November 19, 2018 »

Has that website been pwned? Firefox Monitor will tell you

By John E Dunn

Firefox Monitor, a breach notification website launched by Mozilla in September, can now deliver alerts from inside the Firefox browser.

Once the service goes live in the coming weeks, Firefox users running version 62 and later will see an icon appear in the address bar when they visit a known breached website.

Clicking on this will reveal details of the specific breach supplied through Firefox’s integration with the Have I Been Pwned (HIBP) website, which Naked Security covered in September.

This will read something like:

More than x number of email accounts from example.domain were compromised in 2018. Check Firefox Monitor to see if yours is at risk.

Notice the alert won’t tell Firefox users that their personal account has been breached, only that they should check for themselves, offering them a link to do this.

The first time Firefox users see a breach alert for any website, it will relate to those added to the HIBP database in the preceding 12 months (the actual breach may have happened years earlier of course).

From there on, to avoid alert fatigue, the cut-off will be websites added within the preceding two months.

It will also be possible to turn alerts off completely by hitting ‘never show Firefox Monitor alerts’ on the notification drop-down box.

Read more at https://nakedsecurity.sophos.com/2018/11/19/has-that-website-been-pwned-firefox-monitor-will-tell-you/

Did a copy-paste error reveal the US’s secret case against Assange

By Lisa Vaas

What a rough few weeks it’s been for WikiLeaks founder/Ecuadorian embassy poltergeist Julian Assange: Ecuador told him that if he wants to stay wrapped up in his asylum cocoon, he needs to shut up about politics, clean his own damn bathroom and scoop the poop from his cat’s litter box lest the kitty be given to somebody who knows how to take care of it.

Then last week there were rumors that the US finally, after six long years, filed charges against him for publishing stolen information.

It’s a big “maybe.” The supposition that the US secretly charged Assange comes from a mistake on a court filing that could have been a slip-up or might have been just a copy-paste error.

The “evidence:” the name “Assange” was mentioned in an unrelated court filing in a case from a prosecutor in the US District Court for the Eastern District of Virginia, Assistant US Attorney Kellen Dwyer.

Assange wasn’t the defendant in the case; rather, that was Seitu Sulayman Kokayi, who’s charged with coercion and enticement of a minor. He’s charged with coercing a 15-year-old girl to have sex with him and to give him sexual images.

Read more at https://nakedsecurity.sophos.com/2018/11/19/did-a-copy-paste-error-reveal-the-uss-secret-case-against-assange/

How to rob an ATM? Let me count the ways…

By John E Dunn

How many computer users still regularly use Windows XP?

It’s a trick question, of course, because the answer is that millions of people do every time they take money out of an ATM cash machine; a significant proportion of which still run some variant of the geriatric OS.

It’s a finding that jumps out of a new probe of ATM security by Positive Technologies, which found that 15 out of the 26 common designs it tested were running embedded versions of XP.

The report doesn’t differentiate between Windows XP and the various Windows Embedded products based on it, but in technology terms they’re all ancient. XP gasped its last breath in April 2014, as did Windows XP Professional for Embedded Systems. The end of extended support has come and gone for most other embedded products based on XP too, and those that are still hanging on by their fingernails only have a few months left.

A further eight ATMs used Windows 7, while only three used Windows 10. While ATM security shouldn’t be reduced to which OS version is in use, the fact that over half were using an OS that even Microsoft thinks is on life support underscores the challenge of keeping them safe.

A quick check on Naked Security shows a string of stories of ATM compromises going back into the mists of time, including August’s multinational cashout warning by the FBI, and a wave of “jackpotting” attacks.

Read more at https://nakedsecurity.sophos.com/2018/11/16/how-to-rob-an-atm-let-me-count-the-ways/

Judge asks if Alexa is witness to a double murder

By Lisa Vaas

Christine Sullivan was stabbed to death on 27 January 2017, in the kitchen of the New Hampshire home where she lived with her boyfriend. Her friend, Jenna Pellegrini, was also murdered that day, in an upstairs bedroom.

There might have been a witness who heard Sullivan’s murder as it happened, given that an Echo smart speaker equipped with Amazon’s Alexa voice assistant was sitting on the kitchen counter the whole time.

What did it hear?

A New Hampshire judge says that Amazon must let us know. Last week, the judge ordered Amazon to turn over any recordings the Echo device may have made between the day of the murder and two days later, when police found the women’s bodies beneath a tarp under the porch. The murder weapons – three large knives – were found wrapped in a flannel shirt buried one foot below the bodies.

From court documents seen by the Washington Post:

The court finds there is probable cause to believe the server(s) and/or records maintained for or by Amazon.com contain recordings made by the Echo smart speaker from the period of Jan. 27 to Jan. 29, 2017… and that such information contains evidence of crimes committed against Ms. Sullivan, including the attack and possible removal of the body from the kitchen.

A 36-year-old New Hampshire man, Timothy Verrill, has been charged with two counts of first-degree murder in the fatal stabbings and is expected to stand trial in May. Prosecutors allege that Verrill killed the two women when he grew suspicious that one of them was tipping off the police about a suspected drug operation. Verrill has pleaded not guilty.

Read more at https://nakedsecurity.sophos.com/2018/11/16/judge-asks-if-alexa-is-witness-to-a-double-murder/

Hacking MiSafes’ smartwatches for kids is child’s play

By Lisa Vaas

MiSafes, the maker of surveillance devices meant to track kids, is back in the news. This time it’s due to the company’s smartwatches that researchers say are drop-dead simple to hack.

Pen Test Partners has found that attackers can easily eavesdrop on children’s conversations; track them; screw with the geofencing so that parents don’t receive notices when their children wander off; see kids’ names, genders, birthdays, heights and weights; see parents’ phone numbers; and see what phone number is assigned to the watch’s SIM card.

Pen Test Partners researchers Ken Munro and Alan Monie told the BBC that they got curious about the watches after a friend bought one for his son earlier this year.

The watches, in kid-happy kartoon kolors, use a GPS sensor to locate a wearer and a 2G mobile data connection to let parents see where their child is via a smartphone app. They allow one-press phone calls and feature an SOS feature that records a 10-second clip of your kid’s surroundings that’s sent to parents via text. It also sends the child’s exact location, with automatic updates every 60 seconds until the emergency is canceled.

The phones also let parents create “safe zones” and, if everything is working as intended, be alerted if their child leaves the area. Parents can also eavesdrop on kids at any time and initiate two-way calls.

Read more at https://nakedsecurity.sophos.com/2018/11/16/hacking-misafes-smartwatches-for-kids-is-childs-play/

AI-generated ‘skeleton keys’ fool fingerprint scanners

By Danny Bradbury

We’ve had fake videos, fake faces, and now, researchers have developed a method for AI systems to create their own fingerprints.

Not only that, but the machines have worked out how to create prints that fool fingerprint readers more than one time in five. The research could present problems for fingerprint-based biometric systems that rely on unique patterns to grant user access.

The research team, working at New York University Tandon and Michigan State University, used the fact that fingerprint readers don’t scan a whole finger at once. Instead, they scan parts of fingerprints and match those against what’s in the database. Previous research found that some of these partial prints contain features common to many other partial prints. This gives them the potential to act as a kind of skeleton key for fingerprint readers. They are called MasterPrints.

The researchers set out to train a neural network to create its own MasterPrints that could be used to fool fingerprint readers into granting access. They succeeded, with a system that they call Latent Variable Evolution (LVE), and published the results in a paper.

Read more at https://nakedsecurity.sophos.com/2018/11/16/ai-generated-skeleton-keys-fool-fingerprint-scanners/

November 15, 2018 »

Official Google Twitter account hacked in Bitcoin scam

By Danny Bradbury

The epidemic of Twitter-based Bitcoin scams took another twist this week as attackers tweeted scams directly from two verified high-profile accounts. Criminals sent posts from both Google’s G Suite account and Target’s official Twitter account.

Cryptocurrency giveaway scams work by offering money to victims. There’s a catch, of course: they must first send a small amount of money to ‘verify their address’. The money in return never shows up and the attackers cash out.

Authenticity is a key factor in these scams. Accounts with verified status shown by a blue tick carry more of that. So it makes sense for attackers to hack verified accounts and then use them to impersonate very high profile people with lots of followers. Elon Musk and Ethereum founder Vitalik Buterin have both been targets for imposters.

On Tuesday, criminals went one better, managing to compromise the official account of Google’s G Suite. This gave them an authentic platform to address the account’s 822,000 followers as Google itself, rather than impersonating it with another hacked account.

The Bitcoin giveaway scam quickly followed, claiming that G Suite was now accepting cryptocurrency payments and offering a total of 10,000 Bitcoins (BTC) to “all community”. The scammers asked for between 0.1 and 2 BTC, and promised to return ten times the amount sent. They also added a bonus: send 1 BTC or more and get an additional 200% back.

Read more at https://nakedsecurity.sophos.com/2018/11/15/official-google-twitter-account-hacked-in-bitcoin-scam/

DARPA uses a remote island to stage a cyberattack on the US power grid

By Lisa Vaas

There was the sound of breakers tripping in all seven of the grid’s low-voltage substations, and then the station was plunged into darkness. It was the worst possible scenario: swaths of the country’s grid had already been offline for a month, exhausting battery backups at power plants and substations alike.

What would you do if you were in that utility command center? Turn up everything all at once? Turn up smaller pieces of the grid and put them into a protected environment to run cyberforensics and thus keep them from potentially spreading whatever malware was used in the attack?

Those are the kinds of questions that are typically confined to a lab setting. But earlier this month, on a small island 1.5 miles off the shore of Long Island, the Defense Advanced Research Projects Agency (DARPA) brought the dreaded scenario to life.

Plum Island – at 840 acres, it’s about the same size as Central Park, in Manhattan – is officially called the Plum Island Animal Disease Center. Currently run by the Department of Homeland Security (DHS), the federal facility comprises 70 mostly decrepit buildings.

The island has its own fire department, power plant, water treatment plant and security. The center was originally created in 1954, in response to outbreaks of foot-and-mouth disease in cattle. DHS took over control of Plum Island in 2003, due to the research center’s critical role in protecting the nation’s livestock from infectious animal diseases.

Read more at https://nakedsecurity.sophos.com/2018/11/15/darpa-uses-a-remote-island-to-stage-a-cyberattack-on-the-us-power-grid/

France: Let’s make the internet safer! US: ‘How about NO?!’

By Lisa Vaas

The US, China and Russia are some of the big names that are missing from the list of signees of the Paris Call for Trust and Security in Cyberspace: an initiative designed to establish international etiquette with regards to the internet, including coordinating disclosure of technical vulnerabilities.

French President Emmanuel Macron announced the agreement on Monday at the annual UNESCO Internet Governance Forum in Paris.

The document proposes rules of engagement for a slew of internet-related challenges, including cooperating to fend off interference in elections, online censorship and hate speech, intellectual property theft, malware proliferation and cyberattacks, and the use of cyberweapons to hack back… or, in the parlance of the US military, “offensive hacking,” as in, what the Department of Defense gave itself the power to do in the new military strategy it set forth in September.

The document has been endorsed by more than 50 nations, 90 nonprofits and universities, and 130 private corporations and groups.

You can see why the accord’s attitude about cyberwarfare wouldn’t fly with a lot of countries. Besides the US, some of the nations that abstained from signing on, including China and Iran, have active cyberwar programs. As we reported last week, Iran unravelled the CIA’s secret online network years ago with simple online searches, leading to informants being left vulnerable to exposure and execution worldwide.

Read more at https://nakedsecurity.sophos.com/2018/11/15/france-lets-make-the-internet-safer-us-how-about-no/

Targeted ransomware attacks – SophosLabs 2019 Threat Report

By John E Dunn

Cybercriminals have returned to old-school manual hacking tactics to boost the efficiency of targeted extortion, according to research conducted for the SophosLabs 2019 Threat Report.

Ransomware attacks are nothing new, but well known examples like CryptoLocker or WannaCry have tended to be opportunistic and indiscriminate. To penetrate their targets they rely on simple automation, such as boobytrapped attachments sent to a large number of prospective victims via email.

However, the most eye-catching innovation seen by Sophos during 2018 looks more like the opposite of automation – manual control.

Deploying an attack by hand takes time and doesn’t scale well, but it is hard to detect – because it doesn’t necessarily follow a predictable pattern – and hard to stop – because an attacker can adapt as they go.

SophosLabs sums up the advantages of the hands-on approach:

With targeted attacks, the behavior is inherently unpredictable, and the attackers can respond reactively to defense measures that, at first, thwart them from accomplishing their goal.

The perfect case study in how successful this modus operandi can be is the SamSam ransomware, whose evolution Sophos has been tracking since 2015.

Earlier this year, Sophos researchers discovered that a group or individual has used SamSam to successfully extort $6 million (£4.6 million) out of victims in the two and a half years to June 2018.

Read more at https://nakedsecurity.sophos.com/2018/11/14/targeted-ransomware-attacks-sophoslabs-2019-threat-report/

HTTP/3: Come for the speed, stay for the security

By Danny Bradbury

Google’s campaign to nudge the web towards faster performance took a big step last month. Key personnel at the Internet Engineering Task Force (IETF) suggested basing the next version of a core protocol on technology that originated with the search giant.

The IETF is responsible for signing off many of the key standards underpinning the internet and the web. One of them is the Hypertext Transfer Protocol (HTTP), which is how browsers fetch web pages.

In 2013, Google introduced a new experimental protocol called Quick UDP Internet Connections (QUIC) that would make HTTP requests faster and more secure.

Google proposed the idea of running HTTP requests using QUIC in 2016. The IETF evolved the protocol, producing what amounts to its own version (sometimes called iQUIC, in contrast to Google’s gQUIC).

The IETF has been working on running HTTP over QUIC for a while. On 18 October, Mark Nottingham, chair of the HTTP and QUIC working groups, suggested that it was time to call that specification HTTP/3. This would, effectively, make it the next major version of HTTP, and it represents a significant change.

Read more at https://nakedsecurity.sophos.com/2018/11/14/http-3-come-for-the-speed-stay-for-the-security/

November 14, 2018 »

Support wouldn’t change his password, so he mailed them a bomb

By Lisa Vaas

On 8 March, Cryptopay co-founder Wesley Rashid began to open a padded package addressed to two of his employees.

Something about it struck him the wrong way, though, so he didn’t open it all the way. That was a fortunate decision. The package held a bomb that could have injured or even killed him.

London’s Metropolitan Police announced on Friday that the sender, a 43-year-old Swedish man named Jermu Michael Salonen, has been sentenced to six and a half years in prison for sending the potentially lethal homemade bomb.

It turns out that the package had been delivered months earlier, around November 2017, to an office unmanned by Cryptopay employees. The UK crypto-wallet business had at one point employed an accounting firm that did have an office in that location, but fortunately nobody at the accounting company opened it on behalf of its client. The letter bomb just sat there, unopened, for five months.

Forensic specialists managed to retrieve some DNA samples from the package, but no matches were found in the UK. Investigators turned next to Interpol, and that’s when they hit a match, turning up Salonen’s DNA sample in Sweden.

Police said he was known to Swedish authorities. In addition to being found guilty of attempted murder by Stockholm District Court, Salonen was also convicted of mailing threatening letters to Swedish lawmakers and government officials.

Read more at https://nakedsecurity.sophos.com/2018/11/14/support-wouldnt-change-his-password-so-he-mailed-them-a-bomb/

Microsoft update breaks Calendar and Mail on Windows 10 phones

By Lisa Vaas

Still reeling from last week’s Windows 10 Pro debacle, Microsoft dropped a fresh pile of “Oops!” onto Windows 10 Mobile users.

On Wednesday, users started reporting that an app update had broken Mail and Calendar:

Mail and Calendar no longer starts. After a short flash screen, the app crashed back to the main screen. Tried restart and soft reset.

App got updated today 07-11-2018. This morning before the update it worked fine.

The problems showed up immediately after Microsoft released update 16006.11001.20083.0.

As of the following Tuesday afternoon, the initial post had tallied 431 “I have the same question” and 306 replies: a combination of “me-too’s” and “Is it time to jump ship and climb on board with Android/iOS/Google?”

By Saturday, however, many users were sighing with relief as they got back Outlook Mail and Calendar on their mobile devices, in spite of Windows 10 Phone being a nearly dead platform. As in, Microsoft is no longer developing new features, though it’s still supporting it with bug fixes and security updates.

As one Redditor noted, they weren’t even sure a fix would be forthcoming, given that their phone’s build – they said they were on a Nokia Lumia 1520 – is no longer officially supported.

Read more at https://nakedsecurity.sophos.com/2018/11/14/microsoft-update-breaks-calendar-and-mail-on-windows-10-phones/

Google and Cloudflare traffic diverted to China… do we need to panic?

By Paul Ducklin

Conspiracy theorists can stand down from puce alert!

A network outage that affected US providers including Google and Cloudflare on Monday, intermittently diverting traffic via China…

…has been chalked up to a blunder.

Here’s why.

Internet traffic depends heavily on a system called BGP, short for Border Gateway Protocol, which ISPs use to tell each other what traffic they can route, and how efficiently they can get that traffic to its destination.

By regularly and automatically communicating with one another about the best way to get from X to Y, from Y to Z, and so on, internet providers not only help each other find the best routes but also adapt quickly to sidestep outages in the network.

Unfortunately, BGP isn’t particularly robust, and the very simplicity that makes it fast and effective can cause problems if an ISP makes a routing mistake – or, for that matter, if an ISP goes rogue and deliberately advertises false routes in order to divert or derail other people’s traffic.
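To make the “routing mistake” concrete, here is an added example (not code from the article) that models two things in a few lines of Python: the longest-prefix-match rule that makes a more-specific announcement win no matter who sent it, and the route-origin validation check (modelled on RPKI ROAs) that lets a network drop such announcements. All AS numbers, prefixes and the ROA table are constructed for illustration.

```python
"""Toy model of BGP best-path selection and route-origin validation.

Added example, not code from the Naked Security post. Every AS number,
prefix and ROA entry below is constructed; real RPKI data lives in the RIRs.
"""
import ipaddress

# Constructed stand-in for RPKI ROAs: prefix -> (authorised origin AS, max length).
ROAS = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),
    ipaddress.ip_network("198.51.100.0/22"): (64501, 24),
}

# Constructed scenario. AS64500 legitimately announces its /24. A misconfigured
# network (AS64999) also announces a more-specific /25 covering half of it.
# routes: (prefix, AS path), where the last AS in the path is the origin.
ROUTES = [
    ("203.0.113.0/24", [64510, 64500]),
    ("203.0.113.0/25", [64520, 64999]),
    ("198.51.100.0/22", [64510, 64501]),
]


def best_route(routes, dst):
    """Return the (network, as_path) a router would pick for dst.

    Simplified BGP decision process: the most specific matching prefix wins,
    and among equally specific prefixes the shortest AS path wins. This is
    why a stray /25 beats a legitimate /24 regardless of how it was learned.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(p), path)
        for p, path in routes
        if ip in ipaddress.ip_network(p)
    ]
    if not candidates:
        return None
    candidates.sort(key=lambda c: (-c[0].prefixlen, len(c[1])))
    return candidates[0]


def validate_origin(prefix_str, as_path):
    """Classify an advertisement as 'valid', 'invalid' or 'unknown'.

    Mirrors RPKI route-origin validation: an announcement is valid only if
    some covering ROA names its origin AS and permits its prefix length.
    'unknown' means no ROA covers the prefix at all.
    """
    prefix = ipaddress.ip_network(prefix_str)
    origin = as_path[-1]
    covering = [(p, roa) for p, roa in ROAS.items() if prefix.subnet_of(p)]
    if not covering:
        return "unknown"
    for _, (asn, maxlen) in covering:
        if asn == origin and prefix.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def route_with_and_without_rov(routes, dst):
    """Return (origin AS chosen by plain BGP, origin AS chosen when
    'invalid' advertisements are dropped before selection)."""
    plain = best_route(routes, dst)
    filtered = [r for r in routes if validate_origin(*r) != "invalid"]
    checked = best_route(filtered, dst)
    return (
        plain[1][-1] if plain else None,
        checked[1][-1] if checked else None,
    )


if __name__ == "__main__":
    for dst in ("203.0.113.10", "203.0.113.200"):
        print(dst, route_with_and_without_rov(ROUTES, dst))
```

Hosts in the leaked /25 are steered to the wrong origin under plain selection but not once the invalid route is filtered; hosts outside it are unaffected either way.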

Read more at https://nakedsecurity.sophos.com/2018/11/13/google-and-cloudfare-traffic-diverted-to-china-do-we-need-to-panic/

WordPress GDPR compliance plugin hacked

By Danny Bradbury

The EU General Data Protection Regulation (GDPR) is supposed to make companies take extra care with their customers’ personal data. That includes gathering explicit consent to use information and keeping it safe from identity thieves.

WP GDPR Compliance is a plugin that allows WordPress website owners to add a checkbox to their websites. The checkbox allows visitors handing over their data to grant permission for the site owners to use it for a defined purpose, such as handling a customer order. It also allows visitors to request copies of the data that the website holds about them.

Users send these requests using admin-ajax.php, which is a file that lets browsers connect with the WordPress server. It uses Ajax, a combination of JavaScript and XML technology that creates smoother user interfaces. This system first appeared in WordPress 3.6 and allows the content management system to offer better auto-saving and revision tracking among other things.

The GDPR plugin also allows users to configure it via admin-ajax.php, and that’s where the trouble begins. Attackers can send it malicious commands, which it stores and executes. They can use this to trigger WordPress actions of their own.

Read more at https://nakedsecurity.sophos.com/2018/11/13/wordpress-gdpr-compliance-plugin-hacked/

DEA and ICE hiding cameras in streetlights and traffic barrels

By Lisa Vaas

Drug and immigration cops in the US are buying surveillance cameras to hide in streetlights and traffic barrels.

Quartz spotted a number of contracts between a company called Cowboy Streetlight Concealments and two government agencies: the Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE).

As government procurement documents show, since June, the DEA has spent about $22,000 to buy “video recording and reproducing equipment” in Houston, Texas, while the Houston ICE office paid out about $28,000 for the same type of equipment, all of it coming from Cowboy Streetlight Concealments.

It’s unknown where those surveillance cameras will be installed or where they’ve already been plugged in. Quartz reports that ICE offices in the Texas cities of Dallas, Houston, and San Antonio have all ponied up money to buy equipment from Cowboy Streetlight Concealments. The DEA’s most recent purchases were funded by the agency’s Office of Investigative Technology, in Lorton, Virginia.

Streetlight is owned by Christie Crawford and her husband, who’s a police officer in Houston. Crawford told Quartz that she wasn’t at liberty to go into detail about federal contracts: all she can say is that the government tells her company what it wants, and Streetlight builds it:

Basically, there’s businesses out there that will build concealments for the government, and that’s what we do. They specify what’s best for them, and we make it. And that’s about all I can probably say.

Does it really matter where the hidden surveillance cameras are being installed? Maybe to me and you, but that could just be because we aren’t aware of how ubiquitous surveillance cameras are. Crawford:

I can tell you this – things are always being watched. It doesn’t matter if you’re driving down the street or visiting a friend, if government or law enforcement has a reason to set up surveillance, there’s great technology out there to do it.

Another company in this space, Obsidian Integration, last week received a DEA contract for “concealments made to house network PTZ [Pan-Tilt-Zoom] camera, cellular modem, cellular compression device”. Obsidian, which sells “covert systems” and “DIY components,” lists among its customers the Department of Homeland Security (DHS), the Secret Service, the FBI, and the Internal Revenue Service (IRS), among other government agencies.

Last week, Obsidian was also granted a $33,500 contract with New Jersey’s Jersey City Police Department to buy a covert pole camera. The city’s resolution noted that the reason it needs a hidden camera is so that police can “target hot spots for criminal and nuisance activity and gather evidence for effective prosecutions.”

Quartz noted that it’s not just streetlights that are spying on us: the DEA is stashing hidden cameras in other places that can just as handily surveil the masses:

In addition to streetlights, the DEA has also placed covert surveillance cameras inside traffic barrels, a purpose-built product offered by a number of manufacturers. And as Quartz reported last month, the DEA operates a network of digital speed-display road signs that contain automated license plate reader technology within them.

Unfortunately, there’s scant oversight regarding where surveillance cameras can be put or how the government can use them, ACLU senior advocacy and policy counsel Chad Marlow told Quartz:

[Local law enforcement] basically has the ability to turn every streetlight into a surveillance device, which is very Orwellian, to say the least. In most jurisdictions, the local police or department of public works are authorized to make these decisions unilaterally and in secret. There’s no public debate or oversight.

What little effort has gone into curtailing local governments’ pervasive surveillance hasn’t met with much success. In January 2018, a California committee passed senate bill SB-712: a piece of legislation that would tweak the law that says you can’t cover your car’s license plate. It basically amounted to “keep your spying, data-collecting, privacy-invading cameras away from our cars.” As it is, there are businesses that send automated license plate readers (ALPRs) up and down streets to document travel patterns and license plates and sell the data to lenders, insurance companies, and debt collectors.

Read more at https://nakedsecurity.sophos.com/2018/11/13/dea-and-ice-hiding-cameras-in-streetlights-and-traffic-barrels/

November 13, 2018 »

Does wiping your iPhone count as destroying evidence?

By Lisa Vaas

Police are accusing a 24-year-old woman, arrested in connection with a drive-by shooting, of remote-wiping her iPhone and thereby destroying evidence – a felony offense.

Her defense: I don’t even know how to do that!

Daniel Smalls, the lawyer for the accused – 24-year-old Juelle L. Grant, of Schenectady, New York – on Monday told the local news outlet The Daily Gazette that his client wasn’t involved in the shooting, in which no one was injured; that she “didn’t access anything to remotely delete anything”; and that she “wouldn’t have any knowledge how to do that.”

His client is not a computer-savvy person, Smalls said. In fact, his staff is puzzling out this “remote wipe” thing now, he said:

We’re doing research on it ourselves.

Last week, police said that they believe that Grant may have been the driver of a vehicle involved in a drive-by shooting last month, so they seized her iPhone X as evidence at the time.

But then, according to court documents, Grant allegedly remote-wiped the device, in spite of knowing full well that the police intended to inspect it for possible evidence:

The defendant was aware of the intentions of the police department at the conclusion of the interview with her.

Police arrested Grant on 2 November and charged her with three felonies: two counts of tampering with physical evidence and one count of hindering prosecution. According to The Daily Gazette, one of the tampering charges has to do with the remotely wiped phone, while the other tampering charge and the hindering charge are concerned with her alleged actions on the day of the shooting.

Read more at https://nakedsecurity.sophos.com/2018/11/13/does-wiping-your-iphone-count-as-destroying-evidence/

Headmaster fired over cryptocoin mining on the school’s dime

By Lisa Vaas

A headmaster in a Chinese high school in Hunan has been fired for allegedly stealing electricity to mine cryptocurrency, reports the South China Morning Post.

According to local media, teachers got suspicious over “a whirring noise that continued day and night” and a whopping electricity bill: 14,700 yuan (USD $2,113, £1,628) for about a year.

‘Oh, that? It’s just the air conditioners and the heaters!’ the headmaster, Lei Hua, reportedly said.

Lei Hua is said to have picked up his first Ethereum mining rig for about 10,000 yuan (£1107, USD $1,437) and started cryptocoin mining at his home in June 2017.

As anybody who knows anything about mining for crypto will tell you, that surely led to a whopping electricity bill. In fact, the machine was eating up nearly 21 kilowatt-hours of electricity per day.

So to save money on his power bill, Lei allegedly relocated the machine to the school where he worked. By the time the setup was discovered about a year later, he’d allegedly plugged in another seven mining computers in the school’s computer room. His deputy headmaster also allegedly got caught up in the craze, picked up a ninth machine for himself in January, and added it to Lei’s eight rigs.

Lei was fired last month after the power thievery was detected. His deputy received an official warning. The profits went bye-bye: a local authority responsible for “discipline inspection” reportedly seized the money that Lei and his deputy allegedly made.

Read more at https://nakedsecurity.sophos.com/2018/11/12/headmaster-fired-over-cryptocoin-mining-on-the-schools-dime/

Botnet pwns 100,000 routers using ancient security flaw

By John E Dunn

Researchers have stumbled on another large botnet that’s been quietly hijacking home routers while nobody was paying attention.

This one’s been named BCMUPnP_Hunter by discoverers Qihoo 360 Netlab, which says it’s infected at least 100,000 routers in the US, India and China since September.

The BCM part of that name refers to a security flaw affecting a Broadcom router software interface that was first made public in February 2013 by DefenseCode.

The UPnP, of course, is Universal Plug and Play, a longstanding and widely abused networking protocol designed to make it easy for devices to talk to one another without the need for complicated configuration.

We’ll skip the sermon about turning that off if you don’t need it (it’s not the only risky router interface that deserves this treatment after all), and merely note that Qihoo’s use of ‘Hunter’ at the tail end of this bot’s name is a warning.

BCMUPnP_Hunter feels like a despairing story for at least two reasons; the first being the range of products it affects.

The botnet covers 116 devices, including models from Billion, D-Link, Cisco Linksys (now Belkin), TP-Link, Zyxel, Broadcom itself, and several others.

Read more at https://nakedsecurity.sophos.com/2018/11/12/botnet-pwns-100000-routers-using-ancient-security-flaw/

Terrorists told to hijack social media accounts to spread propaganda

By Lisa Vaas

Monika Bickert, Facebook’s global head of policy management, and Brian Fishman, head of counterterrorism policy said in a post on Thursday that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it’s gotten tougher to push propaganda on the platform.

As detailed in a criminal complaint, one of the alleged terrorist/sympathizer’s suggestions for fellow propagandists was to try to take over legitimate social media accounts that had been hijacked: to act like wolves pulling on sheepskins to escape from Facebook’s notice, as it were.

Facebook’s continued work on tackling terrorist propaganda is bearing fruit.

Bickert and Fishman also reported that Facebook has removed 14 million pieces of content dubbed likely to come from terrorists, as determined by new machine learning technology; its hashing of images, videos, audio and text to create content fingerprints; and its long-suffering human reviewers (thank you, you poor souls).

They said that most of the content, which is related to the Islamic State (IS), al-Qaeda, and their affiliates, was old material that Facebook dug up by using specialized techniques.

Of course, 14 million pieces of content represents scarcely a drop in the ocean when it comes to the content-stuffed platform. Facebook was reportedly seeing 300 million photo uploads alone, per day, way back in 2012, and 2.5 billion content items shared: numbers that have ballooned since then.

Read more at https://nakedsecurity.sophos.com/2018/11/12/terrorists-told-to-hijack-social-media-accounts-to-spread-propaganda/

Microsoft mistake leaves Windows 10 users fuming

By Danny Bradbury

Microsoft Windows 10 users were left livid late last week after Microsoft mistakenly told them that their licenses were invalid.

On Thursday, Windows 10 Pro and Enterprise customers began complaining online that Microsoft was declaring their license keys invalid. The users, who confirmed that they had legal copies of the operating system, were told that they were actually using Windows Home. When they checked, the Pro version was still installed.

The problem led to Windows deactivation, according to some:

My digital entitlement is gone from my Microsoft account and I have a Windows 10 Home key now. Windows is deactivated because I went from Windows 10 Pro to Home and it doesn’t match anymore.

The issue affected both Pro and Home versions of Windows 10 that had been upgraded from earlier versions of the operating system, along with clean Windows 10 installs, according to posters on Reddit.

One Windows user reported that purchasing a Windows 10 Pro key in the Microsoft store was listed as an option for him, even though he had already upgraded to Windows 10 Pro years ago. When he tried to repurchase the key, it would not let him.

Read more at https://nakedsecurity.sophos.com/2018/11/12/microsoft-mistake-leaves-windows-10-users-fuming/

258,000 encrypted IronChat phone messages cracked by police

By Lisa Vaas

Police in the Netherlands announced on Tuesday that they’ve broken the encryption used on a cryptophone app called IronChat.

The Dutch police made the coup a while ago. They didn’t say when, exactly, but they did reveal that they’ve been quietly reading live communications between criminals for “some time.” At any rate, it was enough time to read 258,000 chat messages: a mountain of information that they expect to lead to hundreds of busts.

Already, the breakthrough has led to the takedown of a drug lab, among other things, according to Aart Garssen, Head of the Regional Crime Investigation Unit in the east of the Netherlands. He was quoted in the press release:

This operation has given us a unique insight into the criminal world in which people communicated openly about crimes. Obviously, this has led to some results. For example, we rolled up a drug lab in Enschede.

In the course of this investigation we also discovered 90,000 euros in cash, automatic weapons and large quantities of [hard drugs] (MDMA and [cocaine]). In addition, we became aware of a forthcoming retaliatory action in the criminal circuit.

IronChat padded its marketing with tinfoil fluff, simply making up at least one celebrity endorsement, from Edward Snowden.

Also, on Tuesday, Dutch police shut down the site that sold the phones, Blackbox-security.com. An archived page shows this purported endorsement from Snowden …

I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation

… an endorsement that, Snowden said through a representative at the American Civil Liberties Union (ACLU), he never made. In fact, he’s never heard of the phone, Snowden said. Ben Wizner, director for the ACLU’s Speech, Privacy & Technology Project, relayed this message from Snowden in an email to Dan Goodin at Ars Technica:

Edward informs me that he has never heard of, and certainly never endorsed, this app.

Police said that they discovered the server through which encrypted IronChat communications flowed when police in Lingewaard, in the east of the Netherlands, traced a supplier of the cryptophones during a money-laundering investigation.

Read more at https://nakedsecurity.sophos.com/2018/11/09/258000-encrypted-ironchat-phone-messages-cracked-by-police/

Sent a photo to the wrong person? Facebook Messenger to let you unsend it

By Lisa Vaas

Back in April, Facebook automagically retracted CEO Mark Zuckerberg’s messages from recipients’ inboxes.

It was good enough for Zuck and other Facebook execs, but alas, beyond the reach of us mere mortal users. But relax, Facebook said at the time: we’re going to bring “Unsend” to one and all in a matter of months.

Well, the delete-messages time is finally nigh. Facebook said on Tuesday that Messenger is soon going to get an “Unsend” feature. Keep those fingers flexible, though: you’re only going to get up to 10 minutes to delete messages from chats after you send them.

Facebook mentioned the upcoming feature in the release notes for version 191.0 of the Messenger iOS app. Here’s what it said:

Coming soon: Remove a message from a chat thread after it’s been sent. If you accidentally send the wrong photo, incorrect information or message the wrong thread, you can easily correct it by removing the message within 10 minutes of sending it.

10 minutes? Well, it’s a lot less time than the hour Facebook gives users to delete WhatsApp messages, but it’s better than nothing, particularly when “nothing” translates into “dishonor and/or idiocy preserved for eternity.”

Read more at https://nakedsecurity.sophos.com/2018/11/09/sent-a-photo-to-the-wrong-person-facebook-messenger-to-let-you-unsend-it/

Update now! WordPress sites vulnerable to WooCommerce plugin flaw

By John E Dunn

Researchers have published details of a dangerous flaw in the way the hugely popular WooCommerce plugin interacts with WordPress that could allow an attacker with access to a single account to take over an entire site.

WooCommerce’s four million plus users were first alerted to the issue a few weeks back in the release notes for the updated version:

Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions.

This week, PHP security company RIPS Technologies published the research that led to this warning, which gives WooCommerce and WordPress admins more of the gory detail.

There are two parts to the vulnerability, the first of which the researchers describe as a “design flaw in the privilege system of WordPress.”

The second, in WooCommerce itself, is an apparently simple file deletion vulnerability affecting versions 3.4.5 and earlier.

Which of the two is the bigger issue will depend on whether you worry more about a site’s e-commerce function or happen to be its admin – either way, the combination spells trouble.

Read more at https://nakedsecurity.sophos.com/2018/11/09/update-now-wordpress-sites-vulnerable-to-woocommerce-plugin-flaw/

November 7, 2018 »

Voting machine manual tells officials to reuse weak passwords

By Lisa Vaas

Sysadmins will tell you that pathetically weak passwords are, in the words of one Redditor, “crazy normal.”

You have no idea how many Excel sheets containing passwords have “Passw0rd1!” peppered in them.

Right. But in this case, we’re not talking about any old vanilla set of users who get it into their heads, in spite of what one presumes/hopes to be organizational policy to the contrary, to cook up weak and/or iterative passwords. Rather, we’re talking about a vendor manual for voting machines that instructs users – and in this case, that means election officials – to use weak, iterative passwords.

On Monday, Motherboard published a report by Kim Zetter about these manuals, which, Zetter says, are used in about 10 states.

The manuals tell customers to use easy-to-guess, easy-to-crack passwords… and, in spite of the legions of security experts who advise against the practice of password reuse, to go right ahead and reuse those passwords when changing login credentials per federally mandated password-change prompts.

Motherboard hasn’t been able to verify what vendor produced the manual, but given that it’s for a Unisyn optical vote-counting machine, and that “unisyn” is one of the passwords suggested in the manual, one imagines it might have some ideas on the matter. However, it hadn’t responded to Zetter’s requests for comment as of Tuesday evening.

Unisyn machines are used in 3,629 precincts in 12 states, plus Puerto Rico.

Read more at https://nakedsecurity.sophos.com/2018/11/07/voting-machine-manual-tells-officials-to-reuse-weak-passwords/

Serious XSS flaw discovered in Evernote for Windows, update now!

By Danny Bradbury

Online note sharing company Evernote has patched a hole that allowed attackers to infect notes shared via its service. The vulnerability (CVE-2018-18524) could have allowed an attacker to run programs remotely on a victim’s computer simply by sharing a note with them and persuading them to view it.

Evernote has patched the vulnerability in Evernote for Windows 6.16.1 beta.

The vulnerability, discovered by TongQing Zhu, a researcher at Chinese cybersecurity company Knownsec, was a form of cross-site scripting (XSS) attack. XSS attacks allow attackers to inject malicious code into websites, and they come in two forms:

The first is the way we normally think of XSS, called reflected XSS. Reflected XSS works by poisoning links to legitimate websites with malicious, executable code. When the victim clicks the link, the vulnerable website processes the link’s information as normal, to work out which page to give you, and inadvertently runs the malicious code at the same time.

For this to work, the attacker has to fool you into clicking on a link they’ve given you, either by sending it to you in an email or adding it to another website or social media post.

The second type of XSS exploit, which is what Zhu found in Evernote, is called stored or persistent XSS. Instead of poisoning a malicious link and hoping you click it, the attacker embeds their malicious code into the website directly.

To pull this off they typically have to find a place on a website that embeds user-supplied data, such as a comment form, into which they inject their code. Anyone landing on the page after the attacker will automatically execute the code they’ve left behind.
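The comment-form scenario just described, as an added example that is not code from the article, from Evernote or from Knownsec: a toy comment renderer in the vulnerable form (user text concatenated straight into HTML) beside the hardened form (every untrusted value escaped for the HTML text context). The comment data and the function names are constructed for this illustration.

```javascript
// Added example (not from the article or from Evernote): a minimal comment
// renderer showing the stored-XSS pattern and its fix.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. Contextual escaping is what stops stored XSS: the
// untrusted string is still displayed, but as text, never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Vulnerable: user-supplied comment text is concatenated straight into the
// page, so markup in the comment becomes part of the DOM for every later
// visitor (the "persistent" part of stored XSS).
function renderCommentsVulnerable(comments) {
  return comments
    .map((c) => `<li class="comment"><b>${c.author}</b>: ${c.text}</li>`)
    .join('\n');
}

// Hardened: each untrusted value is escaped for the HTML text context it
// lands in. The payload is shown to the reader but never executed.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li class="comment"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join('\n');
}

// A rough check a code reviewer or test suite could run over rendered output:
// does a script tag survive that the template itself never emits?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample data: two honest comments and one that carries markup.
const SAMPLE_COMMENTS = [
  { author: 'alice', text: 'Great note, thanks for sharing.' },
  { author: 'bob', text: 'Does 5 < 6 hold in your examples?' },
  { author: 'mallory', text: '<script>alert("stored xss")</script>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:\n' + renderCommentsVulnerable(SAMPLE_COMMENTS));
  console.log('safe:\n' + renderCommentsSafe(SAMPLE_COMMENTS));
}
```

Note that escaping is context-specific: the table above is correct for text nodes and quoted attribute values, but a value dropped into a URL, a `<script>` block or an inline event handler needs the escaping rules of that context, which is why templating libraries do this automatically per context rather than relying on one global filter.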

Read more at https://nakedsecurity.sophos.com/2018/11/07/serious-xss-flaw-discovered-in-evernote-for-windows-update-now/

WhatsApp ‘martinelli’ warning is a hoax, don’t forward it

By Lisa Vaas

Here’s a WhatsApp chain letter that’s been making the rounds:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word. If you receive a message to update the Whatsapp to Whatsapp Gold, do not click !!!!!

Now said on the news this virus is difficult and severe

Pass it on to all

Received by a Sophos staffer, it might be easy to dismiss it offhand, given its mangled English-ish syntax.

Unfortunately, it’s only half rubbish. It’s a cocktail of one shot of bogus and one shot of authentic “yikes!”. It includes:

  1. A fictional threat: the “martinelli” video, supposedly carrying virus and mayhem.
  2. A real threat: WhatsApp Gold, a supposedly premium service offered by WhatsApp that’s anything but.

Read more at https://nakedsecurity.sophos.com/2018/11/07/whatsapp-martinelli-warning-is-a-hoax-dont-forward-it/

Android November update fixes flaws galore

By John E Dunn

Studying Android’s November security bulletin, you’ll notice that there’s a fair amount to patch.

In total, there are 36 vulnerabilities assigned a CVE, and another 17 relating to Qualcomm components rather than Android itself.

Within Android, four are rated critical and 13 rated as high. If there’s a standout it might be CVE-2018-9527, simply because it’s a Remote Code Execution (RCE) vulnerability affecting all versions from Android 7.0 (Nougat) onwards.

The other RCEs are CVE-2018-9531 and CVE-2018-9521, although both relate to version 9.0 (Pie), which mainly affects devices released since the summer.

CVE-2018-9531 turns out to be one of a clutch of CVEs arising from the Libxaac library, which Google says has been marked “experimental” and “is no longer included in any production Android builds.”

Leaving aside the extra flaws added to the mix this month by Qualcomm, November looks very similar to every other month this year – plenty of fixes, exactly what one might expect.

Read more at https://nakedsecurity.sophos.com/2018/11/06/android-november-update-fixes-flaws-galore/

Facebook wants to reveal your name to the weirdo standing next to you

By Lisa Vaas

Not entirely unlike dogs socializing via their nether regions, Facebook’s latest idea is to wirelessly sniff out people around you and make friend suggestions based on what it finds. Only it’s slightly more intrusive than how dogs do it.

The patent, which got the go-ahead last month, is like the current People You May Know feature sprouting legs and trotting up to random strangers who have the awesome good luck of finding themselves in your proximity.

Does Facebook need yet more technology for this? It’s not as if it’s not already adept – to put it lightly – at rummaging through our everything to find ties that bind.

Take, for example, the interview published by Fusion editor Kashmir Hill a few years ago: it was with a father who attended a gathering for suicidal teens. The father was shocked to discover that following the highly sensitive meeting one of the participants duly appeared in his People You May Know feed.

The only thing the two people seemed to have in common was that they’d been to the same meeting.

According to Hill:

The two parents hadn’t exchanged contact information (one way Facebook suggests friends is to look at your phone contacts). The only connection the two appeared to have was being in the same place at the same time, and thus their smartphones being in the same room.

Hill said that Facebook’s response gave her “reportorial whiplash”: first, it suggested that location data was used by People You May Know if it wasn’t the only thing that two users have in common, then said that it wasn’t used at all, and then finally admitted that it had been used in a test late in 2015 but was never rolled out to the general public.

Read more at https://nakedsecurity.sophos.com/2018/11/06/facebook-wants-to-reveal-your-name-to-the-weirdo-standing-next-to-you/

November 6, 2018 »

Is the US about to get a nationwide, privately owned, biometrics system?

By Danny Bradbury

Two US biometric companies, SureID and Robbie.AI, have partnered to research a private, nationwide biometrics system that could combine fingerprint and facial recognition data.

SureID runs a nationwide fingerprint collection system designed to make identity and background checks less painful. Users go to one of around 800 fingerprint collection stations around the US and scan their digits. A few hours later, SureID will deliver the user’s background check to their employer, landlord or whichever other authority they choose. Robbie.AI sells an AI-powered facial recognition technology.

By combining the two technologies, SureID hopes to create “the United States’ first nationwide biometrics gathering system for broad consumer-focused initiatives”. The idea is to use facial recognition to confirm that the person providing the fingerprints is legitimate.

Is it secure?

The worry with biometric authentication has always been that someone might crack it by replicating a person’s features. In the past, when companies have claimed high levels of security for their biometric systems, hackers have figured out a way past them.

For example, researchers pilfered publicly available photos online, created 3D-animated renditions that could be displayed on a smart phone, and then used them to fool facial recognition systems.

Read more at https://nakedsecurity.sophos.com/2018/11/06/is-the-us-about-to-get-a-nationwide-privately-owned-biometrics-system/

Children’s apps contain an average of 7 third-party trackers, study finds

By John E Dunn

When it comes to tracking mobile app users, internet advertising companies like to start them young, according to a new University of Oxford study.

Researchers analysed nearly one million Android apps downloaded from the US and UK Google Play Stores and found that those used by children now embed some of the highest numbers of third-party trackers of any app category.

Most of these fall in the ‘family’ category (8,930 apps), which had a median of seven trackers each, just ahead of the vast games and entertainment category (291,952 apps) on six.

Some family apps had even more trackers, with 28.3% exceeding 10. The only category that could match this was ‘news’ (26,281 apps), 29.9% of which had more than 10, with a median of seven trackers per app.

So, if you’re someone who gets their news from an app, chances are that what you’re doing is being watched very closely – something that’s at least as likely if you’re a child using a family app.

It’s no big reveal that advertisers are out to track people for commercial purposes, although the extent to which apps have become the front line in this endeavor is still quite surprising.

The extent to which children are being tracked through apps is even more unexpected given the wave of regulations that are supposed to limit how this is done, especially for anyone under the age of 13.

Read more at https://nakedsecurity.sophos.com/2018/11/06/childrens-apps-contain-an-average-of-7-third-party-trackers-study-finds/

CIA’s secret online network unraveled with a Google search

By Lisa Vaas

According to reports, the US government is still reeling from a catastrophic, years-long intelligence failure that compromised its internet-based covert communications system and left CIA informants vulnerable to exposure and execution worldwide.

In 2013, following the compromise, CIA experts worked feverishly to reconfigure their secret websites and try to move their informants to safety, but intelligence sources say that damage this severe probably can’t be wholly undone.

Yahoo published a report last week about the previously unreported intelligence disaster.

According to Yahoo, which relied on 11 former intelligence and national security officials for the report, the problem started in Iran and “spiderwebbed” out to countries that were friendly to Iran.

It wasn’t just one point of failure: it was a string of them. One of the worst intelligence failures of the past decade was in 2009, when the Obama administration discovered a secret Iranian underground enrichment facility. The Iranians, furious about the breach, went on a mole hunt, Yahoo reports, looking to dig out foreign spies.

Unfortunately for the US and its agents, it didn’t take long to find the moles. That’s due in large part to what one former official called an “elementary system” of internet-based communications – one that was never meant to stand up to sophisticated counterintelligence efforts such as those of China or Iran, let alone one that should have been entrusted with the extremely sensitive communications between the CIA and its sources.

Read more at https://nakedsecurity.sophos.com/2018/11/06/cias-secret-online-network-unravelled-with-a-google-search/

Private Facebook data from 81,000 accounts discovered on crime forum

By John E Dunn

Malicious browser extensions have been blamed for the theft of private messages and data from 81,000 Facebook users recently discovered for sale on a cybercrime forum.

According to the BBC Russian Service investigation, samples of the data were discovered in September being hawked for 10 cents per account on an English-language forum with Russian connections.

Most of the breached accounts were from Russia and Ukraine, but Facebook users in the UK, Brazil and other countries are also among the victims, the BBC said after verifying the find with UK cybersecurity company Digital Shadows.

Criminals offered another 176,000 accounts, although it’s possible that some of the email address and phone number data in this cache could simply have been scraped from public profiles.

Stolen data from the 81,000 accounts that appeared to be genuine included intimate exchanges between Facebook users. One example, according to the BBC,

included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.

When the BBC posed as a buyer, the seller claimed he could supply access to a further 120 million accounts, which Digital Shadows believes is probably untrue because it implies a huge data breach Facebook would have noticed.

This is a big problem for investigators: working out what’s been stolen or breached can be difficult when cybercriminals make exaggerated or false claims about what they have in their possession.

Read more at https://nakedsecurity.sophos.com/2018/11/05/private-facebook-data-from-81000-accounts-discovered-on-crime-forum/

FIFA, hacked again, is leaking like a sieve

By Lisa Vaas

The Fédération Internationale de Football Association (FIFA), world soccer’s governing body, acknowledged last week that it’s been hacked – again.

The first cyberattack, in 2017 – which led to the publishing of footballers’ failed drug tests – was attributed to the Russian hacking group Fancy Bear, also known as APT28.

FIFA President Gianni Infantino admitted to the new hack while talking to the press after a FIFA Council meeting last week in Kigali, Rwanda, telling press that he was braced for a release of private information after FIFA discovered that its network had suffered another intrusion.

The New York Times reported on Tuesday that there was “no clarity” at that point about the details of the second attack, but it did report that officials at UEFA (the Union of European Football Associations) had been targeted in a phishing attack. As of Tuesday, the organization reportedly hadn’t found traces of a hack.

The first to get the newly leaked FIFA documents was Football Leaks – a whistleblowing platform that’s been called the football version of WikiLeaks.

Football Leaks fed the leaked documents to a consortium of European media organizations called the European Investigative Collaborations (EIC), and EIC members started to publish a series of stories based in part on the internal documents on Friday. Der Spiegel was the first to do so, but other media outlets soon started to publish articles based on analyzing the leaked, confidential, highly sensitive documents.

Read more at https://nakedsecurity.sophos.com/2018/11/05/fifa-hacked-again-is-leaking-like-a-sieve/

November 5, 2018 »

Should company bosses face jail for mishandling your privacy?

By Lisa Vaas

Mark Z, how do you feel about orange? Like, say, in a jumpsuit style?

Kidding! No court has found that you, the Facebook CEO, have purposefully misled the government about how your company did/did not protect consumers’ data during, say, the multifaceted, ever-unfolding, Cambridge Analytica privacy debacle.

Oregon Senator Ron Wyden’s on the case, though, and has now put on the table a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy.

Under his proposed bill, introduced on Thursday and called the Consumer Data Protection Act, execs who knowingly mislead the Federal Trade Commission (FTC) about how their companies protect consumer data could face up to 20 years in prison and $5 million fines.

He’s proposing sunshine. He’s proposing “radical transparency.” He’s proposing legislation with “real teeth” when it comes to punishing companies that vacuum up our data without telling us “how it’s collected, how it’s used and how it’s shared,” Wyden said in a statement.

This is a way to arm consumers against the massive data monetization industry that’s flourished over the past decade, dragging privacy scandals along with it, Wyden said:

Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared.

Besides fines and jail time, Wyden’s proposal would also dramatically beef up resources to go after data miscreants. The cops in this case would be the FTC: to give the Commission the muscle it would need, the senator is proposing jacking up its authority, funding and staffing to crack down on privacy violations. The bill would also mandate easy opt-out for consumers to shrug off hidden tracking of their sensitive personal data.

Read more at https://nakedsecurity.sophos.com/2018/11/05/should-company-bosses-face-jail-for-mishandling-your-privacy/

PortSmash attack steals secrets from Intel chips on the side

By Danny Bradbury

Researchers have developed an exploit that uses a feature in Intel chips to steal secret cryptographic keys.

The proof of concept code, called PortSmash, comes from researchers at Finland’s Tampere University of Technology and the Technical University of Havana, Cuba. It uses a category of exploit called a side channel attack, in which one program spies on another as it runs.

The attack exploits a feature called Simultaneous Multi-Threading (SMT), which runs two program threads at the same time on a single physical CPU core. Although this concept has been around in various chips since the late sixties, this attack focuses on Intel’s version of it, Hyper-Threading, which it started building into its processors in 2002.

Side channel attacks don’t peek at the victim program’s secret directly. Instead, one thread (the attack thread) looks for clues that reveal what the other thread (the victim thread) is doing, and works the secret out from there. They can use a range of signals, including the timing of instructions. PortSmash uses instruction timing based on port contention.

Read more at https://nakedsecurity.sophos.com/2018/11/05/portsmash-attack-steals-secrets-from-intel-chips-on-the-side/

Another day, another update, another iPhone lockscreen bypass

By John E Dunn

Apple keeps releasing iOS updates and Spanish researcher José Rodríguez keeps finding new ways to bypass each version’s lockscreen security.

This week’s target was iOS 12.1, which appeared on Tuesday. By Wednesday, Rodríguez had posted a YouTube video showing how the lockscreen could be beaten with the help of Siri and FaceTime to reveal the device’s contact phone numbers and email addresses.

Apart from having physical access to the target iPhone, all an attacker would need is the phone number of the target (if they don’t know the number, they can just ask Siri “who am I?” from the target phone).

Read more at https://nakedsecurity.sophos.com/2018/11/02/another-day-another-update-another-iphone-lockscreen-bypass/

Popular browsers made to cough up browsing history

By Lisa Vaas

Anonymous Coward, in commenting on a report from The Register about vulnerabilities that expose people’s browsing histories, pithily sums up potential repercussions like so:

Sweetheart, what’s this ‘saucyferrets.com’ site I found in your browsing history?

If you value your privacy and your ferret predilections, be advised that in August, security researchers from Stanford University and UC San Diego presented, during the 2018 USENIX Workshop on Offensive Technologies (WOOT), four new, privacy-demolishing attack methods to get at people’s browsing histories.

The novel attacks fit into two classic categories – visited-link attacks and cache-based attacks – and exploit new, modern browser features such as the CSS Paint application programming interface (API) and the JavaScript bytecode cache: two examples of evolving web code that don’t take privacy into account when handling cross-origin URL data, the researchers say.

So-called history sniffing vulnerabilities are as old as dirt, and browser code has addressed them in the past. Here’s a paper written on the issue back in 2000, and here’s a Firefox bug reported that same year about how CSS page disclosure could let others see what pages you’ve visited.

Read more at https://nakedsecurity.sophos.com/2018/11/02/popular-browsers-made-to-cough-up-browsing-history/

Google’s stealthy sign-in sentry can pick up pilfered passwords

By John E Dunn

Two things happened on Halloween with a bearing on cybersecurity.

The first is that the 15th year of the National Cyber Security Awareness Month (NCSAM) came to an end. You have heard of NCSAM, right?

The second, apparently timed to coincide with 31 October, was that Google is yet again modifying the background security checks it performs during account sign-in, as well as modifying its recovery process in the event of unauthorized access. There’s also important news if you’re a hold-out against enabling JavaScript.

The main tweak is that Google is upping its detection of people pretending to be you. If you’re unwittingly tricked into handing over your Google username and password in a phishing attack, all isn’t lost. Google thinks it can distinguish a sign-in by the phishing attacker from a sign-in by you.

Wrote Google product manager Jonathan Skelker in a blog announcement:

When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious.

The company is deliberately vague about what signals indicate this but it alluded to similar ideas in the reCAPTCHA v3 announcement from earlier this week.

Read more at https://nakedsecurity.sophos.com/2018/11/02/googles-stealthy-sign-in-sentry-can-pick-up-pilfered-passwords/

Report reveals one-dimensional support for two-factor authentication

By Danny Bradbury

Online services have several options as they move beyond passwords to try and make accounts more secure. Think of five websites that you have a user account for. How many of them offer you greater security with multi- or two-factor authentication (MFA or 2FA)?

The move to support 2FA is happening, slowly, but a report released this week suggests that many sites are lagging behind.

Password management company Dashlane examined 34 of the more popular consumer websites in the US to see how well they supported MFA.

It scored each site out of five, based on several criteria.

They got one point if they offered SMS or email authentication. They got another for using software tokens like Google Authenticator. Dashlane clearly considers hardware-based authentication superior though, as it awarded three points for websites that offered this option. These are hardware-based cards or keys like YubiKey or Google’s Titan that must be plugged into the computer or held next to it to authenticate the user. The FIDO Alliance’s Universal Second Factor (U2F) authentication is a good example of a standard that supports hardware tokens for accessing online services.

Read more at https://nakedsecurity.sophos.com/2018/11/02/report-reveals-one-dimensional-support-for-two-factor-authentication/

Passcodes are protected by Fifth Amendment, says court

By Lisa Vaas

There was an underage driver at the wheel, driving on a Florida highway. Police say he was speeding.

When he crashed, one of the passengers in his car died. At the hospital, a blood test showed that the minor had a .086 blood-alcohol content: slightly over the legal limit of .08% for non-commercial drivers.

According to court documents, police found two iPhones in the car: one that belonged to a surviving passenger and one that allegedly belonged to the driver. The passenger told police that the friends had been drinking vodka earlier in the day and that she’d been talking with the driver on her iPhone.

The police wanted the driver’s phone, so they got a warrant to search it for data, photos, text messages, and more. They also sought an order compelling the minor to hand over the passcode for the iPhone and for an iTunes account associated with it.

And this is where we get into the evolving world of the Fifth Amendment and compelled passcode disclosure. Last Wednesday, 24 October, the Florida Court of Appeal quashed a juvenile court’s order for the defendant – identified only by his initials, G.A.Q.L., since he’s a minor – to disclose his passcodes.

Read more at https://nakedsecurity.sophos.com/2018/11/01/passcodes-are-protected-by-fifth-amendment-says-court/

Facebook is still approving fake political ads

By Danny Bradbury

Just a couple of weeks before the US midterm elections, journalists have revealed that Facebook is continuing to approve fake advertisements from fake sources. The discovery throws into question the company’s recent pledge to make advertising more transparent on its network.

Embarrassed by Russia’s use of its advertising system to interfere in the US 2016 election, the social media giant launched an initiative in June to make advertising on its network more transparent. This included a requirement for advertisers to disclose who paid for advertisements.

At the time, the company’s COO Sheryl Sandberg said:

Our ultimate goal is very simple: we want to reduce bad ads, we want to make sure that people understand what they’re seeing, who paid for it, and the fullness of what other people might see.

In September, Mark Zuckerberg followed this up with a missive explaining what the company was doing to combat election fraud. He said:

We now also require anyone running political or issue ads in the US to verify their identity and location. This prevents someone in Russia, for example, from buying political ads in the United States, and it adds another obstacle for people trying to hide their identity or location using fake accounts.

This month, VICE News showed that the transparency system for political ads isn’t working. Journalists there ran a test to see how closely Facebook was vetting these advertisers. As it turns out, it isn’t.

Read more at https://nakedsecurity.sophos.com/2018/11/01/facebook-is-still-approving-fake-political-ads/

October 31, 2018 »

Mirai author fined $8.6 million, gets 6 months house arrest

By Lisa Vaas

The other shoe has dropped for Paras Jha, a 22-year-old New Jersey man who’s one of a trio of Mirai botnet authors sentenced in September. Besides the probation, community service and fines handed out by an Alaskan court last month, Jha has now been given a far stiffer fine from a New Jersey court for launching an attack on the network of Rutgers University.

He’s looking at paying $8.6m in restitution, and he’s been sentenced to six months of house arrest.

The US Attorney’s Office in New Jersey on Friday said that distributed denial of service (DDoS) attacks on the networks of Rutgers University “effectively shut down Rutgers University’s central authentication server,” which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments.

At times, Jha succeeded in taking the portal offline for multiple consecutive periods, causing damage to Rutgers University, its faculty, and its students.

In September, an Alaskan court had sentenced the three Mirai botnet authors to probation, community service and fines.

It seemed like a light sentence, considering the vast damage done by the botnet.

Read more at https://nakedsecurity.sophos.com/2018/10/31/mirai-author-fined-8-6million-gets-6-months-house-arrest/

Alleged SWATter will plead guilty to dozens of serious new federal charges

By Lisa Vaas

Tyler Rai Barriss – the 25-year-old man from southern California who SWATted an innocent man who was killed in a subsequent police shooting – will plead guilty to 46 new federal charges, according to local news outlets in Kansas, where victim Andrew Finch lived and where Barriss is in prison.

A federal indictment unsealed on Wednesday also names two other men who were allegedly involved in the fatal SWATting incident: Casey Viner, of Ohio, and Shane Gaskill, of Wichita, Kansas. Both have been charged and have pleaded not guilty to multiple charges.

The new charges, filed in California on Wednesday, also list four unindicted co-conspirators: Twitter user “@INTERNETLORD” of Des Plaines, Illinois; “@TRAGIC” of Gulf Breeze, Florida; “@THROW” of Grand Rapids, Michigan; and “@SPARED” of Greenwood, Missouri.

According to prosecutors, Gaskill was the intended victim of the SWAT, which grew out of a Call of Duty game in which two teammates were disputing a $1.50 wager. Apparently, one had accidentally “killed” a teammate in the first-person shooter game.

According to court documents, Gaskill at one point saw that Barriss (@SWAuTistic) was following him on Twitter, so he allegedly gave him what turned out to be a former address – a house that he owned and which Finch was renting – and taunted Barriss to go ahead with the SWAT.

What @SWAuTistic is pleading guilty to

SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams, is the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

Read more at https://nakedsecurity.sophos.com/2018/10/30/alleged-swatter-will-plead-guilty-to-dozens-of-serious-new-federal-charges/

Gov worker visits 9k porn sites without protection, spreads infection

By Lisa Vaas

A now very “ex”-government employee managed to compromise the networks of the US Geological Survey (USGS) after viewing some 9,000 malware-infected pages of porn on his work-issued laptop… and then further spread the contagion by saving images onto an unauthorized USB drive and his Android phone.

No surprise here: the unnamed employee no longer works at the agency, OIG External Affairs Director Nancy DiPaolo told NextGov.

The office of the Inspector General at the US Department of the Interior (DOI) published a redacted memorandum about the incident on 17 October.

The Inspector General said that a forensic investigation following the incident found that the employee had an “extensive history” of visiting porn sites. Many of the 9,000 pages he visited were routed through websites that originated in Russia and contained malware. Unsurprisingly, the phone and USB drive he saved his images to were also infected with malware.

The memo noted that malware is often used to damage or disable computers and/or to steal confidential information while spreading itself far and wide – not exactly the kind of thing you want romping around on government systems.

Read more at https://nakedsecurity.sophos.com/2018/10/30/gov-worker-visits-9k-porn-sites-without-protection-spreads-infection/

Snakes in the grass! Malicious code slithers into Python PyPI repository

By Danny Bradbury

Software developers downloading a seemingly innocent software library could find themselves hemorrhaging Bitcoin thanks to a wily attack.

A cybersecurity researcher calling himself ‘Bertus’ on Medium detailed an exploit that uses a common alternative spelling, remote code execution, and a rogue Bitcoin address to try and steal cryptocurrency from developers using the Python programming language.

The malicious code was uploaded to PyPI, an online repository of software packages developed for the Python programming language. Developers can create and upload their packages for others to use in their own programs. There are packages for everything from natural language processing through to screen-scraping libraries.

Developers that want to give something back to the community package their programs by including an installation script called setup.py. Others can download and install it with a single command – pip install. Normally, setup.py just installs legitimate Python software. However, attackers can use it to run malicious code that infects a computer.

In this case, a malicious actor created a PyPI package called colourama. It exploits a common spelling difference between US and British English to impersonate a legitimate PyPI package called colorama, which enables developers to produce colored terminal text in Microsoft Windows.

The name change is subtle, and developers may be fooled into installing the wrong package. As it installs, it creates a malware dropper designed to exploit Windows PCs. The dropper downloads malware written in Microsoft’s VBScript language.
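As an added illustration of the colour/color lookalike problem described above (this is not code from the article or from Bertus’s write-up), the script below audits a requirements list and flags names that are one edit away from, or a US/UK spelling swap of, a well-known package; the allow-list, spelling pairs and sample requirements are all constructed for the example.

```python
import re

# Constructed allow-list of well-known package names (a small hypothetical subset).
KNOWN_PACKAGES = {"colorama", "requests", "urllib3", "numpy", "setuptools"}

# US/UK spelling pairs that lookalike names commonly exploit (constructed list).
SPELLING_VARIANTS = [("color", "colour"), ("serialize", "serialise"), ("center", "centre")]


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance; fine for short package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spelling_twins(name):
    """Return the name with each US/UK spelling pair swapped the other way."""
    twins = set()
    for us, uk in SPELLING_VARIANTS:
        if us in name:
            twins.add(name.replace(us, uk))
        if uk in name:
            twins.add(name.replace(uk, us))
    return twins


def check_requirement(name, known=KNOWN_PACKAGES):
    """Return the known package that `name` resembles, or None if exact or unrelated."""
    n = normalize(name)
    if n in known:
        return None
    for k in known:
        if k in spelling_twins(n) or edit_distance(n, k) <= 1:
            return k
    return None


def audit(requirements, known=KNOWN_PACKAGES):
    """Map each suspicious requested name to the legitimate package it looks like."""
    findings = {}
    for line in requirements:
        name = re.split(r"[<>=!~\[;\s]", line.strip(), 1)[0]  # drop version specifiers
        hit = check_requirement(name, known) if name else None
        if hit:
            findings[name] = hit
    return findings


# Constructed sample requirements-file lines, including one lookalike and one near-miss.
SAMPLE_REQUIREMENTS = ["colourama==0.4.1", "colorama", "request>=2.0", "numpy", "flask"]

if __name__ == "__main__":
    for bad, good in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{bad!r} looks like {good!r}; verify the package before installing")
```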

Read more at https://nakedsecurity.sophos.com/2018/10/30/snakes-in-the-grass-malicious-code-slithers-into-python-pypi-repository/
