January 16, 2019

Are you sure those WhatsApp messages are meant for you?

By Danny Bradbury

Senior Amazon technical expert Abby Fuller had a bit of a shock when she logged into WhatsApp using a new telephone number earlier this month. She found someone else’s messages waiting for her.

WhatsApp, which Facebook purchased for $19bn in 2014, advertises itself as a secure, reliable messaging app.

The service prides itself on not retaining messages on its servers once they have been delivered. Fuller was using a new telephone number on a new mobile device. Her SIM card was new, and she hadn’t restored any backed-up messages from anywhere. So what gives? How did messages meant for someone else get onto her phone?

WhatsApp ties user accounts to their phone numbers. The problem is that people don’t always keep their phone numbers forever. When someone stops using a number, by ending their smartphone contract for example, it goes back into a pool of numbers and under FCC rules it can be reassigned to someone else after 90 days.

Read more at https://nakedsecurity.sophos.com/2019/01/16/whatsapp-messages-may-not-be-for-you-just-ask-this-software-engineer/

Intel patches another security flaw in SGX technology

By John E Dunn

Intel last week released six advisories covering a range of products, the most interesting of which is a flaw discovered in the company’s Software Guard Extensions (SGX) built into all Intel processors since the company’s sixth-generation Skylake processors in 2015.

Discovered by independent researcher SaifAllah benMassaoud, the latest SGX vulnerability (CVE-2018-18098) is a weakness in the software layer that enables SGX hardware that could allow what Intel euphemistically describes as “escalation of privilege or information disclosure.”

SGX makes possible ‘secure enclaves’ that can be used for a variety of purposes, including Digital Rights Management (DRM). Essentially, an application can put whatever data it is working on into one of these so that no other application can access, compromise or copy it.

Intel offers few details as to how this flaw affects that integrity. However, benMassaoud told The Register that a simple batch script sent via email could be used to launch an attack exploiting the flaw:

“Once the file is opened by the victim who uses the affected software, it will automatically download and execute a malicious code from attacker’s server to the vulnerable setup version of Intel SGX SDK and Platform Software on the victim’s machine.”

There’s also a video that demonstrates the proof of concept.

Read more at https://nakedsecurity.sophos.com/2019/01/16/intel-patches-another-security-flaw-in-sgx-technology/

Beware buying Fortnite’s V-Bucks, you could be funding organised crime

By Lisa Vaas

Crooks are laundering money through Fortnite’s in-game currency, known as V-Bucks, according to an investigation carried out by The Independent and cybersecurity firm Sixgill.

They’re using stolen credit cards to purchase V-Bucks, then selling the currency at a discount to players on the Dark Web and thereby cleaning the money.

Why do we keep hearing about yet more scams that revolve around Fortnite? Same reason that robbers rob banks: that’s where the money’s at.

Be they young, old, and/or dressed up in the skin of an anthropomorphic tomato, players worldwide flock to the free Fortnite Battle Royale, to the tune of what its maker, Epic Games, said was more than 125 million players across all platforms as of June 2018.

Before its release, we saw fraudsters exploit gamers’ keen anticipation to get invitations to the release, flogging their fictional “extra free invites!!!” as they looked for profit or for pumped-up Twitter followers/likes/retweets/comments.

Then we saw scammers seed the internet with fake Fortnite apps that never loaded the actual game and instead churned victims through the downloading of other apps that the fraudsters got paid to disseminate.

Then, within a year of its 2017 launch, we saw hijacked Fortnite accounts being hawked on Instagram: what Kotaku called a “booming industry”.

Read more at https://nakedsecurity.sophos.com/2019/01/16/beware-buying-fortnites-v-bucks-you-could-be-funding-organised-crime/

Feds can’t force you to unlock your phone with finger or face, says judge

By Lisa Vaas

A Northern California federal judge ruled last week that police can’t force suspects to unlock their phones with their fingers, eyes or face, even with a warrant, because it amounts to the same type of self-incrimination as being forced to hand over your passcode.

If other courts apply her decision, it could set an important precedent in Fifth Amendment interpretation and the debate between compelling suspects to use “what they are” (i.e., forced use of their bodies) vs. “what they know” (i.e., forcing suspects to unlock their brains to get at their passcodes).

As Forbes reports, Judge Kandis Westmore ruled that compelled testimony is compelled testimony, regardless of whether it’s a passcode uttered aloud or a forced finger swipe. In this day and age, multiple forms of authentication unlock treasure troves of personal data, she wrote.

“If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”

Judge Westmore wrote the decision in denial of a warrant to police who were investigating alleged extortion in Oakland, California. The suspects allegedly used Facebook Messenger to threaten a man with the release of an embarrassing video unless he coughed up money.

Read more at https://nakedsecurity.sophos.com/2019/01/16/police-cant-compel-biometric-phone-unlocking-rules-judge/

Windows 7 users get fix for latest updating woe

By John E Dunn

Microsoft has vexed its users with another misbehaving update.

The latest problem occurred on 8 January when enterprise users running Windows 7 or Windows Server 2008 R2 with a Key Management Service (KMS) started complaining on Microsoft’s TechNet forums and Reddit that they were seeing two errors, the first relating to licensing, the second networking.

In the first, users were seeing a “Windows is not genuine” error dialogue after logging in, which allowed them to run their copy with this message embedded as a desktop watermark.

The second error appears to have been a problem with different symptoms resulting in users not being able to access SMB2 shares or start remote desktop connections through both admin and non-admin accounts.

At first it was assumed that the problems were connected to separate security and feature updates for Windows 7 – KB4480960 and KB4480970 – which were issued as part of Patch Tuesday.

It later transpired that the problem wasn’t with either of those updates and was instead connected to a change made to the Microsoft Activation and Validation servers affecting anyone who had installed an old update, KB971033, which originally appeared last April.

Read more at https://nakedsecurity.sophos.com/2019/01/15/windows-7-users-get-fix-for-latest-updating-woe/

Blockchain burglar returns some of $1m crypto-swag

By Danny Bradbury

It isn’t often that the villains show their soft side, but a blockchain burglar apparently did just that last week. An unidentified thief who stole over $1 million from the Ethereum Classic blockchain has given some of it back.

The thief exploited a loophole called a “51% attack”, which exists in Ethereum Classic and several other cryptocurrencies and enables attackers to rewrite the blockchain and spend cryptocurrency twice. They used the technique to attack several cryptocurrency exchanges with fraudulent transactions.

Then, less than a week later, they returned some of the cash, said affected exchange Gate.io in a statement:

“On Jan.10, we found that the recent ETC 51% attacker returned 100k USD value of ETC back to Gate.io.”

Cryptocurrencies like Ethereum Classic are based on a proof-of-work algorithm, in which many different computers compete to solve a mathematical problem. The computer that wins the competition gets to seal the last few minutes’ transactions into a block (a little like a page in an accounting ledger).
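The sealing step described above can be shown with a toy ledger. This is an added example, not code from the article or from Ethereum Classic; the block layout, the difficulty value and the transfers are assumptions made for illustration. It shows that a verifying node rejects a sealed block whose contents were edited, and that the chain only validates again once the proof-of-work has been redone, which is the work a majority of the network's computing power makes feasible.

```python
import copy
import hashlib
import json

DIFFICULTY = 3          # required leading zero hex digits; toy value for a fast demo
GENESIS_PREV = "0" * 64

def block_hash(block):
    """SHA-256 over the block's canonical JSON encoding."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(prev_hash, txs):
    """The 'competition': try nonces until the block hash meets the target."""
    block = {"prev": prev_hash, "txs": txs, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    return block

def build_chain(batches):
    """Seal each batch of transactions into a block linked to the previous one."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        chain.append(mine(prev, txs))
        prev = block_hash(chain[-1])
    return chain

def first_invalid(chain):
    """Index of the first block a verifying node would reject, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev"] != prev or not digest.startswith("0" * DIFFICULTY):
            return i
        prev = digest
    return None

# Constructed ledger of made-up transfers.
BATCHES = [["alice->exchange 10"], ["exchange->bob 4"], ["bob->carol 1"]]
CHAIN = build_chain(BATCHES)

def demo():
    """Rejection index for the honest, the edited and the fully re-mined chain."""
    forged = copy.deepcopy(CHAIN)
    forged[0]["txs"] = ["alice->alice 10"]      # edit a sealed block, keep old nonces
    redone = build_chain([["alice->alice 10"]] + BATCHES[1:])
    return first_invalid(CHAIN), first_invalid(forged), first_invalid(redone)

if __name__ == "__main__":
    print(demo())
```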

Read more at https://nakedsecurity.sophos.com/2019/01/15/blockchain-burglar-returns-some-of-1m-crypto-swag/

Shutdown hits government websites as certificates begin to expire

By Danny Bradbury

The US government shutdown is affecting more than just physical sites like national parks and monuments. Now, government websites are shutting down as their TLS certificates expire, according to internet security and statistics company Netcraft. In an online post, the company says that more than 80 websites using the .gov domain have been made insecure or inaccessible thanks to expired certificates.

TLS certificates are used by websites communicating over encrypted, HTTPS connections. A certificate is used to sign a website’s public encryption key, which ensures that your communication with that website is private and secure: you know which site you’re talking to, and that nobody else is listening in.

The website’s certificate is itself signed by a CA (Certificate Authority) that your browser trusts. Site owners have to renew their certificates every so often, to prove that they’re still the legitimate owners of the site’s encryption keys.

If you visit a site with an expired certificate then your browser will notice and issue a strong warning.

The US government isn’t doing anything deemed nonessential under the current shutdown, and that seems to include renewing TLS certificates. As they expire, sites are beginning to throw expired certificate warnings, and in many cases become unavailable altogether.

One example is NASA’s rocket testing site at https://rockettest.nasa.gov, which throws what’s called an interstitial warning. This means that the certificate has expired, but the browser gives you the option to ignore the warning and visit the website anyway at your own risk. Another site taking this approach to its expired certificate is https://ecf-test.ca6.uscourts.gov, a site used by the US Court of Appeals.
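Expiry of the kind described above is predictable, so it can be caught by a scheduled check of each certificate's validity window. The following is an added example, not code from the article or from Netcraft; the hostnames, dates and the 30-day warning window are constructed assumptions, and the date strings use the format of the `notBefore`/`notAfter` fields that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alerting window; choose one longer than your renewal lead time
# Fixed clock (the article's date) so the result is reproducible.
NOW = int(datetime(2019, 1, 16, tzinfo=timezone.utc).timestamp())

# Constructed inventory: hypothetical hosts and dates, in the string format of
# the notBefore/notAfter fields returned by ssl.SSLSocket.getpeercert().
INVENTORY = [
    {"host": "portal.agency.example",
     "notBefore": "Jan  5 12:00:00 2018 GMT", "notAfter": "Jan  5 12:00:00 2019 GMT"},
    {"host": "forms.agency.example",
     "notBefore": "Feb  1 00:00:00 2018 GMT", "notAfter": "Feb  1 00:00:00 2019 GMT"},
    {"host": "www.agency.example",
     "notBefore": "Nov 20 00:00:00 2018 GMT", "notAfter": "Nov 20 23:59:59 2019 GMT"},
    {"host": "new.agency.example",
     "notBefore": "Mar  1 00:00:00 2019 GMT", "notAfter": "Mar  1 00:00:00 2020 GMT"},
]

def classify(cert, now, warn_days=WARN_DAYS):
    """Return (status, whole days until expiry) for one certificate at Unix time `now`."""
    starts = ssl.cert_time_to_seconds(cert["notBefore"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (expires - now) // 86400
    if now < starts:
        return "NOT_YET_VALID", days_left
    if now >= expires:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "RENEW_NOW", days_left
    return "OK", days_left

def audit(inventory, now):
    """Classify every certificate and list the most urgent first."""
    rows = [(c["host"],) + classify(c, now) for c in inventory]
    return sorted(rows, key=lambda r: r[2])

if __name__ == "__main__":
    for host, status, days in audit(INVENTORY, NOW):
        print(f"{status:14} {days:5d}d  {host}")
```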

Read more at https://nakedsecurity.sophos.com/2019/01/14/shutdown-hits-government-websites-as-certificates-begin-to-expire/
