Fortnite World Cup champion and family swatted while live streaming

By Lisa Vaas

16-year-old Fortnite player Kyle “Bugha” Giersdorf, recent, $3 million winner of the inaugural World Cup Solo finals, was swatted Sunday night while live streaming his game play, Kotaku reports.

He was live streaming on Twitch.TV, which means that the video recording captured the arrival of the police. Yet again – this isn’t the first time live streamers have had their game play interrupted by police banging at the door – the recording was interrupted by Giersdorf’s father telling him that there were armed police at the door.

“Did he just leave?” one of the players asked, incredulous, as the sound of the game’s gunfire continued and Bugha’s character slumped to the ground.

Yes, he did leave, because there were guns IRL.

After about 10 minutes, Bugha returned, telling his buddies that he’d been swatted. “That was definitely a new one,” he said.

They come in with guns, bro. They literally pulled up, holy sh*t.

He was lucky, Bugha said: it all ended quickly and peacefully, likely due at least in part to the fact that one of the officers was a neighbor:

I was lucky because the one officer, yeah, he lives in our neighborhood.

The situation was far more harrowing for Joshua Peters, a gamer who got swatted while live streaming RuneScape in 2015. His Twitch.TV video showed him just moments after armed police stormed his house, pointed their guns at his 10-year-old brother who answered the door, and forced the gamer himself to lie face down on the floor in yet another swatting incident in the gamer community.

Read more at https://nakedsecurity.sophos.com/2019/08/14/fortnite-world-cup-champion-and-family-swatted-while-live-streaming/

Coinbase explains background to June zero-day Firefox attack

By John E Dunn

Targeted phishing attacks, it is often said, can be difficult for even the wariest organisations to defend themselves against.

But how difficult?

This week’s detailed post-incident analysis of a recent, highly targeted attack on cryptocurrency exchange Coinbase by its chief information officer Philip Martin offers a glimpse into how good these attacks can be.

We’ll start with the punchline – Coinbase successfully resisted the attack, something we could already have guessed when the company tweeted the news in June that it had come under attack.

That snippet also mentioned that the attack deployed two Firefox zero-days, something that immediately grabbed the interest of news reporters as well as Firefox, which issued patches for CVE-2019-11707 and CVE-2019-11708 after Coinbase reported their use by cybercriminals.

Fending off an attack using a combination of two zero-days is already unusually challenging but, according to Martin, the sophistication of the attack didn’t stop there.

It seems the campaign began on 30 May when around a dozen Coinbase employees received an email from someone claiming to be Gregory Harris, a Research Grants Administrator at the University of Cambridge.

This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients.

The approach was so convincing that even as more emails were received over a two-week period, “nothing seemed amiss.”

Read more at https://nakedsecurity.sophos.com/2019/08/14/coinbase-explains-background-to-june-zero-day-firefox-attack/

Fake news doesn’t (always) fool mice

By Lisa Vaas

Mice can’t vote.

They can neither fill in little ovals on ballots nor move voting machine toggles with their itty bitty paws. That’s unfortunate, because the teeny rodents are less inclined than humans to be swayed by the semantics of fake news content in the form of doctored video and audio, according to researchers.

Still, the ability of mice to recognize real vs. fake phonetic construction can come in handy for sniffing out deep fakes. According to researchers at the University of Oregon’s Institute of Neuroscience, who presented their findings during a presentation at the Black Hat security conference last Wednesday (7 August), recent work has shown that “the auditory system of mice resembles closely that of humans in the ability to recognize many complex sound groups.”

Mice do not understand the words, but respond to the stimulus of sounds and can be trained to recognize real vs. fake phonetic construction. We theorize that this may be advantageous in detecting the subtle signals of improper audio manipulation, without being swayed by the semantic content of the speech.

No roomfuls of adorable mice watching YouTube

Jonathan Saunders, one of the project’s researchers, told the BBC that – unfortunately for those who find the notion irresistibly cute – the end goal of the research is not to have battalions of trained mice vetting our news:

While I think the idea of a room full of mice in real time detecting fake audio on YouTube is really adorable, I don’t think that is practical for obvious reasons.

Rather, the goal is to learn from how the mice do it and then to use the insights in order to augment existing automated fakery detection technologies.

Read more at https://nakedsecurity.sophos.com/2019/08/13/fake-news-doesnt-always-fool-mice/

Hacked devices can be turned into acoustic weapons

By Lisa Vaas

It’s bad enough that our devices can listen to us, whether it’s to use ultrasound to track us (even if we’re on an anonymous network) or whether it’s voice assistants picking up on our private conversations (including with human contractors listening in).

Now, PricewaterhouseCoopers (PwC) security researcher Matt Wixey brings us news of attacks that can make our devices’ embedded speakers scream at us, be it at inaudible, high-intensity frequencies or audible sounds at hearing-damaging volumes.

On Sunday at the Defcon security conference, he presented a talk on what he calls acoustic cyber-weapons.

Wixey, head of research at PwC’s cyber security practice, said that his experiments were done as part of his PhD research at University College London, where he delves into what he calls “unconventional” uses of sound as applied to security – including digital/physical crossover attacks that use malware to create physical and/or acoustic harm.

REALLY LOUD STUFF MAKES YOUR HEAD EXPLODE

If you aren’t already aware of how much damage given sounds can cause, in his slideshow for the Defcon talk, Wixey annotated a decibel chart from Survival Life to show what level of sound will cause…

1. Your eyes to twitch – 100 dB, or somewhere between a chainsaw and a lawnmower.
2. Your lungs to collapse/death imminent – 188 dB.
3. Your bones to shatter and your internal organs to rupture – 194 dB.
4. Instant death – 200 dB, or the sound of Windows XP starting up*.

(*I’m fairly sure the Windows XP reference is just a joke. But if you want to see what level of noise will cause your eardrums to rupture, check out this training manual from Purdue University.)

Wixey talked about how inflicting “aural barrages” can cause both psychological and physiological effects, from neurasthenia, cardiac neurosis, hypotension, bradycardia, nausea, fatigue, headaches, tinnitus, ear pain and far more.

Read more at https://nakedsecurity.sophos.com/2019/08/13/hacked-devices-can-be-turned-into-acoustic-weapons/

Chrome Incognito mode detection fix busted by researchers

By Danny Bradbury

Remember that Chrome update that stopped websites from detecting Incognito mode? Well, researchers claim to have found a way around it.

Chrome’s Incognito mode is supposed to let people use computers for browsing sessions without affecting that computer’s history or polluting the browser with session cookies. That means you can search for something on a computer without it showing up there, which is useful for everyone from victims of domestic abuse through to people searching for gifts.

People also discovered another use for incognito mode, though: getting past paywall sites. Incognito mode’s cookie blocking enabled people to start a fresh session with each visit. Visitors to metered paywall sites that provide a certain number of stories for free before demanding a subscription could effectively reset the meter each time they accessed the site.

Sites got wise to this and figured out a way to spot Chrome browsers in Incognito mode. In regular browsing sessions, Chrome uses the chrome.fileSystem API to read and write to the local filesystem. Google disabled that API in Incognito Mode because it never reads or writes cookies during those sessions.

Read more at https://nakedsecurity.sophos.com/2019/08/13/chrome-incognito-mode-detection-fix-busted-by-researchers/