September 13, 2018

California bill regulates IoT for first time in US

By Danny Bradbury

California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post.

The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices.

The legislation says:

“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

What does ‘reasonable security feature’ mean? The legislation goes on to define it explicitly: If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (so, no more default login credentials), or a way to generate new authentication credentials before accessing it for the first time.

Read more at https://nakedsecurity.sophos.com/2018/09/13/california-bill-regulates-iot-for-first-time-in-us/

Update now! Microsoft’s September 2018 Patch Tuesday is here

By John E Dunn

Patch Tuesday is upon Windows users once again, delivering fixes for 61 security flaws, including one confirmed zero day, several vulnerabilities in the public domain, and the now-standard Adobe Flash vulnerability to remind everyone they should stop using it.

There are several ways to cut every Patch Tuesday, but the headline vulnerabilities are usually the best place to start: 61 CVEs, 17 flaws rated as critical, and a flaw affecting Adobe Flash Player.

ALPC zero day

The standout this month is CVE-2018-8440, a system-compromising issue in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) function, revealed on 27 August by someone on Twitter using the ID SandboxEscaper, complete with a GitHub proof-of-concept.

By early September an in-the-wild exploit had been spotted. Security company Acros Security quickly issued its own micropatch for the flaw, although only for Windows 10 64-bit version 1803.

A limitation is that the attacker would need to be logged in to the affected system locally, but as that could easily happen using a malicious attachment, this one needs immediate attention.

Public flaws

According to Microsoft, three other flaws are in the public domain, with the biggie being CVE-2018-8475 – a critical-rated remote code execution (RCE) in the Windows Graphics Component that could allow an attacker to compromise a system simply by getting a user to view an image file.

Read more at https://nakedsecurity.sophos.com/2018/09/13/update-now-microsofts-september-2018-patch-tuesday-is-here/

Microsoft purges 3,000 tech support scams hiding on TechNet

By John E Dunn

Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking.

According to Cody Johnston, the self-styled ad hunter who reported the issue to Microsoft, until a few days ago Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet:

“I was able to find a total of 3,090 results, ranging back to August 2018. Twelve new ones have been created in the last week.”

After he reported the problem to Microsoft, the ads were taken down within 24 hours, he said on Twitter.

However, within hours new ads quickly replaced the deleted ones on the same domains, which brings home the scale of Microsoft’s content monitoring challenge.

How is this possible?

Finding the ads wasn’t hard, requiring a custom Google search that anyone could run. So why didn’t Microsoft notice the issue and react sooner? Probably because it didn’t anticipate how quickly this can become a problem – and it doesn’t appear to be the only one caught napping.

Read more at https://nakedsecurity.sophos.com/2018/09/12/microsoft-purges-3000-tech-support-scams-hiding-on-technet/

Beware: WhatsApp scammers target children with ‘Olivia’ porn message

By Lisa Vaas

Somebody calling themselves “Olivia” is sending WhatsApp messages to kids, claiming to be from a friend of a friend who has a new phone number. However, she soon cuts the small talk short and starts sending links to porn sites.

Last week, British police in Cheshire asked parents to check their kids’ messages if they use the app.

Read more at https://nakedsecurity.sophos.com/2018/09/12/beware-whatsapp-scammers-target-children-with-olivia-porn-message/

Younger Facebook users 4 times more likely to delete app, study shows

By Lisa Vaas

Post-Cambridge Analytica, Facebook users have been taking a break from their relationship with the “we didn’t know what all those scampy apps were doing with our users’ data!” platform.

According to a new study from the Pew Research Center, 42% of adult users – those 18 and older – have taken a break from checking the platform, for several weeks or more.

The survey, conducted from 29 May to 11 June, asked 4,594 people just how much arm’s-length they’ve been holding Facebook at. If you’ve been following the news…

…wait, scratch that. Unless you’ve been on sabbatical for the past few months – say, vacationing in the Mariana Trench – you can’t have missed the news that’s been boiling around Facebook, what with some 50 million users getting their personal data scraped by psychographic tests (whether they’d agreed to it or not), CEO Mark Zuckerberg getting dragged in front of Congress to answer some pointed questions about that and how Russians played hacky-election-sack with the platform, and a rash of fines that may well hit it as a result of data slurping.

Given all that, you might imagine that users have been like rats jumping the sinking Facebook ship. And indeed, the Pew Research Center study found that 54% of adults have adjusted their privacy settings in the past 18 months.

Read more at https://nakedsecurity.sophos.com/2018/09/12/younger-facebook-users-4-times-more-likely-to-delete-app-study-shows/
