June 4, 2018
Apple lifts two-month ban on Telegram updates in iOS store
By Lisa Vaas
Russia’s official ban of Telegram has spread, CEO Pavel Durov tweeted on Thursday, saying that Apple had been blocking updates to the encrypted messaging app on a global scale since Russian authorities ordered the company to remove Telegram from the App Store in April.
Durov said on his Telegram channel that Apple’s update block meant that some features that were fixed weeks ago – such as stickers – weren’t working correctly under the recently released iOS 11.4.
Apple’s upgrade block also prevented Telegram from complying with General Data Protection Regulation (GDPR) for its European Union users by the 25 May deadline.
Read more at https://nakedsecurity.sophos.com/2018/06/04/apple-lifts-two-month-ban-on-telegram-updates-in-ios-store/
Cloudflare mistakes own 1.1.1.1 DNS for DDoS attack
By John E Dunn
When is a DDoS attack not a DDoS attack?
In the case of Cloudflare’s much-vaunted and recently-launched 1.1.1.1 DNS service, the answer is when the company diligently starts blocking a DDoS event which turns out to have been caused by something much closer to home.
Users pointing their DNS resolution at 1.1.1.1 (or 1.0.0.1) at router level on 31 May would have noticed a 17-minute disruption to DNS resolution for all network devices, starting at 17:58 UTC.
Users doing the same from a Windows, Linux or Mac computer would have noticed the same effect but only on that device.
Anyone who had the presence of mind to switch to a different DNS service – the Global Cyber Alliance’s 9.9.9.9 or their ISP’s default, say – would have noticed that website domains were suddenly resolving again. This would have been a good clue that something wasn’t quite right.
A DNS resolver disappearing for that long might indicate some kind of DDoS attack which, given that Cloudflare offers tier-one DDoS mitigation through something called Gatebot, would have to have been pretty remarkable to make any headway.
Cloudflare has now posted a blog in which it admitted it suffered an unusual and rare type of DDoS attack – an imaginary one.
Explained simply, Cloudflare’s Gatebot suddenly started interpreting traffic to 1.1.1.1 (that is, sent to and from its users) as a DDoS attack on its infrastructure.
Whoops! It sounds bizarre at first but, as the company explains, Gatebot normally queries a hard-coded list of IP address ranges to check whether traffic is emanating from Cloudflare or is external.
Read more at https://nakedsecurity.sophos.com/2018/06/04/cloudflare-mistakes-own-1-1-1-1-dns-for-ddos-attack/
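The hard-coded ownership check described above, as an added illustration that is not Cloudflare's code: the prefix table, sample flows and threshold are all constructed, and the block shows how a service prefix missing from that table turns legitimate resolver traffic into a mitigation target, together with the coverage check that would catch the gap before deployment.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the hard-coded "our address space" table the
# article describes. 1.1.1.0/24 is deliberately missing to reproduce the
# failure mode; the RFC 5737 documentation ranges are not real Cloudflare prefixes.
OWN_PREFIXES_BEFORE = ["198.51.100.0/24", "203.0.113.0/24"]
OWN_PREFIXES_AFTER = OWN_PREFIXES_BEFORE + ["1.1.1.0/24", "1.0.0.0/24"]

# Constructed sample of traffic: (src, dst) pairs, all legitimate client
# queries to the public resolver addresses.
SAMPLE_FLOWS = [("192.0.2.10", "1.1.1.1")] * 6 + [("192.0.2.11", "1.0.0.1")] * 4

MITIGATION_THRESHOLD = 5  # hypothetical flows-per-destination trigger


def is_own_address(addr, prefixes):
    """True if addr falls inside any prefix of the ownership table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def suspect_destinations(flows, prefixes):
    """Count flows whose destination the table does not recognise as ours;
    a naive mitigation engine treats those as traffic aimed at infrastructure."""
    return Counter(dst for _, dst in flows if not is_own_address(dst, prefixes))


def mitigation_targets(flows, prefixes, threshold=MITIGATION_THRESHOLD):
    """Destinations that would be rate-limited or dropped under the given
    table. With the service prefix missing, the resolver's own address shows
    up here: a self-inflicted outage, not an attack."""
    counts = suspect_destinations(flows, prefixes)
    return sorted(dst for dst, n in counts.items() if n >= threshold)


def uncovered_service_addresses(service_addrs, prefixes):
    """Pre-deployment check: every address a service answers on must be
    covered by the ownership table, or its traffic looks foreign to the engine."""
    return [a for a in service_addrs if not is_own_address(a, prefixes)]


if __name__ == "__main__":
    print(mitigation_targets(SAMPLE_FLOWS, OWN_PREFIXES_BEFORE))  # ['1.1.1.1']
    print(mitigation_targets(SAMPLE_FLOWS, OWN_PREFIXES_AFTER))   # []
    print(uncovered_service_addresses(["1.1.1.1", "1.0.0.1"], OWN_PREFIXES_BEFORE))
```

The coverage check is the part worth wiring into a release pipeline: it fails as soon as a new service address is announced without a matching entry in the ownership table.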
Facebook faces furious shareholders at annual meeting
By Lisa Vaas
The US Senate had its chance to rake Facebook over the coals. The House of Representatives had its own day-long shake-down.
Last week, it was shareholders’ turn.
On Thursday, at Facebook’s annual meeting, CEO Mark Zuckerberg found himself confronted with a roomful of rebellion as angry activist investors forced what The Guardian reports were votes on six proposals to change the company’s governance or institute other reforms.
The proposals were all voted down, of course, courtesy of what one of those shareholder activists, James McRitchie, called Zuckerberg’s “corporate dictatorship.” McRitchie referred to US President George Washington’s decision to step down as president, telling Zuckerberg to be more like that, not like a certain Russian politician:
Mr. Zuckerberg, take a page from history. Emulate George Washington, not Vladimir Putin.
Zuckerberg doesn’t own the majority of voting shares. Nonetheless, Facebook’s stockholder voting structure allows the CEO to control the majority of votes, given that his shares have 10 times the voting power of regular investors’ shares. Hence, it was a foregone conclusion that Zuck and his board of directors would emerge from the meeting unscathed.
NBC News reported that the doomed proposals included one that called on the company to give all shareholders one vote per share, thus stripping Zuckerberg of his special voting rights.
It didn’t pass. Nothing passed.
Read more at https://nakedsecurity.sophos.com/2018/06/04/facebook-faces-furious-shareholders-at-annual-meeting/
Going to Infosec Europe? Grab yourself a goody bag
By Charlotte Williams
Are you making your way to Olympia, London for Infosecurity Europe tomorrow?
If the answer is yes, make sure to come to stand F160 to say hello, and stick around for talks from Sophos and Naked Security experts.
We’ll be presenting on a range of topics, including:
- Fixing your digital tattoo. Tattoos are permanent, much like the information we post online. A look at the security implications of this online information, even if you’ve tried to delete it.
- Hacking Android: How to find out which apps are spying on you. You’ve read his article, and now you’ll have the chance to see Matt Boddy in action.
- Cryptography explained so you can actually understand it. Paul Ducklin will be using his clear and jargon-free style to explain the often-complicated subject of cryptography, so you can go home and impress your friends and family with it!
- Steal Bitcoin, mine Monero: is cryptojacking the next ransomware? Criminals have taken a shine to cryptomining recently, but how does it fit into the bigger picture of threats?
- Have your cloud and eat it too. Straight-talking tips on how to get security right without a load of old-fashioned rules.
- Are you part of a zombie army? From “smart” home thermostats and refrigerators to lights and cars, there’s great potential to make our lives easier – but there’s also untold risk that these devices can bring to our day-to-day lives.
Read more at https://nakedsecurity.sophos.com/2018/06/04/going-to-infosec-europe-grab-yourself-a-goody-bag/
Doctor sues patient for $1m over bad online reviews
By Lisa Vaas
A Manhattan gynecologist is suing a patient for $1m over her one-star online reviews, claiming that she has committed defamation and libel and caused him emotional distress.
On Monday, the New York Post reported that the woman, Michelle Levine, has already spent nearly $20,000 defending herself against a suit filed by the physician, Dr. Joon Song of New York Robotic Gynecology & Women’s Health.
The essence of her reportedly lengthy bad reviews, posted to review sites including Yelp, ZocDoc, Health Grades and Facebook, is that the first time she went for an annual checkup, she was charged for it. She claims it was supposed to be free. Also, Levine claimed that the practice performed unnecessary procedures.
Following notice of the lawsuit, Levine took down the reviews.
She told the NY Post that after she found Dr. Song’s practice online in July 2017, she went in for a checkup. A week later, she got the bill:
He billed my insurance company $1,304.32 for the new-patient visit and ultrasound, and I got a bill for $427 that wasn’t covered.
The annual was supposed to be free!
Read more at https://nakedsecurity.sophos.com/2018/06/01/doctor-sues-patient-for-1m-over-bad-online-reviews/