Repairs & Upgrades

June 18, 2018 »

SHOCK! HORROR! SURPRISE! Bitcoin priceplosion may have been market manipulation

By Lisa Vaas

Last year’s meteoric rise in the value of Bitcoin and other cryptocurrencies might well have been artificially inflated, according to a paper released on Wednesday by University of Texas finance professor John Griffin and graduate student Amin Shams.

The suspected culprit: people using Tether, one of the most-traded cryptocurrencies, to buy bitcoin when the price dips:

Tether seems to be used both to stabilize and manipulate Bitcoin prices.

Bitcoin hit a 16 December 2017 peak of $19,343 before it bumped and thumped on down to USD $6,591.94 (the current price as of writing).

That’s a massive deflation, but it’s looking like the inflation itself might have been based on little besides hot air and market manipulation. According to Griffin, the drive up to nearly $20,000 was likely manipulated by coordinated purchases of bitcoin when they were selling low at exchanges. And according to the New York Times, Griffin knows what he’s talking about: he has a history of spotting financial fraud.

The paper, which attempts to causally determine if price manipulation is taking place, suggests that a concentrated campaign may account for half of last year’s spiked cryptocurrencies prices.


Apple iPhone’s USB Restricted Mode gives Feds a cracking headache

By John E Dunn

Apple thinks it has restricted a bypass that allowed companies working with agencies such as the FBI to gain access to locked iPhones.

According to Reuters, a forthcoming software release – probably iOS 12 in September – will block all communication through the lightning port if the phone hasn’t been unlocked for an hour.

Under the new ‘USB Restricted Mode’, which is already at the beta stage in iOS11.4.1, only power charging will be possible after that.

This has been mentioned before but the timescale of one hour is dramatically shorter than the one week mooted when the story raised its head a month ago.

On the face of it, a small tweak, but almost certainly enough to severely limit the use of tools from companies such as Grayshift and Cellebrite, which are believed to depend on a USB port connection to attack Apple’s security.

It recently emerged that Grayshift’s GrayKey is a small box with an Internet connection and two Lightning cables sticking out of it – images on the Internet show as much.

These connect to two iPhones at a time and somehow instigate what must be a brute force of the passcode – essentially trying lots of options until the correct one is found.

This would be a simple process if it weren’t for onerous time restrictions Apple has built into iPhones that limit the rate at which incorrect guesses can be made.

Another factor is the length of the passcode with informed reports suggesting days being needed where a passcode of six digits is being attacked.


Football app tracks illegal broadcasts using your microphone and GPS

By Lisa Vaas

Are you watching an illegal broadcast of a Spanish football game? Are you sure?

Spanish football league La Liga is asking, because, it says, it’s losing about 150 million euros a year (USD $173.5m) when venues illegally broadcast matches, which…

…translates into direct damage for clubs, operators and fans, among others.

… and which is why it started turning on the microphones and GPSes of Android users of its mobile app, La Liga said in an updated privacy policy posted on Monday.

It’s asking users for their explicit consent to turn on the new, eavesdroppy-feeling function, which captures the binary code of audio fragments. The “sole purpose” of the new function is to figure out if Android users are watching football matches of competitions “disputed” by La Liga teams, it said. In other words, nobody’s ever going to access the content of the recordings, La Liga promised.


The $99 digital padlock that kept crooks out… for 2 whole seconds

By Paul Ducklin

Imagine if you could walk up to your bicycle, unlock it within two seconds, and ride off without grubbing in your pocket for keys, without spinning a combination dial with cold, wet hands, and without fiddling around with a mobile phone app to tell the lock to open.

What if you could just swipe your finger over the lock and open it as easily as you unlock your mobile phone with its fingerprint scanner?

Well, Canadian company Tapplock sells a product that not only works that way, but also boasts “unbreakable design”.

Admittedly, the small print on its website ultimately tones that punchy claim down to say “virtually unbreakable”, but the Tapplock is certainly pitched as a secure product.

Tapplock claims that unlocking takes just 0.8 seconds, and that up to 500 different fingerprints can be registered with the lock, making it suitable for even the most extended family.

Those cool features are supposed to be what makes the Tapplock cost a bullish $99 – big money for a padlock.


“Hey, Cortana, did Patch Tuesday fix a serious lock screen bug?”

By Maria Varmazis

This month’s Patch, er sorry, Update Tuesday includes fixes for 50 high-impact vulnerabilities in Microsoft Windows – 11 of which were rated Critical and 39 Important.

The majority of the Critical bugs patched in this update affect the Edge browser, while most of the Important bugs belonged to Windows 10.

One of the more interesting Windows 10 fixes in this update was a Cortana bug (CVE-2018-8140) that allowed an attacker to bypass the Windows lock screen entirely, accessing private data on the machine, and even running executables.

An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions.

It’s worth noting that Cortana is automatically enabled on the default settings for Windows 10, including the lock screen. With about 150 million people using Cortana today, by Microsoft’s estimates, this vulnerability could affect a lot of people (although an attacker needs to be near enough to a vulnerable machine for it to hear them, obviously).

Apple fanboys would do well to remember that Siri is no stranger to lock screen bugs should they be tempted to throw any stones from the comfort of their glass houses!

Thankfully, there’s now a patch. If you aren’t planning to patch any time soon you can disable Cortana access on the lock screen.


June 14, 2018 »

Google locks out extensions that don’t come from its Chrome Web Store

By Lisa Vaas

As of Tuesday, 12 June, Google started on a phase-out of Chrome extensions that come from third-party websites. In the coming months, that means that extensions have got to either hit the Chrome Web Store or hit the highway.

It’s about time, many will say – third-party extensions cause too many headaches.

Extensions Platform Product Manager James Wagner said in an announcement on the Chromium blog that inline extensions (i.e., those from third-party sites) are far more likely to cause Chrome users problems than the ones they get from the Chrome Web Store:

When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation.

Here’s the timeline:

  • Starting on Tuesday 12 June 2018, inline installation was made unavailable to all newly published extensions. Extensions first published on that day or later that attempt to call the chrome.webstore.install() function will now automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.
  • Starting 12 September 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
  • In early December 2018, the inline install API method will be removed from Chrome 71.

Wagner advised developers who distribute an extension using inline installation that they’ll have to update install buttons on their websites to link to their extension’s Chrome Web Store page prior to the stable release of Chrome 71.


Tech pioneers: new copyright law a step towards an internet of surveillance and control

By Lisa Vaas

You’re throwing a monkey wrench into the internet with all this copyright zeal.

That’s essentially what the people who created the internet said in a letter to the president of the European Parliament in regards to Article 13 of the EU Copyright Directive.

