November 29, 2018

Creeps outed as massage app exposes database with workers’ comments

By Lisa Vaas

A popular massage-booking app has spilled the beans on 309,000 customer profiles, including comments from their masseurs or masseuses on how creepy their customers are.

The app’s wide-open, no-password-required database was discovered by researcher Oliver Hough, who tipped off TechCrunch.

Hough said in a Tweet on Tuesday that the breach was caused by unimplemented security that should have been easy-peasy, and that the failing could lead to “some serious blackmail.”

TechCrunch reports that Urban left the database for a Google-hosted Elasticsearch instance – that’s an enterprise search tool – online without a password, “allowing anyone to read hundreds of thousands of customer and staff records.”

Anyone who knew where to look could access, edit or delete the database.

The makers of the app, which was previously known as Urban Massage but is now going by simply “Urban,” confirmed the breach on Tuesday. In its FAQ, Urban said that customers’ names, email addresses and phone numbers were exposed, as well as, potentially, their postcodes if they placed a booking on the platform. Urban says it’s going to contact those whose information it thinks was exposed.


Google’s “deceitful” location tracking is against the law, say 7 EU groups

By Danny Bradbury

The row over Google’s location tracking has spread to Europe.

Consumer organizations from across the region said this week that they will complain about Google’s location tracking activities to their data protection authorities, alleging that it is breaching the General Data Protection Regulation (GDPR).

BEUC, an umbrella group of 43 European consumer organizations, said that Norway, Netherlands, Greece, Czech Republic, Slovenia, Poland and Sweden will all file complaints.

They’re basing their gripes on a report from the Norwegian Consumer Council (Forbrukerrådet) called Every Step You Take that explains what Google is doing and why they think it might be flouting Europe’s privacy laws.

Monique Goyens, Director General of The European Consumer Organization, summed up the complaints in a statement on the BEUC site:

Google’s data hunger is notorious but the scale with which it deceives its users to track and monetise their every move is breathtaking. Google is not respecting fundamental GDPR principles, such as the obligation to use data in a lawful, fair and transparent manner.

The report takes a deep dive into Google’s location tracking activities. The company tracks you in two ways, according to the research: Location History and Web & App Activity.

Alongside basic data such as where you went and what mode of transport you took to get there, Location History also stores other data in the background, such as barometric pressure, nearby Wi-Fi hotspots and even your battery level. Google says that this is a voluntary, opt-in feature.


Facial recognition traffic camera mistakes bus for famous woman

By Lisa Vaas

It is said of Dong Mingzhu, known as China’s most successful businesswoman, that wherever the driven, I-haven’t-taken-a-day-off-in-27-years Queen of Air Conditioning walks, no grass grows.

Yeah, well, forget about the grass: she’s a scofflaw JAYWALKER!!!

That, at any rate, was the erroneous conclusion arrived at recently by a facial recognition traffic camera that obviously can’t tell an advertisement on a bus from a human face.

Hence was the face of the famous woman known throughout the land as “Sister Dong” splashed onto a huge screen erected along a street in the port city of Ningbo for purposes of naming and shaming jaywalkers. Dong’s photo included a line of text saying that she’d just broken the law by crossing the street against a red light.

The South China Morning Post (SCMP) reported that the surveillance system captured Dong’s image on Wednesday from an advertisement on the side of a moving bus.


Microsoft’s Office 365 MFA security crashes for second time

By John E Dunn

Microsoft’s multi-factor authentication (MFA) for Office 365 and Azure Active Directory has fallen over for the second time in a week.

Azure’s service status page delivered Tuesday’s bad news:

Between 14:25 UTC and 17:08 UTC on 27 Nov 2018, customers using Multi-Factor Authentication (MFA) may have experienced intermittent issues signing into Azure resources, such as Azure Active Directory, when MFA is required by policy.

Officially, that’s just shy of three hours with either no or intermittent MFA, although it took until 18:53 UTC for Microsoft’s Twitter account to become confident enough to announce that the service was definitely up and running again.

Microsoft’s initial root cause analysis (RCA): something went wrong at DNS level which led the infrastructure supporting MFA to become “unhealthy”.

The solution was to reboot – which seemed to work but at the expense of receiving several sarcastic tweets congratulating Microsoft on a successful reboot/turning it off and on again.


Iranian hackers charged in the US for SamSam ransomware attacks

By Paul Ducklin

We’re sure you know what ransomware is by now.

ICYMI, ransomware is malicious software that scrambles your files with a randomly generated cryptographic key…

…and then sends the one and only copy of that decryption key to the crooks.

Who promptly offer to sell it back to you so that you can unlock your data and get your business moving again.

And we’re sure you’ve heard of a strain of ransomware known as SamSam – named, apparently, after a French cartoon – that we’ve written about depressingly often on Naked Security.

The crooks behind SamSam have been using a tricky technique that is quite different to that used by early strains of ransomware from a few years ago, such as CryptoLocker, CryptoWall and TeslaCrypt.

Instead of using mass spamming techniques to blast their malware to millions of recipients in the hope of collecting thousands of dollars each from thousands of victims scattered all over the world, the SamSammers used a more pinpoint approach.


JavaScript library used for sneak attack on Copay Bitcoin wallet

By John E Dunn

A mystery payload that was sneaked into a hugely popular JavaScript library seems to have been a deliberate plot to ransack bitcoins from a mobile cryptocoin wallet known as Copay, from a company called BitPay.

Back in September 2018, the author of a popular Node.js utility package called event-stream, used for sending and receiving data, handed over the reins to a new maintainer going by the handle of Right9ctrl.

Days later, the new maintainer released an update to the package, version 3.3.6, to which he’d added additional code from an apparently related package called flatmap-stream.

In early October, another event-stream update appeared, as though Right9ctrl were throwing himself enthusiastically into his new role at the helm of the project…

…except that, on 20 November 2018, someone investigating an error in event-stream discovered cryptocurrency-stealing malware, hidden in the flatmap-stream component.
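As an added example (not code from the article, from Naked Security, or from the event-stream project), here is a Node.js script that walks a package-lock.json and reports any dependency on a watch list. It assumes a watch list of event-stream 3.3.6, the release named above, plus every version of flatmap-stream, since the article gives no version for that package; the lockfile it scans is constructed for the demonstration.

```javascript
// Added example (not the article's or event-stream's code): walk a
// package-lock.json and report every dependency on a watch list. Lockfile v1
// nests packages under "dependencies"; v2/v3 flatten them under "packages".
// event-stream 3.3.6 is the release the article says pulled in flatmap-stream;
// no flatmap-stream version is named, so every version is flagged (assumption).
const WATCH_LIST = {
  "event-stream": ["3.3.6"],
  "flatmap-stream": ["*"],
};

function isWatched(name, version, watch = WATCH_LIST) {
  const versions = watch[name];
  return Boolean(versions) && (versions.includes("*") || versions.includes(version));
}

// Returns [{ name, version, path }] for every watched package in the lockfile.
function findWatchedPackages(lock, watch = WATCH_LIST) {
  const hits = [];
  // v2/v3: keys look like "node_modules/a/node_modules/b" ("" is the root).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (isWatched(name, meta.version, watch)) hits.push({ name, version: meta.version, path });
  }
  // v1: recurse through nested "dependencies" (skipped when "packages" exists,
  // because v2 lockfiles also carry the v1 tree and would be double counted).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isWatched(name, meta.version, watch)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v1 shape); only 3.3.6 is a real version here.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      dependencies: { "flatmap-stream": { version: "0.0.0-placeholder" } },
    },
    "harmless-lib": { version: "1.0.0" },
  },
};

console.log(findWatchedPackages(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.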

Lock up your Bitcoins



Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
