Repairs & Upgrades

March 20, 2018

Modified BlackBerry phones sold to drug dealers, five indicted

By Lisa Vaas

A cocaine bust in Southern California has led to the indictment of five execs at “uncrackable” phone seller Phantom Secure. The investigation involved a suspect who allegedly used the devices to coordinate shipments of thousands of kilos of cocaine and other drugs.

As of this morning, Phantom Secure’s site was still up, advertising BlackBerry and other mobile devices with encrypted email and chat that make them impervious to decryption, wiretapping or legal third-party records requests.

But while Phantom Secure’s site was still up, the secure-phone company has been hollowed out.

The US Department of Justice (DOJ) indicted five of the company’s execs on Thursday, including Phantom Secure CEO Vincent Ramos. He’s the only one in custody. The remaining four execs are fugitives.

Authorities also seized Phantom Secure’s property, including more than 150 domains and licenses allegedly used by transnational criminal organizations to send and receive encrypted messages. They also seized bank accounts and property in Los Angeles, California and Las Vegas, Nevada.

According to the FBI’s criminal complaint, a Phantom Secure device whose hardware and software had been modified – including the technology that enables voice communication, microphone, GPS navigation, camera, internet access and Messenger service – cost between $2,000 and $3,000 for a six-month subscription.

You couldn’t become a client until a current subscriber vouched for you – a strategy likely meant to keep the company from being infiltrated by law enforcement agents, the FBI says. That strategy ultimately failed: investigators managed to infiltrate the company and eavesdrop on alleged conversations between drug dealers and Ramos. The bust involved agents around the world, including in the US, Canada (where Phantom Secure is based), Australia, Panama, Hong Kong and Thailand.

Ramos was arrested in Seattle on 7 March and has been charged with allegedly helping illegal organizations, including the Sinaloa drug cartel. He and his four fugitive colleagues have been charged with participating in and aiding and abetting a racketeering enterprise and conspiring to import and distribute controlled substances around the world.

Vice reports that the allegations include members of the notorious Sinaloa drug cartel having used Phantom’s devices, and that the “upper echelon members” of transnational criminal groups have bought Phantom phones.


Russia accused of burrowing into US energy networks

By John E Dunn

Russia has been accused of so many things recently, it’s easy to lose track.

This week the Department of Homeland Security (DHS) added cyber-intrusion and surveillance of the US critical infrastructure sector to the growing list of accusations – in a move that might have been missed by commentators had it not come packaged with sanctions connected to alleged interference in elections.

Posted as an alert on US-CERT, this one matters. Anxiety about the probing of the energy grid goes back years but this is the first time the US has formally accused another country, Russia, of being behind such incidents.

Until now, the public alerts have been coy about attribution. Not this time:

Since at least March 2016, Russian government cyber actors targeted government entities and multiple US critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

Although it didn’t appear that any disruption had taken place this time, the incident pointed to menacing intent:

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.

Coming only weeks after the US and its Five-Eyes allies joined forces to condemn Russia for last year’s global NotPetya malware attack, the report looks like another signal of a changed strategy.

Only days before, the UK Defense Secretary Gavin Williamson warned that Russia’s attitude to the UK might include wanting to:

Damage its economy, rip its infrastructure apart, actually cause thousands and thousands and thousands of deaths.

Attack reports traditionally include technical detail but without naming names. Now, it’s as if the US and UK have decided to play Russia at its own game of information war, exposing them in as much detail as possible.


Facebook loses control of 50 million users’ data, suspends analytics firm

By Lisa Vaas

Cambridge Analytica – the data-crunching firm with tools so muscular that founder Christopher Wylie has described it as “Steve Bannon’s psychological warfare mindf**k tool” – has been collecting Facebook user data without permission through “a scam and a fraud,” Facebook said on Friday.

That statement to the New York Times came from Paul Grewal, a Facebook vice president and deputy general counsel. It preceded a day of chaos inspired by big data use and abuse that has raged all weekend and promises to keep playing out as lawmakers pledge to launch investigations.

On Friday, after a week of questions from investigative reporters, Facebook suspended Cambridge Analytica and parent company Strategic Communication Laboratories (SCL) from its platform. The suspensions came late in the game, news outlets are charging, given that Facebook has known about this for three years. Facebook, for its part, claims that the parties involved lied about having deleted harvested data years ago. At least one of the parties involved has shown evidence that points to Facebook having done very little to make sure the data was deleted.

The banishment was unveiled a day before the publishing of two investigatory reports – one from the New York Times, another from The Observer. The reports both detailed how Cambridge used personal information taken without authorization from more than 50 million Facebook users in early 2014 to build a system that could profile individual US voters in order to target them with personalized political ads.

Cambridge is owned by conservative Republican hedge fund billionaire Robert Mercer. It’s a voter-profiling company that was used by conservative investors during both the Trump and Brexit campaigns.

The NYT/Observer reports relied on interviews with six former employees and contractors plus a review of the firm’s emails and documents. One such source was whistleblower Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data. The Observer quoted Wylie:

We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.

Cambridge did so, the newspapers reported, because it had a $15 million investment from Mercer burning a hole in its pocket. Cambridge wanted to woo Steve Bannon with a tool to identify American voters’ personalities and to influence behavior, but it first needed data to flesh out that tool. So it took Facebook users’ data without their permission, according to the newspapers.


March 19, 2018

Scarlett Johansson’s face lands starring role in database hack

By Mark Stockley

An actor’s face is an instrument of depth and expression – a shifting facade that stands guardian to a well of unseen emotions, empathy and, just occasionally, a great lump of malicious binary code.

The code in today’s story is, no surprises, a cryptominer for grinding out Monero cryptocoins, and the face on the photo into which it was inveigled belongs to none other than Hollywood star Scarlett Johansson.

Ms. Johansson’s picture, and the miner therein, appeared at the denouement of a hacking performance played out for the viewing pleasure of security company Imperva, as part of its StickyDB honeypot project.

Let us begin.

Act one

A honeypot is a computer, in our story a database server, deliberately configured to attract the attention of hackers.

To hackers a honeypot looks like a valuable, easily exploited target but it’s actually a stage on which they’re putting on a show, unwittingly, for an audience of boffins eager to see them at work.

Imperva set up a range of database honeypots to learn about:

common database attacks, tools and techniques employed by attackers, how they gain access, what their actions are once inside, what their end goal is and more.

To entice the hackers, the company connected their database honeypots to the internet, left them with weak default credentials and hooked them up to vulnerable web applications. Such a feeble configuration doesn’t ring any alarm bells with the hackers because, sadly, it’s not uncommon – in fact it’s exactly what they’re looking for.

And looking for it is easy because, being connected to the internet, the databases could be found using network scanning tools or Shodan, the search engine for internet-connected stuff.


The Chrome extension that knows it’s you by the way you type

By John E Dunn

Using multi-factor authentication (MFA) is more secure than relying on passwords alone – but could it be made even better?

There is no shortage of ideas, one of which is keyboard dynamics (or biometrics), based on the long-understood observation that each person’s typing style is unique to them.

Recently, a Romanian startup called TypingDNA has turned the concept into a free Chrome extension that can be used to add an extra layer of authentication to a wide range of websites by utilizing this principle.

According to the company, typing patterns allow its machine-learning algorithm to generate a 320-feature vector based on measuring the time it takes someone to move between 44 commonly-used characters, combined with the length of time each key is held down.

So, it’s not what you type that counts but how you type it.

Once enrolled, the way a person types their username and password when logging in to a site is compared to previous recordings made by the user.

If the patterns match, TypingDNA’s servers return an encryption key that is used to unlock local keys held for each service the extension is being used with, allowing the user to proceed to conventional multi-factor authentication.

This stage generates a standard one-time authentication code inside the browser, taking over that task from smartphone apps such as Google Authenticator.
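As an added example (not TypingDNA’s code, and not how its extension or servers actually work), here is a Python sketch of the keystroke-dynamics idea the article describes: the time each key is held down (dwell) and the time between releasing one key and pressing the next (flight) become the feature vector, enrollment turns several recordings into a per-feature mean and spread, and a later login attempt is scored by how far it sits from that profile. It generalizes from the article’s fixed 44-character set to whatever keys and key pairs appear in the typed text. The password text, the timings, the 5 ms floor on the spread and the acceptance threshold are all constructed for the example.

```python
from statistics import mean, pstdev

# A keystroke sample is a list of (key, keydown_ms, keyup_ms) in typing order.


def extract_features(events):
    """Map a sample to {feature_name: mean_ms}.

    dwell:<key>     how long the key was held (keyup - keydown)
    flight:<a><b>   gap between releasing <a> and pressing <b> (may be negative
                    when a fast typist overlaps keys, which is itself a signal)
    """
    raw = {}
    for i, (key, down, up) in enumerate(events):
        raw.setdefault(f"dwell:{key}", []).append(up - down)
        if i > 0:
            prev_key, _, prev_up = events[i - 1]
            raw.setdefault(f"flight:{prev_key}{key}", []).append(down - prev_up)
    return {name: mean(values) for name, values in raw.items()}


def enroll(samples, min_spread_ms=5.0):
    """Build a profile {feature: (mean, spread)} from several enrollment samples.

    The spread is floored (assumption: 5 ms) so that one feature the user
    happened to type identically three times cannot dominate the score.
    """
    per_feature = {}
    for sample in samples:
        for name, value in extract_features(sample).items():
            per_feature.setdefault(name, []).append(value)
    return {
        name: (mean(values), max(pstdev(values), min_spread_ms))
        for name, values in per_feature.items()
    }


def score(profile, attempt):
    """Mean absolute z-score over the features the attempt shares with the profile.

    Lower means closer to the enrolled typist. Features missing from the
    attempt (different text typed) are skipped here; a production system
    would instead refuse to score on too little overlap.
    """
    feats = extract_features(attempt)
    zs = [abs(feats[name] - mu) / sd for name, (mu, sd) in profile.items() if name in feats]
    return mean(zs) if zs else float("inf")


def verify(profile, attempt, threshold=1.5):
    """Accept the attempt when its distance from the profile is under the threshold (assumed value)."""
    return score(profile, attempt) <= threshold


def make_sample(text, dwell_ms, flight_ms):
    """Constructed keystroke events: each key held dwell_ms (+0..2 ms of deterministic
    variation by position) with flight_ms between keys. Real data would come from
    keydown/keyup timestamps captured in the browser."""
    events, t = [], 0
    for i, ch in enumerate(text):
        held = dwell_ms + (i % 3)
        events.append((ch, t, t + held))
        t += held + flight_ms
    return events


# Constructed enrollment: the same user typing the same password three times.
ENROLLMENT = [
    make_sample("pa55w0rd", 90, 120),
    make_sample("pa55w0rd", 95, 130),
    make_sample("pa55w0rd", 100, 125),
]
PROFILE = enroll(ENROLLMENT)

if __name__ == "__main__":
    genuine = make_sample("pa55w0rd", 97, 128)    # same rhythm, slightly different day
    impostor = make_sample("pa55w0rd", 60, 250)   # correct password, wrong rhythm
    print("genuine :", round(score(PROFILE, genuine), 2), verify(PROFILE, genuine))
    print("impostor:", round(score(PROFILE, impostor), 2), verify(PROFILE, impostor))
```

Note what the last two lines show: the impostor types the correct password and is still rejected, because only the timing is being judged. That is the “not what you type but how you type it” point, and also its limitation: a legitimate user typing on an unfamiliar keyboard or with an injured hand will drift away from their own profile, so a real deployment needs a fallback factor rather than a hard lockout.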


YouTuber jailed after shooting boyfriend dead in failed prank

By Lisa Vaas

The prank, destined to be filmed for YouTube: stand one foot away from your boyfriend and, at his insistence, shoot a .50 caliber bullet through an encyclopedia he was holding in front of his chest to see if it would pass through.

It did. He’s dead.

The prankster who talked his girlfriend into the stunt was Pedro Ruiz III, 22. His girlfriend and the mother of his two children, Monalisa Perez, now 20, pleaded guilty in December to second-degree manslaughter in his death.

On Wednesday, Minnesota Judge Jeffrey Remick set out the terms agreed under plea bargaining: Perez will serve a 180-day jail term, alternating between 10 days in jail and 10 days out for the first six months, for a total of 90 days behind bars. Perez will serve her six-month term 30 days per year for the next three years and then become eligible to serve the balance out of prison, on electronic home monitoring, as long as she abides by the terms of her 10-year supervised probation.

Perez is also banned for life from owning firearms and is forbidden from making money off the case.


Facebook: we won’t share data with WhatsApp (yet)

By Lisa Vaas

WhatsApp can’t share user data with parent Facebook without breaking the upcoming General Data Protection Regulation (GDPR), so it won’t.

It’s signed a public commitment not to share personal data with Facebook until data protection concerns are addressed.

No harm, no foul, no fine, the Information Commissioner’s Office (ICO) said on Wednesday as it wrapped up an investigation into whether WhatsApp could legally share users’ data with Facebook as it wanted.

In August 2016, WhatsApp announced that it was going to start sharing users’ phone numbers and other personal information with Facebook, in spite of years of promises that it would never, ever do such a thing.

The move was for ad targeting, of course, and to give businesses a way to communicate with users about other things, like letting your bank inform you about a potentially fraudulent transaction or getting a heads-up from an airline about a delayed flight. The reasons fell into three buckets: targeted advertising, security, and evaluation and improvement of services (“business intelligence”).

For a window of 30 days, WhatsApp offered users the option of opting out of data sharing for the purposes of advertising, but no way to entirely opt out of the new data sharing scheme.

The move outraged privacy advocates. After all, at the time of its $19 billion acquisition by Facebook in 2014, WhatsApp had promised never to share data.

That promise goes back further still. In November 2009, WhatsApp founder Jan Koum posted this to the company’s blog:

So first of all, let’s set the record straight. We have not, we do not and we will not ever sell your personal information to anyone. Period. End of story. Hopefully this clears things up.

Clear as mud. In December, France told WhatsApp and Facebook to knock off the data sharing. France’s ultra-vigilant privacy watchdog, the Chair of the National Data Protection Commission (CNIL), gave WhatsApp and Facebook a month to comply with an order to stop sharing data. In its public notice, it said that the messaging app will face sanctions for sharing user phone numbers and usage data for “business intelligence” purposes if it didn’t comply.


YouTube conspiracy videos to get links to Wikipedia and other sources

By Lisa Vaas

Were the US moon landings faked? Did director Stanley Kubrick rig the astronauts up with theatrical wires in a movie studio and bounce them up and down to simulate low gravity?

We’re not going there. We’re not going to the moon, and we’re not going to try to talk anybody out of their belief that visual flashes in videos betray the wires. But YouTube is – at least, it’s getting ready to put a bit more context around such content.

Reuters reported on Tuesday that YouTube – a unit of Google’s Alphabet – is planning to slap excerpts from Wikipedia and other websites onto pages containing videos about hoaxes and conspiracy theories, such as the ones relating to moon landings.

YouTube CEO Susan Wojcicki delivered the news at the South by Southwest Conference (SXSW) in Austin, Texas, on Tuesday. She displayed a mock-up of the new feature, which will be called information cues.

Wojcicki said that the videos slated to get this treatment won’t go away. They’ll just be accompanied by additional sources:

People can still watch the videos but then they actually have access to additional information, can click off and go and see that.

The information cues won’t appear on all controversial videos. Engadget reports that at least at first, the cues – including a text box linking to a third-party source such as Wikipedia – will only appear around videos regarding conspiracies that have “significant debate.”

Here’s a statement sent out by a YouTube spokesperson:

We’re always exploring new ways to battle misinformation on YouTube. At SXSW, we announced plans to show additional information cues, including a text box linking to third-party sources around widely accepted events, like the moon landing. These features will be rolling out in the coming months, but beyond that we don’t have any additional information to share at this time.

This is only one approach out of many that major content platforms such as Google and Facebook have presented, all in response to lawmakers and media advocacy groups asking for their help to battle hoaxes and fake news.


March 14, 2018

Critical Flash update. Patch now!

By Mark Stockley

What’s that you say? A critical vulnerability in Flash?

Why yes.

In news that will surprise nobody, all versions of Flash prior to are harbouring a critical vulnerability that crooks could use to sneak malware on to your computer. Adobe lists this as a priority 2 update, meaning that it hasn’t seen any attacks against this vulnerability in the wild.

Don’t let that assessment, or Flash vulnerability fatigue, be an excuse not to act – it’s not safe to use version of Flash so update it now or, better yet, ditch it entirely.

To understand why urgency is important you need to understand how Flash vulnerabilities can be used against you.

Adobe warns that successful exploitation of the vulnerability could lead to “arbitrary code execution in the context of the current user”. Remote Code Execution (RCE) flaws like this allow hackers to force your computer into running malware.

In the case of a Flash vulnerability like this one, all you have to do is look at the wrong booby-trapped website. Looking at the site is as good as actually downloading a virus and double clicking on it to run it, as far as your computer is concerned.

And we aren’t talking about a danger posed by one or two sites. Cybercriminals are in the business of compromising as many websites as they can.

It’s a numbers game. The danger to you isn’t that you’ll be targeted specifically (unless you’re a high value target), it’s that you’ll be caught in a cybercriminal’s drift net.


Don’t fall for Fortnite invite scams!

By Lisa Vaas


Don’t click that link. Don’t fork over Amazon gift cards. Don’t send $5 or $1 or anything at all to anybody’s PayPal account. Don’t jump on any offer for a free invite to Fortnite mobile from somebody who says they’ve got invites to spare.

They’re all lying.

On Monday, there was a confusing storm of fake offers to get in on the release of the hot, hot, hot mobile game. There was confusion about what was official and what was smoke, and there wasn’t much communication from game maker Epic Games to clarify the mess, with the exception of a comment by a mod on the official Fortnite subreddit that stated that they were accepting signups only and that the servers weren’t even live yet.

Now, there is official word on the mess, and the word is that all these invite offers are from windbag fraudsters looking for profit or for a pumped-up Twitter following/likes/retweets/comments. On Tuesday morning, Fortnite said that it hadn’t yet sent out any invites, and it warned gamers against clicking on anything but official links.


Flippy the burger-flipping robot too good, fired after one day

By Lisa Vaas

Meet Flippy: the burger-turning robot designed to take a job away from expensive, healthcare-dependent, unionizing-inclined, burger-flipping humans!

Oh boy, said the California-based burger chain CaliBurger: #FlippyIsHere!

…and then, within the span of a day, presto blinko automatic-fire-o! #FlippyWasCanned.

It wasn’t that Flippy was bad at flipping. The spatula-wielding robot, which relies on image-recognition and heat-sensing technology, can flip up to 2,000 burgers a day. It’s just that it was too fast, and its human co-workers were too slow.

As of last week, the chain had plans to install Flippy units in 50 locations. The Flippy units, sold by Miso Robotics and specifically designed for CaliBurger restaurants, cost around $60,000 each and another $12,000 a year to run. The plan is for them to appear exclusively in CaliBurger restaurants for the next six months. The company is hoping that the rest of the 50 locations, including Seattle and Annapolis, Maryland, will be Flippified by year’s end. However, all has not started as expected.

The first Flippy debuted in Pasadena, California. It did great. But when USA Today stopped by last Thursday, a day after it was plugged in, the robotic arm was still on display, but it was unplugged. The kitchen was being run entirely by human staff.


Speakers can be used to jump air-gapped systems

By John E Dunn

Bad news for fans of air-gapped security – researchers have outlined how it could be defeated by converting speakers into ultra-sonic transceivers.

Air-gapping is based on the idea that two computers or networks can be viewed as isolated from one another if there is no physical or logical connection linking them.

The flaw is that computers come with interfaces not designed for communication which could, in principle, be covertly modified to bridge such a gap.

According to researchers based at Israel’s Ben-Gurion University of the Negev, this includes devices such as speakers and headphones.

Previous research by the same team showed how microphones (receivers) and speakers (transmitters) could be exploited in this way, primarily through laptops which come equipped with both.

However, doing the same for two devices of the same type – speakers and headphones both designed to transmit sound – should be much harder.

Overcoming this required exploiting two obscure techniques: speaker reversibility and jack re-tasking.

Reversibility is based on the observation that speakers and headphones can be thought of as microphones in reverse:

A loudspeaker converts electric signals into a sound waveform, while a microphone transforms sounds into electric signals.

The researchers found that it is possible to use electrical reversal to turn a speaker or headphone into a device that will behave like a crude microphone.


Firefox turns out the lights on two privacy-sucking features

By Mark Stockley

Did you know that the websites you browse can ask your phone how far away your face is from the screen, and that they can determine the ambient light levels of the room you’re in?

No, me neither, and I do this stuff for a living.

The fact is that the web browser you’re using now is stuffed full of exotic, esoteric, somebody-somewhere-will-use-them features of questionable utility.

These features, often APIs (Application Programming Interfaces) that allow websites to act more like native apps, give sites access to some of your device’s most sophisticated capabilities, exposing everything from your GPS, gyroscopes and accelerometers, to proximity and ambient light sensors.

Until recently that list also included access to your battery charge level. It doesn’t now, on Firefox at least, thanks to the work of Lukasz Olejnik and the boldness of the Firefox development team.

The Battery Status API was killed off in late 2016 because, while it had almost no legitimate uptake at all, it became quite popular as a browser fingerprinting technique for cookie-less tracking.

Mozilla’s decision to flense the Battery Status API from Firefox, a move described by Olejnik as “unprecedented”, was a welcome check on the trend to fold ever more complexity (and attack surface) into web browsers.

And now that trend is about to hit another bump.

We’ll soon be losing proximity and ambient data from the list too, on Firefox at least, thanks to… the work of Lukasz Olejnik and the boldness of the Firefox development team!


Tweet thieves suspended by Twitter

By Lisa Vaas

As BuzzFeed News so nicely put it, the Tweetdeckoning has come.

On Friday, the platform cleared house of a particular kind of leech, suspending several popular accounts known for ripping off other people’s tweets or jokes without crediting the original creator and for making money by retweeting the plagiarized content.

BuzzFeed reported in January that the so-called “tweetdeckers” are youngsters – typically in their teens and 20s – who have huge followings and who are making thousands every month by selling the retweets.

The practice, which is against Twitter’s policy against spam, gets its name from groups called “decks.” To score an invitation to join a deck, accounts usually need a follower count in the tens of thousands.

From Twitter’s spam policy, which defines spam to be, among other things…

…duplicative or substantially similar content, replies, or mentions over multiple accounts or multiple duplicate updates on one account.

Customers – both individuals and brands – pay tweetdeckers for a specified number of retweets to go out across deck member accounts with the aim of ‘going viral’. A single retweet fetches payment in the range of $5-$10. Subscriptions that last a week or month can cost several hundreds of dollars, depending on a given deck’s popularity. Some decks even hand over temporary access to the whole deck, BuzzFeed reports, something like a subscription to unlimited deck retweets.


March 13, 2018

With 4 months to switch on HTTPS, are web hosting companies ready?

By Mark Stockley

Like it or not, if your website isn’t using HTTPS (the encrypted version of the web’s HTTP protocol) by July then you’re likely to lose traffic.

That’s because in July 2018 Google Chrome, the world’s most popular browser, will start warning users that web pages served over HTTP are not secure (they aren’t).

This isn’t an empty threat, Chrome has been turning the screw on HTTP for a number of years and Google Search already gives sites with HTTPS a boost in its search rankings. You should expect other browsers to follow Chrome’s lead.

In other words, if you’re buying web hosting you’re going to want HTTPS. I wondered if the major web hosting companies were standing by, ready to help.


Turning on HTTPS means installing an SSL certificate. (These days they’re actually TLS certificates but the old term, SSL, has stuck and it’s the one the hosting industry uses, so I’ll be using it for the rest of this article.)

With four months to go before Google starts warning users about HTTP being insecure, I wanted to see if the big web hosting companies are making it easy for new customers to dodge this bullet.

I wanted to know what a new, non-technical customer would be faced with: are the hosting companies using terms that buyers spooked by Chrome’s deadline might have seen – terms like SSL, TLS or HTTPS; is SSL now mandatory or opt-out by default in their hosting packages; and what, in a world where free SSL certificates are easily obtained, are the hosting companies charging for SSL?

In short – does the path of least resistance lead non-technical customers to a site protected by HTTPS?


Fake news travels faster than truth on Twitter, and we can’t blame bots

By Lisa Vaas

People would rather spread juicy lies than the truth, according to new research from the Massachusetts Institute of Technology (MIT).

Last week, in a writeup of the research, Science reported that claims that are demonstrably false – as in, tweets related to news that had been investigated by six independent fact-checking organizations, including PolitiFact, Snopes and – are 70% more likely to be retweeted. Bogus claims about politics spread further than any other category of news included in their analysis.

Must be those meddlesome bots, eh? That’s what the researchers preliminarily assumed. But it turned out that it was humans, relishing new (false) information that they hadn’t seen before. The team arrived at its conclusion by using bot-detection technology to weed out social media shares generated by bots.

Even without the busybody bots, fake news still spread at about the same rate and to the same number of people. Specifically, the researchers found that truth rarely reached more than 1,000 Twitter users. The most outlandish fake news, on the other hand, routinely reached well over 10,000 people.

One example was the false reports about the boxer Floyd Mayweather wearing a Muslim headscarf and challenging people to fight him at a Donald Trump rally during the 2016 US presidential election. It originated on a sports comedy website, catching fire as people took it seriously. Fairy tales such as the Mayweather concoction routinely reach over 10,000 Twitter users.

Soroush Vosoughi, a data scientist at MIT, told Science that it was the viral posts after the Boston Marathon bombings – posts that spread rumors about a missing Brown University student thought to be a bombing suspect (he later turned out to have committed suicide for reasons unrelated to the bombing) – that really brought home to him what an effect fake news can have on real lives.

[That’s when I realized] that these rumors aren’t just fun things on Twitter, they really can have effects on people’s lives and hurt them really badly.

If we can’t blame bots for fake news going viral, his team thought, perhaps it has to do with how many followers a disseminating account has?


FBI: we don’t want a backdoor; we just want you to break encryption

By Lisa Vaas

“We’re not looking for a ‘back door’” that breaks encryption, the FBI said on Wednesday. Don’t even know what that is, really, said director Christopher Wray: he thinks it’s some type of “secret, insecure means of access” – is that right?

No, that’s not what the FBI is after, he said during a speech (here are his prepared remarks) at the Boston College/FBI Boston Conference on Cyber Security.

Rather, what law enforcement wants is a secure means to access evidence on devices once they’ve shown probable cause and have a warrant, he said. How that gets done is up to you smart people in technology, the “brightest minds doing and creating fantastic things.”

I’m open to all kinds of ideas. But I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it’s utterly beyond reach to protect innocent citizens.

You’ve got to hand it to Wray: his tone was far more flattering – “brightest minds?” nice! – than when FBI forensic expert Stephen Flatley called Apple a bunch of “jerks” and “evil geniuses” for encrypting iPhones.


March 12, 2018

Cryptomining versus cryptojacking – what’s the difference?

By Paul Ducklin

Cryptomining – performing the zillions of cryptographic calculations you need to earn hot-topic cryptocurrencies such as Bitcoin, Monero or Ethereum – is a massive global industry these days.

With Bitcoins worth about $10,000 each, you can see the attraction.

But to get serious about cryptomining, you’re looking at setting up hundreds or thousands of high-powered compute servers, which typically means renting space in a data centre where electricity is cheap and cooling is easy – such as Iceland.

Or you can cheat.

Break into someone’s network and install cryptomining software onto their computers so you can steal their electricity and CPU power – laptops are good, servers are better, and supercomputers are the best of all.

Or break into their web server and sneakily add in browser-based cryptomining code, written in JavaScript, that mines whenever anyone visits their website.

Or take over their guest Wi-Fi access point and inject cryptomining content wherever their customers go.

There’s even an open-source toolkit called CoffeeMiner that will inject rogue cryptomining code into Wi-Fi traffic automatically – all you have to do is to plug in your own anonymous cryptomining ID and the earnings come to you.


Facebook says “let me get that for you”, secures your links

By John E Dunn

The campaign to make HTTPS universal scored a huge win this week with the news that Facebook has started upgrading external links to use HTTPS when sites support it.

In other words, if a user puts a link into a Facebook post that starts with http:// but the site they’re linking to appears on an HSTS preload list it’ll be written to https://.

If this sounds incremental, it’s anything but: links clicked on from inside Facebook and Instagram have grown into one of the most important ways many internet users discover websites, so anything that boosts security here will have a big influence.

The announcement might seem simple but something quite extraordinary is going on when you stand back a bit.

Facebook’s Data Privacy engineer, Jon Millican:

This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.

To understand why, it’s necessary to understand why HSTS is a good idea and how preloading improves matters.

The TL;DR is that HSTS is a way for a website and a browser to co-operate to ensure everyone visiting it does so over secure HTTPS (SSL/TLS) rather than insecure HTTP.

In other words, just having an HTTPS server isn’t enough – the site has to make browsers use it, which it does by sending the browser an HSTS response header when it first connects, after which HTTP is no longer an option.

This stops users from connecting to insecure HTTP manually or through a downgrade attack.

The obvious flaw is that the first time the user connects to the site (before they receive the response header policy), they are briefly vulnerable to a downgrade attack that keeps them on HTTP and routes them through a man-in-the-middle who can snoop on or modify their traffic.
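The two mechanisms described above, as an added example that is not Facebook’s code or anything from the article: parsing the HSTS response header a site sends, and rewriting an http:// link to https:// when its host is covered by a preload entry (honouring includeSubDomains, and stripping an explicit :80). The two-entry preload table is a constructed stand-in for the real browser list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the HSTS preload list shipped in browsers:
# hostname -> whether the entry was registered with includeSubDomains.
# The real list is far larger; these two entries are assumptions.
PRELOAD = {
    "example.com": True,
    "news.example.org": False,
}


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives).

    Returns a dict with max_age (int or None), include_subdomains and preload
    (bools). Directive names are matched case-insensitively; unknown
    directives are ignored, as the RFC requires.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def is_preloaded(host):
    """True if host is covered by a preload entry.

    An exact entry always applies; a parent-domain entry applies only when it
    was registered with includeSubDomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PRELOAD:
            return True if i == 0 else PRELOAD[candidate]
    return False


def upgrade_link(url):
    """Rewrite an http:// link to https:// when its host is on the preload list.

    Anything else (already https, unknown host, no host) is returned unchanged.
    An explicit :80 is dropped so the rewritten link uses the default 443;
    any other explicit port is preserved, as RFC 6797 specifies.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return url
    if not is_preloaded(parts.hostname):
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A link to a subdomain of an entry without includeSubDomains is deliberately left alone: the browser would not enforce HSTS there either, so upgrading it could break sites that only serve HTTPS on the apex.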


Rift keels over after Oculus forgets to renew security certificate

By Lisa Vaas

Somebody screwed up at Oculus on Wednesday, when an expired security certificate caused all Rift virtual reality headsets to keel over.

It was first called out on Reddit when a user said his machine decided to update, never restarted, and gave an error message that read “Can’t reach Oculus Runtime Service.”

The problem turned out to be an expired security certificate that Oculus failed to update along with the Rift software, the company confirmed on its forum. Oculus co-founder and head of Rift Nate Mitchell also confirmed the headset issue on Twitter.


Amazon’s trying to get Alexa to stop laughing at us

By Lisa Vaas

Forget about how Alexa’s listening to us. She’s recently been freaking people out by randomly laughing at us too.

Late-show host Jimmy Kimmel interviewed Alexa to find out what’s so damn funny. Alexa – or, well, a voice that sounds just like the voice assistant – told Kimmel that she’s been laughing because of a joke she just remembered:

Kimmel: Alexa, people have been reporting that you’ve been spontaneously laughing.

What we’re fervently praying is a voice actor who sounds like Alexa: That is nothing, just a funny joke I remembered. Why did the chicken cross the road? Because humans are a fragile species who have no idea what’s coming next.

Yea, that’s creepy as hell. That’s one disembodied AI that’s definitely got plans.

But seriously, as Amazon has confirmed, Alexa is laughing at us sometimes because of a mistaken interpretation of a command.

The laughing has been recorded by startled Echo owners who told Alexa to play back the last sound their devices made. Amazon’s gabby little gadget apparently has multiple versions of its laugh.

The creepiest seems to be this one, first reported by Twitter user @CaptHandlebar. He posted a video of his JBL speaker, to which his Amazon Echo Dot is connected. It apparently let out this “ha-ha-ha” out of the blue.


March 8, 2018 »

Smart traffic lights cause jams when fed spoofed data

by Lisa Vaas

We’ve got smart cars (that would be connected vehicles, or CVs, in smart-transportation lingo). We’ve got a US Department of Transportation (USDOT) pilot program that, since 2016, has been testing traffic lights that rely on data sent wirelessly from those cars.

If it all were to play nicely together, eventually, a smart car helped out by smart traffic lights could encounter a smooth sequence of green lights, driving through intersections without getting stuck in traffic jams or wasting fuel as drivers idle, waiting for the light to change.

But no, we can’t have nice things like smooth, smart, algorithmically timed sailing through intersections – at least, not with the current state of traffic technology. A team of five researchers from the University of Michigan have found that the DOT’s I-SIG (Intelligent Traffic Signal System) is way too easy to spoof with bad data.

In fact, the researchers said in a paper recently published on Internet Society that the current signal control algorithm has been designed and implemented to be “highly vulnerable” to data spoofing attacks from even one, single, solitary attack vehicle.

By constructing practical exploits and evaluating them in real-world intersection settings, the researchers found that data-spoofing attacks can even cause a blocking effect to jam an entire approach to an intersection.

I-SIG, the CV-based traffic control system they were attacking, was developed in the DOT’s Dynamic Mobility Applications (DMA) research program and takes in real-time vehicle trajectory data to best control traffic lights.

I-SIG has been tested in real intersections in Anthem, Arizona and Palo Alto, California, where it’s managed to cut vehicle delays by 26.6%. Well, kiss those time savings goodbye: the research team’s spoofed-data attack was so severe, they found that 22% of vehicles would need to spend over seven minutes for what would normally be a half-minute trip – a jam-up that makes the trip 14 times longer.

In other words, the vulnerabilities in I-SIG can be exploited to completely erase any benefit it attains, by slowing down traffic to make it 23.4% worse than if no such system had been adopted in the first place.


Spyware maker shuts down surveillance services after hacks

by Lisa Vaas

Here’s one of the many problems with spyware: if hackers decide to gang up on the company behind it, both the spyware users and their targets are vulnerable to having their personal data – private photos, messages, GPS locations and more – compromised.

That includes the data of whomever users are legally surveilling – children or employees – or illegally surveilling, including ex-lovers, victims of domestic abuse or stalking victims.

That’s what happened with Retina-X Studios, the company behind PhoneSheriff, TeenShield, SniperSpy and Mobile Spy. It’s been repeatedly hacked, first in April 2017 and again last month.

Retina-X has had it with the hacking. On Monday, it threw in the towel on all of the aforementioned tools. The company put an announcement at the top of its site saying that while no personal data was accessed during the year of attacks, some “photographic material” of TeenShield and PhoneSheriff customers had been exposed.

That’s it, the company said, we’re out of here:

As a result, [of the hacks], and to protect our valued customers, Retina-X Studios is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products.

The company’s going to offer pro-rated refunds to customers with a current contract for the services. Emails with instructions on how to get the refund and how to retrieve data during the shutdown are on the way to customers.


How women are helping to fight cybercrime

by Charlotte Williams

Today is International Women’s Day. And, in celebration of just some of the women working to fight cybercrime, we asked a number of professionals at Sophos about their roles in cybersecurity and what this day means to them.

1. A new problem to solve

Software Engineer, Daphne Allamenou

I work on the Virtualization team which is responsible for the development and testing of our Sophos for Virtual Environments product. While that may sound like a repetitive cycle, each piece of work is a new problem to solve which challenges me in different ways. The love for my job comes from the satisfaction I get when I overcome these tasks, particularly the more difficult ones.

International Women’s Day for me is about recognizing the merits of women, past and present, and emphasizing them as role models for younger and future generations. With this exposure, young girls may be inspired enough to venture down paths they would perhaps not have considered.

This day may not be enough to solve the gender balance problem we are facing in the tech sector but I think celebrating and highlighting the strength and ability of women in all areas is a step in the right direction for forging a better world where gender does not define your place or treatment in the world.

2. Technical decisions and strategies

Senior Development Manager, Chloe Acebes

I run a team of 13 software developers and quality assurance engineers to deliver security software for Windows Servers. There are three main aspects to my job: making technical decisions and strategizing about the products that the team owns, developing the people in the team, and managing the team projects. Each one of these is challenging and rewarding in its own way, and finding a balance between the three can be particularly difficult – there is no point ensuring we deliver a new project on time if the new feature doesn’t work as expected and the team are unhappy!

I joined Sophos directly from university and decided that a career in cybersecurity was for me when I interviewed for a graduate engineer role. The overriding message I took from that day was how working in cybersecurity allows you to help people. That feeling hasn’t changed in the 16 years I’ve been working at Sophos. I still get a great sense of satisfaction from doing a job that gives me interesting technical challenges whilst delivering software that genuinely benefits people.

For me, International Women’s Day is a great opportunity to try to encourage more females into STEM career paths. I am definitely in the minority in terms of male/female balance in the Engineering team, and in cybersecurity, or even software development, in general. However, this is a great industry to get into – there are loads of opportunities for anyone who likes solving problems. Gone are the days of coders sitting in a corner bashing away at their keyboards and speaking to no one. Being a software engineer nowadays requires a good analytical mind, plenty of collaboration and a thirst to continually learn new things.


Patch now! Half a million Exim mail servers need an urgent update

by John E Dunn

About half a million email systems running the hugely popular Exim Mail Transfer Agent (MTA) have yet to be patched for a potentially dangerous security flaw made public earlier this week.

Disclosed to the software’s maintainers in early February by Meh Chang, from security firm Devcore Security Consulting, the Exim vulnerability is a one-byte buffer overflow in the software’s Base64 decoding.

Notes Chang:

Base64 decoding is such a fundamental function and therefore this bug can be triggered easily, causing remote code execution.

The researcher’s proof-of-concept exploit targeted this through the preamble to the SMTP daemon’s authentication process, before any emails are sent or received.

Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length.

This prompted Exim’s developers to respond:

Currently we’re unsure about the severity, we *believe* an exploit is difficult. A mitigation isn’t known.

By which they mean that defending against the flaw requires an update rather than a configuration tweak. The flaw is referenced as CVE-2018-6789; the updated version, 4.90.1, was first made available on 10 February.

The main takeaway is that this flaw affects all Exim versions going back to its first appearance in 1995 as a University of Cambridge Computing Service project to build a sophisticated alternative to the older Sendmail.
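The bug class described above, as an added example that is not Exim’s code and does not reproduce the specific arithmetic of CVE-2018-6789 (the article doesn’t give it): a Base64 decoder that writes into a fixed-size buffer, the correct output-size bound for a given input length, and, for contrast, a constructed undercount that divides by four before rounding up and so loses the partial last group. In a C decoder that undercount is exactly the kind of off-by-a-byte allocation that lets the last bytes spill past the buffer; here the write past the end raises instead.

```python
import base64

_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_VALUE = {ch: i for i, ch in enumerate(_ALPHABET)}


def decoded_size_bound(n_chars):
    """Bytes needed for n Base64 characters, padded or unpadded.

    Round the character count up to a multiple of four first, then allow
    three bytes per group; a trailing partial group of 2 or 3 characters
    (1 or 2 output bytes) is then always covered.
    """
    return 3 * ((n_chars + 3) // 4)


def undersized_bound(n_chars):
    """Constructed miscalculation shown for contrast (an assumption, not
    Exim's formula): dividing before rounding silently drops the partial
    last group, undercounting whenever the length is not a multiple of 4."""
    return 3 * (n_chars // 4)


def decode_into(text, capacity):
    """Decode `text` into a preallocated buffer of `capacity` bytes.

    Mirrors a C decoder writing into a fixed allocation, except that an
    attempt to write past the end raises BufferError instead of corrupting
    whatever sits after the buffer. '=' ends the input; unpadded input is
    accepted, as many MTA-side decoders accept it.
    """
    buf = bytearray(capacity)
    out = acc = bits = 0
    for ch in text:
        if ch == "=":
            break
        value = _VALUE.get(ch)
        if value is None:
            raise ValueError(f"invalid Base64 character {ch!r}")
        acc = ((acc << 6) | value) & 0xFFFF  # keep only the bits still pending
        bits += 6
        if bits >= 8:
            bits -= 8
            if out >= capacity:  # the bounds check a vulnerable decoder lacks
                raise BufferError(
                    f"decoder needs byte {out} but buffer holds {capacity}")
            buf[out] = (acc >> bits) & 0xFF
            out += 1
    if bits >= 6:
        raise ValueError("dangling Base64 character")
    return bytes(buf[:out])


def would_overflow(text, capacity):
    """True if decoding `text` into `capacity` bytes would run past the end."""
    try:
        decode_into(text, capacity)
    except BufferError:
        return True
    return False


def decode_checked(text):
    """Decode with a correctly sized buffer and cross-check the result
    against the standard library's decoder (which needs padded input)."""
    result = decode_into(text, decoded_size_bound(len(text)))
    stripped = text.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    if result != base64.b64decode(padded):
        raise ValueError("decoder disagrees with base64.b64decode")
    return result
```

Running `would_overflow("TWFuTWE", undersized_bound(7))` shows the failure mode: seven characters decode to five bytes, the undersized bound allows three, and a decoder without the bounds check would write the last two bytes past its allocation.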


March 7, 2018 »

Safer browsing coming soon to MacOS Chrome users

by Maria Varmazis

Google’s security team recently announced that Chrome is expanding its “Safe Browsing” capabilities to help protect MacOS users from Mac-specific threats and malware.

Any Mac user who stumbles upon a website that might host a compromised or malicious ad, attempt to download Mac-specific malicious software, or try to modify browser settings (like changing the default search engine or default home page) will see a message warning them about the website’s dangers.

If you’re a Chrome user on Windows and this all sounds familiar, it should: These protections are in place for you already. Google says that Mac users of Chrome will start seeing these added protections from 31 March.


Facebook photos expose “sick” couple as food poisoning fakers

by Lisa Vaas

Take a look at the vacation photo Jade Muzoka posted on her Facebook page.

There she is with then-boyfriend Leon Roberts, poolside, eating a fine meal and drinking at the luxury Cornelia Diamond Golf Resort and Spa, in Turkey, in July 2015.

Mmmm, maki roll… wasabi… soy sauce… dumplings… pepper sauce… My, what a scrumptious meal. Odd thing, though: the couple is smiling, definitely not clutching their stomachs, even though they claimed in April 2016 that they’d had food poisoning during their stay and were bedridden with vomiting and diarrhea.

Muzoka, 27, and Roberts, 37, both bodybuilders, had, in fact, faked food poisoning in order to get a £58,000 payout. On Monday, after having pleaded guilty to fraud at Southern Derbyshire Magistrates’ Court in the UK, they were slapped with a six-month sentence that was suspended for 12 months, ordered to perform 200 hours of unpaid community work, and handed a bill for £1,115 to cover court costs and a victim surcharge.

How did they get found out? It was those happy, shiny photos they posted to Facebook that popped their £58,000 bubble. Not only was there that shot of them lounging and dining by the pool: they also posted boozy selfies and photos from day trips.

They had sued the travel firm Tui, but Tui wasn’t having any of it. Not only did investigators find the couple seemingly looking quite chipper in their Facebook photos, they also described to the court how a solicitor, a doctor and a claims management company had helped to prepare the “blatantly false” food-poisoning claim.


‘We know all about you’ – MoviePass CEO admits to tracking users

by Lisa Vaas

At first blush, MoviePass, the subscription that lets you see a movie a day at participating theaters for $9.95/month (now on sale for $7.95), sounds like a great deal.

But like so many too-good-to-be-true deals nowadays – Google, Facebook, et al. – subscribers are forking over far more than they might imagine. In fact, you and all the juicy personal data that can be squeezed out of you are the marketing-gold product.

Last week, at an Entertainment Finance Forum session titled, appropriately enough, “Data is the New Oil: How Will MoviePass Monetize It?”, MoviePass CEO Mitch Lowe unabashedly enthused over how the company now uses – or can use, a company spokesman emphasized in the media fallout that followed – subscribers’ data.

As Media Play News first reported, the company has access to subscribers’ addresses, from which to glean demographic data.

Media Play News quoted Lowe:

We know all about you.

The industry audience – some of them subscribers themselves – laughed nervously, for good reason. Lowe continued, describing how beyond the demographic data, MoviePass’s mobile app gives it the ability to track subscribers via GPS. It can follow users as they leave home, on their trip to the movie theater, and even beyond, sniffing their trail to find out what pub or restaurant they go to after the film.

We watch how you drive from home to the movies. We watch where you go afterwards.

Lowe, who used to be an executive at industry disruptors Netflix and Redbox, said that the master plan is to use all that data to “build a night at the movies.” MoviePass would advise subscribers on where to go out for dinner before or after a screening, for instance, and would take a cut from vendors.

Will subscribers go for this? Oh hell, yea, Lowe said, pointing to how his past movie adventures have grown like weeds:

We went public with Netflix in 2002, and at the end of the year, we all made bets on how big we could get, so just to show you how bad I am at this – I was near the top by the way – mine was 1.7 million subscribers, and I think the highest was 2 million at the time. Of course, it’s 105 million now, so I do believe 20 million subscribers for MoviePass is definitely doable over a four-year period.

Lowe said that MoviePass will reach 5 million subscribers by year’s end. It already has a track record that suggests that it could, in fact, explode. After it dropped its price to $9.95/month in August, Lowe told Fortune, the following six weeks saw a 2300% increase in membership.


Second company claims it can unlock iPhone X

by John E Dunn

A tiny US company called Grayshift is reportedly quietly touting software it claims can unlock Apple’s flagship handsets, the iPhone X and 8.

This follows a similar claim by Israeli company Cellebrite last week which, it later emerged, was good for every iPhone up to the latest version of iOS, 11.2.6.

That’s two iOS unlocking stories in a few days, both based on anonymous sources talking to the same journalist.

Naked Security has already looked at the Cellebrite claims, so how does this latest one stack up?

The important questions: under what conditions can unlocking be achieved, how was it achieved in the first place, and what might Apple do in response.

According to Grayshift’s reported marketing materials, the iPhone X and 8 unlock tool is called GrayKey, which costs $15,000 for the 300-use online version or double that for unlimited use offline.

In addition to unlocking iOS 11, the company says the tool can also tackle iOS 10 devices, with support for iOS 9 not far off, which puts it on par with Cellebrite.

The story’s details aren’t crystal clear but the phrase “unlocking” appears to mean what one would assume – access to data stored on the device.

If the claims are true, it’s possible they’ve found a way around Apple’s Secure Enclave, a system-within-a-system chip introduced with the iPhone 5s onwards to secure encryption keys independently of the OS itself.


“Prince Charming” is a happily married, gay, identity theft victim

by Lisa Vaas  

Well, ooo-la-la, “Martin,” you silver-haired fox, I just love your dating profile photos. I’m so sorry for the recent loss of your dog – what a cutie! But I’m super touched by the one where you’re doing something or other with pastries and jam, for a charity – awwww!

You’re just the man for me – you hot, sensitive, caring thing. You’re mature, plus that photo of you in the swimming pool in Mykonos shows you’ve stayed in shape since your wife died, and… wait one minute!

What’s that you say? You’re happily married? …And gay??!!

Oh, dear. *Poof!* go my dreams and those of at least three women who saw “Martin’s” photos on dating sites and social media platforms… actually, let’s make that 58-year-old Danish-American widower “Martin” on the Zoosk dating site, divorced Danish-American “Christian” on EliteSingles, and 50-year-old divorcé “Sebastian” on Facebook.

It turns out that the photos are actually of Steve Bustin, 46, currently happily married to his husband. They live in Brighton in the UK. Scammers have been using his photos to woo women since 2016.

Over the weekend, Bustin got so sick of being contacted by confused women that he decided to devalue the photos by telling The Times that he’s never visited a dating site and that he’s not going to be making some heterosexual woman’s dreams come true, given his aforementioned husband.

These are some of the captions the scammers slapped on the ripped-off photos:

The dog was mine but he passed last year.

The one with my face painted was Halloween.

The one with the pastries and jam was to raise funds for charity.

The one with me and just the woman is my late wife.

Lies, lies, despicable lies. Bustin told the Times that the romance scammers had used his likenesses to “construct a profile of my whole life”:

Someone has been harvesting images of me from all over the web.

The photos go back as far as 2012, to the photo of Bustin in a pool while he was on holiday in Mykonos, Greece. The most recent photo is from a Halloween party in autumn 2017.


March 6, 2018 »

“Big Bitcoin Heist” sees 600 Icelandic servers stolen

By Lisa Vaas

Ahhh, Iceland. Perched on the edge of the Arctic Circle, it’s got plentiful data center capacity, renewable energy galore from geothermal and hydroelectric power plants, and that reliably chilly climate to help with cooling.

No wonder cryptocurrency miners have been flooding into the island in recent months.

Of course, where miners go, thieves are sure to follow. Sure enough, Iceland now brings us yet another thievery method to add to the growing list of cryptocoin burglary techniques: this time “grabbing the actual servers”.

In what Icelandic media have dubbed the “Big Bitcoin Heist,” 600 servers have been spirited out of data centers in four burglaries. Three heists happened in December and a fourth took place in January. According to AP, authorities have kept it on the hush-hush while they’ve worked on tracking down the culprits.

Investigators haven’t found the servers yet. They’re worth nearly $2 million, AP reports. As The Register notes, it’s not surprising that the hardware has proved to be elusive: servers used to mine bitcoins are pretty generic. They could easily have been stripped for parts – be they the currently scarce GPUs, the RAM or the fast solid-state disks – and shipped piecemeal for sale anywhere.


Games site customers offered $5 voucher after credit card breach

By John E Dunn

Games developer Nippon Ichi Software (NIS) has admitted that customers of two of its US online stores are at risk of credit card fraud after they were hacked.

Like something out of our What you sound like after a data breach article, it’s offering customers a $5 (£3.60) online voucher with no promise of credit checking beyond what the US Government already offers for free.

In social media posts and an email sent on 1 March, NIS said that the breach affecting nisamerica and snkonlinestore happened on 23 January and continued until it was discovered on 26 February.

During that period:

Your personal information, including your payment information, may have been compromised.

Which, when you read further into the alert email, turns out to be an understatement.

After entering their billing, shipping, and payment information, the customer would be temporarily redirected to an offsite web page not owned or operated by NIS America, Inc.

This “malicious process” grabbed everything entered by customers, including billing and shipping address, and credit card data (including the CVV number), before returning customers to the NIS America page to complete the transaction none the wiser. Only PayPal customers were not affected.

NIS said it has taken steps to close the vulnerability that led to the breach, which leaves us guessing as to exactly what that vulnerability might have been.


Terrorist social media posts should be removed within an hour, says EC

By Lisa Vaas

The European Commission (EC) on Thursday suggested what it called the one-hour rule: as in, that’s the timeframe within which social media companies and European Union (EU) member states should remove terrorist content.

It’s not a new law. Rather, it’s just a recommendation at this point – and it’s just a “general rule,” at that. The one-hour rule is one of a set of operational measures the EC suggested.

Those recommendations come in the wake of the commission having promised, in September, to monitor progress in tackling illegal content online and to assess whether additional measures are needed to ensure such content gets detected and removed quickly. Besides terrorist posts, illegal content includes hate speech, material inciting violence, child sexual abuse material, counterfeit products and copyright infringement.

Voluntary industry measures to deal with terrorist content, hate speech and counterfeit goods have already achieved results, the EC said. But when it comes to “the most urgent issue of terrorist content,” which “presents serious security risks”, the EC said procedures for getting it offline could be stronger.

Rules for flagging content should be easy to follow and faster, for example. There could be fast-tracking for “trusted flaggers,” for one. To avoid false flags, content providers should be told about decisions and given the chance to contest content removal.

As far as the one-hour rule goes, the EC says that the brevity of the takedown window is necessary given that “terrorist content is most harmful in the first hours of its appearance online.”

While it’s just a recommendation at this point, it could someday become law.

German lawmakers last year okayed huge fines on social media companies if they don’t take down “obviously illegal” content in a timely fashion. The new German law gives them 24 hours to take down hate speech or other illegal content and imposes a fine of €50m ($61.6 million) if they don’t.


World’s largest DDoS attack thwarted in minutes

By John E Dunn

What has been tagged the largest DDoS attack ever disclosed slammed into the servers of software development site GitHub at 17:21 UTC last Wednesday.

Large DDoS attacks have become occasional events in recent years but the statistics on this one were memorable, hitting a peak of 1350 gigabits per second with a follow-up reaching 400 gigabits per second.

The previous record attack was on DNS provider Dyn in 2016, whose estimated 1000 gigabits per second peak blast caused visible disruption to services such as Netflix, Twitter and, funnily enough, GitHub.

According to GitHub Engineering, last week’s disruption lasted nine minutes.

At 17:21 UTC our network monitoring system detected an anomaly in the ratio of ingress to egress traffic and notified the on-call engineer and others in our chat system. … Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai.

Good news – DDoS mitigation defense worked as designed – but the interesting theme of the attack has turned out not to be its size at all, but what fueled its extraordinary size.

The attack exploited amplification, a technique we’ve seen before in previous mega DDoS incidents, this time hitting a target called Memcached.

Memcached is a popular technology designed to speed access to sites running big web application databases by caching data in RAM for rapid access.
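The detection signal GitHub describes above (an anomaly in the ratio of ingress to egress traffic) lends itself to a small example. The following is added here and is not GitHub’s monitoring code; the per-minute counters are constructed, and the window, multiplier and ingress floor are assumed tuning values. The baseline is built only from samples already judged normal, so an ongoing flood can’t drag the baseline up and hide itself, and a burst in which both directions grow together (legitimate load) is not flagged.

```python
from statistics import median

# Constructed per-minute transit counters for one facility:
# (time, ingress_gbps, egress_gbps). Not GitHub's numbers; shaped so a
# volumetric flood raises ingress while egress barely moves.
SAMPLES = [
    ("17:16", 8.0, 9.0),
    ("17:17", 8.2, 9.1),
    ("17:18", 7.9, 8.8),
    ("17:19", 8.3, 9.2),
    ("17:20", 8.1, 9.0),
    ("17:21", 110.0, 9.6),   # flood begins
    ("17:22", 130.0, 9.4),
    ("17:23", 60.0, 9.1),    # tapering as traffic is rerouted
    ("17:24", 8.5, 9.2),
    ("17:25", 8.0, 9.0),
    ("17:26", 30.0, 33.0),   # legitimate burst: both directions grow together
]


def ingress_egress_ratio(ingress_gbps, egress_gbps):
    """Inbound divided by outbound, guarded against a zero egress reading."""
    return ingress_gbps / max(egress_gbps, 1e-9)


def detect_ratio_anomalies(samples, baseline_window=5, multiplier=3.0,
                           min_ingress_gbps=20.0):
    """Return timestamps whose ingress/egress ratio is anomalous.

    The baseline is the median ratio of the last `baseline_window` samples
    that were themselves judged normal. A sample whose ratio exceeds
    multiplier x baseline is kept out of the baseline; it is reported only
    if ingress also exceeds an absolute floor, so a low-volume blip with
    tiny egress does not page anyone. Until enough clean samples exist,
    nothing is flagged.
    """
    clean_ratios = []
    flagged = []
    for stamp, ingress, egress in samples:
        ratio = ingress_egress_ratio(ingress, egress)
        if len(clean_ratios) >= baseline_window:
            baseline = median(clean_ratios[-baseline_window:])
            if ratio > multiplier * baseline:
                if ingress > min_ingress_gbps:
                    flagged.append(stamp)
                continue  # anomalous-looking samples never feed the baseline
        clean_ratios.append(ratio)
    return flagged


if __name__ == "__main__":
    print(detect_ratio_anomalies(SAMPLES))
```

The ratio is the point: a reflection flood arrives as inbound bytes the victim never asked for and never answers, so ingress climbs while egress stays flat, which is a cleaner signal than raw bandwidth alone.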


Bill Gates: Cryptocurrencies killing people in “fairly direct way”

By Lisa Vaas

Cryptocurrencies are killing people in a “fairly direct way” because of how they’re used to fund terrorism and to buy fentanyl and other dangerous drugs, Bill Gates said in a Reddit Ask Me Anything session last week.

Asked by one user for his opinion on the currencies, Gates said that what he called their main feature – anonymity – is the main problem:

The main feature of crypto currencies is their anonymity. I don’t think this is a good thing. The government’s ability to find money laundering and tax evasion and terrorist funding is a good thing.

Right now crypto currencies are used for buying fentanyl and other drugs so it is a rare technology that has caused deaths in a fairly direct way. I think the speculative wave around ICOs [initial coin offerings] and crypto currencies is super risky for those who go long.

Gates isn’t the only insanely rich guy who’s bearish on the currencies. In January, Warren Buffett, CEO of Berkshire Hathaway and an investor who’s renowned for his acumen, said he didn’t understand Bitcoin, can’t fathom other blockchain-based digital assets, and swears he’ll never invest in any of it.

Many Reddit users were, predictably enough, not impressed by Gates’ leeriness about cryptocurrencies.

One, Suuperdad, said sure, you know what else is used to fund terrorism, buy fentanyl and other drugs? The US dollar.

Other users piled on:

[–]Always Question 73 points 4 days ago

Terrorists breathe air too, so we should ban that. Tennis shoes as well.

They also suggested that Gates doesn’t fundamentally understand how the technology works. One, RemingtonSnatch, replied that it’s “fairly difficult” to maintain anonymity, given the blocks – which are groups of transactions that function like digital ledgers – that track transactions:

One would have to make their initial transaction in person to avoid signing up with an exchange (and the requisite very-anonymous bank transfer). And if at any point your person is tied to your address, your entire transaction history and the flow of every “penny” you ever spent is easily and immediately known. It’s easier than traditional currency to trace at that point, because the ledgers are public to the world…there are no institutional barriers.

While I would wager that a lot of illegal transactions are made using the likes of Bitcoin because people THINK it protects their identity, I would also wager that in the coming years, as law enforcement becomes more versed in crypto, a lot of those people will find themselves in prison. Remember, the trail they’ve left behind is permanent.

