September 12, 2018

Vizio to send class notices through the TVs that spied on viewers

By Danny Bradbury

In a sign that we’re actually all living in a science fiction novel, millions of smart TVs may soon be forced to admit to viewers that they have been spying on them.

TV manufacturer Vizio is working on the feature to help satisfy a class action suit against it by disgruntled customers.

Back in 2015, investigative journalism site ProPublica revealed that Vizio’s smart TVs were just a little too smart for their own good. The TVs included a feature – switched on by default in 11 million devices – called ‘Smart Interactivity’, which tracked its customers’ viewing habits.

Vizio’s Inscape data services operation collected data including snippets of the programs that the viewers watched, along with the date, time, channel, and whether they were viewed live, or as recordings. It also gathered data on over-the-top services such as Netflix, along with data from DVDs and even streaming devices. In short, if you watched it on a Vizio TV, Vizio knew about it.

The company then linked that data to your IP address and sold the whole package to advertisers, who could then combine it with information about other devices associated with that IP address. So if, as most of us do, you connected your phone or your home computer to your home Wi-Fi network, advertisers could use your viewing data to serve you ads via those devices too.

The manufacturer, which was preening itself for an IPO at the time, argued that laws preventing cable TV companies from selling their customers’ viewing data didn’t apply to its business. In fact, it doubled down by using data brokers to append more information to its customers’ viewing data, including sex, age, income, marital status, household size, education level, home ownership, and household value. It then promoted “highly specific viewing behavior data on a massive scale with great accuracy” as a way to boost its margins for investors.

The company’s frankly anti-privacy stance got it into hot water. It was investigated by the Federal Trade Commission, which along with the New Jersey Attorney General made it agree to a $2.2m settlement in February 2017. Alongside the hefty fine, the federal court order forced the company to delete data collected before 1 March 2016, implement a privacy program, and to get explicit consent for its data slurping.

Read more at https://nakedsecurity.sophos.com/2018/09/12/vizio-to-send-class-notices-through-the-tvs-that-spied-on-viewers/

The rise of targeted ransomware

By Mark Stockley

Thanks to Peter Mackenzie of Sophos Support for his behind-the-scenes work on this article.

In the year since the “shock and awe” of WannaCry and NotPetya – outbreaks that spread globally in a matter of hours – ransomware has been making a lot less noise.

You’d be forgiven for thinking that it’s had its day, but reports of the demise of ransomware have been greatly exaggerated, as they say.

While cryptomining and cryptojacking have been sucking all the air out of the press room, a snowball that started rolling well before anyone had ever heard of WannaCry has been gathering pace and size.

The snowball is a trend for stealthier and more sophisticated ransomware attacks – attacks that are individually more lucrative, harder to stop and more devastating for their victims than attacks that rely on email or exploits to spread.

And they do it in a way that’s hard to stop and easy to reproduce.

WannaCry’s reliance on an exploit stolen from the NSA (the USA’s National Security Agency) made its success hard to replicate, and its promiscuous spread attracted the attention of law enforcement everywhere while leaving countless copies of the malware to be analysed by researchers and security companies.

The criminals behind targeted ransomware attacks have no such limits. They rely on tactics that can be repeated successfully, commodity tools that are easily replaced, and ransomware that makes itself hard to analyze by staying in its lane and cleaning up after itself.

And while the footprint of a targeted attack is tiny in comparison to an outbreak or spam campaign, it can extract more money from one victim than all of the WannaCry ransoms put together.

Targeted attacks can lock small businesses out of critical systems or bring entire organisations to a grinding halt, as a recent SamSam attack against the city of Atlanta showed.

Read more at https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/

Airbnb launches investigation after man finds hidden camera in clock

By Lisa Vaas

Do you really want to be the crazy guest who checks alarm clocks and coat hooks and smoke alarms and USB power plugs and lightbulbs and air fresheners and picture frames and wall outlets for hidden cameras when you check into an Airbnb?

Oh, YES.

On Thursday, Scottish traveler Dougie Hamilton was sitting there, staring at his Airbnb’s alarm clock, wondering whether he wanted to be that tinfoil hat kind of guest. After 10 minutes, he gave in to the weird feeling he was getting from that odd clock, which he says was wired like a phone charger.

As he told the Daily Record, he “felt a bit weird even thinking it” and kept telling himself “not to be daft. But there was just something.”

Oh yeah, there was something. There was, in the device that was pointed right at the open-plan bedroom, a hidden webcam:

I took the charger out of it and saw there was a lithium battery in the back. At this point, I slid the front facing off the clock and could see there actually was a camera.

Hamilton and his girlfriend, who didn’t want to be identified, had just checked into their Airbnb in Toronto. They were there for about 20 minutes, relaxing after a busy day in the city, before Hamilton noticed the clock.

I just happened to be facing this clock and was staring at it for about 10 minutes. There was just something in my head that made me feel a bit uneasy.

Hamilton and his travel companion didn’t know if the rental’s owner had been watching them, but given that the hidden camera was facing into the living area and the open-plan bedroom, he certainly could have seen whatever he wanted.

It just felt really creepy, and we didn’t want to stay.

We’re innocent-minded people, but the clock was facing where our bed was, and we thought it might be for something more sinister like a sex ring.

Hamilton immediately got in touch with Airbnb, which promised him that it would launch an urgent investigation. The service also told him that the host in question has six other properties that he rents out.

Read more at https://nakedsecurity.sophos.com/2018/09/11/airbnb-launches-investigation-after-man-finds-hidden-camera-in-clock/

Fetish app put users’ identities at risk with plain-text passwords

By Lisa Vaas

Whiplr is an iOS app that describes itself as “Messenger with Kinks.” Understandably, its kinkster users expect a good deal of care when it comes to the privacy of their accounts.

After all, nobody wants their breathy play/bondage/latex photos to be found and attached to their true identities by just anybody, as one reviewer on iTunes writes:

The app itself is wonderful. … I … love having photos I can keep secret until I wish to share them.

Unfortunately for such users, their secret photos – and their identities – were put at risk.

Engadget recently discovered a security failure when a user was asked to submit their password, username and email address in plain-text format to verify their account.

This is the data the app demanded:

Pursuant to our records, we have not identified an account associated with [your email address]. In order to enable us to exercise your request to receive access to your personal data, we kindly request the below information (please respond with the below to this email):

· The email address you registered with on Whiplr;

· Your username on Whiplr;

· Your password on Whiplr.

Asking people to send passwords in email completely bypasses safe password storage, and leaves them lying around in plain text where anyone with access to either the sender’s sent items or recipient’s inbox could find them.

Worse yet, Whiplr confirmed that it had been storing users’ passwords in plain text. Therefore, any hackers who might have breached Whiplr’s database potentially could have discerned users’ real identities, either through Whiplr itself or through social media if users were in the habit of password reuse.

A breach isn’t the only thing to worry about. If passwords are stored in plain text then they’re visible to any rogue employee who has access to the database.
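To make the difference concrete, here is an added example (not Whiplr's code, and the record layout, iteration count and token lifetime are this example's own choices) showing the plain-text storage the article describes beside a salted, iterated hash, and an email-token check that lets a service confirm who owns an account without ever asking the user to mail in a password:

```python
"""Plain-text versus salted, iterated password storage, plus an account
check that never needs the password at all.  Added example; not Whiplr's
code.  Record layout, iteration count and token TTL are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

# --- What the article describes: the password itself is the stored secret. ---
# Anyone who can read this table (attacker or rogue employee) gets every
# password, and with it every other site where the user reused it.
PLAINTEXT_DB = {}

def store_plaintext(username, password):
    PLAINTEXT_DB[username] = password          # the failure mode, verbatim

def verify_plaintext(username, password):
    return PLAINTEXT_DB.get(username) == password

# --- Hardened form: PBKDF2-HMAC-SHA256 with a per-user random salt. ---
ITERATIONS = 200_000      # assumption; raise as hardware gets faster
HASHED_DB = {}

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(record, candidate):
    """Recompute with the stored salt/iterations; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def store_hashed(username, password):
    HASHED_DB[username] = hash_password(password)

def verify_hashed(username, candidate):
    record = HASHED_DB.get(username)
    return record is not None and verify_password(record, candidate)

# --- Proving ownership of an account without asking for the password. ---
# Email the user a random single-use token; keep only its hash server-side,
# so a leaked token table is as useless as a leaked password-hash table.
TOKEN_TTL = 15 * 60                 # seconds; assumption
PENDING_TOKENS = {}                 # sha256(token) -> (username, expiry)

def issue_verification_token(username, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    PENDING_TOKENS[key] = (username, now + TOKEN_TTL)
    return token            # this is what goes in the email, not a password

def redeem_verification_token(token, now=None):
    """Return the username the token proves control of, or None."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING_TOKENS.pop(key, None)     # single use: gone after this
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None

if __name__ == "__main__":
    store_plaintext("alice", "correct horse")
    store_hashed("alice", "correct horse")
    print("plaintext table leaks:", PLAINTEXT_DB)
    print("hashed table leaks:   ", HASHED_DB)
    print("login ok: ", verify_hashed("alice", "correct horse"))
    print("login bad:", verify_hashed("alice", "Correct horse"))
    t = issue_verification_token("alice")
    print("token redeemed for:", redeem_verification_token(t))
    print("replay of same token:", redeem_verification_token(t))
```

Run as a script it prints both tables side by side: the plain-text one hands over the password, the hashed one exposes only a salt and a digest that has to be brute-forced per user. The verification flow is the part Whiplr's support email got wrong: a time-limited random token mailed to the registered address proves control of the account, and the server never sees or stores a password it did not already have.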

Read more at https://nakedsecurity.sophos.com/2018/09/11/fetish-app-put-users-identities-at-risk-with-plain-text-passwords/

Yikes: 1 in 5 employees share their email passwords with coworkers

By Maria Varmazis

19% of employees of small and medium-sized businesses (SMBs) share their passwords with coworkers or assistants, according to a recent survey by IT consultancy Switchfast.

Switchfast surveyed about 600 small businesses about how cybersecurity works, or doesn’t work, for them. It spoke to the C-suite level leaders of the business about their own habits, as well as the habits of their employees. Among its findings was the stat about employee password sharing.

One could imagine that in an SMB, this kind of shared password might be used for a crucial central piece of technology, like team remote fileshare or a customer service email account.

And, of course, it’s very convenient to share passwords. But as Mark Stockley wrote in his article 4 password mistakes small companies make and how to avoid them, there are huge downsides:

  1. If something bad happens you can’t tell who did it.
  2. It makes you more vulnerable to social engineering.
  3. It makes changing passwords too painful to bother with.
  4. Everyone with a password can cause maximum damage.
  5. You don’t know who else has your passwords.

On top of it all, those shared passwords are often weak – easily guessed, brute-forced, and/or possibly already compromised from an older data breach – so no matter what way you slice it, password sharing is risky for these small businesses and their customers.
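The "already compromised from an older data breach" part can be checked without handing the password to anyone. The following is an added example, not from the survey or the article: it flags a shared password as short, low-variety, a common word, or present in a breach corpus, and the breach lookup uses the k-anonymity range protocol of Have I Been Pwned's Pwned Passwords API (the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally). The "server" here is a constructed in-memory table with made-up counts so that it runs offline; the only real data point is that "dadada" appears in the article.

```python
"""Flag a shared password as guessable or already breached.  Added example,
not the article's or Switchfast's code.  The breach corpus and its counts
are constructed; the range lookup mirrors the HIBP k-anonymity API shape
(5-hex-char SHA-1 prefix in, 'SUFFIX:COUNT' lines out) as an assumption."""
import hashlib
import string

# Constructed stand-in for a breach corpus: password -> times seen.
_BREACH_CORPUS = {"password": 3_861_493, "Welcome1": 12_345,
                  "dadada": 1_203, "office2018": 41}

def _sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest().upper()

# Server-side index, built the way a range endpoint would serve it:
# 5-char prefix -> list of "SUFFIX:COUNT" lines.
_RANGE_INDEX = {}
for _pw, _count in _BREACH_CORPUS.items():
    _h = _sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def range_lookup(prefix):
    """Stand-in for GET /range/<prefix>; returns response lines (maybe none)."""
    return list(_RANGE_INDEX.get(prefix.upper(), []))

def breach_count(password, lookup=range_lookup):
    """Client side of the k-anonymity check: only 5 hex chars leave the
    client, and the full hash is matched locally against the range."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0

# Small constructed list of words nobody should build a password on.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

def password_findings(password, lookup=range_lookup):
    """Return the reasons a password is unsafe to share; empty means none found."""
    findings = []
    if len(password) < 12:
        findings.append("short")
    classes = sum(1 for cls in (string.ascii_lowercase, string.ascii_uppercase,
                                string.digits, string.punctuation)
                  if any(c in cls for c in password))
    if classes < 3:
        findings.append("low-variety")
    if password.lower().rstrip(string.digits) in COMMON:
        findings.append("common-word")
    seen = breach_count(password, lookup)
    if seen:
        findings.append(f"breached({seen})")
    return findings

if __name__ == "__main__":
    for pw in ("dadada", "Welcome1", "office2018", "Tr0ub4dor&3-not-in-corpus!!"):
        print(f"{pw!r}: {password_findings(pw) or 'no findings'}")
```

Swapping `range_lookup` for a function that actually fetches the range from the API is the only change needed for real use; the privacy property holds either way, because `breach_count` never sends more than the five-character prefix.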

Even folks at bigger firms make this easy mistake of reusing passwords: In 2016, Facebook’s Mark Zuckerberg had several of his own social media feeds hijacked, as they all used the same extremely guessable password, “dadada,” which was initially leaked via a LinkedIn data breach.

What’s also quite telling in this survey is that many of the C-level leaders reported bad habits at higher rates than their own employees — for example, 76% of the SMB leaders say they haven’t enabled multi-factor authentication, compared to 69% of SMB employees. (Here’s why 2FA is a good idea.)

Read more at https://nakedsecurity.sophos.com/2018/09/11/yikes-1-in-5-employees-share-their-email-passwords-with-coworkers/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation