Meltdown and Spectre exploits: Cutting through the FUD

By Jack Gold

There is lots of information circulating about the new exploits of computer chips from Intel and others announced in the past few days. Some of it has been accurate, and some has been sensationalist and overblown. There is much technical information with high level of details available for both Meltdown and Spectre, so I won’t get into a lot of technical detail here. Rather, I’ll focus on the higher-level issues affecting business and personal computer users.

Read more at https://www.networkworld.com/article/3245813/security/meltdown-and-spectre-exploits-cutting-through-the-fud.html

Spyware user tracked boyfriend to have him killed by hitman

By Lisa Vaas

Stop me if you’ve heard this one:

Boy meets girl. Girl tracks boy with spyware. Girl (allegedly) hires hitman to kill boy. Girl arrested by hitman, who actually works for the FBI.

Wait a minute. What’s that you say? It’s not an elevator pitch for a thriller? It actually happened?!

It sure did. Unfortunately, it’s not humorous, either, given that a man allegedly could have been murdered.

The story involves a Los Angeles woman who goes by the handle “Mz. Fiesty” on social media.

According to the US Attorney’s Office for the Central District of California, Rasheeda Johnson Turner, 37, was arrested last month on federal charges that she hired a hitman-slash-FBI informant to kill her boyfriend so she could get her hands on his life insurance payout.

The boyfriend/would-be victim is identified in court documents as L.G.

Turner allegedly told the informant she was the beneficiary of a $150,000 life insurance policy and that she would pay the killer $50,000. Over the course of two weeks, she allegedly told the purported hitman that she originally planned to do the deed herself and had sourced “pure acid” from a plumber to get it done.

According to the criminal complaint, Turner initially tried to hire a hitman in November, but he wasn’t interested in the job. The FBI got wind of the alleged plot and managed to get an informant introduced to Turner. Turner, also known as Feisty or Mz. Feisty, is, according to her social media posts, an amateur film star with a rap sheet: she was convicted in 2005 for forgery and theft and arrested in 2016 for spousal battery, having allegedly assaulted L.G.

Read more at https://nakedsecurity.sophos.com/2018/01/09/spyware-user-tracked-boyfriend-to-have-him-killed-by-hitman/

Facebook bug could have exposed your phone number to marketers

By Lisa Vaas

You know that Facebook data-use policy, the one that promises it’s not going to spread our personal information to outfits that want to slice and dice and analyze us into chop suey and market us into tomato paste?

We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners unless you give us permission.

Yea, well… funny thing about that…

Turns out that up until a few weeks ago, against its own policy, Facebook’s self-service ad-targeting tools could have squeezed users’ cellphone numbers from their email addresses… albeit very, verrrrry sloooowly. The same bug could have also been used to collect phone numbers for Facebook users who visited a particular webpage.

Finding the bug earned a group of researchers from the US, France and Germany a bug bounty of $5000. They reported the problem at the end of May, and Facebook sewed up the hole on 22 December.

That means that phone numbers could have been accessed for at least seven months, although Facebook says that there’s no evidence that it happened.

The researchers described in a paper how they used one of Facebook’s self-serve ad-targeting tools called Custom Audiences to ascertain people’s phone numbers.

That tool lets advertisers upload lists of customer data, such as email addresses and phone numbers. It takes about 30 minutes for the tool to compare an advertiser’s uploaded customer list to Facebook’s user data, and then presto: the advertisers can target-market Facebook users whose personal data they already have.

Custom Audiences also throws in other useful information: it tells advertisers how many of its users will see an ad targeted to a given list, and in the case of multiple targeted-ad lists, it tells advertisers how much the lists overlap.

And that’s where the bug lies. Until Facebook fixed it last month, the data on audience size and overlap could be exploited to reveal data about Facebook users that was never meant to be offered up. The hole has to do with how Facebook rounded up the figures to obscure exactly how many users were in various audiences.

Read more at https://nakedsecurity.sophos.com/2018/01/09/facebook-bug-could-have-exposed-your-phone-number-to-marketers/

Facebook needs fixing, says Mark Zuckerberg

By Lisa Vaas

Mark Zuckerberg, the wizard who pulls the levers behind the Facebook curtain, has set himself a doozy of a challenge for 2018: to fix Facebook.

The most pressing problems, he said in a post on Thursday, are protecting the Facebook community from abuse and hate, stopping nation states from using Facebook like a hacky-sack in other countries’ elections, and making sure that all of us dopamine-addicted users spend our time on the platform productively (instead of turning into passive, miserable, Facebook-fixated couch potatoes).

Read more at https://nakedsecurity.sophos.com/2018/01/08/facebook-needs-fixing-says-mark-zuckerberg/

Ex-NSA hacker builds AI tool to hunt hate groups’ symbols online

By Lisa Vaas

Emily Crose, ex-hacker for the National Security Agency (NSA), ex-Reddit moderator and current network threat hunter at a cybersecurity startup, wanted to be in Charlottesville, Virginia, to join in the protest against white supremacists in August.

Three people died in that protest. One of Crose’s friends was attacked and hurt by a neo-Nazi.

As Motherboard’s Lorenzo Franceschi-Bicchierai tells it, Crose was horrified by the violence of the event. But she was also inspired by her friend’s courage.

Her response has been to create and train an Artificial Intelligence (AI) tool to unmask hate groups online, be they on Twitter, Reddit, or Facebook, by using object recognition to automatically spot the symbols used by white nationalists.

The images her tool automatically seeks out are so-called dog whistles, be they the Black Sun (also known as the “Schwarze Sonne,” an image based on an ancient sun wheel artifact created by pagan German and Norse tribes that was later adopted by the Nazi SS and which has been incorporated into neo-Nazi logos) or alt-right doctored Pepe the frog memes.

Crose dubbed the AI tool NEMESIS. She says the name is that of the Greek goddess of retribution against those who succumb to arrogance against the gods:

Take that to mean whatever you will, but you have to admit that it sounds pretty cool.

Crose says it’s just a proof of concept at this point …

Read more at https://nakedsecurity.sophos.com/2018/01/08/ex-nsa-hacker-builds-ai-tool-to-hunt-hate-groups-symbols-online/