggested the iPhone 8 is on schedule for its rumored September announcement and release date, despite recent reports of a delay for the upcoming phone.

Rod Hall, an analyst at JP Morgan, has said he believes the delay to be real, but that it won't have much of a material effect on sales.

He believes the rumored upgrade to an OLED screen will cause Apple to ramp up production more slowly after the September announcement and release only two million units in that month.

Then, once production has ramped up, Apple will be ready to sell a lot more devices, and the analyst firm expects 42 million devices to be sold before the end of 2017.

The report does suggest the price for the next iPhone will be higher than average though with an expected cost of $1,100 up from the estimated $1,000 as production costs are higher than originally expected.

Source: techradar

Android Backdoor Hack GhostCtrl can Silently Record Your Audio, Video & More!

There are three versions of GhostCtrl. The first stole information and controlled some of the device’s functionalities without obfuscation, while the second added more device features to hijack. The third iteration combines the best of the earlier versions’ features—and then some. Based on the techniques each employed, we can only expect it to further evolve.

What can it do to your android?

  • Clearing/resetting the password of an account specified by the attacker
  • Getting the phone to play different sound effects
  • Specifying the content of the clipboard
  • Customizing the notification and shortcut link, including the style and content
  • Controlling Bluetooth to search for and connect to another device
  • Setting the accessibility to TRUE and terminating an ongoing phone call

The data GhostCtrl steals is extensive, compared to other Android info-stealers. Besides the aforementioned information types, GhostCtrl can also pilfer information like Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.

It can also intercept text messages from phone numbers specified by the attacker. Its most daunting capability is how it can surreptitiously record voice or audio, then upload it to the C&C server at a set time. All the stolen content is encrypted before it is uploaded to the C&C server.

GhostCtrl’s first version has a framework that enables it to gain admin-level privilege. While it had no function codes at the time, the second version did. The features to be hijacked also incrementally increased as the malware evolved into its second and third iterations.

GhostCtrl’s second version can also act as mobile ransomware. It can lock the device’s screen and reset its password, and also root the infected device. It can also hijack the camera, create a scheduled task to take pictures or record video, then surreptitiously upload them to the C&C server as mp4 files.

Mitigation

GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.

But more than its impact, GhostCtrl underscores the importance of defense in depth. Multilayered security mechanisms should be deployed so that the risks to data are better managed. Some of the best practices that information security professionals and IT/system administrators can adopt to secure bring-your-own devices (BYOD) include:

  • Keep the device updated; Android patching is fragmented and organizations may have custom requirements or configurations needed to keep the device updated, so enterprises need to balance productivity and security
  • Apply the principle of least privilege—restrict user permissions for BYOD devices to prevent unauthorized access and installation of dubious apps
  • Implement an app reputation system that can detect and block malicious and suspicious apps
  • Deploy firewalls, intrusion detection, and prevention systems at both the endpoint and mobile device levels to preempt the malware’s malicious network activities
  • Enforce and strengthen your mobile device management policies to further reduce potential security risks
  • Employ encryption, network segmentation and data segregation to limit further exposure or damage to data
  • Regularly back up data in case of device loss, theft, or malicious encryption

Source: Trend Micro