October 1, 2018

Monero fixes major ‘burning bug’ flaw, preventing mass devaluation

By John E Dunn

The developers of Monero (XMR) call it the “burning bug” and they might never have done anything about it if an anonymous user hadn’t posed an awkward hypothetical question on the cryptocurrency’s subreddit last week.

What happens if I spend from a specific stealth address and then someone sends more to it? Are the funds inaccessible as the key image has already been used?

The query must have sounded naïve until the developers realized that this apparent non-expert had just confirmed a major flaw in the wallets used to transact Monero, a controversial cryptocurrency that is reportedly the world’s tenth most popular.

Funnily enough, it appears that the same issue was raised last year, when it met with a sort of “why would anyone do that?” response.

The TL;DR is that a software patch was issued to exchanges this week, on top of the v0.12.3.0 release branch as a source code pull request, which presumably they’ll apply promptly, assuming they’re on the mailing list and know about it.

As for the burning bug itself, it presents an interesting problem created by the use of stealth addresses, an anonymity concept used across the cryptocurrency world but one that has become especially important to privacy-sensitive Monero users.

Recipients of currency (merchants or exchanges) publish a stealth address, and anyone sending them currency must create their own one-time address for each payment, so that the many transactions arriving at the recipient are veiled from everyone on the blockchain except the recipient.
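The mechanism behind the question in the subreddit post can be shown with a small model. The following is an added example, not Monero’s code: `key_image` is a toy stand-in for the real key image (which is derived from the output’s private key, but is likewise fully determined by the one-time output key), the ledger enforces only the rule that a key image may appear once, and the duplicate-output check in `credited_balance_hardened` is the kind of wallet-side mitigation a fix would add, assumed here rather than taken from the Monero patch. The deposits and amounts are constructed.

```python
import hashlib

# Toy stand-in for Monero's key image. The real construction is I = x * H_p(P), where x is
# the one-time private key matching the output key P; the property that matters here is the
# same: the key image is fully determined by the output key, so two outputs that share P
# produce the same I.
def key_image(one_time_pubkey: bytes) -> bytes:
    return hashlib.sha256(b"key-image|" + one_time_pubkey).digest()


class Ledger:
    """Minimal model of the chain-wide double-spend rule: a key image may appear only once."""

    def __init__(self):
        self.spent_key_images = set()

    def try_spend(self, one_time_pubkey: bytes) -> bool:
        img = key_image(one_time_pubkey)
        if img in self.spent_key_images:
            return False          # rejected: this key image has already been used
        self.spent_key_images.add(img)
        return True


def credited_balance_naive(outputs):
    """Pre-fix wallet behaviour as the article describes it: every received output counts."""
    return sum(amount for _, amount in outputs)


def credited_balance_hardened(outputs):
    """Wallet-side check (assumed mitigation, not the Monero patch itself): count only the
    first output per one-time key and report any later duplicates as burnt."""
    seen = set()
    spendable = 0
    burnt = []
    for pk, amount in outputs:
        if pk in seen:
            burnt.append((pk, amount))
            continue
        seen.add(pk)
        spendable += amount
    return spendable, burnt


def simulate_burning(outputs):
    """Return (what a naive wallet credits, what the chain actually lets it spend)."""
    ledger = Ledger()
    credited = credited_balance_naive(outputs)
    spendable = sum(amount for pk, amount in outputs if ledger.try_spend(pk))
    return credited, spendable


# Constructed deposits: two payments deliberately aimed at the same one-time key b"P1",
# plus one normal payment. Real one-time keys are curve points, not short labels.
SAMPLE_OUTPUTS = [(b"P1", 10), (b"P1", 10), (b"P2", 5)]

if __name__ == "__main__":
    credited, spendable = simulate_burning(SAMPLE_OUTPUTS)
    print(f"naive wallet credits {credited}, chain lets it spend {spendable}")
    print("hardened wallet (spendable, burnt):", credited_balance_hardened(SAMPLE_OUTPUTS))
```

The naive wallet credits all three deposits, but the second payment to `b"P1"` can never be spent because its key image is identical to the first one, which is exactly the “funds inaccessible” case the poster asked about. The hardened scan reports the same spendable total the chain will honour and lists the burnt output separately, so an exchange could refuse to credit it.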

Read more at https://nakedsecurity.sophos.com/2018/10/01/monero-fixes-major-burning-bug-flaw-preventing-mass-devaluation/

Big Facebook data breach: 50 million accounts affected

By Anna Brading

Facebook has suffered a data breach affecting almost 50 million accounts. Another 40 million have been reset as a “precautionary step”.

What’s happened?

In a post on the site earlier today, Facebook’s VP of Product Management, Guy Rosen, said that the breach was discovered on Tuesday 25 September 2018.

Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.

Rosen says the vulnerability is now fixed.

We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.

Those affected will now have to log back into Facebook, and any apps that use Facebook Login.

Facebook has also turned off the “View As” feature while it investigates. This function allows you to see what a particular friend, or people you aren’t friends with, can see on your profile, such as old profile photos or posts.

Read more at https://nakedsecurity.sophos.com/2018/09/28/big-facebook-breach-50-million-accounts-affected/

WhatsApp cofounder: “I sold my users’ privacy”

By Lisa Vaas

WhatsApp cofounder Brian Acton has revealed that he left the Facebook-acquired company 10 months ago because Facebook wanted to do things that made him squirm. He told Forbes:

It was like, okay, well, you want to do these things I don’t want to do. It’s better if I get out of your way. And I did.

Yes, he did. He got way out of the way, leaving $850 million on the table because he left Facebook a year before his stock grants vested. He’s still worth $3.6 billion though.

The Forbes interview is the first time Acton has talked about his reasons publicly.

He did, though, wave this terse farewell to Facebook back when the Cambridge Analytica scandal hit.

That was his last Tweet.

So, what was it that made Acton join the rapidly inflating ranks of the Silicon Valley mea-culpa-rati? A group that now includes an ex-Reddit mogul who’s apologised for making the world “a worse place”, and the former Facebook president wringing his hands over the company’s exploitation of “a vulnerability in human psychology”.

Read more at https://nakedsecurity.sophos.com/2018/09/28/whatsapp-cofounder-i-sold-my-users-privacy/

Android password managers vulnerable to phishing apps

By John E Dunn

Researchers have discovered that several leading Android-based password managers can be fooled into entering login credentials into fake phishing apps.

Password managers can be used to create, store, enter and autofill passwords into apps and websites. As well as allowing users to maintain scores of strong passwords, password managers can also provide some defense against phishing: their autofill features will enter passwords on the sites they’re associated with (and those sites’ mobile apps), but not on fakes.

The University of Genoa and EURECOM’s study, Phishing Attacks on Modern Android, explores the difference between accessing a service through its mobile app and accessing it through its website on a desktop browser.

With desktop browsers, when a site is visited for the first time the password manager creates an association between its domain (verified by its digital certificate) and the credentials used to access it.

However, when somebody uses the website credentials to log in to an app, the process of verifying the app is more complicated and potentially less secure.

The main way password managers tell good apps from bad ones is by associating the website domain with the app’s package name, a metadata ID checked using static or heuristically generated associations.

The flaw is that package names can be spoofed – all the attacker has to do is create a fake app with the correct package name and the password manager will trust it enough to present the correct credentials.
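The difference between a package-name-only association and one that also pins the app’s signing certificate can be shown in a few lines. This is an added example, not code from the study or from any password manager: the hardened check uses the Digital Asset Links `assetlinks.json` format that a site can publish under `/.well-known/`, the certificate bytes, fingerprint and package name are constructed, and the example assumes the caller has already obtained the installed app’s signing certificate from the platform.

```python
import hashlib
import json


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate, in the colon-separated upper-case hex form used
    in assetlinks.json."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for certificates (real ones are DER-encoded X.509 blobs).
GENUINE_CERT = b"constructed: genuine bank app signing certificate"
ATTACKER_CERT = b"constructed: attacker's self-signed certificate"

# Constructed assetlinks.json as the site would publish it at
# https://example.com/.well-known/assetlinks.json (Digital Asset Links format).
ASSETLINKS_JSON = json.dumps([{
    "relation": ["delegate_permission/common.get_login_creds"],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.bank",
        "sha256_cert_fingerprints": [cert_fingerprint(GENUINE_CERT)],
    },
}])


def parse_assetlinks(text: str) -> dict:
    """Map package name -> set of permitted signing-cert fingerprints, keeping only
    statements that delegate login credentials to an Android app."""
    allowed = {}
    for statement in json.loads(text):
        target = statement.get("target", {})
        if ("delegate_permission/common.get_login_creds" not in statement.get("relation", [])
                or target.get("namespace") != "android_app"):
            continue
        fps = allowed.setdefault(target["package_name"], set())
        fps.update(target.get("sha256_cert_fingerprints", []))
    return allowed


# Weak association, as the article describes it: domain -> package name only.
WEAK_ASSOCIATIONS = {"example.com": "com.example.bank"}

# Hardened association: domain -> parsed asset links (package name AND certificate).
HARDENED_ASSOCIATIONS = {"example.com": parse_assetlinks(ASSETLINKS_JSON)}


def weak_autofill_allowed(domain: str, app: dict) -> bool:
    """Autofill decision keyed on the package name alone."""
    return WEAK_ASSOCIATIONS.get(domain) == app["package"]


def hardened_autofill_allowed(domain: str, app: dict) -> bool:
    """Autofill decision that also requires the app's signing certificate to be one the
    site has published for that package."""
    permitted = HARDENED_ASSOCIATIONS.get(domain, {}).get(app["package"])
    if not permitted:
        return False
    return cert_fingerprint(app["signing_cert"]) in permitted


# Two installed apps with the same package name; only the signing certificate differs.
GENUINE_APP = {"package": "com.example.bank", "signing_cert": GENUINE_CERT}
FAKE_APP = {"package": "com.example.bank", "signing_cert": ATTACKER_CERT}

if __name__ == "__main__":
    for name, app in (("genuine", GENUINE_APP), ("fake", FAKE_APP)):
        print(name, "weak:", weak_autofill_allowed("example.com", app),
              "hardened:", hardened_autofill_allowed("example.com", app))
```

The package name is free text that any developer can declare, so `weak_autofill_allowed` accepts both apps. The signing certificate cannot be copied without the developer’s private key, so `hardened_autofill_allowed` accepts only the genuine app and also refuses a domain that has published no asset links at all.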

Read more at https://nakedsecurity.sophos.com/2018/09/28/mobile-password-managers-vulnerable-to-phishing-apps/

Power to the people! Google backtracks (a bit) on forced Chrome logins

By Paul Ducklin
Even the mighty, all-seeing EoG (eye of Google) can’t always predict how its users are going to feel about new features that are so “obviously” cool that they get turned on by default.

Here at Naked Security, we’ve always favored opt in, where new features really are so nice to have that users can’t wait to enable them, rather than opt out, where users get the choice made for them and can’t wait to find out how to undo it.

So, we weren’t surprised that there was quite some backlash from Google Chrome users when the latest update to the world’s most widely-used browser changed the way that logging in worked.

As we reported earlier this week:

Users were complaining this week after discovering they’d been logged in to Google’s Chrome browser automatically after logging into a Google website.

In the past, by default, logging into Gmail and Chrome were two separate actions – if you fired up Chrome to read your Gmail, you wouldn’t end up logged in to Chrome as well.

You could choose to enable what’s often referred to as single sign-on, but it wasn’t out-of-the-box behavior.

But Google – surprise, surprise – figured that what it calls “sign-in consistency” would be such a great help (to Google, if not necessarily to you) that it started doing a sort of single sign-on by default, instead of treating your various Google accounts separately.

Read more at https://nakedsecurity.sophos.com/2018/09/28/power-to-the-people-google-backtracks-a-bit-on-forced-chrome-logins/

Robocallers slapped with huge fines for using spoofed phone numbers

By Lisa Vaas

Wednesday was a busy day for the Federal Communications Commission (FCC) when it comes to putting some pecuniary hurt on marketing companies for illegally spoofing millions of calls.

One of the fines – a proposed one – was a first for the Commission, in that it’s the first major enforcement action against a company that apparently “commandeered consumers’ phone numbers,” the FCC said in its announcement.

The FCC is looking to penalize Affordable Enterprises of Arizona for more than $37.5 million for what it says are more than 2.3 million illegally spoofed robocalls that pretended to be from consumers’ phone numbers.

Affordable Enterprises was at it for 14 months, starting in 2016. Its shtick was to sic its robots on unsuspecting people in order to telemarket home improvement and remodeling services.

The calls were spoofed to look like they came from phone numbers that had nothing to do with the telemarketer. The calls also appeared to come from unassigned phone numbers and numbers assigned to pre-paid “burner” phones, the FCC said. The caller ID was spoofed in every one of the millions of calls, making it impossible to identify who was actually calling.

The FCC pointed to one poor soul whose phone number was hijacked in order to make those calls. The Arizona woman said she received more than five calls a day on her cell phone, all coming from irate people complaining about the telemarketing calls they got from “her” phone number. In fact, they were from Affordable Enterprises, records showed.

The FCC said:

Such calling tactics harm both the consumers receiving the deceptive calls and those whose numbers are essentially commandeered by the telemarketer.

The FCC notes that the Truth in Caller ID Act prohibits spoofing when it comes to “transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongly obtain anything of value.”

Read more at https://nakedsecurity.sophos.com/2018/09/28/robocallers-slapped-with-huge-fines-for-using-spoofed-phone-numbers/

Firefox Monitor starts tracking breached email addresses

By John E Dunn

After a summer of testing, Mozilla has formally launched Firefox Monitor, a privacy-engineered website that hooks up to Troy Hunt’s Have I Been Pwned? (HIBP) breach notification database.

The site – which despite the Firefox tag is open to anyone – can be used either to check an email address against known breaches, or to register for breach notification should that address be detected in future breaches logged by HIBP.

Both of these things can already be done from the main HIBP website, which begs the question: What does Firefox Monitor do that HIBP doesn’t?

There are several answers, the first of which is that connecting HIBP to a site run by and branded under the Firefox name will promote breach checking and notification to a larger audience.

Expanding the numbers signing up for notification from the hundreds of thousands to the millions would be a major advance for breach detection, not least because HIBP has a record of detecting breaches before some breached companies do (the Disqus breach of 2012, for example).

The earlier a user hears that their email address is part of a breached cache of data, the sooner they can change their password. Until HIBP, that might have been years after the address entered the public domain – or perhaps never.

A second reason has to do with Mozilla’s interest in integrating breach notification into the Firefox browser itself, a logical next step which has already been taken by the password management tool 1Password.

Read more at https://nakedsecurity.sophos.com/2018/09/27/firefox-monitor-starts-tracking-breached-email-addresses/
