April 22, 2019
WannaCry hero Hutchins now officially a convicted cybercriminal
By Paul Ducklin
Remember the reluctant WannaCry hero?
WannaCry was ransomware that made big headlines in mid-2017 for two important reasons.
First, it was a true computer worm, or virus, that automatically propagated itself to the next guy, and the next guy…
…and so on, meaning that although it drew attention to itself very quickly, it was nevertheless able to spread far and fast.
SophosLabs estimated that it infected 200,000 computers in 150 countries within four days of showing up in the wild.
Second, WannaCry’s spreading mechanism used exploit code known as ETERNALBLUE, allegedly developed by the US National Security Agency for secret intelligence-gathering purposes.
That exploit, along with many others, was subsequently stolen in a data breach at the NSA, offered for sale for a while at an outrageous price, and finally dumped for anyone to use for free around the start of 2017.
Microsoft pushed out a patch at the start of 2017 that effectively immunised everybody who applied it, but those who neglected or declined that update ended up at risk.
Read more at https://nakedsecurity.sophos.com/2019/04/21/wannacry-hero-hutchins-now-officially-a-convicted-cybercriminal/
Facebook: we logged 100x more Instagram plaintext passwords than we thought
By Paul Ducklin
About a month ago, Facebook owned up to a programming blunder that’s been a top-of-the-list coding “no-no” for decades.
The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash used for verifying that your password was correct.
Well, it’s just updated its March 2019 admission to state that the number of plaintext passwords found scattered around its systems in various logfiles is greater than originally thought.
Back in March, the damage was said to involve hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users, but yesterday the company updated its bulletin to say:
Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
Simply put, the chance that your Instagram password was stored somewhere in a logfile, somewhere in Facebook’s network, turns out to be 100 times greater than you might have thought last month.
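The blunder described above is a logging problem rather than a password-storage problem: the password is hashed correctly for verification, but a copy of the raw request is written to a logfile before it is checked. The following Python is an added example (not Facebook’s code, and not from the article) that shows the leaky pattern beside a hardened version. The field names, the PBKDF2 parameters and the sample user are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Request keys whose values must never reach a logfile (assumed list for the demo).
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "token"}
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); only this pair is ever stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def redact(record: dict) -> dict:
    """Replace sensitive values before the record is serialised for logging."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v) for k, v in record.items()}


def login_naive(request: dict, store: dict, log: list) -> bool:
    # BUG (the pattern the article describes): the whole request, password included,
    # is written to the log before the hash check. The check itself is correct.
    log.append("login request: " + json.dumps(request, sort_keys=True))
    user = store.get(request.get("username"))
    if user is None:
        return False
    return verify_password(request.get("password", ""), user["salt"], user["digest"])


def login_hardened(request: dict, store: dict, log: list) -> bool:
    # The log line is built from a redacted copy, so the plaintext never leaves memory.
    log.append("login request: " + json.dumps(redact(request), sort_keys=True))
    user = store.get(request.get("username"))
    if user is None:
        return False
    return verify_password(request.get("password", ""), user["salt"], user["digest"])


def log_leaks(log: list, secrets) -> list:
    """Audit helper: which of the given secrets appear verbatim in the log lines?"""
    return [s for s in secrets if any(s in line for line in log)]


def demo() -> dict:
    # Constructed sample user and request; the password is a demo value only.
    salt, digest = hash_password("correct horse battery staple")
    store = {"alice": {"salt": salt, "digest": digest}}
    request = {"username": "alice", "password": "correct horse battery staple"}

    naive_log, hardened_log = [], []
    return {
        "naive_ok": login_naive(request, store, naive_log),
        "hardened_ok": login_hardened(request, store, hardened_log),
        "naive_leaks": log_leaks(naive_log, [request["password"]]),
        "hardened_leaks": log_leaks(hardened_log, [request["password"]]),
        "wrong_password": login_hardened({**request, "password": "guess"}, store, hardened_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both handlers authenticate the same way; the only difference is what reaches the log. The `log_leaks` helper is the kind of check that would have caught the problem early: run it over captured log output with a test account’s password and it should return an empty list.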
Serious Security: Ransomware you’ll never find – and how to stop it
By Paul Ducklin
Imagine that you’ve been hit by ransomware.
All your data files are scrambled, you’re staring at a ransom note demanding $1000, and you’re thinking, “I wish I hadn’t put off updating that cybersecurity software.”
When the dust has settled – hopefully after you’ve restored from your latest backup rather than by paying the blackmail charge – and you’ve got your anti-virus situation sorted out, your burning question will be…
…where did the malware come from?
But what if, no matter how carefully and deeply you scan, you can’t find any trace that there ever was any malware on your computer at all?
Unfortunately, as our friends over at Bleeping Computer recently reported, that can happen, and it’s one case where not being infected yourself is actually a bad sign, rather than a good one.
The Bleeper crew have had several reports of users whose files were scrambled from a distance across the internet, by ransomware running on someone else’s computer.
Read more at https://nakedsecurity.sophos.com/2019/04/18/serious-security-ransomware-youll-never-find-and-how-to-stop-it/
Facebook user data used as bargaining chip, according to leaked docs
By Lisa Vaas
User privacy is super-duper important, Facebook has said publicly for years out of one side of its mouth, while on the other side it’s been whispering to third-party app developers to come on in and feast – this user data is tasty.
Well, that’s confusing, its own employees have said, according to yet more newly revealed internal discussions.
NBC News, one of a handful of media outlets that got its hands on the documents, said that the cache contains about 4000 pages of leaked company documents that largely span Facebook communications from 2011 to 2015.
(Computer Weekly reported on Monday that it was 7000. At any rate, it was a lot of documents.)
Photos visible to “Only me?” Says YOU
As NBC reports, the documents show that in April 2015, Facebook product designer Connie Yang told colleagues that she’d discovered apps collecting profile data she’d marked as visible only to herself. Yang wrote that apps were displaying her “only [visible to] me” data as being visible to…
…both you and *other people* using that app.
The documents show that even when users locked down their accounts so that their photos and other data were visible to “only me,” that data could still be transferred to third parties.
That’s only one of an ocean’s worth of revelations in the cache of internal documents, which include emails, chats, presentations, spreadsheets, and meeting summaries that show that top Facebook execs – including CEO Mark Zuckerberg and chief operating officer Sheryl Sandberg – mulled the idea of selling access to user data for years.
Read more at https://nakedsecurity.sophos.com/2019/04/18/facebook-user-data-used-as-bargaining-chip-according-to-leaked-docs/