Safer browsing coming soon to MacOS Chrome users

by Maria Varmazis

Google’s security team recently announced that Chrome is expanding its “Safe Browsing” capabilities to help protect MacOS users from Mac-specific threats and malware.

Any Mac user that stumbles upon a website that might host a compromised or malicious ad, attempt to download Mac-specific malicious software, or try to modify browser settings (like changing the default search engine or default home page) will see a message warning them about the website’s dangers.

If you’re a Chrome user on Windows and this all sounds familiar, it should: These protections are in place for you already. Google says that Mac users of Chrome will start seeing these added protections from 31 March.

Read more at https://nakedsecurity.sophos.com/2018/03/07/safer-browsing-coming-soon-to-macos-chrome-users/

Facebook photos expose “sick” couple as food poisoning fakers

by Lisa Vaas

Take a look at the vacation photo Jade Muzoka posted on her Facebook page.

There she is with then-boyfriend Leon Roberts, poolside, eating a fine meal and drinking at the luxury Cornelia Diamond Golf Resort and Spa, in Turkey, in July 2015.

Mmmm, maki roll… wasabi… soy sauce… dumplings… pepper sauce… My, what a scrumptious meal. Odd thing, though: the couple is smiling, definitely not clutching their stomachs, even though they claimed in April 2016 that they’d had food poisoning during their stay and were bedridden with vomiting and diarrhea.

Muzoka, 27, and Roberts, 37, both bodybuilders, had, in fact, faked food poisoning in order to get a £58,000 pay out. On Monday, after having pleaded guilty to fraud at Southern Derbyshire Magistrates’ Court in the UK, they were slapped with a six-month sentence that was suspended for 12 months, ordered to perform 200 hours of unpaid community work, and handed a bill for £1,115 to cover court costs and a victim surcharge.

How did they get found out? It was those happy, shiny photos they posted to Facebook that popped their £58,000 bubble. Not only was there that shot of them lounging and dining by the pool: they also posted boozy selfies and photos from day trips.

They had sued the travel firm Tui, but Tui wasn’t having any of it. Not only did investigators find the couple seemingly looking quite chipper in their Facebook photos, they also described to the court how a solicitor, a doctor and a claims management company had helped to prepare the “blatantly false” food-poisoning claim.

Read more at https://nakedsecurity.sophos.com/2018/03/07/facebook-photos-expose-sick-couple-as-food-poisoning-fakers/

‘We know all about you’ – MoviePass CEO admits to tracking users

by Lisa Vaas

At first blush, MoviePass, the subscription that lets you see a movie a day at participating theaters for $9.95/month (now on sale for $7.95), sounds like a great deal.

But like so many too-good-to-be-true deals nowadays – Google, Facebook, et al. – subscribers are forking over far more than they might imagine. In fact, you and all the juicy personal data that can be squeezed out of you are the marketing-gold product.

Last week, at an Entertainment Finance Forum session titled, appropriately enough, “Data is the New Oil: How Will MoviePass Monetize It?”, MoviePass CEO Mitch Lowe unabashedly enthused over how the company now uses – or can use, a company spokesman emphasized in the media outfall that followed – subscribers’ data.

As Media Play News first reported, the company has access to subscribers’ addresses, from which to glean demographic data.

Media Play News quoted Lowe:

We know all about you.

The industry audience – some of them subscribers themselves – laughed nervously, for good reason. Lowe continued, describing how beyond the demographic data, MoviePass’s mobile app gives it the ability to track subscribers via GPS. It can follow users as they leave home, on their trip to the movie theater, and even beyond, sniffing their trail to find out what pub or restaurant they go to after the film.

We watch how you drive from home to the movies. We watch where you go afterwards.

Lowe, who used to be an executive at industry disruptors Netflix and Redbox, said that the master plan is to use all that data to “build a night at the movies.” MoviePass would advise subscribers on where to go out for dinner before or after a screening, for instance, and would take a cut from vendors.

Will subscribers go for this? Oh hell, yea, Lowe said, pointing to how his past movie adventures have grown like weeds:

We went public with Netflix in 2002, and at the end of the year, we all made bets on how big we could get, so just to show you how bad I am at this – I was near the top by the way – mine was 1.7 million subscribers, and I think the highest was 2 million at the time. Of course, it’s 105 million now, so I do believe 20 million subscribers for MoviePass is definitely doable over a four-year period.

Lowe said that MoviePass will reach 5 million subscribers by year’s end. It already has a track record that suggests that it could, in fact, explode. After it dropped its price to $9.95/month in August, Lowe told Fortune, the following six weeks saw a 2300% increase in membership.

Read more at https://nakedsecurity.sophos.com/2018/03/07/we-know-all-about-you-moviepass-ceo-admits-to-tracking-users/

Second company claims it can unlock iPhone X

by John E Dunn

A tiny US company called Grayshift is reportedly quietly touting software it claims can unlock Apple’s flagship handsets, the iPhone X and 8.

This follows a similar claim by Israeli company Cellebrite last week which, it later emerged, was good for every iPhone up to the latest version of iOS, 11.2.6.

That’s two iOS unlocking stories in a few days, both based on anonymous sources talking to the same journalist.

Naked Security has already looked at the Cellebrite claims, so how does this latest one stack up?

The important questions: under what conditions can unlocking be achieved, how was it achieved in the first place, and what might Apple do in response.

According to Grayshift’s reported marketing materials, the iPhone X and 8 unlock tool is called GrayKey, which costs $15,000 for the 300-use online version or double that for unlimited use offline.

In addition to unlocking iOS 11, the company says the tool can also tackle iOS 10 devices, with support for iOS 9 not far off, which puts it on par with Cellebrite.

The story’s details aren’t crystal clear but the phrase “unlocking” appears to mean what one would assume – access to data stored on the device.

If the claims are true, it’s possible they’ve found a way around Apple’s Secure Enclave, a system-within-a-system chip introduced with the iPhone 5s onwards to secure encryption keys independently of the OS itself.

Read more at https://nakedsecurity.sophos.com/2018/03/07/second-company-claims-it-can-unlock-iphone-x/

“Prince Charming” is a happily married, gay, identity theft victim

by Lisa Vaas  

Well, ooo-la-la, “Martin,” you silver-haired fox, I just love your dating profile photos. I’m so sorry for the recent loss of your dog – what a cutie! But I’m super touched by the one where you’re doing something or other with pastries and jam, for a charity – awwww!

You’re just the man for me – you hot, sensitive, caring thing. You’re mature, plus that photo of you in the swimming pool in Mykonos shows you’ve stayed in shape since your wife died, and… wait one minute!

What’s that you say? You’re happily married? …And gay??!!

Oh, dear. *Poof!* go my dreams and those of at least three women who saw “Martin’s” photos on dating sites and social media platforms… actually, let’s make that 58-year-old Danish-American widower “Martin” on the Zoosk dating site, divorced Danish-American “Christian” on EliteSingles, and 50-year-old divorcé “Sebastian” on Facebook.

It turns out that the photos are actually of Steve Bustin, 46, currently happily married to his husband. They live in Brighton in the UK. Scammers have been using his photos to woo women since 2016.

Over the weekend, Bustin got so sick of being contacted by confused women that he decided to devalue the photos by telling The Times that he’s never visited a dating site and that he’s not going to be making some heterosexual woman’s dreams come true, given his aforementioned husband.

These are some of the captions the scammers slapped on the ripped-off photos:

The dog was mine but he passed last year.

The one with my face painted was Halloween.

The one with the pastries and jam was to raise funds for charity.

The one with me and just the woman is my late wife.

Lies, lies, despicable lies. Bustin told the Times that the romance scammers had used his likenesses to “construct a profile of my whole life”:

Someone has been harvesting images of me from all over the web.

The photos go back as far as 2012, to the photo of Bustin in a pool while he was on holiday in Mykonos, Greece. The most recent photo is from a Halloween party in autumn 2017.

Read more at https://nakedsecurity.sophos.com/2018/03/06/prince-charming-is-a-happily-married-gay-identity-theft-victim/