Repairs & Upgrades

December 11, 2018 »

Dark web goldmine busted by Europol

By John E Dunn

What’s the safest way for a criminal to buy counterfeit banknotes?

Curiously, it’s not necessarily from the dark web, as 235 people now “detained” by police have just discovered.

According to Europol, between 19 November and 3 December police forces in 13 countries searched 300 properties, uncovering caches of drugs, guns and knives, along with computer wallets containing Bitcoins and the hardware needed to mine currency.

About 180 of the searches were in Germany, with 28 in France, and 20 in Italy. Others took place in Croatia, Cyprus, Finland, Ireland, the Netherlands, Portugal, Spain, Switzerland, and the UK.

To prove the adage that you never know what you’ll find until you look, German police even stumbled upon two facilities for growing marijuana, one cannabis plantation and a second counterfeit euro print shop.

The entire bust stemmed from the arrest in Austria in June 2018 of a single unnamed individual whom police discovered had been counterfeiting 10-, 20-, and 50-euro banknotes.

These days, simply stopping a criminal is becoming a small part of this kind of arrest operation – more important is finding out who that individual was doing business with, increasingly through the dark web.


Teen SWATter who had 400 schools evacuated lands 3 years in jail

By Lisa Vaas

Incorrigible SWATter George Duke-Cohan, a British teenager from a village near Watford, just north of London, has now been sentenced to three years in prison, according to the UK’s National Crime Agency (NCA).

In September, Duke-Cohan – at 19, the most outspoken member of a distributed denial of service (DDoS) gang – pleaded guilty to making bomb threats to thousands of schools and to a United Airlines flight between the UK and San Francisco while it was in mid-air.

The teenager sent bomb threats that resulted in 400 UK schools being evacuated in March. He was arrested just days later.

While still under investigation in April, Duke-Cohan sent a mass email to schools in the UK and the US claiming that there were pipe bombs planted on their grounds.

Then on 9 August, his hacking group – “Apophis Squad” – claimed on Twitter that flight UAL 949 had been grounded due to their actions.


Facebook fined $11m for misleading users about how data will be used

By Lisa Vaas

Italy’s competition regulator announced on Friday that it’s fining Facebook €10m (USD $11m, £8.9m) for laying it on thick when it comes to the service being “free” to users but keeping quiet about how the company’s making money off their data.

The fines come out of an investigation the Italian Competition Authority (ICA) wrapped up on 29 November. Opened last April, it looked into alleged violations of the Consumer Code by Facebook Ireland Ltd. and its parent company, Facebook Inc.

Here’s what the ICA had to say about it:

Facebook emphasizes the free nature of the service but not the commercial objectives that underlie the provision of the social network service, thus inducing users into making a transactional decision that they would not have taken otherwise (i.e., to register in the social network and to continue using it). The information provided is in fact general and incomplete and does not adequately make a distinction between the use of data to personalize the service (in order to connect “consumer” users with each other) and the use of data to carry out advertising campaigns aimed at specific targets.

Four Consumer Code violations

Facebook violated four of the Consumer Code articles, the ICA concluded: by misleading consumers into “registering without adequately and immediately informing them during the creation of the account that the data they provide will be used for commercial purposes,” it’s violated articles 21 and 22.


December 10, 2017 »

Massive botnet chews through 20,000 WordPress sites

By Danny Bradbury

WordPress users are facing another security worry following the discovery of a massive botnet. Attackers have infected 20,000 WordPress sites by brute-forcing administrator usernames and passwords. They are then using those sites to infect even more WordPress installations.

The botnet, which WordPress security company Wordfence discovered last week, infects sites using a feature known as XML-RPC. This is an interface that lets one piece of software make requests to another by sending it remote procedure calls (RPCs) written in the extensible markup language (XML).

Legitimate blogging programs use this feature to send blog content for WordPress sites to format and publish. Attackers can also use it to try multiple passwords and then manipulate a site if they gain access.

The attackers wrote a script that would launch an XML-RPC-based brute force attack, automatically generating a range of usernames and passwords in the hope that one of them will work and give it access to a privileged account. At that point, they can use that account to infect that site with the botnet software.

The password-building mechanism takes lists of usernames along with lists of common passwords and uses simple algorithms to create new password combinations from the usernames. So, it might try the username ‘alice’ with passwords like alice123, alice2018, and so on. It might not be very effective on a single site, but when used across many sites, the attackers’ chances of success increase, says Wordfence.


Android click fraud apps mimic Apple iPhones to boost revenue

By John E Dunn

SophosLabs has uncovered an unusual click fraud campaign in which malicious Android apps masquerade as being hosted on Apple devices to earn extra rewards.

Advertising click fraud, where a malicious app or process bombards websites with bogus traffic to earn advertising revenue, is a rapidly growing form of cybercrime on mobile and can be hard to spot.

This may go some way to explaining why Google’s Play store failed to detect the malicious design embedded inside a total of 22 apps which kicked off their click fraud campaign in June this year.

Named Andr/Clickr-ad by researchers, the malicious apps were downloaded a total of two million times with one, Sparkle Flashlight, accounting for half of this.

It’s the second time that SophosLabs has discovered malicious ad fraud apps on Google Play, after noticing the separate Andr/Guerilla-D ad fraud campaign lurking inside 25 apps in March and April.

Fake Apple traffic

What sets Clickr-ad apart from previous examples is its sophisticated attempt to pass off much of the traffic the apps generate as coming from a range of Apple models such as the iPhone 5, 6 and 8.


Microsoft’s gutting Edge and stuffing it with Chromium

By Lisa Vaas

Microsoft on Thursday announced that it’s going to spend the next year or so gutting its Edge browser and filling it with Chromium: the same open-source web rendering engine that powers Google’s Chrome browser (Chrome is Chromium with some Google extras), Opera, Vivaldi, Yandex, Brave and others.

This is an extraordinary step: some say it points to open source having won the browser wars, for better or worse. Better for web compatibility, says Microsoft, worse for a monoculture where if one thing breaks, a whole lot of other things break.

Terrible for any browser that’s trying to succeed outside of the near-total control of our online lives that Google already enjoys, Mozilla says. The open-source foundation regularly points out that Firefox is the only independent browser that isn’t tied to a profit-driven company, including Google with Chrome, Apple with Safari, and Microsoft with Edge.

