September 9, 2020 »

Phishing tricks – the Top Ten Treacheries of 2020

By Paul Ducklin

Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…

…it’s not the crooks on the other end.

The crooks are testing you all the time, so you might as well test yourself and get one step ahead.

(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)

You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customizable templates of its own that we update regularly.

The idea is to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.

Read more at https://nakedsecurity.sophos.com/2020/09/04/phishing-tricks-the-top-ten-treacheries-of-2020/

Vishing scams use Amazon and Prime as lures – don’t get caught!

By Paul Ducklin

Well-known US cybercrime journalist Brian Krebs recently published a warning about vishing attacks against business users.

The FBI promptly followed up on Krebs’s article with a warning of its own, dramatically entitled Cyber criminals take advantage of increased telework through vishing campaign.

So, what is vishing?

And how does it differ from phishing, something that most of us see far too much of?

The V in vishing stands for voice, and it’s a way of referring to scams that arrive by telephone in the form of voice calls, rather than as electronic messages.

Of course, many of us use voicemail systems that automatically answer and record messages when we aren’t able or willing to take a call in person, and many modern voicemail systems can be programmed to package up their recordings and deliver them as email attachments or as web links.

So the boundary between voice calls and electronic messages is rather blurred these days.

Nevertheless, many of us still routinely pick up calls in person when we can – especially those of us who run a business, or who have family members we’re supporting through coronavirus lockdown or who aren’t well and might need urgent help.

We know several people who keep a landline especially as a contact point for family and friends.

They give out their landline number sparingly on what you might call a “need-to-know” basis, and use their mobile number – which is comparatively easy to change if needed, and easy to monitor and filter using a suitable app – for day-to-day purposes where giving out a working number can’t easily be avoided.

As you can imagine, however, the crooks only need to uncover your phone number once, perhaps via a data breach, and they can call it forever, especially if it’s a landline that you’re keeping because people who are important to you know it and rely on it.

Read more at https://nakedsecurity.sophos.com/2020/09/03/vishing-scams-use-amazon-and-prime-as-lures-dont-get-caught/

Phishing scam uses Sharepoint and One Note to go after passwords

By Paul Ducklin

Here’s a phishing email we received recently that ticks all the cybercriminal trick-to-click boxes.

From BEC, through cloud storage, via an innocent-sounding One Note document, and right into harm’s way.

Instead of simply spamming out a clickable link to as many people as possible, the crooks used more labyrinthine techniques, presumably in the hope of avoiding being just one more “unexpected email that goes directly to an unlikely login page” scam.

Ironically, while mainstream websites concentrate on what they call frictionlessness, aiming to get you from A to B as clicklessly as possible, some cybercrooks deliberately add extra complexity into their phishing campaigns.

The idea is to require a few extra steps, taking you on a more roundabout journey before you arrive at a website that demands your password, so that you don’t leap directly and suspiciously from an email link to a login page.

Here’s the phish unraveled so you can see how it works.

Read more at https://nakedsecurity.sophos.com/2020/09/02/phishing-scam-uses-sharepoint-and-one-note-to-go-after-passwords/

September 1, 2020 »

Russian cybercrime suspect arrested in $1m ransomware conspiracy

By Paul Ducklin

Here’s a cybercrime conspiracy story with a difference.

When we write about network-wide ransomware attacks where a whole company is blackmailed in one go, two burning questions immediately come up:

  • How much money did the crooks demand?
  • Did the victim pay up?

The answers vary, but as you have probably read here on Naked Security, modern ransomware criminals often use a two-pronged extortion technique in an attempt to maximise their asking price.

First, the crooks steal a trove of company files that they threaten to make public or to sell on to other crooks; then they scramble the data files on all the company’s computers in order to bring business to a halt.

Pay up the blackmail money, say the crooks, and they will not only “guarantee” that the stolen data will never be passed on to anyone else, but also provide a decryption program to reconstitute all the scrambled files so that business operations can resume.

Recent reports include an attack on fitness tracking company Garmin, which was allegedly blackmailed for $10m and did pay up, though apparently after wangling the amount down into the “multi-million” range; and on business travel company CWT, which faced a similar seven-figure demand and ended up handing over $4.5m to the criminals to get its business back on the rails.

In contrast, legal firm Grubman Shire Meiselas & Sacks faced a whopping $42m ransomware extortion demand but faced it down, likening the crooks to terrorists and refusing to pay a penny.

More recently, US liquor giant Brown-Forman took a similar stance, refusing to deal with criminals after its network was infiltrated.

Read more at https://nakedsecurity.sophos.com/2020/08/27/russian-cybercrime-suspect-arrested-in-1m-ransomware-conspiracy/

Fake Android notifications – first Google, then Microsoft affected

By Paul Ducklin

If you’re a Google Android user, you may have been pestered over the past week by popup notifications that you didn’t expect and certainly didn’t want.

The first mainstream victim seems to have been Google’s own Hangouts app.

Users all over the world, and therefore at all times of day (many users complained of being woken up unnecessarily), received spammy looking messages.

The messages didn’t contain any suggested links or demand any action from the recipient, so there was no obvious cybercriminal intent.

Indeed, the messages looked like some sort of test – but by whom, and for what purpose?

The four exclamation points suggested someone of a hackerish persuasion – perhaps some sort of overcooked “proof of concept” (PoC) aimed at making a point, sent out by someone who lacked the social grace or the legalistic sensitivity of knowing when to stop.

Read more at https://nakedsecurity.sophos.com/2020/08/28/fake-android-notifications-first-google-then-microsoft-affected/

“Chrome considered harmful” – the Law of Unintended Consequences

By Paul Ducklin

An excellent article appeared last week on the APNIC blog.

Researched and written by Matthew Thomas of Verisign, the article is entitled Chromium’s impact on root DNS traffic, and it has raised some important issues amongst the Chromium browser development community relating to a feature in the browser code that’s known as the Intranet Redirect Detector.

To explain.

APNIC is the Asia Pacific Network Information Centre, headquartered in Brisbane, Australia, one of five internet number registries around the world.

These Regional Internet Registries (RIRs) look after global IP number allocations, maintain definitive internet domain name databases for their regions, and generally concern themselves with the health of the global internet.

As you can imagine, anything that upsets the balance of the internet – from spamming and cybercrime to misconfigured servers and badly-behaved network software – is of great concern to the RIRs.

The root DNS servers form the heart of the global Domain Name System, which automatically converts human-friendly server names such as nakedsecurity.sophos.com into network numbers that computers can use to send and receive traffic, such as 192.0.66.200 (that was our IP number when I looked it up today, as shown below).

As you can imagine, any unnecessary load on the root DNS servers could slow down internet access for all of us, by stretching out the time taken to convert names to numbers, something that our browsers need to do all the time as we click from link to link online.

Chromium, as you almost certainly know, is a Google open-source project that produces the software at the core of many contemporary browsers, notably Google’s own Chrome Browser, which accounts for the majority of web traffic these days on laptops and mobile phones alike.

Chromium is also used in many other browsers, including Vivaldi, Brave and – recently, at least – Microsoft Edge. (Of today’s mainstream browsers, only Safari and Firefox aren’t based on a Chromium core.)

Read more at https://nakedsecurity.sophos.com/2020/08/26/chrome-considered-harmful-the-law-of-unintended-consequences/

August 19, 2020 »

US liquor giant hit by ransomware – what the rest of us can do to help

By Paul Ducklin

US hard liquor giant Brown-Forman is the latest high-profile victim of ransomware criminals.

Even if the company’s name doesn’t ring a bell, some of its products are well-known to spirits drinkers world-wide: Brown-Forman is a multi-billion dollar business that owns Jack Daniel’s whiskey, Finlandia vodka and other global brands.

It’s a multi-billion dollar business, headquartered in Louisville, Kentucky – a US state that’s famous for American whiskey, better known as bourbon – and you can see why today’s big-money ransomware crooks might go after a company of that size and sort.

According to business media site Bloomberg, which claims to have received an anonymous tip-off from the crooks behind the attacks, the ransomware crooks involved are the infamous REvil or Sodinokibi gang.

Read more at https://nakedsecurity.sophos.com/2020/08/18/us-liquor-giant-hit-by-ransomware-what-the-rest-of-us-can-do-to-help/

Tor and anonymous browsing – just how safe is it?

By Paul Ducklin

An article published on the open-to-allcomers blogging site Medium earlier this week has made for some scary headlines.

Written as an independent research piece by an author going only by nusenu, the story is headlined:

How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

[More than] 23% of the Tor network’s exit capacity has been attacking Tor users

Loosely speaking, that strapline implies that if you visit a website using Tor, typically in the hope of remaining anonymous and keeping away from unwanted surveillance, censorship or even just plain old web tracking for marketing purposes…

…then one in four of those visits (perhaps more!) will be subject to the purposeful scrutiny of cybercriminals.

That sounds more than just worrying – it makes it sound as though using Tor could be making you even less secure than you already are, and therefore that going back to a regular browser for everything might be an important step.

So let’s look quickly at how Tor works, how crooks (and countries with strict rules about censorship and surveillance) might abuse it, and just how scary the abovementioned headline really is.

Read more at https://nakedsecurity.sophos.com/2020/08/13/tor-and-anonymous-browsing-just-how-safe-is-it/

Facial recognition – another setback for law enforcement

By Paul Ducklin

So far this year, the use of facial recognition by law enforcement has been successfully challenged by courts and legislatures on both sides of the Atlantic.

In the US, for example, Washington State Senate Bill 6280 appeared in January 2020, and proposed curbing the use of facial recognition in the state, though not entirely.

The bill admitted that:

[S]tate and local government agencies may use facial recognition services in a variety of beneficial ways, such as locating missing or incapacitated persons, identifying victims of crime, and keeping the public safe.

But it also insisted that:

Unconstrained use of facial recognition services by state and local government agencies poses broad social ramifications that should be considered and addressed. Accordingly, legislation is required to establish safeguards that will allow state and local government agencies to use facial recognition services in a manner that benefits society while prohibiting uses that threaten our democratic freedoms and put our civil liberties at risk.

And in June 2020, Boston followed San Francisco to become the second-largest metropolis in the US – indeed, in the world – to prohibit the use of facial recognition.

Even Boston’s Police Department Commissioner, William Gross, was against it, despite its obvious benefits for finding wanted persons or fugitive convicts who might otherwise easily hide in plain sight.

Gross, it seems, just doesn’t think it’s accurate enough to be useful, and was additionally concerned that facial recognition software, loosely put, may work less accurately as your skin tone gets darker:

Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.

Read more at https://nakedsecurity.sophos.com/2020/08/11/facial-recognition-another-setback-for-law-enforcement/

Business Email Compromise – fighting back with machine learning

By Paul Ducklin

If you’re interested in artificial intelligence (AI) and how it can be used in cybersecurity…

…here’s a DEF CON presentation you’ll like, coming up this weekend!

DEF CON is perhaps the ultimate “come one/come all” hackers’ convention, now in its 28th year, and it famously takes place in Las Vegas each year in a fascinating juxtaposition with Black Hat USA, a corporate cybersecurity event.

Black Hat, where tickets cost thousands of dollars, runs during the week, and then DEF CON, where tickets are just a few hundred dollars, takes over for the weekend that follows, resulting in what can only be described as a Very Massive Week for those who attend both.

At least, that’s how it was last year, and for many years before that.

This year is different, of course – holding a physical conference and running all the many DEF CON Villages would have been impracticable due to coronavirus social distancing regulations, if it would even have been possible at all. (Though you would surely have seen the funkiest facemasks ever!)

The DEF CON Villages are breakout zones at the event where likeminded researchers gather to attend talks and discussions in research fields all the way from Aerospace, Application Security and AI to Social Engineering, Voting Machines and Wireless.

But DEF CON doesn’t give up easily and, like many other events in 2020, has gone virtual, wittily dubbing this year’s event DEF CON 28 SAFE MODE.

Read more at https://nakedsecurity.sophos.com/2020/08/07/business-email-compromise-fighting-back-with-machine-learning/

Porn blast disrupts bail hearing of alleged Twitter hacker

By Paul Ducklin

One of the alleged Twitter hackers faced a bail hearing in a Florida court yesterday.

ICYMI, the Twitter hack we’re referring to involved the takeover of 45 prominent Twitter accounts, including those of Joe Biden, Elon Musk, Apple Computer, Barack Obama, Kim Kardashian and a laundry list of others with huge numbers of followers.

The hacked accounts were then used to send out bogus Bitcoin investment messages along the lines of “pay in X bitcoins, get 2X back!”, although as an investigator in the criminal case wryly pointed out in his affidavit, “No bitcoin was ever returned, much less doubled.”

Amongst other things, the alleged crooks are said to have ended up with more than $100,000 of bitcoins sent in by trusting Twitter users who’d been duped by the upbeat messages that apparently came from celebrities.

As you can imagine, given current coronavirus concerns, even though the hearing took place before the court, not all the participants were actually in the courtroom.

Instead, the courtroom was hooked up to a Zoom meeting that was, it seems, not adequately secured against – how shall we put this? – external interference…

…with sadly predictable results.

Zoombombers, as they’ve become known, are miscreants who join in Zoom calls not to participate but to disrupt, something that’s all too easy if the call is set up with the same sort of implicit behavioral trust that everyone expects in face-to-face meetings.

Read more at https://nakedsecurity.sophos.com/2020/08/06/porn-blast-disrupts-bail-hearing-of-alleged-twitter-hacker/

July 8, 2020 »

Mozilla turns off “Firefox Send” following malware abuse reports

By Paul Ducklin

What do you do when you need to send a file to someone you don’t interact with a lot?

Many of us use email attachments for small files, because it’s quick and easy to share modest amounts of data that way.

Sure, the attachment will probably lie around in the recipient’s mailbox for days, or months, or even years, which might not be quite what you had in mind…

…but when you send someone else a file, you can’t control what they do with it anyway, or how long they keep it, or how widely visible it is on their corporate network after they save it.

Nevertheless, most emails are end-to-end encrypted these days, which at least means that files sent by email are unlikely to lie around (intentionally or otherwise) at your ISP, or at one or more third-party servers along the way.

But email is no good for large files such as audio data or videos, because most email servers quite reasonably have a low limit on message sizes to stop the system getting clogged up by attachments.

So the usual fallback for sending files that you can’t or don’t want to transmit via email is to use a file sharing service instead, which is rather like using webmail, only without the messaging part.

You upload the file to a file sharing site, optionally setting various options that describe which other users can see it, and for how long, and then send the recipient an email that contains a download link where they can fetch the file at their leisure.

Read more at https://nakedsecurity.sophos.com/2020/07/08/mozilla-turns-off-firefox-send-following-malware-abuse-reports/

Kinda sorta weakened version of EARN IT Act creeps closer

By Lisa Vaas

There are gut-churning tales of online child sexual abuse material (CSAM).

Last week, when a bill designed to strip legal protection from online abusers sailed through the Senate Judiciary Committee, UC/Berkeley Professor Hany Farid passed on this example from investigators at the Department of Justice’s Child Exploitation and Obscenity Section: a man had “expressed excitement for his soon-to-arrive ‘new material,’ sharing an in-utero picture of his unborn child with an online network of abusers.”

Now that the EARN-IT Act has crept closer to a full Senate hearing, we’re that much closer to finding out whether the bill can really help stem the flood of online CSAM, whether it’s a barely veiled attack on online privacy and end-to-end encryption, or all of the above.

During Thursday’s hearing on the bill, which they’d amended the day before, the proposed law’s co-sponsors stressed that it’s not a wooden stake to stick in encryption’s heart. Senator Richard Blumenthal claimed that the bill “is not about encryption and it never will be.” The other co-sponsor, Senator Lindsey Graham, said that his goal “is not to outlaw encryption”. Well, at least not at this point, maybe: he called that “a debate for another day.”

The critics of the proposed law aren’t swallowing it.

The day before the hearing, the co-sponsors amended the act to make it appear, at least, to be more of a nudge than a cudgel. As explained by the Electronic Frontier Foundation (EFF) – a staunch critic of the bill – the new version now gives state legislatures the power to regulate the internet in the quest to battle CSAM, as opposed to a 19-person federal commission.

Nonetheless, it still threatens encryption, its critics say, albeit less blatantly.

In its first iteration, the EARN-IT Act proposed a commission to come up with best practices to battle CSAM. That commission would have been controlled by Attorney General William Barr. Given how often Barr has said that he thinks that encrypted services should be compelled to create backdoors for police, it was easy to see the legislation as an embodiment of a threat from Graham and other senators to regulate encryption in lieu of tech companies willingly creating those backdoors.

Read more at https://nakedsecurity.sophos.com/2020/07/08/kinda-sorta-weakened-version-of-earn-it-act-creeps-closer/

July 7, 2020 »

Flashy Nigerian Instagram star extradited to US to face BEC charges

By Lisa Vaas

The US has dragged a fancy-pants, Instagram-star, high-fashion-flaunting, alleged Nigerian scammer out of the United Arab Emirates (UAE) and into Chicago to face charges that he helped launder beaucoup bucks gouged out of businesses in email compromise (BEC) scams.

His name is Ramon Olorunwa Abbas, aged 37, also known as “Ray Hushpuppi” and “Hush.” Abbas, a Nigerian national, arrived in Chicago Thursday evening after being extradited from the UAE. He made an initial court appearance in Chicago on Friday, but his case is expected to be transferred to Los Angeles in coming weeks.

As of Monday, you could still check out his public, uber-blingy Instagram account, where Abbas has 2.4 million followers. It lists him as a real estate developer. The photos show him slouching on pricey couches in luxury hotels, riding in charter jets, wearing fancy sneakers and designer clothes, sporting expensive watches, posing in or with Richie Rich cars – think Bentleys, Ferraris, Mercedes and Rolls Royces – and lavishing pictorial love on Dior this and Gucci that.

So much Gucci. In fact, Abbas’s Instagram account listed his Snapchat contact name as “The Billionaire Gucci Master!!!”

Read more at https://nakedsecurity.sophos.com/2020/07/07/flashy-nigerian-instagram-star-extradited-to-us-to-face-bec-charges/

Company web names hijacked via outdated cloud DNS records

By Paul Ducklin

US security researcher Zach Edwards recently tweeted about finding 250 company website names that had been taken over by cybercriminals.

He didn’t name the brands, but insists that the organizations affected include banks, healthcare companies, restaurant chains, civil rights groups and more:

I reported ~250 enterprise subdomains I've found compromised over the last ~7 days // some of these orgs are MASSIVE (banks, tons of healthcare orgs, critical infrastructure, huge restaurant chains, power companies, insurance, civil rights groups). This story needs to be written.

— Zach Edwards (@thezedwards) July 3, 2020

The issue here is that the websites themselves haven’t been hacked, but their DNS entries have.

These attacks, known as DNS hijacks, happen when crooks don’t actually break into and take over a site itself, but instead simply change the “internet signposts” that point to it.

As you probably know, DNS, short for domain name system, is the distributed, global name-to-number database that automatically turns human-friendly server names such as nakedsecurity DOT sophos DOT com into computer-friendly IP numbers that are needed to send and receive network packets on the internet.
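The “outdated cloud DNS records” in the headline are the general case of this hijack: a CNAME or NS record is left pointing at a cloud-hosted name that the company has since deprovisioned, and anyone who can register that name at the provider inherits the traffic. The check below is an added example, not code from Naked Security or from Zach Edwards: it parses a small zone-file fragment, asks a resolver about every CNAME and NS target, and flags the records whose target no longer exists. The zone lines, the host names and the resolver answers are all constructed, and the resolver is a stand-in table so the script runs offline.

```python
"""
Flag zone records whose CNAME or NS target no longer resolves: the classic
precondition for a takeover via a stale cloud DNS record.
Added example, not the article's or the researcher's code. The zone data,
the names and the resolver answers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


def parse_zone(text):
    """Parse a minimal zone-file fragment of 'name TTL IN TYPE target' lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        name, _ttl, _cls, rtype, target = fields
        records.append(Record(name.rstrip(".").lower(),
                              rtype.upper(),
                              target.rstrip(".").lower()))
    return records


# Constructed stand-in for a live resolver. A value of None (or a name that
# is simply absent) plays the part of NXDOMAIN: the provider-side name is gone.
CONSTRUCTED_ANSWERS = {
    "shop-prod.example-cloud-host.test": "203.0.113.10",
    "old-campaign.example-cloud-host.test": None,
    "cdn.example-cdn.test": "198.51.100.7",
    "ns1.old-provider.test": None,
}


def constructed_resolve(name):
    """Return an address for name, or None when the name does not exist."""
    return CONSTRUCTED_ANSWERS.get(name)


def find_dangling(records, resolve=constructed_resolve):
    """Return (record, reason) pairs for CNAME/NS records whose target is gone."""
    findings = []
    for rec in records:
        if rec.rtype not in ("CNAME", "NS"):
            continue
        if resolve(rec.target) is None:
            findings.append((rec, f"{rec.rtype} target does not resolve (NXDOMAIN)"))
    return findings


# Constructed zone fragment for a hypothetical example.test domain.
ZONE = """
; www is served in-house; the others point at cloud providers
www     300 IN A     192.0.2.5
shop    300 IN CNAME shop-prod.example-cloud-host.test.
promo   300 IN CNAME old-campaign.example-cloud-host.test.
static  300 IN CNAME cdn.example-cdn.test.
legacy  300 IN NS    ns1.old-provider.test.
"""

if __name__ == "__main__":
    for rec, reason in find_dangling(parse_zone(ZONE)):
        print(f"{rec.name}: {rec.rtype} -> {rec.target}: {reason}")
```

To run this against a real zone, replace `constructed_resolve` with a function that performs a live lookup and returns None on NXDOMAIN. A target that still resolves is not proof of safety: many providers answer for any customer-shaped name, so a record that resolves should also be reconciled against the list of cloud resources the company actually still owns.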

Read more at https://nakedsecurity.sophos.com/2020/07/07/company-web-names-hijacked-via-outdated-cloud-dns-records/

July 6, 2020 »

Boston bans government use of facial recognition

By Lisa Vaas

It’s simple: Boston doesn’t want to use crappy technology.

Boston Police Department (BPD) Commissioner William Gross said last month that abysmal error rates – errors that mean it screws up most particularly with Asian, dark or female skin – make Boston’s recently enacted ban on facial recognition use by city government a no-brainer:

Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.

Thus did the city become the second-largest in the world, after San Francisco, to ban use of the infamously lousy, hard-baked racist/sexist technology. The city council voted unanimously on the bill on 24 Jun – here’s the full text, and here’s a video of the 3.5-hour meeting that preceded the vote – and Mayor Marty Walsh signed it into law last week.

The Boston Police Department (BPD) isn’t losing anything. It doesn’t even use the technology. Why? Because it doesn’t work. Make that it doesn’t work well. The “iffy” factor matters most particularly if you’re Native American, black, Asian or female, given high error rates with all but the mostly white males who created the algorithms it runs on.

According to a landmark federal study released by the National Institute of Standards and Technology in December 2019, Asian and black people are up to 100 times more likely to be misidentified than white men, depending on the particular algorithm and type of search. Commercial facial analysis systems vary widely in their accuracy, but overall, Native Americans had the highest false-positive rate of all ethnicities.

Read more at https://nakedsecurity.sophos.com/2020/07/06/boston-bans-government-use-of-facial-recognition/

Facebook hoaxes back in the spotlight – what to tell your friends

By Paul Ducklin

At the risk of giving you a feeling of déjà vu all over again…

…it’s time to talk about Facebook hoaxes once more.

Looking at the Naked Security articles that people have not only searched for but also read in large numbers over the past few days tells us that we’re in what you might call a “market uptick” for hoaxes at the moment.

The top two resurgent hoaxes in the past week have been the Instant bank fraud “warning” and the How to post to more than 25 friends “advice”.

Loosely speaking, most Facebook hoaxes – by which we really mean “posts that get shared virally despite being useless and inaccurate, yet that aren’t actually scams or phishing tricks” – take one of three forms:

  1. Warnings to watch out for something supposedly dangerous that isn’t going to happen, and wouldn’t be particularly dangerous even if it did.
  2. Instructions to copy a specific paragraph of bogus information exactly and repost it under your own name.
  3. Advice on how to check your cybersecurity settings that achieves nothing except giving you a false sense of security.

Read more at https://nakedsecurity.sophos.com/2020/07/03/facebook-hoaxes-back-in-the-spotlight-what-to-tell-your-friends/

Google buys AR smart-glasses company North

By Lisa Vaas

Google announced on Tuesday that it’s purchased a smart-glasses company called North and, notwithstanding its failure to bring Google Glass wearables to the masses, still plans to caress our vision with the vast tentacles of its helpfulness.

From the announcement, which was posted by Rick Osterloh, Senior Vice President, Devices & Services:

From 10 blue links on a PC, to Maps on your mobile phone, to Google Nest Hub sharing a recipe in the kitchen, Google has always strived to be helpful to people in their daily lives. We’re building towards a future where helpfulness is all around you, where all your devices just work together and technology fades into the background. We call this ambient computing.

Credit where credit’s due – “ambient computing” sounds friendlier than, say, “pervasive privacy-threatening creepster surveillance spectacles.” Privacy concerns contributed to the sinking of Google Glass. In January 2016, after years of development, Google shuttered its Glass social media accounts.

A year prior, Google had ended its Explorer program and stopped selling Glass. But a few months after that, Google executive chairman Eric Schmidt said that the move wasn’t meant to imply that Google was sticking a fork in its internet-connected eyeglasses.

No, Schmidt said, Google Glass wasn’t dead. It was just being fine-tuned for the masses. Google then focused work on a Glass spinoff for the enterprise.

Details of the North purchase, including how much Google’s paying for the Canadian company, weren’t disclosed.

Read more at https://nakedsecurity.sophos.com/2020/07/03/google-buys-ar-smart-glasses-company-north/

MongoDB ransom threats step up from blackmail to full-on wiping

By Paul Ducklin

Have you left a cloud database exposed online?

According to Dutch security researcher Victor Gevers of the Dutch Institute for Vulnerability Disclosure, who’s been hunting down insecure databases for years, thousands of MongoDB users have done just that – or, to be more precise, many tens of thousands of databases have shown up where they shouldn’t.

And that’s just this year.

A significant proportion of exposed databases have been modified by hackers in recent months to include a blackmail demand, in broken English, that says:

All your data is backed up. You must pay 0.015 BTC [currently about $135] to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server!

There’s a pseudo-anonymous email address that you can use to contact the extortionist, and a Bitcoin wallet for the money.

(We suspect that some victims will have exposed several different databases at the same time, given that a security blunder that’s easy to make once is just as easy to repeat.)

Note that when the extortion note says that “your data is backed up,” the crooks aren’t congratulating you on having a backup of your own.

What they mean is that, whether you have a backup or not, they have one, or so they say, and their leverage is that they’ll dump your data for the world to see, and tell the regulator, if you don’t cough up the money.

Read more at https://nakedsecurity.sophos.com/2020/07/02/mongodb-ransom-threats-step-up-from-blackmail-to-full-on-wiping/

133m records for sale as fruits of data breach spree keep raining down

By Lisa Vaas

A data breach broker has flooded a hacker forum with a whopping total of 132,957,579 user records.

Bleeping Computer is in touch with the data breach broker: a “known and reputable” broker who’s selling databases, all of which contain different data types but all of which include usernames and hashed passwords.

The companies whose databases are allegedly being peddled include game sites, food delivery services, soccer streaming, online fashion and loans. Out of the 14, only four are known to have been breached: Home Chef, Minted, Tokopedia and Zoosk.

Home Chef, a meal delivery service, confirmed a data breach two weeks after a hacker group named Shiny Hunters listed a database of 8 million customer records on a dark web marketplace. Shiny Hunters was the same group that claimed to be selling Zoosk’s records – along with nine other companies’ records, for a total of 73 million user records – in May.

For its part, Minted, a marketplace for independent artists, in late May confirmed that it had suffered a data breach earlier that month – confirmation that came after a hacker sold a database containing 5 million user records on a dark web marketplace. The name of the broker? Shiny Hunters.

Also in May, data breach monitoring and cybersecurity intelligence firm Under the Breach discovered that a hacker was offering the account information for 15 million users of Tokopedia – which is Indonesia’s largest online store – on a hacker forum for as little as USD $5,000. The broker? Shiny Hunters.

In sum: as Wired notes, during the first few weeks of May, the hacking group went on a data breach spree, hawking close to 200 million stolen records from over a dozen companies.

Bleeping Computer didn’t name the data breach broker it’s been in contact with, but it’s highly possible its initials turn out to be SH. The broker told the news outlet that the 14 databases they’re selling can be had for as little as $100, on up to $1,100.

Read more at https://nakedsecurity.sophos.com/2020/07/02/133m-records-for-sale-as-fruits-of-data-breach-spree-keep-raining-down/

July 1, 2020 »

Microsoft issues critical fixes for booby-trapped images – update now!

By Paul Ducklin

Microsoft has just released emergency patches for two critical security holes in the Windows Codecs Library.

We all know what Windows means.

But what is a Codecs Library, and why are bugs in it such a big deal that they need to be patched without waiting for the next Patch Tuesday to come round?

Well, codec is short for encoder-decoder, and it’s the jargon term for the sort of software that takes data of some sort – notably the raw data that represents the pixels in a video or the sound in an audio file – and reworks it so it can be sent and received easily.

The co- part of a codec takes something like a raw image, consisting of rows and rows of color pixels, and wraps it up in a format such as JPG or PNG so it can be saved into a file for downloading or streaming.

The -dec part does the reverse at the other end, reading in the file, decompressing it (most images and videos are compressed for transmission because this saves an enormous amount of bandwidth) and getting it back into its raw form so it can be displayed.

Read more at https://nakedsecurity.sophos.com/2020/07/01/microsoft-issues-critical-fixes-for-booby-trapped-images-update-now/

Firefox 78 is out – with a mysteriously empty list of security fixes

By Paul Ducklin

Yesterday was both a Tuesday and four weeks since the last major Firefox update, making it the official release date for the latest version.

There are now three mainstream flavors of Firefox to choose from: 68.10ESR, 78.10ESR and 78.0.

ESR is short for Extended Support Release, often preferred by IT departments because it gets security fixes at the same rate as the regular version, but only takes on new features in a staggered fashion – in other words, users of the ESR versions are shielded from sudden switches in appearance, user interface and workflow.

This time you can choose from 68.10ESR (the numbers to the left and right of the dot add up to the current major version number, in this case 78), which is Firefox with the look-and-feel of about a year ago plus 10 updates’ worth of security fixes, or 78.0ESR, which is largely the same as the regular version, as the numbers reveal.

Every time the ESR version “catches up” with the regular version’s features, Mozilla releases the old-style and the new-style ESR versions in parallel so there’s always an overlap period in which to try out both before switching over.

The new Firefox 78.0 does have some visible changes, notably the addition of a special web page called the Protections Dashboard, accessible by putting about:protections in the address bar.

This gives you a summary of any trackers blocked recently, a button to entice you to sign up for Firefox’s breach alerts, and a link to the Firefox password manager.

Read more at https://nakedsecurity.sophos.com/2020/07/01/firefox-78-is-out-with-a-mysteriously-empty-list-of-security-fixes/

iOS 14 flags TikTok, 53 other apps spying on iPhone clipboards

By Lisa Vaas

In March, researchers Talal Haj Bakry and Tommy Mysk revealed that Android and iOS apps – including the mind-bogglingly popular, China-owned, video-sharing/often in privacy hot water TikTok – could silently, automatically read anything you copy into your mobile device’s clipboard.

Sexy selfies? Passwords copied from your password manager? Bank account information? Bitcoin addresses? Yes, yes, scary yes, yes. Anything you’ve copied recently, they’ll paste it into themselves. Such data is typically used for advertising and tracking purposes.

The covert content copying is possible not only for a device’s local data, but also on nearby devices, as long as the devices share the same Apple ID and are within about 10 feet of each other. That’s enabled by Apple’s universal clipboard: a clipboard that enables content to be copied on one device and then pasted into an app running on a separate device.

It’s “very, very dangerous,” Mysk told Ars Technica on Friday, after the discovery had bubbled to the surface yet again. The findings hit the headlines anew as Apple released the developer beta of iOS 14 – a release that flags this behavior.

Mysk said that the ability for apps to read content off nearby devices means that an app on an iPhone could possibly read sensitive data on the clipboards of other connected iOS devices, be they cryptocurrency addresses, passwords, or email messages, even if the iOS apps are running on a separate device.

The iOS 14 developer beta release – which you can download and install now to get an eyeful of this behavior – comes with a feature that’s custom-tailored to spotlight this kind of thing: namely, a banner warning that pops up every time an app reads clipboard contents.

Read more at https://nakedsecurity.sophos.com/2020/06/30/ios-14-flags-tiktok-53-other-apps-spying-on-iphone-clipboards/

June 29, 2020 »

Satori IoT botnet author sentenced to 13 months in prison

By Lisa Vaas

The coder who created the massive Satori botnet of enslaved devices and a handful of other botnets will be spending 13 months behind bars, the US Attorney’s Office of Alaska announced on Friday.

Kenneth Currin Schuchman, 22, from Vancouver, Wash., spent years developing distributed denial-of-service (DDoS) botnets. In September 2019, he pleaded guilty to operating the Satori botnet, made up of IoT devices, and at least two other botnets; to running a DDoS-for-hire service; to cooking up one of the evolving line of botnets while he was indicted and under supervised release; and to swatting one of his former chums, also while on supervised release.

Satori did massive damage: it and its iterations would be unleashed in record-setting DDoS attacks that enslaved more than 800,000 devices – things like home routers, security cameras and webcams – and flattened ISPs, online gaming platforms and web hosting companies.

Schuchman was indicted in September 2018 on two counts of fraud and related activity in connection with a computer, but in the plea agreement he struck with prosecution, he pleaded guilty to just one count of fraud and related activity in connection with computers, in violation of the Computer Fraud & Abuse Act (CFAA).

Schuchman worked with two criminal colleagues: “Vamp”, also known as “Viktor,” and “Drake”. The recently unsealed indictment reveals the names and locations of the two men who were sometimes his friends, sometimes his competitors and targets. Vamp is actually Aaron Sterritt, a national from the UK, while Drake turns out to be Logan Shwydiuk, a Canadian national.

Read more at https://nakedsecurity.sophos.com/2020/06/29/satori-iot-botnet-author-sentenced-to-13-months-in-prison/

Fancy hacking a PlayStation? Sony announces its bug bounty program

By Paul Ducklin

You’ve probably heard the French saying, “Plus ça change, plus c’est la même chose.”

Alliteratively coined by the French satirical writer Jean-Baptiste Alphonse Karr, it means that the more things change, the more they remain the same, and it’s a cynical observation that what seems like an improvement may not, in the end, sort out the underlying problems or attitudes it was meant to fix.

Well, here’s a change that really does seem to be a change, in heart as well as in direction!

Sony, maker of the PlayStation games console series, has not always been friendly to hackers.

About ten years ago, the company famously took legal action against a young George Hotz, better known as geohot, an American hacker – in the neutral sense of the word here – who has found his way into numerous “locked down” devices over the years.

Hotz, who is now into open source self-driving automotive software, has variously come up with jailbreaks (or roots as they are known on Android phones, after the Unix name for the top-level administrative account) for iPhones, locked-down Androids such as Galaxies

…and for the Sony PlayStation 3.

Read more at https://nakedsecurity.sophos.com/2020/06/26/fancy-hacking-a-playstation-sony-announces-its-bug-bounty-program/

REvil gang threaten to auction celebrity data from Mariah Carey, Lebron James, MTV and more

By Lisa Vaas

What would you do if your law firm to the stars were to be presented with this choice: pay us $42 million or we’ll sell Mariah Carey’s confidential legal documents on the dark web on 1 July?

… followed by a carefully laid out schedule to sell personal correspondence, contracts, agreements, non-disclosure agreements, court conflicts and other internal correspondence relating to other clients, including Nicki Minaj, Lebron James, Bad Boy Records, MTV and Universal?

If you were Allen Grubman, founder of the star-studded law firm Grubman Shire Meiselas & Sacks, you’d tell the ransomware crooks to get lost. Following a ransomware attack from the REvil cybergang that flattened gsmlaw.com in May, Grubman said he wouldn’t negotiate with the hackers, equating them to terrorists.

In the May attack, the gang stole more than 750GB in total. Now, the blackmailers are making good on their threats to publish it.

According to Variety, REvil has threatened to auction off sensitive documents from the firm’s top clients, laying out a schedule that begins on 1 July with documents from Mariah Carey, Nicki Minaj and Lebron James, starting at $600,000 per celebrity. They plan to auction off documents from Bad Boy Records (starting at $750,000) and from MTV and Universal (starting at $1 million each) two days after that. There’ll be more from an unspecified celebrity – or two or three or more of them, who knows – released on 5 July, the REvil gang promised.

Read more at https://nakedsecurity.sophos.com/2020/06/26/revil-gang-threaten-to-auction-celebrity-data-from-mariah-carey-lebron-james-mtv-and-more/
