Repairs & Upgrades

October 22, 2018 »

Up to 9.5 million net neutrality comments were fake

By Lisa Vaas

New York Attorney General Barbara Underwood has subpoenaed 14 companies and organizations as part of the state’s investigation into the blizzard of fake public comments over net neutrality that inundated the Federal Communications Commission (FCC), according to The New York Times.

From Underwood’s statement:

The FCC’s public comment process was corrupted by millions of fake comments. The law protects New Yorkers from deception and the misuse of their identities. My office will get to the bottom of what happened and hold accountable those responsible for using stolen identities to distort public opinion on net neutrality.

As far as the identity theft piece of the puzzle goes, the Wall Street Journal cited an anonymous source who’s familiar with the investigation who said that the civil subpoenas are aimed at determining who was behind millions of comments posted with real people’s names but without their permission.

Underwood said in her statement that her office found up to 9.5 million comments that, the WSJ writes, “appear to have been filed using the names and addresses of real people who had no idea they were being cited in the comments.”

The subpoenas went out to telecommunications industry groups such as Broadband for America – a coalition supported by cable and telecommunications companies – and conservative groups such as the political consultancy Century Strategies and Media Bridge, a conservative messaging company whose site boasts about having placed nearly 800,000 comments opposing internet regulation.


Maker of LuminosityLink RAT gets 30 months in the clink

By Lisa Vaas

The 21-year-old developer who cooked up LuminosityLink – the $39.99, turnkey, remote-access Trojan (RAT) used as spyware, keylogger, electricity/CPU-stealing cryptocurrency miner, and distributed denial-of-service (DDoS) launchpad by cybercrooks in 78 countries – was sentenced last week to 30 months in federal prison.

In a plea deal, Colton Grubbs also gave up the $725,000 worth of bitcoin he made from peddling the malware, which was marketed as a legitimate remote-administration tool but which he knew full well was being used by plenty of customers to remotely access and control their victims’ computers without their knowledge or consent.

The Department of Justice (DOJ) for the Eastern District of Kentucky announced last Monday that Grubbs had signed a plea deal that covered charges of conspiracy to unlawfully access computers in furtherance of a criminal act, conspiracy to commit money laundering, and the illegal removal of property to prevent its lawful seizure.

Grubbs pleaded guilty in July to the federal charges of creating, selling and providing technical support for the RAT to his customers, who used it to gain unauthorized access to thousands of computers across 78 countries worldwide. Grubbs also pleaded guilty to trying to hide incriminating evidence.

According to the plea agreement after learning the FBI was about to search his apartment in Lexington, Kentucky, Grubbs gave his laptop to his roommate and asked him to conceal it in the roommate’s car.


Serious D-Link router security flaws may never be patched

By John E Dunn

Stop me if you’ve heard this one before.

In May, Polish researcher Blazej Adamczyk of the Silesian University of Technology contacted D-Link to tell it he’d discovered a trio of important security flaws affecting eight of its Wi-Fi routers.

According to Adamczyk, D-Link replied two weeks later to say that two of the products would be patched in due course but that the remaining six were considered end of life (EOL), the implication being that they wouldn’t be updated.

After receiving no further communication regarding the vulnerabilities by September, he gave them one month to announce updates or he would make the flaws public.

Last Friday, 12 October, he held true to his word, revealing the vulnerabilities, which included a proof-of-concept video showing how they could be used together to compromise vulnerable models.

We haven’t had D-Link’s side of the story, in fairness, but on the face of it this looks like another example of how responsible disclosure can occasionally end in an uncomfortable impasse.


Apple privacy portal lets you see everything it knows about you

By Lisa Vaas

A month after its most recent iPhone and Mac launches, Apple has refreshed its privacy pages.

There isn’t much that’s changed: those pages still espouse Apple’s long-held commitment to privacy being a “fundamental human right” and that your information is, for the most part, kept on your iPhones, iPads and Macs.

Apple’s iOS 12 was loaded with useful security upgrades and patches for software vulnerabilities (though, granted, not one lock-screen bypass, but two have already been discovered).

As expected, the updated pages cover the new security and privacy features in iOS 12 and macOS Mojave, including new information about end-to-end encrypted group FaceTime video calls and improvements to intelligence tracking protections, as well as how Apple uses differential privacy to understand which are the most popular features, without being able to identify individual users.

But there is, actually, something new on those pages: Apple’s now allowing US customers to download all the data it holds on them through a new privacy portal.

Besides giving users the ability to download their data, it also enables them to request corrections if they spot errors.


Is Google’s Android app unbundling good for security?

By John E Dunn

Is Android about to change for better or worse?

If you live in the European Union (actually, the Europen Economic Area, which consists of the EU plus Norway, Iceland, and Liechtenstein), turning on a new Android device after 29 October 2018 could be less familiar than in the past.