The letter (PDF), posted on Tuesday, was signed by a who’s who of internet somebodies that included the inventor of the World Wide Web, Tim Berners-Lee; Wikipedia co-founder Jimmy Wales; and internet pioneer Vint Cerf. Together with a slew of other experts, they warn that:

[Article 13] takes an unprecedented step towards the transformation of the internet, from an open platform for sharing and innovation, into a tool for the automated surveillance and control of its users.

What is Article 13?

The article’s mouthful of a name is article 13 of the Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market. Its purpose is to reshape copyright law for the internet age.

It wants to make service providers that “store and provide to the public access to large amounts of works or other subject-matter uploaded by their users” responsible for enforcing copyrights through measures such as “effective content recognition technologies.”

The service providers shall provide rightholders with adequate information on the functioning and the deployment of the measures, as well as, when relevant, adequate reporting on the recognition and use of the works and other subject-matter.

…zzzzz…. Oh, excuse me, I fell asleep while typing. But while it all sounds dry and legalistic, the foes of Article 13 fear that its goal of “[preventing] the availability” of protected works suggests that service providers will need to adopt technology that can recognize and filter work created by someone other than the person uploading it.


FBI arrests 74 in global Business Email Compromise takedown

By John E Dunn

Finally, after years of laughing in the face of a growing list of mainly SMB victims, Business Email Compromise (BEC) criminals appear to have taken one on the chin.

In an FBI action dubbed Operation WireWire, 42 people accused of being involved in BEC have been arrested in the US, plus a further 29 in Nigeria, and one each in Canada, Mauritius and Poland.

These numbers alone make it one of the biggest cybercrime busts ever recorded and that’s without factoring in $16.4 million of fraudulent wire transfers recovered during the operation.

What is BEC? In short: it’s a bit like phishing but without the fake website. Employees at predominantly small companies are contacted – often through spoofed email addresses but also by phone – by criminals impersonating suppliers or customers and conned into wiring money to them.

Its victims tend to be SMBs without lots of financial checks but also individuals conducting certain kinds of high-value transactions, for example people buying houses through a realtor or estate agent.

Once the money has been transferred, it’s incredibly unlikely that much, if any, of it will ever be seen again.  With transfers that are initiated by the victim, there is no comeback and insurance is out of the question. As US Attorney General Jeff Sessions put it:

Fraudsters can rob people of their life’s savings in a matter of minutes.

Or of large sums of money that put entire businesses in peril.

Overshadowed by better-publicized crimes such as ransomware, BEC has surreptitiously grown into one of the most dangerous methods of cybercrime targeting SMBs.

The biggest problem is that, up until now, very little has been done about it. Between 2013 and 2015 losses reported to the FBI’s Internet Crime Complaint Center (IC3) totalled $1.2 billion, a lot of money by any standards.


MP gets 600 rape threats in a night, wants an end to online anonymity

By Lisa Vaas

Two years ago, Jess Phillips, Labor MP for Birmingham Yardley, joined others to launch #Recl@im the Internet: a campaign based on the Reclaim the Night effort to enable women to walk freely at night without the fear of being attacked.

After Phillips launched the campaign, she spent a bank holiday playing in the garden with her kids. But while she was enjoying her holiday, Twitter’s bilge pumps went into turbo-drive, resulting in some 5,000 abusive tweets.

There were the initial poison arrows from the troll ringleaders, followed by the troll-lettes that dogpiled on. As she told the BBC’s Victoria Derbyshire at the time, many of the messages threatened rape. Many others said that Phillips wasn’t worthy of being raped, as if rape was something attackers would only do to someone they liked.

The rate of sewage flow was quite high. Fast-forward to the 2018 Cheltenham Science Festival this past weekend, where Phillips said that she received 600 rape threats in one night and was threatened with violence and aggression every day.

Two years ago, Phillips said that she intended to contact Twitter about the ringleaders of the dogpile. More recently, she has stressed that legal action, be it civil or criminal, is the best way to attack the abusers. Phillips told The Metro that she contacted the police, who’ve issued harassment orders against two individuals for “constantly emailing me with bile and abuse.”

That’s not enough, however. The MP wants the social platforms to join the fight: she said at the weekend conference that she wants trolls to more or less be stripped of their anonymity online. At least, they’d have to disclose their identities to companies such as Facebook and Twitter, but they could still post messages anonymously.


Serious Security: How three minor bugs make one major exploit

By Paul Ducklin

More insecure webcams! Inattention to IoT security! Who would have thought?

Unfortunately, cybersecurity still seems to sit way down in Nth place for many vendors when they start programming their latest and greatest Internet of Things (IoT) devices.

In this case, the bugs are in a family of webcams – and not just any old webcams, but security webcams.

In other words, the very product you bought to protect you from real-world crooks plundering your warehouse at night could be the gateway for cybercrooks to plunder your network at any time.

This story, published by researchers at IoT security company VDOO, documents a sequence of security holes in various Foscam products.

Note. These bugs were responsibly disclosed by VDOO, and quickly fixed by Foscam, so that updates were ready before the details you see below were made public. In other words, the story is now safe to tell on educational grounds: the more we revisit security basics, the more likely we are, collectively, to get them right in the future.

It’s a fascinating reminder of how crooks can combine vulnerabilities that seem unimportant or unexploitable on their own into an “attack chain” that ultimately lets them take over a device entirely.

VDOO’s own post has the full technical details, but here’s our own high-level version.

By the way, we’ve added a fourth vulnerability, which we’ve given the number zero – a design decision that made things worse overall.


6 million cards compromised in Dixons Carphone breach – act now!

By Matt Boddy

In what could be the largest data breach since the GDPR came into effect, Dixons Carphone has revealed what it’s calling an “attempt to compromise 5.9 million [credit or debit] cards”, and a leak of “1.2m records containing non-financial personal data, such as name, address or email address”.

Dixons Carphone – a large European electrical and telecommunications company that owns familiar brands like Dixons, Currys, PC World and Carphone Warehouse – has only revealed vague details about the breach so far, but of the 5.9 million cards compromised:

  • 5.8 million are protected by Chip and PIN.
  • 105,000 non-EU issued cards are not protected by Chip and PIN.

The ICO (Information Commissioner’s Office) have issued a statement saying:

An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.

If you’re a Carphone Warehouse customer, there is good news and bad news.

Let’s start with the good news.

The risk to the owners of the 5.8 million affected payment cards protected by chip and PIN is lowered because crooks will likely need additional data in order to use them to make transactions. According to Dixons Carphone:

The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

That being said, there has also been a loss of personal data which could include contact details for the individuals affected by the card theft.

Now the bad news.

The data that has been stolen makes it much easier for crooks to acquire the rest of the information they need to use your Chip and PIN credit card.


June 13, 2018 »

Florida skips gun background checks for a year after employee forgets login

By Lisa Vaas

In Florida, the site of recent mass shootings such as at the Stoneman Douglas High School and the Pulse nightclub, more than a year went by in which the state approved applications without carrying out background checks. This meant the state was unaware if there was a cause to refuse a license to allow somebody to carry a hidden gun – for example, mental illness or drug addiction.