Back in the day, Internet Explorer – the predecessor to Edge – not only ruled the browser roost; its stranglehold precipitated an epic antitrust case accusing Microsoft of abusing its monopoly position over Windows. But that was then, and this is now, and Explorer’s replacement, Edge, has a tiny share of the browser marketplace.


Microsoft calls for laws on facial recognition, issues principles

By Lisa Vaas

In a year in which facial recognition has made massive strides to invade personal privacy and settle in as a favored tool for government surveillance, Microsoft isn’t just open to government regulation; it’s asking for it.

On Thursday, in a speech at the Brookings Institution, Microsoft President Brad Smith warned about facial recognition technology spreading “in ways that exacerbate societal issues.” Never mind any dents to profits, he said, we need legislation before the situation gets more dystopian than it already is.

We don’t believe that the world will be best served by a commercial race to the bottom, with tech companies forced to choose between social responsibility and market success. We believe that the only way to protect against this race to the bottom is to build a floor of responsibility that supports healthy market competition. And a solid floor requires that we ensure that this technology, and the organizations that develop and use it, are governed by the rule of law.

We must ensure that the year 2024 doesn’t look like a page from the novel 1984.

Smith said that Microsoft, after much pondering, has decided to adopt six principles to manage the risks and potential for abuse that come along with facial recognition: fairness, transparency, accountability, non-discrimination, notice and consent, and lawful surveillance. He said that Microsoft will publish a document this week with suggestions on implementing the principles.

The good, the bad, and the intrusive

It’s not as if facial recognition is being used to solely create worlds of ubiquitous surveillance, in which you’re shamed for jaywalking, you’re publicly humiliated for your financial troubles, or law enforcement uses it to surveil crowds that are overwhelmingly composed of innocent people.


Flash zero-day exploit spotted – patch now!

By John E Dunn

If you’re among the holdouts still running Flash, you have some more updating homework to do. Adobe has issued an out-of-band patch after researchers spotted a Flash zero-day flaw being exploited in the wild.

The discovery was made by Qihoo 360 which on 29 November noticed a targeted APT (Advanced Persistent Threat) attack against a healthcare clinic used by Russian Government officials.

Codenamed “Operation Poison Needles” by Qihoo in honor of its medical theme, the attack uses a Word document mocked up to look like a job application questionnaire embedding a Flash Active X control.

Anyone on the receiving end of the attack will receive a phishing email with an attached RAR archive containing the boobytrapped document executing the payload.

The fix

The vulnerability, a use after free flaw, is now identified as CVE-2018-15982 and affects all Flash versions up to and including Patching it on Windows, macOS and Linux, and ChromeOS requires downloading

For good measure, the patch applies a separate fix for CVE-2018-15983, a privilege escalation caused by the insecure library loading of DLLs.


Kids’ VTech tablets vulnerable to eavesdropping hackers

By Lisa Vaas

VTech, the Hong-Kong-based smart-toy maker has hit another bump in the road.

This time around, it’s a serious security flaw in the software of VTech’s flagship tablet, the Storio Max, which is called the InnoTab Max in the UK. The flaw could allow hackers to remotely take control of the device and spy on the 3- to 11-year-old children for whom it’s marketed.

The vulnerability was discovered earlier this year by Elliott Thompson, a security consultant with the London penetration-testing firm SureCloud. On Wednesday, SureCloud said in a post that Thompson had found a vulnerable service enabled on the tablet that could be exploited by a script placed on a website, where a child could visit it, trigger the flaw and be none the wiser.

An attacker would then gain full root control over the device, including access to its webcam, speakers and microphone. In other words, an attacker could eavesdrop on a child using the tablet or talk to them.

The Max tablets are designed to enable parents to restrict their kids’ access to websites that they’ve personally vetted. The flaw pops a hole in that bubble of trust, given that an attacker could exploit the vulnerability to boobytrap that collection of supposedly “safe” sites.


Unencrypted medical data leads to 12-state litigation

By Danny Bradbury

Twelve US states are suing an electronic healthcare record provider who lost 3.9 million personal records in 2015.

The Attorneys general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin clubbed together to file suit against Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard (NMC) this week. The states, who each have residents affected by the breach, are negotiating a payout with the company.

MIE sells web-based electronic health record services to healthcare providers via NMC’s Webchart web-based portal.

Starting on 7 May 2015, hackers pilfered 3.9 million people’s personal information from MIE’s back-end systems, stealing not only names, addresses and social security numbers but also health data. This included lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions and the names and birth statistics of children.

The complaint accuses MIE of failing to properly secure its computer systems, not telling people about its system weaknesses, and then failing to provide timely notifications of the incident.

MIE failed to encrypt sensitive information, even though it said it did, the lawsuit says. It also used test accounts sharing the passwords “tester” and “testing”, established so that a client’s employees didn’t have to log in with a unique user ID.

Pen testers uncovered the issue and highlighted the risk but the lawsuit says that MIE took no action.

One of these test accounts allowed the thieves to explore the health record database with SQL injection attacks, gaining further access to privileged accounts called ‘checkout’ and ‘dcarlson’.


Hacker-besieged DNA data tucked away under military care

By Lisa Vaas

On Wednesday, Genomics England – an ambitious project to map the DNA of a million Brits – proudly announced that it had completed the “100,000 Genomes Project” started in 2013, having sequenced 100,000 whole genomes in the National Health Service (NHS).

The project goal is to improve treatments for patients with rare inherited diseases and cancer, and to uncover new diagnoses. So far, it’s involved the creation of 13 NHS Genomic Medicine Centers (GMCs), a state-of-the-art sequencing center, and an automated analytics platform to return whole genome analyses to the NHS. It’s crunched through 85,000 people’s genomes (participants with cancer have three genomes sequenced: healthy and cancerous cells within their tumor and a third from their blood).

Unfortunately, the servers in those data centers are bare. The Telegraph reports that following a swarm of attacks on the machines holding the data, Genomics England had to shuffle the genomes over to servers at a military base for safekeeping.


December 6, 2018 »

Facebook staff’s private emails published by fake news inquiry

By Lisa Vaas

Want to know what Mark Zuckerberg and his underlings really think about us users?

Get ready to read ’em and weep: against the wishes of the Facebook CEO, the UK parliament’s inquiry into fake news has published confidential correspondence between Zuck and his staff.

That correspondence has some revealing stuff in it. But first, how did the Parliament’s Digital, Culture, Media, and Sport (DCMS) committee – which has been overseeing inquiries into Facebook’s privacy practices – get their hands on it?