Until now, almost all Android users have been greeted by Google’s own suite of 11 factory-installed apps that includes Gmail, Chrome, Maps, Search, and – most important of all to most users – Google Play. 

This happened because Google’s licensing compelled device makers to install apps such as Search and Chrome if they wanted to install Google’s well-stocked app repository, the Play Store.

In July 2018, the European Commission (EC) concluded this was a ploy to give Google Search a monopoly on Android, fined the company €4.34 billion ($5.1 billion) on anti-trust grounds.

Even though Google has appealed the latest ruling, which will likely wend its way through the courts for several years, the company nevertheless yesterday announced plans to comply with the decision.

However, there’s a sting in the tail: device makers will no longer have to bundle Google’s apps, but if they do they’ll pay for the privilege.


October 18, 2018 »

You don’t have to sequence your DNA to be identifiable by your DNA

By Lisa Vaas

In April, the power of online genealogy databases to help track down and identify people became clear.

That’s when police arrested Joseph James DeAngelo on suspicion of being the Golden State Killer: the man allegedly responsible for more than 50 rapes, 12 murders and more than 120 burglaries across the state of California during the 70s and 80s.

Investigators had collected and stored DNA samples from the crime scenes over the years. They ran the genetic profile they derived from those samples through an online genealogy database and found it matched with what turned out to be distant relatives – third and fourth cousins – of whoever left their DNA at the crime scenes.

Getting a match with the database’s records helped investigators to first locate DeAngelo’s third and fourth cousins. The DNA matches eventually led to DeAngelo himself, who was arrested on six counts of first-degree murder.

It wasn’t that DeAngelo submitted a DNS sample to any one of numerous online genealogy sites, such as 23andMe or AncestryDNA. Rather, it was relatives with genetic makeups similar enough to whoever left their saliva on something at a crime scene who made the search possible.

The more people who submit DNA samples to these databases, the more likely it is that any of us can be identified. According to new research published in Science Magazine, the US is on track to have so much DNA data on these databases that 60% of searches for individuals of European descent will result in a third cousin or closer match, which can allow their identification using demographic identifiers.


Twitter publishes data on Iranian and Russian troll farms

By Lisa Vaas

A few weeks ahead of mid-term elections in the US, as social media platforms try to plug leaks that let in waves of meddling and propaganda that soaked the country in 2016, Twitter on Wednesday released all the tweets, images and videos it believes have been planted by “state-backed information operations.”

In other words, Russian and Iranian troll farms.

Researchers can get the massive datasets at Twitter’s Election Integrity hub.

The two datasets comprise more than 10 million public, non-deleted tweets, two million images and videos, and thousands of accounts linked to operatives based in Russia and Iran. Many of the accounts have previously been reported.

The Russia-linked dataset contains accounts created by the Russian government-linked propaganda factory known as the Internet Research Agency (IRA).

It also contains a lot more personality, according to Ben Nimmo, a senior fellow at the Atlantic Council’s Digital Forensic Research Lab (DFRLab) who got a sneak peek at the data before the sets were published.

Both regimes put a huge amount of effort into churning out propaganda: The Iranian troll farm employed 770 users and put out one million tweets, while Russia’s 3,841 accounts posted nine million tweets.


Weirdo Twitter messages were a glitch, not a hack

By Lisa Vaas

Were you one of the dozens of people who got a bizarre Twitter message yesterday?

The messages were a long string of what looked like random numbers and letters. They were so mystifying that even Twitter CEO Jack Dorsey himself was like, whaaa?

Naturally enough, recipients assumed that the messages were the probably result of…

  1. A disturbance in the Matrix,
  2. The End of Days,
  3. Kanye West’s new password,
  4. What started as a coded mathematical declaration before the sender fell down the stairs,
  5. Encrypted messages from Numbers Stations whose senders forgot to include creepy-sounding chains of dispassionately enunciated letters or numbers, sometimes 24 hours a day, from high-powered shortwave transmitters, or
  6. Those darn hacking Russians.

It was, in fact, none of the above.


Serious SSH bug lets crooks log in just by asking nicely…

By Paul Ducklin


Big, bad, scary bug of the moment is CVE-2018-10933.

This is a serious flaw – in fact, it’s a very serious flaw – in a free software library called libssh.

The flaw is more than just serious – it’s scary, because it theoretically allows anyone to log into a server protected with libssh without entering a password at all.

It’s scary because ssh, or SSH as it is often written, is probably the most widely deployed remote access protocol in the world.

Almost all Unix and Linux servers use SSH for remote administration, and there are an awful lot of awfully large server farms out there, and so there’s an awful lot of SSH about.

SSH stands for secure shell, where the term shell is Unix-speak for a command prompt, the place where most Unix-style system administration functions are performed, whether manually by a logged-in human, or automatically via a logged-in script.

But SSH is used for much more than just shell logins because it creates what’s often called a secure tunnel – a general-purpose encrypted data channel between two computers on the internet.

Notable uses for SSH include secure file transfer between servers, and secure data synchronization between data centers.

Security holes in SSH are therefore the stuff of nightmares for many sysadmins out there, and this one has certainly got the security newswires buzzing.


New iPhone lock screen bypass exposes your photos

By John E Dunn

Apple’s iOS security team must be starting to feel as if they’re being besieged by security sleuth José Rodríguez.

In his latest YouTube proof-of-concept, the Spaniard demonstrates how an attacker with physical access to an Apple device running iOS 12.0.1 (including the latest X and XS models) can gain access to photos stored on it.

The bypass needs 13 steps and requires good timing but at the end of the process, photos can be extracted by selecting and sending them to any number.

Embarrassingly, Apple released iOS 12.0.1 last week to address a range of issues that had cropped up with iOS 12, including two separate lock screen bypass flaws publicized by Rodríguez in late September.

Admittedly, one of these was more serious because it allowed access to a device’s contacts, emails, telephone numbers, and photos, but at 37 steps it was also a lot trickier to pull off than his latest compromise.

The root cause of the issue is the same in all of these – namely using Siri to activate Voiceover to perform certain tasks without having to unlock the phone.


Is this the simple solution to password re-use?

By John E Dunn

Persuading people not to reuse the same password across multiple websites has become one of security’s big head-scratchers.

Asking people not to do something only gets you so far – because there will always be people who think it doesn’t apply to them, or who simply can’t be bothered.

But might there be a simpler fix? A new Indiana University (IU) study, Factors Influencing Password Reuse: A Case Study, thinks it has hit on an answer that’s been hiding in plain sight for years –  set policies that mandate longer and more complicated passwords.

It sounds too good to be true, but the researchers arrived at this disarmingly straightforward recommendation after using some slightly involved inference about the level of password reuse at 22 US universities, including IU itself.

First, they analysed the institutions’ published password policies, paying attention to variables such as length and character type, whether the reuse of previous passwords was possible, and whether they expired.

Next, they combed a database of 1.3 billion known breached credentials, looking for email addresses connected to one of these university domains – and discovered 7.3 million that were connected.


October 17, 2018 »

Donald Daters app for pro-Trump singles exposes users’ data at launch

By Lisa Vaas

Donald Daters, a new dating app that promises to “make dating great again” has instead leaked its users’ data.

On its first day.

The app, available on Apple and Android, went live on Monday morning and Fox News reported that Donald Daters is “open to everyone.” Unfortunately, Donald Daters turned out to be open in ways you really don’t want your app to be.

After Fox’s report was widely picked up by other media outlets, French security researcher Baptiste Robert – who also goes by the Mr. Robot-inspired handle Elliot Alderson – discovered that the app was exposing user information in an open database, including biographical details such as user names and profile photos. It was also exposing what could have been tokens for session IDs that would allow attackers to log into peoples’ accounts and private messages.


US embassy accidentally emails invitation to ‘cat pajama-jam’ meeting

By Louisa Hardwick

Canberra’s US embassy accidentally exposed details of one of its more enticing get-togethers last week, after an employee distributed a meeting invite to an undisclosed number of email recipients, The Guardian reported.

Gavin Sundwall, US Mission to Australia public affairs counsellor, was, however, unperturbed, by what he claimed was a “training error”:

Sorry to disappoint those of you who were hoping to attend this ‘cat pajama-jam’ party, but such an event falls well outside our area of expertise. It was a training error made by one of our new staff testing out our email newsletter platform.

The email – entitled “Meeting” – featured an attractive tabby cat relaxing on the sofa in a Cookie Monster-style onesie, with a plate of delicious edibles on his or her lap.

Sundwall also said that they would be employing “strong new management controls” to prevent a repeat of the mistake.


How Chrome and Firefox could ruin your online business this month

By Paul Ducklin

Chrome 70 comes out today.

Most people who use Google’s popular browser will receive the update, and either won’t realise or won’t especially care about the changes it contains.

Next Tuesday, Firefox 63 will be released, and much the same thing will happen for users of Mozilla’s browser.

But one of the changes common to both those products, which have a huge majority of the market share amongst laptop users, may matter very much to a small but significant minority of website operators.

Chrome 70 and Firefox 63 will both be disowning any web certificates signed by Symantec.

From this month, anyone with Chrome or Firefox who browses to a web page “secured” with a Symantec certificate will see an unequivocal warning insisting that the site is insecure.


Google using lock screen passwords to encrypt Android Cloud backups

By Lisa Vaas

Google’s got your back when it comes to your backups, it says – and it’s even promising to keep its own peepers off the goods.

On Friday, Google announced that it’s brokered a marriage between Android’s Backup Service and Google Cloud’s Titan Technology to keep your backups encrypted so that even the Googlemeister itself can’t decrypt your stuff.

It’s using its newish Titan security to do that. Rolled out in July, Titan technology includes a tiny USB device – a Yubico-esque security key that offers hardware-based two-factor authentication (2FA) for online accounts to keep them from getting hijacked.

In the case of Android backups, starting with its ninth operating system – that would be Android Pie, released in August – Android devices can take advantage of the new encryption by way of a decryption key that will be randomly generated on the device. The decryption key is encrypted using the user’s lock screen PIN/pattern/passcode, which Google doesn’t know.


October 16, 2018 »

How to buy (and set up) a safe and secure baby monitor

By Maria Varmazis

With the ever-growing list of things to acquire when your little one is on the way, finding a good baby monitor can give new parents quite a headache. And when you want to make sure your baby monitor is safe to use – on top of having all the bells and whistles you need – well, it’s hard to know where to even start.

Fear not, finding a secure baby monitor is very doable. I went down this rabbit hole myself in the last year when my daughter was a newborn, so you can learn from my own investigations here.

There are two big camps for baby monitors – ones that connect to the internet and ones that don’t. We’ll dive into the pros and cons of each, as well as the major security considerations.

Wireless (internet-free!) baby monitors

Baby monitors that don’t use the internet don’t have the neat IoT-y bells and whistles. You can’t check in on how your kids are doing with the babysitter on the sly while you’re out on date night.

Non-internet-enabled monitors are basically fancied up walkie-talkies or cordless phones – once you’re out of physical range of the camera, usually about the end of your front yard, you can’t see what’s going on via the monitor. Cheaper versions can also be prone to receiving interference from other radio-emitting devices in your house, which nowadays is basically everything from your phone to your microwave.


Facebook opens up about data breach details

By Paul Ducklin

What is this Facebook breach?

The breach was announced by Facebook itself on 28 September 2018.

It worked something like this…

Facebook has a View As feature that lets you preview your profile as other people would see it.

This is supposed to be a security feature that helps you check whether you’re oversharing information you meant to keep private.

But crooks figured out to how exploit a bug (actually, a combination of three different bugs) so that when they logged in as user X and did View As user Y, they essentially became user Y.

If user Y was logged into Facebook at the time, even if they weren’t actually active on the site, the crooks could recover the Facebook access token for user Y, potentially giving them access to lots of data about that user.


Beware sextortionists spoofing your own email address

By Lisa Vaas

Oh, no! A hacker (says he) planted a Trojan, (claims he) took over your computer’s camera and microphone, (purportedly) filmed you watching porn, (theoretically) has the password to your email account, and is threatening to forward the scandalous video to all your email and social media contacts unless you fork over Bitcoin!

“It must be true,” many people have unfortunately thought about this new twist on an established sextortion scam. After all, he’s (apparently) sending email from your very own email address!

Good news: thankfully, it’s not true. The sextorting phisher has not, in fact, demonstrated that he’s hacked your email. All he’s done is demonstrate that anyone can send an email claiming to be from anyone else.

That’s nothing new; it’s just the way email is designed, though plenty of phishers use this fact to send spoofed email that looks like it comes from a trusted party (like you!).

We’ve seen sextortion emails that have included an intended victim’s password – that the attackers actually found in a data breach dump – in order to make their claims to have taken over somebody’s computer seem legitimate. Those passwords are typically outdated. But with the latest spin, they’re also pretending to have access to their victim’s email account, by simply spoofing the sender of the scam email to make it look like the same email as that of the victim.


Literary-minded phishers are trying to pilfer publishers’ manuscripts

By Lisa Vaas

A scammer has been trying to steal manuscripts by spoofing their email address to make it look like messages are coming from literary agent Catherine Eccles, owner of the international scouting agency Eccles Fisher.

The scammer is targeting literary agencies, asking for manuscripts, authors’ details and other confidential material, as the industry publication the Bookseller reported on Thursday.

The attack on Eccles Fisher is just part of a broader, global spate of phishing attacks that’s prompted Penguin Random House (PRH) North America to issue an urgent warning to all staff just as the five-day Frankfurt Book Fair began, the Bookseller then reported on Friday.

PRH sent the warning to staff on Wednesday, when the book fair began. The email warned that…

We have recently seen an increase in attempts to steal our manuscripts. This has occurred in multiple locations across the globe. The individuals attempting to access these manuscripts have a sophisticated understanding of our business. We need to protect ourselves from these threats.

At least some of the emails look like they’re coming from a genuine Eccles account, including with the owner’s signature. But as is typical of spoofed email, the reply-to email address is going to a different domain with a slightly altered address, the Bookseller reports.


October 15, 2018 »

What Kanye West can teach us about passcodes

By John E Dunn

Kanye West did something incredibly unwise during his visit to the White House this week that had nothing to do with making the media and a famously impatient President Trump sit through a 10-minute expletive-laced monologue.

Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in,” West casually unlocked it using the passcode ‘000000’.

Famous people occasionally make security mistakes like this in public, and every time the reaction is the same – ridicule mixed with surprise.

Ridicule because 000000 seems like the sort of passcode anyone could guess, and surprise that West allowed himself to be filmed revealing this naive weakness.

Others are simply bemused that West didn’t use Face ID or Touch ID.


35 state attorneys general tell FCC to pull the plug on robocalls

By Lisa Vaas

A bipartisan group of 35 state attorneys general are tearing their hair out over robocallers. They’re telling the Federal Communications Commission (FCC) to implement technology that will identify illegally spoofed calls and authenticate legitimate ones, the sooner the better.

In a letter sent to the FCC on Tuesday, the AGs submitted comments in response to a public notice issued by the Consumer and Governmental Affairs Bureau seeking to refresh the record on how the FCC can further empower service providers to block illegal calls.

The AGs said that the situation is beyond what law enforcement can handle on its own. The states’ respective consumer protection offices are receiving and responding to tens of thousands of consumer complaints every year from people getting plagued by robocalls.

More often than not, such calls travel through “a maze of smaller providers,” the AGs said. If the caller can be found at all, they’re usually located overseas, making enforcement difficult. That’s why investigations and enforcement actions can’t serve as the sole solution, they said.

Last year, the FCC released the 2017 Call Blocking Order, which included rules allowing providers to block spoofed calls – as in, calls that pretend to come from consumers’ phones or, even more sneaky, from neighbors’ phones, with area codes that mirror their targets’ area codes. The order allowed providers to block calls from numbers on do-not-originate lists and from numbers that are invalid, unallocated, or unused.


Experian credit-freeze PINs could be revealed by a simple trick

By Lisa Vaas

Last year was a rough time for consumers whose personal information was handled with, shall we say, less than due diligence by the credit bureaus.

In an aftershock following the epic Equifax data-quake last year, it was revealed that the PINs used to protect frozen credit files (frozen by victims to protect themselves from the effects of the breach) were woefully bad.

Now, the latest news shows that at least one other credit bureau – Experian – is also undermining its own PIN security. This time, knowledge-based authentication questions were set up in a way that gave away credit freeze PINs.

Equifax and Experian under fire last year

In September 2017, Equifax disclosed its massive breach – one that affected about half of the population of the US and a mess of Canadians and Brits. We recommended that people put a freeze on their credit files.


Payment skimmers sneaking on to websites via third party code

By John E Dunn

With all the recent fuss about the alleged hacking activities of Russian intelligence, one could be forgiven for missing the unfolding story of ‘Magecart’.

It’s not clear whether Magecart is a loosely-affiliated cybercrime group or just the modus operandi of a few disparate cybercriminals using the same toolkit.  Whatever it is, it’s been blamed for several high-profile payment card breaches this summer, including TicketMaster.

In the latest development, security company RiskIQ says it recently stopped Magecart from pulling off a cyberattack that could have affected a sizeable group of companies using the Shopper Approved customer rating plug-in on their websites.

According to the company, attackers somehow compromised Shopper Approved’s servers to implant malicious JavaScript pointing to a domain under Magecart’s control. Why? To skim card numbers and data as it is entered by customers into payment forms.

Almost the perfect crime?

This is almost the perfect crime because the host website is unlikely to notice the skimming until defrauded customers (or a security company) tell them, not least because it’s inside a third-party plug-in.


Instagram tests sharing your location history with Facebook

By Lisa Vaas

For those Facebook users who still cling to the notion that they can limit Facebook’s tracking of our lives like it’s an electronic bloodhound, you should be aware that its Instagram app has been prototyping a new privacy setting that would enable location history sharing with its parent company.

It was first spotted by bug finder Jane Manchun Wong:

Instagram, as a "Facebook Product", is testing Facebook Location History in their app. It allows tracking the hist……

Jane Manchun Wong (@wongmjane)
October 04, 2018

As you can see in Wong’s screen grab, the “Learn More About Location History” section in the prototype notes that the setting will enable Facebook to build a history of precise locations on your device, even when you’re not logged in to the app.

It’s all about letting users “explore what’s around you,” the prototype says. You can translate “explore” as “buy stuff in nearby stores whose ads we can pepper you with.” The geo-tagged data will show up in users’ Activity Log on their Facebook Profiles, including daily maps of where you’ve been.


Millions at risk from default webcam passwords

By Danny Bradbury

Remember all those webcams that got infected by the Mirai IoT botnet two years ago? Well, Hangzhou Xiongmai Technology Co. Ltd (Xiongmai) – the Chinese manufacturer that made many of them – is back with another vulnerability that puts millions of devices across the world at risk yet again.

Xiongmai eventually fixed the vulnerability in its products that enabled the Mirai authors to compromise an unknown number of devices and bring the internet to a standstill. That doesn’t mean that the company’s products are watertight, though. The new vulnerability creates the opportunity for new attackers to make yet another large and powerful IoT botnet.