The reason is dismayingly banal: an employee couldn’t remember her login.

The login is for the FBI’s background check database, or National Instant Criminal Background Check System (NICS).

The database was created in 1993 by the FBI and the US Bureau of Alcohol, Tobacco, Firearms and Explosives. States and firearm retailers can use it to check on the criminal and mental health history of those who want to buy a firearm, including their histories in other states. The database flags applicants who’ve served more than one year in prison, have been convicted of drug use in the past year, are undocumented immigrants, were involuntarily committed or deemed to have a “mental defect” by a court, or who were dishonorably discharged from the military.

As the Tampa Bay Times reported on Friday, a previously unreported investigation from the Office of Inspector General (OIG) found that the employee in charge of the background checks was rubberstamping applications without checking applicants’ backgrounds.

The investigation found that the Florida Department of Agriculture and Consumer Services stopped using the FBI’s crime database in February 2016 when the employee, Lisa Wilde, couldn’t log in. She was the only one who regularly used the database, with the exception of a mailroom supervisor who was “barely trained” on the system.

It only came to light in late March 2017, when an OIG staffer noticed that she wasn’t receiving concealed weapon license (CWL) applications from anybody who’d been turned down – a situation that was “unusual,” she said. When interviewed, Wilde said that she’d had a login issue with the database but hadn’t followed up to resolve the problem.


Bitcoin value tumbles as hacker’s loot CoinRail cryptocurrency exchange

By Lisa Vaas

Over the weekend, the small South Korean cryptocurrency exchange CoinRail confirmed via Tweet that it had been hacked. On its site, CoinRail explained that 70% of coins/token reserves were moved offline to safe storage in a cold wallet.

Of the 30% of coins that were leaked, CoinRail said that some 80% had been “frozen/withdrawn/redeemed or equivalent”, with the rest under investigation with law enforcement, related exchanges and coin developers.

On Sunday, the price of Bitcoin tumbled 10% to a two-month low, to under $6,700.

By Monday, media outlets including Bloomberg, the Wall Street Journal, Reuters, and the Guardian, put two and two together and came up with a loss of up to $42 million as the Bitcoin drop dragged down the value of other cryptocurrencies.

Here’s Bloomberg’s chart of the sudden drop that coincided with the CoinRail news.


The Google Pixelbook power button is now a 2FA token

By John E Dunn

If you own a Google Pixelbook, intriguing news –  it appears the power button can now double as an alternative to using U2F (Universal 2nd Factor) tokens for two-factor authentication (2FA).

As the name implies, U2F tokens such as the YubiKey are hardware tokens that plug into a USB port to authenticate users who enter a username and password on supported websites.

The U2F protocol (co-developed by Google and others) improves security because an attacker has to have the token in their possession to access an account. Just having the password and username aren’t enough.

It resists phishing too because the token’s private key is cryptographically tied to the website(s) it will be used on, e.g. Gmail. Anyone tricked into visiting the wrong site will find that the token won’t work.

Now, it seems the same – or something approximating it – can be achieved simply with a short press of the power button on a Pixelbook.

Given that the Pixelbook only has two USB-C ports, it’s not hard to see why Google might want to enable the feature for users who begrudge having to use one for a token.

It sounds alien but it seems the feature has been in the works since around the time of the Pixelbook’s launch last September but nobody beyond the developer community noticed.

Enabling the feature involves loading May’s Chrome OS 66.0.3359.203 or later from the stable channel, putting it into developer mode, opening the Chrome OS developer shell and executing the correct command.

The feature must also be enabled as an additional security key via the Google 2-step verification (2SV) account settings, repeating this process for third-party sites that support U2F authentication.

Before we move on to the caveats, this remains an experimental feature, and we don’t recommend enabling it if you’re not experienced at using developer mode and its shell.


Check your router – list of routers affected by VPNFilter just got bigger

By John E Dunn

The VPNFilter router malware, a giant-sized IoT botnet revealed two weeks ago, just went from bad to somewhat worse.

Originally thought to affect 15-20 mostly home/Soho routers and NAS devices made by Linksys, MikroTik, Netgear, TP-Link, and QNAP, this has now been expanded to include at least another 56 from Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

Talos gets this information by trying to determine the models on which VPNFilter has been detected but given the size of that job (affected devices number at least 500,000, probably more) the list is unlikely to be complete.

The updated alert confirms that VPNFilter has the ability to carry out man-in-the-middle interception of HTTP/S web traffic (something that SophosLabs own investigation of the malware concluded was highly likely), which means that it is not only able to monitor traffic and capture credentials but potentially deliver exploits to network devices too.

Home routers have become a big target but malware able to infect so many of them is relatively rare. The last home router scare of this multi-vendor magnitude was probably DNSChanger which took years for anyone to notice, having first emerged in 2007.

As VPNFilter is more potent – there doesn’t seem to be a simple way to detect it for a start – the safest assumption is that owners of any home router from one of the affected vendors should take immediate precautions.


June 11, 2018 »

Google: We won’t cause “overall harm” with our AI

By Lisa Vaas

Google has pledged not to use its powerful artificial intelligence (AI) to create weapons of war, illegal surveillance or to cause “overall harm”. However, new guidelines on the use of AI don’t rule out working with the military.

On Thursday, Sundar Pichai, CEO for Alphabet Inc.’s Google, set out a series of principles about AI at the company.

The announcement follows more than 4,500 Google employees having written a letter in April, calling on the company to get out of the “business of war” and cancel Pentagon work.

Pichai said in Thursday’s post that Google recognizes that its powerful technology “raises equally powerful questions about its use”.

AI is being used for good, he said, citing use cases such as machine-learning sensors being built by higher schoolers to predict the risk of wildfires; farmers using it to monitor their cows’ health; and doctors who are using it to diagnose breast cancer and to prevent blindness.

On the other hand, AI can go in much darker directions, given the bias of the data it’s trained on. The most recent example is that of Norman, MIT Media Lab’s psycho bot, which was fed on enough subreddit death material that it started seeing electrocution and gang-style slayings in Rorschach inkblots that other AIs interpreted as far less blood-soaked.

When an AI gets biased training, it has real consequences outside of the lab: In 2016, Pro Publica released a study that found that algorithms used across the US to predict future criminals – algorithms that come up with “risk assessments” by crunching answers to questions such as whether a defendant’s parents ever did jail time, how many people they know who take illegal drugs, how often they’ve missed bond hearings, or if they believe that hungry people have a right to steal – are biased against black people.


US Government’s biometric database worries privacy advocates

By John E Dunn

It is something few Americans will have likely heard of, but the US Department of Homeland Security’s Homeland Advanced Recognition Technology (HART) is catching the eye of privacy advocates – and not in a good way.

