Repairs & Upgrades

September 11, 2019

Wikipedia fights off huge DDoS attack

By John E Dunn

Last Friday, 7 September, Wikipedia suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

It’s not that Wikipedia isn’t attacked regularly – it is. It’s just that the DDoS that hit it around 17:40 (UTC) on that day was far larger than normal and carried on its attack for almost three days.

The site quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia.

The size of the attack has not been made public, although from details offered by mitigation company ThousandEyes it’s clear that it was an old-style volumetric flood designed to overwhelm Wikipedia’s web servers with bogus HTTP traffic.

Given the protection sites employ these days, this suggests that it was well into the terabits-per-second range used to measure the largest DDoS events on the internet.

In fact, most of that flood would never have reached Wikipedia’s servers, instead being thrown away by upstream ISPs as a protective measure once it became obvious that a DDoS was underway.
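A flood of the kind described above is visible long before it saturates a link: a handful of sources (or, for a botnet, a very large number of them) each far exceed the request rate a human browser produces. The following is an added example for this digest, not code from the article, Wikipedia or ThousandEyes. It runs a sliding-window, per-source rate check over a constructed set of access-log lines; the ten-second window and the 50-requests-per-window threshold are illustrative assumptions a real deployment would tune.

```python
"""Rate-based flood detection over web-server access logs.

Added example for this digest: not code from the article, Wikipedia or
ThousandEyes. The access-log lines are constructed in build_sample_log();
the window and threshold values are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, identity, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class FloodDetector:
    """Flags a source once it exceeds per_source_limit requests inside a sliding window."""

    def __init__(self, window_seconds=10, per_source_limit=50):
        self.window = timedelta(seconds=window_seconds)
        self.limit = per_source_limit
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.flagged = set()

    def observe(self, ip, ts):
        q = self.recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window (lines arrive in time order).
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.flagged.add(ip)
        return ip in self.flagged


def analyse(lines, window_seconds=10, per_source_limit=50):
    """Run the detector over an iterable of log lines and summarise the result."""
    det = FloodDetector(window_seconds, per_source_limit)
    total = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        total += 1
        det.observe(*parsed)
    return {"requests": total, "flagged": sorted(det.flagged)}


def build_sample_log():
    """Constructed sample: one flooding source plus one normal visitor."""
    base = datetime(2019, 9, 6, 17, 40, 0, tzinfo=timezone.utc)
    lines = []
    # Flooding source (documentation address): 200 requests for one page in 5 seconds.
    for i in range(200):
        ts = base + timedelta(milliseconds=25 * i)
        lines.append(f'203.0.113.7 - - [{ts.strftime(TS_FMT)}] "GET /wiki/Main_Page HTTP/1.1" 200')
    # Normal visitor: five requests, one per second.
    for i in range(5):
        ts = base + timedelta(seconds=i)
        lines.append(f'198.51.100.4 - - [{ts.strftime(TS_FMT)}] "GET /wiki/DDoS HTTP/1.1" 200')
    lines.sort(key=lambda l: parse_line(l)[1])  # merge the two sources into time order
    return lines


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

Per-source counting is the simplest form of this check; against a distributed flood, where each bot stays under the limit, the same sliding window is applied to the aggregate request rate or to a request signature (path, user agent) instead of the source address.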


LinkedIn can’t block public profile data scraping, court rules

By Lisa Vaas

An appeals court has told LinkedIn to back off – no more interfering with a third-party data-analytics startup’s use of the publicly available data of LinkedIn’s users.

The court’s decision, which affirmed that of a lower court, has been closely anticipated for what some legal scholars consider to be the case’s important constitutional and economic issues, as well as what critics believe could be a chilling effect on digital competition.

Constitutional scholar and Harvard law professor Laurence Tribe, for one, has weighed in on this issue to offer advice to the data-scraping startup in question, hiQ Labs.

At issue, Tribe has said, was that social media is the modern equivalent of the public square. He’s called LinkedIn’s attempts to stop hiQ from using its users’ publicly available data “a serious challenge to free expression in the modern world.”

Freedom of speech is not just about flag-burning. It’s about how you use information in the digital economy. Data is the new form of capital in creating products and services.

The decision was applauded for providing clarity around the scope of the nation’s major hacking law, the Computer Fraud and Abuse Act (CFAA). The Electronic Frontier Foundation (EFF), for one, said that it should come as a relief to researchers, journalists, and companies…

who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to.


Telegram fixes ‘unsend message’ bug that held on to your pictures

By Danny Bradbury

Imagine this: you’re at a party one Saturday night and, at 1 a.m., decide to send your best pal a picture of yourself doing a headstand wearing nothing but a pink tutu, slamming a litre of Smithwick’s finest from a beer bong.

Unfortunately, your best pal’s name is Sue, which also happens to be your boss’s name, and you selected the wrong contact. Ruh-roh. That’s a quick way to sober up.

Luckily, you sent the photo using Telegram Messenger, and you remember that it lets you delete entire messages and the pictures they contain both from yours and the recipient’s phone. Sue was probably asleep, so you can quickly wipe the message and no one will be any the wiser.

Phew, no harm done. Except for one important fact: it turns out that ‘unsend’ feature didn’t work properly.

Telegram introduced its ‘unsend message’ feature in version 3.16 back in 2017. It’s another feature in an app that has attracted privacy advocates everywhere for its ability to cloak communications, but security researcher Dhiraj Mishra has uncovered a flaw.

The Android version of Telegram stores any images received in the /Telegram/Telegram Images/ folder. When deleting a message, you’d expect it to delete the image as well. In fact, it left the picture intact in the folder. The recipient would have to know to look there, of course, but if they checked, they’d be able to see you in all your tutu-sporting, beer-bonging glory. Bang goes your promotion.


Facebook says location data in iOS 13, Android 10 may be confusing

By Lisa Vaas

On Monday, Facebook gave users a heads-up about changes coming in Android and iOS updates and how they let you see and manage your location data, how apps track you, and how Facebook’s use of your location data fits into all of it.

The post explains how Facebook’s app collects and uses background location data from smartphones: “background,” as in, when you’re not actually using the app.

You can see why Facebook might want to get its location data story out there now, in front of Apple’s release of iOS 13, which is expected in just a few days, on 19 September. (Android 10 was already publicly released – at least for Pixel devices – on 3 September.)

Facebook’s is, after all, one of the apps whose snail-slime trails of users’ location data iOS 13 is going to depict in maps.

From Facebook’s newsroom post:

If you are using iOS 13, you will begin to receive notifications about when an app is using your precise location in the background and how many times an app has accessed that information. The notification will also include a map of the location data an app has received and an explanation why the app uses that type of location information.

Apple announced the background location feature in June.

Craig Federighi, Apple’s senior vice president of software engineering, said at the time that sharing your location data with a third-party app can “really enable some useful experiences,” but that “we don’t expect to have that privilege used to track us.”

iOS 13 will show users a map of where apps have been tracking you when requesting permission


Mozilla increases browser privacy with encrypted DNS

By Danny Bradbury

Mozilla is about to turn on-by-default an oft-overlooked privacy feature in Firefox. The desktop version of the browser will soon automatically encrypt your website requests using a feature called DNS-over-HTTPS (DoH), it said on Friday.

DNS (short for Domain Name System) is the service that takes a human-readable website name and turns it into an IP address a computer can use. (Your DNS service provider is usually your ISP, but it doesn’t have to be. There are free and commercial DNS services too.)

The problem is that computers normally send DNS requests in the clear. That means an evil man-in-the-middle sniffing the Wi-Fi in your local coffee shop, or stationed on any of the computers between you and your DNS resolver, can meddle with your DNS. They can spy on it, to see what sites you’re visiting, or change it, to send you somewhere else.

The Internet Engineering Task Force (IETF) has worried about the privacy implications of DNS for years. In 2018, it attempted to solve them by introducing DoH. It handles all DNS queries over the HTTPS protocol, which is protected by TLS encryption. Not only does this encrypt DNS, but it also uses the same ports that handle HTTPS sessions, which are different to the ports used for DNS queries. That makes DoH requests look the same as regular HTTPS traffic and makes it impossible for ISPs to block the use of DoH without also blocking all web access.

The desktop version of Firefox has provided DoH support since Firefox 62, but it was turned off by default. Mozilla had been experimenting with it before switching it on by default to make sure that it didn’t break anything – such as parental control systems or the safe search capability on some search engines, like Google.
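To make concrete what DoH actually carries over port 443, here is an added example for this digest, not code from the article or from Mozilla. It builds the DNS wire message for an A-record query exactly as a plain-UDP client would (RFC 1035), then wraps it the two ways RFC 8484 allows: as a base64url `dns=` parameter on a GET, or as an `application/dns-message` POST body. It also parses a constructed response, including the name-compression pointer that real responses use. Nothing is sent on the network; the resolver URL `https://doh.example.net/dns-query` and the answer address are assumptions.

```python
"""Building and parsing DNS messages for DNS-over-HTTPS (RFC 8484).

Added example for this digest: not code from the article or from Mozilla.
Constructs the DNS wire message a DoH client wraps in an HTTPS request and
parses a constructed response. Nothing is sent; the resolver URL and the
answer data are assumptions/constructed values.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1

def encode_name(name):
    """Encode 'example.com' as DNS labels: 07 'example' 03 'com' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=0):
    """DNS query: 12-byte header plus one question. RFC 8484 recommends
    transaction id 0 so identical queries give cache-friendly identical requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def doh_get_url(resolver_url, msg):
    """GET form: base64url without padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"

def doh_post_request(resolver_url, msg):
    """POST form: the raw message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": resolver_url,
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
            "Content-Length": str(len(msg)),
        },
        "body": msg,
    }

def read_name(msg, off):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_records(msg):
    """Return [(name, ipv4, ttl)] for the A records in a DNS response message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response message")
    off = 12
    for _ in range(qdcount):                         # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records

def build_sample_response():
    """Constructed reply to build_query('example.com'): one A record, documentation address."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = build_query("example.com")[12:]
    answer = (b"\xC0\x0C"                                     # pointer to the question name
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
              + bytes([203, 0, 113, 10]))
    return header + question + answer

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.net/dns-query", q))
    print(parse_a_records(build_sample_response()))
```

The message bytes are identical to what a classic UDP/53 query would carry; what changes is only the transport, which is why an on-path observer sees an ordinary TLS session to port 443 and a blocking rule would have to cut off HTTPS as a whole.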


Google & Apple pushed to reveal gun scope app users’ names to feds

By Lisa Vaas

US Immigration and Customs Enforcement (ICE) is looking into illegal exports of a gun scope, and its investigation includes going after Apple and Google to get them to hand over the names of who’s using an associated gun-scope app.

The Department of Justice (DOJ) on Thursday filed a court order demanding that the two companies turn over data on some 10,000 users of Obsidian 4: an app from American Technologies Network Corp. (ATN) that connects the scope to smartphones or tablets via Wi-Fi so that gun owners can watch a live video stream of their hunt and calibrate their smart scope.

Apple doesn’t release app download numbers, but Google Play says that the app’s been downloaded over 10,000 times. How many of those installs are from actual users is another question, though, given how many recent reviews say that they’re only downloading in protest of the government demanding that Google and Apple hand over a list of the app’s users.


Facebook loses control of key used to sign Android app

By Lisa Vaas

Android apps are digitally signed by their developers. Digital signatures are created using a private cryptographic key, and the word ‘private’ means just what it says – the value of the signature depends on keeping the signing key private.

After all, if someone else gets hold of your private key then they can sign their own apps with it and pass them off as yours.

Facebook, however, is reportedly shrugging off the fact that it lost control of one of its app-signing keys and that apps signed with that same key are popping up in unofficial repositories.

The signing key that Facebook lost was apparently used to vouch for the Free Basics by Facebook app. According to Artem Russakovskii, the owner of the Android Police website and its sister site, APK Mirror, which hosts Android apps for download, third-party apps signed with that key have appeared online.

Free Basics, in case you are wondering, is part of Facebook’s 2016 plan to connect everyone on the planet, for free.


September 4, 2019

QR codes need security revamp, says creator

By Danny Bradbury

Museums use them to bring their paintings to life. Restaurants put them on tables to help customers pay their bills quickly. Tesco even deployed them in subway stations to help create virtual stores. QR codes have been around since 1994, but their creator is worried. They need a security update, he says.

Engineer Masahiro Hara dreamed up the matrix-style barcode design for use in Japanese automobile manufacturing, but, as many technologies do, it took off as people began using it in ways he hadn’t imagined. His employer, Denso, made the design available for free. Now, people plaster QR codes on everything from posters to login confirmation screens.

If you thought QR codes were just a passing marketing gimmick, think again. They’re hugely popular in China, where people used them to make over $1.65 trillion in payments in 2016 alone, and Hong Kong too has just launched a QR code-based faster payments system.

The codes generated enough interest that Apple even began supporting them natively in iOS 11’s camera app, removing the need for third-party QR scanning apps.

Hara is a little spooked by all these new uses for a design that originally just helped with production control in manufacturing plants. In a Tokyo interview in early August, he reportedly said:

Now that it’s used for payments, I feel a sense of responsibility to make it more secure.

He’s right to be concerned. Attackers could compromise people in various ways using QR codes.

One example is QRLjacking. Listed as an attack vector by the Open Web Application Security Project (OWASP), this attack is possible when someone uses a QR code as a one-time password, displaying it on a screen. The organization warns that an attacker could clone the QR code from a legitimate site to a phishing site and then send it to the victim.


YouTube reportedly to be fined up to $200m over COPPA investigation

By Lisa Vaas

Google has reportedly agreed to pay between $150 million and $200 million to resolve the FTC’s investigation into YouTube and its allegedly illegal tracking and targeting of kids who use the video streaming service.

In June, people familiar with the matter told news outlets that the Federal Trade Commission (FTC) was nearing the end of an investigation into YouTube’s alleged failure to protect the kids who use the Google-owned service.

That was followed by letters sent to the FTC about the matter from children’s privacy law co-author Senator Edward Markey and two consumer privacy groups. They urged the FTC to do whatever it takes to figure out if YouTube has violated the law protecting children and, if so, to make it shape up and stop it.

That “stop it” recommendation included Markey’s request that the FTC force Google to establish “a $100 million fund to be used to support the production of noncommercial, high-quality and diverse content for children.”

In July, the Washington Post was the first to report on the finalization of the settlement. Sources familiar with the issue told the newspaper that the FTC’s investigation concluded that Google hasn’t properly protected kids who use YouTube and has suctioned up their data, in violation of the Children’s Online Privacy Protection Act (COPPA), which outlaws tracking and targeting kids younger than 13.

Now, sources have put forward a number: they told Politico that Google has indeed agreed to pay between $150 million and $200 million to resolve the FTC’s investigation into YouTube.


EFF and Mozilla scold Venmo over app’s privacy failings

By John E Dunn

The increasingly tense stand-off between privacy campaigners and the popular mobile payment app Venmo has taken another turn for the worse.

The latest salvo is an open letter by the Electronic Frontier Foundation (EFF) and Firefox makers The Mozilla Foundation to Dan Schulman and Bill Ready, respectively the CEO and COO of Venmo owner, PayPal.

Their complaint has three strands to it, the first of which is the long-running gripe that transactions made using Venmo are still not private by default.

The second worry is that anyone using the app can see who someone is connected to through their friends’ list.

Together these create the third problem – it’s likely that many Venmo users don’t realise the privacy effect of these settings, which means they might be giving away data about their personal habits they’d rather not. As the EFF/Mozilla letter puts it:

It appears that your users may assume that, like their other financial transactions, their activity on Venmo is both private and secure.

How we got here

Founded a decade ago, people use Venmo’s digital app wallet to send money to other users, for example conveniently splitting restaurant bills or bar tabs. It can also be used to buy things from participating merchants.

In practice, Venmo is also used to pay for everything from rent and personal debts to illegal drugs and prostitutes.


September 3, 2019

iPhone attack may have targeted Android and Windows too

By John E Dunn

Last week’s significant hack of iPhones also targeted Android smartphones and Windows computers, it has been reported.

According to unnamed sources speaking to a news site TechCrunch, the campaign was part of the Chinese Government’s attempts to monitor the Uighur ethnic group.

Google already dropped hints about nation-state involvement in its announcement, but a separate report that Windows and Android devices were also on the target list offers a new twist to the story.

If correct, the inclusion of Windows and Android shouldn’t be surprising – it makes sense when targeting specific groups of people through a small group of websites to target as many computing devices as possible so as not to miss anyone.

Of course, none of this can currently be verified. For now, these are simply unnamed sources talking to a few journalists, offering information that might never be confirmed.

Indeed, the fact that it is being taken seriously at all is partly down to the fact that the companies involved – Google, Microsoft, Apple – seem unwilling to deny any of it.


China’s new face-swapping app Zao gets whiplash-fast privacy backlash

By Lisa Vaas

Launched on Friday and viral practically right off the bat, the brand-new, AI-outfitted, deepfake face-swapping app Zao can swap users’ photos to those of celebrities zippity quick.

And just as fast as greased lightning, the app got itself banned from China’s top messaging app service, WeChat, after its meteoric rise in China’s app stores was countered by a fierce privacy backlash.

Sina Technology reports that on Sunday, the company behind the Zao mobile app had posted onto Weibo – China’s Twitter-like microblogging service – an apology and a request to please give it some time to figure out privacy issues.

Forbes gave this translation:

We thoroughly understand the anxiety people have towards privacy concerns. We have received the questions you have sent us. We will correct the areas we have not considered and require some time.

Regardless of that apology and a tweak to Zao’s originally “we own your stuff forever” terms of service, that same day, WeChat banned the posting of any external links shared from Zao, saying that…

The app has security risks.


FBI asks Google for help finding criminals

By Danny Bradbury

How would you prepare to rob a bank? You’d scope out the location, suss out the quietest times, and use clothing to conceal your identity. But would you leave your phone at home? Judging by news that surfaced last week, you probably should – at least if it has Google’s software on it.

The Verge reports that FBI agents issued the search and advertising giant with a warrant in November 2018, seeking its help with a bank robbery the month before.

The robbery took place at 9:02am on 13 October 2018 at the Great Midwest Bank in Hartland, Wisconsin. Two robbers entered the building, one of them waving a handgun and forcing staff to the floor. He filled a plastic bag with cash and demanded the key to the vault. He took three drawers of cash from the vault, and then both robbers left the building by the back door. The whole thing took just seven minutes.

Investigators, hitting a brick wall, turned to Google. The search warrant said:

Google collects and retains location data from Android-enabled mobile devices when a Google account user has enabled Google location services. The company uses this information for location-based advertising and location-based search results. This information is derived from GPS data cell site/cell tower information, and Wi-Fi access points.

It added:

It is probable that the unknown suspects of this investigation had cellular telephones which utilized either Google’s Android or Apple OIS [sic] operating systems.


XKCD forums breached

By Lisa Vaas

The forum for the techie-darling comic strip XKCD was still offline on Monday afternoon after Troy Hunt’s breach site, Have I Been Pwned, reported on Sunday that 562,000 of the forum’s accounts had been breached sometime in August.

A breach notice on the forums echoed Hunt’s message: portions of the forums’ phpBB user table showed up in a cache of leaked data, it said. The forum exposed usernames, email addresses, passwords salted and hashed using the obsolete MD5 hashing function, and IP addresses.

To translate: MD5 is a hashing function, and it’s not a good one. For over a decade, it’s been recognized as not producing truly random hashes and there have been far, far better solutions for storing passwords for decades.

As Naked Security’s Mark Stockley said back when he ditched his Yahoo account, the final nail in the coffin was the fact that Yahoo said, in its December 2016 mega-breach announcement, that it was hashing passwords with MD5 (and, in some cases, encrypted or unencrypted security questions and answers).

Was Yahoo bolstering the not-so-random randomness of MD5 hashing by using it in the context of a more complex “salt, hash and stretch” password storage routine, like PBKDF2, bcrypt or scrypt?

Yahoo didn’t say – not a good sign. So out the window went Mark’s Yahoo account.
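The difference between what the breached forum stored and the “salt, hash and stretch” routine the article contrasts it with is easiest to see side by side. The following is an added example for this digest, not code from the article, the XKCD forums, phpBB or Yahoo. The `md5$` layout is a generic salted-MD5 scheme used only for illustration, and the PBKDF2 iteration count and scrypt cost parameters are illustrative assumptions. Beyond the article's point, it also shows the usual migration path: a legacy hash is verified once at login, when the plaintext is available, and immediately replaced by a stretched one.

```python
"""Password storage: salted MD5 versus salt-hash-and-stretch (PBKDF2, scrypt).

Added example for this digest: not code from the article, the XKCD forums,
phpBB or Yahoo. The md5$ layout is a generic salted-MD5 scheme for
illustration; the cost parameters are illustrative assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1     # ~16 MiB of memory per guess


def legacy_md5_hash(password, salt=None):
    """Salted MD5: one fast hash. The salt defeats precomputed tables, but MD5
    is so cheap that an attacker can still try billions of guesses per second."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salt, hash and stretch: PBKDF2-HMAC-SHA256 with a per-user salt and a
    deliberately high iteration count, so every guess costs the attacker too."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def scrypt_hash(password, salt=None, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """scrypt adds a memory cost on top of CPU cost, which hurts GPU/ASIC crackers."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify(stored, password):
    """Recompute under the scheme named in the stored string; compare in constant time."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "md5":
        candidate = legacy_md5_hash(password, bytes.fromhex(parts[1]))
    elif scheme == "pbkdf2_sha256":
        candidate = pbkdf2_hash(password, bytes.fromhex(parts[2]), int(parts[1]))
    elif scheme == "scrypt":
        candidate = scrypt_hash(password, bytes.fromhex(parts[4]),
                                int(parts[1]), int(parts[2]), int(parts[3]))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(candidate, stored)


def needs_upgrade(stored):
    """True for records still stored under the legacy scheme."""
    return stored.split("$")[0] == "md5"


def login(stored, password, rehash=scrypt_hash):
    """Verify a login; if the record is legacy, return a re-hashed record to
    store in its place. The plaintext exists only at login, so this is when a
    site can migrate old hashes without forcing a mass reset."""
    if not verify(stored, password):
        return False, stored
    return True, (rehash(password) if needs_upgrade(stored) else stored)


if __name__ == "__main__":
    old = legacy_md5_hash("correct horse battery staple")
    ok, new = login(old, "correct horse battery staple")
    print(ok, new.split("$")[0])
```

Storing the scheme and its parameters inside the record, as above, is what lets a site raise the cost factors later and re-hash users transparently as they log in, rather than being stuck with whatever was chosen a decade ago.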


WordPress sites are being backdoored with rogue admin users

By John E Dunn

Lock up your WordPress – a recent malvertising campaign targeting vulnerable plugins is now trying to backdoor sites by creating rogue admin accounts.

In July when web firewall company WordFence (aka Defiant) first noticed the campaign, it was attempting to hijack sites to push popup ads, tech support scams and malicious Android apps.

Plugins targeted included vulnerable versions of Coming Soon Page & Maintenance Mode, which followed attacks in April and May on the Yellow Pencil Visual CSS Style Editor and Blog Designer.

Six weeks on, perhaps encouraged by the number of vulnerable sites they found, the attackers have upgraded their attacks to take complete control of sites vulnerable to their attacks.

A new vulnerable plugin, Bold Page Builder, has also been added to the exploitation list, which attackers reportedly started targeting on 22 August.


August 29, 2019

Microsoft may still be violating privacy rules, says Dutch regulator

By Lisa Vaas

After the privacy hell-hole that was Windows 10 circa 2017-ish, you’re doing better, the Dutch Data Protection Authority (DPA) told Microsoft on Tuesday, but you still aren’t legally kosher, privacy-wise.

A very quick recap: Users howled. Regulators scowled. Microsoft tweaked in 2017. The DPA investigated those tweaks. The upshot of its investigation: the DPA has asked the Irish privacy regulator – the Irish Data Protection Commission, DPC – to re-investigate the privacy of Windows users.

What a long, strange privacy trip it’s been

A recap with more flesh on its bones: in 2015, Microsoft released Windows 10. From the get-go, France’s privacy watchdog – the National Data Protection Commission (CNIL) – had concerns about the operating system’s processing of personal data through telemetry.

Windows 10’s release had sparked a storm of controversy over privacy: concerns rose over the Wi-Fi password sharing feature, Microsoft’s plans to keep people from running counterfeit software, the inability to opt out of security updates, weekly dossiers sent to parents on their kids’ online activity, and the fact that Windows 10 by default was sharing a lot of users’ personal information – contacts, calendar details, text and touch input, location data, and more – with Microsoft’s servers.

After conducting tests, CNIL determined that there were plenty of reasons to think that Microsoft wasn’t compliant with the French Data Protection Act. In July 2016, it gave Microsoft three months to fix Windows 10 security and privacy.


Emergency iOS patch fixes jailbreaking flaw for second time

By John E Dunn

With iOS 13 nearing release, Apple users perhaps thought they were done with iOS 12 updates for good.

If so, they were wrong. On 26 August 2019, another update was released for the four-week-old iOS 12.4 in the form of iOS 12.4.1.

Apple doesn’t describe this as an ‘emergency’ patch – though as it addresses a serious vulnerability, it’s hard to interpret it as being anything else.

Why the rush? This is where it gets awkward for Apple. Version 12.4.1 closes a jailbreaking hole, which we delved into in some detail last week.

The short version

Originally patched in iOS 12.3 in May 2019 after being revealed by Google Project Zero researcher Ned Williamson as the ‘Sock Puppet’ exploit (CVE-2019-8605), the arrival of iOS 12.4 in July inadvertently undid that fix.

A researcher known as Pwn20wnd subsequently released a follow-up jailbreak exploit dubbed ‘unc0ver’ on 18 August 2019 which jailbroke some Apple iOS devices.

In other words, Apple fixed the flaw, accidentally unfixed it, and with the appearance of a jailbreak had to rush out iOS 12.4.1 to re-fix it for a second time.


Video captures glitching Mississippi voting machines flipping votes

By Lisa Vaas

“It is not letting me vote for who I want to vote for,” a Mississippi voter said in a video that shows him repeatedly pushing a button on an electronic touch-screen voting machine that keeps switching his vote to another candidate.

On Tuesday morning, the date of Mississippi’s Republican primary election for governor, the video was posted to Twitter…

…and to Facebook by user Sally Kate Walker, who wrote this as a caption:

Ummmm … seems legit, Mississippi.

Walker said in a comment that the incident happened in Oxford, Miss., in Lafayette County. A local paper, the Clarion Ledger, reported that as of Tuesday night, there were at least three reports confirmed by state elections officials of voting machines in two counties changing voters’ selections in the state’s GOP governor primary runoff.

The machines were switching voters’ selections from Bill Waller Jr. – a former Supreme Court Chief Justice – to Lt. Gov. Tate Reeves. Waller’s campaign told the Clarion Ledger it also received reports of misbehaving voter machines in at least seven other counties.


August 28, 2019

US charges 80 in world-spanning romance scam and email fraud ring

By Lisa Vaas

The US Department of Justice (DOJ) on Thursday unsealed a sprawling, 252-count, 145-page federal indictment charging 80 defendants – most of them Nigerian nationals – with conspiring to steal millions of dollars through online frauds that targeted businesses, the elderly and women.

Federal authorities cited the case of one of those romance-scam victims during a news conference on Thursday.

Identified only as “F.K.” in the indictment, the Japanese woman first met the fraudster who would come to bleed her of hundreds of thousands of dollars on an international social network for digital pen pals.

F.K. thought she was corresponding with a captain in the US Army, “Capt. Terry Garcia”, who was stationed in Syria. Over the course of 10 months, Garcia described in daily emails his scheme to smuggle diamonds out of the country.

F.K. borrowed money from her sister, her ex-husband and her friends to help out her fake boyfriend, but in the end, there were no diamonds.

She wound up $200,000 poorer and on the verge of bankruptcy. From the federal complaint:

F.K. was and is extremely depressed and angry about these losses. She began crying when discussing the way that these losses have affected her.

The indictment was unsealed after law enforcement arrested 14 defendants across the US, with 11 of those arrests taking place around Los Angeles. Two of the defendants were already in federal custody on other charges, and one was arrested earlier last week. The hunt is still on for most of the remaining defendants, who are believed to be abroad – mostly in Nigeria.


Android 10 coming soon, with important privacy upgrades

By Danny Bradbury

It’s official: Android 10, the next version of the Android operating system, ships 3 September 2019. Well, it’s semi-official, at least.

Mobile site PhoneArena reports that Google’s customer support staff let the date slip to a reader during a text conversation. Expect the operating system, also known as Android Q, to hit Google’s Pixel phones first before rolling out to other models. It will include a range of privacy and security improvements that should keep Android users a little safer.

Privacy features

Some of the most important privacy upgrades are those that stop applications and advertisers knowing more about your phone. Android 10 will now make apps transmit a randomised MAC address (this is a unique identifier for the network hardware in your phone) and also requires extra permissions to access the phone’s International Mobile Equipment Identity (IMEI) and serial numbers, both of which uniquely identify the device.
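MAC randomisation works by flipping one bit: a randomised address must set the locally-administered (U/L) bit of the first octet and clear the multicast (I/G) bit, so it can never collide with a manufacturer-assigned (OUI) address. The following is an added example for this digest, not code from the article or from Google/Android. It generates such an address and, from the defender's side, classifies the clients in a constructed DHCP lease listing by whether they present a randomised or a manufacturer-assigned MAC, which is what a network administrator sees once Android 10 devices appear on a Wi-Fi network.

```python
"""Locally administered (randomised) MAC addresses versus manufacturer-assigned ones.

Added example for this digest: not code from the article or from Google/Android.
The DHCP lease lines are constructed sample data with an assumed
"<ip> <mac> <hostname>" layout.
"""
import os
import re


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return the six raw bytes."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(text):
    """U/L bit (bit 1 of the first octet) set: not assigned from a vendor OUI."""
    return bool(parse_mac(text)[0] & 0x02)


def is_multicast(text):
    """I/G bit (bit 0 of the first octet) set: a group address, never a station."""
    return bool(parse_mac(text)[0] & 0x01)


def random_local_mac(rng=os.urandom):
    """A random unicast, locally administered MAC, as a randomising client presents."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | 0x02) & 0xFE   # set U/L, clear I/G
    return format_mac(raw)


def classify_leases(lines):
    """Count clients in a lease listing by address type; skip unparseable lines."""
    summary = {"randomised": 0, "manufacturer": 0}
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            local = is_locally_administered(fields[1])
        except ValueError:
            continue
        summary["randomised" if local else "manufacturer"] += 1
    return summary


# Constructed sample leases: first octets 0x3c (U/L clear), 0xda and 0x02 (U/L set).
SAMPLE_LEASES = [
    "192.168.1.20 3c:22:fb:11:22:33 laptop-a",
    "192.168.1.21 da:a1:19:44:55:66 android-1",
    "192.168.1.22 02:00:5e:77:88:99 android-2",
    "# comment line that does not parse",
]


if __name__ == "__main__":
    print(random_local_mac())
    print(classify_leases(SAMPLE_LEASES))
```

The practical consequence for a network operator is that MAC-based allow lists and per-device bandwidth accounting stop working for randomising clients; identification has to move to 802.1X or a captive portal, which is the trade the privacy feature makes deliberately.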

Google has also taken steps to protect information about how you interact with your contacts. When you grant an app access to your contacts, Android will no longer provide it with ‘affinity information’, which orders your contact data according to who you interact with most. Mark that one in the “wait, what? It did that?” file.

One of the other significant privacy enhancements is control over how an app accesses a phone’s location. A new dialog will let users choose whether apps can access location at all times, or only when running in the foreground. Google is playing catch-up here, as iOS already does this.


Report: 53% of social media logins are fraudulent

By Lisa Vaas

More than half of social media logins are fraudulent, according to a new report.

Specifically, 53% of social media logins are fraudulent, and 25% of all new account applications on social media are also coming from scammers, according to the Arkose Labs Q3 Fraud and Abuse report.

Of course, there are plenty of good reasons to care about the fakery that saturates social media, given that the fraudulent activity is focused on stealing data and squeezing us all for money. Large-scale bots are behind most of these transactions, launching attacks on social media platforms with the goal of “disseminating spam, stealing information, spreading social propaganda and executing social engineering campaigns targeting trusting consumers,” according to a media release from Arkose.

Arkose looked at fraud across the internet, but with specific regards to social media fraud, the activity took on a host of different forms: account hijackings, fraudulent account creation, and spam and abuse were among them. It found that more than 75% of attacks on social media are coming from automated bots.

Social media was distinct among the industries Arkose analyzed: account hijackings were more common, with logins twice as likely to be attacked than account registrations, the report found. Arkose says that the account takeovers are being done by attackers looking to harvest valuable personal data from the accounts of legitimate users.

We’ve often written about how these account takeovers manifest and what they’re after: In November 2018, for example, Facebook said that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it’s gotten tougher to push propaganda on the platform, and thus was suggesting that fellow propagandists try to take over legitimate social media accounts that had been hijacked: to act like wolves pulling on sheepskins in order to escape from Facebook’s notice, as it were.


August 27, 2019

GitHub joins WebAuthn club

By Danny Bradbury

Source code management site GitHub is the latest company to support WebAuthn – a new standard that makes logging into online services using a browser more secure.

WebAuthn is short for Web Authentication and it’s a protocol that lets you log into an online service by using a digital key. It’s a core part of FIDO2, a secure login protocol from the FIDO Alliance, which encourages industry support for these secure login standards.

GitHub, which Microsoft bought for $7.5bn last year, has been doing its best to secure peoples’ accounts with more secure logins for a while now. Back in 2013, it announced support for two-factor authentication (2FA) via SMS text messages and 2FA apps on a mobile phone. Then, in October 2015, it launched support for universal second factor (U2F) authentication. This was a FIDO specification that allowed the use of a hardware key as a 2FA mechanism.

WebAuthn supersedes U2F and offers everything the older standard did along with some additional benefits:

  • It upgrades GitHub’s 2FA support to the latest industry standard. The World Wide Web Consortium (W3C), which oversees many of the standards that make up the web, approved WebAuthn as an official standard in March 2019.
  • While you can use a third-party hardware security key to use WebAuthn, in many cases you don’t need to. You can also use a digital key stored on your phone instead, turning the phone itself into your hardware key.
  • WebAuthn can be a primary access factor. U2F still needed a password to gain access, meaning that it could only ever be a second factor in your login process. The U2F-based physical key effectively said “yes, the person entering that password is legit, because I am in their possession”.


Hostinger upgrades password security after 14m accounts breached

By John E Dunn

Over the weekend, millions of customers of web hosting company Hostinger started receiving emails bearing the bad news that their passwords were being reset after a data breach.

According to Hostinger, 14 million of its users are affected by the reset, which became necessary after attackers gained access to an API server on 23 August 2019.

This server contained an authorization token [for a database], which was used to obtain further access and escalate privileges to our system RESTful API Server.

This database contained details of customer accounts, including usernames, email addresses, first names, IP addresses, and hashed passwords.

What this means in practical terms is that anyone whose accounts were among those 14 million will need to reset their Hostinger Client password before they can log in.

Hostinger has said it has sent password reset instructions to all its Client users.

These are hosting accounts for numerous business and personal websites (including their domain and email management), so it’s critical that this is done without delay. So far at least:

Hostinger Client accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.


Court squeezes $1 million back from convicted phisher

By Lisa Vaas

Wooo, fancy – a guy who phished more than 100 companies out of nearly £1m (around $1.1m) in cryptocurrency used some of that money to sit his butt down in a first-class carriage on the train. That’s how they caught him, actually – with “his fingers on the keyboard” as he was logging in to a dark web account on a train between Wales and London back in September 2017.

Flash forward two years, and Wooo-HOOOOO, it’s payback time!

As in, literal payback. London’s Metropolitan Police announced on Friday that Grant West, who was 25 when police arrested him on that train and who is now 27, has not only been jailed for fraud after carrying out attacks on more than 100 major brands worldwide, including Apple, Uber, Sainsbury’s, Groupon, T-Mobile, Ladbrokes, Vitality, the British Cardiovascular Society and the Finnish Bitcoin exchange.

He’s also been ordered to pay back the money he ripped off.

Goodbye, cryptocurrency: when Southwark Crown Court gave West ten years and eight months jail time, the judge also said that his ill-gotten loot would be sold and that the victims will receive compensation.

I therefore order a confiscation of that amount, £915,305.77, to be paid as a way of compensation to the losers.

Some of it’s frozen and being held by the FBI, and all of it’s fluctuating madly, as cryptocurrencies do, which has made it tough to figure out exactly how much to give victims.

West has to agree to release the funds from his accounts, but there’s not much of a choice there: he’d be looking at four additional years in jail if he were to refuse, the judge said.

West did, in fact, agree to give up the money, which reportedly included ethereum, bitcoin and other cryptocurrencies. Unfortunately, victims won’t be able to claw back the money West blew on his fancy travel: besides his first-class train habits, he also blew the money on holidays, food, shopping and household goods.


August 26, 2019 »

Instagram phishing uses 2FA as a lure

By Paul Ducklin

When cybercrooks first got into phishing in a big way, they went straight to where they figured the money was: your bank account.

A few years ago, we used to see a daily slew of bogus emails warning us of banking problems at financial institutions we’d never even heard of, let alone done business with, so the bulk of phishing attacks stood out from a mile away.

Back then, phishing was a real nuisance, but even a little bit of caution went an enormously long way.

That’s the era that gave rise to the advice to look for bad spelling, poor grammar, incorrect wording and weird-looking web sites.

Make no mistake, that advice is still valid. The crooks still frequently make mistakes that give them away, so make sure you take advantage of their blunders to catch them out. It’s bad enough to get phished at all, but to realise afterwards that you failed to notice that you’d “logged into” the Firrst Bank of Texass or the Royall Candanian Biulding Sociteye by mistake – well, that would just add insult to injury.

These days, you’re almost certainly still seeing phishing attacks that are after your banking passwords, but we’re ready to wager that you get just as many, and probably more, phoney emails that are after passwords for other types of account.

Email accounts are super-useful to crooks these days, for the rather obvious reason that your email address is the place that many of your other online services use for their “account recovery” functions.


‘Privacy policy change’ hoax infects Instagram; it confirms it’s crud

By Lisa Vaas

Who are you going to believe: screen sweetheart Julia Roberts or Instagram chief Adam Mosseri himself?

Roberts and a host of other celebrities have unfortunately fallen for an Instagram version of the Facebook chain letter hoax. After making the rounds on Facebook, it spread to Instagram, bleating all the way with its legalistic, poorly written and puzzlingly punctuated load of horsefeathers about a purported privacy policy change taking place “tomorrow!”

The hoax would have us all believe that Instagram is planning to tweak its privacy policy to let old messages and private photos be used in court cases against its users.

It’s not. Mosseri took to his verified Instagram Story feed to confirm that it’s a load of bunk:

Heads up!

If you’re seeing a meme claiming that Instagram is changing its rules tomorrow, it’s not true.

The meme reportedly jumped from Facebook to Instagram, appearing as a text blob that went viral on Tuesday.

This hoax is as old as Rip Van Winkle but lacks the graciousness to shut up and take a 20-year nap.

Snopes debunked the original Facebook version in 2012.


Bumper Cisco patches fix four new ‘critical’ vulnerabilities

By John E Dunn

If you’re a Cisco customer, the company just issued some urgent patching homework in the form of 31 security fixes, including four addressing new flaws rated ‘critical’.

Three of the criticals (CVE-2019-1937, CVE-2019-1938, CVE-2019-1974) relate to authentication bypass vulnerabilities affecting the following products:

  • UCS Director and Cisco UCS Director Express for Big Data.
  • IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.
  • Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.

All are remotely exploitable, hence the CVSS score of 9.8, and could allow “an attacker to gain full administrative access to the affected device.”

The fourth (CVE-2019-1935, also a 9.8) affects the Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.

This is described as a default credentials flaw which could allow an attacker to log into the command line interface using the SCP user account, giving them “full read and write access to the system’s database.”


Quick thinking by Portland Public Schools stops $2.9m BEC scam

By Danny Bradbury

Employees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.

BEC is a sneaky form of attack in which a criminal impersonating a third party convinces someone at an organization to wire them money. The crook targets someone with control of the purse strings and uses what looks at first glance like a legitimate account owned by a supplier or business partner.

Sometimes, a BEC scammer might compromise the email account of a senior executive at the target company, or at their supplier, to get a better idea of how they communicate. They could even send an email directly from that account to someone with access to company funds. Sometimes, though, they can spoof an email and request the funds without hacking anything, relying entirely on social engineering.

Who, you may ask, would fall for such a thing? Lots of people, apparently, including two employees at Portland Public Schools. A fraudster contacted them pretending to be from one of the institution’s construction contractors, asking them to send payment to an account. Of course, the request was illicit, and the account illegitimate. Nevertheless, the employees approved the payments, sending $2.9 million into the ether.

Luckily, Portland Schools moved quickly to stop the transaction. In a letter to employees and schools, superintendent Guadalupe Guerrero said that the banks involved froze the fraudulent funds, adding:

PPS has already begun the process to recover and fully return funds back to the district, likely within the next several days.

Guerrero didn’t reveal how Portland Public Schools found the fraud, but the institution acted quickly after it did. It immediately contacted the FBI and Portland Police, along with the Board of Education.


Humans may have been listening to you via your Xbox

By Lisa Vaas

Microsoft has (once again) joined the “our contractors are listening to your audio clips” club: up until a few months ago, your Xbox may have been listening to you and passing those clips on to human contractors, Vice’s Motherboard reported on Wednesday.

Like all the other revelations about tech giants getting their contractors and employees to listen in to voice assistant recordings – they’ve been coming at a steady clip since April – the purpose is once again to improve a device’s voice recognition.

Another similarity to earlier voice assistant news: Xbox audio is supposed to be captured following a voice command, such as “Xbox” or “Hey Cortana,” but contractors told Motherboard that the recordings are sometimes triggered and recorded by mistake. That’s the same thing that’s been happening with Siri: as we found out in July, Apple’s voice assistant is getting triggered accidentally by ambient sounds similar to its wake words, “Hey, Siri,” including the noise of a zipper.

This is Microsoft’s second eavesdropping headline this month: a few weeks ago we reported that humans listen to Skype calls made using the app’s translation function, as well as to clips recorded by Microsoft’s Cortana virtual assistant.

Can anybody NOT hear me?

Also earlier this month, thanks to whistleblowers who were disturbed by the ethical ramifications, we found out that Facebook has been collecting some voice chats on Messenger and paying contractors to listen to and transcribe them.

They were all doing it: Facebook, Google, Apple, Microsoft and Amazon.


Facebook delivers ‘clear history’ tool that doesn’t ‘clear’ anything

By Lisa Vaas

Post-Cambridge Analytica/Cubeyou/et al. privacy-stress disorder, privacy advocates, members of Congress and users told Facebook that we wanted more than the ability to see what data it has on us.

We wanted a Clear History button. We wanted the ability to wipe out the data Facebook has on us – to nuke it to kingdom come. We wanted this many moons ago, and that’s kind of, sort of what Facebook promised us, in May 2018, that we’d be getting – within a “few months.”

Well, it’s 15 months later, and we’re finally getting what Facebook promised: not the ability to nuke all that tracking data to kingdom come, which it never actually intended to create, but rather the ability to “disconnect” data from an individual user’s account.

The browsing history data that Facebook collects on us when we visit other sites will live on, as it won’t be deleted from Facebook’s servers. As privacy experts have pointed out, you won’t be able to delete that data, but you will be getting new ways to control it.

Facebook announced the new set of tools, which it’s calling Off-Facebook Activity and which includes the Clear History feature, on Tuesday.

Facebook Chief Privacy Officer of Policy Erin Egan and Director of Product Management David Baser said in a Facebook newsroom post that the new tools should help to shed light on all the third-party apps, sites, services, and ad platforms that track our web activity via Facebook’s various trackers.

Those trackers include Facebook Pixel: a tiny but powerful snippet of code embedded on many third-party sites that Facebook has lauded as a clever way to serve targeted ads to people, including non-members. Another tool in Facebook’s tracking arsenal is Login with Facebook, which many apps and services use instead of creating their own login tools.


The Silence hacking crew grows louder

By Danny Bradbury

The Silence crew is making a lot more noise. The Russian-speaking hacking group, which specializes in stealing from banks, has been spreading its coverage and becoming more sophisticated, according to a new report from cybersecurity company Group-IB.

It follows a report from the company last year which was the first to identify and analyse the Silence group. You can find both reports here.

Group-IB characterizes Silence as a young and relatively immature hacking group that draws on the tools and techniques of others, learning from them and adapting them to its own needs. It has been traditionally cautious, waiting an average of three months between attacks.

That hasn’t stopped it profiting, though. A string of heists has brought the group’s total ill-gotten gains to $4.2m as of this month. As it evolves, the group has been broadening its geographical reach and developing new malware to refine its techniques, the report says.

It has also added a new step to its hacking process: a reconnaissance mail. Since late last year, it has started sending emails to potential targets containing a benign image or link. This helps it update its active target list and detect any scanning technologies that the victims use.

Then, armed with a list of valid addresses, it sends them a malicious email. It can carry Microsoft Office documents with malicious macros, CHM files (Compiled HTML, often used by Microsoft’s help system) or .LNK files (shortcuts that link to an executable file). Successful exploits install the group’s malware loader, Silence.Downloader (aka TrueBot). It has rewritten this loader to build encryption into some of the communication protocol with the command and control (C2) server.

More recently, the group has begun using a fileless loader called Ivoke, written in PowerShell. Silence began using fileless techniques later than other groups, showing that they are studying and then modifying other groups’ techniques, Group-IB said.
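
Both the Portland Public Schools BEC scam above and the Silence group’s mail delivery come down to a message that a mail gateway could question before a human acts on it. As an added example, not from the original articles or from any product, here is a Go triage routine that flags the BEC tells (a Reply-To pointing somewhere other than the visible sender, a sender domain one or two edits away from a real supplier, payment language from a domain the organisation does not pay) and the attachment types the Silence report names. The supplier domains, the phrase list and the sample messages are all constructed for the example; attachment names are passed in separately rather than parsed out of MIME.

```go
package main

import (
	"fmt"
	"net/mail"
	"path"
	"strings"
)

// Constructed allow-list: domains of suppliers this organisation actually pays.
var trustedDomains = []string{"acme-construction.example", "ppschools.example"}
// Attachment types the Silence report names as delivery vehicles: macro-capable
// Office documents, Compiled HTML help files and Windows .LNK shortcuts.
var riskyExt = map[string]bool{".doc": true, ".docm": true, ".xls": true, ".xlsm": true, ".pptm": true, ".chm": true, ".lnk": true}
// Phrases that mark the money-moving request at the heart of a BEC lure.
var paymentPhrases = []string{"wire", "bank details", "payment", "invoice", "new account"}

func domainOf(addr string) string {
	return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein counts single-character edits, so one swapped or dropped letter in a supplier's domain is distance 1.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

// Triage returns one finding per BEC or dropper indicator in a raw RFC 5322 message.
func Triage(raw string, attachments []string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var findings []string
	fromDom := domainOf(from.Address)
	// Replies quietly routed to a mailbox other than the visible sender's.
	if rt, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil && domainOf(rt.Address) != fromDom {
		findings = append(findings, fmt.Sprintf("Reply-To domain %s differs from From domain %s", domainOf(rt.Address), fromDom))
	}
	trusted := false
	for _, d := range trustedDomains {
		if d == fromDom {
			trusted = true
		} else if dist := levenshtein(d, fromDom); dist <= 2 {
			findings = append(findings, fmt.Sprintf("sender domain %s is %d edit(s) away from supplier %s", fromDom, dist, d))
		}
	}
	subj := strings.ToLower(msg.Header.Get("Subject"))
	for _, p := range paymentPhrases {
		if !trusted && strings.Contains(subj, p) {
			findings = append(findings, "payment-related request from a domain we do not pay: "+fromDom)
			break
		}
	}
	for _, name := range attachments {
		if riskyExt[strings.ToLower(path.Ext(name))] {
			findings = append(findings, "attachment type favoured by macro/CHM/LNK droppers: "+name)
		}
	}
	return findings, nil
}

// Constructed sample messages, not real traffic.
const (
	legitMail = "From: Accounts <billing@acme-construction.example>\r\nSubject: Invoice 4471 for July progress payment\r\n\r\nPlease see the attached invoice.\r\n"
	becMail   = "From: Accounts <billing@acme-constructlon.example>\r\nReply-To: Accounts <acme.billing@webmail.example>\r\nSubject: URGENT: updated bank details for payment\r\n\r\nPlease wire to the new account.\r\n"
	dropMail  = "From: HR <hr@partnerbank.example>\r\nSubject: Meeting agenda\r\n\r\nAgenda attached.\r\n"
)

func main() { fmt.Println(Triage(becMail, nil)) }
```

Against the constructed BEC lure this yields three findings (Reply-To mismatch, a domain one edit from the real supplier, and payment language from an unpaid domain); the genuine invoice from the allow-listed supplier yields none, and a bland message carrying a .LNK attachment is flagged for the attachment alone.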


August 19, 2019 »

Did Facebook know about “View As” bug before 2018 breach?

By Lisa Vaas

A recent court filing indicates that Facebook knew about the bug in its View As feature that led to the 2018 data breach – a breach that would turn out to affect nearly 29 million accounts – and that it protected its employees from repercussions of that bug, but that it didn’t bother to warn users.

There was a class action lawsuit – Carla Echavarria and Derrick Walker v. Facebook, Inc. – filed within hours of Facebook’s revelations last September that attackers had exploited a vulnerability in its “View As” feature to steal access tokens: the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.

Reuters reports that the lawsuit in question actually combined several legal actions, presumably including the one filed on the same day as Facebook disclosed the breach.

The breach

As Naked Security’s Paul Ducklin explained at the time, the View As feature lets you preview your profile as other people would see it.

This is supposed to be a security feature that helps you check whether you’re oversharing information you meant to keep private. But crooks figured out how to exploit a bug (actually, a combination of three different bugs) so that when they logged in as user X and did View As user Y, they essentially became user Y. From Paul:

If user Y was logged into Facebook at the time, even if they weren’t actually active on the site, the crooks could recover the Facebook access token for user Y, potentially giving them access to lots of data about that user.

That’s exactly what attackers did: they took the profile details belonging to some 14 million users, including birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins.


Multiple HTTP/2 DoS flaws found by Netflix

By Danny Bradbury

Netflix has identified several denial of service (DoS) flaws in numerous implementations of HTTP/2, a popular network protocol that underpins large parts of the web. Exploiting them could make servers grind to a halt.

HTTP/2 is the latest flavour of HTTP, the application protocol that manages communication between web servers and clients. Released in 2015, HTTP/2 introduced several improvements intended to make sessions faster and more reliable.

Updates included:

  • HTTP header compression. In previous HTTP versions, only the body of a request could be compressed, even though for small web pages the headers, which often include data such as cookies and are always sent in text format, could be bigger than the body.
  • Multiplexed streams and binary packets. This made it easier to download multiple items in parallel, speeding up rendering of web pages made up of many parts.
  • Server Push. This means the server can send across cacheable information that the client might need later, even if it hasn’t been requested yet.

Features like these can help reduce latency and improve search engine rankings. The problem is that more complexity means more opportunity for bugs.

Netflix explains this in its writeup of the issue:

The algorithms and mechanisms for detecting and mitigating “abnormal” behavior are significantly more vague and left as an exercise for the implementer. From a review of various software packages, it appears that this has led to a variety of implementations with a variety of good ideas, but also some weaknesses.

There are eight of those weaknesses, all with their own separate CVE number and nickname.

Some flaws are reminiscent of other non-HTTP/2 DoS attacks.
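
The Netflix write-up quoted above says HTTP/2 leaves the detection of “abnormal” control traffic to each implementer. As an added example, not Netflix’s code or from the original article, here is one way a server can do it in Go: parse the raw frame stream and give each connection a budget of control frames that is only replenished when the peer actually sends requests or data. The frame layout and type codes are those of RFC 7540; the budget numbers, the 16384-byte frame limit and the two sample connections are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// HTTP/2 frame type codes used below (RFC 7540, section 6).
const (
	FrameData      uint8 = 0x0
	FrameHeaders   uint8 = 0x1
	FrameRSTStream uint8 = 0x3
	FrameSettings  uint8 = 0x4
	FramePing      uint8 = 0x6
)

// Frame is one decoded frame: the 9-byte header fields plus payload.
type Frame struct {
	Type, Flags uint8
	StreamID    uint32 // 31 bits; the reserved high bit is masked off
	Payload     []byte
}

// parseFrames splits a connection byte stream into frames, refusing any whose
// declared length exceeds the SETTINGS_MAX_FRAME_SIZE this server advertised.
func parseFrames(buf []byte, maxFrameSize uint32) ([]Frame, error) {
	var frames []Frame
	for len(buf) > 0 {
		if len(buf) < 9 {
			return frames, fmt.Errorf("truncated frame header")
		}
		length := uint32(buf[0])<<16 | uint32(buf[1])<<8 | uint32(buf[2])
		if length > maxFrameSize {
			return frames, fmt.Errorf("frame payload %d exceeds advertised max %d", length, maxFrameSize)
		}
		if uint32(len(buf)-9) < length {
			return frames, fmt.Errorf("truncated frame payload")
		}
		id := binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff
		frames = append(frames, Frame{buf[3], buf[4], id, buf[9 : 9+length]})
		buf = buf[9+length:]
	}
	return frames, nil
}

// Budget is one answer to the question the spec leaves to implementers: how much
// control traffic is "abnormal"? Frames that cost the server work without carrying a
// request (PING must be answered, SETTINGS acknowledged, RST_STREAM tears down state)
// are permitted only in proportion to HEADERS and DATA frames.
type Budget struct {
	Allowance int // control frames tolerated before any request work
	PerFrame  int // extra control frames earned per HEADERS or DATA frame
}

// Inspect returns the index of the frame at which the peer exhausted its budget, or -1;
// a server would answer that with GOAWAY (error code ENHANCE_YOUR_CALM) and close.
func (b Budget) Inspect(frames []Frame) int {
	credit := b.Allowance
	for i, f := range frames {
		switch f.Type {
		case FrameHeaders, FrameData:
			credit += b.PerFrame
		case FramePing, FrameSettings, FrameRSTStream:
			if credit--; credit < 0 {
				return i
			}
		}
	}
	return -1
}

// encodeFrame builds one frame; used only to construct the sample traffic below.
func encodeFrame(t, flags uint8, streamID uint32, payload []byte) []byte {
	n := len(payload)
	hdr := []byte{byte(n >> 16), byte(n >> 8), byte(n), t, flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[5:], streamID&0x7fffffff)
	return append(hdr, payload...)
}

// wellBehaved: constructed SETTINGS, one GET (0x82 is the HPACK static index for ":method: GET"), one PING.
func wellBehaved() []byte {
	b := encodeFrame(FrameSettings, 0, 0, nil)
	b = append(b, encodeFrame(FrameHeaders, 0x05, 1, []byte{0x82})...) // END_STREAM|END_HEADERS
	return append(b, encodeFrame(FramePing, 0, 0, make([]byte, 8))...)
}

// controlOnly: constructed peer that sends SETTINGS and then nothing but PINGs, each needing a reply.
func controlOnly(pings int) []byte {
	b := encodeFrame(FrameSettings, 0, 0, nil)
	for i := 0; i < pings; i++ {
		b = append(b, encodeFrame(FramePing, 0, 0, make([]byte, 8))...)
	}
	return b
}

func main() {
	frames, _ := parseFrames(controlOnly(100), 16384)
	fmt.Println("budget exhausted at frame", Budget{Allowance: 10, PerFrame: 5}.Inspect(frames))
}
```

With an allowance of 10 and 5 extra per request frame, the well-behaved connection never trips the budget, while the control-only connection is cut off at its tenth PING; the ratio is the tunable, and the same accounting can be applied to any frame type that costs more to process than to send.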


61 impacted versions of Apache Struts left off security advisories

By Lisa Vaas

Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework.

The advisories have since been updated to reflect vulnerabilities in an additional 61 unique versions of Struts that were affected by at least one previously disclosed vulnerability but left off the security advisories for those vulnerabilities.

The extensive analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’ Cybersecurity Research Center (CyRC), which investigated 115 distinct releases for Apache Struts and correlated those releases against 57 existing Apache Struts Security Advisories covering 64 vulnerabilities.

Synopsys’ Tim Mackey said in a blog post on Thursday that the danger isn’t that developers and users may have upgraded needlessly. Rather, the real danger is that needed updates may not have happened:

While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment. Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.

Case in point: Equifax

Promptly patching security vulnerabilities in Apache Struts is a vital task: you can ask Equifax all about possible ramifications of failing to do so. Equifax blamed a nasty server-side remote code execution (RCE) bug (CVE-2017-5638) for the massive data breach of 2017. The patch had been available for months before the breach, it turned out, but Equifax hadn’t applied it.
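
The correlation BDSR describes, matching each of a project’s releases against each advisory’s affected range, is mechanical, and the mechanics are where under-reporting can creep in. Here is an added example in Go (not Synopsys’ tooling, and not from the original article) of one such cause: comparing version strings lexically, under which "2.3.10" sorts before "2.3.5" and "2.3.9" sorts after "2.3.31", so releases inside a range drop out of it. The release list and advisory range are constructed for the example and are not real Apache Struts advisory data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Range is an advisory's affected span, inclusive at both ends, e.g. {"2.3.5", "2.3.31"}.
type Range struct{ Low, High string }

// compareVersions orders dotted numeric versions component by component, so that
// 2.3.10 sorts after 2.3.9; a missing trailing component counts as zero.
func compareVersions(a, b string) (int, error) {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0
		var err error
		if i < len(as) {
			if x, err = strconv.Atoi(as[i]); err != nil {
				return 0, fmt.Errorf("bad version %q", a)
			}
		}
		if i < len(bs) {
			if y, err = strconv.Atoi(bs[i]); err != nil {
				return 0, fmt.Errorf("bad version %q", b)
			}
		}
		if x != y {
			if x < y {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// Affected reports whether release v falls inside any advisory range.
func Affected(v string, ranges []Range) (bool, error) {
	for _, r := range ranges {
		lo, err := compareVersions(v, r.Low)
		if err != nil {
			return false, err
		}
		hi, err := compareVersions(v, r.High)
		if err != nil {
			return false, err
		}
		if lo >= 0 && hi <= 0 {
			return true, nil
		}
	}
	return false, nil
}

// NaiveAffected does the same with plain string comparison, the shortcut that
// misorders versions as soon as a component reaches two digits.
func NaiveAffected(v string, ranges []Range) bool {
	for _, r := range ranges {
		if v >= r.Low && v <= r.High {
			return true
		}
	}
	return false
}

// Audit correlates a release list against advisory ranges both ways and returns
// the releases the numeric check flags but the string-comparison shortcut misses.
func Audit(releases []string, ranges []Range) ([]string, error) {
	var missed []string
	for _, v := range releases {
		hit, err := Affected(v, ranges)
		if err != nil {
			return nil, err
		}
		if hit && !NaiveAffected(v, ranges) {
			missed = append(missed, v)
		}
	}
	return missed, nil
}

// Constructed release list and advisory range; not real Apache Struts data.
var (
	sampleReleases = []string{"2.3.5", "2.3.9", "2.3.10", "2.3.20", "2.3.31", "2.3.32", "2.5.1", "2.5.12"}
	sampleAdvisory = []Range{{"2.3.5", "2.3.31"}}
)

func main() {
	missed, err := Audit(sampleReleases, sampleAdvisory)
	fmt.Println("releases missed by string comparison:", missed, err)
}
```

On the constructed data the numeric check flags five releases and the string shortcut flags none of them, which is the kind of gap a team caching a “known good” version, as Mackey describes, would never see.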


iPhone holes and Android malware – how to keep your phone safe

By Paul Ducklin

Recent news stories about mobile phone security – or, more precisely, about mobile phone insecurity – have been more dramatic than usual.

That’s because we’re in what you might call “the month after the week before” – last week being when the annual Black Hat USA conference took place in Las Vegas.

A lot of detailed cybersecurity research gets presented for the first time at that event, so the security stories that emerge after the conference papers have been delivered often dig a lot deeper than usual.

In particular, we heard from two mobile security researchers in Google’s Project Zero team: one looked at the Google Android ecosystem; the other at Apple’s iOS operating system.

Natalie Silvanovich documented a number of zero-day security holes in iOS that crooks could, in theory, trigger remotely just by sending you a message, even if you never got around to opening it.

Maddie Stone described the lamentable state of affairs at some Android phone manufacturers who just weren’t taking security seriously.

Stone described one Android malware sample that infected 21,000,000 devices altogether…

…of which a whopping 7,000,000 were phones delivered with the malware preinstalled, inadvertently bundled in along with the many free apps that some vendors seem to think they can convince us we can’t live without.

But it’s not all doom and gloom, so don’t panic!


Google removes option to disable Nest cams’ status light

By Lisa Vaas

No more stashing your Nest security cameras in the bushes to catch burglars unaware: Google informed users on Wednesday that it’s removing the option to turn off the status light that indicates when your Nest camera is recording.

You can still dim the light that shows when Google’s Nest, Dropcam, and Nest Hello cameras are on and sending video and audio to Nest, Google said, but you can’t make it go away on new cameras. If the camera is on, it’s going to tell people that it’s on – with its green status light in Nest and Nest Home and the blue status light in Dropcam – in furtherance of Google’s newest commitment to privacy.

Google introduced its new privacy commitment at its I/O 2019 developers conference in May, in order to explain how its connected home devices and services work.

The setting that enabled users to turn off the status light is being removed on all new cameras. When the cameras’ live video is streamed from the Nest app, the status light will blink. The update will be done over-the-air for all Nest cams: Google’s update notice said that the company was rolling out the changes as of Wednesday, 14 August 2019.


Police site DDoSer/bomb hoaxer caught after jeering on social media

By Lisa Vaas

A UK man who DDoS-ed police websites was caught and imprisoned after he jeered at police about the attacks on social media.

Liam Reece Watts, 20, targeted the Greater Manchester Police (GMP) website in August 2018 and then the Cheshire Police site in March 2019, according to ITV News. Each of the public-facing websites was disabled for about a day, The Register reported.

According to news outlets and Watts’s Twitter posts, the distributed denial-of-service (DDoS) attacks were done in retaliation for Watts having been convicted of calling in bomb hoaxes just days after the 2017 Manchester Arena suicide attack left 22 people dead and 500 injured.

Watts, who was 19 at the time of the DDoS attacks, was caught after he taunted police through Twitter. He used the handle Synic: a possible reference to SYN flood, which is a type of DoS attack in which servers are swamped with SYN – i.e., synchronize – messages.

Watts reportedly wrote this in one of his tweets:

@Cheshirepolice want to send me to prison for a bomb hoax I never did, here you f****** go, here is what I’m guilty of.

Watts reportedly posted that tweet while police were still investigating the first DDoS attack on the GMP site in 2018, and before he unleashed the March 2019 attack on the Cheshire Police site.

He reportedly admitted to carrying out the attack after police searched his home.

