July 17, 2019

Microsoft, Google and Apple clouds banned in Germany’s schools

By Danny Bradbury

The German state of Hesse has barred its schools from using cloud-based productivity suites from Microsoft, Google and Apple. The state's data protection commissioner warned that the tech giants' cloud offerings do not satisfy its privacy requirements.

The Hessische Beauftragte für Datenschutz und Informationsfreiheit (Hesse Commissioner for Data Protection and Freedom of Information, or HBDI) made the statement following a review of Microsoft Office 365’s suitability for schools.

Microsoft launched Microsoft Cloud Germany (Azure Deutschland) in 2016, built around a 'data trustee' model. T-Systems, a Deutsche Telekom subsidiary, acted as the trustee that controlled access to customer data, and the German data centres were linked over a private network so that resident data did not traverse the public internet. Even Microsoft could not get at its customers' data without the trustee's involvement. The arrangement was a bid to placate German customers who were sensitive about data sovereignty and wanted their data kept on German soil.

That made HBDI confident enough to allow schools there to use Office 365 in August 2017, just so long as they only used the German cloud.

An issue with data Microsoft is storing, and where

Then, in August 2018, things changed. Microsoft stopped taking new customers for the data trustee service and announced that it would instead serve Germany from regions run on its regular data centre model, removing the separation between its German data centres and the rest of the global Azure cloud.

Read more at https://nakedsecurity.sophos.com/2019/07/17/germany-bans-schools-from-using-tech-giants-clouds/

Facebook rolls out anti-scam reporting tool in UK

By Danny Bradbury

UK TV celebrity Martin Lewis was all smiles this week after a five-month alliance with Facebook to crack down on scam ads finally bore fruit.

The company has coughed up £3m (around US $3.7m) to help support anti-scam services as well as introducing a tool to report scam ads on the UK version of the site.

Lewis, a TV presenter and journalist who advises people on financial issues, sued Facebook in April 2018 after scammers used his name in fake ads on the platform to con people out of their money. He settled with the company in January 2019, recouping his legal fees and persuading it to donate £3m to Citizens Advice and create a new scam ad reporting tool.

Facebook made good on that promise this week.

One man lost £19,000 ($23,500), Lewis recalled. A woman who was looking after her orphaned grandchildren put the money that had been set aside for them into one of these fake schemes and lost everything. The victims blamed him, even though he had nothing to do with the ads.

This week Facebook launched a button on its UK site to report scam ads. Users click the three dots ('...') at the top right of an ad, select 'Report Ad', then 'Misleading or scam ad', and finally confirm that they want to send a detailed scam report. If the tool proves successful, it will hopefully roll out to other markets.

Read more at https://nakedsecurity.sophos.com/2019/07/17/facebook-launches-anti-scam-initiative/

Researchers hide data in music – and human ears can’t detect it

By John E Dunn

Researchers have developed a way for data to be secretly transferred inside a music track at a usable rate without turning it into unlistenable mush.

While using sound waves as a data carrier is not new, applying the principle to music has always been a challenge because even small distortions made when adding data will be noticed by the human ear.

If one could overcome this, music would make a good medium for data transfer because it can easily be picked up by the microphones used by smartphones and computers without annoying people by blasting unstructured sound at them.

How does it work?

The technique outlined by Manuel Eichelberger and Simon Tanner of ETH Zurich uses orthogonal frequency-division multiplexing (OFDM) to add data to the musical frequencies humans are less likely to notice whilst avoiding the ones they are sensitive to.

It sounds easy enough in principle but applying it to music tracks with individual harmonic compositions across different genres quickly becomes a highly technical challenge.

Then there’s the problem of being able to transfer enough data at a given distance to make the whole idea worthwhile.
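The paragraphs above describe the principle but not the mechanics, so here is an added example (not the ETH Zurich authors' code, and a deliberate simplification of their system): a pure-Python OFDM embedder and extractor. A single steady 440 Hz tone stands in for the music, eight BPSK subcarriers are placed on DFT bins next to it at 34 dB below its level, and the receiver recovers one byte per 50 ms symbol (160 bit/s) by correlating each symbol against the subcarrier frequencies. Sample rate, bin choices, amplitudes and the payload are constructed values; a real system must choose the bins from the psychoacoustic masking of the actual track, survive the loudspeaker-to-microphone channel and find symbol boundaries itself, none of which is modelled here.

```python
# Added example, not the ETH Zurich authors' code.  Minimal OFDM embedder and
# extractor: 8 BPSK subcarriers are added to a synthetic "music" tone on DFT
# bins that do not collide with it, and the receiver recovers the bits by
# correlating each symbol with the subcarrier frequencies.  All parameters
# below are constructed for illustration.
import math

FS = 8000                  # sample rate in Hz
N = 400                    # samples per OFDM symbol: bin spacing FS/N = 20 Hz
MUSIC_BIN = 22             # a 440 Hz tone stands in for the music
DATA_BINS = range(24, 32)  # 8 subcarriers at 480..620 Hz, next to the loud note
DATA_AMP = 0.02            # 34 dB below the tone's amplitude of 1.0

def bytes_to_bits(data: bytes):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def music(n_symbols: int):
    """Synthetic carrier: one steady tone lasting n_symbols OFDM symbols."""
    return [math.cos(2 * math.pi * MUSIC_BIN * n / N) for n in range(n_symbols * N)]

def embed(samples, payload: bytes):
    """Add one byte per OFDM symbol; each bit selects the sign of one subcarrier."""
    bits = bytes_to_bits(payload)
    if (len(bits) // 8) * N > len(samples):
        raise ValueError("track too short for payload")
    out = list(samples)
    for s in range(len(bits) // 8):
        for j, k in enumerate(DATA_BINS):
            sign = 1.0 if bits[s * 8 + j] else -1.0   # BPSK: 1 -> +cos, 0 -> -cos
            for n in range(N):
                out[s * N + n] += sign * DATA_AMP * math.cos(2 * math.pi * k * n / N)
    return out

def extract(samples, n_bytes: int) -> bytes:
    """Correlate each symbol with every subcarrier; the sign gives the bit.

    Because the tone and every subcarrier sit on distinct integer DFT bins,
    their correlations over one whole symbol are zero, so the tone does not
    disturb the decision even though it is 50x louder than the data.
    """
    bits = []
    for s in range(n_bytes):
        seg = samples[s * N:(s + 1) * N]
        for k in DATA_BINS:
            corr = sum(seg[n] * math.cos(2 * math.pi * k * n / N) for n in range(N))
            bits.append(1 if corr > 0 else 0)
    return bits_to_bytes(bits)

def max_distortion(clean, marked) -> float:
    """Largest per-sample change the embedding made (bounded by 8 * DATA_AMP)."""
    return max(abs(a - b) for a, b in zip(clean, marked))

if __name__ == "__main__":
    clean = music(5)
    marked = embed(clean, b"hello")
    print(extract(marked, 5), max_distortion(clean, marked))
```

The orthogonality that makes this work is the whole point of OFDM: as long as each subcarrier completes an integer number of cycles per symbol and lands on a bin the music is not using, the receiver can separate them with a plain correlation. Real music has energy spread across many bins, which is why the authors' problem of picking inaudible yet free bins per track and per genre is the hard part.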

Read more at https://nakedsecurity.sophos.com/2019/07/17/researchers-hide-data-in-music-and-human-ears-cant-detect-it/

GandCrab ransomware revisited – is it back under a (R)evil new guise?

By Paul Ducklin

Remember GandCrab?

It was a well-known strain of ransomware that was sold as a ‘service’ on the cyberunderground.

The idea of CaaS, or crimeware-as-a-service, is borrowed from the outsourcing and cloud computing models that regular businesses use.

These days, for example, if you want to publish your own videos, you don’t have to learn about video compression, color gamut, pixel formats, transcoding, bitrates, how to run a live streaming server, or any of that stuff…

…you just press [Record] on your phone, capture your video footage and then click a button to share the video with anyone you like via a whole range of free video hosting networks such as YouTube.

CaaS works in a similar fashion – if you want to have a go at making money out of ransomware, for example, and you know the right places to go in the cyberunderground, you can get someone else to take care of the technical side in return for a cut of the takings – no upfront fees.

Instead of learning about malware, teaching yourself how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, and so on…

…all you have to do is sign up, download your malware samples as needed, and victimise individuals and organisations with your ready-made ransomware.

The crooks behind the service collect the ransoms, distribute the decryptors, even offer online ‘tech support’ to victims to make sure they know how to buy bitcoins, how to make payments, what to do after they’ve paid, and so on.

Read more at https://nakedsecurity.sophos.com/2019/07/16/gandcrab-ransomware-revisited-is-it-back-under-a-revil-new-guise/

Bluetooth LE’s anti-tracking technology beaten

By John E Dunn

Researchers have found a way around the Media Access Control (MAC) address randomization feature used by Bluetooth Low Energy (BLE) to protect users and their devices from being identified and tracked.

The first and most surprising issue confirmed by the paper Tracking Anonymized Bluetooth Devices, from Boston University's Johannes Becker, David Li and David Starobinski, is that device makers have a lot of leeway in how they implement BLE privacy features, or whether they bother at all (for anyone unfamiliar with the ins and outs of BLE security, see below).

But the team has now confirmed that even software where BLE device privacy is implemented carefully – Windows 10, macOS and Apple’s iOS being the stand-out examples – is a lot less secure than everyone has assumed.

Rabbit hole

The under-appreciated fact about Bluetooth is that behind its friendly ‘turn on, connect, forget’ reputation, the technology has gradually become one of security’s rabbit holes.

That’s mainly because it’s a 20-year-old standard that has evolved in a series of jumps, the most significant of which was the arrival of Bluetooth Low Energy (BLE, formerly Bluetooth Smart) in 2011.

Part of Bluetooth 4.0 (and its successor Bluetooth 5), the headline advance of BLE was its improved power consumption as well as its introduction of a sophisticated security and privacy architecture.

However, an unavoidable weak point was the need for a Bluetooth device to publicly ‘advertise’ itself without encryption to other devices around it without leaking details of that device to snoopers – BLE’s answer to which was something called address randomization.
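To make the paragraph above concrete, here is an added example (not from the article and not the Boston University team's code). It classifies a BLE device address by the rules in the Bluetooth Core Specification, parses the cleartext advertising payload into its AD structures, and then shows the generic weakness the paragraph hints at: if any field in that unencrypted payload stays the same while the address rotates, an observer can link the rotated addresses back to one device. The observations, the addresses and the manufacturer-data token are constructed; the 0xFFFF company identifier is a placeholder, and whether this matches the paper's exact method is not something the article states.

```python
# Added example, not from the article or the Boston University paper.
# Classifies BLE addresses, parses the advertising payload and links
# rotated addresses through a payload field that never changes.
# All packets below are constructed for illustration.

AD_MANUFACTURER_SPECIFIC = 0xFF   # AD type "Manufacturer Specific Data"

def classify_address(addr: str, random_addr: bool) -> str:
    """Return the address type of a BLE device address.

    addr is written most significant octet first ("4F:...").  random_addr
    is the TxAdd flag from the advertising PDU header (True = random).
    """
    octets = bytes.fromhex(addr.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("BLE addresses are 48 bits")
    if not random_addr:
        return "public"
    sub = octets[0] >> 6   # two most significant bits select the sub-type
    return {
        0b11: "random static",           # fixed until the device power-cycles
        0b01: "resolvable private",      # rotates; resolvable only with the IRK
        0b00: "non-resolvable private",  # rotates; not resolvable by anyone
    }.get(sub, "reserved")

def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) pairs.

    Each AD structure is: length (1 byte) | AD type (1 byte) | data,
    where the length byte counts the type byte plus the data.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:            # zero-length structures are padding
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type = payload[i + 1]
        structures.append((ad_type, bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structures

def link_addresses(observations, ad_type=AD_MANUFACTURER_SPECIFIC):
    """Group observed addresses by a payload field of the given AD type.

    observations: iterable of (time, address, random_addr, payload).
    Returns {field_value: [addresses in order first seen]}.  Two different
    random addresses under one key were almost certainly the same device:
    the address rotated, the payload did not.
    """
    groups = {}
    for _time, addr, _random, payload in observations:
        for t, data in parse_ad_structures(payload):
            if t == ad_type:
                seen = groups.setdefault(data, [])
                if addr not in seen:
                    seen.append(addr)
    return groups

# Constructed packets: a Flags structure (type 0x01) followed by manufacturer
# data with the placeholder company identifier 0xFFFF (little-endian) and a
# made-up 3-byte identifier that the fictional device never rotates.
FLAGS = bytes([0x02, 0x01, 0x06])
TOKEN_A = bytes([0x06, 0xFF, 0xFF, 0xFF, 0x11, 0x22, 0x33])
TOKEN_B = bytes([0x06, 0xFF, 0xFF, 0xFF, 0x44, 0x55, 0x66])

SAMPLE_OBSERVATIONS = [
    (0,    "4F:2A:91:0C:7D:E3", True, FLAGS + TOKEN_A),
    (840,  "4F:2A:91:0C:7D:E3", True, FLAGS + TOKEN_A),
    (900,  "6A:31:55:B8:02:1F", True, FLAGS + TOKEN_A),  # address rotated
    (905,  "C3:00:11:22:33:44", True, FLAGS + TOKEN_B),  # a different device
    (1800, "2B:7C:40:D9:AA:05", True, FLAGS + TOKEN_A),  # rotated again
]

if __name__ == "__main__":
    for _, addr, rnd, _ in SAMPLE_OBSERVATIONS:
        print(addr, classify_address(addr, rnd))
    for token, addrs in link_addresses(SAMPLE_OBSERVATIONS).items():
        print(token.hex(), "->", addrs)
```

Run against the constructed capture, the first device shows up under three different random addresses, two of them resolvable private and one non-resolvable, yet all three carry the same manufacturer-data bytes and are trivially grouped. Address randomization only helps if everything else in the advertisement rotates with the address; the check a practitioner wants is exactly this, run over a real capture from the device under test.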

Read more at https://nakedsecurity.sophos.com/2019/07/16/bluetooth-les-anti-tracking-technology-beaten/

$5b privacy fine against Facebook seen as ‘chump change’

By Lisa Vaas

Two people familiar with the Federal Trade Commission’s (FTC’s) 16-month-long investigation into Facebook’s privacy practices – a probe kicked off by the Cambridge Analytica scandal – told the Wall Street Journal that the commission voted last week to approve a settlement worth about $5 billion.

The FTC settlement could end the investigation, which began in March 2018 after reports that Facebook had let the political research firm Cambridge Analytica (CA) access the personal data of up to 87 million Facebook users without their knowledge, which some said violated a 2011 agreement between Facebook and the FTC to improve its privacy practices.

The next stop for the proposed Facebook settlement is the Department of Justice (DOJ), which typically finalizes FTC settlements. It’s rare for the DOJ to nix FTC settlements, though.

The vote hewed to party lines, with the FTC’s three Republicans supporting it and two Democrats voting against it.

$5b worth of sputtering

Democrats are calling the record-setting fine a slap on the wrist. An early Christmas present. A drop-in-the-bucket penalty. Chump change. A mosquito bite.

Rhode Island Congressman David Cicilline, who oversees an antitrust panel in the House:

It’s very disappointing that such an enormously powerful company that engaged in such serious misconduct is getting a slap on the wrist. This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data. If the FTC won’t protect consumers, Congress surely must.

Read more at https://nakedsecurity.sophos.com/2019/07/16/5b-privacy-fine-against-facebook-seen-as-chump-change/

Ransomware attackers demand $1.8m from US college

By Lisa Vaas

Credit where credit’s due: Monroe College, frozen by a ransomware attack since 6:45 a.m. Wednesday 10 July 2019, has seen a silver lining: it’s gone back to ye good old analog, friendlier, more-in-person ways of yore to keep working.

From a statement sent by Marc Jerome, president of Monroe College, a for-profit institution based in the Bronx borough of New York City, to Inside Higher Ed:

Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible.

In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served.

As of yesterday, the college was still relying on a microsite that it put up last week in response to the outage.

It also sent workaround instructions to students in its latest Tweet, sent last Friday.

Nearly 8,000 students affected

The NY Daily News reports that the attack paralyzed systems at all of Monroe’s campuses in Manhattan, New Rochelle and St. Lucia, where a total of nearly 8,000 students are enrolled.

The attackers told the school that it could get back up and running once it paid 170 Bitcoin. The going price as of Monday for one Bitcoin was US $10,522, putting the total ransom at US $1,788,740.

Will Monroe pay? Or will the college tell the attackers to take a long walk off a short pier, which the US Conference of Mayors last month resolved would be the go-to response for all the government entities that keep getting hit in ransomware attacks?

Read more at https://nakedsecurity.sophos.com/2019/07/16/ransomware-attackers-demand-1-8m-from-us-college/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation