Timesdelhi.com

July 18, 2018
Category archive

Security

Instagram is building non-SMS 2-factor auth to thwart SIM hackers


Hackers can steal your phone number by reassigning it to a different SIM card, use it to reset your passwords, steal your Instagram and other accounts, and sell them for Bitcoin. As detailed in a harrowing Motherboard article today, Instagram accounts are especially vulnerable because the app only offers two-factor authentication through SMS that delivers a password reset or login code via text message.

But now Instagram has confirmed to TechCrunch that it’s building a non-SMS two-factor authentication system that works with security apps like Google Authenticator or Duo. They generate a special code that you need to log in that can’t be generated on a different phone in case your number is ported to a hacker’s SIM card.

Buried in the Instagram Android app’s APK code is a prototype of the upgraded 2FA feature, discovered by frequent TechCrunch tipster Jane Manchun Wong. Her work has led to confirmed TechCrunch scoops on Instagram Video Calling, Usage Insights, soundtracks for Stories, and more.

When presented with the screenshots, an Instagram spokesperson told TechCrunch that yes, it is working on the non-SMS 2FA feature, saying “We’re continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication.”

Instagram actually lacked any two-factor protection until 2016 when it already had 400 million users. In November 2015, I wrote a story titled “Seriously. Instagram needs two-factor authentication.” A friend and star Instagram stop-motion animation creator Rachel Ryle had been hacked, costing her a lucrative sponsorship deal. The company listened. Three months later, the app began rolling out basic SMS-based 2FA.

But since then, SIM porting has become a much more common problem. Hackers typically call a mobile carrier and use social engineering tactics to convince them they’re you, or bribe an employee to help, and then change your number to a SIM card they control. Whether they’re hoping to steal intimate photos, empty cryptocurrency wallets, or sell desirable social media handles like @t or @Rainbow as Motherboard reported, there are plenty of incentives to try a SIM porting attack. This article outlines how you can take steps to protect your phone number.

Hopefully as knowledge of this hacking technique becomes more well known, more apps will introduce non-SMS 2FA, mobile providers will make it tougher to port numbers, and users will take more steps to safeguard their accounts. As our identities and assets increasingly go digital, it’s pin codes and authenticator apps, not just deadbolts and home security systems, that must become a part of our everyday lives.

News Source = techcrunch.com

Putin proposes a joint cybersecurity group with the US to investigate Russian election meddling


Over the course of Monday’s controversial Helsinki summit, Russian President Vladimir Putin pushed an agenda that would ostensibly see the U.S. and Russia working side by side as allies. The two countries make stranger bedfellows than ever as just days prior, Trump’s own Department of Justice indicted 12 Russian intelligence officials for the infamous 2016 Democratic National Committee hack.

Nonetheless, the Russian president revived talks of a joint group between the U.S. and Russia dedicated to cybersecurity matters. For anyone with the security interests of the U.S. at heart, such a proposal, which Trump endorsed in a tweet one year ago, would truly be a worst-case scenario outcome of the puzzlingly cozy relationship between the two world leaders.

“Once again, President Trump mentioned the issue of the so-called interference of Russia [during] the American elections and I had to reiterate things I said several times…,” Putin said in Helsinki.

“Any specific material, if such things arise, we are ready to analyze together. For instance, we can analyze them through the joint working group on cyber security, the establishment of which we discussed during our previous contacts.”

Putin added that Russia favors “continued cooperation in counter-terrorism and maintaining cyber security.”

“The most recent example is their operational cooperation within the recently concluded World Football Cup,” Putin said. “In general, the contacts among the special services should be put to a system-wide basis should be brought to a systemic framework. I reminded President Trump about the suggestion to re-establish the working group on anti-terrorism.”

After a loud bipartisan rebuke followed Trump’s proposal of an “impenetrable [cybersecurity] unit” with Russia last year, the U.S. president walked his comments back a few steps, suggesting that they were hypothetical. Whether it ever materializes or not, the whole idea is a somewhat stunning departure from national security norms and one that would be broadly decried as letting the fox into the henhouse, given that evidence establishing Russia as a cyber adversary of the U.S., both currently and historically, is plentiful.

In 2017, the U.S. intelligence community issued such an assertion in no uncertain terms:

Russian efforts to influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations.

The report notes that this information is sourced broadly, stating that “insights into Russian efforts—including specific cyber operations—and Russian views of key US players derive from multiple corroborating sources.”

CrowdStrike, the security firm involved in investigating the 2016 DNC hack, uncontroversially included Russia on a list of “notable nation-state adversaries” of the U.S. alongside China, North Korea and Iran.

Just days ago, U.S. Director of National Intelligence Dan Coats cautioned that “warning lights are blinking red again” when it comes to attacks on federal, state and local U.S. entities. Coats named Russia, China, Iran and North Korea as cyber aggressors against the U.S., adding that “Russia has been the most aggressive foreign actor, no question.”

It’s unclear what, if anything, the U.S. would stand to gain from such an arrangement, though it would stand to lose quite a bit, given the likelihood that Russia’s interest in influencing U.S. elections is ongoing. Putin’s comments in Helsinki indicate the spirit of such an effort lives on, misguided as it may be.

News Source = techcrunch.com

3D printed guns are now legal… What’s next?


On Tuesday, July 10, the DOJ announced a landmark settlement with Austin-based Defense Distributed, a controversial startup led by a young, charismatic anarchist whom Wired once named one of the 15 most dangerous people in the world.

Hyper-loquacious and media-savvy, Cody Wilson is fond of telling any reporter who’ll listen that Defense Distributed’s main product, a gun fabricator called the Ghost Gunner, represents the endgame for gun control, not just in the US but everywhere in the world. With nothing but the Ghost Gunner, an internet connection, and some raw materials, anyone, anywhere can make an unmarked, untraceable gun in their home or garage. Even if Wilson is wrong that the gun control wars are effectively over (and I believe he is), Tuesday’s ruling has fundamentally changed them.

At about the time the settlement announcement was going out over the wires, I was pulling into the parking lot of LMT Defense in Milan, IL.

LMT Defense, formerly known as Lewis Machine & Tool, is as much the opposite of Defense Distributed as its quiet, publicity-shy founder, Karl Lewis, is the opposite of Cody Wilson. But LMT Defense’s story can be usefully placed alongside that of Defense Distributed, because together they can reveal much about the past, present, and future of the tools and technologies that we humans use for the age-old practice of making war.

The legacy machine

Karl Lewis got started in gunmaking back in the 1970s at Springfield Armory in Geneseo, IL, just a few exits up I-80 from the current LMT Defense headquarters. Lewis, who has a high school education but who now knows as much about the engineering behind firearms manufacturing as almost anyone alive, was working on the Springfield Armory shop floor when he hit upon a better way to make a critical and failure-prone part of the AR-15, the bolt. He first took his idea to Springfield Armory management, but they took a pass, so he rented out a small corner in a local auto repair shop in Milan, bought some equipment, and began making the bolts himself.

Lewis worked in his rented space on nights and weekends, bringing the newly fabricated bolts home for heat treatment in his kitchen oven. Not long after he made his first batch, he landed a small contract with the US military to supply some of the bolts for the M4 carbine. On the back of this initial success with M4 bolts, Lewis Machine & Tool expanded its offerings to include complete guns. Over the course of the next three decades, LMT grew into one of the world’s top makers of AR-15-pattern rifles for the world’s militaries, and it’s now in a very small club of gunmakers, alongside a few old-world arms powerhouses like Germany’s Heckler & Koch and Belgium’s FN Herstal, that supplies rifles to US SOCOM’s most elite units.

The offices of LMT Defense, in Milan, Ill. (Image courtesy Jon Stokes)

LMT’s gun business is built on high-profile relationships, hard-to-win government contracts, and deep, almost monk-like know-how. The company lives or dies by the skill of its machinists and by the stuff of process engineering — tolerances and measurements and paper trails. Political connections are also key, as the largest weapons contracts require congressional approval and months of waiting for political winds to blow in this or that direction, as countries fall in and out of favor with each other, and paperwork that was delayed due to a political spat over some unrelated point of trade or security finally gets put through so that funds can be transferred and production can begin.

Selling these guns is as old-school a process as making them is. Success in LMT’s world isn’t about media buys and PR hits, but about dinners in foreign capitals, range sessions with the world’s top special forces units, booths at trade shows most of us have never heard of, and secret delegations of high-ranking officials to a machine shop in a small town surrounded by corn fields on the western border of Illinois.

