June 7, 2018
Hackable CloudPets pulled from Target, Walmart, Amazon and more
By Lisa Vaas
Most parents likely don’t want their kids’ talking stuffed toys to issue Dalek threats in those non-indoor voices of theirs.
But that’s exactly what happened, thanks to toy maker CloudPets’ unsecured MongoDB server. The toys allow children to send and receive audio messages via the cloud and an iOS or Android app.
Last year, more than half a million people who bought the Bluetooth-enabled, Internet of Things (IoT), fluffy little suckers had their data and kids’ voice messages exposed.
The email addresses and password information for more than 800,000 accounts were also leaked. In fact, CloudPets users’ data was accessed multiple times by unauthorized parties on multiple occasions and held for ransom.
Now, finally, 16 months later, the toys are being yanked from the online shelves at Walmart, Amazon, eBay and Target.
As Consumer Affairs reports, researchers recently discovered that the security issues in CloudPets still haven’t been fixed, prompting the Electronic Frontier Foundation (EFF) to pen a letter to Walmart, Target, and Amazon, voicing concern that they were still selling the not-so-smart toys.
Read more at https://nakedsecurity.sophos.com/2018/06/07/hackable-cloudpets-pulled-from-target-walmart-amazon-and-more/
Oh, the irony! When cybercriminals are rubbish at cybersecurity
By John E Dunn
The Owari DDoS botnet, built by knocking over weakly-secured Internet of Things (IoT) devices, has had a bad week.
The disruption of a botnet is always cause for celebration but it’s the reason behind Owari’s hiccup that might linger longer in the memory.
According to the NewSky Security researchers who compromised it, the botnet’s command and control server was secured with credentials so weak most admins will find themselves doing a double take.
When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.
Trying their luck, they discovered:
To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind – Username: root, Password: root.
No brute forcing required, then, but there were other discoveries too, including a table of botnet customers who seemed to have been given similarly weak credentials including “sin/sin”, “packet/packet”, and “logi/f***”.
Most of the IPs attacked by the botnet appeared to have been rival botnets.
The researchers also discovered a second MySQL database on another IP, also secured using “root/root”.
Read more at https://nakedsecurity.sophos.com/2018/06/07/oh-the-irony-when-cybercriminals-are-rubbish-at-cybersecurity/
Norman the AI bot reads Reddit, becomes “psychopath”
By Lisa Vaas
When I looked at the Rorschach inkblot, I saw a giant, as seen from below, as if through a glass ceiling. A normal, well-adjusted artificial intelligence (AI) bot interpreted it as a black and white photo of a small bird.
A psycho bot who’s been trained on Reddit images saw a guy getting pulled into a dough machine. That’s what a bit too much exposure to the darkest subreddits will do to a bot, evidently – there’s nothing quite like an r/ dedicated to watching people die to mangle your wetware.
At any rate, say hello to Norman, a bot that MIT’s Media Lab claims is the “world’s first psychopath AI [artificial intelligence].”
This is what Norman sees when he looks at inkblots. It’s not his fault that he sees a man electrocuted when “normal” AIs see a group of birds sitting on a tree branch. (I see Siamese twin bats connected at the torso/head. Nobody has asked me to train AI, so any people who don’t like bats can relax.)
Rather than the non-gruesome images that most AI is trained on, Norman – named after Norman Bates, the homicidal hotel owner-manager in Alfred Hitchcock’s unforgettable psychological horror Psycho – “suffered from extended exposure to the darkest corners of Reddit,” MIT says.
The point of the Norman project is to present a case study on the dangers of AI gone bad when machine-learning algorithms are fed biased data. MIT says the Norman team trained the AI on image captions from an infamous subreddit whose name it redacted “due to its graphic content,” dedicated as it is to documenting and observing “the disturbing reality of death.”
Read more at https://nakedsecurity.sophos.com/2018/06/07/norman-the-ai-bot-reads-reddit-becomes-psychopath/
The Zip Slip vulnerability – what you need to know
By Mark Stockley
Research by security firm Snyk has revealed that thousands of projects may be affected by a serious vulnerability, one so simple you’ll need to put a cushion on your desk before you read any further (in case of involuntary headdesk injury).
As you might guess from its fancy name – Zip Slip – the vulnerability is all about Zip files.
In a nutshell, attackers can create Zip archives that use path traversal to overwrite important files on affected systems, either destroying them or replacing them with malicious alternatives.
Attackers might use that ability to target files they can execute remotely, such as parts of a website, or files that a computer or user are likely to run anyway, like popular applications or system files.
Zip Slip isn’t a problem with the Zip file format though, it’s a bit of bad programming that’s been repeated over and over and over again, in lots of different projects:
The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as Stack Overflow.
… [it] can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.
Unfortunately, that coding faux pas has been committed in multiple software libraries, in multiple languages, which has the effect of spreading it far and wide whilst making it harder to fix.
Software libraries are bits of code that are designed to be included in other software projects. So, not only do the vulnerable libraries need to be fixed, but so does the software that uses those libraries. And, of course, a patch is no good until it’s deployed.
Snyk is maintaining lists of affected projects and libraries on GitHub.
Read more at https://nakedsecurity.sophos.com/2018/06/06/the-zip-slip-vulnerability-what-you-need-to-know/
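To make the "bit of bad programming" concrete, here is an added example (not code from the Sophos article or from Snyk) showing the Zip Slip pattern in Python beside a hardened extractor. The archive with a "../outside.txt" entry is constructed in memory for the demonstration; the naive loop joins each entry name onto the destination and writes without checking where the path lands, while the safe version canonicalises every entry and refuses any that resolves outside the destination before writing a single byte.

```python
import io
import os
import tempfile
import zipfile


def build_archive(entries):
    """Build an in-memory zip from a {name: bytes} mapping.
    Constructed sample input for the demo, not a real-world artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_naive(archive_bytes, dest):
    """The Zip Slip pattern: the entry name is joined onto dest and the
    file is written wherever that path points, '..' segments included."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.abspath(target))
    return written


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the destination."""


def safe_path(dest, name):
    """Resolve the entry name against dest and refuse it unless the
    canonical result is inside dest (symlinks and '..' resolved)."""
    dest_real = os.path.realpath(dest)
    if os.path.isabs(name):
        raise ZipSlipError(f"absolute entry name rejected: {name!r}")
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ZipSlipError(f"entry escapes destination: {name!r}")
    return target


def extract_safe(archive_bytes, dest):
    """Validate every entry first, then write; a single bad entry
    rejects the whole archive rather than half-extracting it."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        targets = [(name, safe_path(dest, name)) for name in zf.namelist()]
        for name, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written


def demo():
    """Run both extractors on the constructed malicious archive inside a
    throwaway directory and report what each one did."""
    archive = build_archive({
        "readme.txt": b"harmless",
        "../outside.txt": b"escaped the extraction directory",
    })
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "extract")
        os.makedirs(dest)
        naive_written = extract_naive(archive, dest)
        # the naive loop dropped a file one level above its destination
        escaped = os.path.exists(os.path.join(root, "outside.txt"))
        try:
            extract_safe(archive, os.path.join(root, "safe"))
            rejected = False
        except ZipSlipError:
            rejected = True
        # a benign archive with a subdirectory still extracts normally
        benign = build_archive({"a.txt": b"x", "sub/b.txt": b"y"})
        safe_written = extract_safe(benign, os.path.join(root, "benign"))
    return {
        "naive_count": len(naive_written),
        "naive_escaped": escaped,
        "safe_rejected": rejected,
        "benign_count": len(safe_written),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `safe_path` is the whole fix: compare the canonical target against the canonical destination rather than string-matching on "..", so encoded or symlinked variants are caught too, and validate all entries before writing any so a rejected archive leaves nothing behind.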
Apple says no to Facebook’s tracking
By John E Dunn
Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites.
Shown during a demo earlier this week at Apple’s WWDC conference by software chief Craig Federighi, this will ask users whether to allow or block web tracking quietly carried out by a certain company’s ‘like’, ‘share’ and comment widgets.
Said a bullish Federighi to loud applause.
We’ve all seen these like buttons, share buttons and comment fields. Well it turns out, these can be used to track you, whether you click on them or not. And so this year, we’re shutting that down.
Facebook wasn’t mentioned verbally, but nobody was left in any doubt about the primary target of the new feature when they read the dialog text used in Federighi’s demo:
Do you want to allow ‘facebook.com’ to use cookies and website data while browsing [example.com]? This will allow ‘facebook.com’ to track your activity.
Facebook’s chief security officer later tweeted back, testily:
It’s an unexpected turn of events for Apple, a company that normally uses public presentations to tout new features but has recently indulged a bit of rival bashing in ways that hark back to the late 1990s when it was at perpetual loggerheads with Microsoft.
Read more at https://nakedsecurity.sophos.com/2018/06/06/apple-says-no-to-facebooks-tracking/
Blocking facial recognition surveillance using AI
By John E Dunn
If Artificial Intelligence (AI) is increasingly able to recognise and classify faces, then perhaps the only way to counter this creeping surveillance is to use another AI to defeat it.
We’re in the early years of AI-powered image and face recognition but already researchers at the University of Toronto have come up with a way that this might be possible.
The principle at the heart of this technique is adversarial training, in which a neural AI network’s image recognition is disrupted by a second network trained to understand how it works.
This makes it possible to apply a filter to an image that alters only a few very specific pixels but makes it much harder for online AI to classify.
The theory behind this sounds simple enough, explains the University of Toronto’s professor Parham Aarabi:
If the detection AI is looking for the corner of the eyes, for example, it adjusts the corner of the eyes so they’re less noticeable. It creates very subtle disturbances in the photo, but to the detector they’re significant enough to fool the system.
The researchers even tested their algorithm against the 300-W face dataset, an industry-standard pool based on 600 faces in a range of lighting conditions.
Against this, the University of Toronto system reduced the proportion of faces that could be identified from 100% to between 0.5% and 5%.
However, read the detailed paper published by the team and it becomes clear that there’s still a way to go. For a start, not all image recognition systems work in the same way, with architectures such as the Faster R-CNN offering a much bigger challenge.
Read more at https://nakedsecurity.sophos.com/2018/06/06/blocking-facial-recognition-surveillance-using-ai/
Microsoft faces wrath of developers after GitHub acquisition
By Lisa Vaas
It’s official: Microsoft has bought open-source developers’ beloved code-collaboration site, GitHub, for $7.5 billion in stock…
…a figure that basically transfers into ~”free”~ if stock market watchers are reading it right, particularly when it comes to encouraging more of those 28 million GitHub developers to build more cloud applications.
Hello, Microsoft Azure! That’s Microsoft’s cloud computing service, where customers rent digital resources and applications on demand and where, as the Wall Street Journal notes, Microsoft is racing to catch up to industry leader Amazon.
Microsoft says that GitHub developers work on code that sits in 85 million storage spaces, called repositories, used by people in nearly every country, from mega-corporations to wee startups. In other words, it’s an insanely popular, cloud-based Git repository with lots of bells and whistles for managing collaborative, open-source software projects. GitHub offers a free version to developers who commit to sharing code, though it began charging for private storage on the service six months after its launch. It charges corporate customers to host and run software projects: a service that includes security and identity-management features.
Microsoft has come a long way in the past 10 years, since former chief Steve Ballmer called open-source a malignant cancer: the company now says that it’s the most active organization on GitHub, with more than 200 million “commits” – in other words, updates – made to projects.
Read more at https://nakedsecurity.sophos.com/2018/06/06/microsoft-faces-wrath-of-developers-after-github-acquisition/
Google says fix for ‘weird’ 1975 text message bug is on the way
By Lisa Vaas
If you want to see your recent text messages on an Android device in the normal world, you just type “show me my texts” in the Google search bar.
But why be normal? If you want to get weird – as Redditor Krizastro discovered last week – you can also see your Android texts by typing in “the1975..com”.
Krizastro:
It’s like just about the weirdest glitch I have come by.
Krizastro was curious: Were others experiencing the glitch?
They certainly were. At the time of writing, Androids were still glitching out, given that the promised fix hadn’t been rolled out yet. But it gets even weirder…
Read more at https://nakedsecurity.sophos.com/2018/06/05/google-says-fix-for-weird-1975-text-message-bug-is-on-the-way/
Facebook defends practice of giving deep data access to device makers
By Lisa Vaas
Thanks to Facebook and its coziness with phone and device manufacturers, setting up your profile so as not to share your personal information is a futile act, according to reports by the New York Times:
Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.
According to Facebook officials, over the past decade – before Facebook apps were widely available on mobile phones – the social network developed data-sharing partnerships with “at least” 60 device makers, including the big ones: Apple, Amazon, BlackBerry, Microsoft and Samsung.
The point of the partnerships was to help Facebook expand and to enable device makers to offer Facebook’s popular features: for example, messaging, “like” buttons and address books.
Now that the scope of the data sharing has been brought to light, questions have arisen about how this jibes with a 2011 consent decree with the Federal Trade Commission (FTC). That decree required that Facebook notify users and receive explicit permission before sharing personal data beyond users’ specified privacy settings.
This practice of sharing data with device makers, sans explicit permission, didn’t come to a screeching halt because of the Cambridge Analytica scandal that erupted in March. The Times reports that most of the partnerships are still in effect, though Facebook started shutting them down in April, during its soul searching on privacy and data practices in the wake of the Cambridge Analytica fiasco.
The scope of how much data Facebook has fumbled over the years, through a diverse collection of data harvesters, continues to expand: initial estimates of data that Cambridge Analytica siphoned off for micro-targeted political ads was in the region of 50 million users.
Read more at https://nakedsecurity.sophos.com/2018/06/05/facebook-defends-practice-of-giving-deep-data-access-to-device-makers/