Category Archives: Security

MJR Digital Cinemas has upgraded, but what’s wrong with this picture?



Despite the ever-increasing tab at the box office, we all, or most of us, enjoy seeing an occasional movie on the big screen. There are just some flicks that lend themselves to the immersive experience. 

The good news is theaters around the country have been upgrading recently – improved seating and digital systems along with a wider selection of (overpriced) goodies to choose from and dine on during your show. Some now even have bars. 

One theater chain in Michigan, MJR, has been among those to upgrade; however, they apparently failed to consult any sort of IT professional, or at least one who knows anything about security. Take a look at the image below and see if any problems seem apparent.

At least they made the job easy for hackers. In fact, there’s no real job at all; it’s just handed over to them.


VLC patches multiple security flaws, two critical



There are many options out there for media playback; we’ve come a long way since Windows Media Player and QuickTime. Alternatives abound, and some of them are quite compelling.

Take the VideoLAN Client, better known to everyone as VLC, which is capable of playing almost any format a user can throw at it. Like any software, however, there are always bugs, and sometimes security holes that could allow bad things to happen to good people.

VLC is issuing a number of security fixes, 33 of them to be exact, designed to keep your system healthy. Two of these are considered critical, designed to patch an out-of-bounds write vulnerability and a stack buffer overflow bug.

According to ThreatPost, “Details are scant on the two high-severity bugs and how they could be exploited. Impacted is VLC 3.0.7 and the EU-FOSSA release of the player, along with code tied to the upcoming 4.0 release of the player.”

The high number of patches comes on the heels of a new bug bounty program started by the European Commission on January 7, 2019.

The updates are being pushed out so users shouldn’t need to do anything except wait, and actually, you may already have it.


Facebook and Twitter Disabled a Disinformation Campaign with Ties to Iran



The Washington Post reported that both Facebook and Twitter said they had disabled a “sprawling disinformation campaign that appeared to originate in Iran”. It included two Twitter accounts that mimicked Republican congressional candidates and may have sought to push pro-Iranian political messages.

According to The Washington Post, a private security firm called FireEye “did not attribute the activity to either Iranian state leaders or malicious actors operating within the country.” However, some of the tweets supported the Iranian nuclear deal, which President Trump withdrew from a year ago.

Some of the disabled accounts appeared to target their propaganda at specific journalists, policymakers, dissidents and other influential U.S. figures online. Those tactics left experts fearful that it could mark a new escalation in social-media warfare, with malicious actors stealing real-world identities to spread disinformation beyond the web.

Facebook posted on its Facebook Newsroom that it had removed 51 Facebook accounts, 36 Pages, seven Groups, and three Instagram accounts involved in coordinated inauthentic behavior that originated in Iran.

Facebook said the individuals involved misled people about who they were and what they were doing. “They purported to be located in the US and Europe, used fake accounts to run Pages and Groups, and impersonated legitimate news organizations in the Middle East. The individuals behind this activity also represented themselves as journalists or other personas and tried to contact policymakers, reporters, academics, Iranian dissidents and other public figures.”

Yoel Roth, Head of Site Integrity at Twitter, posted a thread of tweets that began with: “Earlier this month, we removed more than 2,800 inauthentic accounts originating in Iran. These are the accounts that FireEye, a private security firm, reported on today. We were not provided with this report or its findings.”

In another tweet, he wrote: “These accounts employed a range of false personas to target conservatives about political social issues in Iran and globally. Some engaged directly through public replies with politicians, journalists, and others.”

People need to be smarter about how they consume content on Facebook and Twitter. Think before you click a link. Seek out the real news website instead. Don’t retweet or share something without first taking the time to verify that it isn’t “fake news”.


UK Government Consults on IoT Security



The UK Government’s Department for Digital, Culture, Media & Sport (aka Ministry of Fun) has announced plans to introduce new laws governing internet-connected devices, i.e. Internet of Things.

Given that there have been some high-profile instances involving connected toys and cameras, this is welcome news. In a perfect world, users would be educated in the basics of IT security, such as changing the default password, but sadly it’s a case of getting a gadget out of the box and set up as fast as possible.

The Government is consulting on a “Secure by Design” initiative which intends for basic cyber security features to be built into products and for consumers to get better information on how secure the devices are.

Much like food packaging or the energy ratings on white goods, the Government is proposing a mandatory labelling scheme that states the security level of the gadget. Only goods with the applicable “IoT” label could be legally sold in the UK.

The consultation proposes three essential requirements for internet-connected gadgets.

  1. Device passwords must be unique, with no standard factory setting
  2. The minimum duration for which the device will receive security updates must be explicitly stated
  3. A public point of contact must be given as part of a vulnerability disclosure policy

Point 3 isn’t directly for consumers but rather for security researchers who will be able to directly contact organisations about security issues. All of these points will be a significant deterrent to the “cheap’n’cheerful” IoT gadgets that typically come in from China with zero support.

Overall, this is a very welcome consultation and I would encourage readers to review the proposals and give feedback on the options. This is very much about protecting ourselves and our families and reducing the risk of being hacked. For too long, manufacturers have got away with having little responsibility for their devices after they’ve been bought, and these ideas address that balance.

