Should company bosses face jail for mishandling your privacy?

By Lisa Vaas

Mark Z, how do you feel about orange? Like, say, in a jumpsuit style?

Kidding! No court has found that you, the Facebook CEO, has purposefully misled the government about how your company did/did not protect consumers’ data during, say, the multifaceted, ever-unfolding, Cambridge Analytica privacy debacle.

Senator Oregon Ron Wyden’s on the case, though, and has now put on the table a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy.

Under his proposed bill, introduced on Thursday and called the Consumer Data Protection Act, execs who knowingly mislead the Federal Trade Commission (FTC) about how their companies protect consumer data could face up to 20 years in prison and $5 million fines.

He’s proposing sunshine. He’s proposing “radical transparency.” He’s proposing legislation with “real teeth” when it comes to punishing companies that vacuum up our data without telling us “how it’s collected, how it’s used and how it’s shared,” Wyden said in a statement.

This is a way to arm consumers against the massive data monetization industry that’s flourished over the past decade, dragging privacy scandals along with it, Wyden said:

Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared.

Besides fines and jail time, Wyden’s proposal would also dramatically beef up resources to go after data miscreants. The cops in this case would be the FTC: to give the Commission the muscle it would need, the senator is proposing jacking up its authority, funding and staffing to crack down on privacy violations. The bill would also mandate easy opt-out for consumers to shrug off hidden tracking of their sensitive personal data.

Read more at https://nakedsecurity.sophos.com/2018/11/05/should-company-bosses-face-jail-for-mishandling-your-privacy/

PortSmash attack steals secrets from Intel chips on the side

By Danny Bradbury

Researchers have developed an exploit that uses a feature in Intel chips to steal secret cryptographic keys.

The proof of concept code, called PortSmash, comes from researchers at Finland’s Tampere University of Technology and the Technical University of Havana, Cuba. It uses a category of exploit called a side channel attack, in which one program spies on another as it runs.

The attack exploits a feature called Simultaneous Multi-Threading (SMT), which runs two programs separately on a single physical CPU core. Although this concept has been around in various chips since the late sixties, this attack focuses on Intel’s version of it, Hyper-Threading, which it started building into its processors in 2002.

Side channel attacks don’t peek at the victim program’s secret directly. Instead, one thread (the attack thread) looks for clues that reveal what the other thread (the victim thread) is doing, and works the secret out from there. They can use a range of signals, including the timing of instructions. PortSmash uses instruction timing based on port contention.

Read more at https://nakedsecurity.sophos.com/2018/11/05/portsmash-attack-steals-secrets-from-intel-chips-on-the-side/

Another day, another update, another iPhone lockscreen bypass

By John E Dunn

Apple keeps releasing iOS updates and Spanish researcher José Rodríguez keeps finding new ways to bypass each version’s lockscreen security.

This week’s target was iOS 12.1, which appeared on Tuesday. By Wednesday, Rodríguez had posted a YouTube video showing how the lockscreen could be beaten with the help of Siri and Facetime to reveal the device’s contact phone numbers and email addresses.

Apart from having physical access to the target iPhone, all an attacker would need is the phone number of the target (if they don’t know the number, they can just ask Siri “who am I?” from the target phone).

Read more at https://nakedsecurity.sophos.com/2018/11/02/another-day-another-update-another-iphone-lockscreen-bypass/

Popular browsers made to cough up browsing history

By Lisa Vaas

Anonymous Coward, in commenting on a report from The Register about vulnerabilities that expose people’s browsing histories, pithily sums up potential repercussions like so:

Sweetheart, what’s this ‘saucyferrets.com’ site I found in your browsing history?

If you value your privacy and your ferret predilections, be advised that in August, security researchers from Stanford University and UC San Diego presented, during the 2018 USENIX Workshop on Offensive Technologies (WOOT), four new, privacy-demolishing attack methods to get at people’s browsing histories.

The novel attacks fit into two classic categories – visited-link attacks and cache-based attacks – and exploit new, modern browser features such as the CSS Paint application programming interface (API) and the JavaScript bytecode cache: two examples of evolving web code that don’t take privacy into account when handling cross-origin URL data, the researchers say.

So-called history sniffing vulnerabilities are as old as dirt, and browser code has addressed them in the past. Here’s a paper written on the issue back in 2000, and here’s a Firefox bug reported that same year about how CSS page disclosure could let others see what pages you’ve visited.

Read more at https://nakedsecurity.sophos.com/2018/11/02/popular-browsers-made-to-cough-up-browsing-history/

Google’s stealthy sign-in sentry can pick up pilfered passwords

By John E Dunn

Two things happened on Halloween with a bearing on cybersecurity.

