Booking a restaurant? Let Google’s Duplex AI make the call for you

By John E Dunn

What’s the easiest way to book a restaurant table by phone?

If you own a Google Pixel smartphone and live in one of 43 US states, the new answer to that question might be to ask Google Assistant to make that call on your behalf.

It’s as simple as telling it to “book a table for four people at [restaurant name] tomorrow night”, confirming details such as party size and preferred time. You can then leave Google’s deeply clever Duplex AI system to confirm details with the restaurant. Helpfully, writes Google:

Once your reservation is successfully made, you’ll receive a notification on your phone, an email update and a calendar invite so you don’t forget.

If you’re wondering what that conversation might sound like, that’s the clever bit – Google’s Duplex neural network AI is designed to sound and respond like a human being.

Not long after Google played this voice demo, it found itself in the middle of a backlash about creepy AI systems that simulate humans in ways that (it was argued) risked being deceptive.

To counter this, Google now says the system will announce that “the call is from Google,” while the call will also be recorded and offer the option to talk to a human if people feel intimidated.

Read more at https://nakedsecurity.sophos.com/2019/03/11/booking-a-restaurant-let-googles-duplex-ai-make-the-call-for-you/

FTC says taxpayer voice phishing scams are up nearly 20x

By Lisa Vaas

Have you gotten a (fake!) call from a (not!) US Social Security Administration rep? Maybe one in which you’re told that your Social Security number (SSN) has been suspended because of “suspicious” activity, or because it’s been involved in a crime?

Sometimes, the real Social Security Administration (SSA) phone number – or a number that’s close to it – shows up on your caller ID.

All you have to do to clear up the mess is to confirm your taxpayer ID, the scammer will sometimes say. Or maybe you can take care of it by paying a fine… via gift cards, the codes for which you can read to the imposter over the phone.

Of course, you never want to do any of that: if you hand over your SSN, you’re setting yourself up for identity fraud. If you buy gift cards and hand over the codes, you can kiss that money goodbye. We should never give our SSN, credit card or bank account number to anyone who contacts us.

Unfortunately, some people do. And given that we’re in tax fraud season right now, in the months leading up to the April US filing deadline, it’s time for an updated report from the US Federal Trade Commission (FTC).

Read more at https://nakedsecurity.sophos.com/2019/03/11/ftc-says-taxpayer-voice-phishing-scams-are-up-nearly-20x/

Serious Security: When randomness isn’t – and why it matters

By Paul Ducklin

We’ve written many times about ';--have i been pwned? (HIBP), a website run by security researcher Troy Hunt where you can check how many times your email address has shown up in data breaches.

Amazingly, the number of breached accounts that Troy has processed into his database over the years is just under 7 billion.

We’re not looking at 7 billion real accounts or even still-active accounts, of course, and we’re definitely not looking at 7 billion unique users, which would just about cover everyone on the planet…

…but the cumulative amount of breached data exposed publicly in recent years is alarming.

Fortunately, HIBP doesn’t have passwords for all those breached accounts, because well-run websites store your passwords in salted-hashed-and-stretched form, so that the original passwords can’t be recovered easily in the event of a hack.

Read more at https://nakedsecurity.sophos.com/2019/03/08/serious-security-when-randomness-isnt-and-why-it-matters/

Firefox picks up advertiser-dodging tech from Tor

By Danny Bradbury

Firefox users will soon get yet another privacy feature to help them avoid snooping advertisers – and the measure comes straight from its cousin, the Tor browser.

The new privacy protection will help Firefox users avoid a long-used snooping technique called fingerprinting. Browser cookies are not the only way to track users as they visit different websites. Even with cookies turned off, advertisers can still identify you across multiple sites.

They do this by looking at other characteristics that your computer reveals when visiting a website such as the size of your browser window.

Many people resize browser windows by manually dragging their corners around. This creates random window sizes that few people will share. The chances are you’ll visit several websites in that window, which communicates its size to each one. Advertisers can use that data to track you across multiple sites.

To combat this, Firefox has borrowed a technique called letterboxing from Tor as part of a bigger, more structured program to transfer features between the browsers.

Read more at https://nakedsecurity.sophos.com/2019/03/08/firefox-browser-picks-up-advertiser-dodging-tech-from-tor/

Zuck says Facebook is becoming more “privacy focused”

By Lisa Vaas

Facebook CEO Mark Zuckerberg has either 1) written a Microsoft-esque, Trustworthy Computing-inspired call for the company to perform an about-face on privacy and security, or 2) he’s managed to pull a brand-healing move by infusing Thursday’s headlines with a bunch of words that include “privacy-focused” and NOT “disaster,” “breach,” or “dumpster fire.”

…or, then again, maybe 3) both.

At any rate, on Wednesday, the CEO unveiled what he framed as a major strategy shift that will involve developing a highly secure private communications platform based on Facebook’s Messenger, Instagram, and WhatsApp services.

The redesign entails streamlining communication between the three messaging services – something that Facebook announced in January. At the time, sources told the New York Times that the plan was to keep the three as standalone apps but to stitch their technical infrastructure together so that users of each app can talk to each other more easily.

Tightly connecting the messaging networks could help Facebook fend off being forced by US antitrust regulators to divest one or more of its messaging services. It would, at any rate, make divestiture a lot tougher to do.

Read more at https://nakedsecurity.sophos.com/2019/03/08/zuck-says-facebook-is-becoming-more-privacy-focused/

Serious Chrome zero-day – Google says update “right this minute”

By Paul Ducklin

Chrome users, make sure you’ve got the very latest version.

Or, as Justin Schuh, one of Chrome’s well-known security researchers, put it:

[L]ike, seriously, update your Chrome installs… like right this minute.

We’re not big Chrome fans – we’ve always thought that Firefox is better in both form and function, to be honest – but we have Chrome installed at the moment and can tell you that the version you want is 72.0.3626.121, released at the start of March 2019.

To check that you’re up-to-date, go to the About Google Chrome… window, accessible from the address bar by typing in the special URL chrome://settings/help.

This will not only show the current version but also do an update check at the same time, just in case any recent auto-updates have failed or your computer hasn’t called home yet.

Read more at https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/