Thursday, 17 November 2016

Google and Facebook ban fake news sites from their advertising networks

While it would have been nice to tackle this issue before the election, Google and Facebook are finally taking a tiny step in order to fight back against fake news. According to multiple statements, both companies have updated their policies to ban fake news sites from using Facebook’s and Google’s advertising networks.
With the U.S. election, fake news became incredibly popular on social networks, such as Facebook, Twitter and YouTube, as well as news aggregating services, such as Google News and news articles in Google search results. We’re not talking about opinion articles — we’re talking about reports spreading blatantly inaccurate information.
Google first updated its policy saying that the company will try to ban sites that “misrepresent, misstate, or conceal information.” Websites that don’t comply with this rule will get banned from using Google AdSense.
When it comes to Facebook, the company has also updated its policy to rule out fake news sites from using Facebook Audience Network.
Google AdSense and Facebook Audience Network let content publishers display ads on their websites. Google and Facebook manage the ad inventories; content publishers get a cut for clicks or impressions.
Both companies already have strict policies for their ad networks. For instance, you can’t use Google AdSense on a porn website. Google uses a combination of algorithms and human moderation to decide whether a site is eligible to use its advertising service.
By removing a potential revenue stream, it makes the business of fake news a bit less lucrative. For instance, Buzzfeed discovered that more than 100 fake news sites were created in a tiny city in Macedonia. So it’s clear that it’s not just about influencing the election — people are taking advantage of social networks to make money using fake news.
But there will always be alternative revenue streams, so this move is not enough. Reducing the reach of these websites is the best way to prevent fake news sites from popping up. If Facebook, Twitter, Google News and other websites flagged fake news appropriately, then there would be no reason to create fake news sites in the first place.

FIFA Hackers Steal $16 Million from EA

A hacker has been convicted of embezzling $16 million from gaming bigwig Electronic Arts, using “FIFA coins,” an in-game virtual currency for a soccer-themed video game.
Anthony Clark, 24, of Whittier, Calif., was convicted of wire fraud by a jury sitting in Fort Worth, Texas. Clark and three co-conspirators gamed the game, as it were. You see, in the FIFA Football game, players can earn FIFA coins based on the time they spend playing. People like soccer, and due to the popularity of FIFA Football, a secondary market has developed whereby FIFA coins can be exchanged for US currency. 
Clark and his buddies managed the ultimate hat trick: They circumvented multiple security mechanisms created by EA in order to fraudulently obtain FIFA coins worth over $16 million. Specifically, the group created software that fraudulently logged thousands of FIFA Football matches within a matter of seconds, and as a result, EA computers credited them with improperly earned FIFA coins. They then exchanged their FIFA coins on the secondary market for over $16 million.
Co-conspirators Nick Castellucci, 24, of N.J.; Ricky Miller, 24, of Arlington, Texas; and Eaton Zveare, 24, of Lancaster, Va., previously pleaded guilty and they await sentencing. 
Interestingly, the issue with FIFA coins is not new. In 2014, a member of an international hacking ring responsible for stealing between $100 and $200 million in intellectual property and other proprietary data from Microsoft’s Xbox gaming platform developed a software exploit that did something similar to what Clark and crew accomplished. The exploit generated millions in in-game, virtual currency for Electronic Arts’ FIFA line of soccer games, which he then sold in bulk quantities on the black market.
That same ring was also accused of stealing a pre-release version of Epic’s video game, Gears of War 3; and a pre-release version of Activision’s uber-popular video game, Call of Duty: Modern Warfare 3. Gaming is a high-profile target given the billions that the industry rakes in every year.

