November 19, 2018

Has that website been pwned? Firefox Monitor will tell you

By John E Dunn

Firefox Monitor, a breach notification website launched by Mozilla in September, can now deliver alerts from inside the Firefox browser.

Once the service goes live in the coming weeks, Firefox users running version 62 and later will see an icon appear in the address bar when they visit a known breached website.

Clicking on this will reveal details of the specific breach supplied through Firefox’s integration with the Have I Been Pwned (HIBP) website, which Naked Security covered in September.

This will read something like:

More than x number of email accounts from example.domain were compromised in 2018. Check Firefox Monitor to see if yours is at risk.

Notice the alert won’t tell Firefox users that their personal account has been breached, only that they should check for themselves, offering them a link to do this.

The first time Firefox users see a breach alert for any website, it will relate to those added to the HIBP database in the preceding 12 months (the actual breach may have happened years earlier of course).

From there on, to avoid alert fatigue, the cut-off will be websites added within the preceding two months.

It will also be possible to turn alerts off completely by hitting ‘never show Firefox Monitor alerts’ on the notification drop-down box.

Read more at https://nakedsecurity.sophos.com/2018/11/19/has-that-website-been-pwned-firefox-monitor-will-tell-you/

Did a copy-paste error reveal the US’s secret case against Assange?

By Lisa Vaas

What a rough few weeks it’s been for WikiLeaks founder/Ecuadorian embassy poltergeist Julian Assange: Ecuador told him that if he wants to stay wrapped up in his asylum cocoon, he needs to shut up about politics, clean his own damn bathroom and scoop the poop from his cat’s litter box lest the kitty be given to somebody who knows how to take care of it.

Then last week there were rumors that the US finally, after six long years, filed charges against him for publishing stolen information.

It’s a big “maybe.” The supposition that the US secretly charged Assange comes from a mistake on a court filing that could have been a slip-up or might have been just a copy-paste error.

The “evidence:” the name “Assange” was mentioned in an unrelated court filing in a case from a prosecutor in the US District Court for the Eastern District of Virginia, Assistant US Attorney Kellen Dwyer.

Assange wasn’t the defendant in the case; rather, that was Seitu Sulayman Kokayi, who’s charged with coercion and enticement of a minor. He’s charged with coercing a 15-year-old girl to have sex with him and to give him sexual images.

Read more at https://nakedsecurity.sophos.com/2018/11/19/did-a-copy-paste-error-reveal-the-uss-secret-case-against-assange/

How to rob an ATM? Let me count the ways…

By John E Dunn

How many computer users still regularly use Windows XP?

It’s a trick question, of course, because the answer is that millions of people do every time they take money out of an ATM cash machine, a significant proportion of which still run some variant of the geriatric OS.

It’s a finding that jumps out of a new probe of ATM security by Positive Technologies, which found that 15 out of the 26 common designs it tested were running embedded versions of XP.

The report doesn’t differentiate between Windows XP and the various Windows Embedded products based on it, but in technology terms they’re all ancient. XP gasped its last breath in April 2014, as did Windows XP Professional for Embedded Systems. The end of extended support has come and gone for most other embedded products based on XP too, and those that are still hanging on by their fingernails only have a few months left.

A further eight ATMs used Windows 7, while only three used Windows 10. While ATM security shouldn’t be reduced to which OS version is in use, the fact that over half were using an OS that even Microsoft thinks is on life support underscores the challenge of keeping them safe.

A quick check on Naked Security shows a string of stories of ATM compromises going back into the mists of time, including August’s multinational cashout warning by the FBI, and a wave of “jackpotting” attacks.

Read more at https://nakedsecurity.sophos.com/2018/11/16/how-to-rob-an-atm-let-me-count-the-ways/

Judge asks if Alexa is witness to a double murder

By Lisa Vaas

Christine Sullivan was stabbed to death on 27 January 2017, in the kitchen of the New Hampshire home where she lived with her boyfriend. Her friend, Jenna Pellegrini, was also murdered that day, in an upstairs bedroom.

