March 19, 2018

Scarlett Johansson’s face lands starring role in database hack

By Mark Stockley

An actor’s face is an instrument of depth and expression – a shifting facade that stands guardian to a well of unseen emotions, empathy and, just occasionally, a great lump of malicious binary code.

The code in today’s story is, no surprises, a cryptominer for grinding out Monero cryptocoins, and the face on the photo into which it was inveigled belongs to none other than Hollywood star Scarlett Johansson.

Ms. Johansson’s picture, and the miner therein, appeared at the denouement of a hacking performance played out for the viewing pleasure of security company Imperva, as part of its StickyDB honeypot project.

Let us begin.

Act one

A honeypot is a computer, in our story a database server, deliberately configured to attract the attention of hackers.

To hackers a honeypot looks like a valuable, easily exploited target but it’s actually a stage on which they’re putting on a show, unwittingly, for an audience of boffins eager to see them at work.

Imperva set up a range of database honeypots to learn about:

common database attacks, tools and techniques employed by attackers, how they gain access, what their actions are once inside, what their end goal is and more.

To entice the hackers, the company connected their database honeypots to the internet, left them with weak default credentials and hooked them up to vulnerable web applications. Such a feeble configuration doesn’t ring any alarm bells with the hackers because, sadly, it’s not uncommon – in fact it’s exactly what they’re looking for.

And looking for it is easy because, being connected to the internet, the databases could be found using network scanning tools or Shodan, the search engine for internet-connected stuff.

Read more at https://nakedsecurity.sophos.com/2018/03/16/scarlett-johanssons-face-lands-starring-role-in-database-hack/

The Chrome extension that knows it’s you by the way you type

By John E Dunn

Using multi-factor authentication (MFA) is more secure than relying on passwords alone – but could it be made even better?

There is no shortage of ideas, one of which is keyboard dynamics (or biometrics), based on the long-understood observation that each person’s typing style is unique to them.

Recently, a Romanian startup called TypingDNA has turned the concept into a free Chrome extension that can be used to add an extra layer of authentication to a wide range of websites by utilizing this principle.

According to the company, its machine-learning algorithm turns typing patterns into a 320-feature vector, based on the time it takes someone to move between 44 commonly used characters combined with the length of time each key is held down.

So, it’s not what you type that counts but how you type it.

Once enrolled, the way a person types their username and password when logging in to a site is compared to previous recordings made by the user.

If the patterns match, TypingDNA’s servers return an encryption key that is used to unlock local keys held for each service the extension is being used with, allowing the user to proceed to conventional multi-factor authentication.

This stage generates a standard one-time authentication code inside the browser, taking over that task from smartphone apps such as Google Authenticator.
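To make the timing comparison concrete, here is an added example (not TypingDNA's code or algorithm) that extracts the two kinds of timing the article mentions, key hold time and time between keys, and scores a login attempt against enrolled samples. The scaled Manhattan distance, the threshold of 2.0 and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean

# One key event: (character, press time in ms, release time in ms).
def features(events):
    """Dwell time per key (how long it is held), then flight time per
    transition (release of one key to press of the next)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Build a profile: per-feature mean and mean absolute deviation."""
    vectors = [features(s) for s in samples]
    means = [mean(col) for col in zip(*vectors)]
    devs = [max(mean(abs(v - m) for v in col), 1.0)  # floor avoids divide-by-zero
            for col, m in zip(zip(*vectors), means)]
    return means, devs

def score(profile, attempt):
    """Scaled Manhattan distance averaged per feature. Lower is closer."""
    means, devs = profile
    vec = features(attempt)
    if len(vec) != len(means):
        return float("inf")  # a different number of keys was typed
    return mean(abs(x - m) / d for x, m, d in zip(vec, means, devs))

def typed(text, dwells, gaps):
    """Constructed sample data: build key events from dwell and gap lists."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return events

# Constructed enrollment: the same user typing "pass" three times.
PROFILE = enroll([
    typed("pass", [90, 80, 100, 95], [60, 40, 70]),
    typed("pass", [95, 85, 105, 90], [55, 45, 65]),
    typed("pass", [85, 75, 95, 100], [65, 35, 75]),
])
OWNER = typed("pass", [92, 82, 98, 96], [58, 42, 72])       # similar rhythm
OTHER = typed("pass", [150, 140, 60, 160], [120, 10, 150])  # same text, other rhythm
THRESHOLD = 2.0  # assumed cut-off; a real system tunes this on real data

def accepts(attempt):
    return score(PROFILE, attempt) <= THRESHOLD

if __name__ == "__main__":
    print("owner:", round(score(PROFILE, OWNER), 2), accepts(OWNER))
    print("other:", round(score(PROFILE, OTHER), 2), accepts(OTHER))
```

Both attempts contain the correct password; only the rhythm differs, which is why the second is rejected.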

Read more at https://nakedsecurity.sophos.com/2018/03/16/the-chrome-extension-that-knows-its-you-by-the-way-you-type/

YouTuber jailed after shooting boyfriend dead in failed prank

By Lisa Vaas

The prank, destined to be filmed for YouTube: stand one foot away from your boyfriend and, at his insistence, shoot a .50 caliber bullet through an encyclopedia he was holding in front of his chest to see if it would pass through.

It did. He’s dead.

The prankster who talked his girlfriend into the stunt was Pedro Ruiz III, 22. His girlfriend and the mother of his two children, Monalisa Perez, now 20, pleaded guilty in December to second-degree manslaughter in his death.

On Wednesday, Minnesota Judge Jeffrey Remick set out the terms agreed under plea bargaining: Perez will serve a 180-day jail term, alternating between 10 days in jail and 10 days out for the first six months, for a total of 90 days behind bars. Perez will serve her six-month term 30 days per year for the next three years and then become eligible to serve the balance out of prison, on electronic home monitoring, as long as she abides by the terms of her 10-year supervised probation.

Perez is also banned for life from owning firearms and is forbidden from making money off the case.

Read more at https://nakedsecurity.sophos.com/2018/03/16/youtuber-jailed-after-shooting-boyfriend-dead-in-failed-prank/

Facebook: we won’t share data with WhatsApp (yet)

By Lisa Vaas

WhatsApp can’t share user data with parent Facebook without breaking the upcoming General Data Protection Regulation (GDPR), so it won’t.

It’s signed a public commitment not to share personal data with Facebook until data protection concerns are addressed.

No harm, no foul, no fine, the Information Commissioner’s Office (ICO) said on Wednesday as it wrapped up an investigation into whether WhatsApp could legally share users’ data with Facebook as it wanted.

In August 2016, WhatsApp announced that it was going to start sharing users’ phone numbers and other personal information with Facebook, in spite of years of promises that it would never, ever do such a thing.

The move was for ad targeting, of course, and to give businesses a way to communicate with users about other things, like letting your bank inform you about a potentially fraudulent transaction or getting a heads-up from an airline about a delayed flight. The reasons fell into three buckets: targeted advertising, security, and evaluation and improvement of services (“business intelligence”).

For a window of 30 days, WhatsApp offered users the option of opting out of data sharing for the purposes of advertising, but no way to entirely opt out of the new data sharing scheme.

The move outraged privacy advocates. After all, at the time of its $19 billion acquisition by Facebook in 2014, WhatsApp had promised never to share data.

That promise goes back further still. In November 2009, WhatsApp founder Jan Koum posted this to the company’s blog:

So first of all, let’s set the record straight. We have not, we do not and we will not ever sell your personal information to anyone. Period. End of story. Hopefully this clears things up.

Clear as mud. In December, France told WhatsApp and Facebook to knock off the data sharing. France’s ultra-vigilant privacy watchdog, the Chair of the National Data Protection Commission (CNIL), gave WhatsApp and Facebook a month to comply with an order to stop sharing data. In its public notice, it said that the messaging app would face sanctions for sharing user phone numbers and usage data for “business intelligence” purposes if it didn’t comply.

Read more at https://nakedsecurity.sophos.com/2018/03/16/facebook-we-wont-share-data-with-whatsapp-yet/

YouTube conspiracy videos to get links to Wikipedia and other sources

By Lisa Vaas

Were the US moon landings faked? Did director Stanley Kubrick rig the astronauts up with theatrical wires in a movie studio and bounce them up and down to simulate low gravity?

We’re not going there. We’re not going to the moon, and we’re not going to try to talk anybody out of their belief that visual flashes in videos betray the wires. But YouTube is – at least, it’s getting ready to put a bit more context around such content.

Reuters reported on Tuesday that YouTube – a unit of Google’s Alphabet – is planning to slap excerpts from Wikipedia and other websites onto pages containing videos about hoaxes and conspiracy theories, such as the ones relating to moon landings.

YouTube CEO Susan Wojcicki delivered the news at the South by Southwest Conference (SXSW) in Austin, Texas, on Tuesday. She displayed a mock-up of the new feature, which will be called information cues.

Wojcicki said that the videos slated to get this treatment won’t go away. They’ll just be accompanied by additional sources:

People can still watch the videos but then they actually have access to additional information, can click off and go and see that.

The information cues won’t appear on all controversial videos. Engadget reports that at least at first, the cues – including a text box linking to a third-party source such as Wikipedia – will only appear around videos regarding conspiracies that have “significant debate.”

Here’s a statement sent out by a YouTube spokesperson:

We’re always exploring new ways to battle misinformation on YouTube. At SXSW, we announced plans to show additional information cues, including a text box linking to third-party sources around widely accepted events, like the moon landing. These features will be rolling out in the coming months, but beyond that we don’t have any additional information to share at this time.

This is only one approach out of many that major content platforms such as Google and Facebook have presented, all in response to lawmakers and media advocacy groups asking for their help to battle hoaxes and fake news.

Read more at https://nakedsecurity.sophos.com/2018/03/15/youtube-conspiracy-videos-to-get-links-to-wikipedia-and-other-sources/
