February 19, 2018

Telegram IM security flaw – what you see is NOT always what you get

By Paul Ducklin

Researchers at Kaspersky recently outed a bug in the popular Telegram instant messaging service.

Crooks had revived an old visual trick to disguise files that many users would otherwise recognise as unwanted right off the bat.

The flaw has been addressed by Telegram, so we’re OK to describe it here in detail: it’s a trick that is as simple as it is effective, and involves conning the app into displaying filenames backwards.

Sometimes, of course, the old tricks are the very best – ransomware first appeared in 1989, for instance; spam first showed up in the 1970s; and self-spreading network worms were already a significant problem in the 1980s.

Whether you’re a user or a programmer, it pays to be aware of the optical illusions that are available to the many cybercrooks out there.

The flaw we’ll be talking about in this article – which sort of isn’t a bug in theory, but can be abused as a bug in practice – comes about because not all languages write in the same direction.

English and French, for example, run left-to-right, top-to-bottom; Hebrew and Arabic run right-to-left, top-to-bottom.

Often, for example when printing a book, the text direction isn’t too much of a challenge because it’s consistent throughout.

But in a modern app in the modern world on a modern operating system, you often want to mix and match character sets, languages, writing styles and more.
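As an added illustration (not from the original article), here is a defender-side check in Python: it flags filenames that carry Unicode bidirectional control characters, approximates how a bidi-aware renderer would draw such a name, and reports the extension the operating system will actually act on. The sample filename is constructed; the display model is a deliberate simplification of the Unicode bidi algorithm that covers the right-to-left override case described above.

```python
# Unicode bidirectional (bidi) control characters. They are invisible, but they
# change the order in which a renderer lays out the characters that follow them.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def approximate_display(name):
    """Approximate how a renderer shows NAME when it contains a right-to-left
    override (RLO): every character after the RLO, up to a PDF or the end of
    the string, is laid out in reverse. Other controls are simply invisible in
    this simplified model; it is enough to show the on-screen/on-disk mismatch."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":                      # RLO: reverse the run that follows
            j = name.find("\u202c", i + 1)      # run ends at PDF or end of string
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:               # other controls draw nothing
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(name):
    """Report bidi controls in a filename, what the user would see, and the
    extension the OS really uses (decided by code points, not by pixels)."""
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    shown = approximate_display(name)
    true_ext = stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return {
        "stripped_name": stripped,          # safe form: controls removed
        "displayed_as": shown,              # approximate on-screen rendering
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,          # (position, control name) pairs
        "suspicious": bool(controls),       # any bidi control in a filename is a red flag
        "extension_mismatch": true_ext != shown_ext,
    }


# Constructed sample: an RLO inserted after the underscore flips the tail.
SAMPLE = "photo_\u202egnp.exe"
```

A file-handling app should decide on `true_extension` and either strip or refuse names where `suspicious` is set, rather than trusting what the rendered string appears to say.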

Read more at https://nakedsecurity.sophos.com/2018/02/16/telegram-instant-messaging-flaw-the-images-that-were-programs/

Google’s big plans for email will give it even more power

By Mark Stockley

Email has been around for nearly half a century and there are some things about it that are looking quite dated. In particular, its approach to privacy and security is decidedly mid-twentieth century.

In the beginning it was OK because nobody knew to care about that kind of thing and almost nobody used email anyway. In the blink of an eye though, everybody was using it and email had become an indispensable technological pillar of the world. And then it really did matter that email was broken but it was too difficult to fix and too entrenched to replace.

For most of its working life then, three intractable problems have hovered close to the top of our collective “things we wish somebody else would hurry up and fix about email” list:

  • A lack of TLS encryption makes it too easy to read and modify emails as they move around the globe. According to Google’s transparency report about 10% of the emails sent and received by Gmail are going to, or coming from, mail servers that don’t encrypt. Now. In 2018.
  • It’s easy to fake who an email seems to have come from so – in spite of anti-spoofing measures like DANE, DKIM and SPF – cybercriminals continue to fool users with low cost, low effort scams and phishing tactics which barely change from one decade to the next.
  • There is no usable end-to-end encryption to protect emails at rest, as they sit on servers. Sure, you could use GPG but you don’t, just like you don’t let Clippy help you if it looks like you’re trying to write a letter or drive to work on a Sinclair C5.

Google, one of the major email providers through its Gmail platform, has done much to try and fix these difficult problems with projects like its transparency report and efforts to fix end-to-end encryption.

Despite its own travails (Android devices that can’t be patched, years-long Gmail lawsuits…) it has also never been shy of using its considerable bulk to bully others into adopting better privacy and security – from HTTPS on websites to 90-day responsible disclosure windows, and much else besides.

So when I heard that Google was planning to modernize email I hoped they’d dusted off The Great Email TODO List That’s Still Waiting To Be Fixed After Fifty Years and started at the top.

Nope.

Read more at https://nakedsecurity.sophos.com/2018/02/16/googles-big-plans-for-email-will-give-them-even-more-power/

Why Chrome’s ad filter isn’t an adblocker

By John E Dunn

Screen-covering pop-ups, countdown timers, ads that start playing sound when you visit a website – just some of the annoying ads Google Chrome’s new integrated filtering promises to start blocking from this week.

Optimistic news coverage has described this as the arrival of adblocking in Chrome, which is neither how Google explains the change, nor technically accurate.

Google, of course, can’t enable full-throated blocking of web advertising because this would risk damaging its business model.

What it does want to do is stop websites from pushing certain kinds of intrusive and distracting advertising tricks in readers’ faces. Specifically:

Chrome VP, Rahul Roy-Chowdhury, explains the change:

By focusing on filtering out disruptive ad experiences, we can help keep the entire ecosystem of the web healthy, and give people a significantly better user experience than they have today.

Chrome users can already achieve this and more by loading one of a number of ad-blockers so all Google’s new filtering is offering is to do a smaller part of that job by default.

Despite complaints that the ad-blocking industry has become deceptive (allowing some advertisers to bypass filters in return for money), the principle is that the end user decides what level of filtering should be applied, and to which sites.

Google’s Chrome ad filtering, by contrast, is more like a feedback mechanism for website owners that measures ads against a set of standards defined by the Coalition for Better Ads, an organization of which Google is a member.

Read more at https://nakedsecurity.sophos.com/2018/02/16/why-chromes-ad-filter-isnt-an-adblocker/

Facebook accused of spamming 2FA phone numbers

By Lisa Vaas

Facebook is being accused of spamming people via the phone numbers they used to turn on two-factor authentication (2FA) and posting their “PLEASE STOP!!” replies to their walls.

Software engineer Gabriel Lewis noticed it late last month and told Facebook to please knock it off: a request that 1) Facebook’s systems ignored, merrily continuing to spam him and then 2) auto-posted to his wall.

Nobody’s sure if it’s a feature meant to drive engagement – is Facebook suffering separation anxiety over its recent traffic decline? – or if it’s a bug.

From the sounds of the statement it’s sending to press, Facebook itself apparently doesn’t know. A Facebook representative told The Verge, for one, that it’s looking into the text notification issue.

We’re looking into this situation to see if there’s more we can do to help people avoid unexpected or unwanted communications.

Its statement says that users can refrain from using their phone numbers for its 2FA system and instead use a code generator with an authenticator app such as Sophos Authenticator (also included in our free Sophos Mobile Security for Android and iOS).

Read more at https://nakedsecurity.sophos.com/2018/02/16/facebook-accused-of-spamming-2fa-phone-numbers/

Joke dating site matches people based on their passwords

By Lisa Vaas

Let us ask you this, Ms. “123456” and Mr. “Password”, are you tired of making excuses when your password winds up on the yearly worst passwords lists?

Wouldn’t you like to meet somebody who shares your confusion over how to use a password manager?

Despair no longer! As Motherboard reports, there’s now a dating site that matches people based on their passwords.

It’s called Words of the Heart. It’s billed as a way to help find and date people who have the same password.

Because why? Because…

We believe that something as intimate as your password best describes your inner self.

Fortunately for all of us, it’s a joke site, and unfortunately for all of us, the site’s makers (reasonably enough) felt the need to spell that out loud and clear on the front page to prevent anybody from entering an actual password:

DO NOT USE your real password here, especially a password for something important (banks, e-mail, Facebook)!

Read more at https://nakedsecurity.sophos.com/2018/02/15/joke-dating-site-matches-people-based-on-their-passwords/

Coinmining frenzy is making it hard for us to find aliens

By Lisa Vaas

Forget Iceland’s energy getting sucked up by cryptocoin miners. We can’t find the aliens!

You need a few things to mine cryptocurrency, or to do a bunch of other things, including build a gaming PC from scratch, run radio-astronomy operations, or search the skies for incoming messages from extraterrestrials.

The things you need include a whole lot of preferably renewable energy (thanks, Iceland!). It’s also helpful to have access to data centers and a nice, chilly environment to help with cooling them (thanks again, Iceland!).

You also need a pile of graphics processing units (GPUs): the high-end computer chips from manufacturers like AMD or Nvidia that miners use to build their mining machines.

Unfortunately for gamers, radio astronomers and Search for Extraterrestrial Intelligence (Seti) researchers, the prices on GPUs have been going nuts for a few months. At the end of January, when cryptocurrency values had soared, they dragged GPU costs right on up with them.

Gaming news site Polygon last month reported these then-current examples of GPU prices:

The cheapest price for MSI’s GeForce GTX 1070 Gaming X (MSRP $459.99) is $945.99 on Amazon and $988.99 on Newegg; it’s not much lower at Micro Center, which has it listed at $919.99.

And that’s when you can get the GPUs at all.

At least one retailer, Micro Center, is keeping the supply lines open for its core customers (gamers), reducing the prices for those building gaming rigs, and limiting GPU quantities to others, including both cryptocurrency miners and apparently Seti and other researchers. Here’s a letter Micro Center posted to its “Valued Build Customers” about the policies.

Read more at https://nakedsecurity.sophos.com/2018/02/15/coinming-frenzy-is-making-it-hard-for-us-to-find-aliens/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244
