May 6, 2019

Mozilla bug throws Tor Browser users into chaos

By Paul Ducklin

Update. Shortly after publishing this article we were able to fetch Firefox 66.0.4, which claims to fix this issue by repairing a broken certificate chain. We haven’t yet received notification of an update to the Tor Browser, but we expect to see one soon. [2019-05-05T22:15Z]

It’s a long weekend here in the UK, so the atmosphere is relaxed…

…except, we suspect, for any British members of the Mozilla Firefox programming squad.

Mozilla is currently stuck in the middle of a cybersecurity blunder involving digital signatures.

The bug reports we’ve seen so far don’t give much more detail than “expired intermediate certificate” problems, but the symptoms are obvious, especially for Tor users.

We didn’t get hit by this bug immediately – we were off the grid yesterday and left our computing kit at home. (Nothing Bear Gryllsy, you understand – we took ourselves off to Bristol on Brunel’s famous Great Western Railway to visit a bicycle show but left our mobile phone behind entirely by mistake.)

But today, not long after firing up the Tor Browser, which is a special version of Firefox with numerous privacy-centric settings turned on and baked into the build, we received a worrying popup warning.


Belgian programmer solves cryptographic puzzle – 15 years too soon!

By Paul Ducklin

Thanks to Alex Bakewell of SophosLabs for his help with this article.

April 2019 was a good month for bold Belgians!

Professional Belgian cyclist Victor Campanaerts broke the world hour record, covering an amazing, unassisted, undrafted 55km in a velodrome (55,089 meters, in fact) in 60 minutes.

The previous record, set by Sir Bradley Wiggins in 2015, had stood for nearly four years.

But professional Belgian programmer Bernard Fabrot conquered an even more durable challenge.

He cracked a computational puzzle that was set way back in 1999, by none other than Professor Ron Rivest of MIT, who’s the R in the well-known public key encryption algorithm RSA.

Fabrot’s achievement is particularly interesting because Rivest specially designed the puzzle in the hope it would take 35 years to solve, assuming you started as soon as it was published.

In the end, Fabrot required 3.5 years of computer running time, thus outpacing Rivest’s estimate by a factor of 10.

The puzzle is what’s known as a “time-lock problem” – a time-consuming calculation that can only be accelerated by tuning your algorithm or by building faster computer hardware.

Time-lock puzzles are interesting, and important, because they can’t be short-circuited simply by splitting the problem into pieces and throwing more computers at it.

Time-lock puzzles are inherently sequential, typically requiring a number of loops through an algorithm where the input to each iteration of the loop can only be acquired by reading in the output of the previous iteration.

The idea is to put everyone in the same boat: you can be the biggest, richest, most energy-slurping cloud computing company in the world, but all those servers, CPUs and CPU cores won’t let you buy your way to victory.
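Rivest’s 1999 puzzle (LCS35) is built on repeated modular squaring, the Rivest–Shamir–Wagner construction: the answer is 2^(2^t) mod n for an RSA-style modulus n = p·q. The following is an added example, not code from the article, showing in Python why the solver’s loop cannot be parallelised while the setter, who knows p and q, can shortcut it; the primes, t and secret are constructed toy values.

```python
# Added example, not from the article: a toy version of the sequential-squaring
# construction behind Rivest's 1999 LCS35 time-lock puzzle. The answer is
# 2^(2^t) mod n for an RSA-style modulus n = p*q; only someone who knows p and q
# can avoid doing the t squarings one after another.

def solve_sequentially(n: int, t: int) -> int:
    """The solver's path: t dependent modular squarings.

    Each iteration consumes the previous iteration's output, so the loop
    cannot be split across cores or machines. This is the 'time lock'.
    """
    x = 2
    for _ in range(t):
        x = (x * x) % n
    return x


def solve_with_trapdoor(p: int, q: int, t: int) -> int:
    """The setter's shortcut: knowing phi(n) collapses the exponent.

    Because gcd(2, n) = 1 for odd primes p and q, Euler's theorem gives
    2^(2^t) == 2^(2^t mod phi(n)) (mod n), and computing 2^t mod phi(n)
    costs O(log t) multiplications instead of t of them.
    """
    phi = (p - 1) * (q - 1)
    reduced_exponent = pow(2, t, phi)
    return pow(2, reduced_exponent, p * q)


def make_puzzle(p: int, q: int, t: int, secret: int) -> tuple:
    """Publish (n, t, locked_secret); the secret is hidden as secret XOR answer.

    LCS35 hid its message by combining it with the answer in the same way.
    """
    answer = solve_with_trapdoor(p, q, t)
    return p * q, t, secret ^ answer


def open_puzzle(n: int, t: int, locked_secret: int) -> int:
    """The solver must do the full sequential work to recover the secret."""
    return locked_secret ^ solve_sequentially(n, t)


if __name__ == "__main__":
    # Constructed toy parameters: the Mersenne primes 2^31-1 and 2^61-1.
    # LCS35's real modulus is 2048 bits and its t is roughly 79.7 trillion.
    P, Q, T = 2**31 - 1, 2**61 - 1, 20_000
    n, t, locked = make_puzzle(P, Q, T, secret=0xC0FFEE)
    print("solver recovers:", hex(open_puzzle(n, t, locked)))
    # Note: pow(2, 1 << T, n) is no shortcut either; square-and-multiply on a
    # (T+1)-bit exponent still performs T sequential squarings.
```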


Criminals are hiding in Telegram – but backdoors are not the answer

By John E Dunn

When it comes to an easy life, the criminals behind the fearful Anubis banking malware have become big fans of Twitter and, increasingly, the secure messaging of Telegram.

There’s nothing new in malware piggybacking on popular services but why Twitter and Telegram, and is the recent migration to secure messaging significant?

As SophosLabs explains in a new analysis, Anubis borrows these services to host the command and control (C2) instructions malware reaches out for after first installing on a target system.

Twitter is attractive because its popularity and ubiquity means that its domains are less likely to be blocked by web filtering.

Despite this, SophosLabs has recently noticed Anubis moving from Twitter to use Telegram almost exclusively, on the face of it a strange thing to do.

Perhaps Twitter’s in-house security has got better at whacking the mole – blocking the Anubis domains as quickly as they are set up. Malware writers know that’s going to happen at some point but if it’s within minutes or a few hours, that can be inconvenient.

In fact, Telegram is also quite good at suspending accounts that abuse its service in this way. Nevertheless, writes SophosLabs’ researcher, Jagadeesh Chandraiah:

By the time Telegram removes the account being used for C2, it’s likely that several victims have already installed the malware and obtained their initial C2 server address from the malevolent Telegram account.

That Anubis has also taken to using Chinese characters as a form of obfuscation perhaps offers a clue to the criminals’ motivation – it’s an attempt to buy a bit more time by making things more complicated for malware analysts.


Cryptocoin theft, scam and fraud could total more than $1.2b in Q1

By Lisa Vaas

In December 2018, the CEO of Canada’s major cryptocurrency exchange, QuadrigaCX, allegedly died of Crohn’s disease while in India without telling anybody the password for his storage wallet.

Oh, really? Funny, that. Experts say that Crohn’s is hardly likely to kill an otherwise healthy 30-year-old. Nor was there an autopsy. Or, apparently, a body. It’s also odd that days earlier, Gerry Cotten made out a will leaving everything to his wife. And that Ernst & Young used public blockchain records to review the transactional activity of the six identified cold wallets set up by Cotten, where his wife claims the assets were locked up without access to the password keys, and found that they’d been emptied of $137m.

And, well, you can see where this is headed: straight into the likelihood that it was one of the year’s most scorching exit scams.

CipherTrace analysts think it’s highly unlikely to be anything but fraud, theft or foul play, they noted in the company’s 2019 Q1 Cryptocurrency Anti-Money Laundering Report. Gerry Cotten probably isn’t really six feet under, they suggest. Rather, he could have slipped underground in another way entirely as he and his “widow” actually work to launder a total of nearly $195m worth of customers’ funds.

We’ll likely never know what really happened. But we do know that the lost QuadrigaCX funds have added to a total estimated US$356 million stolen (stolen or “lost,” if you buy the death-by-Crohn’s story) from exchanges and cryptocurrency infrastructure during the first quarter of 2019.

According to CipherTrace, which develops cryptocurrency and blockchain tracing and security capabilities, that figure could swell further still, given that the New York Attorney General last month accused cryptocurrency exchange Bitfinex and cryptocurrency Tether of an $850m fraud. If the allegations bear out, the total losses in Q1 will be more than $1.2 billion.


Cybersecurity experts battle for right to repair

By Danny Bradbury

A battle is playing out between manufacturers and users over who has the right to repair a product – and tech companies are using cybersecurity concerns as a weapon.

Across the US, states have been mulling right-to-repair legislation that would let users repair their own devices, opening up access to verified parts and technical documentation. It’s a reaction to moves by manufacturers such as Apple to lock down the repair process to authorized partners.

Earlier this week, California State Assembly Democrat Susan Talamantes Eggman pulled proposed right-to-repair legislation from consideration by the State’s Privacy and Consumer Protection Committee because it didn’t have the support it needed. She accused industry lobbyists of shooting down the bill, telling Motherboard:

Manufacturers had sown enough doubt with vague and unpacked claims of privacy and security concerns.

Privacy, security and injury

According to the site, vendors and industry associations had been lobbying lawmakers to argue that the right to repair was a bad idea. Apple warned that people trying to repair their own iPhones might puncture the battery and injure themselves.

Industry group CompTIA had also approached lawmakers with a letter sounding the cybersecurity alarm. It warned them that opening up repair rights to the general public could make products less secure. This is similar to claims it made in March 2017, when it sent a statement to the Nebraska Legislature protesting a potential right-to-repair bill in that state. The Nebraska letter pointed out that hackers are constantly trying to break into devices, adding:

Any weakening of the current standards, including sharing sensitive diagnostic tools and proprietary hardware data, could expose customers to risk.

Not so, say cybersecurity professionals. Last November, technology journalist Paul Roberts founded an advocacy group that supports right-to-repair legislation. This week, it announced support from over 20 cybersecurity rock stars, who will speak out for right-to-repair legislation across the US.


Google rolling out auto-delete for your location and activity history

By Lisa Vaas

You may be pleased, or perhaps underwhelmed, by the news that you no longer have to remember to log in and delete the stuff you didn’t know Google was tracking about you.

Google announced new auto-delete controls for Location History and activity data on Wednesday.

…not that Location History and Web & App Activity aren’t the best things since sliced bread – or places where sliced bread is served, Google said:

Whether you’re looking for the latest news or the quickest driving route, we aim to make our products helpful for everyone.

The data can make Google products more useful for you – like recommending a restaurant that you might enjoy, or helping you pick up where you left off on a previous search.

However, it’s been getting feedback about users wanting simpler ways to manage or delete all that data.

You can already use your Google Account to access simple on/off controls for Location History and Web & App Activity or to delete all or part of that data manually.


DHS policies allow unlimited, warrantless device search

By Lisa Vaas

A lawsuit against warrantless searches at US border points has revealed that the Department of Homeland Security (DHS) has given its border patrol agents free rein to conduct warrantless, suspicion-less device searches for pretty much any reason at all.

The lawsuit was filed against DHS in 2017 by the Electronic Frontier Foundation (EFF) and the ACLU on behalf of 11 people. Those people include a military veteran, journalists, students, an artist, a NASA engineer, and a business owner, all of whom experienced forced, warrantless searches of their cellphones and laptops at the border.

On Tuesday, the ACLU and the EFF filed evidence in court showing policies and practices of Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) that authorize officers to conduct warrantless, suspicion-less device searches for purposes that have nothing to do with immigration or customs laws, including:

…enforcing bankruptcy, environmental, and consumer protection laws, and for intelligence gathering or to advance pre-existing investigations.

The documents show that border agents are also allowed to consider requests from other government agencies to search devices, the EFF said.

Agents are empowered to search electronic devices even when the actual target isn’t the traveler standing in front of them – such as when the traveler is a journalist or scholar with foreign sources who are of interest to the US government, or when the traveler is the business partner of someone under investigation.

Both agencies also allow agents to retain the data they copy off devices and share it with other government entities, including state, local, and foreign law enforcement agencies. They’re none too careful with that data, either, as we learned in December when the Office of Inspector General (OIG) filed a report with DHS about border agents copying travelers’ data and leaving it kicking around on USB drives that they don’t always erase and sometimes misplace.


Is a sticky label the answer to the IoT’s security problems?

By John E Dunn

If the security of Internet of Things (IoT) devices is one of tech’s big worries, how might this be turned around?

In the UK, the Government just published new details of its surprising and unfashionable answer – a sticky label.

Called ‘Secure by Design’ since first being mooted in 2018, this won’t simply be a nice-to-have sticker. In time it could become a legal requirement to display it on anything sold with IoT features, such as internet TVs, home security cameras, IoT toys, and home appliances.

Right now, the legal bit remains an aspiration subject to further consultation, but legislation appears to be on the cards at some point, perhaps by next year.

Rather than get mired in complicated security concepts, Secure by Design cleverly zeroes in on three fundamental problems that bedevil IoT devices and device security in general.

“IoT device passwords must be unique and not resettable to any universal factory setting.”

The industry has been getting better at avoiding this pitfall in recent years (witness the way broadband routers now ship with unique admin and Wi-Fi passwords) but a lot of mass-market IoT gadgets still ignore this simple principle.

“Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.”

A simple and radical suggestion – if you make something, there should be a way for researchers to tell you that something’s broken in it that needs fixing. There’s plenty of anecdotal evidence that some mass-market manufacturers, at least, are completely oblivious to this concept.


Extortionists leak data of huge firms after IT provider refuses to pay

By Lisa Vaas

Financial data from some of the world’s biggest companies – including Porsche, Oracle, Toshiba and more – has been stolen and published in a ransomware attack on the large, Germany-based IT provider Citycomp.

Citycomp, which says that it maintains over 70,000 servers and storage systems “of every type and size” in 75 countries, issued a statement saying that it had “successfully fended off a hacker attack” in early April and that it has no intention of complying with the blackmail attempt.

Given its refusal to capitulate, Citycomp said, the data couldn’t be saved from being doxxed. “Full transparency” was in place and it informed its customers “right from the start,” it said.

[Citycomp] does not yield to blackmail. The repercussion is the publication of the stolen customer data.

While Citycomp said that the attack had been stopped, a security firm it’s working with and which was authorized to speak to Motherboard told the publication that as of Tuesday, it was ongoing. Michael Bartsch, executive director of Deutor Cyber Security Solutions:

Citycomp has been hacked and blackmailed and the attack is ongoing. We have to be careful as the whole case is under police investigation and the attacker is trying all tricks.

The hackers created a .onion Dark Web site where the stolen data can be browsed and downloaded. The list of victims includes names such as Porsche, Oracle, Toshiba, the New Yorker, Ericsson, Leica, UniCredit, British Telecom, Hugo Boss, NH Hotel Group, and Airbus, among many others. On the site, the hackers claim that they have “312,570 files in 51,025 folders, over 516GBb data financial and private information on all clients.”


US Government halves deadline for applying critical patches to 15 days

By Danny Bradbury

US federal agencies must fix their security bugs more quickly under new rules issued by the Department of Homeland Security (DHS) this week. The rules also expand the scope of bugs that agencies must pay attention to.

The Cybersecurity and Infrastructure Security Agency (CISA), which is a branch of the DHS dealing with cybersecurity, issued the rules in the form of a new Binding Operational Directive (BOD) this week. BODs are rules that federal agencies must follow. Called BOD 19-02, it tightens requirements for federal agencies to fix the vulnerabilities that the DHS finds.

The DHS regularly scans federal agency systems to try to find vulnerabilities. Called the Cyber Hygiene scan, this practice generates a weekly report that the DHS sends to agencies.

The new directive supersedes BOD 15-01, which forced federal agencies to review and remediate critical vulnerabilities on internet-facing systems within 30 days of their weekly Cyber Hygiene report. BOD 15-01 led to a “substantial decrease” in the number of critical vulnerabilities over 30 calendar days, according to the DHS.

BOD 19-02 ups the ante. It forces agencies to remediate critical vulnerabilities within 15 calendar days of detection. They must also now fix high-severity vulnerabilities within 30 calendar days. CISA measures vulnerabilities according to the National Institute of Standards and Technology’s Common Vulnerability Scoring System (CVSS).

