
July 8, 2020 »

Mozilla turns off “Firefox Send” following malware abuse reports

By Paul Ducklin

What do you do when you need to send a file to someone you don’t interact with a lot?

Many of us use email attachments for small files, because it’s quick and easy to share modest amounts of data that way.

Sure, the attachment will probably lie around in the recipient’s mailbox for days, or months, or even years, which might not be quite what you had in mind…

…but when you send someone else a file, you can’t control what they do with it anyway, or how long they keep it, or how widely visible it is on their corporate network after they save it.

Nevertheless, most emails are end-to-end encrypted these days, which at least means that files sent by email are unlikely to lie around (intentionally or otherwise) at your ISP, or at one or more third-party servers along the way.

But email is no good for large files such as audio data or videos, because most email servers quite reasonably have a low limit on message sizes to stop the system getting clogged up by attachments.

So the usual fallback for sending files that you can’t or don’t want to transmit via email is to use a file sharing service instead, which is rather like using webmail, only without the messaging part.

You upload the file to a file sharing site, optionally setting various options that describe which other users can see it, and for how long, and then send the recipient an email that contains a download link where they can fetch the file at their leisure.


Kinda sorta weakened version of EARN IT Act creeps closer

By Lisa Vaas

There are gut-churning tales of online child sexual abuse material (CSAM).

Last week, when a bill designed to strip legal protection from online abusers sailed through the Senate Judiciary Committee, UC/Berkeley Professor Hany Farid passed on this example from investigators at the Department of Justice’s Child Exploitation and Obscenity Section: a man had “expressed excitement for his soon-to-arrive ‘new material,’ sharing an in-utero picture of his unborn child with an online network of abusers.”

Now that the EARN-IT Act has crept closer to a full Senate hearing, we’re that much closer to finding out whether the bill can really help stem the flood of online CSAM, whether it’s a barely veiled attack on online privacy and end-to-end encryption, or all of the above.

During Thursday’s hearing on the bill, which they’d amended the day before, the proposed law’s co-sponsors stressed that it’s not a wooden stake to stick in encryption’s heart. Senator Richard Blumenthal claimed that the bill “is not about encryption and it never will be.” The other co-sponsor, Senator Lindsey Graham, said that his goal “is not to outlaw encryption”. Well, at least not at this point, maybe: he called that “a debate for another day.”

The critics of the proposed law aren’t swallowing it.

The day before the hearing, the co-sponsors amended the act to make it appear, at least, to be more of a nudge than a cudgel. As explained by the Electronic Frontier Foundation (EFF) – a staunch critic of the bill – the new version now gives state legislatures the power to regulate the internet in the quest to battle CSAM, as opposed to a 19-person federal commission.

Nonetheless, it still threatens encryption, its critics say, albeit less blatantly.

In its first iteration, the EARN-IT Act proposed a commission to come up with best practices to battle CSAM. That commission would have been controlled by Attorney General William Barr. Given how often Barr has said that he thinks that encrypted services should be compelled to create backdoors for police, it was easy to see the legislation as an embodiment of a threat from Graham and other senators to regulate encryption in lieu of tech companies willingly creating those backdoors.


July 7, 2020 »

Flashy Nigerian Instagram star extradited to US to face BEC charges

By Lisa Vaas

The US has dragged a fancy-pants, Instagram-star, high-fashion-flaunting, alleged Nigerian scammer out of the United Arab Emirates (UAE) and into Chicago to face charges that he helped launder beaucoup bucks gouged out of businesses in business email compromise (BEC) scams.

His name is Ramon Olorunwa Abbas, aged 37, also known as “Ray Hushpuppi” and “Hush.” Abbas, a Nigerian national, arrived in Chicago Thursday evening after being extradited from the UAE. He made an initial court appearance in Chicago on Friday, but his case is expected to be transferred to Los Angeles in coming weeks.

As of Monday, you could still check out his public, uber-blingy Instagram account, where Abbas has 2.4 million followers. It lists him as a real estate developer. The photos show him slouching on pricey couches in luxury hotels, riding in charter jets, wearing fancy sneakers and designer clothes, sporting expensive watches, posing in or with Richie Rich cars – think Bentleys, Ferraris, Mercedes and Rolls Royces – and lavishing pictorial love on Dior this and Gucci that.

