October 22, 2018
Up to 9.5 million net neutrality comments were fake
By Lisa Vaas
New York Attorney General Barbara Underwood has subpoenaed 14 companies and organizations as part of the state’s investigation into the blizzard of fake public comments over net neutrality that inundated the Federal Communications Commission (FCC), according to The New York Times.
From Underwood’s statement:
The FCC’s public comment process was corrupted by millions of fake comments. The law protects New Yorkers from deception and the misuse of their identities. My office will get to the bottom of what happened and hold accountable those responsible for using stolen identities to distort public opinion on net neutrality.
As far as the identity theft piece of the puzzle goes, the Wall Street Journal cited an anonymous source who’s familiar with the investigation who said that the civil subpoenas are aimed at determining who was behind millions of comments posted with real people’s names but without their permission.
Underwood said in her statement that her office found up to 9.5 million comments that, the WSJ writes, “appear to have been filed using the names and addresses of real people who had no idea they were being cited in the comments.”
The subpoenas went out to telecommunications industry groups such as Broadband for America – a coalition supported by cable and telecommunications companies – and conservative groups such as the political consultancy Century Strategies and Media Bridge, a conservative messaging company whose site boasts about having placed nearly 800,000 comments opposing internet regulation.
Read more at https://nakedsecurity.sophos.com/2018/10/22/up-to-9-5-million-net-neutrality-comments-were-fake/
Maker of LuminosityLink RAT gets 30 months in the clink
By Lisa Vaas
The 21-year-old developer who cooked up LuminosityLink – the $39.99, turnkey, remote-access Trojan (RAT) used as spyware, keylogger, electricity/CPU-stealing cryptocurrency miner, and distributed denial-of-service (DDoS) launchpad by cybercrooks in 78 countries – was sentenced last week to 30 months in federal prison.
In a plea deal, Colton Grubbs also gave up the $725,000 worth of bitcoin he made from peddling the malware, which was marketed as a legitimate remote-administration tool but which he knew full well was being used by plenty of customers to remotely access and control their victims’ computers without their knowledge or consent.
The Department of Justice (DOJ) for the Eastern District of Kentucky announced last Monday that Grubbs had signed a plea deal that covered charges of conspiracy to unlawfully access computers in furtherance of a criminal act, conspiracy to commit money laundering, and the illegal removal of property to prevent its lawful seizure.
Grubbs pleaded guilty in July to the federal charges of creating, selling and providing technical support for the RAT to his customers, who used it to gain unauthorized access to thousands of computers across 78 countries worldwide. Grubbs also pleaded guilty to trying to hide incriminating evidence.
According to the plea agreement, after learning that the FBI was about to search his apartment in Lexington, Kentucky, Grubbs gave his laptop to his roommate and asked him to conceal it in the roommate’s car.
Read more at https://nakedsecurity.sophos.com/2018/10/22/maker-of-luminositylink-rat-gets-30-months-in-the-clink/
Serious D-Link router security flaws may never be patched
By John E Dunn
Stop me if you’ve heard this one before.
In May, Polish researcher Blazej Adamczyk of the Silesian University of Technology contacted D-Link to tell it he’d discovered a trio of important security flaws affecting eight of its Wi-Fi routers.
According to Adamczyk, D-Link replied two weeks later to say that two of the products would be patched in due course but that the remaining six were considered end of life (EOL), the implication being that they wouldn’t be updated.
After receiving no further communication regarding the vulnerabilities by September, he gave them one month to announce updates or he would make the flaws public.
Last Friday, 12 October, he held true to his word, revealing the vulnerabilities, which included a proof-of-concept video showing how they could be used together to compromise vulnerable models.
We haven’t had D-Link’s side of the story, in fairness, but on the face of it this looks like another example of how responsible disclosure can occasionally end in an uncomfortable impasse.
Read more at https://nakedsecurity.sophos.com/2018/10/19/serious-d-link-router-security-flaws-may-never-be-patched/
Apple privacy portal lets you see everything it knows about you
By Lisa Vaas
A month after its most recent iPhone and Mac launches, Apple has refreshed its privacy pages.
There isn’t much that’s changed: those pages still espouse Apple’s long-held commitment to privacy being a “fundamental human right” and that your information is, for the most part, kept on your iPhones, iPads and Macs.
Apple’s iOS 12 was loaded with useful security upgrades and patches for software vulnerabilities (though, granted, not one but two lock-screen bypasses have already been discovered).
As expected, the updated pages cover the new security and privacy features in iOS 12 and macOS Mojave, including new information about end-to-end encrypted group FaceTime video calls and improvements to intelligence tracking protections, as well as how Apple uses differential privacy to understand which are the most popular features, without being able to identify individual users.
But there is, actually, something new on those pages: Apple’s now allowing US customers to download all the data it holds on them through a new privacy portal.
Besides giving users the ability to download their data, it also enables them to request corrections if they spot errors.
Read more at https://nakedsecurity.sophos.com/2018/10/19/apple-privacy-portal-lets-you-see-everything-it-knows-about-you/
Is Google’s Android app unbundling good for security?
By John E Dunn
Is Android about to change for better or worse?
If you live in the European Union (actually, the European Economic Area, which consists of the EU plus Norway, Iceland, and Liechtenstein), turning on a new Android device after 29 October 2018 could be less familiar than in the past.
Until now, almost all Android users have been greeted by Google’s own suite of 11 factory-installed apps that includes Gmail, Chrome, Maps, Search, and – most important of all to most users – Google Play.
This happened because Google’s licensing compelled device makers to install apps such as Search and Chrome if they wanted to install Google’s well-stocked app repository, the Play Store.
In July 2018, the European Commission (EC) concluded this was a ploy to give Google Search a monopoly on Android, and fined the company €4.34 billion ($5.1 billion) on anti-trust grounds.
Even though Google has appealed the latest ruling, which will likely wend its way through the courts for several years, the company nevertheless yesterday announced plans to comply with the decision.
However, there’s a sting in the tail: device makers will no longer have to bundle Google’s apps, but if they do they’ll pay for the privilege.
Read more at https://nakedsecurity.sophos.com/2018/10/18/is-googles-android-app-unbundling-good-for-security/