2016 Reality: Lazy Authentication Still the Norm — Krebs on Security

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Never mind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic-looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

New Google Chrome Extension Lets You Filter Donald Trump From Your Internet – US News

A new Google Chrome extension lets you remove mentions of Donald Trump from your browsing experience.

Trump Filter scans websites for references to the Republican presidential candidate, showing a blank void in the place of Trump-related content.

“I am doing this out of a profound sense of annoyance and patriotic duty,” the extension’s creator, Rob Spectre, writes on the Trump Filter website. “[I was not] put up to this by the Republican or Democratic Parties, the Obama Administration, my mother or any other possible sphere of influence.”

Trump Filter’s code is open source and can be modified on GitHub.


Beyond iTunes: XML boffins target sheet music • The Register

One of the world’s oldest and most successful “standards” – so standard in fact that western musical notation is simply called standard notation – does not yet have a standard way to be displayed on the web.

But a W3C group formed earlier this year, in the summer of 2015, hopes to change that.

The Music Notation Community Group consists of representatives from some of the biggest names in the music notation software business who’ve come together to create a standardised way to display western music notation in your browser.

The group is off to a strong start, having set out a list of what it believes are achievable goals in the next six to 12 months. However, don’t look for the W3C to endorse MusicXML, as the proposed standard is known.

Community groups like the Music Notation group are not officially part of the W3C, so the W3C has not yet endorsed the group’s efforts. The community groups are more of a starting point. That said, other community groups like the Responsive Images Community Group have managed to get their standards not only written but adopted by web browsers.

The MusicXML format is already a de facto standard. According to MakeMusic, “it has been adopted by well over 200 applications, including nearly all the major web, desktop, and mobile notation programs.” If you’ve ever used Soundslice, you’ve likely seen MusicXML in action. Soundslice even offers an amazing (and free) MusicXML Viewer.

But standardising the XML format and markup is only half the problem of getting standard notation online. The other half of the problem is displaying the actual notes in the browser.

Getting the notes on your screen requires extending Unicode with something the Steinberg company created, dubbed Standard Music Font Layout or SMuFL, for short. No, it’s not a long-lost Smurf relative, it’s a specification that describes how note symbols get mapped to codes within a score. SMuFL was created by Daniel Spreadbury, now at Steinberg, which has transferred governance of SMuFL to the new W3C Music Notation Community Group.


Do Dogs Know Other Dogs Are Dogs? – Scientific American Blog Network

Does a dog know, merely by sight, that an approaching being is a fellow dog? Before you answer, remember this: Canis familiaris is the least uniform species on the planet. Members of this species come in a wide range of body shapes and sizes, from itty bitty teeny weeny to absolutely ginormous. Adult members of this species appear as tight little packages, huge weightlifters, lean ballerinas, elongated hotdogs and everything in between.

Does a Pug look at an Afghan Hound and say to themselves, “Hello, dog!” or does a Pug look at an Afghan Hound and say, “WHAT IN THE WORLD ARE YOU?” and only after olfactory investigation (smelling) does the Pug realize, “Oh my goodness. How silly of me. You’re a dog. Sorry for the confusion, my large, long-snouted compatriot.”

A number of researchers have essentially wondered what Pugs think of Afghan Hounds. They wondered: are dogs able to identify other dogs solely by appearance? If olfactory cues are taken out of the equation, would a dog still know another dog when he sees one?

A team of researchers based in France took on this question, publishing their findings in Animal Cognition in 2013. Nine companion dogs joined as study subjects. They all had basic training and extensive experience with both dogs and people, and notably, the participants weren’t uniform in appearance — two were purebred (Border collie and Labrador), and the rest were mutts. Below are the study subjects in all their photographic glory (while they are all my favorites because they are dogs, I vote Cusco winner of Best Eyeliner and Best Ears, while Babel, Cyane and Sweet tie for Most Photogenic).

Even so, the study suggests that despite their wackadoodle appearances, dogs can identify other dogs by sight alone. Dogs seem to have a sense of who (or at least which images) falls in the category of “dog” and who does not. Exactly which features dogs use when tuning into “dog,” though, the current study can’t say. They offer that as a natural next step in the research.


Coding Styles Survive Binary Compilation, Lead Investigators Back to Programmers

Researchers from three universities and the US Army Research Laboratory have created a machine learning algorithm that can accurately detect code written by different programmers, even if the code has been compiled into an executable binary.

Previously, the same researchers managed to put together a similar algorithm that would identify different programmers based on their coding style (code stylometry).

This research continues their previous work and expands the algorithm to support cases where the source code isn’t accessible, and has been compiled into an executable binary.

De-anonymizing programmers may halt the creation of controversial software.

By providing a proof-of-concept in their paper, the researchers are sounding the alarm on situations where programmers may not want to associate their name with controversial software.

The algorithm developed by the researchers uses as training data source-code samples (compiled into binaries) from 600 programmers who participated in the Google Code Jam competition.

Because all programmers had to implement the same functionality, but each did so in their own way and with a coding style unique to them, the algorithm learned to distinguish different coding styles after decompiling the executable binaries (a process that, contrary to common belief, does not produce fully readable source code).

The algorithm has a high de-anonymization accuracy

According to the researchers, the algorithm managed to de-anonymize executable binaries written by 20 programmers with an accuracy of 96%, after the machine learning classifier was trained on only 8 executable binaries per programmer.

After analyzing binaries from all 600 programmers, researchers reported a 52% accuracy, which is more than acceptable for an algorithm that was only recently created, and hasn’t seen years of development.

“Stripping and removing symbol information from the executable binaries reduces the accuracy to 66%, which is a surprisingly small drop,” says Mrs. Caliskan-Islam, one of the researchers. “This suggests that coding style survives complicated transformations.”

The researchers also concluded that the de-anonymization accuracy goes up if the programmer is more skilled, since advanced programmers often create their own style of coding, very distinct from scholastic, standard approaches.

Researchers said that when the algorithm was tested on GitHub repositories, it managed to achieve a 62% de-anonymization accuracy. They did say that the algorithm is quite useless in collaborative projects where multiple programmers contribute to the same source code.


Model predicts ‘shelf life’ for library, archival collections — ScienceDaily

Heritage scientists at UCL have developed demographic models of decay and loss to predict when a large library or archival collection might age beyond repair.

Lead author, Professor Matija Strlic (UCL Institute for Sustainable Heritage) explained: “Although some library materials might easily survive thousands of years, some have internal clocks triggering faster decay. Using the demographic models we can now easily predict how much more degradation will be induced by a hotter and more humid climate in the future, and perhaps more importantly, how this can be mitigated.”

The three part report ‘Damage Function for Historic Paper’ published in Heritage Science explores what makes an historical paper unfit for use, the degradation of historical documents due to handling, and how heritage resources can be managed and stored with more economical and environmental sustainability.

The team developed an equation describing how the length of cellulose, the dominant macromolecule in paper, decreases with time depending on the acidity of paper and the environmental conditions during storage. Another model described how wear and tear accumulates with instances of reading of a book or an archival folder.

The scientists looked at more than 600 historic documents from all over Europe to arrive at a general demographic model describing how aging progresses and fitness is lost. Professor Strlic said: “We considered a heritage collection as a population of people and used census methods and aging models to predict how a large library or archival collection might age beyond repair.

“In relation to the outcomes of the recent COP 21 climate change conference in Paris, the projected average increase of 2 degrees centigrade in the global climate will increase the rate of degradation of some heritage collections by around 50%, and a 4 degrees centigrade increase would halve their lifetime. We can either pump more energy into indoor climate control, which is evidently unsustainable, or use our demographic models to improve collection conservation and reduce energy use at the same time.”

In addition to looking at the wear and tear of historic paper the reports also looked at the public’s perception of the documents’ fitness for use. Almost 800 members of the public in the UK, the Netherlands and the US were surveyed on what aging and damage to heritage collections meant to them. Only 10% of those asked believe it is necessary for collection items to remain in a usable state for more than 500 years and about 50% think 100 years is enough. The level of acceptance of degradation was dependent on whether the object had an historical or personal value.

Professor Strlic added: “The public can be quite forgiving, and they often consider that if there are signs of degradation these are signs of the ‘good life’ the object has had.”

Nancy Bell, Head of Collection Care for the National Archives, UK said: “We have shown that it is possible to optimise the preservation of a collection while reducing energy consumption, and meeting carbon reduction targets. Using the developed demography models we can manage heat and humidity more smartly during long-term storage.”

[Asking the public about life times for documents may be interesting but it is not useful. The public does not use historic documents and rarely has an understanding of the issues involved in historic research.]


‘Spectre’ villain fails neuroanatomy in latest Bond film — ScienceDaily

James Bond’s nemesis in the most recent film likely failed neuroanatomy, said real-life neurosurgeon and scientist Dr. Michael Cusimano of St. Michael’s Hospital.

Ernst Stavro Blofeld, played by Christoph Waltz, tortured the famed hero using restraints and a head clamp system fused with a robotic drill, intending to first inflict pain and then erase 007’s memory bank of faces.

But Blofeld didn’t quite know his brain anatomy and would’ve probably hit Daniel Craig’s vertebral artery and likely killed his character instead, said Dr. Cusimano.

“Aiming to erase Bond’s memory of faces, the villain correctly identified the lateral fusiform gyrus as an area of the brain responsible for recognizing faces,” said Dr. Cusimano. “But in practice, the drill was placed in the wrong area, where it likely would have triggered a stroke or massive hemorrhage.”

