July 31, 2018

Cryptojacking for beginners – what you need to know

By John Shier

Cryptojacking has hit the headlines in recent months. But what is it? And do you need to be worried?

Cryptojacking occurs when a computer is used to mine cryptocurrency without the permission of the user. There are two main ways that this is done: in the browser, and via malware installed on the machine.

In-browser cryptominers vs installed cryptomining malware

With an in-browser approach, cybercriminals break into a web server and inject browser-based cryptomining code that mines whenever anyone visits the website. For example, researchers recently discovered that a Coinhive Monero miner had been running on an LA Times website. Any time a user visited the Homicide Report web page offered by the LA Times, the hacker was able to steal their CPU power to mine for Monero, a popular digital currency.

We saw a similar example of this recently when a whole raft of government websites was infected with a cryptomining script through browsealoud DOT com – a service that converts pages on a website to speech, to help out visitors who aren’t fluent in written English or good at reading.

The bad news for consumers is that in-browser cryptojacking is platform-agnostic. That means that all of your devices – including your phone – are potential targets. We’ve seen Coinhive-based miners added to popular apps, like Netflix and Instagram, and there have even been reports recently about mobile phones being physically damaged by cryptominers.

The good news, though, is that in-browser crypto software generally isn’t doing anything malicious to your system, other than general wear and tear. The software might make your laptop use slightly more juice, but you’d be hard-pressed to notice those fractions of a penny on your electricity bill. The fact that it’s all self-contained within the browser itself means that cryptominers never get near your data; they’re just jacking up your CPU.

Read more at https://nakedsecurity.sophos.com/2018/07/31/cryptojacking-for-beginners-what-you-need-to-know/

Prisoners exploit tablet vulnerability to steal nearly $225K

By Lisa Vaas

Idaho prison officials said on Thursday that 364 inmates in five of the state’s prisons exploited vulnerable software in the JPay tablets they use for email, music and games in order to pump up the cash balances of their accounts.

The inmates transferred nearly $225K into their JPay accounts, according to the Associated Press.

The handheld tablets are used in prisons across the country, where inmates use them to stay in touch with the outside world via money transfers, emailing families and friends, buying and listening to music, video visitation, parole and probation payments, and downloading and playing games. The devices are made available through a contract between JPay and CenturyLink. Inmates can pay for entertainment, games and additional services with JPay credits.

Idaho Department of Correction spokesman Jeff Ray said on Thursday that no taxpayer money was involved in the fraud. The tablets operate over a secure network and don’t offer access to the wider internet.

The transfer scam was discovered earlier in the month by a special investigations unit, Ray said.

Mark Molzen, a spokesman for CenturyLink, told the AP that the problem involved inmates “intentionally exploiting a software vulnerability to increase their JPay account balances.” The company declined to give details, considering any such to be proprietary information. Molzen did say that the vulnerability has since been fixed, however.

Read more at https://nakedsecurity.sophos.com/2018/07/30/prisoners-exploit-tablet-vulnerability-to-steal-nearly-225k/

Social media rumors lead to PepsiCo lawsuit

By Lisa Vaas

Kurkure is PepsiCo’s finger-licking, lip-smacking, Indian corn puff snack. PepsiCo is happy to tell anybody who’ll listen that it makes Kurkure in state-of-the-art, automated, hygienic, food-safety-award-winning, certified factories. Here’s a 5-minute video of the process on YouTube. As you can see, we’re talking rice meal, edible vegetable oil (palm oil), corn meal, gram meal, spices, sugar and whatnot.

“Whatnot” is not code for “plastic.” There is no plastic in Kurkure. But somehow, the plastic jokes keep coming.

And because PepsiCo is so not laughing, and because the grain-based, beverage-centric multinational company is laughing so very not hard and has so very many lawyers, it’s sued to get all those despicable jokes and plastic rumors taken offline.

As Media Nama reported on Thursday, PepsiCo has obtained an interim order from the Delhi High Court to delete hundreds of posts on Facebook, Twitter, Instagram and YouTube.

Read more at https://nakedsecurity.sophos.com/2018/07/30/social-media-rumors-lead-to-pepsico-lawsuit/

Google bans Android miners from Play Store

By Danny Bradbury

Google has cracked down on apps that mine for cryptocurrency, banning them entirely from its official Google Play Store.

The company quietly updated its developer policy page with the following statement:

We don’t allow apps that mine cryptocurrency on devices. We permit apps that remotely manage the mining of cryptocurrency.

The policy change means that programs using the device’s own processing power to mine cryptocurrency will no longer be allowed in the official Google Play Store, but that Google is still OK with programs that manage cryptocurrency mining services operating elsewhere.

The move mirrors one by Apple, which banned cryptocurrency miners from its stores in June. It also follows other measures by Google to stamp out cryptocurrency mining programs delivered via its products and services. In April, it banned cryptocurrency mining extensions for its Chrome browser from the Chrome store.

This may stop cryptomining, where people voluntarily give up their phone’s processing power to generate digital coins. It is less likely to stop cryptojacking, where apps deliver a legitimate service but also do some cryptomining on the side without the user’s explicit consent.

Cryptojacking has been a growing problem in Android apps. Last year, cryptomining code was found in several apps that had been approved by the Google Play Store. In April, researchers discovered that various Play Store apps that secretly mined for cryptocurrency had been downloaded more than 100,000 times.

Read more at https://nakedsecurity.sophos.com/2018/07/30/google-bans-android-miners-from-play-store/

“Simple trick” floors home security camera, gives anyone access

By Lisa Vaas

A few weeks ago, a headline popped up on the BBC that caught the eye of security researchers: “Swann home security camera sends video to wrong user”.

It was clear what happened: the camera uploaded a bunch of data on purpose, and then it sent it to the entirely wrong person. As in, Louisa Lewis started to get “motion detected” alerts on her phone that showed somebody else’s kitchen, in somebody else’s house, with somebody she didn’t know, washing their dishes.

But it wasn’t clear why it happened, beyond the camera manufacturer’s explanation that it was human error, caused by two cameras being manufactured with the same cryptographic key to secure communications with their owners, and the duplicate camera owner having ignored the warning prompt that the “Camera is already paired to an account.”

…Nor was it clear that it wouldn’t happen again. Which it did. Nor was any evidence given to support Swann’s promise that “this was a one-off incident.” Which, it’s now clear, it was not.

We know this because a team of Europe-based security researchers came together to pick apart the security on these internet-connected cameras, to get a better sense of the “why”: Ken Munro, Andrew Tierney, Vangelis Stykas, Alan Woodward and Scott Helme.

Read more at https://nakedsecurity.sophos.com/2018/07/27/simple-trick-floors-home-security-camera-gives-anyone-access/
