Tor-linked nonprofit raided by police

By Lisa Vaas

On 20 June, at 6:00 a.m., German police knocked on the doors at the homes of three members of the board of directors for Zwiebelfreunde: a non-profit organization whose name, in English, translates as “Onion Friends” and which operates Tor services for Torservers.net.

On Wednesday, the group said on its blog on Torservers.net – which is one part of a large, decentralized network of Tor nodes – that police seized most of the group’s electronic storage equipment: disks, laptops, PCs, GnuPG Smartcards/Yubikeys, and mobile phones.

In a coordinated set of raids, police also ransacked the group’s registered headquarters in Dresden – which is the group’s lawyer’s office – and the home of a previous board member.

Der Spiegel reported on Wednesday that police also seized a number of documents, including paper receipts identifying donors and membership lists for previous years. Police also raided the Augsburg headquarters of the Chaos Computer Club (CCC).

Well, so much for striving to promote anonymity, privacy and security on the internet.

As Der Spiegel notes, Onion Friends has for years been collecting donations on behalf of alternative and non-commercial providers whose confidential communication services are used by social movements worldwide.

That, obviously, is “the only reason why the German investigators went so far against the club,” the newspaper said.

The raids were reportedly sparked by the Munich Attorney General’s search for the authors of a left-wing blog, Krawalltouristen, which translates to “riot tourists.” Police claim that the blog called for violent protests aimed at the annual convention of the right-wing Alternative for Germany (AfD) party, the largest opposition party in the German parliament.

But German police didn’t bother to go after the email provider behind that email address, which was Riseup.net. As Zwiebelfreunde tells it, the group has a partnership with Riseup Labs, a US non-profit focused on technological research, development, and education for the purpose of furthering social justice and supporting social movements. Onion Friends manages donations to Riseup Labs and says the two groups collaborate to spend the money on software development, travel reimbursements and Riseup’s Tor infrastructure.

Read more at https://nakedsecurity.sophos.com/2018/07/05/tor-linked-nonprofit-raided-by-police/

7-year-old’s avatar sexually assaulted on “family-friendly” Roblox

By Lisa Vaas

Roblox, a gaming site for kids and teens, says it’s the largest user-generated online gaming platform. It calls itself “a family-friendly, immersive, 3D environment.”

A North Carolina mother is calling it something else entirely after she watched her 7-year-old’s avatar being “violently gang-raped on a playground” by two male players’ avatars… And then witnessing the female avatar of an onlooker jump on her daughter’s avatar when the virtual rapists were through.

Amber Petersen said in a 28 June Facebook post that she and her husband had thought they had done due diligence when they allowed their daughter to play the game. She noted that Roblox is rated Pan European Game Information (PEGI) 7: PEGI being a European video game content rating system that assigns age recommendations and content descriptions. Hence, a PEGI 7-rated game such as Roblox should be appropriate for those children who are at least 7 years old.

The game has a multiplayer online gaming platform in which users can create their own personal avatar and their own adventures, similar to Minecraft. Then, players can interact with each other in virtual reality.

Of particular interest to parents such as Petersen and her husband: Roblox has security settings that allow parents to block outside conversations and invitations. Moderators and automatic filters also block potentially inappropriate content.

Read more at https://nakedsecurity.sophos.com/2018/07/05/7-year-olds-avatar-sexually-assaulted-on-family-friendly-roblox/

Want to beat facial recognition? Join the Insane Clown Posse

By Lisa Vaas

Over the weekend, a computer science blogger for WonderHowTo who’s known on Twitter as @tahkion announced his revelation that makeup worn by fans of the hip hop duo Insane Clown Posse (ICP) – collectively known as Juggalos or Juggalettes – makes it very difficult for facial recognition (FR) software to figure out the wearer’s identity.

Tahkion says he discovered the facial recognition trickery while working on his own FR research project and was pretty surprised to find that Juggalo face paint was:

Some of the most effective camouflage I’ve found, even more effective than some styles created deliberately to fool such systems.

Of course, while Juggalo face paint may well fool automated FR, it makes the wearer far more recognizable to just about anyone else – say, humans, Tahkion said. For those who are truly devoted to avoiding facial recognition, this isn’t the answer. Rather, the surveillance-allergic would be better off with an FR-foiling disguise that still looks completely normal to the human eye.

Read more at https://nakedsecurity.sophos.com/2018/07/04/want-to-beat-facial-recognition-join-the-insane-clown-posse/

Elderly scam victims are too embarrassed to speak up

By Lisa Vaas

“Christine” was a pensioner in her 70s with a terminally ill husband when she got an email out of the blue: she could receive £500,000 if certain “fees” were paid, it said. Well, hallelujah.

