November 13, 2018

Does wiping your iPhone count as destroying evidence?

By Lisa Vaas

Police are accusing a 24-year-old woman, arrested in connection with a drive-by shooting, of remote-wiping her iPhone and thereby destroying evidence – a felony offense.

Her defense: I don’t even know how to do that!

Daniel Smalls, the lawyer for the accused – 24-year-old Juelle L. Grant, of Schenectady, New York – on Monday told the local news outlet The Daily Gazette that his client wasn’t involved in the shooting, in which no one was injured; that she “didn’t access anything to remotely delete anything”; and that she “wouldn’t have any knowledge how to do that.”

His client is not a computer-savvy person, Smalls said. In fact, his staff is puzzling out this “remote wipe” thing now, he said:

We’re doing research on it ourselves.

Last week, police said that they believe that Grant may have been the driver of a vehicle involved in a drive-by shooting last month, so they seized her iPhone X as evidence at the time.

But then, according to court documents, Grant allegedly remote-wiped the device, in spite of knowing full well that the police intended to inspect it for possible evidence:

The defendant was aware of the intentions of the police department at the conclusion of the interview with her.

Police arrested Grant on 2 November and charged her with three felonies: two counts of tampering with physical evidence and one count of hindering prosecution. According to The Daily Gazette, one of the tampering charges has to do with the remotely wiped phone, while the other tampering charge and the hindering charge are concerned with her alleged actions on the day of the shooting.

Read more at https://nakedsecurity.sophos.com/2018/11/13/does-wiping-your-iphone-count-as-destroying-evidence/

Headmaster fired over cryptocoin mining on the school’s dime

By Lisa Vaas

A headmaster in a Chinese high school in Hunan has been fired for allegedly stealing electricity to mine cryptocurrency, reports the South China Morning Post.

According to local media, teachers got suspicious over “a whirring noise that continued day and night” and a whopping electricity bill: 14,700 yuan (USD $2,113, £1,628) for about a year.

‘Oh, that? It’s just the air conditioners and the heaters!’ the headmaster, Lei Hua, reportedly said.

Lei Hua is said to have picked up his first Ethereum mining rig for about 10,000 yuan (£1,107, USD $1,437) and started cryptocoin mining at his home in June 2017.

As anybody who knows anything about mining for crypto will tell you, that surely led to a whopping electricity bill. In fact, the machine was eating up nearly 21 kilowatt-hours of electricity per day.

So to save money on his power bill, Lei allegedly relocated the machine to the school where he worked. By the time the setup was discovered about a year later, he’d allegedly plugged in another seven mining computers in the school’s computer room. His deputy headmaster also allegedly got caught up in the craze, picked up a ninth machine for himself in January, and added it to Lei’s eight rigs.

Lei was fired last month after the power thievery was detected. His deputy received an official warning. The profits went bye-bye: a local authority responsible for “discipline inspection” reportedly seized the money that Lei and his deputy allegedly made.

Read more at https://nakedsecurity.sophos.com/2018/11/12/headmaster-fired-over-cryptocoin-mining-on-the-schools-dime/

Botnet pwns 100,000 routers using ancient security flaw

By John E Dunn

Researchers have stumbled on another large botnet that’s been quietly hijacking home routers while nobody was paying attention.

This one’s been named BCMUPnP_Hunter by discoverers Qihoo 360 Netlab, which says it’s infected at least 100,000 routers in the US, India and China since September.

The BCM part of that name refers to a security flaw affecting a Broadcom router software interface that was first made public in February 2013 by DefenseCode.

The UPnP, of course, is Universal Plug and Play, a longstanding and widely abused networking protocol designed to make it easy for devices to talk to one another without the need for complicated configuration.

We’ll skip the sermon about turning that off if you don’t need it (it’s not the only risky router interface that deserves this treatment after all), and merely note that Qihoo’s use of ‘Hunter’ at the tail end of this bot’s name is a warning.

BCMUPnP_Hunter feels like a despairing story for at least two reasons, the first being the range of products it affects.

The botnet covers 116 devices, including models from Billion, D-Link, Cisco Linksys (now Belkin), TP-Link, Zyxel, Broadcom itself, and several others.

Read more at https://nakedsecurity.sophos.com/2018/11/12/botnet-pwns-100000-routers-using-ancient-security-flaw/

Terrorists told to hijack social media accounts to spread propaganda

By Lisa Vaas

Monika Bickert, Facebook’s global head of policy management, and Brian Fishman, head of counterterrorism policy, said in a post on Thursday that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it’s gotten tougher to push propaganda on the platform.

As detailed in a criminal complaint, one of the alleged terrorist/sympathizer’s suggestions for fellow propagandists was to try to take over legitimate social media accounts that had been hijacked: to act like wolves pulling on sheepskins to escape from Facebook’s notice, as it were.

Facebook’s continued work on tackling terrorist propaganda is bearing fruit.

Bickert and Fishman also reported that Facebook has removed 14 million pieces of content dubbed likely to come from terrorists, as determined by new machine learning technology; its hashing of images, videos, audio and text to create content fingerprints; and its long-suffering human reviewers (thank you, you poor souls).

They said that most of the content, which is related to the Islamic State (IS), al-Qaeda, and their affiliates, was old material that Facebook dug up by using specialized techniques.

Of course, 14 million pieces of content represents scarcely a drop in the ocean when it comes to the content-stuffed platform. Facebook was reportedly seeing 300 million photo uploads alone, per day, way back in 2012, and 2.5 billion content items shared: numbers that have ballooned since then.