Announced in 2017, on the face of it HART is just a bigger and better version of the DHS’s Automated Biometric Identification System (IDENT), which dates back to the 1990s, before the DHS even existed.

IDENT was built to gather data such as fingerprints and photographs of people entering the US – anyone who’s visited the country as a non-US citizen in the last 15 years or so will be in this database.

Despite sounding similar, HART marks a step change in what such databases can be used for when combined with emerging technologies such as real-time facial recognition and biometrics.

The first upgrade is its projected size that will see it scale to 500 million or more identities, including many more Americans as they cross US borders.

Its data-gathering capabilities will expand too, taking in a wider range of biometric data such as iris scans, palm prints, voice patterns, scars and tattoos and even DNA used to feed a new type of identity built around External Biometric Records (EBRs).

This will be tied to names, addresses, number plates, and every and any documentation officials can add to form a rounded record of every individual the system comes into contact with.

Lurking in the background is what looks like a thinly-veiled ambition to track people in real time through facial and number-plate recognition.

To campaign groups such as the Electronic Frontier Foundation (EFF), HART smacks of an all-encompassing surveillance system that wants to know where people are at all times.


Welcome to the non-neutral net: Day one

By Lisa Vaas

On Friday afternoon, as the time ticked down to Monday’s repeal of net neutrality, the US House of Representatives was 48 votes shy of passing a motion to save it.

So close, but so far away. Monday’s repeal will be anything but surprising.

When the Senate voted in May to restore net neutrality, it passed by a whisper after three Republicans jumped ship to vote with Democrats. The Senate’s attempt was a quixotic effort, given how unlikely it was that the Republican-controlled House of Representatives would approve of rolling back the Federal Communications Commission’s (FCC’s) repeal. Plus, the White House had already made clear that it’s all for scrapping net neutrality.

But pro-net neutrality Representatives never even got the chance to vote on it.

In May, Rep. Mike Doyle (D-PA) filed what’s known as a discharge petition that would force the House to vote on a Congressional Review Act (CRA): a 1996 law that allows Congress to effectively erase certain regulatory actions by a federal agency within 60 congressional days of their enactment. CRA resolutions only require a simple majority to pass the House and Senate, meaning they can’t be filibustered, but they still need the president’s signature.

The signatures on the House motion were still coming in as of Friday, but they stalled at 170. The motion would have needed a majority of 218 representatives to force a House vote again to pass the motion, after which the petition would be sent to the president’s desk and, likely, vetoed.

On Friday, the entire Senate Democratic Caucus wrote a letter to House Speaker Paul Ryan urging him to schedule a vote on the House floor that could preserve broadband regulations.

A spokesperson for Ryan declined to comment when Ars Technica contacted his office, but that’s not surprising: the House’s Republican leadership clearly wasn’t interested in abandoning the party line in order to have the full House vote on a bill to undue FCC Chairman Ajit Pai’s repeal of net neutrality.

…Which is all to say that presumably, come Monday morning, when this article posts, net neutrality will be axed. What might the dawn of a net neutrality-free future hold?


WannaCry hero sinks deeper into trouble as new malware charges filed

By Paul Ducklin

Remember the reluctant WannaCry hero from just over a year ago?

A young man from the UK, known at the time to most people simply as @MalwareTechBlog, registered an internet domain name that was used by WannaCry as a signal to halt its attack.

If the ransomware was able to connect to a specific, weirdly named server, it would let you off and not scramble your files.

If the connection failed (which it inevitably did before the relevant domain name existed), then the ransomware attack went ahead

In short: registering and activating the domain programmed into the virus acted as a sort of kill-switch, turning @MalwareTechBlog into something of a crimefighting cyberhero.

At first, @MalwareTechBlog kept himself out of the limelight, but by the time he went to Las Vegas in August 2017 to attend the massive DEF CON hacker convention, his identity was out: Marcus Hutchins.

Worse still, Hutchins found rather abruptly that he was, as they say, “already known to the police” – indeed, he was arrested at Las Vegas airport shortly before his intended return to the UK, accused of the creation and distribution of banking malware known as Kronos.

Since then, Hutchins pleaded not guilty and was released on bail; he had to stay in the US, of


Facebook bug may have made 14m users’ posts public

By Lisa Vaas

The latest Facebook privacy SNAFU (Situation Normal, All Facebooked Up) is a bug that changed settings on some accounts, automatically suggesting that their updates be posted publicly, even though users had previously set their updates as “private”.

On Thursday, Facebook asked 14 million users to review posts made between 18 May and 22 May: that’s when the bug was changing account settings. Not all of the 14 million users affected by the bug necessarily had their information publicly, mistakenly shared, but best to check.

Facebook Chief Privacy Officer Erin Egan said in a post that as of Thursday, the company had started letting those 14 million people know about the situation. She stressed that the bug didn’t affect anything people had posted before that time, and even then, they could still have chosen their audience like they always have.

Normally, the audience selector is supposed to be sticky: every time you share something, you get to choose who sees it, and the suggestion is supposed to be based on who you shared stuff with the last time you posted. Friends only? Fine, that’s what should be automatically suggested for the next post, and the one after that, until you change it… or a weird little glitch like this pops up.

Egan said that the bug popped up as Facebook was building a new way to share featured items on profiles, like a photo for example. Featured items are automatically set to “public,” so the suggested audience for all new posts – not just these items – was also set to public, she said.

The glitch is now fixed. Facebook also changed the sharing audience back to what affected people had been using before. Facebook’s letting people know, and asking them to doublecheck the fix, “out of an abundance of caution,” Egan said.


Busted by a Facebook ‘friend’ who’s an undercover cop? It’s legal!

By Lisa Vaas

It’s illegal for convicted felons to possess deadly weapons, including handguns.

Which means it isn’t a good idea for them to post photos onto Facebook that show off their Smith & Wesson, or accept friend requests without knowing the requester, given that undercover investigators are in the habit of friending suspects.

And no, a Delaware court has decided, a felon who got caught with incriminating evidence of the aforementioned Smith & Wesson has no expectation of Fourth Amendment protection against the “mistaken trust” he placed when accepting that friend request.

The convict in question is Terrance Everett. As of November 2015, he was on federal probation after being convicted of conspiracy to possess with intent to distribute more than 500 grams of cocaine.

His Facebook “friend” turned out to be Detective Bradley Landis of the New Castle County Police Department in Delaware. Landis had monitored Everett’s Facebook page a few times a week for at least two years, using a fake name and photos on his profile. According to the court decision, it’s unclear what information was available to Landis before he friended Everett, and what was available after the friending.

Either way, on 4 November 2015, Landis saw a photo on Everett’s page that had been posted at 5 am. It showed a nightstand with a number of things on top: a handgun, a Mercedes car key, a large amount of cash, a pay stub, two cell phones and a framed photograph of Everett wearing a black T-shirt and a red necklace.


