DNS-over-HTTPS is coming to Windows 10

By John E Dunn

For fans of DNS-over-HTTPS (DoH) privacy, it must feel like a dam of resistance is starting to break.

Mozilla Firefox and Cloudflare were the earliest adopters of this controversial new way to make DNS queries private by encrypting them, followed not long after by the weight of Google, which embedded DoH into Chrome as a non-default setting.

This week an even bigger name joined the party – Windows 10 – which Microsoft has announced will integrate the ability to use DoH, and eventually also its close cousin DNS-over-TLS (DoT), into its networking client.

It looks like game over for the opponents of DoH, predominantly ISPs which have expressed a nest of worries – some rather self-serving (we can’t monetise DNS traffic we can’t see) and others which perhaps deserve a hearing (how do we filter out bad domains?).

Things got so hyperbolic that last summer the UK ISP Association (ISPA) even shortlisted Mozilla for an “Internet Villain” award to punish its enthusiasm for DoH before backing down after a public backlash.

Earlier this month, Mozilla retaliated, accusing ISPs of misrepresenting the technical arguments around encrypted DNS.

Read more at https://nakedsecurity.sophos.com/2019/11/21/dns-over-https-is-coming-to-windows-10/

Official Monero site delivers malicious cash-grabbing wallet

By Lisa Vaas

On 18 November, somebody swapped out the legitimate command line wallet binaries for the Monero (XMR) cryptocurrency and replaced them with software that stole users’ funds.

The malicious versions of the Linux and Windows binaries were first spotted by a user on Monday who noticed that the software failed an integrity check.

Like a lot of software vendors, The Monero Project publishes SHA-256 hashes of its software. Users can check their software download by running it through a SHA-256 hashing function to see if it matches the published hash.

In this case, it didn’t.

The Monero team confirmed the swap on Tuesday, assuring users that the malicious wallet binaries were up for only a short time – 35 minutes, to be precise.

The malware-impregnated binaries were immediately dealt with, according to binaryFate – a member of the XMR core team who said on Tuesday that the binaries were now being served from a new, safe, “fallback” source.

A half hour was long enough to lead to at least one wallet getting drained, however: one user claimed on Reddit that 9 hours after they ran the binary, a single transaction scooped $7,000 worth of coins out of their wallet.

Read more at https://nakedsecurity.sophos.com/2019/11/21/official-monero-site-delivers-malicious-cash-grabbing-wallet/

Tories change Twitter name to ‘factcheckUK’ during live TV debate

By Lisa Vaas

The Tories changed their verified Twitter press account’s display name to read “factcheckUK” for Tuesday’s live TV general-election debate between Boris Johnson and Jeremy Corbyn, switched it back right after, and triggered much gleeful parodying of the attempt to pull on the mask of nonpartisan fact-checkers.

Hey, if the UK’s Conservative Party gets to do that with its @CCHQPress account, then “@BorisJohnson_MP” (a parody account) evidently feels that they get to rename their account “CCHQ Press” and issue this apology on the party’s behalf:

We apologize for any misunderstanding caused by the changes to our account last night. It was an honest attempt to… twitter.com/i/web/status/1…

—

CCHQ Press (@BorisJohnson_MP) November 20, 2019

Twitter has officially tsk-tsk’ed the Tories, telling the BBC that it plans to take “decisive corrective action” if they pull that stunt again … though it apparently didn’t do anything at all in response to this particular incident.

A Twitter spokesperson:

Twitter is committed to facilitating healthy debate throughout the UK general election.

We have global rules in place that prohibit behavior that can mislead people, including those with verified accounts. Any further attempts to mislead people by editing verified profile information – in a manner seen during the UK Election Debate – will result in decisive corrective action.

Twitter told the BBC that according to its terms of service, it can remove an account’s “verified” status if the account owner is “intentionally misleading people on Twitter by changing one’s display name or bio”.

Read more at https://nakedsecurity.sophos.com/2019/11/20/tories-change-twitter-name-to-factcheckuk-during-live-tv-debate/

Android camera bug could have turned phones against their users

By Danny Bradbury

Android users beware: rogue apps could be using your phone’s camera against you, taking pictures and videos without your knowledge and sending them to attackers. They could even record your phone calls and make others aware of your location.

News of the vulnerability, which affects the Android camera app used by millions of Google Pixel and Samsung Android users, comes courtesy of application security testing company Checkmarx which has been working with Google and Samsung to fix it. The company’s researchers figured out a way to hijack the camera on Android phones using a permission bypass vulnerability.

Aware that access to camera functions is highly sensitive, Google created a special set of permissions that the user would have to grant to an application before it could use the phone’s camera. These permissions are:

• android.permission.CAMERA
• android.permission.RECORD_AUDIO
• android.permission.ACCESS_FINE_LOCATION
• android.permission.ACCESS_COARSE_LOCATION

The vulnerability that Checkmarx discovered enables apps to bypass the need for those permissions as long as they have storage permissions that enable an application to access the SD card. In a report on the vulnerability, the company explained:

An application that has access to storage not only has access to past photos and videos (which it already had, by permission design, nothing new there), but also has a way to access newly taken photos and videos by abusing the Google Camera app exported components.

This means an app with SD card permissions gets access to the user’s phone, which enables an attacker to turn the camera into a remotely-controlled sensor:

By manipulating the specific actions and intents, an attacker can now control the Google Camera app to take photos and/or record videos through a rogue application that has no permissions to do so.

Certain conditions on the phone could enable them to harvest more data still, the report continued. If the phone’s location data settings embedded location information in the photos’ EXIF metadata, they could access that data and find out where the photos were taken (and therefore where the user has been).

Read more at https://nakedsecurity.sophos.com/2019/11/21/android-camera-bug-could-have-turned-phones-against-their-users/