October 14, 2019

Stalker found pop star by searching eyes’ reflections on Google Maps

By Lisa Vaas

A predator has confessed to stalking and attacking a young Japanese pop star by zooming in on the reflections in her eyes from photos she posted on social media.

Oriental Daily reports that 21-year-old Japanese idol Matsuoka Nagato was attacked on her way home by someone who covered her head with a towel, wrestled her to the ground and physically assaulted her, injuring her face in the struggle.

A 26-year-old man by the name of Sato was arrested and confessed to police that he’d used the star’s selfies to figure out where she lived. Each of her pupils reflected the nearby streetscape, which he plugged into the street view function of Google Maps to find matching bus stops and scenery.

Sato told police that he waited at Matsuoka’s bus stop until his victim showed up, then followed her home on the night of 1 September.

He also confessed to observing other reflections in Matsuoka’s eyes: curtains, windows, and the angle of the sun. That enabled Sato to guess at which floor she lived on in the building.

AsiaOne notes that there have been several high-profile stalking and assault cases of J-pop stars in recent years, and fans have called for better protection of their female idols as a result. Such incidents have included one against Maho Yamaguchi, ex-member of pop group NGT48, who spoke out in January about an alleged assault in which two men entered her home and tackled her.

For her part, singer Mayu Tomita tried to report a stalker 12 days before he stabbed her 34 times. Leading up to the attack, police had dismissed the threat, in spite of Tomita telling them that she was getting several social media messages a day, threatening to kill her.

Read more at https://nakedsecurity.sophos.com/2019/10/14/stalker-found-pop-star-by-searching-eyes-reflections-on-google-maps/

Soldering spy chips inside firewalls is now a cheap hack, shows researcher

By John E Dunn

The tiny ATtiny85 chip doesn’t look like the next big cyberthreat facing the world, but sneaking one on to a firewall motherboard would be bad news for security were it to happen.

In fact, this has already happened as part of a project by researcher Monta Elkins, designed to prove that this sort of high-end hardware hack is no longer the preserve of nation-states.

Elkins soldered the 5mm x 5mm ATtiny85 chip from an Arduino board to his test firewall’s circuit board just in front of the system’s serial port.

After reading his account of the proof of concept in Wired, it’s not hard to grasp why soldering tiny chips to circuit boards is a threat – they’re impossible to see let alone detect once they’re installed inside equipment.

The proof of concept is also cheap, requiring little more than some knowhow, access to the supply chain of current products, and a few hundred dollars for parts.

Rumors of secret chips, or secret interfaces on legitimate chips, have long been the stuff of legend, but the implication of Elkins’s work is that anyone could now do this.

Read more at https://nakedsecurity.sophos.com/2019/10/14/soldering-spy-chips-inside-firewalls-is-now-a-cheap-hack-shows-researcher/

Computing enthusiast cracks ancient Unix code

By Danny Bradbury

Old passwords never die – they just become easier to decode. That’s the message from a tight-knit community of tech history enthusiasts who have been diligently cracking the passwords used by some of the original Unix engineers four decades ago.

On 3 October, an enthusiast on the Unix Heritage Society mailing list asked a question about cracking passwords stored in old Unix systems. The source code for various revisions of Unix from the seventies onward is available online for anyone to download, and these revisions store the passwords for various staff members in the /etc/passwd file.

Unix hashed these passwords by running them through an algorithm called descrypt (also known as crypt(3)), which used the original DES encryption algorithm and limited the password length to eight characters. This was good enough to stop people recovering the password from the original hashes at the time, but 40 years on, computers are a little bit faster.

Developer Leah Neukirchen replied that she’d cracked several of them contained in a version of the BSD operating system from January 1980. However, she still hadn’t managed to crack Ken Thompson’s password. Thompson is one of the fathers of Unix. His original work on its predecessor Multics formed the basis for much of the operating system.

Neukirchen complained:

I never managed to crack Ken’s password with the hash ZghOT0eRm4U9s, and I think I enumerated the whole 8 letter lowercase + special symbols key space.

Read more at https://nakedsecurity.sophos.com/2019/10/14/computing-enthusiast-cracks-ancient-unix-code/

Hacker wants $300 for 250,000 records stolen from sex worker site

By Lisa Vaas

A hacker has stepped through a hole in vBulletin web software to steal all email addresses from a Dutch website for prostitution and escort customers and for sex workers themselves, Hookers.nl.

According to local news outlet NOS, the total number of accounts whose email addresses were exposed is 250,000. Besides the email addresses, the hacker also got at user names, IP addresses and passwords, NOS reports.

The passwords are reportedly encrypted. We don’t have details of exactly how they’re encrypted, but as we reported in June, vBulletin is one of the content management systems (CMSes) that are properly securing passwords. That means that it’s doing hashing right – hashing being one part of the encrypting/hashing/salting recipe for securing passwords – by using bcrypt, a password hashing function that’s resistant to GPU-based parallel computing cracks.

On Thursday, the site’s main moderator announced the breach and advised users to change their login details, in spite of passwords apparently not being affected.

According to the notification, Hookers.nl found out about the breach from its external software supplier, vBulletin, which reported that a software error was discovered in its software that gave access to the site’s database.

Hookers.nl said that vBulletin took action “as quickly as possible,” releasing a software patch that the site tested and promptly implemented.

The Hookers.nl moderator said that the hacker has put the email addresses up for sale online. NOS said that they’re asking $300.

Visitors to Hookers.nl swap experiences and tips on the site. Prostitution is legal, and heavily regulated, in the Netherlands. But that doesn’t mean that visitors to Hookers.nl want their association with the industry to be publicly broadcast, be they sex workers or clients.

Read more at https://nakedsecurity.sophos.com/2019/10/14/hacker-asking-300-for-250000-records-stolen-from-sex-worker-site/

Most Americans don’t have a clue what https:// means

By Lisa Vaas

55% of US adults couldn’t identify an example of 2FA, and only 30% knew that starting a URL with https:// means that the information sent to that site is encrypted.

… and the Pew Research Center discovered plenty of other sobering facts about what Americans know and don’t know about cybersecurity and privacy.

The survey

The Pew Research Center conducted a survey which tested Americans and their digital knowledge, asking 4,272 adults in the US a series of 10 questions about a range of digital topics, such as cybersecurity or who the bearded guy in the photo was (answer: Twitter co-founder Jack Dorsey. Only 15% got that one right, but how that fits into cybersecurity and privacy concerns is a question that Pew didn’t address.)

How well the respondents did depended a great deal on what the topic, term or concept was, as well as how old they were and what their level of educational attainment was. Young people, you did better. College-educated people, you did better, too.

Respondents did A+ work when it came to identifying where you can get phished, for example. In an email? On social media? In a text message? On a website? Or how about the correct answer: “all of the above?” Ding-ding-ding, we have a winner! 67% of Americans knew that you can get phished all over the place.

Respondents aced the question about what cookies are, as well – 62% correctly said that websites that use cookies can track your visits and activity on the site.

Where we fall flat on our 2FA faces

Here’s where we aren’t so smart: only 28% of adults could identify an example of 2FA, which is one of the most important ways that people can protect their personal information on sensitive accounts.

To be fair, the question tossed a number of images of security strategies together: if you go to pages 14-15 of the survey, which you can download here, you’ll see that respondents were asked to pick the image that represented 2FA.

Read more at https://nakedsecurity.sophos.com/2019/10/11/most-americans-dont-have-a-clue-what-https-means/

Hackers bypassing some types of 2FA security, FBI warns

By John E Dunn

Some types of two-factor authentication (2FA) security can no longer be guaranteed to keep the bad guys out, the FBI is reported to have warned US companies in a briefing note circulated last month.

FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts.

The simplest and therefore most popular bypass is SIM swap fraud, in which the attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number, allowing them to receive 2FA security codes sent via SMS text.

Naked Security now regularly covers this kind of hack, almost always because it was used to empty people’s bank accounts, steal cryptocurrency from wallets or exchange accounts, or to attack services such as PayPal.

From the victim’s point of view, it’s the ultimate gotcha – a security weakness caused by the failings of a service provider they can do little to prevent.

A second technique is the man-in-the-middle phishing attack that tricks people into entering their credentials and OTP code into a fake site which then instantly passes it to the real one. A good example of this is last month’s attack on YouTube users, some of whom had 2FA turned on.

More advanced still is session hijacking where the site is genuine, but the credentials and codes are stolen from traffic travelling to and from the user.

According to the FBI, in one case from 2019, a security vulnerability on the website of a bank allowed a hacker to bypass PIN and security questions after phishing basic credentials.

Read more at https://nakedsecurity.sophos.com/2019/10/11/hackers-bypassing-some-types-of-2fa-security-fbi-warns/
