Opera integrates a cryptocurrency wallet – is this Web 3.0?

By John E Dunn

When it appears in the next few weeks, the latest version of Opera (“Reborn 3” or “R3”) for Windows, Mac and Linux will become the first mainstream desktop browser to integrate a cryptocurrency wallet.

If you believe cryptowallets are about to a become an important way to pay for things on the web, this will sound like another tick in the box for a Chromium-based browser that is still innovating furiously to stay in touch with Chrome, Safari and Firefox.

Alternatively, if you don’t use cryptowallets, you’ll wonder what all the fuss is about – what’s the big deal about a browser with a desktop wallet when there are already plenty of standalone mobile decentralized apps (DApps) that do the same job.

To begin answering this question, in December, Opera Mobile for Android integrated an Ethereum (ETH) Web3 API wallet of its own (served through a platform called Infura), effectively turning its mobile browser into a convenient interface for managing cryptocurrency.

This integrates with the wallet inside Opera R3, which avoids having to have a separate wallet for Windows or Mac as well as providing an easy way for the mobile device to authenticate desktop transactions using something as simple as a fingerprint.

Read more at https://nakedsecurity.sophos.com/2019/02/18/opera-integrates-a-cryptocurrency-wallet-is-this-web-3-0/

Will the EU’s new copyright directive ruin the web?

By Lisa Vaas

The Mars Rover wasn’t the only thing to die last Wednesday. The EU also took another copyright-focused step toward killing the freedom to use memes and what critics say will be the death of the web as a place to freely exchange information.

That tweet comes from one of many people who were concerned when the European Parliament on Wednesday finalized text in the Copyright Directive: legislation whose purpose is to drag copyright law into the digital age and ensure that content creators get paid for their work, be it newspaper copy, music or other copyrighted content.

Due to widely loathed articles in the directive, it or its articles have been called the ‘meme killer’, the ‘link tax’ and the ‘censorship machine’. Those articles, Articles 11 and 13, remain intact in the final text, as final efforts to remove them have failed.

At this point, the only thing standing in the way of the Copyright Directive becoming law is a full vote by the European Parliament and European Council.

Read more at https://nakedsecurity.sophos.com/2019/02/18/will-the-eus-new-copyright-directive-ruin-the-web/

Apple fighting pirate app developers, will insist on 2FA for coders

By Paul Ducklin

Remember how the world’s biggest social network got into trouble with Apple recently over an app called Facebook Research?

The app wasn’t designed for general use – in fact, Facebook couldn’t make it openly available to everyone because it was too snoopy to be allowed in the App Store.

Amongst other things, it peeked into some or all of the network traffic from your other apps, with the goal of improving Facebook by learning more about how people behaved online.

Keeping low-level tabs on what other apps are up to isn’t permitted in regular iPhone software, so Facebook got around these restrictions by offering the app in a limited-access version under Apple’s Enterprise Certificate programme.

That’s the system that businesses can use to write, build and digitally sign apps for their own staff without waiting for Apple to sign the app into the App Store first.

Simply put, it’s the closest thing that Apple has to Google’s “allow apps from unknown sources” option in Android, and it’s the only way, short of jailbreaking, to install software on an iPhone without going to the App Store.

Read more at https://nakedsecurity.sophos.com/2019/02/15/apple-fighting-pirate-app-developers-will-insist-on-2fa-for-coders/

Judge won’t unseal legal docs in fight to break Messenger encryption

By Lisa Vaas

On Monday, a federal judge ordered that legal documents about the government’s fight to force Facebook to break Messenger encryption will be kept secret, Reuters reports.

In doing so, the judge denied motions from the American Civil Liberties Union (ACLU), the Washington Post and other groups that sought to unseal a federal court’s order to force Facebook to wiretap Messenger conversations, which are encrypted end to end.

The case concerned encrypted voice conversations. Investigators wanted to listen in on the conversations as part of an investigation into MS-13, a violent international gang that originated in Los Angeles. The law had already been listening in on ordinary phone calls and Messenger texts between the alleged gang members, but there were reportedly three Messengers calls that they couldn’t hear.

Reuters reports that the suspects on those calls were arrested anyway.

Spokespeople for the ACLU and the DOJ declined to comment, and Facebook’s arguments are sealed. However, US District Judge Lawrence O’Neill, in Fresno, California, reportedly wrote that Facebook was in favor of unsealing the documents, while the DOJ was not.

Read more at https://nakedsecurity.sophos.com/2019/02/15/judge-wont-unseal-legal-docs-in-fight-to-break-messenger-encryption/

Should we profit from the sale of our personal data?

By Lisa Vaas

You are worth $7.37 to Facebook. You are worth $2.83 to Twitter. You are worth 30 cents to Reddit.

Dagnabbit, it’s time to cash in!

That’s the cry from newly minted California Governor Gavin Newsom, who, in delivering his first state of the state address on Tuesday, said it’s time for the state’s consumers to get a cut of the profit tech companies are making by selling users’ personal data.

He asked his aides to cook up a proposal for a “data dividend” to enrich the financial portfolios of California residents, but he gave no hint as to how that might work. Would Twitter cut each user a check? Would Facebook be hit up with a new tax?

We’ll have to wait and see, but in the meantime, Newsom said, these tech giants are rolling in data-derived dough:

Companies that make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it. California’s consumers should also be able to share in the wealth that is created from their data.

Earlier this week, our worth to social media networks was estimated by Axios, which got to those you-are-worth-pennies estimates by pretty much just dividing the platforms’ annual revenues by their numbers of monthly active users.

Read more at https://nakedsecurity.sophos.com/2019/02/15/should-we-profit-from-sale-of-our-personal-data/

Chinese facial recognition database exposes 2.5m people

By Danny Bradbury

A company operating a facial recognition system in China has exposed millions of residents’ personal information online.

Shenzen-based SenseNets is an artificial intelligence company that uses a network of tracking cameras to spot people and log their movements in its database. Unfortunately, the company exposed that information publicly online allowing anyone to access the information in plain text, it emerged this week.

Dutch cybersecurity researcher Victor Gevers found the vulnerable database online and tweeted about it.

The database housed records on over 2.5m people, including their gender, nationality, address, date of birth, photo, and employer. A lot of this was linked to their ID card number, which was also revealed in the database records. China maintains a compulsory national identity card system for residents.

SenseNet maintained a collection of trackers which logged whomever it identified in the database. This created over 6.6m logged entries in a single 24-hour window, Gevers revealed.

Read more at https://nakedsecurity.sophos.com/2019/02/15/chinese-facial-recognition-database-exposes-25m-people/

Photography site 500px resets 14.8 million passwords after data breach

By John E Dunn

Photography website 500px has become the latest online brand to admit suffering a serious data breach.

In an advisory, the company said it became aware of the breach last week. It estimates that the breach took place around 5 July last year.

This affected the majority of the site’s nearly 15 million users, who should shortly receive an email asking them to change their passwords as soon as possible.

Data stolen included names, usernames, email addresses, birth date (if provided), city, state, country, and gender. Also at risk:

A hash of your password, which was hashed using a one-way cryptographic algorithm.

The company hasn’t said which hashing algorithms were in use beyond mentioning that any using the obsolete MD5 function were being reset.

The fact it was using MD5 at all is not terribly reassuring for reasons Naked Security has previously discussed at some length.

A sliver of good news:

At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information.

Who is affected?

Everyone who had an account with 500px on or before 5 July 2018 may be affected by the breach. Users who joined after that will also have to change their passwords (which initiates automatically the next time a user tries to log in) although they will receive notification to do this later than the bulk of affected account holders.

Read more at https://nakedsecurity.sophos.com/2019/02/15/photography-site-500px-resets-14-8-million-passwords-after-data-breach/

Inside a GandCrab targeted ransomware attack on a hospital

By Mark Stockley

Thanks to Sophos experts Vikas Singh and Peter Mackenzie for the research in this article.

Just before 9pm on Sunday, 3 February 2019, a GandCrab executable sparked into life for an instant, before its brief existence was snuffed out by antivirus software. Stopped in its tracks, the malware triggered the first of what would quickly become hundreds of separate alerts for a US healthcare provider in the grip of a targeted ransomware attack.

The organisation’s network of about 500 computers found itself fending off two attacks involving GandCrab ransomware. Because some of the computers on the network weren’t protected by antivirus, the attack provides an unusually colourful illustration of both how a targeted ransomware attack happens, and how different layers of protection interact in defense.

This is how the attack unfolded and how you can stop it happening to you.

Approach

Ransomware is malware that encrypts the contents of a computer and then demands a ransom in return for decrypting it. Ransomware is normally distributed in large scale, untargeted attacks that use malicious websites or email attachments to infect as many victims as possible. Victims are typically asked to pay a few hundred dollars’ worth of Bitcoin to free themselves from the ransomware’s grip.

Read more at https://nakedsecurity.sophos.com/2019/02/14/inside-a-gandcrab-targeted-ransomware-attack-on-a-hospital/

What’s behind this 1,000-character phishing URL?

By Danny Bradbury

Phishing sites are common, but this week the internet found a strange strain that’s a little rarer: a phishing site with a URL almost a thousand characters long. Experts have a good theory about why a scammer would go to all that trouble.

Bleeping Computer learned of a strange phishing campaign which uses an unusually long URL. The mail purports to come from your email provider, telling you that your account has been blacklisted due to multiple login failures. The phisher tries to hook your mail login credentials by getting you to log in again, but of course, the link it provides isn’t really a link to your login provider’s page.

Phishing links generally arrive behind an innocuous piece of text like ‘log in’, ‘reauthorise’ or ‘validate’. Hyperlinks separate the text from the actual links that they follow, though, and unless a victim hovers over the text or right-clicks it, or checks the address bar of their browser after clicking on the link, they won’t know what sites they’re really visiting.

Phishers are aware of this and diligent ones will try to lure you with a URL that looks plausible. They’ll use tricks like top-level domains (TLDs) designed to look like the last couple of words in a legitimate domain, or homographs that use foreign character sets to create English-looking letters. Hyphens and subdomains are also a good way of creating URLs that look like a legitimate site at first glance.

Read more at https://nakedsecurity.sophos.com/2019/02/14/whats-behind-this-1000-character-phishing-url/