The vulnerability lies in a feature called XMEye P2P Cloud, which is enabled on all Xiongmai devices by default. It lets people access their devices remotely over the internet, so that they can see what’s happening on their IP cameras or set up recording on their DVRs.

Using a variety of apps, users log into their devices via Xiongmai’s cloud infrastructure. This means that they don’t have to set up complex firewall port forwarding or UPnP rules on their home routers, but it also means that it opens up a hole in the user’s network. That places the onus on Xiongmai to make the site secure. But it didn’t.

A technical advisory from SEC Consult, a cybersecurity consulting company that investigated the service, recently turned up a litany of security problems.


October 11, 2018 »

Update now! Microsoft fixes 49 bugs, 12 are critical

By John E Dunn

Microsoft’s October Patch Tuesday update made its scheduled appearance yesterday with fixes for 49 security flaws across its family of products, 12 of which are listed as ‘critical’.

Curiously, one of this month’s most interesting flaws hides itself among a further 35 rated merely ‘important’, namely the elevation-of-privilege flaw identified as CVE-2018-8453 affecting all Windows versions.

This is reportedly being exploited by a nation state hacking group nicknamed ‘FruityArmor’ whose highly targeted use of the flaw might explain its slightly lower rating.

A second CVE rated ‘moderate’ that stands out as unusual is CVE-2010-3190, the zombie flaw that refuses to die. A remote code execution (RCE) flaw first revealed eight years ago, this one has had at least two patches since then. Microsoft now says the flaw extends to Exchange Server 2016 too.

Public domain

Three other flaws rated ‘important’ are worth mentioning because they are in the public domain. The standout is CVE-2018-8423, a remote code execution vulnerability in the JET database engine, which means it’s in lots of software including Office. No exploits have been detected but it’s been in the public domain since a security company released details as it passed a 120-day patching deadline last month.


How a WhatsApp call could have taken over your phone

By Paul Ducklin

Google just unsealed information about an apparently exploitable bug in WhatsApp that could have allowed a malevolent caller to take over your device.

Just answering a call could have been enough to land you in trouble.

Project Zero researcher Natalie Silvanovich found a buffer overflow that could be triggered by data transmitted as part of the audio and video stream during a call.

WhatsApp, along with many other online calling apps, uses RTP, short for Real Time Protocol, for transmitting voice and video.

RTP was designed to be efficient – for example, it uses UDP instead of TCP, so that data arrives faster but less reliably. (UDP packets aren’t checked to see if they made it to the other end, and can arrive in a mixed-up order; TCP packets are verified and delivered in the order they were sent, which means more network overhead.)

If you lose some data packets from an app you are downloading, the entire download will be corrupted and useless; if you drop occasional voice packets, you’ll just have some inaudible moments in the call.

Unfortunately, RTP also squeezes its data into a binary packet format that needs careful unravelling at the other end to work out what sort of data was sent, how to deconstruct it, and how much data to expect.


Google+ wakes up to what the rest of us already knew

By Lisa Vaas

After months of hiding a relative pipsqueak of a data breach that happened through a Google+ API, Google on Monday ‘fessed up, said it was shuttering its Facebook-wannabe-but-never-gonna-happen social media platform, and was looking at a potential class action lawsuit that got filed within hours of the breach disclosure.

Busy day!

Google said in its blog post that at the beginning of this year, it began a review – dubbed Project Strobe – of third-party developer access to its data and thus came to a conclusion that everybody already knew: close to nobody likes Google+ and just about nobody uses it:

The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.

OK, so… Action No. 1: shut down Google+ for consumers. Project Strobe had showed that Google+ APIs, and the associated consumer controls, were both tough to develop and a bear to maintain, Google said.

Oh, and by the way, there was a bug in the Google+ People API that affected half a million accounts… a bug that it discovered in March, immediately fixed, and only mentioned on Monday.


October 10, 2018 »

291 records breached per second in first half of 2018

By Danny Bradbury

Over 4.5 billion data records were breached in the first half of this year, according to a report from Gemalto’s Breach Level Index released this week. That’s the highest number of breaches ever in a single six-month time period, but a deeper dive reveals an even more worrying trend.

Gemalto, which sells authentication and data storage products, produces an analysis every six months of the reported breaches from each period. This total number of breached records in this year’s first half (1H) report equated 291 breached records every second, on average.

Records-per-breach is growing

The general rise in the volume of lost records is alarming enough (1H 2018’s figure is up 1,751% on 1H 2015), but what’s really scary is the average number of records per data breach incident. It’s growing quickly.

2015: 245.9m records across 999 incidents. That’s 276,936 records per incident.

2016: 554.5m records across 974 incidents. That’s 569,255 records per incident.

2017: 2.6bn records across 1765 incidents. That’s 1.47m records per incident.

2018: 4.5bn records across 945 breaches. That’s 4.8m records per incident.

