Tag Archive for: Won’t

US won’t prosecute ‘good faith’ security researchers • The Register


The US Justice Department has directed prosecutors not to charge “good-faith security researchers” with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

Good-faith, according to the policy [PDF], means using a computer “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.”

Additionally, this activity must be “carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The update clarifies that conducting security research for the purposes of finding flaws in devices or software, and then extorting the owners, “is not in good faith.”

Hopefully, the policy changes will make security researchers’ lives less stressful

“Computer security research is a key driver of improved cybersecurity,” stated Deputy Attorney General Lisa Monaco. “The Department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The new policy clarifies the CFAA’s language prohibiting access to a computer “without authorization,” wording that has long been criticized by security researchers and some lawmakers for not defining what the term means. Anyone charged with violating the law can face a lengthy prison term.

Critics of the CFAA often point to the death of Aaron Swartz, who died by suicide in 2013 after federal prosecutors charged him under the computer-fraud law for…

Source…

Prosecutor won’t charge reporter who uncovered database flaw



ST. LOUIS, Mo. – A Missouri prosecutor will not charge a journalist who exposed a state database flaw. The flaw he discovered allowed public access to thousands of teachers’ Social Security numbers. The Governor had ordered a criminal investigation into the journalist.

The Database Flaw

In October of 2021, the State shut down the Missouri Department of Elementary and Secondary Education webpage. It happened after a St. Louis Post-Dispatch reporter uncovered a security flaw that could have exposed teachers’ sensitive information.

State officials say someone took the records of at least three educators, unencrypted the source code from the webpage, and viewed the Social Security numbers of those specific educators.

The St. Louis Post-Dispatch reported it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.

The newspaper held off publishing a story about the flaw until the state fixed it.

The Investigation into the Database Flaw

Governor Parson announced a criminal investigation in October of 2021. He alleged the newspaper journalist was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”

Democratic state Rep. Ashley Aune, of Kansas City, accused Parson of a “smear campaign” against the Post-Dispatch journalist when it was Parson’s administration that stored the private information and left it unprotected.

“This fiasco perfectly illustrates why Missouri needs to get serious about confronting 21st century cyberthreats,” Aune said.

Aune helped write a section of Senate Bill 49 that created the Missouri Cybersecurity Commission.

The Post-Dispatch released a statement in which it said the reporter in question did the right thing by reporting the issue.

“A hacker is someone who…

Source…

Virgin Media just won’t take no for an answer, NFT apes, and bad optics • Graham Cluley


Smashing Security podcast #256: Virgin Media just won't take no for an answer, NFT apes, and bad optics

After a brief discussion of the Log4Shell vulnerability panic, we discuss how Virgin Media has got itself into hot water, a fat-fingered fumble at the Bored Ape Yacht Club, and how to hack around your girlfriend’s facial recognition.

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Hosts:

Graham Cluley – @gcluley
Carole Theriault – @caroletheriault

Guest:

Mark Stockley – @markstockley

Show notes:

Sponsor: 1Password

The first annual 1Password “State of Access” benchmark study illuminates the grave dangers unwittingly posed by checked-out, apathetic employees — including security professionals.

Burned-out employees are 3 times more likely to say security rules and policies “aren’t worth the hassle,” and nearly half of burned-out security professionals say it’s unrealistic for companies to be aware of and manage all apps and devices that employees use.

Read the report and find out what you can do at 1password.com/resources

Sponsor: Uptycs

Uptycs is a cloud-native security analytics platform built to protect the modern attack surface.

Uptycs zeros in on the blind spots that are preventing you from rapidly identifying and responding to existing threats and vulnerabilities in your ecosystem.

Uptycs normalizes telemetry from across macOS, Linux, Windows, and containers; records system activity for historical investigation even when no alert has fired; and enables you to build complex custom detections in addition to its industry-leading MITRE ATT&CK mapping.

Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform.

Find out more and try it for free at uptycs.com

Follow the show:

Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Source…

Tor2Mine cryptominer has evolved: Just patching and cleaning the system won’t help


Sophos has released new findings on the Tor2Mine cryptominer that show how the miner evades detection, spreads automatically through a target network and is increasingly hard to remove from an infected system. Tor2Mine is a Monero miner that has been active for at least two years.

In the research, Sophos describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials. What happens next depends on whether the attackers successfully gain administrative privileges with the stolen credentials. This process is the same for all the variants analyzed.

For example, if the attackers manage to get hold of administrative credentials, they can secure the privileged access they need to install the mining files. They can also search the network for other machines that they can install the mining files on. This enables Tor2Mine to spread further and embed itself on computers across the network.

Tor2Mine cryptominer can execute the miner remotely and filelessly

If the attackers cannot gain administrative privileges, Tor2Mine can still execute the miner remotely and filelessly by using commands that are run as scheduled tasks. In this instance, the mining software is stored remotely rather than on a compromised machine.

The variants all attempt to shut down anti-malware protection and install the same miner code. Similarly, in all cases, the miner will continue to re-infect systems on the network unless it encounters malware protection or is completely eradicated from the network.

“The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. However, Tor2Mine is much more aggressive than other miners,” said Sean Gallagher, senior threat researcher at Sophos.

“Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures. Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt…

Source…