Repairs & Upgrades

April 24, 2019 »

NYPD forgets to redact facial recognition docs, asks for them back

By Lisa Vaas

Inquiring privacy experts want to know, and they’ve wanted to know for a few years: what type of facial recognition technology is the New York City Police Department (NYPD) using?

What’s it purchased? What are its policies and procedures? How does it train cops on how to use it? What agreements does it have with other agencies that help it run the facial recognition program?

After three years of asking these questions, and filing over 100 requests for relevant documents – which the NYPD is required to hand over per New York State’s Freedom of Information Law (FOIL) – and after a year of being told that the department couldn’t find any such information, Georgetown University Law Center’s Center on Privacy & Technology (CPT) think tank finally managed to claw out 3,700 pages.

Some of which, three weeks after it coughed them up, the NYPD demanded that the CPT return.

A Manhattan judge has ordered the CPT to give back 20 pages of confidential, unredacted documents about the NYPD’s use of facial recognition that were handed over by mistake during the long-running legal case… Oops.

Mind you, the NYPD has already shared these documents. At least once, it’s done so publicly… or, rather, it’s shared one document with anybody who could cough up a conference fee to see it splashed on a screen in a PowerPoint presentation.


Gunpoint domain hijack turns out to have been a family affair

By Lisa Vaas

You might recall the epic, violent domain transfer #FAIL that involved pistol-whipping, tasering, and demanding, at gunpoint, the transfer of “” – a site devoted to content concerned with the beer-guzzling and butt-ogling of college students.

The domain-demanding burglar, Sherman Hopkins, Jr., of Cedar Rapids, Iowa – who got shot multiple times in the chest when the rightful owner of managed to wrestle Hopkins’ gun away from him – was sentenced to maximum prison time of 20 years last year.

But it turns out that the entrepreneurial yearning to possess the site did not originate with Hopkins. In fact, Hopkins was hired by his cousin, who last week was convicted for planning the armed home invasion and hiring Hopkins to do it.

Rossi Lorathio Adams II, 26, also from Cedar Rapids, Iowa, was convicted of conspiracy to interfere with commerce by force, threats, and violence. The time it took the jury to convict: one hour.

‘State Snaps’ and its lust for ‘Do It For State’

As prosecutors described during the trial, Adams founded a social company called “State Snaps” while he was a student at Iowa State University in 2015. Similar to Do It For State, State Snaps – and its Snapchat, Instagram and Twitter feeds – showed great gusto for boob-, butt- beer-, setting-things-on-fire-, drug- and arrows-shot-into-the-groin-related content, as well as for at least one depiction of beer drinking a la butt.


DNS over HTTPS is coming whether ISPs and governments like it or not

By John E Dunn

The penny has finally dropped inside ISPs and governments that a privacy technology called DNS over HTTPS (DoH), backed by Google, Mozilla and Cloudflare, is about to make web surveillance a lot more difficult.

In the UK, this matters because under the 2016 Investigatory Powers Act (IPA), ISPs are required to store a record of which websites citizens visit for the previous 12 months, which is done by noticing Domain Name System (DNS) requests, e.g. to

DNS over HTTPS (and its close relative DNS over TLS, or DoT) makes this impossible because it encrypts these requests – normally sent in the clear – hence the panic reported in a recent Sunday Times article (paywall).

For more detail on how DoH/DoT works, read our previous coverage on the topic. The takeaway, however, is that Britain’s National Cyber Security Centre (NCSC), and probably the US Government think its unexpectedly rapid evolution imperils the monitoring of terrorism and other illegal content.

Big ISPs also worry it will interfere with complex Content Delivery Network (CDN) traffic caching, make customer management through support and captive portals difficult, and leave them fielding calls from unhappy customers when the third-party DNS servers offering DoH fall over.

Confusingly, the Sunday Times story also says DoH will stymie the UK’s controversial porn block, which enforces age checks before adults can visit big porn sites, although it’s not clear how – encrypting DNS hides the domains people visit but not inherently the fact web requests are being made from UK ISPs (although it would stop ISPs from implementing their own domain filters).


Phone fingerprint scanner fooled by chewing gum packet

By Paul Ducklin

Nokia’s funky new phone, known as the Nokia 9 PureView, has some very cool features.

Five of them, in fact – five cameras, arranged on the back of the phone like a spider’s eye, capturing 12 megapixels each to make the device a snapper’s delight.

The Nokia 9 also includes a fingerprint scanner – a feature that Apple recently ditched from its smartphone range so that the screen could reach right to the edges of the device, as modern style dictates, but that several modern Android devices have retained by building the fingerprint detector into the screen itself.

That sounds like the best of both worlds: a good-looking screen plus convenient biometric security that is based on more than just a picture of your face.

Fingerprint scanners, however, aren’t perfect, with the result that we’ve written several stories over the years about the tricks that hackers have found to bypass them.

Positives and negatives

A fingerprint sensor bypass is what’s known in the jargon as a false positive, where an invalid fingerprint is incorrectly recognized as genuine, and the device is wrongly unlocked.

The opposite misbehavior is a false negative, where even the genuine owner of the device can’t get in because their own fingerprint is wrongly rejected.


Hotspot finder app blabs 2 million Wi-Fi network passwords

By Lisa Vaas

This should come as no surprise, but it still sucks big-time: thousands of people who downloaded a random, very popular app called WiFi Finder found that it got handsy with users’ own home Wi-Fi, uploading their network passwords to a database full of 2 million passwords that was found exposed and unprotected online.

The leaked database was discovered by Sanyam Jain, a security researcher and a member of the GDI Foundation who reported his find to TechCrunch. Jain and TechCrunch’s Zack Whittaker spent more than two weeks fruitlessly trying to contact the developer, who they believe is based in China.

Receiving no reply, they instead turned to the host, DigitalOcean, which yanked the database within a day of their contact.

According to the app’s Google Play listing, it’s been installed more than 100,000 times.

The app does what it says it does: it searches for nearby hotspots, maps them, and enables users to upload all their stored Wi-Fi passwords. Unfortunately, in spite of what the app developer – Proofusion – claims, WiFi Finder doesn’t differentiate between public hotspots and what Whittaker says are the “countless” home Wi-Fi networks found by TechCrunch and Jain.

The exposed database didn’t give away contact information for any of the Wi-Fi network owners, but it did include geolocation data. The geolocations often corresponded to what look like wholly residential areas where there don’t appear to be any businesses, suggesting that the logins are for home networks.


Once again, it’s 123456: the password that says ‘I give up’

By Lisa Vaas

The essence of most people’s regard for cybersecurity: we’re DOOMED.

That’s one of the key takeaways from the UK’s National Cyber Security Centre (NCSC), which released the results of its first ever UK cyber survey on Sunday, along with a list of the most craptacular passwords found most often in breached databases.

The findings were released ahead of the NCSC’s CYBERUK 2019 conference in Glasgow this week.

Some of those doomy gloomy findings: 70% of the 1,350 Brits surveyed between November 2018 and January 2019 believe they’re going to be cyber-pounced on sometime in the next two years, and it will put on some hurt, aka a “big personal impact.”

Many people – 37% – think that getting mugged online for money or personal details is inevitable these days. Losing money is the biggest concern, with 42% feeling it’s likely to happen by 2021. That’s not keeping them from buying stuff online, though: 89% are using the internet to make online purchases, and 39% say they do so on a weekly basis.

Although 80% said that cybersecurity is a “high priority,” that doesn’t mean that the doomed plan to do anything about it. In fact, some of the groups most likely to say it’s a priority are the least likely to take protective action. For example, older people – those aged 55-64 – are the likeliest to say it’s a high priority, and 16-24 year-olds are least likely to prioritize it. However, the youngsters are more likely to say they’re capable when it comes to cybersecurity, and they’re more likely to flip the switch on some protection.


April 22, 2019 »

WannaCry hero Hutchins now officially a convicted cybercriminal

By ul Ducklin

Remember the reluctant WannaCry hero?

WannaCry was ransomware that made big headlines in mid-2017 for two important reasons.

First, it was a true computer worm, or virus, that automatically propagated itself to the next guy, and the next guy…

…and so on, meaning that although it drew attention to itself very quickly, it was nevertheless able to spread far and fast.

SophosLabs estimated that it infected 200,000 computers in 150 countries within four days of showing up in the wild.

Second, WannaCry’s spreading mechanism used a exploit code known as ETERNALBLUE, allegedly developed by the US National Security Agency for secret intelligence-gathering purposes.

That exploit, along with many others, was subsequently stolen in a data breach at the NSA, offered for sale for a while at an outrageous price, and finally dumped for anyone to use for free around the start of 2017.

Microsoft pushed out a patch at the start of 2017 that effectively immunised everybody who applied it, but those who neglected or declined that update ended up at risk.


Facebook: we logged 100x more Instagram plaintext passwords than we thought

By Paul Ducklin

About a month ago, Facebook owned up to a programming blunder that’s been a top-of-the-list coding “no-no” for decades.

The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash used for verifying that your password was correct.

Well, it’s just updated its March 2019 admission to state that the number of plaintext passwords found scattered round its systems in various logfiles is greater that originally thought.

Back in March, the damage was said to involve hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users, but yesterday the company updated its bulletin to say:

Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.

Simply put, the chance that your Instagram password was stored somewhere in a logfile, somewhere in Facebook’s network, turns out to be 100 times greater than you might have thought last month.


Serious Security: Ransomware you’ll never find – and how to stop it

By Paul Ducklin

Imagine that you’ve been hit by ransomware.

All your data files are scrambled, you’re staring at a ransom note demanding $1000, and you’re thinking, “I wish I hadn’t put off updating that cybersecurity software.”

When the dust has settled – hopefully after you’ve restored from your latest backup rather than by paying the blackmail charge – and you’ve got your anti-virus situation sorted out, your burning question will be…

…where did the malware come from?

But what if, no matter how carefully and deeply you scan, you can’t find any trace that there ever was any malware on your computer at all?

Unfortunately, as our friends over at Bleeping Computer recently reported, that can happen, and it’s one case where not being infected yourself is actually a bad sign, rather than a good one.

The Bleeper crew have had several reports of users whose files were scrambled from a distance across the internet, by ransomware running on someone else’s computer.


Facebook user data used as bargaining chip, according to leaked docs

By Lisa Vaas

User privacy is super-duper important, Facebook has said publicly for years out of one side of its mouth, while on the other side it’s been whispering to third-party app developers to come on in and feast – this user data is tasty.

Well, that’s confusing, its own employees have said, according to yet more newly revealed internal discussions.

NBC News, one of a handful of media outlets that got its hands on the documents, said that the cache contains about 4000 pages of leaked company documents that largely span Facebook communications from 2011 to 2015.

(Computer Weekly reported on Monday that it was 7000. At any rate, it was a lot of documents.)

Photos visible to “Only me?” Says YOU

As NBC reports, the documents show that in April 2015, Facebook product designer Connie Yang told colleagues that she’d discovered apps collecting profile data she’d marked as visible only to herself. Yang wrote that apps were displaying her “only [visible to] me” data as being visible to…

…both you and *other people* using that app.

The documents show that regardless of users locking down their accounts so that their photos and other data were visible to “only me,” they could still be transferred to third parties, according to the documents.

That’s only one of an ocean’s worth of revelations in the cache of internal documents, which include emails, chats, presentations, spreadsheets, and meeting summaries that show that top Facebook execs – including CEO Mark Zuckerberg and chief operating officer Sheryl Sandberg – mulled the idea of selling access to user data for years.


April 18, 2019 »

Google plays Whack-A-Mole with naughty Android developers

By Lisa Vaas

Following updates to Android application programming interfaces (APIs) and Google Play policies, some developers have been surprised to find they’ve been blocked from distributing apps through Google Play.

Sorry, Google said on Monday: we’re playing Whack-A-Mole with “bad-faith” developers.

Google said that the “vast majority” of Android developers are good at heart, but some accounts are rotten to the core.

At least, some accounts are suspended after “serious, repeated” violations of policies meant to protect Android users, according to Sameer Samat, VP of Product Management, Android & Google Play.

Samat said that such developers often try to slip past Google’s checks by opening up new accounts or hijacking other developers’ accounts in order to publish their unsafe apps.

In order to fend off those repeat offenders, developers without an established track record can henceforth expect to be put through a more thorough vetting process, Samat said.

Sorry for the 1% of blunders

As with any move made to boost Android security, this one’s bound to misfire, he said – although he claimed that 99% of Google’s suspension decisions are correct.

The company isn’t always able to share the reasoning behind deducing that a given account is related to another, he said, but developers can immediately appeal any enforcement.


Chrome flaw on iOS leads to 500 million unwanted pop-up ads

By John E Dunn

If you own an iOS device and use the Chrome browser, there is a chance during the last week that you’ve encountered some strange-looking advertising pop-ups.

There are no rewards, of course, because these pop-up ads are run by a cybercrime group and exist to generate revenue for the crooks – you don’t get to share the spoils.

But the bigger question that bugged Confiant’s researchers when they analysed the pop-ups was how they were bypassing Chrome’s iOS ad-blocking protection.

The volume of campaigns was massive – 500 million pop-ups since 6 April 2019, apparently – featuring 30 adverts connected to a cybercrime group called eGobbler.

Aiming such a large volume of ads at the users of one platform and browser, iOS Chrome, also looked a little unusual.

Sure enough, Confiant discovered the campaigns had found a way to beat Chrome’s pop-up blocker by exploiting a previously unknown and unpatched security vulnerability.

Google was told of the issue last week, which Confiant hasn’t yet explained in detail because it remains unpatched:

We will be offering an analysis of the payload and POC [proof-of-concept] exploit for this bug in a future post given that this campaign is still active and the security bug is still unpatched in Chrome as of this blog post.


Oracle issues nearly 300 patches in quarterly update

By Danny Bradbury

Oracle is keeping people busy before the Easter weekend. The company has issued a raft of quarterly security updates for 297 vulnerabilities, along with an urgent warning to patch now.

The latest Critical Update Patch contains vulnerabilities spanning dozens of products including its Fusion Middleware product set, which received 53 new security fixes overall – 42 of them for vulnerabilities that could in theory be exploited remotely over a network with no user credentials

The Oracle E-Business Suite accounted for 35 new security fixes in the critical patch update – 33 of them for remotely exploitable bugs. The Suite encompasses business applications including enterprise resource planning, customer relationship management, and supply chain management.

Also high on the list of affected product groups was Oracle Communications Applications, which received 26 security fixes for vulnerabilities, 19 of which were remotely exploitable.

The software giant’s suite of retail applications got 24 security fixes between them; Oracle Database Server had six; Java SE, which Oracle acquired along with Sun Microsystems in 2010, had five holes patched.


April 17, 2019 »

Mozilla to Apple: Protect user privacy with rotating phone IDs

By Danny Bradbury

Mozilla has criticized Apple for its latest privacy marketing campaign, urging it to provide more automatic protection for users behind the scenes. The nonprofit Mozilla Foundation has launched a petition to enhance a little-known feature in iOS devices that could make it harder for advertisers to track mobile users.

In a blog post, Mozilla praised Apple for its privacy track record but criticized its latest marketing campaign, with the slogan “Privacy. That’s iPhone.” The iPhone vendor has produced tongue-in-cheek videos showing people in various situations they’d rather keep private. Mozilla responded:

A key feature in iPhones has us worried, and makes their latest slogan ring a bit hollow.

Mozilla has a problem with the Identifier for Advertisers (IDFA), which is a hexadecimal code unique to every iPhone. When mobile users click a banner, play a video, or install an app, media companies can pass that information to advertisers along with the IDFA. The code doesn’t identify you, but it enables them to build up a profile of your activities.

The IDFA is a crucial tool in advertisers’ quest for attribution. This marketing concept ties individual product purchases or subscriptions to the advertisements that promoted them. The missing link is an individual’s series of responses to those advertisements over time. This is what the IDFA provides, and Mozilla finds it distasteful:

It’s like a salesperson following you from store to store while you shop and recording each thing you look at. Not very private at all.

Apple has sided with privacy advocates against advertisers before. In September 2017, it shipped IOS 11 with a new feature for the mobile version of Safari called intelligent tracking prevention. This feature, which also hit macOS Safari the same month, used machine learning to better manage cookies. These are small files, different to IDFAs, that websites and advertisers place in the browser to identify users later on.


Ad blocker firms rush to fix security bug

By Danny Bradbury

If you’re using an ad blocker to filter out online commercials, then beware: You might be vulnerable to a new attack revealed on Monday that enables hackers to compromise your browser.

The vulnerability, discovered by security researcher Armin Sebastian, affects Adblock, Adblock Plus, and uBlock (but not uBlock Origin). It stems from a filtering option introduced into the ad blockers in July 2018. The option allowed the programs to rewrite web requests, cleaning them of tracking data.

The problem is that an attacker can exploit this rewrite function using XMLHttpRequest. This is a programming feature all modern browsers use to request data from a server after a page has loaded. They can also attack the server using an API called Fetch, which allows similar operations. An attacker can load a JavaScript string using either of these features and execute the returned code.

For the attack to work, the browser must visit another server after hitting a legitimate web page. Hackers can force that if the server allows open redirects. This is when the server takes a URL as input from the client and redirects to it, no matter what it is.

An attacker can also get their executable code into the browser via the $rewrite function if they can get it onto the legitimate web page. That’s possible if the server lets the user post their own content (such as in a comments section or social media timeline) and doesn’t use proper input validation to check the post for malicious commands.

Finally, for the attack to work, the server must not restrict where it can fetch content from. It must not validate the final request URL either, because the attacker will have tampered with it.


Internet Explorer browser flaw threatens all Windows users

By John E Dunn

Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).

The latest is a proof of concept (POC) published by researcher John Page (aka hyp3rlinx) that exploits a weakness in the way the browser handles MHTML (MHT) files, IE’s default web page archiving format.

If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these, it attempts to open them using IE which means that an attacker simply has to persuade the user to do that. Success would…

Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.

IE should throw up a security warning, but this could be bypassed Page said:

Opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.

No escape

Does this matter to users who’ve moved on to Windows 10 or simply stopped using IE years ago?

Unfortunately, it does because IE 11 ships with every consumer Windows PC – including Windows 10 – for compatibility reasons (only Enterprise and Education licensees can optionally exclude it).

However, on Windows 10, IE still needs to go through a short setup process when it runs for the first time, something that might draw attention to attacks targeting the flaw discovered by Page.


Microsoft confirms and Hotmail accounts were breached

By John E Dunn

Between 1 January and 28 March this year hackers were able to access a “limited number” of consumer, Hotmail and MSN Mail email accounts, Microsoft has confirmed.

News of the attack first emerged late last week when the company started sending emails to what seems to be a small subset of affected users which ended up being discussed on Reddit:

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.

Microsoft says that data access was limited:

This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments.

When Microsoft realized the stolen credentials were being abused, it disabled the access, the company added. The crucial sentence:

It is important to note that your login credentials were not directly impacted by this incident.

Microsoft still recommends that everyone receiving a notification should change these as a precaution, and also warned that affected users were now at risk of receiving phishing emails.


Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack

By John E Dunn

For nearly a week, Instagram users have been receiving odd messages from followers expressing shock that their accounts have somehow ended up on something called the “Nasty List.”

If you receive one, the message with an embedded link will look something like the following example (the list and placement numbers vary):

OMG your actually on here, @TheNastyList_xx, your number is 26! it’s really messed up.

In the cold light of day, it looks dubious but social media is all about rapid clicking so that’s what some people do, unaware of the danger they are heading towards.

According to Bleeping Computer, clicking on TheNastyList profile link leads to a page containing a second link that says it will let the user see everyone on the imaginary list.

Readers will probably have worked out what’s coming next – anyone following this is asked for their Instagram username and password (the link on the login page isn’t a legitimate Instagram address but it seems a lot of people don’t notice this).

Anyone entering their credentials will find themselves in a spot of trouble, starting with their entire base of followers receiving the same message telling them that they too are on the Nasty List – and so the social media phishing attack grows.

They’ll also potentially have handed control of their account to criminals to do whatever they want with.


Google’s location history data shared routinely with police

By Danny Bradbury

Law enforcement officials in the US have been routinely mining Google’s location history data for criminal investigations. Requests have escalated in the last six months, according to The New York Times.

The location data resides in Sensorvault, a Google system that logs information provided by the search and advertising giant’s mobile applications. Applications may gather the data even when not running, depending on the phone’s settings. However, for Sensorvault to store their data a user must have opted in to Location History, a feature that Google introduced in 2009. It stores daily movements based on raw data communicated via these apps.

Police officers don’t request the phone data of a particular suspect. Instead, they serve reverse location warrants, also known as ‘geofence’ warrants. These request anonymous IDs and locations relating to all phones found in a particular area over a particular time.

Officers analyze this data, looking for movement patterns that correlate with potential suspects or witnesses. When they narrow down the search to a handful of devices, they can request those users’ names and other information from Google.

The report highlighted several instances in which federal law enforcement have used this technique. They include the March 2018 bombings in Austin, Texas, along with a 2016 murder in Florida.


US feds’ names, home and email addresses hacked and posted online

By Danny Bradbury

A group of hackers that doxed thousands of federal law enforcement employees last week has followed up with more posts offering even more victims’ personal information.

The hacking group, which we won’t name here, published the personal details of around 4.000 federal law enforcement employees last week after breaching three related websites. It had defaced at least two of the three websites, publishing its logo on them, which remained viewable until at least Sunday.

Employees at the FBI, Secret Service, Capitol Police, and US Park Police were among those doxed, alongside police and sheriffs’ deputies in North Carolina and Florida, according to reports. Records posted on the group’s website included the individuals’ home addresses, phone numbers, emails and employers’ names.

The attackers harvested the information from websites associated with the FBI National Academy Associates (FBINAA), which is a non-profit organization of 17,000 law enforcement professionals. In a statement released Saturday, FBINAA said the attack had affected three of its chapters, all of which used an unnamed third party’s software. It added:

We believe we have identified the three affected Chapters that have been hacked and they are currently working on checking the breach with their data security authorities. We have checked with the national database server/data provider and they have assured us that the FBINAA national database is safe and secure.

The hacking group soon followed up with what it claimed were more hacked databases. On Saturday, 13 April, it posted a 1.1GB file containing what it said were dumps from six government databases. These appeared to be from three nonprofit associations for government professionals. Four of the hackers were from one group’s state-level chapters, according to information posted on the page.


Security weakness in popular VPN clients

By John E Dunn

Numerous enterprise VPN clients could be vulnerable to a potentially serious security weakness that could be used to spoof access by replaying a user’s session, an alert from the Carnegie Mellon University CERT Coordination Center (CERT/CC) has warned.

Connecting to an enterprise VPN gateway made by a specific company usually requires a dedicated application designed to work with it. So far, the issue has only been confirmed in applications from four vendors – Palo Alto, F5 Networks, Pulse Secure, and Cisco – but others could be affected.

The problem is the surprisingly basic one that applications have been insecurely storing session and authentication cookies in memory or log files which renders them vulnerable to misuse. CERT/CC explains:

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Which, if it were to happen on a network imposing no additional authentication, would be like handing over the privileges of an enterprise VPN to anyone able to get their hands on the vulnerable data.


April 15, 2019 »

Facebook admits “supply chain data leak” in new Oculus headsets

By Paul Ducklin

Oculus, Facebook’s virtual reality subsidiary, has fessed up to what might be the weirdest ever data leak.

OK, so it might not actually be a data leak at all, even though messages that weren’t supposed to be released seem to have got out.

And even if it is a data breach, it’s kind of cool – did we say that aloud, or just think it? – and may end up making the affected devices more sought after, and worth more money on online auction sites, than vanilla ones.

At any rate, if we were a Data Privacy Officer – a job that we suspect might be thin on opportunities for fun, games and humor – we’d be cracking a smile at this one, if not breaking into laughter, instead of reaching for our breach report forms.

The leaked messages are, literally and physically, printed characters that ended up hidden inside “tens of thousands” of new Oculus motion controllers.

We’re not big VR fans ourselves, but we think that motion controllers are the things you strap onto your hands so you can waft your way through vitality, rather than the masochistic-looking faux diving goggles [Can we just say ‘sinister’ or ‘peculiar’ instead?Ed.] that you wear while immersed in unreality.


Assange arrested, faces extradition for hacking

By Paul Ducklin

Julian Assange, founder of whistleblowing organization WikiLeaks (or co-founder, depending on whom you ask) , and arguably Ecuador’s most famous Londoner (or infamous, depending on whom you ask), is in custody following his arrest yesterday.

Assange rose to fame by leaking secret government documents that the WikiLeaks organization acquired from a wide range of sources.

The best-known WikiLeaks exposé is probably Cablegate, a massive dump of US State Department diplomatic cables exfiltrated by junior US soldier Bradley Manning, now Chelsea Manning, who was arrested in 2010 for making off with some 30 years’ worth of confidential US data.

Manning apparently burned the data to a rewritable CD, pretending she was listening to Lady Gaga tunes from the CD while writing hundreds of thousands of diplomatic cables onto it.

Amazingly, one person – and a soldier with the rank of Private, at that – was able to copy everything without triggering any sort of “data access overload” warning at any point.


Feds say Russian 2016 election meddling spanned all US states

By Danny Bradbury

A multi-agency report has strengthened claims that Russia meddled with election systems in all 50 US states during the last presidential race.

The report is called a joint intelligence bulletin (JIB), and it comes from the Department of Homeland Security and the FBI. It is an unclassified document intended for internal distribution to state and local authorities.

Intelligence newsletter OODA Loop reports that the JIB reveals stronger evidence of Russian interference. Agencies believe that Russian agents targeted more than the 21 states initially suspected.

According to the bulletin:

Russian cyber actors in the summer of 2016 conducted online research and reconnaissance to identify vulnerable databases, usernames, and passwords in webpages of a broader number of state and local websites than previously identified, bringing the number of states known to be researched by Russian actors to greater than 40.

Although there are some gaps in the data, the bulletin claims “moderate confidence” that Russia conducted “at least reconnaissance” against all US states because its research was so methodical, it added.

Russia’s cyberspace election meddling played out between June and October 2016, with most activity occurring in July, the JIB said. They researched election-related websites and information in at least 39 states or territories, with Secretary of State websites drawing the most attention. They proceeded alphabetically through the states “with some exceptions”, although OODA Loop doesn’t say what they were.


Flickr tackling online image theft with new AI service

By Danny Bradbury

Photo-sharing website Flickr is trying to combat copyright infringement with a service that spots copies of its users’ images online. The company is partnering with image monitoring company Pixsy to offer the AI-powered feature.

Flickr began offering the service this week, claiming it as a step forward in the fight to protect its members’ rights, stating:

We remain aware of the fact that photo theft is a sad reality of the online world and a major issue for photographers trying to make a living off of their work

It will offer the service to paying members under its Pro subscription. It enables them to monitor up to 1000 images and lets users send 10 DMCA takedown notices for free. The Digital Millennium Copyright Act lets copyright owners send cease and desist letters to people using their content online without permission.

Pixsy scours the internet looking for images that are registered with it, and tries to find a match. The BBC tested the service with mixed results. The AI tool found an image of its reporter Cody Goodwin used in a news story on its site used by 26 other news websites.

However, it also tested a picture of the same reporter in its Los Angeles bureau with the Hollywood sign in the background, and it flagged up an image of (very different person) Stormy Daniels in that studio instead. Apparently, the software still has some work to do.

