March 18, 2019

G Suite admins can now disallow SMS and voice authentication

By John E Dunn

Users of Google’s cloud-based suite of productivity apps may find when logging in that their usual two-factor authentication options (2FA, or 2-step verification, as Google calls it) have disappeared.

If G Suite users have previously been logging in with SMS or voice call verifications, they could now be asked to authenticate using another method such as Google’s Prompt system or a security token based on the FIDO/2.0 standards.

Hopefully, this won’t come as a surprise to users because their G Suite admins will have mentioned this change in their 2FA options to users in advance.

Tough love

What lies behind the change is a new setting Google has made available in the G Suite console that for the first time gives admins the power to migrate users from one method of authentication to another.

Previously, admins could simply enable 2FA, choosing from a range of possible ways this could happen. Now, although admins can allow any type of authentication if they wish, two specific types of authentication – SMS and voice calls – can also be disallowed by policy.

Read more at https://nakedsecurity.sophos.com/2019/03/18/g-suite-admins-can-now-disallow-sms-and-voice-authentication/

WordPress 5.1.1 patches dangerous XSS vulnerability

By John E Dunn

Researchers have offered more detail on a recently patched vulnerability that would allow an attacker to take over a WordPress site using something as simple as a maliciously crafted comment.

Discovered by RIPS Technologies, the vulnerability is a cross-site request forgery (CSRF) bug that affects any site running version 5.1 or earlier with default settings and comments enabled.

At the heart of this flaw is how WordPress protects itself (or rather, doesn’t) from CSRF-based takeovers via comments.

CSRF attacks happen when an attacker hijacks an authenticated user session so that the malicious instructions appear to come from that user’s browser.

In the case of the latest flaw, all the attacker has to do is lure a WordPress admin to a malicious website serving a cross-site scripting (XSS) payload.

Websites defend themselves against CSRF in different ways, but the complexity of the task means there are always cracks attackers can slip through.
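
As an added illustration (not code from the article, RIPS or WordPress), the following Python sketch contrasts a comment handler that trusts the session cookie alone and stores raw HTML with one that checks the request origin, verifies a session-bound CSRF nonce and escapes the comment body. The endpoint names, `SECRET_KEY` and `https://blog.example` origin are assumptions made for the example.

```python
import hashlib
import hmac
import html
import secrets

# Constructed server-side secret; a real deployment loads this from config.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://blog.example"  # assumed origin of the blog itself


def make_csrf_token(session_id: str, action: str = "post-comment") -> str:
    """Nonce bound to both the user's session and the specific action."""
    msg = f"{action}:{session_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token, action: str = "post-comment") -> bool:
    expected = make_csrf_token(session_id, action)
    # Constant-time comparison; a missing token never matches.
    return hmac.compare_digest(expected, token or "")


def post_comment_unprotected(session_id: str, form: dict) -> dict:
    """Weak pattern: any request carrying a valid session cookie is accepted,
    and the comment is stored verbatim, so a forged cross-site POST can plant
    markup that later renders in an admin's browser (stored XSS)."""
    return {"ok": True, "stored": form["comment"]}


def post_comment_protected(session_id: str, form: dict, origin) -> dict:
    """Hardened pattern: reject cross-site origins, require the session-bound
    nonce, and HTML-escape the body before it is stored."""
    if origin is not None and origin != SITE_ORIGIN:
        return {"ok": False, "reason": "cross-site origin"}
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return {"ok": False, "reason": "missing or invalid CSRF token"}
    return {"ok": True, "stored": html.escape(form["comment"])}


def run_demo() -> dict:
    """Constructed forged request: the admin's browser is lured to another
    site, which posts a comment using the admin's existing session."""
    forged = {"comment": "<script>alert(1)</script>"}
    legit = {"comment": "<b>hi</b>", "csrf_token": make_csrf_token("admin-session")}
    return {
        "forged_unprotected": post_comment_unprotected("admin-session", forged),
        "forged_protected": post_comment_protected("admin-session", forged, "https://other.example"),
        "legit_protected": post_comment_protected("admin-session", legit, SITE_ORIGIN),
    }
```

The forged request succeeds against the unprotected handler and is stored unescaped; the protected handler refuses it on origin alone, and would still refuse it for lack of a nonce even if the Origin header were absent.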

Read more at https://nakedsecurity.sophos.com/2019/03/18/wordpress-5-1-1-patches-dangerous-xss-vulnerability/

You left WHAT on that USB drive?!

By Lisa Vaas

Back in 2012, Sophos picked up a stash of USB keys from a lost property auction as an experiment. It turned out that they were a scary bunch of sticks: 66% of them contained malware, and not a single one was encrypted.

Well, the more things change, the more things USB drive-related remain hair-raising…

A new study found that you don’t just run a good chance of catching something from second-hand drives: you also run the risk of getting an eyeful of sensitive data that the previous owner may or may not have even bothered to drag to the trash – not that that would actually delete the data, mind you, but at least it’s an attempt.

The study, done by the University of Hertfordshire and commissioned by a consumer product comparison website called Comparitech, looked at what could be found on second-hand drives picked up on eBay, in second-hand shops and through traditional auctions.

The researchers found that about two-thirds of second-hand USB memory sticks bought in the US and the UK have recoverable and sometimes sensitive data. In one-fifth of the devices studied, the past owner could be identified.

They bought 200 USB drives – 100 in the US and 100 in the UK – between January and May 2018.

People in the US who offload their sticks turned out to at least be aware of the need to erase their data, with only one of the drives showing no sign of an erasure attempt. In the UK, however, 19 of the devices showed no sign of attempted cleansing.

Read more at https://nakedsecurity.sophos.com/2019/03/15/you-left-what-on-that-usb-drive/

Facebook outage coincides with (or causes?) 3m new Telegram users

By Lisa Vaas

Facebook fell flat on its face on Wednesday, which seems to have led to Telegram having a busy, busy day.

On Thursday, the founder and CEO of Telegram, Pavel Durov – Telegram being a popular encrypted messaging app that describes itself as the “more secure alternative” to common messaging apps like WhatsApp – announced that it had picked up three million new users in the past 24 hours: a period that coincided with nearly a day-long, worldwide outage at Facebook.

The outage brought down not only Facebook’s core service, but also its Messenger, Instagram and WhatsApp services. On Thursday, Facebook blamed a misconfigured server.

Of course, we can’t say for sure if the Facebook outage actually caused the 3m user uptick. Maybe the two just happened to coincide. Durov didn’t mention what the typical, non-Facebook-flattened new-user signup rate is. At any rate, in any given week, there are multiple news stories that might cause users to seek out a messaging service that doesn’t suck their data blood like a cyber vampire.

Telegram is a free, encrypted messaging service that’s similar to WhatsApp, except that it doesn’t slurp up users’ data in order to make money from targeted ads. Rather, it runs on user donations.

Read more at https://nakedsecurity.sophos.com/2019/03/15/facebook-outage-coincides-with-or-causes-3m-new-telegram-users/

How to make DuckDuckGo your default Chrome search engine

By Danny Bradbury

Privacy-conscious web users now have a new way to search in Chrome’s address bar. Version 73 of the browser, released Tuesday, now includes the DuckDuckGo search engine as an option.

Included without fanfare, the feature enables users to search DuckDuckGo by default from the address bar, but they must set this option in the preferences.

DuckDuckGo bases its business model on the idea that advertising needn’t invade users’ privacy. The company still gets its revenues from displaying ads, but it bases them on immediate searches rather than building data profiles of people.

Earlier this month, DuckDuckGo founder Gabriel Weinberg testified before the US Senate Judiciary Committee hearing on GDPR and California’s equivalent privacy legislation, CCPA. He told the Committee:

We simply do not collect or share any personal information at all.

Kudos to Google for taking the plunge, but it is five years late to the party. Safari has supported DuckDuckGo since OS X Yosemite, released in fall 2013, and Mozilla added support in Firefox around the same time.

Read more at https://nakedsecurity.sophos.com/2019/03/15/duckduckgo-shows-up-as-chrome-search-option/

Man drives 3,300 miles to talk to YouTube about deleted video

By Lisa Vaas

On Sunday, police in Mountain View, California, where Google is headquartered, arrested a man who drove more than 3,300 miles from Maine to discuss what he thought was the company’s removal of his YouTube account and the one video he’d posted – one about getting rich quick.

It was not, in fact, deleted by YouTube. It turns out, his wife deleted it, concerned as she was about her husband’s mental state. She told BuzzFeed News that the video, created by 33-year-old Kyle Long, was “rambling” and “bizarre.”

According to a press release from the Mountain View police department (MVPD), Iowa State Patrol on Friday gave them a heads-up about Long’s journey. Iowa police spoke to Long twice that day: once when he got into a collision (without injuries) and then again after he vandalized a restroom at a gas station store a short time later.

Employees at the gas station store didn’t want to press charges, and the collision didn’t warrant Long’s detention, so Iowa police let him go.

Three baseball bats and a serious need to chat

Then, on Sunday, the MVPD got another heads-up. This one came from police in Long’s hometown of Waterville, Maine. Waterville police told MV police that they’d been tipped off about Long having made it to California. They’d also gotten a tip that he intended to resort to physical violence if his meeting with Google execs didn’t go well.

Read more at https://nakedsecurity.sophos.com/2019/03/14/man-drives-3300-miles-to-talk-to-youtube-about-deleted-video/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation