January 18, 2018 »

Configuration errors in Intel workstations being labeled a security hole

By Andy Patrizio

Security researchers at an antivirus company have documented another potentially serious security hole in an Intel product, this time in the mechanism for performing system updates. The good news, however, is that it is limited to desktops, is a configuration error, and does not appear to impact servers.

Read more at https://www.networkworld.com/article/3248584/security/configuration-errors-in-intel-workstations-being-labeled-a-security-hole.html

Yes, Hawaii emergency management stuck a password on a sticky note

By Lisa Vaas

A false alarm about a ballistic missile; a panic-stricken populace running for cover; the governor and the FCC chief dissing your agency’s lack of safeguards or process controls; and just to add a dash of ludicrous to the unsavory dish that is this week, a conspiracy theory about how these “accidental” missile alerts aren’t really accidents at all.

Wow. Could things possibly get any worse for the people over at the Hawaii Emergency Management Agency (HI-EMA)?

Why, yes! The worsitude comes in the flimsiest but all too familiar of forms: a yellow sticky note, spotted in an Associated Press photo from July, at the agency’s headquarters at Diamond Head, bearing a password and stuck to a computer screen. While there’s a press photographer in the room, obviously.

Richard Rapoza, a spokesman for HI-EMA, told Hawaii News Now that the password is authentic and was actually used for an “internal application.”

Read more at https://nakedsecurity.sophos.com/2018/01/18/yes-hawaii-emergency-management-stuck-a-password-on-a-sticky-note/

Hijackers DM @realDonaldTrump from former Fox News hosts’ accounts

By Lisa Vaas

The Twitter accounts of two former Fox News hosts were hijacked on Tuesday by somebody or somebodies who filled their feeds with propaganda supporting Turkey’s controversial president, Recep Tayyip Erdogan.

The accounts, which belong to Eric Bolling and Greta Van Susteren, were restored within a few hours, but not before alert Twitter users grabbed screen captures.

The Huffington Post translated one of the propaganda posts that was written in Turkish. It read:

You are hacked by the Turkish cyber army Ayyildiz Tim! We got your DM correspondence! We will show you the power of the Turk!

Another, written in English, from the hijacked Van Susteren account:

We love the Turks and Muslims in the world. We condemn those who persecute them, especially in the United States, and we share their suffering. We love Turkish soldiers, we love Erdogan, we love Turkey.

While they still had control of the accounts, the hackers also posted a screenshot of what appeared to be Bolling’s direct messages.

Read more at https://nakedsecurity.sophos.com/2018/01/18/hijackers-dm-realdonaldtrump-from-former-fox-news-hosts-accounts/

BlackWallet cryptocurrency site loses users’ money after DNS hijack

By John E Dunn

Another site in the booming cryptocurrency wallet sector has been hacked after what looks like a DNS hijacking attack.

The victim this time is BlackWallet, whose users reportedly lost 670,000 of a currency called Stellar Lumens (XLMs) worth around $425,000 at the point they were stolen on the afternoon of 13 January.

News that something was amiss first emerged in a Reddit posting claiming to be from the site’s admin:

BlackWallet was compromised today, after someone accessed my hosting provider account. I am sincerely sorry about this and hope that we will get the funds back.

A security researcher who took a look at blackwallet.co before it was taken down tweeted:

The DNS hijack of Blackwallet injected code, if you had over 20 Lumens it pushes them to a different wallet.

The stolen XLMs were reportedly siphoned off to the Bittrex cryptocurrency exchange, before (most likely) being laundered into another cryptocurrency.

Once they have control over any domain, attackers clearly have a lot of power to manipulate, monitor or redirect users logging in, but the deeper question always comes down to how they got this far.

Read more at https://nakedsecurity.sophos.com/2018/01/18/blackwallet-cryptocurrency-site-loses-users-money-after-dns-hijack/

SkyGoFree malware spies on your Android phone and your messages

By Paul Ducklin

Android threat-of-the-year so far in 2018, at least if you measure by media interest, is the curiously-named SkyGoFree malware.

(The name was apparently invented by researchers at Kaspersky, simply because they “found the word in one of the domains” used in one of the samples they looked at – the malware isn’t targeted at users of the telecommunications company Sky or its Sky Go TV product.)

In one word, SkyGoFree (or SkyFree as Sophos products detect it) is easily described: spyware.

A quick look in the decompiled Java code of the malware reveals the range of data it knows how to steal.

There’s loads more treacherous functionality in the malware, including a function called StartReverse() that connects your phone up to a server run by the crooks to give them what’s called a reverse shell.

Normally, to log on to a command prompt (known in Unix and Linux as a shell) you need to initiate a connection to a device, which means getting through any firewalls and network address translation that are in the way.

Many mobile networks, and almost all Wi-Fi networks, let you make outbound connections to other people, but don’t let others connect inbound directly to you – you’re supposed to be a data consumer (client) on the network, not a data producer (server).

Hackers get around this with a reverse shell: a common intrusion trick that turns the logon process on its head.

Read more at https://nakedsecurity.sophos.com/2018/01/18/skygofree-malware-spies-on-your-android-phone-and-your-messages/

January 17, 2018 »

Twitter rejects claims that it snoops on your private messages

By Lisa Vaas

Twitter has pushed back after the release of undercover videos in which Twitter employees – primarily senior network security engineer Clay Haynes – are depicted as saying that they “view everything” users post on their servers, including private messages and sexual photos, and that employees are more than happy to participate in a Department of Justice investigation into Donald Trump.

The videos were posted by Project Veritas, an independent media outlet known for doctored clips it promotes as exposés on mostly liberal organizations.

The videos look like they were recorded via hidden camera while Haynes shared drinks with members of Project Veritas. The outlet claims to have met with him multiple times.

In one video, Haynes said Twitter is…

More than happy to help the Department of Justice in their little investigation [by providing them with] every single tweet that [Trump] has posted, even the ones he’s deleted. Any direct messages, any mentions.

In another meeting, Haynes says that Twitter has the ability to disclose…

Every single message, every single tweet, whatever you log into, what profile pictures you upload.

That second meeting was attended by Veritas Project founder and Donald Trump ally James O’Keefe, disguised in a wig and glasses. According to the New York Times, Trump has been supporting O’Keefe’s work for years, having donated $10,000 from his foundation to O’Keefe’s group.

During the meeting – a video of which O’Keefe posted here on Twitter – O’Keefe suggests that Haynes peek into direct messages in the accounts of both Donald Trump Senior and Junior. Haynes responds by emphasizing that such access is only permissible as part of the “subpoena process.”

It’s within the context of the subpoena process that Haynes says that Twitter can look at “every single message, every single tweet, whatever you log into, what profile pictures you upload.”

Read more at https://nakedsecurity.sophos.com/2018/01/17/twitter-rejects-claims-that-it-snoops-on-your-private-messages/

Firefox locks down its future with HTTPS ‘secure contexts’

By John E Dunn

Mozilla’s embrace of HTTPS, the secure form of HTTP, has ratcheted up a notch with the news that Firefox developers must start using a web security design called ‘secure contexts’ “effective immediately.”

This isn’t a surprise – Mozilla mandated that security-sensitive geolocation be added as a secure context last March – but the signal is still significant.

Announced Mozilla:

All the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP.

Everyone involved in standards development is strongly encouraged to advocate requiring secure contexts for all new features on behalf of Mozilla.

The odd thing is that while secure contexts (also called ‘secure origins’) matter a lot to end user security, almost nobody beyond web devs has ever heard of the mechanism or pondered why it might be a big deal.

This could be about to change thanks to the publicity generated by the much better-known campaign by Google and others to migrate websites from insecure HTTP connections to encrypted HTTPS.

The principle of secure contexts is an incredibly simple one – that certain powerful web capabilities and APIs (whose risks users are often barely aware of) should be forced to work over HTTPS.

These mostly hidden functions currently include:

  • Geolocation
  • Bluetooth
  • HTTP/2
  • Web notifications API
  • Webcam and microphone access
  • Google’s Brotli web compression algorithm
  • Google’s Accelerated Mobile Pages (AMP)
  • Encrypted Media Extensions (EME)
  • The Payment Request API
  • Service Workers used for background sync and notification

(Another three – the AppCache API, Device motion/orientation, and Fullscreen – will follow in time.)
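To make the mechanism concrete, here is an added example (not Mozilla’s code and not from the article) that models the “potentially trustworthy origin” test browsers apply before exposing the features listed above: HTTPS, WSS and file origins pass, plain HTTP passes only on loopback, and a page is a secure context only if every ancestor frame is secure too. The feature names and handler are assumptions for illustration.

```javascript
// Added example, not code from Mozilla or the article: a simplified model of
// the "potentially trustworthy origin" test from the W3C Secure Contexts
// specification, plus a gate that refuses a powerful feature unless every
// frame in the ancestor chain is itself secure.

function isPotentiallyTrustworthyOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"

  // Encrypted transports and local files are trustworthy by scheme alone.
  if (scheme === "https" || scheme === "wss" || scheme === "file") {
    return true;
  }

  // Plain http/ws is acceptable only on loopback, where no network
  // attacker can sit between the browser and the server.
  const host = url.hostname; // WHATWG URL keeps the brackets on IPv6 hosts
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;

  return false;
}

// A document is a secure context only if its own origin AND every ancestor
// frame's origin is potentially trustworthy: an https iframe inside an http
// page is not secure, because a network attacker who tampers with the
// insecure parent can replace or overlay the frame.
function isSecureContext(originChain) {
  return originChain.length > 0 && originChain.every(isPotentiallyTrustworthyOrigin);
}

// Gate for a "powerful feature" (geolocation, camera, service workers...).
// Returns the feature's result on success, or a refusal object otherwise,
// mirroring the way browsers fail such calls outside secure contexts.
function requestPowerfulFeature(name, originChain, handler) {
  if (!isSecureContext(originChain)) {
    return { allowed: false, reason: `${name} requires a secure context` };
  }
  return { allowed: true, value: handler() };
}

// Constructed demo: an https map widget framed by an http news page is refused.
const demo = requestPowerfulFeature(
  "geolocation",
  ["http://news.example", "https://maps.example"], // top-level first, then the iframe
  () => ({ lat: 0, lon: 0 })
);
console.log(demo); // { allowed: false, reason: 'geolocation requires a secure context' }
```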

Read more at https://nakedsecurity.sophos.com/2018/01/17/firefox-locks-down-its-future-with-https-secure-contexts/

Man charged with selling billions of breached records on LeakedSource

By Lisa Vaas

A year ago, LeakedSource – a site that sold access to credentials stolen in data breaches – suddenly blinked out of sight, reportedly after the FBI raided it and seized its servers.

On Monday, the Royal Canadian Mounted Police (RCMP) announced that a man who was allegedly the site’s sole operator appeared in a Toronto court that day.

27-year-old Jordan Evan Bloom, of Thornhill, Ontario, was arrested on 22 December 2016 and charged on Monday with selling people’s data for a “small fee,” according to the RCMP. Those small fees must have added up: Bloom allegedly raked in approximately $247,000 from administering the site, which allegedly trafficked approximately three billion stolen personal identity records.

LeakedSource sold subscriptions to any and all comers. That allowed breach-as-a-service customers to browse through troves of data breach files. Buyers could also easily search for a victim’s name, username and email address so as to access other information, including their cleartext passwords.

The investigation into LeakedSource – an investigation Canadian authorities dubbed Project “Adoration” – began in 2016. That’s when the RCMP learned that LeakedSource was being hosted on Quebec servers. The Dutch National Police and the FBI helped out with the investigation.

LeakedSource was initially set up in 2015 and shut down in early 2017 – a lifespan during which it collected and sold those three billion personal identity records and their associated passwords from a string of major breaches. According to the International Business Times, the breaches included those at LinkedIn, MySpace, DropBox and AdultFriendFinder.

Bloom is facing charges of trafficking in ID information, unauthorized computer use, mischief to data, and possession of property obtained by crime.

Reuters talked to Toronto cybersecurity lawyer Imran Ahmad, who said that the charges against Bloom carry maximum sentences of between five and 10 years in prison.

Read more at https://nakedsecurity.sophos.com/2018/01/17/man-charged-with-selling-billions-of-breached-records-on-leakedsource/

It’s raining fake missiles: Japan follows Hawaii with mistaken alert

By Paul Ducklin

No sooner had we written up that fake missile alert in Hawaii than another fake missile alert was sent out, this time in Japan.

Japan’s national broadcaster, NHK, published an apology:

NHK is apologizing after issuing a false alert that said North Korea had probably launched a missile and warned people in Japan to take cover.

The false message was sent in Japanese shortly before 7 PM local time on Tuesday. It went out through the public broadcaster’s Japanese apps and website.

A few minutes later, NHK corrected the wrong information. There are no reports of problems caused by the mistake. NHK says a switching error is to blame.

The incident comes just days after officials in the US state of Hawaii issued a false missile alarm and caused panic.

In the Hawaii incident at the weekend, a public servant who was supposed to perform a routine test of the state’s missile warning system apparently selected the “send real alert” option instead.

Despite the dreadful implications of a real alert, and the unlikelihood of a real alert compared to the regularity of a test alert, there was apparently no additional oversight needed – no supervisor approval or peer review requiring confirmation from a second person.

However, there was a precaution in place in Hawaii to prevent the inadvertent cancellation of warnings.

Read more at https://nakedsecurity.sophos.com/2018/01/16/its-raining-fake-missiles-japan-follows-hawaii-with-mistaken-alert/

FBI expert calls Apple ‘jerks’ as encryption tension simmers

By John E Dunn

Apple has been called many things in its time but never, as far as anyone can remember, “jerks” by an FBI employee speaking at a public conference.

The man who made these remarks – senior FBI forensic expert Stephen R. Flatley – reportedly followed this up by describing the company as “pretty good at evil genius stuff.”

We don’t have the full context of these remarks – was Flatley perhaps being humorous? – but the seriousness of the conflict that prompted the barbs is not in doubt.

It began on the day in September 2014 when Apple launched iOS 8, after which the company said it could no longer access data on an encrypted iOS device – even if asked to by a government agency handing it a warrant.

The technical backdoor that had always been there as a last resort for investigators was sealed. As the company explained this new world:

Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

As far as the FBI was concerned, shutting out investigators was an obstructive decision by Apple, while from Apple’s point of view, it had no choice. It was following the logic of encryption, which is that a security design in which a backdoor exists will end up being equivalent to no security at all.

Flatley also complained that Apple keeps ratcheting up iOS security, recently changing password iterations from 10,000 to 10m. This meant:

Password attempts speed went from 45 passwords a second to one every 18 seconds. […] At what point is it just trying to one up things and at what point is it to thwart law enforcement?

Not coincidentally, Flatley’s boss and FBI director Christopher Wray used the same event last week to argue that encryption backdoors would not compromise wider security, a viewpoint that many in the security industry have vigorously disagreed with for years.

According to Wray, encryption prevented the FBI from accessing 7,775 mobile devices in 2017, without saying how many of these were Apple’s.

Read more at https://nakedsecurity.sophos.com/2018/01/16/fbi-expert-calls-apple-jerks-as-encryption-tension-simmers/

Man charged over fatal “Call of Duty” SWATting

By Lisa Vaas

Tyler Barriss, the 25-year-old Los Angeles man who was arrested last month for his involvement in a SWATting incident, has now been charged.

He was charged with involuntary manslaughter in placing a SWATting call that resulted in a fatal police shooting of 28-year-old Andrew Finch in Wichita, Kansas on 28 December.

SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams, is the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

In a police briefing the day following the fatal shooting, Wichita Deputy Police Chief Troy Livingston said that the result of the Wichita SWAT has been a “nightmare” for everyone involved: police, the community and Finch’s family.

After his arrest, Barriss didn’t admit to placing the call that led to Finch’s death. He did, however, express remorse in an interview from Sedgwick County jail that he gave to a local TV station.

From the recording:

As far as serving any amount of time. I’ll just take responsibility and serve whatever time, or whatever it is that they throw at me… I’m willing to do it. That’s just how I feel about it.

Barriss said that whatever punishment results from his role in the death of Andrew Finch, it doesn’t matter: it won’t change what happened.

Whether you hang me from a tree, or you give me 5, 10, 15 years… I don’t think it will ever justify what happened.

In the emergency call recording, a man said he’d shot his father in the head. The caller also said he was holding his mother and a sibling at gunpoint in a closet. He said he’d poured gasoline all over the house and that he was thinking of lighting the house on fire.

Police surrounded Finch’s Wichita home, prepared to deal with a hostage situation. When Finch answered the door, he followed police instructions to put up his hands and move slowly. But at some point, authorities said, Finch appeared to be moving his hand toward his waistband as if he was going to pull out a gun.

Read more at https://nakedsecurity.sophos.com/2018/01/16/man-charged-over-fatal-call-of-duty-swatting/

January 16, 2018 »

Netflix phishing campaign goes after your login, credit card, mugshot and ID

By Paul Ducklin

Think of the big security stories of recent months.

Security holes like F**CKWIT and KRACK; a plethora of ransomware attacks ending in extortion; data breaches that were big, bigger or biggest

…there are plenty of candidates for the story that got the most attention.

In contrast, phishing attacks rarely make the news these days, even though (or perhaps precisely because) there are so many of them.

Somehow, phishing seems to have turned into an “obvious” problem that everyone is expected to have experienced, learned from, got the better of, and moved on.

But phishing is still big business for cybercriminals: in the last week alone, for example, SophosLabs intercepted phishing attacks that abused the brands of many financial institutions.

Organizations that had their brands hijacked in this way in the past few days include: eBay, PayPal, VISA, American Express, Bank of America, Chase, HSBC, National Australia Bank – and that’s just a random subset of the list, in one industry sector.

Protecting your brand against abuse by phishers is, sadly, as good as impossible, especially if your brand is well-known and widely advertised.

Every time you send out an email of your own, or publish a blog article, or pen a PR statement, or put a logo on your website, you provide raw material for cybercrooks to copy-and-paste to produce simulacrums of their own.

Ironically, the less original and inventive they try to be, the more legitimate they’ll look, and the less likely they’ll be to introduce spelling, grammar and visual mistakes that clue you in to the deception.

Read more at https://nakedsecurity.sophos.com/2018/01/15/netflix-phishing-campaign-goes-after-your-login-credit-card-mugshot-and-id/

House votes for six more years of warrantless surveillance

By Taylor Armerding

If you’re a member of the US “intelligence community” – the FBI, CIA and NSA – this past Thursday was a great day for homeland security.

A majority vote in the US House of Representatives to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA) for six years will, in their view, give them continued access to the indispensable tools they need to prevent major foreign terrorist attacks. Without them, they would be blinded to terrorist plots within the US, and US soldiers could be at much greater risk on foreign battlefields.

If you’re a privacy/civil liberties advocate, it was an unwelcomed win for Big Brother and a shameful, ominous day for everybody else – a reauthorization of warrantless spying on US citizens that amounts to a back door around the Fourth Amendment’s prohibition against unreasonable search and seizure.

According to a bipartisan “letter to colleagues” from four senators – Republicans Rand Paul (KY) and Michael Lee (R-UT); and Democrats Ron Wyden (OR) and Patrick Leahy (VT) – Section 702 in its present form…

…does nothing substantive to protect the Fourth Amendment rights of innocent Americans. This bill allows an end-run on the Constitution by permitting information collected without a warrant to be used against Americans in domestic criminal investigations.

Most of the debate over Section 702 is not about its stated intent, but about how it is interpreted. The provision allows the NSA to monitor the communications of foreigners located outside the country to gather what was the agency’s original mission: foreign intelligence. That goal gets general, bipartisan support.

But, as has been widely reported since the law was created in 2008, and as the revelations of former NSA contractor Edward Snowden documented, that collection has been both foreign and domestic. The communications of millions of Americans who were not specific targets have been “incidentally” included. And much of that data, critics say, has been made available to other intelligence agencies like the FBI and CIA.

That is what has prompted the intensity of debate over Section 702’s renewal that ramped up last fall.

Read more at https://nakedsecurity.sophos.com/2018/01/15/house-votes-for-six-more-years-of-warrantless-surveillance/

Typosquatting and the risks of one wrong keystroke

By Matthew Phillion

It’s easy to do – you quickly type a URL you use every day, whether it’s Google or Facebook or Amazon, and in your haste, you accidentally swap, add, or delete a single letter and hit enter. Suddenly you’re not where you wanted to be, and often that new strange piece of the internet isn’t a 404 message, but rather an unexpected, and often sinister, website.

Or even stranger, a spoofed version of the site you wanted to visit in the first place.

Registering common misspellings of popular websites to catch users unaware is known as typosquatting, and it’s exactly what it sounds like – cybercriminals scoop up these frequently mis-spelled domain names, knowing that some innocent users will end up on their page.

Typosquatting is so common that businesses often register common typos themselves to redirect users to the correct page – Google, for example, owns the dot-com domains for its name spelled with one, two and three Os.

Typosquatting is a huge industry – over 80% of all possible one-character variants of Facebook, Google, and Apple are registered.

It’s easy to make jokes about typosquatting – the human error component can be amusing, and some of the satirical pages users stumble across are occasionally clever – but the risks posed by typosquatting are very real. NBC Nightly News recently highlighted the dangers of these typos and what you can do to avoid these malicious sites in a video featuring Sophos’ James Lyne.

But what really happens when someone makes their way to the wrong page? That depends on the intentions of the typosquatter. Sometimes it’s simply domain parking or domains for sale, or “related search” pages. Others are riskier to encounter, like competitions and surveys asking for personal information, or bait-and-switch sites. Others still truly are benign, like humor or satire sites or sites maintained by typosquatting researchers.
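The “one-character variants” the article counts are easy to enumerate, which is exactly what a brand owner does when deciding which typos to register itself or which newly registered domains to watch. The following is an added example (not from the article) that builds that variant set for a brand label and flags observed hostnames that fall inside it, naming the edit that produced each one; the sample hostnames are constructed.

```javascript
// Added example, not code from the article: enumerate every one-keystroke
// variant of a brand label (the set a defender might register or watch),
// and flag observed hostnames that fall inside it.

// Characters allowed in a DNS label.
const LABEL_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789-";

function isValidLabel(label) {
  return label.length > 0 && !label.startsWith("-") && !label.endsWith("-");
}

// All strings one edit away from `label`: one deletion, one adjacent swap,
// one substitution or one insertion. Duplicates (e.g. deleting either "o"
// of "google") collapse in the Set; the label itself is excluded.
function oneCharVariants(label) {
  const src = label.toLowerCase();
  const out = new Set();
  for (let i = 0; i < src.length; i++) {
    out.add(src.slice(0, i) + src.slice(i + 1));                        // deletion
    if (i < src.length - 1) {                                           // transposition
      out.add(src.slice(0, i) + src[i + 1] + src[i] + src.slice(i + 2));
    }
    for (const c of LABEL_CHARS) {                                      // substitution
      if (c !== src[i]) out.add(src.slice(0, i) + c + src.slice(i + 1));
    }
  }
  for (let i = 0; i <= src.length; i++) {                               // insertion
    for (const c of LABEL_CHARS) out.add(src.slice(0, i) + c + src.slice(i));
  }
  out.delete(src);
  return [...out].filter(isValidLabel);
}

// Name the edit that turned `brand` into `candidate`; assumes `candidate`
// is already known to be a one-edit variant of `brand`.
function editKind(brand, candidate) {
  if (candidate.length === brand.length - 1) return "deletion";
  if (candidate.length === brand.length + 1) return "insertion";
  // Same length: a swap keeps the multiset of characters, a substitution does not.
  const sorted = (s) => [...s].sort().join("");
  return sorted(brand) === sorted(candidate) ? "transposition" : "substitution";
}

// Second-level label of a hostname ("mail.googl.com" -> "googl").
function registrableLabel(host) {
  const parts = host.toLowerCase().split(".");
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Detection: run over hostnames from proxy logs or a newly-registered-domains
// feed and return the ones that are a single keystroke away from the brand.
function flagTyposquats(brand, hosts) {
  const b = brand.toLowerCase();
  const variants = new Set(oneCharVariants(b));
  const hits = [];
  for (const host of hosts) {
    const label = registrableLabel(host);
    if (variants.has(label)) hits.push({ host, edit: editKind(b, label) });
  }
  return hits;
}

// Constructed sample: a few hostnames as they might appear in proxy logs.
const SAMPLE_HOSTS = [
  "www.google.com", "gogle.com", "goggle.net", "gooogle.com",
  "googel.org", "example.com", "mail.googl.com",
];

console.log(`${oneCharVariants("google").length} one-character variants of "google"`);
console.log(flagTyposquats("google", SAMPLE_HOSTS));
```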

Read more at https://nakedsecurity.sophos.com/2018/01/15/typosquatting-and-the-risks-of-one-wrong-keystroke/

How to set up 2FA on your Facebook account

By Maria Varmazis

As Facebook continues to embed itself into the fabric of our social and online lives – or, perhaps it’s more correct to say, as we let Facebook continue to embed itself in our lives – it’s increasingly important that we keep our accounts safe from unauthorized use.

If you barely ever log in to Facebook, you might not be too concerned about what could happen if someone gets into your account. But with Facebook being the biggest social media network on the planet with more than two billion users, and even if not all of those users are active or tied to a real person, it is increasingly used as a service to prove we are who we claim to be.

Facebook is entrenching itself to be indelibly tied to our entire identity online: How often have you seen Facebook authentication offered as a way to post comments on websites, or to register or log in to an app or service?

For many Facebook users, if someone were to gain access to their account, this would go beyond a mere annoyance – that person could also have access to their accounts on other apps, access to all sorts of sensitive information about them, their families, friends, and coworkers. From a reputation perspective alone, there’s a lot of potential for real-life consequences.

That’s why it’s a very good idea to take the security of your Facebook account seriously, and thankfully Facebook has made it reasonably easy to manage. A complex, unique password for Facebook is a great starting point – and if you haven’t changed it in a long while, take a moment to do it – but we also encourage you to take the security of your account to the next level and enable two-factor authentication as well.

Two-factor authentication (2FA) isn’t just a good idea, it’s a great idea: Someone trying to log in to your account needs more than just your password (“something you know”), they also need access to a phone or device that you own (“something you have”). This extra layer of security is simple to set up – we’ll walk you through it below – and can provide great peace of mind.

Read more at https://nakedsecurity.sophos.com/2018/01/15/how-to-set-up-2fa-on-your-facebook-account/

More SCADA app vulnerabilities found

By John E Dunn

A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time.

But what happens if they don’t?

It’s something that must have researchers at security consultancies IOActive Labs and Embedi pulling out their hair, assuming they have any left.

Two years ago, they jointly found 50 weaknesses in the security of 20 mobile apps used by a plethora of SCADA Industrial Control Systems (ICS) sectors covering things like power, water, and manufacturing.

Not good news exactly, but at least the problems were public domain and that meant they’d be fixed.

Now a follow-up test of 34 ICS apps from Google Play has found that far from improving, things have got worse – this time they found 147 security vulnerabilities in apps and backend systems designed for the same job.

Classifying them using OWASP’s Top Ten Mobile risk categories, 32 of the 34 lacked root or code protection, 20 had poor authorization, 20 implemented insecure data storage, and 18 lacked obfuscation to protect code from reverse engineering.

Less frequent but still serious issues included poor-quality coding (12), insecure communication (11), insufficient cryptography (8), and insecure authentication (6).

In addition, the team noticed that seven apps exposed vulnerabilities on backend servers, for example SQL injection or cross-site scripting (XSS). And:

One of the reviewed applications had write permissions for the tables, allowing an attacker to tamper with station configurations and user statistics.

Overall, in the period between the two tests, researchers saw an average increase of 1.6 vulnerabilities per application.

Clearly, there’s a problem, but what is it?

Read more at https://nakedsecurity.sophos.com/2018/01/15/more-scada-app-vulnerabilities-found/

iPhone’s Apple Health data used as evidence in murder trial

By Lisa Vaas

If you have an iPhone running iOS 6S or later, you’ve got Apple’s Health App, which accurately records steps. You’ve also got the Altimeter app, which keeps track of changes in elevation, to track how many stairs you’ve climbed.

And it is that health data that’s been used in the trial of an Afghani refugee in Germany who has admitted to raping and murdering 19-year-old medical student Maria Ladenburger in October 2016.

The refugee, Hussein Khavari, admitted to raping Ladenburger and to drowning her in the river Dreisam. But as the BBC reported on Friday, although he’s admitted his guilt, he’s disputed some details.

He was identified by a long strand of hair found in bushes close to the crime scene and by DNA recovered from a scarf that was found on the river bed nearby. In spite of those and other pieces of evidence, Khavari refused to provide police with the PIN to unlock his phone.

So, similar to the case of the FBI trying to get into the iPhone of the San Bernardino terrorists in the US, German investigators turned to an unnamed company from Munich that has a reputation for being able to crack locked phones. The unnamed cyber forensics firm did, in fact, manage to get into Khavari’s phone after months of work, according to German newspaper Welt. The case had begun in September.

Getting into the phone meant getting at details of its owner’s geodata.

Read more at https://nakedsecurity.sophos.com/2018/01/15/iphones-apple-health-data-used-as-evidence-in-murder-trial/

Your Facebook News Feed is getting an overhaul

By Lisa Vaas

One week after Facebook CEO Mark Zuckerberg pledged to spend the new year fixing Facebook – as in, attempting to tackle problems of abuse/hate/nation-state meddling/couch potato syndrome – he again took to blogging to announce a “major change” to the way Facebook is built.

The problem, he said in a post published on Thursday, is that an explosion of corporate posts – be they from corporations, businesses or media – are overcrowding the platform, squeezing out personal content from friends and family.

Well, that isn’t what we intended, he said. And it hasn’t made Facebook into something that’s necessarily good for people. From his post:

The balance of what’s in News Feed has shifted away from the most important thing Facebook can do – help us connect with each other… We feel a responsibility to make sure our services aren’t just fun to use, but also good for people’s well-being.

“Research shows that strengthening our relationships improves our well-being and happiness,” he said, making us feel more connected and less lonely – markers that correlate to long-term measures of happiness and health… as opposed to passively reading articles or watching videos, which can make us depressed and isolated.

Read more at https://nakedsecurity.sophos.com/2018/01/15/your-facebook-news-feed-is-getting-an-overhaul/

January 15, 2018 »

Cryptocurrency as the lure, an ISO as the attachment – why not open it?

By Paul Ducklin

You can’t move these days without bumping into words such as cryptocurrency, Bitcoin, coinminer and blockchain.

With Bitcoin’s value up more than 1000% in the past year, and with companies multiplying their share price simply by adding “Blockchain” to their names, you can see why these words are everywhere.

As you’ll have seen in many Naked Security articles, cryptocurrency is popular with cybercrooks, too.

Usually, cryptocurrency is the end, rather than the means of the crime, for example when crooks infect your computer with coinmining software to hijack your CPU to earn them money, or scramble your data with ransomware and demand that you pay them in cryptocoins to get it back.

But here’s something a bit different that we’ve seen recently: cryptocurrency as the means to a malware infection, not the end of that infection.

These phishing campaigns are also slightly unusual in that they include attachments that are ISO files.

You probably associate ISO files with ripped music CDs or movie DVDs, and with bootable Linux (or Windows) distros – ISOs are just byte-for-byte copies of the raw content of an optical disk.

You usually use them as CD backups, or as a source to burn new CDs.

However, many Windows users have utilities that can open ISO files as though they really were CDs; in fact, Windows 10 will open up ISOs simply by double clicking on them, which allocates them a regular drive letter in the system.
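A mail gateway or analyst that only looks at the attachment’s extension waves an ISO straight through, and once it is mounted the executable inside is one double-click away. The following is an added example written for this page, not code from the original article or from Sophos: a minimal ISO 9660 reader that lists the root directory of an image and flags executables by both extension and content, without mounting anything. It reads only the primary volume descriptor and the root directory (no Joliet or Rock Ridge names, no subdirectories), and the image it inspects is built in memory from made-up file names and contents so that the example runs offline; the builder exists only for that purpose.

```python
# Added example (not Sophos's code): triage an ISO attachment without mounting it.
import struct

SECTOR = 2048
EXECUTABLE_EXTS = {"exe", "scr", "com", "dll", "msi", "js", "jse", "vbs",
                   "bat", "cmd", "ps1", "hta", "lnk", "jar"}


def _both(value, width):
    """ISO 9660 'both-byte-order' field: little-endian copy then big-endian copy."""
    le, be = {2: ("<H", ">H"), 4: ("<I", ">I")}[width]
    return struct.pack(le, value) + struct.pack(be, value)


def _dir_record(name, lba, size, is_dir):
    """One directory record (ECMA-119 9.1): length byte + body, padded to even length."""
    body = (b"\x00"                                    # extended attribute record length
            + _both(lba, 4) + _both(size, 4)           # extent location, data length
            + b"\x00" * 7                              # recording date/time (unused here)
            + bytes([0x02 if is_dir else 0x00, 0, 0])  # flags, file unit size, gap
            + _both(1, 2)                              # volume sequence number
            + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"
    return bytes([len(body) + 1]) + body


def build_sample_iso(files):
    """Build a one-directory ISO 9660 image from {name: content} (constructed data)."""
    root_lba, next_lba = 18, 19
    records = [_dir_record(b"\x00", root_lba, SECTOR, True),   # "."
               _dir_record(b"\x01", root_lba, SECTOR, True)]   # ".."
    payload = b""
    for name, content in files.items():
        records.append(_dir_record(name.encode("ascii") + b";1", next_lba, len(content), False))
        chunk = content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\x00")  # pad to sectors
        payload += chunk
        next_lba += len(chunk) // SECTOR
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1          # type 1 = primary volume descriptor
    pvd[40:72] = b"CRYPTO_PAYOUT".ljust(32)             # volume identifier
    pvd[80:88] = _both(next_lba, 4)                     # volume space size in blocks
    pvd[128:132] = _both(SECTOR, 2)                     # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)  # root directory record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1     # volume descriptor set terminator
    return (b"\x00" * (16 * SECTOR) + bytes(pvd) + bytes(term)
            + b"".join(records).ljust(SECTOR, b"\x00") + payload)


def list_iso(image):
    """Yield (name, byte_offset, size, is_dir) for every root-directory entry."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    block = struct.unpack_from("<H", pvd, 128)[0]
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_size = struct.unpack_from("<I", pvd, 156 + 10)[0]
    directory = image[root_lba * block:root_lba * block + root_size]
    pos = 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                       # zero length byte: rest of block is padding
            pos = (pos // block + 1) * block
            continue
        rec = directory[pos:pos + rec_len]
        pos += rec_len
        name = rec[33:33 + rec[32]]
        if name in (b"\x00", b"\x01"):         # "." and ".."
            continue
        lba = struct.unpack_from("<I", rec, 2)[0]
        size = struct.unpack_from("<I", rec, 10)[0]
        yield name.decode("ascii").split(";")[0], lba * block, size, bool(rec[25] & 0x02)


def suspicious_entries(image):
    """Flag files by extension AND by content: an MZ header is a Windows
    executable whatever the attacker chose to call it."""
    findings = []
    for name, offset, size, is_dir in list_iso(image):
        if is_dir:
            continue
        reasons = []
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension .{ext}")
        if image[offset:offset + 2] == b"MZ":
            reasons.append("MZ header: PE executable regardless of name")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


# Constructed sample attachment: a lure note, an obvious dropper, and an
# executable disguised with a .pdf name.
SAMPLE_FILES = {
    "README.TXT": b"Your cryptocurrency payout is attached. Open INVOICE.PDF to claim it.\r\n",
    "WALLET.EXE": b"MZ\x90\x00" + b"\x00" * 60,
    "INVOICE.PDF": b"MZ\x90\x00" + b"\x00" * 60,
}
SAMPLE_IMAGE = build_sample_iso(SAMPLE_FILES)

if __name__ == "__main__":
    for name, offset, size, is_dir in list_iso(SAMPLE_IMAGE):
        print(f"{name:<12} {size:>5} bytes at offset {offset}")
    for name, why in suspicious_entries(SAMPLE_IMAGE):
        print(f"SUSPICIOUS {name}: {why}")
```

Checking content as well as names matters because the attacker chooses both. It is also worth knowing that, at the time this was written, files on a mounted ISO did not inherit the Mark-of-the-Web from the downloaded image, so the usual “this file came from the internet” warnings did not fire for them; Microsoft only changed that behaviour in a Windows update in late 2022.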

Read more at https://nakedsecurity.sophos.com/2018/01/12/cryptocurrency-as-the-lure-an-iso-as-the-attachment-why-not-open-it/

Man charged with spying on thousands of Mac users for 13 years

By Taylor Armerding

The technical description of the “Fruitfly” malware is “spyware.” But given the way it has allegedly been used, a better label would be creepware – creepware that should have easily been detected, but somehow stayed under the radar for more than a decade.

According to a 16-count indictment unsealed on Wednesday in US District Court for the Northern District of Ohio, its creator, Phillip R. Durachinsky, 28, used it to spy on thousands of victims for more than 13 years. Durachinsky spent this time not only collecting personal data but also watching and listening to victims through their webcams and microphones, and using some of what he collected to produce child abuse imagery.

Durachinsky, of North Royalton, Ohio, was charged with Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child abuse imagery, and aggravated identity theft, according to a Department of Justice (DoJ) press release.

The victims ranged from individuals to companies, schools, a police department and government entities including one owned by a subsidiary of the US Department of Energy.

According to the DoJ:

(It) enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio.

(He) used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, internet searches, and potentially embarrassing communications.

The indictment charges that while Durachinsky primarily used Fruitfly to infect Macs, he also wrote variants of Fruitfly that were capable of infecting computers running Windows.

It said he saved millions of images, kept detailed notes on what he observed, and designed it to alert him if a user typed words associated with pornography.

Besides the creep factor, a stunning thing about Fruitfly is that it is both unsophisticated and relatively easy to spot, yet according to the DoJ, Durachinsky was able to use it undetected from 2003 until January 2017, when he was arrested and jailed on another charge. He remains in custody.

Read more at https://nakedsecurity.sophos.com/2018/01/12/man-charged-with-spying-on-thousands-of-mac-users-for-13-years/

Bitcoin conference won’t let you pay with Bitcoin

By Lisa Vaas

Sure, as of Thursday, you could still get a last-minute ticket to attend next week’s North American Bitcoin Conference, to be held in Miami. That will be $1,000, if you please.

But if you expect to pay with Bitcoin – or with any other cryptocurrency, for that matter – prepare to be bit-crushed. The conference organizers said on the event’s site that it’s just too slow and pricey to accept at the last minute.

We have, and always will, accept cryptocurrencies for our conferences, up to fourteen days before the event. However, due to the manual inputting of data in our ticketing platforms when paid in cryptocurrencies, we decided to shut down bitcoin payments for last minute sales due to print deadlines.

The organizers blamed “network congestion and manual processing” for the decision. In other words, the fees are painful, and network congestion is gumming everything up. They said that they hope next year brings “more unity in the community about scaling” and that “global adoption becomes reality.”

As Bitcoin.com has reported and Redditors confirm, transaction fees have risen to $30-$60 per transaction at certain times of the day. The fees have skyrocketed from what was a few cents per transaction a few years back.

Moe Levin, the conference organizer, told Bitcoin.com that the organizers are “scrambling” to get bitcoin cash or a digital asset with cheaper fees integrated into the ticketing system. At this point, ticket service operators like Eventbrite or others just haven’t managed to integrate cryptocurrencies yet, he said.

We wish this was easier, but no ticketing options exist which can handle large volumes of ticket sales, and transaction fees on the Bitcoin blockchain exceed $30 at certain times of the day.

The conference certainly isn’t the only merchant that’s been forced to rethink cryptocurrency payments.

Read more at https://nakedsecurity.sophos.com/2018/01/12/bitcoin-conference-wont-let-you-pay-with-bitcoin/

Police give out infected USBs as prizes in cybersecurity quiz

By Lisa Vaas

So ironic. You work hard to win a cybersecurity award, and what do you get? A USB drive stuffed with creepy-crawly nasty, that’s what.

The Taiwanese government last month celebrated its crackdown on cyber crime. The national police – the Criminal Investigation Bureau (CIB) – picked up 250 blank USB drives, each with 8GB capacity, to give out as prizes at the data security expo, hosted by the Presidential Office on 11-15 December.

According to the Taipei Times, an employee at a New Taipei City-based contractor, Shawo Hwa Industries Co., transmitted the malware to the drives when testing their storage capacity… from his infected workstation.

Oops! the CIB said after investigating the infection, which wound up on 54 of the drives that were handed out to winners of a quiz about cybersecurity knowledge. “Winners of a quiz about cybersecurity knowledge,” as in, “people who hopefully know enough not to plug in random USB drives conveniently scattered throughout the parking lot, but not necessarily those handed over on a silver platter at a security expo.”

According to the CIB, the 54 drives picked up an executable malware file that goes by the name of XtbSeDuA.exe. The CIB said that the malware was designed, years ago, to suck up personal data and transmit it to a Poland-based IP address that would then bounce the information to unidentified servers.

Read more at https://nakedsecurity.sophos.com/2018/01/12/police-give-out-infected-usbs-as-prizes-in-cybersecurity-quiz/

January 10, 2018 »

Meltdown and Spectre: How much are ARM and AMD exposed?

By Andy Patrizio

As the chip vendors wrestle to get their arms around the Meltdown and Spectre vulnerabilities, we’re slowly determining the exposure of AMD and ARM to the exploit. Intel, unfortunately, is totally vulnerable. With AMD and ARM, though, it gets complicated.

Read more at https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html

Is single tenancy the fix for the Meltdown flaw?

By Andy Patrizio

As the fallout continues over the Meltdown and Spectre exploits in Intel and now some ARM processors, the issue of what to do about it is coming front and center. Clearly there is no fixing a silicon problem; Intel will have to adjust future chips to deal with it. So, for now, we have the software fixes.

Read more at https://www.networkworld.com/article/3246008/data-center/is-single-tenancy-the-fix-for-the-meltdown-flaw.html

Smart-toymaker VTech fined over charges of violating child privacy law

By Lisa Vaas

In 2015, smart toymaker VTech tripped. And it fumbled a whole lot of frighteningly specific data about children when it did.

Well, allegedly, at any rate. An intruder claimed to have broken into servers and ripped off data s/he said was so sensitive, it made them queasy.

With good reason: the intruder claimed to have accessed photos of kids and parents; chat logs; and audio files. The FTC said they got first names, genders and birthdays of about 638,000 children. The intruder said they got email addresses; encrypted passwords; secret questions and answers for password retrieval; IP addresses; mailing addresses; and download histories. The personal data pertained to 4,833,678 parents, the intruder said.

On Monday, VTech didn’t admit to wrongdoing, but it did settle Federal Trade Commission (FTC) charges that the company violated children’s privacy law – that would be the Children’s Online Privacy Protection Act (COPPA) – and the FTC Act.

The FTC announced on Monday that VTech had agreed to settle for a civil fine of $650,000.

In a complaint filed by the US Department of Justice on behalf of the FTC, the commission alleged that VTech’s Kid Connect app collected the personal information that was allegedly breached. Kid Connect is a service that allows parents and kids to chat via a mobile phone app and a VTech tablet.

Read more at https://nakedsecurity.sophos.com/2018/01/10/smart-toymaker-vtech-fined-over-charges-of-violating-child-privacy-law/

Beautiful webchat honeys turn out to be fembots

By Lisa Vaas

Police in Guangdong, China, announced on Monday that there will henceforth be a sizable population of homeless dating app fembots.

This comes after police successfully “smashed” the 21 companies the chatbots called home. Police said they’ve arrested more than 600 suspects on suspicion of mobile app network fraud, froze a total of 100 billion yuan (USD $154m; £113m), and seized more than 400 servers, computers, mobile phones, books and more.

Authorities have been working on the massive fraud network since August 2017. They were tipped off after coming across a mobile app that was charging visitors to view porn videos that didn’t actually exist.

The crackdown, dubbed “Security Network No. 20”, was carried out simultaneously in 11 cities, including Zhuhai, Shantou and Dongguan, and in Beijing, Liaoning, Shaanxi, Henan, Shandong, Jiangsu, Zhejiang, Hunan, Hubei, Jiangxi, Fujian, Guangdong, Guangxi and 13 other provinces, autonomous regions and municipalities.

A task force found dating-app fembots “making friends,” or what we also call dangling porn as bait for men, getting them to register for apps, dropping flirty phrases such as (what Google translates as) “a city courtship,” “party dating,” and “a city secret tease.”

Once the dating apps had lured men into downloading and installing them, surprise! The apps would continuously upgrade their membership level.

Read more at https://nakedsecurity.sophos.com/2018/01/10/beautiful-webchat-honeys-turn-out-to-be-fembots/

CoffeeMiner project lets you hack public Wi-Fi to mine cryptocoins

By Paul Ducklin

Remember how an Argentinian Starbucks store recently turned out to be doing JavaScript cryptomining on the side?

That’s where someone else uses your computer, via your web browser, to perform a series of calculations that help to generate some sort of cryptocurrency, and keeps the proceeds for themselves.

In that case, it seems to have been a unilateral decision by the Wi-Fi provider to include coin mining JavaScript code in the Wi-Fi registration page.

We’re guessing that the provider figured it would be OK to “borrow” approximately 10 seconds of CPU time whenever someone connected to the Wi-Fi, presumably as a way of earning a few extra pennies in return for providing free internet access.

(Just for the record, the tweeter who reported it got one detail wrong, inasmuch as the code was mining Monero, not Bitcoin – but the sentiment was spot-on.)

Starbucks wasn’t impressed, and “took swift action to ensure [the] internet provider resolved the issue”.

We’re guessing here, but we’re prepared to assume that this “swift action” involved a very short phone call in a rather loud voice.

But it’s not only the Wi-Fi operator or the coffee shop owner that you need to worry about.

If you join a public Wi-Fi network, and you don’t use a VPN, or stick to HTTPS websites, or both, then…

…anyone else in the coffee shop (or bus, or train, or hotel lobby, or wherever it is) at the same time can sniff out what you’re doing, and perhaps also trick you into seeing and doing something you didn’t expect.

Read more at https://nakedsecurity.sophos.com/2018/01/09/coffeeminer-project-lets-you-hack-public-wi-fi-to-mine-cryptocoins/

Aadhaar breaches fueled by rogue admin accounts

By John E Dunn

Not long ago trumpeted as the world’s largest biometric database, India’s Aadhaar system covers 1.2bn citizens. Lately, though, it’s acquired a less impressive reputation – that it’s one of the easiest to breach.

In a matter of days, two sets of journalists claimed they’ve bypassed its security with worrying ease, apparently by gaining access to a layer of privileged and admin accounts that have ended up in the wrong hands.

In the most widely reported incident, a researcher paid Rs 500 ($8) to an anonymous WhatsApp seller for credentials giving access to the name, address, phone number, postal PIN, email address and photograph of anyone in Aadhaar, after entering that person’s 12-digit Aadhaar number (the identifier issued by the UIDAI, the Unique Identification Authority of India).

Worse, for a few dollars extra, the researcher was offered software capable of printing this out as a usable Aadhaar identity card.

A day later, a second investigation reported being able to buy access to an admin account for between Rs 500 and Rs 6,000 ($95). That account conferred the godlike ability to create additional admin accounts, which in turn could create further admin accounts – and so on.

Which meant:

Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask.

The revelations continued this week with the Times of India reporting that despite November reports that up to 200 Indian government websites were displaying details of Aadhaar identities in public, some continued to do so weeks later.

None of this is good news for Aadhaar’s reputation of course, but the biggest worry could turn out to be the authorities’ confused response.

Read more at https://nakedsecurity.sophos.com/2018/01/09/aadhaar-breaches-fuelled-by-rogue-admin-accounts/

Apple issues Spectre fix with iOS 11.2.2 update

By Maria Varmazis

On 8 January, Apple made available iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities making the headlines of late. (If you need a full rundown about what these processor bugs entail and how they work, take a moment to read Paul Ducklin’s comprehensive post on the topic.)

This iOS update specifically addresses CVE-2017-5753 and CVE-2017-5715, two chip-level vulnerabilities collectively known as Spectre. All of the chip-level vulnerabilities including Spectre, at a very high level, take advantage of flaws in hardware to allow an attacker to potentially read or steal data.

Thankfully, these flaws can be mitigated at the operating system or software level when vendors make patches available. The two Spectre vulnerabilities can be triggered via JavaScript running in a web browser, so the iOS 11.2.2 update specifically makes changes to Apple’s Safari and WebKit to mitigate their effects.

There were a number of chip vulnerabilities revealed concurrently earlier this month – they’re similar but not the same. Often mentioned in the same breath as Spectre is Meltdown, CVE-2017-5754. While Meltdown affects most types of Intel processors made since 1995 – meaning almost all the world’s desktops, laptops, and servers – Spectre affects an even broader array of processor types, not just Intel, but AMD and ARM as well.

Most of the world’s smartphones, including iPhones and Samsung phones, run on ARM chips. While yes, technically, Spectre makes most of us with a smartphone in our hands vulnerable, thankfully the Spectre flaws have been found by vendors and researchers to be much harder to exploit overall than Meltdown, so it hasn’t been as high a priority for a fix.

Read more at https://nakedsecurity.sophos.com/2018/01/09/apple-issues-spectre-fix-with-ios-11-2-2-update/

January 9, 2018 »

Meltdown and Spectre exploits: Cutting through the FUD

By Jack Gold

There is lots of information circulating about the new exploits of computer chips from Intel and others announced in the past few days. Some of it has been accurate, and some has been sensationalist and overblown. There is plenty of highly detailed technical information available for both Meltdown and Spectre, so I won’t go into a lot of technical detail here. Rather, I’ll focus on the higher-level issues affecting business and personal computer users.

Read more at https://www.networkworld.com/article/3245813/security/meltdown-and-spectre-exploits-cutting-through-the-fud.html

Spyware user tracked boyfriend to have him killed by hitman

By Lisa Vaas

Stop me if you’ve heard this one:

Boy meets girl. Girl tracks boy with spyware. Girl (allegedly) hires hitman to kill boy. Girl arrested by hitman, who actually works for the FBI.

Wait a minute. What’s that you say? It’s not an elevator pitch for a thriller? It actually happened?!

It sure did. Unfortunately, it’s not humorous, either, given that a man allegedly could have been murdered.

The story involves a Los Angeles woman who goes by the handle “Mz. Fiesty” on social media.

According to the US Attorney’s Office for the Central District of California, Rasheeda Johnson Turner, 37, was arrested last month on federal charges that she hired a hitman-slash-FBI informant to kill her boyfriend so she could get her hands on his life insurance payout.

The boyfriend/would-be victim is identified in court documents as L.G.

Turner allegedly told the informant she was the beneficiary of a $150,000 life insurance policy and that she would pay the killer $50,000. Over the course of two weeks, she allegedly told the purported hitman that she originally planned to do the deed herself and had sourced “pure acid” from a plumber to get it done.

According to the criminal complaint, Turner initially tried to hire a hitman in November, but he wasn’t interested in the job. The FBI got wind of the alleged plot and managed to get an informant introduced to Turner. Turner, also known as Feisty or Mz. Feisty, is, according to her social media posts, an amateur film star with a rap sheet: she was convicted in 2005 for forgery and theft and arrested in 2016 for spousal battery, having allegedly assaulted L.G.

Read more at https://nakedsecurity.sophos.com/2018/01/09/spyware-user-tracked-boyfriend-to-have-him-killed-by-hitman/

Facebook bug could have exposed your phone number to marketers

By Lisa Vaas

You know that Facebook data-use policy, the one that promises it’s not going to spread our personal information to outfits that want to slice and dice and analyze us into chop suey and market us into tomato paste?

We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners unless you give us permission.

Yea, well… funny thing about that…

Turns out that up until a few weeks ago, against its own policy, Facebook’s self-service ad-targeting tools could have squeezed users’ cellphone numbers from their email addresses… albeit very, verrrrry sloooowly. The same bug could have also been used to collect phone numbers for Facebook users who visited a particular webpage.

Finding the bug earned a group of researchers from the US, France and Germany a bug bounty of $5000. They reported the problem at the end of May, and Facebook sewed up the hole on 22 December.

That means that phone numbers could have been accessed for at least seven months, although Facebook says that there’s no evidence that it happened.

The researchers described in a paper how they used one of Facebook’s self-serve ad-targeting tools called Custom Audiences to ascertain people’s phone numbers.

That tool lets advertisers upload lists of customer data, such as email addresses and phone numbers. It takes about 30 minutes for the tool to compare an advertiser’s uploaded customer list to Facebook’s user data, and then presto: the advertisers can target-market Facebook users whose personal data they already have.

Custom Audiences also throws in other useful information: it tells advertisers how many of its users will see an ad targeted to a given list, and in the case of multiple targeted-ad lists, it tells advertisers how much the lists overlap.

And that’s where the bug lies. Until Facebook fixed it last month, the data on audience size and overlap could be exploited to reveal data about Facebook users that was never meant to be offered up. The hole has to do with how Facebook rounded up the figures to obscure exactly how many users were in various audiences.
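The rounding weakness is easiest to see with a toy oracle. The following is an added example written for this page; it is not Facebook’s code and not the researchers’ exact procedure. It simulates a Custom Audiences-style size estimate that rounds match counts down to a multiple of ten (the article does not give the real granularity, so ten is an assumption) and shows how an attacker who controls nine accounts that they know will match can park an audience one user below a rounding boundary, so that adding a single extra record reveals whether that record belongs to a new user or to the target. The user table, the padding accounts and the candidate phone numbers are all constructed.

```python
# Added example (not Facebook's code): membership leakage from deterministically
# rounded audience sizes. The user table, rounding rule and padding accounts are
# all constructed for illustration.

ROUND_TO = 10  # assumption: the oracle reports counts as multiples of ten, rounded down

# Constructed platform user table: user id -> (email, phone)
USERS = {f"u{i:02d}": (f"person{i}@example.com", f"+1555000{i:04d}")
         for i in range(1, 41)}


def _matched_users(records):
    """Server side: user ids matched by any uploaded email or phone number."""
    wanted = set(records)
    return {uid for uid, (email, phone) in USERS.items()
            if email in wanted or phone in wanted}


def audience_size(records):
    """All the attacker gets to see: the match count, rounded down."""
    n = len(_matched_users(records))
    return n - n % ROUND_TO


def link_email_to_phone(target_email, candidate_phones, padding):
    """Return the candidate phone that belongs to the owner of target_email
    (None if no candidate does), using only rounded audience sizes.

    `padding` holds ROUND_TO - 1 records the attacker knows match distinct
    users other than the target (for example accounts they created themselves).
    Parking the audience one user below a rounding boundary makes a single
    extra matched user flip the reported value.
    """
    if len(padding) != ROUND_TO - 1 or audience_size(padding) != 0:
        raise ValueError("padding must be ROUND_TO - 1 records for distinct users")
    if audience_size(padding + [target_email]) != ROUND_TO:
        raise ValueError("target email does not match a user outside the padding")

    # ROUND_TO - 2 padding users plus the target = ROUND_TO - 1 users: reported as 0
    base = padding[:-1] + [target_email]
    for phone in candidate_phones:
        # Query 1: does the phone match some user outside the padding at all?
        # 9 padding users + 1 new user = 10 -> reported 10; otherwise 9 -> reported 0.
        if audience_size(padding + [phone]) != ROUND_TO:
            continue
        # Query 2: add it to the parked audience. If the phone is the target's own,
        # the user count stays at 9 (reported 0); any other user makes it 10 and
        # the oracle reports the jump.
        if audience_size(base + [phone]) == 0:
            return phone
    return None


# Constructed attack scenario: the attacker owns u01..u09 and hunts u17's phone number.
PADDING = [USERS[f"u{i:02d}"][0] for i in range(1, ROUND_TO)]
TARGET_EMAIL = USERS["u17"][0]
CANDIDATES = [USERS["u23"][1], USERS["u05"][1], "+15559999999", USERS["u17"][1]]

if __name__ == "__main__":
    print("linked phone:", link_email_to_phone(TARGET_EMAIL, CANDIDATES, PADDING))
```

Deterministic rounding gives no protection against this kind of differencing: two queries that differ by one record answer differently whenever the boundary is crossed, and the attacker chooses where the boundary falls. What breaks the attack is to stop the two answers from being deterministically related, for instance by adding noise or randomising the rounding, or by refusing estimates for audiences that are near-duplicates of each other.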

Read more at https://nakedsecurity.sophos.com/2018/01/09/facebook-bug-could-have-exposed-your-phone-number-to-marketers/

Facebook needs fixing, says Mark Zuckerberg

By Lisa Vaas

Mark Zuckerberg, the wizard who pulls the levers behind the Facebook curtain, has set himself a doozy of a challenge for 2018: to fix Facebook.

The most pressing problems, he said in a post on Thursday, are protecting the Facebook community from abuse and hate, stopping nation states from using Facebook like a hacky-sack in other countries’ elections, and making sure that all of us dopamine-addicted users spend our time on the platform productively (instead of turning into passive, miserable, Facebook-fixated couch potatoes).

Read more at https://nakedsecurity.sophos.com/2018/01/08/facebook-needs-fixing-says-mark-zuckerberg/

Ex-NSA hacker builds AI tool to hunt hate groups’ symbols online

By Lisa Vaas

Emily Crose, ex-hacker for the National Security Agency (NSA), ex-Reddit moderator and current network threat hunter at a cybersecurity startup, wanted to be in Charlottesville, Virginia, to join in the protest against white supremacists in August.

Three people died in that protest. One of Crose’s friends was attacked and hurt by a neo-Nazi.

As Motherboard’s Lorenzo Franceschi-Bicchierai tells it, Crose was horrified by the violence of the event. But she was also inspired by her friend’s courage.

Her response has been to create and train an Artificial Intelligence (AI) tool to unmask hate groups online, be they on Twitter, Reddit, or Facebook, by using object recognition to automatically spot the symbols used by white nationalists.

The images her tool automatically seeks out are so-called dog whistles, be they the Black Sun (also known as the “Schwarze Sonne,” an image based on an ancient sun wheel artifact created by pagan German and Norse tribes that was later adopted by the Nazi SS and which has been incorporated into neo-Nazi logos) or alt-right doctored Pepe the frog memes.

Crose dubbed the AI tool NEMESIS. She says the name is that of the Greek goddess of retribution against those who succumb to arrogance against the gods.

Take that to mean whatever you will, but you have to admit that it sounds pretty cool.

Crose says it’s just a proof of concept at this point …

Read more at https://nakedsecurity.sophos.com/2018/01/08/ex-nsa-hacker-builds-ai-tool-to-hunt-hate-groups-symbols-online/

January 8, 2018 »

Microsoft could soon be “password free”

By John E Dunn

As each New Year rolls by, someone somewhere usually predicts the death of passwords as a trend for the coming months.

Every year so far, they’ve been proved wrong – somehow passwords cling on despite an exhausting list of maladies, mostly to do with how easy they are to forget, steal and misuse.

The moral would seem to be never to listen to predictions about passwords. However, post-Christmas comments by Microsoft chief information security officer Bret Arsenault offer a small but tantalizing sign that the password age might finally be nearing its end.

The evidence is usage figures for Windows Hello, the company’s technology for authenticating Windows users with biometrics such as facial recognition in place of a password.

Windows Hello launched in 2015 as part of Windows 10, and Arsenault said it is now the default way for the company’s 125,000 employees to log into their computers.

The majority of Microsoft employees already log in to their computers using Windows Hello for Business instead of passwords. Very soon we expect all of our employees will be able to go completely password free.

No surprise that Microsoft might champion its own security technology, but Arsenault goes on to make an argument for replacing passwords that will strike a chord among professionals who manage credentials.

For several decades, the industry has focused on securing devices […] but it’s not enough. We should also be focused on securing individuals. We can enhance your experience and security by letting you become the password.

Whatever one thinks of Windows Hello, or biometrics in general, his observation sounds fair.

Passwords were created for a world of devices and systems, not one in which the need to verify a person’s identity in real time using something more substantial than a string of characters has become pressing.

Read more at https://nakedsecurity.sophos.com/2018/01/05/microsoft-could-soon-be-password-free/

JPMorgan doesn’t trust YouTube to keep its ads out of sketchy channels

By Lisa Vaas

Last March, Google found itself apologizing to many of its YouTube advertisers.

It was apologizing to their backs. They were running for the hills. Brands such as Marks & Spencer, McDonald’s, L’Oreal, Audi, Tesco and the BBC pulled ads that had wound up running alongside videos from rape apologists, anti-Semites, hate preachers and IS extremists.

The most recent YouTube ad scandal landed in November, when an investigation by the BBC found that a glitch in YouTube’s tool for tracking obscene comments on kids’ videos meant the tool hadn’t been working right for over a year. Meanwhile, an investigation by The Times found that YouTube ads were funding the habits of perverts.

Google’s response: sorry, we’ll do better!

Eight months later, the response from the advertisers: You’re not doing enough, and you’re not doing it fast enough.

Speaking at London’s Advertising Week Europe in March, Google’s European chief Matt Brittin said that the company was looking to give advertisers easier control over where their ads appear, that 98% of flagged YouTube content was being examined within 24 hours, and that it could, and would, do even better. However, observers noted that Brittin didn’t say anything about devoting staff to proactively seek out inappropriate content instead of just jumping on it after users had already seen and flagged it.

Read more at https://nakedsecurity.sophos.com/2018/01/05/jpmorgan-doesnt-trust-youtube-to-keep-its-ads-out-of-sketchy-channels/

Children at ‘significant’ social media risk

By Lisa Vaas

Slime.

It’s the most beautiful, satisfying, relaxing thing I’ve ever seen, and it proves that children are geniuses, because they’re smart enough to make it and smart enough to watch online slime videos.

Says 11-year-old Alina:

If you’re like really stressed or something and you watch a really satisfying slime video it makes you like calmer.

So that’s one of many plus sides of how kids – the under-13 crowd – are using social media. They say it takes their minds off things, too: “If you’re in a bad mood at home you go on social media and you laugh and then you feel better,” says 10-year-old Kam.

But according to a Children’s Commissioner report that looked at social media use among 8- to 12-year-olds, children aren’t getting enough guidance to cope with the emotional demands that social media puts on them.

For instance, many children interviewed for the report were over-dependent on “likes” and comments for social validation, according to researchers. They spoke to 32 children in eight focus groups, each including two friendship pairs, grouped by age and gender. The report says that the friendship pairing was done to enable the children to “open up with more confidence during the research, and to allow for insight around peer dynamics and other social factors to emerge more naturally.”

These are some of the things the kids said about getting social validation from social media:

If I got 150 likes, I’d be like, ‘that’s pretty cool, it means they like you’.

I just edit my photos to make sure I look nice.

My mum takes pictures of me on Snapchat… I don’t like it when your friends and family take a picture of you when you don’t want them to.

I saw a pretty girl and everything she has I want; my aim is to be like her.

Speaking to the BBC, Children’s commissioner for England, Anne Longfield, called on schools and parents to prep children emotionally for what she called the “significant risks” of social media as they move schools and meet new classmates, many of whom have their own phones.

Read more at https://nakedsecurity.sophos.com/2018/01/05/children-at-significant-social-media-risk/

January 5, 2018 »

F**CKWIT, aka KAISER, aka KPTI – Intel CPU flaw needs low-level OS patches

By Paul Ducklin

In the near future – in all likelihood, later this month – at least Windows and Linux will get security updates that change the way those operating systems manage memory on Intel processors.

There’s a lot of interest, excitement even, about these changes: they work at a very low level and are likely to affect performance.

The slowdown will depend on many factors, but one report suggests that database servers running on affected hardware might suffer a performance hit around 20%.

“Affected hardware” seems to include most Intel CPUs released in recent years; AMD processors have different internals and are affected, but not quite as broadly.

So, what’s going on here?

On Linux, the forthcoming patches are known colloquially as KPTI, short for Kernel Page Table Isolation, though they have jokingly been referred to along the way as both KAISER and F**CKWIT.

The latter is short for Forcefully Unmap Complete Kernel With Interrupt Trampolines; the former for Kernel Address Isolation to have Side-channels Efficiently Removed.

Here’s an explanation.

Inside most modern operating systems, you’ll find a privileged core, known as the kernel, that manages everything else: it starts and stops user programs; it enforces security settings; it manages memory so that one program can’t clobber another; it controls access to the underlying hardware such as USB drives and network cards; it rules and regulates the roost.

Read more at https://nakedsecurity.sophos.com/2018/01/03/fckwit-aka-kaiser-aka-kpti-intel-cpu-flaw-needs-low-level-os-patches/

Social media namer and shamer charged

By Lisa Vaas

An 18-year-old woman in the UK has been charged with publishing the names of two sexual assault victims onto social media.

A local publication, Liverpool Echo, reports that Sophie Turner, of Merseyside, has been charged with two counts of publishing the names of the victims of a sexual offense and with two counts of harassment.

Turner allegedly posted messages in July about two victimized teenage girls following the sentencing of the two men who assaulted them. She’s now out on bail and due to appear at Liverpool Magistrates Court on 7 March.

The Echo says this is the first time somebody’s been charged with this particular crime in Merseyside, but it’s not the first time it’s happened in the UK.

One such was the infamous rape case for which footballer Ched Evans was convicted in 2012 (a conviction overturned on subsequent retrial). Ten people were accused of naming the victim on social media, including on Facebook and Twitter.

According to The Guardian, some of the defendants said the victim was “crying rape” and called her names. One tweet read: “She is to blame for her own downfall. Let’s find her address.”

As in many other countries, publicly naming rape victims is illegal in the UK. Victims of sexual assault are entitled to anonymity for life under the Sexual Offences Act 2003. It’s not just verboten for media; anyone can be convicted for identifying a victim.

The rationale for keeping victims’ names secret is that sex crimes are already widely under-reported: in 2012, the British Crime Survey found that about 89% of rape victims hadn’t reported the crime to police. What’s more, the conviction rate is vanishingly small: a recent documentary on rape reported that only 3% of rapes in the UK end with a guilty conviction. Victims claim that they’re blamed for the crime or simply not believed. Anonymity is one way to battle the victim-blaming and slut-shaming that keep the crimes unreported and the criminals out of court.

Read more at https://nakedsecurity.sophos.com/2018/01/04/social-media-namer-and-shamer-charged/

Is your Spotify password up to scratch?

By Taylor Armerding

If you’re among the 140 million users who enjoy streaming music from Spotify – especially if you are one of its 60 million paying customers for “premium” services – you might want to make sure you have a strong, long and unique password on your account. If not, you could be letting cybercriminals into your account.

Collective Labs’ Ryan Jackson came across a brute force hacking tool called Spotify Cracker v1 last month, which automatically cycles through known username and password combinations and breaks into Spotify accounts that use those credentials.

17-year-old Jackson, who reportedly has a history of involvement with hacking groups New World Hackers and Lizard Squad (“while never participating in their antics”), told the International Business Times (IBT) that he found the tool on a private server on Discord – a popular, free online communications platform used primarily by gamers.

And given current Spotify login security protocols – the company doesn’t use CAPTCHAs or offer two-factor authentication (2FA) – it doesn’t meet much resistance. Without mechanisms to lock down an account after a certain number of incorrect password guesses, a brute force attack can simply keep guessing until it is successful.
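The article's point is the missing lockout: without a cap on wrong guesses, a guessing loop runs until it hits. The following is an added example of such a cap, constructed for this digest and not Spotify's code; the limits and the `check_password` callback are assumptions.

```python
"""Failed-login throttling of the kind the article says Spotify lacked.

Added example, not Spotify's code. After MAX_FAILURES wrong passwords for
one account inside WINDOW seconds, further attempts on that account are
refused for LOCKOUT seconds even when the password is right, so a
credential-guessing loop cannot simply keep going.
"""
import time
from collections import deque

MAX_FAILURES = 5      # wrong guesses tolerated per account (assumed value)
WINDOW = 300.0        # seconds over which failures are counted (assumed)
LOCKOUT = 900.0       # seconds an account stays locked once tripped (assumed)


class LoginGuard:
    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password    # callable(username, password) -> bool
        self._clock = clock             # injectable so tests can move time
        self._failures = {}             # username -> deque of failure timestamps
        self._locked_until = {}         # username -> deadline on the clock

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'.

        The lockout is checked *before* the password so a locked account
        gives the caller no signal about whether the guess was right.
        """
        now = self._clock()
        if self._locked_until.get(username, 0.0) > now:
            return "locked"
        if self._check(username, password):
            self._failures.pop(username, None)   # success clears the counter
            return "ok"
        q = self._failures.setdefault(username, deque())
        q.append(now)
        while q and q[0] < now - WINDOW:         # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT
            q.clear()
        return "denied"
```

A hard lockout like this can itself be abused to lock real users out of their accounts, which is one reason services pair it with CAPTCHAs, progressive delays or 2FA rather than relying on it alone.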

Read more at https://nakedsecurity.sophos.com/2018/01/04/is-your-spotify-password-up-to-scratch/

Artificial Intelligence to listen for suicidal thoughts on social media

By Lisa Vaas

Canada is planning a pilot project to see if Artificial Intelligence (AI) can find patterns of suicidality – i.e., suicidal thoughts or attempts, self-harm, or suicidal threats or plans – on social media before they lead to tragedy.

According to a contract award notice posted by the Public Health Agency of Canada (PHAC), the $99,860 project is being handled by an Ottawa-based AI company called Advanced Symbolics Inc. (ASI). The agency says the company was the only one that could do it, given that ASI has a patented technique for creating randomized, controlled samples of social media users in any geographic region.

The focus on geographic region is key: As it is, the country is reeling after a dramatic spike in suicides in Cape Breton among girls 15 years old and younger and men in their late 40s and early 50s.

The idea isn’t to identify specific individuals at risk of suicide. Nor is it to intervene. Rather, the project’s aim is to spot patterns on a regional basis so that public health authorities can bolster mental health resources to regions that potentially face suicide spikes.

The project is set to begin this month and finish by the end of June, if not before.

First, the PHAC and ASI will work to broadly define these suicide-related behavior terms: ideation (i.e., thoughts), behaviors (i.e., suicide attempts, self-harm, suicide) and communications (i.e., suicidal threats, plans). The next phase will be to use the classifier to research the “general population of Canada” in order to identify patterns associated with users who discuss suicide-related behavior online.

Read more at https://nakedsecurity.sophos.com/2018/01/04/artificial-intelligence-to-listen-for-suicidal-thoughts-on-social-media/

Ad scripts track users via browser password managers

By John E Dunn

Researchers have spotted a sly new technique adopted by advertising companies to track web users that can’t be stopped by private browsing, clearing cookies or even changing devices.

The method, discovered by Princeton’s Center for Information Technology Policy, exploits the fact that many web users rely on the login managers built into browsers to autofill login details (email address and password) when they visit a familiar website.

Normally this is an innocent process, but on a small number of sites that have embedded either one of two tracking scripts – AdThink and OnAudience – the user is fed a second invisible login screen on a subsequent page that is autofilled by most browser password managers without the user realizing this is happening.

At this point, the scripts capture a hashed version of the user’s email address, which is sent to one or more remote servers run by the advertising companies including, in the case of AdThink, large data broker Acxiom.

But what use is a hashed and therefore unusable email address? Quite simply:

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier.

Email addresses don’t change often or at all, which means:

The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps.

The researchers speculate that tracking users via an email address identifier might even allow advertisers to join different browsing histories together even after cookies have been cleared.
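The technique hinges on a login form the user never sees but the password manager fills anyway. As an added example (not from the Princeton study or the article), here is a static audit a site owner or crawler can run over a page's HTML to flag password fields hidden by inline styles, the `hidden` attribute or off-screen positioning; the sample page is constructed, and class-based or stylesheet hiding is out of scope for this check.

```python
"""Flag password inputs that the user cannot see but autofill can still fill.

Added example for this digest, not code from the study. Uses only the
standard library; the HIDDEN_STYLE patterns are an assumed, non-exhaustive
list of inline-style tricks that make an element invisible.
"""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",          # parked far off-screen
    re.IGNORECASE,
)
VOID = {"input", "br", "img", "meta", "link", "hr"}   # tags with no end tag


def _is_hidden(attrs):
    """True if an element's own attributes hide it from view."""
    a = dict(attrs)
    return "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))


class HiddenLoginFinder(HTMLParser):
    """Collects password inputs hidden directly or by any open ancestor."""

    def __init__(self):
        super().__init__()
        self._stack = []       # one bool per open non-void tag: is it hidden?
        self._form = None      # id of the enclosing <form>, if any
        self.findings = []     # (form id, input name) for each hidden password field

    def handle_starttag(self, tag, attrs):
        hidden = _is_hidden(attrs)
        if tag == "form":
            self._form = dict(attrs).get("id")
        if tag in VOID:
            a = dict(attrs)
            if tag == "input" and (a.get("type") or "").lower() == "password":
                if hidden or any(self._stack):
                    self.findings.append((self._form, a.get("name")))
            return
        self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        if tag not in VOID and self._stack:
            self._stack.pop()


def find_hidden_password_fields(html):
    """Return [(form id, input name), ...] for password fields the user cannot see."""
    finder = HiddenLoginFinder()
    finder.feed(html)
    return finder.findings
```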

Read more at https://nakedsecurity.sophos.com/2018/01/03/ad-scripts-track-users-via-browser-password-managers/