Cybersecurity – Just Like Sex, Drugs & Rock ‘n’ Roll

There is no technical solution to a behavioral problem.
In light of relentless data breaches, is endpoint protection software still fit for purpose? People naturally behave in insecure ways, and addressing this through education and awareness is a key challenge for the cybersecurity industry. Focusing solely on technological measures to defeat cyber-criminals will always be a losing battle, so instead of trying to resolve the symptoms we must address the root cause.
Early social engineering tactics, such as the “Nigerian Prince needs your help” 419 scam, involved little technology. The cyber-criminals would send vast numbers of spam emails and simply wait for a victim to respond. The remainder of the scam would be executed via emails, phone calls or in person; it relied on the greed or gullibility of the victim to ensure they continued co-operating with the criminals.
Over time the cyber-criminals’ tactics have evolved and become more sophisticated, using complex social engineering techniques and malware. Nevertheless, the root cause remains the same. The victim must actively participate in the initiation of the scam, by opening an attachment, clicking on a link, or responding to an email. Our collective obedience in the face of perceived authority, desire to help others, willingness to get our jobs done in a high-intensity business environment and natural curiosity simply work against us.
However, we shouldn’t throw our hands in the air, accept the inevitable and give up just yet. There are simple but effective approaches to reducing the risk, and it starts with education. Within the anti-phishing and secure email platform space, vendors are now offering training and awareness technologies with their security solutions. Instead of simply blocking attacks and quarantining emails, they give the user the opportunity to open the email, click on the malicious link to provide their real username and password to a fake website, or perform an otherwise insecure action – after the threat has already been quietly neutered. These platforms then direct the user to an educational system that explains why the email was malicious and what the user should have done instead.
These very effective systems are mainly confined to email and web security services. Extending these systems to endpoint security platforms is considerably more complex and somewhat impractical, especially in the context of unknown threats.
Modern anti-virus packages are extremely efficient. Based on AVTest results, the market leaders boast a 99.9% or higher detection rate for common malware. So, assuming the user doesn’t simply ignore the warnings and allows malware to launch, a decent up-to-date anti-virus package will protect against the vast majority of threats. That just leaves the difficult 0.1% to deal with – the zero-day threat.
Zero-day malware is unknown to traditional anti-virus products that use ‘known bad’ signatures to detect and identify malicious code. If these zero-day threats are unknown and undetectable, how can they be defeated? In theoretical terms there is an easy solution: whitelisting. Instead of taking the normal anti-malware approach of allowing all software to run and trying to detect which may be malicious, whitelisting defines a specific set of ‘known good’ applications. This whitelisted software is allowed to run unimpeded, and everything else is blocked.
This is a strong way to prevent malicious software from executing, but for many it’s impractical, expensive, time consuming and inflexible. The level of effort combined with the impact it has on organizations’ ways of working is something many aren’t willing or able to undertake.
So what is the solution?
Bluntly, there isn’t one panacea. Applications, operating systems and hardware will continue to become more complex, the Internet of Things will continue to expand and provide new routes for attackers to exploit, and with greater complexity comes greater opportunity for vulnerability. People will always slip and behave in insecure ways, regardless of vigilance. We can produce the usual list of ‘best practices’:
•    back up your data
•    don’t re-use passwords
•    ensure your anti-virus, email software, web browser and other security technologies are up to date
But these are messages people have heard many times before, and they mostly address the symptoms, not the root cause.
The key is to reduce that root cause risk as much as possible, and this brings us back to behavior. Technology and the internet are facts of life and the majority of people are well aware that ‘cybercrime exists’: it’s a mainstream media story with incidents reported on a near-daily basis. However, it’s a minority of people who can reliably spot a carefully crafted phishing email, or a spoof website designed to steal usernames and passwords, and that’s one of the big reasons why cyber-criminals continue to succeed in their malicious endeavors.
This is why education and awareness are key. People must accept that although they are not expected to be technology experts, they have a personal responsibility to educate themselves on spotting issues and safely using the technology they work with every day – just as they may not be mechanics, but they still know how to own and operate a vehicle safely. Experience has shown that companies with the greatest success against cybersecurity threats usually run security awareness programs for their staff, which inevitably go hand in hand with a carefully thought out cybersecurity strategy.
As stated within Objective 4 of the UK Government’s cybersecurity strategy:
“Raise awareness amongst the public and businesses of the threat and the actions they can take to protect themselves.”
Just like sex, drugs & rock ‘n’ roll – we have to adapt our own behavior to get all of the benefits and minimize the chance of short, medium or long-term damage.