April 19, 2018

Russia’s Grizzly Steppe gunning for vulnerable routers

By John E Dunn

The Russian Government’s hackers – codenamed “Grizzly Steppe” – stand accused of trying to turn millions of routers against their owners.

After the stream of recent accusations levelled by cyber-authorities in the US, UK and Australia, it was probably inevitable that Russia would be formally accused of targeting network infrastructure at some point.

That happened yesterday, in the bludgeoning coordinated style that now marks out every official statement regarding Russia and cyberwarfare.

Stated US-CERT:

Since 2015, the US Government received information from multiple sources – including private and public-sector cybersecurity research organizations and allies – that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide.

These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.

In fact, Grizzly Steppe was first mentioned in late 2016 when the FBI published its first report on the group’s alleged activities.

There will perhaps be two public reactions to this remarkable accusation, the first being to wonder what routers are and why they matter so much that Russia would want to target them.

The second may be to wonder why it has taken these countries so long to point out the phenomenon of coordinated router compromise – something that a variety of groups have been engaged in for at least a decade without much fuss being made about it.

In case the alert sounds a bit vague, the UK National Cyber Security Centre (NCSC) followed up the warnings with a document explaining in some detail the hardware weaknesses the Russians are alleged to be exploiting.

Read more at https://nakedsecurity.sophos.com/2018/04/18/russias-grizzly-steppe-gunning-for-vulnerable-routers/

Why ‘remote detonator’ is a bad name for your Wi-Fi network

By Lisa Vaas

Tell us, XFINITY, CableWiFi and HOME-7F0C-2.4, did it ever occur to you that your Wi-Fi names are really, really boring?

No offense, though! Generic is good! It’s so much better than “Quick, everybody out, NOW – before somebody connects to ‘remote detonator’!!!”

As the Michigan news site M Live reports, a patron of a Planet Fitness in Saginaw Township was looking through available Wi-Fi connections on Sunday evening when he noticed one named just that – “remote detonator.”

He brought it to the attention of the manager, who promptly evacuated the 24-hour gym and called police. According to Saginaw Township Police Chief Donald Pussehl, a bomb-sniffing dog made a sweep of the premises, but it didn’t turn up any explosives.

Nothing can be done to make the Wi-Fi naming wit change his or her alarming network name, Pussehl said: it’s speech that’s protected under the First Amendment. Pussehl:

Everything is perfectly legal from a police standpoint. There was no crime or threat. No call saying there was a bomb.

Read more at https://nakedsecurity.sophos.com/2018/04/18/why-remote-detonator-is-a-bad-name-for-your-wi-fi-network/

Silence! Chrome hushes noisy autoplaying videos

By Lisa Vaas

On Tuesday, Google launched Chrome 66 for Windows, Mac, Linux, Android and iOS.

With the new browser comes blissful quiet: Google is muting all autoplay content by default, thus giving people the option to turn off one of today’s most annoying aspects of going online. The update also includes a passwords export feature, security improvements and new developer features.

You can update to the latest Chrome version now via the browser’s built-in updater or download it from google.com/chrome.

Google originally planned for autoplay mute to arrive in Chrome 64, which introduced autoplay settings on a per-site basis, but it didn’t happen for reasons Google didn’t specify.

Now, however, all users are getting the feature, be they on mobile or desktop. In September, Google said the move is meant to address one of the most frequent user concerns – unexpected media playback, “which can use data, consume power, and make unwanted noise while browsing.”

The new autoplay blocking feature adds to Google’s existing ban on video, pop-up and intrusive advertisements, which it began to block on 15 February from within its browser on both desktop and mobile. As we noted at the time, that ad filter wasn’t an adblocker, and Google didn’t describe it as one. Rather, it was meant as a way to keep people from wanting to install an adblocker in the first place, by keeping these kinds of annoying ads out of people’s faces:

Read more at https://nakedsecurity.sophos.com/2018/04/19/silence-chrome-hushes-noisy-autoplaying-videos/

April 18, 2018

Could an Intel chip flaw put your whole computer at risk?

By Paul Ducklin

Remember the Chernobyl virus, also known as “CIH” after the initials of its author, a certain Mr Chen Ing Hau of Taiwan?

CIH was the first virus that succeeded in directly and deliberately damaging your computer hardware by purposefully reprogramming your BIOS chip with garbage machine instructions.

The BIOS is the chip that contains the low-level software that is the very first thing to run when your computer fires up, so trashing it stopped your PC from loading up at all.

Ironically, the CIH virus didn’t have to find and exploit any security holes – there was generally no formal protection against writing to the BIOS back in those days.

You didn’t need to hold down a special hardware switch, enter a user-selectable password, or update with a cryptographically signed blob of firmware code.

The only protection was a sort of “security through obscurity” system that required a specific but publicly documented sequence of memory accesses and timings to activate BIOS writes.

This was a precaution intended to prevent programming accidents, but not to keep out crooks.

Read more at https://nakedsecurity.sophos.com/2018/04/17/could-an-intel-chip-flaw-put-your-whole-computer-at-risk/

“Privacy is not for sale,” says Telegram founder

By Lisa Vaas

Following the April 2017 suicide bombing on the St. Petersburg metro that killed 16 people, Russia threatened to block Telegram: the encrypted messaging app used to carry out the attack.

The FSB, the successor to the KGB, said in June that the app gave terrorists “the opportunity to create secret chat rooms with a high degree of encryption.”

At the time, Telegram’s founder, Pavel Durov, had resisted handing over the information the government had requested in order to put the app on its official list of information distributors. Durov said at the time that Russian authorities had also asked for the ability to decrypt user messages.

Durov’s argument: What would that achieve, besides prompting Telegram users to move to another app?

If you want to defeat terrorism by blocking stuff, you’ll have to block the internet.

Now, Russia’s made good on its threats. On Friday, the New York Times reported that Roskomnadzor – the Russian communications and technology watchdog – asked the court for the authority to block the app, effective immediately.

It took the court only 18 minutes to approve the request.

Read more at https://nakedsecurity.sophos.com/2018/04/17/privacy-is-not-for-sale-says-telegram-founder/

Gmail’s new ‘Confidential Mode’ won’t be completely private

By John E Dunn

Have you ever wished it were possible to delete an email from a recipient’s inbox days, weeks or months after it was sent?

If so and you’re a Gmail or G Suite user, it looks as if Google might be about to enable this kind of ‘self-destructing’ email feature on its platform.

We only have screenshots from an email sent to G Suite admins last week to go on, but what seems to be in the offing is the ability to set an expiration date for an email in a similar fashion to that already offered by specialist rivals such as ProtonMail.

“Confidential mode” time limits will be one week, one month or a chosen number of years from the moment it is sent, after which the email will disappear from both the recipient’s inbox and the sender’s outbox.

In addition, “options to forward, download or copy this email’s contents and attachments will be disabled” during the message’s lifetime, as will the ability to print it.

Senders will also be able to make recipients authenticate themselves by entering a onetime code sent from Google to a phone number.

Instead of sending a physical copy from one user to another, Confidential Mode will most likely host it on Google’s own servers, simply sending the recipient a link through which to view it.

That way, Google controls access to it and can delete it after the period set by the sender (ditto controlling access through authentication).

This design also makes it possible for a user on any email system to view the message without having to use Gmail (it’s possible a Gmail account will be necessary at both ends for authenticated access to work).

Read more at https://nakedsecurity.sophos.com/2018/04/17/gmails-new-confidential-mode-wont-be-completely-private/

WhatsApp image showing drug dealer’s fingerprints leads to arrest

By Lisa Vaas

A dealer had some Class A drugs to sell.

So, he sent out an advertisement for ecstasy on WhatsApp. White, blue, yellow, red: they looked like candy in the photo, sealed in plastic, held out for display on his palm.

Smart drug dealer, right? Much to the chagrin of law enforcement, WhatsApp encrypts messages end-to-end. That means all messages: calls, photos, videos, file transfers and voice messages.

But the pill pusher didn’t consider that his message might end up on a seized phone in the hands of the police. Nor did he likely consider a certain piece of evidence captured in that photo: his fingers.

In what the BBC calls a first for police in Wales, the image of a fingerprint helped to identify the man and to bring down an extensive drug-selling ring that could turn out to be larger still as the investigation continues.

Dave Thomas, of South Wales Police’s scientific support unit, called the work “groundbreaking.” He said that the WhatsApp photo helped to secure 11 convictions and to bring down the drug ring’s supply chain.

The middle and bottom part of a couple of fingers were just about visible under the bag of tablets in the image. In a video interview filmed by the BBC, Thomas pointed to the photo to describe how the imaging work was done:

Through some work done by our imaging unit, we enhanced what we could see on here. We did some inverting of the marks, [and] we then looked at the scale, which was another problem for us. We didn’t have a scale. Eventually we came from that with a suspect – main file fingerprints – and we compared them directly against this part of the mark which we could then search and identify the individual, which resulted in a number of arrests and a number of jail terms.

Thomas told the BBC that police are now looking more closely at the photos found on seized phones, in case they too might lead to evidence.

Read more at https://nakedsecurity.sophos.com/2018/04/17/whatsapp-image-showing-drug-dealers-fingerprints-leads-to-arrest/

5 simple tips for better computer security

By Maria Varmazis

Protecting your privacy and securing your home computers is easier than you might imagine. Better security isn’t just for big organizations or the uber-nerds – everyone, regardless of their computer literacy, can take simple steps to better secure their data and their personal devices. Small steps really can make a big impact.

If you’re not sure where to start, here are five tips that will go a long way to keeping you and your information safe.

1. Use unique passwords for every service you use

As tempting as it might be to reuse the same password across various websites (less to remember, less to type, you might be thinking), this is akin to you using the same key for your front door, back door, car, garage, and everything else you want to keep a lock on.

As easy as it might make things for you, it makes things even easier for an attacker to break into all of your accounts. If a hacker manages to grab your password through breaching one site, they get the keys to your entire digital life. That’s why you really want to have a unique password on each and every one of the websites you log in to.

This might sound like a lot to wrangle – “I thought you said these would be easy!” – but this is where technology can really come to your aid. There are many tools available to you, for free, that will generate unique passwords for the websites you use and store those passwords for you so you don’t have to remember them. They’re called password managers, and we’ve written about several of them before.

Many of the password managers on the market will integrate with your browser so you don’t even need to look up or copy/paste the password in, they’ll automatically fill the correct password in for you.

Examples of password managers include 1Password and LastPass, or if you’re an Apple or Google device user you could also try the Apple iCloud Keychain or Google’s Password Vault. Whichever one you choose, the key thing is that it’s easy for you to use. A password manager that works for you is one that takes away the burden of creating (and remembering) unique passwords, so using those passwords becomes a piece of cake. Just make sure you have a super strong, super long password on your password manager!

Read more at https://nakedsecurity.sophos.com/2018/04/17/5-simple-tips-for-better-computer-security/

Traditional firewalls fall short in protecting organizations, says survey

By Maria Varmazis

Even with a firewall in place, nearly a quarter of IT managers don’t know what’s going on with 70% of their network traffic.

That’s one of several key takeaways from a new survey, sponsored by Sophos, that asked IT managers in mid-sized organizations across the globe about how their firewall technology is working for them.

The survey covered IT managers from countries including the US, Canada, France, Germany, UK, Japan, India, South Africa and Australia. Respondents were from organizations ranging in size from 100 to 5,000 employees, in industries spanning several verticals, including technology, retail, manufacturing, professional services, utilities, education, and healthcare.

The survey responses reveal several “dirty secrets” of how traditional firewalls aren’t living up to their old promises, and how they fail to deliver the kind of visibility or responsiveness that organizations need to defend against modern threats.

Of course, visibility is a key component to security, as you can’t control what you can’t monitor. So if a protective measure, such as a firewall, isn’t aiding in providing that network traffic visibility, IT managers find themselves hindered in monitoring and controlling threats, and lagging in mitigation and remediation response times.

When there’s an active threat on the network, lost time means more time for malicious actors or rogue apps to cause damage. Survey respondents said on average each infected computer on their network takes 3.3 hours to identify, isolate, and remediate, so that real cost in time and resources adds up very quickly.

Read more at https://nakedsecurity.sophos.com/2018/04/17/traditional-firewalls-fall-short-in-protecting-organizations-says-survey/

Facebook: 3 reasons we’re tracking non-users

By Lisa Vaas

It should have been an easy question to answer.

It came from Florida Rep. Kathy Castor during the House’s questioning of Facebook CEO Mark Zuckerberg last week, when she asked:

You are collecting personal data on people who are not Facebook users. Yes or no?

There was no yes or no to be had, so she tried again:

You watch where we go. Isn’t that correct?

Zuckerberg’s response:

Everyone has control over how that works.

She wasn’t the only member of the House Energy and Commerce Committee to press the CEO about how much information Facebook collects about both users and non-users. As Castor put it, “It’s practically impossible these days to remain untracked in America,” and it’s led to a “devil’s bargain” in which people are “spied on” and tracked even after they leave the platform.

On Monday, Facebook finally coughed up the answer. It’s no shocker: the answer is yes.

Yes, Facebook tracks both users and non-users across websites and apps, according to a post written by David Baser, Product Management Director.

It does so for three main reasons, he said:

  1. To provide its services to the sites or apps;
  2. To improve safety and security on Facebook; and
  3. To enhance its own products and services.

From the post:

When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook.

Facebook is far from the only online service to do this. Twitter, Pinterest and LinkedIn have similar Like and Share buttons, Google has a popular analytics service, and Amazon, Google and Twitter all offer login features, Baser said.

Read more at https://nakedsecurity.sophos.com/2018/04/18/facebook-3-reasons-were-tracking-non-users/

April 16, 2018

Facebook shines a little light on ‘shadow profiles’

By John E Dunn

Mark Zuckerberg, CEO of supposed surveillance titan Facebook, has apparently never heard of shadow profiles.

Of all the things learned during Zuckerberg’s questioning by a succession of politicians in Congress this week, for privacy campaigners this was one of the most unexpected.

We have Congressman Ben Luján to thank for a discovery that might come to hang around Zuckerberg as he battles to save his company’s image.

After asking Zuckerberg about the company’s practice of profiling people who had never signed up for the service, said Luján:

So, these are called shadow profiles – is that what they’ve been referred to by some?

Replied Zuckerberg:

Congressman, I’m not, I’m not familiar with that.

For anyone unsure of its meaning, shadow profiles are the data Facebook collects on people who don’t have Facebook accounts.

Zuckerberg’s ignorance was presumably limited to the term and its usage rather than the concept itself, since Facebook offers non-members the ability to request their personal data.

It seems that all web users are of interest to Facebook for security and advertising.

During the exchange Zuckerberg explained that Facebook needs to know when two or more visits come from the same non-user in order to prevent scraping:

…in general, we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to … we need to know when someone is repeatedly trying to access our services

A little later he implied that non-users are also subject to data gathering for targeted advertising:

Anyone can turn off and opt out of any data collection for ads, whether they use our services or not

You can opt out of targeted advertising by Facebook and a plethora of other advertisers using the Digital Advertising Alliance’s Consumer Choice Tool or by blocking tracking cookies with browser plugins.

Read more at https://nakedsecurity.sophos.com/2018/04/13/facebook-shines-a-little-light-on-shadow-profiles/

Fake Hillary porn just the tip of Russia’s Reddit penetration

By Lisa Vaas

A fake porn video that claimed to show Hillary Clinton engaging in a sex act has been traced back to a Reddit account which the platform acknowledged on Tuesday is linked to a Russian troll farm.

The account, u/rubinjer, was banned but is being kept up for the time being for purposes of transparency, Reddit said. The account was used to post pro-Trump, racially divisive, anti-Clinton messages.

The fake porno was titled “This is How Hillary gets black votes.” It linked to an animated gif that NBC News said was still available on the platform as of Tuesday. Links to the video and gif have now been deleted, according to the BBC.

NBC News said that the same faux gif was posted five times to PornHub under the name “Leaked Hillary Clinton’s Hotel Sex Tape with Black Guy,” and also onto the porn site SpankBang.

NBC News reports that it had been viewed more than 250,000 times on PornHub.

Read more at https://nakedsecurity.sophos.com/2018/04/13/fake-hilary-porn-just-the-tip-of-russias-reddit-penetration/

Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society

By Maria Varmazis

This article is an interview with Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society, a new privacy advocacy and research non-profit based in Vancouver, Canada.

Its goal is to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online by helping app and technology firms more easily build privacy-by-default services via open source software that they’re spearheading.

We asked Sarah a few questions about the Open Privacy Research Society and the state of privacy in tech in general, and have reprinted her responses in full below.

What was the impetus for this project?

Last year I published a book, Queer Privacy, it’s a collection of essays written by people in queer and trans communities. While all the essays were ostensibly about technology, they cover broad topics like coming out, dating, sex work, intimate partner violence and even death and media representation.

It was a hard project to work on, but my goal was to finally start documenting how modern technology fails to protect the privacy, or uphold the consent of, marginalized people.

I’m not a fan of simply documenting though, and it’s no coincidence that Open Privacy emerged roughly a year after I finished the first cut of Queer Privacy.

I have had a year to sit and think about the kinds of technology we need to build, as well as the kind of organization we need to ensure that technology exists. And I’ve also had a year to find some amazing people to work with me and help guide that.

Read more at https://nakedsecurity.sophos.com/2018/04/13/interview-sarah-jamie-lewis-executive-director-of-the-open-privacy-research-society/

Instagram bends to GDPR – a “download everything” tool is coming

By Lisa Vaas

Following criticism about lack of data portability – unlike parent Facebook, it doesn’t have a Download Your Data tool – Instagram now says it’s building a tool to let users download everything they’ve ever shared.

Everything, as in everything? We’re still waiting to hear details.

An Instagram spokesperson told TechCrunch that the new tool – available “soon” – will enable users to download a copy of their photos, videos and messages. What’s not clear yet is if the tool will also enable users to export following and follower lists, Likes, comments, Stories, and the captions they put onto posts.

Nor was it clear what quality the downloadable photos and videos will have: will they export with the high resolution that they’re uploaded or displayed in, or will they come through compressed?

Hang tight, Instagram told TechCrunch: more details are coming soon.

We’ll share more details very soon when we actually launch the tool. But at a high level it allows you to download and export what you have shared on Instagram.

If the tool launches by 25 May, it will help Instagram to comply with the European Union’s upcoming General Data Protection Regulation (GDPR) privacy law, which requires data portability.

The new law requires that individuals be able to demand deletion of data, to opt out of future data collection, to view what personal data a company holds, and to download that data in a format that they can move to competitors.

Read more at https://nakedsecurity.sophos.com/2018/04/13/instagram-bends-to-gdpr-a-download-everything-tool-is-coming/

The ransomware that says, “I don’t want money” – play a violent game instead!

By Paul Ducklin

Not all ransomware is made equal.

To be clear, we’re not for a moment suggesting that any form of ransomware is technically, ethically, morally or legally acceptable.

After all, ransomware is guilty of unauthorized access as soon as it reads your files, and of the more serious crime of unauthorized modification as soon as it overwrites them.

Worse still, most ransomware follows up those offences with the yet more odious crime of demanding money with menaces – what is known on the street as blackmail, extortion, standover, or plain old criminal b*****dry.

But it’s Friday the Thirteenth today, historically the “day of madness” for computer virus writers, so we thought we’d feature a recent ransomware sample with an unusual twist.

This one explicitly and unusually says, “I don’t want money.”

Instead, the PUBG Ransomware has a weirder aim: to get you to play a recently-released online game called PLAYERUNKNOWN’s Battleground, or PUBG for short.

Read more at https://nakedsecurity.sophos.com/2018/04/13/the-ransomware-that-says-i-dont-want-money-play-a-violent-game-instead/

April 12, 2018

Congress chews up Zuckerberg, day two: A far more thorough mastication

By Lisa Vaas

After Tuesday’s nearly five-hour grilling in the Senate – more of a light sautéing, really – Facebook CEO Mark Zuckerberg on Wednesday gave Congress another five hours of his life: this time, before the House Energy and Commerce Committee.

Representatives’ questions again hit on Tuesday’s themes: data privacy and the Cambridge Analytica (CA) data-scraping fiasco, election security, Facebook’s role in society, censorship of conservative voices, regulation, Facebook’s impenetrable privacy policy, racial discrimination in housing ads, and what the heck Facebook is: a media company (it pays for content creation)? A financial institution (think about people paying each other with Facebook’s Venmo)?

Zuck’s take on what Facebook has evolved into: “I consider Facebook a technology company. The main thing we do is write code. We do pay to help produce content. We also build planes to help connect people, but I don’t consider ourselves to be an aerospace company.” (Think of Facebook’s flying ISPs.)

When he hears people ask whether Facebook is a media company, the CEO said that what he really hears is whether the company has, or should have, responsibility over published content – be it fake news meant to sway elections, hate speech, or Russian bots doing bot badness.

His answer has evolved: for years, he’s been pushing back against fears about fake news on Facebook. The company just builds the tools and then steps back, he’s repeatedly said, insisting that the platform doesn’t bear any of the responsibilities of a publisher for verifying information.

Read more at https://nakedsecurity.sophos.com/2018/04/12/congress-chews-up-zuckerberg-day-two-a-far-more-thorough-mastication/

Update now! Microsoft April Patch Tuesday – 65 vulnerabilities, 24 critical

By John E Dunn

With the Windows 10 1803 Spring Creators Update delayed at the eleventh hour for unknown reasons, admins and end users still have plenty of work on their hands with April’s Patch Tuesday.

The big picture is 65 security fixes assigned CVE numbers, 23 of which (plus a separate Adobe Flash flaw) are rated critical, with no true zero-days among them.

An urgent 66th CVE on the list should already have been fixed a week ago through an emergency patch that Microsoft issued for a critical vulnerability (CVE-2018-0986) in the Microsoft Malware Protection Engine (MMPE).

Affecting Security Essentials, Intune Endpoint Protection, Windows Defender, Exchange Server 2013/2016, and Forefront Endpoint Protection 2010, this patch should have been applied automatically via MMPE itself.

A breakdown of the remaining 22 critical flaws shows:

  • Seven memory corruption vulnerabilities in the Chakra Scripting Engine (Edge’s JavaScript interpreter).
  • Five remote code execution (RCE) flaws in Microsoft Graphics’ Windows font library.
  • Four affecting Internet Explorer.
  • Four affecting the scripting engine also used by Internet Explorer.
  • One affecting Windows 10’s Edge browser.
  • One RCE in the Windows VBScript engine.

Read more at https://nakedsecurity.sophos.com/2018/04/12/update-now-microsoft-april-patch-tuesday/

3 critical Flash vulnerabilities patched. Update now!

By Mark Stockley

In news that can surely only be a surprise to people who’ve learned to use a computer since the middle of March 2018, or who’ve been trapped in their own fridge for the last decade… last Tuesday was Patch Tuesday, there’s a Critical Flash vulnerability and, if you’re still using Flash, it’s time to reexamine your attitude to risk and reward (and while you’re doing that, update to the latest version).

Did I say a critical vulnerability? I meant three.

Adobe Bulletin APSB18-08 lists six security issues fixed in the latest release, version 29.0.0.140, three RCE (Remote Code Execution) vulnerabilities rated critical and three information disclosure vulnerabilities rated Important.

Updates for all platforms have been given a priority of 2, which means that to Adobe’s knowledge there are currently no known exploits and none are expected imminently.

Flash plug-ins for Google Chrome on all platforms, or for Microsoft Edge and Internet Explorer 11 on Windows 10 and 8.1, will update themselves automatically.

Everyone else should download the latest version:

Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 29.0.0.140 via the update mechanism within the product [1] or by visiting the Adobe Flash Player Download Center.

The good news is that, in this case, Adobe and the independent researchers who found the holes in its product are one step ahead of the bad guys this month (provided you install the update).

The bad news is that the rate at which critical, remotely exploitable flaws are found – in a product that barely changes – shows no signs of slowing, even after all these years.

So, if you find yourself downloading the latest version, ask yourself what you’re planning to use it for and whether you really need it.

Why? Because cybercriminals love that you run Flash.

Read more at https://nakedsecurity.sophos.com/2018/04/11/3-critical-flash-vulnerabilities-patched-update-now/

April 11, 2018

Back to the future! 1990s Windows File Manager! NOW OPEN SOURCE!

By Paul Ducklin

You know you want to.

Actually, you know you DON’T want to – I certainly didn’t.

But you will anyway – I did.

Microsoft has released the File Manager program from Windows 3, which was released back in 1990.

When I say “released”, I mean “set free”, and that’s free in the threefold sense of speech, beer and download.

Yes, the venerable WinFile application is now open source software!

To kick off with an admission: I’ve never got on with single-pane file managers – from WinFile to the latest Mac Finder, I’ve always shoved them to one side in favour of two-panel viewers.

Why view one directory at a time when you so often want to view two, either to move files from A to B (or in the Windows world, probably from D: to C:), or to compare old and new versions of stuff?

As a result, I’ve always had a copy of Midnight Commander to hand on Mac and Linux boxen, as well as Servant Salamander back when I used Windows as a matter of routine. (I chose that last word very carefully to avoid giving the impression that it was a matter of choice.)

In truth, I never much liked Windows 3, and when I used it, I didn’t like WinFile at all.

WinFile made tasks that were somewhat complicated but perfectly reliable at the DOS prompt into tasks that were dead easy but liable to go weirdly wrong when moving clunky icons between two separate on-screen windows.

But time is a great healer.

Read more at https://nakedsecurity.sophos.com/2018/04/11/back-to-the-future-1990s-windows-file-manager-now-open-source/

Steve Wozniak explains why he deactivated his Facebook account

By John E Dunn

As his 5,000 Facebook friends are about to find out, Apple co-founder Steve Wozniak has well and truly left the building.

When it comes to Facebook, most celebrities tip-toe out the back door without saying much. But Wozniak is not most celebrities, and sent an email explaining the recent decision to deactivate his account to USA Today.

Given the recent fuss about Facebook’s privacy behavior, most of it is not hard to second guess:

Users provide every detail of their life to Facebook and… Facebook makes a lot of advertising money off this. The profits are all based on the user’s info, but the users get none of the profits back.

Which had become a thinly-gilded cage:

I was surprised to see how many categories for ads and how many advertisers I had to get rid of, one at a time. I did not feel that this is what people want done to them. Ads and spam are bad things these days and there are no controls over them. Or transparency.

This compared unfavorably with another big tech company close to Wozniak’s heart:

Apple makes its money off of good products, not off of you. As they say, with Facebook, you are the product.

This echoes criticism of Facebook by Apple’s CEO Tim Cook, who told reporters a few days ago that his company could do what Facebook does if it wanted to. However:

We’ve elected not to do that… We’re not going to traffic in your personal life. Privacy to us is a human right, a civil liberty.

It’s not clear how many Facebook users have left since the Cambridge Analytica scandal became public on 16 March, although #deletefacebook gained considerable traction, trending on Twitter in the following days.

Read more at https://nakedsecurity.sophos.com/2018/04/11/steve-wozniak-explains-why-he-deactivated-his-facebook-account/

Congress grills Zuckerberg, day one: How does this online stuff work?

By Lisa Vaas

Yikes, Facebook CEO Mark Zuckerberg said in prepared remarks for a rare joint hearing of the Senate Judiciary and Commerce Committees on Tuesday and Wednesday: malefactors have used reverse-lookup “to link people’s public Facebook information to a phone number”!

Quelle surprise, according to Zuckerberg’s prepared remarks: Facebook only discovered the incidents a few weeks ago, they claim, and immediately shut down the phone number/email lookup feature that let it happen.

Zuckerberg’s remarks:

When we found out about the abuse, we shut this feature down.

And thus, to borrow the Daily Beast’s phrasing, Zuckerberg gaslighted Congress before the hearings even started.

On Tuesday, senators were ready, though, to grill the virgin-to-Congressional-grilling about that “Well, shucks, we just found out” bit. Sen. Dianne Feinstein was the first to jump in with the fact that Facebook learned about Cambridge Analytica’s (CA’s) misuse of data in 2015 but didn’t take significant steps to address it until the past few weeks.

Zuckerberg’s response, reiterated many times during five hours of testimony: We goofed. CA told us it deleted the data. We believed them. We shouldn’t have. It won’t happen again.

Sen. Chuck Grassley asked the CEO if Facebook has ever conducted audits to ensure deletion of inappropriately transferred data (it seemed to have an audit allergy, at least during whistleblower Sandy Parakilas’s tenure), and if so, how many times?

My people will get back to you on that, Zuckerberg said… Many times, to many questions.

Read more at https://nakedsecurity.sophos.com/2018/04/11/congress-grills-zuckerberg-day-one-how-does-this-online-stuff-work/

How ODNS keeps your browsing habits secret

By Mark Stockley

In computing, popular ideas have a way of becoming part of the bedrock and, once petrified, they’re extremely difficult to dislodge.

It doesn’t matter how good or bad an idea is, how well or how poorly something is coded or how insecure it is, if something is widely adopted it’s not going anywhere fast.

For example, despite its inherent insecurity email remains central to our lives, and Flash, despite a ready replacement and countless should-have-been-fatal wounds, is dying as if there’s an Oscar on the line.

Finding new ideas is easy but replacing or retooling old ideas is hard.

That puts a premium on solutions that make things better, faster or more secure by working with, or adding to, what’s already there with minimal disruption.

And that’s why ODNS (Oblivious DNS) is such an interesting idea.

ODNS is the latest entrant to an increasingly crowded field of solutions looking to address the privacy problems of the global DNS (Domain Name System).

Read more at https://nakedsecurity.sophos.com/2018/04/10/how-odns-keeps-your-browsing-habits-secret/

How to check if your Facebook data was shared with Cambridge Analytica

By Paul Ducklin

We’re sure you’ve heard of Cambridge Analytica (CA), the controversial company that harvested data from Facebook and then used it in ways that you almost certainly wouldn’t have wanted.

About a month ago, we reported how a CA whistleblower named Christopher Wylie claimed that the company had allegedly:

…exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.

Were you affected?

The thing is that CA didn’t crack passwords, break into accounts, rely on zillions of fake profiles, exploit programming vulnerabilities, or do anything that was technically out of order.

Instead, CA persuaded enough people to trust and approve its Facebook app, called “This is Your Digital Life”, that it was able to access, accumulate and allegedly to abuse personal data from millions of users.

That’s because the app grabbed permission to access data not only about you, but about your Facebook friends.

In other words, if one of your friends installed the app, then they might have shared with CA various information that you’d shared with them, even if you didn’t install the app yourself.

But how to find out which of your friends (some of whom may be ex-friends by now) installed the app, and how to be sure that they remember correctly whether they used the app or not?

Facebook has now come up with a way, given that it has logs that show who used the app, and who was friends with them.

Read more at https://nakedsecurity.sophos.com/2018/04/10/how-to-check-if-your-facebook-data-was-shared-with-cambridge-analytica/

YouTube illegally collects data from kids, group claims

By Lisa Vaas

YouTube is illegally making “substantial profits” from children’s personal data, according to a group of 23 child advocacy, consumer and privacy groups that have filed a complaint asking the Federal Trade Commission (FTC) to make it stop.

Kids are on the platform en masse, the group said, citing a study that found that 96% of children aged 6-12 are aware of YouTube and that 83% of children that know the brand use it daily. In fact, last year, YouTube topped the list of favorite online kid brands, according to the study:

For the second year in a row, YouTube leads all 347 cross-category brands evaluated in the BRAND LOVE® study, solidifying its position as the most powerful brand in kids’ lives. The platform’s ascent to the top is impressive, moving from a KIDFINITY score of 749 (and #86 ranking) in 2010 to the #1 brand that is disseminating trends, changing play patterns, and transforming the ways kids come of age.

No wonder kids have come to adore YouTube: the Google-owned company has been working hard to get their love and their little eyeballs on advertisements, the coalition says.

A case in point is YouTube Kids: launched in February 2015, it was designed to be a sanitized place where youngsters would be spared the hair-raising comments and content found on the rest of YouTube.

But YouTube recently found itself hiring thousands of moderators to review content on the broader site after nasty children’s content and child abuse videos got through both on YouTube and even on YouTube Kids.

Read more at https://nakedsecurity.sophos.com/2018/04/10/youtube-illegally-collects-data-from-kids-group-claims/

Another company’s been harvesting Facebook user data

By Lisa Vaas

Déjà data-analytics vu: Facebook’s suspended yet another firm for dressing up its personal-data snarfing as “nonprofit academic research,” in the form of personality quizzes, and handing over the data to marketers.

The company, Cubeyou, a la Cambridge Analytica (CA), pasted the label “for non-profit academic research” onto its personality quizzes, CNBC reported on Sunday.

One of Cubeyou’s quizzes, “You Are What You Like,” was created in conjunction with the University of Cambridge, as was the psychographic data collected by the Facebook quiz thisisyourdigitallife.

Another version of Cubeyou’s quiz, named “Apply Magic Sauce,” states that it’s only for “non-profit academic research that has no connection whatsoever to any commercial or profit-making purpose or entity.” That sounds an awful lot like thisisyourdigitallife, which billed itself as “a research app used by psychologists.”

Cambridge University professor Aleksandr Kogan’s Facebook license was only to collect data for research purposes, not to pass on to a commercial outfit like CA. In violation of Facebook’s terms, he passed users’ data on to CA for targeted political ad marketing in the 2016 US presidential election. Similarly, Cubeyou sells data to ad agencies that want to target certain Facebook user demographics. It’s not what you’d call cloak and dagger: the data analytics firm’s site advertises its wares as “All the best consumer data sources in one place.”

Our platform brings together the most robust consumer data sources available, both online and offline. Leverage social media statistics, syndicated studies, government surveys, and more – even your own data.

One of many examples:

DEEP Go deeper than you’ve ever thought possible, mixing demographics, psychographics, lifestyles, interests and consumption traits to pinpoint the exact audience you’re looking for. Get hyper-local with over 10 Million panelists distributed across 950 US metro areas. ex. Millennial Gamers in San Francisco that purchase electronics at BestBuy

The site says that the company has access to personally identifiable information (PII) such as first names, last names, emails, phone numbers, IP addresses, mobile IDs and browser fingerprints. CNBC also dug into cached versions of the site from 19 March that said that Cubeyou also keeps age, gender, location, work and education, and family and relationship information.

Read more at https://nakedsecurity.sophos.com/2018/04/10/another-companys-been-harvesting-facebook-user-data/

April 10, 2018 »

Jail for white collar pirates who stole from Oracle

By John E Dunn

The struggle between software giant Oracle and services company Terix has finally concluded with the latter’s CEO and co-founder Bernd Appleby being handed two years in jail.

A US tech exec being put behind bars is not an everyday occurrence but, then again, what Oracle accused Terix of doing was not a run-of-the-mill crime. According to Oracle’s 2013 accusation, Terix, along with a separate company, Maintech, had illegally obtained software patches and firmware from Oracle’s Solaris support site, secretly distributing them to their own customers on a commercial basis.

A serious accusation, which led to Maintech settling the case for $14 million in 2014. The following year, Terix was ordered to pay the even larger sum of $57 million. Oracle also won a separate judgement against support company Rimini Street, which earlier this year resulted in a $75 million sum being awarded to Oracle.

But the payout didn’t end the case against Terix, who allegedly defrauded Oracle using the sort of cloak and dagger tactics that merited extra attention, according to recent court documents.

Terix allegedly set up three bogus shell companies which each bought a single license at low cost from Oracle, hiding their association with Terix. To maintain the deception, they received support from Oracle using “bogus email addresses and addresses, pre-paid telephones and pre-paid credit cards.” 

In total, 2,700 pieces of software IP worth $10 million were downloaded between 2010 and 2014, used to support 500 customers of Terix, who were unaware that the software had been obtained fraudulently.

Read more at https://nakedsecurity.sophos.com/2018/04/10/jail-for-white-collar-pirates-who-stole-from-oracle/

5 Facebook facepalms (just last week)

By Lisa Vaas

Your weekly roundup of Facebook news, also known as #SOMUCHPRIVACYSPLATTER!!!

In the wake of the Cambridge Analytica (CA) User Data Grabathon, Facebook’s spasming like a data addict suffering from withdrawal-related delirium tremens. Here are our picks for the week’s Top 5 chunks of shrapnel from that and other Facebook hijinx:

1. Facebook broke Tinder

Facebook on Wednesday applied thumbscrews to apps, tightening up its API in hopes of rewriting its history of ignoring developers as they’ve gleefully ransacked users’ private data.

We said, Hooray! No more searching for users by email or phone, making it that much tougher for these apps to auto-scrape our data!

Oh, NO! said people who found that the privacy changes interrupted their Tinder chats with cute French people.

Users reported getting logged out and then not being able to log back in, in spite of jumping through a whole lot of privacy hoops. New York Magazine reported that things got circular: users were first asked to log in to Facebook. Then they were asked to provide “additional Facebook permissions” to “create fuller profiles, verify authenticity and provide support.” Tapping “Ask me” on the permission request merely sent users back to the original notification asking them to log in to Facebook.

Facebook said it was a glitch. It was fixed later Wednesday night. Sorry about that, Facebook said. And no, your come-on lines weren’t that bad, and yes, you can now return to the search for the love of your life.

2. What’s a mere 37 million more CA victims between BFFs?

Speaking of that Wednesday privacy spasm, Facebook’s post about the overhaul included a wee bit more information about the CA Grabathon.

The factoid has to do with how many Facebook users were affected by CA’s harvesting of data to build “psychographic” profiles (all the better to profile you with, my dear, and to then target you with uber personalized political ads).

Two investigatory reports – one from the New York Times, another from The Observer – had originally estimated that more than 50 million Facebook users were psychographically scraped in early 2014 to build the system.

Read more at https://nakedsecurity.sophos.com/2018/04/09/5-facebook-facepalms-just-last-week/

Hacker mines up to $1 million in Verge after exploiting major bug

By John E Dunn

Earlier this week, investors in the popular privacy-oriented Verge (XVG) cryptocurrency received disquieting news.

According to a forum post, a malicious miner appeared to have found a way to subject Verge to a widely-hypothesized blockchain takeover called a “51% attack”.

In layman’s terms, someone had gained control of the majority of the blockchain’s mining power, potentially giving them control over its currency generation.

Theoretically, this could happen if a single miner suddenly acquired lots of computing power to ramp up its hash rate (equivalent to its currency-generating horsepower), but this time the reason appeared to be simpler: the attacker had found bugs in Verge’s software.

According to a forum poster called OCminer:

Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block, as a malicious miner or pool, you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algorithm was one hour ago.

Your next block, the subsequent block, will then have the correct time. And since it’s already an hour ago – at least that is what the network thinks – it will allow this block to be added to the main chain as well.

Because Verge uses five different algorithms for successive mined blocks, this shouldn’t be possible. However, the time stamp spoofing bug had allowed the attacker to mine the currency using only one, Scrypt, at a greatly accelerated rate.
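The interaction between a backdated timestamp and a per-algorithm difficulty retarget is easier to see in a toy model. What follows is an added example, not Verge’s code and not OCminer’s: it assumes a retarget that measures the gap between a block’s claimed timestamp and the previous block of the same algorithm, treats a negative gap as nominal spacing (the lenient rule that makes backdating free), and caps each adjustment at 4x. The hardened variant adds the median-time-past rule that Bitcoin applies to block times. Block spacing, the 2-hour future-drift limit and the other constants are assumptions.

```python
"""Toy model of a per-algorithm proof-of-work retarget and of the timestamp
checks that stop the backdating trick described above.  Added illustration,
not Verge's code: the constants, the lenient 'negative gap counts as
on-schedule' rule and the chain layout are all assumptions."""
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET_SPACING = 30          # assumed: desired seconds between blocks of one algorithm
MAX_ADJUST = 4.0             # assumed: one retarget may move difficulty by at most 4x
MAX_FUTURE_DRIFT = 2 * 3600  # assumed: reject claims more than 2h ahead of the local clock
MTP_WINDOW = 11              # median-time-past window (Bitcoin's rule uses 11 blocks)


@dataclass
class Block:
    algo: str
    timestamp: int     # the timestamp the miner claimed, in seconds
    difficulty: float  # relative difficulty the block had to meet


class ToyChain:
    def __init__(self, strict_timestamps: bool) -> None:
        self.blocks: List[Block] = []
        self.strict_timestamps = strict_timestamps
        self.rejected = 0

    def last_of(self, algo: str) -> Optional[Block]:
        for block in reversed(self.blocks):
            if block.algo == algo:
                return block
        return None

    def median_time_past(self) -> int:
        recent = [b.timestamp for b in self.blocks[-MTP_WINDOW:]]
        return int(statistics.median(recent))

    def next_difficulty(self, algo: str, claimed: int) -> float:
        """Retarget from the gap between this block's claimed time and the
        previous block of the same algorithm.  The lenient branch is the bug:
        a negative gap is silently treated as nominal spacing, so a backdated
        block costs the attacker nothing, and the correct-time block after it
        sees an hour-long gap and receives the maximum difficulty cut."""
        prev = self.last_of(algo)
        if prev is None:
            return 1.0
        elapsed = claimed - prev.timestamp
        if elapsed <= 0:
            elapsed = TARGET_SPACING
        ratio = TARGET_SPACING / elapsed
        ratio = min(max(ratio, 1.0 / MAX_ADJUST), MAX_ADJUST)
        return prev.difficulty * ratio

    def submit(self, algo: str, claimed: int, local_now: int) -> bool:
        if claimed > local_now + MAX_FUTURE_DRIFT:
            self.rejected += 1
            return False
        # The hardening: a block's timestamp must exceed the median of the
        # last MTP_WINDOW block times, so it cannot be backdated behind them.
        if self.strict_timestamps and self.blocks and claimed <= self.median_time_past():
            self.rejected += 1
            return False
        self.blocks.append(Block(algo, claimed, self.next_difficulty(algo, claimed)))
        return True


def run_attack(strict: bool, honest_blocks: int = 12, rounds: int = 5) -> Tuple[List[float], int]:
    """Honest miners produce blocks on schedule; then the attacker alternates a
    block backdated by one hour with a block carrying the correct time."""
    chain = ToyChain(strict)
    now = 1_000_000
    for _ in range(honest_blocks):
        chain.submit("scrypt", now, now)
        now += TARGET_SPACING
    for _ in range(rounds):
        if chain.submit("scrypt", now - 3600, now):   # backdated claim
            now += TARGET_SPACING
        chain.submit("scrypt", now, now)               # correct-time follow-up
        now += TARGET_SPACING
    return [b.difficulty for b in chain.blocks], chain.rejected


if __name__ == "__main__":
    for strict in (False, True):
        diffs, rejected = run_attack(strict)
        print(f"strict={strict}: final difficulty {diffs[-1]:.6f}, rejected {rejected}")
```

In the lenient chain every backdated-then-honest pair quarters the difficulty, so five rounds leave the attacker mining at roughly a thousandth of the original work per block; in the strict chain every backdated submission is rejected and difficulty never moves. The simpler rule of requiring a block’s timestamp to exceed that of the previous block of the same algorithm would also defeat this particular trick, but the median-time-past check is the one that survives an attacker who controls several consecutive blocks, since they cannot drag the median backwards.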

Read more at https://nakedsecurity.sophos.com/2018/04/09/hacker-mines-up-to-1-million-in-verge-after-exploiting-major-bug/

Thousands of Google employees call for company to cancel Pentagon work

By John E Dunn

“You don’t buy [artificial intelligence] like you buy ammunition,” says Marine Corps Col. Drew Cukor.

Cukor, from a speech given to military and industry technology experts in July:

There is no ‘black box’ that delivers the AI system the government needs, at least not now. Key elements have to be put together… and the only way to do that is with commercial partners alongside us.

Gizmodo first reported last month that when we’re talking industry heavyweights in artificial intelligence (AI) that are working with the Pentagon, we’re talking, among others, about Google.

Specifically, Google’s working with the Pentagon on Project Maven, a pilot program to identify objects in drone footage and to thereby better target drone strikes.

Google, as in, the company whose motto is Don’t Be Evil.

A vocal and large group of Google employees are outraged that the company’s working on what they call the “business of war.” The New York Times reports that a letter – the newspaper published it here – circulating within Google pleads with the company to pull out of the program. As of Wednesday, it had garnered more than 3,100 signatures.

The letter, which is addressed to CEO Sundar Pichai, asks that the company announce a policy that it will not “ever build warfare technology” and that it pull out of Project Maven:

We believe that Google should not be in the business of war. Therefore we ask that Project Maven be cancelled, and that Google draft, publicize and enforce a clear policy stating that neither Google nor its contractors will ever build warfare technology.

The letter references reassurances from Diane Greene, who leads Google’s cloud infrastructure business, that the technology will not “operate or fly drones” and “will not be used to launch weapons.”

Read more at https://nakedsecurity.sophos.com/2018/04/09/thousands-of-google-employees-call-for-company-to-cancel-pentagon-work/

Crooks are swapping out chips on payment cards, says US Secret Service

By Paul Ducklin

Well-known cybersecurity journalist Brian Krebs is reporting a US scam aimed at chip-based payment cards.

The crooks are stealing cards before they reach their intended recipients – an old technique for credit card fraud, admittedly, but now with an added twist.

These days, just stealing a new card in transit often won’t work, because the crooks don’t have the information needed to activate the new card…

…but in this scam, the crooks have figured out a way to do an end run around the activation process: steal just the chip off the card, and wait for the legitimate recipient to activate the card.

Assuming the recipient doesn’t spot the tampering, of course.

How the crime works

According to the US Secret Service, the government law enforcement agency that deals, amongst other things, with payment card fraud, the crime goes something like this:

  • Intercept cards on the way to corporate recipients. We’re not sure whether corporates are targeted because they have more money, because they tend to receive cards in easily-detectable batches, or because their card usage patterns mean that scammed cards generally take longer to get spotted.
  • Prise the chips out of the cards.
  • Glue old chips from expired cards into the holes left by the real chips. The replacement chips don’t need to work – they merely need to look OK to disguise the fact that the cards have been tampered with.

Read more at https://nakedsecurity.sophos.com/2018/04/08/crooks-are-swapping-out-chips-on-payment-cards-says-us-secret-service/

Facebook’s new fake news strategy is… decide for yourself!

By Lisa Vaas

Who are these yo-yos who share fake news on social media?

None of your friends, right? Your friends are too smart to fall for cockamamie click bait, and they’re diligent enough to check a source before they share, right?

Well, get ready to have the curtain drawn back. These yo-yos may be us. Or, at least, they may turn out to be our friends and/or relatives.

In its ongoing fight against fakery, Facebook has started putting some context around the sources of news stories. That includes all news stories: the sources with good reputations, the junk factories and the junk-churning bot-armies making money from it.

On Wednesday, Facebook announced that it’s adding features to the context it started putting around News Feed publishers and articles last year.

You might recall that in March 2017, Facebook started slapping “disputed” flags on what its panel of fact-checkers deemed fishy news.

You might also recall that the flags just made things worse. The flags did nothing to stop the spread of fake news, instead only causing traffic to some disputed stories to skyrocket as a backlash to what some groups saw as an attempt to bury “the truth”.

Read more at https://nakedsecurity.sophos.com/2018/04/06/facebooks-new-fake-news-strategy-is-decide-for-yourself/

April 4, 2018 »

Those Facebook videos you thought were deleted were not deleted

By Lisa Vaas

Hang onto your hats for this data-retention non-shocker: Facebook’s retained user data it shouldn’t have.

In this most recent case, the content in question is users’ supposedly deleted videos. Facebook’s blaming a bug for the fact that those videos hung around…

…which users found out when many of them downloaded their Facebook data archive (an advisable step to take on the road to nuking your account) in the wake of the Cambridge Analytica (CA) data-strophe.

The ZIP file Facebook pulls together contains all the data it has on you: your status updates, your friend list, your messages, plus what New York Magazine’s Madison Malone Kircher last week reported to be “every video you ever filmed on the platform – including videos you never published.”

Kircher and the many other Facebook users around the world who discovered the undead videos aren’t the only ones to have come across surprising things in their data archives.

Also last week, many were shocked to discover, when they peeked into their archives, that Facebook had been logging call and text data since they downloaded the Facebook app for Android.

(They shouldn’t have been surprised, given that it was done with their permission. But it’s one thing to tick “Yes, do that” and quite another to suddenly come face to face with logs of your every call and your every text.)

Kircher said that last week her sister Bailey downloaded her archive. Bailey found what you’d expect: contact lists, relationship statuses. What she didn’t expect: multiple videos of herself, playing a scale on her wooden flute, taken as she tried to get a good version to post on a friend’s page.

She filmed quite a few videos, apparently. Here’s one clip New York Magazine posted to YouTube. In it, Bailey, perhaps exaggerating but most definitely exasperated as she sighed and reached for the stop recording button, said it was “Take 13.”

It wasn’t just Bailey: Kircher found clips that looked like they’d never been posted but which Facebook saved anyway. She says the difference is obvious, given the lack of comments on draft videos.

One of her co-workers found over 100 videos in her archive, only a third of which she says she ever publicly posted. Others? They include videos “of me just checking my teeth,” said Kircher’s colleague, Brittany Stephanis. Bailey found videos that she had taken with Facebook’s desktop camera, of musical rehearsals and cheerleading, which she reviewed and then, as far as she knew, erased.

Read more at https://nakedsecurity.sophos.com/2018/04/04/those-facebook-videos-you-thought-were-deleted-were-not-deleted/

Panera Bread customer records exposed via leaky database – dough!

By Paul Ducklin

There’s a war of words going on at the moment between veteran cybercrime reporter Brian Krebs and US bakery chain Panera Bread.

Krebs recently wrote about a data leakage problem on Panera’s website, whereby crooks could supposedly tease out personal information about Panera customers, without logging in themselves, by directly searching for likely terms in Panera’s online database.

For example, if you knew someone’s phone number, you could put in a search request and retrieve information that Panera happened to hold against that phone number.

In Krebs’s article, he gave an example where searching for a single company phone number retrieved data on numerous users, including username, email address and the last four credit card digits – presumably because multiple staff at a company located near one of Panera’s outlets had asked for deliveries to their place of work.

Worse still, attackers could apparently search by account ID, a numeric identifier that Krebs says may simply be incremented by one for each new user.

In other words, if you had a Panera account yourself and knew that your numeric ID was, say, 31337, then trying 31338, 31339 and so on might allow you to recover at least some personal information about other customers who first transacted at around the same time you did.

Of course, by trying thousands or hundreds of thousands of IDs in sequence you might, in theory at least, suck down data about hundreds or thousands of other active users.
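The real fix for a leak like this is an authorization check on the lookup (and, ideally, identifiers that are not guessable), but a sequential walk through IDs also leaves a very recognisable trace in access logs. The following is an added example, not Panera’s code and not its logs: it parses constructed combined-format log lines, groups successful lookups by client address, and flags any source that fetched many distinct IDs packed into a narrow numeric range within one time window, so a scanner that shuffles the order is caught while a user repeatedly fetching their own record is not. The endpoint path, the `id` parameter name and the thresholds are assumptions.

```python
"""Detecting sequential-ID enumeration in web access logs.  Added example,
not Panera's code or logs: the log lines, the endpoint path, the parameter
name and the thresholds are all constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed combined-log-format lines: one source walking IDs in order,
# one walking them shuffled, one legitimate user re-fetching its own record,
# and one 403 that must not count because nothing was returned.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2018:10:00:01 +0000] "GET /api/customer?id=31337 HTTP/1.1" 200 512
203.0.113.7 - - [03/Apr/2018:10:00:02 +0000] "GET /api/customer?id=31338 HTTP/1.1" 200 498
203.0.113.7 - - [03/Apr/2018:10:00:02 +0000] "GET /api/customer?id=31339 HTTP/1.1" 200 503
203.0.113.7 - - [03/Apr/2018:10:00:03 +0000] "GET /api/customer?id=31340 HTTP/1.1" 200 511
203.0.113.7 - - [03/Apr/2018:10:00:03 +0000] "GET /api/customer?id=31341 HTTP/1.1" 200 507
203.0.113.7 - - [03/Apr/2018:10:00:04 +0000] "GET /api/customer?id=31342 HTTP/1.1" 403 41
198.51.100.20 - - [03/Apr/2018:10:00:05 +0000] "GET /api/customer?id=40210 HTTP/1.1" 200 520
198.51.100.20 - - [03/Apr/2018:10:07:11 +0000] "GET /api/customer?id=40210 HTTP/1.1" 200 520
192.0.2.9 - - [03/Apr/2018:10:00:09 +0000] "GET /api/customer?id=1001 HTTP/1.1" 200 490
192.0.2.9 - - [03/Apr/2018:10:00:10 +0000] "GET /api/customer?id=1003 HTTP/1.1" 200 490
192.0.2.9 - - [03/Apr/2018:10:00:10 +0000] "GET /api/customer?id=1005 HTTP/1.1" 200 490
192.0.2.9 - - [03/Apr/2018:10:00:11 +0000] "GET /api/customer?id=1002 HTTP/1.1" 200 490
192.0.2.9 - - [03/Apr/2018:10:00:12 +0000] "GET /api/customer?id=1004 HTTP/1.1" 200 490
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?:\d+|-)$'
)
ID_RE = re.compile(r"[?&]id=(\d+)")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

MIN_DISTINCT_IDS = 4   # assumed alert threshold
WINDOW_SECONDS = 60    # assumed sliding window
DENSITY_SLACK = 2.0    # flag when the IDs fill at least half of their numeric span


def parse_line(line: str) -> Optional[Tuple[str, datetime, int, int]]:
    """Return (client_ip, time, record_id, status), or None for lines that are
    not well-formed or carry no id parameter."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    id_match = ID_RE.search(m["path"])
    if id_match is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), int(id_match.group(1)), int(m["status"])


def find_enumeration(log_text: str) -> List[Dict]:
    """Flag sources that fetched many distinct IDs packed into a narrow numeric
    range inside one time window.  Order-insensitive, so a scanner that
    shuffles the sequence is still caught; a user repeating its own ID is not."""
    per_ip: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec[3] == 200:   # only successful lookups leak data
            per_ip[rec[0]].append((rec[1], rec[2]))

    findings = []
    for ip, events in per_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            ids = {rid for _, rid in events[start:end + 1]}
            span = max(ids) - min(ids) + 1
            dense = span <= len(ids) * DENSITY_SLACK
            if len(ids) >= MIN_DISTINCT_IDS and dense and (best is None or len(ids) > best["distinct_ids"]):
                best = {"ip": ip, "distinct_ids": len(ids), "id_range": (min(ids), max(ids))}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the ordered and the shuffled scanners are both reported with their ID ranges, the repeat self-lookup is not, and the 403 is ignored because a denied request disclosed nothing. Detection of this kind is a backstop for the case where the authorization check was missing in the first place; it does not substitute for it.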

Read more at https://nakedsecurity.sophos.com/2018/04/03/panera-bread-customer-records-exposed-via-leaky-database-dough/

5 million credit cards exposed in Saks and Lord & Taylor data breach

By Paul Ducklin

A holiday weekend without a big data breach story!

Imagine that!

In your dreams, sadly – because in real life, the mainstream media in North America has been full of Easter news about a large-scale exposure of credit card data from Saks Fifth Avenue and other brands operated by Canadian retail giant Hudson’s Bay Company, or HBC for short.

A Dark Web monitoring company called Gemini Advisory announced the breach on 01 April 2018 (it wasn’t a joke) on Twitter.

Gemini Advisory itself is a bit of a mystery – there’s no address or phone number on the company’s website, and the Contact Us process is one of those mysterious web forms where you hand over your contact details and submit your query into the ether by clicking a [Send Message] button.

According to the company, it is:

Deeply embedded in the hacking underground, [where] our multilingual experts, who have years of experience consulting Fortune 100 companies, and federal law enforcement agencies, successfully conduct covert operations and provide ongoing support of cyber defense, threat intelligence, and fraud prevention teams.

Gemini Advisory’s claim in this data breach case is a bullish one, apparently based on an advert in an underground forum published by a crook going by the handle of JokerStash:

On March 28, 2018, a JokerStash hacking syndicate announced the release for sale of over five million stolen credit and debit cards. In co-operation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores. We estimate the window of compromise to be May 2017 to present. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations. As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.

The breach was apparently dubbed BIGBADABOOM-2 (it’s not just bugs that have catchy names these days), and claimed to offer TR2+TR1 dumps of cards from dozens of different countries.

Read more at https://nakedsecurity.sophos.com/2018/04/03/5-million-credit-cards-exposed-in-saks-and-lord-taylor-data-breach/

YouTube prankster sued by In-N-Out Burger

By Lisa Vaas

California burger chain In-N-Out Burger is not amused by YouTube prankster Cody Roeder, whose antics have included pretending to be the company’s CEO and telling a customer that their meal was “contaminated” and “garbage.”

Roeder films pranks for his YouTube channel, Troll Munchies. You can see his prior pranks on that channel – the picking up girls/embarrassing Mom prank, “hilarious fart vape pen” and the like – but the In-N-Out videos posted two weeks ago have since been made private, according to the BBC.

That’s likely because it’s gotten Roeder in a bit of a legal pickle. In-N-Out last week sought a restraining order against the prankster and his film crew. It also filed a lawsuit that claims that Roeder’s two recent pranks caused “significant and irreparable” harm to the chain. The suit seeks damages of more than $25,000.

CBS Los Angeles, which featured some footage taken of Roeder’s pranks in its own news coverage, says that early last month, Roeder put on a dark suit, walked into an In-N-Out in Van Nuys, and claimed to be their CEO.

“Hey, I’m your new CEO,” he said. “Just doing a little surprise visit.”

Read more at https://nakedsecurity.sophos.com/2018/04/03/youtube-prankster-sued-by-in-n-out-burger/

April 2, 2018 »

150 million MyFitnessPal accounts compromised – here’s what to do

By Mark Stockley

Under Armour’s hugely popular fitness tracker, MyFitnessPal, has been hacked. If you’re one of the 150 million or so users of the app or website don’t panic, but do change your password.

If you use Facebook to log in to MyFitnessPal you do not need to change your Facebook password.

If you use your MyFitnessPal password on any other websites, change your password on those websites – choose a different, strong password for each one (consider using a password manager if that sounds too difficult).

Under Armour says it’s notifying users of MyFitnessPal about the breach. It’s possible that criminals will try to take advantage of this by sending malicious tweets or emails that look like they’ve come from Under Armour.

You can protect yourself by being proactive: read Under Armour’s notice of data breach and check its account security FAQs.

Don’t click on links in emails that seem to have come from Under Armour or MyFitnessPal. The company has made a clear statement that it will not send emails about this that contain links or attachments:

Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal

If you need to visit MyFitnessPal, use a browser bookmark if you have one; if you don’t, open your browser and type the address https://www.myfitnesspal.com/ yourself, or just use the app on your phone.

Read more at https://nakedsecurity.sophos.com/2018/03/30/150-million-myfitnesspal-accounts-compromised-heres-what-to-do/

Boeing hit by WannaCry, reminding everyone the threat is still there

By John E Dunn

When senior Boeing engineer Mike VanderWel reportedly sent an “all hands on deck” internal memo yesterday warning that the dreaded WannaCry malware was on the loose inside the company’s networks, alarm quickly spread.

According to excerpts leaked to the media, his anxiety is palpable:

[The malware] is metastasizing rapidly out of North Charleston and I just heard 777 [production] may have gone down. We are on a call with just about every VP in Boeing.

To many in the company and beyond, this must have sounded worryingly reminiscent of the way WannaCry attacks unfolded across numerous large organizations during its first appearance last May.

Now, as then, WannaCry carries with it a feeling of helplessness, as if what is happening is unstoppable and therefore disruption is inevitable.

Read more at https://nakedsecurity.sophos.com/2018/03/29/boeing-hit-by-wannacry-reminding-everyone-the-threat-is-still-there/

Facebook revamps security, privacy settings following huge data scandal

By Lisa Vaas

Following the Cambridge Analytica (CA) privacy train wreck of the past two weeks, Facebook says it’s going to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot, so users can more easily find and edit whatever data it’s got on them.

The changes are due to arrive over the coming weeks.

It gave details in a blog post on Wednesday.

Facebook VP of policy and chief privacy officer Erin Egan credited the CA revelations for showing the company that they’ve got work to do:

Last week showed how much more work we need to do to enforce our policies and help people understand how Facebook works and the choices they have over their data. We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed.

Last week, CEO Mark Zuckerberg announced a crackdown on abuse of Facebook’s platform, strengthened policies, and pledged an easier way for people to revoke apps’ ability to use their data.

The core of the data analytics personal data-gobbling scandal is, of course, how very, very easy it’s been for apps to get at that data. … And how precious little Facebook has done to police those apps. … And the near-nil steps Facebook took to verify that the data of 50 million Facebook users inappropriately shared with data analytics firm CA had in fact been deleted (it hadn’t).

Egan said in Wednesday’s post that the revamp of privacy and security controls has been in the works “for some time,” but “the events of the past several days underscore their importance.”

We’ve heard loud and clear that privacy settings and other important tools are too hard to find, and that we must do more to keep people informed.

The changes, not surprisingly, put the onus on users to delve into what data Facebook has on them. The changes don’t speak to the lack of vetting Facebook has put app developers through.

Read more at https://nakedsecurity.sophos.com/2018/03/29/facebook-revamps-security-privacy-settings-following-huge-data-scandal/

Football team pays $2.5 million to criminals in transfer fee scam

By Paul Ducklin

Football is a big-ticket news item all around the world, whichever flavor of the game you prefer.

Unsurprisingly, there are huge amounts of money at the top level in all codes of football – American, Australian, two different types of rugby, and the most widely-played variant, Association Football, variously known as the “world game”, the “beautiful game”, or soccer.

A lot of money, at least in European soccer, goes on transfer fees, paid when players switch between teams – sometimes between teams in the same league, but often in moves from country to country.

For example, Dutch player Stefan de Vrij moved from top-flight Dutch club Feyenoord to Italian football giants Lazio a few years ago.

We’re not sure what the total transfer fee was, but apparently the payments were done in installments, with the final payment, due in 2018, a cool €2,000,000 ($2.5 million).

Here’s the scary thing.

According to astonished football journalists the world over, Lazio apparently paid out that final $2.5m sum…

…to the wrong bank account, after being convinced to switch account numbers by an email scammer.

As one football writer quipped:

There’s nothing more wonderful in the world than the spam folder […] – Lord knows how much utter nonsense lives there – but perhaps Lazio need better filters on their inbox…

I chuckled at that remark, but the truth is almost certainly much more complex than just one piece of unfiltered spam.

Read more at https://nakedsecurity.sophos.com/2018/03/29/football-team-pays-2-5-million-to-criminals-in-transfer-fee-scam/

Hackers hit 911 systems, emergency dispatch affected

By Lisa Vaas

On Sunday, Baltimore’s emergency service dispatchers were forced off automated dispatching and onto getting the job done manually because of a hacked server.

According to the Baltimore Sun, the breach was confirmed by Mayor Catherine Pugh’s office, the FBI (which is helping with the investigation), Baltimore Police Commissioner Darryl De Sousa, and CIO Frank Johnson from the Mayor’s Office of Information Technology.

James Bentley, a spokesman for Pugh, told the newspaper that the attack, which came around 8:30 am on Sunday morning, affected messaging functions within the computer-aided dispatch (CAD) system.

The CAD system supports the 911 emergency service and the 311 mayor’s hotline. Johnson called it a “limited breach.” Services that back up the two numbers “were temporarily transitioned to manual mode,” he said, and continued to operate without disruption.

The Baltimore Sun quoted Johnson:

This effectively means that instead of details of incoming callers seeking emergency support being relayed to dispatchers electronically, they were relayed by call center support staff manually.

After isolating the affected server and taking it offline, city workers did a “thorough investigation of all network systems,” Johnson said, and had the problem fixed and the server back online as of 2 am Monday.

Police Commissioner De Sousa said that police response time to crime reports didn’t slow down due to the attack.

There were no suspects as of Tuesday, and the motive for the hack was unknown. Nor is it known if this was the first such attack on Baltimore’s 911 system.

There are all sorts of motives that have been at the heart of similar attacks, though. As the Baltimore Sun reports, and as was confirmed by an association that represents 911 professionals across the country, there’s not much by way of personal or financial data on these systems.

The systems can, however, store some medical information and can give attackers access to cities’ important mapping systems. Taking them down also affects cities’ ability to quickly respond to disasters.

Read more at https://nakedsecurity.sophos.com/2018/03/29/hackers-hit-911-system-emergency-dispatch-affected/

Firefox add-on limits Facebook’s tracking of you

By Maria Varmazis

Long gone are the days when Facebook was just a way to keep in touch with friends and family. Many of us don’t think twice about signing up or logging in to an app or retailer’s website through our Facebook account, and using Facebook to leave comments is so ubiquitous that it just seems like a normal part of the internet experience.

Long after we’ve closed that Facebook tab, our Facebook accounts continue to follow and monitor us everywhere we go online, all in the pursuit of mining us for marketing data and serving us targeted advertisements.

Most of us remember that it wasn’t always this way. Privacy advocates have long warned about overreach in how Facebook tracks user data, and there are certainly ways to curtail what Facebook knows about your internet activity (that is, if you must use Facebook at all) – clearing cookies frequently, disabling JavaScript, using ad and tracker blocker plugins and so on.

All of these methods chip away at the creeping moss of Facebook surveillance, a term that would have seemed absolutely laughable just a few years ago. But with the revelations about Facebook data misuse by Cambridge Analytica, more users are taking a hard look at what exactly they’ve tacitly consented to by using Facebook, and how much they really want to allow it to peek into more and more facets of their lives.

To make it easier for people to keep the Facebook experience precisely where one might expect it to be – within the browser tab where it is running, and nowhere else – Mozilla has released a new extension called Facebook Container for its Firefox browser. In Mozilla’s own words, the extension “prevents Facebook from tracking you around the web.” Essentially, it keeps all Facebook activity within the browser tab where you are actively looking at Facebook, and it slaps Facebook’s hand if it tries to do anything outside of that tab.

So much of what we’ve become used to as internet-ubiquitous in the past few years – commenting on a page with a Facebook account, logging in to a service with Facebook credentials, liking a page or a comment outside of Facebook – will no longer work (or will mostly not work) within Firefox if you have this extension installed.

As this runs in the browser, it doesn’t change Facebook’s behavior at the core. So if you use Facebook in a different browser, or in another instance of Firefox that doesn’t have the extension, these protections won’t apply. And it certainly wouldn’t affect how the Facebook app on your phone potentially tracks you or collects data on your activity.
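To make the isolation concrete, here is an added example of the two decisions a container extension of this kind has to make. It is my own sketch, not Mozilla’s Facebook Container source (whose domain list and handling of edge cases differ): top-level navigations to Facebook are pushed into a dedicated container, which in Firefox means a separate cookie jar identified by a cookieStoreId, and Facebook-owned resources such as Like buttons, login widgets and tracking pixels are refused in ordinary tabs. The routing logic is plain JavaScript; the glue at the bottom uses the Firefox WebExtension contextualIdentities and webRequest APIs and only runs when loaded as an extension background script. The domain list, the container name and the choice to block (rather than merely strip cookies from) embedded Facebook resources are assumptions for the illustration.

```javascript
// Added illustration, not Mozilla's Facebook Container code. Assumed domain
// list and container name. As an extension it would need the
// "contextualIdentities", "cookies", "tabs", "webRequest",
// "webRequestBlocking" and "<all_urls>" permissions in manifest.json.

// Hosts treated as "Facebook" (assumption: illustrative, not the real list).
const FACEBOOK_DOMAINS = ["facebook.com", "facebook.net", "fb.com", "fbcdn.net", "messenger.com"];
const CONTAINER_NAME = "Facebook (example)"; // hypothetical name
const DEFAULT_STORE = "firefox-default";      // Firefox's ordinary, uncontained cookie jar

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return ""; // about:blank, data: URLs and the like have no usable host
  }
}

// True for a listed domain or any subdomain of it, so "evilfacebook.com"
// and "facebook.com.attacker.net" do not match.
function isFacebookHost(hostname) {
  return FACEBOOK_DOMAINS.some(d => hostname === d || hostname.endsWith("." + d));
}

// Decision for a top-level navigation, given the tab's current cookie jar.
//   "move-into-container"  Facebook opened in a normal tab: reopen it inside
//   "move-out-of-container" a non-Facebook site opened inside: evict it
//   "allow"                 already in the right jar
function routeNavigation(url, tabCookieStoreId, fbCookieStoreId) {
  const toFacebook = isFacebookHost(hostOf(url));
  const inContainer = tabCookieStoreId === fbCookieStoreId;
  if (toFacebook && !inContainer) return "move-into-container";
  if (!toFacebook && inContainer) return "move-out-of-container";
  return "allow";
}

// Decision for a sub-resource (script, iframe, image, XHR). A Facebook-owned
// asset embedded in a third-party page outside the container is exactly the
// Like-button / login-widget / pixel loading that lets Facebook follow you.
function shouldBlockSubresource(requestUrl, documentUrl, tabCookieStoreId, fbCookieStoreId) {
  if (tabCookieStoreId === fbCookieStoreId) return false; // inside the jar: fine
  if (!isFacebookHost(hostOf(requestUrl))) return false;  // not Facebook: fine
  return !isFacebookHost(hostOf(documentUrl));            // Facebook asset on a third-party page
}

// Browser glue: runs only when loaded by Firefox as an extension background script.
if (typeof browser !== "undefined" && browser.contextualIdentities) {
  (async () => {
    // Reuse the container if it already exists, otherwise create it once.
    const existing = await browser.contextualIdentities.query({ name: CONTAINER_NAME });
    const identity = existing.length
      ? existing[0]
      : await browser.contextualIdentities.create({ name: CONTAINER_NAME, color: "blue", icon: "fingerprint" });
    const fbStore = identity.cookieStoreId;

    browser.webRequest.onBeforeRequest.addListener(async details => {
      if (details.tabId < 0) return {}; // not associated with a tab (e.g. extension fetch)
      const tab = await browser.tabs.get(details.tabId);
      if (details.type === "main_frame") {
        const action = routeNavigation(details.url, tab.cookieStoreId, fbStore);
        if (action === "allow") return {};
        // Reopen the page in the correct cookie jar and cancel the original load.
        await browser.tabs.create({
          url: details.url,
          cookieStoreId: action === "move-into-container" ? fbStore : DEFAULT_STORE,
          index: tab.index + 1,
        });
        await browser.tabs.remove(tab.id);
        return { cancel: true };
      }
      return {
        cancel: shouldBlockSubresource(details.url, details.documentUrl || "", tab.cookieStoreId, fbStore),
      };
    }, { urls: ["<all_urls>"] }, ["blocking"]);
  })();
}
```

The suffix matching in isFacebookHost is the part worth getting right: a naive `includes("facebook")` would both miss CDN hosts like fbcdn.net and match attacker-controlled look-alikes. Note also why the phone app is out of scope for anything like this: the cookie-jar boundary is a browser construct, and a native app ships its own network stack.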

(If you’re really concerned about the data Facebook is collecting on you but can’t quite get on the #DeleteFacebook train, using this browser extension and deleting the app from your phone is a good compromise.)

Read more at https://nakedsecurity.sophos.com/2018/03/29/firefox-add-on-limits-facebooks-tracking-of-you/
