November 26, 2018
That Black Mirror episode with the social ratings? It’s happening IRL
By Lisa Vaas
What do you get when you cross the worst aspects of social media, people’s actual lives and giant, centralized databases?
The outcomes are already playing out. Certain cities in China have been piloting the country’s social credit score system – a system that’s due to be fully up and running by 2020, according to a plan posted on the Beijing municipal government’s website on Monday (the plan is dated 18 July).
One of the many repercussions of such a system is that people get blacklisted for not paying off their debts when a court thinks they’re capable of doing so, regardless of what the debtor says.
The ID photos, names and numbers of blacklisted people are displayed on billboards throughout the city, and they’re then barred from booking flights or high-speed trains (considered “luxury” travel) and blocked from staying in hotels. By the end of May, people with bad credit in China had been blocked from booking more than 11 million flights and 4 million high-speed train trips, according to the National Development and Reform Commission.
A permanent stigma?
Read more at https://nakedsecurity.sophos.com/2018/11/26/that-black-mirror-episode-with-the-social-ratings-its-happening-irl/
The phone went dark, then $1m was sucked out in SIM-swap crypto-heist
By Lisa Vaas
A SIM-swap robber allegedly lifted $1 million in crypto-coin from Robert Ross, who was saving to pay for his daughters’ college tuition.
According to the New York Post, Ross “watched helplessly” on 26 October as his phone went dark. Within seconds, $500,000 drained out of his Coinbase account, and another $500,000 was suctioned out of a Gemini account. That was his entire life savings, West said.
Erin West, the deputy district attorney for Santa Clara County in California, told reporters that 21-year-old Nicholas Truglia, of Manhattan, has agreed to be extradited. Santa Clara officials plan to pick him up in December. According to court documents, he’s been charged with 21 felony counts against six victims, including identity theft, fraud, embezzlement, crimes that “involve a pattern of related felony conduct,” and attempted grand theft.
Truglia allegedly hacked the phones of Silicon Valley executives from his cushy West 42nd Street high-rise apartment.
Ross was apparently Truglia’s one success, though officials allege that he went after a half dozen other Silicon Valley cryptocoin players, including Saswata Basu, CEO of the block-chain storage service 0Chain; Myles Danielsen, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.
Read more at https://nakedsecurity.sophos.com/2018/11/26/his-phone-went-dark-then-1m-was-sucked-out-in-sim-swap-crypto-heist/
Spectre mitigation guts Linux 4.20 performance
By John E Dunn
One of Intel’s fixes for the Spectre variant 2 chip flaw (CVE-2017-5715) appears to have taken a big bite out of the performance of the latest Linux kernel.
The mitigation in question is the Single Thread Indirect Branch Predictors (STIBP), one of three that Intel proposed not long after details of the Meltdown and Spectre flaws were made public in January.
STIBP is duly implemented in Linux 4.20, and benchmarks run by Phoronix suggest that running it on Intel chips that use Intel’s proprietary hyper-threading technology (principally Core i3s, and Core i7s and above) comes at a heavy cost.
Depending on the application, that could be anything from 30% to 50% on a top-of-the-line Core i9, a clearly unacceptable hit – and that’s before factoring in the smaller losses from previous mitigations for Spectre and Meltdown.
When the flaws were made public in January, performance drops were always on the cards, but a consensus emerged that this might be somewhere in the ballpark of a few percent for most users.
Less than a year on from that and anyone running 4.20 (and 4.19.2, which apparently has backported STIBP) is staring down the barrel of something much worse.
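A check a practitioner will want after reading this: the kernel itself reports which Spectre v2 mitigations are active, STIBP included, in a sysfs status line. The parser below is an added example, not code from the article, Phoronix or the kernel tree; the sysfs path is real, and the sample status lines used to test it are constructed in the format the kernel uses.

```python
"""Parse the kernel's own Spectre v2 status line, including the STIBP field.

Added example, not from the article or the kernel tree. Linux reports the status
at /sys/devices/system/cpu/vulnerabilities/spectre_v2; the "STIBP:" field is
what the 4.20 / 4.19.2 change discussed above adds. Sample lines are constructed.
"""
from pathlib import Path
from typing import Optional

SYSFS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

def parse_spectre_v2(status: str) -> dict:
    """Split "Not affected", "Vulnerable[: detail]" or
    "Mitigation: <primary>, IBPB: <mode>, IBRS_FW, STIBP: <mode>, RSB filling"
    into state, primary mitigation and per-feature flags."""
    status = status.strip()
    result = {"state": None, "primary": None, "stibp": None, "ibpb": None, "extras": []}
    head, sep, rest = status.partition(":")
    result["state"] = head.strip()
    if not sep:                        # bare "Not affected" / "Vulnerable"
        return result
    parts = [p.strip() for p in rest.split(",") if p.strip()]
    if parts:
        result["primary"] = parts[0]
    for part in parts[1:]:
        key, _, value = part.partition(":")
        key = key.strip().lower()
        if key == "stibp":
            result["stibp"] = value.strip()   # "conditional", "forced" or "disabled"
        elif key == "ibpb":
            result["ibpb"] = value.strip()
        else:
            result["extras"].append(part)     # e.g. "IBRS_FW", "RSB filling"
    return result

def stibp_active(status: str) -> bool:
    """True when STIBP is on in any mode, i.e. the performance-costly case above."""
    stibp = parse_spectre_v2(status)["stibp"]
    return stibp is not None and stibp.lower() != "disabled"

def read_live_status() -> Optional[str]:
    """The running kernel's status line, or None off Linux or on kernels before 4.15."""
    return SYSFS_PATH.read_text() if SYSFS_PATH.exists() else None

if __name__ == "__main__":
    live = read_live_status()
    print("spectre_v2 status not available" if live is None else parse_spectre_v2(live))
```

Run it as a script on a Linux host to see the live status; kernels without the STIBP field simply report `stibp` as `None`.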
Read more at https://nakedsecurity.sophos.com/2018/11/26/spectre-mitigation-guts-linux-4-20-performance/
Cryptocurrency ‘minting’ flaw could have leached money from exchanges
By John E Dunn
Are Ethereum’s new-fangled smart contracts the ultimate point of the blockchain or a risky experiment whose vulnerabilities presage trouble?
Right now, few doubt that smart contracts – instruction workflows in a language called Solidity that automate complex, profitable processes on Ethereum – require close scrutiny.
The latest security flaw was discovered by smart contract developers Level K – a ‘minting’ flaw that would allow an attacker to drain Ethereum exchanges initiating smart contracts.
There are several scenarios in which the vulnerability could be exploited; the researchers have already disclosed it to most of the exchanges they thought might be affected.
Explaining gas
Before getting to the weakness, it’s necessary to understand that on the Ethereum network sending Ether cryptocurrency from one address to another means paying a minimum fee to miners in a unit called ‘gas’.
This rewards miners according to the amount of computation involved in executing each set of Solidity smart contract instructions.
Recently, someone had the idea of turning gas into a sort of tokenised currency of its own – GasTokens – generated thanks to Ethereum’s complicated storage refund system (blockchains desire storage efficiency).
GasTokens are a new thing but seem to have taken off because gas price varies according to smart contract demand (and some think Ethereum gas is too expensive in the first place).
Read more at https://nakedsecurity.sophos.com/2018/11/23/cryptocurrency-minting-flaw-could-have-leached-money-from-exchanges/
Hacker says USPS ignored serious security flaw for over a year
By John E Dunn
The US Postal Service (USPS) ignored a security flaw affecting millions of its registered website users for over a year until a researcher took his discovery to prominent blogger Brian Krebs, it has been alleged.
According to Krebs’s write-up, the unnamed researcher contacted him a week ago with news of a weakness he’d uncovered in the USPS.com ‘Informed Visibility’ API.
This API enables a USPS service that gives customers real-time tracking data on mailshot campaigns and deliveries.
Although described in general terms (see the before and after APIs), the authentication flaw found by the researcher…
…let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
Krebs estimates that there are 60 million USPS account holders, all of whose data (passwords excluded) would have been viewable and, for fields such as email addresses or phone numbers, potentially modifiable.
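The flaw described is authentication without object-level authorization: any logged-in user could request any other user’s record. Below is an added example, not USPS code and not the real ‘Informed Visibility’ API, with constructed account records and access-log lines, showing the vulnerable lookup beside the hardened one and a simple detection over access logs.

```python
"""Authentication without authorization: the flaw class in the USPS report above.

Added example, not USPS code. The record layout, ids and log lines are constructed
to show the pattern; the real 'Informed Visibility' API is not reproduced here.
Both lookups receive the caller's user id from a verified session, not the request.
"""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Account:
    user_id: int
    username: str
    email: str

ACCOUNTS = {  # constructed stand-in for the account store
    101: Account(101, "alice", "alice@example.com"),
    202: Account(202, "bob", "bob@example.com"),
}

class Forbidden(Exception):
    """The caller is logged in but may not read the requested object."""

def lookup_vulnerable(caller_id: Optional[int], requested_id: int) -> Account:
    """Checks only that someone is logged in, then serves whatever id the client asked for."""
    if caller_id is None:
        raise PermissionError("login required")
    return ACCOUNTS[requested_id]

def authorized(caller_id: Optional[int], requested_id: int) -> bool:
    """Object-level check: a user may read only their own account (extend for admin roles)."""
    return caller_id is not None and caller_id == requested_id

def lookup_hardened(caller_id: Optional[int], requested_id: int) -> Account:
    """Same endpoint with the ownership check enforced server-side."""
    if caller_id is None:
        raise PermissionError("login required")
    if not authorized(caller_id, requested_id):
        raise Forbidden(f"user {caller_id} may not read account {requested_id}")
    return ACCOUNTS[requested_id]

def cross_account_reads(log_entries: List[dict]) -> List[dict]:
    """Detection: requests whose session user differs from the requested account."""
    return [e for e in log_entries if e["session_user"] != e["requested_user"]]

SAMPLE_LOG = [  # constructed access-log records
    {"session_user": 101, "requested_user": 101},
    {"session_user": 101, "requested_user": 202},
    {"session_user": 101, "requested_user": 303},
]
```

Many cross-account reads from a single session is the enumeration pattern worth alerting on, even on an endpoint believed to be fixed.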
Read more at https://nakedsecurity.sophos.com/2018/11/23/hacker-says-usps-ignored-serious-security-flaw-for-over-a-year/