March 26, 2020

Apple Safari now blocks all third-party cookies by default

By Lisa Vaas

“The long wait is over,” Apple WebKit engineer John Wilander announced on Tuesday: the latest update to the Safari browser is blocking third-party cookies by default for all users.

Safari 13.1 was released on Tuesday, bringing full cookie blocking and other updates to Apple’s Intelligent Tracking Prevention (ITP) privacy feature. What it means: online advertisers and analytics firms will no longer be able to use our browser cookies to follow us around like bloodhounds as we wander from site to site, tracking and mapping our interests and behavior for whatever profit-motivated, privacy-wrecking purposes they might have.

Is this a big deal? Not really, Wilander said in a post on the WebKit team’s blog, given that previous work has meant that most cookies are already blocked:

It might seem like a bigger change than it is.

But we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.

Safari thus joins other browsers that either plan to or are already blocking third-party tracking cookies by default, including the Tor browser. Mozilla rolled out the privacy enhancement in September 2019, announcing that Firefox would block both tracking cookies and cryptomining by default.


Adobe issues emergency fix for file-munching bug

By Danny Bradbury

Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.

The file-deleting bug, CVE-2020-3808, stems from a time-of-check to time-of-use race condition vulnerability, which arises when the state of a file can change between the moment an application checks it and the moment it acts on it. That allows an attacker to manipulate files on the victim’s system. The company warned:

Successful exploitation could lead to arbitrary file deletion.

To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.
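The check-then-use window described above is easiest to see in code. The example below is added here and is not Adobe’s code or a reproduction of CVE-2020-3808; it assumes a POSIX filesystem and shows a recursive delete written the vulnerable way (re-resolving a path between the check and the use) beside a descriptor-relative version that acts only on the object it inspected, with a constructed directory tree containing a planted symlink.

```python
import os
import stat
import tempfile


def naive_delete_tree(path: str) -> None:
    """Path-based check-then-use: the vulnerable shape.

    os.path.isdir() follows symlinks (the check) and os.listdir() resolves
    the same path a second time (the use).  A symlink planted at `path`,
    or swapped in between the two calls, redirects the recursion into a
    directory the caller never meant to touch.
    """
    if os.path.isdir(path):
        for entry in os.listdir(path):
            naive_delete_tree(os.path.join(path, entry))
        if os.path.islink(path):
            os.unlink(path)
        else:
            os.rmdir(path)
    else:
        os.unlink(path)


def safe_delete_tree(parent_fd: int, name: str) -> None:
    """Descriptor-relative delete: every step acts on the object that was
    inspected, never on a path resolved again from scratch."""
    st = os.lstat(name, dir_fd=parent_fd)      # check, without following links
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(name, dir_fd=parent_fd)       # removes a symlink itself, never its target
        return
    # O_NOFOLLOW: if `name` became a symlink after the lstat, this raises
    # OSError (ELOOP) instead of silently opening the link's target.
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC,
                 dir_fd=parent_fd)
    try:
        st2 = os.fstat(fd)
        # Confirm the object we opened is the one we checked (same dev/inode).
        if (st2.st_dev, st2.st_ino) != (st.st_dev, st.st_ino):
            raise RuntimeError(f"{name!r} changed between check and use")
        for entry in os.listdir(fd):            # listed through the open descriptor
            safe_delete_tree(fd, entry)         # children resolved relative to it
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)            # rmdir never follows a symlink


def demo(hardened: bool) -> bool:
    """Build a constructed tree in which victim/escape is a symlink to a
    sibling directory, delete `victim`, and report whether the sibling's
    file survived.  True means the deletion stayed inside `victim`."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")
        victim = os.path.join(root, "victim")
        os.mkdir(outside)
        os.makedirs(os.path.join(victim, "sub"))
        keep = os.path.join(outside, "keep.txt")
        for p in (keep, os.path.join(victim, "a.txt"),
                  os.path.join(victim, "sub", "b.txt")):
            with open(p, "w") as f:
                f.write("constructed sample\n")
        os.symlink(outside, os.path.join(victim, "escape"))   # the planted link
        if hardened:
            root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
            try:
                safe_delete_tree(root_fd, "victim")
            finally:
                os.close(root_fd)
        else:
            naive_delete_tree(victim)
        return os.path.exists(keep)


if __name__ == "__main__":
    print("hardened keeps outside file:", demo(hardened=True))
    print("naive keeps outside file:   ", demo(hardened=False))
```

The naive routine loses outside/keep.txt even without winning a race, because a symlink that is already in place is enough; the descriptor-relative routine removes only the link.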

Creative Cloud is a subscription-based service that lets users access Adobe’s range of creative software products online, along with some cloud-based services that support them. Users get well-known Adobe titles like Acrobat, After Effects, Dreamweaver, Illustrator, InDesign, and Photoshop. It replaced Creative Suite, which was Adobe’s perpetual-license software.


Hijacked Twitter accounts used to advertise face masks

By Lisa Vaas

As of Tuesday, hijacked Twitter accounts were spewing out hundreds of tweets hawking a dodgy-looking face mask/toilet paper/digital forehead thermometer online store, according to Motherboard’s Vice.

When Vice’s Joseph Cox searched for the masks site on Tuesday, he found what he called a “heavy stream” of other accounts that posted a link to the site. Some at least appeared to have been hijacked, given that they were created years ago and posted what Cox called “relatively normal content” before tweeting out the link to the masks site.

As of Wednesday afternoon, two Twitter accounts were still advertising masksfast[.]us. One of the accounts, created in April 2012, had zero followers and had only ever created one post: the ad for masks that it posted on Tuesday. Another account advertising the (potentially scammy) site hadn’t previously posted anything since July 2019, has only retweeted and has never posted original content, all of which gives off the aroma of a bot network and/or having been hacked away from their rightful account owners.

I reported both accounts to Twitter.

Vice knows for sure that one of the accounts pumping out mask advertising was hijacked, given that the account belonged to one of its own: Motherboard’s Todd Feathers. On Tuesday, the journalist confirmed on Twitter that his account had been hijacked and used to send out direct messages, purportedly about face masks.

Vice found another hijacked account that posted tweets to a website called “Masks 2 U” and which included this message in broken English:

Wearing mask make you away from COVID-19

Motherboard’s Feathers told Vice that about 40 minutes before he logged into Twitter and realized that his account had been hacked, the platform had informed him that his account was last accessed by a computer in Virginia. That doesn’t mean much: whoever took over his account could have been located anywhere.


Apple iOS 13.4 offers fixes for 30 vulnerabilities

By John E Dunn

Apple has just announced its latest something-for-everyone security and feature updates for iOS, iPadOS, macOS, watchOS, and tvOS.

In terms of security, the attention grabber is iOS/iPadOS 13.4, which fixes 30 CVEs. Apple doesn’t rate the severity of vulnerabilities in its advisories, but we can pick out a few highlights from their descriptions.

The following apply to supported devices, namely the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

Kernel bugs

The standout here is CVE-2020-9785, through which a rogue application could execute with kernel privileges, mirroring CVE-2020-3919, an identical-sounding issue connected to the IOHIDFamily.

A third kernel flaw fixed is CVE-2020-3914, information disclosure by reading restricted memory.


As usual, the WebKit browser engine and Safari gave Apple plenty to fix, all bar one of which were found by sources outside the company, including an arbitrary code execution flaw, CVE-2020-3899, credited to Google’s open source fuzzing tool, OSS-Fuzz.

Of the 10 CVEs in WebKit, another four allow arbitrary code execution, including CVE-2020-3901 and CVE-2020-9783, which could be exploited through maliciously crafted web content. The same goes for CVE-2020-3902, in which maliciously crafted content could make possible a cross-site scripting attack.


March 25, 2020

Your unused computer could help find a COVID-19 cure

By Lisa Vaas

Folding@Home, a distributed computing project that’s using its might to battle COVID-19, is now twice as fast as Summit, the world’s fastest supercomputer. In fact, it now has more brawn than the world’s top seven supercomputers – combined.

Folding@home’s director, Dr. Greg Bowman, told Twitter on Friday that the project’s now working with about 470 petaFLOPS in its quest to help scientists better understand how the virus’s proteins fold and bind, and hence find a way to block them from attaching to human cells:

Amazing! @foldingathome now has over 470 petaFLOPS of compute power. To put that in perspective, that's more than 2……

Greg Bowman (@drGregBowman) March 20, 2020

Earlier this month, Oak Ridge National Laboratory (ORNL) announced that IBM’s Summit had joined the coronavirus fight and that it had already found 77 promising small-molecule drug compounds that can be tested for experimental use.

A distributed computing project like Folding@Home works by borrowing PC-owning donors’ idle CPU and GPU cycles. Since February, the community has been working on the computationally heavy work of figuring out how the virus’s proteins bind to cells.

It’s all about blocking those spikes on the outer surface of the virus.

Infection in both COVID-19 (2019-nCoV) and its close cousin, the SARS coronavirus (SARS-CoV), first happens in the lungs when a protein on the surface of the virus binds to a receptor protein on a lung cell.


Hackers target WHO in phishing attack

By Danny Bradbury

A cyberattack that targeted the World Health Organization (WHO) is probably just the tip of the iceberg according to experts reacting to the news this week.

Reuters first broke the news that a hacking group had targeted WHO, which is the UN agency responsible for international public health. It has played a central role in the monitoring and mitigation of the COVID-19 pandemic in recent weeks.

WHO reportedly noticed the hacking attempt in mid-March. It involved an email front end hosted on a phishing domain that tried to lure the agency’s employees into handing over their login credentials.

According to Reuters sources, the attack likely came from Darkhotel, a group that according to MITRE has been active since at least 2004. The group, believed to be based in Southeast Asia, got its name by targeting high-value individuals as they travelled around the world by tracking their hotel bookings via compromised hotel web apps.


Battling the global COVID-19 scammers and fake news hawkers

By Lisa Vaas

Thousands of COVID-19 scam and malware sites are being pumped out on a daily basis: people going online to put up coronavirus scam sites or to sell counterfeit surgical masks; fake self-testing kits for HIV and glucose monitoring; and/or bogus antiviral meds, chloroquine (that’s fish-tank cleaner to me and you, and regardless of what you might have heard, please don’t take it – at least one man has already died), Vitamin C or other food supplements.

Law enforcement around the globe is fighting the good fight to limit how many people’s brains these burrs hook their barbs into.


On Friday, the pandemic-afflicted state of New York, governed by COVID-19 savvy lawmakers, let it be known to domain registrars that it’s high time they cracked down on this health-threatening trend.

The office of New York Attorney General Letitia James sent letters – here’s one sent to GoDaddy – to six of the internet’s largest domain name registrars, asking them how they plan to protect New Yorkers and others across the country from these scams by making it tougher to register a domain that’s likely to be selling snake oil, inflicting malware or setting up whatever other trap the crooks have been rushing to put into place.

The letter was penned by the AG Office’s Kim A. Berger, Chief of the Bureau of Internet and Technology.

New York has already taken action to shut these guys down, Berger noted. For example, earlier this month, the AG ordered conspiracy theorist Alex Jones to stop peddling fake coronavirus cures.


Windows has a zero-day that won’t be patched for weeks

By John E Dunn

Cybercriminals are exploiting two unpatched zero-day flaws affecting all supported versions of Windows, Microsoft has warned.

The Remote Code Execution (RCE) vulnerabilities affect Adobe Type Manager (ATM) Library, the part of Windows that manages PostScript Type 1 fonts.

For now, there are no CVE identifiers and the only confirmed details are in Microsoft’s warning:

Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library and is providing the following guidance to help reduce customer risk until the security update is released.

Attackers could exploit the flaw by persuading users to open a malicious document. Importantly, however, the same danger would arise even if users viewed that document using the Windows Explorer file manager preview pane.

The latter is significant because, for now, there’s no software fix, which could be as far away as the next Patch Tuesday update, scheduled for 14 April 2020:

Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.

Until then, the only countermeasure is to use one of the recommended workarounds, which involves disabling Explorer’s preview and details panes.


March 24, 2020

Facebook Messenger may ban mass-forwarding of messages

By Lisa Vaas

Facebook Messenger may ban mass-forwarding of messages in an effort to lasso the runaway forwarding of COVID-19 fake news and rumors, it confirmed on Sunday.

Facebook has done this before when its other messaging services have gone berserk with forwarding hysterical misinformation – misinformation that led to people getting lynched in the fake-news crisis that seized India, Myanmar and Sri Lanka in 2018.

India was torn apart as rumors spread virally on social media sparked dozens of mob lynchings. Over a period of 18 months, 33 people were killed and at least 99 injured in 69 reported lynchings. At least 18 of those incidents were specifically linked to WhatsApp.

In July 2018, the Facebook-owned company said that it would limit forwarding for everyone using WhatsApp, with the limit being most restrictive in India, where people forward more messages, photos and videos than in any other country in the world. In India, WhatsApp tested a lower limit of 5 chats at once and removed the quick-forward button next to media messages. WhatsApp also imposed a larger limit globally of 20 recipients.

In January 2019, WhatsApp applied the lower limit of five forwarded chats on a global scale.

On Saturday, Jane Manchun Wong, a hacker who reverse-engineers apps, spotted Facebook’s test of a new feature in Messenger: a 5-chat forwarding limit. She tweeted an example of how it might work that she’d found hidden inside the app.


Russia’s FSB wanted its own IoT botnet

By Danny Bradbury

If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.

The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.

Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.

That happened in late 2016. Shortly after, the documents suggest, the FSB decided to get in on the act by commissioning its own botnet that would infect and control connected small-footprint devices. The evidence apparently shows a procurement order from unit 64829, an internal FSB department, for a project put together in 2017 and 2018. The documents reference Mirai, suggesting that the FSB could develop something similar.

BBC Russia, which saw the 12 documents in the dumped cache first hand, said they refer to three variations of the project: Fronton, Fronton-3D, and Fronton-18. Each describes a botnet of infected IoT devices under the FSB’s control.


Feds shut down bogus COVID-19 vaccine site

By Lisa Vaas

A free coronavirus vaccine from the World Health Organization (WHO), for only $4.95 to cover shipping costs?!?

Nah, we didn’t think so, either. On Sunday, the US Department of Justice (DOJ) announced that it shut down what it called a wire fraud scheme being carried out by the operators of a site in order to squeeze profit from the confusion and widespread fear surrounding COVID-19 – by promising to ship coronavirus vaccine kits that don’t actually exist.

Let us state the obvious, or, rather, quote the DOJ’s statement as it states the obvious:

There are currently no legitimate COVID-19 vaccines and the WHO is not distributing any such vaccine.

The site – now offline but available as an exhibit attached to the DOJ’s civil complaint – was offering consumers access to WHO vaccine kits in exchange for a shipping charge of $4.95, which consumers would pay by entering their credit card information on the website.

Per DOJ request, US District Judge Robert Pitman issued a temporary restraining order requiring that the registrar of the scam site – listed as NameCheap in its Whois Record – immediately take action to block public access to it.

The DOJ says that this is its first enforcement action taken against COVID-19 fraud. Dollars to donuts says it won’t be the last, given that we’ve seen plenty of cyberscum trying to make money off of people’s misery and uncertainty.


WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope”

By Paul Ducklin

If you follow @NakedSecurity on Twitter, you’ll have noticed that we warned last week about an old WhatsApp hoax that suddenly reappeared.

The bogus news is generally known as the “Martinelli hoax”, because it starts like this:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word.

When we last wrote about “Martinelli”, back in 2018, we noted that the hoax was given a breath of believability because the text above was immediately followed by this:

If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!!

This part of the hoax has a ring of truth to it.

Back in 2016, hoax-checking site Snopes reported that malware dubbing itself WhatsApp Gold was doing the rounds.

The fake WhatsApp was promoted by bogus messages that claimed, “Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.”

So, WhatsApp Gold was actual malware, and the advice to avoid it was valid, so the initiator of the Martinelli hoax used it to give an element of legitimacy to their otherwise fake warning about the video.


March 23, 2020

Cisco issues urgent fixes for SD-WAN router flaws

By John E Dunn

Cisco has patched a clutch of high-priority vulnerabilities in its SD-WAN routers and their management software that admins will want to apply as soon as possible.

SD-WAN is a technology that allows large companies to manage different types of Wide Area Network (WAN) communications links such as carrier MPLS, conventional broadband, and mobile 4G as a single virtual entity.

Making SD-WAN work requires specific routers that support it, spread out across the WAN, as well as management software to interact with this infrastructure. It is this software that is vulnerable.

There are five CVEs in total, three of which are rated high, including one, CVE-2020-3266, given a CVSS severity score of 7.8.

The latter is a privilege escalation vulnerability in the SD-WAN management software used with a range of Cisco routers, including the vEdge 100 Series, 1000 Series, 2000 Series, 5000 Series, and Cloud Router.


Tour guide/Chinese spy gets four years for SD card dead drops

By Lisa Vaas

A naturalized US citizen who was working as a tour guide in San Francisco has been sentenced to four years in prison for being a Chinese spy.

Last Tuesday, 56-year-old Xuehua (Edward) Peng, also known as Edward Peng, was sentenced in US District Court in San Francisco and ordered to pay a $30,000 fine for acting as an agent of the People’s Republic of China’s Ministry of State Security (MSS).

The MSS instructed an agent – a double agent working for the FBI, as it turns out – to dead-drop SD cards full of classified data at various hotels. (“Dead drop” is spy-speak for techniques to pass information or items between two individuals using a secret location, so they never meet, to thereby keep the lid on the operation.)

What classified information was on those cards, and from what government agency, private business or government contractor was it copied? The US isn’t saying.

According to the criminal complaint, Peng’s undoing started in March 2015, when the FBI planted its double agent in the MSS. The double agent met with MSS intelligence officers and handed over classified information relating to US national security, for which he was paid.

At one point, the spy bosses told the double agent that they had a new way to pass classified information: on an SD card, stuck in a book, wrapped in a bag addressed to “Ed”, and left at the front desk of a hotel in Newark, California.

Ed’s reliable, he’s got family in China, and he’s had business dealings in China, the MSS agents told the FBI mole.

Peng pleaded guilty in November 2019. According to his plea agreement, Peng, who lives in Hayward, California, admitted that in March 2015, a Chinese official introduced himself while Peng was on a business trip to China. The official – whom Peng eventually figured out was working for the MSS – asked Peng to use his citizenship in the US to assist the official with “matters of interest” to the PRC.


Stolen data of company that refused REvil ransom payment now on sale

By Lisa Vaas

Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.

As if that weren’t bad enough, cyber-intelligence firm Cyble told BleepingComputer that it’s seen the data up for sale on hacking forums.

RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.

Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.

BleepingComputer shared a screengrab of one such hacker forum post that showed a member advertising a link to the stolen data for 8 credits: that’s worth about €2 (USD $2.15, £1.72).

Brooks International is a global professional services firm that says it’s got clients in all industries and sectors. The data dump, if it proves legitimate, will prove highly valuable to cybercrooks, as it contains usernames and passwords, credit card statements, alleged tax information, and far more, according to BleepingComputer.


Firefox is dropping FTP support

By Danny Bradbury

Heads up, Firefox users who rely on FTP: the browser is eliminating support for this venerable protocol.

First written in 1971, the file transfer protocol predates TCP/IP, the protocol stack that underpins the modern internet. In its original form, the protocol is insecure. For example, it transmits login credentials in plain text. In 1999, the IETF published a draft RFC listing its various shortcomings. These included everything from problems in the way it responded to invalid login attempts through to an inability to segment file permissions when using anonymous FTP (which doesn’t require user credentials at all).

Now, Mozilla is planning to turn off FTP by default in version 77 of Firefox, which will ship this June. Users will be able to turn it on again temporarily so that they can carry on using FTP from within the browser. Firefox Extended Support Release (ESR) will continue to have FTP turned on by default in ESR version 78.

The real crunch will come at the start of next year, when Michal Novotny, a software consultant at Mozilla, said that the Foundation will remove FTP code from the browser altogether. He added:

We’re doing this for security reasons. FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources.

Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.


Trolls ZoomBomb work-from-home videocall with filth

By Lisa Vaas

With so much of the world self-isolating, physically distancing themselves from others and remotely working from home, people are flocking to remote-work apps such as Microsoft, Slack and Zoom – anything that can make them feel connected by teleconference or videoconference.

Well, hang on to your hats, hosts: before you set up meetings, you need to know how to block the trolls. Specifically, if you’re using the Zoom videoconferencing app to connect people, you need to configure meetings so your participants don’t wind up connecting to the closest receptacle as their guts suddenly start to churn.

I’m talking about ZoomBombing: a new form of trolling in which asshats use Zoom’s screensharing feature to scorch other viewers’ eyeballs with the most revolting videos they can find, be they violent, pornographic, or a mixture of multiple revolting ingredients into a bile-rising cocktail.

As TechCrunch reports, on Tuesday, WFH Happy Hour – a popular daily public Zoom call hosted by The Verge reporter Casey Newton and investor Hunter Walk – got ZoomBombed. Dozens of attendees were suddenly exposed to disturbing imagery when a troll entered the call and screenshared a brain-scorching fetish video along with other “horrifying” sexual videos, Josh Constine reports.


March 20, 2020

Location-tracking wristbands required on all incoming travelers to Hong Kong

By Lisa Vaas

Welcome to Hong Kong, traveler, and to the mandatory, Disney MagicBand-esque tracking wristband we’re about to slap onto your potentially infectious arm.

The city-state had already been requiring arrivals from mainland China to self-isolate at home for 14 days. But as the area undergoes a COVID-19 resurgence, mostly brought in by travelers coming from European, US and Asian countries, it’s now enforcing the quarantine on all incoming travelers, with the wristbands helping to ensure that they adhere to movement restrictions.

The government announced on Monday that starting at midnight on Thursday (19 March), it was planning to put all arriving passengers under a two-week quarantine and medical surveillance.

On Wednesday evening, Government Chief Information Officer Victor Lam told reporters at the airport that the Privacy Commissioner for Personal Data had been consulted about the technology and had assured everybody that it won’t threaten people’s privacy.

CIO Lam:

The app will not capture, directly, the location. It will only capture the changes in location, especially the telecommunication signals around the confinee, to ensure that he’s staying at home.

Hong Kong confirmed 16 new cases of coronavirus on Thursday, bringing the city’s total to 208, according to the South China Morning Post. The new cases – 11 men and five women, aged 19 to 51 – had traveled to Europe, Britain and/or Canada. Hong Kong’s chief executive, Carrie Lam, said that of the 57 new cases Hong Kong recorded in the past two weeks, 50 were travelers from overseas.


COVID-19 disruption delays release of Chrome version 81

By John E Dunn

It’s the COVID-19 shortage nobody expected – not toilet rolls, tinned goods or headache pills this time but Google software engineers.

It’s a problem that many believe explains the abrupt decision by Google to delay the release of Chrome 81, the stable version of which was scheduled to start appearing on users’ computers on 17 March.

This was a bit of a shock – pulling the release of a browser version so late in the day is highly unusual, especially when the Chrome developers’ Twitter account had reportedly already announced its arrival in a now-deleted tweet.

The same delay applies for future Chrome versions, which should have appeared roughly every five weeks after that. Said the brief note from the Chrome Release Team:

Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases. Our primary objectives are to ensure Chrome continues to be stable, secure, and work reliably for anyone who depends on them.

The phrase “adjusted work schedules” is not surprising given that the company last week ordered many employees to work from home to enable social distancing to cope with COVID-19.


Exchange rate service’s customer details hacked via AWS

By Danny Bradbury

Online exchange rate data provider Open Exchange Rates has exposed an undisclosed amount of user data via an Amazon database, according to a notification letter published on Twitter this week.

Open Exchange Rates provides foreign exchange data for over 200 currencies worldwide, including digital ones. Software developers can access it using an application programming interface (API). It lets software applications query the Open Exchange Rates service, which delivers their results back in a machine- and human-readable format, JSON.

The company runs its service in the Amazon Web Services (AWS) cloud. Unfortunately, this was the focus of a breach that started on 9 February 2020, the company said in a notification that it sent to customers on 12 March. Linux and open source engineer Sylvia van Os tweeted the notification:


Sylvia van Os (@SylvieLorxu) March 12, 2020

This incident is different from many of the AWS-based exposures we report here because it wasn’t due to a public database or S3 bucket exposure. In those incidents, organizations publish information on the web for all to see, usually through database or cloud misconfiguration. Instead, this appears to have been a targeted attack.

Open Exchange Rates explained that it started getting complaints about its API performance on 2 March, which it tracked to a misconfiguration in its network. While fixing the issue, it found that an unauthorized account had been tampering with its AWS environment. According to the letter, the intruder used a compromised secure access key.


Delayed Adobe patches fix long list of critical flaws

By John E Dunn

Notice anything missing from last week’s Microsoft Patch Tuesday?

Obscured by a long list of Microsoft patches and some fuss about a missing SMB fix, the answer is Adobe, which normally times its update cycle to coincide with the OS giant’s monthly schedule.

It’s mostly a practical convenience – admins and end-users get all the important client patches at once, which includes Adobe’s ubiquitous Acrobat and Reader software.

And yet March’s roster was Adobe-less. This week the company made amends, issuing fixes for an unusually high count of 41 CVE-level vulnerabilities, 21 of which are rated critical.

It’s not clear what caused the delay although it might simply be their number and the need to finalize patches before making them public.

The two patching hotspots are the 22 CVEs in Photoshop and 13 in Acrobat and Reader.

Of these, 16 uncovered in Photoshop/CC for Windows and macOS are rated critical compared to a more modest 9 in Acrobat and Reader.

That said, Reader is ubiquitous on Windows and Macs, which is why admins will probably zero in on those as the top priority.


Facebook accidentally blocks genuine COVID-19 news

By Lisa Vaas

Fake news, bogus miracle cures: Facebook has been dealing with a lot, and COVID-19 isn’t making it any easier.

Like many other companies, Facebook is trying to keep its employees safe by allowing them to opt for working remotely, so as to avoid infection.

But when humans are taken out of the content moderation loop, it might suggest that automated systems are running the show. Facebook is denying that a recent content moderation glitch has anything to do with workforce issues, but it’s also saying that automated systems are to blame for being overzealous in stamping out misinformation.

On Tuesday, Guy Rosen, Facebook’s VP of Integrity, confirmed user complaints about valid posts about the pandemic (among other things) having been blocked by mistake by automated systems:

We’ve restored all the posts that were incorrectly removed, which included posts on all topics - not just those rel……

Guy Rosen (@guyro) March 18, 2020

On Wednesday, a Facebook spokesperson confirmed that all affected posts have now been restored. While users may still see notifications about content having been removed when they log in, they should also see that posts that adhere to community standards are back on the platform, the spokesperson said.

Facebook says it routinely uses automated systems to help enforce its policies against spam. The spokesperson didn’t say what, exactly, caused the automated systems to go haywire, nor how Facebook fixed the problem.


Cryptojacking is almost conquered – crushed along with

By Danny Bradbury

Cryptojacking may not be entirely dead following the shutdown of a notorious cryptomining service, but it isn’t very healthy, according to a paper released this week.

Cryptomining websites embed JavaScript code that forces the user’s browser to begin mining for cryptocurrency. The digital asset of choice is normally Monero, which is often used in cybercrime because of its enhanced anonymity features.

Some cryptomining sites sought the visitor’s permission to co-opt their browser, often in exchange for blocking ads. Others did it surreptitiously (which is what we call cryptojacking). Either way, one name kept cropping up in these cases: Coinhive.

Coinhive provided Monero cryptomining scripts for use on websites, retaining 30% of the funds for itself. It showed up on large numbers of cryptomining and cryptojacking sites. Researchers tracked them with a tool called CMTracker.

Monero underwent a hard fork and its price plummeted. This contributed to Coinhive shuttering its service in March 2019, claiming that falling prices made it economically unviable.

Given Coinhive’s popularity, how prevalent is cryptojacking now? That’s what researchers at the University of Cincinnati and Lakehead University in Ontario, Canada explored in their paper, called Is Cryptojacking Dead after Coinhive Shutdown?

The researchers checked 2,770 websites that CMTracker had previously identified as cryptomining sites to see if they were still running the scripts. They found that 99% of sites had ceased activities, but that around 1% (24 sites) were still operating with working scripts that mined cryptocurrency. Manual checks on a subset of the sites found that a significant proportion (11.6%) were still running Coinhive scripts that were trying to connect to the operation’s dead servers.
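The kind of check the researchers describe, re-visiting a page and looking for a still-present mining script, can be approximated offline. The following is an added example, not code from the article, CMTracker or the paper: it parses HTML and flags `<script>` tags loaded from a miner-serving host, or inline scripts that instantiate the miner object. Only the Coinhive host is taken from the article; the second host entry, the inline marker names and both sample pages are constructed for this example and would need to be replaced with an organisation's own indicator list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator lists (constructed for this example). Coinhive is named in the
# article; the second host and the inline API names are assumptions.
MINER_SCRIPT_HOSTS = {"coinhive.com", "miner.example-placeholder.test"}
MINER_INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")


def _host_matches(host: str) -> bool:
    """True when host is an indicator host or a subdomain of one."""
    return host in MINER_SCRIPT_HOSTS or any(
        host.endswith("." + h) for h in MINER_SCRIPT_HOSTS
    )


class MinerScanner(HTMLParser):
    """Collects findings for external and inline browser-mining scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # External script: compare the source host against the indicator list.
            host = urlparse(src).hostname or ""
            if _host_matches(host):
                self.findings.append(f"external miner script: {src}")
        else:
            # Inline script: buffer its text until the closing tag.
            self._in_script = True
            self._script_text = []

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            text = "".join(self._script_text)
            for marker in MINER_INLINE_MARKERS:
                if marker in text:
                    self.findings.append(f"inline miner call: {marker}")


def scan_html(html: str) -> list:
    """Return a list of human-readable findings; empty means nothing matched."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages: one still carrying a miner, one clean.
PAGE_WITH_MINER = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body>hello</body></html>"""

PAGE_CLEAN = """<html><head><script src="/static/app.js"></script>
<script>console.log('no mining here');</script></head></html>"""

if __name__ == "__main__":
    for name, page in (("miner", PAGE_WITH_MINER), ("clean", PAGE_CLEAN)):
        print(name, scan_html(page))
```

A page that matches only the external-script rule is the "dead server" case the researchers describe: the script tag is still there, but whether it mines depends on whether the host still answers, which this offline check deliberately does not test.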


NIST shared dataset of tattoos that’s been used to identify prisoners

By Lisa Vaas

In 2017, the Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) lawsuit looking to force the FBI and the National Institute of Standards and Technology (NIST) to cough up info about Tatt-C (also known as the Tattoo Recognition Challenge): a tattoo recognition program that involves creating an “open tattoo database” to use in training software to automatically recognize tattoos.

For years, the EFF has been saying that developing algorithms that the FBI and law enforcement can use to identify similar tattoos from images – similar to how automated facial recognition systems work – raises significant First Amendment questions. The thinking goes like this: you can strip out names and other personally identifiable information (PII) from the tattoo images, but the images themselves often contain PII, such as when they depict loved ones’ faces, names, birthdates or anniversary dates, for example.

As part of the Tatt-C challenge, participating institutions received a CD-ROM full of images to test the third parties’ tattoo recognition software. That dataset has 15,000 images, and most were collected from prisoners, who have no say in whether their biometrics are collected and who were unaware of what those images would be used for.

Since 2017, when the EFF used a FOIA lawsuit to get at the names of the participating institutions, it’s been trying to find out whether the entities realize that there’s been no ethical review of the image collection procedure, which is generally required when conducting research with human subjects.

On Tuesday, the EFF presented a scorecard with those institutions’ responses.

The results: nearly all of the entities that responded confirmed that they’d deleted the data. However, 15 institutions didn’t bother to respond, or said “You can count us as a non-response to this inquiry”, to a letter sent by the EFF in January.


March 18, 2020 »

VMware patches virtualisation bugs

By Danny Bradbury

Virtualisation company VMware patched two bugs this week that affected a large proportion of its client-side virtual machines (VMs).

VMware made its name offering server virtualisation products that recreate server hardware in software, allowing admins to run many virtual servers on the same physical box at once. Most ‘type one’ server hypervisors, including VMware’s, run directly on the bare metal instead of an installed operating system.

The company also has another strand to its business, though: ‘type two’ hypervisors that enable people to run guest operating systems in virtual machines (VMs) on their client devices, too. These let you run Windows or Linux on a Mac, for example. They work differently, running on top of the client operating system as applications, meaning that you don’t have to replace your core operating system to run VMs.

Finally, its desktop virtualisation system, called Horizon, puts the whole desktop environment on a server so that users can access it from anywhere.

Between them, these bugs affect all of these services in some way. CVE-2020-3950, which VMware gives a CVSS v3 score of 7.3, affects version 11 of Fusion, its type 2 hypervisor for Macs. It’s a privilege elevation vulnerability stemming from the improper use of setuid binaries (setuid is a *nix mechanism that lets users run certain programs with elevated privileges). It also affects two other programs for the Mac: versions 5 and prior of the Horizon client that lets Mac users log into virtual Horizon desktops, and version 11 and prior of the Virtual Machine Remote Console that lets Mac users access remote virtual machines.


Uber to file federal suit against LA over users’ real-time location data

By Lisa Vaas

Uber is poised to file a federal lawsuit over Los Angeles’s demands for real-time location data of its users, demands that the company (as well as privacy advocates and, presumably, state law) considers privacy-invading.

Uber provided an embargoed draft of the lawsuit, which a spokesperson said the company will file later this week.

Uber had already threatened to sue the city in October 2019 after the LA Department of Transportation (LADOT) instituted data demands on ride-hailing, scooter/bike-sharing companies. Uber wound up delaying that suit as it tried to hash things out with the city. LADOT suspended Uber’s permit, but it still allowed Uber to operate its scooters during the discussions.

Uber had presented a compromise: we’ll give you location data, but only 24 hours after trips start and stop, it proposed. That will give LADOT data to use for traffic planning, but it won’t affect user privacy, Uber said. As well, it would, at least potentially, give the company at least a small window of time in which to challenge a specific LADOT request, which is impossible to do when the city demands data in real-time.

According to its federal lawsuit, that wasn’t good enough for LADOT. Uber’s counsel said in the suit that they suspect that the proposal merely galled LADOT. At any rate, on 25 October 2019, LADOT suspended Uber-owned JUMP’s permit and ordered its bikes and scooters off the streets lest they be swept up by the city’s trash collectors.

What’s so special about real-time data, unless – this is Uber’s speculation – perhaps for surveillance purposes?

This isn’t an answer – LADOT hasn’t been able to give one – but in general, LA wants the data for a new data standard called the Mobility Data Specification (MDS).

MDS is based on a standard set of application programming interfaces (APIs) through which mobility companies are required to provide real-time information about how many of their vehicles are in use at any given time, where they are at all times, their physical condition, anonymized trip start and stop times, destinations, and routes, among other data. Besides LA, other cities now using MDS to collect data to manage their own dockless vehicles include Seattle; Austin and San Jose in Texas; Santa Monica, CA; Providence, RI; and Louisville, KY.


DDoS attack on US Health agency part of coordinated campaign

By John E Dunn

Just because a website offers critical public information about the COVID-19 virus pandemic doesn’t mean Distributed Denial of Service (DDoS) attackers won’t be out to get it.

It’s a point underscored by the news that on Sunday cybercriminals attempted to disrupt the US Department of Health and Human Services (HHS) website using an unidentified flood of DDoS traffic.

The HHS site is one of the first ports of call for US citizens looking for a range of health information, including HHS announcements and links to COVID-19 updates from the Centers for Disease Control and Prevention (CDC).

It seems attackers – later described by officials as a “foreign actor” – twigged its importance too.

According to a Bloomberg report, the attack slowed the site but didn’t cause it to go offline. DDoS attacks come in different sizes and types and it’s not been revealed which methods were used beyond the fact the attacks lasted for hours.

HHS spokesperson Caitlin Oakley told Bloomberg:

On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter.

These days, DDoS attacks are not the potent weapon they once were, primarily because large websites are protected by a newer generation of defenses trained on a number of large attacks that hijacked a widening range of protocols.


Human traffickers use social media oversharing to gain victims’ trust

By Lisa Vaas

Does your life suck?

If so, like many of us, you may have posted about your money troubles, your low self-esteem, or your relationship problems on social media or dating sites. But while it may feel good to vent, and while such posts may garner sympathy that can soothe the pain, the FBI is warning that human traffickers are attracted to the details of our misery like bees to honey.

On Monday, the FBI’s online crime division – the Internet Crime Complaint Center (IC3) – issued a warning that human traffickers are increasingly using online platforms, including popular social media and dating platforms, to recruit and to advertise sex trafficking victims.

They’re also increasingly harvesting personally identifiable information (PII) by putting up fake job listings, the IC3 warned in January, and are recruiting labor trafficking victims who are “bought, sold, and smuggled like modern-day slaves,” the FBI says:

Human trafficking victims are beaten, starved, deceived, and forced into sex work or agricultural, domestic, restaurant, or factory jobs with little to no pay.

Many of us in the US unknowingly encounter trafficking victims as we go about our days, the FBI says, given that both the perpetrators and their prey come from all backgrounds and work in all areas. The bureau says that victims have been recovered in rural areas, small towns, the suburbs, and large cities.

Have you gotten an offer from somebody who said they were recruiting for a job? Or perhaps they claimed to be a modeling agent? Those are some of the fronts that traffickers hide behind, the FBI says, and it often starts with online grooming as they offer opportunities for a better life or a better job.

Human traffickers target vulnerable individuals by preying on their personal situations. Online platforms make it easier for traffickers to find potential victims, especially those who post personal information, such as their financial hardships, their struggles with low self-esteem, or their family problems.

Human traffickers target and recruit their victims by appearing to offer help, or pretending to be a friend or potential romantic partner. They leverage their victims’ vulnerabilities and coerce them to meet in person. After establishing a false sense of trust, traffickers may force victims into sex work or forced labor.

As the FBI warned in August 2019, it’s also seen an increase in recruitment of money mules through dating sites.


March 17, 2020 »

Slack fixes account-stealing bug

By Danny Bradbury

Slack has fixed a bug that allowed attackers to hijack user accounts by tampering with their HTTP sessions. The flaw could have allowed attackers to pilfer users’ cookies, giving them full account access. They could also have automated those attacks at scale, said the researcher who discovered it, Evan Custodio.

The bug uses a sneaky trick called HTTP smuggling, which takes advantage of how back-end servers process requests using this protocol. Browsers use HTTP to ask web servers for pages and other resources. Those requests generally go through multiple servers. A front-end proxy server might send it to one of several back-end servers, for example. The front-end server often serves as a clearinghouse for requests from different browsers, meaning that different peoples’ sessions with web applications mingle in the same traffic stream.

The problem lies in the way that HTTP communications announce themselves. This announcement, known as an HTTP header, has to tell the server where the request ends. It does this in one of two ways.

The first uses a Content-Length header that tells the server how many bytes long the request is. The second uses a Transfer-Encoding: chunked header. This tells the server that the content comes in chunks, which end with a zero-sized chunk.

An HTTP request is only supposed to use one of these headers, but HTTP smuggling attacks use both of them to confuse the front-end and back-end servers. The idea is to make each server process the request differently.

Custodio discovered that Slack was susceptible to a variant of the HTTP smuggling attack called CLTE, in which the front-end server uses the Content-Length header while the back-end server uses the Transfer-Encoding one. Each header specifies a different amount of content to process, causing the front-end server to process more content than the back-end one.
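To make the CL.TE disagreement concrete, here is an added example (not code from the article or from Custodio’s research) that parses one constructed request twice: once the way a front end honouring Content-Length would, once the way a back end honouring Transfer-Encoding: chunked would. The leftover bytes differ, which is the desynchronisation the article describes. It also shows the check a front end should apply: a request that defines its body length in two ways is ambiguous and is refused rather than forwarded. The request bytes, host name and function names are all assumptions made for this example.

```python
"""Constructed CL.TE demonstration plus the defensive check (reject ambiguity)."""


def split_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers dict, remaining bytes).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return request_line, headers, rest


def body_by_content_length(raw: bytes):
    """Front-end view: the body is exactly Content-Length bytes; return (body, leftover)."""
    _, headers, rest = split_head(raw)
    n = int(headers.get("content-length", "0"))
    return rest[:n], rest[n:]


def body_by_chunked(raw: bytes):
    """Back-end view: the body is a chunked sequence ending at the zero-sized chunk."""
    _, headers, rest = split_head(raw)
    body = b""
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";", 1)[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            # Zero-sized chunk ends the body; skip any trailer lines up to the blank line.
            eol = rest.index(b"\r\n", pos)
            while eol != pos:
                pos = eol + 2
                eol = rest.index(b"\r\n", pos)
            pos = eol + 2
            return body, rest[pos:]
        body += rest[pos:pos + size]
        pos += size
        if rest[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        pos += 2


def is_ambiguous(headers: dict) -> bool:
    """A request carrying both length mechanisms has no single correct body boundary."""
    return "content-length" in headers and "transfer-encoding" in headers


def accept_request(raw: bytes):
    """Front-end policy: return the body for an unambiguous request, None for an ambiguous one."""
    _, headers, _ = split_head(raw)
    if is_ambiguous(headers):
        return None
    if "transfer-encoding" in headers:
        return body_by_chunked(raw)[0]
    return body_by_content_length(raw)[0]


# Constructed request: Content-Length covers all 13 remaining bytes, while the
# chunked encoding ends after the zero-sized chunk and leaves "SMUGGLED" behind.
AMBIGUOUS = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print("front end (CL):", body_by_content_length(AMBIGUOUS))
    print("back end  (TE):", body_by_chunked(AMBIGUOUS))
    print("policy decision:", accept_request(AMBIGUOUS), accept_request(CLEAN))
```

The two parsers agree on the clean request and disagree on the ambiguous one: the front end sees a single 13-byte body, while the back end sees an empty body followed by 8 stray bytes that it will treat as the start of whatever request next arrives on the shared connection. Refusing the request at the front end, as `accept_request` does, removes the disagreement before it can reach the back end.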


Tor browser fixes bug that allows JavaScript to run when disabled

By John E Dunn

The Tor browser has fixed a bug that could have allowed JavaScript to execute on websites even when users think they’ve disabled it for maximum anonymity.

The Tor Project revealed the issue in the release notes for version 9.0.6, initially suggesting users manually disable JavaScript for the time being if the issue bothered them.

That was subsequently revised after the NoScript extension – used by Tor to control the execution of JavaScript, Java, Flash and other plugins – was updated to version 11.0.17.

Whether the issue matters depends on how users have configured Tor to treat JavaScript.

Tor’s ‘standard’ setting enables JavaScript by default, which users can upgrade to either ‘safer’, which disables JavaScript on non-HTTPS sites, or ‘safest’, which disables JavaScript completely.

Each setting has its pros and cons. Leaving JavaScript enabled opens users to the hypothetical risk that their anonymity might be compromised, for example using a vulnerability in the underlying Firefox browser.


WordPress to get automatic updates for plugins and themes

By John E Dunn

If WordPress had a list of the most requested features, the ability to automatically update plugins and themes would surely be near the top.

Some good news: according to a recent development update, the ability to do this is now being beta-tested in the form of a new plugin for WordPress 5.5, due in August.

WordPress itself, the Content Management System Core, has had auto-updating since version 3.7 in 2013, which meant that security updates could be applied automatically.

Given the number of attacks exploiting WordPress vulnerabilities in the years leading up to that change, it was a big moment.

Unfortunately, the same wasn’t true of that other area of WordPress exposure, namely plugins and themes.

Whereas many years ago such add-ons were viewed as optional for most sites, these days many have become essential additions that add important capabilities to WordPress sites.

Vulnerabilities in these now generate a steady stream of stories:

We didn’t cherry-pick these – all of these were from 2020.


Europol busts up two SIM-swapping hacking rings

By Lisa Vaas

After months-long, cross-border investigations, Europol announced on Friday that it’s arrested more than two dozen people suspected of draining bank accounts by hijacking victims’ phone numbers via SIM-swap fraud.

Following a ramp-up in SIM-jacking over recent months, police across Europe have been gearing up to dismantle criminal networks that organize these attacks, Europol says.

That growth mirrors what’s happening in the US: In October, the FBI warned that bad guys were getting around some types of two-factor authentication (2FA). The easiest – and, therefore, the most common – way to sneak past 2FA is SIM-swap fraud, where an attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number or plants malware on a victim’s phone, thereby allowing them to intercept 2FA security codes sent via SMS text.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.


March 16, 2020 »

Microsoft patches wormable Windows 10 ‘SMBGhost’ flaw

By John E Dunn

What’s the difference between a scheduled security update and one that’s out-of-band?

In the case of the critical Windows 10 Server Message Block (SMB) vulnerability (CVE-2020-0796) left unpatched in March’s otherwise bumper Windows Patch Tuesday update, the answer is two days.

That’s how long it took Microsoft to change its mind about releasing a fix after news of the remote code execution (RCE) flaw leaked in now-deleted vendor posts and word spread to customers. It even gained a nickname – ‘SMBGhost’ – in honor of its elusive status.

It wasn’t simply that word had slipped out about an unpatched flaw but the seriousness of the flaw itself, with one of the leaked advisories describing it as ‘wormable,’ in other words able to spread very rapidly.

Seeing double

To a lot of people, that sounded eerily similar to the wormable SMBv1 vulnerability exploited by the global WannaCry and the NotPetya attacks in 2017.

The SMB protocol is widely used for connecting printers and for network file sharing, so the possibility of a repeat alarmed admins. As Microsoft said:

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server.

(There’s more on possible exploit scenarios in the detailed analysis from SophosLabs.)

After initially suggesting partial workarounds – disabling SMBv3.1.1 compression on servers and blocking port 445 using firewalls – Microsoft has now issued a patch, KB4451762.


Report calls for web pre-screening to end UK’s child abuse ‘explosion’

By Lisa Vaas

A UK inquiry into child sexual abuse facilitated by the internet has recommended that the government require apps to pre-screen images before publishing them, in order to tackle “an explosion” in images of child sex abuse.

The No. 1 recommendation from the independent inquiry into child sexual abuse (IICSA) report, which was published on Thursday:

The government should require industry to pre-screen material before it is uploaded to the internet to prevent access to known indecent images of children.

While most apps and platforms require users (of non-kid-specific services) to be at least 13, their lackluster age verification is also undermining children’s safety online, the inquiry says. Hence, recommendation No. 3:

The government should introduce legislation requiring providers of online services and social media platforms to implement more stringent age verification techniques on all relevant devices.

The report contained grim statistics. The inquiry found that there are multiple millions of indecent images of kids in circulation worldwide, with some of them reaching “unprecedented levels of depravity.”

The imagery isn’t only “depraved”; it’s also easy to get to, the inquiry said, referring to research from the National Crime Agency (NCA) that found that you can find child exploitation images within three clicks when using mainstream search engines. According to the report, the UK is the third greatest consumer in the world of the live streaming of abuse.

The report describes one such case: that of siblings who were groomed online by a 57-year-old man who posed as a 22-year-old woman. He talked the two into performing sexual acts in front of a webcam and threatened to share graphic images of them online if they didn’t.


Open source bugs have soared in the past year

By Danny Bradbury

Open source bugs have skyrocketed in the last year, according to a report from open source license management and security software vendor WhiteSource.

The number of open source bugs sat steady at just over 4,000 in 2017 and 2018, the report said, having more than doubled the number of bugs from pre-2017 figures that had never before broken the 2,000 mark.

Then, 2019’s numbers soared again, topping 6,000 for the first time, said WhiteSource, representing a rise of almost 50%.

By far the most common weakness enumeration (CWE – a broad classifier of different bug types) in the open source world is cross-site scripting (XSS). This kind of flaw accounted for almost one in four bugs and was the top for all languages except C. This was followed by improper input validation, buffer errors, out-of-bound reads, and information exposure. Use after free, another memory flaw, came in last with well under 5% of errors.

WhiteSource had some harsh words for the National Vulnerability Database (NVD), which it said only contains 84% of the open source vulnerabilities that exist. It adds that many of these vulnerabilities are reported in other places first and only make it into the NVD much later.


Senate bill would ban TikTok from government phones

By Lisa Vaas

On Thursday, two US senators introduced a bill that would ban all federal employees from using the Chinese singing/dancing/jokey platform on government phones.

The bill comes from Senators Josh Hawley (R-MO) and Rick Scott (R-FLA). It would expand on current TikTok bans from the State Department, the Department of Homeland Security (DHS), the Department of Defense (DoD), and the Transportation Security Administration (TSA).

The bans have been put in place due to cybersecurity concerns and possible spying by the Chinese government.

A statement from Hawley:

TikTok is owned by a Chinese company that includes Chinese Communist Party members on its board, and it is required by law to share user data with Beijing. The company even admitted it collects user data while their app is running in the background – including the messages people send, pictures they share, their keystrokes and location data, you name it. As many of our federal agencies have already recognized, TikTok is a major security risk to the United States, and it has no place on government devices.

TikTok’s many attempts to smooth it all over

TikTok has tried to soothe US fears about censorship and national security risks, including a reported plan to spin TikTok off from its parent company.

In November 2019, Vanessa Pappas, the general manager of TikTok US, wrote that data security was a priority, reiterating what TikTok has repeatedly claimed: that all US user data is stored in the US and that TikTok’s data centers are located “entirely outside of China.”

That and other attempts to allay concerns came after the US opened a national security review of TikTok owner Beijing ByteDance Technology Co’s $1 billion acquisition of the US social media app in 2017. ByteDance combined with a Chinese app called Douyin and put it under a new brand: TikTok. As of November 2019, the Committee on Foreign Investment in the United States (CFIUS) was probing the app for possible national security risks.


EARN IT Act threatens end-to-end encryption

By Lisa Vaas

While we’re all distracted by stockpiling latex gloves and toilet paper, there’s a bill tiptoeing through the US Congress that could inflict the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years.

At least, that’s the interpretation of digital rights advocates who say that the proposed EARN IT Act could harm free speech and data security.

Sophos is in that camp. For years, Naked Security and Sophos have said #nobackdoors, agreeing with the Information Technology Industry Council that “Weakening security with the aim of advancing security simply does not make sense.”

The first public hearing on the proposed legislation took place on Wednesday. You can view the 2+ hours of testimony here.

Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), the bill would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.

To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites aren’t liable for user-submitted content.


Homeland Security sued over secretive use of face recognition

By Lisa Vaas

The American Civil Liberties Union (ACLU) is suing the Department of Homeland Security (DHS) over its failure to cough up details about its use of facial recognition at airports.

Along with the New York Civil Liberties Union, the powerful civil rights group filed the suit in New York on Thursday. Besides the DHS, the suit was also filed against US Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and the Transportation Security Administration (TSA).

The ACLU says that the lawsuit challenges the secrecy that shrouds federal law enforcement’s use of face recognition surveillance technology.

Ashley Gorski, staff attorney with the ACLU’s National Security Project, said in a release that pervasive use of face surveillance “can enable persistent government surveillance on a massive scale.”

The public has a right to know when, where, and how the government is using face recognition, and what safeguards, if any, are in place to protect our rights. This unregulated surveillance technology threatens to fundamentally alter our free society and is in urgent need of democratic oversight.

The ACLU had filed Freedom of Information Act (FOIA) requests to find out how the agencies are using the surveillance technologies at airports – requests that the agencies ignored.

In its suit, the ACLU demands that the agencies turn over records concerning:

  • Plans for further implementation of face surveillance at airports;
  • Government contracts with airlines, airports, and other entities pertaining to the use of face recognition at the airport and other ports of entry;
  • Policies and procedures concerning the acquisition, processing, and retention of our biometric information; and
  • Analyses of the effectiveness of facial recognition technology.

As the ACLU’s complaint tells it, in 2017, CBP began a program called the Traveler Verification Service (TVS) that involves photographing travelers during entry or exit from the country.

