
January 22, 2019

Bicycle-riding hitman convicted with Garmin GPS watch location data

By Lisa Vaas

A homicidal cycling and running fanatic known for his meticulous nature in tracking his victims has been undone by location data from his Garmin GPS watch.

Police in Merseyside, in northwest England, announced that a jury last week found Mark Fellows, 38, guilty of two gangland murders: that of “career criminal” John Kinsella last year and gang member Paul Massey in 2015. Fellows was sentenced to life in prison without parole.

Kinsella was gunned down on 5 May 2018 by a masked hitman on a bicycle who was wearing a high-visibility vest with yellow markings and black tape that CCTV cameras easily picked up.

Steven Boyle, 36, also found guilty in the killing of Kinsella, gave testimony against Fellows and acted as his spotter in the slaying, according to the Liverpool Echo. Boyle received a sentence of 33 years to life.

GPS watch

As the Liverpool Echo reported in December, during a search of Fellows’ home following Kinsella’s killing, police had seized a Garmin Forerunner 10 GPS watch. A prosecutor pointed out that the seized watch matched one Fellows had been wearing in photos taken during a road race – the Bupa Great Manchester Run – on 10 May 2015.


WhatsApp fights the spread of deadly fake news with recipient limit

By Lisa Vaas

As of July 2018, dozens of mob lynchings sparked by rumors – many about child abduction – that had been spread virally on social media had led to 33 deaths and at least 99 injured in 69 reported lynchings. The wave of violence tore through countries including Myanmar and Sri Lanka but was mostly in India.

At least 18 of those incidents were specifically linked to WhatsApp.

In an effort to limit the type of message forwarding that fuels such fake-news wildfires, in July WhatsApp launched a test in which it limited forwarding of chats to 5 people in India, where people forward more messages, photos and videos than any other country in the world.

WhatsApp also imposed a larger limit globally of 20 recipients. At the same time, WhatsApp also removed a quick-forward button next to media messages in India, and it added a feature to more clearly label forwarded messages.

Now, the private-messaging app is taking those changes, including the lower limit of 5 forwarded messages, worldwide. On Monday, Victoria Grand, vice president for policy and communications at WhatsApp, said at an event in the Indonesian capital of Jakarta that the change went into effect immediately. Reuters quoted her:

We’re imposing a limit of five messages all over the world as of today.

WhatsApp’s head of communications Carl Woog told Reuters that starting on Monday, WhatsApp would roll out an update to activate the new forward limit. Android users will receive the update first, followed by iOS.


DNC targeted by Russian hackers beyond 2018 midterms, it claims

By Danny Bradbury

The Democratic National Committee (DNC) has filed a civil complaint accusing Russia of trying to hack its computers as recently as November 2018.

In its court filing, the DNC argues that not only did the campaign and several Trump operatives collude with Russia to steal electronic information, but that Russia was still attempting to hack DNC systems in the run up to last year’s midterm elections.

The filing describes an alleged Russian cyberattack campaign that began in July 2015 and which stole information after a hack in April 2016, when the Russians allegedly placed proprietary malware known as X-Agent on the DNC network. It claims that they monitored the malware in real time and collected data including key logs and screenshots. Using malware called X-Tunnel, the hackers exfiltrated several gigabytes of DNC data over the following days to a computer located in Illinois leased by agents of Russia’s GRU military unit, it says.

Russian operatives then placed a version of X-Agent on a DNC server in June that year and hacked DNC virtual machines hosted on Amazon Web Services (AWS) in September to steal voter data, the filing also alleges.


Is the Ten Year Challenge a Facebook scam???

By Mark Stockley

If you have an Instagram account, if you’re on Facebook or if you use Twitter, or any other social media, or read the news, own a phone or have eyes, you will probably have encountered the ten-year challenge.

The challenge is the latest social media craze and it simply involves posting a contemporary photo of yourself alongside another from ten years ago. Ostensibly it’s about nostalgia and showing how much things have changed in the intervening years.

Like all good viral crazes, it’s visually interesting, conceptually simple, easy to do and replete with opportunities for poignancy, reflection, virtue signaling, celebrity humble bragging, commentary (…guilty!) and humor.

Here’s Star Trek Discovery and the Walking Dead’s Sonequa Martin-Green showing us how it’s done.

This meme du jour follows in the footsteps of other social media fripperies, such as the similarly self-descriptive Ice Bucket challenge and the No Makeup challenge.

Social media’s capacity to spawn viral crazes isn’t limited to challenges though. Older readers may remember becoming concerned for friends whose speech turned into incoherent jabbering about crop yields around the turn of the last decade, as they battled crippling Farmville addictions.


Twitter bug exposed some Android private tweets to public view

By Lisa Vaas

In October, after Twitter refused to give a user information about how it tracks him when he clicks on links in tweets (as is the right of EU citizens under the newly passed, sweeping General Data Protection Regulation [GDPR] privacy law), Irish privacy authorities launched an investigation into the platform’s privacy practices.

Things could get hairier still, given the major privacy glitch Twitter disclosed on Thursday.

Twitter said that it had become aware of a bug that, under certain circumstances, switched private tweets to public view in Twitter for Android. That bug went unnoticed for four years, from 3 November 2014 until last Monday.

The bug disabled the “Protect your Tweets” setting for Android users if certain account changes were made, Twitter said. Namely, Android users would be well-advised to check their settings if they changed the email address associated with their account during that time period.

This doesn’t affect iOS or web users. Twitter says it fixed the issue on 14 January.


Attackers used a LinkedIn job ad and Skype call to breach bank’s defenses

By John E Dunn

Last week, Chilean Senator Felipe Harboe took to Twitter with alarming news – he had got wind that the company running the country’s ATM inter-bank network, Redbanc, had suffered a serious cyberattack at the end of December.

Two days later, not long before a local news site published a story offering more detail, Redbanc issued a public admission that the attack had happened, confirming little beyond the statement that its network had not been disrupted and continued functioning normally.

[translated] This event had no impact on our operations, keeping our services running smoothly. As established in our protocols, we kept the different industry players and authorities informed at all times, with total transparency and spirit of collaboration.

Cyberattacks happen all the time, of course, but this one piqued people’s curiosity for several reasons.

The first was that this was a cyberattack on a company that connects and manages the ATM network for a whole country.

In banking terms, that’s quite a big deal, partly because ATM networks are a juicy target but also because it arrived in the wake of last June’s big ransomware attack against Banco de Chile.

A second bump for the story arrived a few days later when security company Flashpoint said it believed the malware used against Redbanc was PowerRatankba, a platform connected to North Korea’s Lazarus group.


State agency exposes 3TB of data, including FBI info and remote logins

By Danny Bradbury

Oklahoma’s Department of Securities (ODS) exposed three terabytes of files in plain text on the public internet this month, which contained sensitive data including social security numbers, details of FBI investigations, credentials for remote access to computers, and the names of AIDS patients.

Researchers at security company UpGuard found the files using the Shodan search engine, which indexes internet-connected devices. In this case, they ran across an unsecured rsync server registered to ODS.

Rsync is a utility commonly found on Unix and Linux systems that enables administrators to synchronize files between different computers. It is used for ‘delta’ syncing, in which one computer copies to another only the parts of files that have changed, enabling them to maintain identical copies of the files in different locations.

Because the rsync server UpGuard found was unsecured, anyone who connected to its IP address could read the data. It’s impossible to know who else may have found it first. The one upside is that the data was identified just one week after it was exposed.
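As an added example (not UpGuard’s tooling or ODS’s configuration), the script below audits an rsyncd.conf for the settings that leave a daemon readable by anyone on the internet, and contrasts a constructed weak share with a hardened one. The checks rely on documented rsync defaults: “hosts allow” defaults to every host, “auth users” to no authentication, and a daemon without “address” listens on all interfaces.

```python
"""Audit an rsyncd.conf for settings that leave a daemon open to the internet.

Added example, not UpGuard's tooling or ODS's configuration; both configs
below are constructed. Checks follow the rsyncd.conf defaults: 'hosts allow'
defaults to every host, 'auth users' to no authentication, 'read only' to yes,
and a daemon without 'address' listens on all interfaces.
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_rsyncd_conf(text):
    """Return (global_params, {module_name: params}) from rsyncd.conf text.

    The format is INI-like: settings before the first [module] header are
    global and apply to every module unless the module overrides them.
    """
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue  # tolerate junk lines instead of aborting the audit
        key, value = (part.strip() for part in line.split("=", 1))
        target = global_params if current is None else modules[current]
        target[key.lower()] = value
    return global_params, modules


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def audit_rsyncd(text):
    """Return a list of (scope, finding) tuples; empty means nothing flagged."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = []
    if "address" not in global_params:
        findings.append(("global", "no 'address': daemon listens on every interface"))
    for name, params in modules.items():
        effective = {**global_params, **params}  # module overrides global
        if "hosts allow" not in effective:
            findings.append((name, "no 'hosts allow': any client may connect"))
        if "auth users" not in effective:
            findings.append((name, "no 'auth users': anonymous access"))
        elif "secrets file" not in effective:
            findings.append((name, "'auth users' set but no 'secrets file'"))
        if "read only" in effective and not is_true(effective["read only"]):
            findings.append((name, "module is writable ('read only = no')"))
        if "path" not in params:
            findings.append((name, "module has no 'path'"))
    return findings


# Constructed: the shape of a share that anyone on the internet can read.
WEAK_CONF = """
pid file = /var/run/rsyncd.pid
[backups]
    path = /srv/backups
    comment = agency file share
    read only = no
"""

# Constructed: same share, bound to one interface, source-restricted,
# password-protected and read-only.
HARDENED_CONF = """
address = 10.20.0.5
pid file = /var/run/rsyncd.pid
[backups]
    path = /srv/backups
    comment = agency file share
    read only = yes
    list = no
    hosts allow = 10.20.0.0/24
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

if __name__ == "__main__":
    for scope, finding in audit_rsyncd(WEAK_CONF):
        print(f"{scope}: {finding}")
    print("hardened findings:", audit_rsyncd(HARDENED_CONF))
```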

The data trove contained millions of files dating back to 1986, according to UpGuard’s report, with the most recent files dated 2016. They offered up sensitive data ranging from personally identifiable information (PII) to internal documentation, the researchers explained.

The files included PII on over 100,000 securities brokers, including the social security numbers for around 10,000 of them. One database included the names of AIDS patients.


January 18, 2019

Vast data-berg washes up 1.16 billion pwned records

By John E Dunn

The Have I Been Pwned? (HIBP) website has revealed another huge cache of breached email addresses and passwords discovered last week circulating among criminals.

Named “Collection #1” by HIBP’s maintainer Troy Hunt, its statistics are as impressive as they are worrying: 87GB of data, 12,000 files, and 1.16 billion unique combinations of email addresses and passwords.

After cleaning up the data, Hunt reckons 773 million email addresses are unique, as are 21 million of the passwords, which is to say each appears in unhashed form only once within the cache.

Hunt said the data was discovered by “multiple people” on the MEGA cloud service being advertised as a collection made up of 2,000 or more individual data breaches stretching back some time.

Who has the data?

Given that it was being advertised and discussed on a criminal forum, in theory almost anyone visiting that source.


Did you know you can see the ad boxes Facebook sorts us into?

By Lisa Vaas

Fitbit? Pollination? Jaguars? Snakes? Mason jars?

OK, fine, Facebook, I’m not surprised that I’ve clicked on those things. But when did I ever click on anything related to Star Trek: Voyager? Or Cattle?!

My “this feels weird” reaction makes me one of the 51% of Facebook users who report that they’re not comfortable with the fact that the ad-driven company creates a list that assigns each of us categories based on our real-life interests.

It’s called “Your ads preference.” You can view yours here. If you drill down, you can see where Facebook gets its categorization ideas from, including the things we click on or like, what our relationship status is, who employs us, and far more.

Most people don’t even know that Facebook keeps a list of our traits and interests. In a new survey from Pew Research Center that attempted to figure out how well people understand Facebook’s algorithm-driven classification systems and how they feel about Facebook’s collection of personal data, the majority of participants said they never knew about it until they took part in the survey.

Overall… 74% of Facebook users say they did not know that this list of their traits and interests existed until they were directed to their page as part of this study.

Once the participants were directed to the ad preferences page, most – 88% – found that the platform had generated material about them. More than half – 59% – said that the categories reflected their real-life interests. But 27% said that the categories were “not very” or “not at all” accurate in describing them.


YouTube bans dangerous and harmful pranks and challenges

By Lisa Vaas

Driving while blindfolded is stupid. Ingesting laundry detergent pods is stupid. Asking your girlfriend to shoot you through an encyclopedia is stupid. And, in the case of Pedro Ruiz III, it’s lethal.

These are all so-called “pranks” that have been filmed and posted on YouTube. After reports of people getting hurt or even killed, YouTube has explicitly called it quits on the genre.

On Tuesday, Google announced that it had updated its dangerous challenges and pranks enforcement.

Specifically, Google updated its external guidelines to clarify that such challenges “have no place on YouTube.” Examples include the Tide pod challenge, in which teens dare each other to bite into laundry pods, which can and has led to poisoning, and the fire challenge, which involves pouring flammable liquid onto your skin and then setting it alight, and which has resulted in multiple cases of kids giving themselves second- and third-degree burns.


Email crooks swindle woman out of $150K from home sale

By Lisa Vaas

In 2014, when Mireille Appert’s uncle died, he left her his house.

After four years of managing the house in Queensland, Australia from her own home in the US, she couldn’t afford it anymore.

As her uncle knew, she loves Australia, she told the Chronicle, but not the fees and the expensive intercontinental slogging:

I wasn’t able to afford a vacation home in Australia anymore. Flights, maintenance, rates, electricity. A lot of fees to pay, for not being able to enjoy my house as much as I wanted.

So Appert, 67, decided to sell. She got a local law firm, KF Solicitors, to help with the $148,554.11 sale. That was on 1 July 2018.

What followed was a flurry of back and forth emailing of legal documents, including Appert’s bank account details, which she says she sent… three times.

Six months later, she still hasn’t seen a dime of that money.

Unfortunately, somebody else has: it looks like it wound up in the pocket of an email fraudster who inserted themselves into the exchange and tricked Appert into sending an electronically signed PDF with her bank details. The scammer(s) apparently also convinced the solicitors to deposit Appert’s money into a purported “corporate” bank account that they controlled.


Two charged with hacking company filings out of SEC’s EDGAR system

By Lisa Vaas

The Securities and Exchange Commission (SEC) on Tuesday indicted two Ukrainians for allegedly hacking its Electronic Data Gathering, Analysis and Retrieval (EDGAR) filing system and stealing corporate secrets from thousands of companies’ filings before they were made public.

The SEC also filed a civil complaint against a network of securities traders in the US, Ukraine and Russia with whom the hackers allegedly shared the hacked information and who allegedly used it to illegally profit by snapping up or selling off securities before the filings were public.

The 16-page indictment charges the alleged hackers – Artem Radchenko, 27, and Oleksandr Ieremenko, 26, both of Kiev, Ukraine – with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud.

According to the US Attorney’s Office for the District of New Jersey, the two indicted men aren’t in custody. Nor are they believed to be in the US, the Washington Post reports.

According to the indictments, Radchenko, Ieremenko and others conspired to pry open the SEC’s EDGAR system, which is used by publicly traded companies to file required financial disclosures, such as annual and quarterly earnings reports. Those reports are full of information that can lead to profit for those who get their hands on them, including details about companies’ financial health, operations and earnings. Such information can and often does affect companies’ stock prices when it’s publicly disclosed.


January 16, 2019

Are you sure those WhatsApp messages are meant for you?

By Danny Bradbury

Senior Amazon technical expert Abby Fuller had a bit of a shock when she logged into WhatsApp using a new telephone number earlier this month. She found someone else’s messages waiting for her.

WhatsApp, which Facebook purchased for $19bn in 2014, advertises itself as a secure, reliable messaging app.

The service prides itself on not retaining messages on its servers once they have been delivered. Fuller was using a new telephone number on a new mobile device. Her SIM card was new, and she hadn’t restored any backed-up messages from anywhere. So what gives? How did messages meant for someone else get onto her phone?

WhatsApp ties user accounts to their phone numbers. The problem is that people don’t always keep their phone numbers forever. When someone stops using a number, by ending their smartphone contract for example, it goes back into a pool of numbers and under FCC rules it can be reassigned to someone else after 90 days.


Intel patches another security flaw in SGX technology

By John E Dunn

Intel last week released six advisories covering a range of products, the most interesting of which is a flaw discovered in the company’s Software Guard Extensions (SGX) built into all Intel processors since the company’s sixth-generation Skylake processors in 2015.

Discovered by independent researcher SaifAllah benMassaoud, the latest SGX vulnerability (CVE-2018-18098) is a weakness in the software layer that enables SGX hardware that could allow what Intel euphemistically describes as “escalation of privilege or information disclosure.”

SGX makes possible ‘secure enclaves’ that can be used for a variety of purposes, including Digital Rights Management (DRM). Essentially, an application can put whatever data it is working on into one of these so that no other application can access, compromise or copy it.

Intel offers few details as to how this flaw affects that integrity. However, benMassaoud told The Register that a simple batch script sent via email could be used to launch an attack exploiting the flaw:

Once the file is opened by the victim who uses the affected software, it will automatically download and execute a malicious code from attacker’s server to the vulnerable setup version of Intel SGX SDK and Platform Software on the victim’s machine.

There’s also a video that demonstrates the proof of concept.


Beware buying Fortnite’s V-Bucks, you could be funding organised crime

By Lisa Vaas

Crooks are laundering money through Fortnite’s in-game currency, known as V-Bucks, according to an investigation carried out by The Independent and cybersecurity firm Sixgill.

They’re using stolen credit cards to purchase V-Bucks, then selling the currency at a discount to players on the Dark Web and thereby cleaning the money.

Why do we keep hearing about yet more scams that revolve around Fortnite? Same reason that robbers rob banks: that’s where the money’s at.

Be they young, old, and/or dressed up in the skin of an anthropomorphic tomato, players worldwide flock to the free Fortnite Battle Royale, to the tune of what its maker, Epic Games, said was more than 125 million players across all platforms as of June 2018.

Before its release, we saw fraudsters exploit gamers’ keen anticipation to get invitations to the release, flogging their fictional “extra free invites!!!” as they looked for profit or for pumped-up Twitter followers/likes/retweets/comments.

Then we saw scammers seed the internet with fake Fortnite apps that never loaded the actual game and instead churned victims through the downloading of other apps that the fraudsters got paid to disseminate.

Then, within a year of its 2017 launch, we saw hijacked Fortnite accounts being hawked on Instagram: what Kotaku called a “booming industry”.


Feds can’t force you to unlock your phone with finger or face, says judge

By Lisa Vaas

A Northern California federal judge ruled last week that police can’t force suspects to unlock their phones with their fingers, eyes or face, even with a warrant, because it amounts to the same type of self-incrimination as being forced to hand over your passcode.

If other courts apply her decision, it could set an important precedent in Fifth Amendment interpretation and the debate between compelling suspects to use “what they are” (i.e., forced use of their bodies) vs. “what they know” (i.e., forcing suspects to unlock their brains to get at their passcodes).

As Forbes reports, Judge Kandis Westmore ruled that compelled testimony is compelled testimony, regardless of whether it’s a passcode uttered aloud or a forced finger swipe. In this day and age, multiple forms of authentication unlock treasure troves of personal data, she wrote.

If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.

Judge Westmore wrote the decision in denial of a warrant to police who were investigating alleged extortion in Oakland, California. The suspects allegedly used Facebook Messenger to threaten a man with the release of an embarrassing video unless he coughed up money.


Windows 7 users get fix for latest updating woe

By John E Dunn

Microsoft has vexed its users with another misbehaving update.

The latest problem occurred on 8 January when enterprise users running Windows 7 or Windows Server 2008 R2 with a Key Management Service (KMS) started complaining on Microsoft’s TechNet forums and Reddit that they were seeing two errors, the first relating to licensing, the second networking.

In the first, users saw a “Windows is not genuine” error dialogue after logging in; Windows still ran, but with this message embedded as a desktop watermark.

The second error appears to have been a problem with different symptoms resulting in users not being able to access SMB2 shares or start remote desktop connections through both admin and non-admin accounts.

At first it was assumed that the problems were connected to separate security and feature updates for Windows 7 – KB4480960 and KB4480970 – which were issued as part of Patch Tuesday.

It later transpired that the problem wasn’t with either of those updates and was instead connected to a change made to the Microsoft Activation and Validation servers affecting anyone who had installed an old update, KB971033, which originally appeared last April.


Blockchain burglar returns some of $1m crypto-swag

By Danny Bradbury

It isn’t often that the villains show their soft side, but a blockchain burglar apparently did just that last week. An unidentified thief who stole over $1 million from the Ethereum Classic blockchain has given some of it back.

The thief exploited a weakness in Ethereum Classic, shared by several other cryptocurrencies, called a “51% attack”, which enables attackers to rewrite the blockchain and spend cryptocurrency twice. They used the technique to attack several cryptocurrency exchanges with fraudulent transactions.

Then, less than a week later, they returned some of the cash, said one affected exchange in a statement:

On Jan.10, we found that the recent ETC 51% attacker returned 100k USD value of ETC back to

Cryptocurrencies like Ethereum Classic are based on a proof-of-work algorithm, in which many different computers compete to solve a mathematical problem. The computer that wins the competition gets to seal the last few minutes’ transactions into a block (a little like a page in an accounting ledger).
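To make the proof-of-work and chain-selection rules concrete, here is an added example (not code from Ethereum Classic or any exchange): a toy chain that mines blocks, validates them and adopts the chain with the most accumulated work. The transactions, the tiny difficulty and the simulate_reorg() scenario are all made up; the point it shows is that a deposit’s confirmations are only as safe as the work stacked on top of it, which is why exchanges wait for more confirmations before crediting funds.

```python
"""Toy proof-of-work chain showing why confirmation depth matters.

Added example, not code from Ethereum Classic or any exchange: it mines
blocks, validates a chain and applies the most-work rule the article
describes. simulate_reorg() shows a deposit losing its confirmations when a
heavier competing chain is published, which is the risk exchanges mitigate
by requiring more confirmations before crediting funds.
"""
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros required; tiny so the demo mines instantly
DEPOSIT_TX = "deposit: attacker -> exchange"  # constructed transaction label


def block_hash(block):
    """SHA-256 over every field except the stored hash itself."""
    fields = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def mine(prev_hash, height, txs, difficulty=DIFFICULTY):
    """Proof of work: try nonces until the hash meets the difficulty target."""
    block = {"height": height, "prev": prev_hash, "txs": list(txs),
             "difficulty": difficulty, "nonce": 0}
    while True:
        digest = block_hash(block)
        if digest.startswith("0" * difficulty):
            block["hash"] = digest
            return block
        block["nonce"] += 1


def extend(chain, txs):
    """Seal the next block (the 'ledger page') on top of the chain tip."""
    tip = chain[-1]
    chain.append(mine(tip["hash"], tip["height"] + 1, txs))
    return chain


def valid_chain(chain):
    """Every block must hash correctly, meet its target and link to its parent."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False
        if not block["hash"].startswith("0" * block["difficulty"]):
            return False
        if i and (block["prev"] != chain[i - 1]["hash"]
                  or block["height"] != chain[i - 1]["height"] + 1):
            return False
    return True


def chain_work(chain):
    """Expected hash attempts needed to build the chain (16**difficulty each)."""
    return sum(16 ** b["difficulty"] for b in chain)


def select_chain(current, candidate):
    """Nodes adopt the valid chain with the most accumulated work."""
    if valid_chain(candidate) and chain_work(candidate) > chain_work(current):
        return candidate
    return current


def confirmations(chain, tx):
    """Blocks on top of (and including) the one holding tx; 0 if absent."""
    for block in chain:
        if tx in block["txs"]:
            return chain[-1]["height"] - block["height"] + 1
    return 0


def simulate_reorg(honest_blocks=2, attacker_extra=1):
    """Return the deposit's confirmations before and after a competing chain."""
    genesis = mine("0" * 64, 0, ["coinbase"])
    public = [genesis]
    extend(public, [DEPOSIT_TX])
    for _ in range(honest_blocks - 1):
        extend(public, ["ordinary tx"])
    # A private chain from the same genesis that omits the deposit and instead
    # spends the same coins elsewhere; it only wins if it carries more work.
    private = [genesis]
    extend(private, ["spend: attacker -> attacker"])
    for _ in range(honest_blocks + attacker_extra - 1):
        extend(private, ["filler"])
    before = confirmations(public, DEPOSIT_TX)
    after = confirmations(select_chain(public, private), DEPOSIT_TX)
    return before, after


if __name__ == "__main__":
    print("heavier competing chain:", simulate_reorg(2, 1))  # (2, 0)
    print("equal work, public chain kept:", simulate_reorg(2, 0))  # (2, 2)
```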


Shutdown hits government websites as certificates begin to expire

By Danny Bradbury

The US government shutdown is affecting more than just physical sites like national parks and monuments. Now, government websites are shutting down as their TLS certificates expire, according to internet security and statistics company Netcraft. In an online post, the company says that more than 80 websites using the .gov domain have been made insecure or inaccessible thanks to expired certificates.

TLS certificates are used by websites communicating over encrypted, HTTPS connections. A certificate binds a website’s identity to its public encryption key, which ensures that your communication with that website is private and secure: you know which site you’re talking to, and that nobody else is listening in.

The website’s certificate is itself signed by a CA (Certificate Authority) that your browser trusts. Site owners have to renew their certificates every so often, to prove that they’re still the legitimate owners of the site’s encryption keys.

If you visit a site with an expired certificate then your browser will notice and issue a strong warning.

The US government isn’t doing anything deemed nonessential under the current shutdown, and that seems to include renewing TLS certificates. As they expire, sites are beginning to throw expired certificate warnings, and in many cases become unavailable altogether.

One example is NASA’s rocket testing site at, which throws what’s called an interstitial warning. This means that the certificate has expired, but the browser gives you the option to ignore the warning and visit the website anyway at your own risk. Another site taking this approach to its expired certificate is, a site used by the US Court of Appeals.
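The expiry check a site owner would want in a cron job, as an added example (not Netcraft’s monitoring or any agency’s code): it classifies a certificate’s validity period as ok, expiring, expired or not-yet-valid using only the Python standard library. check_cert_dates() works on the dictionary that ssl’s getpeercert() returns, so it is exercised offline on a constructed record; fetch_peer_cert() does the live handshake, and the 14-day warning window is an assumed policy.

```python
"""Report TLS certificates that have expired or are inside the renewal window.

Added example, not from the article: stdlib only. check_cert_dates() works on
the dict shape returned by ssl.SSLSocket.getpeercert(), so it can be exercised
offline on the constructed record below; fetch_peer_cert() does a live fetch.
"""
import calendar
import socket
import ssl
import time

WARN_DAYS = 14  # assumed renewal window; pick what your change process needs


def utc_timestamp(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC date (for reproducible checks)."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def check_cert_dates(cert, now=None):
    """Classify a getpeercert()-style dict by its validity period.

    Returns (status, days_left) where status is 'ok', 'expiring', 'expired'
    or 'not-yet-valid'. Date strings use the 'Jan 20 00:00:00 2019 GMT'
    format that ssl.cert_time_to_seconds() parses.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400.0
    if now < not_before:
        return "not-yet-valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left <= WARN_DAYS:
        return "expiring", days_left
    return "ok", days_left


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Return (cert_dict, error) for a live server; needs network access.

    The default context verifies the chain, hostname and validity period, so
    an expired certificate surfaces as an SSLCertVerificationError (the same
    failure behind the browser warnings the article describes) rather than as
    a cert dict; its verify message is returned for the operator to read.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return None, str(exc)


def report(hostnames, now=None):
    """One status line per host, e.g. for a cron job that pages on 'expired'."""
    lines = []
    for host in hostnames:
        cert, error = fetch_peer_cert(host)
        if cert is None:
            lines.append(f"{host}: handshake failed: {error}")
            continue
        status, days = check_cert_dates(cert, now)
        lines.append(f"{host}: {status} ({days:.1f} days left)")
    return lines


# Constructed record in the getpeercert() shape; not a real .gov certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Jan 10 00:00:00 2019 GMT",
    "notAfter": "Jan 20 00:00:00 2019 GMT",
}

if __name__ == "__main__":
    print(check_cert_dates(SAMPLE_CERT, now=utc_timestamp(2019, 1, 15)))
    for line in report(["example.com"]):
        print(line)
```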


January 14, 2019

USB-C Authentication sounds great, so why are people worried?

By John E Dunn

What do Stuxnet, BadUSB, USB Killer, and rubber duckies have in common?

The common theme isn’t hard to spot – they’re all computer attacks that launch from USB flash drives.

The problem with USB devices (or the attraction, if you’re a cybercriminal) is that they’re a devastatingly simple way to sneak malware on to computers, especially important ones protected by air gaps.

There are so many malicious possibilities, in fact, that Israeli researchers were recently able to list no fewer than 29 different ways USB devices can compromise almost anything they’re plugged into.

In 2016, the USB 3.0 Promoter Group (Apple, Microsoft, Intel and others) announced its solution in the form of the USB Type-C Authentication specification.

This protocol would, they promised, cryptographically verify the identity of USB-C devices such as flash drives and chargers before a data or power connection is made, making it impossible for fake or malicious drives to exploit a computer.

At a stroke, organisations would have a way of blocking rogue devices from being plugged into their computers by disallowing unverified devices by policy.

Consumers, meanwhile, would be able to use chargers at airports without fear of attacks and know that any chargers, cables, docks, adapters, and drives they bought were the real deal and not fakes.


Facebook exec gets SWATted

By Lisa Vaas

A man identified as a Facebook executive got SWATted on Tuesday night.

The Palo Alto Daily Post reports that police, fire department and public safety agents swarmed the exec’s home in Palo Alto, California, in response to a hoax call from a man claiming to be him who said he’d shot his wife with an assault rifle, tied up his kids, put “pipe bombs all over the place,” and that he’d kill police or anyone else if they came near.

Police said in a statement that the prank call came in at 9:16pm.

When officers – including trained crisis negotiators – responded, they surrounded the exec’s home and ordered the residents to come out. Two befuddled but calm people emerged: the executive and a woman who lives in a separate unit. They had no idea what was going on, and police found no children, tied-up or otherwise.

“The entire call was a hoax,” the police department said, with the suspect having impersonated the man by using his name.

Police Agent Marianna Villaescusa, who spoke as a negotiator with the prankster, said she stayed on the phone with the SWATter for about an hour, though he didn’t talk much. The Palo Alto Police Department said that the man placed the call to a 24-hour dispatch center using an untraceable number.


10 years for Boston Children’s Hospital DDoSer

By Lisa Vaas

Martin Gottesfeld, the hacker who attacked Boston Children’s Hospital (BCH), fled the US when the Feds came knocking, was subsequently plucked off a sailboat bobbing off the coast of Cuba, and who says his only regret is that he “didn’t get to Justina sooner,” has been sentenced to 10 years in jail.

Gottesfeld represented himself at a hearing in US District Court in Boston on Thursday. After the hearing, he told Judge Nathaniel Gorton that he believes that he made a big difference in the life of Justina Pelletier.

Starting 14 February 2013, then-15-year-old Justina was held in custody as a ward of the state in Massachusetts, at the order of a Boston hospital that decided her illness was all in her head, aggravated by what some doctors perceived to be medical abuse doled out by her parents.

In April 2014, hacktivists who slapped themselves with the Anonymous brand of hacktivism decided to inject themselves into the situation by launching #opJustina.

That #op entailed flooding multiple hospitals’ computer networks with distributed denial of service (DDoS) e-garbage and the standard, monotone, Guy Fawkes mask-wearing call for others to join in.

Gottesfeld was charged in February 2016 and found guilty in August 2018.

He’s never publicly expressed remorse.

Gottesfeld’s first target was Wayside Youth and Family Support Network, the Framingham residential facility where Justina had been living under state custody. Then he went after BCH.


Old tweets reveal hidden secrets

By Danny Bradbury

Old Twitter posts could reveal more about you than you think, according to a research paper released this month. Tweets could reveal places you visited and things you did, even if you didn’t explicitly mention them.

Researchers from the Foundation for Research and Technology in Greece and the University of Illinois found all this out after writing a tool called LPAuditor. The software mines publicly available tweet data that anyone can download from Twitter via its application programming interface (API).

Using the tool, they analyzed the metadata – hidden information about a tweet embedded in the post – to identify users’ homes, workplaces and sensitive places that they visited. In dozens of cases, they were also able to identify the users behind anonymous Twitter accounts.

In the paper, entitled Please Forget Where I Was Last Summer: The Privacy Risks of Public Location (Meta)Data, the researchers said:

even if users are cautious and nothing sensitive is disclosed in the tweets, the location information obtainable with our duration-based approach can result in significant privacy loss.

The insecurity stems from historical Twitter data posted prior to April 2015. Before this date, if a user geotagged themselves in a broad area such as a city, the social network embedded their exact GPS coordinates in the tweet’s metadata. Users simply looking at the Twitter app or web site would not have been aware of this because it only shows up in the raw data obtained via the API. Although Twitter stopped embedding this data in 2015, the historical information is still publicly available via the API.


2FA codes can be phished by new pentest tool

By John E Dunn

With every new hack, it’s becoming clearer that older forms of two-factor authentication (2FA) are no longer the reassuring security protection they once were.

The latest and perhaps most significant is that researcher Piotr Duszynski has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps.

On one level, Modlishka is simply a tool that sits on the same server as a phishing site capturing any credentials and 2FA tokens the user can be tricked into sending it.

But instead of cloning the phished site (Gmail, say), it behaves like a reverse proxy, cleverly feeding the user content from the real site to make an attack look more convincing.

The user thinks they are interacting with the real site because they are – Modlishka, meanwhile, proxies all of this without the user realizing.

A video demo shows how Modlishka could be used to phish a Google user but it could just as easily be used against any service where the same authentication is in use.

Explains Duszynski:

This tool should be very useful to all penetration testers that want to carry out an effective phishing campaign (also as part of their red team engagements).

Was it right to publish such a powerful tool? Arguably, yes. When used for its intended purpose – simulating phishing attacks against 2FA as part of a penetration or social engineering test – it offers an important insight into the vulnerability of this type of security.


January 9, 2019 »

How to share photos – without using Facebook

By Maria Varmazis

Ah, Facebook. We don’t know how to quit you.

Some pundits tell us blithely: Just delete the app, delete your account! Extricate yourself forever. If only it was that easy.

Many of us who want to quit would do it in a heartbeat if we could replicate the functionality that keeps us coming back. Aside from its massive user base, the other major hook Facebook has for many of us is that it’s a one-stop shop for a number of different tasks.

One of the key features that keeps people going back to Facebook seems to be photo sharing. Especially with far-flung family and friends, folks with little kids and/or much-loved pets at home really, really want to share those photos with their adoring grandmama. And since grandmama is on Facebook, and all the aunties and uncles are too, photo sharing there is the path of least resistance.

But there are other options for photo sharing that don’t hand over every pixel to the Facebook megamind. These options fall under a few categories, so let’s explore:


Politicians who block social media users are violating First Amendment

By Lisa Vaas

Keep your hands off that “block” button, an appeals court told a government bureaucrat who temporarily blocked a constituent who’d posted criticism on one of her Facebook Pages. Blocking is unconstitutional, the court declared, given that aspects of the page in question “bear the hallmarks of a public forum.”

The ruling was handed down on Monday by the US Court of Appeals for the Fourth Circuit and could serve as a precedent, given that it’s the first decision from an appellate court that addresses the applicability of the First Amendment to social media accounts run by public officials.

A similar case, in which a New York judge banned President Donald Trump from blocking Twitter users on the grounds that it’s a violation of free-speech rights, is pending appeal in the Second Circuit Appeals Court.

The Trump Administration argues that the @realDonaldTrump account is a personal one, meaning that the First Amendment doesn’t apply. The appeal is due to be heard soon. The case could wind up in the Supreme Court, as US courts deal with the question of what constitutes an “official” account on social media.

The difference between a personal and an official social media account was at the crux of the case decided on Monday.

That case was about what Phyllis Randall, Chair of the Board of Supervisors in Loudoun County, Virginia, got up to with one of her Facebook pages.


Got an SMS offering $$$ refund? Don’t fall for it…

By Paul Ducklin

SMS, also known as text messaging, may be a bit of a “yesterday” technology…

…but SMS phishing is alive and well, and a good reminder that KISS really works.

If you aren’t familiar with the acronym KISS, it’s short for “keep it simple, stupid.”

Despite the rather insulting tone when you say the phrase out loud, the underlying ideas work rather well in cybercrime.

Don’t overcomplicate things; pick a believable lie and stick to it; and make it easy for the victim to “figure it out” for themselves, so they don’t feel confused or pressurized anywhere along the way.


January 8, 2019 »

Facial recognition on 42 Android phones beaten by photo test

By John E Dunn

How easy is it to bypass the average smartphone’s facial recognition security?

According to the Dutch consumer protection organization Consumentenbond, in the case of several dozen Android models, it’s a lot easier than most owners probably realise.

Its researchers tested 110 devices, finding that 42 could be beaten by holding up nothing more elaborate than a photograph of a device’s owner.

Consumentenbond offers little detail of its testing methodology but it seems these weren’t high-resolution photographs – almost any would do, including those grabbed from social media accounts or selfies taken on another smartphone.

While users might conclude from this test that it’s not worth turning on facial recognition, the good news is that 68 devices, including Apple’s recent XR and XS models, resisted this simple attack, as did many other high-end Android models from Samsung, Huawei, OnePlus, and Honor.

Confusingly, many of the models that failed were from the same vendors, including Asus, Huawei, Lenovo/Motorola, LG, Nokia, Samsung, BlackBerry, and Xiaomi. In the case of Sony, every model tested failed. A further six – an Honor and six LG models – only passed the test when put into a ‘strict’ mode.

Generally, expensive handsets performed better than cheaper ones but this wasn’t always the case. For example, Sony’s $1,000 Xperia XZ2 Premium (US version) failed while Motorola’s Moto G6 costing less than a third of that price tag passed. A full list of the models that passed the photo test can be found on Consumentenbond’s website.


How to spot a social media hoax

By Lisa Vaas

Well, well, well, if it isn’t the WhatsApp Gold/’martinelli’ video scam, back again, as half-bunk and half-real-threat as ever.

Excellent! It’s a great opportunity to offer some advice on pulling the rug out from under these and other scammers. For the dissection of Gold/martinelli, read on. For some advice to forward to the prey of the scammers, jump on further down!

The current bunk

As Snopes tells it, the WhatsApp Gold scam messages have been kicking around since at least 2016 in varyingly worded messages, claiming that some new “premium service” would get users extra goodies, such as video calling and new emojis.

Hey Finally Secret WhatsApp golden version has been leaked, this version is used only by big celebrities. Now we can use it too.

Users who clicked on the link got no goodies. They got baddies, in the form of a malware-rigged, non-WhatsApp website. The malware, nicknamed WhatsApp Gold, was designed to break into phones and steal victims’ messages and other private data.

Bad enough, eh? Well, the mad cyber scientists decided to make it a bit more poisonous when they wrapped a true warning about the real WhatsApp Gold malware around a bogus warning about a fictional video called martinelli.


Hacker uses early warning system for fake message campaign

By Danny Bradbury

Australians got scary texts, emails and phone calls from a trusted emergency warning service late last week after a hacker broke into its systems and used it to send fake messages.

On 5 January, the intruder compromised systems operated by the Early Warning Network, an Australian company that provides early warning information about severe weather events and bushfires to clients across the country. Started in 2007, the company provides emergency warning services to federal, state and municipal government clients to help protect their citizens.

The hacker used EWN’s systems to send messages to citizens via email, landline phone calls, and SMS. The messages, sent from, were titled “EWM Hacked – Privacy Alert” and read:

EWM has been hacked. Your personal data stored with us is not safe. We are trying to fix the security issues. Please email if you wish to subscribe. ASX AER

The company moved quickly to fix the problem, catching the attack and shutting off the system. Nevertheless, a “small proportion” of its database received the alert, it said in a Facebook notice. Reports indicated that tens of thousands of people had been affected.


LA sues The Weather Channel over selling users’ location data

By Lisa Vaas

Los Angeles has sued The Weather Channel (TWC), claiming that it’s been posing as a “personalized local weather data, alerts and forecasts” app but in truth makes profits by tracking users “throughout the day and night” so as to sell their private, personal location data.

The lawsuit calls The Weather Company’s practices “fraudulent and deceptive” and says they violate California’s Unfair Competition Law. TWC fails to disclose that it collects users’ location data and sends it to third parties, the suit maintains.

It isn’t about analyzing the clouds above our heads for a personalized weather forecast, LA says. Rather, it’s about collecting location data for “advertising and other commercial purposes unrelated to weather data, alerts and forecasts.”

None of the marketing purposes of collecting geolocation data are disclosed on either Apple’s App Store or Google’s Android Play Store versions of the free app, which is also available in an ad-free version for $3.99, the lawsuit notes.

When users download the app, TWC prompts them to allow it to access their location data, but it doesn’t say anything about sharing that data, the lawsuit says:

The permission prompt also fails to reference or link to any other source containing more detailed information about what users’ geolocation information will be used for.

Granted, the app’s privacy policy does note that data could be used for targeted advertising and might be shared with “partners,” the lawsuit says. But why would users even think to look at the policy, given that the prompt doesn’t mention that their data will be used in those ways?


Hacker doxes hundreds of German politicians

By Lisa Vaas

Since 1 December, one or more hackers have been publishing data and documents from hundreds of German politicians in a Twitter advent calendar – a massive assault on the government that wasn’t discovered until Thursday night.

Apparently, nobody noticed until the hacker hijacked the Twitter account of German YouTube star Simon Unge.

On Friday, Berlin public broadcaster RBB Inforadio was the first to report on the hack.

RBB reported that it’s not yet known who the culprit(s) are. But there are theories: A YouTuber named Tomasz Niemiec told news outlet that a guy who’s out to gain attention is behind the attacks.

Niemiec said that he knew the hacker strictly through online communications and that the man has been active for years, collecting data and hacking YouTube accounts.

Niemiec says he talked to the hacker on Friday in an effort to get him to surrender Unge’s hijacked account: a highly valuable one with two million YouTube followers. According to what Niemiec told, the hacker has hinted that he hijacked Unge’s account by exploiting a supposed bug in two-factor authentication – a purported bug that he doesn’t intend to publish, Niemiec said.


Update now! Adobe Acrobat and Reader have critical flaws

By John E Dunn

Adobe has patched two critical flaws in Acrobat and Reader that warrant urgent attention.

Officially, Adobe patches security vulnerabilities around the middle of each month to coordinate with Microsoft’s Patch Tuesday, but recently it’s become almost routine for the company to issue out-of-band updates in between.

APSB19-02, the first such update to reach customers in the new year, addresses critical flaws with a priority rating of ‘2’.

That means the flaws are potentially serious, but Adobe hasn’t detected any real-world exploits (which would entail issuing an ‘emergency’ patch with a ‘1’ rating).

The first flaw, identified as CVE-2018-16011, is described by Adobe as a use-after-free bug that an attacker could exploit, via a maliciously crafted PDF, to take control of a target system and install malware of their choice.

The second, CVE-2018-16018 (replacing CVE-2018-19725), is a security bypass targeting JavaScript API restrictions on Adobe Reader DC and seems to have been in the works since before Christmas.


January 4, 2019 »

Vein authentication beaten by wax hand and photograph

By John E Dunn

For anyone who believes vein authentication is more secure than fingerprints or facial recognition, we have good news – researchers have just shown how the technology can be beaten.

Before we explain why that statement isn’t a contradiction, let’s dive a bit deeper into what researchers Jan Krissler and Julian Albrecht reportedly outlined at last weekend’s Chaos Communication Congress (CCC) in Germany.

As with fingerprints, faces, or the iris of the human eye, the complex shape, size and position of the veins in someone’s palm are unique to each person, including identical twins.

These patterns are read using near-infrared light (i.e. almost visible as opposed to the non-visible ‘far’ infrared emitted by warm objects) and are less prone to physical injury than fingerprints. Unlike fingerprints, we also don’t leave them on the objects we touch for someone to copy.

There are disadvantages: vein patterns change slightly as people age, ambient light can interfere with recognition, and the precision needed to make the technology work makes it expensive.

That last issue might explain why, beyond a handful of banks and high-end users such as the HQ of Germany’s Bundesnachrichtendienst (BND) intelligence agency, few people are currently likely to encounter the use of vein authentication.


Don’t fall victim to the Chromecast hackers – here’s what to do

By Paul Ducklin

If you ever used dial-up networking to access the internet, you probably remember it mostly for being cumbersome and slow.

But it was also astonishingly insecure, because your computer – which was probably running Windows 95, Windows 3, or even good old DOS – ended up with a public-facing IP number, connected straight onto the internet.

Other users out there could, literally and figuratively, reach out and probe your computer directly.

In recent years, however, we’ve got used to the idea that home computers don’t get plugged directly onto the internet – they typically connect through a router instead, and it’s the router that’s plugged into the internet connection.

Indeed, it’s tempting to assume that home routers came about specifically to address the security risks inherent in connecting laptops and other home devices straight onto the internet…

…but the truth is that the main reason for having a home router is to support multiple devices through connection sharing.

That means your ISP only needs to hand out one IP number per household, rather than one IP number per device.


EU to offer nearly $1m in bug bounties for open-source software

By Lisa Vaas

The internet runs on open-source, and it’s often hardworking volunteer developers who spend long hours keeping the projects alive. Unfortunately, they don’t always have the time or resources they need to hunt down the bugs that inevitably spring up in these large, complex code bases.

The European Commission (EC) just made a move to improve the situation: it’s ponying up serious money for bug hunters who track down vulnerabilities in some of the most popular free and open source software around.

The full list of 15 bounty programs includes the file archiver 7-zip, the Java servlet container Apache Tomcat, the content management framework Drupal, the cross-platform FTP application Filezilla, the media player VLC, the password manager KeePass, the text/source code editor Notepad++, plus other popular tools. Rewards start at €25,000 and go on up to €90,000 ($28,600 to $103,000), for a total offered amount of €851,000 ($973,000).

Fourteen of the programs will launch this month, while the 15th will start in March.

As with other bug bounties, the amount paid by the EC will depend on the severity of the discovered vulnerabilities and how important the given software is.


US newspapers battle ransomware

By John E Dunn

As if the US newspaper industry doesn’t have enough to contend with, on the morning of 29 December one of its largest publishing groups, Tribune Media, found itself battling a major ransomware attack.

This caused big problems for many newspapers in its stable, including the Chicago Tribune and New York Daily News, as well as the Los Angeles Times and San Diego Union-Tribune, which were sold last year but still share Tribune Media’s publishing platform.

The disruption varied from title to title, but in most cases, Saturday’s delivery was delayed for up to 24 hours while others were printed without regular sections.

Even The New York Times and The Wall Street Journal, which were not directly affected but share an LA printing press for some editions, were disrupted.

But who was to blame?

A report in the Los Angeles Times said an informed source had identified a “foreign entity,” before going on to mention an important detail:

One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.

As our recent article on the topic noted, Ryuk has been connected to North Korea on the basis of some similarities (such as the encryption used) between it and another ransomware called Hermes, which some people attribute to North Korea’s Lazarus Group.


Dark Overlord hackers release alleged 9/11 lawsuit documents

By Lisa Vaas

Bright new year, slimy return of The Dark Overlord (TDO), a well-known group of highly self-amusing cyber extortionists who’ve now chosen 9/11-related firms to pick on.

The group announced on Pastebin (content now removed) on New Year’s Eve that it had hacked a law firm that handles cases relating to the 11 September 2001 terrorist attacks. It threatened to publicly release what it claimed are gigabytes of confidential, litigation-related documents:

E-mails, retainer agreements, non-disclosure agreements, settlements, litigation strategies, liability analysis, defense formations, collection of expert witness testimonies, testimonies, communications with government officials in countries all over the world, voice mails, dealings with the FBI, USDOJ, DOD, and more, confidential communications, and so much more.

The gang is apparently expanding its repertoire to include capitalizing on conspiracy theories. It tweeted on Monday about “providing many answers” about such conspiracies with the document cache.

Come and get ’em, TDO said to terrorists and enemy states:

If you’re a terrorist organization such as ISIS/ISIL, Al-Qaeda, or a competing nation state of the USA such as China or Russia, you’re welcome to purchase our trove of documents.

Then, on Wednesday morning, TDO announced on Pastebin (content now removed) that it had released a teaser’s worth of documents to verify its claims. It presented a tiered plan to “release each layer of damaging documents that are filled with new truths, never before seen.”

Each layer contains more secrets, more damaging materials, more SSI [Sensitive Security Information], more SCI [Special Compartment Information], more government investigation materials, and generally just more truth. Consider our motivations (money, specifically Bitcoin), we’re not inclined to leak the juiciest items until we’re paid in full.

As of yesterday afternoon, the group’s bitcoin wallet had received three payments. Also yesterday, Twitter suspended an account, @tdo_h4ck3rs, that recently began selling access to stolen legal documents.


Warn your friends they can’t bypass Facebook with this hoax

By Lisa Vaas

Sorry to say, but 2019 has not ushered in new “tips to bypass FB” as it supposedly limits posts on your news feed.

Nor has Facebook ushered in a new algorithm that “chooses the same few people – about 25 – who will read your posts”, at least not that we’ve heard.

Rather, we’re still stuck with whatever murky, stubbornly unfathomable algorithms Facebook uses to determine the order of content in our feeds, regardless of what the latest, breathless spin on this wheezy old hoax wants you to believe. To wit:

Thanks for the tips to bypass FB – it WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years.

Here’s how to bypass the system FB now has in place that limits posts on your news feed.

Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, Hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up and click paste. This will bypass the system. Hi new and old friends!


January 2, 2019 »

How to secure your Instagram account using 2FA

By Maria Varmazis

With our archives full to bursting with stories of hijacked social media accounts, it’s a very good idea to set up two-factor authentication (2FA) on all the platforms you use. 2FA combines your password with something else – a text message to your phone, a code generated by an authenticator app, or a physical key.

Although Instagram is part of Facebook, and Facebook supports several 2FA methods, the 2FA setup process isn’t exactly the same as it is for Facebook, so if you need a bit of help on how to get two-factor authentication on your Instagram account, we’ve outlined the steps in detail below.

While you can browse Instagram and use some Instagram features from a web browser, it’s really meant to be accessed within the Instagram app. To follow the steps below, you’ll need to be logged into the Instagram app on your smartphone or tablet.

    • Go to your Profile by tapping the person icon in the bottom right of the app.
    • Open the “hamburger” menu in the top right of the screen. Tap Settings at the very bottom of that menu.
    • Scroll down to the Privacy and security section and open it up.
    • Under the Security section you’ll find the Two-factor authentication option.


How to secure your Twitter account

By Maria Varmazis

Intrusions into your Twitter account might range from mild annoyance, to a serious PR fail, to an international political gaffe.

Regardless of how you use it, there’s no need to make it easier for someone who wants to hijack your Twitter account. It’s quite easy to improve the security of your Twitter account and it only takes a few minutes.

Enable two-factor authentication (2FA)

Having a strong, unique password is an important first step to securing your account, but passwords can be easily guessed or generated by an attacker, so by themselves they’re not enough to stop someone in their tracks.

Your best bet to keep someone out of your account is to also enable two-factor authentication, which means you’ll need a second factor – like a numerical code or physical key – to prove it’s you when you log in to your account. It’s extremely unlikely that someone trying to break into your account has both your password AND access to your unlocked phone, so enabling two-factor authentication significantly reduces the chance of an account break-in.


How to protect your Facebook account: a walkthrough

By Maria Varmazis

Those of you who have joined team #DeleteFacebook may avert your eyes. There are some of us – okay, many of us – who remain on the ubiquitous social media platform, and if you’re one of them, there are some things you can do to make your account more secure from prying eyes.

Here we walk you through the important settings you can change and behaviors you can implement to lock down your privacy on the social network.

Note: To change many of the settings below, Facebook will ask you to input your password. It’s a good reminder that if your password isn’t strong or unique to the site, now is the perfect time to change it!

Enable 2FA

If you only do one thing on the list in this article, do this: enable two-factor authentication (2FA). This means someone trying to break into your Facebook account needs more than just your password; they also need a second token that you own, be it a code or a physical key. The chances of someone having this in their possession are pretty small, so this step will stop most intruders in their tracks.
