May 13, 2019

Two people indicted for massive Anthem health data breach

By Lisa Vaas

On Thursday, the Justice Department unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking group, based in China, that was behind not just the Anthem attack, but also attacks against three other US businesses.

The DOJ didn’t name the other businesses but did say they were data-rich. One was a technology business, one was in basic materials, and the third was in communications: all businesses that have to store and use large amounts of data – some of it confidential business information – on their networks and in their data warehouses.

The suspects are 32-year-old Fujie Wang – following the Chinese convention of putting a surname first, that would be Wang Fujie; he also used the Western nickname of “Dennis” – and a John Doe. Investigators haven’t yet figured out Doe’s real name, but the indictment said he goes by various online nicknames, as well as “Deniel Jack,” “Kim Young” and “Zhou Zhihong.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

The four-count indictment alleges that beginning in February 2014 and up until around January 2015, Wang, Doe and other members of the gang hacked into the targeted businesses using “sophisticated techniques” including spearphishing and malware.

They allegedly rigged tailored spearphishing emails with links to malware and sent the messages to employees at the targeted companies. When employees clicked on the links, their systems would get infected by malware that, among other things, planted a backdoor that gave the hackers remote access via their command and control server.

Once in, the suspects and their accomplices moved laterally across the infected network in order to escalate their network privileges and to thereby boost their ability to get at information and to tweak the network environment.

Read more at https://nakedsecurity.sophos.com/2019/05/13/two-chinese-hackers-indicted-for-massive-anthem-breach/

Study finds Android smartphones riddled with suspect ‘bloatware’

By John E Dunn

One of the oft-discussed downsides of choosing an Android device is the phenomenon of pre-loaded “bloatware.”

Broadly speaking, these are apps and services pre-loaded on smartphones and tablets by phone vendors, mobile carriers, and their partners along with the basic suite of Google apps and Android itself.

Not all of this software is necessarily useless, and some vendors load less than others, but often it can’t be uninstalled, leaving users stuck with space-consuming software they might never use.

Worse still, according to a new study by researchers at the Universidad Carlos III de Madrid in Spain and Stony Brook University in the US, which analysed crowdsourced data from 1,742 devices made by 214 vendors, bloatware can also create hidden security and privacy risks.

Their first discovery was the sheer amount and mysterious origins of the software shipping on Android devices, which totaled 424,584 firmware files, only 9% of which corresponded to app APKs found on Google Play.

That amounted to around 140,000 apps, built using 11,665 different third-party software libraries (TPLs), and 1,200 developers closely associated with smartphone makers.

Read more at https://nakedsecurity.sophos.com/2019/05/13/study-finds-android-smartphones-riddled-with-suspect-bloatware/

Break up Facebook, cofounder says: it’s an un-American monopoly

By Lisa Vaas

Mark’s power is unprecedented and un-American. It is time to break up Facebook.

That’s the gist of what Facebook co-founder Chris Hughes had to say in a lengthy op-ed published by the New York Times on Thursday. Of course, he was referring to Facebook CEO Mark Zuckerberg.

Well, he can probably kiss that friendship goodbye, Hughes said in an interview with CBS This Morning. The two were roommates while they attended Harvard and launched what would become the world’s most dominant social media platform. They’ve been friends ever since, even after Hughes left the company 10 years ago.

Do you think you're going to stay friends with Mark Zuckerberg?

"I don't know. Probably not... but there are some friendships where you have disagreements and still stay friends." -- @chrishughes

Great guy, perhaps a little power mad, and definitely in charge of a social media monopoly that’s strangling innovation in the cradle, Hughes said of Zuckerberg:

Mark is a good, kind person. But I’m angry that his focus on growth led him to sacrifice security and civility for clicks. I’m disappointed in myself and the early Facebook team for not thinking more about how the News Feed algorithm could change our culture, influence elections and empower nationalist leaders. And I’m worried that Mark has surrounded himself with a team that reinforces his beliefs instead of challenging them.

He has too much power.

Read more at https://nakedsecurity.sophos.com/2019/05/13/break-up-facebook-cofounder-says-its-an-un-american-monopoly/

Chrome browser pushes SameSite cookie security overhaul

By John E Dunn

Slowly but steadily, web developers are being given the tools with which to tame the promiscuous and often insecure world of the browser cookie.

The latest big idea is an IETF standard called SameSite (aka RFC6265bis), which Google and Mozilla have promoted since 2016. Google announced this week that it will start pushing it more aggressively in Chrome from version 76 this July.

Cookies look simple on the surface – they’re a little chunk of text data that a website can ask your browser to remember, and that your browser will return to that website whenever the browser fetches a page, image or anything else from it. As a security measure, cookies can only be handed over to the domain that set them.

The most common use for cookies is user identification – a site stores an ID in a cookie and the browser returns that ID with each request, so that the site knows who it’s talking to. It’s this simple technique that allows sites to provide authentication and personalization.

What gives cookies a bad name are third-party cookies, usually put there by advertisers or social media giants as a way of tracking users across sites.

For example, if a user visits a page on example.org with a Facebook button on it, their browser fetches that button from facebook.com as the page is loaded. As with any HTTP interaction, the browser will include any facebook.com cookies in the request to Facebook, along with a referrer header saying what page on example.org the request is coming from.

If you happen to be logged into Facebook (and even sometimes if you aren’t), that request for a button reveals to Facebook who you are, which page you visited and when.

If a social media or advertising company can persuade enough sites to include code hosted on a domain they own, they can turn these cookies into cross-site trackers that build up a map of each user’s behavior and interests as they browse the web.
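
The button scenario above can be modelled in a few lines. This is an added example, not code from the article or from any browser: the function, the cookie names and the jar are constructed for illustration, and the Strict, Lax and None values come from the SameSite draft rather than from the text above. It assumes a "site" is the last two labels of the hostname.

```javascript
// Added example: simplified model of when a browser attaches a cookie.
// Assumption: "site" = last two host labels; real browsers use the Public Suffix List.
const siteOf = (url) => new URL(url).hostname.split(".").slice(-2).join(".");
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// jar: [{ name, domain, sameSite }], sameSite is "Strict", "Lax", "None" or absent.
// request: { url, pageUrl, method, topLevelNavigation }; pageUrl is the page that
// triggered the request. defaultPolicy is what an absent attribute is treated as.
function cookiesSent(jar, request, defaultPolicy = "None") {
  const host = new URL(request.url).hostname;
  const crossSite = siteOf(request.url) !== siteOf(request.pageUrl);
  const method = (request.method || "GET").toUpperCase();

  return jar
    // Cookies only ever go back to the domain that set them.
    .filter((c) => host === c.domain || host.endsWith("." + c.domain))
    .filter((c) => {
      if (!crossSite) return true; // first-party request: SameSite does not apply
      const policy = c.sameSite || defaultPolicy;
      if (policy === "None") return true; // classic third-party behaviour
      // Lax: only top-level navigations using a safe method carry the cookie.
      if (policy === "Lax") {
        return Boolean(request.topLevelNavigation) && SAFE_METHODS.has(method);
      }
      return false; // Strict: never sent cross-site
    })
    .map((c) => c.name);
}

// Constructed sample jar for facebook.com (cookie names are invented).
const jar = [
  { name: "legacy_id", domain: "facebook.com" },
  { name: "tracker", domain: "facebook.com", sameSite: "None" },
  { name: "session_lax", domain: "facebook.com", sameSite: "Lax" },
  { name: "session_strict", domain: "facebook.com", sameSite: "Strict" },
];
const page = "https://example.org/article";
// The embedded button: a cross-site subresource fetch.
const buttonFetch = { url: "https://www.facebook.com/button.js", pageUrl: page, method: "GET", topLevelNavigation: false };
// The user clicking a link to Facebook, and a cross-site form POST.
const linkClick = { url: "https://www.facebook.com/", pageUrl: page, method: "GET", topLevelNavigation: true };
const crossSitePost = { ...linkClick, method: "POST" };

console.log("button fetch:", cookiesSent(jar, buttonFetch));
console.log("button fetch, Lax default:", cookiesSent(jar, buttonFetch, "Lax"));
console.log("link click:", cookiesSent(jar, linkClick));
console.log("cross-site POST:", cookiesSent(jar, crossSitePost));
```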

Read more at https://nakedsecurity.sophos.com/2019/05/10/chrome-browser-pushes-samesite-cookie-security-overhaul/

275m personal records swiped from exposed MongoDB database

By Danny Bradbury

Another day, another massive MongoDB exposure. This time, a security researcher has discovered a public-facing database with over 275 million records containing personal information on citizens in India.

The researcher is Bob Diachenko, who spends a lot of time poring over Shodan search results. Shodan is a search engine, but unlike Google or Bing it indexes devices and software applications connected to the internet and viewable by the public. Shodan regularly surfaces everything from unsecured webcams to exposed databases.

Shodan first indexed the MongoDB instance on 23 April 2019. Its records included not only the individuals’ name, gender, and email address but also their employment history, current employer, current salary, and mobile phone number.

In his blog post on the topic, Diachenko explains that there were no clues in the database about who owned it. His best guess is that the database was the product of a data scraping operation.

Putting people at risk

This is one of the most frustrating things about public database exposures: Someone who doesn’t know what they’re doing can put millions of people in danger, and there’s no way to get hold of them so they can rectify the problem.

We’ve seen this before. Late last month, researchers stumbled on a database with information about 80 million US households, owner unknown.

Diachenko found another last September, again without an owner, exposing email addresses and physical addresses in a 43.5 GB data set. He has a long track record of exposed database discoveries.

Read more at https://nakedsecurity.sophos.com/2019/05/10/275m-indian-citizens-records-exposed-by-insecure-mongodb-database/

FTC renews call for single federal privacy law

By Lisa Vaas

The US Federal Trade Commission (FTC) is yet again beating the drum for the long-discussed, much-debated, when-in-the-world-will-this-happen national data privacy law, the lack of which keeps the country from parity with the EU and its General Data Protection Regulation (GDPR)…

…or, for that matter, with the state of California, with its California Consumer Privacy Act (CCPA).

FTC commissioners testified before the House Energy and Commerce subcommittee on Wednesday. As the New York Times reports, they addressed how a national privacy law could regulate how big tech companies like Facebook and Google collect and handle user data.

Besides consumer protection, the FTC is looking for more power. Commissioners asked Congress to strengthen the agency’s ability to police violations, asking for more resources and greater authority to impose penalties.

At this point, as lawmakers squabble over the details of various approaches to a national law, the US lags behind European and other nations that have acted to rein in the growing might of big tech.

In February, both the House and Senate held hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations.

A new, single federal law

Lawmakers tend to agree that we need a new, single federal privacy law. At this point, we’ve got a hodgepodge of state laws and a slew of proposed federal laws. Lawmakers are now considering one such: the Data Care Act.

Other bills: In September, Suzan DelBene introduced a privacy bill that would require information transparency and personal data control. In November, Senator Ron Wyden proposed a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy. Senator Marco Rubio announced yet another bill in January, titled the American Data Dissemination Act.

Read more at https://nakedsecurity.sophos.com/2019/05/10/ftc-renews-call-for-single-federal-privacy-law/

Sextortion mail from yourself? It doesn’t mean you’ve been hacked…

By Paul Ducklin

Over the past few months, we’ve written and spoken many times about a scam known as sextortion.

Sextortion is an online crime that combines sex and extortion – the crooks say that they have embarrassing pictures of you, and they’ll send the pictures to your friends and family…

…unless you pay them blackmail money.

To make the scam seem more believable, the crooks typically claim to have acquired the pics via your own webcam by hacking into your computer using malware and snooping on your online activities.

Sadly, this sort of malware, known as a remote access trojan (RAT), is not only technically possible, but has been used in the past in a number of widely publicised attacks.

One well-known RAT attack involved a college student called Jared James Abrahams, who supposedly spied on 150 young women including Miss Teen USA. Abrahams was caught, pleaded guilty and went to prison back in 2014. More recently, Jonathan Lee Eubanks got seven years for RATting his former employer’s business, wiping servers, diverting the website and ripping off company funds after he was fired.

Even if you never look at porn, sextortion emails are pretty confronting, and raise the question, “How much might the crooks know about me?”

Read more at https://nakedsecurity.sophos.com/2019/05/09/sextortion-mail-from-yourself-it-doesnt-mean-youve-been-hacked/
