October 7, 2019

Wi-Fi signals let researchers ID people through walls from their gait

By Lisa Vaas

Yasamin Mostofi asks us to imagine this scenario: police have video footage of a robbery. They suspect that one of the robbers is hiding in a house nearby.

Can a pair of off-the-shelf Wi-Fi transceivers, located outside the house, look through the walls to see who’s inside?

That’s easy to answer, since we’ve seen it done before.

In 2015, MIT researchers created a device that can discern where you are and who you are, detecting gestures and body movements as subtle as the rise and fall of a person’s chest, from the other side of a house, through a wall, even though subjects were invisible to the naked eye, by using the human body’s reflections of wireless transmissions.

Then, 11 months ago, a team of researchers at University of California Santa Barbara demonstrated using a streamlined set of technologies – just a smartphone and some clever computation – how to see through walls and successfully track people in 11 real-world locations, with high accuracy.

But here’s a new question: Can Wi-Fi signals be used to identify the person in the house? Can off-the-shelf hardware determine if whoever’s in the house is one of the people in the video surveillance footage police are scrutinizing?

Yes. UC Santa Barbara researchers are back again to show that they’ve built on their previous work: It can be done by analyzing people’s walking gaits and comparing them to the gait of whoever’s in the CCTV footage.

Read more at https://nakedsecurity.sophos.com/2019/10/07/wi-fi-signals-let-researchers-id-people-through-walls-from-their-gait/

Buying a new laptop? Here’s how to secure it

By Maria Varmazis

October is National Cybersecurity Awareness Month (NCSAM) and this year’s theme of ‘Own IT. Secure IT. Protect IT.’ aims to encourage personal accountability for security. Computer security is a broad and complex subject, but the truth is that criminals like low-hanging fruit, and getting the basics right affords you an awful lot of protection.

Naked Security asked me to come up with an easy-to-follow guide that will help you get the security basics right if you’re buying a new laptop.

1. Have a plan for your data

Ah, the thrill of buying a new laptop. It’s so much faster than your last one! It can do all these great new things! It has so much more space! New lid space for stickers!

Well, it’s thrilling if it was planned, that is.

Often enough we end up buying a new laptop in something of an emergency situation, when the old one is finally so slow that it’s unusable or has a catastrophic failure. When the old laptop’s breakdown is a bit sudden, you might be caught trying to do data rescue on a fried computer, which is a frustrating and time-consuming situation at best.

Spare future-you a lot of grief by making sure you keep your data freshly backed up in at least one place, separate from your old laptop. This can include cloud-synced backups via services like DropBox, Carbonite, or iCloud, or physical periodic backups onto an external hard drive. Mac users can do this on a schedule via Time Machine, and Windows 10 offers its own automatic backup option under “Backup and Restore” in the Control Panel. Additionally, many external hard drive makers bundle their own backup software with the hard drives they make.

So yes, back it all up, in one place, so you know you have everything that you need without the time pressure and frustration of trying to dig it all out from a dead or dying hard drive.

Read more at https://nakedsecurity.sophos.com/2019/10/04/buying-a-new-laptop-heres-how-to-secure-it/

WhatsApp vulnerability could compromise Android smartphones

By John E Dunn

A researcher has released details of a WhatsApp remote code execution (RCE) flaw that, it is claimed, could be used to compromise not only the app but the mobile device the app is running on.

Reported to Facebook some weeks ago by a researcher called ‘Awakened’, the critical issue (CVE-2019-11932) affects users of the Android versions of the app, specifically versions 8.1 and 9.0 although not, apparently, version 8.0 (Apple’s iOS doesn’t appear to be affected).

It’s described as a double-free memory vulnerability in a WhatsApp image preview library called libpl_droidsonroids_gif.so, and some aspects of how it might execute remain unclear.

The researcher says an attack would involve first sending a malicious GIF image using any channel, that is by email, a rival messaging app, or sent direct through WhatsApp itself.

If WhatsApp is being used, and the attacker (or hapless intermediary) is on the contacts list of the user as a friend, apparently this GIF would download to the device automatically.

Execution would happen when the recipient subsequently opens the WhatsApp Gallery even if no file is selected or sent. Writes Awakened:

Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit.

To back this up, Awakened has released a video showing the sequence of events running on WhatsApp v2.19.203.

Read more at https://nakedsecurity.sophos.com/2019/10/04/whatsapp-vulnerability-could-compromise-android-smartphones/

£3 billion Safari iPhone privacy lawsuit given go-ahead

By Danny Bradbury

A UK class action privacy lawsuit against Google can go ahead, according to the UK Court of Appeal. The suit claims up to £3bn ($3.9bn) in damages based on Google’s manipulation of Apple’s Safari browser in 2011-12.

In 2010, Apple included anti-tracking technology in Safari that would stop advertising companies from inserting cookies into the browser.

Google developed a workaround, enabling it to put cookies from its DoubleClick advertising technology into users’ browsers anyway. Safari’s anti-tracking technology at the time made an exception for sites that users interacted with, so Google included code in advertisements that made it look as though the user was filling out a form.

This technique enabled the company to place cookies in Safari. Those small files could tell when the user visited a site participating in the DoubleClick advertising program, how long they spent on the site, what pages they visited, and in some cases even their rough geographic location.

The complaint calls this data ‘browser generated information’ or BGI, and says that over time it allowed Google to draw more conclusions about people, helping it to understand things like their sexual orientation, religious views, and political leanings. The company used this data to segment people into customer groups, which it used to target them with advertisements from its customers. So, in other words, Google bypassed Apple’s technology protections to carry on its advertising operations as usual.

Read more at https://nakedsecurity.sophos.com/2019/10/04/uk-appeals-court-gives-nod-to-3bn-google-privacy-case/

Hacker’s parents sentenced for selling his cryptocurrency

By Lisa Vaas

All you brilliant kids who use your fine brains to do idiotic things like, say, hack TalkTalk and the EtherDelta exchange, do yourself a favor: when you wind up in jail, warn your parents not to “help” you by transferring your stolen cryptocurrency.

That’s what happened to TalkTalk and (alleged) EtherDelta hacker Elliott Gunton, whose parents have both been handed suspended sentences after admitting to having removed some of his ill-gotten cryptocurrency from a hardware wallet.

It was a “misguided” attempt to help him, according to what Judge Stephen Holt told mom and dad, Carlie Gunton and Jason Gunton, on Wednesday. The Eastern Daily Press – a local paper in the Guntons’ hometown of Norwich, in the English county of Norfolk – quoted the judge:

You misguidedly tried to help your son and what you did didn’t help him at all, and I’m sure it’s something you’re regretful about.

History of a youthful, repeat offender

Elliott Gunton, now 20, was convicted in 2016 at the age of 16 for his role in attacking the UK broadband and telecom giant TalkTalk.

In 2017, the UK’s Information Commissioner’s Office (ICO) fined TalkTalk £400,000 for security failings that led to the attack and which allowed customer data to be accessed “with ease”. The attacker accessed the personal information of more than 150,000 customers, including the sensitive financial data of more than 15,000 people (sensitive data that TalkTalk’s CEO, bizarrely enough, had said that the company wasn’t required to encrypt).

Read more at https://nakedsecurity.sophos.com/2019/10/04/hackers-parents-sentenced-for-selling-his-cryptocurrency/

