
July 17, 2018 »

Twitter shutters accounts linked to US election hacking

By Lisa Vaas

On Saturday, Twitter kicked off two accounts connected to the 2016 US presidential election hacking and the subsequent leak of documents stolen during the breaches: Guccifer 2.0 and DCLeaks.

The move came within hours of Friday’s indictment of 12 Russian intelligence officers whom the US Department of Justice (DOJ) has fingered in connection with attacks on the computers and email systems of the Democratic National Committee (DNC) in the months leading up to the election.

Both accounts were fronted by fictitious personas and used to release tens of thousands of stolen emails and documents, according to the indictment. One of them, the DOJ says, was created as a place to publish stolen documents more than a month before any documents were actually leaked from the breach. The hacking group Fancy Bear has been linked to the spearphishing campaign that weaseled Gmail account credentials out of Hillary Clinton campaign chairman John Podesta and other DNC members.

Both the Guccifer 2.0 and DCLeaks accounts had reportedly been dormant for at least a year and a half prior to Twitter shutting them down.

The indictment claims that both accounts were used to spread misinformation. One example: in a 2016 interview with Motherboard’s Vice, Guccifer 2.0 claimed to be Romanian, not Russian. That’s the nationality of the original Guccifer hacker, Marcel Lehel Lazer, who’s now serving a 52-month prison sentence for hacking 100 Americans’ email accounts.

However, the metadata for emails sent by Guccifer 2.0 to The Hill revealed that they were sent using a predominantly Russian-language VPN. When Motherboard pressed Guccifer 2.0 to use Romanian in an online chat, his “clunky grammar and terminology” led experts to surmise that he was using an online translator.


Facebook refuses to remove fake news, but will demote it

By Lisa Vaas

Forget about getting rid of fake news, Facebook said on Thursday. It might be raw sewage, but hey, even raw sewage has a right to flow, right?

In the name of free speech, Facebook said, it’s keeping all the bilge water, be it pumped out by the right or left… though the platform intends to push fakery down deeper into the holding tank by demoting it.

As Facebook said in its tweet, demotion translates into an 80% loss of future views, and the punishment extends to Pages and domains that repeatedly share bogus news.

This latest fake-news spasm comes on the heels of an event Facebook held in New York on Wednesday that blew up in its face. Journalists got to feed on shrimp cocktail, listen to a short presentation, and then engage in a question-and-answer session, all in the name of convincing the press that the social media network has finally reached some kind of beachhead in the war against disinformation.

Facebook’s effort fell apart when CNN reporter Oliver Darcy began to grill Facebook Head of News Feed John Hegeman about its decision to allow Alex Jones’ conspiracy news site InfoWars on its platform.

How, Darcy asked, can the company claim to be serious about tackling the problem of misinformation online while simultaneously allowing InfoWars to maintain a page with nearly one million followers on its website?


Twitter pops a lot of famous people’s follower bubbles

By Lisa Vaas

Twitter has wiped out accounts that have been locked due to misbehavior, obliterating an average of about four followers each for us earth-bound mortals and millions for its twinkliest stars.

Vijaya Gadde, head of the company’s legal team, said that the move was taken as part of Twitter’s “ongoing and global effort to build trust and encourage healthy conversation on Twitter.”

In other words, it’s another salvo in the fight against fake news – or in the fight against the type of accounts that most Twitter users hold their noses over when they enter a conversation.

The locked-account purge had its biggest impact on the top Twitter accounts, of course.

The more followers, the bigger the gouge: Gadde said that most accounts would lose four or fewer followers, while the more popular accounts would “experience a more significant drop”.

Musician Katy Perry tops Twitter’s list of 50 most-followed accounts. Perry – along with Lady Gaga, who’s at No. 6 – both lost about 2.5m followers, according to the BBC. Ex-President Barack Obama, at No. 3, lost 2.1m followers.

But the biggest hit was to Twitter itself: according to the BBC, Twitter (No. 16 on the list) lost 7.7m followers.


July 16, 2018 »

USB Restricted Mode in iOS 11.4.1 now available to all iPhone users

By Maria Varmazis

The latest version of iOS is now available to all iOS users with eligible devices (iPhone 5s and up). This release not only brings bug fixes, but also includes at least one new feature that might be of interest to security-minded users.

The new feature is called “USB Restricted Mode,” and it lives quietly in the security settings of your iPhone (look for it under “Touch ID & Passcode”). Apple’s description of this new feature toggle:

If you don’t first unlock your password-protected iOS device – or you haven’t unlocked and connected it to a USB accessory within the past hour – your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.

Upon updating to iOS 11.4.1, the default setting for this feature is to not allow USB accessories to work with the iPhone or iPad when locked for more than an hour.

To understand why this feature now exists, let’s review how USB accessories generally work with iPhones and iPads. When you plug a USB accessory into your iPhone or iPad, that item will not work unless the iDevice is unlocked first and the user answers a prompt on their iDevice to recognize the new USB device.

After completing this prompt successfully, that USB device will be able to work with the iDevice without issue in the future even when the phone is locked.


Ex-Apple engineer charged with stealing self-driving car secrets

By Lisa Vaas

A former Apple engineer who worked on driverless car technology was arrested on his way to start a new job in China with autonomous vehicle start-up Xiaopeng Motors – a Guangzhou-based company also known as XMotors – Apple charged in federal court on Monday.

A criminal complaint charged the former employee, Xiaolang Zhang, with stealing trade secrets and accused him of downloading a blueprint related to autonomous cars to a personal laptop before trying to board a last-minute flight.

Zhang was arrested on 7 July after he passed through a security checkpoint at the San Jose airport.

According to the complaint, he was hired at Apple on 7 December 2015 to work on its autonomous car project – R&D that Apple’s kept very hush-hush. His most recent work was on the compute team, designing and testing circuit boards to analyze sensor data.

That role gave him access to all sorts of juicy, and confidential, databases.

According to the complaint, information about the project “is a closely guarded secret that has never been publicly revealed.”

Apple has been cagey about its research, making general comments about its interest in developing self-driving technology but keeping mum about just what, exactly, the company’s working on. According to the complaint, information has even been kept away from most of its employees. Some 5,000 staff, out of more than 135,000, have been “disclosed” on the project, meaning that they’re working on it directly or know something about it. Fewer people, about 2,700 “core employees,” have access to the project’s databases.

From 1 to 28 April 2018, Zhang took paternity leave following the birth of a child. During his leave, he and his family traveled to China. When he got back, he met with his immediate supervisor, as the complaint tells it, and told him that he planned to resign and move back to China in order to be closer to his ailing mother. Zhang allegedly also told his supervisor that he planned to take a job with XMotors: a Chinese start-up in the driverless car space.


Sextortion scam knows your password, but don’t fall for it

By Danny Bradbury

Someone has been sending sextortion scam emails with a new twist – one aimed at making it more likely you’ll be duped into paying a blackmail fee.

One of the emails arrived at Naked Security yesterday, via a diligent reader, just as Brian Krebs was breaking the story on his site.

It claims to have compromising images of the recipient and goes on to ask for payment in order to stop the images being released publicly. Attempting to manipulate victims by claiming to have compromising images of them is known as sextortion, and it’s been used for years. What makes this scam different is that it’s added something extra: it contains a real password used by the victim.

The email reads:

I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct?

actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email.

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you've got a nice taste haha), and second part shows the recording of your webcam.

exactly what should you do?

Well, I believe, $2900 is a reasonable price tag for our little secret. You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address: 19ZFj3nLSJCgoAcvZSgxs6fWoEmvJhfKkY

(It is cAsE sensitive, so copy and paste it)


You have one day to make the payment. (I've a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the Bitcoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive the payment, I'll erase the video immediately. If you want evidence, reply with "Yes!" and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.

The power of a password

Many people, even those who feel as though they could have been seen in a compromising position, would normally be too jaded to fall for a sextortion scam with no evidence. Including a real password makes it seem more convincing, though, which might be enough to fool some people.


Facebook ordered to let grieving mother in to dead daughter’s account

By Lisa Vaas

Germany’s highest court has ruled that access to social networks can be inherited when people die, overturning a previous court’s decision that kept a grieving mother locked out of her daughter’s account after the girl was hit by a subway train.

A year ago, a German court denied the mother’s request to access her dead daughter’s Facebook account – access she had been seeking for years in an effort to determine whether the girl had purposefully thrown herself in front of a train at a Berlin station in 2012, and if cyberbullying was behind what could have been her child’s suicide.

The girl’s parents already had her Facebook account password: according to the Guardian, their daughter had shared it with them in return for being allowed to open an account when she was 14. She died at the age of 15.

But when they tried to access the account, the girl’s parents found that it had been memorialized.

That means that Facebook completely removed the dead girl’s data, changed the privacy setting so that only confirmed friends could view her profile or search for it, removed her status updates, and locked the account so that nobody in the future could log in. As Facebook describes in its policy, the account was transformed into “a place where people can save and share their memories of those who’ve passed”.

On Thursday, Germany’s Federal Court of Justice said that social media accounts are no different than personal letters and diaries in that they, too, can be inherited. From an English translation of the court’s decision:

From a hereditary perspective, there is no reason to treat digital content differently.

Last year, a lower court had ruled that the girl’s rights to private telecommunications included her electronic communications, which, it decided, were meant to be read only by those with whom the girl had communicated.


“Bitcoins for cash in bags” trader gets 12 months in prison

By Paul Ducklin

Anacoluthon – we love it!

(That’s where a sentence has some sort of grammatical inconsistency or ambiguity that jars you into thoughtfulness, then I went for a walk by the River Thames.)

We find anacoluthon as fascinating as cryptocurrency shenanigans, so we were doubly intrigued by a recent Ars Technica headline – Woman who once bought bitcoins for cash in paper bags sent to prison.

We were dying to untangle the ambiguity here – did the bags contain the cash, or did the bags contain the bitcoins?

Were the bags sent to prison, or the woman?

Was she buying cash in paper bags with bitcoins, or bitcoins in paper bags with cash, or were both parts of the transaction in bags?

If the cash was in paper bags, were they brown bags, as they would be in a metaphor, or at lunch, and if not, why not?

Heck, these days, if someone actually buys and sells bitcoins in person for real, hard cash, don’t they deserve some sort of medal?

When you think of how often cryptocurrency buyers and sellers have gone through online exchanges and ended up out of pocket following some sort of cybersecurity catastrophe, real or imaginary, aren’t cash buyers to be applauded?

So many questions, and we hadn’t got past the headline yet!


July 11, 2018 »

Apple and Google questioned by Congress over user tracking

By Lisa Vaas

In May, two weeks before the “we’re not kidding about this protecting user data stuff” General Data Protection Regulation (GDPR) went into effect in the EU, Apple started getting its protecting-user-data ducks in a much straighter row.

It cracked down on developers whose apps share location data, kicking them off the App Store until they cut out any code, frameworks or Software Development Kits (SDKs) that were in violation of its location data policies.

But hang on a minute… members of the US House of Representatives Energy and Commerce Committee asked Apple on Monday: why was it even necessary to limit how much data third-party app developers can collect from Apple device users in the first place?

… given that CEO Tim Cook has repeatedly told the press that Apple believes that “detailed profiles of people that have incredibly deep personal information that is patched together from several sources [shouldn’t] exist”?

Similar question to Alphabet CEO Larry Page: in June 2017, Google announced that Gmail would stop reading our email.

Nonetheless, reports surfaced last week that found the company is still allowing third parties to merrily scan away, giving them access to our email text, signatures, and receipt data, in order to target-market advertising. In fact, a new class action suit was filed against the company on Thursday night over developers’ scanning of millions of users’ private messages.

The committee wants Apple and Alphabet to answer some questions about how they’ve represented all this third-party access to consumer data, about their collection and use of audio recording data, and about location data that comes from iPhone and Android devices.

Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.


England versus Facebook – score currently stands at £500,000-nil

By Paul Ducklin

It’s the hot story right now in Europe…

…no, we’re not talking about the news that France just dumped neighbors Belgium out of the World Series with a 1-0 victory. [Surely you mean the World Cup? Ed.]

We’re talking about the widespread media coverage that the UK Information Commissioner’s Office (ICO) intends to fine Facebook £500,000 (about $660,000) over the Cambridge Analytica fiasco:

[The ICO intends] to fine Facebook a maximum £500,000 for two breaches of the Data Protection Act 1998.

Facebook, with Cambridge Analytica, has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world. This is now estimated at 87 million.

The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.

Cambridge Analytica (CA) – in case you missed the saga as it uncoiled itself earlier this year – was a web analytics company started by a group of researchers with connections to Cambridge University in the UK.


Think that bitcoins and a VPN keep you anonymous? Think again…

By Paul Ducklin

Lots of people think that a VPN, short for virtual private network, is enough on its own to keep them safe and anonymous online.

If you add some sort of mostly-untraceable digital cash into the mix – a cryptocurrency such as Bitcoin or Monero, for example – then you’d be forgiven for thinking that you’re as good as invisible.

So, it’s easy to assume that VPN + cryptocoins == private && secure.

But VPNs and cryptocoins only go so far in keeping cybercrooks and other undesirables out of your online life, and here’s why.

Simply put, a VPN encrypts your network traffic – every data packet, not just your web browsing or email – and transports it to a server somewhere else on the internet.

That server then strips off the encryption and sends your data on its way, as if it had originated from the VPN operator’s network, not from your phone or your laptop.


Why the airplane romance that went viral should worry everyone

By Lisa Vaas

Last week, a woman named Helen (she asked that her last name not be published, for reasons that will soon be clear to anybody who favors privacy over virally inflicted fame) got on a plane in New York, heading for Texas, and left her privacy on the tarmac.

It all began when a lady with a sweet Southern drawl asked to switch seats so she could sit next to her boyfriend.

Sure. Good deed for the day, Helen must have thought. Why not?

So Helen swapped seats and wound up sitting next to an attractive guy with whom she shared conversation, including showing each other family photos on their cell phones.

I know this, and the internet knows this, because along with her boyfriend, the woman who made the request – her name is Rosey Blair – sat in the row behind Helen, whose privacy the couple was about to roto-rooter.

Blair and her boyfriend, Houston Hardaway, began to chronicle – and publicly post, through photos, videos and commentary – Every. Single. Move. Those. Two. People. Made. …And to interpret every one of those moves, slathering their own alternatively romantic/lascivious storyline onto the interactions of two people they’d never met and whose motivations they could only guess at, like so much sweetened-lard frosting on a cardiac-arrest wedding cake.


Woman scams scammer, incriminates self in the process

By Lisa Vaas

First, the international scammer hacked a business account and used it to buy a computer.

Then, he put up an ad, offering a “job opportunity” online to somebody who could pick up that computer in Laconia, New Hampshire, and ship it overseas.

Sounded good to Jennifer Wozmak. According to WMUR News, the New Hampshire woman answered the ad. Then, she did, in fact, pick up the fraudulently purchased laptop, promising to send it along.

The laptop would never make it, though – Wozmak sent a stack of old magazines in its place. She eventually turned herself in, telling police that she sold the computer and kept the money.

Now, having allegedly scammed the scammers, she’s facing charges.

WMUR quoted Wolfeboro, NH Police Chief Dean Rondeau, who said that this scenario happens a lot. People should stay away from these come-ons, he said:

What they want you to do is essentially be a straw man in a scam. They may wave money to pick up an item and move it to another location. Don’t do it.

The long and short of it is if you have any questions and you think something might not be legitimate, pick up your phone and call your local police department and ask to talk to an officer and he will help you work through that, there is no harm in that.

The chief didn’t have any advice for the scammer who got scammed, however. Perhaps “Nyah, nyah, nyah” would suffice?


Gas thieves remotely pwn pump with mysterious device

By Lisa Vaas

Last month, in broad daylight, thieves somehow hacked into a Detroit gas pump and, over the course of about 90 minutes, stole 600 gallons of gas.

The gas, worth about $1,800, was pumped into the tanks of 10 cars, all while the station attendant tried and failed to shut the gas pump down.

The attendant, Aziz Awadh, told Fox 2 Detroit that until he finally got an emergency kit to shut down the pump, he couldn’t get the system screen to respond:

I tried to stop it, but it didn’t work. I tried to stop it here from the screen, but the screen’s not working. I tried to stop it from the system, [but nothing was] working.

After Awadh finally got the pump shut down, he called police.

There are plenty of videos available online about button sequences that will get a pump to give you free (also known as stolen!) gas. But police say that the Detroit gas thieves were actually using a remote device to hack the pump. Police also told Fox that it’s an active investigation. As of Thursday, they weren’t sure whether all the people in the 10 cars were in on the theft.

The owner declined to share surveillance video with the TV station. But police told Fox that whatever device was used did, in fact, prevent the pump from being turned off from inside the station.

Police are looking for two suspects.

That’s about all we know at this point. One possible explanation is that the attackers targeted the fuel-management software used by the Marathon gas station.


July 10, 2018 »

Privates on parade: fitness tracker app reveals sensitive user details

By Danny Bradbury

Another online fitness tracking app is giving up sensitive information – but this time, it is revealing the names and home locations of government personnel.

Permissive search capabilities in Polar Flow, an online tracking app by Finnish fitness wearables company Polar, have enabled researchers to pinpoint highly sensitive military and intelligence operatives and quickly find out where they live. Furthermore, until Polar shut the app down it was possible to download gigabytes of this information automatically.

Foeke Postma, a volunteer at open source intelligence collective Bellingcat, originally discovered the issue and contacted Dutch news site De Correspondent, who dug into it further. The flaw lay in the way that Polar Flow displayed the details of users’ workouts over several years and allowed people to search for them.

The web app displayed icons in a geographic area of the visitor’s choice, indicating exactly where someone had worked out. Clicking on an icon revealed the details that the person had registered in the app along with all their other workout locations.

The researchers could use that information to find workout routes that began and ended at the same residential address, and so pinpoint where a user lived.

They also used this technique to identify workouts near sensitive sites such as military bases, detention centers, intelligence offices and nuclear weapons sites. They could then identify employees by name and search their other workouts to find their homes.

Even when people had marked themselves private in the app or registered with a fake name, the reporters were still able to find their identities. Polar Flow still exposed a unique identifying number, and allowed public searches using that ID.

The app revealed all their logged activity to anyone who searched, enabling the reporters to quickly track down the private individual’s home address. From there, a quick public record search revealed their real name.


Your social media memories may have been compromised

By Paul Ducklin

Remember Timehop, the “digital nostalgia” app?

No, nor do we, but the company still has a database of about 21,000,000 users who have given the app permission to sift through their digital photos and social media posts – even if they no longer actively use the Timehop service.

The idea is that the app turns every day into an anniversary, reminding you of what you were doing on this day last year, three years ago, five years ago, and so on.

The app was briefly popular a few years ago, before Facebook built a similar feature, known as On This Day, into its own social network.

The good news is that a third-party app like Timehop can’t work without your permission.

The Timehop app has to be authorized by you, and furnished with cryptographic keys (known in the jargon as access tokens), to get into the various online services from which you want it to scrape photos and posts.

Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn’t let crooks wander in and steal them.

The bad news is that Timehop just announced a data breach.


What sensitive data is lurking on your old SD card?

By Danny Bradbury

SD cards – those tiny devices that go into your camera or tablet – may be small, but they can hold a lot of revealing information. Because they are often used for storing photos, that information can be highly visual. A research team from the University of Hertfordshire just bought 100 second-hand SD cards and found two thirds of them carrying incriminating files.

The team, commissioned by consumer device advisory site Comparitech, found that 65% of the SD cards still had sensitive files ranging from pornography and intimate personal photos through to passport pictures.

SD cards use a different technology to hard drives, but they have some commonalities. One of these is that deleting a file or even using the standard quick format option in your operating system doesn’t really erase the data. It only marks the file as deleted in the drive’s index, which tells the operating system that the space occupied by that file is now available. The file’s data is still there, and curious users – or organizations wanting to prove a point – can recover it with freely-available forensics tools.

The researchers’ report on the project explains that the cards came from various sources including second hand shops, auctions, and eBay. Researchers typically bought the cards one at a time, and then used a free data forensics tool called FTK Imager to create a bit-for-bit copy of each card. This enabled them to work from a copy without disturbing the original. Then, they used WinHex and OSForensics to work out what data was in the imaged disk.

Four of the drives couldn’t be read at all, four of them had no data present, 25 had been properly wiped with a data erasing tool, and 29 had been improperly formatted, leaving the data easily recoverable. On two of the disks, files had only been deleted (again, leaving the files exposed). Alarmingly, 36 of the drives’ former owners had taken no steps to remove their data. This enabled the researchers to recover data from 65% of the cards.
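The following Python is an added illustration (not code from the article, the Hertfordshire team or Comparitech) of the point made above: a toy card image with a constructed directory index is built, one file is "deleted" by clearing only its index entry, and a signature-based carve then recovers the photo from the untouched data sectors, while an overwrite does not leave anything to recover. The index layout is hypothetical and the "photo" is a constructed JPEG-like stub, not a real SD card filesystem.

```python
"""Constructed demo of why deletion and quick formatting leave data behind.

The card layout (a 32-byte index entry per file in the first two sectors,
file data in whole sectors after that) is a hypothetical stand-in for a
real SD card filesystem; the 'photo' is a constructed JPEG-like stub.
"""
import struct

SECTOR = 512
INDEX_SECTORS = 2           # toy directory index occupies sectors 0-1
ENTRY_SIZE = 32             # 12-byte name, 4-byte start sector, 4-byte length, padding

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature that carving tools look for
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def make_entry(name: bytes, start_sector: int, length: int) -> bytes:
    """Pack one directory entry; an entry whose first byte is 0 counts as free."""
    return name.ljust(12, b" ") + struct.pack("<II", start_sector, length) + b"\x00" * 12


def build_image(files) -> bytes:
    """Lay out (name, data) pairs after the index, each padded to whole sectors."""
    image = bytearray(SECTOR * INDEX_SECTORS)
    entries = []
    next_sector = INDEX_SECTORS
    for name, data in files:
        padded = data + b"\x00" * (-len(data) % SECTOR)
        image += padded
        entries.append(make_entry(name, next_sector, len(data)))
        next_sector += len(padded) // SECTOR
    index = b"".join(entries)
    image[:len(index)] = index
    return bytes(image)


def list_index(image: bytes):
    """What the operating system 'sees': only files with a live index entry."""
    files = []
    for off in range(0, SECTOR * INDEX_SECTORS, ENTRY_SIZE):
        entry = image[off:off + ENTRY_SIZE]
        if entry[0] == 0:
            continue
        start, length = struct.unpack("<II", entry[12:20])
        files.append((entry[:12].rstrip(b" ").decode(), start, length))
    return files


def quick_delete(image: bytes, entry_no: int) -> bytes:
    """Delete / quick format: clear the index entry, leave the data sectors untouched."""
    img = bytearray(image)
    off = entry_no * ENTRY_SIZE
    img[off:off + ENTRY_SIZE] = b"\x00" * ENTRY_SIZE
    return bytes(img)


def carve_jpegs(image: bytes):
    """Recover images the way a forensics tool does: scan the raw bytes for
    start/end signatures and ignore the index entirely."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def secure_wipe(image: bytes, entry_no: int) -> bytes:
    """Proper erasure: overwrite the file's data sectors, then clear its index entry."""
    img = bytearray(image)
    off = entry_no * ENTRY_SIZE
    start, length = struct.unpack("<II", img[off + 12:off + 20])
    a = start * SECTOR
    b = a + -(-length // SECTOR) * SECTOR          # round the length up to whole sectors
    img[a:b] = b"\x00" * (b - a)
    return quick_delete(bytes(img), entry_no)


# Constructed sample card: one photo-like file and one text note.
FAKE_PHOTO = JPEG_SOI + b"\xe0" + b"JFIF-toy-passport-photo" + JPEG_EOI
NOTES = b"shopping list: milk, eggs"
IMAGE = build_image([(b"IMG0001.JPG", FAKE_PHOTO), (b"NOTES.TXT", NOTES)])


def demo():
    """Compare what the OS shows with what carving recovers, after delete vs. wipe."""
    deleted = quick_delete(IMAGE, 0)   # the state most of the surveyed cards were in
    wiped = secure_wipe(IMAGE, 0)      # the state the 25 properly erased cards were in
    return {
        "visible_after_delete": [f[0] for f in list_index(deleted)],
        "carved_after_delete": len(carve_jpegs(deleted)),
        "carved_after_wipe": len(carve_jpegs(wiped)),
    }


if __name__ == "__main__":
    print(demo())
```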


Copyright Directive legislation voted down by European Parliament

By Lisa Vaas

Our sympathies to Paul McCartney, Annie Lennox, Placido Domingo and David Guetta, as well as to newspapers and other outlets whose music and content are sucked from them for nary a dime in recompense by internet giants including Google and Facebook.

For better (and there’s a lot of that) and worse (sorry, again, content creators), the European Parliament on Thursday voted down proposed legislation known as the Copyright Directive.

The EU’s rejection of the controversial legislation – the vote was 318 against 278 with 31 abstaining – isn’t the end of the fight. It now goes back to the drawing board before it faces a second vote in September.

The purpose of the legislation is to drag copyright law into the digital age and ensure that content creators get paid for their work, be it newspaper copy, music or other copyrighted content.

The Copyright Directive encompassed two highly controversial articles: the first was Article 11, intended to protect newspapers and the like from having their material used without payment. Opponents dubbed it the Link Tax, given that it would have given media giants the power to charge licensing fees for posting links such as this one.

According to an opposing group, Save the Link, Article 11 would have required websites to install bots to monitor posts for copyrighted content and to censor posts to filter it out. That would have had a major impact on the quotidian work of scores of internet content producers, including journalists looking up and citing sources and professional reviewers discussing the latest film, the group says.

The second controversial piece of the Copyright Directive was Article 13, also known as the Censorship Machine.


Smart TVs are spying on you through your phone

By Lisa Vaas

Last year, the US Federal Trade Commission (FTC) slapped TV maker Vizio with a $2.2m fine for watching us watch its TVs: the spy boxes were collecting data that included IP addresses and demographic information on 11 million users.

Pffft! Amateurs. Vacuuming our data straight out of our living rooms to see what we’re watching so they can target-market us is so last year. Now, it turns out, one company that’s all about making personalized viewing recommendations is jumping beyond our living rooms in order to sniff out what’s happening on any device that’s on our networks, including our mobile devices, and that of course means following us around.

The New York Times on Thursday published a report about Samba TV, which collects data on 13.5 million TV viewers in order to make its personalized show recommendations. Samba has signed deals with about a dozen TV makers, including Sony, Sharp, Magnavox, Toshiba and Philips, to install its software on certain sets.

It calls that software Automatic Content Recognition (ACR) and says that it delivers “essential TV insights.”

As the Times reports, when a user gets one of these TVs out of the box, a screen urges them to enable a service called Samba Interactive TV. The service promises to recommend shows and provide special offers “by cleverly recognizing onscreen content.” As of 2016, company executives said that more than 90% of people clicked the enable button.

But they were likely agreeing to give away far more data than they realized. What the initial “enable” screen doesn’t include: a terms of service agreement that exceeds 6,500 words and a privacy policy that pushes past 4,000 words. That’s a lot of reading for somebody who just wants to find out if Jon Snow is going to accidentally sleep with his aunt.

With all those words, tucked into screens that Game of Thrones fans clearly aren’t clicking through to pore over, Samba gives itself the go-ahead to create a “device map” that matches TV content to devices sharing a network with a smart TV. And that, according to Jeffrey Chester, executive director of the Center for Digital Democracy, helps the company to leap out of living rooms in order to track users “in their office, in line at the food truck and on the road as they travel.”

Sounds a lot like the internet at large, doesn’t it? Online services follow us around after we leave, taking note of where we go. Facebook, in fact, found itself in quite a bit of hot water over that one: CEO Mark Zuckerberg was in the hot seat in Congress a few months ago, as Florida Rep. Kathy Castor asked whether or not Facebook collects personal data on people who aren’t even Facebook users.


July 9, 2018 »

Chrome and Firefox pull history-stealing browser extension

By John E Dunn

One minute that favorite browser plug-in is your friend, the next it’s quietly turned into a privacy disaster that’s profiling your browsing in the most intimate way possible.

Browser makers should be on top of this phenomenon and yet, here we are reporting on the latest example, this time spotted by software engineer Robert Heaton.

He’d been using a Chrome and Firefox extension called Stylish for years to re-skin websites and hide their “distracting parts” such as Facebook and Twitter feeds. (Safari and Opera versions are also available.)

Usefully, it even:

Added manga pictures to everything that wasn’t a manga picture already.

Not hard to see why Heaton and two million others might want to use it then.

Unbeknownst to him, however, in January 2017 the extension was sold to new owners, SimilarWeb, who changed its privacy policy – and outlook.

This came to his attention when he noticed Stylish had started sending obfuscated data back to its website as part of what looked like data gathering.

Sure enough, after more research:

When I looked at the contents of the decoded payload, I realized that Stylish was exfiltrating all my browsing data.

From inside his browser, Stylish could monitor every website he visited. Worse, because Heaton had an account login for the extension, it could relate his activity to his identity.


Employee allegedly stole government spyware and hid it under his bed

By Lisa Vaas

A former, unnamed programmer for spyware maker NSO Group was indicted last week for allegedly stealing source code, disabling company security so they could load it onto a storage drive, and trying to sell it on the Dark Web for USD $50m.

Actually, that would have been a bargain: According to a translated version of the indictment (PDF), the powerful spyware’s capabilities are estimated to be worth “hundreds of millions of [US] dollars.”

The company’s products have made headlines on multiple occasions.

NSO Group, an Israeli company, sells off-the-shelf spyware that’s been called History’s Most Sophisticated Tracker Program.

One of its products, codenamed Pegasus, enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.

Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists. But once software blinks into existence, keeping it out of the hands of the wrong people can be very difficult.

One case in point came last year, when Pegasus was reportedly used to target Mexico’s “most prominent human rights lawyers, journalists and anti-corruption activists, in spite of an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans,” as the New York Times reported.

According to Amnesty International, Pegasus has also been used in the United Arab Emirates, where the government targeted prominent activist and political dissident Ahmed Mansoor. Last month, Mansoor was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) on charges including “insulting the UAE and its symbols.”


The Pirate Bay is plundering your CPU for cryptocash, again

By Danny Bradbury

Popular file sharing site The Pirate Bay seems to have returned to its old tricks again by mining cryptocurrency in visitors’ browsers without telling them. Last month, a user called okremix posted a complaint in Suprbay, which is the Pirate Bay’s official forum.

I wanted to upload my torrents to TPB and because of the current upload error (file not found) I left the tab open and noticed that my CPU is getting really hot.

I remember that TPB was testing background mining in the past so I checked the source on the upload page and there it was.

He posted a segment of JavaScript designed to mine for cryptocurrency.

Browser-based cryptominers use code embedded in a web page to force your computer into solving the complex mathematical problems that earn cryptocurrency. Instead of doing it for you, though, they do it for someone else.

Occasionally, publishers will give you the option to mine for cryptocurrency if you don’t want to read their ads. More often, crooks hack someone’s website to embed the code without their knowledge.

Sometimes, as was the case with the Pirate Bay first time around at least, the site owner embeds the code themselves but doesn’t tell visitors. When the person visiting the website doesn’t know about the mining and doesn’t give their permission, that can be classified as cryptojacking.

The Pirate Bay has done this before, using the well-known miner Coinhive. This time, though, they seem to have opted for the relatively new cryptojacking service called Crypto-Loot (probably because it charges 12% commission on Monero mining, compared to Coinhive’s 30% commission).

Both Coinhive and Crypto-Loot focus on mining Monero, which has become the cryptocurrency of choice for cryptojackers for two reasons. First, it is CPU-friendly, meaning that miners can use a computer’s CPU in a browser without having to rely on expensive GPU hardware. Second, Monero is designed to be even more anonymous than Bitcoin, obfuscating sending and receiving addresses by default.


SIM card in bird’s GPS tracker used to rack up $2,700 phone bill

By Lisa Vaas

A migrating, tagged, male white stork—known to the Polish environmentalists who were tracking him as “Kajtek”—blipped out of contact on 26 April.

That, however, did not stop him from making good use of the SIM card in his GPS tracker, with which the bird—or somebody who found the GPS device and picked it apart in order to get at the card—racked up a $2,700 phone bill.

As IFL Science reports, Kajtek was last located at the Blue Nile valley in Sudan, on his way back home to Poland after successfully making his annual 6,000-kilometer (3,700-mile) trip to Africa, when his GPS tracker showed that he had stopped moving.

White storks aren’t endangered, though their habitats are threatened. The birds spend the warm summer months of the breeding season in parts of central and southern Europe—including in Poland—the Middle East, and west-central Asia before heading to Africa to spend the winter.

When his GPS tracker showed that Kajtek had stopped moving, researchers at the environmental group Grupa EkoLogiczna—EcoLogic—assumed the bird was dead. They had placed the tracker on him in April 2017: a “fairly routine” practice, as you can see by the many accounts of tagging white storks that the group posts to Facebook.

It was 26 April when things got weird. That’s when the scientists who were monitoring Kajtek’s tracker noticed that the bird’s signal again started to move, taking a roundabout, 25-kilometer (16-mile) trip before it went dead.

Then, a number of weeks later, on 7 June, EcoLogic got the giant bill from its phone company. According to The Register, the group said in June that someone pulled apart the tracker to get at the SIM card, then used it for a marathon call-everywhere-and-everyone spree.

EcoLogic told IFL Science that it doesn’t know who made the calls, but they’ll likely have to fork over the money for the phone bill out of their own pockets.


July 5, 2018 »

Tor-linked nonprofit raided by police

By Lisa Vaas

On 20 June, at 6:00 a.m., German police knocked on the doors at the homes of three members of the board of directors for Zwiebelfreunde: a non-profit organization whose name, in English, translates as “Onion Friends” and which operates Tor services for

On Wednesday, the group said on its blog on – which is one part of a large, decentralized network of Tor nodes – that police seized most of the group’s electronic storage equipment: disks, laptops, PCs, GnuPG Smartcards/Yubikeys, and mobile phones.

In a coordinated set of raids, police also ransacked the group’s registered headquarters in Dresden – which is the group’s lawyer’s office – and the home of a previous board member.

Der Spiegel reported on Wednesday that police also seized a number of documents, including paper receipts identifying donors and membership lists for previous years. Police also raided the Augsburg headquarters of the Chaos Computer Club (CCC).

Well, so much for striving to promote anonymity, privacy and security on the internet.

As Der Spiegel notes, Onion Friends has for years been collecting donations on behalf of alternative and non-commercial providers whose confidential communication services are used by social movements worldwide.

That, obviously, is “the only reason why the German investigators went so far against the club,” the newspaper said.

The raids were reportedly sparked by the Munich Attorney General’s search for the authors of a left-wing blog, Krawalltouristen, which translates to “riot tourists.” Police claim that the blog called for violent protests aimed at the annual convention of the right-wing Alternative for Germany (AfD) party, the largest opposition party in the German parliament.

But German police didn’t bother to go after the email provider behind that email address, which was As Zwiebelfreunde tells it, the group has a partnership with Riseup Labs, a US non-profit focused on technological research, development, and education for the purpose of furthering social justice and supporting social movements. Onion Friends manages donations to Riseup Labs and says the two groups collaborate to spend the money on software development, travel reimbursements and Riseup’s Tor infrastructure.


7-year-old’s avatar sexually assaulted on “family-friendly” Roblox

By Lisa Vaas

Roblox, a gaming site for kids and teens, says it’s the largest user-generated online gaming platform. It calls itself “a family-friendly, immersive, 3D environment.”

A North Carolina mother is calling it something else entirely after she watched her 7-year-old’s avatar being “violently gang-raped on a playground” by two male players’ avatars… and then witnessed the female avatar of an onlooker jump on her daughter’s avatar when the virtual rapists were through.

Amber Petersen said in a 28 June Facebook post that she and her husband had thought they had done due diligence when they allowed their daughter to play the game. She noted that Roblox is rated Pan European Game Information (PEGI) 7: PEGI being a European video game content rating system that assigns age recommendations and content descriptions. Hence, a PEGI 7-rated game such as Roblox should be appropriate for those children who are at least 7 years old.

The game has a multiplayer online gaming platform in which users can create their own personal avatar and their own adventures, similar to Minecraft. Then, players can interact with each other in virtual reality.

Of particular interest to parents such as Petersen and her husband: Roblox has security settings that allow parents to block outside conversations and invitations. Moderators and automatic filters also block potentially inappropriate content.


Want to beat facial recognition? Join the Insane Clown Posse

By Lisa Vaas

Over the weekend, a computer science blogger for WonderHowTo who’s known on Twitter as @tahkion announced his revelation that makeup worn by fans of the hip hop duo Insane Clown Posse (ICP) – collectively known as Juggalos or Juggalettes – makes it very difficult for facial recognition (FR) software to figure out the wearer’s identity.

Tahkion says he discovered the facial recognition trickery while working on his own FR research project and was pretty surprised to find that Juggalo face paint was:

Some of the most effective camouflage I’ve found, even more effective than some styles created deliberately to fool such systems.

Of course, while Juggalo face paint may well fool automated FR, it makes the wearer far more recognizable to just about anyone else – say, humans, Tahkion said. For those who are truly devoted to avoiding facial recognition, this isn’t the answer. Rather, the surveillance-allergic would be better off with an FR-foiling disguise that still looks completely normal to the human eye.


Elderly scam victims are too embarrassed to speak up

By Lisa Vaas

“Christine” was a pensioner in her 70s with a terminally ill husband when she got an email out of the blue: she could receive £500,000 if certain “fees” were paid, it said. Well, hallelujah.

So she began paying… And paying… And paying. Over the course of a few months, Christine spent the couple’s life savings – £108,000, or about USD $142,555. The reality of the fleecing didn’t become clear until she tried to re-mortgage their home, at which point her solicitors suggested she’d been scammed.

It took a long time to drain Christine dry, with those “fees” drip, drip, dripping away until the couple’s bank account was empty. Didn’t family or friends notice the duress the couple was under? Why did it take a solicitor to spot what might seem like a blatant fraud perpetrated on the elderly – and why did it only come after the damage was done?

Unfortunately, Christine’s plight is all too common. According to a new, joint report from Reassura, a new anti-fraud helpline for pensioners, and the University of Portsmouth’s Centre for Counter Fraud Studies (CCFS), 22% of elderly people – those aged 65 and over – are unwilling to talk about their personal finances at all, even in good times. But if the elderly have been victimized by fraudsters or scammers, that number jumps to 36% who are too embarrassed to talk about what’s gone down.


Samsung phones sending photos to contacts without permission

By John E Dunn

At least two Samsung smartphone models have reportedly spontaneously started sending photographs to contacts without being asked to do so.

It’s never easy to tell how widespread smartphone problems are – forums are regularly filled with an assortment of issues – but the pattern of behavior in anecdotal reports from US owners has a consistent ring to it.

Multiple images are said to have been sent to contacts without users being aware that it’s happening or having any indication after the fact in the Samsung Messages app.

One user claimed it sent his entire photo gallery to his girlfriend during the night, while another reported photographs had been sent to multiple contacts. Presumably, users find out when recipients tell them.

Judging from one Reddit thread, the affected devices are the latest Galaxy S9 and S9+, but it’s possible that other models are affected too.

What might cause such an issue – and how photographs could be sent to contacts – is a mystery.


Facebook accidentally unblocks people

By Lisa Vaas

There are so, so many reasons to block the Facebook annoyarati. As Ranker enumerates in its 15 reasons why they’re so annoying, they can be selfie-saturaters, romance oversharers, my life is SO GREAT!-ers, feed cloggers, or whining whiner babies, for example.

Annoying is one thing. On the other end of the spectrum are the dangerous or illegal social media accounts: the stalkers, the child predators, the trolls, the bots, the scammers. But they all have one thing in common. They deserve to be blocked, and Facebook users deserve the benefits of blocking them, as in, to be spared their grating or endangering presence.

Well, Facebook goofed on that front. On Monday, the company admitted that it’s notifying over 800,000 users about a bug in Facebook and Messenger that unblocked some people they’d blocked. Facebook Chief Privacy Officer Erin Egan said in a Facebook newsroom post that the glitch was active between 29 May and 5 June.

She said that while someone who was unintentionally unblocked couldn’t actually see content shared with friends, they could have seen things posted to a wider audience: for example, pictures shared with friends of friends.


Someone else is reading your Gmails

By Danny Bradbury

Remember when privacy advocates used to worry about Google scanning your email? Well now they have another problem on their hands: real people reading them.

We’re not talking about Google employees. We’re talking about developers in third-party companies, and in some cases the developers in other organizations that those companies partner with.

Google has a history of tussling with people over email privacy. It scanned emails for years, using what it gleaned from the text to target users with personalized advertisements. As early as 2004, privacy activists were urging it to stop, and the company has battled lawsuits from disgruntled users since then.

A year ago, it partially caved, announcing that it would stop using content from its consumer Gmail service to personalize ads, bringing it in line with an existing policy for its business accounts.

That doesn’t mean that the company stopped automatically reading your mail, though. In fact, Google spokespeople confirmed in May that the company still uses email content to help drive a range of other services.

Earlier this week, the story took another turn after the Wall Street Journal reported that third-party developers can read the emails of millions of Gmail users.

Many companies develop apps that need access to your mail for processing purposes. An AI-driven assistant might ask to read your mails to automatically book appointments for you, say. Other apps that might want access to your email include itinerary planners that scan travel emails for appropriate details. Google made this easier to do in 2014 when it created APIs to help third party developers access Gmail accounts.

There was always a caveat. Users had to agree to share that information first, granting explicit permission for an app to access their Gmail account or their broader Google account. However, what users may not have known is that this doesn’t only give the third-party company’s software access to their email. It gives developers inside those companies the ability to manually access it too.


July 3, 2018 »

Facebook gave certain companies special access to customer data

By John E Dunn

What do Russian internet company, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access the private Friends data API despite the company supposedly changing the policy allowing this in May 2015.

This is news because it shouldn’t have been possible. As Facebook explains the policy, first communicated to all companies in April 2014:

We made clear that existing apps would have a year to transition – at which point they would be forced to migrate to the more restricted API and be subject to Facebook’s new review and approval protocols.

It wasn’t a long extension, amounting to six months for all bar one company, accessibility app company Serotek, which was given eight months in total.

Facebook doesn’t make clear why this happened, a frustrating omission in a document that runs to 747 pages of answers to around 2,000 questions sent by US lawmakers following Mark Zuckerberg’s Senate grilling in April.


Typeform data breach hits thousands of survey accounts

By John E Dunn

Survey company Typeform has admitted suffering a breach caused by attackers downloading a “partial backup” of its customer data.

The Spanish company said it noticed the issue on 27 June, remedying its cause within 30 minutes. The affected data was that collected prior to 3 May, which meant:

Results collected since May 3rd 2018 are therefore safe and not compromised.

As breaches go, this is a slightly complicated one because Typeform’s paying customers are businesses that use its software to conduct customer surveys and quizzes.

Each one of those collects data from possibly tens of thousands of their own customers when they take part, which widens the breach’s scope.

Each affected provider will therefore need to contact these customers independently – a situation that draws parallels with the breach suffered by email marketing provider Epsilon in 2011, which saw dozens of large brands sending out apology emails.

Typeform said affected account holders would be informed by email. The Tasmanian Electoral Commission, British prestige brand Fortnum & Mason, digital bank Monzo, and food maker Birdseye have been among those issuing their own alerts, but this is only a fraction of the company’s business customer base, which runs to thousands.


Fake Bitcoin exchange traps drug dealers on the dark web

By John E Dunn

As around 35 alleged drug vendors have found out to their cost, you never know who you’ll meet on the dark web.

In the case of the customers of one money laundering operation, it turned out to be agents working for the US Immigration and Customs Enforcement’s Homeland Security Investigations (HSI).

According to a Department of Justice announcement, the authorities spent a year investigating dozens of individuals using the front, turning the bitcoins they had received for illegal drug sales into dollars.

The core of the operation was the takeover of an established laundering outfit, whose owner police arrested and charged in 2016.

This led to the arrest of more than 35 individuals across numerous US states and the seizure of $3.6 million in currency and gold bars, plus 100 handguns, assault rifles, and a grenade launcher.

Police also recovered a long list of drugs, including Oxycodone, MDMA, cocaine, LSD, marijuana, and a “psychedelic mushroom.” They also seized 2,000 BTC and other cryptocurrencies with a value of $20 million.

Said Derek Benner of the HSI:

In this case, HSI special agents were able to walk amongst those in the cyber underworld to find those vendors who sell highly addictive drugs for a profit.

The HSI release was very much of the “criminals have nowhere to hide” type that is often trumpeted after these sorts of operations:

The veil has been lifted. HSI has infiltrated the Darknet, and together with its law enforcement partners nationwide, it has proven, once again, that every criminal is within arm’s reach of the law.

That’s true, even if arresting 35 people barely scratches what goes on within the confines of the dark web.


July 2, 2018 »

Brave adds Tor to reinvent anonymous browsing

By John E Dunn

The Brave privacy browser has added another feature to bolster its blossoming anti-surveillance credentials – the ability to use the Tor anonymity system by launching a tab.

Called Private Tabs with Tor (beta version 0.23), launching a session involves clicking on the Private Tab with Tor option from a drop-down list.

Naked Security has covered the inner workings of Tor (The Onion Router) in previous articles, but the privacy benefit of using it is summed up quite nicely in the Brave announcement:

Private Tabs with Tor help protect Brave users from Internet Service Providers, guest Wi-Fi providers, and visited sites that may be watching their internet connection or even tracking and collecting IP addresses, a device’s internet identifier.

Browsers already offer so-called incognito modes, but these offer limited privacy. Sessions are isolated from those opened by the main browser and ostensibly leave no traces of your browsing habits on your computer (although not everyone agrees this is strictly true).

What incognito mode doesn’t do is hide browsing from ISPs, which typically will keep a record of the websites visited from a given IP address.

As Google itself notes:

Going incognito doesn’t hide your browsing from your employer, your internet service provider or the websites that you visit.

Tor is a major step up from this because it blocks the ISP from tracking which websites someone is visiting and hides a visitor’s true IP address and country of origin from the website they visit (as long as the user doesn’t log into them).


Second former Equifax staffer charged with insider trading

By Danny Bradbury

In another entry for the ‘what were they thinking’ file, a second former Equifax executive has been charged with insider trading in advance of the company’s massive data breach announcement last September.

According to an SEC release, Sudhakar Reddy Bonthu, a former software engineering manager at the credit information company, traded on confidential information that he received while creating a website for consumers affected by the Equifax breach.

The breach saw 146.6 million US consumers affected, with most records containing social security numbers. Some 99 million lost their address information while 17.6 million lost their drivers’ license numbers. In the UK, a file of 15.2 million records was hacked, and 693,665 consumers had sensitive personal details exposed.

Bonthu, 44, was told that he was building a site for an unnamed client, however, he soon worked out that it was for his employer, Equifax. He allegedly used this information to buy put options in the company’s shares.

A put option is a contract to sell stock for a specific price (the ‘strike price’) within a specified period. You can purchase put options whether you own a stock or not. If a stock trades at $140 per share and you know it will go down, then purchasing a put option to sell 100 shares with a $140 strike price lets you capitalize on the stock’s movement. If the stock drops to $95, then the put option contract becomes a valuable commodity that you can sell to someone else. It’s a classic tool for ‘shorting’ a stock by betting on its decline.

According to the SEC, Bonthu wasn’t betting at all. Instead, he knew that the Equifax stock would fall thanks to insider knowledge.

Equifax fired Bonthu in March after he refused to cooperate with its insider trading investigation. He has agreed to return his gains from the put option trades plus interest to settle the SEC’s civil charges, subject to court approval. However, he also faces criminal charges from the US Attorney’s Office from the Northern District of Georgia.


Facebook and Google accused of manipulating us with “dark patterns”

By Danny Bradbury

By now, most of us have seen privacy notifications from popular web sites and services. These pop-ups appeared around the time that the General Data Protection Regulation (GDPR) went into effect, and they are intended to keep the service providers compliant with the rules of GDPR. The regulation requires that companies using your data are transparent about what they do with it and get your consent for each of these uses.

Facebook, Google and Microsoft are three tech companies that have been showing their users these pop-ups to ensure that they’re on the right side of European law. Now, privacy advocates have analysed these pop-ups and have reason to believe that the tech trio are playing subtle psychological tricks on users. They worry that these tech giants are guilty of using ‘dark patterns’ – design and language techniques that make it more likely that users will give up their privacy.

In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy. Microsoft is also guilty to a degree, although performs better than the other two, the report said. Forbrukerrådet also made an accompanying video.

Tech companies use so-called dark patterns to do everything from making it difficult to close your account through to tricking you into clicking online ads (for examples, check out‘s Hall of Shame).

In the case of GDPR privacy notifications, Facebook and Google used a combination of aggressive language and inappropriate default selections to keep users feeding them personal data, the report alleges.


Linux distro hacked on GitHub, “all code considered compromised”

By Paul Ducklin

Data breaches are always bad news, and this one is peculiarly bad.

Gentoo, a popular distribution of Linux, has had its GitHub repository hacked.

Hacked, as in “totally pwned”, taken over, and modified; so far, no one seems to be sure quite how or why.

That’s the bad news.

Fortunately (we like to find silver linings here at Naked Security):

  • The Gentoo team didn’t beat around the bush, and quickly published an unequivocal statement about the breach.
  • The Gentoo GitHub repository is only a secondary copy of the main Gentoo source code.
  • The main Gentoo repository is intact.
  • All changes in the main Gentoo repository are digitally signed and can therefore be verified.
  • As far as we know, the main Gentoo signing key is safe, so the digital signatures are reliable.

Like Drupal before it, the Gentoo team has started by assuming the worst, and figuring out how to make good from there.

That way, if things turn out to be better in practice than in theory, you’re better off, too.


The Ticketmaster breach – what happened and what to do

By John E Dunn

Live Nation Entertainment subsidiary Ticketmaster has admitted it has suffered a serious data breach affecting 40,000 of its British and international customers.

Anyone who used the Ticketmaster UK, GETMEIN! and TicketWeb sites to book tickets between February 2018 and 23 June 2018 may have had data compromised, including their name, email address, physical address, telephone number, Ticketmaster logins, and payment card details.

In addition, so-called “international customers” who bought, or tried to buy, tickets between September 2017 and 23 June 2018 could also be affected. (US customers are not part of the alert.)

The issue was caused by malware, spotted on 23 June 2018, that had infected a customer support system managed by Ticketmaster partner Inbenta Technologies, according to an email sent to affected account holders on Wednesday afternoon.

So far, the breach response is still at a stage described by Ticketmaster as follows:

Forensic teams and security experts are working around the clock to understand how the data was compromised.

In other words, we now all know that there was a breach, but not yet how it happened.

What’s happened to the stolen data?

Often, breach notifications refer to card payment data almost in passing, which invites readers to infer that although the data could have been compromised in theory, it wasn’t accessed in practice.

In this case, however, it seems pretty certain that payment card data was not only stolen but is also already being abused.


Windows 10 security can be bypassed by Settings page weakness

By John E Dunn

The file type used to link to Windows 10’s settings page can be abused to run malicious executables or commands in a way that bypasses the OS’s defenses.

Researcher Matt Nelson of SpecterOps made the discovery while he was looking for new formats for attackers to abuse now that the HTML Applications (HTA files), Visual Basic programs (VBS), JavaScript (JS), PDF and Office files are tightly controlled by Office 365 and Windows 10.

Nelson came across a format that few beyond Microsoft will have heard of: SettingContent-ms, used to create shortcuts to the settings page, the successor to the Control Panel.

A file with this extension is simply an XML file that contains paths to the programs used to configure Windows 10’s settings.

That brings with it some power through an option in .SettingContent-ms called “DeepLink”, which specifies the disk location that gets invoked when opening the Settings page or the Control Panel.

Nelson discovered that “DeepLink” could be used to open anything, for example CMD.EXE, PowerShell, or even a chain of commands, triggered by an internet link:

So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogs to the user.

Office would normally block commonly-abused file types when they’re referenced externally, but this file format is apparently not seen as risky.
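A defender’s static check for the weakness described above, written as an added example for this article (it is not code from SpecterOps or Microsoft): it parses a .SettingContent-ms file and flags any “DeepLink” that names a shell interpreter, carries arguments, or chains commands. The article only says the format is XML holding program paths, so the element layout of the constructed samples and the allow-list of expected settings hosts are assumptions.

```python
"""Flag suspicious DeepLink entries in .SettingContent-ms files.

Added example, not code from SpecterOps or Microsoft. Assumptions: the
file is XML containing one or more <DeepLink> elements (the element
layout below is assumed), and a benign shortcut points at a Control
Panel / Settings host with no arguments.
"""
import os
import re
import xml.etree.ElementTree as ET

# Hosts a legitimate settings shortcut is expected to invoke (assumption).
EXPECTED_HOSTS = {"control.exe", "systemsettings.exe"}

# Interpreters the article names as reachable through DeepLink.
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Characters that turn a bare path into a command chain.
CHAIN_RE = re.compile(r"[&|;]")


def split_command(value: str):
    """Split a DeepLink value into (program, argument_string).

    A quoted program path is honoured; an unquoted path containing spaces
    is treated as program plus arguments, which is deliberately conservative
    (it errs toward flagging).
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value.strip('"'), ""
        return value[1:end], value[end + 1:].strip()
    parts = value.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def analyze_deeplink(value: str):
    """Return a list of finding strings for one DeepLink value (empty = clean)."""
    findings = []
    program, args = split_command(value)
    # Normalise Windows separators so basename works on any host.
    base = os.path.basename(program.replace("\\", "/")).lower()
    if base in SHELL_INTERPRETERS:
        findings.append(f"shell interpreter as DeepLink target: {base}")
    if args:
        findings.append(f"arguments supplied to DeepLink target: {args!r}")
    if CHAIN_RE.search(value):
        findings.append("command chaining characters present")
    if base not in EXPECTED_HOSTS and base not in SHELL_INTERPRETERS:
        findings.append(f"unexpected DeepLink host: {base}")
    return findings


def iter_deeplinks(xml_text: str):
    """Yield the text of every DeepLink element, whatever its namespace."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "DeepLink" and el.text:
            yield el.text


def scan_settingcontent(xml_text: str) -> dict:
    """Map each DeepLink value in the file to its findings."""
    return {v: analyze_deeplink(v) for v in iter_deeplinks(xml_text)}


def is_suspicious(xml_text: str) -> bool:
    return any(scan_settingcontent(xml_text).values())


# Constructed sample: what a benign Control Panel shortcut is assumed to look like.
BENIGN_SAMPLE = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample: DeepLink abused to run a (harmless) chained command.
# "&amp;" is the XML escape; the parsed value contains a literal "&".
MALICIOUS_SAMPLE = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>cmd.exe /c echo constructed-sample &amp; echo second</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(name, "suspicious" if is_suspicious(sample) else "clean")
        for link, findings in scan_settingcontent(sample).items():
            for f in findings:
                print("  ", link, "->", f)
```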