So much Gucci. In fact, Abbas’s Instagram account listed his Snapchat contact name as “The Billionaire Gucci Master!!!”


Company web names hijacked via outdated cloud DNS records

By Paul Ducklin

US security researcher Zach Edwards recently tweeted about finding 250 company website names that had been taken over by cybercriminals.

He didn’t name the brands, but insists that the organizations affected include banks, healthcare companies, restaurant chains, civil rights groups and more:

I reported ~250 enterprise subdomains I've found compromised over the last ~7 days // some of these orgs are MASSIVE (banks, tons of healthcare orgs, critical infrastructure, huge restaurant chains, power companies, insurance, civil rights groups). This story needs to be written.

— Zach Edwards (@thezedwards) July 3, 2020

The issue here is that the websites themselves haven’t been hacked, but their DNS entries have.

These attacks, known as DNS hijacks, happen when crooks don’t actually break into and take over a site itself, but instead simply change the “internet signposts” that point to it.

As you probably know, DNS, short for domain name system, is the distributed, global name-to-number database that automatically turns human-friendly server names such as nakedsecurity DOT sophos DOT com into computer-friendly IP numbers that are needed to send and receive network packets on the internet.


July 6, 2020 »

Boston bans government use of facial recognition

By Lisa Vaas

It’s simple: Boston doesn’t want to use crappy technology.

Boston Police Department (BPD) Commissioner William Gross said last month that abysmal error rates – errors that mean it screws up most particularly with Asian, dark or female skin – make Boston’s recently enacted ban on facial recognition use by city government a no-brainer:

Until this technology is 100%, I’m not interested in it. I didn’t forget that I’m African American and I can be misidentified as well.

Thus did the city become the second-largest in the world, after San Francisco, to ban use of the infamously lousy, hard-baked racist/sexist technology. The city council voted unanimously on the bill on 24 Jun – here’s the full text, and here’s a video of the 3.5-hour meeting that preceded the vote – and Mayor Marty Walsh signed it into law last week.

The Boston Police Department (BPD) isn’t losing anything. It doesn’t even use the technology. Why? Because it doesn’t work. Make that it doesn’t work well. The “iffy” factor matters most particularly if you’re Native American, black, Asian or female, given high error rates with all but the mostly white males who created the algorithms it runs on.

According to a landmark federal study released by the National Institute of Standards and Technology in December 2019, Asian and black people are up to 100 times more likely to be misidentified than white men, depending on the particular algorithm and type of search. Commercial facial analysis systems vary widely in their accuracy, but overall, Native Americans had the highest false-positive rate of all ethnicities.


Facebook hoaxes back in the spotlight – what to tell your friends

By Paul Ducklin

At the risk of giving you a feeling of déjà vu all over again…

…it’s time to talk about Facebook hoaxes once more.

Looking at the Naked Security articles that people have not only searched for but also read in large numbers over the past few days tells us that we’re in what you might call a “market uptick” for hoaxes at the moment.

The top two resurgent hoaxes in the past week have been the Instant bank fraud “warning” and the How to post to more than 25 friends “advice”.

Loosely speaking, most Facebook hoaxes – by which we really mean “posts that get shared virally despite being useless and inaccurate, yet that aren’t actually scams or phishing tricks” – take one of three forms:

  1. Warnings to watch out for something supposedly dangerous that isn’t going to happen, and wouldn’t be particularly dangerous even if it did.
  2. Instructions to copy a specific paragraph of bogus information exactly and repost it under your own name.
  3. Advice on how to check your cybersecurity settings that achieves nothing except giving you a false sense of security.


Google buys AR smart-glasses company North

By Lisa Vaas

Google announced on Tuesday that it’s purchased a smart-glasses company called North and, notwithstanding its failure to bring Google Glass wearables to the masses, still plans to caress our vision with the vast tentacles of its helpfulness.

From the announcement, which was posted by Rick Osterloh, Senior Vice President, Devices & Services:

From 10 blue links on a PC, to Maps on your mobile phone, to Google Nest Hub sharing a recipe in the kitchen, Google has always strived to be helpful to people in their daily lives. We’re building towards a future where helpfulness is all around you, where all your devices just work together and technology fades into the background. We call this ambient computing.

Credit where credit’s due – “ambient computing” sounds friendlier than, say, “pervasive privacy-threatening creepster surveillance spectacles.” Privacy concerns contributed to the sinking of Google Glass. In January 2016, after years of development, Google shuttered its Glass social media accounts.

A year prior, Google had ended its Explorer program and stopped selling Glass. But a few months after that, Google executive chairman Eric Schmidt said that the move wasn’t meant to imply that Google was sticking a fork in its internet-connected eyeglasses.

No, Schmidt said, Google Glass wasn’t dead. It was just being fine-tuned for the masses. Google then focused work on a Glass spinoff for the enterprise.

Details of the North purchase, including how much Google’s paying for the Canadian company, weren’t disclosed.


MongoDB ransom threats step up from blackmail to full-on wiping

By Paul Ducklin

Have you left a cloud database exposed online?

According to Dutch security researcher Victor Gevers of the Dutch Institute for Vulnerability Disclosure, who’s been hunting down insecure databases for years, thousands of MongoDB users have done just that – or, to be more precise, many tens of thousands of databases have shown up where they shouldn’t.

And that’s just this year.

A significant proportion of the exposed databases have been modified by hackers in recent months to include a blackmail demand, written in broken English, that says:

All your data is backed up. You must pay 0.015 BTC [currently about $135] to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server!

There’s a pseudo-anonymous email address that you can use to contact the extortionist, and a Bitcoin wallet for the money.

(We suspect that some victims will have exposed several different databases at the same time, given that a security blunder that’s easy to make once is just as easy to repeat.)

Note that when the extortion note says that “your data is backed up,” the crooks aren’t congratulating you on having a backup of your own.

What they mean is that, whether you have a backup or not, they have one, or so they say, and their leverage is that they’ll dump your data for the world to see, and tell the regulator, if you don’t cough up the money.


133m records for sale as fruits of data breach spree keep raining down

By Lisa Vaas

A data breach broker has flooded a hacker forum with a whopping total of 132,957,579 user records.

Bleeping Computer is in touch with the data breach broker: a “known and reputable” broker who’s selling databases, all of which contain different data types but all of which include usernames and hashed passwords.

The companies whose databases are allegedly being peddled include game sites, food delivery services, soccer streaming, online fashion and loans. Out of the 14, only four are known to have been breached: Home Chef, Minted, Tokopedia and Zoosk.

Home Chef, a meal delivery service, confirmed a data breach two weeks after a hacker group named Shiny Hunters listed a database of 8 million customer records on a dark web marketplace. Shiny Hunters was the same group that claimed to be selling Zoosk’s records – along with nine other companies’ records, for a total of 73 million user records – in May.

For its part, Minted, a marketplace for independent artists, in late May confirmed that it had suffered a data breach earlier that month – confirmation that came after a hacker sold a database containing 5 million user records on a dark web marketplace. The name of the broker? Shiny Hunters.

Also in May, data breach monitoring and cybersecurity intelligence firm Under the Breach discovered that a hacker was offering the account information for 15 million users of Tokopedia – which is Indonesia’s largest online store – on a hacker forum for as little as USD $5,000. The broker? Shiny Hunters.

In sum: as Wired notes, during the first few weeks of May, the hacking group went on a data breach spree, hawking close to 200 million stolen records from over a dozen companies.

Bleeping Computer didn’t name the data breach broker it’s been in contact with, but it’s highly possible its initials turn out to be SH. The broker told the news outlet that the 14 databases they’re selling can be had for as little as $100, on up to $1,100.


July 1, 2020 »

Microsoft issues critical fixes for booby-trapped images – update now!

By Paul Ducklin

Microsoft has just released emergency patches for two critical security holes in the Windows Codecs Library.

We all know what Windows means.

But what is a Codecs Library, and why are bugs in it such a big deal that they need to be fixed without waiting for the next Patch Tuesday to come round?

Well, codec is short for encoder-decoder, and it’s the jargon term for the sort of software that takes data of some sort – notably the raw data that represents the pixels in a video or the sound in an audio file – and reworks it so it can be sent and received easily.

The co- part of a codec takes something like a raw image, consisting of rows and rows of color pixels, and wraps it up in a format such as JPG or PNG so it can be saved into a file for downloading or streaming.

