January 16, 2018

Netflix phishing campaign goes after your login, credit card, mugshot and ID

By Paul Ducklin

Think of the big security stories of recent months.

Security holes like F**CKWIT and KRACK; a plethora of ransomware attacks ending in extortion; data breaches that were big, bigger or biggest

…there are plenty of candidates for the story that got the most attention.

In contrast, phishing attacks rarely make the news these days, even though (or perhaps precisely because) there are so many of them.

Somehow, phishing seems to have turned into an “obvious” problem that everyone is expected to have experienced, learned from, got the better of, and moved on.

But phishing is still big business for cybercriminals: in the last week alone, for example, SophosLabs intercepted phishing attacks that abused the brands of many financial institutions.

Organizations that had their brands hijacked in this way in the past few days include: eBay, PayPal, VISA, American Express, Bank of America, Chase, HSBC, National Australia Bank – and that’s just a random subset of the list, in one industry sector.

Protecting your brand against abuse by phishers is, sadly, as good as impossible, especially if your brand is well-known and widely advertised.

Every time you send out an email of your own, or publish a blog article, or pen a PR statement, or put a logo on your website, you provide raw material for cybercrooks to copy-and-paste to produce simulacrums of their own.

Ironically, the less original and inventive they try to be, the more legitimate they’ll look, and the less likely they’ll be to introduce spelling, grammar and visual mistakes that clue you in to the deception.

Read more at https://nakedsecurity.sophos.com/2018/01/15/netflix-phishing-campaign-goes-after-your-login-credit-card-mugshot-and-id/

House votes for six more years of warrantless surveillance

By Taylor Armerding

If you’re a member of the US “intelligence community” – the FBI, CIA and NSA – this past Thursday was a great day for homeland security.

A majority vote in the US House of Representatives to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA) for six years will, in their view, give them continued access to the indispensable tools they need to prevent major foreign terrorist attacks. Without them, they would be blinded to terrorist plots within the US, and US soldiers could be at much greater risk on foreign battlefields.

If you’re a privacy/civil liberties advocate, it was an unwelcomed win for Big Brother and a shameful, ominous day for everybody else – a reauthorization of warrantless spying on US citizens that amounts to a back door around the Fourth Amendment’s prohibition against unreasonable search and seizure.

According to a bipartisan “letter to colleagues” from four senators – Republicans Rand Paul (KY) and Michael Lee (UT); and Democrats Ron Wyden (OR) and Patrick Leahy (VT) – Section 702 in its present form…

…does nothing substantive to protect the Fourth Amendment rights of innocent Americans. This bill allows an end-run on the Constitution by permitting information collected without a warrant to be used against Americans in domestic criminal investigations.

Most of the debate over Section 702 is not about its stated intent, but about how it is interpreted. The provision allows the NSA to monitor the communications of foreigners located outside the country to gather what was the agency’s original mission: foreign intelligence. That goal gets general, bipartisan support.

But, as has been widely reported since the law was created in 2008, and as the revelations of former NSA contractor Edward Snowden documented, that collection has been both foreign and domestic. The communications of millions of Americans who were not specific targets have been “incidentally” included. And much of that data, critics say, has been made available to other intelligence agencies like the FBI and CIA.

That is what has prompted the intensity of debate over Section 702’s renewal that ramped up last fall.

Read more at https://nakedsecurity.sophos.com/2018/01/15/house-votes-for-six-more-years-of-warrantless-surveillance/

Typosquatting and the risks of one wrong keystroke

By Matthew Phillion

It’s easy to do – you quickly type a URL you use every day, whether it’s Google or Facebook or Amazon, and in your haste, you accidentally swap, add, or delete a single letter and hit enter. Suddenly you’re not where you wanted to be, and often that new strange piece of the internet isn’t a 404 message, but rather an unexpected, and often sinister, website.

Or even stranger, a spoofed version of the site you wanted to visit in the first place.

Registering common misspellings of popular websites to catch users unaware is known as typosquatting, and it’s exactly what it sounds like – cybercriminals scoop up these frequently mis-spelled domain names, knowing that some innocent users will end up on their page.

Typosquatting is so common that businesses often register common typos themselves to redirect users to the correct page – Google, for example, owns the dot-com domains for its name spelled with one, two and three Os.

Typosquatting is a huge industry – over 80% of all possible one-character variants of Facebook, Google, and Apple are registered.

It’s easy to make jokes about typosquatting – the human error component can be amusing, and some of the satirical pages users stumble across are occasionally clever – but the risks posed by typosquatting are very real. NBC Nightly News recently highlighted the dangers of these typos and what you can do to avoid these malicious sites in a video featuring Sophos’ James Lyne.

But what really happens when someone makes their way to the wrong page? That depends on the intentions of the typosquatter. Sometimes it’s simply domain parking or domains for sale, or “related search” pages. Others are riskier to encounter, like competitions and surveys asking for personal information, or bait-and-switch sites. Others still truly are benign, like humor or satire sites or sites maintained by typosquatting researchers.
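The swap, add and delete slips described above can be turned into a check on hostnames seen in proxy or DNS logs. This is an added example, not code from the article; the brand list, function names and sample hostnames are constructed for illustration.

```python
# Added example: brand list and sample hostnames are constructed for illustration.
PROTECTED = ["google.com", "facebook.com", "amazon.com"]

def one_keystroke(typed, brand):
    """Name the single-keystroke slip that turns brand into typed, or None."""
    lt, lb = len(typed), len(brand)
    if typed == brand or abs(lt - lb) > 1:
        return None
    i = 0  # length of the common prefix
    while i < min(lt, lb) and typed[i] == brand[i]:
        i += 1
    if lt == lb + 1:   # one extra character typed
        return "add" if typed[i + 1:] == brand[i:] else None
    if lt == lb - 1:   # one character left out
        return "delete" if typed[i:] == brand[i + 1:] else None
    if typed[i + 1:] == brand[i + 1:]:   # one wrong character
        return "substitute"
    if (i + 1 < lt and typed[i] == brand[i + 1] and typed[i + 1] == brand[i]
            and typed[i + 2:] == brand[i + 2:]):   # two neighbours swapped
        return "transpose"
    return None

def classify(hostname):
    """Return (brand, slip) if hostname is one keystroke from a protected name."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for brand in PROTECTED:
        slip = one_keystroke(host, brand)
        if slip:
            return brand, slip
    return None

def review_queue(hostnames):
    """Hits are leads for review, not verdicts: brand owners register typos too."""
    return {h: classify(h) for h in hostnames if classify(h)}

if __name__ == "__main__":
    seen = ["www.google.com", "gooogle.com", "Gogle.com.", "facebok.com",
            "amazno.com", "example.org"]   # constructed proxy-log hostnames
    for host, (brand, slip) in review_queue(seen).items():
        print(f"{host}: one '{slip}' away from {brand}")
```
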

Read more at https://nakedsecurity.sophos.com/2018/01/15/typosquatting-and-the-risks-of-one-wrong-keystroke/

How to set up 2FA on your Facebook account

By Maria Varmazis

As Facebook continues to embed itself into the fabric of our social and online lives – or, perhaps it’s more correct to say, as we let Facebook continue to embed itself in our lives – it’s increasingly important that we keep our accounts safe from unauthorized use.

If you barely ever log in to Facebook, you might not be too concerned about what could happen if someone gets into your account. But with Facebook being the biggest social media network on the planet with more than two billion users, and even if not all of those users are active or tied to a real person, it is increasingly used as a service to prove we are who we claim to be.

Facebook is entrenching itself to be indelibly tied to our entire identity online: How often have you seen Facebook authentication offered as a way to post comments on websites, or to register or log in to an app or service?

For many Facebook users, if someone were to gain access to their account, this would go beyond a mere annoyance – that person could also have access to their accounts on other apps, access to all sorts of sensitive information about them, their families, friends, and coworkers. From a reputation perspective alone, there’s a lot of potential for real-life consequences.

That’s why it’s a very good idea to take the security of your Facebook account seriously, and thankfully Facebook has made it reasonably easy to manage. A complex, unique password for Facebook is a great starting point – and if you haven’t changed it in a long while, take a moment to do it – but we also encourage you to take the security of your account to the next level and enable two-factor authentication as well.

Two-factor authentication (2FA) isn’t just a good idea, it’s a great idea: Someone trying to log in to your account needs more than just your password (“something you know”), they also need access to a phone or device that you own (“something you have”). This extra layer of security is simple to set up – we’ll walk you through it below – and can provide great peace of mind.

Read more at https://nakedsecurity.sophos.com/2018/01/15/how-to-set-up-2fa-on-your-facebook-account/

More SCADA app vulnerabilities found

By John E Dunn

A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time.

But what happens if they don’t?

It’s something that must have researchers at security consultancies IOActive Labs and Embedi pulling out their hair, assuming they have any left.

Two years ago, they jointly found 50 weaknesses in the security of 20 mobile apps used by a plethora of SCADA Industrial Control Systems (ICS) sectors covering things like power, water, and manufacturing.

Not good news exactly, but at least the problems were public domain and that meant they’d be fixed.

Now a follow-up test of 34 ICS apps from Google Play has found that far from improving, things have got worse – this time they found 147 security vulnerabilities in apps and backend systems designed for the same job.

Classifying them using OWASP’s Top Ten Mobile risk categories, 32 of the 34 lacked root or code protection, 20 had poor authorization, 20 implemented insecure data storage, and 18 lacked obfuscation to protect code from reverse engineering.

Less frequent but still serious issues included poor-quality coding (12), insecure communication (11), insufficient cryptography (8), and insecure authentication (6).

In addition, the team noticed that seven apps exposed vulnerabilities on backend servers, for example SQL injection or cross-site scripting (XSS). And:

One of the reviewed applications had write permissions for the tables, allowing an attacker to tamper with station configurations and user statistics.

Overall, in the period between the two tests, researchers saw an average increase of 1.6 vulnerabilities per application.

Clearly, there’s a problem, but what is it?

Read more at https://nakedsecurity.sophos.com/2018/01/15/more-scada-app-vulnerabilities-found/

iPhone’s Apple Health data used as evidence in murder trial

By Lisa Vaas

If you have an iPhone running iOS 6S or later, you’ve got Apple’s Health App, which accurately records steps. You’ve also got the Altimeter app, which keeps track of changes in elevation, to track how many stairs you’ve climbed.

And it is that health data that’s been used in the trial of an Afghani refugee in Germany who has admitted to raping and murdering 19-year-old medical student Maria Ladenburger in October 2016.

The refugee, Hussein Khavari, admitted to raping Ladenburger and to drowning her in the river Dreisam. But as the BBC reported on Friday, although he’s admitted his guilt, he’s disputed some details.

He was identified by a long strand of hair found in bushes close to the crime scene and by DNA recovered from a scarf that was found on the river bed nearby. In spite of those and other pieces of evidence, Khavari refused to provide police with the PIN to unlock his phone.

So, similar to the case of the FBI trying to get into the iPhone of the San Bernardino terrorists in the US, German investigators turned to an unnamed company from Munich that has a reputation for being able to crack locked phones. The unnamed cyber forensics firm did, in fact, manage to get into Khavari’s phone after months of work, according to German newspaper Welt. The case had begun in September.

Getting into the phone meant getting at details of its owner’s geodata.

Read more at https://nakedsecurity.sophos.com/2018/01/15/iphones-apple-health-data-used-as-evidence-in-murder-trial/

Your Facebook News Feed is getting an overhaul

By Lisa Vaas

One week after Facebook CEO Mark Zuckerberg pledged to spend the new year fixing Facebook – as in, attempting to tackle problems of abuse/hate/nation-state meddling/couch potato syndrome – he again took to blogging to announce a “major change” to the way Facebook is built.

The problem, he said in a post published on Thursday, is that an explosion of corporate posts – be they from corporations, businesses or media – are overcrowding the platform, squeezing out personal content from friends and family.

Well, that isn’t what we intended, he said. And it hasn’t made Facebook into something that’s necessarily good for people. From his post:

The balance of what’s in News Feed has shifted away from the most important thing Facebook can do – help us connect with each other… We feel a responsibility to make sure our services aren’t just fun to use, but also good for people’s well-being.

“Research shows that strengthening our relationships improves our well-being and happiness,” he said, making us feel more connected and less lonely – markers that correlate to long-term measures of happiness and health… as opposed to passively reading articles or watching videos, which can make us depressed and isolated.

Read more at https://nakedsecurity.sophos.com/2018/01/15/your-facebook-news-feed-is-getting-an-overhaul/