The civilian gun market, with all of its politics- and event-driven gyrations of supply and demand, is woven into this stable core of the global military small arms market the way vines weave through a trellis. Innovations in gunmaking flow in both directions, though nowadays they more often flow from the civilian market into the military and law enforcement markets than vice versa. For the most part, civilians buy guns that come off the same production lines that feed the government and law enforcement markets.

All of this is how small arms get made and sold in the present world, and anyone who lived through the heyday of IBM and Oracle, before the PC, the cloud, and the smartphone tore through and upended everything, will recognize every detail of the above picture, down to the clean-cut guys in polos with the company logo and fat purchase orders bearing signatures and stamps and big numbers.

The author with LMT Defense hardware.

Guns, drugs, and a million Karl Lewises

This is the part of the story where I build on the IBM PC analogy I hinted at above, and tell you that Defense Distributed’s Ghost Gunner, along with its inevitable clones and successors, will kill dinosaurs like LMT Defense the way the PC and the cloud laid waste to the mainframe and microcomputer businesses of yesteryear.

Except this isn’t what will happen.

Defense Distributed isn’t going to destroy gun control, and it’s certainly not going to decimate the gun industry. All of the legacy gun industry apparatus described above will still be there in the decades to come, mainly because governments will still buy their arms from established makers like LMT. But surrounding the government and civilian arms markets will be a brand new, homebrew, underground gun market where enthusiasts swap files on the dark web and test new firearms in their back yards.

The homebrew gun revolution won’t create a million untraceable guns so much as it’ll create hundreds of thousands of Karl Lewises — solitary geniuses who had a good idea, prototyped it, began making it and selling it in small batches, and ended up supplying a global arms market with new technology and products.

In this respect, the future of guns looks a lot like the present of drugs. The dark web hasn’t hurt Big Pharma, much less destroyed it. Rather, it has expanded the reach of hobbyist drugmakers and small labs, and enabled a shadow world of pharmaceutical R&D that feeds transnational black and gray markets for everything from penis enlargement pills to synthetic opioids.

Gun control efforts in this new reality will initially focus more on ammunition. Background checks for ammo purchases will move to more states, as policy makers try to limit civilian access to weapons in a world where controlling the guns themselves is impossible.

Ammunition has long been the crack in the rampart that Wilson is building. Bullets and casings are easy to fabricate and will always be easy to obtain or manufacture in bulk, but powder and primers are another story. Gunpowder and primers are the explosive chemical components of modern ammo, and they are difficult and dangerous to make at home. So gun controllers will seize on this and attempt to pivot to “bullet control” in the near-term.

Ammunition control is unlikely to work, mainly because rounds of ammunition are fungible, and there are untold billions of rounds already in civilian hands.

In addition to controls on ammunition, some governments will also make an effort at trying to force the manufacturers of 3D printers and desktop milling machines (the Ghost Gunner is the latter) to refuse to print files for gun parts.

This will be impossible to enforce, for two reasons. First, it will be hard for these machines to reliably tell what’s a gun-related file and what isn’t, especially if distributors of these files keep changing them to defeat any sort of detection. But the bigger problem will be that open-source firmware will quickly become available for the most popular printing and milling machines, so that determined users can “jailbreak” them and use them however they like. This already happens with products like routers and even cars, so it will definitely happen with home fabrication machines should the need arise.

Ammo control and fabrication device restrictions having failed, governments will over the longer term employ a two-pronged approach that consists of possession permits and digital censorship.


First, governments will look to gun control schemes that treat guns like controlled substances (i.e. drugs and alcohol). The focus will shift to vetting and permits for simple possession, much like the gun owner licensing scheme I outlined in Politico. We’ll give up on trying to trace guns and ammunition, and focus more on authorizing people to possess guns, and on catching and prosecuting unauthorized possession. You’ll get the firearm equivalent of a marijuana card from the state, and then it won’t matter if you bought your gun from an authorized dealer or made it yourself at home.

The second component of future gun control regimes will be online suppression, of the type that’s already taking place on most major tech platforms across the developed world. I don’t think DefCad.com is long for the open web, and it will ultimately have as hard a time staying online as extremist sites like stormfront.org.

Gun CAD files will join child porn and pirated movies on the list of content it’s nearly impossible to find on big tech platforms like Facebook, Twitter, Reddit, and YouTube. If you want to trade these files, you’ll find yourself on sites with really intrusive advertising, where you worry a lot about viruses. Or, you’ll end up on the dark web, where you may end up paying for a hot new gun design with a cryptocurrency. This may be an ancap dream, but won’t be mainstream or user-friendly in any respect.

As for what comes after that, this is the same question as the question of what comes next for politically disfavored speech online. The gun control wars have now become a subset of the online free speech wars, so whatever happens with online speech in places like the US, UK, or China will happen with guns.

News Source = techcrunch.com

Court victory legalizes 3D-printable gun blueprints


A multi-year legal battle over the ability to distribute computer models of gun parts and replicate them in 3D printers has ended in defeat for government authorities who sought to prevent the practice. Cody Wilson, the gunmaker and free speech advocate behind the lawsuit, now intends to expand his operations, providing printable gun blueprints to all who desire them.

The longer story of the lawsuit is well told by Andy Greenberg over at Wired, but the decision is eloquent on its own. The fundamental question is whether making 3D models of gun components available online is covered by the free speech rights granted by the First Amendment.

This is a timely but complex conflict because it touches on two themes that happen to be, for many, ethically contradictory. Arguments for tighter restrictions on firearms are, in this case, directly opposed to arguments for the unfettered exchange of information on the internet. It’s hard to advocate for both here: restricting firearms and restricting free speech are one and the same.

That at least seems to be the conclusion of the government lawyers, who settled Wilson’s lawsuit after years of court battles. In a copy of the settlement provided to me by Wilson, the U.S. government agrees to exempt “the technical data that is the subject of the Action” from legal restriction. The modified rules should appear in the Federal Register soon.

What does this mean? It means that a 3D model that can be used to print the components of a working firearm is legal to own and legal to distribute. You can likely even print it and use the product — you just can’t sell it. There are technicalities to the law here (certain parts are restricted, but can be sold in an incomplete state, etc.), but the implications as regards the files themselves seem clear.

Wilson’s original vision, which he is now pursuing free of legal obstacles, is a repository of gun models, called DEFCAD, much like any other collection of data on the web, though naturally considerably more dangerous and controversial.

“I currently have no national legal barriers to continue or expand DEFCAD,” he wrote in an email to TechCrunch. “This legal victory is the formal beginning to the era of downloadable guns. Guns are as downloadable as music. There will be streaming services for semi-automatics.”

The concepts don’t map perfectly, no doubt, but it’s hard to deny that with the success of this lawsuit, there are few legal restrictions to speak of on the digital distribution of firearms. Before it even, there were few technical restrictions: certainly just as you could download MP3s on Napster in 2002, you can download a gun file today.

Gun control advocates will no doubt argue that greater availability of lethal weaponry is the opposite of what is needed in this country. But others will point out that in a way this is a powerful example of how liberally free speech can be defined. It’s important to note that both of these things can be true.

This court victory settles one case, but marks the beginnings of many another. “I have promoted my values for years with great care and diligence,” Wilson wrote. It’s hard to disagree with that. Those whose values differ are free to pursue them in their own way; perhaps they too will be awarded victories of this scale.

News Source = techcrunch.com

SolarWinds acquires real-time threat-monitoring service Trusted Metrics


SolarWinds, the company behind tools like Pingdom, Papertrail, Loggly and a number of other IT management tools, today announced it has acquired Trusted Metrics, a company that helps businesses monitor incoming threats to their networks and servers. This move follows SolarWinds’ acquisition of Loggly earlier this year. Among other things, Loggly also provides a number of security tools for enterprises.

Today’s acquisition of Trusted Metrics is clearly part of the company’s strategy to build out its security portfolio, and SolarWinds is actually rolling Trusted Metrics into a new security product called SolarWinds Threat Monitor. Like Trusted Metrics, SolarWinds Threat Monitor helps businesses protect their networks by automatically detecting suspicious activity and malware.

“When we look at the rapidly changing IT security landscape, the proliferation of mass-marketed malware and the non-discriminatory approach of cybercriminals, we believe that real-time threat monitoring and management shouldn’t be a luxury, but an affordable option for everyone,” said SolarWinds CEO Kevin Thompson in today’s announcement. “The acquisition of Trusted Metrics will allow us to offer a new product in the SolarWinds mold—powerful, easy to use, scalable—that is designed to give businesses the ability to more easily protect IT environments and business operations.”

SolarWinds did not disclose the financial details of the transaction. Trusted Metrics was founded in 2010; although it received some seed funding, it never raised any additional funding rounds after that.

News Source = techcrunch.com