The distribution of these compromised records on a per-breach basis isn’t equal, of course. There were some absolute whoppers in early 2018.


Cyber tormentor leaves a trail that lands him 17.5 years

By Lisa Vaas

He, along with others he’d recruited into his cyberstalking campaign, sent lewd pictures of pre-pubescent females to her mother, her former roommate, and two former college classmates. They sent messages encouraging her to kill herself and threatening to rape and/or kill her and her friends. They posed as her and contacted somebody to claim that she’d killed the animal she was pet sitting, triggering a confrontation with police.

They pretended to be her roommate and her mother and called in over 120 hoax bomb threats to schools and residences. They broke into her iCloud account, laptop and iPhone to steal her photos; videos; and medical, psychological, and sexual history. They pieced it all together in a collage and sent it to hundreds of people, including her roommates, co-workers, 13-year-old sister, parents, parents’ work colleagues, and former teachers and school administrators. They put up bogus profiles of her on adult sites and directed interested men to her home address. She said that three men, unknown to her, showed up.

The main cyberstalker behind all this thought the IP address-anonymizing TOR service would protect him. He thought virtual private networks (VPNs) would hide him. He also seemed to put his faith in anonymous overseas texting services and overseas encrypted email providers that don’t respond to law enforcement and/or don’t maintain IP logs or other records.


Airport mislays world’s most expensive USB stick

By John E Dunn

Like so many stories of data disaster, this one started innocently enough.

In October 2017, a member of the public noticed a USB flash drive lying in the street in a London suburb.

After plugging the drive into a computer at their local public library, they discovered it contained 1,000 files held in 76 folders and a trove of data on security systems and procedures at one of the world’s largest airports, Heathrow.

Because we’re writing about this in the first place, you can already guess that none of the data was encrypted or password-protected.

The member of the public decided to tell The Sunday Mirror newspaper about the find, which days later published a story claiming the loss could potentially have compromised airport security, including putting Queen Elizabeth II, politicians and VIPs at risk.

Yesterday, the company with the job of looking after the data, Heathrow Airport Ltd (HAL), was fined £120,000 ($160,000) by Britain’s Information Commissioner (ICO) for allowing this to happen.

What was on the drive?

Heathrow Airport claimed that only 1% of the data on the memory stick was personal data, which would have been a good argument if that hadn’t included a training video exposing names, dates of birth, vehicle registrations, passport details, and mobile numbers for 10 people involved in important security procedures at the airport.


Apple and Amazon hacked by China? Here’s what to do (even if it’s not true)

By Paul Ducklin

The past week has seen the beginning of a saga that feels as though it could end up like Homer’s Odyssey or Virgil’s Aeneid

…a fascinating, entertaining, confusing, politically charged and unpredictable tale, littered with lyrical allusions and based on mysterious sources; a supposedly factual tale that the tellers nevertheless describe in mythological terms as “like witnessing a unicorn jumping over a rainbow” and as “a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle.”

(Actually, transporting a stick from the Yangtze and dumping it on a beach in Lake Washington isn’t a particularly difficult feat these days, thanks to long-haul air travel.)

This saga was years in the making and will probably end up as prescribed reading in years to come for any number of students who’d really rather be trying to fathom something altogether more straightforward, such as programming elliptic curve cryptography from scratch – or, for that matter, translating Homer from the original Greek.

We’re talking, of course, about the astonishing claims published by US technology publishers Bloomberg that Chinese military spies successfully infiltrated at least 30 major US companies, starting about three years ago, by covertly implanting ultra-tiny “zombie chips” onto server motherboards sold by a US server vendor called Supermicro.


Microsoft hits the brakes on latest Windows 10 update – what to do

By John E Dunn

Something has gone wrong with Windows 10 update 1809, codenamed ‘Redstone 5’.

The scheduled update (build 17763), is the second of two that Microsoft planned for 2018 offering new features. It appeared on 2 October, after which serious complaints started rolling in. The most common was that files and settings were being deleted. Wrote one user:

Logged in first time, all looked fine. After a reboot and subsequent logon, I came to find that my profile had been deleted! Nothing remained, no data on the desktop, no settings… nothing.

Problems after major Windows updates aren’t unheard of but the consistency of the problems eventually caught Microsoft’s attention. On 6 October, almost four days after the update appeared, Microsoft did something it has never had to do in the download history of Windows:

We have paused the rollout of the Windows 10 October 2018 Update (version 1809)* for all users as we investigate isolated reports of users missing some files after updating.

What went wrong?

All there is to go on right now are symptoms. The common thread is that files are being deleted, with one user mentioning the loss of 220GB of files dating back to Windows 95 from the default Documents folder.


Don’t fall for the Facebook ‘2nd friend request’ hoax

By Lisa Vaas

Are your Facebook friends bellyaching about having received another friend request from you? Specifically, sending you a message that reads uncannily like this one?