The -dec part does the reverse at the other end, reading in the file, decompressing it (most images and videos are compressed for transmission because this saves an enormous amount of bandwidth) and getting it back into its raw form so it can be displayed.


Firefox 78 is out – with a mysteriously empty list of security fixes

By Paul Ducklin

Yesterday was both a Tuesday and four weeks since the last major Firefox update, making it the official release date for the latest version.

There are now three mainstream flavors of Firefox to choose from: 68.10ESR, 78.0ESR and 78.0.

ESR is short for Extended Support Release, often preferred by IT departments because it gets security fixes at the same rate as the regular version, but only takes on new features in a staggered fashion – in other words, users of the ESR versions are shielded from sudden switches in appearance, user interface and workflow.

This time you can choose from 68.10ESR (the numbers to the left and right of the dot add up to the current major version number, in this case 78), which is Firefox with the look-and-feel of about a year ago plus 10 updates’ worth of security fixes, or 78.0ESR, which is largely the same as the regular version, as the numbers reveal.

Every time the ESR version “catches up” with the regular version’s features, Mozilla releases the old-style and the new-style ESR versions in parallel so there’s always an overlap period in which to try out both before switching over.

The new Firefox 78.0 does have some visible changes, notably the addition of a special web page called the Protections Dashboard, accessible by putting about:protections in the address bar.

This gives you a summary of any trackers blocked recently, a button to entice you to sign up for Firefox’s breach alerts, and a link to the Firefox password manager.


iOS 14 flags TikTok, 53 other apps spying on iPhone clipboards

By Lisa Vaas

In March, researchers Talal Haj Bakry and Tommy Mysk revealed that Android and iOS apps – including the mind-bogglingly popular, China-owned, video-sharing/often in privacy hot water TikTok – could silently, automatically read anything you copy into your mobile device’s clipboard.

Sexy selfies? Passwords copied from your password manager? Bank account information? Bitcoin addresses? Yes, yes, scary yes, yes. Anything you’ve copied recently, they’ll paste it into themselves. Such data is typically used for advertising and tracking purposes.

The covert content copying is possible not only for a device’s local data, but also on nearby devices, as long as the devices share the same Apple ID and are within about 10 feet of each other. That’s enabled by Apple’s universal clipboard: a clipboard that enables content to be copied on one device and then pasted into an app running on a separate device.

It’s “very, very dangerous,” Mysk told Ars Technica on Friday, after the discovery had bubbled to the surface yet again. The findings hit the headlines anew as Apple released the developer beta of iOS 14 – a release that flags this behavior.

Mysk said that the ability for apps to read content off nearby devices means that an app on an iPhone could possibly read sensitive data on the clipboards of other connected iOS devices, be they cryptocurrency addresses, passwords, or email messages, even if the iOS apps are running on a separate device.

The iOS 14 developer beta release – which you can download and install now to get an eyeful of this behavior – comes with a feature that’s custom-tailored to spotlight this kind of thing: namely, a banner warning that pops up every time an app reads clipboard contents.


June 29, 2020 »

Satori IoT botnet author sentenced to 13 months in prison

By Lisa Vaas

The coder who created the massive Satori botnet of enslaved devices and a handful of other botnets will be spending 13 months behind bars, the US Attorney’s Office of Alaska announced on Friday.

Kenneth Currin Schuchman, 22, from Vancouver, Wash., spent years developing distributed denial-of-service (DDoS) botnets. In September 2019, he pleaded guilty to operating the Satori botnet, made up of IoT devices, and at least two other botnets; to running a DDoS-for-hire service; to cooking up one of the evolving line of botnets while he was indicted and under supervised release; and to swatting one of his former chums, also while on supervised release.

Satori did massive damage: it and its iterations would be unleashed in record-setting DDoS attacks that enslaved more than 800,000 devices – things like home routers, security cameras and webcams – and flattened ISPs, online gaming platforms and web hosting companies.

Schuchman was indicted in September 2018 on two counts of fraud and related activity in connection with a computer, but in the plea agreement he struck with prosecution, he pleaded guilty to just one count of fraud and related activity in connection with computers, in violation of the Computer Fraud & Abuse Act (CFAA).

Schuchman worked with two criminal colleagues: “Vamp”, also known as “Viktor,” and “Drake”. The recently unsealed indictment reveals the names and locations of the two men who were sometimes his friends, sometimes his competitors and targets. Vamp is actually Aaron Sterritt, a national from the UK, while Drake turns out to be Logan Shwydiuk, a Canadian national.


Fancy hacking a PlayStation? Sony announces its bug bounty program

By Paul Ducklin

You’ve probably heard the French saying, “Plus ça change, plus c’est la même chose.”

Alliteratively coined by the French satirical writer Jean-Baptiste Alphonse Karr, it means that the more things change, the more they remain the same, and it’s a cynical observation that what seems like an improvement may not, in the end, sort out the underlying problems or attitudes it was meant to fix.

Well, here’s a change that really does seem to be a change, in heart as well as in direction!

Sony, maker of the PlayStation games console series, has not always been friendly to hackers.

About ten years ago, the company famously took legal action against a young George Hotz, better known as geohot, an American hacker – in the neutral sense of the word here – who has found his way into numerous “locked down” devices over the years.

Hotz, who is now into open source self-driving automotive software, has variously come up with jailbreaks (or roots as they are known on Android phones, after the Unix name for the top-level administrative account) for iPhones, locked-down Androids such as Galaxies

…and for the Sony PlayStation 3.


REvil gang threaten to auction celebrity data from Mariah Carey, Lebron James, MTV and more

By Lisa Vaas

What would you do if your law firm to the stars were to be presented with this choice: pay us $42 million or we’ll sell Mariah Carey’s confidential legal documents on the dark web on 1 July?

… followed by a carefully laid out schedule to sell personal correspondence, contracts, agreements, non-disclosure agreements, court conflicts and other internal correspondence relating to other clients, including Nicki Minaj, Lebron James, Bad Boy Records, MTV and Universal?

If you were Allen Grubman, founder of the star-studded law firm Grubman Shire Meiselas & Sacks, you’d tell the ransomware crooks to get lost. Following a ransomware attack from the REvil cybergang that flattened the firm in May, Grubman said he wouldn’t negotiate with the hackers, equating them to terrorists.

In the May attack, the gang stole more than 750GB in total. Now, the blackmailers are making good on their threats to publish it.

According to Variety, REvil has threatened to auction off sensitive documents from the firm’s top clients, laying out a schedule that begins on 1 July with documents from Mariah Carey, Nicki Minaj and Lebron James, starting at $600,000 per celebrity. They plan to auction off documents from Bad Boy Records (starting at $750,000) and from MTV and Universal (starting at $1 million each) two days after that. There’ll be more from an unspecified celebrity – or two or three or more of them, who knows – released on 5 July, the REvil gang promised.


June 25, 2020 »

Patch time! NVIDIA fixes kernel driver holes on Windows and Linux

By Paul Ducklin

The latest security patches from NVIDIA, the maker of high-end graphics cards, are out.

Both Windows and Linux are affected.

NVIDIA hasn’t yet given out any real details about the bugs, but 12 different CVE-tagged flaws have been fixed, numbered sequentially from CVE-2020-5962 to CVE-2020-5973.

As far as we can tell, none of the bugs can be triggered remotely, so they don’t count as RCEs, or remote code execution holes, by means of which crooks could directly hack into your laptop or server over the internet.

However, as is very common with security bugs in kernel-land, they could let crooks carry out what’s known as information disclosure or elevation of privilege attacks.

Given that the kernel contains information about the entire system, including details such as which processes are allowed to access what memory locations, being able to fiddle around inside the kernel is usually a privilege reserved for top-level sysadmins only.

Kernel bugs that allow regular users to peek into the kernel’s protected memory areas are therefore dangerous because they can often be exploited by criminals to grant themselves permanent administrator powers without needing to know any administrator passwords.


Twitter apologizes for leaking businesses’ financial data

By Lisa Vaas

Twitter apologized on Tuesday for sticking business clients’ billing information into browser cache – a spot where the uninvited could have had a peek, regardless of not having the right to see it.

