July 2, 2018

Brave adds Tor to reinvent anonymous browsing

By John E Dunn

The Brave privacy browser has added another feature to bolster its blossoming anti-surveillance credentials – the ability to use the Tor anonymity system by launching a tab.

The feature is called Private Tabs with Tor (beta version 0.23); launching a session involves clicking on the Private Tab with Tor option from a drop-down list.

Naked Security has covered the inner workings of Tor (The Onion Router) in previous articles, but the privacy benefit of using it is summed up quite nicely in the Brave announcement:

Private Tabs with Tor help protect Brave users from Internet Service Providers, guest Wi-Fi providers, and visited sites that may be watching their internet connection or even tracking and collecting IP addresses, a device’s internet identifier.

Browsers already offer so-called incognito modes, but these offer limited privacy. Sessions are isolated from those opened by the main browser and ostensibly leave no traces of your browsing habits on your computer (although not everyone agrees this is strictly true).

What incognito mode doesn’t do is hide browsing from ISPs, which typically will keep a record of the websites visited from a given IP address.

As Google itself notes:

Going incognito doesn’t hide your browsing from your employer, your internet service provider or the websites that you visit.

Tor is a major step up from this because it blocks the ISP from tracking which websites someone is visiting and hides a visitor’s true IP address and country of origin from the website they visit (as long as the user doesn’t log into them).

Read more at https://nakedsecurity.sophos.com/2018/07/02/brave-adds-tor-to-reinvent-anonymous-browsing/

Second former Equifax staffer charged with insider trading

By Danny Bradbury

In another entry for the ‘what were they thinking’ file, a second former Equifax executive has been charged with insider trading in advance of the company’s massive data breach announcement last September.

According to an SEC release, Sudhakar Reddy Bonthu, a former software engineering manager at the credit information company, traded on confidential information that he received while creating a website for consumers affected by the Equifax breach.

The breach saw 146.6 million US consumers affected, with most records containing social security numbers. Some 99 million lost their address information while 17.6 million lost their drivers’ license numbers. In the UK, a file of 15.2 million records was hacked, and 693,665 consumers had sensitive personal details exposed.

Bonthu, 44, was told that he was building a site for an unnamed client; however, he soon worked out that it was for his employer, Equifax. He allegedly used this information to buy put options in the company’s shares.

A put option is a contract to sell stock for a specific price (the ‘strike price’) within a specified period. You can purchase put options whether you own a stock or not. If a stock trades at $140 per share and you know it will go down, then purchasing a put option to sell 100 shares with a $140 strike price lets you capitalize on the stock’s movement. If the stock drops to $95, then the put option contract becomes a valuable commodity that you can sell to someone else. It’s a classic tool for ‘shorting’ a stock by betting on its decline.

According to the SEC, Bonthu wasn’t betting at all. Instead, he knew that the Equifax stock would fall thanks to insider knowledge.

Equifax fired Bonthu in March after he refused to cooperate with its insider trading investigation. He has agreed to return his gains from the put option trades plus interest to settle the SEC’s civil charges, subject to court approval. However, he also faces criminal charges from the US Attorney’s Office for the Northern District of Georgia.

Read more at https://nakedsecurity.sophos.com/2018/07/02/second-former-equifax-staffer-charged-with-insider-trading/

Facebook and Google accused of manipulating us with “dark patterns”

By Danny Bradbury

By now, most of us have seen privacy notifications from popular web sites and services. These pop-ups appeared around the time that the General Data Protection Regulation (GDPR) went into effect, and they are intended to keep the service providers compliant with the rules of GDPR. The regulation requires that companies using your data are transparent about what they do with it and get your consent for each of these uses.

Facebook, Google and Microsoft are three tech companies that have been showing their users these pop-ups to ensure that they’re on the right side of European law. Now, privacy advocates have analysed these pop-ups and have reason to believe that the tech trio are playing subtle psychological tricks on users. They worry that these tech giants are guilty of using ‘dark patterns’ – design and language techniques that make it more likely that users will give up their privacy.

In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy. Microsoft is also guilty to a degree, although it performs better than the other two, the report said. Forbrukerrådet also made an accompanying video.

Tech companies use so-called dark patterns to do everything from making it difficult to close your account through to tricking you into clicking online ads (for examples, check out darkpatterns.org’s Hall of Shame).

In the case of GDPR privacy notifications, Facebook and Google used a combination of aggressive language and inappropriate default selections to keep users feeding them personal data, the report alleges.

Read more at https://nakedsecurity.sophos.com/2018/06/29/facebook-and-google-accused-of-manipulating-us-with-dark-patterns/

Linux distro hacked on GitHub, “all code considered compromised”

By Paul Ducklin

Data breaches are always bad news, and this one is peculiarly bad.

Gentoo, a popular distribution of Linux, has had its GitHub repository hacked.

Hacked, as in “totally pwned”, taken over, and modified; so far, no one seems to be sure quite how or why.

That’s the bad news.

Fortunately (we like to find silver linings here at Naked Security):

  • The Gentoo team didn’t beat around the bush, and quickly published an unequivocal statement about the breach.
  • The Gentoo GitHub repository is only a secondary copy of the main Gentoo source code.
  • The main Gentoo repository is intact.
  • All changes in the main Gentoo repository are digitally signed and can therefore be verified.
  • As far as we know, the main Gentoo signing key is safe, so the digital signatures are reliable.

Like Drupal before it, the Gentoo team has started by assuming the worst, and figuring out how to make good from there.

That way, if things turn out to be better in practice than in theory, you’re better off, too.

Read more at https://nakedsecurity.sophos.com/2018/06/29/linux-distro-hacked-on-github-all-code-considered-compromised/

The Ticketmaster breach – what happened and what to do

By John E Dunn

Live Nation Entertainment subsidiary Ticketmaster has admitted it has suffered a serious data breach affecting 40,000 of its British and international customers.

Anyone who used the Ticketmaster UK, GETMEIN! and TicketWeb sites to book tickets between February 2018 and 23 June 2018 may have had data compromised, including their name, email address, physical address, telephone number, Ticketmaster logins, and payment card details.

In addition, so-called “international customers” who bought, or tried to buy, tickets between September 2017 and 23 June 2018 could also be affected. (US customers are not part of the alert.)

The issue was caused by malware, spotted on 23 June 2018, that had infected a customer support system managed by Ticketmaster partner Inbenta Technologies, according to an email sent to affected account holders on Wednesday afternoon.

So far, the breach response is still at a stage described by Ticketmaster as follows:

Forensic teams and security experts are working around the clock to understand how the data was compromised.

In other words, we now all know that there was a breach, but not yet how it happened.

What’s happened to the stolen data?

Often, breach notifications refer to card payment data almost in passing, which invites readers to infer that although the data could have been compromised in theory, it wasn’t accessed in practice.

In this case, however, it seems pretty certain that payment card data was not only stolen but is also already being abused.

Read more at https://nakedsecurity.sophos.com/2018/06/28/ticketmaster-breach-what-happened-and-what-to-do/

Windows 10 security can be bypassed by Settings page weakness

By John E Dunn

The file type used to link to Windows 10’s settings page can be abused to run malicious executables or commands in a way that bypasses the OS’s defenses.

Researcher Matt Nelson of SpecterOps made the discovery while he was looking for new formats for attackers to abuse now that the HTML Applications (HTA files), Visual Basic programs (VBS), JavaScript (JS), PDF and Office files are tightly controlled by Office 365 and Windows 10.

Nelson came across a format that few beyond Microsoft will have heard of: SettingContent-ms, used to create shortcuts to the settings page, the successor to the Control Panel.

A file with this extension is simply an XML file that contains paths to the programs used to configure Windows 10’s settings.

That brings with it some power through an option in .SettingContent-ms called “DeepLink”, which specifies the disk location that gets invoked when opening the Settings page or the Control Panel.

Nelson discovered that “DeepLink” could be used to open anything, for example CMD.EXE, PowerShell, or even a chain of commands, triggered by an internet link:

So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogs to the user.

Office would normally block commonly-abused file types when they’re referenced externally, but this file format is apparently not seen as risky.

Read more at https://nakedsecurity.sophos.com/2018/06/28/windows-10-security-can-be-bypassed-by-settings-page-weakness/