Hi … I actually got another friend request from you yesterday … which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears … then hit forward and all the people you want to forward too … I had to do the people individually. Good Luck!

It doesn’t make sense if you stop and think about it.

Why would you have sent a friend request to somebody you’re already friends with? And then why in the world would you uncritically send this message to your Facebook friends?

The short answers are that you wouldn’t and you shouldn’t.

You should delete the message and ignore the instructions to forward it because it’s a hoax, trying to get you to believe that your account has been cloned.

Account cloning happens when somebody steals your profile pictures and your name to set up a new account. When the account is set up they send out friend requests that appear to come from you, pulling your friends into their web of lies.


October 8, 2018 »

Prison smuggler busted by his own drone camera

By Lisa Vaas

Step aside Amazon, drone deliveries are already a thing in prisons. There are many things that conspirators on the outside can do drone-wise: drop mobile phones, chargers, batteries, drugs, knives, memory cards, earphones, saws, or even drills.

There are also many ways for those drone drops to be duds: sometimes they crash into walls, spark fights in the prison yard or get snagged on barbed wire.

Now, we have a new drone-delivering duh: the criminals who didn’t realize their drone was filming them. Because it has a C A M E R A.

As the BBC reports, two Scottish men were caught smuggling drugs – well, trying to, anyway – into Perth Prison when they accidentally filmed themselves packing cannabis and pills into a drone.

The pair, Paul Reilly, 32, and Michael Martin, 35, were trying to get the contraband to Martin’s prisoner brother, but they mistakenly filmed themselves loading up the drone with £3,000 (around US $4,000) worth of drugs hidden inside Kinder Egg candy. (You might not be familiar with those sugary delights – in which a chocolate egg surrounds a plastic capsule containing a small toy – given that they’ve been banned in the US up until 2017, due to a 1930s law banning candy with non-food, choky objects inside.)


Wi-Fi versions to get names people can actually understand

By Danny Bradbury

Fed up with navigating alphabet soup when trying to buy fast wireless networking that reaches from one end of the house to the other?

Then rejoice, for the high priests of Wi-Fi just made your life – and the lives of wireless network equipment vendors everywhere – a little easier. The next generation of Wi-Fi networking technology has been renamed Wi-Fi 6.

The Wi-Fi Alliance, the industry group that certifies equipment to support the 802.11 wireless networking standard, has introduced a new, easier numbering system to distinguish different versions of the networking protocol. 

While the IEEE standards body ratifies new versions of the 802.11 protocol that underpins modern Wi-Fi equipment, it is the Wi-Fi Alliance that provides the technical profile that vendors can use to implement the protocol in their equipment. It also operates the certification program that lets them qualify their devices as Wi-Fi compatible. 


Facebook doubles cooling off period to cash in on your FOMO

By Lisa Vaas

Well, well, well, many of us are now thinking. Sure, Facebook was fun while it lasted.

But really, post-Cambridge Analytica/mega-breach/data slurping/fake news/Russian propaganda/et al., for some people it’s time to move on. Time to delete the account once and for all.

Well, if you’ve really decided, after all that, to finally thumbs-down the Face, get ready to wait a good, long time. In a move first noticed by The Verge, Facebook’s now doubled the time it takes to delete an account. It used to be 14 days, but now it will take 30 days before an account is killed.

This is actually for our own good, Facebook says. A spokesperson said that Facebook’s seen people who think they want to delete their accounts forever develop cold feet:

We recently increased the grace period when you choose to delete your Facebook account from 14 days to 30 days. We’ve seen people try to log in to accounts they’ve opted to delete after the 14-day period. The increase gives people more time to make a fully informed choice.

As the Verge notes, maybe this is a good thing. Maybe some of us aren’t really ready to ditch the relationship completely. Maybe we just need a time-out. A nice, long, 30-day break from the place that moves fast and breaks things, and the people who use it to be less than cordial.


Google’s Intra app secures older Androids with encrypted DNS

By John E Dunn

If you agree that it’s high time that all Domain Name System (DNS) queries were encrypted to boost user privacy, two things Google has done in recent weeks will come as good news.

The first was the inclusion of a rapidly-emerging IETF DNS encryption standard called DNS over TLS (DoT) as a default setting in the latest Android 9 ‘Pie’, released in August.

The second arrived yesterday when Alphabet subsidiary Jigsaw (formerly Google Ideas) released a new app called Intra that allows Android users not running 9 (i.e. almost everyone) to get their hands on the same security technology but using a close cousin of DNS over TLS called DNS over HTTPS (DoH).

Under Android 9, DNS over TLS privacy is configured via Settings > Network & Internet > Advanced > Private DNS (the default setting routes via Google’s or but third-party alternatives can be added). Intra essentially offers the same options in the form of an app.

With encrypted HTTPS spreading, the last year has seen a surge in interest in another big part of the web privacy and security puzzle, DNS queries.


« older