What if you are not a Flickr Pro user? All is not lost. You can head over to Pixsy and sign up for a free account, which gives you the ability to monitor 500 images without paying a penny. You don’t get the free takedown notices that you get with a Flickr Pro account, though.


Android phones transformed into anti-phishing security tokens

By John E Dunn

Google just announced a new security feature that allows users of Android 7 and later to use their smartphones to authenticate themselves to their Google accounts.

The surprise announcement was buried inside a pile of enterprise-oriented enhancements revealed at Google Cloud Next 2019 in San Francisco on Wednesday.

Released in beta, the feature is designed to protect Google users from phishing attacks. Once enabled, the user logs into their Google account using their username and password as normal before authenticating that their enrolled smartphone is present by clicking on a message that appears on the screen.

It’s identical in principle to using a FIDO USB token such as the YubiKey (or Google’s Titan key equivalent launched last year), except that the smartphone itself becomes the token.

This defeats phishing in the same way a token does because even if attackers get hold of someone’s Google username and password, they can’t access the account without also having the smartphone.


To use your Android phone (tablets don’t appear to be supported yet) as a security key, you must have a phone running Android version 7.x or later, and you need to turn on Bluetooth.

Your computer must also have Bluetooth, and be running the latest version of the Chrome browser, on a Chrome OS, macOS X or Windows computer.


April 11, 2019 »

Ban the use of ‘dark patterns’ by tech companies, say US lawmakers

By Danny Bradbury

Lawmakers are getting wise to online companies’ manipulative user interface design practices. Congressional leaders in the US unveiled a new law this week to ban the use of ‘dark patterns’ by large online players.

What are these dark patterns? Senator Mark Warner, one of the Act’s sponsors, describes them as design choices based on psychological research. They are…

…frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.

Warner’s Deceptive Experiences To Online Users Reduction (DETOUR) Act makes it illegal for online companies with over 100 million users to design interfaces that aim at:

Obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data.

What kinds of techniques are we talking about, and what decisions do they coerce users into making?

The website, created by user experience consultant Harry Brignull, calls out several kinds of manipulative user interface behaviors with some delightful names.

These include confirmshaming. This guilts the user into opting into something. You’ll have seen this on some passive-aggressive websites that try to make you sign up for mailing lists. Instead of just offering a ‘No’ option, they’ll say something like “no, I don’t want to stay abreast of current industry trends”.

Other examples include Privacy Zuckering, which trick users into publicly sharing more information about themselves than they wanted to. Guess who it’s named after?


App could have let attackers locate and take control of users’ cars

By Danny Bradbury

A smartphone app used to control vehicles across North America left them wide open to attackers, it was revealed on Monday. The MyCar application, from Canada-based AutoMobility Distribution, allowed anyone that knew about the vulnerability to control, monitor, and access vehicles from an unauthorized device, experts said.

MyCar is an app available on both iOS and Android devices that serves the aftermarket telematics market. Users can install connected devices into their cars, turning them into IoT devices that they can control via a cellular connection. According to its website, the MyCar app lets users control their cars remotely from anywhere by communicating with one of these devices via AutoMobility Distribution’s servers.

Users can remotely start their car, lock and unlock vehicles, or locate them. Other features include getting the temperature and vehicle battery levels, and sharing your vehicle with other users or even transferring it to a new owner.

The company sells the app under a service plan. Users get the smartphone app, the hardware device to install in their car, and service for a set period of one or three years.

It all sounds very convenient, especially when you want a nice warm car waiting for you on those cold winter mornings. Unfortunately, according to a vulnerability note issued by Carnegie Mellon University’s Software Engineering Institute, the app also enabled attackers to take control of your car.


Toddler locks father out of iPad for 25.5 MILLION minutes, or until 2067

By John E Dunn

Last week a father thought he’d been permanently locked out of his Apple iPad after his young son repeatedly entered an incorrect passcode.

‘Permanently’ in this context means 25.5 million minutes (or 25,536,442), equivalent to over 48 years. That’s the wait time that confronted journalist Evan Osnos last week when he looked at the iPad screen after recovering it from the youngster’s grasp.

Naturally, he turned in his hour of need to the world’s biggest tech support system, Twitter.

But how does such a thing happen? The short answer is not easily.

A lot of stories mention that Osnos’s son entered an incorrect passcode 10 times without mentioning how hard that is to do this in a short space of time.

It’s common knowledge that if you get the code wrong five times, the user is locked out for one minute – that could have happened in seconds.


April 10, 2019 »

Mar-a-Lago intruder had instant-malware-inflicting thumb drive

By Lisa Vaas

It turns out that Yujing Zhang, the Chinese woman arrested when she tried to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach, Florida, on 30 March, had a number of suspicious devices in her hotel room – as in, tools good for inflicting malware and spying, and more than $8,000 in cash, all suggesting that she was here for espionage.

As it was, she was carrying four cellphones, a thumb drive containing malware, and other electronics when she breached security at President Trump’s private Florida club. In getting past multiple security checkpoints, she first told US Secret Service agents that she was bound for the hotel’s pool.

Then, supposedly confused by a language barrier that came and went as Zhang used and then apparently forgot competent, nuanced English, Mar-a-Lago staff thought she might be the daughter of a club member with the same last name – one that’s common in China. Next, Zhang told Secret Service agents that she was headed for some kind of United Nations Chinese American Association event that night… or, as she said in her next version, a “United Nations Friendship Event” between the US and China.

As the Miami Herald reports, during a bond hearing in a Florida federal court on Monday, federal prosecutor Rolando Garcia said that a search of Zhang’s room yielded still more gadgetry: a “signal-detector” device used to reveal hidden cameras, USD $7,500 in $100 bills, $663 in Chinese currency, nine USB drives, five SIM cards and other electronics.

…and no swimsuit.

CNN quoted Garcia during the hearing, which was held to determine whether Zhang would be released on bail:

She lies to everyone she encounters.

Zhang was charged with two counts: making false statements to federal authorities and a misdemeanor offense of entering a restricted area without authorization. She hasn’t been charged with offenses that could be associated with international spying, but an FBI counterintelligence squad is investigating the incident as part of a broader investigation into Chinese espionage, and prosecutors are treating Zhang’s case as a national security matter, sources told the Miami Herald.


Two robocallers fined $3m for Google listings scam

By Danny Bradbury

Two robocall scammers have been fined over $3 million in a US court for defrauding small businesses. The pair pretended to represent Google and falsely took unwitting business owners’ money in return for the promise of better search results.

Judge Cecilia Altonaga fined Dustin Pillonato and Justin Ramsey, owners of Pointbreak Media, LLC and Modern Source Media LLC, $3,367,666.30 for their robocalling campaign.

According to a court affidavit filed last May, they used their robocall system to phone small businesses offering Google listing ‘claiming and verification’ services. They said that they were affiliated with Google and warned them that their businesses would be removed from Google search results unless they paid up. It was, in short, a shakedown. As in, ‘nice search ranking you’ve got there. It’d be a shame if something happened to it.’

They went further, though, trying to upsell the victims with extra services like higher rankings on certain keywords. When victims paid up, they got nothing.

To add insult to injury, this pair even called people on the FTC’s National Do Not Call Registry, which is the system that it set up to protect consumers from nuisance calls.

Pointbreak Media had already drawn attention from Bank of America Merchant Services, according to the affidavit, which closed the company’s account in October 2017 due to predatory services, scare tactics, and high chargeback rates. It added:

Point Break then wrote itself hundreds of checks, without authorization, using prior or existing customer checking account data.


Two teens charged with jamming school Wi-Fi to get out of exams

By Lisa Vaas

Two 14-year-old boys have been charged with jamming their school’s Wi-Fi network to get out of taking exams, authorities said on Monday.

According to, the New Jersey high school freshmen have been charged with computer criminal activity and conspiracy to commit computer criminal activity. School officials reportedly notified police on Thursday after a week of the Wi-Fi network having been forced to crash multiple times.

According to, Capt. Dennis Miller said that school officials at Secaucus High reached out to the Secaucus Police Department to notify them that the two students were part of a “scheme where they would disrupt the school’s WiFi service upon demand.”

Their names haven’t been released, given that they’re minors. The boys were released to their parents and are expected to appear in juvenile family court in Jersey City at an unknown date.

Schools Superintendent Jennifer Montesano said on Monday that the Wi-Fi is back up and is running just fine. She didn’t give details, but she did say that an investigation found two students “who may have been involved in the disruption of our system.”

How did they do it?

Some students told that they believe the boys were using a Wi-Fi interrupter program or app to crush the school’s routers with traffic in a denial of service (DoS) attack – an attack that caused the network to fail when students tried to log on to do classwork or take online exams.

The news outlet talked to a junior at Secaucus High who said that she learned about the Wi-Fi being down when a friend told her that she’d asked one of the suspects to jam the signal during an exam.


Knock and don’t run: the tale of the relentless hackerbots

By Matt Boddy

If you have an IoT device in your home, you could be receiving an average of 13 login attempts to these devices per minute.

That’s what I found in my latest research project. Over the past 3 months, I’ve setup and monitored 10 honeypots located across 5 different continents. These have been waiting patiently for SSH login attempts to better understand how often you face cybercriminals knocking at your network’s metaphorical front door.

Once I’d set up the honeypots, it took no time at all for the hackers to begin their login attempts. In one instance, a device was attacked less than one minute after deployment, in others it took nearly two hours before login attempts began. But once the login attempts started, the attacks were relentless and continuous. In total, I saw more than 5 million attempted attacks on all my honeypots, over the 30-day period they were live.

But that wasn’t all I found.

Default usernames and passwords

The research revealed that a lot of the login attempts monitored on these honeypots were using default usernames and passwords of devices that the average person would find in their home.

I saw default username and password combinations for routers, CCTV cameras and NAS devices, and combinations like the username pi with the password raspberry popping up together many times over.

This is the default username and password combination for Raspbian, which is a distribution of Linux designed for the Raspberry Pi.


April 9, 2019 »

Chrome, Safari and Opera criticized for removing privacy setting

By John E Dunn

It’s a browser feature few users will have heard of, but forthcoming versions of Chrome, Safari and Opera are in the process of removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings.

This is a long-established HTML feature that’s set as an attribute – the ping variable – which turns a link into a URL that can be tracked by website owners or advertisers to monitor what users are clicking on.

When a user follows a link set up to work like this, an HTTP POST ping is sent to a second URL which records this interaction without revealing to the user that this has happened.

It’s only one of several ways users can be tracked, of course, but it’s long bothered privacy experts, which is why third-party adblockers often include it on their block list by default.

Until now, an even simpler way to block these pings has been through the browser itself, which in the case of Chrome, Safari and Opera is done by setting a flag (in Chrome you type chrome://flags and set hyperlink auditing to ‘disabled’).

Notice, however, that these browsers still allow hyperlink auditing by default, which means users would need to know about this setting to change that. It seems that very few do.

In contrast, Firefox changed the hyperlink auditing flag to off by default from version 30 in 2008, since when users have had to turn it on via about:config > browser.send_pings set to ‘true’.


Airbnb says sorry after man detects hidden camera with network scan

By Lisa Vaas

A New Zealand infosec consultant on holiday with his family in Cork saved them all from being livestreamed by a hidden Spycam in an Airbnb by a) being good and paranoid and b) knowing his way around a network scan.

You can see all seven of them smiling up at the webcam in this 1 April Facebook post from Nealie Barker.

That photo came from a camera camouflaged to look like a smoke alarm. The Barker family only discovered it was actually a spycam because, as Nealie told CNN, her husband, Andrew Barker, routinely runs scans of networks when they check into lodgings and sign on to the Wi-Fi networks.

Nealie says that their first impulse was to call Airbnb. Talk about unhelpful. CNN quoted her:

They had no advice for us over the phone. The girl just said that if you cancel within 14 days, you won’t get your money back.

OK …and if you don’t pack up and vamoose, you get what? Your kids live-streamed on some creepster site, maybe? That’s certainly happened.

Next move: Andrew called the host. The host’s reaction: *Click!*

After the host initially hung up on Andrew, he later called back and insisted that the camera in the living room was the only one in the house.


We didn’t feel relieved by that.

She said that the host refused to say whether he was recording the livestream or capturing audio.


Hacker unlocks Samsung S10 with 3D-printed fingerprint

By Danny Bradbury

A lone security researcher just gave Samsung’s mobile phone cybersecurity technology the finger. According to a video posted on the Imgur site on Friday, it’s possible to bypass the biometrics on the new Galaxy S10 range in just a few minutes, using a 3D-printed fingerprint.

Released in February, almost every phone in the Galaxy S10 range features a fingerprint reader under the screen, contrasting with the previous generation of Galaxy S phones which put it on the back of the device. The only exception is the S10 Essential, which has a capacitive resistor on the side of the phone.

Capacitive technology is what most modern non-display fingerprint sensors use. It measures the electrical resistance between the tiny ridges and valleys of your fingerprint as they contact the sensor, creating a 2D image of it.

Under-display sensors take a different approach, using ultrasonic technology to bounce sound waves off the user’s finger. This creates a 3D ultrasound image of your fingerprint, containing information about the depth of its ridges and valleys.

Cool, right? Not according to Darkshark, an anonymous researcher who appeared to show themselves unlocking a Samsung S10 using a 3D printed-fingerprint.

In the description, Darkshark said that they photographed their finger on the side of a wine glass using their smartphone. Then they used Photoshop to increase the contrast and create an alpha mask (which is a fully-opaque version of an image). Using the 3DS Max 3D modeling software, they created a geometry displacement, which is a version of the alpha image with depth information from the original. Then, they used an Anycubic Photon resin-based 3D printer, which costs around US$500, to reproduce the print.


Fired sysadmin pleads guilty to doxxing five senators on Wikipedia

By Lisa Vaas

Jackson A. Cosko, a former sysadmin for US Sen. Maggie Hassan, has admitted to breaking into her office after he got fired, installing keyloggers, and using ripped-off employee credentials to get into senators’ Wikipedia entries so as to dox their contact information, the Department of Justice (DOJ) announced on Friday.

Cosko, 27, pleaded guilty to two counts of making public restricted personal information, one count of computer fraud, one count of witness tampering and one count of obstruction of justice related to publicizing the private information of five senators in autumn 2018.

He’s looking at between 30 and 57 months of prison time. The plea agreement also requires Cosko to forfeit computers, cellphones and other equipment he used in the crimes.

Getting fired steamed him

In his plea agreement, Cosko admitted that he was angry after getting fired from his job as a sysadmin at Hassan’s office in May 2018 and knew it would make it tough for him to get a new job.

The office had shut down his work accounts, but that didn’t stop Cosko from burglarizing the senator’s office at least four times. He started his nighttime forays in July, letting himself in with a former colleague’s keys. That former colleague is now themselves a former employee, according to Hassan’s office. At least once, the colleague allegedly had handed Cosko the keys, knowing that Cosko was going to illegally enter the office, according to the plea agreement.

During the burglaries, Cosko carried out what the court filing called “an extraordinarily extensive data theft scheme,” copying entire network drives and then cherry-picking the nuggets of sensitive information he might be able to use later. He stole the data by installing unobtrusive, innocent-looking keyloggers on at least six computers.


Bootstrap supply chain attack is another attempt to poison the barrel

By Lisa Vaas

Last week, malicious code was slipped into Bootstrap for Sass, the free, open-source, very popular, and widely deployed front-end web framework.

The good news: the good guys stamped it into oblivion lickety-split.

According to the timeline provided by Snyk – a company that provides tools to find and fix known vulnerabilities in open source code – the malicious version of the package was published on the RubyGems repository for Ruby libraries on 26 March (but not on GitHub, where the library’s source code was being managed).

Malicious actors had rigged that bad package – version – with a stealthy backdoor that would have allowed for remote code execution (RCE) in server-side Rails applications.

Later that same day, software developer Derek Barnes smelled a rat and opened a GitHub issue for what he thought was a suspicious snippet of code in the brand-new – what would turn out to be malicious – version of bootstrap-sass. Just an hour later, the malicious version was yanked from the RubyGems repository, and the two developers responsible for maintaining the code had updated their credentials.

As of Wednesday, it hadn’t yet been confirmed how the attacker(s) had managed to publish the malicious RubyGem package, but the assumption was that they had gotten hold of a set of credentials.

So that’s the good news: it was actually spotted and dealt with very quickly, so kudos to Derek Barnes for spotting the problem and for everybody else who jumped on the fix so quickly.


« older