Well, it has to do with bathing suit photos. A now-defunct app called Six4Three that searched for Facebook users’ bathing suit photos is embroiled in a years-long lawsuit against Facebook.

Six4Three alleges that Facebook suddenly changed the terms of how it allowed developers to access Facebook’s Graph API generally, and its Friends’ Photos Endpoint, specifically. Six4Three made an app known as “Pikinis” that specifically sought out bikini photos across Facebook users’ friends pages. In April 2015, Six4Three sued Facebook, claiming that Facebook’s sudden yanking of access rendered both the app and the company itself “worthless.”

According to a court filing from last week, Six4Three managing director Ted Kramer met with MP Damian Collins in his London office on 20 November. Collins told Kramer that he was under active investigation, that he was in contempt of parliament, and that he could potentially face fines and imprisonment.


Patch now (if you can!): Latest Android update fixes clutch of RCE flaws

By John E Dunn

Android’s December security bulletin arrived this week with another sizable crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat to version 9.0 Pie, including Google Pixel users.

Overall, December sees a total of 53 separate flaws and 21 assigned CVE numbers. (Qualcomm components add another 32 CVEs in mainly closed-source components.)

If there’s a theme this month, it’s probably remote code execution (RCE), which accounts for five of the 11 critical flaws listed, plus one flaw marked high.

Four of these were discovered in the Media Framework with another two in the core system, which could, in Google’s words:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

This means that an attacker exploiting the flaws could remotely take over a vulnerable Android device – for example by sending you a booby-trapped image or talking you into clicking on a this-is-not-the-video-you-wanted-to-watch link.

Fortunately, according to Google, none of the listed flaws is being exploited in the wild.


Google’s private browsing doesn’t keep your searches anonymous

By Lisa Vaas

New research has found that it doesn’t matter what you do to burst out of Google’s search filter bubble: you can log out of Google, then enter private browsing mode, but those precautions won’t render your search anonymous. Google’s search engine will still tailor results to the personal information the company has on you, including search, browsing and purchase history.

Granted, the research comes from search competitor DuckDuckGo, which draws search results from third-party sites such as Bing, Yahoo and Yandex without tracking you. The research is still eye-opening, though, in spite of DuckDuckGo being a competitor.

In order to test whether a search engine is really profiling you or not, it helps to keep in mind that a search engine that doesn’t profile users should show all users who search at the same time the same search results for a given search term, without tweaking the results based on things like an individual’s previous search history.

Google has claimed to have taken steps to reduce the filter bubble problem – a problem that’s been implicated in influencing US presidential election outcomes both in 2016 and in the 2012 Romney-Obama bout. The thinking is that profiling search users and feeding them tailored search results essentially surrounds them with a walled garden of information they already agree with, thereby silencing new information or differing opinions.


Chrome 71 stomps on abusive advertising

By Danny Bradbury

Google shipped version 71 of its Chrome browser earlier this week, alongside fixes for 43 security issues. The latest Chrome version also introduces several new security measures.

Perhaps the biggest new security feature in Chrome is its anti-abuse technology, which focuses on ads that deliberately mislead users. These sites use a range of techniques such as presenting buttons that purport to do one thing like playing video or closing a window, but which actually do another like opening advertising windows.

Such sites are also known to use fake chat messages, transparent areas that are clickable without the user’s knowledge, auto-redirects without user interaction, and ads that use fake moving mouse cursors to try and make users click on a certain area. Scammers and phishers sometimes use these techniques to steal personal information, the company said.

Google is stepping up the anti-abuse measures that it launched last year by identifying sites that persist in using these abusive techniques to serve ads, and blocking advertising from them altogether. Site owners will get a 30-day warning.


Kubernetes cloud computing bug could rain data for attackers

By Danny Bradbury

Kubernetes, a tool that powers much modern native cloud infrastructure, just got its first big security bug – and it’s a mammoth one. The flaw could give an attacker unfettered access to the software applications that rely on the tool to operate.

Kubernetes is a software tool that manages large numbers of containers. These are similar to the virtual machines that run multiple operating systems on the same physical computer, but they have a key difference. Instead of housing a complete operating system, containers house only what’s needed for a particular application to run (such as software dependencies, system libraries etc), while sharing a host operating system with other containers.

Containers are small, nimble operating environments that are designed to run the same way across multiple computing environments, removing “but it worked when we tested it!” issues. Companies can run tens or even hundreds of thousands of containers, and that can make deploying, updating and managing them all a serious challenge. That’s where Kubernetes comes in. It manages containers in groups called pods.

The program, which originally started as an open-source project from Google and is now managed by the Linux Foundation’s Cloud Native Computing Foundation (CNCF), sprang its first serious leak with the flaw, which gives an attacker deep access to a Kubernetes installation. It enables a specially crafted request to connect with Kubernetes servers and make their own requests.

Read more at admits data breach affecting 100 million accounts

By John E Dunn

Hackers have compromised data from the accounts of 100 million users of question and answer site,

The bad news arrived in emails sent to the affected users – half its estimated 200 million account base – and through a public announcement made on Monday on its website.

The company discovered the breach on 30 November, finding that “data was compromised by a third party who gained unauthorized access to our systems,” wrote Quora CEO, Adam D’Angelo.

Data accessed included private information such as name, email address and encrypted (hashed) passwords, and any data imported from linked networks as authorized by account holders.

Also taken was “Non-public content and actions, e.g. answer requests, downvotes, direct messages,” however the company believes only a low percentage of users had such data in their accounts.

In addition, the hackers got hold of any questions, answers and upvotes posted by users, although these would also have been publicly available on the site itself.

Anyone who posted anonymously to the site over the years is not affected as Quora does not store data from these users, the company said.


Those are NOT your grandchildren! FTC warns of new scam

By Lisa Vaas

Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the Federal Trade Commission (FTC) warned on Monday.

The FTC says that its Consumer Sentinel Network has noticed a “striking” increase in the median dollar amount that people 70 and older report losing to fraud. When they started to peel back the layers, the Commission found a number of stories that involve people of that age group having mailed “huge” amounts of cash to people who pretended to be their grandchildren.

People from all age groups report having fallen for phony family and friends: the reported median loss for individuals is about $2,000, which is more than four times the median loss of $462 reported for all fraud types.

But that’s nothing compared with how much money is being bled out of the elderly: those who send cash reported median losses of a whopping $9,000. About one in four of the ripped-off elderly who report that they lost money to a family or friend imposter say that they sent cash: a far higher rate than the 1 in 25 of people who sent cash for all other frauds.

CBS News talked to one man who got scammed in a way that the FTC says is a common ploy.


December 3, 2018 »

Microsoft cracks down on tech support scams, 16 call centers raided

By Lisa Vaas

More than 100 Indian police swarmed 16 tech support scam call centers in Gurgaon and Noida last week, arresting 39 people for allegedly impersonating legitimate support reps for companies including Microsoft, Apple, Google, Dell and HP.

The day after the raids, which were carried out on Tuesday and Wednesday, Microsoft said that it has received over 7,000 victim reports from customers in more than 15 countries who’ve been ripped off by the call centers.

This is the second of two recent, big raids on Indian tech support scammers. In October, after Microsoft filed complaints about customers falling for pop-up messages that lied about their systems being infected with malware, Indian police raided 10 illegal call centers and arrested 24 alleged scammers.

In that second raid, law enforcement seized a wealth of evidence, including the call scripts, live chats, voice call recordings and customer records used to run the scams.

Typosquatting and malvertising

There are a few ways that people can fall prey to these swindlers, who get to people via both phone calls and pop-up windows. Last year, researchers at Stony Brook University rigged up a robot to automatically crawl the web searching for tech support scammers and to figure out where they lurk, how they monetize the scam, what software tools they use to pull it off, and what social engineering ploys they use to weasel money out of victims.


Faster fuzzing ferrets out 42 fresh zero-day flaws

By Danny Bradbury

A group of researchers has found 42 zero-day flaws in a range of software tools using a new take on an old concept. The team, from Singapore, Australia and Romania, worked out a better approach to a decades-old testing technique called fuzzing.

A standard part of software testing involves developers placing inputs in software that they think might cause trouble. They then use scripts or tools to automatically run the program and test it with those inputs. They might test a web form that takes a first name as input for example, and ensure that it doesn’t allow a blank entry, or an entry that includes a command to manipulate a database.

This can be useful in ferreting out flaws, but it is difficult to make that comprehensive. Developers may not think of everything. And it gets even more complicated if you are uploading a sound file or a photograph. It’s far more difficult to produce testing data that might break the program, or even to know what that might look like.

Fuzzing programs fill that gap by automatically changing files and other inputs in many unpredictable ways. They can run thousands of different inputs against the program, often changing individual bits in each file that they present to it, to see if anything breaks.

There are three broad kinds of fuzzing.


Marriott’s massive data breach – here’s what you need to know

By Mark Stockley

Marriott has today revealed that its Starwood guest reservation database has been subject to unauthorized access “since 2014”. The scope of the data breach is huge, covering nearly five years and approximately 500 million guests.

The company has created a website to deal with the breach at (note that at the time of writing it redirects to

Who’s affected?

The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk:

If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.

According to Marriott, its Starwood brands include: Starwood branded timeshare properties, W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.


Busted! DOJ exposes huge ad-fraud operation, eight charged

By John E Dunn

The US Department of Justice has charged eight men from Russia and Kazakhstan with running a vast ad-fraud scheme that milked a total of $36 million from advertisers.

Three of the accused – Aleksandr Zhukov, Sergey Ovsyannikov and Yevgeniy Timchenko – have been arrested in different countries pending extradition to the US, with Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, and Aleksandr Isaev still at large, an announcement said.

The fraud centered on two systems that resembled expertly crafted digital money trees.


The first, which ran between September 2014 and December 2016, dubbed ‘Methbot’ by discoverers White Ops in 2016, was a 1,900-strong farm of datacentre servers rented to host 5,000 bogus websites.

Not only was the traffic to these sites fictitious – the gang went to some lengths to simulate real users visiting these domains from fake geographic locations – but the sites themselves were spoofed versions of real sites including CNN, the New York Times, CBS Sports, and Fox News.


Prisoners allegedly posed as underage girls in $560K sextortion scam

By Lisa Vaas

Fifteen US prison inmates have been indicted for posting pictures of girls on dating sites and sextorting hundreds of military personnel who fell for the phony profiles after sending nude photos to their victims. To cap off the scam, the prisoners posed as the girls’ fathers and threatened to report them for disseminating child abuse imagery.

Law enforcement authorities held a press conference about the fraud ring in front of a state prison in Columbia, South Carolina, on Wednesday. According to a local paper, the Greenville News, authorities said that the prisoners had used contraband mobile phones to scam a total of 442 servicemen out of more than $560,000.

The indictments include charges of conspiracy to commit wire fraud, extortion and money laundering.

The bust was coordinated by a slew of law enforcement agencies, including from the military: the Naval Criminal Investigative Services (NCIS), US Army Criminal Investigations Command, US Air Force Office of Special Investigations, Department of Defense Criminal Investigative Services, IRS Criminal Investigative Services, the US Marshals Service, the South Carolina Department of Corrections, the South Carolina Law Enforcement Division and the US Attorney’s Office.

The prisoners allegedly used smuggled cellphones to log onto multiple dating websites and pretend to be 18- or 19-year-old girls. Court documents allege that after communicating with their victims, the inmates would eventually send nude photos to service members. Then, another prisoner would allegedly contact the marks, pretending to be an irate father and telling them that the “girl” they’d been communicating with was their underage daughter.


57m Americans’ details leaked online by another misconfigured server

By Danny Bradbury

Misconfigured Elasticsearch servers are the unwelcome gift that keeps on giving. The latest breach spilled personal details on 57 million Americans, according to reports this week.

Bob Diachenko, director of cyber risk research for security firm Hacken, said that the company found an exposed Elasticsearch server on the Shodan search engine, which scans for connected devices and open servers. It found at least three IP addresses with identical Elasticsearch clusters misconfigured for public access.

These instances, which held 73GB of data, had been publicly accessible on 14 November – which is when it was indexed by Shodan. However, it is unclear how long it had been online before that point, Diachenko said. Hacken discovered the instances on 20 November and the sites disappeared a couple of days later.

The service held data on almost 57 million US citizens, containing information including first and last name, employers, job title, email, address, state, ZIP code, phone number, and IP address. Another index of the same database included over 25 million business records, which held details on companies including employee counts, revenue numbers, and carrier routes.

Hacken couldn’t immediately identify the source of the leak, but Diachenko noted that one of the fields in the database was similar to those used by a marketing data company. He couldn’t reach their executives for comment, and the company took its website offline shortly before he blogged about the incident. However, this doesn’t necessarily mean that the company was the source of the leak. What’s scary is that this volume of records could be leaked online without anyone knowing for sure who’s responsible.