There might have been a witness who heard Sullivan’s murder as it happened, given that an Echo smart speaker equipped with Amazon’s Alexa voice assistant was sitting on the kitchen counter the whole time.

What did it hear?

A New Hampshire judge says that Amazon must let us know. Last week, the judge ordered Amazon to turn over any recordings the Echo device may have made between the day of the murder and two days later, when police found the women’s bodies beneath a tarp under the porch. The murder weapons – three large knives – were found wrapped in a flannel shirt buried one foot below the bodies.

From court documents seen by the Washington Post:

The court finds there is probable cause to believe the server(s) and/or records maintained for or by Amazon.com contain recordings made by the Echo smart speaker from the period of Jan. 27 to Jan. 29, 2017… and that such information contains evidence of crimes committed against Ms. Sullivan, including the attack and possible removal of the body from the kitchen.

A 36-year-old New Hampshire man, Timothy Verrill, has been charged with two counts of first-degree murder in the fatal stabbings and is expected to stand trial in May. Prosecutors allege that Verrill killed the two women when he grew suspicious that one of them was tipping off the police about a suspected drug operation. Verrill has pleaded not guilty.

Read more at https://nakedsecurity.sophos.com/2018/11/16/judge-asks-if-alexa-is-witness-to-a-double-murder/

Hacking MiSafes’ smartwatches for kids is child’s play

By Lisa Vaas

MiSafes, the maker of surveillance devices meant to track kids, is back in the news. This time it’s due to the company’s smartwatches that researchers say are drop-dead simple to hack.

Pen Test Partners has found that attackers can easily eavesdrop on children’s conversations; track them; screw with the geofencing so that parents don’t receive notices when their children wander off; see kids’ names, genders, birthdays, heights and weights; see parents’ phone numbers; and see what phone number is assigned to the watch’s SIM card.

Pen Test Partners researchers Ken Munro and Alan Monie told the BBC that they got curious about the watches after a friend bought one for his son earlier this year.

The watches, in kid-happy kartoon kolors, use a GPS sensor to locate a wearer and a 2G mobile data connection to let parents see where their child is via a smartphone app. They allow one-press phone calls and include an SOS feature that records a 10-second clip of your kid’s surroundings that’s sent to parents via text. The SOS feature also sends the child’s exact location, with automatic updates every 60 seconds until the emergency is canceled.

The phones also let parents create “safe zones” and, if everything is working as intended, be alerted if their child leaves the area. Parents can also eavesdrop on kids at any time and initiate two-way calls.

Read more at https://nakedsecurity.sophos.com/2018/11/16/hacking-misafes-smartwatches-for-kids-is-childs-play/

AI-generated ‘skeleton keys’ fool fingerprint scanners

By Danny Bradbury

We’ve had fake videos, fake faces, and now, researchers have developed a method for AI systems to create their own fingerprints.

Not only that, but the machines have worked out how to create prints that fool fingerprint readers more than one time in five. The research could present problems for fingerprint-based biometric systems that rely on unique patterns to grant user access.

The research team, working at New York University Tandon and Michigan State University, used the fact that fingerprint readers don’t scan a whole finger at once. Instead, they scan parts of fingerprints and match those against what’s in the database. Previous research found that some of these partial prints contain features common to many other partial prints. This gives them the potential to act as a kind of skeleton key for fingerprint readers. They are called MasterPrints.

The researchers set out to train a neural network to create its own MasterPrints that could be used to fool fingerprint readers into granting access. They succeeded, with a system that they call Latent Variable Evolution (LVE), and published the results in a paper.

Read more at https://nakedsecurity.sophos.com/2018/11/16/ai-generated-skeleton-keys-fool-fingerprint-scanners/

ACS

Advanced Computer Services of Central Florida
