September 11, 2019

Wikipedia fights off huge DDoS attack

By John E Dunn

Last Friday, 7 September, Wikipedia suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

It’s not that Wikipedia isn’t attacked regularly – it is. It’s just that the DDoS that hit it at around 17:40 UTC on that day was far larger than normal and kept up its attack for almost three days.

The site quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia.

The size of the attack has not been made public, although from details offered by mitigation company ThousandEyes it’s clear that it was an old-style volumetric flood designed to overwhelm the company’s web servers with bogus HTTP traffic.

Given the protection sites employ these days, this suggests that it was well into the terabits-per-second range used to measure the largest DDoS events on the internet.

In fact, most of that flood would never have reached Wikipedia’s servers, instead being thrown away by upstream ISPs as a protective measure once it became obvious that a DDoS was underway.
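As an added illustration of what a volumetric HTTP flood looks like from the defender’s side (example code written for this digest, not anything from Wikipedia, ThousandEyes or the upstream ISPs), the Python below parses Common Log Format lines, counts requests and distinct sources per second, and flags seconds whose rate exceeds a multiple of a baseline. The log lines are constructed, using documentation-range addresses and the 17:40 UTC time the article gives; the baseline figure is a parameter that in practice would come from historical traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into (client_ip, timestamp); return None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def per_second_stats(lines):
    """Return {second: (request_count, distinct_sources)} in time order."""
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines the regex cannot read rather than crash mid-incident
        ip, ts = parsed
        hits[ts] += 1
        sources[ts].add(ip)
    return {t: (hits[t], len(sources[t])) for t in sorted(hits)}


def flood_seconds(stats, baseline_rps, factor=10):
    """Seconds whose request rate exceeds factor x the baseline rate.

    baseline_rps is an assumed input here; a real deployment derives it from
    historical traffic for the same hour and weekday.
    """
    return [t for t, (n, _) in stats.items() if n > baseline_rps * factor]


def constructed_log():
    """Constructed CLF lines: two quiet seconds at 2 req/s, then one second with
    60 requests from 60 distinct addresses, which is the shape of a distributed
    volumetric flood (many sources, each sending little)."""
    start = datetime(2019, 9, 7, 17, 40, 0, tzinfo=timezone.utc)  # time stated in the article

    def line(ip, ts):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET /wiki/Main_Page HTTP/1.1" 200 1234'

    lines = []
    for s in range(2):
        for i in range(2):
            lines.append(line(f"198.51.100.{i}", start + timedelta(seconds=s)))
    flood_ts = start + timedelta(seconds=2)
    for i in range(60):
        lines.append(line(f"203.0.113.{i}", flood_ts))
    return lines


if __name__ == "__main__":
    stats = per_second_stats(constructed_log())
    for t in flood_seconds(stats, baseline_rps=2):
        count, distinct = stats[t]
        print(f"{t.isoformat()}: {count} requests from {distinct} sources")
```

The distinct-source count is the useful second signal: a single misbehaving client shows a high count with one source, while a botnet flood shows a high count with nearly as many sources, which is why per-IP rate limiting alone does not stop the latter and upstream filtering is needed.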

Read more at https://nakedsecurity.sophos.com/2019/09/11/wikipedia-fights-off-huge-ddos-attack/

LinkedIn can’t block public profile data scraping, court rules

By Lisa Vaas

An appeals court has told LinkedIn to back off – no more interfering with a third-party data-analytics startup’s use of the publicly available data of LinkedIn’s users.

The court’s decision, which affirmed that of a lower court, has been closely anticipated for what some legal scholars consider to be the case’s important constitutional and economic issues, as well as what critics believe could be a chilling effect on digital competition.

Constitutional scholar and Harvard law professor Laurence Tribe, for one, has weighed in on this issue to offer advice to the data-scraping startup in question, hiQ Labs.

At issue, Tribe has said, was that social media is the modern equivalent of the public square. He’s called LinkedIn’s attempts to stop hiQ from using its users’ publicly available data “a serious challenge to free expression in the modern world.”

Freedom of speech is not just about flag-burning. It’s about how you use information in the digital economy. Data is the new form of capital in creating products and services.

The decision was applauded for providing clarity around the scope of the nation’s major hacking law, the Computer Fraud and Abuse Act (CFAA). The Electronic Frontier Foundation (EFF), for one, said that it should come as a relief to researchers, journalists, and companies…

who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to.

Read more at https://nakedsecurity.sophos.com/2019/09/11/linkedin-cant-block-public-profile-data-scraping-court-rules/

Telegram fixes ‘unsend message’ bug that held on to your pictures

By Danny Bradbury

Imagine this: you’re at a party one Saturday night and, at 1 a.m., decide to send your best pal a picture of yourself doing a headstand wearing nothing but a pink tutu, slamming a litre of Smithwick’s finest from a beer bong.

Unfortunately, your best pal’s name is Sue, which also happens to be your boss’s name, and you selected the wrong contact. Ruh-roh. That’s a quick way to sober up.

Luckily, you sent the photo using Telegram Messenger, and you remember that it lets you delete entire messages and the pictures they contain both from yours and the recipient’s phone. Sue was probably asleep, so you can quickly wipe the message and no one will be any the wiser.

Phew, no harm done. Except for one important fact: it turns out that ‘unsend’ feature didn’t work properly.

Telegram introduced its ‘unsend message’ feature in version 3.16 back in 2017. It’s another feature in an app that has attracted privacy advocates everywhere for its ability to cloak communications, but security researcher Dhiraj Mishra has uncovered a flaw.

The Android version of Telegram stores any images received in the /Telegram/Telegram Images/ folder. When deleting a message, you’d expect it to delete the image as well. In fact, it left the picture intact in the folder. The recipient would have to know to look there, of course, but if they checked, they’d be able to see you in all your tutu-sporting, beer-bonging glory. Bang goes your promotion.
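The bug boils down to deleting the chat record without deleting the file the record points at. The Python below is an added example written for this digest (it is not Telegram’s code and makes no claim about how the app is built internally): a toy message store where the buggy ‘unsend’ drops only the record, the fixed one also removes the media file, and a check lists files left on disk that no message refers to. The folder and the image bytes are constructed stand-ins.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Message:
    msg_id: int
    text: str
    media_path: Optional[str] = None  # path of the received image, if any


class MessageStore:
    """Constructed stand-in for a chat database plus a media folder on disk."""

    def __init__(self, media_dir: str):
        self.media_dir = media_dir
        self.messages: Dict[int, Message] = {}

    def receive(self, msg_id: int, text: str, image_bytes: Optional[bytes] = None):
        path = None
        if image_bytes is not None:
            # Received images land in the media folder, as the article describes
            path = os.path.join(self.media_dir, f"{msg_id}.jpg")
            with open(path, "wb") as f:
                f.write(image_bytes)
        self.messages[msg_id] = Message(msg_id, text, path)

    def unsend_buggy(self, msg_id: int):
        """The flaw: the chat entry disappears but the image stays on disk."""
        self.messages.pop(msg_id, None)

    def unsend_fixed(self, msg_id: int):
        """The fix: remove the file the record points at, then the record."""
        msg = self.messages.pop(msg_id, None)
        if msg is not None and msg.media_path is not None:
            try:
                os.remove(msg.media_path)
            except FileNotFoundError:
                pass  # user or another process already cleared it; nothing to leak

    def leftover_media(self) -> List[str]:
        """Files in the media folder that no surviving message references."""
        referenced = {m.media_path for m in self.messages.values() if m.media_path}
        return sorted(
            name for name in os.listdir(self.media_dir)
            if os.path.join(self.media_dir, name) not in referenced
        )


def demo(use_fix: bool) -> List[str]:
    """Receive one picture message and one text message, unsend the picture,
    and report what is left behind in the folder."""
    with tempfile.TemporaryDirectory() as media_dir:
        store = MessageStore(media_dir)
        store.receive(1, "tutu pic", b"\xff\xd8constructed-jpeg-bytes")
        store.receive(2, "no picture here")
        (store.unsend_fixed if use_fix else store.unsend_buggy)(1)
        return store.leftover_media()


if __name__ == "__main__":
    print("buggy unsend leaves:", demo(use_fix=False))
    print("fixed unsend leaves:", demo(use_fix=True))
```

The `leftover_media` check is the kind of test a reviewer would add for any ‘delete for everyone’ feature: after the deletion path runs, walk the storage locations the app writes to and assert nothing unreferenced remains.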

Read more at https://nakedsecurity.sophos.com/2019/09/11/telegram-fixes-picture-saving-bug/

Facebook says location data in iOS 13, Android 10 may be confusing

By Lisa Vaas

On Monday, Facebook gave users a heads-up about changes coming in Android and iOS updates and how they let you see and manage your location data, how apps track you, and how Facebook’s use of your location data fits into all of it.

The post explains how Facebook’s app collects and uses background location data from smartphones: “background,” as in, when you’re not actually using the app.

You can see why Facebook might want to get its location data story out there now, in front of Apple’s release of iOS 13, which is expected in just a few days, on 19 September. (Android 10 was already publicly released – at least for Pixel devices – on 3 September.)

Facebook’s is, after all, one of the apps whose snail-slime trails of users’ location data iOS 13 is going to depict in maps.

From Facebook’s newsroom post:

If you are using iOS 13, you will begin to receive notifications about when an app is using your precise location in the background and how many times an app has accessed that information. The notification will also include a map of the location data an app has received and an explanation why the app uses that type of location information.

Apple announced the background location feature in June.

Craig Federighi, Apple’s senior vice president of software engineering, said at the time that sharing your location data with a third-party app can “really enable some useful experiences,” but that “we don’t expect to have that privilege used to track us.”

iOS 13 will show users a map of where apps have been tracking you when requesting permission

Read more at https://nakedsecurity.sophos.com/2019/09/11/facebook-says-location-data-in-ios-13-android-10-may-be-confusing/

Mozilla increases browser privacy with encrypted DNS

By Danny Bradbury

Mozilla is about to turn on by default an oft-overlooked privacy feature in Firefox. The desktop version of the browser will soon automatically encrypt the DNS lookups behind your website requests using a feature called DNS-over-HTTPS (DoH), it said on Friday.

DNS (short for Domain Name System) is the service that takes a human-readable name like nakedsecurity.sophos.com and turns it into an IP address a computer can use. (Your DNS service provider is usually your ISP, but it doesn’t have to be. There are free and commercial DNS services too.)

The problem is that computers normally send DNS requests in the clear. Doing that means an evil man-in-the-middle sniffing the Wi-Fi in your local coffee shop, or stationed on any of the computers between you and your DNS resolver, can meddle with your DNS. They can spy on it, to see what sites you’re visiting, or change it, to send you somewhere else.

The Internet Engineering Task Force (IETF) has worried about the privacy implications of DNS for years. In 2018, it attempted to solve them by introducing DoH. It handles all DNS queries over the HTTPS protocol, which is protected by TLS encryption. Not only does this encrypt DNS, but it also uses the same ports that handle HTTPS sessions, which are different to the ports used for DNS queries. That makes DoH requests look the same as regular HTTPS traffic and makes it impossible for ISPs to block the use of DoH without also blocking all web access.
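To make the mechanism concrete, here is an added Python example (not Mozilla’s or Firefox’s code) that builds a DNS A query in RFC 1035 wire format, wraps it in the RFC 8484 GET form (a base64url-encoded `dns` parameter, `Accept: application/dns-message`, sent to an ordinary HTTPS endpoint on port 443), and parses a constructed `application/dns-message` response. The resolver host `doh.example` and the answer address 192.0.2.1 are placeholders; nothing is sent over the network.

```python
import base64
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query message: 12-byte header plus one question (qtype 1 = A)."""
    # ID 0 as RFC 8484 recommends for GET, so identical queries cache identically;
    # flags 0x0100 = recursion desired; QDCOUNT 1.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN
    return header + question


def doh_get_request(name: str, host: str = "doh.example", path: str = "/dns-query") -> str:
    """The HTTP request a DoH client sends inside its TLS session to port 443.
    host is a placeholder; a real client uses its configured resolver."""
    payload = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return (
        f"GET {path}?dns={payload} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n\r\n"
    )


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return [(name, ttl, ipv4)] for the A records in a DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response() -> bytes:
    """Constructed resolver reply: same question, one A record, TTL 300,
    name compressed as a pointer to offset 12, address from the documentation range."""
    query = build_query("nakedsecurity.sophos.com")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    print(doh_get_request("nakedsecurity.sophos.com"))
    print(parse_answers(constructed_response()))
```

Because the query rides inside TLS to port 443, an observer on the path sees only that the client spoke HTTPS to the resolver, which is the property the article describes; the same wire-format message would otherwise travel as plaintext UDP on port 53.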

The desktop version of Firefox has provided DoH support since Firefox 62, but it was turned off by default. Mozilla had been experimenting with it before switching it on by default to make sure that it didn’t break anything – such as parental control systems or the safe search capability on some search engines, like Google.

Read more at https://nakedsecurity.sophos.com/2019/09/10/mozilla-increases-browser-privacy-with-encrypted-dns/

Google & Apple pushed to reveal gun scope app users’ names to feds

By Lisa Vaas

US Immigration and Customs Enforcement (ICE) is looking into illegal exports of a gun scope, and its investigation includes going after Apple and Google to get them to hand over the names of who’s using an associated gun-scope app.

The Department of Justice (DOJ) on Thursday filed a court order demanding that the two companies turn over data on some 10,000 users of Obsidian 4: an app from American Technologies Network Corp. (ATN) that connects the scope to smartphones or tablets via Wi-Fi so that gun owners can watch a live video stream of their hunt and calibrate their smart scope.

Apple doesn’t release app download numbers, but Google Play says that the app’s been downloaded over 10,000 times. How many of those installs are from actual users is another question, though, given how many recent reviews say that they’re only downloading in protest of the government demanding that Google and Apple hand over a list of the app’s users.

Read more at https://nakedsecurity.sophos.com/2019/09/10/google-apple-pushed-to-reveal-gun-scope-app-users-names-to-feds/

Facebook loses control of key used to sign Android app

By Lisa Vaas

Android apps are digitally signed by their developers. Digital signatures are created using a private cryptographic key, and the word ‘private’ means just what it says – the value of the signature depends on keeping the signing key private.

After all, if someone else gets hold of your private key then they can sign their own apps with it and pass them off as yours.

Facebook, however, is reportedly shrugging off the fact that it lost control of one of its app-signing keys and that apps signed with that same key are popping up in unofficial repositories.

The signing key that Facebook lost was apparently used to vouch for the Free Basics by Facebook app. According to Artem Russakovskii, the owner of the Android Police website and its sister site, APK Mirror, which hosts Android apps for download, third-party apps signed with that key have appeared online.

Free Basics, in case you are wondering, is part of Facebook’s 2016 plan to connect everyone on the planet, for free.

Read more at https://nakedsecurity.sophos.com/2019/09/04/facebook-loses-control-of-key-used-to-sign-android-app/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation