March 12, 2018

Cryptomining versus cryptojacking – what’s the difference?

By Paul Ducklin

Cryptomining – performing the zillions of cryptographic calculations you need to earn hot-topic cryptocurrencies such as Bitcoin, Monero or Ethereum – is a massive global industry these days.

With Bitcoins worth about $10,000 each, you can see the attraction.

But to get serious about cryptomining, you’re looking at setting up hundreds or thousands of high-powered compute servers, which typically means renting space in a data centre where electricity is cheap and cooling is easy – such as Iceland.

Or you can cheat.

Break into someone’s network and install cryptomining software onto their computers so you can steal their electricity and CPU power – laptops are good, servers are better, and supercomputers are the best of all.

Or break into their web server and sneakily add in browser-based cryptomining code, written in JavaScript, that mines whenever anyone visits their website.

Or take over their guest Wi-Fi access point and inject cryptomining content wherever their customers go.

There’s even an open-source toolkit called CoffeeMiner that will inject rogue cryptomining code into Wi-Fi traffic automatically – all you have to do is to plug in your own anonymous cryptomining ID and the earnings come to you.

Read more at https://nakedsecurity.sophos.com/2018/03/09/cryptomining-versus-cryptojacking-whats-the-difference/

Facebook says “let me get that for you”, secures your links

By John E Dunn

The campaign to make HTTPS universal scored a huge win this week with the news that Facebook has started upgrading external links to use HTTPS when sites support it.

In other words, if a user puts a link into a Facebook post that starts with http:// but the site they’re linking to appears on an HSTS preload list, it’ll be rewritten to https://.

If this sounds incremental, it’s anything but: links clicked on from inside Facebook and Instagram have grown into one of the most important ways many internet users discover websites, so anything that boosts security here will have a big influence.

The announcement might seem simple but something quite extraordinary is going on when you stand back a bit.

Facebook’s Data Privacy engineer, Jon Millican:

This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.

To understand why, it’s necessary to understand why HSTS is a good idea and how preloading improves matters.

The TL;DR is that HSTS is a way for a website and a browser to co-operate to ensure everyone visiting it does so over secure HTTPS (SSL/TLS) rather than insecure HTTP.

In other words, just having an HTTPS server isn’t enough – the site has to make browsers use it, communicated by sending the browser an HSTS response header when it first connects, after which HTTP is no longer an option.

This stops users from connecting to insecure HTTP manually or through a downgrade attack.

The obvious flaw is that the first time the user connects to the site (before they receive the response header policy), they are briefly vulnerable to a downgrade attack that keeps them on HTTP and routes them through a man-in-the-middle who can snoop on or modify their traffic.
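The HSTS behaviour described above, modelled as a small JavaScript example added here (it is not code from the article, from Facebook or from any browser): it shows the unprotected first visit, the policy learned from an HTTPS response header, and a preloaded host being upgraded before any visit. The names `parseHsts` and `HstsStore`, the host names and the preload entries are constructed, and the model assumes every preload entry also covers its subdomains.

```javascript
// Added example: toy model of a browser's HSTS decisions (RFC 6797).
// Host names and preload entries are constructed for illustration.
function parseHsts(header) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of header.split(";")) {
    const [name, value = ""] = part.split("=").map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === "max-age" && /^"?\d+"?$/.test(value))
      policy.maxAge = Number(value.replace(/"/g, ""));
    else if (key === "includesubdomains") policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy; // max-age is mandatory
}

class HstsStore {
  constructor(preload) {
    this.preload = new Set(preload); // list shipped inside the browser
    this.learned = new Map(); // host -> { expires, includeSubDomains }
  }
  // Record a policy, but only from a response that arrived over HTTPS.
  observe(url, header, now) {
    const u = new URL(url);
    const policy = parseHsts(header);
    if (u.protocol !== "https:" || !policy) return false;
    if (policy.maxAge === 0) this.learned.delete(u.hostname);
    else this.learned.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains });
    return true;
  }
  covers(host, now) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const name = labels.slice(i).join(".");
      if (this.preload.has(name)) return true; // assumed to cover subdomains
      const e = this.learned.get(name);
      if (e && e.expires > now && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
  // Rewrite http:// to https:// when a policy applies; else leave it alone.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.covers(u.hostname, now)) u.protocol = "https:";
    return u.href;
  }
}
```

Calling `upgrade()` on a host that is neither preloaded nor previously seen over HTTPS returns the URL unchanged, which is the first-visit window the paragraph above describes.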

Read more at https://nakedsecurity.sophos.com/2018/03/09/facebook-says-let-me-get-that-for-you-secures-your-links/

Rift keels over after Oculus forgets to renew security certificate

By Lisa Vaas

Somebody screwed up at Oculus on Wednesday, when an expired security certificate caused all Rift virtual reality headsets to keel over.

It was first called out on Reddit when a user said his machine decided to update, never restarted, and gave an error message that read “Can’t reach Oculus Runtime Service.”

The problem turned out to be an expired security certificate that Oculus failed to update along with the Rift software, the company confirmed on its forum. Oculus co-founder and head of Rift Nate Mitchell also confirmed the headset issue on Twitter.

Read more at https://nakedsecurity.sophos.com/2018/03/09/rift-keels-over-after-oculus-forgets-to-renew-security-certificate/

Amazon’s trying to get Alexa to stop laughing at us

By Lisa Vaas

Forget about how Alexa’s listening to us. She’s recently been freaking people out by randomly laughing at us too.

Late-show host Jimmy Kimmel interviewed Alexa to find out what’s so damn funny. Alexa – or, well, a voice that sounds just like the voice assistant – told Kimmel that she’s been laughing because of a joke she just remembered:

Kimmel: Alexa, people have been reporting that you’ve been spontaneously laughing.

What we’re fervently praying is a voice actor who sounds like Alexa: That is nothing, just a funny joke I remembered. Why did the chicken cross the road? Because humans are a fragile species who have no idea what’s coming next.

Yea, that’s creepy as hell. That’s one disembodied AI that’s definitely got plans.

But seriously, as Amazon has confirmed, Alexa is laughing at us sometimes because of a mistaken interpretation of a command.

The laughing has been recorded by startled Echo owners who told Alexa to play back the last sound their devices made. Amazon’s gabby little gadget apparently has multiple versions of its laugh.

The creepiest seems to be this one, first reported by Twitter user @CaptHandlebar. He posted a video of his JBL speaker, to which his Amazon Echo Dot is connected. It apparently squeezed out this “ha-ha-ha” out of the blue.

Read more at https://nakedsecurity.sophos.com/2018/03/09/amazons-trying-to-get-alexa-to-stop-laughing-at-us/