November 29, 2018 »

Creeps outed as massage app exposes database with workers’ comments

By Lisa Vaas

A popular massage-booking app has spilled the beans on 309,000 customer profiles, including comments from their masseurs or masseuses on how creepy their customers are.

The app’s wide-open, no-password-required database was discovered by researcher Oliver Hough, who tipped off TechCrunch.

Hough said in a Tweet on Tuesday that the breach was caused by unimplemented security that should have been easy-peasy, and that the failing could lead to “some serious blackmail.”

TechCrunch reports that Urban left the database for a Google-hosted Elasticsearch instance – that’s an enterprise search tool – online without a password, “allowing anyone to read hundreds of thousands of customer and staff records.”

Anyone who knew where to look could access, edit or delete the database.

The makers of the app, which was previously known as Urban Massage but is now going by simply “Urban,” confirmed the breach on Tuesday. In its FAQ, Urban said that customers’ names, email addresses and phone numbers were exposed, as well as, potentially, their postcodes if they placed a booking on the platform. Urban says it’s going to contact those whose information it thinks was exposed.


Google’s “deceitful” location tracking is against the law, say 7 EU groups

By Danny Bradbury

The row over Google’s location tracking has spread to Europe.

Consumer organizations from across the region said this week that they will complain about Google’s location tracking activities to their data protection authorities, alleging that it is breaching the General Data Protection Regulation (GDPR).

BEUC, an umbrella group of 43 European consumer organizations, said that Norway, Netherlands, Greece, Czech Republic, Slovenia, Poland and Sweden will all file complaints.

They’re basing their gripes on a report from the Norwegian Consumer Council (Forbrukerrådet) called Every Step You Take that explains what Google is doing and why they think it might be flouting Europe’s privacy laws.

Monique Goyens, Director General of The European Consumer Organization, summed up the complaints in a statement on the BEUC site:

Google’s data hunger is notorious but the scale with which it deceives its users to track and monetise their every move is breathtaking. Google is not respecting fundamental GDPR principles, such as the obligation to use data in a lawful, fair and transparent manner.

The report takes a deep dive into Google’s location tracking activities. The company tracks you in two ways, according to the research: Location History and Web & App Activity.

Alongside basic data such as where you went and what mode of transport you took to get there, Location History also stores other data in the background, such as barometric pressure, nearby Wi-Fi hotspots and even your battery level. Google says that this is a voluntary, opt-in feature.


Facial recognition traffic camera mistakes bus for famous woman

By Lisa Vaas

It is said of Dong Mingzhu, known as China’s most successful businesswoman, that wherever the driven, I-haven’t-taken-a-day-off-in-27-years Queen of Air Conditioning walks, no grass grows.

Yeah, well, forget about the grass: she’s a scofflaw JAYWALKER!!!

That, at any rate, was the erroneous conclusion arrived at recently by a facial recognition traffic camera that obviously can’t tell an advertisement on a bus from a human face.

Hence was the face of the famous woman known throughout the land as “Sister Dong” splashed onto a huge screen erected along a street in the port city of Ningbo for purposes of naming and shaming jaywalkers. Dong’s photo included a line of text saying that she’d just broken the law by crossing the street against a red light.

The South China Morning Post (SCMP) reported that the surveillance system captured Dong’s image on Wednesday from an advertisement on the side of a moving bus.


Microsoft’s Office 365 MFA security crashes for second time

By John E Dunn

Microsoft’s multi-factor authentication (MFA) for Office 365 and Azure Active Directory has fallen over for the second time in a week.

Azure’s service status page delivered Tuesday’s bad news:

Between 14:25 UTC and 17:08 UTC on 27 Nov 2018, customers using Multi-Factor Authentication (MFA) may have experienced intermittent issues signing into Azure resources, such as Azure Active Directory, when MFA is required by policy.

Officially, that’s just shy of three hours with either no or intermittent MFA, although it took until 18:53 UTC for Microsoft’s Twitter account to become confident enough to announce that the service was definitely up and running again.

Microsoft’s initial root cause analysis (RCA): something went wrong at DNS level which led the infrastructure supporting MFA to become “unhealthy”.

The solution was to reboot – which seemed to work but at the expense of receiving several sarcastic tweets congratulating Microsoft on a successful reboot/turning it off and on again.


Iranian hackers charged in the US for SamSam ransomware attacks

By Paul Ducklin

We’re sure you know what ransomware is by now.

ICYMI, ransomware is malicious software that scrambles your files with a randomly generated cryptographic key…

…and then sends the one and only copy of that decryption key to the crooks.

Who promptly offer to sell it back to you so that you can unlock your data and get your business moving again.

And we’re sure you’ve heard of a strain of ransomware known as SamSam – named, apparently, after a French cartoon – that we’ve written about depressingly often on Naked Security.

The crooks behind SamSam have been using a tricky technique that is quite different to that used by early strains of ransomware from a few years ago, such as CryptoLocker, CryptoWall and TeslaCrypt.

Instead of using mass spamming techniques to blast their malware to millions of recipients in the hope of collecting thousands of dollars each from thousands of victims scattered all over the world, the SamSammers used a more pin-point approach.


JavaScript library used for sneak attack on Copay Bitcoin wallet

By John E Dunn

A mystery payload that was sneaked into a hugely popular JavaScript library seems to have been a deliberate plot to ransack bitcoins from a mobile cryptocoin wallet known as Copay, from a company called BitPay.

Back in September 2018, the author of a popular Node.js utility package called event-stream, used for sending and receiving data, handed over the reins to a new maintainer going by the handle of Right9ctrl.

Days later, the new maintainer released an update to the package, version 3.3.6, to which he’d added additional code from an apparently related package called flatmap-stream.

In early October, another event-stream update appeared, as though Right9ctrl were throwing himself enthusiastically into his new role at the helm of the project…

…except that, on 20 November 2018, someone investigating an error in event-stream discovered cryptocurrency-stealing malware, hidden in the flatmap-stream component.

Lock up your Bitcoins


November 28, 2018 »

Social media scraping app Predictim banned by Facebook and Twitter

By Lisa Vaas

Employers get turned off by a lot of things they find out about potential hires on social media: provocative material, posts about drinking or using drugs, racist/sexist/religiously intolerant posts, badmouthing others, lying about qualifications, poor communication skills, criminal behavior, or sharing of confidential information from a previous employer, to name just a few.

We should all take for granted, then, that nowadays our social media posts are being scrutinized. That also goes for those of us whose prefrontal cortexes are currently a pile of still-forming gelatin: namely, children and teenagers.

In fact, there’s an artificial intelligence (AI) app for scraping up the goo that those kids’ emotional, impulsive, amygdala-dominant brains fling online: it’s called Predictim, and it’s funded by the University of California at Berkeley’s Skydeck accelerator. Predictim analyzes Facebook, Instagram, and Twitter accounts to assign a “risk rating” from a scale of 1 to 5, offering to predict whether babysitters or dogwalkers might be bad influences or even dangerous.

You can sympathize with its clientele: Predictim features case studies about abusive babysitters that have caused fatal or near-fatal injuries to the children in their charge. Simple background checks or word-of-mouth references won’t necessarily pick up on the risk factors that its report spotlights, the company says, which include evidence of bullying or harassment, drug abuse, disrespectful or discourteous behavior, or posting of explicit content.


‘Grinch bots’ are ruining holiday shopping. Lawmakers hit back

By Danny Bradbury

US legislators have introduced a bill to stop bad bots from buying up all the hot holiday toys in bulk and then gouging parents by reselling them at exorbitant prices.

Bots are automated scripts and programs that can be used for good or bad: the good ones do useful things such as crawl the web, and they’re also used on social media to generate everything from poems to memes to self-care reminders to randomly generated awesomeness.

Then there are the bad bots: like, the ones that snatch up all the Super Nintendo and Barbie products before you can even log into an e-commerce site.

Fittingly enough, the Stopping Grinch Bots Act of 2018 was announced on Black Friday.

The bicameral bill comes from US Senators Tom Udall, Richard Blumenthal, and Chuck Schumer, along with US Representative Paul Tonko. Udall said in a press release that resellers are gaming the system with bots that snatch up toys and highly discounted products to sell at “outrageously inflated markups,” all “with a few keystrokes,” and often before any human has managed to even put an item into their online shopping cart.

These Grinch bots let scammers sneak down the proverbial chimneys of online retailers and scoop up the hottest products before regular Americans can even log on – and then turn around and sell them at outrageously inflated prices. That’s just not how the marketplace is supposed to work.

The bot problem is just one example of how consumers get preyed on when they venture online, Udall said. Bots enable “unscrupulous” scammers to game the system and “steal hard-earned money from Americans who have saved up just to buy gifts for their family and friends during the holiday season,” he said.


Microsoft patches Patch Tuesday’s Outlook 2010 problem patch

By Danny Bradbury

Just what is going on over in Redmond? Just weeks after issuing a Windows 10 patch of doom that started deleting users’ precious files, Microsoft ‘fixed’ Outlook 2010 with a November Patch Tuesday update that promptly borked it.

On 13 November, Microsoft released a security update, KB4461529, which fixed four security vulnerabilities. These flaws could allow remote code execution if a user opened a specially crafted Office file, it said. KB4461529 solved this problem for the .msi 64-bit version of Outlook 2010 in the worst way by simply having the program not run at all. It crashed Outlook at startup.

Microsoft advised users not to uninstall the patch. Instead, it suggested they use Outlook Web Access until the problem was resolved. In the meantime, it wrote a second patch which it sent scurrying after the first on 21 November. KB4461585 will fix the crashing problem, it said.

This wasn’t the first Outlook 2010 patch problem for Microsoft users this month. On 6 November it released updates KB2863821 and KB4461522, which fixed the program’s Japanese calendar to support new ‘eras’. These patches also caused Access to crash on startup in some cases, it warned. It removed them.

The Japanese calendar inherited the idea of eras from China in the eighth century. Eras punctuate an emperor’s reign or some other major event. You only get a new one every few years, which is how many Windows users probably wish Microsoft would schedule its software patches right about now.


Google Maps scammers put their own phone numbers onto bank listings

By Lisa Vaas

Google Maps lets users edit and update listings: crowd-sourcing that’s helped Google to fill in the details of its maps, such as adding new roads or parks: a helpful feature, particularly in areas where governments restrict distribution of such data or in what are often less-developed regions.

Some of the results have been giggle-worthy, even though they involve deceptive practices that we don’t endorse, such as sock puppetry that lets the pranksters create fake accounts that they then use to approve their own pranks.

For example, we’ve seen Google Maps depict the Android mascot robot peeing onto the Apple logo, and a giant cat that sprawled over Auckland’s Hobson Bay Walkway.

Besides graphic hijinks, we’ve also seen user-generated content that’s involved changing the details of an address: for example, Google Maps at one point was induced to display a snowboarding shop called Edwards Snow Den, located at 1600 Pennsylvania Avenue: an address otherwise known as the White House.

Unfortunately, the same mechanisms by which Google enables users to make useful or amusing edits to Google Maps is now being used by crooks. On Sunday, Business Insider reported that scammers are tweaking Google Maps to trick people into giving up their bank details.


LinkedIn rapped for targeting ads at 18 million Facebook users

By John E Dunn

During the first half of 2018, LinkedIn US came up with the idea to buy Facebook ads targeted to the owners of 18 million email addresses.

This was done discreetly by uploading hashed versions of the email addresses, which were presumably matched to the same hashes spotted among Facebook’s user base.

We don’t know how successful the campaign was, but with the publication of a report by Ireland’s Data Protection Commissioner (DPC) last week we do know that LinkedIn has been publicly rebuked for doing it at all.

What upset the Irish: none of the 18 million email addresses were those of LinkedIn users.

How did a LinkedIn US campaign come to the attention of Ireland’s data commissioner in the first place?

Where did LinkedIn get hold of email addresses for 18 million non-LinkedIn users?

Unravelling the answers to these questions starts with a complaint the DPC says it received in 2017 from one of those 18 million people who objected to being targeted by LinkedIn, which has its EU headquarters in Ireland.


Parents slam “weirdo” fraudsters for using child’s Facebook pic for cash

By Lisa Vaas

Did you see that viral post showing an adorably glowering kid posing for his school portrait last week? He’s got his hands in the pockets of his pink pants in one photo, he’s sitting in front of a container full of fake grass in another, and he’s just staring balefully straight at the camera in a third.

So what’s with the sour face? Does he hate pink? Did he get teased?

No, said “El Prive,” there’s nothing wrong with his “son.” It’s just that he ate the last Pop-Tart, and the boy said he’d never smile again. And, of course, #poptartforeverfund #cashapp $bandobill.

#SimplyAdorbs! Within two days, the post was reportedly shared more than 156K times and had garnered well over 40K comments.

…And then the boy’s real parents weighed in. Last Monday, the lad’s mom put up a post saying – Hey, #ThatIsn’tYourSon and #Don’tUseOurSonForLikesOrMoney.

And thus was set off Pop-Tart-gate.

A woman named Tantarnea Arnold who goes by the name of LaShunta on Facebook posted about El Prive – who the Daily Mail identified as Bill Muhammad and whose Facebook page identifies as Bandobill™:


That Black Mirror episode with the social ratings? It’s happening IRL

By Lisa Vaas

What do you get when you cross the worst aspects of social media, people’s actual lives and giant, centralized databases?

The outcomes are already playing out. Certain cities in China have been piloting the country’s social credit score system – a system that’s due to be fully up and running by 2020, according to a plan posted on the Beijing municipal government’s website on Monday (the plan is dated 18 July).

One of the many repercussions of such a system is that people get blacklisted for not paying off their debts when a court thinks they’re capable of doing so, regardless of what the debtor says.

The ID photos, names and numbers of blacklisted people are displayed on billboards throughout the city, and they’re then barred from booking flights or high-speed trains (considered “luxury” travel) and blocked from staying in hotels. By the end of May, people with bad credit in China had been blocked from booking more than 11 million flights and 4 million high-speed train trips, according to the National Development and Reform Commission.

Read more at 

November 26, 2018 »

That Black Mirror episode with the social ratings? It’s happening IRL

By Lisa Vaas

What do you get when you cross the worst aspects of social media, people’s actual lives and giant, centralized databases?

The outcomes are already playing out. Certain cities in China have been piloting the country’s social credit score system – a system that’s due to be fully up and running by 2020, according to a plan posted on the Beijing municipal government’s website on Monday (the plan is dated 18 July).

One of the many repercussions of such a system is that people get blacklisted for not paying off their debts when a court thinks they’re capable of doing so, regardless of what the debtor says.

The ID photos, names and numbers of blacklisted people are displayed on billboards throughout the city, and they’re then barred from booking flights or high-speed trains (considered “luxury” travel) and blocked from staying in hotels. By the end of May, people with bad credit in China had been blocked from booking more than 11 million flights and 4 million high-speed train trips, according to the National Development and Reform Commission.

A permanent stigma?


The phone went dark, then $1m was sucked out in SIM-swap crypto-heist

By Lisa Vaas

A SIM-swap robber allegedly lifted $1 million in crypto-coin from Robert Ross, who was saving to pay for his daughters’ college tuition.

According to the New York Post, Ross “watched helplessly” on 26 October as his phone went dark. Within seconds, $500,000 drained out of his Coinbase account, and another $500,000 was suctioned out of a Gemini account. That was his entire life savings, West said.

Erin West, the deputy district attorney for Santa Clara County in California, told reporters that 21-year-old Nicholas Truglia, of Manhattan, has agreed to be extradited. Santa Clara officials plan to pick him up in December. According to court documents, he’s been charged with 21 felony counts against six victims, including identity theft, fraud, embezzlement, crimes that “involve a pattern of related felony conduct,” and attempted grand theft.

Truglia allegedly hacked the phones of Silicon Valley executives from his cushy West 42nd Street high-rise apartment.

Ross was apparently Truglia’s one success, though officials allege that he went after a half dozen other Silicon Valley cryptocoin players, including Saswata Basu, CEO of the block-chain storage service 0Chain; Myles Danielsen, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.


Spectre mitigation guts Linux 4.20 performance

By John E Dunn

One of Intel’s fixes for the Spectre variant 2 chip flaw (CVE- 2017-5715) appears to have taken a big bite out of the performance of the latest Linux kernel.

The mitigation in question is the Single Thread Indirect Branch Predictors (STIBP), one of three that Intel proposed not long after details of the Meltdown and Spectre flaws were made public in January.

Duly implemented in Linux 4.20, benchmarks run by Phoronix suggest that running it with Intel chips using Intel’s proprietary hyper-threading technology (principally Core i3s, and Core i7s and above) comes at a heavy cost.

Depending on the application, that could be anything from 30% to 50% on a top-of-the-line Core i9, a clearly unacceptable hit – and that’s before factoring in the smaller losses from previous mitigations for Spectre and Meltdown.

When the flaws were made public in January, performance drops were always on the cards, but a consensus emerged that this might be somewhere in the ballpark of a few percent for most users.

Less than a year on from that and anyone running 4.20 (and 4.19.2, which apparently has backported STIBP) is staring down the barrel of something much worse.


Cryptocurrency ‘minting’ flaw could have leached money from exchanges

By John E Dunn

Are Ethereum’s new-fangled smart contracts the ultimate point of the blockchain or a risky experiment whose vulnerabilities presage trouble?

Right now, few doubt that smart contracts – instruction workflows in a language called Solidity that automate complex, profitable processes on Ethereum – require close scrutiny.

The latest security flaw was discovered by smart contract developers Level K – a ‘minting’ flaw that would allow an attacker to drain Ethereum exchanges initiating smart contracts.

There are several scenarios in which the vulnerability could be exploited, which has already been revealed to most of the exchanges the researchers thought might be affected.

Explaining gas

Before getting to the weakness, it’s necessary to understand that on the Ethereum network sending Ether cryptocurrency from one address to another means paying a minimum fee to miners in a unit called ‘gas’.

This rewards miners according to the amount of computation involved in executing each set of Solidity smart contract instructions.

Recently, someone had the idea of turning gas into a sort of tokenised currency of its own – GasTokens – generated thanks to Ethereum’s complicated storage refund system (blockchains desire storage efficiency).

GasTokens are a new thing but seem to have taken off because gas price varies according to smart contract demand (and some think Ethereum gas is too expensive in the first place).


Hacker says USPS ignored serious security flaw for over a year

By John E Dunn

The US Postal Service (USPS) ignored a security flaw affecting millions of its registered website users for over a year until a researcher took his discovery to prominent blogger Brian Krebs, it has been alleged.

According to Krebs’s write-up, the unnamed researcher contacted him a week ago with news of a weakness he’d uncovered in the ‘Informed Visibility’ API.

This API enables a USPS service that gives customers real-time tracking data on mailshot campaigns and deliveries.

