
November 11, 2020

“Instant bank fraud” hoax is back – don’t spread fake news!

By Paul Ducklin

Yesterday, we wrote about an SMS phishing scam that targeted mobile phone users by telling them that a payment hadn’t gone through.

The fake SMSes were believable enough, except for the link you were asked to click.

The URL in the text message started with the name of the relevant mobile phone company, to lull you into a false sense of security, but ended in an unrelated scam domain set up as a vehicle for this fraud.

As you can see, clicking through would take you to a convincing facsimile of a real login page, with an HTTPS website name and an “encryption” padlock, with the layout and images ripped off from the real site…

…but with a fake server name in the URL in the address bar.

As you probably know, the idea of a scam like this is to catch you when you’re tired or in a hurry, in the hope that you’ll type in your login details without taking the time to look for telltale signs that the site is a fraudulent clone of the real thing.

Typing in your login data on the fake site exposes your credentials to the crooks because your password is sent to them instead of to your real mobile phone provider.


Smishing attack tells you “mobile payment problem” – don’t fall for it!

By Paul Ducklin

As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.

Sure, old-fashioned text messages have fallen out of favor for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.

But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.

That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.

Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.

Such as this one, fraudulently claiming to be from UK mobile phone provider O2.


Black Friday – stay safe before, during and after peak retail season

By Paul Ducklin

It’s three weeks until US Thanksgiving, which happens on the fourth Thursday of November.

As readers around the world now know, the day after Thanksgiving – the “bridge day” that many Americans take as a vacation day to create a long weekend – is popularly known as Black Friday.

To be clear, that’s black as in ink, a metaphor from the days when accountants wrote positive balances in black and negative amounts in red ink.

(To be “in the red” therefore meant to be in debt – still does, in fact, although it’s well before all our lifetimes that anyone actually dipped their quill in a pot of red ink to make the point.)

The day after Thanksgiving became known as Black Friday because it was a day on which so much retail trade was done that many retailers, in a good year at least, would make enough money to bring their annual trading accounts into the black, leaving them with the rest of the Christmas shopping season to make their profit for the year.

As a result, Black Friday is now synonymous with massive sales, huge discounts, and some amazingly good deals, notably on tech gadgets.

Unsurprisingly, however, it’s also a time to be alert for “deals” that are no such thing.

If you’re incautious in your zest to score a “bargain”, you might not only lose your money on an item that never shows up, but also get phished or scammed out of your credit card number, passwords or other personal information.


Another Chrome zero-day, this time on Android – check your version!

By Paul Ducklin

Two weeks ago, the big “zero-day” news concerned a bug in Chrome.

We advised everyone to look for a Chrome or Chromium version number ending in .111, given that the previous mainstream version turned out to include a buffer overflow bug that was already known to cybercriminals.

Loosely speaking, if the crooks get there first and start exploiting a bug before a patch is available, that’s known as a zero-day hole.

The name comes from the early days of software piracy, when game hackers took brand new product releases and competed to see who could “crack” them first.

As you can imagine, in the days before widespread internet access made free games with a subscription-based online component viable, games vendors often resorted to abstruse and complex technical tricks to inhibit unlawful duplication of their software.

Nevertheless, top crackers would often unravel even the most ornery software protection code in a few days, and the lower the number of days before the crack came out, the bigger the bragging rights in underground forums.

The ultimate sort of crack – the gold-medal-with-a-laurel-wreath version – was one that came out with a zero-day delay (more coolly called an 0-day, with 0 pronounced as “oh”, not “zero”), where the game and its revenue-busting crack appeared on the very same day.

And “zero-day” is a term that has stuck, with the word now denoting a period of zero days during which even the most scrupulous sysadmin could have patched proactively – whether the crooks have known about the bug for years, months, weeks or days.

Well, the bad news is that there’s another vital update to Chrome, which means that users on Windows, Linux and Mac should now be looking for a version number of 86.0.4240.183, not for 86.0.4240.111.


Adobe Flash – it’s the end of the end of the end of the road at last

By Paul Ducklin

There are some cybersecurity issues that just never seem to go away.

As a result, we have written about them, on and off, for years – at first with ever-increasing quizzicality, but ultimately, once we could raise our eyebrows no further, with a sort of saggingly steady fatalism.

Examples include: the fact that Windows still doesn’t show file extensions by default; the prevalence of elementary security blunders in IoT devices; and Apple’s obstinate refusal to say anything at all about security fixes – even whether widely-known bugs are being worked on – until after they’re out.

And Flash. Adobe Flash.

Adobe’s technology for fancy interactive graphics, mostly used to spice up your browser, has drifted towards its demise for so many years that it has almost single-handedly made a cliché out of Mark Twain’s famous remark that “the report of my death was an exaggeration.”


Buer Loader “malware-as-a-service” joins Emotet for ransomware delivery

By Paul Ducklin

If you’ve followed the inglorious history of malware in recent years, you’ll almost certainly have heard the name Emotet.

That’s a long-lived and extensive family of malware that we’ve had the unfortunate necessity to warn you about on many occasions.

Emotet is what’s known as a bot or zombie – malware that regularly and quietly calls home to one or more C&C servers operated by the crooks. (C&C and its synonym C2 are short for Command-and-Control.)

Zombies of this sort generally upload details of each system that they successfully infect, and download instructions on what dastardly deed to do next.

Any collection of zombified computers that is hooked up to the same set of C&C servers is known as a botnet, short for robot network, because the crooks that control those C&Cs can send commands to some, many or all of those infected computers at the same time.

As you can imagine, that gives so-called botmasters an awful lot of unlawful computing power and network bandwidth that they can unleash in parallel.

Example large-scale attacks that can be automated in this way include: mass spam-sending from hundreds of thousands of innocent-looking computers at the same time; distributed denial of service (DDoS) attacks against companies or service providers; click fraud involving millions of legitimate-looking ad clicks; and more.

The Emotet gang, however, have typically used their own botnets in a very service-oriented way: as a pay-as-you-go malware delivery network for other cybercriminals.


Facebook “copyright violation” tries to get past 2FA – don’t fall for it!

By Paul Ducklin

Do you look after any sort of social media content?

If so, especially if it’s business-related, you’ve probably received your fair share of copyright infringement complaints.

No matter how scrupulous you are about correctly licensing and attributing your content, you may be the victim of a scurrilous or over-zealous complainant.

For example, we went through a phase recently during which a spammer took to emailing us about images that we had licensed via Shutterstock, implying that we were using them illegally. (We were not.)

The spammer offered us specious conditions to help “regularize” our use of the image – complete with a thinly-disguised warning that “removing the image isn’t the solution since you have been using our image on your website for a while now.”

Sometimes, however, a complainant may be prepared to make a claim on the record by lodging a formal infringement complaint with the site where your content is hosted.

In such cases, you may indeed be contacted by the relevant social media company to try to sort the issue out.

Ignoring genuine complaints is not really an option, given that the social media site may decide to remove the offending material unilaterally, or even to lock you out of your account temporarily, if you don’t respond within a reasonable time.

As you can imagine, this creates an opening for cybercriminals to frighten you into responding by sending out a fake takedown message.


Phone scamming – friends don’t let friends get vished!

By Paul Ducklin

As regular readers will know, we write up real-world scams fairly frequently on Naked Security.

Despite ever more aggressive spam filtering, including blocking some senders outright without even seeing what they’ve got to say, many of us receive a daily crop of outright dishonest and manipulative messages anyway.

This sort of spam, better known by the openly pejorative terms scam email or malspam, short for malicious spam, isn’t sent by mere online chancers or vaguely dodgy marketing companies.

We’re talking about unreconstructed scams, straight from outright cybercriminals whose goal is to defraud us.

Indeed, phishing, as email scamming is generally known, is still one of the primary ways by which crooks find chinks in your cybersecurity armor – for example, by tricking you into giving away login passwords, persuading you to open malware attachments inside your company network, or convincing you to pay outgoing funds to the wrong bank account.

But this sort of crime isn’t only conducted by email, which is why we have a range of words that sound like “phishing” but refer to other channels of communication.

You’ve almost certainly heard of smishing, which is phishing conducted via SMS or text message.

You probably use SMSes only very sparingly to talk to your friends these days – IM software such as WhatsApp, Facebook Messenger, WeChat, Signal and Snapchat now dominate the personal messaging marketplace.

But plenty of businesses still use SMS for contacting customers, on the grounds that pretty much every mobile phone in the world can receive text messages – regardless of what other IM software may or may not be installed.

If all the company needs to do is say, “Your one-time login code is 314159” or “We couldn’t get hold of you, click here for more”, an SMS is simple, fast, needs no internet coverage, and will reach you even if your phone is out of credit.

That’s why we’ve regularly written this year about SMS smishing campaigns that take these short, sharp and simple business messages and turn them into lures that trick you into clicking links or texting back, whereupon you get sucked into the scammers’ grasping tentacles.


October 7, 2020

Gone phishing: workplace email security in five steps

By David Mitchell

David Mitchell, Senior Director of Email Product Management at Sophos, shares his top tips to optimize workplace email security.

How many work emails have you sent and received today? Despite the rise of workplace chat and instant messaging apps, for many of us email continues to dominate business communications both internally and externally.

Unfortunately, email is also the most common entry point for cyberattacks – sneaking malware and exploits into the network, and credentials and sensitive data out.

Email security threats: the new and the enduring

The latest data from SophosLabs shows that in September 2020, 97% of the malicious spam caught by our spam traps were phishing emails, hunting for credentials or other information.

The remaining 3% was a mixed bag of messages carrying links to malicious websites or with booby-trapped attachments, variously hoping to install backdoors, remote access trojans (RATs), information stealers or exploits, or to download other malicious files.

Phishing remains a frighteningly effective tactic for attackers, regardless of the final objective.

This is in part because the operators behind them continue to refine their skills and enhance the sophistication of their campaigns.


If you connect it, protect it

By Paul Ducklin

“If you connect it, protect it” is a short and simple slogan that we’ve taken straight from this year’s Cybersecurity Awareness Month (CSAM).

We wrote about CSAM last week, on the first of the month, to explain why we think CSAM is still worth supporting, for two main reasons.

The first reason is that it’s an annual prod to all of us to reach out to our friends and family who still think that “it’ll never happen to me”, or that “I’m too unimportant for the crooks to go after my data.”

The thing is, as we explained last week, that the crooks don’t have to “go after you” to get hold of your data.

After all, they might get hold of it, along with personal information about thousands or even millions of other people, as the side-effect of a blunder by a company that didn’t protect its customers’ data well enough.


Serious Security: Phishing without links – when phishers bring along their own web pages

By Paul Ducklin

In the past few days we received two phishing campaigns – one sent in by a thoughtful reader and the other spammed directly to us – that we thought would tell a useful visual story.

As far as we can tell, these scams originated from two different criminal gangs, operating independently, but they used a similar trick that’s worth knowing about.

The phishing scammer’s three-step

Most straight-up email phishing scams – and you’ve probably received hundreds or even thousands of them yourself in recent times – use a three-stage process:

  • Step 1. An email that contains a URL to click through to.

The message might claim to be telling you about an unpaid electricity bill, an undelivered courier item, a suspicious login to your online banking account, a special offer you mustn’t miss, or any of a wide range of other believable ruses.

Sometimes the crooks actually know your name and perhaps even your phone number and your address.


#BeCyberSmart – why friends don’t let friends get scammed

By Paul Ducklin

Cybersecurity is important.

In fact, it was already important way back in the years before cybercriminals started making money out of malevolent software – before we needed terminology such as phishing, botnets, attack chains, exploit kits, spyware and ransomware.

Back when computer viruses were almost entirely about showing off to imaginary chums, or having a destructive joke at everyone else’s expense on Friday the Thirteenth by deleting their programs one by one…

…well, even back then, cybercrime (as we unexceptionably call it now) was neither witty nor innocent.

Then, starting in about 2000 or 2001, cybercrooks figured out not only how to spread mayhem with malware, but also how to make money illegally, too.

Lots of money. Lots and lots and lots of money.


September 21, 2020

A real-life Maze ransomware attack – “If at first you don’t succeed…”

By Paul Ducklin

You’ve probably heard terms like “spray-and-pray” and “fire-and-forget” applied to cybercriminality, especially if your involvement in cybersecurity goes back to the early days of spamming and scamming.

Those phrases recognize that sending unsolicited email is annoyingly cheap and easy for cybercrooks, who generally don’t bother running servers of their own – they often just rent email bandwidth from other crooks.

And those crooks, in turn, don’t bother running servers of their own – they just use bots, or zombie malware, implanted on the computers of unsuspecting users to send email for them.

Six years ago, when home networks were generally a lot slower than they are today, SophosLabs researchers measured a real-life bot sending more than 5 million emails a week from a single consumer ADSL connection, distributing 11 different malware campaigns as well as links to nearly 4000 different fake domains that redirected via 58 different hacked servers to peddle phoney pharmaceutical products. Best, or worst, of all – because outbound emails are mostly uploaded network packets – the bot barely affected the usability of the connection, making it unlikely that the legitimate user of the ADSL account would notice from traffic alone.

The theory was simple: the cost of failure was so low that the crooks could pretty much dial-a-yield by setting their spamming rates as high as needed to suit the campaign they were running.

So the “spray-and-pray” equation was simple: to get 100 people interested with a click-rate of one in a million, the crooks had to send 100 million emails.

And with a zombie network capable of doing more than 5 million emails per computer per week, you could spam out those 100 million emails in the course of a single hour with a 3000-strong botnet.

(Some notorious zombie networks have given their botmasters remote control over hundreds of thousands or millions of devices at the same time.)

What has all this got to do with contemporary targeted ransomware like Maze?


Zerologon – hacking Windows servers with a bunch of zeros

By Paul Ducklin

The big, bad bug of the week is called Zerologon.

As you can probably tell from the name, it involves Windows – everyone else talks about logging in, but on Windows you’ve always very definitely logged on – and it is an authentication bypass, because it lets you get away with using a zero-length password.

You’ll also see it referred to as CVE-2020-1472, and the good news is that it was patched in Microsoft’s August 2020 update.

In other words, if you practice proper patching, you don’t need to panic. (Yes, that’s an undisguised hint: if you haven’t patched your Windows servers yet from back in August 2020, please go and do so now, for everyone’s sake, not just your own.)

Nevertheless, Zerologon is a fascinating story that reminds us all of two very important lessons, namely that:

  1. Cryptography is hard to get right.
  2. Cryptographic blunders can take years to spot.

The gory details of the bug weren’t disclosed by Microsoft back in August 2020, but researchers at Dutch cybersecurity company Secura dug into the affected Windows component, Netlogon, and figured out a bunch of serious cryptographic holes in the unpatched version, and how to exploit them.

In this article, we aren’t going to construct an attack or show you how to create network packets to exploit the flaw, but we are going to look at the cryptographic problems that lay unnoticed in the Microsoft Netlogon Remote Protocol for many years.

After all, those who cannot remember history are condemned to repeat it.


Serious Security: Hacking Windows passwords via your wallpaper

By Paul Ducklin

Our cybersecurity antennae always start vibrating when we see warnings about attacks that involve a new type of file.

We’re sure you have the same sort of reaction.

After all, if a file type that you’ve treated for years as mostly harmless suddenly turns out to be possibly very dangerous, you’re faced with a double dilemma:

  • How long will it take to unlearn an ingrained habit of trusting those files?
  • How long will the crooks take to start abusing this new-found knowledge?

We’re all aware of the risks posed by unknown EXE files, for example, because EXE is the extension for native Windows programs – even the operating system itself is implemented as a collection of EXEs.

Most of us also know to be wary of DLLs, which are actually just a special type of EXE file with a different extension to denote that they’re usually used in combination with other programs, rather than loaded on their own.

We’ve learned to be wary of DOCs and DOCXs and all the other Office filetypes, too, because they can include embedded programs called macros.

We’re also aware of a range of risky script files such as JS (for JavaScript), VBS (Visual Basic Script), PS1 (Powershell) and many others that are plain old text files to the untrained eye, but are treated as a series of system commands when processed by Windows itself.


Fake web alerts – how to spot and stop them

By Sean Gallagher

Internet scammers are always looking for a better way to separate unwitting device users from their money. And as with all other endeavors, they’ve learned that it pays to advertise.

At SophosLabs we recently researched a collection of scams that exploit web advertising networks to pop up fake system alerts on both computers and mobile devices. The goal: to frighten people into paying for a solution—to a problem they don’t even have.

It’s not exactly a new trick. “Scareware” pop-ups have been used for years to prompt people into downloading fake virus protection and other malicious software, including ransomware.

But the latest variations find other ways to cash in on fake alerts: using them as the entry point to technical support scams or prompting their victims to purchase fraudulent apps or “fleeceware” off a mobile app store.

Browser developers have done a lot to limit the damage that can be done by malicious pop-up sites, including recent fixes by Mozilla that attempt to limit the ability of malicious web pages to slow down and lock up the Firefox web browser.

But even if the scammers don’t lock up your web browser, they can make it appear that something has gone terribly wrong—and that you need to do something immediately about it.


September 9, 2020

Phishing tricks – the Top Ten Treacheries of 2020

By Paul Ducklin

Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…

…it’s not the crooks on the other end.

The crooks are testing you all the time, so you might as well test yourself and get one step ahead.

(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)

You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customizable templates of its own that we update regularly.

The idea is to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.


Vishing scams use Amazon and Prime as lures – don’t get caught!

By Paul Ducklin

Well-known US cybercrime journalist Brian Krebs recently published a warning about vishing attacks against business users.

The FBI promptly followed up on Krebs’s article with a warning of its own, dramatically entitled Cyber criminals take advantage of increased telework through vishing campaign.

So, what is vishing?

And how does it differ from phishing, something that most of us see far too much of?

The V in vishing stands for voice, and it’s a way of referring to scams that arrive by telephone in the form of voice calls, rather than as electronic messages.

Of course, many of us use voicemail systems that automatically answer and record messages when we aren’t able or willing to take a call in person, and many modern voicemail systems can be programmed to package up their recordings and deliver them as email attachments or as web links.

So the boundary between voice calls and electronic messages is rather blurred these days.

Nevertheless, many of us still routinely pick up calls in person when we can – especially those of us who run a business, or who have family members we’re supporting through coronavirus lockdown or who aren’t well and might need urgent help.

We know several people who keep a landline especially as a contact point for family and friends.

They give out their landline number sparingly on what you might call a “need-to-know” basis, and use their mobile number – which is comparatively easy to change if needed, and easy to monitor and filter using a suitable app – for day-to-day purposes where giving out a working number can’t easily be avoided.

As you can imagine, however, the crooks only need to uncover your phone number once, perhaps via a data breach, and they can call it forever, especially if it’s a landline that you’re keeping because people who are important to you know it and rely on it.


Phishing scam uses Sharepoint and One Note to go after passwords

By Paul Ducklin

Here’s a phishing email we received recently that ticks all the cybercriminal trick-to-click boxes.

From BEC, through cloud storage, via an innocent-sounding One Note document, and right into harm’s way.

Instead of simply spamming out a clickable link to as many people as possible, the crooks used more labyrinthine techniques, presumably in the hope of avoiding being just one more “unexpected email that goes directly to an unlikely login page” scam.

Ironically, while mainstream websites concentrate on what they call frictionlessness, aiming to get you from A to B as clicklessly as possible, some cybercrooks deliberately add extra complexity into their phishing campaigns.

The idea is to require a few extra steps, taking you on a more roundabout journey before you arrive at a website that demands your password, so that you don’t leap directly and suspiciously from an email link to a login page.

Here’s the phish unraveled so you can see how it works.


September 1, 2020

Russian cybercrime suspect arrested in $1m ransomware conspiracy

By Paul Ducklin

Here’s a cybercrime conspiracy story with a difference.

When we write about network-wide ransomware attacks where a whole company is blackmailed in one go, two burning questions immediately come up:

  • How much money did the crooks demand?
  • Did the victim pay up?

The answers vary, but as you have probably read here on Naked Security, modern ransomware criminals often use a two-pronged extortion technique in an attempt to maximise their asking price.

First, the crooks steal a trove of company files that they threaten to make public or to sell on to other crooks; then they scramble the data files on all the company’s computers in order to bring business to a halt.

Pay up the blackmail money, say the crooks, and they will not only “guarantee” that the stolen data will never be passed on to anyone else, but also provide a decryption program to reconstitute all the scrambled files so that business operations can resume.

Recent reports include an attack on fitness tracking company Garmin, which was allegedly blackmailed for $10m and did pay up, though apparently after wangling the amount down into the “multi-million” range; and on business travel company CWT, which faced a similar seven-figure demand and ended up handing over $4.5m to the criminals to get its business back on the rails.

In contrast, legal firm Grubman Shire Meiselas & Sacks faced a whopping $42m ransomware extortion demand but faced it down, likening the crooks to terrorists and refusing to pay a penny.

More recently, US liquor giant Brown-Forman took a similar stance, refusing to deal with criminals after its network was infiltrated.


Fake Android notifications – first Google, then Microsoft affected

By Paul Ducklin

If you’re a Google Android user, you may have been pestered over the past week by popup notifications that you didn’t expect and certainly didn’t want.

The first mainstream victim seems to have been Google’s own Hangouts app.

Users all over the world, and therefore at all times of day (many users complained of being woken up unnecessarily), received spammy looking messages.

The messages didn’t contain any suggested links or demand any action from the recipient, so there was no obvious cybercriminal intent.

Indeed, the messages looked like some sort of test – but by whom, and for what purpose?

The four exclamation points suggested someone of a hackerish persuasion – perhaps some sort of overcooked “proof of concept” (PoC) aimed at making a point, sent out by someone who lacked the social grace or the legalistic sensitivity of knowing when to stop.


“Chrome considered harmful” – the Law of Unintended Consequences

By Paul Ducklin

An excellent article appeared last week on the APNIC blog.

Researched and written by Matthew Thomas of Verisign, the article is entitled Chromium’s impact on root DNS traffic, and it has raised some important issues amongst the Chromium browser development community relating to a feature in the browser code that’s known as the Intranet Redirect Detector.

To explain.

APNIC is the Asia Pacific Network Information Centre, headquartered in Brisbane, Australia, one of five internet number registries around the world.

These Regional Internet Registries (RIRs) look after global IP number allocations, maintain definitive internet domain name databases for their regions, and generally concern themselves with the health of the global internet.

As you can imagine, anything that upsets the balance of the internet – from spamming and cybercrime to misconfigured servers and badly-behaved network software – is of great concern to the RIRs.

The root DNS servers form the heart of the global Domain Name System, which automatically converts human-friendly server names such as into network numbers that computers can use to send and receive traffic, such as (that was our IP number when I looked it up today, as shown below).

As you can imagine, any unnecessary load on the root DNS servers could slow down internet access for all of us, by stretching out the time taken to convert names to numbers, something that our browsers need to do all the time as we click from link to link online.

Chromium, as you almost certainly know, is a Google open-source project that produces the software at the core of many contemporary browsers, notably Google’s own Chrome Browser, which accounts for the majority of web traffic these days on laptops and mobile phones alike.

Chromium is also used in many other browsers, including Vivaldi, Brave and – recently, at least – Microsoft Edge. (Of today’s mainstream browsers, only Safari and Firefox aren’t based on a Chromium core.)


August 19, 2020

US liquor giant hit by ransomware – what the rest of us can do to help

By Paul Ducklin

US hard liquor giant Brown-Forman is the latest high-profile victim of ransomware criminals.

Even if the company’s name doesn’t ring a bell, some of its products are well-known to spirits drinkers world-wide: Brown-Forman is a multi-billion dollar business that owns Jack Daniel’s whiskey, Finlandia vodka and other global brands.

It’s a multi-billion dollar business, headquartered in Louisville, Kentucky – a US state that’s famous for American whiskey, better known as bourbon – and you can see why today’s big-money ransomware crooks might go after a company of that size and sort.

According to business media site Bloomberg, which claims to have received an anonymous tip-off from the crooks behind the attacks, the ransomware crooks involved are the infamous REvil or Sodinokibi gang.


Tor and anonymous browsing – just how safe is it?

By Paul Ducklin

An article published on the open-to-all-comers blogging site Medium earlier this week has made for some scary headlines.

Written as an independent research piece by an author going only by nusenu, the story is headlined:

How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

[More than] 23% of the Tor network’s exit capacity has been attacking Tor users

Loosely speaking, that strapline implies that if you visit a website using Tor, typically in the hope of remaining anonymous and keeping away from unwanted surveillance, censorship or even just plain old web tracking for marketing purposes…

…then one in four of those visits (perhaps more!) will be subject to the purposeful scrutiny of cybercriminals.

That sounds more than just worrying – it makes it sound as though using Tor could be making you even less secure than you already are, and therefore that going back to a regular browser for everything might be an important step.

So let’s look quickly at how Tor works, how crooks (and countries with strict rules about censorship and surveillance) might abuse it, and just how scary the abovementioned headline really is.


Facial recognition – another setback for law enforcement

By Paul Ducklin

So far this year, the use of facial recognition by law enforcement has been successfully challenged by courts and legislatures on both sides of the Atlantic.

In the US, for example, Washington State Senate Bill 6280 appeared in January 2020, and proposed curbing the use of facial recognition in the state, though not entirely.

The bill admitted that:

[S]tate and local government agencies may use facial recognition services in a variety of beneficial ways, such as locating missing or incapacitated persons, identifying victims of crime, and keeping the public safe.

But it also insisted that:

Unconstrained use of facial recognition services by state and local government agencies poses broad social ramifications that should be considered and addressed. Accordingly, legislation is required to establish safeguards that will allow state and local government agencies to use facial recognition services in a manner that benefits society while prohibiting uses that threaten our democratic freedoms and put our civil liberties at risk.

And in June 2020, Boston followed San Francisco to become the second-largest metropolis in the US – indeed, in the world – to prohibit the use of facial recognition.

Even Boston’s Police Department Commissioner, William Gross, was against it, despite its obvious benefits for finding wanted persons or fugitive convicts who might otherwise easily hide in plain sight.

Gross, it seems, just doesn’t think it’s accurate enough to be useful, and was additionally concerned that facial recognition software, loosely put, may work less accurately as your skin tone gets darker:

Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.


Business Email Compromise – fighting back with machine learning

By Paul Ducklin

If you’re interested in artificial intelligence (AI) and how it can be used in cybersecurity…

…here’s a DEF CON presentation you’ll like, coming up this weekend!

DEF CON is perhaps the ultimate “come one/come all” hackers’ convention, now in its 28th year, and it famously takes place in Las Vegas each year in a fascinating juxtaposition with Black Hat USA, a corporate cybersecurity event.

Black Hat, where tickets cost thousands of dollars, runs during the week, and then DEF CON, where tickets are just a few hundred dollars, takes over for the weekend that follows, resulting in what can only be described as a Very Massive Week for those who attend both.

At least, that’s how it was last year, and for many years before that.

This year is different, of course – holding a physical conference and running all the many DEF CON Villages would have been impracticable due to coronavirus social distancing regulations, if it would even have been possible at all. (Though you would surely have seen the funkiest facemasks ever!)

The DEF CON Villages are breakout zones at the event where likeminded researchers gather to attend talks and discussions in research fields all the way from Aerospace, Application Security and AI to Social Engineering, Voting Machines and Wireless.

But DEF CON doesn’t give up easily and, like many other events in 2020, has gone virtual, wittily dubbing this year’s event DEF CON 28 SAFE MODE.


Porn blast disrupts bail hearing of alleged Twitter hacker

By Paul Ducklin

One of the alleged Twitter hackers faced a bail hearing in a Florida court yesterday.

ICYMI, the Twitter hack we’re referring to involved the takeover of 45 prominent Twitter accounts, including those of Joe Biden, Elon Musk, Apple, Barack Obama, Kim Kardashian and a laundry list of others with huge numbers of followers.

The hacked accounts were then used to send out bogus Bitcoin investment messages along the lines of “pay in X bitcoins, get 2X back!”, although as an investigator in the criminal case wryly pointed out in his affidavit, “No bitcoin was ever returned, much less doubled.”

Amongst other things, the alleged crooks are said to have ended up with more than $100,000 of bitcoins sent in by trusting Twitter users who’d been duped by the upbeat messages that apparently came from celebrities.

As you can imagine, given current coronavirus concerns, even though the hearing took place before the court, not all the participants were actually in the courtroom.

Instead, the courtroom was hooked up to a Zoom meeting that was, it seems, not adequately secured against – how shall we put this? – external interference…

…with sadly predictable results.

Zoombombers, as they’ve become known, are miscreants who join Zoom calls not to participate but to disrupt, something that’s all too easy if the call is set up with the same sort of implicit behavioral trust that everyone expects in face-to-face meetings, rather than with a meeting passcode, a waiting room and screen sharing restricted to the host.


July 8, 2020 »

Mozilla turns off “Firefox Send” following malware abuse reports

By Paul Ducklin

What do you do when you need to send a file to someone you don’t interact with a lot?

Many of us use email attachments for small files, because it’s quick and easy to share modest amounts of data that way.

Sure, the attachment will probably lie around in the recipient’s mailbox for days, or months, or even years, which might not be quite what you had in mind…

…but when you send someone else a file, you can’t control what they do with it anyway, or how long they keep it, or how widely visible it is on their corporate network after they save it.

Nevertheless, most email is encrypted in transit these days (the servers that relay it talk TLS to each other), which at least means that files sent by email are unlikely to be sniffed off the wire at your ISP or anywhere else along the way. Note that this is not end-to-end encryption: each mail server that handles the message can still read it, and may keep a copy, unless you encrypt the attachment yourself before sending it, for example with PGP or S/MIME.

But email is no good for large files such as audio data or videos, because most email servers quite reasonably have a low limit on message sizes to stop the system getting clogged up by attachments.

So the usual fallback for sending files that you can’t or don’t want to transmit via email is to use a file sharing service instead, which is rather like using webmail, only without the messaging part.

You upload the file to a file sharing site, optionally setting various options that describe which other users can see it, and for how long, and then send the recipient an email that contains a download link where they can fetch the file at their leisure.
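As an added example (not Firefox Send’s code, nor anything from the article), here is how a sharing service can hand out a download link that only works for a fixed time: the link carries the file identifier, an expiry timestamp and an HMAC over both, so a recipient can fetch the file at their leisure until the deadline, but nobody can extend the deadline or swap in another file identifier without the server’s key. The service name share.example, the parameter names and the key handling are assumptions for the demo.

```python
# Added example (not Firefox Send's code): minting and checking an expiring download link.
# Hypothetical service, parameter names and key handling are assumptions for the demo.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_KEY = secrets.token_bytes(32)        # in practice loaded from a secrets store; never in the URL
BASE_URL = "https://share.example/download"  # hypothetical sharing service


def _signature(file_id, expires_at, key):
    """HMAC-SHA256 over the file id and expiry, URL-safe base64 without padding."""
    message = f"{file_id}|{expires_at}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def mint_link(file_id, ttl_seconds, key=SERVER_KEY, now=None):
    """Build a link that is valid for ttl_seconds from now (now is injectable for tests)."""
    expires_at = int(time.time() if now is None else now) + ttl_seconds
    query = urlencode({
        "id": file_id,
        "exp": expires_at,
        "sig": _signature(file_id, expires_at, key),
    })
    return f"{BASE_URL}?{query}"


def check_link(url, key=SERVER_KEY, now=None):
    """Return the file id if the link is authentic and unexpired, otherwise None."""
    params = parse_qs(urlparse(url).query)
    try:
        file_id = params["id"][0]
        expires_at = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None                        # malformed or incomplete link
    # Constant-time comparison so the check leaks nothing about how many bytes matched.
    if not hmac.compare_digest(sig, _signature(file_id, expires_at, key)):
        return None                        # tampered id, tampered expiry, or wrong key
    current = time.time() if now is None else now
    if current >= expires_at:
        return None                        # link has expired
    return file_id


if __name__ == "__main__":
    link = mint_link("f-9a2c", ttl_seconds=600)
    print(link)
    print("valid now:", check_link(link))
    print("valid in a day:", check_link(link, now=time.time() + 86400))
```

The token is stateless, which keeps the download path cheap, but it also means a link cannot be withdrawn early or limited to a number of downloads without some server-side state (a revocation list or a per-file counter) that check_link consults as well.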


Kinda sorta weakened version of EARN IT Act creeps closer

By Lisa Vaas

There are gut-churning tales of online child sexual abuse material (CSAM).

Last week, when a bill designed to strip legal protection from online abusers sailed through the Senate Judiciary Committee, UC/Berkeley Professor Hany Farid passed on this example from investigators at the Department of Justice’s Child Exploitation and Obscenity Section: a man had “expressed excitement for his soon-to-arrive ‘new material,’ sharing an in-utero picture of his unborn child with an online network of abusers.”

Now that the EARN IT Act has crept closer to a full Senate hearing, we’re that much closer to finding out whether the bill can really help stem the flood of online CSAM, whether it’s a barely veiled attack on online privacy and end-to-end encryption, or all of the above.

During Thursday’s hearing on the bill, which they’d amended the day before, the proposed law’s co-sponsors stressed that it’s not a wooden stake to stick in encryption’s heart. Senator Richard Blumenthal claimed that the bill “is not about encryption and it never will be.” The other co-sponsor, Senator Lindsey Graham, said that his goal “is not to outlaw encryption”. Well, at least not at this point, maybe: he called that “a debate for another day.”

The critics of the proposed law aren’t swallowing it.

The day before the hearing, the co-sponsors amended the act to make it appear, at least, to be more of a nudge than a cudgel. As explained by the Electronic Frontier Foundation (EFF) – a staunch critic of the bill – the new version now gives state legislatures the power to regulate the internet in the quest to battle CSAM, as opposed to a 19-person federal commission.

Nonetheless, it still threatens encryption, its critics say, albeit less blatantly.

In its first iteration, the EARN IT Act proposed a commission to come up with best practices to battle CSAM. That commission would have been controlled by Attorney General William Barr. Given how often Barr has said that he thinks that encrypted services should be compelled to create backdoors for police, it was easy to see the legislation as an embodiment of a threat from Graham and other senators to regulate encryption in lieu of tech companies willingly creating those backdoors.


July 7, 2020 »

Flashy Nigerian Instagram star extradited to US to face BEC charges

By Lisa Vaas

The US has dragged a fancy-pants, Instagram-star, high-fashion-flaunting, alleged Nigerian scammer out of the United Arab Emirates (UAE) and into Chicago to face charges that he helped launder beaucoup bucks gouged out of businesses in business email compromise (BEC) scams.

His name is Ramon Olorunwa Abbas, aged 37, also known as “Ray Hushpuppi” and “Hush.” Abbas, a Nigerian national, arrived in Chicago Thursday evening after being extradited from the UAE. He made an initial court appearance in Chicago on Friday, but his case is expected to be transferred to Los Angeles in coming weeks.

As of Monday, you could still check out his public, uber-blingy Instagram account, where Abbas has 2.4 million followers. It lists him as a real estate developer. The photos show him slouching on pricey couches in luxury hotels, riding in charter jets, wearing fancy sneakers and designer clothes, sporting expensive watches, posing in or with Richie Rich cars – think Bentleys, Ferraris, Mercedes and Rolls Royces – and lavishing pictorial love on Dior this and Gucci that.

So much Gucci. In fact, Abbas’s Instagram account listed his Snapchat contact name as “The Billionaire Gucci Master!!!”


Company web names hijacked via outdated cloud DNS records

By Paul Ducklin

US security researcher Zach Edwards recently tweeted about finding 250 company website names that had been taken over by cybercriminals.

He didn’t name the brands, but insists that the organizations affected include banks, healthcare companies, restaurant chains, civil rights groups and more:

I reported ~250 enterprise subdomains I've found compromised over the last ~7 days // some of these orgs are MASSIVE (banks, tons of healthcare orgs, critical infrastructure, huge restaurant chains, power companies, insurance, civil rights groups). This story needs to be written.

— Zach Edwards (@thezedwards) July 3, 2020

The issue here is that the websites themselves haven’t been hacked, but their DNS entries have.

These attacks, known as DNS hijacks, happen when crooks don’t actually break into and take over a site itself, but instead simply change the “internet signposts” that point to it.

As you probably know, DNS, short for domain name system, is the distributed, global name-to-number database that automatically turns human-friendly server names such as nakedsecurity DOT sophos DOT com into computer-friendly IP numbers that are needed to send and receive network packets on the internet.
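The headline’s “outdated cloud DNS records” is the usual way a signpost like this gets hijacked without anyone touching the company’s servers: a CNAME is left pointing at a cloud-hosted name that the company has since torn down, and whoever registers that name at the provider inherits the company’s subdomain. The following is an added example, not code from the article or from the researcher, showing the check a defender would run over their own zone; the zone, the resolver answers and the provider suffix list are all constructed for the demo, so it runs offline.

```python
# Added example (not from the article): flagging "dangling" DNS records, i.e. CNAMEs whose
# target no longer resolves and so can be claimed by someone else at the hosting provider.
# Zone data, resolver answers and the provider suffix list are constructed for the demo.
from dataclasses import dataclass

# Constructed zone for a hypothetical company (example.com is reserved for documentation).
ZONE = {
    "www.example.com":       ("A",     "198.51.100.10"),
    "shop.example.com":      ("CNAME", "shop-prod.cloudhost.example"),
    "old-promo.example.com": ("CNAME", "promo2017.cloudhost.example"),
    "mail.example.com":      ("MX",    "mx1.example.com"),
    "beta.example.com":      ("CNAME", "beta.pages.example"),
}

# Constructed stand-in for today's recursive-resolver answers. A target missing from this
# table gets no answer (NXDOMAIN): the cloud resource was deleted but the CNAME stayed behind.
RESOLVER = {
    "shop-prod.cloudhost.example": "203.0.113.5",
}

# Hypothetical providers where any customer can register an unused hostname for themselves.
CLAIMABLE_SUFFIXES = (".cloudhost.example",)


@dataclass
class Finding:
    name: str        # the company's own name that is exposed
    target: str      # the CNAME target that no longer resolves
    claimable: bool  # True if the target sits under a self-service provider


def resolve(name, table=RESOLVER):
    """Return the address for name, or None for NXDOMAIN (constructed lookup)."""
    return table.get(name)


def find_dangling(zone=ZONE, table=RESOLVER):
    """Return every CNAME in zone whose target does not resolve, worst cases first."""
    findings = []
    for name, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue                  # only aliases can dangle in this way
        if resolve(target, table) is not None:
            continue                  # target still exists: nothing to report
        claimable = target.endswith(CLAIMABLE_SUFFIXES)
        findings.append(Finding(name, target, claimable))
    # A dangling alias at a self-service provider is a takeover waiting to happen,
    # so report those ahead of targets that merely fail to resolve.
    findings.sort(key=lambda f: not f.claimable)
    return findings


if __name__ == "__main__":
    for f in find_dangling():
        label = "TAKEOVER RISK" if f.claimable else "stale record "
        print(f"{label} {f.name} -> {f.target}")
```

Against a real zone you would replace the RESOLVER table with actual lookups (for example via dnspython) and treat NXDOMAIN on the target as the signal; the fix in every case is the same, delete the record or point it at something you still control, and the check is worth running on a schedule because resources get decommissioned far more often than their DNS records get cleaned up.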