Read more at https://nakedsecurity.sophos.com/2018/11/12/terrorists-told-to-hijack-social-media-accounts-to-spread-propaganda/

Microsoft mistake leaves Windows 10 users fuming

By Danny Bradbury

Microsoft Windows 10 users were left livid late last week after Microsoft mistakenly told them that their licenses were invalid.

On Thursday, Windows 10 Pro and Enterprise customers began complaining online that Microsoft was declaring their license keys invalid. The users, who confirmed that they had legal copies of the operating system, were told that they were actually using Windows Home. When they checked, the Pro version was still installed.

The problem led to Windows deactivation, according to some:

My digital entitlement is gone from my Microsoft account and I have a Windows 10 Home key now. Windows is deactivated because I went from Windows 10 Pro to Home and it doesn’t match anymore.

The issue affected both Pro and Home versions of Windows 10 that had been upgraded from earlier versions of the operating system, along with clean Windows 10 installs, according to posters on Reddit.

One Windows user reported that purchasing a Windows 10 Pro key in the Microsoft store was listed as an option for him, even though he had already upgraded to Windows 10 Pro years ago. When he tried to repurchase the key, it would not let him.

Read more at https://nakedsecurity.sophos.com/2018/11/12/microsoft-mistake-leaves-windows-10-users-fuming/

258,000 encrypted IronChat phone messages cracked by police

By Lisa Vaas

Police in the Netherlands announced on Tuesday that they’ve broken the encryption used on a cryptophone app called IronChat.

The Dutch police made the coup a while ago. They didn’t say when, exactly, but they did reveal that they’ve been quietly reading live communications between criminals for “some time.” At any rate, it was enough time to read 258,000 chat messages: a mountain of information that they expect to lead to hundreds of busts.

Already, the breakthrough has led to the takedown of a drug lab, among other things, according to Aart Garssen, Head of the Regional Crime Investigation Unit in the east of the Netherlands. He was quoted in the press release:

This operation has given us a unique insight into the criminal world in which people communicated openly about crimes. Obviously, this has led to some results. For example, we rolled up a drug lab in Enschede.

In the course of this investigation we also discovered 90,000 euros in cash, automatic weapons and large quantities of [hard drugs] (MDMA and [cocaine]). In addition, we became aware of a forthcoming retaliatory action in the criminal circuit.

IronChat used tinfoil marketing fluff by simply making up at least one celebrity endorsement, from Edward Snowden.

Also, on Tuesday, Dutch police shut down the site that sold the phones, Blackbox-security.com. An archived page shows this purported endorsement from Snowden …

I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation

… an endorsement that, Snowden said through a representative at the American Civil Liberties Union (ACLU), he never made. In fact, he’s never heard of the phone, Snowden said. Ben Wizner, director for the ACLU’s Speech, Privacy & Technology Project, relayed this message from Snowden in an email to Dan Goodin at Ars Technica:

Edward informs me that he has never heard of, and certainly never endorsed, this app.

Police said that they discovered the server through which encrypted IronChat communications flowed when police in Lingewaard, in the east of the Netherlands, traced a supplier of the cryptophones during a money-laundering investigation.

Read more at https://nakedsecurity.sophos.com/2018/11/09/258000-encrypted-ironchat-phone-messages-cracked-by-police/

Sent a photo to the wrong person? Facebook Messenger to let you unsend it

By Lisa Vaas

Back in April, Facebook automagically retracted CEO Mark Zuckerberg’s messages from recipients’ inboxes.

It was good enough for Zuck and other Facebook execs, but alas, beyond the reach of us mere mortal users. But relax, Facebook said at the time: we’re going to bring “Unsend” to one and all in a matter of months.

Well, the delete-messages time is finally nigh. Facebook said on Tuesday that Messenger is soon going to get an “Unsend” feature. Keep those fingers flexible, though: you’re only going to get up to 10 minutes to delete messages from chats after you send them.

Facebook mentioned the upcoming feature in the release notes for version 191.0 of the Messenger iOS app. Here’s what it said:

Coming soon: Remove a message from a chat thread after it’s been sent. If you accidentally send the wrong photo, incorrect information or message the wrong thread, you can easily correct it by removing the message within 10 minutes of sending it.

10 minutes? Well, it’s a lot less time than the hour Facebook gives users to delete WhatsApp messages, but it’s better than nothing, particularly when “nothing” translates into “dishonor and/or idiocy preserved for eternity.”

Read more at https://nakedsecurity.sophos.com/2018/11/09/sent-a-photo-to-the-wrong-person-facebook-messenger-to-let-you-unsend-it/

Update now! WordPress sites vulnerable to WooCommerce plugin flaw

By John E Dunn

Researchers have published details of a dangerous flaw in the way the hugely popular WooCommerce plugin interacts with WordPress that could allow an attacker with access to a single account to take over an entire site.

WooCommerce’s four million plus users were first alerted to the issue a few weeks back in the release notes for the updated version:

Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions.

This week, PHP security company RIPS Technologies published the research that led to this warning, which gives WooCommerce and WordPress admins more of the gory detail.

There are two parts to the vulnerability, the first of which the researchers describe as a “design flaw in the privilege system of WordPress.”

The second, in WooCommerce itself, is an apparently simple file deletion vulnerability affecting versions 3.4.5 and earlier.

Which of the two is the bigger issue will depend on whether you worry more about a site’s e-commerce function or happen to be its admin – either way, the combination spells trouble.

Read more at https://nakedsecurity.sophos.com/2018/11/09/update-now-wordpress-sites-vulnerable-to-woocommerce-plugin-flaw/
