Twitter used 2FA phone numbers for targeted advertising

By John E Dunn

Does Twitter know your email address and your phone number?

Depending on how long ago you started using Twitter, it’s a near certainty the company has at least one of these – the email address – because people often hand that over when registering.

As for phone numbers (usually mobile numbers) these are entered to enable Twitter’s two-factor authentication (2FA) security, Login Verification.

We mention this because Twitter this week made the you have to be kidding admission that it might have “inadvertently” handed this data from some users to advertisers as part of the company’s Tailored Audiences system that targets users’ feeds with ads.

As apologies go, this one is unsatisfactory, particularly if you like Twitter but think ‘targeted’ ads sound intrusive:

We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.

Twitter glosses over some of the detail so let’s explain how Tailored Audiences is supposed to work.

Read more at https://nakedsecurity.sophos.com/2019/10/10/twitter-used-2fa-phone-numbers-for-targeted-advertising/

California outlaw’s facial recognition in police bodycams

By Lisa Vaas

On Tuesday, California passed into law a three-year block of the use of facial recognition in police bodycams that turns them into biometric surveillance devices.

This isn’t surprising, coming as it does from the state with the impending, expansive privacy law – California’s Consumer Privacy Act (CCPA) – that’s terrifying data mongers.

As it is, in May, San Francisco became the first major US city to ban facial recognition. It might well be a tech-forward metropolis, in a state that’s the cradle of massive data gobbling companies, but lawmakers have said that this actually confers a bit of responsibility for reining in the privacy transgressions of the companies headquartered there.

When facial recognition gets outlawed, lawmakers point to the many tests that have found high misidentification rates. San Francisco pointed to the ACLU’s oft-cited test that falsely matched 28 members of Congress with mugshots.

The ACLU of Northern California repeated that test in August, finding that the same technology misidentified 26 state lawmakers as criminal suspects.

One of the misidentified was San Francisco Assemblyman Phil Ting, the lawmaker behind the bill that passed and which was signed into law by Gov. Gavin Newsom on Tuesday: AB1215.

The law, which goes into effect on 1 January 2020 and which expires on 1 January 2023, prohibits police from “installing, activating, or using any biometric surveillance system in connection with an officer camera or data collected by an officer camera.”

Read more at https://nakedsecurity.sophos.com/2019/10/10/california-outlaws-facial-recognition-in-police-bodycams/

Job seekers are scrubbing clean their social media accounts

By Lisa Vaas

We’re thrilled to pass along the findings of a new report that says that job seekers are doing what we’ve been begging them (as well as those people who are just fine with their current jobs, thank you very much) to do for years: button down privacy on their social media accounts, and mop up the splatter tracks of their nonprofessional galivanting if they want to keep it from squashing their career opportunities.

After all, while we’re all for free speech, those rights don’t stop bosses from firing us if we publicly diss them or the company, and they don’t mean that recruiters are required to consider your candidacy if you do something like bad-mouth a previous employer on social media.

The finding comes from JDP, a candidate screening company in the US that surveyed 2,007 US participants about what they’re hiding from employers and how far they’ll go to keep it hidden.

According to its latest study, 43% of respondents enable privacy settings to keep material hidden from current employers and from whatever social media screenings future employers might run on them. In fact, one in four have every platform set to private. Forty percent of respondents say they’ve gone so far as to create alias accounts.

It’s not that they’re not posting career landmines: one in five admit to posting material that could jeopardize a current or future opportunity, JDP found.

Read more at https://nakedsecurity.sophos.com/2019/10/10/job-seekers-are-scrubbing-clean-their-social-media-accounts/

October Patch Tuesday: Microsoft fixes critical remote desktop bug

By Danny Bradbury

Microsoft fixed 59 vulnerabilities in October’s Patch Tuesday, including several critical remote code execution (RCE) flaws.

One of the most significant was a flaw (CVE-2019-1333) in the company’s Remote Desktop Client that enables a malicious server to gain control of a Windows computer connecting to it. An attacker could accomplish this using social engineering, DNS poisoning, a man-in-the-middle attack, or by compromising a legitimate server, Microsoft warned. Once they compromised the client, they could execute arbitrary code on it.

Another critical RCE vulnerability affected the MS XML parser in Windows 8.1, Windows 10, Windows Server 2012 through 2019, and RT 8.1. An attacker can trigger the CVE-2019-1060 flaw through a malicious website that invokes the parser in a browser.

A memory corruption bug in Edge’s Chakra scripting engine (CVE-2019-1366) also enables a malicious website to trigger RCE, operating at the user’s account privileges, while an RCE vulnerability in Azure Stack, Microsoft’s on-premises extension of its Azure cloud service, escapes the sandbox by running arbitrary code with the NT AUTHORITY\system account.

The company also patched a critical RCE bug in VBScript that lets an attacker corrupt memory and take control of the system, usually by sending an ActiveX control via a website or Office document. Hopefully bugs in VBScript will become less important over time now that the company has deprecated the language.

Read more at https://nakedsecurity.sophos.com/2019/10/09/microsoft-fixes-critical-remote-desktop-bug-on-patch-tuesday/

Deepfakes have doubled, overwhelmingly targeting women

By Lisa Vaas

OK, let’s pull deepfakes back from the nail-biting, perhaps hyperbolic, definitely hyperventilating, supposed threats to politicians and focus on who’s really being victimized.

Unsurprisingly enough, according to a new report, that would be women.

96% of the deepfakes being created in the first half of the year were pornography, mostly being nonconsensual, mostly casting celebrities – without compensation to the actors, let alone their permission.

The report, titled The State of Deepfakes, was issued last month by Deeptrace: an Amsterdam-based company that uses deep learning and computer vision for detecting and monitoring deepfakes and which says its mission is “to protect individuals and organizations from the damaging impacts of AI-generated synthetic media.”

According to Deeptrace, the number of deepfake videos almost doubled over the seven months leading up to July 2019, to 14,678. The growth is supported by the increased commodification of tools and services that enable non-experts to churn out deepfakes.

One recent example was DeepNude, an app that used a family of dueling computer programs known as generative adversarial networks (GANs): machine learning systems that pit neural networks against each other in order to generate convincing photos of people who don’t exist. DeepNude not only advanced the technology, it also put it into an app that anybody could use to strip off (mostly women’s) clothes so as to generate a deepfake nudie within 30 seconds.

We saw another faceswapping app, Zao, rocket to the top of China’s app stores last month, sparking a privacy backlash and just as quickly getting itself banned from China’s top messaging app service, WeChat.

While Deeptrace says most deepfakes are coming from English-speaking countries, it says it’s not surprising that it’s seeing “a significant contribution to the creation and use of synthetic media tools” from web users in China and South Korea.

Deeptrace says that non-consensual deepfake pornography accounted for 96% of the total number of deepfake videos online. Since February 2018 when the first porn deepfake site was registered, the top four deepfake porn sites received more than 134 million views on videos targeting hundreds of female celebrities worldwide, the firm said. That illustrates what will surprise approximately 0% of people: that deepfake porn has a healthy market.

Read more at https://nakedsecurity.sophos.com/2019/10/09/deepfakes-have-doubled-overwhelmingly-targeting-women/

TOMS hacker tells people to log off and enjoy a screenless day

By Lisa Vaas

TOMS seems like a really nice shoe company, and it just got hacked in a really nice way.

Motherboard Vice reports that on Sunday, a hacker going by the name Nathan emailed TOMS subscribers and told them to log off, go out and enjoy the day:

hey you, don’t look at a digital screen all day, there’s a world out there that you’re missing out on.

just felt some people need that.

CEO Jim Alling acknowledged the hack in an email to customers, telling them that an unauthorized email was sent out to the TOMS community by “an individual who gained access to a TOMS account in a third-party system.”

The company is asking members of its mailing list to refrain from clicking on any links or replying to the pleasant but unauthorized and illegal message.

TOMS is investigating the incident, but Alling said that the company immediately took steps to deactivate the account and implement additional layers of account security. He said that TOMS had spent 24 hours doing “close examination” with the company’s partners, but so far, it doesn’t look like full payment card details were accessed or that TOMS’ marketing customer email list was downloaded.

Well, no, why would he have done that? That would have taken a lot of time. Plus it would have been rude, Nathan told Vice:

I had TOMS hacked for quite a while, but with a busy life and no malicious intent, it was pretty useless to have them hacked.

Of course, he could have just responsibly disclosed whatever security hole he exploited, but for reasons he didn’t give, Nathan didn’t consider that an option:

By this point responsible disclosure is not a option. So I thought I [may] as well send out a message I believe in just for fun. End purpose was to spread my message to a large amount of people.

Read more at https://nakedsecurity.sophos.com/2019/10/09/toms-hacker-tells-people-to-log-off-and-enjoy-a-screenless-day/