June 7, 2018 »

Hackable CloudPets pulled from Target, Walmart, Amazon and more

By Lisa Vaas

Most parents likely don’t want their kids’ talking stuffed toys to issue Dalek threats in those non-indoor voices of theirs.

But that’s exactly what happened, thanks to toy maker CloudPets‘ unsecured MongoDB server. The toys allow children to send and receive audio messages via the cloud and an iOS or Android app.

Last year, more than half a million people who bought the Bluetooth-enabled, Internet of Things (IoT), fluffy little suckers had their data and kids’ voice messages exposed.

The email addresses and password information for more than 800,000 accounts were also leaked. In fact, CloudPets users’ data was accessed multiple times by unauthorized parties on multiple occasions and held for ransom.

Now, finally, 16 months later, the toys are being yanked from the online shelves at Walmart, Amazon, eBay and Target.

As Consumer Affairs reports, researchers recently discovered that the security issues in CloudPets still haven’t been fixed, prompting the Electronic Frontier Foundation (EFF) to pen a letter to Walmart, Target, and Amazon, voicing concern that they were still selling the not-so-smart toys.


Oh, the irony! When cybercriminals are rubbish at cybersecurity

By John E Dunn

The Owari DDoS botnet, built by knocking over weakly-secured Internet of Things (IoT) devices, has had a bad week.

The disruption of a botnet is always cause for celebration but it’s the reason behind Owari’s hiccup that might linger longer in the memory.

According to the NewSky Security researchers who compromised it, the botnet’s command and control server was secured with credentials so weak most admins will find themselves doing a double take.

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.

Trying their luck, they discovered:

To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind – Username: root, Password: root.

No brute forcing required, then, but there were other discoveries too, including a table of botnet customers who seemed to have been given similarly weak credentials including “sin/sin”, “packet/packet”, and “logi”/f***”.

Most of the IPs attacked by the botnet appeared to have been rival botnets.

The researchers also discovered a second MySQL database on another IP, also secured using “root/root”.


Norman the AI bot reads Reddit, becomes “psychopath”

By Lisa Vaas

When I looked at the Rorschach inkblot, I saw a giant, as seen from below, as if through a glass ceiling. A normal, well-adjusted artificial intelligence (AI) bot interpreted it as a black and white photo of a small bird.

A psycho bot who’s been trained on Reddit images saw a guy getting pulled into a dough machine. That’s what a bit too much exposure to the darkest subreddits will do to a bot, evidently – there’s nothing quite like an r/ dedicated to watching people die to mangle your wetware.

At any rate, say hello to Norman, a bot that MIT’s Media Lab claims is the “world’s first psychopath AI [artificial intelligence].”

This is what Norman sees when he looks at inkblots. It’s not his fault that he sees a man electrocuted when “normal” AIs see a group of birds sitting on a tree branch. (I see Siamese twin bats connected at the torso/head. Nobody has asked me to train AI, so any people who don’t like bats can relax.)

Rather than the non-gruesome images that most AI is trained on, Norman – named after Norman Bates, the homicidal hotel owner-manager in Alfred Hitchcock’s unforgettable psychological horror Psycho – “suffered from extended exposure to the darkest corners of Reddit,” MIT says.

The point of the Norman project is to present a case study on the dangers of AI gone bad when machine-learning algorithms are fed biased data. MIT says the Norman team trained the AI on image captions from an infamous subreddit whose name it redacted “due to its graphic content,” dedicated as it is to documenting and observing “the disturbing reality of death.”


The Zip Slip vulnerability – what you need to know

By Mark Stockley

Research by security firm Snyk has revealed that thousands of projects may be affected by a serious vulnerability, one so simple you’ll need to put a cushion on your desk before you read any further (in case of involuntary headdesk injury).

As you might guess from its fancy name – Zip Slip – the vulnerability is all about Zip files.

In a nutshell, attackers can create Zip archives that use path traversal to overwrite important files on affected systems, either destroying them or replacing them with malicious alternatives.

Attackers might use that ability to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.

Zip Slip isn’t a problem with the Zip file format though, it’s a bit of bad programming that’s been repeated over and over and over again, in lots of different projects:

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as Stack Overflow.

… [it] can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Unfortunately, that coding faux pas has been committed in multiple software libraries, in multiple languages, which has the effect of spreading it far and wide whilst making it harder to fix.

Software libraries are bits of code that are designed to be included in other software projects. So, not only do the vulnerable libraries need to be fixed, but so does the software that uses those libraries. And, of course, a patch is no good until it’s deployed.

Snyk is maintaining lists of affected projects and libraries on GitHub.


Apple says no to Facebook’s tracking

By John E Dunn

Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites.

Shown during a demo earlier this week at Apple’s WWDC conference by software chief Craig Federighi, this will ask users whether to allow or block web tracking quietly carried out by a certain company’s ‘like’, ‘share’ and comment widgets.

Said a bullish Federighi to loud applause.

We’ve all seen these like buttons, share buttons and comment fields. Well it turns out, these can be used to track you, whether you click on them or not. And so this year, we’re shutting that down.

Facebook wasn’t mentioned verbally, but nobody was left in any doubt about the primary target of the new feature when they read the dialog text used in Federighi’s demo:

Do you want to allow ‘’ to use cookies and website data while browsing []? This will allow ‘’ to track your activity.

Facebook’s chief security officer later tweeted back, testily:

It’s an unexpected turn of events for Apple, a company that normally uses public presentations to tout new features but has recently indulged a bit of rival bashing in ways that hark back to the late 1990s when it was at perpetual loggerheads with Microsoft.


Blocking facial recognition surveillance using AI

By John E Dunn

If Artificial Intelligence (AI) is increasingly able to recognise and classify faces, then perhaps the only way to counter this creeping surveillance is to use another AI to defeat it.

We’re in the early years of AI-powered image and face recognition but already researchers at the University of Toronto have come up with a way that this might be possible.

The principal at the heart of this technique is adversarial training, in which a neural AI network’s image recognition is disrupted by a second trained to understand how it works.

This makes it possible to apply a filter to an image that alters only a few very specific pixels but makes it much harder for online AI to classify.

The theory behind this sounds simple enough, explains the University of Toronto’s professor Parham Aarabi:

If the detection AI is looking for the corner of the eyes, for example, it adjusts the corner of the eyes so they’re less noticeable. It creates very subtle disturbances in the photo, but to the detector they’re significant enough to fool the system.

The researchers even tested their algorithm against the 300-W face dataset, an industry-standard pool based on 600 faces in a range of lighting conditions.

Against this, the University of Toronto system reduced the proportion of faces that could be identified from 100% to between 0.5% and 5%.

