Repairs & Upgrades

February 22, 2018 »

Is your child a victim of identity theft?

By Maria Varmazis

The Equifax breach was well over half a year ago now, but I’ve had a nagging worry all the while since then: Was my child’s data affected in that breach, and how could I possibly find out for sure?

After the Equifax breach, a number of people who had never even heard of the credit monitoring bureau (including people living outside of the U.S.) found out their personal data had been compromised – an unpleasant discovery, to say the least. Something that was and still is quite unclear after the breach is whether any data belonging to children was leaked.

The official line from Equifax or any other credit bureau is that children should never be affected by a data breach like this, as children are not supposed to have any kind of credit until they become legal adults, which in the U.S. is at 18 years of age. However, some parents checked the Equifax breach website to see if their child’s data was leaked, and, alarmingly, many people got a notice that their child’s social security number “may” have been involved – with no easy way to investigate further.

That operative word, “may,” is unnerving – this is not an issue you want to let sit and fester with unknown status, as child identities are a very tempting blank slate for criminals to misuse. Most people won’t even think of their child’s credit until the child becomes an adult. However, finding out someone has already established your child’s credit for them is a nightmare to try and clean up after years of damage already done – you can’t just scrap the old credit profile and/or social security number and get a new one.

The reason for the ambiguity from Equifax’s point of view is that in most cases there should be no child credit report or any record of the child at all in the hands of a credit bureau in the first place (though some parents add their teenager as an authorized user to a credit card the parent owns, which does result in the teenager having a legitimate credit report). So if a credit bureau has a credit report for your child and that data has been breached, unfortunately, you now have two problems.

Finding out if someone has your child’s data takes a little investigation work, but it is absolutely doable. Someone who has unauthorized access to a social security number won’t just sit on it, they’ll use it – to rack up bills, take out loans – and that will leave a paper trail. For an adult, you want to scour your paper trail/credit report for signs of foul play; however, in the case of a child, the complete absence of a paper trail is a good sign.


Flight simulator comes bundled with password stealing stowaway

By John E Dunn

How far should a software company be able to go to protect its products from piracy?

Not, one would assume, as far as deploying a Chrome password capture tool in its downloads. Yet this was the extraordinary accusation levelled at Flight Sim Labs (FSLabs) last weekend by a perplexed Reddit user.

The company makes flight simulation mods, one of which – an Airbus A320X add-on for Lockheed Martin’s pro-level Prepar3D – was setting off antivirus security software during installation.

As the user suspected – subsequently confirmed by pen-testing company Fidus Information Security – the offending file, test.exe, was an executable for something called SecurityXploded. Explains Fidus:

The command line-based tool allows users to extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format.

Under pressure, FSLabs quickly owned up to what it was doing and, moreover, why it was doing it.

According to founder and CEO, Lefteris Kalamaras, the tool captured passwords but not indiscriminately (FSLabs’ emphasis):

There are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products.

The tool only activated if the user had installed the software using a pirated serial number believed to be circulating on the internet.

That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product.

It was so narrowly targeted, in fact, that the whole scheme was intended to gather evidence against a single individual believed to be circulating license keys for FSLabs’ software.


Artificial intelligence reads privacy policies so you don’t have to

By Lisa Vaas

We can think of privacy policies as fortresses made out of thick bricks of gobbledygook: impenetrable, sprawling documents that do little beyond legally protect companies.

Nobody reads them. Or, to be more precise, 98% of people don’t read them, according to one study, which led to 98% of volunteers signing away their firstborns and agreeing to have all their personal data handed over to the National Security Agency (NSA), in exchange for signing up to a fictional new social networking site.

And here’s the thing: if you’re one of the ~everybody~ who doesn’t read privacy policies, don’t feel bad: it’s not your fault. Online privacy policies are so cumbersome that it would take the average person about 250 working hours – about 30 full working days – to actually read all the privacy policies of the websites they visit in a year, according to one analysis.

So how do we keep from signing away our unsuspecting tots? Machine learning to the rescue!

A new project launched earlier this month – an artificial intelligence (AI) tool called Polisis – suggests that visualizing the policies would make them easier to understand. The tool uses machine learning to analyze online privacy policies and then creates colorful flow charts that trace what types of information sites collect, what they intend to do with it, and whatever options users have about it.


February 21, 2018 »

Read the 200,000 Russian Troll tweets Twitter deleted

By Lisa Vaas

Twitter announced last month that it would email notifications to 677,775 users in the US: that’s how many people it says followed one of the accounts created by the Russian government-linked propaganda factory known as the Internet Research Agency (IRA).

Less than two weeks later, Twitter announced that the number had more than doubled.

The number included those of us who retweeted or liked a tweet from Russian accounts during the 2016 US presidential election. The accounts had already been suspended, Twitter said, meaning that the relevant content is no longer publicly available on the platform.

But it is, in fact, available somewhere: Last week, NBC News published 200,000 Russian troll tweets that Twitter had deleted.

NBC News says that the accounts worked in concert as part of large networks that posted hundreds of thousands of inflammatory tweets, “from fictitious tales of Democrats practicing witchcraft to hardline posts from users masquerading as Black Lives Matter activists.”

The US intelligence community has determined that the IRA is part of a Russian state-run effort to influence the 2016 election, and all signs are pointing to the organization gearing up to do the same to the November mid-term elections.

Director of National Intelligence Dan Coats told the Senate Intelligence Committee last Tuesday that the US is “under attack,” adding that Russia is attempting to “degrade our democratic values and weaken our alliances.”

Coats said that Russian President Vladimir Putin considers Russia’s interference in the 2016 presidential elections a success and that he’s targeting the midterms:

There should be no doubt that [Putin] views the past effort as successful and views the 2018 US midterm elections as a potential target for Russian influence operations.

Twitter trolls and their seeds of discord are great tools for the Russians, Coats said: they’re cheap, low-risk and effective:

The Russians utilize this tool because it’s relatively cheap, it’s low risk, it offers what they perceive as plausible deniability and it’s proven to be effective at sowing division. We expect Russia to continue using propaganda, social media, false flag personas, sympathetic spokesmen, and other means of influence to try to build on its wide range of operations and exacerbate social and political fissures in the United States.

Twitter handed over to Congress a list of 3,814 IRA-connected account names and, as is its practice, has since suspended those accounts. That means deletion of the accounts’ tweets from public view, both on Twitter and from third parties. Unfortunately, erasing the evidence of foreign election meddling isn’t helpful for the investigation into that meddling – an investigation that resulted in a federal indictment on Friday, accusing 13 Russians and three Russian companies of conducting a criminal and espionage conspiracy using social media to interfere in the election.


Facebook to verify election ad buyers by snail mail

By Lisa Vaas

Facebook’s come up with a way to avoid being used by the Russians like a tinker toy in the upcoming US mid-term elections: snail mailed postcards.

Katie Harbath, Facebook’s global director of policy programs, described the plan to verify political ad buyers at a conference held by the National Association of Secretaries of State over the weekend. She didn’t say when the program would start, but she did tell Reuters that it would be before the congressional midterms in November.

The unveiling of the plan, which is meant to verify ad buyers and their locations, came a day after Robert S. Mueller III filed an indictment describing a Russian conspiracy to interfere in the 2016 US presidential election. It alleges that 13 Russians and three Russian companies conducted a criminal and espionage conspiracy using social media to pump up Donald Trump and to vilify Hillary Clinton.

Lawmakers, security experts and election integrity watchdog groups have been dissecting the social network’s failure to detect Russia’s use of Facebook and other social media platforms, including Twitter and Google, and its sluggishness in dealing with its fake news problem.

Facebook isn’t the only media outlet to turn to nice, flat, analog paper to try to keep Russians from meddling in the 2018 election.


Apple fixes that “1 character to crash your Mac and iPhone” bug

By Paul Ducklin

Apple has pushed out an emergency update for all its operating systems and devices, including TVs, watches, tablets, phones and Macs.

The fix patches a widely-publicized vulnerability known officially as CVE-2018-4124, and unofficially as “one character to crash your iPhone”, or “the Telugu bug”.

Telugu is a widely-spoken Indian language with a writing style that is good news for humans, but surprisingly tricky for computers.

This font-rendering complexity seems to have been too much for iOS and macOS, which could be brought to their knees trying to process a Telugu character formed by combining four elements of the Telugu writing system.

In English, individual sounds or syllables are represented by a variable number of letters strung together one after the other, as in the word expeditious.

That’s hard for learners to master, because written words in English don’t divide themselves visually into pronunciation units, and don’t provide any hints as to how the spoken word actually sounds. (You just have to know, somehow, that in this word, –ti– comes out as shh and not as tea.)

But computers can store and reproduce English words really easily, because there are only 26 symbols (if you ignore lower-case letters, the hyphen and that annoying little dingle berry thing called the apostrophe that our written language could so easily do without).


February 20, 2018 »

Facebook told to stop tracking users that aren’t logged in

By John E Dunn

In late 2015, a Belgian court ordered Facebook to stop tracking internet users in the country, even when they were not logged into – or even members of – its site.

Failure to comply within 48 hours would result in a €250,000 a day ($267,000) fine by the Belgian Privacy Commission (BPC), which brought the case.

Last week, in an eerie case of déjà vu all over again, a Belgian court ordered Facebook to stop tracking users not logged into its site or face a fine of €250,000 (now $315,000) per day up to a maximum of €100m. It must also delete data it had gathered from Belgians in this way.

Same issue, same result against Facebook more than two years on – what gives?

The legal answer is Facebook appealed against the 2015 judgement, winning in 2016 on the basis that because Facebook’s European HQ was in Ireland, the company should not be regulated by a court decision made in Belgium.

That appeal has, in turn, now been overturned, leaving the case more or less back at square one. Not surprisingly, Facebook said it will appeal yet again, which means the case trundles on.

The dispute is over the way Facebook is said to have carried out commercial surveillance on internet users who come into contact with the site, sometimes with, but often without, their explicit consent.

It’s not the only company that does such things, of course, but it has become the European test case for where the acceptable lines should be drawn.

Most Facebook users might expect the company to track what they do on Facebook and other sites while logged into Facebook according to the company’s published ad policy.


Google drops new Edge zero-day as Microsoft misses 90-day deadline

By Paul Ducklin

Google’s Project Zero team has dropped a Microsoft Edge bug for the world to see.

Google originally shared details of the flaw with Microsoft on 17 November 2017, but Microsoft wasn’t able to come up with a patch within Google’s non-negotiable “you have 90 days to do this” period.

Ironically, Google may give you a 14-day grace period to extend the deadline to 104 days, but if you admit you aren’t going to make it within 104 days, you don’t get any of the extra 14 days of non-disclosure.

Last week, right at the 90-day deadline, Google quoted Microsoft as saying:

The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th [2018-03-13], however this is beyond the 90-day SLA [service level agreement] and 14-day grace period to align with Update Tuesdays.

As a result, Google published details of the bug immediately, so Microsoft Edge users are now adrift without a patch for nearly a month.

How bad is it?

Fortunately, this bug isn’t a remote code execution exploit all on its own.

It’s a security bypass that could allow an attacker who has already wrested control from your browser to vault over Microsoft’s second layer of defense, known as ACG, short for Arbitrary Code Guard.

ACG is supposed to head off remote code execution attacks before they can make any headway.

Even if a booby-trapped web page, image or script manages to wrest the CPU away from Edge in an effort to grab control, ACG means that the attack can’t easily transfer control to malware of its own choice.

That’s a bit like having a backup security system at home that throws a net over crooks who manage to pick your front door lock and get into your house: they’re already in, which is bad, but their hands are pinned to their sides, so they can’t pick anything up or open any more doors, which is good.

Very simply put, ACG works by locking down the memory that Edge uses to run its own software code.


Broadband network plagued by wheezy old cryptomining gadget

By Lisa Vaas

Cryptocoin mining, how do you ruin our day?

Let us count the ways, because hastening global warming and hoovering up all the graphics processing units (GPUs) apparently isn’t enough.

Now, we have method #1583: a mining device with halitosis, breathing out interference emissions that befogged T-Mobile’s broadband network in Brooklyn.

Knock it off, the Federal Communications Commission (FCC) told Brooklyn resident Victor Rosario on Thursday. The FCC’s letter said that if Rosario didn’t turn off the mining device, and if the interference kept up, he’d be in danger of incurring “severe penalties,” including, but not limited to, stiff fines, seizure of the offending radio equipment, and potentially jail time.

How did they test whether the device in question was really screwing up T-Mobile’s broadband? They either turned it off or told Rosario to turn it off. Presto! No more “spurious emissions” were found when the gadget was powered down, the FCC said.

David C. Dombrowski, regional director of the FCC’s Enforcement Bureau, said that agents had used direction-finding techniques to trace radio emissions in the 700 MHz band and found they were emanating from Rosario’s home in Brooklyn, New York.


US and UK condemn Russia for NotPetya worm attack

By John E Dunn

When it comes to pointing the finger for last year’s historically-disruptive NotPetya cyberattack, nobody could accuse the US and UK of dodging the issue.

First the UK, and then the US, named their chief suspect – Russia – in near-synchronized statements that set out to dissolve the secrecy and confusion that cloaks many cyber-incidents.

UK Defense Secretary Gavin Williamson said at the time:

Russia is ripping up the rule book by undermining democracy, wrecking livelihoods by targeting critical infrastructure, and weaponising information.

Which echoed White House Press Secretary Sarah Sanders:

This was also a reckless and indiscriminate cyberattack that will be met with international consequences.

In a possible first, the three other members of the Five Eyes intelligence alliance – Australia, Canada and New Zealand – also put out statements blaming Russia.

We’ve heard US-led condemnations before. Examples include that Russia hacked the Democratic National Committee in 2016, that North Korea was behind WannaCry and, further back in time, a lot of fuss about China’s APTs stealing intellectual property from US companies.

The problem is accusations only get you so far: no technical evidence against Russia has been offered beyond noting that NotPetya appeared to have been aimed at arch-Russian foe, Ukraine.

Inevitably – whether Russia was behind the attack or not – it can dismiss the accusation as “Russiaphobia” in a way that makes that defense sound plausible.


Hackers sentenced for SQL injections that cost $300 million

By Lisa Vaas

Heartland Payment Systems: remember that decade-old breach?

What was then the sixth-largest payments processor in the US announced back in 2009 that its processing systems had been breached the year before.

Within days, it had been classified as the biggest ever criminal breach of card data. One estimate claimed 100 million cards and more than 650 financial services companies were compromised, at a cost of hundreds of millions of dollars. Prosecutors have said that three of the corporate victims reported $300m in losses.

The “biggest ever” designation applied to Heartland, but it was one of many corporate victims in a worldwide hacking and data breach scheme that targeted major networks. In total, the hacking ring responsible for the Heartland attack compromised 160 million credit card numbers: the largest such scheme ever prosecuted in the United States. Individual consumers also got hit, incurring what court documents said were “immeasurable” losses through identity theft, including costs associated with stolen identities and false charges.

It might be an old breach, but it hasn’t been collecting dust.

On Wednesday, the US Attorney’s office of New Jersey announced that two Russians belonging to the hacking ring that gutted Heartland, other credit card processors, banks, retailers, and other corporate victims around the world have been sent to federal prison.

Both had pleaded guilty in 2013.

Russian national Vladimir Drinkman, 37, had previously pleaded guilty to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. He’s been sentenced to 12 years in prison. Dmitriy Smilianets, 34, of Moscow, had previously pleaded guilty to conspiracy to commit wire fraud against a financial institution and was sentenced to 51 months and 21 days in prison: time served.


February 19, 2018 »

Telegram IM security flaw – what you see is NOT always what you get

By Paul Ducklin

Researchers at Kaspersky recently outed a bug in the popular Telegram instant messaging service.

Crooks had revived an old visual trick to disguise files that many users would otherwise recognise as unwanted right off the bat.

The flaw has been addressed by Telegram, so we’re OK to describe it here in detail: it’s a trick that is as simple as it is effective, and involves conning the app into displaying filenames backwards.

Sometimes, of course, the old tricks are the very best – ransomware first appeared in 1989, for instance; spam first showed up in the 1970s; and self-spreading network worms were already a significant problem in the 1980s.

Whether you’re a user or a programmer, it pays to be aware of the optical illusions that are available to the many cybercrooks out there.

The flaw we’ll be talking about in this article – which sort of isn’t a bug in theory, but can be abused as a bug in practice – comes about because not all languages write in the same direction.

English and French, for example, run left-to-right, top-to-bottom; Hebrew and Arabic run right-to-left, top-to-bottom.

Often, for example when printing a book, the text direction isn’t too much of a challenge because it’s consistent throughout.

But in a modern app in the modern world on a modern operating system, you often want to mix and match character sets, languages, writing styles and more.


Google’s big plans for email will give it even more power

By Mark Stockley

Email has been around for nearly half a century and there are some things about it that are looking quite dated. In particular, its approach to privacy and security are decidedly mid-twentieth century.

In the beginning it was OK because nobody knew to care about that kind of thing and almost nobody used email anyway. In the blink of an eye though, everybody was using it and email had become an indispensable technological pillar of the world. And then it really did matter that email was broken but it was too difficult to fix and too entrenched to replace.

For most of its working life then, three intractable problems have hovered close to the top of our collective “things we wish somebody else would hurry up and fix about email” list:

  • A lack of TLS encryption makes it too easy to read and modify emails as they move around the globe. According to Google’s transparency report about 10% of the emails sent and received by Gmail are going to, or coming from, mail servers that don’t encrypt. Now. In 2018.
  • It’s easy to fake who an email seems to have come from so – in spite of anti-spoofing measures like DANE, DKIM and SPF – cybercriminals continue to fool users with low cost, low effort scams and phishing tactics which barely change from one decade to the next.
  • There is no usable end-to-end encryption to protect emails at rest, as they sit on servers. Sure, you could use GPG but you don’t, just like you don’t let Clippy help you if it looks like you’re trying to write a letter or drive to work on a Sinclair C5.

Google, one of the major email providers through its Gmail platform, has done much to try and fix these difficult problems with projects like its transparency report and efforts to fix end-to-end encryption.

Despite its own travails (Android devices that can’t be patched, years-long Gmail lawsuits…) it has also never been shy of using its considerable bulk to bully others into adopting better privacy and security – from HTTPS on websites to 90-day responsible disclosure windows, and much else besides.

So when I heard that Google was planning to modernize email I hoped they’d dusted off The Great Email TODO List That’s Still Waiting To Be Fixed After Fifty Years and started at the top.

Why Chrome’s ad filter isn’t an adblocker

By John E Dunn

Screen-covering pop-ups, countdown timers, ads that start playing sound when you visit a website – just some of the annoying ads Google Chrome’s new integrated filtering promises to start blocking from this week.

Optimistic news coverage has described this as the arrival of adblocking in Chrome, which is neither how Google explains the change, nor technically accurate.

Google, of course, can’t enable full-throated blocking of web advertising because this would risk damaging its business model.

What it does want to do is stop websites from pushing certain kinds of intrusive and distracting advertising tricks in readers’ faces. Specifically:

Chrome VP, Rahul Roy-Chowdhury, explains the change:

By focusing on filtering out disruptive ad experiences, we can help keep the entire ecosystem of the web healthy, and give people a significantly better user experience than they have today.

Chrome users can already achieve this and more by loading one of a number of ad-blockers so all Google’s new filtering is offering is to do a smaller part of that job by default.

Despite complaints that the ad-blocking industry has become deceptive (allowing some advertisers to bypass filters in return for money), the principle is that the end user decides what level of filtering should be applied, and to which sites.

Google’s Chrome ad filtering, by contrast, is more like a feedback mechanism for website owners that measures ads against a set of standards defined by the Coalition for Better Ads, an organization of which Google is a member.


Facebook accused of spamming 2FA phone numbers

By Lisa Vaas

Facebook is being accused of spamming people via the phone numbers they used to turn on two-factor authentication (2FA) and posting their “PLEASE STOP!!” replies to their walls.

Software engineer Gabriel Lewis noticed it late last month and told Facebook to please knock it off: a request that 1) Facebook’s systems ignored, merrily continuing to spam him and then 2) auto-posted to his wall.

Nobody’s sure if it’s a feature meant to drive engagement – is Facebook suffering separation anxiety over its recent traffic decline? – or if it’s a bug.

From the sounds of the statement it’s sending to press, Facebook itself apparently doesn’t know. A Facebook representative told The Verge, for one, that it’s looking into the text notification issue.

We’re looking into this situation to see if there’s more we can do to help people avoid unexpected or unwanted communications.

Its statement says that users can refrain from using their phone numbers for its 2FA system and instead use a code generator with an authenticator app such as Sophos Authenticator (also included in our free Sophos Mobile Security for Android and iOS).


Joke dating site matches people based on their passwords

By Lisa Vaas

Let us ask you this, Ms. “123456” and Mr. “Password”, are you tired of making excuses when your password winds up on the yearly worst passwords lists?

Wouldn’t you like to meet somebody who shares your confusion over how to use a password manager?

Despair no longer! As Motherboard reports, there’s now a dating site that matches people based on their passwords.

It’s called Words of the Heart. It’s billed as a way to help find and date people who have the same password.

Because why? Because…

We believe that something as intimate as your password best describes your inner self.

Fortunately for all of us, it’s a joke site, and unfortunately for all of us, the site’s makers (reasonably enough) felt the need to spell that out loud and clear on the front page to prevent anybody from entering an actual password:

DO NOT USE your real password here, especially a password for something important (banks, e-mail, Facebook)!


Coinmining frenzy is making it hard for us to find aliens

By Lisa Vaas

Forget Iceland’s energy getting sucked up by cryptocoin miners. We can’t find the aliens!

You need a few things to mine cryptocurrency, or to do a bunch of other things, including build a gaming PC from scratch, run radio-astronomy operations, or search the skies for incoming messages from extraterrestrials.

The things you need include a whole lot of preferably renewable energy (thanks, Iceland!). It’s also helpful to have access to data centers and a nice, chilly environment to help with cooling them (thanks again, Iceland!).

You also need a pile of graphics processing units (GPUs): the high-end computer chips from manufacturers like AMD or Nvidia that miners use to build their mining machines.

Unfortunately for gamers, radio astronomers and Search for Extraterrestrial Intelligence (Seti) researchers, the prices on GPUs have been going nuts for a few months. At the end of January, when cryptocurrency values had soared, they dragged GPU costs right on up with them.

Gaming news site Polygon last month reported these then-current examples of GPU prices:

The cheapest price for MSI’s GeForce GTX 1070 Gaming X (MSRP $459.99) is $945.99 on Amazon and $988.99 on Newegg; it’s not much lower at Micro Center, which has it listed at $919.99.

And that’s when you can get the GPUs at all.

At least one retailer, Micro Center, is keeping the supply lines open for its core customers (gamers), reducing the prices for those building gaming rigs, and limiting GPU quantities to others, including both cryptocurrency miners and apparently Seti and other researchers. Here’s a letter Micro Center posted to its “Valued Build Customers” about the policies.


February 14, 2018 »

Would you allow Facebook into your home?

By Maria Varmazis

If you believe some of the more speculative stories on the internet right now, this question won’t be hypothetical for long.

There are a number of stories circulating that later this year Facebook will announce the Portal, its camera-enabled premier foray into the world of home smart devices, akin to Amazon Echo and Google Home.

Of course, this being a device from Facebook, it’s going to leverage its huge library of knowledge about all its users, and what those users look like. After all, Facebook has been using facial recognition technology to scan photos uploaded to its service for years to match those faces to its users.

The rumored Facebook Portal device would take advantage of Facebook’s massive database of knowledge about its users, their behavior, and their faces for everything from identity verification to detecting moods for targeted advertisements, or to gleaning trends about user emotional health over time.

The rumored Portal is still firmly in the realm of Silicon Valley whispers – though we’ll find out in May at the F8 Developer’s conference if it’s real or not – but it raises larger questions about welcoming smart devices into our home.


Did the NSA really use Twitter to send coded messages to a Russian?

By John E Dunn

On June 20 last year, the official Twitter account for the US National Security Agency (NSA) issued the following innocent-looking tweet:

Samuel Morse patented the telegraph 177 years ago. Did you know you can still send telegrams? Faster than post & pay only if it’s delivered.

On August 17, the same theme was taken up again:

The 1st telegraph communications exchange occurred between Queen Victoria and President Buchanan in 1858.

At the time, only a handful of people responded to either message. The tweets might have rested in obscurity indefinitely had the New York Times and The Intercept not alleged last weekend that the messages had an extraordinary purpose unconnected to remarking on telegraphic history. Explains The Intercept:

Each tweet looked completely benign but was in fact a message to the Russians.

As part of a sequence of 12, the tweets are now claimed to be a coded back-channel used to communicate with a Russian who was negotiating to sell to the NSA a set of cyberweapons stolen from it in 2016 by a group calling itself The Shadow Brokers.

These tools were leaked to the world and used by cybercriminals to launch attacks, such as May 2017’s WannaCry ransomware attack (later blamed by the US on North Korea).

Assuming the latest account stands up, it suggests that as recently as a few months ago, the NSA was still keen to find out precisely how much was lost in the incident and was willing to pay for the privilege.

But, surely sending coded messages on a public system is a strange way to communicate something this sensitive?


Facebook’s privacy settings are illegal, says court

By Lisa Vaas

Facebook tucks default privacy settings away where you have to go dig for them – not exactly what you’d consider a way to get informed consent, the Berlin Regional Court in Germany has decided. And what’s up with that real-name policy that doesn’t allow users to be anonymous?

Illegal, illegal, illegal: that’s what the court has decreed on those and five of Facebook’s terms of service.

According to a judgment (PDF; in German) handed down by the Berlin court in mid-January and publicly revealed on Monday, Facebook collects and uses personal data without providing enough information to users to constitute meaningful consent. The Guardian reports that the case against Facebook was brought by the federation of German consumer organizations (VZBV), which argued that Facebook force-opts users by default into features it shouldn’t.

The VZBV’s press release quotes the group’s legal officer, Heiko Dünkel:

Facebook hides data protection-unfriendly presets in its privacy center, without sufficiently informing [users] during registration. That’s not enough for informed consent.

According to Germany’s Federal Data Protection Act, companies can only collect and use personal data with the consent of those affected. How can users make informed consent if they don’t know what’s going on?

They can’t, the VZBV said:

In order for them to make informed choices, providers must provide clear and understandable information about the nature, extent and purpose of the use of the data.

The VZBV pointed out these shortcomings in Facebook’s privacy settings:

  • Location service for mobile phones is activated by default. This reveals locations of people who use chat.
  • Search engines get a link to the participants’ activity history by default, making it easy for anybody online to stumble across things like profiles and account photos.

In all, the VZBV complained about five of Facebook’s privacy presets. The Berlin judges agreed with the privacy group about all of them: the presets are “ineffective,” the VZBV said, and there’s no guarantee that a user would even take note of their existence.


Beware the ‘celebrities’ offering you free cryptocoins on Twitter

By Lisa Vaas

Consider @Eilon_Musk, @ElonMuski, @EloonMusk, @Elonn_Musk, @Alon_Musk, @DoonaldTrump65, and @justtinsun_tron: what a generous clutch of almost-celebrities!

All have been popping up on Twitter within the past few weeks, all of them bearing handles that are passingly close to those of legitimately famous people like Elon Musk, Donald Trump, Justin Sun, other tech CEOs, or other big names in cryptocurrency – and all of them claiming that they’re showering cryptocurrency onto the first comers.

All you have to do to receive it is first send some cryptocoin to an online wallet (please don’t!), and you’ll get double – triple! – quadruple! – decuple! – your money back (fat chance!).

Here’s one sample of these scammers’ come-ons:

The scammer in this case has ripped off a picture of Justin Sun, founder of the Tron Foundation. TRON is a blockchain-based open source global digital entertainment protocol. As this particular scam shows, not only are the scammers ripping off well known people’s photos and typosquatting their handles; they’re also plopping their scam come-ons down in the prime real estate of the comment section of their targeted celebrities’ posts.
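A defender-side check for the handle typosquatting described above, as an added example that is not from the article and not a tool the author describes: it strips the underscore and digit padding the impersonators use and flags any handle one edit away from a protected name. The protected-name list, the allowlist and the three extra control handles are constructed for the demonstration.

```javascript
// Added example, not from the article: flag handles that sit one small edit away
// from a well-known name, the pattern the scam accounts quoted above rely on.
// PROTECTED_NAMES is a constructed list built from the people named in the article.
const PROTECTED_NAMES = ['elonmusk', 'donaldtrump', 'justinsuntron'];

// Normalise a handle: drop the leading '@', lowercase it, and strip underscores
// and digits, the padding impersonators add to get past Twitter's uniqueness rule.
function normalizeHandle(handle) {
  return handle.replace(/^@/, '').toLowerCase().replace(/[_\d]/g, '');
}

// Levenshtein edit distance (insert, delete, substitute) with two rows of state.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return the protected name a handle imitates, or null if it looks unrelated.
// maxDistance 1 covers the swapped, doubled and inserted letters in the article's
// examples; distance 0 after normalisation means only padding was added.
function findImpersonatedName(handle, names = PROTECTED_NAMES, maxDistance = 1) {
  const h = normalizeHandle(handle);
  let best = null;
  for (const name of names) {
    const d = editDistance(h, name);
    if (d <= maxDistance && (best === null || d < best.distance)) best = { name, distance: d };
  }
  return best ? best.name : null;
}

// Check a batch of handles. allowlist holds the exact handles known to be genuine,
// so the real account is never reported as impersonating itself.
function flagLookalikes(handles, allowlist = new Set(), names = PROTECTED_NAMES) {
  const flagged = {};
  for (const handle of handles) {
    if (allowlist.has(handle.toLowerCase())) continue;
    const match = findImpersonatedName(handle, names);
    if (match !== null) flagged[handle] = match;
  }
  return flagged;
}

// The seven handles quoted in the article, plus three constructed controls: a
// padded variant, a handle we treat as the genuine one, and an unrelated account.
const SAMPLE_HANDLES = ['@Eilon_Musk', '@ElonMuski', '@EloonMusk', '@Elonn_Musk',
  '@Alon_Musk', '@DoonaldTrump65', '@justtinsun_tron',
  '@elon_musk', '@elonmusk', '@nakedsecurity'];
const SAMPLE_ALLOWLIST = new Set(['@elonmusk']);

console.log(flagLookalikes(SAMPLE_HANDLES, SAMPLE_ALLOWLIST));
```

The same distance check works on domain names, where a single dropped or doubled letter is the usual trick.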


Google-Nest merger reawakens privacy worries

By Lisa Vaas

Four years ago, Google paid $3.2 billion for Nest, a fancy smart-home thermostat and smoke alarm maker.

Privacy advocates found this a daunting marriage, but Google wound up running the business at arm’s length, over in its Alphabet division.

Nest co-founder and former CEO Tony Fadell told the BBC at the time of the acquisition that consumers could relax. Nest data wouldn’t be mixed with all the other information Google gathers:

When you work with Nest and use Nest products, that data does not go into the greater Google or any of [its] other business units. We have a certain set of terms and policies and things that are governed. So, just when you say we may be owned by Google, it doesn’t mean that the data is open to everyone inside the company or even any other business group – and vice versa. We have to be very clear on that.

Whew! What a relief, eh?

After all, on the one hand, we had Google, with its already vast knowledge of us. On the other hand, there was Nest, maker of Internet of Things (IoT) thermostats that learn, tracking customers’ daily usage to automatically set heating and cooling temperatures, and of smoke alarms that communicate via Wi-Fi with the company’s other devices or with your smartphone or tablet to send smoke or carbon monoxide alarms.

Put them together, and what do you get? Google’s hardware entrance into the IoT. Such a merger could have meant that Big Google Brother would be able to know even more intimate things about us than it already did at the time, such as whether we were home or not. Then, it easily could have connected that information with our mobile phone data to form ever-more-deep portraits of us for ever-more-targeted advertising or other profit-rich ventures.

Well, it turns out that Fadell’s “let’s be clear on that” promises on data privacy have gotten a bit muddy.


February 12, 2018 »

Cryptomining script poisons government websites – What to do

By Paul Ducklin

Reports surfaced over the weekend claiming that a whole raft of government websites were “infected with malware”.

The full story seems to be more nuanced than that, which is just as well, because the list of infected sites stretches across the Anglophone world, with web pages affected in at least the US, the UK, and Australia.

The malware involved – you’d probably have guessed what it was going to be even if we hadn’t mentioned it in the headline – was a cryptomining script.

Cryptomining malware is when crooks covertly infect your computer with software to do the calculations needed to generate cryptocurrency, such as Bitcoin, Monero or Ethereum. The crooks use your electricity and processing power, but keep any cryptocoin proceeds for themselves.

The infection source in this case seems to have been a service run by a company called Texthelp Limited.

The site serves up JavaScript that can convert pages on your website to speech, in order to help out visitors who aren’t fluent in English, or who aren’t good at reading.

As you can imagine, government websites are meant to serve everyone, even those who aren’t literate, and numerous regulations exist that cover how accessible the public sector needs to make its web pages.

Indeed, Texthelp lists some of these regulations on its website, including: EU – Convention on Human Rights, UK – Accessible Information Standard, IRE – Disability Act 2005, US – Americans with Disabilities Act (ADA), CA – Canadian Charter on Rights and Freedom, AUS – Disability Discrimination Act, and more.


Winter Olympics network outages blamed on unexplained cyberhack

By Paul Ducklin

The Mail Online has a URL that explicitly states, Russian-cyber-crooks-hacked-Winter-Olympics.html.

The article it links to isn’t quite so explicit, instead demanding to know, “Did Russian cybercriminals hack the Winter Olympics opening ceremony?”

The headline then answers its own question by adding, “[O]fficials don’t know who was behind it.”

Rival UK tabloid The Sun isn’t sure either, but that didn’t stop it shouting, “Cyber crooks HACKED the Winter Olympics opening ceremony”, before wondering, “[B]ut who is responsible?”

In comparison, Mashable is conciliatory, leading with, “Olympic organizers hit with hack during opening ceremony.”

(Even though a hack during the opening ceremony is not at all the same as a hack of the opening ceremony, Mashable couldn’t resist putting the slug Olympic-opening-ceremony-hack in its URL.)


Chinese police get facial recognition glasses

By Lisa Vaas

In time for the massive upcoming human migration that is China’s annual Lunar New Year, Chinese police have added a new surveillance tool to their already considerable arsenal: glasses outfitted with fast facial recognition technology that’s connected to a database of 10,000 suspects wanted in connection with major crimes.

During the celebration, which begins next week, hundreds of millions of people will flood train stations and airports.

China’s official state media outlet, the People’s Daily, on Monday touted the surveillance specs as a way to help out authorities during massive events such as the annual Lunar New Year. Chinese news outlets featured a policewoman wearing a sunglasses version while patrolling a train station in Zhengzhou, the capital of central China’s Henan province.

The People’s Daily reported that the eyeglass-mounted camera is equipped with facial-recognition technology capable of “highly effective screening” of crowds for fugitives traveling under false pretenses.

According to the Wall Street Journal, the devices are skirting the slow mess that is blurry CCTV cameras and hooking directly into a database of known suspects. LLVision, the company behind the devices, says that they’ve been able to identify individuals by zipping through a database of 10,000 suspects in as little as 100 milliseconds: faster than some fixed-camera systems.

As of Wednesday, the glasses had already helped railway police at Zhengzhou’s East Railway Station nab seven suspects and 26 people who were allegedly traveling using other people’s identities.

Borrowing others’ identities is a way for people to evade China’s monitoring of air and train travel, to get around travel restrictions, and to slip past whatever punishment authorities think should be meted out for their “infractions,” the WSJ reports.


Robot’s revenge – the CAPTCHA that stops humans

By Lisa Vaas

What do bots talk about on their bots-only internet?


(If you like robot humor like that, please do visit r/totallynotrobots and observe a fellow human having a human experience.)

Anyway, beats me, what robots talk about on robot internet. I’m a human. And I have verified my humanness thanks to an “online performance” called Humans Not Invited, brought to us courtesy of online programmer artist Damjanski. His real name, according to Motherboard, is Danjan Pita.


February 8, 2018 »

WordPress users – do an update now, and do it by hand!

By Paul Ducklin

WordPress just announced a most embarrassing bug.

Earlier this week, the world’s most widely used blogging and content delivery platform pushed out its Version 4.9.3 Maintenance Release.

There weren’t any critical security patches in this one, but there were 34 bug fixes, and who doesn’t want bugs fixed promptly?

And for more than four years, updating WordPress has been pretty easy – you haven’t had to type a single word or press a single button.

As Naked Security’s Mark Stockley wrote, back in October 2013 when WordPress 3.7 came out:

We’ve all become quite used to the idea of the software on our desktops, tablets, laptops and smartphones silently patching itself in the background and it’s good to see popular web software catching up – it’s long overdue.

What makes background updates for WordPress such a significant step is the software’s sheer popularity. Nobody is quite sure how many of the world’s websites are running on WordPress but the consensus seems to be that it’s about 15% to 20%.

These days, some estimates put the WordPress website share even higher, in the upper 20% range, so automatic updates are even more important than they were back in 2013.


Reddit users, beware its evil twin

By John E Dunn

Unbeknownst to Reddit users, the site that likes to call itself the “front page of the internet” has acquired an unwanted evil twin they’d do well to avoid.

Registered in July 2010 as (notice the missing ‘m’), it’s reportedly been used to host Flash games, a porn cam, and has spent a long time parked and for sale to anyone who might want to buy it.

Earlier this week, security engineer Alec Muffett noticed that had turned into something altogether more troubling – a clone of, most likely intended to phish user credentials.

Muffett found the site by accident, which is exactly how anyone would discover a site that is reached by mis-typing the correct domain by a single letter.

This made him wonder aloud:

How on earth the .co registry permitted it to be registered, is beyond me…

In fact, .co is the country code top-level domain (ccTLD) for Colombia – one might have assumed the registrar appointed to manage these would not have allowed it to be combined with such an obvious trademark as Reddit. Trademark holders are usually also careful to register similar-looking domains to protect themselves.

Muffett said he reported the page to Google’s Safe Browsing. Almost 24 hours later and the fake site was still reachable although by the morning of 7 February, Google had started blocking it.


YouTube Kids hasn’t cleaned up its act

By Lisa Vaas

How to sharpen knives. Characters from the Paw Patrol cartoon screaming on a burning plane. Images of blood-stained clowns.

Déjà vu!

Yes, the fright fest is back again at YouTube Kids, and YouTube is apologizing, again, uttering the tried-and-true “we have to do better.” An investigation by BBC Newsround is only the latest to find inappropriate content on the Google-owned site.

This is not what YouTube Kids was supposed to be. Launched in February 2015, it was meant to be sanitized: a place where youngsters would be spared the hair-raising comments and content to be found on the rest of YouTube.

But in November, the New York Times reported that a startling collection of disturbing videos was slipping past the algorithms erected to keep bad actors out of YouTube Kids.

As of November, YouTube Kids was pulling in more than 11 million weekly viewers, attracted by a seemingly bottomless barrel of clips, including those from kid-pleasing shows by Disney and Nickelodeon. Those viewers include parents who assume that their kids will only see age-appropriate content that’s been scrubbed of the muck that you can find on the main YouTube site, be it racist, anti-Semitic, homophobic, sexual, or horrifically violent.

YouTube said in November that it was hoping that within the window of time between content making its way from YouTube onto YouTube Kids – a matter of about five days – users would flag clips that could potentially disturb children. It also planned to start training its review team on a new policy that age-restricts this type of content in the main YouTube app when flagged.


February 7, 2018 »

Alleged Kelihos botmaster and spam king extradited to US

By Lisa Vaas

Peter Yuryevich Levashov – a 37-year-old Russian computer programmer, accused by the FBI of developing the Kelihos botnet and using it to stuff inboxes with Viagra and Cialis spam; to steal bitcoin wallets and other financial data; and to spew malware, including banking Trojans and ransomware, worldwide – has been deported from Spain to the US town of New Haven, Connecticut.

The US Department of Justice (DOJ) announced the extradition on Friday. In its press release, the DOJ said that besides the spam, the malware, and the harvesting of victims’ personal information, Levashov allegedly also rented out Kelihos botnet spam and malware services.

Levashov allegedly hid behind the hacker names Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov to do the dirty work.

In April 2017, the US Department of Justice indicted Levashov on one charge each of damaging a protected computer, conspiracy, accessing protected computers to commit fraud, wire fraud, aggravated identity theft, and threatening to damage a protected computer; plus two counts of fraud in connection with email.

He had been arrested in Barcelona while vacationing with his family that same month.

In March 2010, Microsoft, working with other security researchers, went after another botnet called Waledac with a combination of legal and technical takedown maneuvers. (More recently, Microsoft again used the courts, sending lawyers to fight the [likely] Russian hacking group known as Strontium, Fancy Bear or APT28. It involved seizing domains that hosted the phishing sites used to steal credentials or for botnet command & control [C&C]).

Microsoft used the same takedown techniques with the Kelihos botnet, which shared a good deal of code with Waledac.

According to the indictment, Levashov allegedly tried hard to protect his anonymity.


Uber and Waymo clash in court over driverless technology

By Lisa Vaas

After a delay of about two months, Uber and Waymo, the self-driving-car unit from Google, finally had their first day in court in the trade secrets lawsuit brought by Waymo a year ago.

If Day One is any indication, this suit is going to paint a picture of a vicious competition between the two companies.

The BBC wrote about the evidence Waymo presented on Monday, including emails that portrayed Uber’s then-chief executive Travis Kalanick as having been desperate to catch up with Google’s autonomous driving technology.

According to that evidence, Uber Engineering Manager John Bares, who was head of Uber’s autonomous group at the time, took notes during an 18 September 2015 teleconference in which he writes about “increasing pressure” to 1) catch up on Google’s seven-year head start in autonomous vehicle technology and to 2) deploy 100,000 driverless cars in 2020.

Notes from a subsequent meeting Bares had with Kalanick show that the former Uber CEO wanted to obtain “the cheat codes,” “all of their data” and a “pound of flesh” from Waymo.

Waymo claims that Uber, worried about Waymo beating it in the self-driving car race, ripped off Waymo’s trade secrets when it hired one of its former executives, Anthony Levandowski. Levandowski had led the driverless car project for Google since 2011. That project first began in 2009, which is about as long as Uber’s existence.

Kalanick contacted Levandowski directly in October 2015 to discuss “selling a nonexistent company.” Levandowski allegedly stole 14,000 proprietary Waymo documents just days before leaving Waymo to start that company, “Otto,” in January 2016. In August 2016 Uber then acquired Otto, a move which, Waymo alleges, was all part of a plan with Levandowski to steal Google’s technology.


Early Google, Facebook employees band together to tame tech addiction

By Lisa Vaas

Fake news, foreign tinkering in the US 2016 presidential election, and mounting evidence about how bad technology is for kids: it’s all led to a tsunami of regret from those who helped to create the social media platforms that enable it all.

A quote from an early ex-Facebook employee, as reported by Vanity Fair:

Most of the early employees I know are totally overwhelmed by what this thing has become. They look at the role Facebook now plays in society, and how Russia used it during the election to elect Trump, and they have this sort of ‘Oh my God, what have I done’ moment.

We’ve seen ex-president of Facebook Sean Parker admit that from the get-go, the main goal has been to get and keep people’s attention, by hook, by crook or by dopamine addiction. Former vice president of Facebook user growth Chamath Palihapitiya has expressed remorse for his part.

Facebook has admitted that social media can be bad for you, Facebook founder Mark Zuckerberg has said that his platform needs fixing, Apple’s Tim Cook is keeping his nephew off social media, and, well, the list goes on.

The latest “woops!!!” news: a group of “what kind of mind-gobbling social media monster have we created?” repentants have come together to form the nonprofit Center for Humane Technology (CHT). On Sunday, the group launched a new campaign to protect young minds from what they say is “the potential of digital manipulation and addiction.”

Members include former employees and advisors to Google, Facebook, and Mozilla.

The CHT is partnering with Common Sense – a nonprofit that advocates for children and families – for the campaign, which is titled Truth About Tech.


Keeping kids safe online – trying to practice what I preach

By Maria Varmazis

Being a blogger in the world of cybersecurity, I’ve rather firmly established myself in the eyes of my friends and family as the person to go to with questions about an app they heard about on the news, or what to do about some new hack or big security bug, and how to keep their information safe.

I take a great deal of pride in being able to help people like that. When I was pregnant with my first child last year, one of my family members with young kids said something along these lines to me:

I can’t keep up with all the new tech and apps that kids have access to nowadays, it’s all happening so fast. But if anyone can sort it all out, you can.

I wish I shared that confidence.

My approach to keeping my kid safe online is easy right now because she’s a baby and it’s all fully under my control. My main concern is her future privacy, and I know it only gets harder from here.

I want my kid to have the choice about what to do with her data – as much as possible, anyway – without my actions removing all choice from her before she even has a say. After all, what we do know about what social networks actively do with identity and demographic information is alarming (or impressive, if you’re a marketer who wants to sell people stuff on Facebook).

Despite all the promises these companies make about how they take data privacy and protection seriously, breaches can happen to the most well-intentioned organization. The best personal data protection is ultimately preventative: Limit what data is available to companies in the first place.

In light of this, in trying to practice what I preach about data privacy online, these are the choices I’ve made:

  • I do not post my child’s name, date of birth, or any photos of her online.
  • I make sure my friends and family do the same.

My hopes are that this will allow her to decide on her own, as an adult, when and how to carve out her own identity online and share her childhood photos with the world. And, though it might be futile in a world where people who had never heard of Equifax were still affected by the breach, I hope by keeping as many of her personal details off the internet for as long as possible, that I might help guard her information from being stolen and used in identity theft. After all, we know babies and children are a favorite target for this kind of thing.

