July 8, 2019
Researchers hack VR worlds
By Danny Bradbury
Hackers just infiltrated virtual reality (VR), enabling them to manipulate users’ immersive 3D worlds.
At the Recon cybersecurity show in Montreal, researchers Alex Radocea and Philip Pettersson demonstrated how to hack virtual reality worlds on three platforms.
- The first was VR Chat, a virtual chat room available via online gaming platform Steam and Facebook-owned Oculus.
- The second was Steam’s own Steam VR platform, which provides games designed for VR and also allows users to play traditional games on a giant virtual screen.
- Finally, High Fidelity, an open source VR system with its own blockchain-based digital currency, got the hacking treatment.
Hacking an immersive VR world enables an attacker to take complete control of the victim’s virtual world, Radocea and Pettersson warned. An attacker can listen to what the victim is saying, and can also create fake images.
What kinds of real-world attacks could someone engineer in a VR world? In the hacking demonstration, the researchers opened the Calc.exe Windows program, which is a common way to demonstrate that you can run arbitrary code on a system. In most demonstrations, this would just appear on the desktop, but in this case, it replaced one of the VR users’ hands like a giant sticky note that they couldn’t get rid of.
Read more at https://nakedsecurity.sophos.com/2019/07/08/researchers-hack-vr-worlds/
Privacy and security risks as Sign In with Apple tweaks Open ID protocol
By Lisa Vaas
To many, it sounded like a good idea when Apple announced its Sign In with Apple service at WWDC 2019 last month: a privacy-focused login feature that will let macOS Catalina and iOS 13 users sign into third-party apps and websites using their Apple IDs.
It’s a service that’s designed to rival those of the data-gobbling behemoths, Google, Twitter and Facebook, each of which has its own no-no-how-about-you-sign-in-with-ME authentication service. All of these services allow you to use your ID for a quick, one-click sign up or sign on, no password required, as long as you’re signed into whatever tech bigwig’s service you’re using.
But on 27 June 2019, Apple’s implementation of a sign-in service that doesn’t send personal information to app and website developers was critiqued by the OpenID Foundation (OIDF), the standard-setting organization behind the OpenID open standard and decentralized authentication protocol. The non-profit organization includes tech heavyweights such as Google, Microsoft, PayPal, and others.
The OIDF published an open letter to Apple software chief Craig Federighi, lauding the company for having “largely adopted” OpenID Connect into Sign In with Apple. OpenID Connect is a standardized protocol used by many existing sign-in platforms that lets developers authenticate users across websites and apps without them having to use separate passwords.
Read more at https://nakedsecurity.sophos.com/2019/07/08/privacy-and-security-risks-as-sign-in-with-apple-tweaks-open-id-protocol/
ISPs call Mozilla ‘Internet Villain’ for promoting DNS privacy
The UK Internet Service Providers Association (ISPA) has provocatively shortlisted Mozilla for the sort of award that, on the face of it at least, no tech company should be keen to win – ‘2019’s Internet Villain’.
Mozilla’s claim to infamy? From ISPA’s point of view, it’s Firefox’s imminent inclusion of DNS over HTTPS (DoH) – a technology many experts endorse as the biggest jump for internet privacy since the expansion of HTTPS itself.
The problem, according to the ISPA press release, is that the arrival of this technology in the Firefox browser used by millions will make it possible to:
Bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.
The point of DoH (and the related DNS over TLS, or DoT) is to encrypt DNS requests, which makes it impossible, or at least very difficult, for entities such as ISPs or governments to monitor which websites people are visiting. And because the DNS requests are sent inside encrypted HTTPS requests, they’re also indistinguishable from other web traffic, so they can’t be blocked without blocking all web traffic.
To privacy enthusiasts, this is good because neither ISPs nor governments have any business knowing which domains users happen to frequent.
For ISPs, by contrast, DoH hands them several headaches, including how to fulfil their legal obligation in the UK to store a year’s worth of each subscriber’s internet visits in case the government wants to study them later for evidence of criminal activity.
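To make the DoH mechanism described above concrete, here is an added example (not code from the article or from Mozilla) that builds an RFC 8484 DNS-over-HTTPS GET request for a constructed lookup of example.com, decodes it the way the resolver would after TLS, and shows what an on-path observer is left with. The resolver hostname doh.example is a placeholder.

```python
import base64
import struct

# Constructed example: RFC 8484 DoH GET encoding of an RFC 1035 wire-format query.
RESOLVER_URL = "https://doh.example/dns-query"  # placeholder resolver endpoint


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS wire-format query for qname (qtype 1 = A record).

    The message ID is 0, as RFC 8484 recommends for GET, so identical
    queries produce identical URLs and can be cached by HTTP caches.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(qname: str, qtype: int = 1, resolver: str = RESOLVER_URL) -> str:
    """Return the DoH GET URL: the wire query, base64url-encoded without padding."""
    wire = build_query(qname, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def qname_from_doh_url(url: str) -> str:
    """Decode the 'dns' parameter back to the query name (the resolver's view)."""
    encoded = url.split("dns=", 1)[1]
    wire = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while wire[pos]:
        length = wire[pos]
        labels.append(wire[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def on_path_view(url: str) -> str:
    """What a passive observer of the HTTPS connection can read: the resolver
    hostname from TLS SNI, but not the path or the encrypted 'dns' parameter."""
    return url.split("://", 1)[1].split("/", 1)[0]


if __name__ == "__main__":
    url = doh_get_url("example.com")
    print(url)
    print("resolver sees:", qname_from_doh_url(url))
    print("on-path observer sees:", on_path_view(url))
```

The same query sent as plain DNS over UDP port 53 would carry the name "example.com" in cleartext; over DoH only the resolver endpoint is visible, which is why monitoring or filtering by queried domain no longer works without controlling the resolver or the client configuration.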
Read more at https://nakedsecurity.sophos.com/2019/07/08/isps-call-mozilla-internet-villain-for-promoting-dns-privacy/
New Year’s eve gaming DDoSer lulz himself into a 27-month sentence
By Lisa Vaas
Back in 2014, an entity calling itself @DerpTrolling was one of a bunch of squabbling steamrollers that just about pancaked the gaming world with multiple distributed denial-of-service (DDoS) attacks before, during and after New Year’s Eve.
At the time, @DerpTrolling called itself a group of hackers and, in a chat with the YouTube gaming channel #DramaAlert, said that he/she/they simply attacked sites based on requests from people who tweeted suggested targets.
In other words, it was all just a game, and it was all for the lulz.
In November 2018, one of the “gang” of hackers – possibly the only one – behind the @DerpTrolling moniker got busted. Austin Thompson, a 23-year-old from the US state of Utah, pleaded guilty on 6 November 2018 in a San Diego federal court to knowingly causing damage to third-party computers.
There’s no lulzing now: on Tuesday, Thompson was sentenced in federal court to 27 months in prison for carrying out a series of DDoSes against multiple victims between 2013 and 2014.
Read more at https://nakedsecurity.sophos.com/2019/07/08/new-years-eve-gaming-ddoser-lulz-himself-into-a-27-month-sentence/
5 tips to stay secure on social media
By Paul Ducklin
Here at Naked Security, we’re well aware that social networks aren’t for everyone, and if you’ve decided to stay away from them, we’re good with that.
After all, the best way to prevent privacy blunders and data breaches is simply not to give out the data in the first place – or, if you’re a vendor, not to pressurise people into sharing things that they don’t need to give you and that you’ll probably never use anyway.
But we’re not killjoys, either.
We enjoy spending time on social media – it’s a fun and effective way to keep in contact with our followers and to spread the word about cybersecurity without relying entirely on written articles.
We think you can be part of the social media scene and yet keep enough of your life and lifestyle private that you end up enjoying the benefits without being squashed by the risks…
…but you do need to follow some simple guidelines, both to protect yourself from online rogues, and to stop those same online rogues abusing your account to attack your friends.
Anyway, last weekend was #SocialMediaDay, which was meant to be a way to celebrate all the cool things that social networks let you do, but NOT a call to throw all caution to the winds and start sharing everything with everyone!
Read more at https://nakedsecurity.sophos.com/2019/07/05/5-tips-to-stay-secure-on-social-media/
OpenPGP experts targeted by long-feared ‘poisoning’ attack
By John E Dunn
Somebody out there has taken a big dislike to Robert J. Hansen (‘rjh’) and Daniel Kahn Gillmor (‘dkg’), two well-regarded experts in the specialized world of OpenPGP email encryption.
It’s not known who launched the attacks in late June 2019 (Hansen says he has suspects in mind), but it’s the nature of the campaign against them that has people in this corner of encryption worried – a “poisoning” attack against their personal certificate signatures held on the OpenPGP Synchronizing Key Server (SKS) network.
It sounds arcane, but the effects of this on the sizeable number of people using implementations of the OpenPGP protocol – GnuPG, SequoiaPGP, OpenPGP.js – are to varying degrees potentially very serious. Daniel Kahn Gillmor blogged last week:
My public cryptographic identity has been spammed to the point where it is unusable in standard workflows.
The most disconcerting thing about these attacks is how easy they were to launch simply by spamming large numbers of fake certificate signatures to the keyservers, effectively burying the real one belonging to the two men under thousands of bogus additions.
This sort of attack has been feared for a decade, with smaller attacks recorded a year ago fulfilling that prediction. What’s novel this time, however, is the scale and highly targeted nature of the campaign. As Hansen sums it up in his own reaction:
To have my own certificate directly spammed in this way felt surprisingly personal, as though someone was trying to attack or punish me, specifically.
And it really is a flood – comprising 55,000 fakes directed at Daniel Kahn Gillmor and twice that number at Hansen. This causes problems (see below) but what matters is that the pair now fear the attack will be used against others, expanding its scope in ways that will be very hard to counter.
Read more at https://nakedsecurity.sophos.com/2019/07/05/openpgp-experts-targeted-by-long-feared-poisoning-attack/