The first is that the 15^th year of the National Cyber Security Awareness Month (NCSAM) came to an end. You have heard of NCSAM, right?

The second, apparently timed to coincide with 31 October, was that Google is yet again modifying the background security checks it performs during accounts sign-in as well as modifying its recovery process in the event of unauthorized access. There’s also important news if you’re a hold-out against enabling JavaScript.

The main tweak is that Google is upping its detection of people pretending to be you. If you’re unwittingly tricked into handing over your Google username and password in a phishing attack, all isn’t lost. Google thinks it can distinguish a sign-in by the phishing attacker from a sign-in by you.

Wrote Google product manager, Jonathan Skelker in a blog announcement:

When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious.

The company is deliberately vague about what signals indicate this but it alluded to similar ideas in the reCAPTCHA v3 announcement from earlier this week.

Read more at https://nakedsecurity.sophos.com/2018/11/02/googles-stealthy-sign-in-sentry-can-pick-up-pilfered-passwords/

Report reveals one-dimensional support for two-factor authentication

By Danny Bradbury

Online services have several options as they move beyond passwords to try and make accounts more secure. Think of five websites that you have a user account for. How many of them offer you greater security with multi- or two-factor authentication (MFA or 2FA)?

The move to support 2FA is happening, slowly, but a report released this week suggests that many sites are lagging behind.

Password management company Dashlane examined 34 of the more popular consumer websites in the US to see how well they supported MFA.

It scored each site out of five, based on several criteria.

They got one point if they offered SMS or email authentication. They got another for using software tokens like Google Authenticator. Dashlane clearly considers hardware-based authentication superior though, as it awarded three points for websites that offered this option. These are hardware-based cards or keys like Yubikey or Google’s Titan that must be plugged into the computer or held next to it to authenticate the user. The FIDO Alliance’s Universal Second Factor (U2F) authentication is a good example of a standard that supports hardware tokens for accessing online services.

Read more at https://nakedsecurity.sophos.com/2018/11/02/report-reveals-one-dimensional-support-for-two-factor-authentication/

Passcodes are protected by Fifth Amendment, says court

By Lisa Vaas

There was an underage driver at the wheel, driving on a Florida highway. Police say he was speeding.

When he crashed, one of the passengers in his car died. At the hospital, a blood test showed that the minor had a .086 blood-alcohol content: slightly over the legal limit of .08% for non-commercial drivers.

According to court documents, police found two iPhones in the car: one that belonged to a surviving passenger and one that allegedly belonged to the driver. The passenger told police that the friends had been drinking vodka earlier in the day and that she’d been talking with the driver on her iPhone.

The police wanted the driver’s phone, so they got a warrant to search it for data, photos, text messages, and more. They also sought an order compelling the minor to hand over the passcode for the iPhone and for an iTunes account associated with it.

And this is where we get into the evolving world of the Fifth Amendment and compelled passcode disclosure. Last Wednesday, 24 October, the Florida Court of Appeal quashed a juvenile court’s order for the defendant – identified only by his initials, G.A.Q.L., since he’s a minor – to disclose his passcodes.

Read more at https://nakedsecurity.sophos.com/2018/11/01/passcodes-are-protected-by-fifth-amendment-says-court/

Facebook is still approving fake political ads

By Danny Bradbury

Just a couple of weeks before the US midterm elections, journalists have revealed that Facebook is continuing to approve fake advertisements from fake sources. The discovery throws into question the company’s recent pledge to make advertising more transparent on its network.

Embarrassed by Russia’s use of its advertising system to interfere in the US 2016 election, the social media giant launched an initiative in June to make advertising on its network more transparent. This included a requirement for advertisers to disclose who paid for advertisements.

At the time, the company’s COO Sheryl Sandberg said:

Our ultimate goal is very simple: we want to reduce bad ads, we want to make sure that people understand what they’re seeing, who paid for it, and the fullness of what other people might see.

In September, Mark Zuckerberg followed this up with a missive explaining what the company was doing to combat election fraud. He said:

We now also require anyone running political or issue ads in the US to verify their identity and location. This prevents someone in Russia, for example, from buying political ads in the United States, and it adds another obstacle for people trying to hide their identity or location using fake accounts.

This month, VICE News showed that the transparency system for political ads isn’t working. Journalists there ran a test to see how closely Facebook was vetting these advertisers. As it turns out, it isn’t.

Read more at https://nakedsecurity.sophos.com/2018/11/01/facebook-is-still-approving-fake-political-ads/