January 22, 2020

Ubisoft sues DDoS-for-hire operators for ruining game play

By Lisa Vaas

These guys aren’t just launching attacks that kick all players on a targeted server out of a game, or degrade the game performance down to sludge, Ubisoft alleges. They also allegedly went so far as to throw up a bogus domain seizure notice on one of their sites, claiming that the domain had been seized by “Microsoft Inc. and Ubisoft Entertainment” pursuant to a fictional “Operation(D)DoS OFF”, according to the complaint (posted courtesy of Polygon) that Ubisoft filed on Thursday in the US District Court of Northern California.

Ubisoft says it was part of the operators’ attempts to rub out their tracks:

Defendants are well aware of the harm that the DDoS Services and DDoS Attacks cause to Ubisoft. Indeed, knowing that this lawsuit was imminent, Defendants have hastily sought to conceal evidence concerning their involvement.

It’s not just alleged DDoS-for-hire operators who knew this lawsuit was coming. Everybody in the gaming world knew. Ubisoft picked up on an increase in DDoS attacks in September 2019, banned the worst offenders, and said that it was talking to its legal team about legal action.

Last week, Ubisoft filed the complaint against five people whom it thinks run a network of four distributed-denial-of-service (DDoS)-for-hire services via various domain names and websites – the websites SNG.one, R6S.support, r6ddos.com, and (could they possibly be more redundant?) stressed-stresser-stressing-stressers.com – and that they hide behind various anonymous online aliases to do so.

Read more at https://nakedsecurity.sophos.com/2020/01/22/ubisoft-sues-ddos-for-hire-operators-for-ruining-game-play/

NIST’s new privacy rules – what you need to know

By Danny Bradbury

You’ve waded through the relevant privacy regulations until your brain hurts, and you understand the basic requirements under GDPR, CCPA, or whatever industry rules you must abide by. But how do you ensure that you’re compliant? Worry no more. NIST has released a Privacy Framework to help you get your house in order.

The federal US government’s National Institute of Standards and Technology (NIST) has a good track record advising organizations on cybersecurity. It published a set of password rules in 2016. It also publishes a Cybersecurity Framework that has become a litmus test for those trying to secure their data.

The brand-new Privacy Framework 1.0 is the equivalent document for protecting people’s personal privacy. As NIST points out, cybersecurity and privacy are connected, but different. Some privacy events aren’t related to cybersecurity incidents, but stem from other issues like over-aggressive data collection, poorly thought-out marketing practices, or manual mishandling of data.

You can use the Privacy Framework when developing new products and services to ensure that they tick all your privacy boxes. It’s a good tool when conducting the privacy impact assessments that regulations like GDPR demand. It isn’t a compliance toolkit for meeting the requirements of specific regulations. Instead, it’s a voluntary toolkit that you can use to think about your approach to privacy. You can use bits of it or all of it – NIST isn’t prescriptive.

The Framework breaks down into three broad areas: the core, the profiles, and the implementation tiers. The core contains a set of five functions that you work through as part of your privacy assessment process.

Read more at https://nakedsecurity.sophos.com/2020/01/22/nists-new-privacy-rules-what-you-need-to-know/

Regus spills data of 900 staff on Trello board set to ‘public’

By John E Dunn

Another company has ended up accidentally spilling sensitive data from business collaboration tool Trello.

According to a Daily Telegraph report, the company that put the boot to its own throat this time is office space company Regus, which posted performance ratings of 900 managers to a public Trello board.

Trello boards come in three types – private (password needed), approved (i.e. visible to specific people), and public.

It seems the Regus parent company IWG carried out covert video assessments using researchers from a company called Applause posing as clients looking for office space.

The evaluations from this were gathered into a spreadsheet which was inadvertently set to ‘public’.

Because search engines index public Trello boards, that meant that anyone with a browser could, in theory, see the data, which included names, addresses, performance ratings, and company training videos.

These would normally be shown only to the employee concerned as part of company assessments.

In addition to exposing Regus’s own staff, the personal details and email addresses of the external researchers working for Applause were also leaked. IWG issued a statement that appeared to shift the blame to the research company:

We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.

The data had now been taken down:

As our primary concern we took immediate action and the external provider has now removed the content.

The newspaper says, however, that this didn’t happen until it contacted IWG and Applause. It’s not clear how long the data was left in its public, exposed state.

