Support wouldn’t change his password, so he mailed them a bomb

By Lisa Vaas

On 8 March, Cryptopay co-founder Wesley Rashid began to open a padded package addressed to two of his employees.

Something about it struck him the wrong way, though, so he didn’t open it all the way. That was a fortunate decision. The package held a bomb that could have injured or even killed him.

London’s Metropolitan Police announced on Friday that the sender, a 43-year-old Swedish man named Jermu Michael Salonen, has been sentenced to six and a half years in prison for sending the potentially lethal homemade bomb.

It turns out that the package had been delivered months earlier, around November 2017, to an office unmanned by Cryptopay employees. The UK crypto-wallet business had at one point employed an accounting firm that did have an office in that location, but fortunately nobody at the accounting company opened it on behalf of its client. The letter bomb just sat there, unopened, for five months.

Forensic specialists managed to retrieve some DNA samples from the package, but no matches were found in the UK. Investigators turned next to Interpol, and that’s when they hit a match, turning up Sorenson’s DNA sample in Sweden.

Police said he was known to Swedish authorities. In addition to being found guilty of attempted murder by Stockholm District Court, Salonen was also convicted of mailing threatening letters to Swedish lawmakers and government officials.

Read more at https://nakedsecurity.sophos.com/2018/11/14/support-wouldnt-change-his-password-so-he-mailed-them-a-bomb/

Microsoft update breaks Calendar and Mail on Windows 10 phones

By Lisa Vaas

Still reeling from last week’s Windows 10 Pro debacle, Microsoft dropped a fresh pile of “Oops!” onto Windows 10 Mobile users.

On Wednesday, users started reporting that an app update had broken Mail and Calendar:

Mail and Calendar no longer starts. After a short flash screen, the app crashed back to the main screen. Tried restart and soft reset.

App got updated today 07-11-2018. This morning before the update it worked fine.

The problems showed up immediately after Microsoft released update 16006.11001.20083.0.

As of the following Tuesday afternoon, the initial post had tallied 431 “I have the same question” and 306 replies: a combination of “me-too’s” and “Is it time to jump ship and climb on board with Android/iOS/Google?”

By Saturday, however, many users were sighing with relief as they got back Outlook Mail and Calendar on their mobile devices, in spite of Windows 10 Phone being a nearly dead platform. As in, Microsoft is no longer developing new features, though it’s still supporting it with bug fixes and security updates.

As one Redditor noted, they weren’t even sure a fix would be forthcoming, given that their phone’s build – they said they were on a Nokia Lumia 1520 – is no longer officially supported.

Read more at https://nakedsecurity.sophos.com/2018/11/14/microsoft-update-breaks-calendar-and-mail-on-windows-10-phones/

Google and Cloudfare traffic diverted to China… do we need to panic?

By Paul Ducklin

Conspiracy theorists can stand down from puce alert!

A network outage that affected US providers including Google and Cloudflare on Monday, intermittently diverting traffic via China…

…has been chalked up to a blunder.

Here’s why.

Internet traffic depends heavily on a system called BGP, short for Border Gateway Protocol, which ISPs use to tell each other what traffic they can route, and how efficiently they can get that traffic to its destination.

By regularly and automatically communicating with one another about the best way to get from X to Y, from Y to Z, and so on, internet providers not only help each other find the best routes but also adapt quickly to sidestep outages in the network.

Unfortunately, BGP isn’t particularly robust, and the very simplicity that makes it fast and effective can cause problems if an ISP makes a routing mistake – or, for that matter, if an ISP goes rogue and deliberately advertises false routes in order to divert or derail other people’s traffic.

Read more at https://nakedsecurity.sophos.com/2018/11/13/google-and-cloudfare-traffic-diverted-to-china-do-we-need-to-panic/

WordPress GDPR compliance plugin hacked

By Danny Bradbury

The EU General Protection Data Regulation (GDPR) is supposed to make companies take extra care with their customers’ personal data. That includes gathering explicit consent to use information and keeping it safe from identity thieves.

WP GDPR Compliance is a plugin that allows WordPress website owners to add a checkbox to their websites. The checkbox allows visitors handing over their data to grant permission for the site owners to use it for a defined purpose, such as handling a customer order. It also allows visitors to request copies of the data that the website holds about them.

