You don’t have to sequence your DNA to be identifiable by your DNA

By Lisa Vaas

In April, the power of online genealogy databases to help track down and identify people became clear.

That’s when police arrested Joseph James DeAngelo on suspicion of being the Golden State Killer: the man allegedly responsible for more than 50 rapes, 12 murders and more than 120 burglaries across the state of California during the 70s and 80s.

Investigators had collected and stored DNA samples from the crime scenes over the years. They ran the genetic profile they derived from those samples through an online genealogy database and found it matched with what turned out to be distant relatives – third and fourth cousins – of whoever left their DNA at the crime scenes.

Getting a match with the database’s records helped investigators to first locate DeAngelo’s third and fourth cousins. The DNA matches eventually led to DeAngelo himself, who was arrested on six counts of first-degree murder.

It wasn’t that DeAngelo submitted a DNS sample to any one of numerous online genealogy sites, such as 23andMe or AncestryDNA. Rather, it was relatives with genetic makeups similar enough to whoever left their saliva on something at a crime scene who made the search possible.

The more people who submit DNA samples to these databases, the more likely it is that any of us can be identified. According to new research published in Science Magazine, the US is on track to have so much DNA data on these databases that 60% of searches for individuals of European descent will result in a third cousin or closer match, which can allow their identification using demographic identifiers.

Read more at https://nakedsecurity.sophos.com/2018/10/18/you-dont-have-to-sequence-your-dna-to-be-identifiable-by-your-dna/

Twitter publishes data on Iranian and Russian troll farms

By Lisa Vaas

A few weeks ahead of mid-term elections in the US, as social media platforms try to plug leaks that let in waves of meddling and propaganda that soaked the country in 2016, Twitter on Wednesday released all the tweets, images and videos it believes have been planted by “state-backed information operations.”

In other words, Russian and Iranian troll farms.

Researchers can get the massive datasets at Twitter’s Election Integrity hub.

The two datasets comprise more than 10 million public, non-deleted tweets, two million images and videos, and thousands of accounts linked to operatives based in Russia and Iran. Many of the accounts have previously been reported.

The Russia-linked dataset contains accounts created by the Russian government-linked propaganda factory known as the Internet Research Agency (IRA).

It also contains a lot more personality, according to Ben Nimmo, a senior fellow at the Atlantic Council’s Digital Forensic Research Lab (DFRLab) who got a sneak peek at the data before the sets were published.

Both regimes put a huge amount of effort into churning out propaganda: The Iranian troll farm employed 770 users and put out one million tweets, while Russia’s 3,841 accounts posted nine million tweets.

Read more at https://nakedsecurity.sophos.com/2018/10/18/twitter-publishes-data-on-iranian-and-russian-troll-farms/

Weirdo Twitter messages were a glitch, not a hack

By Lisa Vaas

Were you one of the dozens of people who got a bizarre Twitter message yesterday?

The messages were a long string of what looked like random numbers and letters. They were so mystifying that even Twitter CEO Jack Dorsey himself was like, whaaa?

Naturally enough, recipients assumed that the messages were the probably result of…

1. A disturbance in the Matrix,
2. The End of Days,
3. Kanye West’s new password,
4. What started as a coded mathematical declaration before the sender fell down the stairs,
5. Encrypted messages from Numbers Stations whose senders forgot to include creepy-sounding chains of dispassionately enunciated letters or numbers, sometimes 24 hours a day, from high-powered shortwave transmitters, or
6. Those darn hacking Russians.

It was, in fact, none of the above.

Read more at https://nakedsecurity.sophos.com/2018/10/17/weirdo-twitter-messages-were-a-glitch-not-a-hack/

Serious SSH bug lets crooks log in just by asking nicely…

By Paul Ducklin

 

Big, bad, scary bug of the moment is CVE-2018-10933.

This is a serious flaw – in fact, it’s a very serious flaw – in a free software library called libssh.

The flaw is more than just serious – it’s scary, because it theoretically allows anyone to log into a server protected with libssh without entering a password at all.

It’s scary because ssh, or SSH as it is often written, is probably the most widely deployed remote access protocol in the world.

Almost all Unix and Linux servers use SSH for remote administration, and there are an awful lot of awfully large server farms out there, and so there’s an awful lot of SSH about.

SSH stands for secure shell, where the term shell is Unix-speak for a command prompt, the place where most Unix-style system administration functions are performed, whether manually by a logged-in human, or automatically via a logged-in script.

But SSH is used for much more than just shell logins because it creates what’s often called a secure tunnel – a general-purpose encrypted data channel between two computers on the internet.

Notable uses for SSH include secure file transfer between servers, and secure data synchronization between data centers.

Security holes in SSH are therefore the stuff of nightmares for many sysadmins out there, and this one has certainly got the security newswires buzzing.

Read more at https://nakedsecurity.sophos.com/2018/10/17/serious-ssh-bug-lets-crooks-log-in-just-by-asking-nicely/

New iPhone lock screen bypass exposes your photos

By John E Dunn

Apple’s iOS security team must be starting to feel as if they’re being besieged by security sleuth José Rodríguez.

In his latest YouTube proof-of-concept, the Spaniard demonstrates how an attacker with physical access to an Apple device running iOS 12.0.1 (including the latest X and XS models) can gain access to photos stored on it.

The bypass needs 13 steps and requires good timing but at the end of the process, photos can be extracted by selecting and sending them to any number.

Embarrassingly, Apple released iOS 12.0.1 last week to address a range of issues that had cropped up with iOS 12, including two separate lock screen bypass flaws publicized by Rodríguez in late September.

Admittedly, one of these was more serious because it allowed access to a device’s contacts, emails, telephone numbers, and photos, but at 37 steps it was also a lot trickier to pull off than his latest compromise.

The root cause of the issue is the same in all of these – namely using Siri to activate Voiceover to perform certain tasks without having to unlock the phone.

Read more at https://nakedsecurity.sophos.com/2018/10/17/new-iphone-lock-screen-bypass-exposes-your-photos/

Is this the simple solution to password re-use?

By John E Dunn

Persuading people not to reuse the same password across multiple websites has become one of security’s big head-scratchers.

Asking people not to do something only gets you so far – because there will always be people who think it doesn’t apply to them, or who simply can’t be bothered.

But might there be a simpler fix? A new Indiana University (IU) study, Factors Influencing Password Reuse: A Case Study, thinks it has hit on an answer that’s been hiding in plain sight for years –  set policies that mandate longer and more complicated passwords.

It sounds too good to be true, but the researchers arrived at this disarmingly straightforward recommendation after using some slightly involved inference about the level of password reuse at 22 US universities, including IU itself.

First, they analysed the institutions’ published password policies, paying attention to variables such as length and character type, whether the reuse of previous passwords was possible, and whether they expired.

Next, they combed a database of 1.3 billion known breached credentials, looking for email addresses connected to one of these university domains – and discovered 7.3 million that were connected.

Read more at https://nakedsecurity.sophos.com/2018/10/17/is-this-the-simple-solution-to-password-re-use/