Facial recognition on 42 Android phones beaten by photo test

By John E Dunn

How easy is it to bypass the average smartphone’s facial recognition security?

According to the Dutch consumer protection organization Consumentenbond, in the case of several dozen Android models, it’s a lot easier than most owners probably realise.

Its researchers tested 110 devices, finding that 42 could be beaten by holding up nothing more elaborate than a photograph of a device’s owner.

Consumentenbond offers little detail of its testing methodology but it seems these weren’t high-resolution photographs – almost any would do, including those grabbed from social media accounts or selfies taken on another smartphone.

While users might conclude from this test that it’s not worth turning on facial recognition, the good news is that 68 devices, including Apple’s recent XR and XS models, resisted this simple attack, as did many other high-end Android models from Samsung, Huawei, OnePlus, and Honor.

Confusingly, many of the models that failed were from the same vendors, including Asus, Huawei, Lenovo/Motorola, LG, Nokia, Samsung, BlackBerry, and Xiaomi. In the case of Sony, every model tested failed. A further six – an Honor and six LG models – only passed the test when put into a ‘strict’ mode.

Generally, expensive handsets performed better than cheaper ones but this wasn’t always the case. For example, Sony’s $1,000 Xperia XZ2 Premium (US version) failed while Motorola’s Moto G6 costing less than a third of that price tag passed. A full list of the models that passed the photo test can be found on Consumentenbond’s website.

Read more at https://nakedsecurity.sophos.com/2019/01/08/facial-recognition-on-42-android-phones-beaten-by-photo-test/

How to spot a social media hoax

By Lisa Vaas

Well, well, well, if it isn’t the WhatsApp Gold/’martinelli’ video scam, back again, as half-bunk and half-real-threat as ever.

Excellent! It’s a great opportunity to offer some advice on pulling the rug out from under these and other scammers. For the dissection of Gold/martinelli, read on. For some advice to forward to the prey of the scammers, jump on further down!

The current bunk

As Snopes tells it, the WhatsApp Gold scam messages have been kicking around since at least 2016 in varyingly worded messages, claiming that some new “premium service” would get users extra goodies, such as video calling and new emojis.

Hey Finally Secret WhatsApp golden version has been leaked, this version is used only by big celebrities. Now we can use it too.

Users who clicked on the link got no goodies. They got baddies, in the form of a malware-rigged, non-WhatsApp website. The malware, nicknamed WhatsApp Gold, was designed to break into phones and steal victims’ messages and other private data.

Bad enough, eh? Well, the mad cyber scientists decided to make it a bit more poisonous when they wrapped a true warning about the real WhatsApp Gold malware around a bogus warning about a fictional video called martinelli.

Read more at https://nakedsecurity.sophos.com/2019/01/08/how-to-spot-a-social-media-hoax/

Hacker uses early warning system for fake message campaign

By Danny Bradbury

Australians got scary texts, emails and phone calls from a trusted emergency warning service late last week after a hacker broke into its systems and used it to send fake messages.

On 5 January, the intruder compromised systems operated by the Early Warning Network, an Australian company that provides early warning information about severe weather events and bushfires to clients across the country. Started in 2007, the company provides emergency warning services to federal, state and municipal government clients to help protect their citizens.

The hacker used EWN’s systems to send messages to citizens via email, landline phone calls, and SMS. The messages, sent from alerts@ewn.com.au, were titled “EWM Hacked – Privacy Alert” and read:

EWM has been hacked. Your personal data stored with us is not safe. We are trying to fix the security issues. Please email support@ewn.com.au if you wish to subscribe. ewn.com.au ASX AER

The company moved quickly to fix the problem, catching the attack and shutting off the system. Nevertheless, a “small proportion” of its database received the alert, it said in a Facebook notice. Reports indicated that tens of thousands of people had been affected.

Read more at https://nakedsecurity.sophos.com/2019/01/08/hacker-uses-aussie-early-warning-system-for-fake-message-campaign/

LA sues The Weather Channel over selling users’ location data

By Lisa Vaas

Los Angeles has sued The Weather Channel (TWC), claiming that it’s been posing as a “personalized local weather data, alerts and forecasts” app but in truth makes profits by tracking users “throughout the day and night” so as to sell their private, personal location data.

The lawsuit calls The Weather Company’s practices “fraudulent and deceptive” and says they violate California’s Unfair Competition Law. TWC fails to disclose that it collects users’ location data and sends it to third parties, the suit maintains.

It isn’t about analyzing the clouds above our heads for a personalized weather forecast, LA says. Rather, it’s about collecting location data for “advertising and other commercial purposes unrelated to weather data, alerts and forecasts.”

None of the marketing purposes of collecting geolocation data are disclosed on either Apple’s App Store or Google’s Android Play Store versions of the free app, which is also available in an ad-free version for $3.99, the lawsuit notes.

When users download the app, TWC prompts them to allow it to access their location data, but it doesn’t say anything about sharing that data, the lawsuit says:

The permission prompt also fails to reference or link to any other source containing more detailed information about what users’ geolocation information will be used for.

Granted, the app’s privacy policy does note that data could be used for targeted advertising and might be shared with “partners,” the lawsuit says. But why would users even think to look at the policy, given that the prompt doesn’t mention that their data will be used in those ways?

Read more at https://nakedsecurity.sophos.com/2019/01/08/la-sues-the-weather-channel-over-selling-users-location-data/

Hacker doxes hundreds of German politicians

By Lisa Vaas

Since 1 December, one or more hackers have been publishing data and documents from hundreds of German politicians in a Twitter advent calendar – a massive assault on the government that wasn’t discovered until Thursday night.

Apparently, nobody noticed until the hacker hijacked the Twitter account of German YouTube star Simon Unge.

On Friday, Berlin public broadcaster RBB Inforadio was the first to report on the hack.

RBB reported that it’s not yet known who the culprit(s) are. But there are theories: A YouTuber named Tomasz Niemiec told news outlet T-online.de that a guy who’s out to gain attention is behind the attacks.

Niemiec said that he knew the hacker strictly through online communications and that the man has been active for years, collecting data and hacking YouTube accounts.

Niemiec says he talked to the hacker on Friday in an effort to get him to surrender Unge’s hijacked account: a highly valuable one with two million YouTube followers. According to what Niemiec told T-online.de, the hacker has hinted that he hijacked Unge’s account by exploiting a supposed bug in two-factor authentication – a purported bug that he doesn’t intend to publish, Niemiec said.

Read more at https://nakedsecurity.sophos.com/2019/01/07/hacker-doxes-hundreds-of-german-politicians/

Update now! Adobe Acrobat and Reader have critical flaws

By John E Dunn

Adobe has patched two critical flaws in Acrobat and Reader that warrant urgent attention.

Officially, Adobe patches security vulnerabilities around the middle of each month to coordinate with Microsoft’s Patch Tuesday, but recently it’s become almost routine for the company to issue out-of-band updates in between.

APSB19-02, the first of such updates to reach customers in the new year, addresses critical flaws with a priority rating of ‘2’.

That means that the flaw is potentially serious, but Adobe hasn’t detected any real-world exploits (the latter would entail issuing an ‘emergency’ patch with a ‘1’ rating).

The first flaw, identified as CVE-2018-16011, is described by Adobe as a use-after-free bug that could be exploited using a maliciously crafted PDF to take control of a target system with their malware of choice.

The second, CVE-2018-16018 (replacing CVE-2018-19725), is a security bypass targeting JavaScript API restrictions on Adobe Reader DC and seems to have been in the works since before Christmas.

Read more at https://nakedsecurity.sophos.com/2019/01/07/update-now-adobe-acrobat-and-reader-have-critical-flaws/