January 4, 2019
Vein authentication beaten by wax hand and photograph
By John E Dunn
For anyone who believes vein authentication is more secure than fingerprints or facial recognition, we have good news – researchers have just shown how the technology can be beaten.
Before we explain why that statement isn’t a contradiction, let’s dive a bit deeper into what researchers Jan Krissler and Julian Albrecht reportedly outlined at last weekend’s Chaos Communication Congress (CCC) in Germany.
As with fingerprints, faces, or the iris of the human eye, the complex shape, size and position of veins in someone’s palm is unique to each person, including for identical twins.
These patterns are read using near-infrared light (i.e. almost visible as opposed to the non-visible ‘far’ infrared emitted by warm objects) and are less prone to physical injury than fingerprints. Unlike fingerprints, we also don’t leave them on the objects we touch for someone to copy.
There are disadvantages: vein patterns change slightly as people age, ambient light can interfere with recognition, and the precision needed to make the technology work makes it expensive.
That last issue might explain why, beyond a handful of banks and high-end users such as the HQ of Germany’s Bundesnachrichtendienst (BND) intelligence agency, few people are currently likely to encounter the use of vein authentication.
Read more at https://nakedsecurity.sophos.com/2019/01/04/vein-authentication-beaten-by-wax-hand-and-photograph/
Don’t fall victim to the Chromecast hackers – here’s what to do
By Paul Ducklin
If you ever used dial-up networking to access the internet, you probably remember it mostly for being cumbersome and slow.
But it was also astonishingly insecure, because your computer – which was probably running Windows 95, Windows 3, or even good old DOS – ended up with a public-facing IP number, connected straight onto the internet.
Other users out there could, literally and figuratively, reach out and probe your computer directly.
In recent years, however, we’ve got used to the idea that home computers don’t get plugged directly onto the internet – they typically connect through a router instead, and it’s the router that’s plugged into the internet connection.
Indeed, it’s tempting to assume that home routers came about specifically to address the security risks inherent in connecting laptops and other home devices straight onto the internet…
…but the truth is that the main reason for having a home router is to support multiple devices through connection sharing.
That means your ISP only needs to hand out one IP number per household, rather than one IP number per device.
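The connection-sharing behaviour described above, and the side effect it has on what outsiders can reach, can be modelled in a few lines. The following is an added example, not code from the article: a toy port-address-translation (PAT) router that maps each outbound flow from a private address to a port on a single public address, delivers replies only to flows it opened, and drops unsolicited inbound packets. The addresses and port numbers are constructed (RFC 5737 documentation ranges); real routers keep timers, handle UDP and ICMP differently, and may forward ports deliberately, none of which is modelled here.

```python
"""Toy NAT/PAT model: many private hosts share one public IP (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal port-address-translation model.

    One public IP is shared by every device on the LAN: each outbound flow
    gets its own public port, and the reverse table is what lets replies
    find their way back. Anything that is not a reply to a known flow has
    no table entry and is dropped, which is why a NAT router incidentally
    hides hosts in a way a dial-up host with a public IP never was.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.outbound = {}
        # public_port -> (private_ip, private_port, dst_ip, dst_port)
        self.inbound = {}

    def send_out(self, pkt):
        """Translate a LAN-originated packet so it leaves with the public IP."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def receive_in(self, pkt):
        """Return the packet rewritten for the LAN host, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # no flow was ever opened on this port: unsolicited, drop it
        private_ip, private_port, dst_ip, dst_port = entry
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None  # reply must come from the host the flow was opened to
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo():
    """Two LAN hosts share one public address; replies route back, strangers are dropped."""
    router = NatRouter("203.0.113.7")  # constructed public IP (RFC 5737 range)
    laptop = router.send_out(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    phone = router.send_out(Packet("192.168.1.11", 51000, "198.51.100.5", 443))
    reply = router.receive_in(Packet("198.51.100.5", 443, "203.0.113.7", laptop.src_port))
    stranger = router.receive_in(Packet("198.51.100.99", 12345, "203.0.113.7", 22))
    return {
        "shared_public_ip": laptop.src_ip == phone.src_ip,
        "distinct_public_ports": laptop.src_port != phone.src_port,
        "reply_reached": (reply.dst_ip, reply.dst_port) if reply else None,
        "stranger_dropped": stranger is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last line of `demo()`: the probe to port 22 is dropped not because anything decided it was hostile, but because the translation table has no entry for it. That is the accidental protection the article is contrasting with the dial-up era, and it is also why any device that asks the router to open a port (or why a router with UPnP left enabled) gives that protection away for that port.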
Read more at https://nakedsecurity.sophos.com/2019/01/04/dont-fall-victim-to-the-chromecast-hackers-heres-what-to-do/
EU to offer nearly $1m in bug bounties for open-source software
By Lisa Vaas
The internet runs on open-source, and it’s often hardworking volunteer developers who spend long hours keeping the projects alive. Unfortunately, they don’t always have the time or resources they need to hunt down the bugs that inevitably spring up in these large, complex code bases.
The European Commission (EC) just made a move to improve the situation: it’s ponying up serious money for bug hunters who track down vulnerabilities in some of the most popular free and open source software around.
The full list of 15 bounty programs includes the file archiver 7-zip, the Java servlet container Apache Tomcat, the content management framework Drupal, the cross-platform FTP application Filezilla, the media player VLC, the password manager KeePass, the text/source code editor Notepad++, plus other popular tools. Rewards start at €25,000 and go up to €90,000 ($28,600 to $103,000), for a total offered amount of €851,000 ($973,000).
Fourteen of the programs will launch this month, while the 15th will start in March.
As with other bug bounties, the amount paid by the EC will depend on the severity of the discovered vulnerabilities and how important the given software is.
Read more at https://nakedsecurity.sophos.com/2019/01/04/eu-to-offer-nearly-1m-in-bug-bounties-for-open-source-software/
US newspapers battle ransomware
By John E Dunn
As if the US newspaper industry doesn’t have enough to contend with, on the morning of 29 December one of its largest publishing groups, Tribune Media, found itself battling a major ransomware attack.
This caused big problems for many newspapers in its stable, including the Chicago Tribune and New York Daily News, as well as the Los Angeles Times and San Diego Union-Tribune, which were sold last year but still share Tribune Media’s publishing platform.
The disruption varied from title to title: in most cases Saturday’s delivery was delayed by up to 24 hours, while some titles were printed without their regular sections.
Even The New York Times and The Wall Street Journal, which were not directly affected but share an LA printing press for some editions, were disrupted.
But who was to blame?
A report in the Los Angeles Times said an informed source had identified a “foreign entity,” before going on to mention an important detail:
One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.
As our recent article on the topic noted, Ryuk has been connected to North Korea on the basis of some similarities (such as the encryption used) between it and another ransomware called Hermes, which some people attribute to North Korea’s Lazarus Group.
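The one concrete indicator the report gives is the “.ryk” file extension. A first-response sweep for that kind of marker is simple to script, and the following is an added example (not the article’s code and not a Ryuk-specific tool): it walks a directory tree, flags files whose extension is on a watchlist, and counts hits per directory so a responder can see which shares were touched. The sample tree and file names are constructed inside the script; the watchlist contains only the extension quoted in the article, and an extension match is a triage signal to act on quickly, not proof of a particular family.

```python
"""Sweep a directory tree for files renamed with a ransomware marker extension (constructed example)."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# The article reports ".ryk" as the extension seen on the corrupted files.
# Any further entries would be an assumption; keep the list to what is sourced.
SUSPICIOUS_EXTENSIONS = {".ryk"}


def find_suspicious_files(root, extensions=SUSPICIOUS_EXTENSIONS):
    """Return (hit_paths, hits_per_directory) for files whose suffix is on the watchlist.

    Suffix comparison is case-insensitive, and only the final suffix is checked,
    so 'frontpage.indd.ryk' matches while 'frontpage.indd' does not.
    """
    hits = []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in extensions:
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return hits, per_dir


def build_sample_tree():
    """Create a constructed sample tree: two ordinary files and two renamed as if encrypted."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-demo-")
    sample_files = [
        "layout/frontpage.indd.ryk",  # constructed: looks like an encrypted layout file
        "layout/sports.indd.RYK",     # constructed: upper-case suffix should still match
        "layout/notes.txt",
        "archive/2018-12.pdf",
    ]
    for rel in sample_files:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content")
    return root


def demo():
    """Build the sample tree, sweep it, and return (hit_count, per-directory counts)."""
    root = build_sample_tree()
    hits, per_dir = find_suspicious_files(root)
    # Report directory names relative to the sample root so the output is readable.
    relative_counts = {os.path.relpath(d, root): n for d, n in per_dir.items()}
    return len(hits), relative_counts


if __name__ == "__main__":
    count, by_dir = demo()
    print(f"{count} flagged file(s): {by_dir}")
```

On a real incident the same function would be pointed at the affected file shares, and the per-directory counts are the useful part: a handful of hits in one folder and thousands in another tells you where encryption was active and therefore where to pull logs and isolate hosts first.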
Read more at https://nakedsecurity.sophos.com/2019/01/03/us-newspapers-battle-ransomware/
Dark Overlord hackers release alleged 9/11 lawsuit documents
By Lisa Vaas
Bright new year, slimy return of The Dark Overlord (TDO), a well-known group of highly self-amusing cyber extortionists who’ve now chosen 9/11-related firms to pick on.
The group announced on Pastebin (content now removed) on New Year’s Eve that it had hacked a law firm that handles cases relating to the 11 September 2001 terrorist attacks. It threatened to publicly release what it claimed are gigabytes of confidential, litigation-related documents:
E-mails, retainer agreements, non-disclosure agreements, settlements, litigation strategies, liability analysis, defense formations, collection of expert witness testimonies, testimonies, communications with government officials in countries all over the world, voice mails, dealings with the FBI, USDOJ, DOD, and more, confidential communications, and so much more.
The gang is apparently expanding its repertoire to include capitalizing on conspiracy theories. It tweeted on Monday about “providing many answers” about such conspiracies with the document cache.
Come and get ’em, TDO said to terrorists and enemy states:
If you’re a terrorist organization such as ISIS/ISIL, Al-Qaeda, or a competing nation state of the USA such as China or Russia, you’re welcome to purchase our trove of documents.
Then, on Wednesday morning, TDO announced on Pastebin (content now removed) that it had released a teaser’s worth of documents to verify its claims. It presented a tiered plan to “release each layer of damaging documents that are filled with new truths, never before seen.”
Each layer contains more secrets, more damaging materials, more SSI [Sensitive Security Information], more SCI [Special Compartment Information], more government investigation materials, and generally just more truth. Consider our motivations (money, specifically Bitcoin), we’re not inclined to leak the juiciest items until we’re paid in full.
As of yesterday afternoon, the group’s bitcoin wallet had received three payments. Also yesterday, Twitter suspended an account, @tdo_h4ck3rs, that recently began selling access to stolen legal documents.
Read more at https://nakedsecurity.sophos.com/2019/01/03/dark-overlord-hackers-release-alleged-9-11-lawsuit-documents/
Warn your friends they can’t bypass Facebook with this hoax
By Lisa Vaas
Sorry to say, but 2019 has not ushered in new “tips to bypass FB” as it supposedly limits posts on your news feed.
Nor has Facebook ushered in a new algorithm that “chooses the same few people – about 25 – who will read your posts”, at least not that we’ve heard.
Rather, we’re still stuck with whatever murky, stubbornly unfathomable algorithms Facebook uses to determine the order of content in our feeds, regardless of what the latest, breathless spin on this wheezy old hoax wants you to believe. To wit:
Thanks for the tips to bypass FB – it WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years.
Here’s how to bypass the system FB now has in place that limits posts on your news feed.
Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go to your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up; click paste. This will bypass the system. Hi new and old friends!
Read more at https://nakedsecurity.sophos.com/2019/01/03/warn-your-friends-they-cant-bypass-facebook-with-this-hoax/