Although described in general terms (see the before and after APIs), the authentication flaw found by the researcher…

…let any logged-in user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Krebs estimates that there are 60 million USPS account holders, all of whose data (passwords excluded) would have been viewable and, for fields such as email addresses or phone numbers, potentially modifiable.


November 21, 2018 »

Dark Web hosting provider hacked, 6,500 sites erased

By Lisa Vaas

One of the most popular Dark Web hosting services – Daniel’s Hosting – was slaughtered last week when attackers hosed it clean of about 6,500 hidden services. The admin says they’re gone for good: he hasn’t even figured out where the vulnerability is yet.

The administrator at Daniel’s Hosting is a German software developer named Daniel Winzen, who acknowledged the attack on the hosting provider’s portal. Winzen said that it happened on Thursday night, a day after a PHP zero-day exploit was leaked.

The service will likely be back in December, he said, but even the “root” account has been deleted, and all the data on those 6,500 sites are toast:

There is no way to recover from this breach, all data is gone. I will re-enable the service once the vulnerability has been found, but right now I first need to find it.

Backups? Forget it. This is the Dark Web. Winzen told ZDNet that there ain’t no such thing as backups on Daniel’s Hosting, by design:

Unfortunately, all data is lost and per design, there are no backups.

As of last week, Winzen said his priority was to do a full analysis of the log files. He had determined that the attacker(s) had gained administrative database rights, but it’s looking like they didn’t get full system access. Some accounts and files that weren’t part of the hosting setup were left “untouched,” he said.

Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both, adminer and phpmyadmin have been used to run queries on the database.

Who cares?

According to Dark Owl, when the attacker(s) took out Daniel’s Hosting, they erased over 30% of the operational and active hidden services across Tor and the Invisible Internet Project (I2P) – an anonymous network layer that allows for censorship-resistant, peer-to-peer communication. ZDNet’s Catalin Cimpanu tweeted on Monday night that this pretty much matched his own calculations.


Drone owner fined for putting police helicopter crew ‘in danger’

By Lisa Vaas

The owner of an iPad-controlled, £900 (USD $1,150) drone who flew it into the path of a police search helicopter has become the first person to be prosecuted under UK drone laws.

At Peterborough Magistrates’ Court on Friday, 37-year-old Sergej Miaun was ordered to pay fines and court costs amounting to £464 (USD $593) and to give up his drone, according to The Independent.

The BBC reports that he was found guilty of failing to maintain direct, unaided visual contact with a drone and flying it without being “reasonably satisfied” that he could do so safely.

Prosecutors told the court that Miaun’s amateurish flight could have caused “catastrophic” consequences, similar to the helicopter crash that left five people dead in Leicester City. The cause of that deadly crash hasn’t yet been determined, but aviation experts have suggested that the helicopter’s loss of power to the tail rotor could have been caused by a large bird or a large drone.

With regards to the UK’s first-ever conviction on unsafe drone flying, on 9 December, a police search helicopter had been out looking for a missing woman near a river in Cambridgeshire when the pilot was forced to take evasive action to avoid a drone that narrowly passed beneath it. Police followed the drone back to a home in Guyhim – a town in Cambridgeshire – and searched until they found the Phantom 4 drone hidden in a loft hatch above the bath in Miaun’s home.


Patch Skype for Business now or risk DoS via emoji kittens!

By Lisa Vaas

For the second time in three years, there’s a vulnerability in Microsoft Skype that could get communications tangled up in bouncy little kitten emojis (or any other kind of animated emojis, for that matter).

SEC Consult reported last week that it had discovered that launching 100 animated emojis (the security firm chose to focus on kittens, because, we assume, KITTENS) at Skype for Business caused it to flutter, triggering a short lag in the application.

Throwing 800 animated emojis at the app turned the emoji marauders into the forces of darkness in a denial of service (DoS) attack, causing Skype to keel…

…well, for a few seconds, anyway. Even so, if your business depends on Skype to hold staff conferences, client calls or any other form of communication, you should hop on the patch installation. Microsoft issued a patch for the vulnerability – CVE-2018-8546 – which affects Office 365 ProPlus, Microsoft Office, Microsoft Lync, and Skype.

It’s a good idea to install that patch. You don’t want some jerk – like, say, a disgruntled ex-employee – to lob gobs of nonstop kittens at your operation. If such a jerk were to keep it up, a business would be up a creek without a paddle, says SEC Consult:

When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends.

This has happened before: in 2015, Skype for Business had the same kind of emoji-overload vulnerability. As SEC Consult put it, multiple animated emoticons would “cause a client’s CPU usage to go through the roof.”


Update now! Dangerous AMP for WordPress plugin fixed

By John E Dunn

If you’re one of the 100,000+ users of AMP for WP, good news – the popular plugin for implementing Accelerated Mobile Pages returned to last week.

AMP is a Google technology through which users of publishing partners such as WordPress can create pages that will load faster on mobile devices. Doing that requires a plugin, which is where AMP for WP comes in.

The plugin’s hiatus, which began when it abruptly disappeared on 21 October, was starting to look a little unusual.

According to a note from the developer, the reason for the disappearance was an ominous-sounding security flaw that “could be exploited by non-admins of the site.”

It also said that existing users could continue using the plugin in the meantime, which wouldn’t have sounded terribly reassuring to anyone using it in its vulnerable state as the days turned into weeks.

We’ve got a report from the WordPress that they found a security Vulnerability in our plugin which could be exploited by non-admins of the site, so to prevent the exploitation they temporary withdraw our plugin for further download. But the existing user’s will be able to use the plugin like always.

The day after AMP for WP reappeared on on 14 November, WebARX, the company that discovered the security problems, finally explained the weakness.


Instagram accidentally reveals plaintext passwords in URLs

By Lisa Vaas

In April, with the GDPR deadline and its requirement for data portability looming, Instagram released the long-anticipated download your data tool. The feature gave users the ability to download images, posts and comments.

Unfortunately, Instagram turned the task of downloading your data into an exercise in exposing people’s passwords in plain text. Thankfully, the bug in the “download your data” tool only affected a handful of users, it said.

As The Information reported last week, Instagram told affected users on Thursday night that if they’d used the “download your data” feature, their passwords were showing up in plaintext in the URL of their browsers.

That might not be a big deal to a user at home on an unshared computer, but as Facebook, which owns Instagram, said in the notice to users, it means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around.

It also means that Instagram passwords were stored on Facebook servers, the user notice said, and that means in plaintext, not encrypted.


« older