Facebook admits “supply chain data leak” in new Oculus headsets

By Paul Ducklin

Oculus, Facebook’s virtual reality subsidiary, has fessed up to what might be the weirdest ever data leak.

OK, so it might not actually be a data leak at all, even though messages that weren’t supposed to be released seem to have got out.

And even if it is a data breach, it’s kind of cool – did we say that aloud, or just think it? – and may end up making the affected devices more sought after, and worth more money on online auction sites, than vanilla ones.

At any rate, if we were a Data Privacy Officer – a job that we suspect might be thin on opportunities for fun, games and humor – we’d be cracking a smile at this one, if not breaking into laughter, instead of reaching for our breach report forms.

The leaked messages are, literally and physically, printed characters that ended up hidden inside “tens of thousands” of new Oculus motion controllers.

We’re not big VR fans ourselves, but we think that motion controllers are the things you strap onto your hands so you can waft your way through vitality, rather than the masochistic-looking faux diving goggles [Can we just say ‘sinister’ or ‘peculiar’ instead? – Ed.] that you wear while immersed in unreality.

Read more at https://nakedsecurity.sophos.com/2019/04/15/facebook-admits-supply-chain-data-leak-in-new-oculus-headsets/

Assange arrested, faces extradition for hacking

By Paul Ducklin

Julian Assange, founder of whistleblowing organization WikiLeaks (or co-founder, depending on whom you ask) , and arguably Ecuador’s most famous Londoner (or infamous, depending on whom you ask), is in custody following his arrest yesterday.

Assange rose to fame by leaking secret government documents that the WikiLeaks organization acquired from a wide range of sources.

The best-known WikiLeaks exposé is probably Cablegate, a massive dump of US State Department diplomatic cables exfiltrated by junior US soldier Bradley Manning, now Chelsea Manning, who was arrested in 2010 for making off with some 30 years’ worth of confidential US data.

Manning apparently burned the data to a rewritable CD, pretending she was listening to Lady Gaga tunes from the CD while writing hundreds of thousands of diplomatic cables onto it.

Amazingly, one person – and a soldier with the rank of Private, at that – was able to copy everything without triggering any sort of “data access overload” warning at any point.

Read more at https://nakedsecurity.sophos.com/2019/04/12/assange-arrested-faces-extradition-for-hacking/

Feds say Russian 2016 election meddling spanned all US states

By Danny Bradbury

A multi-agency report has strengthened claims that Russia meddled with election systems in all 50 US states during the last presidential race.

The report is called a joint intelligence bulletin (JIB), and it comes from the Department of Homeland Security and the FBI. It is an unclassified document intended for internal distribution to state and local authorities.

Intelligence newsletter OODA Loop reports that the JIB reveals stronger evidence of Russian interference. Agencies believe that Russian agents targeted more than the 21 states initially suspected.

According to the bulletin:

Russian cyber actors in the summer of 2016 conducted online research and reconnaissance to identify vulnerable databases, usernames, and passwords in webpages of a broader number of state and local websites than previously identified, bringing the number of states known to be researched by Russian actors to greater than 40.

Although there are some gaps in the data, the bulletin claims “moderate confidence” that Russia conducted “at least reconnaissance” against all US states because its research was so methodical, it added.

Russia’s cyberspace election meddling played out between June and October 2016, with most activity occurring in July, the JIB said. They researched election-related websites and information in at least 39 states or territories, with Secretary of State websites drawing the most attention. They proceeded alphabetically through the states “with some exceptions”, although OODA Loop doesn’t say what they were.

Read more at https://nakedsecurity.sophos.com/2019/04/12/feds-say-russian-2016-election-meddling-spanned-all-us-states/

Flickr tackling online image theft with new AI service

By Danny Bradbury

Photo-sharing website Flickr is trying to combat copyright infringement with a service that spots copies of its users’ images online. The company is partnering with image monitoring company Pixsy to offer the AI-powered feature.

Flickr began offering the service this week, claiming it as a step forward in the fight to protect its members’ rights, stating:

We remain aware of the fact that photo theft is a sad reality of the online world and a major issue for photographers trying to make a living off of their work

It will offer the service to paying members under its Pro subscription. It enables them to monitor up to 1000 images and lets users send 10 DMCA takedown notices for free. The Digital Millennium Copyright Act lets copyright owners send cease and desist letters to people using their content online without permission.

Pixsy scours the internet looking for images that are registered with it, and tries to find a match. The BBC tested the service with mixed results. The AI tool found an image of its reporter Cody Goodwin used in a news story on its site used by 26 other news websites.

However, it also tested a picture of the same reporter in its Los Angeles bureau with the Hollywood sign in the background, and it flagged up an image of (very different person) Stormy Daniels in that studio instead. Apparently, the software still has some work to do.

What if you are not a Flickr Pro user? All is not lost. You can head over to Pixsy and sign up for a free account, which gives you the ability to monitor 500 images without paying a penny. You don’t get the free takedown notices that you get with a Flickr Pro account, though.

Read more at https://nakedsecurity.sophos.com/2019/04/12/flickr-signs-with-ai-service-to-find-infringing-images-online/

Android phones transformed into anti-phishing security tokens

By John E Dunn

Google just announced a new security feature that allows users of Android 7 and later to use their smartphones to authenticate themselves to their Google accounts.

The surprise announcement was buried inside a pile of enterprise-oriented enhancements revealed at Google Cloud Next 2019 in San Francisco on Wednesday.

Released in beta, the feature is designed to protect Google users from phishing attacks. Once enabled, the user logs into their Google account using their username and password as normal before authenticating that their enrolled smartphone is present by clicking on a message that appears on the screen.

It’s identical in principle to using a FIDO USB token such as the YubiKey (or Google’s Titan key equivalent launched last year), except that the smartphone itself becomes the token.

This defeats phishing in the same way a token does because even if attackers get hold of someone’s Google username and password, they can’t access the account without also having the smartphone.

Requirements

To use your Android phone (tablets don’t appear to be supported yet) as a security key, you must have a phone running Android version 7.x or later, and you need to turn on Bluetooth.

Your computer must also have Bluetooth, and be running the latest version of the Chrome browser, on a Chrome OS, macOS X or Windows computer.

Read more at https://nakedsecurity.sophos.com/2019/04/12/android-phones-transformed-into-anti-phishing-security-tokens/