Repairs & Upgrades

March 21, 2019

Opera brings back free VPN service to its Android browser

By Lisa Vaas

Opera announced on Wednesday that it’s added its free Virtual Private Network (VPN) service to its Android browser app …again.

The Norwegian browser maker offered a stand-alone, built-in VPN service before it was sold to a Chinese consortium, but it stopped working after the sale.

Now, it’s back: the latest, VPN-bearing, mobile browser version – Opera for Android 51 – is available now in the Google Play store or on … The company hasn’t given any hints about whether it’s planning to bring the VPN to its iOS browser.

The VPN is free, unlike private VPN services for which you have to pay additional fees, Opera stressed. It’s also easy: users don’t have to sign in every time they want to use it; all you have to do is hit a switch.

What this is…

The Opera browser VPN will create a private and encrypted connection between Androids and a remote VPN server, using 256-bit encryption. It will shield users’ geographical locations, thus making it hard to track us, Opera says. That will hopefully provide a bit of relief from the apps that have been sucking our location data like so many leeches and selling it to third parties.


FBI crackdown on DDoS-for-hire sites led to 85% slash in attack sizes

By Lisa Vaas

In December, the FBI seized the domains of 15 of the world’s biggest “booters” (websites that sell distributed denial-of-service, or DDoS, services) – a crackdown that’s led to an 85% decrease in the average size of DDoS attacks on a year-on-year basis, according to a new report.

According to NexusGuard’s DDoS Threat Report 2018 Q4, the number of DDoS attacks also fell by 10.99% when compared with attacks during the same time in 2017.

That’s thanks to the FBI taking down the booters that were allegedly responsible for what the DDoS security provider says was more than 200,000 DDoS attacks since 2014.

Besides the drop in overall activity, both the average and the maximum DDoS attack sizes also dropped like rocks – by 85.36% and 23.91%, according to NexusGuard’s analysis.

DDoS-for-hire sites sell high-bandwidth internet attack services under the guise of “stress testing.” One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service – a service that was, suitably enough, given a dose of its own medicine when it was hacked in 2015.

You might remember Lizard Squad as the Grinch who ruined gamers’ Christmas with a DDoS against the servers that power PlayStation and Xbox consoles – an attack it carried out for our own good.


Researcher finds new way to sniff Windows BitLocker encryption keys

By John E Dunn

A researcher has published a new and relatively simple way that Windows BitLocker encryption keys can be sniffed in less secure configurations as they travel from Trusted Platform Modules (TPMs) during boot.

BitLocker is the full volume encryption system that has been shipped with higher-end versions of Windows since Vista, which in the case of Windows 10 requires running or upgrading to Pro, Enterprise or Education versions on a computer with a TPM 1.2 or 2.0 chip.

Inevitably, being the Windows encryption platform has made it a target for researchers looking for weaknesses in something many people use, of which the method published by Denis Andzakovic of Pulse Security last week is only the latest example.

The weakness he exploits is that in its most basic and insecure configuration, BitLocker boots encrypted drives without the user needing to enter a password or PIN other than their normal Windows login. Writes Andzakovic:

The idea behind this is that if the laptop is stolen, and the attacker does not know your login password, they cannot pull the drive and read the contents.

No login, no access to the computer’s encrypted drive. Simply removing the drive and putting it in another computer won’t work either because the encryption key is secured inside the old machine’s TPM.


Google researcher discovers new type of Windows security weakness

By John E Dunn

Microsoft has said it plans to patch a new class of Windows security bug discovered by a Google Project Zero researcher despite finding no conclusive evidence that it poses a threat to users.

The unusual and complicated weakness appears to have been sitting unnoticed in Windows since as far back as XP and will be patched in the next version of Windows 10, currently named 19H1 (aka version 1903).

But if it’s not a clear threat, why patch it at all? For the answer to that, we need to explore the backstory.

According to Project Zero researcher James Forshaw, he first discovered what he assumed was a relatively straightforward kernel-mode driver Elevation of Privilege (EoP) issue in 2016, eventually fixed by Microsoft as CVE-2016-3219.

Following up a year later, however, he realized he’d stumbled upon a larger logic hole that might allow malware running in user mode (which limits privileges) to sneak privileges through the interaction of Microsoft and third-party kernel-mode drivers and the Windows I/O manager subsystem.

However, Forshaw was still unable to create a working proof-of-concept (many aspects of these deeper code interactions are difficult without proprietary knowledge), forcing him to contact Microsoft for help:

This led to meetings with various teams at Bluehat 2017 in Redmond where a plan was formed for Microsoft to use their source code access to discover the extent of this bug class in the Windows kernel and driver code base.


Researchers fret over Netflix interactive TV traffic snooping

By Danny Bradbury

No sooner has Netflix made an interactive TV show than people are pulling apart its privacy implications and fretting about its potential to leak private information. Research published last week said that it is possible to deduce viewers’ choices from the platform’s interactive TV shows, like Bandersnatch.

After a couple of smaller projects, Bandersnatch was Netflix’s first big foray into interactive TV. Set in 1984, the episode in Charlie Brooker’s Black Mirror series lets the viewer control the actions of a young video games programmer, Stefan Butler, who idolizes established games programmer Colin Ritman. Throughout the episode, the viewer chooses what he does, including seemingly innocuous choices such as which cereal to eat. The choices guide you down a range of paths concluding in one of several endings for the story.

It’s an idea that anyone who grew up on the Choose Your Own Adventure and Fighting Fantasy book series will warm to. Unlike the books, Netflix records your story choices digitally, and the researchers believe that could pose a privacy problem.

According to their paper, although Netflix uses end-to-end encryption to send those choices from your viewing device to its servers, communication flaws still make it possible to snoop on what you choose. The paper says:

Recent advancements in the domain of encrypted network traffic analysis make it possible to infer basic information about the preferences of Netflix viewers.

The researchers realized that viewers’ devices indicated their choices by sending a JSON file (JSON is a human-readable text format commonly used in web and cloud-based software requests). The device would send one of two different JSON files for each choice, depending on what the user chose. By working out which JSON file was sent and the point in the program at which it was sent, they could work out the user’s choices.


March 20, 2019

Elsevier exposes users’ emails and passwords online

By Lisa Vaas

Elsevier – publisher of scientific journals such as The Lancet – has left its users’ passwords and email addresses lying around online.

What Motherboard described as a “rolling list of passwords,” along with password reset links produced when users requested a change to their login credentials, was discovered by cybersecurity company SpiderSilk. It’s unclear how many records were exposed or for how long.

Mossab Hussein, SpiderSilk chief security officer, said that most of the exposed accounts are related to educational institutions, and hence belong to either students or teachers.

To paraphrase a Twitter wit… What could go wrong besides hackers making sure all their journal submissions get accepted?

For one thing, those email addresses/passwords could be used on other, sensitive sites, as Hussein pointed out. With the depressing ubiquity of password reuse, some of them undoubtedly are sprinkled around elsewhere online.


New scam accuses you of child abuse, offers to remove evidence

By Paul Ducklin

Here’s a new twist to sextortion, the cybercrime that gets its name because it melds sex with extortion.

Usually, the approach is to send you an email saying, “We infected your computer with malware, we snooped via your webcam, we monitored your browsing…

…and we recorded you on a porn site, so send us money or we’ll send the recording to your friends and family.”

To reinforce the claim to have remote control over your computer, the crooks often add some personalized content into the email they send you.

For example, the crooks may include a password from one of your accounts, list your phone number, or set the From: line in the email to make it look as though they sent the message directly from your own email account.

Don’t panic if you see “personal” data in one of these spams. The passwords and phone numbers almost certainly come from a data breach – in fact, you might recognise the password as an old one you had to change because the service provider got hacked. And the From: header in an email is essentially part of the mail message itself – the sender can set it to anything they like.


Microsoft won’t patch Windows registry warning problem

By Danny Bradbury

A security researcher has found a way to tinker with Windows’ core settings while persuading users to accept the changes, it emerged this week – and Microsoft has no intention of patching the issue.

The attack was discovered by John Page, who goes by the name hyp3rlinkx. It focuses on the Windows registry, which is a database of configuration settings for software programs, hardware devices, user preferences and the operating system itself.

Users can make changes to the registry using the Registry Editor program that ships with Windows, but this isn’t something that non-power users would normally do. Messing with the registry can cripple your machine or introduce security risks.

In most cases, when a Windows user really must make changes to the registry, they’ll do it by clicking on a file with a .reg extension. These files, provided by a trusted third party, alter the registry without the user having to enter anything.

This is why a dialog box appears when opening a .reg file, asking users if they trust the source and if they want to continue. It will then offer a ‘yes’ or ‘no’ choice.

Page’s attack changes that. In a document describing the process, he explains:

…we can inject our own messages thru the filename to direct the user to wrongly click “Yes”, as the expected “Are you sure you want to continue?” dialog box message is under our control.


Gargantuan Gnosticplayers breach swells to 863 million records

By John E Dunn

A hacker using the identity ‘Gnosticplayers’ has topped up one of the largest data breaches ever publicized by offering for sale 26 million records stolen from another six online companies.

The first of four data caches came to light in early February when The Register got wind that a database of 617 million records pilfered from 16 companies had been put up for sale on the Dark Web for $20,000.

Days later, Gnosticplayers added another 127 million records from a further eight websites, before adding a third round on 17 February comprising another 93 million from a further eight sites.

Round 4

The fourth round, posted to Dark Web market Dream Marketplace last weekend brings the total number of hacked records to 863 million from 38 sites.

The data at risk varies by site but reportedly includes email addresses, usernames, IP addresses and, in some cases, personal details, settings and, in one case, phone numbers.

Passwords are also at risk with a variety of hashing algorithms used to secure them, including SHA1 (with and without salting), SHA256, SHA512 (with salting), and in the case of LifeBear, MD5.

Naked Security was unable to independently confirm the victims, but ZDNet has named the sites in the latest round as Bukalapak (13 million records), GameSalad (1.5 million), Estante Virtual (5.4 million), Coubic (1.5 million), LifeBear (3.8 million), (1.1 million).


Court: Embarrassing leaks of internal Facebook emails are fishy

By Lisa Vaas

Remember when app company CEO Ted Kramer was “spooked” into handing over confidential internal Facebook emails to MP Damian Collins during the UK’s fake-news inquiry?

Well now a California court agrees with Facebook that the “I panicked” explanation from Six4Three’s Kramer could stand a bit of scrutiny.

After all, Kramer handed over highly confidential documents, which he was explicitly told not to do during the company’s legal battle with Facebook. The whole thing looks more like a plot to leak confidential data than a flustered moment in an MP’s office, the court says.

Judge V. Raymond Swope, of the Superior Court of California, ruled that there was prima facie evidence that Six4Three had plotted to “commit a crime or fraud” by leaking the emails in violation of an earlier court order. Prima facie evidence is that which is sufficient to establish a fact or raise a presumption unless disproved or rebutted.

Six4Three’s legal team had been trying to hide the developer’s conversations with British MPs, claiming that they should be protected under attorney-client privilege. But given that prima facie evidence points to Six4Three having potentially leaked the emails, the court has ordered the developer to hand over all such records.


Epic in hot water over Steam-scraping code

By Danny Bradbury

Epic Games, the company behind online gaming phenomenon Fortnite, is at the centre of a privacy storm after players noticed that it was gathering data from their Steam accounts and storing it on their computers without permission.

Fortnite has been a gaming sensation. The game, which pits players against each other in an online world, is downloadable directly from Epic, which launched its own online Epic Games Store in December.

Last week, players found it gathering information about their accounts on rival online gaming service Steam, and Reddit was up in arms.

Reddit user notte_m_portent alerted Fortnite users to alleged suspicious activity in the Epic Game Launcher, which controls the Fortnite software. They claimed that it was watching other processes on the machine, reading root certificates, and storing hardware information in the registry, among other things.

Crayten, another Reddit user, also claimed to have found EGL creating an encrypted copy of the user’s localconfig.vdf file, which contains all friends on Steam and their name histories.

Epic VP of engineering Dan Vogel explained to concerned Redditors that tracking JavaScript feeds information to the company’s Support-a-Creator program, enabling it to pay creators. Epic describes these as “active video makers, streamers, storytellers, artists, cosplayers, musicians, and community builders” supporting its products.


March 19, 2019

MySpace loses 50 million songs in server migration

By Lisa Vaas

For at least a year, MySpace users have been complaining about broken links to music.

On 1 February 2018, Redditor JodiXD got a dispiriting reply from MySpace, to the effect that there was “an issue” with all songs/videos uploaded more than three years ago. Hang tight, should be a fix on the way, support said, though they weren’t exactly sure when that would be. Sorry for the inconvenience!


Well, 13 months later, the arrival date of the fix has been determined. It is, as MySpace said on Monday, “never.” Here’s the statement it finally put out:

As a result of a server migration project, any photos, videos, and audio files you uploaded more than three years ago may no longer be available on or from Myspace. We apologize for the inconvenience and suggest that you retain your back up copies. If you would like more information, please contact our Data Protection Officer, Dr. Jana Jentzsch at

Back-up copies? That’s a great idea. Unfortunately, it’s apparently not one utilized at MySpace before it does a server migration.


Child-friendly search engines: How safe is Kiddle?

By Maria Varmazis

Every now and then the following meme does the rounds on the family-focused corners of social media. The meme/public service message encourages parents and teachers to switch children to a kid-friendly search engine called Kiddle.

Kiddle’s tagline is that it’s a “safe visual search engine for kids.” It has been around for a few years, and is certainly not the only search engine marketed as child-friendly – similar services include Kidrex.

To be clear, neither Kiddle nor Kidrex is reinventing the search engine wheel, and, despite what some news stories imply, neither is owned by Google – they just use heavily customized versions of Google’s search engine under the hood, going beyond SafeSearch with the goal of making internet sleuthing as safe as possible for little ones.

In fact, Kiddle got into a little hot water a few years ago for making its search engine too exclusive, when it erased LGBT-related terms right out of existence from its search engine results pages. Kiddle soon fixed their search engine so kid-safe LGBT terms do show up in their searches.


Home DNA kit company now lets users opt out of FBI data sharing

By Lisa Vaas

Update 18 March 2019

FamilyTreeDNA emailed users last week to let them know that they can now opt out of DNA matching that will be used to help police identify the remains of deceased people or to help them track down violent criminals.

It’s now calling that type of investigative DNA research Law Enforcement Matching (LEM). The gene-matching company also set up a separate process for police to upload genetic files to the database. Police-uploaded files may now be used only for the purpose of identifying a dead person or the perpetrator of a homicide or sexual assault.

Those EU residents who created accounts before 12 March 2019 have been automatically opted out of LEM. They still have the option of adjusting their Matching Profiles to opt back into LEM, however. To do so, users should visit the Privacy & Sharing section within their Account Settings.

Original article, published 5 February 2019

Home DNA kit company says it’s working with the FBI

FamilyTreeDNA – one of the larger makers of at-home genealogy test kits – has disclosed that it’s been giving the FBI access to DNA profiles to help solve violent crime.

Investigators’ use of public genealogy databases is nothing new: law enforcement agencies have been using them for years. But the power of online genealogy databases to help track down and identify people became clear in April 2018, when police arrested Joseph James DeAngelo on suspicion of being the Golden State Killer: the man allegedly responsible for more than 50 rapes, 12 murders and more than 120 burglaries across the state of California during the 70s and 80s.


DARPA is working on an open source, secure e-voting system

By Danny Bradbury

The US Government is working on an electronic voting system that it hopes will prevent people from tinkering with voting machines at the polls.

Motherboard reports that the Defense Advanced Research Projects Agency (DARPA) is working with Oregon-based verifiable systems company Galois to create a voting system based on open source hardware and software.

There will be two systems, according to the report, neither of which will be offered for sale. Instead, they will serve as reference platforms for other vendors to produce more secure electronic voting machines.

The first system, which DARPA plans to bring to DefCon Voting Village this summer, will use a touch screen for voters to choose their candidates. It will then print out a paper ballot for a voter to check before depositing it into an optical scanning machine that counts the vote. That machine prints a paper receipt with a cryptographic code unique to that voter and their choices.

After all the votes have been counted, the codes will be listed on a website so that each voter can check that their votes were logged correctly.

Independent observers will also be able to count all the votes on the website and check the election results, Motherboard said.


Intel releases patches for code execution vulnerabilities

By Danny Bradbury

Intel released a slew of patches last week, fixing a range of vulnerabilities that could allow attackers to execute their own code on affected devices.

The chip maker released several security advisories to address the risks. One group of patched vulnerabilities affects its Converged Security and Management Engine (CSME), Server Platform Services, Trusted Execution Engine and Active Management Technology (AMT).

These are technologies that run at a very low level in the hardware stack, often underneath anti-malware software that might otherwise pick up suspicious activity. The bugs allow users to potentially escalate privileges, disclose information or cause a denial of service, Intel said.

There are 12 vulnerabilities in this group, including five marked with high severity.

Of these, only CVE-2018-12187 can be exploited remotely over a network. This is a high-severity denial-of-service bug relying on insufficient input validation in Intel’s Active Management Technology.

Two of the other high-severity bugs rely on local access, which is tied to read/write/execute capabilities. In practice, this means that the attacker has to be logged into the machine, or that the user must be persuaded to interact with a malicious file.

These bugs are CVE-2018-12190, which could let an attacker execute arbitrary code via insufficient input validation in CSME, and CVE-2018-12200, which could allow privilege escalation via insufficient access control in the Intel Capability Licensing Service.


March 18, 2019

G Suite admins can now disallow SMS and voice authentication

By John E Dunn

Users of Google’s cloud-based suite of productivity apps may find when logging in that their usual two-factor authentication options (2FA, or 2-step verification, as Google calls it) have disappeared.

If G Suite users have previously been logging in with SMS or voice call verifications, they could now be asked to authenticate using another method such as Google’s Prompt system or a security token based on the FIDO/2.0 standards.

Hopefully, this won’t come as a surprise to users because their G Suite admins will have mentioned this change in their 2FA options to users in advance.

Tough love

What lies behind the change is a new setting Google has made available in the G Suite console that for the first time gives admins the power to migrate users from one method of authentication to another.

Previously, admins could simply enable 2FA, choosing from a range of possible ways this could happen. Now, although admins can allow any type of authentication if they wish, two specific types of authentication – SMS and voice calls – can also be disallowed by policy.


WordPress 5.1.1 patches dangerous XSS vulnerability

By John E Dunn

Researchers have offered more detail on a recently patched vulnerability that would allow an attacker to take over a WordPress site using something as simple as a maliciously crafted comment.

Discovered by RIPS Technologies, the flaw is a cross-site request forgery (CSRF) flaw that exists on any site running version 5.1 or earlier with default settings and comments enabled.

At the heart of this flaw is how WordPress protects itself (or rather, doesn’t) from CSRF-based takeovers via comments.

CSRF attacks happen when an attacker hijacks an authenticated user session so that the malicious instructions appear to come from that user’s browser.

In the case of the latest flaw, all the attacker has to do is lure a WordPress admin to a malicious website serving a cross-site scripting (XSS) payload.

Websites defend themselves against CSRF in different ways, but the complexity of the task means there are always cracks attackers can slip through.


You left WHAT on that USB drive?!

By Lisa Vaas

Back in 2012, Sophos picked up a stash of USB keys from a lost property auction as an experiment. It turned out that they were a scary bunch of sticks: 66% of them contained malware, and not a single one was encrypted.

Well, the more things change, the more things USB drive-related remain hair-raising…

A new study found that you don’t just run a good chance of catching something from second-hand drives: you also run the risk of getting an eyeful of sensitive data that the previous owner may or may not have even bothered to drag to the trash – not that that would actually delete the data, mind you, but at least it’s an attempt.

The study, done by the University of Hertfordshire and commissioned by a consumer product comparison website called Comparitech, looked at what could be found on second-hand drives picked up on eBay, in second-hand shops and through traditional auctions.

The researchers found that about two-thirds of second-hand USB memory sticks bought in the US and the UK have recoverable and sometimes sensitive data. In one-fifth of the devices studied, the past owner could be identified.

They bought 200 USB drives – 100 in the US and 100 in the UK – between January and May 2018.

People in the US who offload their sticks turned out to at least be aware of the need to erase their data, with only one of the drives showing no sign of an erasure attempt. In the UK, however, 19 of the devices showed no sign of attempted cleansing.


Facebook outage coincides with (or causes?) 3m new Telegram users

By Lisa Vaas

Facebook fell flat on its face on Wednesday, which seems to have led to Telegram having a busy, busy day.

On Thursday, Pavel Durov, the founder and CEO of Telegram – a popular encrypted messaging app that describes itself as the “more secure alternative” to common messaging apps like WhatsApp – announced that it had picked up three million new users in the past 24 hours: a period that coincided with a nearly day-long, worldwide outage at Facebook.

The outage brought down not only Facebook’s core service, but also its Messenger, Instagram and WhatsApp services. On Thursday, Facebook blamed a misconfigured server.

Of course, we can’t say for sure if the Facebook outage actually caused the 3m user uptick. Maybe the two just happened to coincide. Durov didn’t mention what the typical, non-Facebook-flattened new-user signup rate is. At any rate, in any given week, there are multiple news stories that might cause users to seek out a messaging service that doesn’t suck their data blood like a cyber vampire.

Telegram is a free, encrypted messaging service that’s similar to WhatsApp, except that it doesn’t slurp up users’ data in order to make money from targeted ads. Rather, it runs on user donations.


How to make DuckDuckGo your default Chrome search engine

By Danny Bradbury

Privacy-conscious web users now have a new way to search in Chrome’s address bar. Version 73 of the browser, released Tuesday, now includes the DuckDuckGo search engine as an option.

Included without fanfare, the feature enables users to search DuckDuckGo by default from the address bar, but they must set this option in the preferences.

DuckDuckGo bases its business model on the idea that advertising needn’t invade users’ privacy. The company still gets its revenues from displaying ads, but it bases them on immediate searches rather than building data profiles of people.

Earlier this month, DuckDuckGo founder Gabriel Weinberg testified before the US Senate Judiciary Committee hearing on GDPR and California’s equivalent privacy legislation, CCPA. He told the Committee:

We simply do not collect or share any personal information at all.

Kudos to Google for taking the plunge, but it is five years late to the party. Safari has supported DuckDuckGo since OS X Yosemite, released in fall 2013, and Mozilla added support in Firefox around the same time.


Man drives 3,300 miles to talk to YouTube about deleted video

By Lisa Vaas

On Sunday, police in Mountain View, California, where Google is headquartered, arrested a man who drove more than 3,300 miles from Maine to discuss what he thought was the company’s removal of his YouTube account and the one video he’d posted – one about getting rich quick.

It was not, in fact, deleted by YouTube. It turns out, his wife deleted it, concerned as she was about her husband’s mental state. She told BuzzFeed News that the video, created by 33-year-old Kyle Long, was “rambling” and “bizarre.”

According to a press release from the Mountain View police department (MVPD), Iowa State Patrol on Friday gave them a heads-up about Long’s journey. Iowa police spoke to Long twice that day: once when he got into a collision (without injuries) and then again after he vandalized a restroom at a gas station store a short time later.

Employees at the gas station store didn’t want to press charges, and the collision didn’t warrant Long’s detention, so Iowa police let him go.

Three baseball bats and a serious need to chat

Then, on Sunday, the MVPD got another heads-up. This one came from police in Long’s hometown of Waterville, Maine. Waterville police told MV police that they’d been tipped off about Long having made it to California. They’d also gotten a tip that he intended to resort to physical violence if his meeting with Google execs didn’t go well.


March 14, 2019

Update now! Microsoft’s March 2019 Patch Tuesday is here

By John E Dunn

If you were among the millions of users who updated Chrome last week to dodge a zero-day exploit, Microsoft has something for you in this month’s Patch Tuesday – a fix for a separate flaw targeting Windows 7 that is being used as part of the same attacks.

To recap, the Chrome flaw (CVE-2019-5786) was first advised on 1 March with a ‘hurry up and apply the update’ follow-up a few days later when news of exploits emerged. The patch for that took Chrome to 72.0.3626.121.

Microsoft’s part of the twofer is a fix for a local elevation of privilege (EoP) vulnerability in Win32k (CVE-2019-0808), which in addition to Windows 7 also affects Windows Server 2008.

As Google’s Clement Lecigne pointed out, another way to achieve the same end is for Windows 7 users to upgrade:

As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows.

Zero day 2

Among a total of 64 CVEs, including 17 rated ‘critical’, is a second zero-day affecting all Windows versions identified as CVE-2019-0797, believed to have been deployed by middle-eastern APT groups. According to Microsoft’s description, that too is an EoP flaw requiring local access:

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

A further four vulnerabilities earn ‘important’ status because they are now in the public domain, namely CVE-2019-0683 (Active Directory EoP), CVE-2019-0754 (Windows denial-of-service), CVE-2019-0757 (NuGet Package Manager tampering), and CVE-2019-0809 (Visual Studio remote code execution/RCE).


“FINAL WARNING” email – have they really hacked your webcam?

By Paul Ducklin

Sextortion is back!

In fact, it never went away.

Some of us get dozens of sextortion scam emails every month to our work and personal accounts, demanding that we PAY MONEY OR ELSE!!

In the crime of sextortion, the “OR ELSE” part is a threat to release a video of a sexual nature in which you are visible.

For example:

FINAL WARNING. You have the last chance to save your social life. I am not kidding. I give you the last 72 hours to make the payment before I send the video to all your friends and associates.

How did the crooks obtain this X-rated film in which you’re the star?

They typically claim to have filmed you using malware planted on your computer in some way, for example:

I’ve been watching you for a while because I hacked you through a trojan virus in an ad on a porn website. If you are not familiar with this, I will explain this. A trojan virus gives you full access and control over a computer, or any other device. This means that I can see everything on your screen and switch on your camera and microphone without you being aware of it.

The good news is that it’s all a pack of lies, so you can relax.


Chrome will soon block drive-by-download malvertising

By Danny Bradbury

Google is tooling up in the war against malvertisers. Developers of its Chrome browser are introducing a feature that they hope will choke off one of the most malicious forms of malware infection: drive-by advertising downloads.

Automatic downloads via advertising frames are a popular cause of drive-by downloads. In these attacks, a malicious party will rent space from an online advertising network, which pays for banners on participating websites. The network serves up ads from its clients through those banners, usually based on information compiled about the website visitor. This is how websites can creepily show you ads for things you were searching for elsewhere.

In this case, things get creepier still. The attacker’s ad includes a download – usually a JavaScript executable – that takes advantage of a browser vulnerability and infects the victim’s computer.

The feature that Chrome will add is, in reality, more of a removal. Google is planning to deprecate a feature that automatically downloads any content from an advertiser.

The update comes from Yao Xiao, a developer on the Chromium open-source browser project that feeds Chrome. It isn’t his first attack on drive-by downloaders. He introduced a similar update in a January document that targets the same behavior in IFrames – an HTML element which effectively creates a window from the host webpage into another webpage. Attackers quickly began using IFrames to spray malicious content through websites to infect users’ browsers. That update takes effect in Chrome 74, which ships in April.


Update now! WordPress abandoned cart plugin under attack

By John E Dunn

Hackers have been spotted targeting websites running unpatched versions of the WordPress plugin Abandoned Cart for WooCommerce.

According to a blog written by Mikey Veenstra of WordPress firewall company Defiant (formerly Wordfence), the attacks exploit a cross-site scripting (XSS) flaw in version 5.1.3 of the plugin, which is designed to help site admins analyze and recover sales lost when shoppers abandon carts.

Affecting both paid and free versions of the software, the vulnerability is used to install two backdoors that compromise the site, the second a sneaky backup in case the site owners detect and disable the first.

The attack involves the hackers creating a cart containing bogus contact information, which is then abandoned. When the data in these fields is viewed by a site admin, a lack of output sanitization means that the billing_first_name and billing_last_name fields become a single customer field containing an injected JavaScript payload.

This uses the admin’s browser session to deploy the backdoors, starting with a rogue admin account added using a hidden iframe which triggers new account creation, at which point a notification of success is sent via the attacker’s command and control.

The second backdoor is then added by opening another iframe to the site’s plugins menu, which is scanned for any plugin with an ‘activate’ link denoting that it is inactive. That plugin is injected with a PHP backdoor script and lies dormant until the attackers decide to activate it.
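The flaw described above is a stored XSS: shopper-supplied billing fields are printed into the admin page without escaping. As an added example that is not the plugin’s own code, the snippet below puts the unsafe rendering beside a hardened version that escapes at the point of output; the cart record and the function names are constructed for illustration.

```php
<?php
// Added example, not code from the Abandoned Cart for WooCommerce plugin.
// Shows why unescaped billing fields become an XSS sink in the admin view,
// and the output-escaping fix.

// Constructed abandoned-cart record. The shopper fills in the checkout form,
// so every value here is attacker-controlled.
$abandoned_cart = [
    'billing_first_name' => 'Alice',
    'billing_last_name'  => '<script>/* constructed payload stand-in */</script>',
];

/**
 * Vulnerable pattern: the two name fields are joined into one customer cell
 * and written straight into the admin HTML. Any markup the shopper typed is
 * parsed by the browser and runs in the logged-in admin's session.
 */
function render_customer_unsafe(array $cart): string
{
    $name = $cart['billing_first_name'] . ' ' . $cart['billing_last_name'];
    return '<td class="customer">' . $name . '</td>';
}

/**
 * Hardened pattern: escape at the point of output, so the same input is
 * displayed literally. htmlspecialchars() is plain PHP; inside WordPress the
 * equivalent call is esc_html().
 */
function render_customer_safe(array $cart): string
{
    $name = $cart['billing_first_name'] . ' ' . $cart['billing_last_name'];
    return '<td class="customer">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

/**
 * Regression check for a template test: the cell body built from user data
 * must never contain a raw '<' once rendered.
 */
function contains_raw_markup(string $html): bool
{
    $open  = '<td class="customer">';
    $close = '</td>';
    $inner = substr($html, strlen($open), -strlen($close));
    return strpos($inner, '<') !== false;
}

// Markup passes through the unsafe renderer untouched; the safe renderer
// turns it into &lt;script&gt;... so the browser shows text instead of running it.
echo render_customer_unsafe($abandoned_cart), "\n";
echo render_customer_safe($abandoned_cart), "\n";
var_dump(contains_raw_markup(render_customer_unsafe($abandoned_cart)));
var_dump(contains_raw_markup(render_customer_safe($abandoned_cart)));
```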


Misconfigured Box accounts leak terabytes of companies’ sensitive data

By Lisa Vaas

If your company uses Box for cloud-based file sharing, security researchers are advising you to stop reading right now and immediately disable public file sharing: vanity-named subdomains and URLs are “easily brute-forceable,” leaving companies’ publicly shared data open to extremely easy attacks.

Security firm Adversis published a report on Monday after using a “relatively large” wordlist to uncover hundreds of Box customers’ subdomains, through which they could access hundreds of thousands of documents and terabytes of extremely sensitive data.

A sampling of what the researchers found:

  • Hundreds of passport photos
  • Social Security and bank account numbers
  • High-profile technology prototype and design files
  • Lists of employees
  • Financial data, invoices, internal issue trackers
  • Customer lists and archives of years’ worth of internal meetings
  • IT data, VPN configurations, network diagrams

Adversis says its initial impulse was to reach out to all the affected companies, but the scale of the task ruled that out. After finding that a large percentage of Box customer accounts that it tested had thousands of exposed, sensitive documents, the firm alerted some of those companies, gave Box a heads-up – that was on 24 September – and published its report.

As Box Chief Customer Officer Jon Herstein said in a blog post on Sunday, Box offers various ways for its customers to allow content sharing both between employees and outside the company.


March 13, 2019 »

New bill would give parents an ‘Eraser Button’ to delete kids’ data

By Lisa Vaas

Two US senators on Tuesday proposed a major overhaul of the Children’s Online Privacy Protection Act (COPPA) that would give parents and kids an “Eraser Button” to wipe out personal information scooped up online on kids.

The bipartisan bill, put forward by Senators Edward J. Markey (D-Mass.) and Josh Hawley (R-Mo.), would also expand COPPA protection beyond its current coverage of children under 13 in order to protect kids up until the age of 15.

The COPPA update also packs an outright ban on targeting ads at children under 13 without parental consent, and from anyone up until the age of 15 without user consent. The bill also includes a “Digital Marketing Bill of Rights for Minors” that limits the collection of personal information on minors.

The proposed bill would also establish a first-of-its-kind Youth Privacy and Marketing Division at the Federal Trade Commission (FTC) that would be responsible for addressing the privacy of children and minors and marketing directed at them.


Facebook sues developers over data-scraping quizzes

By Lisa Vaas

Facebook on Friday sued two Ukrainian men, Andrey Gorbachov and Gleb Sluchevsky, for allegedly scraping private user data through malicious browser extensions that masqueraded as quizzes.

The company also alleges that the deceptive extensions injected unauthorized ads into Facebook users’ News Feeds when their victims visited through the compromised browsers.

From Facebook’s civil complaint:

As a result of installing the malicious extensions, the app users effectively compromised their own browsers because, unbeknownst to the app users, the malicious extensions were designed to scrape information and inject unauthorized advertisements when the app users visited Facebook or other social networking site as part of their online browsing.

According to the complaint, from 2016 to 2018, Sluchevsky and Gorbachov allegedly ran at least four web apps: “Supertest,” “FQuiz,” “Megatest,” and “Pechenka.”

The apps ran quizzes promising answers to questions such as “Do you have royal blood?”, “You are yin. Who is your yang?” and “What kind of dog are you according to your zodiac sign?” among many others.


Study throws security shade on freelance and student programmers

By Lisa Vaas

Security researchers often dump on users for their cruddy password practices. But what about the developers who write the code that’s supposed to keep our passwords safe?

…as in, what’s up with the developers who fail to properly encrypt/salt/hash, who use outdated password storage methods, who copy-and-paste code they found online (vulnerabilities and all), who leave passwords sitting around in plain text, or who don’t understand the difference between encryption and hashing?

There have only been a few studies looking at how developers handle end-user password storage, even though that work largely determines the security of those passwords. After all, reusing a password can have dire results for an individual, but a developer failing to hash and salt a database can lead to a far more widespread problem.

One such study, from 2017-2018, used computer science students as lab rats to examine how developers deal with secure password storage.


Citrix admits attackers breached its network – what we know

By John E Dunn

On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network.

According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March, and has since established that attackers took “business documents” during the incident:

The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.

No mention of when the attackers gained access, nor how long that lasted. As to how they got into the network of a company estimated to manage the VPN access of 400,000 large global organisations:

While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.

If you’re a customer of Citrix, apart from the lack of detail, two aspects of the statement will have unsettled you: the idea that attackers could bypass “additional layers of security” at a major tech company and the fact that the company didn’t know about the compromise until the FBI contacted it.


Email list-cleaning site may have leaked up to 2 billion records

By Danny Bradbury

The number of records exposed online by an email list-cleaning service in February may be far higher than originally anticipated, according to experts. The number of records available for anyone to download in plaintext from a breach at may have been closer to two billion.

Security researcher Bob Diachenko, who found the exposed data and worked on the breach investigation with research partner Vinny Troia, originally explained that on 25 February 2019, he discovered a 150Gb MongoDB instance online that was not password protected.

There were four separate collections in the database. The largest one contained 150Gb of data and 808.5 million records, he said in his blog post on the discovery. This included 798 million records that contained users’ email, date of birth, gender, phone number, address and Zip code, along with their IP address.

He then did some due diligence:

As part of the verification process, I cross-checked a random selection of records with Troy Hunt’s HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another ‘Collection’ of previously leaked sources but a completely unique set of data.

Exposed MongoDB instances don’t always clearly indicate who uploaded them, but Diachenko’s research turned up a likely suspect: This company, which has now taken down its website, offered what it called enterprise email validation services, along with free phone number lookup.


John Oliver bombards the FCC with anti-robocall robocall campaign

By Maria Varmazis

Americans are fed up with robocalls, and John Oliver of Last Week Tonight wants to do something about it.

Despite the existence of a do-not-call list and tools like call-blocking apps and caller ID to slow down incoming call spam, these tools have barely made a dent in the flood of harassing phone calls most Americans receive on their phones, with no real recourse to stop them.

Unfortunately it just seems to be getting worse year after year – in 2018 alone robocall volume in the US increased by 56.8% to 48 billion calls, and the Federal Communications Commission (FCC) reports that about half the phone calls made to cell phones in the US in 2019 will be robocalls.

Enough is enough of that, says John Oliver, comedian and host of TV show Last Week Tonight. He and his show are known for stunt activism to make a larger point about various societal and political ills in America.

Last Week Tonight has also gone after the FCC a few times in the past, namely in highlighting net neutrality and how it would affect the average internet user. The first time the show aired a net neutrality segment, the FCC’s website was DoSed into silence by angry viewers.

In the 10 March episode of Last Week Tonight, Oliver reported that 60% of the complaints registered with the FCC are about robocalls. So in his show’s tradition, Oliver announced that he’s hoping to spur the FCC into real action by giving them a taste of the annoyance of everyday Americans, subjecting the FCC commissioners to this message every 90 minutes:

Hi FCC! This is John from Customer Service. Congratulations! You’ve just won a chance to lower robocalls in America today. Haha… sorry, but I am a live person. Robocalls are incredibly annoying, and the person who can stop them is you! Talk to you again in 90 minutes. Here’s some bagpipe music.

So, if robocalls are such a problem, what is the FCC doing about it?


US Army clarifies its killer robot plans

By Danny Bradbury

The US Army has been forced to clarify its intentions for killer robots after unveiling a new program to build AI-powered targeting systems.

The controversy surrounds the Advanced Targeting and Lethality Automated System (ATLAS). Created by the Department of Defense, it is a program to develop:

Autonomous target acquisition technology, that will be integrated with fire control technology, aimed at providing ground combat vehicles with the capability to acquire, identify, and engage targets at least 3X faster than the current manual process.

That text comes from the US Army, which has announced an industry day taking place next week to brief industry and academia on its progress so far, and to source new expertise.

To translate, ATLAS is a project to make ground robots that are capable of finding and shooting at targets more quickly than people can. This raises the spectre of lethal AI once again.

Ethicists and scientists are already hotly debating this issue. Some 2,400 scientists and other AI experts including Elon Musk and DeepMind CEO Demis Hassabis signed a pledge under the banner of the Boston-based Future of Life Institute protesting the development of killer AI.

The UN has not yet taken decisive action, but Secretary-General Antonio Guterres has called for an outright ban.


March 11, 2019 »

Booking a restaurant? Let Google’s Duplex AI make the call for you

By John E Dunn

What’s the easiest way to book a restaurant table by phone?

If you own a Google Pixel smartphone and live in one of 43 US states, the new answer to that question might be to ask Google Assistant to make that call on your behalf.

It’s as simple as telling it to “book a table for four people at [restaurant name] tomorrow night”, confirming details such as party size and preferred time. You can then leave Google’s deeply clever Duplex AI system to confirm details with the restaurant. Helpfully, writes Google:

Once your reservation is successfully made, you’ll receive a notification on your phone, an email update and a calendar invite so you don’t forget.

If you’re wondering what that conversation might sound like, that’s the clever bit – Google’s Duplex neural network AI is designed to sound and respond like a human being.

Not long after Google played this voice demo, it found itself in the middle of a backlash about creepy AI systems that simulate humans in ways that (it was argued) risked being deceptive.

To counter this, Google now says the system will announce that “the call is from Google,” that the call will be recorded, and that it will offer the option to talk to a human if the person answering feels uncomfortable.


FTC says taxpayer voice phishing scams are up nearly 20x

By Lisa Vaas

Have you gotten a (fake!) call from a (not!) US Social Security Administration rep? Maybe one in which you’re told that your Social Security number (SSN) has been suspended because of “suspicious” activity, or because it’s been involved in a crime?

Sometimes, the real Social Security Administration (SSA) phone number – or a number that’s close to it – shows up on your caller ID.

All you have to do to clear up the mess is to confirm your taxpayer ID, the scammer will sometimes say. Or maybe you can take care of it by paying a fine… via gift cards, the codes for which you can read to the imposter over the phone.

Of course, you never want to do any of that: if you hand over your SSN, you’re setting yourself up for identity fraud. If you buy gift cards and hand over the codes, you can kiss that money goodbye. We should never give our SSN, credit card or bank account number to anyone who contacts us.

Unfortunately, some people do. And given that we’re in tax fraud season right now, in the months leading up to the April US filing deadline, it’s time for an updated report from the US Federal Trade Commission (FTC).


Serious Security: When randomness isn’t – and why it matters

By Paul Ducklin

We’ve written many times about ';--have i been pwned? (HIBP), a website run by security researcher Troy Hunt where you can check how many times your email address has shown up in data breaches.

Amazingly, the number of breached accounts that Troy has processed into his database over the years is just under 7 billion.

We’re not looking at 7 billion real accounts or even still-active accounts, of course, and we’re definitely not looking at 7 billion unique users, which would just about cover everyone on the planet…

…but the cumulative amount of breached data exposed publicly in recent years is alarming.

Fortunately, HIBP doesn’t have passwords for all those breached accounts, because well-run websites store your passwords in salted-hashed-and-stretched form, so that the original passwords can’t be recovered easily in the event of a hack.


Firefox picks up advertiser-dodging tech from Tor

By Danny Bradbury

Firefox users will soon get yet another privacy feature to help them avoid snooping advertisers – and the measure comes straight from its cousin, the Tor browser.

The new privacy protection will help Firefox users avoid a long-used snooping technique called fingerprinting. Browser cookies are not the only way to track users as they visit different websites. Even with cookies turned off, advertisers can still identify you across multiple sites.

They do this by looking at other characteristics that your computer reveals when visiting a website such as the size of your browser window.

Many people resize browser windows by manually dragging their corners around. This creates random window sizes that few people will share. The chances are you’ll visit several websites in that window, which communicates its size to each one. Advertisers can use that data to track you across multiple sites.

To combat this, Firefox has borrowed a technique called letterboxing from Tor as part of a bigger, more structured program to transfer features between the browsers.


Zuck says Facebook is becoming more “privacy focused”

By Lisa Vaas

Facebook CEO Mark Zuckerberg has either 1) written a Microsoft-esque, Trustworthy Computing-inspired call for the company to perform an about-face on privacy and security, or 2) he’s managed to pull a brand-healing move by infusing Thursday’s headlines with a bunch of words that include “privacy-focused” and NOT “disaster,” “breach,” or “dumpster fire.”

…or, then again, maybe 3) both.

At any rate, on Wednesday, the CEO unveiled what he framed as a major strategy shift that will involve developing a highly secure private communications platform based on Facebook’s Messenger, Instagram, and WhatsApp services.

The redesign entails streamlining communication between the three messaging services – something that Facebook announced in January. At the time, sources told the New York Times that the plan was to keep the three as standalone apps but to stitch their technical infrastructure together so that users of each app can talk to each other more easily.

Tightly connecting the messaging networks could help Facebook fend off being forced by US antitrust regulators to divest one or more of its messaging services. It would, at any rate, make divestiture a lot tougher to do.


Serious Chrome zero-day – Google says update “right this minute”

By Paul Ducklin

Chrome users, make sure you’ve got the very latest version.

Or, as Justin Schuh, one of Chrome’s well-known security researchers, put it:

[L]ike, seriously, update your Chrome installs… like right this minute.

We’re not big Chrome fans – we’ve always thought that Firefox is better in both form and function, to be honest – but we have Chrome installed at the moment and can tell you that the version you want is 72.0.3626.121, released at the start of March 2019.

To check that you’re up-to-date, go to the About Google Chrome… window, accessible from the address bar by typing in the special URL chrome://settings/help.

This will not only show the current version but also do an update check at the same time, just in case any recent auto-updates have failed or your computer hasn’t called home yet.


March 6, 2019 »

Google reveals BuggyCow macOS security flaw

By John E Dunn

Google’s Project Zero researchers have revealed a “high severity” macOS security flaw nicknamed ‘BuggyCow’ that Apple appears to be in no rush to patch.

The vulnerability is in the way macOS implements a memory optimization and protection routine used by all OS file systems called copy-on-write (COW).

The principle behind COW is that it provides a way for different processes to efficiently and securely share the same data object in memory until they need to modify it in some way – at that point, they must make their own copy of the data rather than changing the data in memory.

Writes Google’s Jann Horn:

It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process.

Using BuggyCow, malware already running on a Mac might be able to tamper with the copy of the data written to the disk in a way that is invisible to the file system:

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.

If that related to a privileged process, that might be a route to a privilege escalation capable of interfering with sensitive data.


Leaky ski helmet speakers expose conversations and data

By Danny Bradbury

On the face of it, Outdoor Tech’s Chips 2.0 speakers seem like the perfect accessory for any on-trend snow sports enthusiast.

The $130 Bluetooth helmet speakers attach to your audio-equipped ski helmet, giving you 10 hours of wireless audio with the ability to talk to your friends. There’s just one problem, said a security researcher this week: Everyone else can listen in too, and do a lot more besides.

Alan Monie, a researcher at cybersecurity consulting company Pen Test Partners, discovered the flaws after poking around in the walkie-talkie app that comes with the Bluetooth headphones.

Rather than connecting directly with other users on the slopes via Bluetooth, the app connects your Chips 2.0 speakers to the internet via your smartphone, meaning that all communications pass through Outdoor Tech’s servers.

The app allows you to form groups of other skiers or snowboarders, all of whom can then talk to each other via the app. Monie tried it out by creating a group and typing in his own name. That’s when the problems started, he says:

I began setting up a group and noticed that I could see all users. I started searching for my own name and found that I could retrieve every user with the same name in their account.

He dug a little deeper, typing ‘A’ into Outdoor Tech’s application programming interface (API), which is the software interface that the app uses to communicate with the back-end server. It showed 19,000 users.


Google Photos disables sharing on Android TV

By Lisa Vaas

Imagine you’re setting up your Android TV to display pictures of your cat, or your kids, or your main squeeze, in Backdrop/Ambient Mode.

But instead of photos of your trip to Belize, you see a parade of strangers: as in, Google accounts belonging to people you don’t know, including their profile pictures, all showing up as linked accounts.

That’s what happened to Twitter user Prashanth, who on Saturday posted a 44-second long clip of the accounts that streamed by when he was trying to access his Vu Android TV through the @Google Home app on his phone.

Fortunately, the strangers’ photos stayed tucked away, given that access to the photos themselves was blocked. In fact, Google Photos functionality didn’t seem to be working.

Prashanth told Android Police that he first spotted the bug on his home TV, a 55-inch Vu LED TV (model number: 55SU134) with built-in Android TV functionality, while setting up Backdrop/Ambient Mode through his Pixel 2XL phone.


Facebook criticized for misuse of phone numbers provided for security

By Lisa Vaas

Facebook’s under fire – again. This time, it’s for using phone numbers provided for security reasons, for other things.

Users are once again accusing Facebook of playing fast and loose with their privacy, allowing users to look up their profiles using the phone number they thought they were only providing for 2FA (two-factor authentication). What’s more, there’s no getting out of it, since Facebook has no opt-out for the “look me up by my phone number” setting.

This latest scandal blew up on Friday, when Emojipedia founder Jeremy Burge publicly criticized Facebook’s information-slurping operation.

In a string of tweets sent after that, Burge said that he noticed that in September Facebook slipped in an understated “and more,” appended to the original phone number prompt. The “and more” linked to a page that explained that the number would be used for purposes other than securing your account.


Companies are flying blind on cybersecurity

By Danny Bradbury

IT managers are flying blind in the battle to protect their companies from cyberattacks, according to a survey released today. The result is that getting pwned is now the rule, rather than the exception.

Sophos, which publishes this blog, worked with market research company Vanson Bourne to survey 3,100 IT managers across the globe. The survey covered companies in 12 countries, and quizzed organizations with as few as 100 users and as many as 5,000, finding that 68% of companies had been hit by a cyberattack in the last year.

The reason surfaced quickly enough: companies can’t see what’s happening on their endpoint devices. That leaves them struggling to prevent attacks, or even to know how and when they happened.

Most threats (37%) are only discovered when they reach servers, and another 37% are detected on the network. Attacks typically start on endpoint devices, so if companies are only picking them up on the server, that means attackers have already been snooping around their infrastructure for some time. Unfortunately, 17% of IT managers didn’t know exactly how long. Those who did know said that attackers had been on their networks for 13 hours before being detected. That’s plenty of time to steal a juicy batch of data or to plant some nasty ransomware.