So she began paying… And paying… And paying. Over the course of a few months, Christine spent the couple’s life savings – £108,000, or about USD $142,555. The reality of the fleecing didn’t become clear until she tried to re-mortgage their home, at which point her solicitors suggested she’d been scammed.

It took a long time to drain Christine dry, with those “fees” drip, drip, dripping away until the couple’s bank account was empty. Didn’t family or friends notice the duress the couple was under? Why did it take a solicitor to spot what might seem like a blatant fraud perpetrated on the elderly – and why did it only come after the damage was done?

Unfortunately, Christine’s plight is all too common. According to a new, joint report from Reassura, a new anti-fraud helpline for pensioners, and the University of Portsmouth’s Centre for Counter Fraud Studies (CCFS), 22% of elderly people – those aged 65 and over – are unwilling to talk about their personal finances at all, even in good times. But if the elderly have been victimized by fraudsters or scammers, that number jumps to 36% who are too embarrassed to talk about what’s gone down.

Read more at https://nakedsecurity.sophos.com/2018/07/04/elderly-scam-victims-are-too-embarrassed-to-speak-up/

Samsung phones sending photos to contacts without permission

By John E Dunn

At least two Samsung smartphone models have reportedly spontaneously started sending photographs to contacts without being asked to do so.

It’s never easy to tell how widespread smartphone problems are – forums are regularly filled with an assortment of issues – but the pattern of behavior in anecdotal reports from US owners has a consistent ring to it.

Multiple images are said to have been sent to contacts without users being aware that it’s happening or having any indication after the fact in the Samsung Messages app.

One user claimed it sent his entire photo gallery to his girlfriend during the night, while another reported photographs had been sent to multiple contacts. Presumably, users find out when recipients tell them.

Judging from one Reddit thread, the affected devices are the latest Galaxy S9 and S9+, but it’s possible that other models are affected too.

What might cause such an issue – and how photographs could be sent to contacts – is a mystery.

Read more at https://nakedsecurity.sophos.com/2018/07/04/samsung-phones-sending-photos-to-contacts-without-permission/

Facebook accidentally unblocks people

By Lisa Vaas

There are so, so many reasons to block the Facebook annoyarati. As Ranker enumerates in its 15 reasons why they’re so annoying, they can be selfie-saturaters, romance oversharers, my life is SO GREAT!-ers, feed cloggers, or whining whiner babies, for example.

Annoying is one thing. On the other end of the spectrum are the dangerous or illegal social media accounts: the stalkers, the child predators, the trolls, the bots, the scammers. But they all have one thing in common. They deserve to be blocked, and Facebook users deserve the benefits of blocking them, as in, to be spared their grating or endangering presence.

Well, Facebook goofed on that front. On Monday, the company admitted that it’s notifying over 800,000 users about a bug in Facebook and Messenger that unblocked some people they’d blocked. Facebook Chief Privacy Officer Erin Egan said in a Facebook newsroom post that the glitch was active between 29 May and 5 June.

She said that while someone who was unintentionally unblocked couldn’t actually see content shared with friends, they could have seen things posted to a wider audience: for example, pictures shared with friends of friends.

Read more at https://nakedsecurity.sophos.com/2018/07/04/facebook-accidentally-unblocks-people/

Someone else is reading your Gmails

By Danny Bradbury

Remember when privacy advocates used to worry about Google scanning your email? Well now they have another problem on their hands: real people reading them.

We’re not talking about Google employees. We’re talking about developers in third-party companies, and in some cases the developers in other organizations that those companies partner with.

Google has a history of tussling with people over email privacy. It scanned emails for years, using what it gleaned from the text to target users with personalized advertisements. As early as 2004, privacy activists were urging it to stop, and the company has battled lawsuits from disgruntled users since then.

A year ago, it partially caved, announcing that it would stop using content from its consumer Gmail service to personalize ads, bringing it in line with an existing policy for its business accounts.

That doesn’t mean that the company stopped automatically reading your mail, though. In fact, Google spokespeople confirmed in May that the company still uses email content to help drive a range of other services.

Earlier this week, the story took another turn after the Wall Street Journal reported that third-party developers can read the emails of millions of Gmail users.

Many companies develop apps that need access to your mail for processing purposes. An AI-driven assistant might ask to read your mails to automatically book appointments for you, say. Other apps that might want access to your email include itinerary planners that scan travel emails for appropriate details. Google made this easier to do in 2014 when it created APIs to help third party developers access Gmail accounts.

There was always a caveat. Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.

Read more at https://nakedsecurity.sophos.com/2018/07/04/someone-else-is-reading-your-gmails/