September 20, 2018 »

US military given the power to hack back/defend forward

By Lisa Vaas

Hacking back – what’s also called offensive hacking, or what the Defense Department is calling “defending forward” in its new cyber strategy, or what we can think of as plain old “attacking” but without the need for the military to get an OK from the president’s National Security Council – is back.

The new version of cyber strategy, first reported by CNN on Tuesday, says that the Department of Defense (DoD) will “defend forward” to confront threats before they reach US networks: in other words, the military has gained the power to launch “preventative” cyberattacks, be they to protect election systems or the energy grid.

Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets.

“The United States cannot afford inaction,” the summary reads. As it is, the US is in a “long-term strategic competition” with China and Russia, it says, which have both launched persistent cyber campaigns that pose “long-term” risk to the country, its allies and its partners.

References to state-sponsored hacks

The strategy references China-sponsored hacking and Russian tinkering with US elections and US discourse.

North Korea also rated a mention. Earlier this month, the US unsealed a criminal complaint that charged a North Korea regime-backed programmer with multiple devastating cyberattacks, including the global WannaCry 2.0 ransomware in 2017, the 2014 attack on Sony Pictures, and the $81m cyber heist in 2016 that drained Bangladesh’s central bank.

Read more at https://nakedsecurity.sophos.com/2018/09/20/us-military-given-the-power-to-hack-back-defend-forward/

FBI wants to keep “helpful” Mirai botnet authors around

By Lisa Vaas

In December 2017, the youthful authors of the devastating Mirai botnet admitted that, collectively, they were guilty of conspiracy to violate the Computer Fraud and Abuse Act (CFAA): one charge for the Mirai botnet, and two charges for a clickfraud botnet.

Which, in legalese, means…

…intentional damage to a protected computer, to wit knowingly causing the transmission of a program, code, or command to a computer with the intention of impairing without authorization the integrity or availability of data, a program, system, or information; and the computer was used in or affected interstate or foreign commerce or communication.

…and which, in English, means writing and implementing the code that led to the Mirai malware, which ensnared more than 300,000 Internet of Things (IoT) devices; launching multiple distributed denial-of-service (DDoS) attacks (including, unwisely, against security journalist Brian Krebs, whose response was to track them down and unmask them); renting the botnet out to third parties and then extorting money from hosting companies in exchange for not being targeted, or selling uniquely tailored “services” to victims in order to fend off such attacks; scanning for vulnerable devices to attack; and click fraud.

…All of which is estimated to have caused damage in excess of $100m.

Yeah, the FBI says, but they’re such smart guys. Let’s keep them around!

On Tuesday, on the FBI’s recommendation and the defense attorneys’ “Yes, please!”, an Alaskan court sentenced the three men to probation, community service and fines.

Read more at https://nakedsecurity.sophos.com/2018/09/20/fbi-wants-to-keep-helpful-mirai-botnet-authors-around/

Western Digital goes quiet on unpatched MyCloud flaw

By John E Dunn

Western Digital has failed to patch a serious security vulnerability in its MyCloud NAS drives that it was told about more than a year ago, researchers have alleged.

Worse, this is despite the fact that the issue was publicly disclosed as far back as DEF CON 25 in July last year.

The latest flaw, discovered independently by researchers at Securify and Exploitee.rs, is an authentication bypass that could give a local attacker complete admin control over drives.

The researchers started an admin session tied to their IP address and then fooled the drive into thinking this was authenticated by setting a username=admin cookie.

That was possible because:

The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1.

No admin password, nothing – just a simple CGI request to MyCloud’s web server and an attacker would be in via a local network (a remote compromise would depend on such access being enabled).

Securify has even published a proof-of-concept comprising a few lines of code – this isn’t major league hacking.
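As an added illustration (not the Securify or Exploitee.rs proof-of-concept and not Western Digital code), the following is a defender-side check that scans web-server access logs for the sequence described above: a client that invokes cgi_get_ipv6 with flag=1 on network_mgr.cgi and then presents a username=admin cookie, with the finding escalated when the source address is outside RFC 1918 space. The one-request-per-line log layout, the cmd= query key and the placeholder_mgr.cgi path are assumptions for the example; only the indicators named in the article are taken from the source.

```python
"""Flag the MyCloud admin-session bypass pattern in access logs (added example).

Log layout is constructed for this illustration, one request per line:
    <client-ip> <method> <path?query> <Cookie header or ->
Only network_mgr.cgi, cgi_get_ipv6, flag=1 and the username=admin cookie come
from the article; everything else (cmd= key, placeholder paths) is assumed.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# RFC 1918 ranges: the article notes the bypass needs local-network access unless
# the web interface has been exposed remotely, so non-LAN sources rate higher.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 192.168.1.10 runs the sequence from the LAN, 192.168.1.22
# presents an admin cookie with no prior session seed (benign here), and
# 203.0.113.7 runs the sequence from a non-RFC1918 address.
SAMPLE_LOG = """\
192.168.1.10 GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 -
192.168.1.10 GET /cgi-bin/placeholder_mgr.cgi?cmd=1 username=admin
192.168.1.22 GET /cgi-bin/placeholder_mgr.cgi?cmd=1 username=admin
203.0.113.7 GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 -
203.0.113.7 GET /cgi-bin/placeholder_mgr.cgi?cmd=1 username=admin
"""


def parse_line(line):
    """Split one constructed log line into ip, method, path, query dict and cookie dict."""
    ip, method, target, cookie = line.split(maxsplit=3)
    parts = urlsplit(target)
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    cookies = {}
    if cookie != "-":
        for pair in cookie.split(";"):
            if "=" in pair:
                k, v = pair.strip().split("=", 1)
                cookies[k] = v
    return {"ip": ip, "method": method, "path": parts.path,
            "query": query, "target": target, "cookies": cookies}


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def is_session_seed(req):
    """The request the article describes: cgi_get_ipv6 on network_mgr.cgi with flag=1.

    cgi_get_ipv6 is matched anywhere in the request target because the exact
    query key that selects the command is not given in the article.
    """
    return (req["path"].endswith("network_mgr.cgi")
            and "cgi_get_ipv6" in req["target"]
            and req["query"].get("flag") == "1")


def detect(log_text):
    """Return (ip, severity, reason) findings for the bypass pattern, in log order."""
    seeded = set()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        if is_session_seed(req):
            seeded.add(req["ip"])
            if is_lan(req["ip"]):
                findings.append((req["ip"], "MEDIUM",
                                 "admin session seeded via cgi_get_ipv6 flag=1"))
            else:
                findings.append((req["ip"], "HIGH",
                                 "cgi_get_ipv6 flag=1 from a non-RFC1918 address"))
        elif req["cookies"].get("username") == "admin" and req["ip"] in seeded:
            findings.append((req["ip"], "HIGH",
                             "username=admin cookie presented after unauthenticated session seed"))
    return findings


if __name__ == "__main__":
    for ip, severity, reason in detect(SAMPLE_LOG):
        print(f"{severity:6} {ip:14} {reason}")
```

The MEDIUM finding for a LAN source is still worth reviewing, since the article's point is that no password is needed once the request succeeds.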

Read more at https://nakedsecurity.sophos.com/2018/09/20/western-digital-goes-quiet-on-unpatched-mycloud-flaw/

iOS 12 is here: these are the security features you need to know about

By John E Dunn

One year to the day after iOS 11 appeared, Apple yesterday released its replacement, iOS 12.

There’s always a lot of fuss about new features, which tends to obscure the fact that iOS updates these days also come loaded with useful security upgrades and patches for software vulnerabilities.

Naked Security covered the expected iOS 12 security enhancements in August, but a quick reminder shouldn’t go amiss given that some need to be turned on by owners.

Settings you need to turn on

One of the first questions iOS 12 asks during initialization is whether owners would like to turn on automatic iOS updating. Updating happens anyway with each major update, but without automatic updating it’s still possible to miss fixes for security issues that pop up between versions.

An interesting recent example of this is the 11.4.1 update Apple offered in July to turn on USB restricted mode in response to techniques believed to be used by GrayShift and Cellebrite to bypass the iOS lock screen – it’s turned on by default in iOS 12 but users who enabled automatic updating could have had it two months ago.

Our advice is to turn this on! Automatic updates can be enabled manually via Settings > General > Software Update. USB Restricted Mode is controlled via Settings > Touch ID & Passcode (Face ID & Passcode on the iPhone X): make sure the USB Accessories toggle is off. This will require the device to be unlocked before connecting USB devices in future, which some might find inconvenient – see Apple’s explanation of the feature for background.

Read more at https://nakedsecurity.sophos.com/2018/09/19/ios-12-is-here-these-are-the-security-features-you-need-to-know-about/

Here we Mongo again! Millions of records exposed by insecure database

By Lisa Vaas

Yet another MongoDB database instance has been found belly-up, unprotected and exposing 11 million customer records.

Former Kromtech security researcher Bob Diachenko, who made the discovery on Monday, said the database instance was revealing records that included personal details such as email addresses, full name, gender, and physical addresses (zip code, state, city of residence). The database also contained DNS data and information on server response.

To be precise, the 43.5GB dataset contained 10,999,535 email addresses, all of them Yahoo-based.

There weren’t many indications of who the database belongs to. The database name itself gave no indication of ownership – nor did the exposed data include administrator emails, system logs or host information.

But there was one hint: a small suffix in several records. Diachenko said one example was “Yahoo_090618_ SaverSpy,” while ZDNet mentioned “Content-SaverSpy-09092018”, which led some to conclude the database might belong to a coupon/discount company named SaverSpy: a daily deals website operated by Coupons.com.

Neither SaverSpy nor Coupons.com responded to inquiries from ZDNet and Diachenko, but within a few hours of those inquiries, the database was taken offline.

Read more at https://nakedsecurity.sophos.com/2018/09/19/here-we-mongo-again-millions-of-records-exposed-by-insecure-database/

State Department scores an F on 2FA security

By Danny Bradbury

Five Senators have discovered that the State Department is breaking the law by not using multi-factor authentication (MFA or 2FA) in its emails. They’ve sent a letter to Secretary of State Mike Pompeo, and they want answers.

The letter, from Senators Ron Wyden, Cory Gardner, Edward Markey, Rand Paul and Jeanne Shaheen, referenced reports from federal auditors that the Department of State was failing to meet basic federal cybersecurity standards.

The General Services Administration (GSA), which is the US department dealing with government procurement, property management and information delivery, analysed federal cybersecurity this year, stated the letter.

The GSA’s report found that the Department of State had deployed “enhanced access controls” across just 11% of required agency devices.

MFA or 2FA requires users to enter a second piece of information along with their password. This is linked to a physical asset that only they hold, thwarting imposters trying to steal their accounts remotely. That second piece of information could be biometric, such as your fingerprint; a hardware key, such as Google’s recently-announced dongle; or a code delivered to a mobile phone.

Federal agencies in the Executive Branch are legally required to enable 2FA for any accounts with elevated privileges under the Federal Cybersecurity Enhancement Act, passed as part of an omnibus spending bill in December 2015.

Read more at https://nakedsecurity.sophos.com/2018/09/18/state-department-scores-an-f-on-2fa-security/

September 17, 2018 »

On the hook! Phishing trip nets “Barbara” 5 years and whopping fine

By Lisa Vaas

A Nigerian man is facing the prospect of up to five years in the decidedly unprincely confines of a US jail after pleading guilty to operating an email phishing scam targeting businesses around the world. To add a little spice to the mix, the fraudster also set up romance scams as an attractive young woman named “Barbara.”

In Manhattan Federal Court on Tuesday, Onyekachi Emmanuel Opara, 30, originally from Lagos, Nigeria, was also ordered to pay $2.5m in restitution. In April, he pled guilty to charges of wire fraud and conspiracy to commit wire fraud amounting to $25m.

Opara was arrested in South Africa in 2016 and extradited to the US to face charges in January 2018. One of his co-conspirators, David Chukweneke Adindu, pleaded guilty to charges of conspiracy to commit wire fraud and conspiracy to commit identity theft. Adindu was sentenced to 41 months last year.

The Department of Justice (DOJ) said that between 2014 and 2016, the pair participated in multiple business email compromise (BEC) scams that targeted thousands of victims around the world, including in the US, the UK, Australia, Switzerland, Sweden, New Zealand and Singapore.

The spear-phishers would send bogus emails to employees, directing them to transfer funds to bank accounts that they controlled. The emails were made to look like they came from supervisors at the targeted companies or from third-party vendors that they did business with.

To make the emails that bit more convincing, the crooks set up domain names similar to those of the companies and vendors they were posing as: just one of the more nefarious purposes for which typosquatters set up domains that at a quick glance look like a legitimate business save for one, stray keystroke.

Read more at https://nakedsecurity.sophos.com/2018/09/17/on-the-hook-phishing-trip-nets-barbara-5-years-and-whopping-fine/

Deepfake pics and videos set off Facebook’s fake news detector

By Danny Bradbury

Facebook will begin officially checking videos and photos for authenticity as part of an expanding effort to stamp out fake news, the company said last week.

Facebook has already responded to the fake news epidemic by checking articles that people post to its social media service for authenticity. To do this, it works with a range of third-party fact checking companies to review and rate content accuracy.

A picture’s worth a thousand words, though, and it was going to have to tackle fake news images eventually. In a post to its newsroom site on Thursday, it said:

To date, most of our fact-checking partners have focused on reviewing articles. However, we have also been actively working to build new technology and partnerships so that we can tackle other forms of misinformation. Today, we’re expanding fact-checking for photos and videos to all of our 27 partners in 17 countries around the world (and are regularly on-boarding new fact-checking partners). This will help us identify and take action against more types of misinformation, faster.

Facebook, which has been rolling out photo- and video-based fact checking since March, said that there are three main types of fake visual news. The first is fabrication, where someone forges an image with Photoshop or produces a deepfake video. One example is a photo from September 2017, which depicted a Seattle Seahawks player burning a US flag. The image, of a post-game celebration, had been doctored to insert the flag.

Read more at https://nakedsecurity.sophos.com/2018/09/17/deepfake-pics-and-videos-set-off-facebooks-fake-news-detector/

Facebook’s robot coders step into the future of programming

By John E Dunn

In one of those landmark moments that will doubtless pass most of us by, but ought to have coders sitting up and taking notice, Facebook’s Android app recently became one of the first in the world to run software debugged by Artificial Intelligence (AI).

Called SapFix, the company describes it as an “AI hybrid tool” that can be used in conjunction with the Sapienz automated Android testing tool originally developed by university researchers but taken in-house by Facebook some time ago.

Sapienz finds the bugs in the code that might cause something like a crash or perhaps even a simple security vulnerability – and this is the new bit – SapFix fixes them. Beams Facebook:

To our knowledge, this marks the first time that a machine-generated fix – with automated end-to-end testing and repair – has been deployed into a codebase of Facebook’s scale.

How does AI do this?

From Facebook’s description, the workflow begins by trying to revert the code back to the state it was in before the bug that caused the problem was introduced.

If it’s a more complex issue, SapFix looks at a collection of “templated fixes” built up from those made by human developers over time.

If even this won’t work, SapFix sets about what Facebook calls a “mutation-based fix” whereby it starts making small code modifications to the problem statement until it thinks the bug has been mitigated.

Read more at https://nakedsecurity.sophos.com/2018/09/17/facebooks-robot-coders-step-into-the-future-of-programming/

Blockchain hustler beats the house with smart contract hack

By Danny Bradbury

A wily hacker has scored a thousand-dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain.

EOS is a blockchain-based cryptocurrency launched by Block.one, and it is a competitor to the more established Ethereum.

Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.

Smart contracts can do similar things to more conventional programs on the regular internet. They can run ecommerce sites, digital currency exchanges, and games. In this case, a Maltese company called DEOS Games was using the EOS blockchain to run a gambling game.

Customers send a quantity of the EOS cryptocurrency over the network to DEOS smart contracts running Lotto, Blackjack or Roulette. A smart contract processes the bet, and if the customer wins, it sends them their winnings and their original stake.

These blockchain betting shops use cryptographic techniques to prove that the contracts are fair and that they’re not just taking your money. In fact, DEOS goes so far as to promise “no house advantage”. That couldn’t have been more true in the case of runningsnail.

Runningsnail is an EOS user who figured out a way to hack a DEOS smart contract, and thanks to the wonder of the EOS block explorer – a system that lets people see transactions on its blockchain – the internet got a front row seat.

Read more at https://nakedsecurity.sophos.com/2018/09/14/blockchain-hustler-beats-the-house-with-smart-contract-hack/

Major US mobile carriers want to be your password

By John E Dunn

If password-only security is reaching its end of days, what will replace it?

For years, many have assumed that some form of new authentication must be the answer without being able to agree on which.

Now an alliance of big US mobile carriers – Verizon, AT&T, Sprint, and T-Mobile – has added a new possibility to the mix under the banner of Project Verify.

Using Project Verify, users will access a supported website simply by clicking on a special icon which will verify them by communicating with a mobile app on their device.

The impressive bit is that’s it – no passwords, no usernames, no special codes – just one click on an icon. Alternatively, users will still enter passwords but use Project Verify as a second factor for two-factor authentication.

The eagle-eyed will have spotted that this sounds a bit like the push verification technology already offered by Google through its codeless Prompt system for Android and iOS.

Under that scheme, when users log in to Google they are sent a message via a mobile app asking them to confirm their action from the registered device.

Of course, unlike Prompt, Project Verify is intended for any website but it also works a bit differently below the surface.

Read more at https://nakedsecurity.sophos.com/2018/09/14/major-us-mobile-carriers-want-to-be-your-password/

Review that! Fake TripAdvisor review peddler sent to jail

By Lisa Vaas

The owner of a fake-review factory is going to get a chance to write a review about his trip to the inside of an Italian jail.

TripAdvisor announced (PDF) on Wednesday that, in one of the first cases of its kind, the criminal court of the Italian city of Lecce has ruled that writing fake reviews, under a fake identity, is criminal conduct.

In a decision handed down in June, the court sentenced the owner of PromoSalento – a business that sold fake review packages to Italian hospitality businesses – to nine months in prison and ordered him to pay about 8,000 Euros (USD $9300) in costs and damages. He hasn’t been named.

Understandably enough, given that its business model relies on disseminating authentic reviews by actual patrons, TripAdvisor is pretty stoked about the decision:

We see this as a landmark ruling for the internet. Writing fake reviews on TripAdvisor has always been a violation of the law in many jurisdictions… However, this is the first time we have seen the laws being enforced to the point of securing a criminal conviction.

Businesses are hungry for good reviews: as in, those that come from customers and which are stripped of marketing speak. A Harvard Business School study recently determined that a one-point improvement in a restaurant’s score on Yelp could increase its revenue by as much as 5-9%.

With that much business at stake, you can see how dishonest entrepreneurs would be happy to step in and fill the need by cooking up and selling rave reviews.

That’s why, in 2015, Amazon sued over 1,000 people for posting fake reviews on its marketplace. Also, in 2015, a number of diners, critics and restaurateurs, frustrated by what they saw as a plethora of fake reviews on TripAdvisor, took to Twitter to campaign under the #noreceiptnoreview hashtag.

Read more at https://nakedsecurity.sophos.com/2018/09/14/review-that-fake-tripadvisor-review-peddler-sent-to-jail/

September 13, 2018 »

California bill regulates IoT for first time in US

By Danny Bradbury

California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post.

The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices.

The legislation says:

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

What does ‘reasonable security feature’ mean? The legislation goes on to define it explicitly: If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (so, no more default login credentials), or a way to generate new authentication credentials before accessing it for the first time.

Read more at https://nakedsecurity.sophos.com/2018/09/13/california-bill-regulates-iot-for-first-time-in-us/

Update now! Microsoft’s September 2018 Patch Tuesday is here

By John E Dunn

Patch Tuesday is upon Windows users once again, delivering fixes for 61 security flaws, including one confirmed zero day, several vulnerabilities in the public domain, and the now-standard Adobe Flash vulnerability to remind everyone they should stop using it.

There are several ways to cut every Patch Tuesday, but the headline vulnerabilities are usually the best place to start: 61 CVEs, 17 flaws rated as critical, and a flaw affecting Adobe Flash Player.

ALPC zero day

The standout this month is CVE-2018-8440, a system-compromising issue in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) function, revealed on 27 August by someone on Twitter using the ID SandboxEscaper, complete with a GitHub proof-of-concept.

By early September an in-the-wild exploit had been spotted. Security company Acros Security quickly issued its own micropatch for the flaw, although only for Windows 10 64-bit version 1803.

A limitation is that the attacker would need to be logged in to the affected system locally but as that could easily happen using a malicious attachment, this one needs immediate attention.

Public flaws

According to Microsoft, three other flaws are in the public domain, with the biggie being CVE-2018-8475 – a critical-rated remote code execution (RCE) in the Windows Graphics Component that could allow an attacker to compromise a system simply by getting a user to view an image file.

Read more at https://nakedsecurity.sophos.com/2018/09/13/update-now-microsofts-september-2018-patch-tuesday-is-here/

Microsoft purges 3,000 tech support scams hiding on TechNet

By John E Dunn

Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking.

According to Cody Johnston, the self-styled ad hunter who reported the issue to Microsoft, until a few days ago Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet:

I was able to find a total of 3,090 results, ranging back to August 2018. Twelve new ones have been created in the last week.

After reporting the problem to Microsoft, the ads were taken down within 24 hours, he said on Twitter.

However, within hours new ads quickly replaced the deleted ones on the same domains, which brings home the scale of Microsoft’s content monitoring challenge.

How is this possible?

Finding the ads wasn’t hard, requiring a custom Google search that anyone could run. So why didn’t Microsoft notice the issue and react sooner? Probably because it didn’t anticipate how quickly this can become a problem – and it doesn’t appear to be only one caught napping.

Read more at https://nakedsecurity.sophos.com/2018/09/12/microsoft-purges-3000-tech-support-scams-hiding-on-technet/

Beware: WhatsApp scammers target children with ‘Olivia’ porn message

By Lisa Vaas

Somebody calling themselves “Olivia” is sending WhatsApp messages to kids, claiming to be from a friend of a friend who has a new phone number. However, she soon cuts the small talk short and starts sending links to porn sites.

Last week, British police in Cheshire asked parents to check their kids’ messages if they use the app.

Read more at https://nakedsecurity.sophos.com/2018/09/12/beware-whatsapp-scammers-target-children-with-olivia-porn-message/

Younger Facebook users 4 times more likely to delete app, study shows

By Lisa Vaas

Post-Cambridge Analytica, Facebook users have been taking a break from their relationship with the “we didn’t know what all those scampy apps were doing with our users’ data!” platform.

According to a new study from the Pew Research Center, 42% of adult users – those 18 and older – have taken a break from checking the platform, for several weeks or more.

The survey, conducted from 29 May to 11 June, asked 4,594 people just how much arm’s-length they’ve been holding Facebook at. If you’ve been following the news…

…wait, scratch that. Unless you’ve been on sabbatical for the past few months – say, vacationing in the Mariana Trench – you can’t have missed the news that’s been boiling around Facebook, what with some 50 million users getting their personal data scraped by psychographic tests (whether they’d agreed to it or not), CEO Mark Zuckerberg getting dragged in front of Congress to answer some pointed questions about that and how Russians played hacky-election-sack with the platform, and a rash of fines that may well hit it as a result of data slurping.

Given all that, you might imagine that users have been like rats jumping the sinking Facebook ship. And indeed, the Pew Research Center study found that 54% of adults have adjusted their privacy settings in the past 18 months.

Read more at https://nakedsecurity.sophos.com/2018/09/12/younger-facebook-users-4-times-more-likely-to-delete-app-study-shows/

September 12, 2018 »

Vizio to send class notices through the TVs that spied on viewers

By Danny Bradbury

In a sign that we’re actually all living in a science fiction novel, millions of smart TVs may soon be forced to admit to viewers that they have been spying on them.

TV manufacturer Vizio is working on the feature to help satisfy a class action suit against it by disgruntled customers.

Back in 2015, investigative journalism site ProPublica revealed that Vizio’s smart TVs were just a little too smart for their own good. The TVs included a feature – switched on by default in 11 million devices – called ‘Smart Interactivity’, which tracked its customers’ viewing habits.

Vizio’s Inscape data services operation collected data including snippets of the programs that the viewers watched, along with the date, time, channel, and whether they were viewed live, or as recordings. It also gathered data on over-the-top services such as Netflix, along with data from DVDs and even streaming devices. In short, if you watched it on a Vizio TV, Vizio knew about it.

The company then linked that data to your IP address and sold the whole package to advertisers, who could then combine it with information about other devices associated with that IP address. So if, as most of us do, you connected your phone or your home computer to your home Wi-Fi network, advertisers could use your viewing data to serve you ads via those devices too.

The manufacturer, which was preening itself for an IPO at the time, argued that laws preventing cable TV companies from selling their customers’ viewing data didn’t apply to its business. In fact, it doubled down by using data brokers to append more information to its customers’ viewing data, including sex, age, income, marital status, household size, education level, home ownership, and household value. It then promoted “highly specific viewing behavior data on a massive scale with great accuracy” as a way to boost its margins for investors.

The company’s frankly anti-privacy stance got it into hot water. It was investigated by the Federal Trade Commission, which along with the New Jersey Attorney General made it agree to a $2.2m settlement in February 2017. Alongside the hefty fine, the federal court order forced the company to delete data collected before 1 March 2016, implement a privacy program, and to get explicit consent for its data slurping.

Read more at https://nakedsecurity.sophos.com/2018/09/12/vizio-to-send-class-notices-through-the-tvs-that-spied-on-viewers/

The rise of targeted ransomware

By Mark Stockley

Thanks to Peter Mackenzie of Sophos Support for his behind-the-scenes work on this article.

In the year since the “shock and awe” of WannaCry and NotPetya – outbreaks that spread globally in a matter of hours – ransomware has been making a lot less noise.

You’d be forgiven for thinking that it’s had its day, but reports of the demise of ransomware have been greatly exaggerated, as they say.

While cryptomining and cryptojacking have been sucking all the air out of the press room, a snowball that started rolling well before anyone had ever heard of WannaCry has been gathering pace and size.

The snowball is a trend for stealthier and more sophisticated ransomware attacks – attacks that are individually more lucrative, harder to stop and more devastating for their victims than attacks that rely on email or exploits to spread.

And they do it in a way that’s hard to stop and easy to reproduce.

WannaCry’s reliance on an exploit stolen from the NSA (the USA’s National Security Agency) made its success hard to replicate, and its promiscuous spread attracted the attention of law enforcement everywhere while leaving countless copies of the malware to be analysed by researchers and security companies.

The criminals behind targeted ransomware attacks have no such limits. They rely on tactics that can be repeated successfully, commodity tools that are easily replaced, and ransomware that makes itself hard to analyze by staying in its lane and cleaning up after itself.

And while the footprint of a targeted attack is tiny in comparison to an outbreak or spam campaign, it can extract more money from one victim than all of the WannaCry ransoms put together.

Targeted attacks can lock small businesses out of critical systems or bring entire organisations to a grinding halt, just as a recent SamSam attack against the city of Atlanta showed.

Read more at https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/

Airbnb launches investigation after man finds hidden camera in clock

By Lisa Vaas

Do you really want to be the crazy guest who checks alarm clocks and coat hooks and smoke alarms and USB power plugs and lightbulbs and air fresheners and picture frames and wall outlets for hidden cameras when you check into an Airbnb?

Oh, YES.

On Thursday, Scottish traveler Dougie Hamilton was sitting there, staring at his Airbnb’s alarm clock, wondering whether he wanted to be that tinfoil hat kind of guest. After 10 minutes, he gave in to the weird feeling he was getting from that odd clock, which he says was wired like a phone charger.

As he told the Daily Record, he “felt a bit weird even thinking it” and kept telling himself “not to be daft. But there was just something.”

Oh yeah, there was something. There was, in the device that was pointed right at the open-plan bedroom, a hidden webcam:

I took the charger out of it and saw there was a lithium battery in the back. At this point, I slid the front facing off the clock and could see there actually was a camera.

Hamilton and his girlfriend, who didn’t want to be identified, had just checked into their Airbnb in Toronto. They were there for about 20 minutes, relaxing after a busy day in the city, before Hamilton noticed the clock.

I just happened to be facing this clock and was staring at it for about 10 minutes. There was just something in my head that made me feel a bit uneasy.

Hamilton and his travel companion didn’t know if the rental’s owner had been watching them, but given that the hidden camera was facing into the living area and the open-plan bedroom, he certainly could have seen whatever he wanted.

It just felt really creepy, and we didn’t want to stay.

We’re innocent-minded people, but the clock was facing where our bed was, and we thought it might be for something more sinister like a sex ring.

Hamilton immediately got in touch with Airbnb, which promised him that it would launch an urgent investigation. The service also told him that the host in question has six other properties that he rents out.

Read more at https://nakedsecurity.sophos.com/2018/09/11/airbnb-launches-investigation-after-man-finds-hidden-camera-in-clock/

Fetish app put users’ identities at risk with plain-text passwords

By Lisa Vaas

Whiplr is an iOS app that describes itself as “Messenger with Kinks.” Understandably, its kinkster users expect a good deal of care when it comes to the privacy of their accounts.

After all, nobody wants their breathy play/bondage/latex photos to be found and attached to their true identities by just anybody, as one reviewer on iTunes writes:

The app itself is wonderful. … I … love having photos I can keep secret until I wish to share them.

Unfortunately for such users, their secret photos – and their identities – were put at risk.

Engadget recently discovered a security failure when a user was asked to submit their password, username and email address in plain-text format to verify their account.

This is the data the app demanded:

Pursuant to our records, we have not identified an account associated with [your email address]. In order to enable us to exercise your request to receive access to your personal data, we kindly request the below information (please respond with the below to this email):

· The email address you registered with on Whiplr;

· Your username on Whiplr;

· Your password on Whiplr.

Asking people to send passwords in email completely bypasses safe password storage, and leaves them lying around in plain text where anyone with access to either the sender’s sent items or recipient’s inbox could find them.

Worse yet, Whiplr confirmed that it had been storing users’ passwords in plain text. Therefore, any hackers who might have breached Whiplr’s database could potentially have discerned users’ real identities, either through Whiplr itself or through social media if users were in the habit of password reuse.

A breach isn’t the only thing to worry about. If passwords are stored in plain text then they’re visible to any rogue employee who has access to the database.

Read more at https://nakedsecurity.sophos.com/2018/09/11/fetish-app-put-users-identities-at-risk-with-plain-text-passwords/

Yikes: 1 in 5 employees share their email passwords with coworkers

By Maria Varmazis

19% of employees of small and medium-sized businesses (SMBs) share their passwords with coworkers or assistants, according to a recent survey by IT consultancy Switchfast.

Switchfast surveyed about 600 small businesses about how cybersecurity works, or doesn’t work, for them. It spoke to the C-suite level leaders of the business about their own habits, as well as the habits of their employees. Among its findings was the stat about employee email sharing.

One could imagine that in an SMB, this kind of shared password might be used for a crucial central piece of technology, like team remote fileshare or a customer service email account.

And, of course, it’s very convenient to share passwords. But as Mark Stockley wrote in his article 4 password mistakes small companies make and how to avoid them, there are huge downsides:

  1. If something bad happens you can’t tell who did it.
  2. It makes you more vulnerable to social engineering.
  3. It makes changing passwords too painful to bother with.
  4. Everyone with a password can cause maximum damage.
  5. You don’t know who else has your passwords.

On top of it all, those shared passwords are often weak – easily guessed, brute-forced, and/or possibly already compromised from an older data breach – so no matter what way you slice it, password sharing is risky for these small businesses and their customers.

Even folks at bigger firms make this easy mistake of reusing passwords: In 2016, Facebook’s Mark Zuckerberg had several of his own social media feeds hijacked, as they all used the same extremely guessable password, “dadada,” which was initially leaked via a LinkedIn data breach.

What’s also quite telling in this survey is that many of the C-level leaders reported bad habits at higher rates than their own employees — for example, 76% of the SMB leaders say they haven’t enabled multi-factor authentication, compared to 69% of SMB employees. (Here’s why 2FA is a good idea.)

Read more at https://nakedsecurity.sophos.com/2018/09/11/yikes-1-in-5-employees-share-their-email-passwords-with-coworkers/

September 11, 2018 »

Keybase browser extension weakness discovered

By John E Dunn

Is the Keybase secure messaging browser extension safe to use or not?

Respected researcher Wladimir Palant (of AdBlock Plus fame) is so convinced that it isn’t that he has recommended users “uninstall the Keybase browser extension ASAP,” after he discovered what looks like a gap in its claim to offer end-to-end encryption.

As covered previously, Keybase is a desktop messaging app (Windows, Mac and Linux), which can also be used on mobiles (Android and iOS) and, from last year, through browser extensions for Chrome and Firefox.

The extension is a useful way to connect to other Keybase users by advertising its use through profiles on Facebook, Twitter, GitHub, and Reddit.

If Firefox’s daily stats are anything to go by, this method isn’t hugely popular, with fewer than 2,000 daily users – and Palant’s security assessment is unlikely to help its popularity.

Behind the scenes, every message sent via browser chat is passed to the local desktop app, which is the bit that does the encryption. However, according to Palant, messages are unencrypted as they are sent to the app – hardly the “end-to-end encryption” promised on the Keybase website.

Read more at https://nakedsecurity.sophos.com/2018/09/11/keybase-browser-extension-weakness-discovered/

Microsoft extends security patch support for some Windows 7 users

By Danny Bradbury

Microsoft is offering an olive branch to companies taking too long to upgrade from Windows 7, the company revealed last week. It will provide security updates for another three years as it tries to help business customers migrate to Windows 10 – but they’ll have to pay for the privilege.

Microsoft products go through two support phases. The first is mainstream support, which lasts for five years from the product’s release. Then, it provides another five years of extended support, but with caveats.

While the company continues to offer security updates for its products during the extended support phase, non-security updates are only available on a paid basis, and only for enterprise users, not consumers. At the end of the extended support period, the security updates are also supposed to end, which leaves users with increasingly vulnerable systems unless they migrate to a newer version of Windows.

Mainstream support for Windows 7 ended in 2015, and Microsoft had already warned customers that extended support for that version of the operating system would end in January 2020. However, in a blog post, it acknowledged that “everyone is at a different point in the upgrade process”.

To support late upgraders, the company will charge for Extended Security Updates (ESU) for an additional three years. It will charge for these on a per-device basis, ratcheting up the charge each year.

Read more at https://nakedsecurity.sophos.com/2018/09/11/microsoft-extends-security-patch-support-for-some-windows-7-users/

Apple’s new tool will make it easier for law enforcement to request data

By Danny Bradbury

Apple is planning to create an online portal that will allow law enforcement officials around the world to request information about its users more easily.

The company is seeking to streamline the way it currently provides information to government agencies with the new tool, which will be ready by the end of the year. It outlined the plans in a letter from Apple’s general counsel Kate Adams to US Senator Sheldon Whitehouse of Rhode Island, according to a report from Reuters.

Sent last week, the letter said that Apple had responded to 14,000 information requests from US law enforcement last year, including 231 “domestic emergency requests” that it addressed within 20 minutes of receipt, regardless of when it received them.

The new portal will make it easier for law enforcement officials to request information about Apple customers. The company previously handled such requests by email, Reuters said.

The revamp to Apple’s government request handling program also extends to training. The company, which has already trained nearly 1,000 law enforcement officers in how to request information, previously did it in person at its headquarters. It will create an online training course to make things more efficient, along with a team of trainers to better serve smaller police departments.

Apple, which has marketed itself as an advocate for customer privacy, infamously got into a spat with the US government over refusing to unlock an iPhone in the San Bernardino shootings in 2016. Nevertheless, the company explains in its privacy policy that it does honor requests from government agencies if it considers them to have a “valid legal basis”. In that case, it complies by providing the “narrowest possible set of data responsive to the request,” it says.

The consumer computing giant will work with law enforcement under certain circumstances to provide information about customers’ Apple devices, it says. It will also deliver information based on financial identifiers such as credit card data.

Read more at https://nakedsecurity.sophos.com/2018/09/10/apples-new-tool-will-make-it-easier-for-law-enforcement-to-request-data/

Supermicro servers fixed after insecure firmware updating discovered

By John E Dunn

Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) – a critical component that datacenters depend on to manage servers.

According to Eclypsium, the BMC used by one server brand, Supermicro, has an insecure updating process that could allow an attacker to modify its firmware or run malware.

Affecting X8 through X11-generation systems, the BMC code wasn’t carrying out cryptographic signature verification before accepting firmware updates, the company said.

BMCs are like powerful computers-within-the-server, complete with their own CPU and memory, that remain turned on even when the server is not being used (not dissimilar to the Intel Management Engine found inside home computers).

Once the update process is compromised, an attacker would be able to sneak their own modified firmware onto a server – something that would give admins a very bad day at the office.

This is the privileged layer used to issue server wipes and OS reinstalls, which would hand the same power to attackers to take over the system, or to ‘brick’ it as part of a denial-of-service attack, or possibly move sideways to other parts of the network.

It would also be incredibly difficult to detect, let alone stop once it had started – the attacker would have loaded their own firmware after all.
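As an added illustration (not Eclypsium’s or Supermicro’s code, and the image layout is invented for this example), here is the check the article says the BMC was not performing, beside the unchecked path it describes: an update handler that installs a firmware image only if its Ed25519 signature verifies under a vendor public key pinned in the controller, and that refuses rollbacks to older signed images.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout invented for this example (not Supermicro's real format):
//   "FWUP" | uint32 version | uint32 payload length | payload | Ed25519 signature
// The signature covers every byte before it, so the header fields are
// authenticated along with the payload.
const (
	magic  = "FWUP"
	hdrLen = 4 + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware image: malformed")
	ErrBadSig    = errors.New("firmware image: signature does not verify")
	ErrRollback  = errors.New("firmware image: version not newer than installed")
)

// buildImage assembles and signs an image. Only the vendor's signing key
// can do this; the BMC holds just the corresponding public key.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(img, magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// acceptUnverified models the behaviour the article describes: the
// payload is taken from the image with no check of who produced it.
func acceptUnverified(img []byte) ([]byte, error) {
	if len(img) < hdrLen || string(img[:4]) != magic {
		return nil, ErrMalformed
	}
	plen := binary.BigEndian.Uint32(img[8:12])
	if uint64(plen) > uint64(len(img)-hdrLen) {
		return nil, ErrMalformed
	}
	return img[hdrLen : hdrLen+int(plen)], nil
}

// verifyImage is the hardened path: the payload is returned only if the
// signature validates under the pinned vendor key and the version is
// newer than what is installed, so a genuine but old image cannot be
// replayed to reintroduce fixed bugs.
func verifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return 0, nil, ErrMalformed
	}
	signed, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	plen := binary.BigEndian.Uint32(img[8:12])
	if uint64(plen) != uint64(len(signed)-hdrLen) {
		return 0, nil, ErrMalformed
	}
	// Authenticate before acting on anything parsed from the header.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := buildImage(priv, 2, []byte("constructed BMC payload"))
	img[hdrLen] ^= 0xff // one payload byte altered in transit
	_, err := acceptUnverified(img)
	fmt.Println("unverified path:", err)
	_, _, err = verifyImage(pub, 1, img)
	fmt.Println("verified path:", err)
}
```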

Read more at https://nakedsecurity.sophos.com/2018/09/10/supermicro-servers-fixed-after-insecure-firmware-updating-discovered/

North Korean programmer charged for Sony, WannaCry attacks and more

By Lisa Vaas

The US Department of Justice (DOJ) announced on Thursday that it had unsealed a criminal complaint (PDF) charging a North Korea regime-backed programmer, Park Jin Hyok, with being part of a team that launched multiple cyberattacks.

Make that big, dreaded, infamous cyberattacks, including unleashing the global WannaCry 2.0 ransomware in 2017, the 2014 attack on Sony Pictures, and the 2016 $81m cyber heist that drained Bangladesh’s central bank.

Beyond those headline-grabbing cyber assaults, the encyclopedic, 127-page complaint details the hacking team’s other malicious activities, including attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

The complaint alleges that Park, a North Korean citizen, was a member of a government-sponsored hacking team known as the “Lazarus Group” and that he worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support cyber actions on behalf of the Democratic People’s Republic of Korea (DPRK).

Lazarus Group, also known as Guardians of Peace or Hidden Cobra, is a well-known cybercriminal group. In June 2017, US-CERT took the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specified Lazarus Group. The alert was unusual in that it gave details, asking organizations to report any detected activity from the Lazarus Group/Hidden Cobra/Guardians of Peace to the US Department of Homeland Security’s (DHS’s) National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Read more at https://nakedsecurity.sophos.com/2018/09/10/north-korean-programmer-charged-for-sony-wannacry-attacks-and-more/

‘Only paper ballots by 2020!’ call experts after election tampering

By Lisa Vaas

An expert panel at the National Academy of Sciences has called for sweeping election reforms, including one specific recommendation that should come as no surprise: use paper.

From Thursday’s announcement about the report’s release:

All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.

And what about the mid-terms, right around the corner in November? Yes, let’s try to get paper ballots for that one, too, the panel said. Let’s try our best to stay away from all the technologies that we’ve got in place now, because they’re full of holes:

Ballots that have been marked by voters should not be returned over the internet or any network connected to it, because no current technology can guarantee their secrecy, security, and verifiability.

Michael McRobbie, president of Indiana University and co-chair of the committee that conducted the two-year study and wrote the report, called the 2016 election a “watershed” moment:

The 2016 presidential election was a watershed moment in the history of elections – one that exposed new challenges and vulnerabilities that require the immediate attention of state and local governments, the federal government, researchers, and the American public.

Lee Bollinger, president of Columbia University and co-chair of the panel, called the threat from foreign actors “extraordinary”, according to the AP:

The extraordinary threat from foreign actors has profound implications for the future of voting and obliges us to examine, re-examine seriously, both the conduct of elections in the United States and the role of the federal and state governments in securing our elections.

According to the report, the US intelligence community found that “actors sponsored by the Russian government” obtained and maintained access to elements of multiple US state or local election systems. Those intrusions made clear that the country’s election infrastructure is clunky at best, even in the most well-resourced jurisdictions. For small jurisdictions without a lot of money to invest, things are even more grim.

Read more at https://nakedsecurity.sophos.com/2018/09/10/only-paper-ballots-by-2020-call-experts-after-election-tampering/

September 6, 2018 »

Thousands of unsecured 3D printers discovered online

By John E Dunn

You’ve installed an exciting new 3D printer in the office and decide you want to access it remotely because – heck – that sounds convenient… now what do you do?

According to an alert put out by the SANS Internet Storm Center (ISC), for 3,759 owners using an open-source monitoring utility called OctoPrint, the answer was to hook up their expensive 3D printer to the internet without bothering with the nuisance of authentication.

This is a bad idea because it’s trivially easy for someone with malicious intentions to spot the unsecured printer using Shodan (a search engine for internet-connected devices). In fact, the ISC was tipped off about the issue by someone who’d done just that.

The great thing about OctoPrint is how easy it makes it for an owner to control their complex 3D printer, but that applies to any other internet user connecting to it when access control is turned off.

In this state a hacker could steal valuable IP by downloading previous print job files in the unencrypted G-code format or, worse, try to damage the printer by uploading specially-crafted print files. Because most 3D printers have a built-in webcam for print monitoring, they could even watch their malicious print handiwork from afar.

Read more at https://nakedsecurity.sophos.com/2018/09/06/thousands-of-unsecured-3d-printers-discovered-online/

Ungagged Google warns users about FBI accessing their accounts

By Lisa Vaas

Dozens of people say they’ve received an email from Google informing them that the FBI has been sniffing around for information on their accounts. Now that a gag order has been lifted, the company is able to “disclose the receipt of the legal process” to any affected users, Google said.

That’s not entirely surprising: the gag orders that often accompany such requests keep organizations such as Google, Microsoft, Facebook and Apple from disclosing the order for a given period of time. Any email provider worth its salt nowadays issues transparency reports, and the biggest companies have called for increased transparency in government surveillance requests.

But these nondisclosure orders can be lifted, cybercrime lawyer Marcia Hofmann told Motherboard:

It looks to me like the court initially ordered Google not to disclose the existence of the info demand, so Google was legally prohibited from notifying the user. Then the nondisclosure order was lifted, so Google notified the user. There’s nothing unusual about that per se. It’s common when law enforcement is seeking info during an ongoing investigation and doesn’t want to tip off the target(s).

Who are the targets in the FBI’s inquiry – targets who can now be safely tipped off?

The emails lack specific details about whatever the FBI was investigating, though they did contain a case number that corresponded to a sealed case when Motherboard looked it up on PACER.

Read more at https://nakedsecurity.sophos.com/2018/09/06/ungagged-google-warns-users-about-fbi-accessing-their-accounts/

MEGA secure upload service gets its Chrome extension hacked

By Paul Ducklin

Remember MEGA – or, more precisely, Megaupload as it once was?

Sure, you do!

It was a New Zealand cloud storage business masterminded by Kim Dotcom, a larger-than-life digital-era entrepreneur (Dotcom is literally as well as figuratively big, standing more than 2m tall).

Megaupload is no more, having ended up embroiled in piracy allegations that led to a controversial raid on Dotcom’s home, Dotcom’s high-profile arrest, and the demise of the company.

Dotcom himself is still in New Zealand, where he’s been fighting extradition to the US for the past six years.

As far as we know, three Kiwi courts have already pronounced that his extradition can go ahead, so Dotcom is down to his final legal appeal now, assuming he can persuade the Supreme Court to hear his case.

After the bust

After the bust, the Megaupload service noisily reinvented itself, minus the controversial word “upload”, as the capital-lettered MEGA, bullishly and very pointedly launching on the anniversary of Dotcom’s arrest.

Read more at https://nakedsecurity.sophos.com/2018/09/05/mega-secure-upload-service-gets-its-chrome-extension-hacked/

Serious Fraud Office trialling AI for data-heavy cases

By Lisa Vaas

The BBC says it looks like a kids’ digital game: a mass of blue and green rubber balls bounce around the screen like they’re on elastic bands in a galaxy of paddle balls.

It’s no game, however. It is a new artificial intelligence (AI) tool that connects, and then visualizes, the parties and their interactions in a complex fraud inquiry. The UK’s Serious Fraud Office (SFO) recently gave the BBC a look at the system, called OpenText Axcelerate, which staff have been training on Enron: a massive corporate fraud case from 2001 that’s no longer actively being investigated.

The lines between the colored balls represent links between two people involved in the fraud inquiry, including the emails they sent and received, the people they carbon-copied, and the more discreet messages in which nobody was cc’ed.

SFO investigator Edgar Pacevicius told the BBC that a major advantage of the AI is that it can spot connections between individuals far more quickly than humans can. It’s designed to help investigators keep track of all the parties involved in a given, wide-scale fraud, with all their communications, along with individuals’ interactions with each other. The tool also groups documents with similar content, and it can pick out phrases and word forms that might be significant to an investigation.

Pacevicius:

Just click a couple of buttons and it takes me directly to what I’m interested to see, to pursue a line of inquiry or to close that line of inquiry, or something I’d like to put to a suspect.

We normally see a lot of euphemisms; there’s a lot of potential deception about the way people do corrupt activity.

What we’re trying to achieve is to find an intelligent technological solution that will allow us to not only identify those phrases but everyone involved.

In a speech on Monday, newly appointed SFO Director Lisa Osofsky said that she plans to focus on this type of cutting-edge technology. It’s a necessity, she said, given that the SFO is investigating “some of the most complex and data-heavy criminal investigations in any jurisdiction.”

Investigators have to deal with increasingly data-heavy cases. The SFO currently has a case that involves over 65 million files, and there’s an investigation in the pipeline that will involve more than 100 million files, Osofsky said.

Read more at https://nakedsecurity.sophos.com/2018/09/05/serious-fraud-office-trialling-ai-for-data-heavy-cases/

Knock, knock: Digital key flaw unlocks door control systems

By Danny Bradbury

Attackers could be able to unlock doors in office buildings, factories and other corporate buildings at will, thanks to a flaw in a popular door controller, discovered by a Google security researcher.

David Tomaschik, who works as senior security engineer and tech lead at Google, uncovered the flaw in devices made by Software House, a Johnson Controls company. Forbes reports that he conducted his research on Google’s own door control system.

Tomaschik, who described his project at a talk in August at DEF CON’s IoT Village, explored two devices. The first was iStar Ultra, a Linux-based door controller that supports hardwired and wireless locks. The second was the IP-ACM Ethernet Door Module, a door controller that communicates with iStar.

When a user presents an RFID badge, the door controller sends the information to the iStar device, which checks to see if the user is authorized. It then returns an instruction to the door controller, telling it to either unlock the door or to deny access.

Software House’s website still promotes the original version of its IP-ACM as a “highly secure option to manage their security”. But judging from Tomaschik’s research, that’s a bit wide of the mark.

The devices were using encryption to protect their network communication – however, digging through their network traffic, Tomaschik found that Software House had apparently been rolling its own crypto rather than relying on tried and tested solutions.

Read more at https://nakedsecurity.sophos.com/2018/09/05/knock-knock-digital-key-flaw-unlocks-door-control-systems/

Can ‘sonar’ sniff out your Android’s lock code?

By John E Dunn

Researchers have demonstrated a novel – if slightly James Bond – technique for clandestinely discovering the unlock pattern used to secure an Android smartphone.

Dubbed ‘SonarSnoop’ by a combined team from Lancaster University in the UK and Linköping University in Sweden, the idea is reminiscent of the way bats locate objects in space by bouncing sound waves off them.

Sound frequencies inaudible to humans between 18kHz and 20kHz are emitted from the smartphone’s speaker under the control of a malicious app that has been sneaked on to the target device.

These bounce off the user’s fingers as the pattern lock is entered before being recorded through the microphone. With the application of machine learning algorithms specific to each device (whose speaker and microphone positions vary), an attacker can use this echo to infer finger position and movement.

Technically, this is known as a side-channel attack because it exploits the characteristics of the system without the need to discover a specific weakness or vulnerability in its makeup (the Meltdown and Spectre CPU cache timing attacks from earlier this year are famous examples of this principle).

In the context of acoustic attacks, this method is considered to be active because sound frequencies must be generated to make it work, as opposed to a passive method where naturally-occurring sounds would be captured.

Read more at https://nakedsecurity.sophos.com/2018/09/05/can-sonar-sniff-out-your-androids-lock-code/

September 5, 2018 »

Google releases free AI tool to stamp out child sexual abuse material

By Lisa Vaas

Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images. Provided by ISPs, these hash values (which are like a digital fingerprint) enable companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to actually pry open people’s private messages.

More recently, in 2015, the Internet Watch Foundation (IWF) announced that it would share hashes of such vile imagery with the online industry in a bid to speed up its identification and removal, working with web giants Google, Facebook, Twitter, Microsoft and Yahoo to remove child sexual abuse material (CSAM) from the web.

It’s been worthy work, but it’s had one problem: you can only get a hash of an image after you’ve identified it. That means that a lot of human analysts have to analyze a lot of content – onerous work for reviewers, and also an approach that doesn’t scale well when it comes to keeping up with the scourge.

On Monday, Google announced that it’s releasing a free artificial intelligence (AI) tool to address that problem: technology that can identify, and report, online CSAM at scale, easing the need for human analysts to do all the work of catching new material that hasn’t yet been hashed.

Google Engineering Lead Nikola Todorovic and Product Manager Abhi Chaudhuri said in the announcement that the AI “significantly advances” Google’s existing technologies to “dramatically improve how service providers, NGOs, and other technology companies review violative content at scale.”

Read more at https://nakedsecurity.sophos.com/2018/09/05/google-releases-free-ai-tool-to-stamp-out-child-sexual-abuse-material/

Credit card gobbling malware found piggybacking on ecommerce sites

By Paul Ducklin

Thanks to Mark Stockley, our resident JavaScript, PHP and jQuery expert, for his help with this article.

Dutch security researcher Willem de Groot, who’s particularly interested in security problems on online payment sites, recently wrote about a long-running Magento malware campaign.

Magento is to ecommerce what WordPress is to blogging – you can run the open source version on your own servers; you can use an ecommerce partner who’ll run a Magento instance for you; or you can sign up for Magento’s own cloud platform.

Thousands of sites still run their own Magento servers, even in the modern cloud-centric era, for example because they’ve already got a customized warehousing and shipping system with which their ecommerce servers need to integrate.

Unfortunately, de Groot found that many of these sites – more than 7000 in total, he claims – have been infiltrated by cybercrooks in the past six months.

Worse still, de Groot estimates that nearly 1500 of them may have been infected for the entire six-month period.

We’re not sure how sites are getting infected, but we suspect that the crooks behind this campaign are using multiple ways to break in.

Read more at https://nakedsecurity.sophos.com/2018/09/04/credit-card-gobbling-code-found-piggybacking-on-ecommerce-sites/

How refusing to give police your Facebook password can lead to prison

By Lisa Vaas

A 24-year-old murder suspect was sentenced to 14 months in prison on Friday for refusing to hand over his Facebook account password to detectives who are investigating the death of 13-year-old schoolgirl Lucy McHugh.

As the BBC reports, Lucy had been missing for two days last month before her body was found in the woods near a sports center in Southampton, UK. She was stabbed to death.

Stephen Nicholson, a friend of the family who’d been staying with them, was allegedly in contact with Lucy the morning of her disappearance. Police took him into custody and asked him – twice – for his password so they could check out the alleged conversation and whatever other content might help the investigation.

Nicholson has been jailed not for the murder, but for his refusal to cooperate with the detectives and let them into his account.

On Friday, he pleaded guilty to failing to disclose access codes to an electronic device under the Regulation of Investigatory Powers Act 2000 (RIPA).

According to the Independent, Nicholson argued that giving police access to his private Facebook messages could expose information relating to cannabis.

The judge scoffed, describing the excuse as “wholly inadequate”, considering the severity of the case.

Part 3 of RIPA empowers UK authorities to compel the disclosure of encryption keys or decryption of data. Refusal to comply can result in a maximum sentence of two years’ imprisonment, or five years in cases involving national security or child indecency.

Read more at https://nakedsecurity.sophos.com/2018/09/04/how-refusing-to-give-police-your-facebook-password-can-lead-to-prison/

Governments demand companies allow access to data, or else

By Danny Bradbury

A decades-old alliance of national intelligence partners promised to get at encrypted data last week, whether tech companies helped them or not.

Australia, Canada, New Zealand, the United Kingdom and the United States released a joint statement calling on tech companies to help them access data when authorized by the courts – or else.

The alliance of countries is known as the Five Eyes, and it was formed after the Second World War as a collaborative effort to share intelligence information. The group released an Official Communiqué at a meeting last week, outlining several broad goals. One of these goals involved increasing government powers to target encrypted data when the courts authorized it (a concept known as ‘lawful access’).

The group went into more depth in its Statement of Principles on Access to Evidence and Encryption, released at the same time. The document starts off conciliatory enough, arguing that encryption is necessary:

Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

Then came the common refrain: You can have too much of a good thing.

However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security.

The same encryption that protects legitimate information is also protecting criminals, the statement said, adding that while privacy laws are important, the authorities need a way to access communications when a court has allowed it. The countries’ reasoning here is that the same principles have applied to searches of homes and other physical spaces for years. They want the same warrant principles to apply in cyberspace.

Read more at https://nakedsecurity.sophos.com/2018/09/04/governments-demand-companies-allow-access-to-data-or-else/

September 4, 2018 »

Hollywood accuses itself of piracy

By Lisa Vaas

“Hey!” Hollywood studios are saying to those darn IMDb “pirates”: “Those listings of our own work look suspiciously like our own work!”

As Torrent Freak reports, it’s not Sony Pictures Television, National Geographic or Columbia Pictures’ copyright lawyers that have spontaneously developed dementia, per se. Rather, it’s the armies of “largely automated” bots they deploy each day to scour the internet for references to pirated content.

The result: a slew of bone-headed DMCA notices have been sent out to perfectly legitimate sites, including IMDb, which stands for Internet Movie Database and contains a wealth of information about films, TV programs, video games, and internet streams, including cast, production crew and personnel biographies, plot summaries, trivia, and fan reviews and ratings. It is, in short, the holy scriptures of film, yet because of buggy bots, it’s being treated as a copyright-infringing ragamuffin.

After the bots spot piracy, they report the links to various online services, including Google. It works fine, except when it doesn’t.

Last month, bots with bugs started to wheeze. As Torrent Freak reported, even its own publication was targeted with takedown notices, along with several other sites that cover censorship-related issues. Multiple Hollywood studios have thus been inadvertently asking Google to remove IMDb listings of their own work, according to the publication.

Read more at https://nakedsecurity.sophos.com/2018/09/04/hollywood-accuses-itself-of-piracy/

Google Ads cracks down on tech support scammers

By John E Dunn

Remember Google’s boast earlier this year that it took down 3.2 billion bad ads during 2017?

A few months on, and the company has now admitted that its systems for detecting one especially tenacious form of malevolent ad – those pushing tech support scams – need a lot more help.

In an announcement late last week, Google said that in future, any company wanting to advertise technical support services would have to pass manual verification checks first.

Assuming this resembles Google Ads’ established advanced verification system, this means that tech support is about to join other abused services such as payday loans and locksmiths on the league table of suspicion.

Presumably, Google has been using some form of automated ad checking, but this hasn’t worked. It’s not hard to imagine how this could go wrong. Wrote Google’s director of product policy, David Graff:

As the fraudulent activity takes place off our platform, it’s increasingly difficult to separate the bad actors from the legitimate providers.

Which is to say that when Google accepts paid ads, it has no quick way of knowing whether they’re honest because users who fall victim to scammers can’t feed that fact back to them.

Read more at https://nakedsecurity.sophos.com/2018/09/04/google-ads-cracks-down-on-tech-support-scammers/

Firefox to start blocking ad-tracking by default

By John E Dunn

Mozilla has announced plans to tweak Firefox’s privacy controls so that advertising trackers will be blocked by default. Trackers, it is often said, compromise privacy and have a big negative impact on performance, and yet browser makers have often seemed unable or unwilling to put blocks in place.

It’s a phenomenon that has driven a growing number of internet users to start using adblockers and privacy plug-ins, but many of these have commercial interests of their own that allow some advertising systems to continue their activities.

It certainly makes sense to do the ad-control from within the browser itself, but this is not offered by all browser makers, and where it is, it is usually not turned on by default.

Performance and cross-site tracking

Future versions of Firefox will assume the user wants tracking controls turned on, starting with version 63 in September, which will automatically block slow-loading trackers of the sort that bog down page loading speeds.

From version 65 in January, the same will apply to cross-site trackers, which implement a technique advertisers use to ‘follow’ users from site to site while building profiles based on their activity: a third-party resource embedded on many unrelated pages receives the same cookie each time it loads, no matter which site the visitor is on.

Read more at https://nakedsecurity.sophos.com/2018/09/03/firefox-to-start-blocking-ad-tracking-by-default/

‘Sick sadist’ admits to trolling dead people on social media

By Lisa Vaas

Yes, said a 38-year-old troll in the UK: he does deserve jail time, admitting to making Facebook posts falsely calling a tragically killed 20-year-old university student a “sex worker” and “prostitute”, among similarly offensive lies about others.

The South East Northumberland Magistrates’ Court heard on Thursday that the admitted troll – Paul Hind, from Westacres in Wark – posted offensive material about four people to Facebook, according to The Telegraph.

One of his high-profile targets was Olivia Burt, a Durham University student who died of head injuries in February when she was trapped under a fence in a crush of people outside of Durham’s Missoula nightclub.

Beyond calling the dead woman a prostitute, Hind also doctored one of her images and posted pictures of children who were “clearly terminally ill” on her Facebook page on 20 April.

Sky News reports that Ms. Burt’s father, Nigel, called Hind’s trolling a “desecration” of his daughter’s memory. He told the court that the posts had made him and Ms. Burt’s mother “physically sick” even after they’d been removed and that the perpetrator must be a “sick sadist”:

The person who carried out this trolling can only be described as a sick sadist who knows that they are adding to our anguish and gets enjoyment out of this.

Even though the Facebook posts have now gone, we keep expecting them to reappear on some other social media platform.

This is causing us continuing anxiety and distress.

Hind also admitted to targeting a tribute page for Hannah Witheridge, a 23-year-old who was killed on the Thai island of Koh Tao in 2014.

Another target was Joe Tilley, a 24-year-old reality star who was found dead at the bottom of the Fin del Mundo waterfall in Colombia in May. Hind’s fourth target was 19-year-old Duncan Sim, a Scottish college student whose remains were found at West Sands in St Andrews in June.

Read more at https://nakedsecurity.sophos.com/2018/09/03/sick-sadist-admits-to-trolling-dead-people-on-social-media/

Chrome: Flash is almost, almost, almost dead

By Maria Varmazis

If you use Google’s Chrome browser after 4 September, the latest update will make it even harder to use in-browser Adobe Flash.

Starting with Chrome update 69, the browser will require users to explicitly enable Flash every single time they want to use it. Chrome will no longer remember this preference between sessions, so every time a user hits a site that uses Flash, they’ll have to say “yes, I really want to enable this plugin.”

If it sounds annoying, it absolutely is, and that’s by design. This is just another step on the timeline that Chrome and many other browsers have set upon to slowly, slowly wean the public off Flash in anticipation of Adobe’s official plan to end support for the plugin by 2020.

Flash may have been the plugin of choice some time ago for fun in-browser games and interactive features, but it was also the go-to plugin for many attackers, as it was notoriously vulnerable to exploitation.

Read more at https://nakedsecurity.sophos.com/2018/09/03/chrome-flash-is-almost-almost-almost-dead/

Possible Satori botnet hacker indicted by Feds

By Danny Bradbury

A 20-year-old man has been indicted for computer crimes by a federal court in Alaska. Evidence suggests that he could be linked to the Satori botnet that exploited a previously unknown bug in a Huawei router. If so, one of the most virulent botnets in recent times might have been engineered not by a sophisticated organized criminal or nation state actor, but by a relatively inexperienced dabbler who happened across a zero-day vulnerability.

Kenneth Currin Schuchman of Vancouver, Washington, has been indicted in an Alaskan federal court on two charges. Firstly, from August through November 2017, he allegedly:

Knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to protected computers; the offense caused damage affecting 10 or more protected computers during a 1-year period.

The second charge mirrors the first but focuses on a specific unnamed victim. Both of these offenses happened in Alaska, the indictment alleges.

Possible Satori link

Reporting by the Daily Beast speculates that Schuchman may have created the Satori botnet. This botnet, also tracked as Okiru, was identified in the wild on November 23, 2017 exploiting a zero-day vulnerability in Huawei HG532 routers.

Read more at https://nakedsecurity.sophos.com/2018/09/03/possible-satori-botnet-hacker-indicted-by-feds/

Google quietly bought Mastercard credit and debit card records

By Lisa Vaas

It’s common knowledge that Google knows when we click on ads. But now, it also knows what we buy in brick-and-mortar shops, due to a previously unreported deal it cut with Mastercard to get our transaction histories, Bloomberg has discovered.

The offline credit card spending data, which anonymous Google insiders said cost millions of dollars, gives Google an unprecedented advantage over competitors such as Amazon, by helping it track users’ offline spending in stores.

The deal hasn’t been made public. The two companies reportedly hammered it out over the course of four years, according to four people with knowledge of the agreement, three of whom worked directly on it.

Mastercard has denied suggestions that the data could be used to identify exact purchases, but the Open Rights Group told the BBC that the confidential nature of the deal raises privacy issues.

Open Rights Group legal director Myles Jackman wondered – given that Google can now tell advertisers that people’s clicking on ads led to actual store sales – whether the company will cut any of those people in on the profit:

This raises serious concerns regarding the use of private financial data. Will Mastercard be compensating their clients for the data they have given away to Google for their own financial gain?

Don’t count your micropayments before they microhatch: The answer, of course, is that it will likely be a cold day in retail hell before that happens.

Christine Bannan, counsel with Electronic Privacy Information Center (EPIC), told Bloomberg that this is surprising news for consumers, and it’s not coming with enough context regarding what’s being done with our data or what we can do about it:

People don’t expect what they buy physically in a store to be linked to what they are buying online. There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.

At any rate, both Mastercard and Google are claiming that shoppers’ individual details aren’t being tied to the buying profiles.

Read more at https://nakedsecurity.sophos.com/2018/09/03/google-quietly-bought-mastercard-credit-and-debit-card-records/
