Forget VPNfilter – here’s BACKLASH, a networking hack from way, way back

By Paul Ducklin

Do you remember the infamous Morris worm that paralyzed the internet back in 1988, or the Christmas Tree worm that hit IBM mainframes in December 1987?

Well, BACKLASH goes back further than both of those – all the way back, indeed, to the 1830s, so it predates even electrical telecommunications, let alone the era of electronics.

Until the first commercial installation of an electrical telegraph by Englishmen William Cooke and Charles Wheatstone in the late 1830s, telegraphy – short for “distant writing” – relied on optical signaling devices.

These devices worked mechanically and typically relayed messages between observers perched in towers, equipped with telescopes.

And it was a on just such a mechanical system, known as the Chappe Telegraph after its French inventor, Claude Chappe, that the BACKLASH vulnerability was exploited in the early nineteenth century.

Read more at https://nakedsecurity.sophos.com/2018/05/31/forget-vpnfilter-heres-backlash-a-networking-hack-from-way-way-back/

Nuisance call bosses, get your wallets ready!

By Lisa Vaas

UK’s data protection watchdog, circa 2010: Curse you, nuisance callers! We’re going to fine you up to £500,000 if you break the law!

Nuisance callers: What’s that, you say? Can’t hear you over these rustling bankruptcy declaration papers!

UK’s data protection watchdog, circa 2018: Oh. Hmm. OK, how about this: we don’t fine the companies; we personally fine the companies’ bosses!

That’s the plan that the Department for Digital, Culture, Media and Sport (DCMS) is now mulling. Last week, the data protection watchdog said that it’s only managed to recover a little over half – 54% – of the £17.8 million in fines issued for nuisance calls since 2010, given that companies go into belly-up liquidation mode to slip out from under the fat penalties.

Ofcom, the UK’s communications regulator, estimates that British consumers were pestered with 3.9 billion nuisance phone calls and texts last year.

The DCMS says that over the past two years, the Information Commissioner’s Office (ICO) issued 23 companies more than £1.9m in fines for nuisance marketing. It’s now easier for regulators to fine those who breach the direct-marketing rules, given that the government has forced companies to display their number when calling customers and has increased fines for wrongdoers.

Ofcom data suggests this action is working: complaints to the ICO and Ofcom have fallen for two consecutive years.

But the nuisance-calling firms play whack-a-mole. As it now stands, only the businesses themselves are liable for the fines. Some directors try to escape paying penalties by declaring bankruptcy. Then they scurry off, only to pop up under a different name and start the pestering anew. The DCMS notes that this is illegal: failing to adhere to a ruling can lead to a prison sentence. Also, the UK’s Insolvency Service can disqualify people from boardroom positions for this kind of shenanigan.

Read more at https://nakedsecurity.sophos.com/2018/05/31/nuisance-call-bosses-get-your-wallets-ready/

California tests digital license plates. Is tracking cars next?

By Lisa Vaas

Alex Roy’s father had a saying:

Anything is possible, but not everything is necessary.

Some would say you could apply this sentiment to the Internet of Things (IoT). You could certainly apply it to the Rplate: “the world’s first digital license plate and cloud app store.”

Yes, now we can add license plates to the pile of “do we really need xyz IoT thing,” which already includes internet-enabled fridges, toasters, washing machines and coffee makers.

Roy, editor of a website called The Drive, points out that contrary to the manufacturer’s claim, the Rplate isn’t the first digital license plate.

But it is, in fact, the one that California is now piloting.

The IoT sitting inside your car’s license plate: what could possibly go wrong? But let’s start with this question: Why?

As the Sacramento Bee reports, California is the first state to adopt the digital plates. A pilot project was launched last week. Sacramento is also scheduled to start testing the plates on some of the cars in the city’s fleet.

The plates will enable those motorists who choose to buy them (the digital plates aren’t required, and they’re certainly not cheap; think in the ballpark of $699, plus installation fees, plus a monthly fee of about $7) to electronically register their vehicles. That means no more stickers that you have to slap onto your plates every year. If the Department of Motor Vehicles (DMV) decides to allow it, the plates will also be able to display personal messages that car owners can change at will.

Read more at https://nakedsecurity.sophos.com/2018/05/30/california-tests-digital-license-plates-is-tracking-cars-next/

Despacito YouTube video hack – teenagers charged

By John E Dunn

Web defacement is supposed to be an old-fashioned type of hack, but it probably didn’t look that way to YouTube viewers on 10 April this year.

That was the day a string of popular videos were defaced on the service, including songs by Chris Brown, Shakira, DJ Snake, Selena Gomez, Drake, Katy Perry, and Taylor Swift, many with pro-Palestinian messages and imagery.

The biggest attention-grabber of all was the defacement of Luis Fonsi and Daddy Yankee’s song Despacito – which with more than five billion views ranks as the most-viewed video in YouTube’s history.

The video was only briefly unavailable, but the attack’s brevity seemed insignificant beside the fact that someone had managed to muck around with gold star content on YouTube in front of millions of watchers.

Six weeks on and police in Paris now say they’ve arrested and charged two 18-year-old teens with the attack, named as Nassim B and Gabriel KAB, who allegedly used the online identifiers Prosox and Kurois’h.

How did two teens allegedly deface so many massively popular videos hosted on a company like YouTube?

It soon became clear that the pair had found a way in by hacking a syndication account operated by Vevo, which is owned by Warner Music Group, Universal Music Group and Sony Music Entertainment, with YouTube itself having a 7% stake.

Read more at https://nakedsecurity.sophos.com/2018/05/30/despacito-youtube-video-hack-teenagers-charged/