In an email to its clients, Twitter said it was “possible” that others could have accessed the sensitive information, which included email addresses, phone numbers and the last four digits of clients’ credit card numbers. Any and all of that data could leave businesses vulnerable to phishing campaigns and business email compromise (BEC) – a crime that the FBI says is getting pulled off by increasingly sophisticated operators who’ve grown fond of vacuuming out payrolls.

Mind you, Twitter hasn’t come across evidence that billing information was, in fact, compromised.

On 20 May, Twitter updated the instructions that Twitter sends to browser cache, thereby putting a stopper in the leak. The two affected platforms are or If you viewed your billing information on either platform before 20 May, your billing information may have gotten stuck in browser cache.


Glupteba – the malware that gets secret messages from the Bitcoin blockchain

By Paul Ducklin

Here’s a SophosLabs technical paper that should tick all your jargon boxes!

Our experts have deconstructed a strain of malware called Glupteba that uses just about every cybercrime trick you’ve heard of, and probably several more besides.

Like a lot of malware these days, Glupteba is what’s known as a zombie or bot (short for software robot) that can be controlled from afar by the crooks who wrote it.

But it’s more than just a remote control tool for criminals, because Glupteba also includes a range of components that let it serve as all of the following:


iOS 14, macOS Big Sur, Safari to give us ‘No, thanks!’ option for ad tracking

By Lisa Vaas

As is typical for Apple’s developer conferences, on Monday it started hyping the privacy and security goodies it’s got in store for us in a few months.

During the pre-taped keynote at Apple’s Worldwide Developers Conference (WWDC), the company promised to pump up data protection even more with gobs of new features in its upcoming iOS 14, macOS Big Sur, and Safari releases.

(Here’s the complete keynote transcript, courtesy of Mac Rumors, if you don’t have a spare 1:48:51 to listen to the opening for Apple’s first-ever, all-online WWDC.)

Pretty please stop the ad tracking

The big ones include the option for users to decline apps’ ad tracking. More specifically, we’ll be given the option to “Allow Tracking” or “Ask App Not to Track.” As Wired’s Lily Hay Newman points out, “asking” sounds a lot more dubious than “blocking.” But Apple makes it decisive in its notes to developers, where it says that the permission is a must-have for developers, not a nice-if-you’re-in-the-mood.


United States wants HTTPS for all government sites, all the time

By Paul Ducklin

The US government just announced its plans for HTTPS on all dot-gov sites.

HTTPS, of course, is short for “secure HTTP”, and it’s the system that puts the padlock in your browser’s address bar.

Actually, the government is going one step further than that.

As well as saying all dot-gov sites should be available over HTTPS, the government wants to get to the point that all of its web servers are publicly committed to use HTTPS by default.

That paves the way to retiring HTTP altogether and preventing web users from making unencrypted connections to government sites at all.


‘BlueLeaks’ exposes sensitive files from hundreds of police departments

By Lisa Vaas

DDoSecrets – a journalist collective known as a more transparent alternative to Wikileaks – published hundreds of thousands of potentially sensitive files from law enforcement, totaling nearly 270 gigabytes, on Juneteenth.

That date – 19 June – is a holiday that celebrates the emancipation of those who were enslaved in the US. There’s currently a push to make the date into a national holiday – a movement bolstered by the nationwide Black Lives Matter (BLM) protests.

DDoSecrets, which refers to itself as a “transparency collective,” has dubbed the release BlueLeaks.

On Friday, DDoSecrets said on Twitter that the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources”, including “police and FBI reports, bulletins, guides and more.”

Fusion Centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners.

DDoSecrets published the data in a publicly accessible, searchable portal that says it contains more than 1 million files, such as scanned documents, videos, emails, audio files, and more.



June 23, 2020 »

Anatomy of a survey scam – how innocent questions can rip you off

By Paul Ducklin

We’ve been receiving loads of survey scam emails lately – and you probably get heaps of these, too.

So we thought we’d take you through a recent scam from go to woe, with screenshots to document the path that the crooks lured us along.

Sometimes, a picture is worth 1000 words (or 1024 words, if you are accustomed to binary numbers like many computer programmers), so we hope this visual tour will be useful so you can show your friends and family what to watch out for.

After all, there doesn’t seem to be much harm in answering a few pseudo-anonymous questions such as “would you visit our shops in person if they were open later?”, or “how often do you browse our website for new products?”

Many brands ask questions of that sort, and sometimes offer small rewards for people who take the trouble to fill in the survey – $5 off your next purchase, for example, or a free product of modest value with your next order.

The scammers, however, have much bolder goals.

Typically, cybercriminals suck you in with a seemly and believable promise, but suddenly switch things up by suggesting that you’re one of the lucky few who is going to get a gift that’s much, much more valuable than just a discount code for 5% off your next purchase.

But there’s a catch…


Hacker indicted for stealing 65K employees’ PII in medical center hack

By Lisa Vaas

A Michigan man has been indicted for the 2014 hack of the University of Pittsburgh Medical Center’s (UPMC’s) HR databases and theft of employees’ personal information – information that he allegedly wound up selling on the dark web to crooks who used it to file thousands of bogus tax returns.

The 43-count indictment, returned on 20 May and unsealed on Thursday, charged 29-year-old Justin Sean Johnson, also known as TDS or DS, with conspiracy, wire fraud and aggravated identity theft.

The theft involved personally identifying information (PII) belonging to 65,000 employees from the medical center’s PeopleSoft human resources management system.

The purloined data included the names, Social Security taxpayer ID numbers, birth dates, addresses, marriage statuses, salary information, and yet more PII contained in employee W-2 forms.

After the hack, Johnson allegedly sold UPMC employees’ PII to buyers around the world on dark web marketplaces, leaving every one of those people subject to identity theft and potentially years of financial fraud, as US Attorney Scott W. Brady pointed out in a press release.

Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.

Tom Fattorusso, Special Agent in Charge of IRS-Criminal Investigation, was also quoted in the release, talking about the prolonged misery that victims of ID theft suffer:

Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly. Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals.

One of the victims was a nurse who wrote to the court, saying that the US government had eventually paid her IRS refund money back to her, but that she was still devastated by the invasion of her privacy. The Pittsburgh Post-Gazette quoted from her statement:

I think the perpetrators of this particular crime think every American is rich. Most of us, like me, are not … To think that someone could drain any of my assets as a result of possessing information about me including my Social Security number is too painful to think about.

Prosecutors say that Johnson allegedly sold the PII of doctors, nurses and other medical center employees – including W-2 tax forms – on dark web markets between 2014 and 2017. The crooks who purchased the data went on to submit false tax returns to the Internal Revenue Service (IRS) and made off with about $1.7 million in unauthorized federal tax refunds.


June 22, 2020 »

FBI uses T-shirt, tattoo and Vimeo clips to track down alleged arsonist

By Lisa Vaas

On the afternoon of 30 May, as in other US cities, all hell broke loose in Philadelphia as peaceful Black Lives Matter (BLM) protests turned into the smashing of store windows, looting, and arson, including the torching of two Philadelphia Police Department (PPD) cars.

On Wednesday, a 33-year-old Philadelphia woman was charged with allegedly torching those cars after the FBI tracked her down via a slew of online clues that show how findable we all are, be we criminals or somebody to be marketed at or tracked.

Namely: her protest T-shirt, which the FBI matched to one sold on the Etsy online marketplace; social media handles; a tattoo of a stylized peace sign on her right forearm; and a Vimeo video that shows a woman matching her description who removed a flaming piece of wooden police barricade from one car and shoved it through the window of another.

It’s worth noting that the FBI and the National Institute of Standards and Technology (NIST) have a tattoo recognition program called Tatt-C (also known as the Tattoo Recognition Challenge) that involves creating an open tattoo database to use in training software to automatically recognize tattoos. However, the FBI didn’t mention using that database, or its vast wealth of facial images, to find the alleged arsonist.

It sounds like investigators didn’t have to resort to anything as fancy as that. The clues that led to a suspect were far simpler to find. Investigators allege that the arsonist was 33-year-old Lore-Elisabeth Blumenthal of Philadelphia.

According to an affidavit filed by FBI special agent Joseph Carpenter, on the day of the protest and ensuing riot, he viewed a live, aerial news feed from a helicopter that was covering the fire that engulfed the first car.


Ripple20 bugs set off wave of security problems in millions of devices

By Danny Bradbury

Security researchers have discovered a handful of game-changing vulnerabilities that spell trouble for dozens of connected device vendors and their customers. On Tuesday this week security company JSOF unveiled 19 CVEs – four of them critical remote code execution flaws – in a low-level networking software library that render millions of devices vulnerable.

Labeling the discovery Ripple20, the researchers said that the bugs enable attackers to take control of internet-facing devices and then lurk undetected for years. Other risks include mass infections inside a network using a hacked device as a foothold, said their vulnerability analysis. No user interaction is necessary for a hacker to take over your network using these flaws.

Getting in touch with vendors has been a priority for JSOF, which said that 15 were affected as of yesterday, including Cisco, HP, and Schneider Electric. Another 57 were still investigating the effect on their products, including EMC, GE, Broadcom, and NVIDIA. Not affected were AMD, Philips, and Texas Instruments (at least, according to their own reports).


Bundlore adware brings a new nest of risks to Mac users

By Paul Ducklin

A decade or so ago, many Mac users used to claim very confidently that anti-virus software would be wasted on them, “because Macs don’t get malware.”

They’d admit that Mac malware was theoretically possible, but point out that because they’d never run into any problems themselves – problems that they knew of, anyway – and had never heard a fellow Mac user asking for help with a malware attack, they’d decided to ignore the issue of rogue software entirely.

A few Mac fans went further than that, saying that Macs were immune to malware because they’re based on Unix – Unix, they’d say, couldn’t get viruses because the operating system was completely different from Windows internally, and was secure against malware by design.

The problem with definitive claims of this sort is that you only need a single example of Unix malware – what you might call an existence proof – to debunk the theory, such as the infamous Morris Worm that downed the internet back in November 1988.

Of course, we’ve written about Mac malware – including zombies, data stealers, ransomware and many other sorts of badware – many times since 1988.

Even Apple itself came to the anti-virus party back in 2009 when it introduced a rudimentary malware blocking tool called XProtect right into OS X (now macOS).

Whether you called it malware or not, there have long been “software actors” out there ready to go after Mac users in the same way that they’ve been going after Windows users for years.

Well, nothing has changed: although you’re probably more likely to get hit up with malicious or unwanted software on Windows, you aren’t free and clear just because you’re using a Mac.


Microsoft promises to fix Windows 10 printer problem

By John E Dunn

Windows 10 updates released as part of last week’s Patch Tuesday appear to be making life hard for some printer users.

Problems after monthly updates are not unusual, but the numbers tend to be limited to subgroups of users.

It’s hard to tell how many people have encountered the latest glitch, but it was enough to register on Microsoft forums as well as in multiple threads on that great bellwether, Reddit. A typical error message ran something like:

Windows cannot print due to a problem with the current printer setup.

Numerous printer makers seemed to be affected. But other problems were reported too, ranging from application crashes and even the blue screen of death (BSOD), which hints at a deeper issue within Windows itself.

After several days of confusion, Microsoft has acknowledged the issue, describing it in the following terms:

After installing this update, certain printers might fail to print. The print spooler might throw an error or close unexpectedly when attempting to print, and no output will come from the affected printer.

It can also affect users printing to file formats such as PDF. No date for a fix has been set but the company said it was “working on a resolution” and would provide an update as soon as possible.


Crypto founder admits $25 million ICO backed by celebrities was a scam

By Lisa Vaas

The Miami-based cryptocurrency firm Centra Tech was built on fairy dust and paid celebrity hoo-ha, but co-founder Robert Joseph Farkas is going to be doing real time in a real prison for the $25 million initial coin offering (ICO) rip-off.

An ICO is an unregulated fundraising technique with a dodgy reputation that’s used by blockchain companies, where cryptocurrencies like Bitcoin and Ethereum are used to purchase “tokens” from a startup. If the company takes off, the tokens will theoretically be worth something. Centra Tech took off, all right, but only because its founders allegedly lied through their teeth.

Farkas – also known as RJ – pled guilty in Manhattan federal court on Tuesday to charges of conspiring to commit securities and wire fraud, according to the US Attorney’s Office for the Southern District of New York.

Sentencing hasn’t been scheduled yet. Farkas, 33, pled guilty to two charges, each of which carries a maximum sentence of five years in prison. Maximum sentences are rarely handed out, but Farkas agreed to serve between 70 and 87 months and a fine of up to $250,000 in a plea deal.

