September 3, 2019

iPhone attack may have targeted Android and Windows too

By John E Dunn

Last week’s significant hack of iPhones also targeted Android smartphones and Windows computers, it has been reported.

According to unnamed sources speaking to the news site TechCrunch, the campaign was part of the Chinese Government’s attempts to monitor the Uighur ethnic group.

Google already dropped hints about nation-state involvement in its announcement, but a separate report that Windows and Android devices were also on the target list offers a new twist to the story.

If correct, the inclusion of Windows and Android shouldn’t be surprising – it makes sense when targeting specific groups of people through a small group of websites to target as many computing devices as possible so as not to miss anyone.

Of course, none of this can currently be verified. For now, these are simply unnamed sources talking to a few journalists, offering information that might never be confirmed.

Indeed, the fact that it is being taken seriously at all is partly down to the fact that the companies involved – Google, Microsoft, Apple – seem unwilling to deny any of it.

Read more at https://nakedsecurity.sophos.com/2019/09/03/iphone-attack-may-have-targeted-android-and-windows-too/

China’s new face-swapping app Zao gets whiplash-fast privacy backlash

By Lisa Vaas

Launched on Friday and viral practically right off the bat, the brand-new, AI-outfitted, deepfake face-swapping app Zao can swap users’ photos to those of celebrities zippity quick.

And just as fast as greased lightning, the app got itself banned from China’s top messaging app service, WeChat, after its meteoric rise in China’s app stores was countered by a fierce privacy backlash.

Sina Technology reports that on Sunday, the company behind the Zao mobile app had posted onto Weibo – China’s Twitter-like microblogging service – an apology and a request to please give it some time to figure out privacy issues.

Forbes gave this translation:

We thoroughly understand the anxiety people have towards privacy concerns. We have received the questions you have sent us. We will correct the areas we have not considered and require some time.

Regardless of that apology and a tweak to Zao’s originally “we own your stuff forever” terms of service, that same day, WeChat banned the posting of any external links shared from Zao, saying that…

The app has security risks.

Read more at https://nakedsecurity.sophos.com/2019/09/03/chinas-new-face-swapping-app-zao-gets-whiplash-fast-privacy-backlash/

FBI asks Google for help finding criminals

By Danny Bradbury

How would you prepare to rob a bank? You’d scope out the location, suss out the quietest times, and use clothing to conceal your identity. But would you leave your phone at home? Judging by news that surfaced last week, you probably should – at least if it has Google’s software on it.

The Verge reports that FBI agents issued the search and advertising giant with a warrant in November 2018, seeking its help with a bank robbery the month before.

The robbery took place at 9:02am on 13 October 2018 at the Great Midwest Bank in Hartland, Wisconsin. Two robbers entered the building, one of them waving a handgun and forcing staff to the floor. He filled a plastic bag with cash and demanded the key to the vault. He took three drawers of cash from the vault, and then both robbers left the building by the back door. The whole thing took just seven minutes.

Investigators, hitting a brick wall, turned to Google. The search warrant said:

Google collects and retains location data from Android-enabled mobile devices when a Google account user has enabled Google location services. The company uses this information for location-based advertising and location-based search results. This information is derived from GPS data, cell site/cell tower information, and Wi-Fi access points.

It added:

It is probable that the unknown suspects of this investigation had cellular telephones which utilized either Google’s Android or Apple OIS [sic] operating systems.

Read more at https://nakedsecurity.sophos.com/2019/09/03/fbi-asks-google-for-help-finding-criminals/

XKCD forums breached

By Lisa Vaas

The forum for the techie-darling comic strip XKCD was still offline on Monday afternoon after Troy Hunt’s breach site, Have I Been Pwned, reported on Sunday that 562,000 of the forum’s accounts had been breached sometime in August.

A breach notice on the echochamber.me/xkcd forums echoed Hunt’s message: portions of the forums’ phpBB user table showed up in a cache of leaked data, it said. The forum exposed usernames, email addresses, passwords salted and hashed using the obsolete MD5 hashing function, and IP addresses.

To translate: MD5 is a hashing function, and it’s not a good one. For over a decade, it’s been recognized as not producing truly random hashes and there have been far, far better solutions for storing passwords for decades.

As Naked Security’s Mark Stockley said back when he ditched his Yahoo account, the final nail in the coffin was the fact that Yahoo said, in its December 2016 mega-breach announcement, that it was hashing passwords with MD5 (and, in some cases, encrypted or unencrypted security questions and answers).

Was Yahoo bolstering the not-so-random randomness of MD5 hashing by using it in the context of a more complex “salt, hash and stretch” password storage routine, like PBKDF2, bcrypt or scrypt?

Yahoo didn’t say – not a good sign. So out the window went Mark’s Yahoo account.

Read more at https://nakedsecurity.sophos.com/2019/09/03/xkcd-forums-breached/
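To make the "salt, hash and stretch" point in the XKCD item concrete, here is an added example (not code from the article, the forum or phpBB) that puts a single-pass salted MD5 record beside a PBKDF2 record and upgrades the weak record on the next successful login. The record layout, function names, sample password and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your own hardware


def legacy_md5(password, salt):
    """Weak scheme: one fast MD5 pass over salt + password (hypothetical layout)."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest


def stretch(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salt, hash and stretch: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Return (ok, record_to_store); a legacy record is re-hashed on success."""
    scheme, *parts = stored.split("$")
    if scheme == "md5":
        salt = bytes.fromhex(parts[0])
        ok = hmac.compare_digest(legacy_md5(password, salt), stored)
        # The plaintext is only available at login, so upgrade the record now.
        return ok, (stretch(password) if ok else stored)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, _ = parts
        candidate = stretch(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, stored), stored
    return False, stored  # unknown scheme: reject rather than guess


if __name__ == "__main__":
    # Constructed sample record; not taken from any real breach data.
    old = legacy_md5("correct horse", os.urandom(16))
    ok, new = verify("correct horse", old)
    print(ok, old.split("$")[0], "->", new.split("$")[0])
```

The salt stops identical passwords from sharing a hash; the iteration count is what makes each offline guess expensive, which a single MD5 pass does not.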

WordPress sites are being backdoored with rogue admin users

By John E Dunn

Lock up your WordPress – a recent malvertising campaign targeting vulnerable plugins is now trying to backdoor sites by creating rogue admin accounts.

In July when web firewall company WordFence (aka Defiant) first noticed the campaign, it was attempting to hijack sites to push popup ads, tech support scams and malicious Android apps.

Plugins targeted included vulnerable versions of Coming Soon Page & Maintenance Mode, which followed attacks in April and May on the Yellow Pencil Visual CSS Style Editor and Blog Designer.

Six weeks on, perhaps encouraged by the number of vulnerable sites they found, the attackers have upgraded their attacks to take complete control of sites vulnerable to their attacks.

A new vulnerable plugin, Bold Page Builder, has also been added to the exploitation list, which attackers reportedly started targeting on 22 August.

Read more at https://nakedsecurity.sophos.com/2019/09/02/wordpress-sites-are-being-backdoored-with-rogue-admin-users/
