August 13, 2018

How one man could have hacked every Mac developer (73% of them, anyway)

By Paul Ducklin

Here’s a cool fact: Macs run Unix.

OK, in some ways that’s only very loosely true, when you think of all the non-Unixy stuff on top of the Darwin base layer, and we welcome your comments below to explain just how carelessly loose we have been…

…but Macs are Unix computers – in fact, they’re UNIX computers – at least if they’re running a currently supported macOS, and that means lots of cool, useful, well-known and powerful tools for sysadmins, developers and power users, preinstalled and ready to go.

Here’s an eclectic, alphabetically-ordered subset of the utility programs that arrive on every brand new Mac, taken from the /usr/bin directory.

If Perl and Ruby don’t @float your $boat (language-war comments below, please, no need to hold back), you can also choose from other open-source programming languages such as Java, PHP, Python and Tcl.

Despite all this ready-to-go choice, however, Mac developers miss the ease with which their Linux chums can grab additional open source software packages.

Linux distros famously come with one or more package managers that can be told, with a single command in a terminal window, to call home, find the latest version of super-useful toolkit X, fetch it and install it.

No need to hunt down the X project online, find the right fork, identify the latest version, download the source code, inspect it, apply any needed tweaks, configure it, compile it, and install it.

Read more at https://nakedsecurity.sophos.com/2018/08/10/how-one-man-could-have-hacked-every-mac-developer-73-of-them-anyway/

Comcast Xfinity web flaws exposed customer data

By John E Dunn

There is no comfortable way for an organization to learn that its website is leaking customer data but one of the most alarming must surely be getting that bad news from a journalist.

This is what appears to have happened to US communications giant Comcast Xfinity, which has had to patch two significant web vulnerabilities after Buzzfeed News learned of the issues from researcher Ryan Stevenson.

Flaw #1

The first was found on the in-home authentication page through which customers can pay bills without the inconvenience of having to log in.

It seems the company authenticated users by asking them to choose their home address from one of four possibilities, selected by looking at one of the headers added to the HTTP request.

The HTTP header used to “identify” the user contained their public-facing Comcast IP address – data that isn’t suitable to use as a secret identifier.

An attacker who knew your IP number could therefore insert it into their own web requests, and keep refreshing the identification page – each time they refreshed, the list of home addresses returned would include your address plus three randomly chosen other addresses.

The address that showed up every time would, rather obviously, be yours – the attacker wouldn’t even need to guess and risk getting locked out.
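To quantify the risk in the flaw described above, here is an added Python simulation (not code from the article, Comcast, or the researcher) that models the address-picking page fed by an attacker-controlled IP header and counts how many refreshes the decoy addresses survive; the addresses, pool size and random seed are constructed assumptions.

```python
import random

# Constructed sample data (not from the article): a victim address and a pool of decoys.
VICTIM = "123 Example Street, Anytown"
DECOY_POOL = [f"{n} Sample Avenue, Anytown" for n in range(1, 1001)]


def weak_address_challenge(victim_address, rng, decoys=3):
    """Model of the flawed flow: the server looks up the address tied to the
    client-supplied IP header, pads it with random decoys, shuffles, and asks
    the client to pick. The header is attacker-controlled, so the only thing
    hiding the victim is the decoys."""
    options = [victim_address] + rng.sample(DECOY_POOL, decoys)
    rng.shuffle(options)
    return options


def candidates_after_refreshes(victim_address, refreshes, decoys=3, seed=0):
    """Intersect the option lists returned by repeated refreshes. The victim's
    address is the only element present every time, so the intersection
    collapses to it; this quantifies why decoys are not a security control."""
    rng = random.Random(seed)
    candidates = None
    for _ in range(refreshes):
        options = set(weak_address_challenge(victim_address, rng, decoys))
        candidates = options if candidates is None else candidates & options
    return candidates


def refreshes_to_identify(victim_address, decoys=3, seed=0, max_refreshes=50):
    """Number of refreshes until exactly one candidate remains, or None."""
    for n in range(1, max_refreshes + 1):
        if len(candidates_after_refreshes(victim_address, n, decoys, seed)) == 1:
            return n
    return None


if __name__ == "__main__":
    # Even a much larger decoy list only delays identification by a few refreshes.
    for decoys in (3, 20, 100):
        print(decoys, "decoys ->", refreshes_to_identify(VICTIM, decoys), "refreshes")
```

The only real fix is to stop treating a request header the client can set as proof of identity; padding the page with more decoys merely raises the refresh count by a handful.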

Read more at https://nakedsecurity.sophos.com/2018/08/10/comcast-xfinity-web-flaws-exposed-customer-data/

15,000-strong army of Twitter robots found spreading cryptocurrency spam

By Lisa Vaas

Twitter may be fighting the bot battle, but it’s still got plenty of multi-legged e-millipedes crawling around its ecosystem.

That was evidenced by a large, cryptocurrency scam-spewing collection of robot accounts – at least 15,000 of them – found by Duo Security researchers while they were conducting a three-month study.

The researchers announced the find on Wednesday at the Black Hat security conference.

The bots in this case were aimed at parting you from your precious cryptocoins with bogus posts – posts of the #Blockchain #Crypto #tokens #bitcoin #eth #etc #loom #pundix #icx #ocn #nobs #airdrop #ICO #Ethereum #giveaway type.

Of course, Twitterbots can be useful: they help keep weather, sports and other news updated in real-time, and they can help find the best price on a product or track down stolen content.

Bad bots, however, are the bane of Twitter’s existence.

For example, Twitter has recently purged tens of thousands of accounts associated with Russia’s meddling in the 2016 US presidential election.

More recently, in June, Twitter described how it’s trying to fight spam and malicious bots proactively by automatically identifying problematic accounts and behavior.

Read more at https://nakedsecurity.sophos.com/2018/08/10/15000-strong-twitter-robot-army-found-spreading-cryptocurrency-spam/

Facebook ‘regrets’ balloons and confetti triggered by earthquake posts

By Lisa Vaas

Does your stomach churn a little when your Facebook post triggers saccharine animations of popping hearts or confetti and balloons?

That’s nothing. The let’s-festoon-everything-with-glee impulse got Facebook into trouble this week: it pulled the animated confetti-and-balloons shtick on posts from people reporting that they had survived a 6.9 magnitude earthquake that killed at least 259 people and left some 150K homeless on the Indonesian island of Lombok on Sunday.

The death toll will rise. The BBC reports that as of Thursday, rescue workers were still digging people out of the rubble.

Facebook has apologized for survivors’ “I’m safe” messages triggering the celebratory animations. The misstep comes out of a bungled translation of the word “selamat,” which in Indonesian can mean “to survive” or “congratulations.”

Herman Saksono, an Indonesian computer science PhD student at Northeastern University in Boston, noticed the inappropriate Facebook action over the weekend and tweeted out a screen capture that shows the word highlighted in red as it triggers the inappropriately gleeful animation.

Read more at https://nakedsecurity.sophos.com/2018/08/10/facebook-regrets-balloons-and-confetti-triggered-by-earthquake-posts/

Google to warn companies targeted in government-backed attacks

By Maria Varmazis

Is your company running G Suite? If so, from August you’ll have the option to enable alerts if Google suspects government-backed hacking attempts on any of your accounts.

Since 2012, Google has been alerting individual Google account users if it suspects their account has been targeted by government-backed attackers using any number of phishing- or malware-based methods (malicious attachments, scripts embedded in files, dodgy links). This August update now offers these alerts to G Suite administrators as well, so they can take action to protect their users.

In the case of suspected government-backed activity on an organization’s G Suite account, an email alert would go directly to the G Suite super admins – not the user. From there, the admins can then choose what to do with that information: Bolster security on that user’s account, share the information with other team members, and/or warn the user directly.

Google notes that “less than 0.1% of all Gmail users” receive a notification of potential government-backed attacks on their accounts, and the notification is not sent in real-time. Google also takes pains to note that:

  1. Their suspicion of an attack could very well be a false alarm.
  2. Google will not name the specific methods they’ve detected that could be triggering the alarm.
  3. Google will not attempt to attribute the attack to any party, government or nation.

In any case, since the notifications are light on details and aren’t sent in real-time, users and admins alike may be left scratching their heads wondering what exactly triggered this warning. This could be frustrating for G Suite administrators who might want this information to understand what kinds of targeted attacks are coming their organization’s way. However, Google argues that the end result is the same regardless of whether you’re a user or an admin: Take additional precautions to secure user accounts.

Read more at https://nakedsecurity.sophos.com/2018/08/09/google-to-warn-companies-targeted-in-government-backed-attacks/

“Attack” on FCC over net neutrality was legitimate traffic, report says

By Lisa Vaas

Oh, that poor, poor, net neutrality commenting system. If it wasn’t HBO’s John Oliver unleashing his flying monkeys on the Federal Communications Commission (FCC) – him with that site of his, giving people an actual, direct, non-convoluted way to get to the spleen-venting comments page – it was those gosh-darned distributed denial of service (DDoS) attacks.

As you may recall, in May 2017, the FCC was advancing its plan to curtail the USA’s net neutrality rules when Oliver served up an epic 19-minute rant inciting vast mobs of internet users to rise up and demand that the FCC get out of their faces.

At the height of the net neutrality debate, the commenting system struggled under the strain of responding to the mighty onslaught of visitors, leaving people stuck stewing in that spleen for a few days. At the time, FCC CIO Dr. David Bray blamed the bombardment on all those nasty hackers:

These were deliberate attempts by external actors to bombard the FCC’s comment system… While [it] remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments.

Yes. Well. So. Anyway. About those DDoS attacks.

On Monday FCC Chairman Ajit Pai issued a statement ahead of an FCC Office of Inspector General (OIG) report that found no evidence of DDoS attacks.

Read more at https://nakedsecurity.sophos.com/2018/08/09/attack-on-fcc-over-net-neutrality-was-legitimate-traffic-report-says/
