August 16, 2018

Australians who won’t unlock their phones could face 10 years in jail

By Danny Bradbury

The Australian government wants to force companies to help it get at suspected criminals’ data. If they can’t, it would jail people for up to a decade if they refuse to unlock their phones.

The country’s Assistance and Access Bill, introduced this week for public consultation, strengthens the penalties for people who refuse to unlock their phones for the police. Under Australia’s existing Crimes Act, judges could jail a person for two years for not handing over their data. The proposed Bill extends that to up to ten years, arguing that the existing penalty wasn’t strong enough.

The Bill takes a multi-pronged approach to accessing a suspect’s data by co-opting third parties to help the authorities. New rules apply to “communication service providers”, which is a definition with a broad scope. It covers not only telcos, but also device vendors and application publishers, as long as they have “a nexus to Australia”.

These companies would be subject to two kinds of government order that would compel them to help retrieve a suspect’s information.

The first of these is a ‘technical assistance notice’ that requires telcos to hand over any decryption keys they hold. This notice would help the government in end-to-end encryption cases where the target lets a service provider hold their own encryption keys.

But what if the suspect stores the keys themselves? In that case, the government would pull out the big guns with a second kind of order called a technical capability notice. It forces communications providers to build new capabilities that would help the government access a target’s information where possible.

Read more at https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/

Sacramento admits to tracking welfare recipients’ license plates

By Lisa Vaas

As the American Civil Liberties Union (ACLU) found out in 2015 through the Freedom of Information Act, the US Drug Enforcement Administration (DEA) has for years been building a massive national license plate reader (LPR) database that it shares with federal and local authorities, with no clarity on whether courts are overseeing its use.

That blasé approach to mass surveillance of drivers is holding steady, as evidenced by recent revelations about California using an LPR database to track down welfare cheats.

It’s doing so in a manner that’s against the law. As the Electronic Frontier Foundation (EFF) noted when it revealed the surveillance two weeks ago, “California law is crystal clear” on this: any entity – including government agencies such as those that administer welfare programs – that accesses data collected by automated license plate readers (ALPRs) must implement a privacy and usage policy that ensures that use of this sensitive information “is consistent with respect for individuals’ privacy and civil liberties.”

ALPRs snap photos of all license plates from street poles and police cars as vehicles drive by. To legally get at those images, the Sacramento County Department of Human Assistance (DHA) should have had a policy that includes periodic audits. Also, each time that LPR data was looked up, a purpose should have been recorded.

But for the two years preceding the EFF’s California Public Records Act request, the DHA didn’t tick off those two basic legal requirements – or if they did, it didn’t show up in the logs seen by the EFF.

In fact, between June 2016 and July 2018, 22 employees working on welfare fraud searched ALPR data more than 1,000 times – all without privacy policies posted online or written anywhere, as required by law. Some employees only dipped a toe into the database, running a single search, while others ran more than 100 searches. One employee ran 214 searches over the course of 20 months, the EFF found.

Read more at https://nakedsecurity.sophos.com/2018/08/16/sacramento-admits-to-tracking-welfare-recipients-license-plates/

Silk Road founder Ross Ulbricht is dictating tweets from prison

By Lisa Vaas

Ross Ulbricht is forbidden from going online, but that hasn’t stopped him from tweeting.

Ulbricht – formerly known as Dread Pirate Roberts, founder of the Silk Road Dark Web online market – was convicted in 2015 of money laundering, conspiracy, and drug- and hacking-related charges.

He was sentenced to double life sentences without parole, plus another 40 years – but that hasn’t kept him quiet: his family opened a Twitter account for him in June, and they’ve been posting his tweets ever since.

After he was convicted, Ulbricht’s mother, Lyn Ulbricht, launched the “Free Ross Ulbricht” campaign, which accuses the government of framing her son as part of the “failed War on Drugs.” The campaign portrays his case as a milestone in the government’s crackdown on internet freedom.

The campaign reads:

This is a sentence that shocks the conscience. The website Silk Road was an e-commerce platform similar to eBay, where individual users chose what to list for sale. Both legal and illegal items were sold, most commonly small amounts of cannabis.

Ross is condemned to die in prison, not for dealing drugs himself but for a website where others did. This is far harsher than the punishment for many murderers, pedophiles, rapists and other violent people.

You might be forgiven if you were to raise an eyebrow at Ulbricht being called nonviolent, given that six separate murder-for-hire incidents were leveled against him. If he had been found guilty of any of those charges, we could safely assume he had a rather harsh way of dealing with business competitors.

But he was not. None of the murder-for-hire allegations turned up in the final charge-sheet.

At the time of his sentencing, however, family members of several people thought to have died of drugs purchased on Silk Road appeared in court. Those deaths were highly significant in what might otherwise seem like an overly harsh sentence for a “nonviolent” offender.

Read more at https://nakedsecurity.sophos.com/2018/08/16/silk-road-founder-ross-ulbricht-is-dictating-tweets-from-prison/

Bogus journals being used to publish fake science

By John E Dunn

If post-truth has an alarming ring to it, try to imagine a world full of fake science – fake science that is incredibly hard to distinguish from the real thing.

According to a DEF CON presentation written up by Motherboard that would sound like the outline for an amusing Sacha Baron Cohen satire if it wasn’t so serious, such fake science is already upon us.

It seems that thousands of scientists and companies across the world want the credibility boost from having research published, and a cottage industry of bogus publishers has sprung up to service this need – for a fee of course.

Analyzing the 175,000 articles published by “predatory journals”, journalists Svea Eckert, Till Krause, and Online Privacy Foundation co-founder Chris Sumner, counted hundreds of papers from academics at leading universities as well as volumes promoted by pharmaceutical and tobacco companies.

This isn’t just vanity publishing, however – after studying two major sites in the sector, they discovered tens of thousands of abstracts for fake scientific papers, including 15,000 from India and 13,000 that originated from the US.

In the last decade, these sites alone had even received 162 papers from Stanford, 153 from Yale, 96 from Columbia, and 94 from Harvard.

It’s likely that several slightly different things are going on here. Some academics might be paying sites to cite research that might not pass strict peer review in order to boost their reputations.

Read more at https://nakedsecurity.sophos.com/2018/08/16/bogus-journals-being-used-to-publish-fake-science/

Google is tracking your location, even when the setting is turned off

By John E Dunn

Shock horror – it appears Google can track the location of anyone using some of its apps on Android or iPhone even when they’ve told it not to.

That’s according to an “exclusive” from the Associated Press (AP) which describes how researchers at Princeton University have confirmed that Google’s ability to record a user’s location history goes deeper than many realise.

Officially, Android users can turn off tracking using a slider button in the Location section under Settings.

Once deactivated, Google no longer stores a timeline and a precise record of a user’s movements when they take their Android device (or iPhone running Google services and apps) with them.

Checking this in Maps can be done by visiting Google’s Account Settings > My Account Activity > Other Account Activity > click ‘Visit Timeline’ under Location History. This should show a history of a user’s movements while using their device.

But according to AP’s research, turning off Location History doesn’t stop certain Google apps (Maps and Weather for instance) from storing a timestamped location when you open them.

Confusingly, this isn’t the same as Location Data, which uses a range of techniques (cell towers but especially Wi-Fi geolocation) to track where people are, sometimes to within a few metres.

Read more at https://nakedsecurity.sophos.com/2018/08/15/google-is-tracking-your-location-even-when-the-setting-is-turned-off/

Are your Android apps listening to you?

By Matt Boddy

Here’s a thing: numerous apps on your phone have permission to access your microphone.

Some, like the Phone app itself, were on the phone when you got it, but you’ve almost certainly added others – WhatsApp, Skype and Facebook, for instance – along the way.

From the moment you gave those apps audio permission, they’ve been able to listen in whenever they want, without telling you.

In theory, you’ll never know if an app is overstepping the mark; in practice, however, there are some cool ways of checking to see when an app is listening in.

Keeping track of an app’s behavior is a handy technical skill to have, so we’re going to show you how to look at the system calls made by your Android mobile to the audio subsystem.

No more audio secrets!

By following our tutorial, you can keep track of exactly when an app is accessing the microphone.

Note. For this article, we used a test device that was wiped first and then rooted. This means we deliberately altered the security settings to give us administrative access – on Linux/Android, the admin account is called root, so getting root access is colloquially called rooting. We strongly recommend that you don’t do research of this sort on your regular phone, just in case something goes wrong. And definitely don’t try this on your work phone!

Read more at https://nakedsecurity.sophos.com/2018/08/15/are-your-android-apps-listening-to-you/

August 15, 2018

FBI warns banks that crooks are planning choreographed ATM drainage

By Lisa Vaas

The FBI has alerted banks that in the coming days cybercrooks are planning to spring a highly choreographed, multinational “ATM cashout” that could drain their cash machines of millions within the span of hours.

In an ATM cashout, cybercrooks hack a bank or payment card processor, lift fraud controls such as withdrawal limits and/or account balances and/or number of daily withdrawals, outfit so-called “casher crews” with cloned cards, and send them out to simultaneously descend on cash machines and strip them of money before the banks sound the alarm and slam down the window of opportunity.

Cybercrime journalist Brian Krebs on Sunday reported that the FBI alert to banks indicated that the plot could be triggered any day now.

From the confidential alert, which was privately sent to banks on Friday:

The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’.

According to Krebs, the FBI said that “unlimited operations” compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large-scale theft of funds from ATMs.

Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.

What kind of vulnerability, you may well ask? We have no idea. Perhaps it’s a vulnerability that’s got an inch or two of dust on it? In January, the US Secret Service sent out an alert about ATM “jackpotting” attacks that used malware known as Ploutus.D: a malware to which ATMs running Windows XP are particularly vulnerable.

Read more at https://nakedsecurity.sophos.com/2018/08/15/fbi-warns-banks-that-crooks-are-planning-choreographed-atm-drainage/

Apple Mac “zero day” hack lets you sneakily click [OK]

By Paul Ducklin

At the recent DEF CON cybersecurity conference in Las Vegas, macOS security researcher Patrick Wardle did something that the responsible disclosure doctrine says is a bit naughty.

He “dropped 0day” on Apple’s macOS, meaning that he publicly revealed an exploit for which no patch is yet available.

Exploits against unpatched vulnerabilities are known as zero-days for short, or 0days for supershort, because even an on-the-ball system administrator has had zero days to get ahead of the game with updates.

In an ideal world, Wardle would have told Apple quietly first, waited until a fix was out – or a suitable deadline had passed that implied Apple couldn’t be bothered to fix the issue – and only then gone public.

Fortunately, as zero-day hacks go, this one isn’t super-serious – a crook would have to infect your Mac with malware first in order to use Wardle’s approach, and it’s more a tweak to an anti-security trick that Wardle himself found and reported last year than a brand-new attack.

The word zero-day originates in the 1980s and 1990s software piracy scene, where crackers competed to be the first to hack a new game so it could be played illegally without paying. The speed of a crack was measured in the number of days after official release until the crack appeared, so that a same-day crack, known as a “zero-day”, was the ultimate achievement.

Read more at https://nakedsecurity.sophos.com/2018/08/14/apple-mac-zero-day-hack-lets-you-sneakily-click-ok/

Pacemaker controllers still vulnerable 18 months after flaws reported

By John E Dunn

A popular brand of heart pacemaker is still vulnerable to compromise more than a year and a half after the company that makes them was told of weaknesses in its security, researchers have claimed during a Black Hat presentation.

The product in question is the Medtronic CareLink 2090 monitor, used by doctors to control pacemaker settings, and the researchers are Billy Rios of QED Secure Solutions and Jonathan Butts of WhiteScope, both of whom have an impressive track record at finding flaws in unexpected places.

Last year the pair used a show session to highlight flaws that might allow an attacker to gain control of poorly-secured car washes, while Rios has also co-researched weaknesses in diverse devices such as electronic door security and X-ray machines.

This year’s session on pacemaker hacking sounded a lot more dangerous, however, a medical theme the pair underscored by demonstrating a separate attack on Medtronic’s MiniMed insulin pump.

As reported by journalists who attended the demo, the vulnerability that makes it possible for an attacker to run malware on the CareLink 2090 is down to poor software design, primarily that software updates aren’t signed or encrypted.

This is far from an unknown issue on IoT devices, but the session wasn’t simply about what is possible so much as how the manufacturer had responded after being told of the weakness.

As of 9 August, the issue had first been reported to Medtronic 570 days ago, with a proof-of-concept 155 days ago, they said.

Read more at https://nakedsecurity.sophos.com/2018/08/14/pacemaker-controllers-still-vulnerable-18-months-after-flaws-reported/

August 14, 2018

Police body cameras open to attack

By Danny Bradbury

Police officers in the US often wear body cameras to protect themselves and reduce complaints from the public. Now, though, a security researcher has revealed that these cameras could put evidence – and even police officers themselves – at risk.

Josh Mitchell, a consultant at security firm Nuix, analysed cameras from five vendors who sell them to US law enforcement agencies. Presenting at the DEF CON conference last week, he highlighted vulnerabilities in several popular brands that could place an attacker in control of a body camera and tamper with its video.

Attackers could access cameras in several ways, Mitchell said. Many of them include Wi-Fi radios that broadcast unencrypted sensitive information about the device. This enables an attacker with a high-powered directional antenna to snoop on devices and gather information including their make, model, and unique ID. An attacker could use this information to track a police officer’s location and find out more about the device that they are using. They might even be able to tell when several police officers are coordinating a raid, he said.

Mitchell’s research found that some devices also include their own Wi-Fi access points but don’t secure them properly. An intruder could connect to one of these devices, view its files and even download them, he warned. In many cases, the cameras relied on default login credentials that an attacker could easily bypass.

Read more at https://nakedsecurity.sophos.com/2018/08/14/police-body-cameras-open-to-attack/

11-year-old hacker changes election results

By Lisa Vaas

At the DefCon Voting Village in Las Vegas last year, participants proved it was child’s play to hack voting machines: As Wired reported, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine.

This year, it was literally child’s play: the DefCon village this past weekend invited 50 kids between the ages of 8 and 16 to compromise replicas of states’ websites in the so-called “DEFCON Voting Machine Hacking Village.”

11-year-old Emmett Brewer is too young to vote, but it turned out that he’s not too young to learn how to change election results on a replica of Florida’s state website… in under 10 minutes, mind you, as the Voting Village announced on Friday.

The kids were given rudimentary instruction in performing SQL injection attacks: one of the web attacks that refuses to die.

The organizers are still analyzing the results of the project, but they said that they invited the kids to tamper with vote tallies, candidate names, and party names.

Mission accomplished: Nico Sell, the co-founder of the non-profit r00tz Asylum – an organization that teaches kids reverse engineering, soldering, cryptography, and responsible bug disclosure and which helped to organize the event – told PBS News Hour that more than 30 children managed to change state site replicas in under 30 minutes.

Read more at https://nakedsecurity.sophos.com/2018/08/14/11-year-old-hacker-changes-election-results/

Facebook news feed changes – it’s a hoax!

By Lisa Vaas

Remember Certs? It was a candy mint. It was a breath mint. It was two! Two! Two mints in one!

The Facebook hoax du jour is like that: it’s a hoax about Facebook limiting your news feed to 26 people! It’s a hoax about users being able to copy and paste their way into a Whole New News Feed! It’s Two! Two! Two hoaxes in one!

Here are the hoax mongers’ instructions on how to dupe Facebook’s cursed (fictional) friend-limiting algorithm.

It WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years.

Here’s how to bypass the system FB now has in place that limits posts on your news feed.

Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, I ask you all a favor so I can see your news feed and you can see mine.

Hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go to your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up and click paste.

This will bypass the system.

The 26-friends-only algorithm hoax dates back to the beginning of the year, coming as it did on the heels of a real Facebook announcement from 11 January about a major overhaul in how Facebook’s newsfeed works.

The change wasn’t about squeezing out your friends, though. In fact, Facebook had the opposite in mind: squeezing businesses out of your news feed. The point was to get more personal content from friends and family into our news feeds, as opposed to corporate posts, be they from corporations, businesses or media.

Read more at https://nakedsecurity.sophos.com/2018/08/14/facebook-news-feed-changes-its-a-hoax/

How a cryptocurrency-destroying bug almost didn’t get reported

By Danny Bradbury

A researcher recently revealed how he found a bug that could have brought the fourth largest cryptocurrency to its knees – and how he struggled to report it.

Cory Fields, who works as a developer at MIT Media Labs’ Digital Currency Initiative, found the bug in Bitcoin Cash, which is an alternative cryptocurrency to Bitcoin based on software called Bitcoin ABC. A group of activists in the Bitcoin community introduced the software after becoming unhappy with the direction that the developers of the original Bitcoin software (known as Bitcoin Core) were taking.

When people began using Bitcoin ABC, they created a hard fork of the Bitcoin blockchain. This is a separate blockchain – a new ledger of transactions that split off from the original Bitcoin blockchain and is incompatible with it. It’s akin to one community in a town leaving and setting up their own town with its own rules.

Since then, the Bitcoin Cash blockchain has existed as an alternative to the original, and various members of its community have proclaimed it as the ‘real’ Bitcoin. At the time of writing, it had the fourth biggest market capitalization of any cryptocurrency at almost $10bn.

Fields, who is a Bitcoin Core developer, discovered a bug in Bitcoin Cash that could have allowed attackers to create their own involuntary split in the Bitcoin Cash blockchain. According to his Medium post, someone in the Bitcoin Cash developer community updated the rules in the software that verifies Bitcoin Cash transactions before including them on the blockchain.

Read more at https://nakedsecurity.sophos.com/2018/08/13/how-a-cryptocurrency-destroying-bug-almost-didnt-get-reported/

Siri is listening to you, but she’s NOT spying, says Apple

By Lisa Vaas

Are our iPhones eavesdropping on us? How else would Siri hear us say “Hey, Siri” other than if she were constantly listening?

That’s what Congress wondered, and it wanted Apple to explain. It also wanted to know about how much location data iPhones are storing and handing over about us.

So the US House of Representatives Energy and Commerce Committee sent a letter to Apple CEO Tim Cook on the matter of Apple having recently cracked down on developers whose apps share location data in violation of its policies.

The letter posed a slew of questions about how Apple has represented all this third-party access to consumer data, about its collection and use of audio recording data, and about location data that comes from iPhones.

On Tuesday, Apple responded.

Much of the response letter translates into “We Are Not Google! We Are Not Facebook!” As in, Apple’s business model is different from those of other data-hoovering Silicon Valley companies that rely on selling consumer information to advertisers:

The customer is not our product, and our business model does not depend on collecting vast amounts of personally identifiable information to enrich targeted profiles marketed to advertising.

Timothy Powderly, Apple’s director of federal government affairs, emphasized in the letter that Apple minimizes collection of data and anonymizes what it does collect:

We believe privacy is a fundamental human right and purposely design our products and services to minimize our collection of customer data. When we do collect data, we’re transparent about it and work to disassociate it from the user.

And no, Siri is not eavesdropping. The letter went into specifics about how iPhones can respond to voice commands without actually eavesdropping. It has to do with locally stored, short buffers that only wake up Siri if there’s a high probability that what it hears is the “Hey, Siri” cue.

Read more at https://nakedsecurity.sophos.com/2018/08/13/siri-is-listening-to-you-but-shes-not-spying-says-apple/

Feds indict 12 for allegedly buying iPhones on other people’s dimes

By Lisa Vaas

The Feds have indicted a dozen people for allegedly using hacked cell phone accounts to “upgrade” to nice, shiny new iPhones and other pricey gadgets, waltzing into stores to pay the small upgrade fees, sticking victims with the rest of the costs, selling the loot for full purchase price, and pocketing the profit.

The US Department of Justice (DOJ) announced the indictments on Thursday.

Geoffrey S. Berman, the US Attorney for the Southern District of New York, and Angel M. Melendez, a special agent with the New York office of the Immigration and Customs Enforcement’s (ICE’s) Homeland Security Investigations (HSI), said they’ve got seven suspects – six were arrested in southern New York, and one in Ohio – while another five are still on the loose.

They stand accused of improperly accessing more than 3,300 customers’ cellphone accounts and defrauding those accounts of the cost of more than 1,200 cellphones, causing losses of more than $1 million.

Berman said that the fraud ring pulled off the heists, which were carried out nationwide, by first allegedly buying their victims’ account details off the dark web, then allegedly hacking into their accounts.

Melendez said that the fraud network was operating out of New York – most particularly in the Bronx, which is where they sold many of the iPhones, iPads, tablets and watches they bilked people out of. It was also operating out of the Dominican Republic; from other, unspecified places; and on the dark web, he said.

According to the indictment, defendants allegedly traveled to 30 states to get the phones, then often brought them back to the Bronx to sell through fencing operations. The cellphone carriers absorbed the financial losses, but the victims suffered the theft of their identities and/or had their accounts accessed without authorization.

Read more at https://nakedsecurity.sophos.com/2018/08/13/feds-indict-12-for-allegedly-buying-iphones-on-other-peoples-dimes/

In-flight satellite comms vulnerable to remote attack, researcher finds

By John E Dunn

IOActive’s researcher Ruben Santamarta is the sort of person anyone interested in computer security would probably enjoy sitting next to on a long flight.

Take the journey he made last November between Madrid and Copenhagen on Norwegian during which (naturally) he decided to use Wireshark to study the aircraft’s in-flight Wi-Fi.

As well as finding that Telnet, FTP and web were available for certain IPs, it turned out that an interface page for a Hughes aircraft satellite communication (SATCOM) router could also be accessed without authentication.

This is the system used by Norwegian that connects a plane to the ground to provide internet connectivity. (Icelandair and Southwest are customers too.)

In a Black Hat show paper last week, Last call for SATCOM Security, Santamarta and his colleagues published details of how this simple discovery put them on the trail of a string of larger security flaws that build on IOActive SATCOM vulnerability research dating back to 2014.

Read more at https://nakedsecurity.sophos.com/2018/08/13/in-flight-satellite-comms-vulnerable-to-remote-attack-researcher-finds/

August 13, 2018

How one man could have hacked every Mac developer (73% of them, anyway)

By Paul Ducklin

Here’s a cool fact: Macs run Unix.

OK, in some ways that’s only very loosely true, when you think of all the non-Unixy stuff on top of the Darwin base layer, and we welcome your comments below to explain just how carelessly loose we have been…

…but Macs are Unix computers – in fact, they’re UNIX computers – at least if they’re running a currently supported macOS, and that means lots of cool, useful, well-known and powerful tools for sysadmins, developers and power users, preinstalled and ready to go.

Here’s an eclectic, alphabetically-ordered subset of the utility programs that arrive on every brand new Mac, taken from the /usr/bin directory.

If Perl and Ruby don’t @float your $boat (language-war comments below, please, no need to hold back), you can also choose from other open-source programming languages such as Java, PHP, Python and Tcl.

Despite all this ready-to-go choice, however, Mac developers miss the ease with which their Linux chums can grab additional open source software packages.

Linux distros famously come with one or more package managers that can be told, with a single command in a terminal window, to call home, find the latest version of super-useful toolkit X, fetch it and install it.

No need to hunt down the X project online, find the right fork, identify the latest version, download the source code, inspect it, apply any needed tweaks, configure it, compile it, and install it.

Read more at https://nakedsecurity.sophos.com/2018/08/10/how-one-man-could-have-hacked-every-mac-developer-73-of-them-anyway/

Comcast Xfinity web flaws exposed customer data

By John E Dunn

There is no comfortable way for an organization to learn that its website is leaking customer data but one of the most alarming must surely be getting that bad news from a journalist.

This is what appears to have happened to US communications giant Comcast Xfinity, which has had to patch two significant web vulnerabilities after Buzzfeed News learned of the issues from researcher Ryan Stevenson.

Flaw #1

The first was found on the in-home authentication page through which customers can pay bills without the inconvenience of having to log in.

It seems the company authenticated users by asking them to choose their home address from one of four possibilities, selected by looking at one of the headers added to the HTTP request.

The HTTP header used to “identify” the user contained their public-facing Comcast IP address – data that isn’t suitable to use as a secret identifier.

An attacker who knew your IP number could therefore insert it into their own web requests, and keep refreshing the identification page – each time they refreshed, the list of home addresses returned would include your address plus three randomly chosen other addresses.

The address that showed up every time would, rather obviously, be yours – the attacker wouldn’t ever even need to guess and risk getting locked out.
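As an added illustration (not the article’s or Comcast’s own code), here is a small model of the identification step just described: a lookup that trusts a client-supplied IP header and mixes the real address with three decoys, the same lookup bound to a server-issued session instead, and a log check for repeated identification requests whose TCP peer does not match the header. The header name, subscriber table and log lines are constructed for the example.

```python
import random
from collections import defaultdict

# Constructed subscriber table: public IP address -> service address.
SUBSCRIBERS = {
    "203.0.113.10": "12 Elm St",
    "203.0.113.11": "9 Oak Ave",
    "203.0.113.12": "44 Pine Rd",
    "203.0.113.13": "7 Birch Ln",
    "203.0.113.14": "301 Cedar Ct",
}

# Hypothetical name for the request header the article says carried the
# customer's public-facing IP; the real header name is not given.
IDENTITY_HEADER = "X-Subscriber-IP"


def vulnerable_candidates(headers, seed=None):
    """The flawed design: who you are is read from a header the client
    controls, and the real service address is returned among three decoys.
    The decoys change on every request but the real entry does not, so the
    list leaks the address to anyone able to supply the header value."""
    rng = random.Random(seed)
    real = SUBSCRIBERS[headers[IDENTITY_HEADER]]
    decoys = rng.sample([a for a in SUBSCRIBERS.values() if a != real], 3)
    options = [real] + decoys
    rng.shuffle(options)
    return options


def session_token(headers):
    """Pull the session token out of a Cookie header of the form 'session=...'."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def hardened_candidates(headers, sessions):
    """The hardened design: identity comes only from a server-issued session
    (sessions maps token -> subscriber IP). The IP header is never consulted,
    so a forged header yields nothing, and an unauthenticated request gets
    None (the caller answers 401 and sends the user to log in)."""
    ip = sessions.get(session_token(headers))
    if ip is None:
        return None
    return [SUBSCRIBERS[ip]]


# Constructed access-log excerpt, one request per line: "<tcp peer> <header value> <path>".
ACCESS_LOG = """\
198.51.100.7 203.0.113.10 /identify
198.51.100.7 203.0.113.10 /identify
198.51.100.7 203.0.113.10 /identify
198.51.100.7 203.0.113.10 /identify
203.0.113.11 203.0.113.11 /identify
203.0.113.12 203.0.113.12 /pay
198.51.100.9 203.0.113.13 /identify
"""


def flag_header_mismatch(log_text, threshold=3):
    """Detection: count /identify hits per (peer, header) pair where the TCP
    peer address differs from the address asserted in the header. A customer
    on their own connection normally matches; repeated mismatches from one
    peer are the refresh pattern the article describes. Returns the pairs
    that reach the threshold, with their hit counts."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        peer, claimed, path = line.split()
        if path == "/identify" and peer != claimed:
            counts[(peer, claimed)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}
```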

Read more at https://nakedsecurity.sophos.com/2018/08/10/comcast-xfinity-web-flaws-exposed-customer-data/

15,000-strong army of Twitter robots found spreading cryptocurrency spam

By Lisa Vaas

Twitter may be fighting the bot battle, but it’s still got plenty of multi-legged e-millipedes crawling around its ecosystem.

That was evidenced by a large, cryptocurrency scam-spewing collection of robot accounts – at least 15,000 of them – found by Duo Security researchers while they were conducting a three month study.

The researchers announced the find on Wednesday at the Black Hat security conference.

The bots in this case were aimed at parting you from your precious cryptocoins with bogus posts – posts of the #Blockchain #Crypto #tokens #bitcoin #eth #etc #loom #pundix #icx #ocn #nobs #airdrop #ICO #Ethereum #giveaway type.

Of course, Twitterbots can be useful: they help keep weather, sports and other news updated in real-time, and they can help find the best price on a product or track down stolen content.

Bad bots, however, are the bane of Twitter’s existence.

For example, Twitter has recently purged tens of thousands of accounts associated with Russia’s meddling in the 2016 US presidential election.

More recently, in June, Twitter described how it’s trying to fight spam and malicious bots proactively by automatically identifying problematic accounts and behavior.

Read more at https://nakedsecurity.sophos.com/2018/08/10/15000-strong-twitter-robot-army-found-spreading-cryptocurrency-spam/

Facebook ‘regrets’ balloons and confetti triggered by earthquake posts

By Lisa Vaas

Does your stomach churn a little when your Facebook post triggers saccharine animations of popping hearts or confetti and balloons?

That’s nothing. The let’s-festoon-everything-with-glee impulse got Facebook into trouble this week: it pulled the animated confetti-and-balloons shtick on posts from people reporting that they had survived a 6.9 magnitude earthquake that killed at least 259 people and left some 150K homeless on the Indonesian island of Lombok on Sunday.

The death toll will rise. The BBC reports that as of Thursday, rescue workers were still digging people out of the rubble.

Facebook has apologized for survivors’ “I’m safe” messages triggering the celebratory animations. The misstep comes out of a bungled translation of the word “selamat,” which in Indonesian can mean “to survive” or “congratulations.”

Herman Saksono, an Indonesian computer science PhD student at Northeastern University in Boston, noticed the inappropriate Facebook action over the weekend and tweeted out a screen capture that shows the word highlighted in red as it triggers the inappropriately gleeful animation.

Read more at https://nakedsecurity.sophos.com/2018/08/10/facebook-regrets-balloons-and-confetti-triggered-by-earthquake-posts/

Google to warn companies targeted in government-backed attacks

By Maria Varmazis

Is your company running G Suite? If so, from August you’ll have the option to enable alerts if Google suspects government-backed hacking attempts on any of your accounts.

Since 2012, Google has been alerting individual Google account users if it suspects their account has been targeted by government-backed attackers using any number of phishing- or malware-based methods (malicious attachments, scripts embedded in files, dodgy links). This August update now offers these alerts to G Suite administrators as well so they can take action to protect their users.

In the case of suspected government-backed activity on an organization’s G Suite account, an email alert would go directly to the G Suite super admins – not the user. From there, the admins can then choose what to do with that information: Bolster security on that user’s account, share the information with other team members, and/or warn the user directly.

Google notes that “less than 0.1% of all Gmail users” receive a notification of potential government-backed attacks on their accounts, and the notification is not sent in real-time. Google also takes pains to note that:

  1. Their suspicion of an attack could very well be a false alarm.
  2. Google will not name the specific methods they’ve detected that could be triggering the alarm.
  3. Google will not attempt to attribute the attack to any party, government or nation.

In any case, since the notifications are light on details and aren’t sent in real-time, users and admins alike may be left scratching their heads wondering what exactly triggered this warning. This could be frustrating for G Suite administrators who might want this information to understand what kinds of targeted attacks are coming their organization’s way. However, Google argues that the end result is the same regardless of whether you’re a user or an admin: Take additional precautions to secure user accounts.

Read more at https://nakedsecurity.sophos.com/2018/08/09/google-to-warn-companies-targeted-in-government-backed-attacks/

“Attack” on FCC over net neutrality was legitimate traffic, report says

By Lisa Vaas

Oh, that poor, poor, net neutrality commenting system. If it wasn’t HBO’s John Oliver unleashing his flying monkeys on the Federal Communications Commission (FCC) – him with that site of his, giving people an actual, direct, non-convoluted way to get to the spleen-venting comments page – it was those gosh-darned distributed denial of service (DDoS) attacks.

As you may recall, in May 2017, the FCC was advancing its plan to curtail the USA’s net neutrality rules when Oliver served up an epic 19-minute rant inciting vast mobs of internet users to rise up and demand that the FCC get out of their faces.

At the height of the net neutrality debate, the commenting system struggled under the strain of responding to the mighty onslaught of visitors, leaving people stuck stewing in that spleen for a few days. At the time, FCC CIO Dr. David Bray blamed the bombardment on all those nasty hackers:

These were deliberate attempts by external actors to bombard the FCC’s comment system… While [it] remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments.

Yes. Well. So. Anyway. About those DDoS attacks.

On Monday FCC Chairman Ajit Pai issued a statement ahead of an FCC Office of Inspector General (OIG) report that found no evidence that a DDoS attack had taken place.

Read more at https://nakedsecurity.sophos.com/2018/08/09/attack-on-fcc-over-net-neutrality-was-legitimate-traffic-report-says/

August 9, 2018 »

Snapchat source code leaked on GitHub – but no one knows why

By John E Dunn

What just befell a “small” piece of Snapchat’s source code, and should users be concerned?

Things took a turn for the worse earlier this week when Twitter users got wind that the company had filed a takedown request under the Digital Millennium Copyright Act (DMCA) on 2 August 2018 in response to a portion of precious code being posted on GitHub.

Asking GitHub to remove commercially sensitive source code isn’t surprising in the least, although some claimed they detected a note of mild panic in the language used. In answer to the question identifying which copyrighted work had been infringed, Snap’s employee replied in full caps:

SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.

Given the situation, to most observers this will sound perfectly reasonable. The company followed up by confirming to Motherboard that a “small amount” of the source code for its iOS app had leaked in May during an update:

We discovered that some of this code had been posted online and it has been subsequently removed.

However, the company made two further claims that are open to question, the first being that the company was:

Able to identify the mistake and rectify it immediately.

This sounds reassuring and yet clearly someone managed to grab the code and post it to GitHub (not to mention the possibility that the code sat on GitHub for two months before this was noticed).

Read more at https://nakedsecurity.sophos.com/2018/08/08/snapchat-source-code-leaked-on-github/

Facebook wants to be the future of online banking

By Lisa Vaas

Here’s what the Wall Street Journal reported on Monday: Facebook has asked big banks to share their customers’ personal financial data, including card transactions and checking-account balances.

And here, basically, was the response from anybody who’s ever heard of Cambridge Analytica: Hysterical laughter with a bit of “Oh, hell NO. We should trust Facebook with our financial data why!?”

And here, in essence, was Facebook’s response, as it tried once again to convince everybody that it knows how to spell the word “privacy”: No, we aren’t asking for financial data! We just want to insert ourselves between you and your bank and keep you from waiting on the phone so long. Because bots! Chatbots! In Messenger!

Facebook has, in fact, approached big banks, including Wells Fargo, JPMorgan Chase, Citigroup and US Bancorp, with an eye toward partnering. According to the WSJ, this is how it envisions this swap: the banks will give Facebook its users’ banking data, and the platform would give bank customers the ability to conduct business within Facebook itself – specifically, within Messenger.

People familiar with the talks told the newspaper that one feature Facebook has discussed would show its users their checking-account balances. It’s also pitching fraud alerts, some insiders have said. The WSJ also reports that the banks have been approached by Google and Amazon on the data-sharing front: they reportedly want to provide basic banking services on applications such as Google Assistant and Alexa.

A spokesperson for Facebook told The Next Web that no, Facebook hasn’t asked banks for users’ transaction data. Rather, this is all about getting banking chatbots into Messenger to chat us up.

Read more at https://nakedsecurity.sophos.com/2018/08/08/facebook-wants-to-be-the-future-of-online-banking/

Could deliberately adding security bugs make software more secure?

By John E Dunn

The best way to defend against software flaws is to find them before the attackers do.

This is the unshakeable security orthodoxy challenged by a radical new study from researchers at New York University. The study argues that a better approach might be to fill software with so many false flaws that black hats get bogged down working out which ones are real and which aren’t.

Granted, it’s an idea likely to get you a few incredulous stares if suggested across the water cooler, but let’s do it the justice of trying to explain the concept.

The authors’ summary is disarmingly simple:

Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable.

By carefully constraining the conditions under which these bugs manifest and the effects they have on the program, we can ensure that chaff bugs are non-exploitable and will only, at worst, crash the program.

Each of these bugs is called a ‘chaff’, presumably in honor of the British WW2 tactic of confusing German aircraft radar by filling the sky with clouds of aluminum strips, which also used this name.

Arguably, it’s a distant version of the security by obscurity principle which holds that something can be made more secure by embedding a secret design element that only the defenders know about.

In the case of software flaws and aluminum chaff clouds, the defenders know where and what they are but the attackers don’t. As long as that holds true, the theory goes, the enemy is at a disadvantage.

The concept has its origins in something called LAVA, co-developed by one of the study’s authors to inject flaws into C/C++ software to test the effectiveness of the automated flaw-finding tools widely used by developers.

Of course, attackers also hunt for flaws, which is why the idea of deliberately putting flaws into software to consume their resources must have seemed like a logical jump.

Read more at https://nakedsecurity.sophos.com/2018/08/08/could-deliberately-adding-security-bugs-make-software-more-secure/

August 8, 2018 »

How Bitcoin and the Dark Web hide SamSam in plain sight

By Mark Stockley

For two and a half years someone has been terrorizing organisations by breaking in to their networks and infecting their computers with devastating, file-encrypting malware known as SamSam.

The attacks are regular, but rarer and more sophisticated than typical ransomware attacks, and the perpetrators extort eye-watering, five-figure ransoms to undo the damage they create.

This year alone, victims have included healthcare provider Allscripts, Adams Memorial Hospital, the City of Atlanta, the Colorado Department of Transportation and the Mississippi Valley State University.

By extracting high ransoms from a small number of victims who are reluctant to share news of their misfortune, the SamSam attackers have remained elusive while amassing an estimated fortune in excess of $6 million. Details about the attacks, the victims, the methods used and the nature of the malware itself have been hard to come by.

And yet, for all the mystery, some important aspects of SamSam attacks take place in plain sight.

One of the ways the man, woman or group behind SamSam gains entry to their targets is via RDP (the Remote Desktop Protocol), a technology that companies put in place so their employees can connect remotely. Companies that expose RDP to the internet are easy to discover with search engines like Shodan, and weak passwords can be found by brute force with publicly available underground tools like nlbrute.
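The RDP brute-forcing described above leaves a trail on the target before any ransomware runs. The detection below is an added example, not part of the article or of Sophos’s research: it scans a constructed, one-line-per-event rendering of Windows Security logon events (4625 failed logon, 4624 successful logon, logon type 10 for RDP) for a burst of failures from one source address, and notes when the same address later logs on successfully, which is the moment a password was guessed. Real Windows events carry these values under “Logon Type”, “Source Network Address” and “Account Name”; the compact format, addresses and usernames here are constructed.

```python
"""Flag RDP password guessing in Windows logon events (added example).

Input is a constructed, simplified rendering of Security log events; the
field names and one-line layout are for this example only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample: 198.51.100.7 hammers the RDP service and then gets in
# as "backup"; 192.0.2.5 is a user who mistyped a password once.
SAMPLE_LOG = """\
2018-08-01T02:13:05Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=administrator
2018-08-01T02:13:09Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=administrator
2018-08-01T02:13:14Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=admin
2018-08-01T02:13:20Z EventID=4625 LogonType=3 IpAddress=192.0.2.5 TargetUserName=jsmith
2018-08-01T02:13:21Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=backup
2018-08-01T02:13:30Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=backup
2018-08-01T02:13:44Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=backup
2018-08-01T02:13:58Z EventID=4624 LogonType=10 IpAddress=198.51.100.7 TargetUserName=backup
2018-08-01T02:40:00Z EventID=4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=jsmith
2018-08-01T02:41:10Z EventID=4624 LogonType=10 IpAddress=192.0.2.5 TargetUserName=jsmith
"""


def parse_events(text):
    """Parse the constructed format into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]), "lt": int(m["lt"]),
            "ip": m["ip"], "user": m["user"],
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: details} for sources with at least `threshold` RDP
    logon failures inside any sliding `window`; record a later RDP success
    from the same source as the sign that a password was found."""
    failures = defaultdict(list)
    for e in events:
        if e["eid"] == 4625 and e["lt"] == RDP_LOGON_TYPE:
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts[ip] = {
                    "first_failure": burst[0]["ts"],
                    "failures": len(evs),
                    "users_tried": sorted({e["user"] for e in burst}),
                    "success_after": None,
                }
                break

    for e in events:
        a = alerts.get(e["ip"])
        if a and e["eid"] == 4624 and e["lt"] == RDP_LOGON_TYPE and e["ts"] >= a["first_failure"]:
            a["success_after"] = e["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, a)
```

Filtering on logon type 10 keeps network logons (type 3) and console logons out of the count, so a file-share client with a stale password does not trip the rule; the threshold and window are the knobs to tune against your own baseline.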

SamSam ransom notes direct victims to a Dark Web website where the victim can exchange messages with the hacker. The website and the conversation are discreet but they aren’t secret – anyone with the Tor Browser can visit the site and watch the conversation unfold.

The ransom note also instructs victims on how to purchase bitcoins, and how to use them to pay their attacker. Like all Bitcoin transactions, the ransom payments happen in plain sight and the inflows and outflows of cash can be easily observed.

Read more at https://nakedsecurity.sophos.com/2018/08/07/how-bitcoin-and-the-dark-web-hide-samsam-in-plain-sight/

iPhone chipmaker blames ransomware for factory shutdowns

By Lisa Vaas

After a weekend in which it had to shut down several factories making iPhone chips, Taiwan chipmaker TSMC is back up and running and pinning the blame on a network virus infection – specifically, one inflicted by a WannaCry ransomware variant.

On Sunday, the Taiwan Semiconductor Manufacturing Company put out a statement saying that it had recovered about 80% of its affected tools after the variant hit production facilities over the weekend.

According to Bloomberg, the chipmaker said on Monday that full operations had been restored.

TSMC traced the virus infection to a supplier having installed tainted software without having first scanned it. When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung.

Nehal Chokshi, an analyst with Maxim Group LLC, told Bloomberg that the incident won’t cause any major delays. It would have been much worse if the production line was affected between raw wafer and finished chips, but it wasn’t. So in this case, the only delay for Apple to get its chips will be the number of days the factories were gummed up: that’s about three days, Chokshi said.

Read more at https://nakedsecurity.sophos.com/2018/08/07/iphone-chipmaker-blames-ransomware-for-factory-shutdowns/

Mozilla faces resistance over DNS privacy test

By John E Dunn

Is Mozilla’s enthusiasm for Cloudflare’s DNS-over-HTTPS (DoH) service getting out of hand?

Cloudflare launched its 1.1.1.1 public DNS resolver on 1 April, one of the first anywhere to support DoH, an emerging technology designed to secure Domain Name System (DNS) queries from prying eyes such as governments, ISPs, and the like.

Because browsers as well as DNS resolvers must support the DoH protocol, Mozilla adopted Cloudflare as its test partner with a view to integrating the technology in Firefox 62, due in September.
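What the browser and resolver actually exchange, as an added example that is not Mozilla’s or Cloudflare’s code. DoH (RFC 8484) wraps an ordinary DNS wire-format message in HTTPS: for a GET request the message is base64url-encoded without padding into the dns query parameter, and the answer comes back as an application/dns-message body. The code builds that request and decodes such a response. The response bytes are constructed for the example, and the Cloudflare endpoint URL is quoted from memory rather than from the article.

```python
"""Build an RFC 8484 DoH GET and decode a DNS wire-format answer (added example)."""
import base64
import struct

CLOUDFLARE_DOH = "https://cloudflare-dns.com/dns-query"  # assumed endpoint, see lead-in
TYPE_A = 1


def build_query(name, qtype=TYPE_A, txid=0):
    """DNS header with RD set plus one question. RFC 8484 suggests ID 0 so
    identical queries give identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, name, qtype=TYPE_A):
    """base64url with the '=' padding stripped, as the spec requires."""
    encoded = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{resolver_url}?dns={encoded.decode('ascii')}"


def _read_name(msg, off, max_jumps=16):
    """Decode a possibly compressed name; returns (name, offset after it).
    The jump limit stops a malicious response from looping forever."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata)]) for the answer section;
    A records are rendered as dotted quads, anything else as raw bytes."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


# Constructed response: example.com A 93.184.216.34, TTL 3600, with the
# answer name given as a compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = bytes.fromhex(
    "000081800001000100000000"    # header: response, NOERROR, 1 question, 1 answer
    "076578616d706c6503636f6d00"  # 7 "example" 3 "com" 0
    "00010001"                    # QTYPE A, QCLASS IN
    "c00c" "0001" "0001" "00000e10" "0004" "5db8d822"
)


def doh_lookup(name, resolver_url=CLOUDFLARE_DOH):
    """Live lookup over HTTPS; not exercised offline."""
    import urllib.request
    req = urllib.request.Request(doh_get_url(resolver_url, name),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print(doh_get_url(CLOUDFLARE_DOH, "example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

Because the whole exchange is an HTTPS request to one host, an on-path observer sees only that the browser talked to the resolver, which is the privacy gain; it also makes plain why the choice of that one resolver, and whether it is on by default, is the whole argument. Firefox of this era exposed that choice through the network.trr.mode and network.trr.uri preferences in about:config.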

But supporting DoH in a browser isn’t as simple as just enabling the protocol. Mozilla must also decide whether this support is enabled by default and, if so, which DoH server, or “Trusted Recursive Resolver” (TRR) it points to when the browser launches.

It turns out that Firefox’s DoH Shield test beta has already embedded Cloudflare as the default TRR, which hasn’t gone down well with everyone on several counts:

  • It puts a lot of trust in a company that’s already plugged into a lot of websites.
  • Using one service is an obvious single point of failure (SPOF).
  • DoH resolvers should be opt-in, not opt-out.
  • It silently overrides your existing DNS settings.

From the Ungleich blog:

When Mozilla turns this on by default, the DNS changes you configured in your network won’t have any effect anymore. At least for browsing with Firefox…

The obvious reply is that Mozilla’s developers have set Cloudflare as the default TRR as part of the testing process and are unlikely to impose this setting on users when the capability is offered to the world in Firefox 62.

Read more at https://nakedsecurity.sophos.com/2018/08/07/mozilla-faces-resistance-over-dns-privacy-test/

Fortnite ditches Google Play – will it undermine Android security?

By Lisa Vaas

Well, Google, that’s what you get for having an open platform that makes it easy to install apps on Android phones: Epic Games has tucked its Fortnite game under its arm and leaped out of the Google Play walled garden, saying “Basta!” to that 30% “store tax” on all sales.

…and evidently not being able to do the same to Apple, with its identical 30% App Store cut, given that Apple, unlike Google, doesn’t allow iOS users to download apps that aren’t first approved by its internal review processes and distributed through its proprietary marketplace.

On Friday, Epic Games CEO Tim Sweeney confirmed the rumor about its Play Store exit to The Verge. Besides ditching the Play Store, Sweeney said that Epic would do the same thing for the iOS release of Fortnite, if it were possible. It’s not: Apple’s ecosystem is fully locked down, meaning Epic has no choice but to use the iTunes App Store, same as with the console platforms.

In an email, Sweeney said that Epic had two motivations: first, the game maker’s after a more direct relationship with customers. It doesn’t need Google Play for that, given that players can get Fortnite on PC through its own Epic Games Launcher. Similarly, Epic has chosen to bypass Steam – a video games distribution platform that offers digital rights management (DRM), matchmaking servers, video streaming, social networking services, game installation and automatic updating – and just use its own launcher and account system instead.

Read more at https://nakedsecurity.sophos.com/2018/08/07/fortnite-ditches-google-play-will-it-undermine-android-security/

Windows 10 updates under fire from unhappy security admins

By John E Dunn

Windows 10 is finally within spitting distance of being the most popular version of Microsoft’s OS, and yet at this moment of apparent triumph, some security professionals are not satisfied.

The evidence emerges in a survey of admins by the patchmanagement.org listserv, which uncovered a rich seam of unhappiness at the state of recent Windows updates, especially for Windows 10.

In her open letter to Microsoft, patchmanagement.org moderator and Microsoft Most Valuable Professional (MVP) Susan Bradley doesn’t sugar-coat it:

The quality of updates released in the month of July, in particular, has placed customers in a quandary: install updates and face issues with applications, or don’t install updates and leave machines subject to attack.

Bradley points to glitches with July’s updates after which products failed, particularly in the aftermath of the Security and Quality Rollup updates for .NET Framework. As she notes:

In the month of July 2018 alone there are 47 knowledge base bulletins with known issues.

Forty-seven bulletins with issues sounds like a lot. Asked to rate how satisfied they were with the quality of Windows 10 updates, 64% of patchmanagement.org users said they were either ‘not satisfied’ or ‘very much not satisfied’.

The feature updates that have become a defining part of the Windows 10 strategy come in for particular flak, both in terms of their overall business benefit and unhelpful regularity.

In Bradley’s view, the fault lies with the Windows 10 Insider Program, the channel through which developers and enthusiasts test new versions to spot problems before software is let loose on everyone else.

Read more at https://nakedsecurity.sophos.com/2018/08/06/windows-10-updates-under-fire-from-unhappy-security-admins/

Man arrested for blackmailing women with porn fakes

By Danny Bradbury

Revenge porn using real images is a horrific abuse, and the most repeated advice is that you can only stop it by not creating revealing digital images of yourself in the first place.

That advice is looking increasingly threadbare though, thanks to another kind of threat – faked images that use only your face to create embarrassing photos of you. This week, police arrested a man in India for blackmailing women with digitally manipulated images putting them in compromising positions.

On Tuesday, a resident of Gurugram, a city near Delhi, was arrested for blackmailing women through Facebook. At least one woman has accused the individual, identified in news stories only as “Vijay”, of trying to extort her using fake social media accounts and pictures.

Vijay, a helper at the Indira Gandhi International Airport who had recently lost his job, admitted to police that he created fake Facebook accounts in women’s names, and used them to send friend requests to random women. When some accepted, he would steal images from their accounts.

He would then approach them again using other Facebook accounts registered in men’s names, making lewd propositions. If they refused to interact with him, he would send them altered photographs (presumably of a sexual nature). If they continued to ignore him, he would post the photographs on Facebook to embarrass his victims.

Vijay had been blackmailing over 200 women, police said, adding that one account in his control had 353 ‘friends’ on it.

Read more at https://nakedsecurity.sophos.com/2018/08/06/man-arrested-for-blackmailing-women-with-porn-fakes/

‘Unhackable’ Bitfi hardware rooted within a week

By Lisa Vaas

Whaddya mean there’s no such thing as an unhackable device? John McAfee sputtered last week. I got a $100K bounty for anybody who can hack my spiffy, new, unbreakable breakthrough, the wowee-wow world’s first and only completely unhackable, most advanced digital thingie ever, cryptocurrency wallet!

Then, hardware maker Bitfi upped the ante with its own offer of a $250K bounty.

It allegedly took a week. Whether BS walked or pulled up a chair to discuss that $100K… or $250K… is debatable, though, as McAfee is happy to explain.

Press are indeed claiming that the Bitfi wallet has been hacked. It was released the week prior to the hack/not-a-hack with great fanfare and greeted with great guffaws, as well as by people who decided to give the breakage a go.

As CNet reported on Friday, a “self-described IT geek in the Netherlands” who goes by the Twitter handle @OverSoftNL tweeted on Wednesday that they’d gained root access to the crypto-wallet. @OverSoftNL went on to say they had help from @cybergibbons, also known as Andrew Tierney, a security consultant at Pen Test Partners, and from Graham Sutherland (@gsuberland)… all three of whom got royally peeved at what Sutherland called a “clueless and misleading attitude to security.”

The wallet comes from antivirus software pioneer, former Belize man-about-town/government spy/fugitive, current US fugitive McAfee, together with hardware crypto-wallet maker Bitfi. McAfee (the man, not the brand owned by Intel Security) and Bitfi had claimed that the thing had “absolute” security.

Read more at https://nakedsecurity.sophos.com/2018/08/06/unhackable-bitfi-hardware-rooted-within-a-week/

August 6, 2018 »

Routers turned into zombie cryptojackers – is yours one of them?

By Paul Ducklin

We’ll start this story right at the end:

  • Users and sysadmins. Patch early, patch often.
  • Vendors and programmers. Don’t store plaintext passwords.

In this particular case, the vulnerable devices under attack are Mikrotik routers that have not had the patch Mikrotik released in April 2018 applied.

Security researcher Simon Kenin at Trustwave pieced the story together, following reports that there seemed to be a surge of web-based cryptojacking in Brazil.

Kenin quickly realized that Brazil was something of a red herring in the story, because the attack was happening wherever the crooks could find unpatched Mikrotik routers.

Brazil just happened to be where the story broke – it is, after all, the fifth most populous country in the world, so there are a lot of Brazilian home and small business networks for crooks to find and attack.

Here’s how this cryptojacking attack seems to have gone down.

Back in April 2018, Mikrotik patched a remote access vulnerability in its products.

As far as we can tell, Mikrotik discovered the security flaw itself, describing it in basic terms as a vulnerability that “allowed a special tool to connect to the [administration] port, and request the system user database file.”

As it turned out, there was a bit more to it than that – the bug allowed any file to be read off the router, effectively giving crooks who knew the trick the opportunity to leech any data they wanted.

The user database file just happened to be the crown jewels, because Mikrotik had stored both usernames and passwords in plaintext.

Read more at https://nakedsecurity.sophos.com/2018/08/03/routers-turned-into-zombie-cryptojackers-is-yours-one-of-them/

Alleged “high-ranking” members of the Fin7 cybercrime group arrested

By Lisa Vaas

The DOJ announced on Wednesday that three alleged, “high-ranking” members of the notorious Fin7 cybercrime organization have been arrested.

According to three federal indictments, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are allegedly members of a prolific, professional, highly adaptable hacking group widely known as Fin7, though it’s also referred to as the Carbanak Group and the Navigator Group, among many other names.

The DOJ says that since 2015, Fin7 has engaged in “a highly sophisticated malware campaign” targeting more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries, hacking into thousands of computer systems and stealing millions of customer credit and debit card numbers in order to sell them.

Security groups have been tracking the actors for longer than that, however: the thinking is that Fin7 evolved from malware campaigns between 2013 and 2015 that used the banking Trojans Carberp and Anunak to attack financial institutions.

Fin7 doesn’t just work in the US, but the DOJ says that just its US sprees alone have included raids on the networks of companies in 47 states and the District of Columbia, with the theft of more than 15 million credit card records from 6,500 Point-of-Sale (PoS) terminals at more than 3,600 separate business locations.

The organization has also ransacked computer networks in the UK, Australia and France. Publicly disclosed hacks attributable to Fin7 include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.

Read more at https://nakedsecurity.sophos.com/2018/08/03/alleged-high-ranking-members-of-the-fin7-cybercrime-group-arrested/

How safe is your DNA data?

By Danny Bradbury

As concerns mount over DNA privacy, a group of DNA collection and genealogy websites has released a set of best practice guidelines for handling sensitive genetic and family data. Will it give consumers much more protection though? Probably not.

23andMe, Ancestry, Helix, MyHeritage, and Habit worked with the Future of Privacy Forum to release the guidelines, which explain how to handle information about a family’s genetic makeup. Sites like 23AndMe offer genetic tests to consumers who send in a simple saliva swab. They can then use this to tell you about your ancestry and to let you know about genetic health risks.

The guidelines apply to any data about an individual’s inherited genetic characteristics. This includes three types: Data that comes directly from sequencing a person’s DNA, data that a company can create by analyzing that raw data (such as particular gene information or data about physical characteristics) and finally data that a person reports about their own health conditions.

The document broadly replicates many of the rules laid down by the EU’s General Data Protection Regulation (GDPR), which any company holding data on EU residents is already beholden to. It also draws on other guidance, including the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act and the Americans with Disabilities Act.

It includes statements on accountability (companies should release reports on what they’re doing with peoples’ data) and privacy by design (implementing technical controls to support the other rules) among others. It also says:

Genetic Data, by definition linked to an identifiable person, should not be disclosed or made accessible to third parties, in particular, employers, insurance companies, educational institutions, or government agencies, except as required by law or with the separate express consent of the person concerned.

This document still leaves some privacy concerns. Let’s start with the timing of its release.

Read more at https://nakedsecurity.sophos.com/2018/08/03/how-safe-is-your-dna-data/

Amnesty International spearphished with government spyware

By Lisa Vaas

Amnesty International has been spearphished by a WhatsApp message bearing links to what the organization believes to be malicious, powerful spyware: specifically, Pegasus, which has been called History’s Most Sophisticated Tracker Program.

On Wednesday, the human rights-focused NGO said in a post that a staffer received the link to the malware in June. It was baited with a message written in Arabic that implored the group to cover a protest for “your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington.”

My brother is detained in Ramadan and I am on a scholarship here so please do not link me to this [link]

Cover the protest now it will start in less than an hour

We need your support please

Pegasus is a tool sold by NSO Group, an Israeli company that sells off-the-shelf spyware. It enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.

Pegasus at one point even worked on non-jailbroken iOS devices. In 2016, Citizen Lab and Lookout discovered that the spyware was exploiting three critical iOS zero-day vulnerabilities to slip past Apple’s device security and install itself. Apple quickly fixed the vulnerabilities when alerted to them, according to Lookout.

This isn’t the first time that a group or individual who isn’t supposed to be a target of Pegasus has alleged they have been. NSO Group’s response to incidents like this has been consistent on each occasion: the company points to the fact that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists.

Read more at https://nakedsecurity.sophos.com/2018/08/03/amnesty-international-spearphished-with-government-spyware/

Reddit’s serious “security incident” – what you need to know

By John E Dunn

Reddit has suffered a “serious” data breach but seems unwilling or unable to put a figure on its size.

There are two parts to this story – who is affected and the weakness the company says led to the breach itself.

Dealing with users first, there are two groups in the firing line, arguably the most important being the unknown number of Reddit users who received an email digest between 3 and 17 June this year. If you’re one of those, the attackers know your email address and username but not your password, which has potentially troubling implications discussed below.

The second group at risk is anyone who registered with the site between 2005 (when it launched) and May 2007.

In this case, data accessed includes account username and password, the email address used at that time, and any content posted including private as well as public messages.

Passwords were salted and hashed, which sounds vaguely reassuring until you realise it covers a continuum of possibilities from very safe to not very safe at all.

If the salting and hashing was done in thousands of iterations by an algorithm like bcrypt then you can feel reassured. If it simply means the site used a hashing algorithm like SHA-1, the kind of password security that was already out of date but not uncommon at that time, then you can’t.

Sadly, we don’t know which it is.

If it’s the latter then the risk here would be for the probably small group of users who haven’t changed their password since then or did change it but used it on other sites without updating it there too.
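To make the article's contrast concrete, here is an added example (not code from the article or from Reddit) that compares a single round of salted SHA-1 with an iterated, tunable-cost scheme; PBKDF2-HMAC from Python's standard library stands in for bcrypt, which the stdlib lacks. The password, salt and measured rates are constructed here, not taken from the breach.

```python
import hashlib
import hmac
import time

# Constructed sample credential and salt; nothing here comes from the Reddit breach.
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")


def legacy_salted_sha1(password: str, salt: bytes) -> bytes:
    """One round of salted SHA-1: the 2007-era scheme the article calls out of date."""
    return hashlib.sha1(salt + password.encode()).digest()


def iterated_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Iterated PBKDF2-HMAC-SHA256 stands in for bcrypt (not in the stdlib); what
    matters is the tunable work factor that makes offline guessing expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(stored: bytes, candidate: str, salt: bytes, hasher) -> bool:
    """Constant-time check of a candidate against a stored hash."""
    return hmac.compare_digest(stored, hasher(candidate, salt))


def guesses_per_second(hasher, salt: bytes, samples: int) -> float:
    """Rough single-core rate at which someone holding the dump could test
    candidates offline (GPUs multiply this many times over for plain SHA-1)."""
    start = time.perf_counter()
    for i in range(samples):
        hasher(f"candidate-{i}", salt)
    return samples / max(time.perf_counter() - start, 1e-9)


def slowdown_factor(salt: bytes, iterations: int = 100_000) -> float:
    """How many times slower each guess is under the iterated scheme."""
    fast = guesses_per_second(legacy_salted_sha1, salt, samples=2000)
    slow = guesses_per_second(lambda p, s: iterated_hash(p, s, iterations), salt, samples=5)
    return fast / slow


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate in a keyspace at the measured rate."""
    return keyspace / rate


if __name__ == "__main__":
    print(f"iterated scheme is {slowdown_factor(SALT):.0f}x slower per guess than salted SHA-1")
```

The measured factor is what separates "salted and hashed" that buys years of resistance from "salted and hashed" that buys hours.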

Read more at https://nakedsecurity.sophos.com/2018/08/02/reddits-serious-security-incident-what-you-need-to-know/

How to defend yourself against SamSam ransomware

By Mark Stockley

On Tuesday 31 July 2018 Sophos released the largest and most comprehensive research paper ever compiled on SamSam, a sophisticated and highly destructive piece of ransomware noted for its ability to put entire organisations under siege.

SamSam is different from most other ransomware – it’s used sparingly, in a relatively small number of targeted attacks by a skilled team or individual. They break into and survey a victim’s network before deploying and running the ransomware, just like a sysadmin deploying legitimate software.

Those unusual tactics create advantages for both attacker and defender.

The good news is that the SamSam attackers aren’t looking for a challenge. They want easy targets, which means that getting a few of the basics right gives you a very good chance of keeping them out.

The bad news is that if they do get a foothold in your organization they can dig in quickly. They don’t deploy the SamSam malware until they’re able to act as a Domain Admin, which gives them high ground from which to attack.

SamSam hackers have been seen changing their tactics during attacks and they will spend hours, and perhaps days, getting it right. If one approach doesn’t work they’ll try another and another, and if security software stops the malware from running, they’ll look for ways to disable it.

Read more at https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/

July 31, 2018 »

Cryptojacking for beginners – what you need to know

By John Shier

Cryptojacking has hit the headlines in recent months. But what is it? And do you need to be worried?

Cryptojacking occurs when a computer is used to mine cryptocurrency without the permission of the user. There are two main ways that this is done: in-browser and via installed malware on the machine.

In-browser cryptominers vs installed cryptomining malware

With an in-browser approach, cybercriminals break into a web server and inject browser-based cryptomining code that mines whenever anyone visits the website. For example, researchers recently discovered that a Coinhive Monero miner had been running on an LA Times website. Any time a user visited the Homicide Report web page offered by the LA Times, the hacker was able to steal their CPU power to mine for Monero, a popular digital currency.

We saw a similar example of this recently when a whole raft of government websites was infected with a cryptomining script through browsealoud DOT com – a service that converts pages on a website to speech, to help out visitors who aren’t fluent in written English or good at reading.

The bad news for consumers is that in-browser cryptojacking is platform-agnostic. That means that all of your devices – including your phone – are potential targets. We’ve seen Coinhive-based miners added to popular apps, like Netflix and Instagram, and there have even been reports recently about mobile phones being physically damaged by cryptominers.

The good news, though, is that in-browser crypto software generally isn’t doing anything malicious to your system, other than general wear and tear. The software might make your laptop use slightly more juice, but you’d be hard-pressed to notice those fractions of a penny on your electricity bill. The fact that it’s all self-contained within the browser itself means that cryptominers never get near your data, they’re just jacking up your CPU.
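As an added example (not code from the article), here is a small detector a site owner could run over their own pages to spot an injected in-browser miner of the kind described above: it flags script tags whose src points at a miner host, or whose inline body calls the miner's start API. The host list and inline markers are taken from the Coinhive loader the article mentions; the sample page is constructed, and the site key in it is a placeholder.

```python
from html.parser import HTMLParser

# Script hosts and inline API calls associated with the Coinhive miner named in the
# article. Extend these lists with whatever your own telemetry shows.
MINER_HOSTS = ("coinhive.com", "coin-hive.com")
MINER_INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")


class MinerScriptFinder(HTMLParser):
    """Collects <script> tags that load from a miner host or start a miner inline."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._inline = []
        src = dict(attrs).get("src") or ""
        if any(host in src.lower() for host in MINER_HOSTS):
            self.findings.append(("external", src))

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._inline)
            if any(marker in body for marker in MINER_INLINE_MARKERS):
                self.findings.append(("inline", body.strip()[:60]))
            self._in_script = False


def find_miner_scripts(html: str):
    """Return (kind, detail) tuples for every suspicious script tag in the page."""
    parser = MinerScriptFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one legitimate script, one miner loader, one inline start call.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER'); miner.start();</script>
</body></html>"""
```

Run this over a crawl of your own site (or a third-party script you embed, as with the browsealoud case) and alert on any non-empty result.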

Read more at https://nakedsecurity.sophos.com/2018/07/31/cryptojacking-for-beginners-what-you-need-to-know/

Prisoners exploit tablet vulnerability to steal nearly $225K

By Lisa Vaas

Idaho prison officials said on Thursday that 364 inmates in five of the state’s prisons exploited vulnerable software in the JPay tablets they use for email, music and games in order to pump up the cash balances of their accounts.

The inmates transferred nearly $225K into their JPay accounts, according to the Associated Press.

The handheld tablets are used in prisons across the country, where inmates use them to stay in touch with the outside world via money transfers, emailing families and friends, buying and listening to music, video visitation, parole and probation payments, and downloading and playing games. The devices are made available through a contract between JPay and CenturyLink. Inmates can pay for entertainment, games and additional services with JPay credits.

Idaho Department of Correction spokesman Jeff Ray said on Thursday that no taxpayer money was involved in the fraud. The tablets operate over a secure network and don’t offer access to the wider internet.

The transfer scam was discovered earlier in the month by a special investigations unit, Ray said.

Mark Molzen, a spokesman for CenturyLink, told the AP that the problem involved inmates “intentionally exploiting a software vulnerability to increase their JPay account balances.” The company declined to give details, considering any such to be proprietary information. Molzen did say that the vulnerability has since been fixed, however.

Read more at https://nakedsecurity.sophos.com/2018/07/30/prisoners-exploit-tablet-vulnerability-to-steal-nearly-225k/

Social media rumors lead to PepsiCo lawsuit

By Lisa Vaas

Kurkure is PepsiCo’s finger-licking, lip-smacking, Indian corn puff snack. PepsiCo is happy to tell anybody who’ll listen that it makes Kurkure in state-of-the-art, automated, hygienic, food-safety-award-winning, certified factories. Here’s a 5-minute video of the process on YouTube. As you can see, we’re talking rice meal, edible vegetable oil (palm oil), corn meal, gram meal, spices, sugar and whatnot.

“Whatnot” is not code for “plastic.” There is no plastic in Kurkure. But somehow, the plastic jokes keep coming.

And because PepsiCo is so not laughing, and because the grain-based, beverage-centric multinational company is laughing so very not hard and has so very many lawyers, it’s sued to get all those despicable jokes and plastic rumors taken offline.

As Media Nama reported on Thursday, PepsiCo has obtained an interim order from the Delhi High Court to delete hundreds of posts on Facebook, Twitter, Instagram and YouTube.

Read more at https://nakedsecurity.sophos.com/2018/07/30/social-media-rumors-lead-to-pepsico-lawsuit/

Google bans Android miners from Play Store

By Danny Bradbury

Google has cracked down on apps that mine for cryptocurrency, banning them entirely from its official Google Play Store.

The company quietly updated its developer policy page with the following statement:

We don’t allow apps that mine cryptocurrency on devices. We permit apps that remotely manage the mining of cryptocurrency.

The policy change means that programs using the device’s own processing power to mine cryptocurrency will no longer be allowed in the official Google Play Store, but that Google is still OK with programs that manage cryptocurrency mining services operating elsewhere.

The move mirrors one by Apple, which banned cryptocurrency miners from its stores in June. It also follows other measures by Google to stamp out cryptocurrency mining programs delivered via its products and services. In April, it banned cryptocurrency mining extensions for its Chrome browser from the Chrome store.

This may stop cryptomining, where people voluntarily give up their phone’s processing power to generate digital coins. It is less likely to stop cryptojacking, where apps deliver a legitimate service but also do some cryptomining on the side without the user’s explicit consent.

Cryptojacking has been a growing problem in Android apps. Last year, cryptomining code was found in several apps that had been approved by the Google Play Store. In April, researchers discovered that users had downloaded various Play Store apps that secretly mined for cryptocurrency more than 100,000 times.

Read more at https://nakedsecurity.sophos.com/2018/07/30/google-bans-android-miners-from-play-store/

“Simple trick” floors home security camera, gives anyone access

By Lisa Vaas

A few weeks ago, a headline popped up on the BBC that caught the eye of security researchers: “Swann home security camera sends video to wrong user”.

It was clear what happened: the camera uploaded a bunch of data on purpose, and then it sent it to the entirely wrong person. As in, Louisa Lewis started to get “motion detected” alerts on her phone that showed somebody else’s kitchen, in somebody else’s house, with somebody she didn’t know, washing their dishes.

But it wasn’t clear why it happened, beyond the camera manufacturer’s explanation that it was human error, caused by two cameras being manufactured with the same cryptographic key to secure communications with their owners, and the duplicate camera owner having ignored the warning prompt that the “Camera is already paired to an account.”

…Nor was it clear that it wouldn’t happen again. Which it did. Nor was any evidence given to support Swann’s promise that “this was a one-off incident.” Which, it’s now clear, it was not.

We know this because a team of Europe-based security researchers came together to pick apart the security on these internet-connected cameras, to get a better sense of the “why”: Ken Munro, Andrew Tierney, Vangelis Stykas, Alan Woodward and Scott Helme.

Read more at https://nakedsecurity.sophos.com/2018/07/27/simple-trick-floors-home-security-camera-gives-anyone-access/