However, read the detailed paper published by the team and it becomes clear that there’s still a way to go. For a start, not all image recognition systems work in the same way, with architectures such as the Faster R-CNN offering a much bigger challenge.


Microsoft faces wrath of developers after GitHub acquisition

By Lisa Vaas

It’s official: Microsoft has bought open-source developers’ beloved code-collaboration site, GitHub, for $7.5 billion in stock…

…a figure that basically transfers into ~”free”~ if stock market watchers are reading it right, particularly when it comes to encouraging more of those 28 million GitHub developers to build more cloud applications.

Hello, Microsoft Azure! That’s Microsoft’s cloud computing service, where customers rent digital resources and applications on demand and where, as the Wall Street Journal notes, Microsoft is racing to catch up to industry leader Amazon.

Microsoft says that GitHub developers work on code that sits in 85 million storage spaces, called repositories, used by people in nearly every country, from mega-corporations to wee startups. In other words, it’s an insanely popular, cloud-based Git repository with lots of bells and whistles for managing collaborative, open-source software projects. GitHub offers a free version to developers who commit to sharing code, though it began charging for private storage on the service six months after its launch. It charges corporate customers to host and run software projects: a service that includes security and identity-management features.

Microsoft has come a long way in the past 10 years, since former chief Steve Ballmer called open-source a malignant cancer: the company now says that it’s the most active organization on GitHub, with more than 200 million “commits” – in other words, updates – made to projects.


Google says fix for ‘weird’ 1975 text message bug is on the way

By Lisa Vaas

If you want to see your recent text messages on an Android device in the normal world, you just type “show me my texts” in the Google search bar.

But why be normal? If you want to get weird – as Redditor Krizastro discovered last week – you can also see your Android texts by typing in “”.


It’s like just about the weirdest glitch I have come by.

Krizastro was curious: Were others experiencing the glitch?

They certainly were. At the time of writing, Androids were still glitching out, given that the promised fix hadn’t been rolled out yet. But it gets even weirder…


Facebook defends practice of giving deep data access to device makers

By Lisa Vaas

Thanks to Facebook and its coziness with phone and device manufacturers, setting up your profile so as not to share your personal information is a futile act, according to reports by the New York Times:

Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.

According to Facebook officials, over the past decade – before Facebook apps were widely available on mobile phones – the social network developed data-sharing partnerships with “at least” 60 device makers, including the big ones: Apple, Amazon, BlackBerry, Microsoft and Samsung.

The point of the partnerships was to help Facebook expand and to enable device makers to offer Facebook’s popular features: for example, messaging, “like” buttons and address books.

Now that the scope of the data sharing has been brought to light, questions have arisen about how this jibes with a 2011 consent decree with the Federal Trade Commission (FTC). That decree required that Facebook notify users and receive explicit permission before sharing personal data beyond users’ specified privacy settings.

This practice of sharing data with device makers, sans explicit permission, didn’t come to a screeching halt because of the Cambridge Analytica scandal that erupted in March. The Times reports that most of the partnerships are still in effect, though Facebook started shutting them down in April, during its soul searching on privacy and data practices in the wake of the Cambridge Analytica fiasco.

The scope of how much data Facebook has fumbled over the years, through a diverse collection of data harvesters, continues to expand: initial estimates of data that Cambridge Analytica siphoned off for micro-targeted political ads was in the region of 50 million users.


June 4, 2018 »

Apple lifts two-month ban on Telegram updates in iOS store

By Lisa Vaas

Russia’s official ban of Telegram has spread, CEO Pavel Durov tweeted on Thursday, saying that Apple had been blocking updates to the encrypted messaging app on a global scale since Russian authorities ordered the company to remove Telegram from the App Store in April.

Durov said on his Telegram channel that Apple’s update block meant that some features that were fixed weeks ago – such as stickers – weren’t working correctly under the recently released iOS 11.4.

Apple’s upgrade block also prevented Telegram from complying with General Data Protection Regulation (GDPR) for its European Union users by the 25 May deadline.


Cloudflare mistakes own DNS for DDoS attack

By John E Dunn

When is a DDoS attack not a DDoS attack?

In the case of Cloudflare’s much-vaunted and recently-launched DNS service, the answer is when the company diligently starts blocking a DDoS event which turns out to have been caused by something much closer to home.

Users pointing their DNS resolution at (or at router level on 31 May would have noticed a 17-minute disruption to DNS resolution for all network devices, starting at 17:58 UTC.

Users doing the same from a Windows, Linux or Mac computer would have noticed the same effect but only on that device.

Anyone who had the presence of mind to switch to a different DNS service – the Global Cyber Alliance’s or their ISP’s default, say – would have noticed that website domains were suddenly resolving again. This would have been a good clue that something wasn’t quite right.

A DNS resolver disappearing for that long might indicate some kind of DDoS attack which, given that Cloudflare offers tier-one DDoS mitigation through something called Gatebot, would have to have been pretty remarkable to make any headway.

Cloudflare has now posted a blog in which it admitted it suffered an unusual and rare type of DDoS attack – an imaginary one.

Explained simply, Cloudflare’s Gatebot suddenly started interpreting traffic to (that is, sent to and from its users) as a DDoS attack on its infrastructure.

Whoops! It sounds bizarre at first but, as the company explains, Gatebot normally queries a hard-coded list of IP address ranges to check whether traffic is emanating from Cloudflare or is external.


Facebook faces furious shareholders at annual meeting

By Lisa Vaas

The US Senate had its chance to rake Facebook over the coals. The House of Representatives had its own day-long shake-down.

Last week, it was shareholders’ turn.

On Thursday, at Facebook’s annual meeting, CEO Mark Zuckerberg found himself confronted with a roomful of rebellion as angry activist investors forced what The Guardian reports were votes on six proposals to change the company’s governance or institute other reforms.

The proposals were all voted down, of course, courtesy of what one of those shareholder activists, James McRitchie, called Zuckerberg’s “corporate dictatorship.” McRitchie referred to US President George Washington’s decision to step down as president, telling Zuckerberg to be more like that, not like a certain Russian politician:

Mr. Zuckerberg, take a page from history. Emulate George Washington, not Vladimir Putin.

Zuckerberg doesn’t own the majority of voting shares. Nonetheless, Facebook’s stockholder voting structure allows the CEO to control the majority of votes, given that his shares have 10 times the voting power of regular investors’ shares. Hence, it was a foregone conclusion that Zuck and his board of directors would emerge from the meeting unscathed.

NBC News reported that the doomed proposals included one that called on the company to give all shareholders one vote per share, thus stripping Zuckerberg of his special voting rights.

It didn’t pass. Nothing passed.


Going to Infosec Europe? Grab yourself a goody bag

By Charlotte Williams

Are you making your way to Olympia, London for Infosecurity Europe tomorrow?

If the answer is yes, make sure to come to stand F160 to say hello, and stick around for talks from Sophos and Naked Security experts.

We’ll be presenting on a range of topics, including:

  • Fixing your digital tattoo. Tattoos are permanent, much like the information we post online. A look at the implications this online information, even if you’ve tried to delete it, could have on your security.
  • Hacking Android: How to find out which apps are spying on you. You’ve read his article, and now you’ll have the chance to see Matt Boddy in action.
  • Cryptography explained so you can actually understand it. Paul Ducklin will be using his clear and jargon-free style to explain the often-complicated subject of cryptography, so you can go home and impress your friends and family with it!
  • Steal Bitcoin, mine Monero: is cryptojacking the next ransomware? Criminals have taken a shine to cryptomining recently, but how does it fit into the bigger picture of threats?
  • Have your cloud and eat it too. Straight-talking tips on how to get security right without a load of old-fashioned rules.
  • Are you part of a zombie army? From “smart” home thermostats and refrigerators to lights and cars, there’s great potential to make our lives easier – but there’s also untold risk that these devices can bring to our day to day lives.


Doctor sues patient for $1m over bad online reviews

By Lisa Vaas

A Manhattan gynecologist is suing a patient for $1m over her one-star online reviews, claiming that she has committed defamation and libel and caused him emotional distress.

On Monday, the New York Post reported that the woman, Michelle Levine, has already spent nearly $20,000 defending herself against a suit filed by the physician, Dr. Joon Song of New York Robotic Gynecology & Women’s Health.

The essence of her reportedly lengthy bad reviews, posted to review sites including Yelp, ZocDoc, Health Grades and Facebook, is that the first time she went for an annual checkup, she was charged for it. She claims it was supposed to be free. Also, Levine claimed that the practice performed unnecessary procedures.

Following notice of the lawsuit, Levine took down the reviews.

She told the NY Post that after she found Dr. Song’s practice online in July 2017, she went in for a checkup. A week later, she got the bill:

He billed my insurance company $1,304.32 for the new-patient visit and ultrasound, and I got a bill for $427 that wasn’t covered.

The annual was supposed to be free!


May 31, 2018 »

Forget VPNfilter – here’s BACKLASH, a networking hack from way, way back

By Paul Ducklin

Do you remember the infamous Morris worm that paralyzed the internet back in 1988, or the Christmas Tree worm that hit IBM mainframes in December 1987?

Well, BACKLASH goes back further than both of those – all the way back, indeed, to the 1830s, so it predates even electrical telecommunications, let alone the era of electronics.

Until the first commercial installation of an electrical telegraph by Englishmen William Cooke and Charles Wheatstone in the late 1830s, telegraphy – short for “distant writing” – relied on optical signaling devices.

These devices worked mechanically and typically relayed messages between observers perched in towers, equipped with telescopes.

And it was a on just such a mechanical system, known as the Chappe Telegraph after its French inventor, Claude Chappe, that the BACKLASH vulnerability was exploited in the early nineteenth century.


Nuisance call bosses, get your wallets ready!

By Lisa Vaas

UK’s data protection watchdog, circa 2010: Curse you, nuisance callers! We’re going to fine you up to £500,000 if you break the law!

Nuisance callers: What’s that, you say? Can’t hear you over these rustling bankruptcy declaration papers!

UK’s data protection watchdog, circa 2018: Oh. Hmm. OK, how about this: we don’t fine the companies; we personally fine the companies’ bosses!

That’s the plan that the Department for Digital, Culture, Media and Sport (DCMS) is now mulling. Last week, the data protection watchdog said that it’s only managed to recover a little over half – 54% – of the £17.8 million in fines issued for nuisance calls since 2010, given that companies go into belly-up liquidation mode to slip out from under the fat penalties.

Ofcom, the UK’s communications regulator, estimates that British consumers were pestered with 3.9 billion nuisance phone calls and texts last year.

The DCMS says that over the past two years, the Information Commissioner’s Office (ICO) issued 23 companies more than £1.9m in fines for nuisance marketing. It’s now easier for regulators to fine those who breach the direct-marketing rules, given that the government has forced companies to display their number when calling customers and has increased fines for wrongdoers.

Ofcom data suggests this action is working: complaints to the ICO and Ofcom have fallen for two consecutive years.

But the nuisance-calling firms play whack-a-mole. As it now stands, only the businesses themselves are liable for the fines. Some directors try to escape paying penalties by declaring bankruptcy. Then they scurry off, only to pop up under a different name and start the pestering anew. The DCMS notes that this is illegal: failing to adhere to a ruling can lead to a prison sentence. Also, the UK’s Insolvency Service can disqualify people from boardroom positions for this kind of shenanigan.


California tests digital license plates. Is tracking cars next?

By Lisa Vaas

Alex Roy’s father had a saying:

Anything is possible, but not everything is necessary.

Some would say you could apply this sentiment to the Internet of Things (IoT). You could certainly apply it to the Rplate: “the world’s first digital license plate and cloud app store.”

Yes, now we can add license plates to the pile of “do we really need xyz IoT thing,” which already includes internet-enabled fridges, toasters, washing machines and coffee makers.

Roy, editor of a website called The Drive, points out that contrary to the manufacturer’s claim, the Rplate isn’t the first digital license plate.

But it is, in fact, the one that California is now piloting.

The IoT sitting inside your car’s license plate: what could possibly go wrong? But let’s start with this question: Why?

As the Sacramento Bee reports, California is the first state to adopt the digital plates. A pilot project was launched last week. Sacramento is also scheduled to start testing the plates on some of the cars in the city’s fleet.

The plates will enable those motorists who choose to buy them (the digital plates aren’t required, and they’re certainly not cheap; think in the ballpark of $699, plus installation fees, plus a monthly fee of about $7) to electronically register their vehicles. That means no more stickers that you have to slap onto your plates every year. If the Department of Motor Vehicles (DMV) decides to allow it, the plates will also be able to display personal messages that car owners can change at will.


Despacito YouTube video hack – teenagers charged

By John E Dunn

Web defacement is supposed to be an old-fashioned type of hack, but it probably didn’t look that way to YouTube viewers on 10 April this year.

That was the day a string of popular videos were defaced on the service, including songs by Chris Brown, Shakira, DJ Snake, Selena Gomez, Drake, Katy Perry, and Taylor Swift, many with pro-Palestinian messages and imagery.

The biggest attention-grabber of all was the defacement of Luis Fonsi and Daddy Yankee’s song Despacito – which with more than five billion views ranks as the most-viewed video in YouTube’s history.

The video was only briefly unavailable, but the attack’s brevity seemed insignificant beside the fact that someone had managed to muck around with gold star content on YouTube in front of millions of watchers.

Six weeks on and police in Paris now say they’ve arrested and charged two 18-year-old teens with the attack, named as Nassim B and Gabriel KAB, who allegedly used the online identifiers Prosox and Kurois’h.