Read more at https://nakedsecurity.sophos.com/2020/01/22/regus-spills-data-of-900-staff-on-trello-board-set-to-public/

Nobody boogies quite like you

By Lisa Vaas

That spasmodic jerking around that some of us refer to as “dancing?”

It’s the latest biometric: we can be identified by our twerking, our salsa, our rumba or our House moves with an impressive 94% accuracy rate, according to scientists at Finland’s University of Jyväskylä.

To be specific, the researchers asked 73 volunteers to dance to eight music styles: Blues, Country, Dance/Electronica, Jazz, Metal, Pop, Reggae and Rap. The dancers weren’t taught any steps; rather, they were simply told to “move any way that felt natural.”

Their study, described in a paper titled Dance to your own drum, was published in the Journal of New Music Research last week.

Identifying people by their dance moves is not what the researchers were after. They had set out to determine how music styles affect how we move:

Surely one does not move the same way in response to a song by Rage Against the Machine as to one by Bob Dylan – and research has indeed shown that audio features extracted from the acoustic signal of music influence the quality of dancers’ movements.

The original question: could they determine the style of music just by watching how people are dancing? Previous research has indicated that you can: low-frequency sound generated by kick drum and bass guitar relates to how fast you bop your head around, while high-frequency sound and beat clarity have been associated with a wider variety of movement features, including hand distance, hand speed, shoulder wiggle and hip wiggle. Dancers also increase their movements as a bass drum gets louder. Jazz is associated with lower head speed.

It could all have to do with music’s audio features, but then again, cultural norms tell us how we’re supposed to move. Jazz? Let’s swing dance! Metal? HEADBANG!

Read more at https://nakedsecurity.sophos.com/2020/01/22/nobody-boogies-quite-like-you/

Citrix ships patches as vulnerable servers come under attack

By John E Dunn

Citrix has issued its first set of patches fixing a nasty vulnerability that’s been hanging over some of its biggest products.

The flaw, identified as CVE-2019-19781 on 17 December 2019, affected Citrix’s Application Delivery Controller (ADC) load and application balancer, and the Citrix Gateway Virtual Private Network (VPN) appliance (previously known as the NetScaler ADC or NetScaler Gateway).

Citrix was vague about what the flaw might allow an attacker to do beyond saying that it “could allow an unauthenticated attacker to perform arbitrary code execution.”

However, it’s been clear from the start that it was serious, an impression reinforced by speculation (based on analysis of Citrix’s proposed mitigations) that the issue allows directory traversal, that is, offering attackers a way to access restricted directories without having to authenticate.

That’s potentially disastrous – the Citrix Gateway, for example, is used to enable VPN remote access so an attacker able to crawl into a network through that route could exploit that in numerous horrible ways.

Read more at https://nakedsecurity.sophos.com/2020/01/21/citrix-ships-patches-as-vulnerable-servers-come-under-attack/

China and US top user data requests in Apple transparency report

By Lisa Vaas

Governments in the US and China are at the front of the line when it comes to knocking on Apple’s door to request user data relating to fraud/phishing, according to the company’s latest transparency report.

Like any tech company that handles user data, Apple gets different types of requests: those that are made when an account holder is in imminent danger, those from law enforcement agencies (LEA) trying to help people find their lost or stolen devices, those asking for Apple’s help when thieves rip off credit card data so they can buy Apple products or services on somebody else’s dime, and in situations where investigators think an account’s been used to do something illegal.

That last category has proved particularly controversial: the FBI has come knocking on Apple’s door in notable, headline-grabbing cases, including when the FBI was looking to unlock the iPhone of the San Bernardino terrorist and, more recently, when it was looking for help in breaking encryption on the iPhones of the killer in the recent Pensacola mass shooting.

In these instances, Apple famously said no to weakening encryption. Those requests didn’t involve subpoenas, though. The San Bernardino iPhone unlocking request involved a weird court order issued under the dusty All Writs Act of 1789, while the Pensacola unlocking request came in the form of a plain old letter sent from the FBI’s lawyer to Apple’s lawyer.

As far as worldwide government account requests go for the first half of 2019, Apple says that it got a high number from China’s mainland – a total of 15,666 requests – mostly due to financial fraud and phishing investigations. When it comes to phishing attacks, a single request can cover several devices. Apple counts and reports the number of accounts identified in each request, received from each country/region.

Read more at https://nakedsecurity.sophos.com/2020/01/21/china-and-us-top-user-data-requests-in-apple-transparency-report/

ACS

Advanced Computer Services of Central Florida
