May 22, 2018

Guilty! Anti-anti-virus crook convicted, could spend decades in jail

By Lisa Vaas

A second Russian has been convicted for his part in running Scan4you, the notoriously nasty anti-anti-virus malware scanning service designed to keep new malware out of the hands of anti-virus makers.

The US Department of Justice (DOJ) announced on Wednesday that a federal jury convicted Ruslan Bondars, 37, after a five-day trial. The charges: one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage.

His colleague in crime, Jurijs Martisevs, was arrested on a trip to Latvia in April 2017, as was Bondars. The two ran the service along with a third, unnamed, alleged co-conspirator in Virginia.

Martisevs copped a plea in March.

The DOJ said that at its height, Scan4you was the largest service of its kind, with “at least” thousands of users. The service helped malware writers to come up with “some of the most prolific malware known to the FBI,” it said.

Scan4you kept things on the down-low. Unlike anti-virus makers, which report the detection of malicious files to the anti-virus community, the anti-anti-virus service promised anonymity to those who submitted samples. Users could upload files anonymously, and the service promised not to share information about the uploaded files with the anti-virus community.

The service had quite the palate: malware submitted to it included, among other types, crypters meant to hide malware from anti-virus programs, remote-access Trojans (RATs), keyloggers, and malware tool kits to create customized malicious files.

Read more at https://nakedsecurity.sophos.com/2018/05/22/guilty-anti-anti-virus-crook-convicted-could-spend-decades-in-jail/

Facebook conspiracy theories after Android app tries to “get root”

By Paul Ducklin

Facebook popped up in a slew of new cybersecurity conspiracy theories over the weekend.

Apparently, the company’s Android app suddenly started grabbing superuser rights – also known as “root access” in the Linux world. (Android is based on the Linux operating system.)

Apps with root access can pretty much do anything, rather like users with Administrator powers on Windows.

Notably, root-level apps can fiddle with protected system settings, spy on other apps as they run, peek at data from other apps, and more.

So the news that Facebook was “getting root” quickly caused alarm, given the privacy crises in which the company has been embroiled lately.

The obvious questions were: HOW was Facebook able to get root in the first place, WHY did it need root anyway, WHAT on earth has it been doing with this unwarranted privilege, and WHAT possible excuse will it come up with this time?

Read more at https://nakedsecurity.sophos.com/2018/05/21/facebook-conspiracy-theories-after-android-app-tries-to-get-root/

Real-time cellphone location data leaked for all major US carriers

By Lisa Vaas

LocationSmart – a US company that aggregates real-time location data of cellphones – has leaked the location data of all major US mobile carriers, in real time, without their consent, via its buggy website, security journalist Brian Krebs reported on Thursday.

Krebs says the data could be had without a password or any other form of authentication or authorization.

Krebs was tipped off about an unsecured service on the site by Robert Xiao, a security researcher at Carnegie Mellon University who was tinkering with a free demo of a find-your-phone service from LocationSmart. Xiao’s interest had been piqued after he read about the company supplying real-time phone location data to one of its customers – 3Cinteractive – which then reportedly supplied the data to Securus Technologies.

Securus, which provides and monitors calls to inmates, was the subject of a 10 May article from the New York Times, about how its location service – typically used by marketers who offer deals to people based on their location – can easily be used to find the real-time location of nearly any US phone to as close as a few hundred yards.

Read more at https://nakedsecurity.sophos.com/2018/05/21/real-time-cellphone-location-data-leaked-for-all-major-us-carriers/

Chrome drops ‘secure’ label for HTTPS websites

By John E Dunn

When it comes to browser security, how important are the address bar icons and labels that tell users about a site’s security status?

For Google at least, they matter a lot. In 2017 the Chrome browser started marking transactional sites not using HTTPS as ‘Not Secure’. In July 2018, all sites not offering HTTPS will get this label.

This always risked making the Chrome address bar look a bit crowded. In addition to ‘Not Secure’ with a red warning triangle, there was ‘Secure’ (for sites using HTTPS), as well as the famous green padlock symbol dating back more than a decade.

But which signal matters most – virtue or deficiency?

Given that HTTPS security is rapidly becoming the norm – thanks largely to arm-twisting by Google itself – the company has announced that, in future, it will only inform users when a site is insecure.

Consequently, from Chrome version 69, due in September, the ‘Secure’ label will disappear from HTTPS sites and the green padlock will turn grey.

At some point beyond that, the padlock will vanish completely, leaving the address bar empty save for the URL.

It’s a move that turns the address bar from something that tells people that something is good (using HTTPS) into something that only tells users when something is bad (using insecure HTTP).

Read more at https://nakedsecurity.sophos.com/2018/05/21/chrome-drops-secure-label-for-https-websites/