How did two teens allegedly deface so many massively popular videos hosted on a company like YouTube?

It soon became clear that the pair had found a way in by hacking a syndication account operated by Vevo, which is owned by Warner Music Group, Universal Music Group and Sony Music Entertainment, with YouTube itself having a 7% stake.


May 30, 2018 »

Facebook to be blocked in Papua New Guinea for one month

By Lisa Vaas

Who are these people who hide behind fake Facebook accounts? …Who uploads porn? …Who spread fake news? And how does it affect people’s security? …Their productivity? …Their well-being, or lack thereof?

One inquiring Communication Minister wants to know, and he’s planning to shut down Facebook for a month to get some answers as he tries to better enforce Papua New Guinea’s (PNG’s) 2016 Cyber Crime Act.

The Post Courier reported on Monday that PNG Communications Minister Sam Basil plans a month-long Facebook block that will give his department and the southwestern Pacific country’s National Research Institute a chance to research how people are interacting with the social network.

The Post Courier quoted the Communications Minster:

The time will allow information to be collected to identify users that hide behind fake accounts, users that upload pornographic images, users that post false and misleading information on Facebook to be filtered and removed.

This will allow genuine people with real identities to use the social network responsibly.

Basil and his department haven’t yet determined the timing on the ban, but as The Guardian reports, he’s been raising concerns about Facebook for a while.

There’s the privacy issue, for one. Last month, Basil told the agencies under him to do some research in order to advise him on how to protect the privacy of Facebook users in PNG.

That directive followed the revelation that Facebook apps were vampire-ing the personal data of millions of users and sending it to data-analytic firms such as Cambridge Analytica.

That leak was the first in what’s turning into a river: the Cambridge Analytica revelations were followed by news of similar leakage to Cubeyou and myPersonality.

Basil closely followed the aftermath, when first the US Senate and then the House of Representatives beckoned Facebook CEO Mark Zuckerberg into Washington for back-to-back hearings on the issues of Cambridge Analytica, fake news, fake accounts, Russian meddling, bots and other Facebook follies, including the class action lawsuit against Facebook over its facial recognition practices.


Tor exit node admin acquitted of aiding terrorism

By Lisa Vaas

In 2017, Russian police detained a 26-year-old math teacher for allegedly calling for riots in Moscow’s Red Square.

According to The Moscow Times, the police were after whoever posted under an alias to call for “rags, bottles, gas, turpentine, Styrofoam and acetone” to be brought to an unsanctioned protest. The posts also contained a link to a music video in which protesters launch Molotov cocktails at police.

A year later, the teacher, Dmitry Bogatov, has been acquitted.

Bogatov denied writing the posts: as the administrator of a Tor exit node, it could have been anyone who used his IP address. Bogatov hosts a Tor node, through which other internet users can surf anonymously.

He’s not the first Tor node administrator whose IP address has led police to his door. Two years ago, police traced illegal child abuse imagery to a married couple’s home IP address in Seattle.

Early one morning, Jan Bultmann and David Robinson woke to detectives from the Seattle Police Department who demanded passwords to access the couple’s computers. They consented to the search and gave their passwords to police, who found no child abuse imagery, didn’t seize any equipment, and made no arrests.

The couple, who are well-known privacy advocates, are also hosts for a Tor exit node – a fact that local police were aware of.


Facebook battles tiny startup over privacy accusations

By John E Dunn

Is there no end to Facebook’s petty humiliations?

Two weeks ago, CEO Mark Zuckerberg found himself having to account for his company’s behavior to members of the European Parliament, the latest round in the Cambridge Analytica ‘apology tour’ that happened after badly-received gigs in Washington in April.

But it’s not just the big guys that Facebook is having to answer to. This week, in a sign that even small problems have become big problems, it was the turn of an obscure startup called Six4Three to cause the company trouble.

The suit’s origins lie in Facebook’s 2014 decision to shut down the Friends data API, through which users could allow thousands of third-party apps to track their friends’ location, status, and interests.

One app that fell afoul of this supposedly privacy-oriented change was Six4Three’s $1.99 smartphone app Pikinis which touted the ability to find pictures of a user’s Facebook friends in their swimwear.

Tough luck, you might say, except that Six4Three launched a suit in 2015, in which it was alleged that Facebook turned off the tap as a way of forcing developers to buy advertising, transfer intellectual property or even sell themselves to it at below market value.

The change came in the wake of post-2012 worries about Facebook’s ability to generate revenue from advertisers as they switched to mobile platforms, which allegedly gave Facebook the motive to strong-arm developers.


Are your Android apps sending unencrypted data?

By Matt Boddy

Have you ever wanted to know what your phone is up to?

Good, then this article is for you.

Phones are locked down so you don’t have to worry about what’s going on under the hood. That’s great if you want a device that Just Works, and it’s the exact opposite if you’re the kind of person that worries about what it might be up to – like me.

Fortunately, if you have a bit of time and some technical skills, there are some simple ways to see what your apps are up to.

One of the things I worry about is oversharing – apps sending out more data than they need to, or transmitting data in insecure ways – such as using unencrypted HTTP requests instead of HTTPS.

My concerns led me to do some network analysis on popular Android apps, following the methodology set out in the OWASP Mobile Security Testing Guide.

I’ll tell you what I did, what I discovered and how you can do it to.


Wayback Machine ‘unarchives’ spying website

By Danny Bradbury

Who is archiving the web, and what happens when people ask for information to be ‘un-archived’?

The internet found out recently, when a company with a questionable marketing history reportedly asked the world’s best-known web archive to eradicate its information.

The Wayback Machine, which is run by the non-profit Internet Archive, has been quietly archiving as much of the web as it can to create a permanent record of our fast-moving, volatile digital landscape.

The archive’s preservation of online data has proven valuable on several occasions. In 2014, Ukrainian separatist leader Igor Girkin bragged about downing a Soviet military cargo plane on social media. After that plane was revealed as Malaysia Airlines Flight 17, the post was deleted, but the Wayback machine still had the original message.

Clearly, archiving information has its benefits. So what happens when someone doesn’t want information about them to stick around?

This issue came up recently when Thailand-based FlexiSpy reportedly asked the Internet Archive to delete its webpages from the Wayback Machine. FlexiSpy, which sells software for monitoring phones and desktop computers, used to market its software as a tool to spy on cheating spouses. As Motherboard points out, another archive still maintains images of the company’s site from several years ago.

Search the Wayback Machine’s archive for FlexiSpy, however, and it reports that the URL has been excluded. Does that mean it complied with the request?

The Internet Archive did not respond to requests about its policy. However, its terms and conditions say that if asked by an author or publisher, it “may remove that portion of the Collections without notice.” Its FAQ says that site owners can “send an email request for us to review”.


« older