Users send these requests using admin-ajax.php, which is a file that lets browsers connect with the WordPress server. It uses Ajax, a combination of JavaScript and XML technology that creates smoother user interfaces. This system first appeared in WordPress 3.6 and allows the content management system to offer better auto-saving and revision tracking among other things.

The GDPR plugin also allows users to configure it via admin-ajax.php, and that’s where the trouble begins. Attackers can send it malicious commands, which it stores and executes. They can use this to trigger WordPress actions of their own.

Read more at https://nakedsecurity.sophos.com/2018/11/13/wordpress-gdpr-compliance-plugin-hacked/

DEA and ICE hiding cameras in streetlights and traffic barrels

By Lisa Vaas

Drug and immigration cops in the US are buying surveillance cameras to hide in streetlights and traffic barrels.

Quartz spotted a number of contracts between a company called Cowboy Streetlight Concealments and two government agencies: the Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE).

As government procurement documents show, since June, the DEA has spent about $22,000 to buy “video recording and reproducing equipment” in Houston, Texas, while the Houston ICE office paid out about $28,000 for the same type of equipment, all of it coming from Cowboy Streetlight Concealments.

It’s unknown where those surveillance cameras will be installed or where they’ve already been plugged in. Quartz reports that ICE offices in the Texas cities of Dallas, Houston, and San Antonio have all ponied up money to buy equipment from Cowboy Streetlight Concealments. The DEA’s most recent purchases were funded by the agency’s Office of Investigative Technology, in Lorton, Virginia.

Streetlight is owned by Christie Crawford and her husband, who’s a police officer in Houston. Crawford told Quartz that she wasn’t at liberty to go into detail about federal contracts: all she can say is that the government tells her company what it wants, and Streetlight builds it:

Basically, there’s businesses out there that will build concealments for the government, and that’s what we do. They specify what’s best for them, and we make it. And that’s about all I can probably say.

Does it really matter where the hidden surveillance cameras are being installed? Maybe to me and you, but that could just be because we aren’t aware of how ubiquitous surveillance cameras are. Crawford:

I can tell you this – things are always being watched. It doesn’t matter if you’re driving down the street or visiting a friend, if government or law enforcement has a reason to set up surveillance, there’s great technology out there to do it.

Another company in this space, Obsidian Integration, last week received a DEA contract for “concealments made to house network PTZ [Pan-Tilt-Zoom] camera, cellular modem, cellular compression device”. Obsidian, which sells “covert systems” and “DIY components,” lists among its customers the Department of Homeland Security (DHS), the Secret Service, the FBI, and the Internal Revenue Service (IRS), among other government agencies.

Last week, Obsidian was also granted a $33,500 contract with New Jersey’s Jersey City Police Department to buy a covert pole camera. The city’s resolution noted that the reason it needs a hidden camera is so that police can “target hot spots for criminal and nuisance activity and gather evidence for effective prosecutions.”

Quartz noted that it’s not just streetlights that are spying on us: the DEA is stashing hidden cameras in other places that can just as handily surveil the masses:

In addition to streetlights, the DEA has also placed covert surveillance cameras inside traffic barrels, a purpose-built product offered by a number of manufacturers. And as Quartz reported last month, the DEA operates a network of digital speed-display road signs that contain automated license plate reader technology within them.

Unfortunately, there’s scant oversight regarding where surveillance cameras can be put or how the government can use them, ACLU senior advocacy and policy counsel Chad Marlow told Quartz:

[Local law enforcement] basically has the ability to turn every streetlight into a surveillance device, which is very Orwellian, to say the least. In most jurisdictions, the local police or department of public works are authorized to make these decisions unilaterally and in secret. There’s no public debate or oversight.

What little effort has gone into curtailing local governments’ pervasive surveillance hasn’t met with much success. In January 2018, a California committee passed senate bill SB-712: a piece of legislation that would tweak the law that says you can’t cover your car’s license plate. It basically amounted to “keep your spying, data-collecting, privacy-invading cameras away from our cars.” As it is, there are businesses that send automated license plate readers (ALPRs) up and down streets to document travel patterns and license plates and sell the data to lenders, insurance companies, and debt collectors.

Read more at https://nakedsecurity.sophos.com/2018/11/13/dea-and-ice-hiding-cameras-in-streetlights-and-traffic-barrels/