UNM4SK3D: FCC, WhatsApp, and GiftGhost

#privacyrules

Ladies and gentlemen, start your VPNs. As of March 28th, the House of Representatives and the Senate agreed to repeal the FCC’s recent privacy rules. And while those rules still need President Trump’s likely signature, many are rushing to Google ‘Private network how-tos,’ with VPN subscriptions in the US surging by 239% since Tuesday.

Admittedly, privacy is a sensitive topic and one many are worried about, but before we all reach mass panic, let’s look at the facts. Congress didn’t pass any new laws on broadband privacy. They simply repealed an Obama-era rule that hadn’t gone into effect yet. The repealed privacy rules aren’t the only protections against misconduct by your internet provider, and they aren’t even the FCC’s only means of cracking down. So, in the immediate future, it’s really more of the same. What is cause for worry, is what can happen later on. The Congressional Review Act doesn’t just terminate these pending privacy rules, but also prevents the agency from creating similar privacy protections down the line.

Carriers are getting the chance to tie your online activities closer to your real identity, drawing on the name and address you gave when you signed up for service. It’s a signal to service providers that if they want to bolster their ad business with consumer data, the FCC won’t stop them. That means ISPs are getting the opportunity to challenge Google and Facebook’s current stranglehold on the marketplace. Some predict the shift could also have profound consequences for the structure of the internet. Civil liberties groups fear that could lead to the repeal of rules prohibiting the FTC from regulating common carriers or ISPs. The common carrier classification of ISPs was used to impose net neutrality rules imposed by the FTC.

“Privacy advocates, like those at Fight for the Future see the the weakening of privacy rules as having a domino effect putting net neutrality into the legislative crosshairs of Republicans who see the FCC regulatory oversight of ISPs as too broad. With the rollback, ISP privacy enforcement moves from the FCC to the FTC,” reports The Verge.

61% said they believed the rollback of ISP privacy provisions makes it more challenging for them to protect business data -A study of 320 IT professionals by Spiceworks

Want a marketer’s perspective on these new rules? Read ‘OverTurning FCC Privacy Ruling’ in the blog.

#backdoor

In wake of last week’s terror attack in London, the UK Government is demanding a backdoor for encrypted services after their investigation into the attack uncovered the killer, Khalid Masood, was active on WhatsApp just minutes before he attacked Britain’s Houses of Parliament in Westminster and killed four people.

The Government has gone as far as to accuse technology firms of giving terrorists “a place to hide,” saying Intelligence Agencies must have access to encrypted messaging applications to prevent future attacks. If your immediate thought was, ‘Am I having Deja Vu?’ the answer is yes. Back in 2015, the US Justice Department made a similar move after the San Bernardino terrorist attack, demanding Apple to write code that could help them unlock an iPhone belonging to one of the terrorists.

Once again, these incidents have highlighted a clash between national security and digital privacy. True end-to-end encryption can’t be intercepted in transit, at least not without the sender or recipient noticing. And, in order to reach a quick solution, Amber Rudd, the UK home secretary, was due to meet some of the biggest tech companies on Thursday to tell them they must do more to tackle extremism and terrorism. Rudd proposed access to encrypted messaging services, with many experts saying her demands simply won’t work. The “decrypt and disclose on due demand” regulations that apply to industries like online banking and mobile telephony don’t apply to services like WhatsApp.

It used to be that people would steam-open envelopes or just listen in on phones when they wanted to find out what people were doing, legally, through warranty. But on this situation we need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp -Amber Rudd

To dig deeper on this topic, read ‘Encryption Software and Combatting Cyber Crime.’

#botnet

You’ve heard of the Ghost of Christmas Past, but now there’s GiftGhost, a botnet which is much scarier than any ghost from another life. This recently discovered bot is able to check more than 4 million giftcards per hour in search of cards with active balances.

Discovered by researchers at Distil Networks, GiftGhost is causing a major headache for retailers as it has managed to hit nearly 1,000 websites to date and is still active. “The websites of retailers all over the globe are targets. Gift cards are usually associated with a particular company and can be used to purchase any item sold by that company. Any website with gift card processing capability, including checking your gift card balance or replenishing funds, is a potential target,” the security firm shares. The bot works using token cracking attacks where automation is leveraged to test a list of potential account numbers and request the balance. When such a balance is provided, the attacker knows that the account number exists and contains funds. Distil Networks classifies GiftGhostBot as an Advanced Persistent Bot (APB), because it has many capabilities. The bot rotates user-agent strings to hide its identity and is heavily distributed across various hosting providers and data centers worldwide.

Bot operators can use the information they obtain to purchase goods, or they can sell the accounts on the Dark Web. In addition to stealing user’s funds, the bot can cause site downtime. While retailers shouldn’t be blamed for these attacks, they can avoid them by implementing a CAPTCHA on the page where consumers check their balances, by keeping an eye on their traffic to determine if they are targeted, and by limiting the number of requests on gift card pages. Consumers are advised to always keep track of their balance and to not leave money unused.

We detected on average 6,400 unique fingerprints per hour. Because the device fingerprint is more accurate than an IP address and user agent, you see the average number of user agents detected were higher at 6,500 per hour, and that IP addresses were detected at an average rate of 29,000 per hour. All of these numbers indicate that the bot was distributing itself widely and trying to hide -Distil researcher

If bots have your brain on overload, check out ‘Understanding How Botnets Work.’

#factbyte

Around one-in-five online adults indicate they are not sure how to identify the most secure password from a list (17%), how to identify multi-factor identification (18%) or whether public Wi-Fi is safe for sensitive activities (20%), according to a new Pew Research Study.

#certspotlight

The primary reason websites are hacked is because they present a large attack surface. A web app, more specifically, is a client–server software application in which the client (or user interface) runs in a web browser.

Typically, developers are working under cost constraints where the priority is to ship product, rather than to ensure it is secure. In this case, security is an afterthought.

The Web App Security Fundamentals Micro Certification requires that you have a basic understanding of Linux and are comfortable using the command line. It’s a very hands-on course with labs included in each module. Throughout the material, we examine packet responses in the form of HTML status codes. The importance of packets in web app exploits are discussed concerning hidden HTML form fields and how apps are tricked into giving up sensitive info via packet manipulation.

This issue of UNM4SK3D was originally posted on the Cybrary.it blog and has be republished with permission. To access the original version, click here.

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

Show your support

Clapping shows how much you appreciated Olivia Lynch’s story.