October 24, 2019

Stalker app maker Retina-X settles FTC charges

By Lisa Vaas

Spyware maker Retina-X Studio has settled charges brought by the Federal Trade Commission (FTC) over its failure to keep its products from being used as illegal stalking apps.

Retina-X, maker of the spyware tools PhoneSheriff, TeenShield, SniperSpy and Mobile Spy, threw in the towel on all that snooping in March 2018, putting the kibosh on the products as a result of two hacks: the first in April 2017 and the second in February 2018.

Those tools were used to track targets’ call logs (including deleted ones), text messages, photos, GPS locations, and browser histories, as well as to eavesdrop on victims, wherever they might be.

The hacker who claimed responsibility for the breaches said at the time that he got access to all that, but he didn’t post any of it online. He did, however, claim to have wiped some of the servers he’d been allegedly rooting around in.

Like we said after news of the second attack surfaced, even if you find spyware repugnant, it’s still illegal to hack the companies that make it, for good reason. The hacker wasn’t helping anybody, let alone surveillance victims. By telling others how he did it, putting out blueprints and encouraging them to do the same, he and other spyware-focused hackers put the victims at that much greater risk of having their personal data accessed, meaning they’re twice victimized. Besides, who’s to say that a hacker who claims not to have posted material isn’t lying?

At any rate, back to the FTC complaint: the FTC claimed that Retina-X wasn’t making sure that spyware purchasers were using it for legitimate purposes. In fact, to install the tools, spyware purchasers often had to weaken security protections on a targeted phone – i.e., to jailbreak or root the phone.

Once the spy had installed the app on their target’s phone, they could then remove the icon showing that it was there. Thus, the target wouldn’t know they were being monitored.

Read more at https://nakedsecurity.sophos.com/2019/10/24/stalker-app-maker-retina-x-settles-ftc-charges/

Alexa and Google Home phishing apps demonstrated by researchers

By Lisa Vaas

Amazon and Google have blocked spying, phishing apps that keep your smart speaker listening after you think it’s gone deaf, lie to you about there being an update you need to install, and then vish (voice-phish) away the password you purportedly need to speak so you can get that bogus install.

Long story short, don’t believe a smart speaker app that asks for your password. No regular app does that.

Eight of these so-called “Smart Spies” were built by Berlin-based Security Research Labs (SRL) and put into app stores under the guise of being horoscope or random-number generators.

SRL says that it managed to sneak in the spyware because third-party developers can extend the capabilities of Amazon Alexa – the voice assistant running in its Echo smart speakers – and Google Home through small voice apps, called Skills on Alexa and Actions on Google Home.

Those apps currently create privacy issues, SRL says, in that they can be abused to eavesdrop on users or to ask for their passwords.

Read more at https://nakedsecurity.sophos.com/2019/10/23/alexa-and-google-home-phishing-apps-demonstrated-by-researchers/

Hacker breached servers used by NordVPN

By John E Dunn

Leading VPN provider NordVPN has been forced to admit that a hacker stole an expired TLS certificate key used to securely connect customers to the company’s web servers.

According to a statement, the attack happened in early 2018 at the Finnish data center of a service provider used by the company, exploiting a vulnerability in a remote management interface which NordVPN wasn’t told about.

Not a good look for a company offering a VPN service which customers buy to boost the security and privacy of their internet connection. However, in a statement released earlier this week the company downplayed the risk of misuse:

The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.

There’s no evidence that the stolen key was abused, nor that it could have been, given its expiration.

So that’s that? Unfortunately not. Indeed, this is where the story of the NordVPN hack takes a confusing turn involving rival VPN companies.

Read more at https://nakedsecurity.sophos.com/2019/10/23/hacker-breached-servers-used-by-nordvpn/

Facebook pulls fake news networks linked to Russia and Iran

By Lisa Vaas

Facebook has yanked four networks of coordinating accounts that it linked to Iran, Russia and election meddling.

One of the networks that was targeting the 2020 US presidential elections appeared to be linked to the Russian troll agency known as the Internet Research Agency (IRA): the operation that concocted a slew of cardboard cutout accounts to churn out divisive blogs.

Nathaniel Gleicher, head of cybersecurity for Facebook, said in a post on Monday that the networks, made up of fake and hijacked accounts, were masquerading as local accounts so as to post political content in the run-up to the 2020 presidential election.

We’ve seen this type of inflammatory, partisan content before, in the 2016 US presidential election: posts about Israel demolishing Palestinian houses, a US Congresswoman calling President Trump racist, Black Lives Matter and other race relations hot-button topics in the US, Iranian foreign policy, and more.

Facebook said that three of the account networks originated in Iran and one in Russia. They targeted a number of different regions of the world: the US, North Africa and Latin America.

It’s not the content that Facebook is taking down, Gleicher stressed. Rather, the platform is taking action based on “inauthentic behavior.” Its policy on misrepresentation, which requires that people connect on Facebook using the name they go by in everyday life, is geared to “create a safe environment where people can trust and hold one another accountable.”

Read more at https://nakedsecurity.sophos.com/2019/10/23/facebook-pulls-fake-news-networks-linked-to-russia-and-iran/

