Repairs & Upgrades

June 18, 2019

90% off Ray-Bans? It’s a 100% Instagram SCAM!

By Lisa Vaas

A scam ad for Ray-Ban sunglasses has been making the rounds on Instagram.

There are many versions, but they tend to feature the Ray-Ban logo and photos of sunglasses, along with the “whoa, what a crazy deal!” offers of “90% off”. We’ve seen one that dangles the cheap-cheap price tag of £17.65 (that’s US $22.13 – for glasses that typically go for over $100).

And of course, you better hurry, since this offer won’t last – it’s one day only! … And has been for a few weeks!

Not everybody is going to see the fake ads and write them off as being the scams that they are, unfortunately. After all, the ads bear the name of a (self-proclaimed) “official” website. Plus, you’ve likely seen these ads being posted by your Instagram friends.

Don’t fall for it, though. It seems too good to be true, which means it is.


Bella Thorne steals hacker’s thunder, publishes nude photos herself

By Lisa Vaas

The forces of extortionist scumbaggery have had the rug pulled out from them yet again: last week, it was Radiohead, releasing 18 hours of music rather than pay up to whoever hacked it away.

This week, it’s American actress Bella Thorne. Her approach: Oh, so you’re threatening to publish nude pics you hacked out of my accounts? Too late – I did it myself.

Thorne posted the images to Twitter on Saturday. She said in the tweet, which included screenshots of text messages with the alleged hacker, that “all of her s**t” got hacked on Friday. Then, she had to put up with 24 hours of threats “with my own nudes.”

I feel gross. I feel watched, I feel someone has taken something from me that I only wanted one special person to see.

Oh, and by the way, the FBI will be at your door shortly, she also said.

By Sunday, Thorne was still angry and hurt, but feeling a bit more compassionate toward whatever nimrod tried to blackmail her. In an interview with Hollywood Reporter, she said that she thinks whoever hacked her is a kid – somebody who made a bad choice and shouldn’t have his life ruined because of it:

This kid sounds like he’s 17, as much as I’m so angry and wanted to [f**k] him up over doing this to people I just wanted to teach him a lesson, He’s still a kid and we make mistakes, this mistake is a bad one. But I don’t want some 17-year-old’s whole life ruined because he wasn’t thinking straight and [was] being a dumbass.

“If she hadn’t taken them in the first place…”


The US is reportedly seeding Russia’s power grid with malware

By Danny Bradbury

The US has been quietly planting malware throughout Russia’s energy networks in response to years of Russian attacks on its own power grid, the New York Times reported on Saturday.

Quoting officials interviewed over the last three months, the paper said that the latest moves represent a turning point for the US policy on interfering with Russia’s electricity infrastructure. Under the Obama administration, the US had used reconnaissance tools to monitor Russia’s electricity control systems. The Trump administration has escalated this activity to an offensive campaign, placing software that could destabilize electrical services within Russia.

The move follows years of provocation by Russia, which has reportedly run recurring cybercampaigns targeting the US energy grid.

In March 2019, the Department of Homeland Security (DHS) reported that Russian hackers had been targeting US infrastructure including not just energy and nuclear facilities, but also water, aviation, and critical manufacturing sectors. The hackers would infiltrate the targets’ trusted partner organizations and use them as staging grounds for their attacks, the report warned.

That report updated a similar warning in October 2017, although that one did not single Russia out for blame.

Most recently, security firm Dragos alleged that Xenotime, a hacking group thought to be linked to Moscow, has been using its Triton (also known as Trisis) malware to explore US power networks in possible preparation for a future attack. It identified…

… a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.

This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.


Phishing attack lures victims with encrypted message alert

By John E Dunn

What is it about phishing emails that makes them so enduringly popular with the bad guys?

The standard answer is they exploit fear, alarm and annoyance to persuade users to click on them, which explains the horde of campaigns using fictitious legal threats or warnings about bank accounts to get a foot in the door.

However, a new campaign covered by Bleeping Computer reminds us that there is another psychological impulse that works just as well if skillfully deployed – curiosity.

This one is couched as an email, apparently from Microsoft, alerting the recipient to an encrypted message which must be viewed by accessing OneDrive for Business.

It used to be said that the best phishing attacks gamed their victims in the shortest possible time and the fewest steps but that was before cloud services were invented where, arguably, introducing more steps now aids authenticity.

This one has several, including a faked-up OneDrive-branded email with a blue ‘Open’ button plastered in the middle of it, followed by – of course – a pretend OneDrive login page that asks users to enter their account credentials to download the file.

It’s like being asked to follow a trail of sweets to find out what’s at the end only to discover it’s a pit filled with spikes.

A big giveaway is that Microsoft business accounts should be protected by two-factor authentication (2FA), which this fake login lacks, but it’s possible some users won’t notice its absence if they’re not familiar with it.


June 17, 2019

Yubico recalls FIPS Yubikey tokens after flaw found

By John E Dunn

Security token maker Yubico has issued an important advisory affecting high-end versions of its YubiKey authentication key, arguably the most significant vulnerability discovered in this class of product to date.

Yubico describes the bug in its FIPS series as being:

Where the first set of random values used by YubiKey FIPS applications after each device power-up have reduced randomness … for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted.

In other words, for the first operation after power-up at least, the cryptographic material produced by the key isn’t as random as it should be for secure encryption, creating a hypothetical short-term weakness that is only ironed out when that data has been consumed.

This affects cryptographic algorithms to different extents. For RSA it’s a modest 80 bits out of a minimum of 2,048, while for ECDSA it’s 80 bits out of 256, which could:

Allow an attacker who gains access to several signatures to reconstruct the private key.

These differences mean that the weakness is worse in some products than in others: it is less severe in the PIV Smart Card and OpenPGP implementations (which use RSA) than in the FIPS FIDO U2F keys (whose authentication depends on ECDSA).

FIPS with everything

The weakness exists only in the YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and YubiKey C Nano FIPS, that is products that have the ‘FIPS’ prefix printed on them. Consumer and most business YubiKeys are not affected.


Privacy foul for soccer league app that eavesdropped on users

By Danny Bradbury

A privacy violation case this month has illustrated the dangers of giving apps access to your smartphone sensors. Spain’s data protection agency is reportedly fining Spanish football league LaLiga €250,000 (around $280,000) for co-opting users’ smartphones as digital eavesdropping tools.

The organization’s app, available on both the iPhone and Android platforms, provides users with soccer commentary, news, and data. Unbeknownst to those who didn’t read the fine print, it also used their GPS functions to determine where they were during football matches.

The app would then use their smartphones’ microphones to record ambient noise and see if it matched game noise. If the app found a match, and discovered that you were in a public place like a bar, it could deduce that the game was being broadcast illegally.

This approach is similar to the Shazam app’s technique of matching ambient noise with known songs to tell you what music your coffee shop is playing. The difference is that this is Shazam’s primary and publicized purpose. LaLiga’s app was doing its matching unobtrusively in the background while it provided users with another service.


I’d like to add you to my professional network of people to spy on

By Lisa Vaas

We’re sorry to inform you that if you were looking for some insight into Russian and Eurasian politics in the Washington political scene, or if you were sniffing around for a job with, say, the Brookings Institution, you won’t have 30-year-old Katie Jones to cozy up to anymore.

She’s disappeared off of LinkedIn. Actually, “she” – as in, a corporeal being, as opposed to a deepfake created by artificial intelligence (AI) – was never there to begin with, according to an investigation by the Associated Press.

This is what her LinkedIn profile looked like before Katie Jones, an extremely well-connected redhead and purportedly a Russia and Eurasia Fellow at the top think-tank Center for Strategic and International Studies (CSIS), blinked out of existence.

AP reporter Raphael Satter says that the profile was removed from LinkedIn about 36 hours after he contacted the networking platform about it.

Most people, upon seeing a connection request from such a highly placed and accomplished young woman, would likely accept. After all, there’s a strong element of self-promotion with LinkedIn networking, as pointed out by many of the 40 or so people whom the Jones profile managed to connect with and whom Satter interviewed.


Widely used medical infusion pump can be remotely hijacked

By Lisa Vaas

Researchers have found two security vulnerabilities, one severe, in Becton Dickinson (BD) infusion pumps: the devices used in hospitals for supplying power and network connectivity to multiple infusion and syringe pumps that deliver fluids, including intravenous fluids, painkillers and medications such as insulin.

Such pumps are often hooked up to a central monitoring station so that hospital staff can check on multiple patients at the same time.

The flaws, in BD’s Alaris Gateway Workstation (AGW), were discovered by the healthcare cybersecurity firm CyberMDX in September 2018. The firm’s researchers said on Thursday that one of the security flaws – the most critical, according to an advisory issued by the Department of Homeland Security (DHS), also on Thursday – could allow the devices to be remotely hijacked and controlled.

The researchers said that the exploit could be carried out by…

… anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files.

The vulnerable part of the pumps is the firmware in the onboard computer, which powers, monitors and controls the infusion pumps. The pumps run on Windows CE, which is Microsoft’s operating system for embedded devices and devices with minimal memory. That operating system later came to be known as Windows Embedded Compact.


Android phones can now be security keys for iOS devices

By Danny Bradbury

Hey, iOS users. Got a spare Android phone lying around? Now, you can use it as a secure access key for online services.

In April, Google announced that it was making secure access keys available on its Android phones. These software-based keys are based on the FIDO2 standard, which is a community attempt by several industry players to make secure logins easier.

Instead of having to remember a password when logging into a website, you can use a digital key stored on a piece of suitable hardware. Google and other vendors offer small hardware dongles that connect either via a computer’s USB port, or via Bluetooth. Your browser reads the digital key from the device and sends it to the website to prove that you’re legit.

Letting users store this digital key in their Android phones turns it into a secure access device that requires you to be in physical control of your phone to authenticate to a site on your computer. By using the Bluetooth connection in their phones, they can authenticate themselves when logging into Google services.

These phone-based keys also stop phishers from mounting man-in-the-middle attacks. The phone stores the key against the URL of the website it’s trying to access so it isn’t available to the wrong (phishy) URL.


Facebook got 187,000 users’ data with snoopy VPN app

By Lisa Vaas

In January, Apple’s App Store gave the heave-ho to Facebook’s snoopy Research VPN (virtual private network) app.

Now we know how many users Facebook Research got personal and sensitive device data from: 187,000, according to a letter sent by Facebook to Senator Richard Blumenthal and obtained by TechCrunch. That’s 31,000 US users – 4,300 of whom are teenagers – with the rest from India.

The now-defunct Research app used its access to get what security researcher Will Strafach called “nearly limitless access.” That includes web browsing histories, encrypted messages and mobile app activity of not just the volunteer users but also, potentially, data from their friends.

It was kicked from the App Store for violating Apple’s Developer Enterprise Program License Agreement by installing a root certificate – something that’s supposed to be limited to use “by your employees”.

Facebook pushed back at the negative coverage it received following the eviction, pointing out that it wasn’t the snoopiness of the app that saw it discarded, and that users were well aware they were being snooped on:

…there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate.

The data was used for competitive analysis. Facebook used an earlier VPN app, Onavo, to track its competition and scope out new product categories. Private, internal emails from Facebook staff that were published in December 2018 revealed that Facebook had relied on the Onavo data when it decided to purchase WhatsApp, for example. The company also used the Onavo data to track usage of its rivals and to block some of them – including Vine, Ticketmaster, and Airbiquity – from accessing its friends data firehose API.


Facebook keeps deepfake of Mark Zuckerberg

By Lisa Vaas

After a fake video of House Speaker Nancy Pelosi depicting her drunkenly slurring her words went viral last month, Facebook said nope, we’re not taking it down.

We’ve flagged it as fake, Facebook said, we’ve de-prioritized it so it doesn’t show up (all that much) in users’ feeds, and we slapped third-party fact-checker information next to it.

Facebook VP for Product Policy and Counterterrorism Monika Bickert, from a grilling by CNN’s Anderson Cooper:

We think it’s important for people to make their own, informed choice about what to believe. Our job is to make sure we are getting them accurate information. And that’s why we work with more than 50 fact-checking organizations around the world.

Oh, reeeeeally?

Well, Facebook’s bluff has been called. Facebook, meet your CEO’s evil deepfake twin, the Zucker-borg who implies that he’s in total control of billions of people’s stolen data and ready to control the future. To rub a bit of salt into the wound, it was distributed on Facebook’s own Instagram platform, and it was gussied up with official CBS trademarking so it looked like a bona fide interview.


Critical Adobe Flash player bug and more in June’s Patch Tuesday

By Danny Bradbury

The June Patch Tuesday is out, featuring 88 CVE-level fixes, including 21 rated critical. Adobe, meanwhile, fixes several critical vulnerabilities, including a flaw in Adobe Flash Player marked critical because it could be exploited remotely.

Adobe published a patch for a Flash Player bug (CVE-2019-7845), affecting versions and earlier, that lets an attacker exploit the program through a malicious website or an ActiveX control. A successful attacker could run their own code remotely as the current user. The bug affects the Flash Player desktop runtime on Windows, macOS and Linux, along with the Google Chrome, Microsoft Edge, and IE 11 Flash Player plugins.

Also out from Adobe on Tuesday was a fix for critical vulnerabilities in its ColdFusion rapid web application development product. CVE-2019-7838 enables an attacker to bypass a file extension blacklist when uploading a file, while CVE-2019-7839 is an unspecified command injection vulnerability. The third, CVE-2019-7840, is a bug that allows for deserialization of untrusted data (deserialization means unpacking data from a format used to send it somewhere efficiently).

Finally, Adobe patched a critical vulnerability in its Campaign product for marketing professionals which could allow for remote code execution via a command injection flaw. It fixed this vulnerability (CVE-2019-7850) along with several other flaws rated either moderate or important.

Microsoft Edge

Microsoft’s other critical bug this month was in the scripting engine underpinning Microsoft Edge. This is the program that processes scripting languages like JavaScript. The engine doesn’t handle objects properly when running scripts in the Edge browser, meaning that a malicious website could cause it to spill its memory contents.


June 12, 2019

Radiohead releases ‘OK Computer’ sessions that hacker tried to ransom

By Lisa Vaas

Well, bless your heart, the band Radiohead said after it was hacked and asked to pay a ransom for 18 hours of unheard music – a request that it eschewed, instead releasing the music on Bandcamp in order to aid Extinction Rebellion.

Want it? Here you go. It will cost you an £18 (around $23) donation to aid the climate advocacy group.

The extortionist demanded $150,000 after stealing 18 hours of music last week, according to a tweet from Radiohead guitarist Jonny Greenwood on Tuesday. It was stolen from Radiohead frontman Thom Yorke’s archive from around the time of the release of the 1997 album OK Computer.

Act fast: this offer won’t last. Greenwood said it’s good only for the next 18 days.

So, for £18 you can find out if we should have paid that ransom.

Though the music wasn’t intended for public consumption and is only “tangentially interesting,” Greenwood said, some clips did reach the cassette in the OK Computer reissue. Not only is it not particularly interesting, it’s also “very, very long,” he said – “not a phone download.”

One last blasé shrug from Greenwood:

Rainy out, isn’t it though?


FBI warns users to be wary of phishing sites abusing HTTPS

By John E Dunn

Would you trust a website simply because the connection to it is secured using HTTPS backed by the green padlock symbol?

Not if you’re informed enough to understand what HTTPS signifies (an encrypted, secure connection with a server) and doesn’t signify (that the server is therefore legitimate).

This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.

Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.

Unfortunately, cybercriminals have spotted the confusion about HTTPS, which accounts for the growing number of phishing attacks deploying it to catch people off guard. The FBI alert confirms:

They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims’ emails that imitate trustworthy companies or email contacts.

How we got here

Today, all competently managed websites use HTTPS, a big change from even a handful of years ago when its use was limited overwhelmingly to sites either allowing password login or conducting transactions as required by the industry PCI-DSS card standard.


Hackers stole photos of travelers and license plates from subcontractor

By Lisa Vaas

Images of travelers and license plates that a subcontractor copied from a database maintained by the US Customs and Border Protection (CBP) to his own network have been ripped off by hackers, the agency confirmed on Monday, adding yet more reasons for critics to warn about the perils to privacy that come with the government’s burgeoning use of facial recognition (FR) surveillance technologies.

A CBP spokesperson told news outlets that the agency learned on 21 May 2019 that the subcontractor “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”

That transfer was done in “violation of CBP policies and without CBP’s authorization or knowledge,” the spokesperson said.

First hop: improperly copied to the contractor’s network. Second hop: hacked away by malicious actor(s). The CBP spokesperson:

The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

All eyes turn to Perceptics

If it’s got any more details, the CBP isn’t giving them out. The agency hasn’t publicly named the subcontractor, nor exactly how many photos were involved.


Critical flaws found in Amcrest security cameras

By John E Dunn

Looking at the spec sheet, it’s not hard to understand why someone in search of an affordable but well-specified home security camera would choose the wireless IPM-721 series from US company Amcrest.

Launched around 2015, it offers 720p HD quality, two-way audio, the ability to pan and tilt, night vision, rounded off with four hours of cloud storage for your video footage at no extra cost.

This week, we learned that the camera had another less welcome characteristic in the form of six security flaws discovered back in 2017 by a researcher at security outfit Synopsys.

The 721 family has since been superseded by newer designs, which doesn’t, of course, mean that the many thousands of people who bought the product will stop using it just because a researcher has turned up security issues.

Those cameras are out there, an unknown number of which are in a vulnerable state that an attacker might identify using the Shodan search engine if they are configured to be accessible via the internet. Ideally, these cameras need to be identified and patched as soon as possible.

There are really three issues in play here – the nature and severity of the flaws, how users should go about updating the firmware to secure their cameras, and why it’s taken until 2019 for owners to hear about them.

The flaws

According to Threatpost, which spoke to the Synopsys researcher who uncovered the flaws, there are six vulnerabilities, now identified as CVE-2017-8226, CVE-2017-8227, CVE-2017-8228, CVE-2017-8229, CVE-2017-8230 and CVE-2017-13719.

We weren’t able to track down an advisory from Amcrest, but Synopsys posted outlines of each on Bugtraq.


iOS 13 will map the apps that are tracking you

By Lisa Vaas

As Apple continues its privacy march, the upcoming iOS 13 mobile update will be right there, and it’s pulling tracking apps along.

Apple showed off iOS 13 last week at its Worldwide Developers Conference (WWDC).

Beta testers at 9to5Mac have discovered that the upcoming release, now in preview, will tell you what apps are tracking you in the background and will give you the option of switching them off. Ditto for iPadOS.

The new feature comes in the form of a map that displays how a given app – 9to5mac showed screenshots of popup notifications about tracking apps from Tesla and the Apple Store – has been tracking you in the background, as in, when you’re not actually using the app.

The notifications show a map of the specific location data a given app has tracked, displaying the snail-slime trails that we all leave behind in our daily travels and which so many apps are eager to sniff at for marketing purposes.

Or for other reasons, as well. Besides the map, the popups will also provide the app’s rationale for needing access to a user’s background location.


June 10, 2019

The GoldBrute botnet is trying to crack open 1.5 million RDP servers

By John E Dunn

Even its most optimistic users would have to concede that it’s been a bracing few weeks for anyone who relies on Microsoft’s Remote Desktop Protocol (RDP).

The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

That came hot on the heels of Microsoft’s urgent warning in May about the risk of a dangerous “wormable” vulnerability called BlueKeep (CVE-2019-0708) in Windows XP and 7’s Remote Desktop Services (RDS) which use RDP.

Underlining the worry, two weeks after the initial alert, Microsoft issued a second anxious nudge when it discovered at least one million vulnerable systems had yet to apply the available patch.

By the time the US National Security Agency (NSA) chipped in with its own mildly apocalyptic BlueKeep alert on 4 June 2019, it was clear they believed something unpleasant might be brewing.

It’s behind you

The mega-attack exploiting BlueKeep has yet to materialize, but what users have got in the meantime is GoldBrute, a much more basic threat that targets the problem of RDP servers left exposed to the internet.

A search on Shodan puts the number of servers in this vulnerable state at 2.4 million, 1,596,571 of which, Morphus discovered, had been subjected to an attempted brute force attack targeting weak credentials.


Cryptocurrency attack thwarted by npm team

By Danny Bradbury

Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of Komodo’s KMD cryptocurrency, which is a privacy-centric coin. Luckily, they were thwarted by quick action from both Komodo and software repository npm.

On 8 March 2019, the sneaky developer published what appeared to be a useful update to a software component used by the Agama wallet. The attacker, who called themselves ‘sawlysawly’, posted the update on the GitHub developer collaboration website where Komodo hosts its source code.

Open source developers like to reuse each other’s software rather than reinventing the wheel. When a software application relies on a third party to do something, it’s called a dependency. The third-party building blocks on which applications depend are known as packages or modules, and people publish them in central repositories for developers to find. One of those repositories is npm. Started in 2009, it deals with JavaScript packages.

An npm package called electron-native-notify was introduced by sawlysawly as a dependency in the Agama wallet, meaning that the new version of the wallet would use that code.

At the time of the commit, the version of electron-native-notify (1.1.5) on npm was legit, but 15 days after making the commit, the npm package was updated to 1.1.6, which included a malicious payload. The next version of Agama was released on 13 April 2019.

The change in electron-native-notify enabled the attacker to steal the wallet seed, which is a secret phrase that enables users to retrieve their coins using any wallet.


Laptops used in 2016 NC poll to be examined by feds – after 2.5 years

By Lisa Vaas

More than two and a half years after the fact, the Feds are finally going to investigate the failure of voter registration software – from a company that had been cyber-attacked by Russians just days before the November 2016 US presidential election – in the swing state of North Carolina.

Politico has reviewed a document and spoken to somebody with knowledge of the episode, both of which suggest that the vendor, VR Systems, “inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election.”

Specifically, VR Systems used remote-access software to connect for several hours to a central computer in Durham County so as to troubleshoot problems with the company’s voter registration software. In fact, election officials would come to find out that this was common practice, according to Politico’s source, in spite of the fact that election technology security experts agree that it opens up systems to hacking.

Election Day 2016: Durham County

When the polls opened in Durham County on 8 November 2016, election officials discovered that the laptop computers used by precincts to verify voter registration had malfunctioned. They were forced to cross-check voter registration with old-fashioned paper poll registries and to extend voting hours.

It was suspicious, and it wasn’t an isolated incident. Five or six precincts reported the same problem with the computerized check-in system from VR Systems, a Florida-based e-voting vendor with customers in eight states. The county, which leans heavily to the Democrats, had delivered 75% of its votes to Barack Obama during both of his presidential runs, and North Carolina was considered a key swing state in the 2016 presidential election.


Online shops fear 2FA at checkout will increase abandoned carts

By Lisa Vaas

You’re sitting at your computer when it occurs to you that you really need to buy more tube socks, so you click yourself on over to and fill your cart full of socks.

But wait, what’s this? You’re being asked for another sign of authentication before you can check out? Why, that means you have to get up! You need to go get your phone for that one-time PIN! And that darn phone is all the way over there! Well, just forget it, you say, and yet another abandoned cart gets added to the heaps of can’t-be-bothered purchase exhaustion that’s (reportedly) the stuff of online merchant nightmares.

Well, that’s the dystopian, dys-profitable e-commerce future envisioned by Stripe, at any rate. Stripe, maker of online payment technology, recently commissioned research from 451 Research. Based on input from 500 businesses and 1,000 consumers, 451 Research concluded that the EU’s online economy risks losing €57 billion (US $64.6 billion) when Strong Customer Authentication (SCA) goes into effect on 14 September 2019 and ushers what will potentially be forget-the-socks-inducing friction into the checkout process.

SCA is all about protecting consumers by clamping down on fraud. One of the new requirements of the second Payment Services Directive (PSD2) that was passed by the EU in November 2015, it involves introducing additional authentication into online checkout. That can be as simple as a one-time PIN code delivered by, say, a text message or generated by an authenticator app such as Sophos Authenticator, or it could be fingerprint confirmation on those devices that support it.


Action required! Exim mail servers need urgent patching

By John E Dunn

Researchers have discovered another dangerous security hole hiding in recent, unpatched versions of the popular mail server, Exim.

Uncovered in May 2019 by security company Qualys, the flaw (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive running on several Linux distros, the latter released as far back as 15 April 2018. The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realized by the software’s maintainers at the time.

The lowdown: anyone still running a version from April 2016 to earlier this year will be vulnerable. Versions before that might also be vulnerable if EXPERIMENTAL_EVENT is enabled manually, Qualys’s advisory warns.

The issue is described as an RCE, which in this case stands for Remote Command Execution, not to be confused with the more often-cited Remote Code Execution.

As the term implies, what that means is that an attacker could remotely execute arbitrary commands on a target system without having to upload malicious software.

The attack is easy from another system on the same local network. Pulling off the same from a system outside the network would require an attacker to…

Keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

Remote exploitation is also possible when Exim is using any one of several non-default configurations itemized in the Qualys advisory.


What’s the best approach to patching vulnerabilities?

By Lisa Vaas

New research shows that most vulnerabilities aren’t exploited and those that are tend to have a high CVSS score (awarded on the basis of how dangerous and easy to exploit the vulnerability is). So, not surprisingly, the most easily exploited flaws are the ones exploited most frequently.

What’s more surprising is that there’s apparently no relationship between the proof-of-concept (PoC) exploit code being published publicly online and the start of real-world attacks.

The numbers: the researchers collected 4,183 unique security flaws used in the wild between 2009 and 2018. That’s less than half of the 9,726 discoveries of exploit code that had been written and posted online.

Those numbers come from a study in which a team of researchers from Cyentia, Virginia Tech, and the RAND Corporation took a look at how to balance the pluses and minuses of two competing strategies for tackling vulnerabilities.

What’s the best way to herd cats?

Fixing them all would get you great coverage, but that’s a lot of time and resources spent on sealing up low-risk vulnerabilities. It would be more efficient to concentrate on patching just some high-risk vulnerabilities, but that approach leaves organizations open to whatever vulnerabilities they didn’t prioritize.

How do you know which vulnerabilities are worth fixing? The researchers sought to figure that out by using data collected from a multitude of sources, along with machine learning to build and then compare a series of remediation strategies to see how they perform with regards to the tradeoff between coverage vs. efficiency.
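To make the coverage-versus-efficiency tradeoff concrete, here is an added example (not code from the Cyentia, Virginia Tech or RAND study) that scores a few simple remediation strategies against a constructed list of vulnerabilities. The identifiers, scores and exploited/PoC flags are made up; the two metrics follow the definitions in the text: coverage is the share of exploited flaws a strategy would have patched, efficiency the share of patched flaws that were actually exploited.

```python
"""Coverage vs. efficiency of vulnerability remediation strategies.

Added example, not from the study the article describes. The vulnerability
records are constructed (placeholder ids, not real CVEs) and the strategies
are illustrative.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class Vuln:
    vid: str         # constructed placeholder id
    cvss: float      # CVSS base score, 0-10
    has_poc: bool    # public proof-of-concept exploit published
    exploited: bool  # observed exploited in the wild


# Constructed sample: ten flaws, four of them exploited in the wild.
SAMPLE = [
    Vuln("V-01", 9.8, True, True),
    Vuln("V-02", 9.1, False, True),
    Vuln("V-03", 8.8, True, False),
    Vuln("V-04", 7.5, True, True),
    Vuln("V-05", 7.2, False, False),
    Vuln("V-06", 6.5, True, False),
    Vuln("V-07", 5.3, False, False),
    Vuln("V-08", 4.3, True, False),
    Vuln("V-09", 3.1, False, True),
    Vuln("V-10", 2.0, False, False),
]

# A strategy is a predicate: "patch this one?"
STRATEGIES: Dict[str, Callable[[Vuln], bool]] = {
    "patch everything": lambda v: True,
    "cvss >= 7": lambda v: v.cvss >= 7.0,
    "cvss >= 9": lambda v: v.cvss >= 9.0,
    "public PoC exists": lambda v: v.has_poc,
}


def evaluate(vulns: Iterable[Vuln], select: Callable[[Vuln], bool]) -> dict:
    """Score one strategy.

    coverage   = exploited flaws patched / all exploited flaws
    efficiency = exploited flaws patched / all flaws patched
    """
    vulns = list(vulns)
    patched = [v for v in vulns if select(v)]
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in patched if v.exploited]
    coverage = len(hits) / len(exploited) if exploited else 1.0
    efficiency = len(hits) / len(patched) if patched else 0.0
    return {"patched": len(patched), "coverage": coverage, "efficiency": efficiency}


def compare(vulns: Iterable[Vuln], strategies=STRATEGIES) -> Dict[str, dict]:
    """Evaluate every strategy on the same data so the tradeoff is visible."""
    vulns = list(vulns)
    return {name: evaluate(vulns, sel) for name, sel in strategies.items()}


if __name__ == "__main__":
    for name, score in compare(SAMPLE).items():
        print(f"{name:<20} patched={score['patched']:>2} "
              f"coverage={score['coverage']:.2f} efficiency={score['efficiency']:.2f}")
```

On the constructed data, "patch everything" reaches full coverage at 40% efficiency, a CVSS threshold of 9 flips that to 50% coverage at 100% efficiency, and the "public PoC exists" rule does no better than patching at random, which is the study's point about PoC code not predicting real-world attacks.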


June 6, 2019 »

Microsoft dismisses new Windows RDP ‘bug’ as a feature

By Danny Bradbury

Researchers have found an unexpected behavior in a Windows feature designed to protect remote sessions that could allow attackers to take control of them.

The issue, discovered by Joe Tammariello at the CERT Coordination Center (CERT) at Carnegie Mellon’s Software Engineering Institute, is documented as CVE-2019-9510. It stems from Network Level Authentication (NLA), which is a feature that you can use to protect Windows installations that have the Remote Desktop Protocol (RDP) enabled. NLA stops anyone from remotely logging into the Windows computer by requiring them to authenticate first.

Starting with Windows 10 release 1803 in April 2019, and with Windows Server 2019, Microsoft changed the way NLA works. Now, the authentication mechanism caches the client’s login credentials on the RDP host so that it can quickly log the client in again if it loses connectivity. The change enables an attacker to circumvent a Windows lock screen, warns CERT/CC, which disclosed the issue, in an advisory.

Let’s say you remotely log in to a Windows box using RDP. Then, you lock that remote desktop to stop an attacker from accessing it from your machine while you leave the room.

The attacker could interrupt the network connection between the local machine and the remote Windows box and then reestablish it, by unplugging the network cable and plugging it in again (or disabling and re-enabling Wi-Fi).


YouTube bans kids live-streaming without an adult present

By Lisa Vaas

In yet another step to scrape pedophiles off the bottom of its shoe, YouTube announced on Monday that it’s banning youngsters from live-streaming without adult supervision and that it’s limiting recommendations of videos that depict “minors in risky situations.”

In February, YouTube disabled comments on millions of videos featuring minors, in response to reports that creeps were leaving disgustingly sexual comments on videos featuring kids doing things like yoga or gymnastics, or playing games such as Twister.

At the same time, YouTube also implemented a classifier – a machine learning tool that helps to identify specific types of content – that it says helped it remove a significant number of violative comments.

It didn’t catch them all. On Monday, the New York Times published a writeup of research showing that YouTube’s automated recommendation system (which suggests what to watch next and which drives most of YouTube’s billions of views) was, months after the move to disable comments on kids’ videos, suggesting videos of partially clothed kids (think two-piece swimsuits) to users who watched “other videos of prepubescent, partially clothed children.”

Three researchers at Harvard’s Berkman Klein Center for Internet and Society – Jonas Kaiser, Yasodara Córdova and Adrian Rauchfleisch – stumbled onto the videos while looking into YouTube’s impact in Brazil, the Times reports.


Gang charged with $19 million iPhone scam

By Lisa Vaas

A gang in New York allegedly spent the past seven years using the ripped-off identities of cellphone subscribers to steal $19 million worth of iPhones, according to a now-unsealed complaint originally filed by federal prosecutors at the end of April 2019.

The six defendants have been charged with felony counts of mail fraud, conspiracy, and aggravated identity theft.

New York City Police Department (NYPD) detective Armando Coutinh, from the NYPD-FBI Joint Major Theft Task Force, said in the complaint that the ring of alleged fraudsters kept it up from at least 2012 to the present, selling new devices – mostly iPhones – through fencing operations.

A simple plan

Here’s how it worked, Coutinh explained: the fraud ring members would break into the accounts of existing cellphone subscribers and add their names as “authorized users.” Later on, they used stolen personally identifying information (PII) instead of their own names to cook up new, fraudulent accounts.

Then, they’d “upgrade” their phones, paying only a pittance, or nothing at all, in-store and putting the rest of the purchase price on pay-by-month plans on the identity theft victims’ dime.

The victims included both the service providers, which typically picked up the cost of the stolen phones, and the customers whose identities were stolen and/or whose accounts were broken into. The complaint didn’t specify which providers were targeted, nor how many people were defrauded.

Using the stolen PII, the fraudsters created fake ID cards and fraudulent credit and debit cards. Using those cards, they’d pose as legitimate subscribers and fan out across the country to waltz into phone stores for their “upgrades.”


June 5, 2019 »

Patch Android! June 2019 update fixes eight critical flaws

By John E Dunn

Unbeknown to most users, devices running supported versions of Android are supposed to get small amounts of new software every month, mostly security updates.

Unfortunately, as we pointed out in May, when and whether that happens is a matter of whim for each device’s manufacturer.

Updates for Google’s Pixel smartphones will arrive sometime this week – covering functional issues as well as security patches.

But if your device is made by another vendor, June’s Android patches could turn up any time from next month to some point later this year.

Given that June’s two patch levels (2019-06-01 and 2019-06-05) comprise only 13 CVEs plus another 9 from Qualcomm, this might not sound like that big a loss.

But if the same device is also missing previous updates, as many will be, the number of missing patches rises to dozens.

Amplifying the update confusion is Android’s version fragmentation, which gave Apple CEO Tim Cook cause to gloat when he mentioned at this week’s WWDC 2019 conference that the newest version of Android is still only running on 10% of Google’s mobile devices compared to 85% of iPhones running the latest iOS.


Apple bans ads, third-party tracking in apps meant for kids

By Lisa Vaas

On Monday, at its World Wide Developers Conference (WWDC), Apple had a big on-stage announcement of its new Sign In with Apple offering.

But it also made a less ballyhooed tweak: the company swept kids up in its privacy march.

On Monday, Apple updated the Kids category in its App Store developer guidelines to include a new ban on third-party advertising or analytics (which are ostensibly used for tracking) in content aimed at younger audiences.

Previously, the guidelines only restricted behavioral advertising tracking – e.g., advertisers weren’t allowed to serve ads based on kids’ activity, plus ads had to be appropriate for young audiences.

The current guidelines also (still) stipulate that apps can’t include links that take a user outside of the app, or other things that would “distract” kids, unless they’re behind a parental gate: a feature used in apps targeted at kids that keeps them from buying stuff or following links out of an app to websites, social networks, or other apps without the knowledge of their parent or guardian.

Apple also reminded developers to pay attention to privacy laws around the world when it comes to the data they collect from kids.


ATM skimming crook behind bars after draining bank accounts for 2 years

By Lisa Vaas

A Boston federal court on Monday sentenced a Romanian national to 65 months in federal prison for a multi-state ATM card-skimming scheme through which he and his gang drained $868,706 from 531 people’s bank accounts.

The Justice Department said that Bogdan Viorel Rusu, 38, was also sentenced to five years of supervised release and ordered to pay restitution and forfeiture of $440,130.

Rusu pleaded guilty in September 2018 to one count each of conspiracy to commit bank fraud, bank fraud, and aggravated identity theft. He had been arrested November 2016 and has been in custody since then.

ID’ed through his asylum application photos

According to court documents, video surveillance cameras picked up a man installing a pinhole camera and a skimmer device on a bank ATM located in Chicopee, Massachusetts in August 2014.

Thomas Roldan – a special agent with Homeland Security’s Immigration and Customs Enforcement (ICE) within the US Department of Homeland Security (DHS) – said in an affidavit that he identified Rusu based on photos that Rusu submitted in support of an asylum application to US Citizenship and Immigration, as well as Roldan’s own physical surveillance of the suspect.

The skimming devices were plugged in at around 16:26, and then the video cameras picked up footage of somebody else picking up the pinhole camera and skimmer a few hours later, at 20:01. Bank records showed that 85 customers used the ATM during that time, and 12 of them later reported losses totaling $8,399.43.

Next day, same thing, but this time, Rusu plugged in the skimming devices and picked them back up himself after a few hours. That time, customers lost $9,823.50.


Apple battles Facebook and Google with rival sign in service

By Danny Bradbury

Apple’s World Wide Developers Conference (WWDC) on Monday was full of surprises. One of them was a new feature designed to make signing in to apps and websites more private: ‘Sign In with Apple’.

You know how you’ve signed up for dozens of accounts on websites over the years? You have to enter your email address, choose a password that meets requirements, store it (hopefully with a password manager)… and soon after comes the flood of junk mail from the site’s needy marketing team.

Some folks use a throwaway-email address service for each new account. But what if you want to see some of that mail? And how sure are you that the dummy address won’t get reused in the future by someone else? And how do you know if the website’s going to store your password securely?

The other option is to use a single sign-on service from one of the two big providers: Google or Facebook. When you see a ‘Sign In With Google’ or ‘Sign In With Facebook’ button on a web site, it’s offering to let you use your Google or Facebook ID for a quick, one-click sign up or sign on, no password required, as long as you’re signed into Google or Facebook.

The problem with services like these is that the companies running them (and their hidden partners) end up knowing more about you than your grandmother.

Sign In with Apple is Cupertino’s privacy-conscious version of those services. The idea is to make signing in – and signing up – to websites as simple as possible, without having to provide any personal information.


Synthetic clicks and the macOS flaw Apple can’t seem to fix

By John E Dunn

What’s more embarrassing than a researcher revealing a security oversight in a company’s software?

In the case of Apple, it would be when that software, macOS 10.15 ‘Catalina’, hasn’t even shipped to users yet.

The bearer of bad news was noted researcher Patrick Wardle of Digita Security, who used last weekend’s Objective by the Sea conference in advance of macOS 10.15’s launch this week to reveal a weakness through which malicious apps could exploit ‘synthetic clicks’ – automated clicks or keystrokes made by an app in the interests of accessibility.

Hijacking this, malware could automatically generate synthetic clicks to bypass prompts that ask the user to authorize actions such as installing software, hijacking webcams and microphones, or accessing Apple’s Keychain password manager, none of which would be a good thing.

Because macOS security depends on the response to such alerts, malware that can simulate these clicks on behalf of the user would have a dangerous amount of power.

In 2017 it was realized that FruitFly malware had adopted the technique as far back as 2008, as did DevilRobber in 2011 and Genieo in 2014, so the threat is more than theoretical.

The flaw

To counter this, Apple introduced a whitelist that limited access to synthetic clicks to applications approved by the user.

However, it was discovered that, for reasons of backwards compatibility, Apple had built some exceptions to this rule into the Transparency, Consent and Control (TCC) system, including for the open source VLC media player, Adobe Dreamweaver, and the Steam games platform.


June 4, 2019 »

GandCrab ransomware crooks to shut up shop

By Danny Bradbury

The authors of the GandCrab ransomware strain are shutting their ransomware-as-a-service portal, allegedly walking away with a cool $150m.

The announcement appeared on a hacker forum, and cybersecurity researcher ‘Damian’ tweeted the news on 1 June.

GandCrab, which first appeared in January 2018, operated using a ransomware-as-a-service (RaaS) model – meaning the authors aren’t the only people using it (if they use it at all). Instead, they let others launch their own campaigns with it and take a small cut of the profits.

In a message on the hacking forum, the perpetrators explained that their broader community of customers had made far more money:

For all the good things come to an end. For the year of working with us, people have earned more than $2 billion.

They said that the community earned $2.5m per week on average, adding that they personally earned over $150m per year as part of the cybercrime venture.

We successfully cashed this money and legalized it in various spheres of white business both in real life and on the internet.

GandCrab is a slick operation, and its logo, modern web interface, vanity Dark Web URL and unusual choice of the Dash cryptocurrency for payments give it an innovative and professional veneer.


US visa applicants required to hand over social media info

By Lisa Vaas

Visa applicants to the US are now required to submit five years of social media account information.

This will give the government access to personal data we share on social media, such as photos, locations, dates of birth, dates of milestones and more.

For now, the State Department is only requesting account names. Thus, access to social media account handles will enable the government to get at whatever data we’ve publicly shared.

No passwords required (yet)

However, the idea to request passwords has been floated in the past: In 2017, then-Homeland Security Secretary John Kelly suggested that asking for passwords was under consideration.

The US State Department already collects information on visa applicants such as previous addresses and contact information. The new policy, which went into effect on Friday, requires “most” visa applicants, including temporary visitors, to list their social media “identifiers” in a drop-down menu along with other personal information, the Hill reported.

Those social media identifiers will be used as one part of a background check that includes reviews of watchlists maintained by the US. At this point, the drop-down menu only includes the big social media platforms, though an official told the Hill that the form will soon accommodate all sites that visa applicants may use.

Visa applicants have the option of saying that they don’t use social media, but the official told the publication that lying could lead to “serious immigration consequences.”


Apple sunsets iTunes

By Lisa Vaas

Sayonara, music lovers: you won’t have Apple’s much-maligned, bloated iTunes to kick around anymore. Instead, you’ll have to aim your kicks in three directions, since Apple has decided to split its 18-year-old digital hub into three standalone desktop apps called Music, Podcasts and TV.

The move was announced on Monday at Apple’s Worldwide Developer Conference.

Splitting up iTunes into three desktop apps will be similar to how those services are already divided on iPhones and iPads. According to CNN, Apple is keeping iTunes as a standalone iOS app and on Windows PCs.

Content storefronts like iTunes have pulled disappearing acts on content before. Like, say, when Apple removed movies from its Canadian Store and left a miffed Canadian man purchased-movie-less.

Fear not (or rather, fear as much as normal, given the above content whisk-aways), for iTunes’ disappearance isn’t going to mean that your libraries or previous purchases are going up in smoke. They’ll be maintained in each new app on Mac computers, an Apple spokesperson told CNN.


June 3, 2019 »

Your phone’s sensors could be used as a cookie you can’t delete

By John E Dunn

Researchers keep finding new ways that advertisers can track users across websites and apps by ‘fingerprinting’ the unique characteristics of their devices.

Some of these identifiers are well known, including phone and IMEI numbers, or the Wi-Fi and Bluetooth MAC addresses, which is why access to this data is controlled using permissions.

But iOS and Android devices have a lot of other hardware that could, in theory, be used to achieve the same end.

In the study SensorID: Sensor Calibration Fingerprinting for Smartphones, Cambridge University researchers give some insight into the latest candidate – sensor calibration fingerprinting.

If sensors don’t sound like a big deal, remember that today’s smartphones are stuffed with them in the form of accelerometers, magnetometers, gyroscopes, GPS, cameras, microphones, ambient light sensors, barometers, proximity sensors, and many others.

Researchers have been looking at whether these sensors could be used to identify devices for some time using machine-learning algorithms without much success, but the Cambridge researchers finally cracked the problem with a novel proof of concept for iOS devices using M-series motion co-processors.

And there’s a good reason why sensors represent an attractive target, say the researchers:

Access to these sensors does not require any special permissions, and the data can be accessed via both a native app installed on a device and also by JavaScript when visiting a website on an iOS and Android device.

In other words, unlike traditional fingerprinting nobody is going to stop them, ask for permission to do what they’re doing, or even notice it’s happening at all, rendering the whole exercise invisible.


New controversy erupts over Chrome ad blocking plans

By Danny Bradbury

Google Chrome extension developers were fuming last week over a new approach in the way that the browser will handle extensions. It will limit the way that Chrome lets extensions block content – unless you’re an enterprise user.

In November 2018, Google proposed an update to the Manifest system, which restricts what extensions can do in Chrome. In its forthcoming Manifest v3, it wants to change the way that browser extensions intercept and modify network requests from the browser.

The proposed change would limit the functions of a specific application programming interface (API). APIs define how a piece of software can be spoken to by other bits of software.

Today, extensions running on the Chromium browser use the webRequest API to intercept network requests. They can use it to analyze and block requests from online domains like advertising networks.

Chromium’s developers want to limit the blocking form of webRequest, instead allowing only a neutered version that simply observes network requests. If developers want to block a site, they’d need to use another API called declarativeNetRequest.

The move would improve performance and improve user privacy, said Chromium’s developers. When using webRequest, Chrome gives the network request to the extension and waits for its decision. Under declarativeNetRequest, the extension tells Chromium its rules and lets the browser use those to handle the decisions itself.


Fake news writer: If people are stupid enough to believe this stuff…

By Lisa Vaas

In 2017, Facebook banned several fake news sites. One of them was the one that “Tamara” (not her real name) was writing for.

Poof! went her livelihood. Poof! went her boss’s Facebook Messenger account. When she finally got through to him, he sounded “shook up,” said Tamara, a Macedonian fake-news writer who recently described to the BBC what it’s like to manufacture mental sludge.

She didn’t hear from him again until last summer, when “Marco” – an awkward young man who seemed to be embarrassed about being younger than his employee – called to see if Tamara wanted to write for another website. She declined.

It’s not that she was overwhelmed with guilt that her job consisted of copying and pasting obviously made-up stories from other sites after searching for strings such as “Muslim attacks,” then creating a mashup of fact and fiction and searching Google for images to attach to the articles she published.

My take was that if people are stupid enough to believe these stories, maybe they deserve this. If they think this is the truth, then maybe they deserve this as a way of punishment.

And it’s not that she agreed with the content she was writing. Tamara says she’s a liberal, and she was “horrified” by the content she had to rewrite. She told the BBC that she basically turned off her brain and became a set of hands at a keyboard as she rewrote US articles to hide them from being flagged as plagiarized content.

I try to split myself and my own beliefs from the stuff I was writing. So I tried to stay as out of it as I can. I just saw it as writing words. I tried not to think about writing propaganda.

So why did she stop?


G Suite users will have ‘confidential’ Gmail mode set to ON by default

By Lisa Vaas

Google announced on Wednesday that on 25 June 2019, its Gmail confidential mode will be switched on by default as the feature becomes generally available.

The feature gives G Suite users who use Gmail the option to send emails with expiration dates or to revoke previously sent messages. It also prevents recipients from forwarding, copying, printing, or downloading messages. Since confidential mode will be switched on by default, admins will have to switch it off if they so choose – for example, if they’re in industries that face regulatory requirements to retain emails.

Google introduced confidential mode for personal Gmail accounts last year and made the beta available in March 2019.

The screenshot/photo caveats still apply

As with other ephemeral-messaging services, including Snapchat and ProtonMail, there’s nothing stopping recipients from doing a screen grab of a message or simply taking a photo of it.

And as we noted in April 2018, when Google first gave admins a heads-up about confidential mode, there’s a reason why the company called it “confidential” rather than “private.”

For one thing, an email sent in confidential mode isn’t encrypted end-to-end. That’s unlike ProtonMail, the end-to-end, encrypted, self-destructing email service.


Unpatched Docker bug allows read-write access to host OS

By Danny Bradbury

There are lots of books on tools and techniques to secure software containers, but what happens when someone discovers a basic architectural flaw? And what do you do when there’s no working patch for it?

That’s the situation in the Docker universe this week after Suse developer Aleksa Sarai uncovered a bug in the way that the container framework handles path names.

The bug lies in FollowSymlinkInScope, which resolves file paths given to the Docker container system. Because the function doesn’t immediately use the file path after resolving it, it creates a race condition. An attacker who can interfere with the resolved file path could change it, potentially giving them read-write access to the host OS as a root user.

Containers are software packages that contain an application and its dependencies. They’re designed to run in exactly the same way regardless of infrastructure, and work by virtualizing an operating system (unlike Virtual Machines, which virtualize hardware). Like Virtual Machines, containers are not supposed to be able to influence their host.

This all sounds very serious, and the National Vulnerability Database (NVD) ranks the bug severity as high. Nevertheless, Docker security engineer Justin Cormack had his own context for the flaw, in a statement mailed to Naked Security:

The vulnerability is a rare/unlikely scenario that would require an already compromised container, a copy being made without pausing the container, and a bad actor that knows when that copy is being made.

Someone would have to be using docker cp, a docker command used to copy files between the host OS and the container. The attacker would have to modify the files at the same time the copy was being made. That window is just a few milliseconds long, the company pointed out in its mail.
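The bug described above is a check-then-use race on a path string: the path is resolved (and checked to stay inside the container’s root) at one moment and opened by name at a later one, so a path component swapped for a symlink in between is followed on the second walk. The following is an added example, not Docker’s code: FollowSymlinkInScope is the function the article names, while resolve_in_scope below is a stand-in with the same resolve-then-use shape, and read_no_follow shows the usual defensive alternative of walking the path one component at a time from a directory descriptor with O_NOFOLLOW, so nothing is ever followed. The directory layout and the swap that stands in for the race are constructed in a temporary directory; it runs on Linux (and other platforms where os.open supports dir_fd and O_NOFOLLOW).

```python
"""Resolve-then-use on a path string versus opening without following symlinks.

Added example, not Docker's code. The file tree and the "race" (a directory
swapped for a symlink between check and use) are constructed in a temp dir.
"""
import os
import tempfile
from pathlib import PurePosixPath


def resolve_in_scope(root: str, rel: str) -> str:
    """Resolve rel under root, following symlinks, and refuse paths that escape root.
    This is the 'check' half of check-then-use: it returns a string, and nothing
    ties that string to the directory entries it was computed from."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError(f"{rel!r} escapes {root!r}")
    return target


def read_resolve_then_use(root: str, rel: str, between=lambda: None) -> str:
    """Vulnerable shape: check the resolved string, open by name later.
    `between` stands in for whatever changes on disk during the gap."""
    target = resolve_in_scope(root, rel)
    between()
    with open(target) as f:   # re-walks the path, following links added since the check
        return f.read()


def read_no_follow(root: str, rel: str, between=lambda: None) -> str:
    """Safer shape: walk component by component from a directory fd with
    O_NOFOLLOW, so a symlink swapped in at any level raises instead of being followed."""
    parts = PurePosixPath(rel).parts
    if not parts or any(p in ("..", "/") for p in parts):
        raise PermissionError(f"{rel!r} is not a plain relative path")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        between()
        for part in parts[:-1]:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        leaf = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    finally:
        os.close(fd)
    with os.fdopen(leaf) as f:
        return f.read()


def _make_tree(base: str) -> None:
    """Constructed layout: base/root/sub/file.txt (in scope) and base/outside/file.txt."""
    os.makedirs(os.path.join(base, "root", "sub"))
    os.makedirs(os.path.join(base, "outside"))
    with open(os.path.join(base, "root", "sub", "file.txt"), "w") as f:
        f.write("in-scope")
    with open(os.path.join(base, "outside", "file.txt"), "w") as f:
        f.write("OUTSIDE")


def _swap_sub_for_symlink(base: str):
    """Return the constructed 'race': root/sub becomes a symlink to base/outside."""
    def swap():
        sub = os.path.join(base, "root", "sub")
        os.rename(sub, sub + ".orig")
        os.symlink(os.path.join(base, "outside"), sub)
    return swap


def simulate(reader, race: bool) -> str:
    """Run one reader on a fresh tree, with or without the swap in the gap.
    Returns the file contents read, or 'refused (<error>)' if the open failed."""
    with tempfile.TemporaryDirectory() as base:
        _make_tree(base)
        root = os.path.join(base, "root")
        between = _swap_sub_for_symlink(base) if race else (lambda: None)
        try:
            return reader(root, "sub/file.txt", between=between)
        except OSError as e:
            return f"refused ({type(e).__name__})"


if __name__ == "__main__":
    for reader in (read_resolve_then_use, read_no_follow):
        print(f"{reader.__name__:<22} no race: {simulate(reader, False)!r:<12} "
              f"race: {simulate(reader, True)!r}")
```

Without the swap both readers return the in-scope contents; with it, the resolve-then-use reader hands back the file from outside the root, while the descriptor-based walk fails with ELOOP at the swapped component. The descriptor approach closes the window rather than shrinking it, which is why "the window is only a few milliseconds" is an argument about likelihood, not about whether the pattern is sound.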

