Voting machine manual tells officials to reuse weak passwords

By Lisa Vaas

Sysadmins will tell you that pathetically weak passwords are, in the words of one Redditor, “crazy normal.”

You have no idea how many Excel sheets containing passwords have “Passw0rd1!” peppered in them.

Right. But in this case, we’re not talking about any old vanilla set of users who get it into their heads, in spite of what one presumes/hopes to be organizational policy to the contrary, to cook up weak and/or iterative passwords. Rather, we’re talking about a vendor manual for voting machines that instructs users – and in this case, that means election officials – to use weak, iterative passwords.

On Monday, Motherboard published a report by Kim Zetter about these manuals, which, Zetter says, are used in about 10 states.

The manuals tell customers to use easy-to-guess, easy-to-crack passwords… and, in spite of the legions of security experts who advise against the practice of password reuse, to go right ahead and reuse those passwords when changing login credentials per federally mandated password-change prompts.

Motherboard hasn’t been able to verify what vendor produced the manual, but given that it’s for a Unisyn optical vote-counting machine, and that “unisyn” is one of the passwords suggested in the manual, one imagines it might have some ideas on the matter. However, it hadn’t responded to Zetter’s requests for comment as of Tuesday evening.

Unisyn machines are used in 3,629 precincts in 12 states, plus Puerto Rico.

Read more at https://nakedsecurity.sophos.com/2018/11/07/voting-machine-manual-tells-officials-to-reuse-weak-passwords/

Serious XSS flaw discovered in Evernote for Windows, update now!

By Danny Bradbury

Online note sharing company Evernote has patched a hole that allowed attackers to infect notes shared via its service. The vulnerability (CVE-2018-18524) could have allowed an attacker to run programs remotely on a victim’s computer simply by sharing a note with them and persuading them to view it.

Evernote has patched the vulnerability in Evernote for Windows 6.16.1 beta.

The vulnerability, discovered by TongQing Zhu, a researcher at Chinese cybersecurity company Knownsec, was a form of cross-site scripting (XSS) attack. XSS attacks allow attackers to inject malicious code into websites, and they come in two forms:

The first is the way we normally think of XSS, called reflected XSS. Reflected XSS works by poisoning links to legitimate websites with malicious, executable code. When the victim clicks the link, the vulnerable website processes the link’s information as normal, to work out which page to give you, and inadvertently runs the malicious code at the same time.

For this to work, the attacker has to fool you into clicking on link they’ve given you, either by sending it to you in an email or adding it to another website or social media post.

The second type of XSS exploit, which is what Zhu found in Evernote, is called stored or persistent XSS. Instead of poisoning a malicious link and hoping you click it, the attacker embeds their malicious code into the website directly.

To pull this off they typically have to find a place on a website that embeds user-supplied data, such as a comment form, into which they inject their code. Anyone landing on the page after the attacker will automatically execute the code they’ve left behind.

Read more at https://nakedsecurity.sophos.com/2018/11/07/serious-xss-flaw-discovered-in-evernote-for-windows-update-now/

WhatsApp ‘martinelli’ warning is a hoax, don’t forward it

By Lisa Vaas

Here’s a WhatsApp chain letter that’s been making the rounds:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word. If you receive a message to update the Whatsapp to Whatsapp Gold, do not click !!!!!

Now said on the news this virus is difficult and severe

Pass it on to all

Received by a Sophos staffer, it might be easy to dismiss it offhand, given its mangled English-ish syntax.

Unfortunately, it’s only half rubbish. It’s a cocktail of one shot of bogus and one shot of authentic “yikes!” …It includes:

1. A fictional threat: the “martinelli” video, supposedly carrying virus and mayhem.
2. A real threat: WhatsApp Gold, a supposedly premium service offered by WhatsApp that’s anything but.

Read more at https://nakedsecurity.sophos.com/2018/11/07/whatsapp-martinelli-warning-is-a-hoax-dont-forward-it/

Android November update fixes flaws galore

By John E Dunn

Studying Android’s November security bulletin, you’ll notice that there’s a fair amount to patch.

In total, there are 36 vulnerabilities assigned a CVE, and another 17 relating to Qualcomm components rather than Android itself.

Within Android, four rated are critical and 13 rated as high. If there’s a standout it might be CVE-2018-9527, simply because it’s a Remote Code Execution (RCE) vulnerability affecting all versions of from Android 7.0 (Nougat) onwards.

The other RCEs are CVE-2018-9531 and CVE-2018-9521, although both relate to version 9.0 (Pie), which mainly affects devices released since the summer.

CVE-2018-9531 turns out to be one of a clutch of CVEs arising from the Libxaac library, which Google says has been marked “experimental” and “and is no longer included in any production Android builds.”

Leaving aside the extra flaws added to the mix this month by Qualcomm, November looks very similar to every other month this year – plenty of fixes, exactly what one might expect.

Read more at https://nakedsecurity.sophos.com/2018/11/06/android-november-update-fixes-flaws-galore/

Facebook wants to reveal your name to the weirdo standing next to you

By Lisa Vaas

Not entirely unlike dogs socializing via their nether regions, Facebook’s latest idea is to wirelessly sniff out people around you and make friend suggestions based on what it finds. Only it’s slightly more intrusive than how dogs do it.

The patent, which got the go-ahead last month, is like the current People You May Know feature sprouting legs and trotting up to random strangers who have the awesome good luck of finding themselves in your proximity.

Does Facebook need yet more technology for this? It’s not as if it’s not already adept – to put it lightly – at rummaging through our everything to find ties that bind.

Take, for example, the interview published by Fusion editor Kashmir Hill a few years ago: it was with a father who attended a gathering for suicidal teens. The father was shocked to discover that following the highly sensitive meeting one of the participants duly appeared in his People You May Know feed.

The only thing the two people seemed to have in common was that they’d been to the same meeting.

According to Hill:

The two parents hadn’t exchanged contact information (one-way Facebook suggests friends is to look at your phone contacts). The only connection the two appeared to have was being in the same place at the same time, and thus their smartphones being in the same room.

Hill said that Facebook’s response gave her “reportorial whiplash”: first, it suggested that location data was used by People You May Know if it wasn’t the only thing that two users have in common, then said that it wasn’t used at all, and then finally admitted that it had been used in a test late in 2015 but was never rolled out to the general public.

Read more at https://nakedsecurity.sophos.com/2018/11/06/facebook-wants-to-reveal-your-name-to-the-weirdo-standing-next-to-you/