June 14, 2018

Google locks out extensions that don’t come from its Chrome Web Store

By Lisa Vaas

As of Tuesday, 12 June, Google started on a phase-out of Chrome extensions that come from third-party websites. In the coming months, that means that extensions have got to either hit the Chrome Web Store or hit the highway.

It’s about time, many will say – third-party extensions cause too many headaches.

Extensions Platform Product Manager James Wagner said in an announcement on the Chromium blog that inline extensions (i.e., those from third-party sites) are far more likely to cause Chrome users problems than the ones they get from the Chrome Web Store:

When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation.

Here’s the timeline:

  • Starting on Tuesday 12 June 2018, inline installation was made unavailable to all newly published extensions. Extensions first published on that day or later that attempt to call the chrome.webstore.install() function will now automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.
  • Starting 12 September 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
  • In early December 2018, the inline install API method will be removed from Chrome 71.

Wagner advised developers who distribute an extension using inline installation that they’ll have to update install buttons on their websites to link to their extension’s Chrome Web Store page prior to the stable release of Chrome 71.
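As an added illustration of the migration Wagner describes (this is not code from Google's announcement or from any Chrome extension developer), the snippet below replaces an inline-install button with a direct link to the extension's Chrome Web Store detail page. The extension ID used in the usage comment is a constructed placeholder; the ID format check (32 letters in the range a-p) and the detail-page URL prefix are the publicly documented ones. `installAction` returns its decision instead of touching the DOM so the logic can be exercised outside a browser.

```javascript
// Added example: replacing chrome.webstore.install() with a plain link to
// the Web Store. Not code from Google's announcement; the extension ID in
// the usage comment below is a constructed placeholder.

const WEB_STORE_DETAIL = "https://chrome.google.com/webstore/detail/";

// Chrome extension IDs are 32 lowercase letters in the range a-p. Validate
// before building a URL so a typo or an injected value cannot turn the
// install button into a link to an arbitrary page.
function isValidExtensionId(id) {
  return typeof id === "string" && /^[a-p]{32}$/.test(id);
}

function webStoreUrl(extensionId) {
  if (!isValidExtensionId(extensionId)) {
    throw new Error("invalid Chrome extension ID: " + extensionId);
  }
  return WEB_STORE_DETAIL + extensionId;
}

// Decide how the "Install" control should behave. After the deprecation the
// only supported path is navigation to the Web Store detail page, so the
// result is always a link; inlineApiPresent is reported only so a site can
// log how many visitors still run a Chrome that exposes the old API.
function installAction(extensionId, win) {
  const url = webStoreUrl(extensionId);
  const inlineApiPresent = Boolean(
    win && win.chrome && win.chrome.webstore &&
    typeof win.chrome.webstore.install === "function"
  );
  // Even where chrome.webstore.install() still exists (Chrome before 71),
  // the call now redirects to the Web Store anyway, so link directly and
  // stop depending on an API that is being removed. rel="noopener" keeps
  // the new tab from getting a handle on the opener page.
  return { url, target: "_blank", rel: "noopener", inlineApiPresent };
}

// Browser-side wiring: turn an <a> element into the Web Store link.
function wireInstallButton(anchorElement, extensionId, win) {
  const action = installAction(extensionId, win);
  anchorElement.setAttribute("href", action.url);
  anchorElement.setAttribute("target", action.target);
  anchorElement.setAttribute("rel", action.rel);
  return action;
}

// Usage in a page (placeholder ID, not a real extension):
//   wireInstallButton(document.getElementById("install"),
//                     "abcdefghijklmnopabcdefghijklmnop", window);
```

The ID validation matters because install buttons are often populated from a CMS field or a query parameter; a value that is not a well-formed extension ID should fail loudly rather than produce a link to somewhere other than the Web Store.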

Read more at https://nakedsecurity.sophos.com/2018/06/14/google-locks-out-extensions-that-dont-come-from-its-chrome-web-store/

Tech pioneers: new copyright law a step towards an internet of surveillance and control

By Lisa Vaas

You’re throwing a monkey wrench into the internet with all this copyright zeal.

That’s essentially what the people who created the internet said in a letter to the president of the European Parliament in regards to Article 13 of the EU Copyright Directive.

The letter (PDF), posted on Tuesday, was signed by a who’s who of internet somebodies that included the inventor of the World Wide Web, Tim Berners-Lee; Wikipedia co-founder Jimmy Wales; and internet pioneer Vint Cerf. Together with a slew of other experts, they warn that:

[Article 13] takes an unprecedented step towards the transformation of the internet, from an open platform for sharing and innovation, into a tool for the automated surveillance and control of its users.

What is Article 13?

The article’s mouthful of a name is article 13 of the Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market. Its purpose is to reshape copyright law for the internet age.

It wants to make service providers that “store and provide to the public access to large amounts of works or other subject-matter uploaded by their users” responsible for enforcing copyrights through measures such as “effective content recognition technologies.”

The service providers shall provide rightholders with adequate information on the functioning and the deployment of the measures, as well as, when relevant, adequate reporting on the recognition and use of the works and other subject-matter.

…zzzzz…. Oh, excuse me, I fell asleep while typing. But while it all sounds dry and legalistic, the foes of Article 13 fear that its goal of “[preventing] the availability” of protected works suggests that service providers will need to adopt technology that can recognize and filter work created by someone other than the person uploading it.

Read more at https://nakedsecurity.sophos.com/2018/06/13/tech-pioneers-new-copyright-law-a-step-towards-an-internet-of-surveillance-and-control/

FBI arrests 74 in global Business Email Compromise takedown

By John E Dunn

Finally, after years of laughing in the face of a growing list of mainly SMB victims, Business Email Compromise (BEC) criminals appear to have taken one on the chin.

In an FBI action dubbed Operation WireWire, 42 people accused of being involved in BEC have been arrested in the US, plus a further 29 in Nigeria, and one each in Canada, Mauritius and Poland.

These numbers alone make it one of the biggest cybercrime busts ever recorded and that’s without factoring in $16.4 million of fraudulent wire transfers recovered during the operation.

What is BEC? In short: it’s a bit like phishing but without the fake website. Employees at predominantly small companies are contacted – often through spoofed email addresses but also by phone – by criminals impersonating suppliers or customers and conned into wiring money to them.

Its victims tend to be SMBs without lots of financial checks but also individuals conducting certain kinds of high-value transactions, for example people buying houses through a realtor or estate agent.
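The spoofing pattern described above (a familiar supplier or colleague name on an address that is not theirs, often with a Reply-To pointing somewhere else) is something a mail gateway can flag before an employee ever sees the "please update our bank details" request. The following is an added example written for this digest, not code from the FBI, IC3 or the article's author; the contact list, domains and both sample messages are constructed for the demonstration.

```javascript
// Added example (not from the article): mail-gateway style checks for the
// impersonation pattern BEC relies on. Contacts, domains and messages below
// are constructed for this demonstration.

// Names the organisation expects to hear from, with the domain each one
// legitimately sends from.
const KNOWN_CONTACTS = [
  { name: "Acme Supplies Accounts", domain: "acme-supplies.example" },
  { name: "Jane Doe", domain: "victimco.example" }, // the company's own CFO
];

// Parse "Display Name <user@domain>" or a bare address into its parts.
function parseAddress(header) {
  const m = /^\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$/.exec(header);
  const addr = (m ? m[2] : header).trim().toLowerCase();
  const name = m && m[1] ? m[1].trim() : "";
  const domain = addr.includes("@") ? addr.split("@").pop() : "";
  return { name, addr, domain };
}

// Levenshtein distance, used to spot look-alike domains such as
// acme-supp1ies.example standing in for acme-supplies.example.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns a list of indicator strings; an empty list means nothing matched.
function becIndicators(headers, contacts = KNOWN_CONTACTS) {
  const from = parseAddress(headers["From"] || "");
  const replyTo = headers["Reply-To"] ? parseAddress(headers["Reply-To"]) : null;
  const findings = [];

  for (const c of contacts) {
    // Known display name arriving from a domain that contact never uses.
    const nameMatches = from.name && from.name.toLowerCase() === c.name.toLowerCase();
    if (nameMatches && from.domain !== c.domain) {
      findings.push(`display name "${from.name}" used with unexpected domain ${from.domain}`);
    }
    // Domain within two edits of a known one but not identical to it.
    if (from.domain !== c.domain && editDistance(from.domain, c.domain) <= 2) {
      findings.push(`look-alike domain ${from.domain} resembles ${c.domain}`);
    }
  }
  // Replies silently routed to a different mailbox than the apparent sender.
  if (replyTo && replyTo.domain !== from.domain) {
    findings.push(`Reply-To domain ${replyTo.domain} differs from From domain ${from.domain}`);
  }
  return findings;
}

// Constructed sample messages: a genuine invoice and one showing the pattern.
const SAMPLE_LEGIT = {
  "From": "Acme Supplies Accounts <ar@acme-supplies.example>",
  "Subject": "Invoice 1042",
};
const SAMPLE_BEC = {
  "From": "Acme Supplies Accounts <ar@acme-supp1ies.example>",
  "Reply-To": "<accounts.acme@webmail.example>",
  "Subject": "Updated bank details for invoice 1042",
};
```

Running `becIndicators(SAMPLE_BEC)` yields three findings (name on the wrong domain, look-alike domain, divergent Reply-To), while the genuine invoice yields none. None of these checks proves fraud on its own; the practical use is to hold or label such messages so that any change to payment details gets confirmed over a separately known phone number, which is the control that actually stops the wire going out.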

Once the money has been transferred, it’s incredibly unlikely that much, if any, of it will ever be seen again. With transfers that are initiated by the victim, there is no comeback and insurance is out of the question. As US Attorney General Jeff Sessions put it:

Fraudsters can rob people of their life’s savings in a matter of minutes.

Or of large sums of money that put entire businesses in peril.

Overshadowed by better-publicized crimes such as ransomware, BEC has surreptitiously grown into one of the most dangerous methods of cybercrime targeting SMBs.

The biggest problem is that, up until now, very little has been done about it. Between 2013 and 2015 losses reported to the FBI’s Internet Crime Complaint Center (IC3) totalled $1.2 billion, a lot of money by any standards.

Read more at https://nakedsecurity.sophos.com/2018/06/13/fbi-arrests-74-in-global-business-email-compromise-takedown/

MP gets 600 rape threats in a night, wants an end to online anonymity

By Lisa Vaas

Two years ago, Jess Phillips, Labour MP for Birmingham Yardley, joined others to launch #Recl@im the Internet: a campaign based on the Reclaim the Night effort to enable women to walk freely at night without the fear of being attacked.

After Phillips launched the campaign, she spent a bank holiday playing in the garden with her kids. But while she was enjoying her holiday, Twitter’s bilge pumps went into turbo-drive, resulting in some 5,000 abusive tweets.

There were the initial poison arrows from the troll ringleaders, followed by the troll-lettes that dogpiled on. As she told the BBC’s Victoria Derbyshire at the time, many of the messages threatened rape. Many others said that Phillips wasn’t worthy of being raped, as if rape was something attackers would only do to someone they liked.

The rate of sewage flow was quite high. Fast-forward to the 2018 Cheltenham Science Festival this past weekend, where Phillips said that she received 600 rape threats in one night and was threatened with violence and aggression every day.

Two years ago, Phillips said that she intended to contact Twitter about the ringleaders of the dogpile. More recently, she has stressed that legal action, be it civil or criminal, is the best way to attack the abusers. Phillips told The Metro that she contacted the police, who’ve issued harassment orders against two individuals for “constantly emailing me with bile and abuse.”

That’s not enough, however. The MP wants the social platforms to join the fight: she said at the weekend conference that she wants trolls to more or less be stripped of their anonymity online. At least, they’d have to disclose their identities to companies such as Facebook and Twitter, but they could still post messages anonymously.

Read more at https://nakedsecurity.sophos.com/2018/06/13/mp-gets-600-rape-threats-in-a-night-wants-an-end-to-online-anonymity/

Serious Security: How three minor bugs make one major exploit

By Paul Ducklin

More insecure webcams! Inattention to IoT security! Who would have thought?

Unfortunately, cybersecurity still seems to sit way down in Nth place for many vendors when they start programming their latest and greatest Internet of Things (IoT) devices.

In this case, the bugs are in a family of webcams – and not just any old webcams, but security webcams.

In other words, the very product you bought to protect you from real-world crooks plundering your warehouse at night could be the gateway for cybercrooks to plunder your network at any time.

This story, published by researchers at IoT security company VDOO, documents a sequence of security holes in various Foscam products.

Note. These bugs were responsibly disclosed by VDOO, and quickly fixed by Foscam, so that updates were ready before the details you see below were made public. In other words, the story is now safe to tell on educational grounds: the more we revisit security basics, the more likely we are, collectively, to get them right in the future.

It’s a fascinating reminder of how crooks can combine vulnerabilities that seem unimportant or unexploitable on their own into an “attack chain” that ultimately lets them take over a device entirely.

VDOO’s own post has the full technical details, but here’s our own high-level version.

By the way, we’ve added a fourth vulnerability, which we’ve given the number zero – a design decision that made things worse overall.

Read more at https://nakedsecurity.sophos.com/2018/06/13/serious-security-how-three-minor-bugs-make-one-major-exploit/

6 million cards compromised in Dixons Carphone breach – act now!

By Matt Boddy

In what could be the largest data breach since the GDPR came into effect, Dixons Carphone has revealed what it’s calling an “attempt to compromise 5.9 million [credit or debit] cards”, and a leak of “1.2m records containing non-financial personal data, such as name, address or email address”.

Dixons Carphone – a large European electrical and telecommunications company that owns familiar brands like Dixons, Currys, PC World and Carphone Warehouse – has only revealed vague details about the breach so far, but of the 5.9 million cards compromised:

  • 5.8 million are protected by Chip and PIN.
  • 105,000 non-EU issued cards are not protected by Chip and PIN.

The ICO (Information Commissioner’s Office) have issued a statement saying:

An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.

If you’re a Carphone Warehouse customer, there is good news and bad news.

Let’s start with the good news.

The risk to the owners of the 5.8 million affected payment cards protected by chip and PIN is lowered because crooks will likely need additional data in order to use them to make transactions. According to Dixons Carphone:

The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

That being said, there has also been a loss of personal data which could include contact details for the individuals affected by the card theft.

Now the bad news.

The data that has been stolen makes it much easier for crooks to acquire the rest of the information they need to use your Chip and PIN credit card.

Read more at https://nakedsecurity.sophos.com/2018/06/13/6-million-cards-compromised-in-dixons-carphone-beach-act-now/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation