Dirty tricks during political campaigns are nothing new, but the Internet and the proliferation of mobile devices have allowed tricksters to up their games a notch. It came to light last week, for example, that Donald Trump's campaign app was hoovering the address books on his supporters' phones.
Trump's app wasn't doing anything illegal. It wasn't even trying to hide what it was doing. The app seeks the user's permission to download all contacts before it does so. However, both the ACLU and the Electronic Privacy Information Center have rapped the practice.
Asking for more permissions for an application than are necessary for the app to function is common among mobile apps. The classic example is the flashlight app that seeks permission to access the address book on a phone. Why would a flashlight app need address book access to function?
Nevertheless, impatient users often give overreaching apps the green light for such activity.
Too Many Permissions
"Users do not pay much attention to what apps are asking for," said Slawek Ligier, vice president for security engineering at Barracuda Networks.
"They're used to being asked for three, four, five permissions before they can use something, so the majority of users just click OK so they can get on with their lives," he told TechNewsWorld. As a result, "apps have a tendency to ask for way more permissions than they really need to provide the service that they're built for."
For the most part, developers aren't trying to be malicious with their permission grabs, Ligier maintained. They just might be planning for the future.
For example, when they were introduced, banking apps requested permission to use a device's camera -- even though those early apps had no use for the camera. Eventually, the banks took advantage of the camera to let users deposit checks into their accounts, so the camera permission was pertinent to the software's functionality.
"Developers would rather ask for permissions now than later," Ligier said.
Trump Mule Scams
Information-hungry apps aren't the only tech tools targeting the body politic during election years. There typically are a number of scams that accompany events dominating the news.
In the current cycle, scammers are using Donald Trump's name to attract people to "get rich while working at home" schemes, Ligier noted. Those scams usually seek to enlist people to be "money mules" for online bandits outside the U.S.
Other cons try to steer a candidate's supporters to a website that infects their computers with malware. One such scheme used a headline about Hillary Clinton giving money to ISIS. When curious readers clicked on the link to the story, they were sent to a website that planted a remote access trojan on their computer. RATs allow hackers to take control of computers remotely.
Several scams with a political twist found their way to Brad Bussie, director of product management at Stealthbits Technologies. One was a solicitation from a Republican Party organization asking for a donation -- plus his Social Security number.
"A huge red flag should go up anytime an organization calls you and asks to verify any type of personal identifiable information," he told TechNewsWorld.
Voter Info Scam
Another pitch came from a company purportedly conducting a phone survey about the election, Bussie recalled. For taking the survey, participants would be rewarded with a trip to the Bahamas.
"How could a survey company offer everyone that takes a survey a trip to the Bahamas?" he asked.
A phishing email that appeared to come from Bussie's state government asked him to update his voter information.
"The link looked legitimate in the email -- but once I looked at the link in more detail, it would have redirected me to a site that had a different URL but similar looking background to the real site," he said. The site wanted not only his personal information, but also common passwords he might be using for other sites.
"Many people who are scammed will enter three to five different passwords, thinking that they simply forgot what the password they used might have been before clicking on the 'I forgot my password link,'" he said.
Clicking on the I-forgot-my-password link on the bogus state site took Bussie to a "server not found" page.
Visa Waiver Controversy
A proposed change in the information gathered from people seeking to enter the United States without a visa has created a stir in some privacy circles. The proposal would add questions about the applicant's social media activity to the visa waiver request form.
Answering the questions would be optional, and the information provided by the applicant would be used only to vet the application, according to a U.S. Customs and Border Protection notice published in the Federal Register.
"Collecting social media data will enhance the existing investigative process and provide [the Department of Homeland Security] greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case," the notice explains.
Since submitting social media information is optional, the proposal appears to be relatively benign, but not everyone sees it that way.
Chilling Expression
The proposal would chill expression by both foreign nationals entering the United States and U.S. citizens, maintained the Center for Democracy and Technology.
The social media information could be used not only to submit foreign nationals to "unspecified review and monitoring of their public online activity," but also to increase surveillance of U.S. citizens who might be connected to those nationals, CDT noted in comments submitted to CPB last week.
"This proposal would move the world of security theater online," warned Emma Llansó, director of the CDT's Free Expression Project. "Not only would the program be unnecessarily invasive -- it would also be incredibly ineffective and expensive."
If the data can be used effectively and without violation of individual rights, however, collecting it can make sense, noted Daniel Castro, director of theCenter for Data Innovation.
"This could be useful, so we should allow [CPB] to experiment with this data," he told TechNewsWorld.
DHS can not determine whether it could use social media data as an effective method of screening travelers unless it first conducts a pilot program, Castro noted in comments submitted to CPB.
It would be prudent for DHS to proceed with the data collection in order to study the merits of such an effort, he continued, but it should refrain from using the data on a widespread basis until it can verify that it has produced a system that delivers beneficial results.
Breach Diary
- August 22. Epic Games announces its Unreal Engine and UnrealTournament forums have been put in maintenance mode while it investigates the compromise of data at the sites. The data breach could affect more than 80,000 users, according to one report.
- August 23. GTAgaming, the website operated by the makers of the popular Grand Theft Auto game franchise, announces it is resetting the passwords of all users of the site due to the compromise of its forum database.
- August 23. Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner release joint report finding information security safeguards of infidelity website Ashley Madison were insufficient or absent at time hackers stole account information of 32 million users of the site.
- August 24. DCNS, a French submarine maker, announces it may have been the target of "economic warfare" after an Australian newspaper publishes documents containing details of six submarines DCNS is building for the Indian Navy.
- August 24. LeakedSource.com posts to its website databases pertaining to more than 25 million accounts associated with Internet giant Mailru. The databases were stolen from three game-related forums by two hackers in July and August, according to ZDnet.
- August 24. Funcom announces it is resetting the passwords of users of its AgeofConan.com, AnarchyOnline.com, LongestJourney.com and TheSecretWorld.com forums after it discovered data associated with those sites had been compromised.
- August 25. Apple releases iOS 9.3.5 to address vulnerabilities that allow hackers to read text messages and emails, track calls and contacts, record sounds, collect passwords, and trace the whereabouts of a device's operator.
- August 25. An apparent data breach at Active Network in Texas forces fish and wildlife services in Oregon, Washington, Idaho and Kentucky to suspend online sales of hunting and fishing licenses and tags.
- August 25. After receiving alerts from the U.S. Secret Service, Millennium Hotels and Resorts North America and Noble House Hotels and Resorts confirm point-of-sale systems at their properties were compromised.
- August 25. Five years after the accounts of 77 million PlayStation Network users were compromised, Sony deploys two-factor authentication on the network.
- August 26. Dropbox alerts users it is resetting all passwords that haven't been changed since 2012. Credentials from a 2012 data breach at Dropbox are being offered for sale by a hacker on the Internet, according to Motherboard.
- August 26. Opera alerts its users that it's resetting all passwords for its sync system following its discovery earlier in the week that the system was breached by attackers.
Upcoming Security Events
- Sept. 6. 2016 Threat Analysis: Learning from Real-World Attacks. 10 a.m. ET. Webinar by SecureWorks. Free with registration.
- Sept. 6. Experts show how hackers perform Web attacks that kill your site ranking. 11 a.m. ET. Webinar by Symantec and Imperva Incapsula. Free with registration.
- Sept. 6. From Passive to Aggressive: Taking a Surgical Approach to Security Operations. Noon ET. Webinar by Raytheon Foreground Security. Free with registration.
- Sept. 7. FTC Fall Technology Series: Ransomware. 1 p.m. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
- Sept. 7. Shut the Traps: Take the Win out of Recon for an Attacker. 6 p.m. ET. Webinar by Sibertor Forensics. Free with registration.
- Sept. 7-8. International Cyber Security & Intelligence Conference. Ontario College of Management and Technology, 510-240 Duncan Mill Rd., Toronto, Ontario, Canada. Registration: students, US$400.01; others, $700.
- Sept. 8. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Cincinnati, Ohio. Registration: conference pass, $195; SecureWorld plus, $625; exhibits and open sessions, $30.
- Sept. 10. B-Sides Augusta. J. Harold Harrison MD, Education Commons, 1301 R.A. Dent Blvd., Augusta, Georgia. Tickets: $20.
- Sept. 13. Tarleton School of Criminology Cyber Security Summit. George W. Bush Institute, 2943 SMU Blvd., Dallas. Registration: $149.
- Sept. 13. How Today's Financial Institutions Are Overcoming Fraud. 10 a.m. ET. Webinar by Iovation. Free with registration.
- Sept. 13. DDoS Fossils to Future: A Brief History and What to Expect. Noon ET. Webinar by Arbor Networks. Free with registration.
- Sept. 13. Intelligent Authentication Conference. Palace Hotel, 2 Montgomery St., San Francisco, California. Registration: $799.
- Sept. 13-16. HPE Protect 2016. Gaylord National Resort and Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: through Sept. 12, $1595; Sept. 13-16, $1795; public sector, $797.50.
- Sept. 14-15. SecureWorld Detroit. Ford Motor Conference and Event Center, 1151 Village Rd., Dearborn, Michigan. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Sept. 15. Preventing Online Fraud with Identity Insights and Device Intelligence. Webinar by Iovation. Free with registration.
- Sept. 15. B-Sides St. John's. Capital Hotel, 208 Kenmount Rd., St. John's, Newfoundland, Canada. Free with registration.
- Sept. 17. B-Sides St. Louis. Moolah Shrine, St. Louis, Missouri. Free.
- Sept. 19-21. Iovation Presents Fraud Force "Fast Forward." Portland Armory, 128 NW Eleventh Ave., Portland, Oregon. Tickets: $495.
- Sept. 21. New York Cyber Security Summit. Grand Hyatt New York, 109 E. 42nd St., New York, New York. Registration: $250.
- Sept. 26-28. The Newport Utility Cybersecurity Conference. Pell Center and Ochre Court, Salve Regina University, Newport, Rhode Island. Registration: before July 26, $1,200; after July 25, $1,600.
- Sept. 27. Prevent Account Takeover (without Making Customers Hate You). 10 a.m and 1 p.m. ET. Webinar by Iovation. Free with registration.
- Sept. 27-28. SecureWorld Dallas. Plano Centre, 2000 E. Spring Creek Pkwy., Plano, Texas. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Sept. 29-30. B-Sides Ottawa. RA Centre, 2451 Riverside Drive, Ottawa, Canada. Free with registration.
- Oct. 5-6. SecureWorld Denver. Colorado Convention Center, 700 14th St., Denver. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Oct. 7-8. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Del. Free.
- Oct. 8. B-Sides Denver. SecureSet, 3801 Franklin St., Denver. Free, but tickets limited.
- Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Non-member, $925; single day, $500; student, $80. Oct. 14-16. B-Sides Warsaw. Panstwomiasto, Andersa 29, Warsaw, Poland. Free.
- Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.
- Oct. 18. IT Security and Privacy Governance in the Cloud. 1 p.m. ET. Webinar moderated by Rebecca Herold, The Privacy Profesor. Free with registration.
- Oct. 18-19. Edge2016 Security Conference. Crowne Plaza, 401 W. Summit Hill Drive, Knoxville, Tennessee. Registration: before Aug. 15, $250; after Aug. 15, $300; educators and students, $99.
- Oct. 18-19. SecureWorld St. Louis. America's Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Oct. 20. Los Angeles Cyber Security Summit. Loews Santa Monica Beach Hotel, 1700 Ocean Ave., Santa Monica, California. Registration: $250.
- Oct. 20. B-Sides Raleigh. Marbles Kid Museum, 201 E. Hargett St., Raleigh, N.C. Registration: $20.
- Oct. 27. SecureWorld Bay Area. San Jose Marriott, 301 S. Market St., San Jose, California. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- Nov. 1-4. Black Hat Europe. Business Design Centre, 52 Upper Street, London, UK. Registration: before September 3, Pounds 1,199 with VAT; before Oct. 29, Pounds 1,559 with VAT; after Oct. 28, Pounds 1,799 with VAT.
- Nov. 9-10. SecureWorld Seattle. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295; Oct. 1- Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.
No comments:
Post a Comment