April 10, 2018

Jail for white collar pirates who stole from Oracle

By John E Dunn

The struggle between software giant Oracle and services company Terix has finally concluded with the latter’s CEO and co-founder Bernd Appleby being handed two years in jail.

A US tech exec being put behind bars is not an everyday occurrence but, then again, what Oracle accused Terix of doing was not a run-of-the-mill crime. According to Oracle’s 2013 accusation, along with a separate company Maintech, Terix had illegally obtained software patches and firmware from Oracle’s Solaris support site, secretly distributing them to their own customers on a commercial basis.

A serious accusation, which led to Maintech settling the case for $14 million in 2014. The following year, Terix was ordered to pay the even larger sum of $57 million. Oracle also won a separate judgement against the support company Rimini Street, which earlier this year resulted in a $75 million sum being awarded to Oracle.

But the payout didn’t end the case against Terix, who allegedly defrauded Oracle using the sort of cloak and dagger tactics that merited extra attention, according to recent court documents.

Terix allegedly set up three bogus shell companies which each bought a single license at low cost from Oracle, hiding their association with Terix. To maintain the deception, they received support from Oracle using “bogus email addresses and addresses, pre-paid telephones and pre-paid credit cards.” 

In total, 2,700 pieces of software IP worth $10 million were downloaded between 2010 and 2014, used to support 500 customers of Terix, who were unaware that the software had been obtained fraudulently.

Read more at https://nakedsecurity.sophos.com/2018/04/10/jail-for-white-collar-pirates-who-stole-from-oracle/

5 Facebook facepalms (just last week)

By Lisa Vaas

Your weekly roundup of Facebook news, also known as #SOMUCHPRIVACYSPLATTER!!!

In the wake of the Cambridge Analytica (CA) User Data Grabathon, Facebook’s spasming like a data addict suffering from withdrawal-related delirium tremors. Here are our picks for the week’s Top 5 chunks of shrapnel from that and other Facebook hijinx:

1. Facebook broke Tinder

Facebook on Wednesday applied thumbscrews to apps, tightening up its API in hopes of rewriting its history of ignoring developers as they’ve gleefully ransacked users’ private data.

We said, Hooray! No more searching for users by email or phone, making it that much tougher for these apps to auto-scrape our data!

Oh, NO! said people who found that the privacy changes interrupted their Tinder chats with cute French people.

Users reported getting logged out and then not being able to log back in, in spite of jumping through a whole lot of privacy hoops. New York Magazine reported that things got circular: users were first asked to log in to Facebook. Then they were asked to provide “additional Facebook permissions” to “create fuller profiles, verify authenticity and provide support.” Tapping “Ask me” on the permission request merely sent users back to the original notification asking them to log in to Facebook.

Facebook said it was a glitch. It was fixed later Wednesday night. Sorry about that, Facebook said. And no, your come-on lines weren’t that bad, and yes, you can now return to the search for the love of your life.

2. What’s a mere 37 million more CA victims between BFFs?

Speaking of that Wednesday privacy spasm, Facebook’s post about the overhaul included a wee bit more information about the CA Grabathon.

The factoid has to do with how many Facebook users were affected by CA’s harvesting of data to build “psychographic” profiles (all the better to profile you with, my dear, and to then target you with uber personalized political ads).

Two investigatory reports – one from the New York Times, another from The Observer – had originally estimated that more than 50 million Facebook users were psychographically scraped in early 2014 to build the system.

Read more at https://nakedsecurity.sophos.com/2018/04/09/5-facebook-facepalms-just-last-week/

Hacker mines up to $1 million in Verge after exploiting major bug

By John E Dunn

Earlier this week, investors in the popular privacy-oriented Verge (XVG) cryptocurrency received disquieting news.

According to a forum post, a malicious miner appeared to have found a way to subject Verge to a widely-hypothesized blockchain takeover called a “51% attack”.

In layman’s terms, someone was exploiting the majority of the mining power of the blockchain, potentially gaining power over its currency generation.

Theoretically, this could happen if a single miner suddenly acquired lots of computing power to ramp up its hash rate (equivalent to its currency-generating horsepower) but this time it appeared the reason was simpler – the attacker had found bugs in Verge’s software:

According to someone called OCminer:

Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block, as a malicious miner or pool, you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algorithm was one hour ago.

Your next block, the subsequent block, will then have the correct time. And since it’s already an hour ago – at least that is what the network thinks – it will allow this block to be added to the main chain as well.

Because Verge uses five different algorithms for successive mined blocks, this shouldn’t be possible. However, the timestamp-spoofing bug had allowed the attacker to mine the currency using only one of them, Scrypt, at a greatly accelerated rate.
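To make the mechanism concrete from a defender’s side, here is an added toy model (not code from the article, from OCminer, or from Verge itself) of a time-based difficulty retarget and the block-timestamp acceptance rule that blunts this kind of spoofing. The retarget rule is a constructed simplification: difficulty is adjusted from the gap to the previous block on the same algorithm, clamped to a factor of four per block, with a non-positive gap left unpunished. The acceptance rule is the Bitcoin-style median-time-past check; the window size (`MEDIAN_WINDOW`), the future-drift limit, the target spacing and the starting difficulty are all assumed values chosen for the example.

```python
"""Toy model: timestamp-spoofing against a time-based difficulty retarget,
with and without a median-time-past acceptance rule.  Constructed example;
the retarget rule is a deliberate simplification, not Verge's consensus code."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

TARGET_SPACING = 30          # assumed: wanted seconds between blocks on one algorithm
START_DIFFICULTY = 1000.0    # assumed starting difficulty for the toy chain
MIN_DIFFICULTY = 1.0
MAX_STEP = 4.0               # per-block retarget is clamped to the range [1/4, 4]
MEDIAN_WINDOW = 11           # assumed: Bitcoin-style median-time-past window
MAX_FUTURE_DRIFT = 2 * 3600  # assumed: reject stamps more than 2 h ahead of our clock


@dataclass
class Block:
    height: int
    algo: str
    timestamp: int      # seconds, as claimed by the miner
    difficulty: float


def last_on_algo(chain: List[Block], algo: str) -> Optional[Block]:
    return next((b for b in reversed(chain) if b.algo == algo), None)


def next_difficulty(chain: List[Block], algo: str, claimed_timestamp: int) -> float:
    """Retarget from the gap between the block being added and the previous block
    on the same algorithm.  A long gap lowers difficulty so that algorithm can
    catch up; a non-positive gap is treated as on-target, the naive choice that
    lets a block stamped in the past through without penalty."""
    prev = last_on_algo(chain, algo)
    if prev is None:
        return START_DIFFICULTY
    gap = claimed_timestamp - prev.timestamp
    if gap <= 0:
        return prev.difficulty
    step = min(MAX_STEP, max(1.0 / MAX_STEP, TARGET_SPACING / gap))
    return max(MIN_DIFFICULTY, prev.difficulty * step)


def median_time_past(chain: List[Block]) -> int:
    return int(median([b.timestamp for b in chain[-MEDIAN_WINDOW:]]))


def timestamp_is_valid(chain: List[Block], claimed_timestamp: int, wall_clock: int) -> bool:
    """Acceptance rule: a new block's timestamp must be later than the median of
    the recent blocks and must not be far ahead of the validating node's clock."""
    if chain and claimed_timestamp <= median_time_past(chain):
        return False
    return claimed_timestamp <= wall_clock + MAX_FUTURE_DRIFT


def append_block(chain: List[Block], algo: str, claimed_timestamp: int,
                 wall_clock: int, validate: bool) -> Optional[Block]:
    """Add a block to the chain; returns None when the timestamp rule rejects it."""
    if validate and not timestamp_is_valid(chain, claimed_timestamp, wall_clock):
        return None
    block = Block(len(chain), algo, claimed_timestamp,
                  next_difficulty(chain, algo, claimed_timestamp))
    chain.append(block)
    return block


def honest_chain(n: int = 12, start: int = 1_000_000) -> List[Block]:
    """Constructed history: n Scrypt blocks exactly one target interval apart."""
    chain: List[Block] = []
    for i in range(n):
        t = start + i * TARGET_SPACING
        append_block(chain, "scrypt", t, t, validate=True)
    return chain


def run_scenario(validate: bool, rounds: int = 3) -> Tuple[float, int]:
    """Alternate a block stamped one hour in the past with an honestly stamped
    block.  Returns (difficulty of the last accepted block, blocks rejected)."""
    chain = honest_chain()
    now = chain[-1].timestamp
    rejected = 0
    for _ in range(rounds):
        # a block whose claimed time is one hour before the present
        if append_block(chain, "scrypt", now - 3600, now, validate) is None:
            rejected += 1
        now += TARGET_SPACING  # an honest block arrives on schedule, truthfully stamped
        if append_block(chain, "scrypt", now, now, validate) is None:
            rejected += 1
    return chain[-1].difficulty, rejected


if __name__ == "__main__":
    print("no timestamp check:", run_scenario(validate=False))   # difficulty collapses
    print("median-time-past check:", run_scenario(validate=True))  # spoofed blocks rejected
```

Without the acceptance rule, every honestly stamped block that follows a back-dated one sees an apparent hour-long gap and the retarget cuts difficulty by the maximum factor each round, which is the “greatly accelerated rate” described above; with the median-time-past rule the back-dated blocks never enter the chain and difficulty stays where the honest history put it. Monitoring for accepted blocks whose timestamps run well behind their neighbours is the corresponding detection signal for a node operator.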

Read more at https://nakedsecurity.sophos.com/2018/04/09/hacker-mines-up-to-1-million-in-verge-after-exploiting-major-bug/

Thousands of Google employees call for company to cancel Pentagon work

By John E Dunn

“You don’t buy [artificial intelligence] like you buy ammunition,” says Marine Corps Col. Drew Cukor.

Cukor, from a speech given to military and industry technology experts in July:

There is no ‘black box’ that delivers the AI system the government needs, at least not now. Key elements have to be put together… and the only way to do that is with commercial partners alongside us.

Gizmodo first reported last month that when we’re talking industry heavyweights in artificial intelligence (AI) that are working with the Pentagon, we’re talking, among others, about Google.

Specifically, Google’s working with the Pentagon on Project Maven, a pilot program to identify objects in drone footage and to thereby better target drone strikes.

Google, as in, the company whose motto is Don’t Be Evil.

A vocal and large group of Google employees are outraged that the company’s working on what they call the “business of war.” The New York Times reports that a letter – the newspaper published it here – circulating within Google pleads with the company to pull out of the program. As of Wednesday, it had garnered more than 3,100 signatures.

The letter, which is addressed to CEO Sundar Pichai, asks that the company announce a policy that it will not “ever build warfare technology” and that it pull out of Project Maven:

We believe that Google should not be in the business of war. Therefore we ask that Project Maven be cancelled, and that Google draft, publicize and enforce a clear policy stating that neither Google nor its contractors will ever build warfare technology.

The letter references reassurances from Diane Greene, who leads Google’s cloud infrastructure business, that the technology will not “operate or fly drones” and “will not be used to launch weapons.”

Read more at https://nakedsecurity.sophos.com/2018/04/09/thousands-of-google-employees-call-for-company-to-cancel-pentagon-work/

Crooks are swapping out chips on payment cards, says US Secret Service

By Paul Ducklin

Well-known cybersecurity journalist Brian Krebs is reporting a US scam aimed at chip-based payment cards.

The crooks are stealing cards before they reach their intended recipients – an old technique for credit card fraud, admittedly, but now with an added twist.

These days, just stealing a new card in transit often won’t work, because the crooks don’t have the information needed to activate the new card…

…but in this scam, the crooks have figured out a way to do an end run around the activation process: steal just the chip off the card, and wait for the legitimate recipient to activate the card.

Assuming the recipient doesn’t spot the tampering, of course.

How the crime works

According to the US Secret Service, the government law enforcement agency that deals, amongst other things, with postal fraud, the crime goes something like this:

  • Intercept cards on the way to corporate recipients. We’re not sure whether corporates are targeted because they have more money, because they tend to receive cards in easily-detectable batches, or because their card usage patterns mean that scammed cards generally take longer to get spotted.
  • Prise the chips out of the cards.
  • Glue old chips from expired cards into the holes left by the real chips. The replacement chips don’t need to work – they merely need to look OK to disguise the fact that the cards have been tampered with.

Read more at https://nakedsecurity.sophos.com/2018/04/08/crooks-are-swapping-out-chips-on-payment-cards-says-us-secret-service/

Facebook’s new fake news strategy is… decide for yourself!

By Lisa Vaas

Who are these yo-yos who share fake news on social media?

None of your friends, right? Your friends are too smart to fall for cockamamie click bait, and they’re diligent enough to check a source before they share, right?

Well, get ready to have the curtain drawn back. These yo-yos may be us. Or, at least, they may turn out to be our friends and/or relatives.

In its ongoing fight against fakery, Facebook has started putting some context around the sources of news stories. That includes all news stories: those from sources with good reputations, those from the junk factories, and those from the junk-churning bot-armies making money from it.

On Wednesday, Facebook announced that it’s adding features to the context it started putting around News Feed publishers and articles last year.

You might recall that in March 2017, Facebook started slapping “disputed” flags on what its panel of fact-checkers deemed fishy news.

You might also recall that the flags just made things worse. The flags did nothing to stop the spread of fake news, instead only causing traffic to some disputed stories to skyrocket as a backlash to what some groups saw as an attempt to bury “the truth”.

Read more at https://nakedsecurity.sophos.com/2018/04/06/facebooks-new-fake-news-strategy-is-decide-for-yourself/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation