Russian ISPs plan internet disconnection test for entire country

By John E Dunn

At a time and date during 2019 yet to be confirmed, Russia’s major ISPs will in unison temporarily disconnect their servers from the internet, effectively cutting the country off from the outside world.

From the point of view of Russian internet users, everything will appear normal – as long as they are connecting to websites hosted in Russia, which will still work. Anything beyond its borders will suddenly become unavailable, presumably with a message telling them why. It’s not clear how long the test disconnection will go on for.

According to a translated report by Russian news agency RosBiznesKonsalting (RBK), the aim will be to test the feasibility of a concept dubbed the “sovereign RuNet”, or the Russian Internet.

A draft law proposing such a thing reached Russia’s parliament in December, since when the implications of the test disconnection, however temporary, have dawned on nervous local ISPs.

ISPs want more money to help with the test, as well as guarantees they won’t be saddled with the bill to implement a separate proposed system of control in which internet traffic will be routed via the country’s telecom regulator, Roskomnazor.

Read more at https://nakedsecurity.sophos.com/2019/02/12/russian-isps-plan-internet-disconnection-test-for-entire-country/

Apple sued for ‘forcing’ 2FA on accounts

By Lisa Vaas

New York resident Jay Brodsky has filed a class action lawsuit against Apple, claiming that the company forces users into a two-factor authentication (2FA) straitjacket that they can’t shrug off, that it takes up to five minutes each time users have to enter a 2FA code, and that the time suck is causing “economic losses” to him and other Apple customers.

The lawsuit, filed on Friday in Newport Beach, California, is accusing Apple of “trespass,” based on Apple’s “locking [Brodsky] out” of his devices by requiring 2FA that allegedly can’t be disabled after two weeks.

From the filing:

Plaintiff and millions of similarly situated consumers across the nation have been and continue to suffer harm. Plaintiff and Class Members have suffered economic losses in terms of the interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in.

The reference to two weeks comes from support email that Apple sometimes sends out to Apple ID owners after it enables 2FA. That email contains what the lawsuit claims, with italicized emphasis, is an unobtrusive last line that says that owners have two weeks to opt out of 2FA and go back to their previous security settings.

Read more at https://nakedsecurity.sophos.com/2019/02/12/apple-sued-for-forcing-2fa-on-accounts/

Kids as young as eight falling victim to online predators

By Maria Varmazis

Barnardo’s, a major children’s charity in the UK, has found that children as young as eight are being sexually exploited online via social media. In prior years, the youngest respondents to the Barnardo’s survey were 10, suggesting an unfortunate downward trend in progress.

The newest draw for young children, and sadly those who prey on them, is live streaming. Barnardo’s says that video streaming apps like TikTok, as well as streaming within already-popular apps like Instagram, are both extremely popular and very hard to moderate. When you add in the real-time comments posted directly to the person streaming, unfortunately you have an environment that’s ripe for exploitation.

Just last year, Barnardo’s ran a survey via YouGov in the UK and found 57% of 12-year-olds surveyed and 28% of 10-year-olds had live-streamed content on apps that are supposed to be used only by over-13s. In addition, about a quarter of the 10 to 16-year-olds surveyed said they regretted something they had posted online via live streaming.

Barnardo’s Chief Executive Javed Khan:

It’s vital that parents get to know and understand the technology their children are using and make sure they have appropriate security settings in place. They should also talk to their children about sex and relationships and the possible risks and dangers online so children feel able to confide in them if something doesn’t feel right.

Contrary to some popular opinion on the subject, Barnardo’s says that based on the children they have helped, there’s no typical profile of a child who tends to fall victim to sexual exploitation online. The stereotype of the child from a troubled home being a ripe target for exploitation online doesn’t appear to hold true.

Read more at https://nakedsecurity.sophos.com/2019/02/12/kids-as-young-as-eight-falling-victim-to-online-predators/

Brave browser explains Facebook whitelist to concerned users

By Danny Bradbury

Privacy-conscious web browser company Brave was busy trying to correct the record this week after someone posted what looked like a whitelist in its code allowing its browser to communicate with Facebook from third-party websites.

Launched in 2016, Brave is a browser that stakes its business model on user privacy. Instead of just serving up user browsing data to advertisers, its developers designed it to put control in the users’ hands. Rather than allowing advertisers to track its users, the browser blocks ad trackers and instead leaves users’ browsing data encrypted on their machines. It then gives users the option to receive ads by signaling basic information about their intentions to advertisers, but only with user permission. It rewards users for this with an Ethereum blockchain-based token called the Basic Attention Token (BAT). Users can also credit publishers that they like with the tokens.

Read more at https://nakedsecurity.sophos.com/2019/02/12/privacy-browser-braves-user-concern-over-facebook-whitelist/

Facebook defends gun-law loophole firm as “political advertisers”

By Lisa Vaas

A gun safety group has criticized Facebook for taking what The Telegraph reports is millions of dollars in advertising money to sell permits to carry concealed weapons to people who lack real-life training in handling firearms.

The Telegraph quoted David Chipman, a senior policy adviser at the Giffords Law Center to Prevent Gun Violence as well as a former SWAT team officer who has a concealed carry permit:

A company has choices to make, to look if it’s in the interests of their company to support people carrying guns that haven’t been trained to use them.

I would just want [Facebook] to make that decision with eyes wide open. You don’t get that training by answering multiple guess questions on the internet.

Facebook’s records reportedly show that the platform has taken in at least $3.7 million since May, advertising what’s called the “Virginia loophole”.

The Virginia loophole

Virginia, a gun-friendly state, allows people from other states to take an online class, pay a $100 fee and, after a background check, get a concealed “non-resident” carry license.

As local Texas station WFAA reported in May 2018, some other US states will honor the Virginia non-resident license, in spite of applicants never having to show that they know how to load a gun or shoot safely.

Read more at https://nakedsecurity.sophos.com/2019/02/12/facebook-defends-gun-law-loophole-firm-as-political-advertisers/

Crypto mirror on the wall, who’s the smartest of them all?

By Paul Ducklin

A recent BBC TV series entitled Icons asked the question, “Who was the greatest person of the 20th century?”

That’s a huge and controversial question in any country, in any language, in any category – and, as you can imagine, the answer’s even bigger, and no doubt even more controversial.

There were seven categories: Artists & Writers, Sports Stars, Activists, Entertainers, Scientists, Explorers and Leaders.

The nominees had to be both important and influential – people whom you’d recognise not only for being top in their field, but also for the significance of what they did.

For example (these are off the top of our head): George Orwell, Jesse Owens, Mohandas Gandhi, Dame Vera Lynn, Rosalind Franklin, Sir Edmund Hillary and Nelson Mandela.

In fact, only one of the people listed above made the final seven…

…and didn’t win.

Read more at https://nakedsecurity.sophos.com/2019/02/11/crypto-mirror-on-the-wall-whos-the-smartest-of-them-all/

McDonalds app users hatin’ it after being hacked by hungry hamburglars

By Danny Bradbury

At least two users of the McDonalds mobile app aren’t lovin’ it after thieves hijacked their accounts and ordered hundreds of dollars of food for themselves.

Lauren Taylor of Halifax, Nova Scotia was shocked to find her bank account almost empty after someone used the McDonald’s mobile app to buy $500 of fast food over 1200 kilometers away in Montreal, Quebec.

The crook managed to compromise her account to run up the bills in a five-day period from 25-29 January. Every time the hungry hijacker scored a Big Mac and fries, a receipt showed up in her inbox. Unfortunately, she doesn’t check her email that regularly. By the time she did, she had just $1.99 left. She explained that she had to find rent, and presumably someone in Montreal had to find a larger pair of pants with an elasticated waist.

After ordering food through the McDonalds app, customers can check in when they reach the restaurant. The app then charges the debit card that they registered onto the system, and a member of staff will deliver it to them curbside. To get the food, the customer has to provide a four-digit code given to them by the app.

McDonalds Canada denied that there was a security problem with the app in an email to Canada’s CBC. A spokesperson said:

We take appropriate measures to keep personal information secure, including on our app. Just like any other online activity, we recommend that our guests use our app diligently by not sharing their passwords with others, creating unique passwords and changing passwords frequently.

Taylor claims that she did, though, arguing that she changes her passwords regularly, never shares them, and keeps them strong. The McDonalds app requires passwords to be eight to 12 characters long, with upper and lowercase characters and at least one number.

Read more at https://nakedsecurity.sophos.com/2019/02/11/mcdonalds-app-users-hatin-it-after-losing-hundreds-to-thieves/