If you want to know more on the consultation and comment on the proposals, it’s over here.

Photo by Dan LeFebvre on Unsplash.


23 Million People Use 123456 as a Password



Despite all the warnings, 23 million people worldwide use the password “123456”. This is according to the UK’s National Cyber Security Centre, which analysed the Have I Been Pwned data set to produce a list of the top 100,000 passwords.

It’s frankly embarrassing – here’s the top 10. Anyone who uses any of these should have their computer, tablet and phone taken away from them immediately.

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Looking through the full list, there’s a reasonable selection of expletives, and for Brits, variations on “Liverpool” appear twenty-eight times. For non-Brits, Liverpool is not only a city in the North of England but a Premier League football (soccer) team. James Bond 007 is rich pickings too, with variations into the teens. No matter how smart or unique you think you are, there’s someone else who thinks the same.

The NCSC recommends using three random words for passwords, such as “tablehouseblue”, and not re-using passwords between accounts. It particularly suggests always having a different password for your email account.

Dr Ian Levy, NCSC Technical Director, said: “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

You can read the full UK Cyber Survey and there’s more analysis on the password list in this article.

Photo by Kristina Flour on Unsplash


Alphabet’s Chronicle Launched Backstory



Chronicle, a new Alphabet company, announced the launch of Backstory. It is a global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential cyber threats.

Chronicle is focused entirely on enterprise cybersecurity. Their mission is: “Give Good the Advantage”. That mission is fueled by their ability to leverage significant resources to give security professionals an entirely new class of tools, perspectives, and abilities that aim to counter, and even leap ahead of, the capabilities of their antagonists.

Backstory compares your network activity against a continuous stream of threat intelligence signals, curated from a variety of sources, to detect potential threats instantly. It also continuously compares any new piece of information against your company’s historical activity, to notify you of any historical access to known-bad web domains, malware-infected files, and other threats.

In short, Backstory is designed to be used by companies, not individuals. The purpose is to provide companies with data that they probably cannot get on their own so they can use it to detect breaches and to improve their security efforts.

Overall, I think Backstory sounds like a useful thing. In their Medium Post, Chronicle used the DNC hack as an example, and showed how easy it is to miss a data breach. In addition to noticing a breach, Backstory can give a company information about whether or not any of their computers communicated with that web domain.

It seems unlikely that nefarious entities will stop trying to access data and information that they have no right to steal. Hopefully, Backstory can make it harder for hackers to harm people.


Six Hundred and Twenty Two Advertising Partners



If you still think that privacy and data sharing isn’t an issue, then take a look at this…
The other day I was visiting a popular gaming website and up popped the usual notice about use of cookies. Normally I would dismiss these without a second thought, but I was on a tablet and accidentally tapped on the link to their privacy notice. Noodling around, I discovered on this page that they listed all their advertising partners… and there were SIX HUNDRED AND TWENTY TWO of them.

Here’s just those that begin with “A”.
A1 Media Group, A1platform, Aarki, abilicom, Acuityads, Adacado, Adadyn, Adara Media, Adbalancer, Adblade, ADBOX, Adcash, AdClear, Adclouds, AdColony, Addictive Mobility, Addition Plus, Addroid, AdElement, Adello, ADEX, Adform, AdGibbon BV, adhood, Adikteev, AdKernel, AdLedge, adlocal.net, Adloox, Adludio, AdMaster/LnData, AdMaxim, Admedo, Admetrics, Admixer, Adnami ApS, adnanny.com, Adnetic, Adobe Advertising Cloud, AdPlay, AdPredictive, AdRetarget, Adriver, AdRoll Inc., adrule, Adsniper, Adssets, adTarget.me, Adtelligence, Adtelligent Inc., AdTrader, AdTriba, advanced STORE GmbH, Advanse, Adventive, Adventori, Adverline, Advertserve, Advmaker, advolution.control, Adways SAS, Adzerk, Adzymic, AE Media, Aedge Performance S.L., AerServ, affilinet, Aidata, Airtory, Akamai, AKTYVUS SEKTORIUS, Alkemics, All In Views LTD, Alooma, Amazon, Amino Payments, Inc., Amobee, Analights, Aniview Inc., Answer Media, AntVoice, APNIC, AppGrowth Inc., Appier, AppLift, AppLovin Corp., AppNexus, Appreciate, appTV, Arbigo Inc., Arrivalist, Art of Click, Artsai, Audience2Media, AudienceProject, Audiencevalue, Aunica, Avocet, Azameo

Recognise many? Adobe, Amazon?

And from the website’s privacy policy: “We share your personal information with our affiliates and with exhibitors, sponsors, media partners, joint venture partners and other third parties,” which can be summarised as “We share your personal information with anyone we like.”

Let me get this straight. I visit one gaming website and my information could be shared with up to 622 other organisations that, really, I know nothing about. Who knows where this data will eventually land?

There’s something very wrong here.

Women Look at Security Cameras photo by Matthew Henry on Unsplash.