September 4, 2018
Hollywood accuses itself of piracy
By Lisa Vaas
“Hey!” Hollywood studios are saying to those darn IMDb “pirates:” “Those listings of our own work look suspiciously like our own work!”
As Torrent Freak reports, it’s not Sony Pictures Television, National Geographic or Columbia Pictures’ copyright lawyers that have spontaneously developed dementia, per se. Rather, it’s the armies of “largely automated” bots they deploy each day to scour the internet for references to pirated content.
The result: a slew of bone-headed DMCA notices have been sent out to perfectly legitimate sites, including IMDb, which stands for Internet Movie Database and contains a wealth of information about films, TV programs, video games, and internet streams, including cast, production crew and personnel biographies, plot summaries, trivia, and fan reviews and ratings. It is, in short, the holy scriptures of film, yet because of buggy bots, it’s being treated as a copyright-infringing ragamuffin.
After the bots spot piracy, they report the links to various online services, including Google. It works fine, except when it doesn’t.
Last month, bots with bugs started to wheeze. As Torrent Freak reported, even its own publication was targeted with takedown notices, along with several other sites that cover censorship-related issues. Multiple Hollywood studios have thus been inadvertently asking Google to remove IMDb listings of their own work, according to the publication.
Read more at https://nakedsecurity.sophos.com/2018/09/04/hollywood-accuses-itself-of-piracy/
Google Ads cracks down on tech support scammers
By John E Dunn
Remember Google’s boast earlier this year that it took down 3.2 billion bad ads during 2017?
A few months on and the company has now admitted its systems for detecting one especially tenacious form of malevolent ad – those pushing tech support scams – need a lot more help.
In an announcement late last week, Google said that in future, any company wanting to advertise technical support services would have to pass manual verification checks first.
Assuming this resembles Google Ads’ established advanced verification system, this means that tech support is about to join other abused services such as payday loans and locksmiths on the league table of suspicion.
Presumably, Google has been using some form of automated ad checking, but this hasn’t worked. It’s not hard to imagine how this could go wrong. Wrote Google’s director of product policy, David Graff:
As the fraudulent activity takes place off our platform, it’s increasingly difficult to separate the bad actors from the legitimate providers.
Which is to say that when Google accepts paid ads, it has no quick way of knowing whether they’re honest because users who fall victim to scammers can’t feed that fact back to them.
Read more at https://nakedsecurity.sophos.com/2018/09/04/google-ads-cracks-down-on-tech-support-scammers/
Firefox to start blocking ad-tracking by default
By John E Dunn
Mozilla has announced plans to tweak Firefox’s privacy controls so that advertising trackers will be blocked by default. Trackers, it is often said, compromise privacy and have a big negative impact on performance, and yet browser makers have often seemed unable or unwilling to put blocks in place.
It’s a phenomenon that has driven a growing number of internet users to start using adblockers and privacy plug-ins, but many of these have commercial interests of their own that allow some advertising systems to continue their activities.
It certainly makes sense to do the ad-control from within the browser itself, but this is not offered by all browser makers, and where it is, it is usually not turned on by default.
Performance and cross-site tracking
Future versions of Firefox will assume the user wants tracking controls turned on, starting with version 63 in September, which will automatically block slow-loading trackers of the sort that bog down page loading speeds.
From version 65 in January, the same will apply to cross-site trackers, a spying technique advertisers use to ‘follow’ users from site to site while building profiles based on their activity.
Read more at https://nakedsecurity.sophos.com/2018/09/03/firefox-to-start-blocking-ad-tracking-by-default/
‘Sick sadist’ admits to trolling dead people on social media
By Lisa Vaas
Yes, said a 38-year-old troll in the UK: he does deserve jail time, admitting to making Facebook posts falsely calling a tragically killed 20-year-old university student a “sex worker” and “prostitute”, among similarly offensive lies about others.
The South East Northumberland Magistrates’ Court heard on Thursday that the admitted troll – Paul Hind, from Westacres in Wark – posted offensive material about four people to Facebook, according to The Telegraph.
One of his high-profile targets was Olivia Burt, a Durham University student who died of head injuries in February when she was trapped under a fence in a crush of people outside of Durham’s Missoula nightclub.
Beyond calling the dead woman a prostitute, Hind also doctored one of her images and posted pictures of children who were “clearly terminally ill” on her Facebook page on 20 April.
Sky News reports that Ms. Burt’s father, Nigel, called Hind’s trolling a “desecration” of his daughter’s memory. He told the court that the posts had made him and Ms. Burt’s mother “physically sick” even after they’d been removed and that the perpetrator must be a “sick sadist”:
The person who carried out this trolling can only be described as a sick sadist who knows that they are adding to our anguish and gets enjoyment out of this.
Even though the Facebook posts have now gone, we keep expecting them to reappear on some other social media platform.
This is causing us continuing anxiety and distress.
Hind also admitted to targeting a tribute page for Hannah Witheridge, a 23-year-old who was killed on the Thai island of Koh Tao in 2014.
Another target was Joe Tilley, a 24-year-old reality star who was found dead at the bottom of the Fin del Mundo waterfall in Colombia in May. Hind’s fourth target was 19-year-old Duncan Sim, a Scottish college student whose remains were found at West Sands in St Andrews in June.
Read more at https://nakedsecurity.sophos.com/2018/09/03/sick-sadist-admits-to-trolling-dead-people-on-social-media/
Chrome: Flash is almost, almost, almost dead
By Maria Varmazis
If you use Google’s Chrome browser after 4 September, the latest update will make it even harder to use in-browser Adobe Flash.
Starting with Chrome update 69, the browser will require users to explicitly enable Flash every single time they want to use it. Chrome will no longer remember this preference between sessions, so every time a user hits a site that uses Flash, they’ll have to say “yes, I really want to enable this extension.”
If it sounds annoying, it absolutely is, and that’s by design. This is just another step on the timeline that Chrome and many other browsers have set upon to slowly, slowly wean the public off Flash in anticipation of Adobe’s official plan to end support for the plugin by 2020.
Flash may have been the plugin of choice some time ago for fun in-browser games and interactive features, but it was also the go-to plugin for many attackers, as it was notoriously vulnerable to exploitation.
Read more at https://nakedsecurity.sophos.com/2018/09/03/chrome-flash-is-almost-almost-almost-dead/
Possible Satori botnet hacker indicted by Feds
By Danny Bradbury
A 20-year-old man has been indicted for computer crimes by a federal court in Alaska. Evidence suggests that he could be linked to the Satori botnet that exploited a previously unknown bug in a Huawei router. If so, one of the most virulent botnets in recent times might have been engineered not by a sophisticated organized criminal or nation state actor, but by a relatively inexperienced dabbler who happened across a zero-day vulnerability.
Kenneth Currin Schuchman of Vancouver, Washington, has been indicted in an Alaskan federal court on two charges. Firstly, from August through November 2017, he allegedly:
Knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to protected computers; the offense caused damage affecting 10 or more protected computers during a 1-year period.
The second charge mirrors the first but focuses on a specific unnamed victim. Both of these offenses happened in Alaska, the indictment alleges.
Possible Satori link
Reporting by the Daily Beast speculates that Schuchman may have created the Satori botnet. This botnet, also tracked as Okiru, was identified in the wild on November 23, 2017, exploiting a zero-day vulnerability in Huawei HG532 routers.
Read more at https://nakedsecurity.sophos.com/2018/09/03/possible-satori-botnet-hacker-indicted-by-feds/
Google quietly bought Mastercard credit and debit card records
By Lisa Vaas
It’s common knowledge that Google knows when we click on ads. But now, it also knows what we buy in brick-and-mortar shops, due to a previously unreported deal it cut with Mastercard to get our transaction histories, Bloomberg has discovered.
The offline credit card spending data, which anonymous Google insiders said cost millions of dollars, gives Google an unprecedented advantage over competitors such as Amazon, by helping it track users’ offline spending in stores.
The deal hasn’t been made public. The two companies reportedly hammered it out over the course of four years, according to four people with knowledge of the agreement, three of whom worked directly on it.
Mastercard has denied suggestions that the data could be used to identify exact purchases, but the Open Rights Group told the BBC that the confidential nature of the deal raises privacy issues.
Open Rights Group legal director Myles Jackman wondered – given that Google can now tell advertisers that people’s clicking on ads led to actual store sales – whether the company will cut any of those people in on the profit:
This raises serious concerns regarding the use of private financial data. Will Mastercard be compensating their clients for the data they have given away to Google for their own financial gain?
Don’t count your micropayments before they microhatch: The answer, of course, is that it will likely be a cold day in retail hell before that happens.
Christine Bannan, counsel with Electronic Privacy Information Center (EPIC), told Bloomberg that this is surprising news for consumers, and it’s not coming with enough context regarding what’s being done with our data or what we can do about it:
People don’t expect what they buy physically in a store to be linked to what they are buying online. There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.
At any rate, both Mastercard and Google are claiming that shoppers’ individual details aren’t being tied to the buying profiles.
Read more at https://nakedsecurity.sophos.com/2018/09/03/google-quietly-bought-mastercard-credit-and-debit-card-records/