“Although the filmmakers identified the correct part of the brain thought to be involved in the recognition of faces, the placement of the drill was incorrect,” wrote Dr. Cusimano. The lateral fusiform gyrus is located in the temporal area just in front of the left ear; however, Blofeld aimed the drill just below and behind the left ear, where the vertebral artery and bones of the neck are located.

“In terms of today’s precision brain surgery, the villain was nowhere near the brain,” said Dr. Cusimano.


Seller Dodges Adobe’s Wrath in Software Saga

Clarifying copyright law’s “first-sale doctrine,” the Ninth Circuit held Wednesday that Adobe Systems didn’t meet its burden of proof in a lawsuit claiming copyright and trademark infringement.

The software giant sued Joshua Christenson and his company Software Surplus in 2009, claiming that Christenson sold Adobe software – which he purchased from a third-party distributor – on his website without Adobe’s authorization and infringed Adobe’s copyrights and trademarks in the process.

A federal judge found for Christenson on both the copyright and trademark claims, holding that Adobe could not prove that “it merely licenses and does not sell” the relevant software and that Adobe’s trademark claim was barred by Christenson’s fair-use defense.

The Circuit’s three-judge panel affirmed the ruling, finding that “in the face of an otherwise slam-dunk copyright violation,” Christenson successfully shifted the burden of proof to Adobe under the first-sale doctrine.

The doctrine provides that once a copy of a work is lawfully sold or transferred, the new owner has the right to sell or otherwise dispose of that copy without the copyright owner’s permission.

Writing for the panel, Circuit Judge Margaret McKeown said in the 21-page opinion that “broadly construed, the licensing exception in the software context could swallow the statutory first-sale defense.”

“We have recognized, however, that some purported software licensing agreements may actually create a sale,” she said.

In a case like this one, McKeown said “the party asserting the first-sale defense bears the initial burden of satisfying the statutory requirements,” and that party must therefore show ownership through lawful acquisition.

She said that for the purposes of this case, this means that “the party asserting a first-sale defense must come forward with evidence sufficient for a jury to find lawful acquisition of title, through purchase or otherwise, to genuine copies of the copyrighted software.”


Liquid salts deliver drugs through the skin with enhanced efficacy, reduced toxicity — ScienceDaily

Formulating drugs as liquid salts may provide a safe and efficient strategy for topical delivery of drugs that cause skin toxicity. A team of researchers from the University of California, Santa Barbara (UCSB) in Santa Barbara, CA has demonstrated a novel formulation of propranolol as a liquid salt which enables delivery through skin with reduced toxicity. The report appears in the December 2015 issue of the journal TECHNOLOGY.

Skin toxicity remains a major challenge in the design and use of new topical drug formulations. Many drugs must be dissolved in organic solvents which are typically toxic to the skin. In addition, many drugs such as propranolol itself show dose-dependent skin toxicity. Formulating drugs as liquid salt mitigates both sources of toxicity. Given their fluid nature, liquid salts eliminate the necessity of organic solvents. In addition, counter ions used to form the liquid salts shield the drug charge, which further reduces drug-induced toxicity.

“Propranolol is positively charged, which is a likely source of its toxicity. Shielding of this charge by association with a counter species in the liquid salt reduces its toxicity. These findings are broadly applicable to many charged drugs,” says Professor Samir Mitragotri, Ph.D., of the University of California, Santa Barbara and senior author of the paper.


Marijuana derivative reduces seizures in people with treatment-resistant epilepsy: New open-label trial of prescription cannabidiol shows overall safety, efficacy — ScienceDaily

Cannabidiol (CBD), a medical marijuana derivative, was effective in reducing seizure frequency and well-tolerated and safe for most children and young adults enrolled in a year-long study led by epilepsy specialists at NYU Langone Medical Center.

These latest findings provide the first estimates of safety, tolerability and efficacy of prescription CBD in children and adults with severe, highly treatment-resistant epilepsy. Led by Orrin Devinsky, MD, professor of neurology, neurosurgery, and psychiatry and director of the Comprehensive Epilepsy Center at NYU Langone, the study is published in the December 23 issue of Lancet Neurology. While early findings have been released at medical meetings — including the 2015 American Academy of Neurology conference — these are the first findings from the trial to be published in a peer-reviewed journal.

The study took place at 11 epilepsy centers across the country. Patients were given the oral CBD treatment Epidiolex over a 12-week treatment period. Results showed a median 36.5 percent reduction in monthly motor seizures, with the median monthly frequency of motor seizures falling from 30 motor seizures a month at the study’s start to 15.8 over the 12 weeks. Equally important, CBD was shown to have a sufficient safety profile and was well-tolerated by many patients, despite some isolated adverse events.

“We are very encouraged by our trial results showing that CBD was safe and well-tolerated for most patients, and that seizures dropped significantly,” says Devinsky. “But before we raise hopes for families who regularly deal with the devastation of treatment-resistant epilepsy, more research, including further studies through our ongoing randomized controlled trial, are needed to definitively recommend CBD as a treatment to patients with uncontrolled seizures.”