SHOCK! HORROR! SURPRISE! Bitcoin priceplosion may have been market manipulation

By Lisa Vaas

Last year’s meteoric rise in the value of Bitcoin and other cryptocurrencies might well have been artificially inflated, according to a paper released on Wednesday by University of Texas finance professor John Griffin and graduate student Amin Shams.

The suspected culprit: people using Tether, one of the most-traded cryptocurrencies, to buy bitcoin when the price dips:

Tether seems to be used both to stabilize and manipulate Bitcoin prices.

Bitcoin hit a 16 December 2017 peak of $19,343 before it bumped and thumped on down to USD $6,591.94 (the current price as of writing).

That’s a massive deflation, but it’s looking like the inflation itself might have been based on little besides hot air and market manipulation. According to Griffin, the drive up to nearly $20,000 was likely manipulated by coordinated purchases of bitcoin when they were selling low at exchanges. And according to the New York Times, Griffin knows what he’s talking about: he has a history of spotting financial fraud.

The paper, which attempts to causally determine if price manipulation is taking place, suggests that a concentrated campaign may account for half of last year’s spiked cryptocurrencies prices.

Read more at https://nakedsecurity.sophos.com/2018/06/15/shock-horror-surprise-bitcoin-priceplosion-may-have-been-market-manipulation/

Apple iPhone’s USB Restricted Mode gives Feds a cracking headache

By John E Dunn

Apple thinks it has restricted a bypass that allowed companies working with agencies such as the FBI to gain access to locked iPhones.

According to Reuters, a forthcoming software release – probably iOS 12 in September – will block all communication through the lightning port if the phone hasn’t been unlocked for an hour.

Under the new ‘USB Restricted Mode’, which is already at the beta stage in iOS11.4.1, only power charging will be possible after that.

This has been mentioned before but the timescale of one hour is dramatically shorter than the one week mooted when the story raised its head a month ago.

On the face of it, a small tweak, but almost certainly enough to severely limit the use of tools from companies such as Grayshift and Cellebrite, which are believed to depend on a USB port connection to attack Apple’s security.

It recently emerged that Grayshift’s GrayKey is a small box with an Internet connection and two Lightning cables sticking out of it – images on the Internet show as much.

These connect to two iPhones at a time and somehow instigate what must be a brute force of the passcode – essentially trying lots of options until the correct one is found.

This would be a simple process if it weren’t for onerous time restrictions Apple has built into iPhones that limit the rate at which incorrect guesses can be made.

Another factor is the length of the passcode with informed reports suggesting days being needed where a passcode of six digits is being attacked.

Read more at https://nakedsecurity.sophos.com/2018/06/15/apple-iphones-usb-restricted-mode-give-feds-a-cracking-headache/

Football app tracks illegal broadcasts using your microphone and GPS

By Lisa Vaas

Are you watching an illegal broadcast of a Spanish football game? Are you sure?

Spanish football league La Liga is asking, because, it says, it’s losing about 150 million euros a year (USD $173.5m) when venues illegally broadcast matches, which…

…translates into direct damage for clubs, operators and fans, among others.

… and which is why it started turning on the microphones and GPSes of Android users of its mobile app, La Liga said in an updated privacy policy posted on Monday.

It’s asking users for their explicit consent to turn on the new, eavesdroppy-feeling function, which captures the binary code of audio fragments. The “sole purpose” of the new function is to figure out if Android users are watching football matches of competitions “disputed” by La Liga teams, it said. In other words, nobody’s ever going to access the content of the recordings, La Liga promised.

Read more at https://nakedsecurity.sophos.com/2018/06/15/football-app-tracks-illegal-broadcasts-using-your-microphone-and-gps/

The $99 digital padlock that kept crooks out… for 2 whole seconds

By Paul Ducklin

Imagine if you could walk up to your bicycle, unlock it within two seconds, and ride off without grubbing in your pocket for keys, without spinning a combination dial with cold, wet hands, and without fiddling around with a mobile phone app to tell the lock to open.

What if you could just swipe your finger over the lock and open it as easily as you unlock your mobile phone with its fingerprint scanner?

Well, Canadian company Tapplock sells a product that not only works that way, but also boasts “unbreakable design”.

Admittedly, the small print on its website ultimately tones that punchy claim down to say “virtually unbreakable”, but the Tapplock is certainly pitched as a secure product.

Tapplock claims that unlocking takes just 0.8 seconds, and that up to 500 different fingerprints can be registered with the lock, making it suitable for even the most extended family.

Those cool features are supposed to be what makes the Tapplock cost a bullish $99 – big money for a padlock.

Read more at https://nakedsecurity.sophos.com/2018/06/14/the-99-digital-padlock-that-kept-crooks-out-for-2-whole-seconds/

“Hey, Cortana, did Patch Tuesday fix a serious lock screen bug?”

By Maria Varmazis

This month’s Patch, er sorry, Update Tuesday includes fixes for 50 high-impact vulnerabilities in Microsoft Windows – 11 of which were rated Critical and 39 Important.

The majority of the Critical bugs patched in this update affect the Edge browser, while most of the Important bugs belonged to Windows 10.

One of the more interesting Windows 10 fixes in this update was a Cortana bug (CVE-2018-8140) that allowed an attacker to bypass the Windows lock screen entirely, accessing private data on the machine, and even running executables.

An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions.

It’s worth noting that Cortana is automatically enabled on the default settings for Windows 10, including the lock screen. With about 150 million people using Cortana today, by Microsoft’s estimates, this vulnerability could affect a lot of people (although an attacker needs to be near enough to a vulnerable machine for it to hear them, obviously).

Apple fanboys would do well to remember that Siri is no stranger to lock screen bugs should they be tempted to throw any stones from the comfort of their glass houses!

Thankfully, there’s now a patch. If you aren’t planning to patch any time soon you can disable Cortana access on the lock screen.

Read more at https://nakedsecurity.sophos.com/2018/06/14/hey-cortana-did-patch-tuesday-fix-a-serious-lock-screen-bug/