
November 13, 2019

Microsoft says it will honor California’s new privacy law across US

By Lisa Vaas

You know California’s Consumer Privacy Act (CCPA), the tough new privacy law? The sweeping, GDPR-esque legislation set to go into effect on the first day of the new year that’s set off palpitations within the breasts of tech companies and lawmakers, what with its specter of fines and compliance costs?

Microsoft’s cool with it.

In fact, the company said that it plans to “honor” the law throughout the entire country, even though it’s only a state law. That’s similar to what it did in 2018, when the European Union’s comprehensive General Data Protection Regulation (GDPR) went into effect and the company extended the regulation’s data privacy rights worldwide, above and beyond the Europeans it covers.

On Monday, Microsoft chief privacy officer Julie Brill said in a blog post that CCPA is good news, given the failure of Congress to pass a comprehensive privacy protection law at the federal level.

Chalk one up for Microsoft when it comes to privacy signaling in the runup to CCPA’s debut. Here’s Brill:

CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.

Brill reminded the world that Microsoft’s privacy attitude “starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.”

We will extend CCPA’s core rights for people to control their data to all our customers in the U.S.

True, we don’t know exactly what it’s going to take to digest this enchilada, Brill said:

Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing.

…but we’ll stay on top of it, she said:

Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S.

In spite of the US Federal Trade Commission (FTC) marching down to Capitol Hill to beat the drum for a unified federal privacy law (and more regulatory powers to enforce it), and in spite of both the House and Senate holding hearings on privacy legislation, on transparency about how data is collected and shared, and on stiffer penalties for data-handling violations, none of the slew of online privacy bills put before Congress this year is going to make it.


No, YouTube isn’t planning to jettison your unprofitable channel

By Lisa Vaas

YouTube may terminate your access, or your Google account’s access to all or part of the service if YouTube believes, in its sole discretion, that provision of the service to you is no longer commercially viable.

A representative comment from the multiple YouTubers who’ve tweeted out that clause:

So according to Youtube’s new Terms of Service, if your channel isn’t making them enough money, they’ll just terminate it.

To all of the smaller content creators out there, it was nice knowing ya.

In a nutshell, that’s not going to happen. Google isn’t suddenly going to start shutting down channels that aren’t making money. Google released the updated YouTube Terms of Use on Sunday in order to, well, update them, plus to make them easier to read. A YouTube spokesperson says nothing’s changing:

We made some changes to our Terms of Service in order to make them easier to read and to ensure they’re up to date. We’re not changing the way our products work, how we collect or process data, or any of your settings,


Apple to fix Siri bug that exposed parts of encrypted emails

By Danny Bradbury

Apple may care about your privacy but that doesn’t mean it gets it right all the time, especially when it comes to training its Siri AI assistant. Last week, a researcher went public with a glaring security hole in the way that Siri gets to know you.

Apple IT specialist Bob Gendler was tinkering around in the macOS operating system to understand more about how Apple personalizes Siri for each user. During the process, he found that the operating system was storing portions of user emails in plaintext, even when they were supposed to be encrypted.

According to Gendler’s Medium post revealing the issue, Apple uses a system process called suggestd. Apple explains (in the program’s man page, the Unix-style help system that macOS inherits from its BSD underpinnings) that the program, which runs constantly, slurps content from various apps, including Spotlight (the macOS indexing system), Mail, and Messages. It uses that content to learn how you work and what you’re interested in, for things like news personalization.

When it reads this information, it stores it in the snippets.db file inside the macOS Suggestions folder. Even emails encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME), a technology that uses public and private keys to digitally sign and encrypt email, didn’t escape: suggestd stored their plaintext, with no encryption at all, in the database.

An attacker would need full disk access to your system files to read this information, because macOS fences it off from ordinary programs (a protection that goes back to System Integrity Protection, the OS X El Capitan-era feature that ring fences important system files). However, we know from recent problems that some people have needed to turn this off, and Gendler says that any program granted Full Disk Access in macOS could harvest the data. Because Apple’s Finder (the equivalent of Windows File Explorer) has that access, a rogue AppleScript program driving it could do it.
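If you want to see whether that snippet store is sitting on your own Mac, and whether the shell you are in can read it, the following script is an added example (not code from the article or from Gendler’s post). It assumes the database lives at ~/Library/Suggestions/snippets.db, the Suggestions folder mentioned above, and it reports three states: absent, present but unreadable from this process (the expected result for a Terminal without Full Disk Access), or readable.

```shell
#!/bin/sh
# Added example: check the suggestd snippet store described above.
# Assumption: the file lives at ~/Library/Suggestions/snippets.db.

SNIPPETS_DB="${HOME}/Library/Suggestions/snippets.db"

# snippets_db_status DBFILE -> prints a one-line verdict and returns:
#   0  the file exists and this process can read it (Full Disk Access granted, or protection off)
#   1  the file exists but cannot be read from here (the normal state for an ordinary shell)
#   2  the file does not exist at that path
snippets_db_status() {
    db="$1"
    if [ ! -e "$db" ]; then
        echo "absent: $db"
        return 2
    fi
    # Actually attempt a read: permission bits alone do not reflect macOS privacy controls.
    if ! dd if="$db" bs=1 count=1 of=/dev/null 2>/dev/null; then
        echo "present but unreadable from this process (no Full Disk Access): $db"
        return 1
    fi
    size=$(wc -c < "$db" | tr -d ' ')
    echo "readable: $db ($size bytes)"
    # If the sqlite3 CLI is available, list the tables so the stored text can be inspected.
    if command -v sqlite3 >/dev/null 2>&1; then
        sqlite3 "$db" '.tables' 2>/dev/null || echo "(not a readable SQLite database)"
    fi
    return 0
}

# Usage: sh snippets_check.sh   (run once with, and once without, Full Disk Access to compare)
snippets_db_status "$SNIPPETS_DB"
```

Running it from a Terminal that has not been granted Full Disk Access in System Preferences should report the file as unreadable; granting that permission to the same Terminal and re-running it is the quickest way to confirm how thin the protection on this file really is.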


Nvidia patches graphics products and GeForce Experience update tool

By John E Dunn

Nvidia’s November 2019 update just fixed 11 mainly high-severity security flaws in its Windows and GeForce graphics card drivers, including three in the program used to update them.

Users often associate driver updates for graphics cards with performance, stability and general bug fixes but security has become almost as big an issue in recent years.

The three with the highest severity – CVE-2019-5690, CVE-2019-5691 and CVE-2019-5692 – are kernel mode flaws in the Nvidia Windows GPU display driver which could be exploited to cause a crash or escalation of privileges.

The same component features a further four lower-rated flaws, CVE-2019-5692, CVE-2019-5693, CVE-2019-5695, and CVE-2019-5694, the latter requiring local access.


Sextortionist whisks away sex tapes using just a phone number

By Lisa Vaas

A 33-year-old businessman from Toronto got jumped by a sextortionist who got at his phone’s sex tapes via SIM-swap fraud.

CBC News on Sunday reported that the victim, Randall Baran-Chong, knew trouble had come knocking when he got a message last week from his phone carrier about his phone service being cut off.

Baran-Chong said that around 3:30 a.m., he started to get emails warning about changes made to his Microsoft account: his password had been reset, and his email address had been removed as a verification method.

I knew things were about to go badly.

What followed: the attacker locked down his laptop, bought an Xbox video game gift card and charged it to Baran-Chong’s credit card, accessed his personal files, and threatened him with sextortion: all possible because whoever it was had stolen his mobile phone number.

How the crooks swing a SIM swap

As we’ve explained, SIM swap fraud, also known as phone-porting fraud, works because your phone number is tied not to the handset but to its SIM card – SIM is short for subscriber identity module, a smart card chip that securely stores the cryptographic key that authenticates your subscription, and with it your phone number, to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.


ASP.NET hosting provider recovering from ransomware attack

By Lisa Vaas

SmarterASP.NET – a provider that hosts sites built on Microsoft’s open-source ASP.NET web framework and reportedly has more than 440,000 customers – suffered a ransomware attack on Saturday.

SmarterASP.NET was blunt in a status update on Monday titled:

Your hosting accounts are under attack

This wasn’t a partial paralysis. The provider advised customers that all data had been encrypted and that it was working with security experts to try to decrypt it, as well as making sure that “this would never happen again.”

Please don’t email us, the company asked, saying that it was (understandably!) being flooded by emails and that it doesn’t employ enough people to answer them all. It directed customers to its Facebook page for updates.

As of Monday morning, the provider said that it had fully restored FTP and control panel services – though, going by comments on its Facebook post, it sounds like the company’s stressed-out servers were still giving off a miasma of 503 Service Unavailable error messages.

In that post, the company warned customers not to download encrypted files. “If you still see encrypted files, we will get to it soon,” SmarterASP.NET said. The malware encrypted customers’ web hosting accounts, which hold the files and data their sites run on. So it isn’t just SmarterASP.NET’s customers who lost access to their data: their websites went down with it.

SmarterASP.NET’s website was also temporarily knocked offline by the attack, but it was reportedly back online as of Sunday morning.


Microsoft urges us to patch after partially effective BlueKeep attack

By Danny Bradbury

Microsoft has urged people to patch their Windows systems following the report of widespread attacks based on the BlueKeep vulnerability.

BlueKeep is the nickname for the security hole tracked as CVE-2019-0708, first revealed in May 2019. The flaw, in older Windows versions including Windows 7 and Windows Server 2008, allows attackers to break into a computer over the Windows Remote Desktop Protocol (RDP) without having to get past the RDP logon screen first.

Exploiting the vulnerability was technically difficult, creating a tense race to patch systems in the wild before someone released an exploit.


November 6, 2019

Ransomware attacks in Spain leave radio station in “hysteria”

By Danny Bradbury

A ransomware attack has ransacked at least two Spanish companies, leaving their employees without computer access.

The ransomware hit radio broadcaster Sociedad Española de Radiodifusión (Cadena SER), which released a statement about the attack. The company said that it was maintaining its radio service from its Madrid headquarters with the help of autonomous teams. A technician there said that the company was in “hysteria mode”, according to local media.

Local press also reported that the Radio Systems Department at SER’s parent company PRISA issued a circular to staff which reads (translated):

We are immersed in a computer security incident. It is mandatory to comply with the following guidelines:

  • Under no circumstances can PRISA computer equipment be used (neither desktops nor laptops)
  • Under no circumstances can the Wi-Fi network be accessed.

There is no problem in using Outlook 365 email from your mobile phone and from private computers (desktops or laptops) and connecting to your OneDrive, SharePoint applications…

Please extend this statement to all your colleagues. We will keep you updated with any news.

The ransomware also hit IT services and consulting company Everis, which is a subsidiary of Japanese telco NTT. It came with a €750,000 ransom demand, according to Spanish site

Both companies have reportedly warned staff to switch off computers.


Founders of ‘worthless cryptocurrency’ ATM Coin fined over $4.25m scam

By Lisa Vaas

The US Commodity Futures Trading Commission (CFTC) on Friday announced that it’s fining the founders of a “worthless cryptocurrency” that ran a $4.25m, so-called “binary options” scam involving a virtual currency known as ATM Coin.

Their pie-in-the-sky financial promises were rigged with software that put a finger on the scale to tip it away from a customer’s chance to make a profit on their binary-options gamble. Add a dollop of “Let’s stash your money in St. Kitts and Nevis where it’s conveniently tough to trace funds,” and the equation balances out to that $4.25m fine for fraud and misappropriation of client funds.

Binary options are all-or-nothing wagers: the buyer bets on whether an asset will be above or below a set price at a set time, and either collects a fixed payout or loses the stake. See below for the CFTC’s detailed explanation of how they work. TL;DR: suffice it to say that these financial contracts tend toward the slimy, right along with initial coin offerings (ICOs).

Facebook banned ads for both ICOs and binary options back in 2018, on top of ads for cryptocurrency in general, or, really, anything that combines exclamation marks, full capitals and/or deceptive financial promises, like, say, these real-world examples:

  • “Start binary options trading now and receive a 10-risk free trades bonus!”
  • “Click here to learn more about our no-risk cryptocurrency that enables instant payments to anyone in the world.”
  • “New ICO! Buy tokens at a 15% discount NOW!”
  • “Use your retirement funds to buy Bitcoin!”

This is what Facebook product management director Rob Leathern had to say at the time:

There are many companies who are advertising binary options, ICOs and cryptocurrencies that are not currently operating in good faith.

Clearly, the ATM Coin lot were not operating in good faith. Rather, they were operating in something about as valuable as pocket lint.


Google patches bug that let nearby hackers send malware to your phone

By Danny Bradbury

Google has patched a bug in the Android operating system that could have allowed attackers to install a rogue application on a victim’s phone – but only if they were able to invade their personal space.

Nightwatch Security found the flaw, numbered CVE-2019-2114, and described it in an advisory. The problem lies in Android Beam, a feature in the mobile operating system that lets people transfer large files directly between phones. It uses near field communications (NFC), a communications mechanism enabled by default in most Android phones, often used for contactless payments.

Users can send each other files using Android Beam by placing their phone within an inch or two of another. If the phone is able to send the content, an option will appear to transfer it.

One file type that can be sent using this technology is an APK file, which is an application installable on an Android device. If it receives an APK, the Android Beam service will automatically try to install it. This is where an attacker could exploit the vulnerability.

For security reasons, Android treats APKs that don’t stem from the official Google Play Store as unknown applications. Android version 8 (codenamed Oreo) and above ask the user’s permission before installing any unknown application. That is supposed to stop users unwittingly installing rogue applications that have made their way onto the device, perhaps via email or an unknown App Store.


Office for Mac 2011 users warned about SYLK file format

By John E Dunn

Any Apple users out there still running Microsoft Office for Mac 2011? If so, there are at least two reasons why that might not be a good idea.

The first is that Microsoft stopped supporting this version with bug and security fixes in October 2017, which means that any vulnerabilities in the software are essentially there forever.

The second is that the US CERT Coordination Center (CERT/CC) has issued a warning prompted by new research. The warning details the risky way Office for Mac 2011 handles a forgotten macro format called XLM (Excel 4.0 macros, no relation to XML markup) when embedded inside a Microsoft spreadsheet exchange format called SYLK (SYmbolic LinK).

It’s unlikely many people will have heard of either, but as with so many formats from the distant past, support for them lingers on inside today’s software as something attackers might exploit in certain circumstances.

Last year, Dutch researchers noticed that SYLK’s .slk file format was a great “candidate for weaponization on Mac” for reasons that have been underestimated.

First, Office’s ‘be careful’ protected mode sandbox warnings weren’t triggered when trying to open files in this format.

More seriously, in Office for Mac 2011 the default macro setting – disable all macros without notification – does not stop XLM macros in .slk files from running, so an attack exploiting them could slip through unnoticed.

The only alternatives are the clearly unwise enable all macros, or disable macros with notification, which stops any macros from running automatically but prompts the user each time it has to intervene.

Disable all macros without notification sounds like the safer choice but, ironically, disable macros with notification is the option that would actually warn of a malicious XLM/SYLK file.
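Because SYLK is a plain-text format, the macro constructs that make an .slk file dangerous are easy to spot at the mail gateway or on disk. The script below is an added example, not code from CERT/CC, the researchers, or this article. It flags the three SYLK records an XLM-bearing file needs – an O;E option record that turns the sheet into a macro sheet, an NN record that names a cell Auto_Open so it runs at load, and a C (cell) record holding a formula such as EXEC(); the benign and macro-bearing sample files it writes are constructed for the demonstration, and the EXEC argument in the sample is a placeholder rather than a working payload.

```shell
#!/bin/sh
# Added example: flag SYLK (.slk) files carrying Excel 4.0 (XLM) macro records.
# Indicators checked: "O;E" (macro sheet option), "NN;NAuto_Open" (auto-run name),
# and cell formulas calling EXEC/CALL/REGISTER/RUN/FOPEN/FWRITE.

# sylk_macro_indicators FILE -> prints each indicator found; returns
#   0 if at least one macro indicator was found, 1 if none, 2 if the file is not SYLK
sylk_macro_indicators() {
    f="$1"
    found=1
    # Every SYLK file starts with an ID record.
    if ! head -n 1 "$f" | grep -q '^ID;'; then
        echo "not a SYLK file (no ID; header): $f"
        return 2
    fi
    if grep -q '^O;E' "$f"; then
        echo "O;E option record: sheet is an Excel 4.0 (XLM) macro sheet"; found=0
    fi
    if grep -qi '^NN;NAuto_Open' "$f"; then
        echo "NN record names Auto_Open: macro runs when the file is opened"; found=0
    fi
    if grep -E -i -q '^C;.*;E.*(EXEC|CALL|REGISTER|RUN|FOPEN|FWRITE)\(' "$f"; then
        echo "C record with a formula that executes or touches the system"; found=0
    fi
    return $found
}

# write_sylk_samples DIR -> writes benign.slk and macro.slk (both constructed for this example)
write_sylk_samples() {
    # Data-only SYLK: header, a few plain cells, end marker.
    cat > "$1/benign.slk" <<'EOF'
ID;PWXL;N;E
C;Y1;X1;K"Quarter"
C;Y1;X2;K"Revenue"
C;Y2;X1;K"Q1"
C;Y2;X2;K1200
E
EOF
    # Macro-bearing SYLK: the EXEC argument is a placeholder, not a payload.
    cat > "$1/macro.slk" <<'EOF'
ID;PWXL;N;E
O;E
NN;NAuto_Open;ER101C1
C;X1;Y101;EEXEC("<command>")
C;X1;Y102;EHALT()
E
EOF
}

# Usage: sh sylk_check.sh file.slk ...   (no arguments: scan the built-in samples)
if [ $# -gt 0 ]; then
    for f in "$@"; do echo "== $f"; sylk_macro_indicators "$f"; done
else
    d=$(mktemp -d); write_sylk_samples "$d"
    for f in "$d/benign.slk" "$d/macro.slk"; do echo "== $f"; sylk_macro_indicators "$f"; done
    rm -rf "$d"
fi
```

The check is deliberately conservative: a file that opens as a macro sheet or defines Auto_Open has no business arriving by email, so a match is worth quarantining regardless of what the formula does. Note that Office does not care about the .slk extension when it sniffs the ID; header, so scan by content rather than by file name.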


Florida city sends $742K to fraudsters as it bites the BEC hook

By Lisa Vaas

We’re changing our banking information, said the sham email purporting to be from a construction company working on an international airport in the Florida city of Ocala.

The message pretended to come from Ausley Construction, a bona fide firm that’s working on the $6.1m project of building a new 17,500-square-foot terminal at Ocala International Airport – and included the proper form to change the routing and account number, plus a copy of a voided check from the account.

It was all right and proper-looking, as are the most sophisticated Business Email Compromise (BEC) scams, and, of course, utterly bogus.

The spearphishing email worked. As reported by local paper Ocala Star Banner, the city is now $742,376.73 lighter.

According to reports from Ocala Mayor Kent Guinn and the Ocala Police Department, a city senior accounting specialist got the phishing email in September. The next month, Ausley Construction submitted a legitimate invoice for nearly $250K.

The next day, on 18 October, the city paid the invoice. Ausley never saw that money, though. On 22 October, the firm let the city know that it was still waiting to be paid, and that’s when the fraud came to light.


Police interrogate Alexa for clues in fatal spear-stabbing

By Lisa Vaas

Police in South Florida plan to interrogate a potential witness to a fatal stabbing: Amazon’s Alexa smart speaker app.

Last week, the South Florida SunSentinel reported that police in Hallandale Beach issued a search warrant for anything recorded by two devices – an Echo and Echo Dot – found in the apartment where a woman who was arguing with her boyfriend was killed in July.

Police have accused Adam Reechard Crespo of murdering his girlfriend, Silvia Galva.

When police arrived at the apartment, they found Galva in one of the bedrooms in Crespo’s condo. She was bleeding to death from a stab wound in her chest, as Crespo tried to stanch the bleeding and save her life. Police also found the spear that, as Crespo told them, he had pulled from her chest: a spear with a 12-inch, double-sided blade.

Crespo says that Galva had been drinking, and that he’d tried to kick her out of the bedroom, but she resisted, grabbing onto the spear – at the foot of the bed – for leverage. He says he kept pulling, without turning around, until he heard a snap. That’s when the spear she was holding onto snapped and impaled her, police said.

A friend of Galva’s was in the condo at the time and told police that she’d heard arguing coming from the bedroom but couldn’t make out the details of the fight.


Apple developers – get this update to protect the rest of us!

By Paul Ducklin

Apple just pushed out an update to its widely used software development toolkit, Xcode.

New Xcode releases are pretty common immediately after updates to macOS or iOS, typically to provide official support and documentation for new programming features in the latest operating system versions.

The Xcode 11.2 release was a bit different, however, even though it followed closely on the heels of the recent macOS 10.15.1 and iOS 13.2.1 updates.

Xcode 11.2 comes with its own security advisory urging you to get (and then to verify that you have correctly installed) the new version, thanks to a pair of security flaws denoted CVE-2019-8800 and CVE-2019-8806.

These flaws are described in Apple’s typically perfunctory fashion in APPLE-SA-2019-11-01-1 (SA stands for security advisory):

Processing a maliciously crafted file may lead to arbitrary code execution.

In other words, it sounds as though the supposedly innocent task of just compiling, or building, a software project – something that’s supposed to be ‘mostly harmless’ – could inject malware onto your system.


October 31, 2019

Got an early iPhone or iPad? Update now or turn it into a paperweight

By John E Dunn

If you own an Apple iPhone 5, iPhone 4s or one of the early iPads with cellular connectivity, your device is about to be turned into a vintage technology paperweight by the GPS rollover problem that we wrote about in April.

Before we explain why, we should say it is possible to avoid this fate by updating your device to iOS version 10.3.4 (iPhone 5) or version 9.3.6 (iPhone 4s and the affected iPads).

But there’s one critical detail – you must apply this update before 12:00 a.m. UTC on 3 November.

If you don’t follow this advice, the iPhone will, according to Apple, no longer be able to…

Maintain accurate GPS location and to continue to use functions that rely on correct date and time including App Store, iCloud, email, and web browsing.

So, losing GPS means the device can no longer set its date and time correctly, which immediately breaks services that need an accurate clock to connect to remote servers.

In addition to the iPhone 5 and 4s, the iPads affected are the cellular-enabled iPad mini, iPad 2, and the third-generation iPad.

You can read the iPhone 5-specific warning or the one that includes the iPhone 4s if you want to confirm the worst in more detail.


Sextortion scammers are hijacking blogs – and victims are paying up

By Danny Bradbury

Sextortion scammers have started hijacking poorly managed or defunct hosted blog sites to expand an increasingly profitable business. They have now started posting their messages – which dupe people into believing they’ve been filmed watching porn and demand a bitcoin ransom – to WordPress and Blogger sites.

The messages, which appear as blog posts from the administrators, take varying forms but all say the same basic thing: We’ve accessed your computer and filmed you in a compromising position using your webcam. Send bitcoin to our address or we’ll spill the goods.

Bleeping Computer searched for phrases common to many of the sextortion posts and came up with almost 1,500 results on Blogspot, which is the free domain service provider frequently used to host Blogger blogs. It also found around 200 hits on WordPress sites. Both of these are online blog hosting services; Bleeping Computer did not find any hits showing compromised self-hosted blogs.

The posts carry titles like “High danger. Your account was attacked” and “Security Notice. Someone has access to your system.” They begin with messages like:

As you may have noticed, I sent you an email from your account.

This means that I have full access to your device.

This is a different modus operandi than the email versions of these scams, which usually contain one of the victim’s passwords gleaned from a hacked password list. The attacker might have hijacked the account used to manage the hosted site by either compromising an administrator’s machine, or more likely using a simple credential-stuffing attack.


Facebook launches $2m suit against alleged phishing, hacking sites

By Lisa Vaas

Facebook is using trademark law to go after a domain registrar that registers phishing or hacking-tools sites targeting the platform and its Instagram subsidiary.

CNET reports that on Monday, Facebook filed suit in the US District Court for the Northern District of California against domain registrar OnlineNIC and its affiliate ID Shield. It’s accusing them of trademark infringement and cybersquatting – including the variety known as typosquatting, where crooks register common misspellings of popular websites to snare innocent users who wind up on the pages after a keystroke slip.

According to the suit, OnlineNIC has registered domains used to carry out phishing and to claim to sell hacking tools. Facebook listed 20 infringing domains in the complaint.

Each of those domains was registered by ID Shield: a company that Facebook says is controlled by OnlineNIC.

The lawsuit also includes a screen capture designed to look exactly like a Facebook site. Facebook alleges that such sites are used in phishing attacks, meant to trick visitors into accidentally giving up their logins.

CNET quoted a statement from Facebook:

People count on us to protect the integrity of our apps and services. We don’t tolerate people creating web addresses that pretend to be associated with our family of apps. Today’s lawsuit shows we will take action against those behind this abuse.

This isn’t OnlineNIC’s first trademark waltz. In 2008, Verizon sued the company for registering hundreds of domain names with Verizon trademarks. Verizon won its $33m suit, being awarded a default judgment of $50,000 for each of 663 addresses registered by OnlineNIC.

Facebook said in its lawsuit that OnlineNIC’s history demonstrated a “bad faith intent to profit” off others’ intellectual property. The company is seeking $2 million in damages, which works out to $100,000 per infringing domain.


October 30, 2019

Uber sues LA in bid to protect scooter riders’ geolocation data

By Lisa Vaas

Los Angeles wants to know exactly when you hop on an Uber scooter or bike, when you hop off, and where you go, promising that such location data is “respectful of user privacy” because it’s not asking for personally identifiable information (PII) about users – well, at least not directly.

Uber’s response: Nope. Geolocation data is clearly PII, and LA’s requirements that companies like Uber and Lyft share scooter-sharing data could compromise user privacy, as well as the companies’ own trade secrets.

Uber, better known for its ride-hailing car service, on Monday filed a lawsuit after months of refusing to give the LA Department of Transportation (LADOT) what the city’s after, CNET reports.

The publication quoted an Uber spokesperson:

Independent privacy experts have clearly and repeatedly asserted that a customer’s geolocation is personally identifiable information, and – consistent with a recent legal opinion by the California legislative counsel – we believe that LADOT’s requirements to share sensitive on-trip data compromises our customers’ expectations of data privacy and security.

Therefore, we had no choice but to pursue a legal challenge, and we sincerely hope to arrive at a solution that allows us to provide reasonable data and work constructively with the City of Los Angeles while protecting the privacy of our riders.

Like other cities, LA is wrestling with a newly chaotic traffic situation, with Uber and Lyft drivers whizzing around, picking up, dropping off or waiting for fares, as city buses, bicyclists and scooter riders – some using rent-by-the-hour bikes and scooters – jostle for space.

Those ubiquitous dockless e-scooters and bikes often wind up randomly scattered or piled up in heaps on city sidewalks. Some cities have gone so far as to ban them.


Gradient “celebrity matching” photo app sparks privacy fears

By Paul Ducklin

If you’ve been following trendy news sites over the past week, you’ve probably heard of a new – or at least a newly popular – app called Gradient.

Gradient pitches itself as “the next big thing in the world of mobile photo editing”, heavily promoting a new feature that supposedly lets you:

Find what famous person do [sic] you look like with our brand-new AI feature! Our precise technology powered by artificial intelligence will amaze you with an accurate result. Don’t forget to share it with your friends as a post or a story!

Despite the “photo editor” category being a crowded field on both Google Play and Apple’s App Store, the company that produces the app, Ticket to the Moon, Inc. (TttM), has hit the publicity jackpot in the last few days, splashing out on celebrity advertising on social media sites such as Instagram.

Apparently, three of the Kardashian sisters have recently posted paid endorsements for Gradient’s You Look Like… feature, with Kourtney claiming the app matched her to Audrey Hepburn, Kim looking like Elizabeth Taylor, and Khloe coming up as the doppelgänger of the late Anna Nicole Smith.


PHP team fixes nasty site-owning remote execution bug

By Danny Bradbury

The PHP development team has fixed a bug that could allow remote code execution in some setups of the programming language, possibly allowing attackers to take over any site running the code remotely.

PHP is a common programming language used to run dynamic websites. It operates everything from online forums to ecommerce systems. The bug, found in version 7 of PHP, only affects instances running the PHP FastCGI Process Manager (PHP-FPM). FastCGI is the standard protocol that lets a web server hand script execution to a separate interpreter process; PHP-FPM is an alternative implementation of PHP’s FastCGI support with extra features for high-volume websites.

For the bug to be exploitable, the site must also be fronted by the Nginx web server, in a common configuration that passes path information through to PHP-FPM; Nginx runs around one in every three websites, according to W3techs.

When handed a request, PHP-FPM failed to check that the path information it received for the script was sane. The researcher used this to manipulate an environment variable that PHP reads for its configuration. The researcher explained:

Using this technique, I was able to create a fake PHP_VALUE fcgi variable and then use a chain of carefully chosen config values to get code execution.

The team acknowledged the bug and began working on a patch, publishing an untested one on 6 October on its own bug tracker so that its developers could test it. They also collaborated with the researcher to help prepare the patch for testing.
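The exposed shape, and the usual web-server-side mitigation, are easiest to see in the Nginx configuration itself: a PHP location that derives PATH_INFO with fastcgi_split_path_info and forwards it to PHP-FPM is reachable, while the same block preceded by try_files $fastcgi_script_name =404 refuses requests whose script file does not exist before PHP-FPM ever sees them. The audit script below is an added example, not code from the PHP project, the researcher, or this article. It assumes one location block per PHP handler with no nested braces inside it, and the sample configuration it writes (socket path included) is constructed for the demonstration, with the vulnerable shape beside the hardened one.

```shell
#!/bin/sh
# Added example: audit an nginx config for PHP-FPM locations that forward PATH_INFO
# from fastcgi_split_path_info without a try_files existence check.
# Assumptions: one "location ... php ... {" per block, no nested braces inside it.

# audit_php_locations CONFIG -> prints "guarded: ..." or "UNGUARDED: ..." per PHP location;
# returns 1 if any unguarded block was found, 0 otherwise
audit_php_locations() {
    awk '
    /^[ \t]*location[ \t]+~.*php/ {
        inblk = 1; name = $0; sub(/^[ \t]+/, "", name)
        spl = 0; pinfo = 0; guard = 0
        next
    }
    inblk && /fastcgi_split_path_info/                            { spl = 1 }
    inblk && /fastcgi_param[ \t]+PATH_INFO[ \t]+[$]fastcgi_path_info/ { pinfo = 1 }
    inblk && /try_files[ \t]+[$]fastcgi_script_name[ \t]+=404/     { guard = 1 }
    inblk && /^[ \t]*}/ {
        inblk = 0
        if (spl && pinfo && !guard) { print "UNGUARDED: " name; bad = 1 }
        else                        { print "guarded: " name }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_config FILE -> writes a constructed two-server config: one vulnerable, one hardened
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    root /var/www/html;
    # Vulnerable shape: PATH_INFO reaches PHP-FPM even when the script does not exist
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
server {
    listen 8080;
    root /var/www/other;
    # Hardened shape: nginx answers 404 itself unless the script file exists
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
EOF
}

# Usage: sh audit_php_fpm.sh /etc/nginx/nginx.conf   (no argument: audit the built-in sample)
if [ -n "$1" ]; then
    audit_php_locations "$1"
else
    demo=$(mktemp); write_sample_config "$demo"
    audit_php_locations "$demo"
    rm -f "$demo"
fi
```

The try_files guard is a mitigation, not a substitute for the PHP fix: it stops the malformed request at the proxy, but patched PHP-FPM is what closes the hole. Run the script over every included file, not just nginx.conf, since sites-enabled fragments are where these location blocks usually live.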


October 29, 2019

New Facebook AI fools facial recognition

By Lisa Vaas

Facebook is both embroiled in privacy struggles over its use of facial recognition, working to spread it far and wide, and coming up with ways to flummox the technology so it can’t match an image of a person to one stored in image databases.

On Sunday, Facebook Research published a paper proposing a method for using a machine learning system for de-identification of individuals in videos by subtly distorting face images so they’re still recognizable to humans, but not to machines.

Other companies have done similar things with still images, but this is the first technology that works on video to thwart state-of-the-art facial recognition systems.

Here it is in action, with before and after videos of celebrity faces that many of us will recognize but that automatic facial recognition (AFR) systems can’t identify.

This, from the holder of the world’s biggest face database?

Why would Facebook do this, when it’s been so keen to push facial recognition throughout its products, from photo tag suggestions on to patent filings that describe things like recognizing people in the grocery store checkout lines so the platform can automatically send a receipt?


Adobe database exposes 7.5 million Creative Cloud users

By John E Dunn

Adobe has become the latest company to be caught leaving an Elasticsearch database full of customer data exposed on the internet.

Discovered on 19 October by data hunter Bob Diachenko and security company Comparitech, the unsecured database contained the email addresses of nearly 7.5 million customers of Adobe’s Creative Cloud, plus the following:

  • Account creation date
  • Adobe products used
  • Subscription status
  • Whether the user is an Adobe employee
  • Member IDs
  • Country
  • Time since last login
  • Payment status

That’s the email addresses of around half of Creative Cloud’s customer base, although not, importantly, any of their passwords or payment information. Nevertheless, said Comparitech, spelling out the risk of phishing attacks:

Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.

Judging from clues in the data, Diachenko believes it might have been exposed for around a week. It’s not possible to tell whether anyone else accessed the data during this time.


Ransomware with a difference as hackers threaten to release city data

By Danny Bradbury

Johannesburg spent the weekend struggling to recover from its second cyberattack this year, after it took key service systems offline.

The city first alerted users of the attack via Twitter on Thursday 24 October.

The cyberattack came from a group calling itself the Shadow Kill Hackers. Some media outlets are reporting it as a ransomware attack, but according to a note reportedly sent to city employees and shared on Twitter, the hackers didn’t encrypt data. Instead, they stole it and threatened to upload it to the internet if the City didn’t pay up. The note read:

All your servers and data have been hacked. We have dozens of back doors inside your city. We have control of everything in your city. We also compromised all passwords and sensitive data such as finance and personal population information.

The group reportedly demanded a payment of four bitcoins (£30,347) by 5pm today, Monday 28 October, or they will release the compromised data.

The attack also affected City Power, a city-owned utility providing pre-paid electrical power to residents. It said that it was experiencing call center problems due to the incident, and urged people to use its mobile app to log power problems instead. It also said that billing systems had been affected.


TikTok says no, senators, we’re not under China’s thumb

By Lisa Vaas

TikTok – the Chinese-owned, massively popular, kid-addicting, fine-accruing, short-and-jokey video-sharing platform – is a potential threat to national security, US lawmakers said last week.

Senators Tom Cotton and Chuck Schumer on Wednesday sent a letter to Acting Director of National Intelligence Joseph Maguire, asking that the intelligence community please look into what national security risks TikTok and other China-owned apps may pose.

TikTok’s parent company, Bytedance, is a private startup based in Beijing that was valued at $75 billion as of July. Most of that is thanks to TikTok and its Chinese equivalent, Douyin.

The senators pointed out that TikTok has been downloaded in the US more than 110 million times. At least one Chinese doctor specializing in addiction has warned that young people are so hooked on social media approval that they’ve been risking their lives to garner likes with their 15-second Douyin clips, which have featured things like dancing in front of a moving bus or trying to flip a child 180 degrees… and then dropping her.

The day after the letter was published, TikTok defended itself in a company blog post in which it reiterated what it’s repeatedly claimed – that Chinese law doesn’t influence TikTok, given that its data is stored on servers in the US:

We store all TikTok US user data in the United States, with backup redundancy in Singapore. Our data centers are located entirely outside of China, and none of our data is subject to Chinese law. Further, we have a dedicated technical team focused on adhering to robust cybersecurity policies, and data privacy and security practices.


New BBC ‘dark web’ Tor mirror site aims to beat censorship

By John E Dunn

A mirror copy of the BBC’s international news website is now available to users on the so-called dark web.

The site is the result of a collaboration between the BBC and Alec Muffett who in 2017 launched something called the Enterprise Onion Toolkit (EOTK) to make it easier to create dark web mirror sites. Muffett tweeted:

I should probably admit: this has been a 2 year project, though it could only have been brought to fruition with the partner/involvement of both @OpenTechFund & the BBC.

As well as English, versions for the BBC’s Arabic, Persian and Russian services will also be available.

The Corporation isn’t the first news organization to do this with EOTK – Facebook and The New York Times mirrored their sites in 2014 and 2017 – but it’s still a big advert for what remains a largely mysterious part of the internet.

But what is the ‘dark web’ and why might the BBC and others want to mirror themselves on it when you can already access the standard site using Tor?

Not so dark

The dark web gets its name from the fact that users must access it unconventionally, using a browser designed to connect via dedicated privacy-preserving routing networks, principally Tor. Because of its private nature, it has a reputation for hiding shady websites (child abuse imagery, drugs, weapons, etc.).

While it’s true that the dark web is used for criminality, it could just as easily be used to preserve privacy and anonymity for positive reasons too.


Crypto Capital boss arrested over money laundering

By Lisa Vaas

Polish police have arrested the president of cryptocurrency exchange Crypto Capital on charges of money laundering.

According to reports from the Polish news outlets W Polityce and RMF24, Ivan Manuel Molina Lee was arrested in Greece in March 2019 and extradited to Warsaw on Thursday.

Molina Lee was wanted in Poland for allegedly laundering up to 1.5 billion zloty – about US $390m or £303m – that came from “illegal sources.” Specifically, prosecutors believe he’s a member of a Colombian cartel who laundered drug money through Crypto Capital.

They also believe that the cryptocurrency exchange Bitfinex has similarly laundered illegal proceeds through a Polish bank. Prosecutors say that Crypto Capital held accounts in Bank Spóldzielczy in the town of Skierniewice.

Both Bitfinex and Crypto Capital are already tangled in legal trouble. In April, New York Attorney General Letitia James accused Bitfinex and the cryptocurrency Tether – which calls itself a stablecoin – of an $850m fraud. That’s how much she says Bitfinex transferred to Crypto Capital, all without a written contract, and all of which Crypto Capital has refused to remit.

The extradition of Molina Lee to Poland comes within days of Bitfinex having filed a request to subpoena an ex-banking exec as it tries to get back that money.


October 24, 2019 »

Stalker app maker Retina-X settles FTC charges

By Lisa Vaas

Spyware maker Retina-X Studio has settled charges brought by the Federal Trade Commission (FTC) about not keeping its products from being used as illegal stalking apps.

Retina-X, maker of the spyware tools PhoneSheriff, TeenShield, SniperSpy and Mobile Spy, threw in the towel on all that snooping in March 2018, putting the kibosh on the products as a result of two hacks: the first in April 2017 and the second in February 2018.

Those tools were used to track targets’ call logs (including deleted ones), text messages, photos, GPS locations, and browser histories, as well as to eavesdrop on victims, wherever they might be.

The hacker who claimed responsibility for the breaches said at the time that he got access to all that, but he didn’t post any of it online. He did, however, claim to have wiped some of the servers he’d been allegedly rooting around in.

Like we said after news of the second attack surfaced, even if you find spyware repugnant, it’s still illegal to hack the companies that make it, for good reason. The hacker wasn’t helping anybody, let alone surveillance victims. By telling others how he did it, putting out blueprints and encouraging them to do the same, he and other spyware-focused hackers put the victims at that much greater risk of having their personal data accessed, meaning they’re twice victimized. Besides, who’s to say that a hacker who claims not to have posted material isn’t lying?

At any rate, back to the FTC complaint: the FTC claimed that Retina-X wasn’t making sure that spyware purchasers were using it for legitimate purposes. In fact, to install the tools, spyware purchasers often had to weaken security protections on a targeted phone – i.e., to jailbreak or root the phone.

Once the spy had installed the app on their target’s phone, they could then remove the icon showing that it was there. Thus, the target wouldn’t know they were being monitored.


Alexa and Google Home phishing apps demonstrated by researchers

By Lisa Vaas

Amazon and Google have blocked spying, phishing apps that keep your smart speaker listening after you think it’s gone deaf, lie to you about there being an update you need to install, and then vish (voice-phish) away the password you purportedly need to speak so you can get that bogus install.

Long story short, don’t believe a smart speaker app that asks for your password. No regular app does that.

Eight of these so-called “Smart Spies” were built by Berlin-based Security Research Labs (SRL) and put into app stores under the guise of being horoscope or random-number generators.

SRL says that it managed to sneak in the spyware because third-party developers can extend the capabilities of Amazon Alexa – the voice assistant running in its Echo smart speakers – and Google Home through small voice apps, called Skills on Alexa and Actions on Google Home.

Those apps currently create privacy issues, SRL says, in that they can be abused to eavesdrop on users or to ask for their passwords.


Hacker breached servers used by NordVPN

By John E Dunn

Leading VPN provider NordVPN has been forced to admit that a hacker stole an expired TLS certificate key used to securely connect customers to the company’s web servers.

According to a statement, the attack happened in early 2018 at the Finnish data center of a service provider used by the company, exploiting a vulnerability in a remote management interface which NordVPN wasn’t told about.

Not a good look for a company offering a VPN service which customers buy to boost the security and privacy of their internet connection. However, in a statement released earlier this week the company downplayed the risk of misuse:

The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.

There’s no evidence the stolen key was abused, nor that it could have been, given its expiration.

So that’s that? Unfortunately, not. Indeed, this is where the story of the NordVPN hack takes a confusing turn involving rival VPN companies.


Facebook pulls fake news networks linked to Russia and Iran

By Lisa Vaas

Facebook has yanked four networks of coordinating accounts that it linked to Iran, Russia and election meddling.

One of the networks that was targeting the 2020 US presidential elections appeared to be linked to the Russian troll agency known as the Internet Research Agency (IRA): the operation that concocted a slew of cardboard cutout accounts to churn out divisive blogs.

Nathaniel Gleicher, head of cybersecurity for Facebook, said in a post on Monday that the networks, made up of fake and hijacked accounts, were masquerading as local accounts so as to post political content in the run-up to the 2020 presidential election.

We’ve seen this type of inflammatory, partisan content before, in the 2016 US presidential election: posts about Israel demolishing Palestinian houses, a US Congresswoman calling President Trump racist, Black Lives Matter and other race relations hot-button topics in the US, Iranian foreign policy, and more.

Facebook said that three of the account networks originated in Iran and one in Russia. They targeted a number of different regions of the world: the US, North Africa and Latin America.

It’s not the content that Facebook is taking down, Gleicher stressed. Rather, the platform is taking action based on “inauthentic behavior.” Its policy on misrepresentation, which requires that people connect on Facebook using the name they go by in everyday life, is geared to “create a safe environment where people can trust and hold one another accountable.”


October 23, 2019 »

US nuclear weapons command finally ditches 8-inch floppies

By John E Dunn

Imagine a computer system based on the 1970s-era IBM Series/1 and 8-inch floppy drives and most people would assume you’re describing a museum piece kept alive by enthusiasts.

And yet, such a computer system ranks as one of the most important in the world – so critical in fact that nobody has wanted to change or upgrade it since it was built nearly half a century ago.

It sits in bunkers across the US, part of the command centres that run the country’s nuclear missile deterrent on behalf of the Strategic Automated Command and Control System (SACCS).

Surprised? You shouldn’t be. But what matters is that SACCS finally spies a hardware upgrade as part of a $400 billion, 10-year program to modernise the US’s military nuclear technology.

This program has been public knowledge for a while but a detail that might have escaped public attention is the recently reported intention to ditch 8-inch floppies in favour of a contemporary, presumably encrypted, storage equivalent.


Travel database exposed PII on US government employees

By Danny Bradbury

A property management company owned by hotel chain Best Western has exposed 179 GB of sensitive travel information on thousands of travelers, researchers said this week.

The breach, which exposed the users of many other travel services, also reportedly put sensitive US government employees at risk.

Researchers at vpnMentor, Noam Rotem and Ran Locar, were conducting a large web mapping project, port scanning IP blocks to find vulnerabilities. In a description of the breach, they explained how they stumbled upon an Elasticsearch database running on an AWS instance. The database was completely unsecured and unencrypted, they said.

After some digging, the researchers found that the database belonged to Autoclerk, which sells server- and cloud-based property management software. In August 2019, Best Western Hotel & Resorts Group bought the company to add Autoclerk’s software to its own technology stack, making it easier for its property management systems to talk to the central reservation systems used by travel agents.

The database contained information from third-party travel and hospitality platforms that used Autoclerk to communicate with each other and exchange data. 

The researchers said:

The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected 1,000s of people across the globe, with millions of new records being added daily.


Storing your stuff securely in the cloud

By Maria Varmazis

How much of your stuff goes into the cloud? Probably a lot more than you realize.

Not just your files, photos, videos, but also your app settings, notes, reminders, and if you use a password manager, possibly your password vault too.

If you work in any kind of collaborative organization – from corporate life to family life – you probably do a lot of work in shared online documents that you pass around, maybe even share the credentials. I’m not here to wag a finger at you, this is just reality for many of us. What’s important is to understand the risks in what we’re doing and what we can do to mitigate them.

As the saying goes, the cloud is just someone else’s computer. So the risk with storing things in the cloud is that you’re giving up your own local control over your files. This means there is a risk, however small, that someone else can access them, maliciously or accidentally.

Some examples of unauthorized entrants can include:

  • An attacker who hacks their way into the cloud server where your files are stored
  • An employee of that cloud company who has more access to customers’ files than they should
  • A colleague who has since left your organization, but still has access to your files

Maybe that former colleague doesn’t care about being able to access their old files, or perhaps they’ve gone on to work for a competitor. Maybe that attacker is only able to gain access to a bunch of old Word documents you’ve forgotten about, or perhaps they’ve found an unencrypted collection of all your financial passwords.


Vatican launches smart rosary – complete with brute-force flaw

By Danny Bradbury

At some point, most software developers have probably hit ‘run’, crossed their fingers and prayed, but last week the Vatican took it to a whole new level. It released its new digital rosary – complete with show-stopping logic bug.

Deciding that the 21st century might be a nice place to visit, the Vatican started by testing out this whole wearable technology thing with an electronic rosary. It’s called the Click to Pray eRosary and it targets “the peripheral frontiers of the digital world where the young people dwell.” (The Vatican News actually talks like this.)

Traditional rosaries are meditative beads that you use to count off multiple prayers, and they’ve been around since at least the 12th century, according to scholars. Wearable as a bracelet, the new electronic version, released on 15 October, springs into life when users activate it by stroking its touch-sensitive cross.

The $110 device syncs with Click to Pray, which is the official prayer app of the Pope’s Worldwide Prayer Network. It tracks the user’s progress as they work through different sets of themed prayers. Oh, it also tracks your steps, too, for those that want to exercise both body and soul.

Unfortunately, it seems that holy software developers are as fallible as the rest of us. Two researchers noticed flaws with Click to Pray that divulged sensitive information.

In a blog post last Friday, Fidus Information Security exposed a brute-force flaw in the app’s authentication mechanism. It lets you log in via Google and Facebook – no problem there – but it’s the alternative that caused the issue: access with a four-digit PIN.

When a user resets their account using Click to Pray’s app, it uses an application programming interface (API) to make the request to the server, which then sends the PIN to the user’s email. The server also returns the PIN in its response to the API request, meaning that someone accessing the API directly could get the user’s PIN without having access to their email.


Woman ordered to type in iPhone passcode so police can search device

By Lisa Vaas

An Oregon appeals court last week decided that a woman who was high on meth when she crashed into a tree, seriously injuring one adult and five children passengers, can be forced to unlock her iPhone.

It’s not a violation of her Fifth Amendment rights against self-incrimination, the court said on Wednesday, because the fact that she knows her phone passcode is a “foregone conclusion.” Oregon Live reports that the court’s rationale is that police already had reason to believe that the phone in question is hers, given that they found it in her purse.

The foregone conclusion standard keeps cropping up in these compelled-unlocking cases. It allows prosecutors to bypass Fifth Amendment protections if the government can show that it knows that the defendant knows the passcode to unlock a device.

The woman in question, Catrice Cherrelle Pittman, was sentenced to 11 years in prison in March 2017.

According to court documents, Pittman was 27 at the time she drove off the road and into a tree in June 2016.

She pleaded guilty to second-degree assault, third-degree assault and driving under the influence of intoxicants (DUII). Prosecutors had wanted to use evidence from Pittman’s iPhone to help them build a case that she was also allegedly dealing meth, but that charge was later dismissed.


Google chief warns visitors about smart speakers in his home

By Lisa Vaas

Apparently caught off-guard by a question from the BBC, Google hardware chief Rick Osterloh made up a privacy etiquette rule on the spot last week when he said that yes, homeowners should tell guests that they’ve got smart speakers running in their homes.

At any rate, that’s what he does, he said.

Here’s his reported response after being asked whether homeowners should tell guests about smart devices, such as a Google Nest speaker or an Amazon Echo display, being in use before they enter a building:

Gosh, I haven’t thought about this before in quite this way.

It’s quite important for all these technologies to think about all users… we have to consider all stakeholders that might be in proximity.

After a bit of mulling, Osterloh said that the answer is yes, and that he himself discloses the use of the always-listening devices, which record conversations when they hear their trigger words… or by something that more or less sounds like one of their trigger words. Or by a burger advertisement. Or, say, by a little girl with a hankering for cookies and a dollhouse.

Not only should a homeowner disclose the presence of the devices, Osterloh said. The devices themselves should also – “probably” – let people know when they’re recording:

Does the owner of a home need to disclose to a guest? I would and do when someone enters into my home, and it’s probably something that the products themselves should try to indicate.

“Probably?” One would imagine that Google learned about the necessity of its gadgets disclosing their surveillance when it went through prolonged discussion of such questions with regards to whether its Google Glass always indicated that it was capturing images.

Back in 2014, before Google Glass got taken out of the running as a consumer product, Google went on the defensive with a list of “Google Myths”. Google would have had us believe that Glass would indicate that it’s on and recording by virtue of its green camera-on light.


October 21, 2019 »

Mind your own business! CEOs who misuse data could end up in jail

By Danny Bradbury

CEOs who lie about misusing consumers’ data could face up to 20 years in jail under a new piece of US legislation proposed last week.

The Mind Your Own Business Act, authored by Senator Ron Wyden, would jail top executives for 20 years if their companies were found lying about misusing citizens’ information.

The legislation follows a draft version known as the Consumer Data Protection Act, released for consultation on 1 November 2018.

The bill requires companies to submit annual data protection reports confirming that they’ve complied with the regulations, and explaining any shortcomings. This applies to any companies holding data on more than 50m people, or over a million people if they make more than $1bn in revenue.

The CEO or chief privacy officer must personally certify that annual report. If they deliberately certify something that isn’t true, then the courts can fine them up to $5m, or a quarter of the largest payment they received from the company across the last three years. They can also face up to 20 years in prison.

Companies would have to describe to consumers what information they were collecting and what they were going to do with it. They would also have to provide a site that enables consumers to opt out of any personal data collection, either through a web form or an application programming interface (API) which would let them do this via a piece of software, like a mobile app.


Phishy text message tries to steal your cellphone account

By Paul Ducklin

Lots of people still think of phishing as a type of scam that arrives by email.

That’s because most phishing attacks do, indeed, arrive in your inbox – sadly, spamming out emails is cheap and easy for crooks, and it delivers results simply because of the volume they can achieve.

But phishing isn’t only about email – it’s a scamming technique that applies to every form of electronic messaging, including social media, instant messaging…

…and even, or perhaps especially, good old SMS texts.

One of the delightful simplicities of SMS is that it was designed back when mobile phones first came out, and thus when network bandwidth was limited.

So SMSes are short, simple, and text-only, and this stripped-down nature actually makes them ideal for crooks.

Messages sent via SMS typically use a brief and direct style, which means crooks don’t need to master the grammatical niceties of English to create believable texts.

The brevity of SMSes also means that shortened or unusual-looking URLs are commonplace, so we’re more inclined to accept them than we would be if they showed up in an email.


Some Android adware apps hide icons to make it hard to remove them

By John E Dunn

Uninstalling an Android app caught pushing adware is normally simple to deal with – click and drag it to the top right of the screen and into the trash can.

App gone, ideally followed up with a public-spirited one-star rating on the Google Play store to alert others to its bad behavior.

But what happens if there’s no home screen or app tray icon?

New research by SophosLabs has discovered 15 apps on Google Play that install without icons as part of a campaign to keep themselves on the user’s device.

The motivation is to keep pushing obtrusive ads for as long as possible. But for some of the apps, the evasion doesn’t stop with disappearing icons.

For example, Flash On Calls & Messages (1 million installs since January 2019) tries to convince users it never installed properly in the first place.

When first launched, users are greeted with the message “This app is incompatible with your device!” The app then opens the Play store and navigates to the page for Google Maps to distract users from the nature of this failure.


Bitcoin money trail leads cops to ‘world’s largest’ child abuse site

By Lisa Vaas

US, British and South Korean police announced on Wednesday that they have taken down Welcome To Video: a Darknet market that had what the US Department of Justice (DOJ) says is the world’s most voluminous offerings of child abuse imagery.

The DOJ called this the largest market for child sexual abuse videos, and said that this is one of the largest seizures of this type of contraband. The 8 terabytes’ worth of child sexual abuse videos, which are now being analyzed by the National Center for Missing and Exploited Children (NCMEC), comprise over 250,000 unique videos, 45% of which contain new images that weren’t previously known to exist.

The global crackdown, which has so far led to the arrest of 337 alleged users and the indictment of the website’s admin, has led to the rescue of at least 23 victims living in the US, Spain and the UK. The DOJ says that the minors were actively being abused by site users.

The admin of Welcome to Video, who was indicted on Wednesday, is Jong Woo Son, 23, a South Korean national who was previously charged and convicted in South Korea. He’s now serving his sentence in South Korea.

The global dragnet has scooped up 337 alleged site users who’ve been arrested and charged worldwide: throughout the US, the UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia. About 92 individuals’ homes and businesses in the US have been searched.

Five search warrants issued in the Washington, D.C. metropolitan area have led to the arrests of eight people suspected of both conspiring with Jong Woo Son and of being website users themselves. The DOJ says that two suspected users committed suicide after the search warrants were executed.


Much-attacked Baltimore uses ‘mind-bogglingly’ bad data storage

By Lisa Vaas

Many staffers in the IT department of the much-hacked US city of Baltimore have been storing files on their computers’ hard drives – as in, they haven’t kept properly backed-up data, stored in the cloud or off-site, an audit has found.

The Baltimore Sun reports that Baltimore City Auditor Josh Pasch, who presented his findings last month to a City Council committee, told the committee that because of (outdated and strongly inadvisable) data backup habits, the city hasn’t been able to provide documentation regarding the IT department’s performance goals, which include modernizing mainframe apps.

Some key personnel kept files on their computers – files that were lost in a May 2019 ransomware attack that reportedly involved a strain of ransomware called RobbinHood. The attack partially paralyzed the city’s computer systems.

The Baltimore Sun quoted Pasch:

Performance measures data were saved electronically in responsible personnel’s hard drives. One of the responsible personnel’s hard drive was confiscated and the other responsible personnel’s selected files were removed due to the May 2019 ransomware incident.

The newspaper quoted an alleged exchange between Pasch and City Councilman Eric T. Costello, a former government IT auditor himself:

Costello: That can’t be right? That’s real?

Pasch: One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it.

Costello: Wow. That’s mind-boggling to me. They’re the agency that should be tasked with educating people that that’s a problem.

