November 27, 2019

Facebook, Twitter profiles slurped by mobile apps using malicious SDKs

By Lisa Vaas

On Monday, Twitter and Facebook both said that bad apples in the app stores had been slurping hundreds of users’ profile data without permission.

After getting tipped off by security researchers, the platforms blamed a “malicious” pair of software development kits (SDKs) – from marketing outfits One Audience and MobiBurn – that third-party iOS and Android apps had bundled in order to display ads. Neither Twitter nor Facebook has named the offending apps, nor said how many of them it has found.

Twitter said that this wasn’t down to any bug in its own platform. Rather, after the heads-up from security researchers, its security team found that the One Audience SDK, once embedded in a third-party app, could exploit what Twitter called a vulnerability in the “mobile ecosystem”.

That vulnerability – which is to do with a lack of isolation between SDKs within an app – could enable the malicious SDK to slurp personal information, including email, username, and last tweet. The underlying problem is general: a third-party SDK compiled into an app runs inside the app’s own process with the app’s own permissions, so nothing stops it reaching data that another SDK in the same app has fetched on the user’s behalf. Twitter hasn’t found any evidence that any accounts got hijacked due to the malicious SDKs, mind you, but that’s what the vulnerability could have led to.

While Twitter hasn’t found any account takeovers, it has found evidence of data collection. The unauthorized data grab was confined to Android users, via unspecified Android apps:

We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.

Facebook, however, said in a statement that it was suffering at the hands of both those bad SDKs, both of which it’s told to cease and desist:

Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn.

Facebook plans to notify the people whose personal data – including name, email and gender – was likely swiped after they gave permission for apps to access their profile information. Twitter says it has informed Google, Apple and other industry partners about the malicious SDK so they can take further action if needed.

Read more at https://nakedsecurity.sophos.com/2019/11/27/facebook-twitter-profiles-slurped-by-mobile-apps-using-malicious-sdks/

Splunk customers should update now to dodge Y2K-style bug

By John E Dunn

If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention.

According to this week’s advisory, from 1 January 2020 (00:00 UTC) unpatched instances of Splunk will be unable to extract and recognize timestamps in events whose date carries a two-digit year.

In effect, the unpatched recognition rules only know two-digit years up to “19”, so dates are understood up to 31 December 2019; as soon as the year rolls over to “20” on 1 January 2020, Splunk will treat the value as unrecognized and index the event with a wrong timestamp, either falling back to a 2019 date or substituting its own incorrect “misinterpreted date”.

In addition, beginning on 13 September 2020 at 12:26:39 PM UTC, unpatched Splunk instances will no longer be able to recognize timestamps for events with dates based on Unix time (seconds counted from 00:00 UTC on 1 January 1970). That instant is the last second before the Unix counter ticks over from 1,599,999,999 to 1,600,000,000 – ten-digit values beginning “16”, which the old recognition rules do not cover.
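To make the failure mode concrete, here is a small Python illustration added to this digest; it is not Splunk’s code, and the regular expressions are a constructed stand-in for the kind of timestamp-recognition rules the advisory is about, not the contents of Splunk’s real configuration file. It places a “before” recognizer, whose two-digit-year group only admits 00–19 and whose epoch group only admits values below 1,600,000,000, beside an “after” recognizer that accepts any two-digit year (with an assumed 1970 pivot window) and any ten-digit epoch value, and runs both over four constructed log lines straddling the two cut-over instants. The sample lines, field names and pivot year are all assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real Splunk data): two lines with a US-style
# month/day/two-digit-year stamp, two with a raw epoch-seconds stamp. They
# straddle the two instants the advisory names.
SAMPLE_LINES = [
    "12/31/19 23:59:59 sshd[1042]: Accepted publickey for alice from 10.0.0.5",
    "01/01/20 00:00:00 sshd[1042]: Accepted publickey for alice from 10.0.0.5",
    "1599999999 action=login result=ok user=bob src=10.0.0.9",
    "1600000000 action=login result=ok user=bob src=10.0.0.9",
]

# "Before": recognizers written with only the years 2000-2019 and epoch values
# below 1,600,000,000 in mind. The two-digit-year group only admits 00-19 and
# the epoch group only admits ten-digit values starting 10-15. This is the
# shape of the bug, not Splunk's real datetime.xml.
OLD_PATTERNS = {
    "mdy": re.compile(r"\b(\d{2})/(\d{2})/(0\d|1\d) (\d{2}):(\d{2}):(\d{2})\b"),
    "epoch": re.compile(r"\b(1[0-5]\d{8})\b"),
}

# "After": accept any two-digit year and any ten-digit epoch value. The
# two-digit year is resolved with a sliding pivot window instead of a
# hard-coded list of decades, so it does not need touching again in 2030.
NEW_PATTERNS = {
    "mdy": re.compile(r"\b(\d{2})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2})\b"),
    "epoch": re.compile(r"\b([1-9]\d{9})\b"),
}

PIVOT = 70  # assumption: two-digit years >= 70 map to 19xx, below 70 to 20xx


def parse_timestamp(line, patterns, pivot=PIVOT):
    """Return the event time as an aware UTC datetime, or None if no pattern
    in `patterns` recognizes a timestamp in the line."""
    m = patterns["mdy"].search(line)
    if m:
        mm, dd, yy, hh, mi, ss = (int(g) for g in m.groups())
        year = 1900 + yy if yy >= pivot else 2000 + yy
        return datetime(year, mm, dd, hh, mi, ss, tzinfo=timezone.utc)
    m = patterns["epoch"].search(line)
    if m:
        return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return None


def extract_all(lines, patterns):
    """Map each line to an ISO-8601 string, or None where extraction failed
    (the case in which an indexer would fall back to a guessed time)."""
    out = []
    for line in lines:
        ts = parse_timestamp(line, patterns)
        out.append(ts.strftime("%Y-%m-%dT%H:%M:%SZ") if ts else None)
    return out


def rollover_instant():
    """The first epoch second the old pattern refuses: 1,600,000,000, which is
    13 September 2020 12:26:40 UTC; the advisory's 12:26:39 cutoff is the
    second before it."""
    return datetime.fromtimestamp(1_600_000_000, tz=timezone.utc)


if __name__ == "__main__":
    for label, pats in (("old", OLD_PATTERNS), ("new", NEW_PATTERNS)):
        for line, ts in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES, pats)):
            print(f"{label:3} {ts!s:22} <- {line[:40]}")
    print("epoch rollover:", rollover_instant().isoformat())
```

Run against the old patterns, the second and fourth lines come back as None, which is the point: the event is not rejected, it is indexed under whatever time the indexer guesses instead, so searches, alerts and retention windows that key on event time silently go wrong. The real remedy is the update Splunk has issued; the widened patterns here only show what such a fix has to change.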

Left unpatched, the effect on customers could be far-reaching.

What platforms like Splunk do is one of the internet’s best-kept secrets – turning screeds of machine-generated log data (from applications, websites, sensors, Internet of Things devices, etc.) into something humans can make sense of.

There was probably a time when sysadmins could do this job but there are now so many devices spewing so much data that automated systems have become a must.

This big data must also be stored somewhere, hence the arrival of cloud platforms designed to do the whole job, including generating alerts when something’s going awry or simply to analyze how well everything’s humming along.

Read more at https://nakedsecurity.sophos.com/2019/11/27/splunk-customers-should-update-now-to-dodge-y2k-style-bug/

EU raises eyebrows at possible US encryption ban

By Danny Bradbury

The growing battle over end-to-end encryption took another turn last week, when EU officials warned that they may not take kindly to a US encryption ban or insertion of crypto backdoor technology.

In June 2019, senior US government officials met to discuss whether they could legislate tech companies into not using unbreakable encryption. According to Politico, the National Security Council pondered whether to ask Congress to outlaw end-to-end encryption, in which only the communicating endpoints hold the keys, so that neither the service provider nor anyone intercepting the traffic can read the content.

To recap briefly, US law enforcement worries about its targets, such as criminals and terrorists, “going dark” by using this technology to shield their communications. Banning it outright would make it easier for government agencies to access those messages and documents. Encryption advocates counter that making encryption breakable for law enforcement makes it breakable for malicious actors too, foreign governments bent on stealing domestic secrets among them, and they worry as well about unlawful access to information by their own governments.

US officials didn’t reach a decision on the issue, but news of the conversation spooked MEP Moritz Körner enough to ask the European Commission some formal questions picked up by Glyn Moody over at Techdirt. Körner asked whether the Commission would consider a similar ban on encryption in the EU. He also asked what a US ban would mean for existing data exchange agreements between the EU and the US:

Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?

Currently, the two regions enjoy an agreement known as the EU-US Privacy Shield, which they introduced after the European Court of Justice invalidated a previous agreement called the International Safe Harbor Privacy Principles.

The Privacy Shield is a voluntary certification scheme for US businesses. By certifying under the scheme, US companies prove their adequacy to transfer and process data on EU citizens. It shows that they have made some effort to follow Europe’s strict privacy principles in the absence of any cohesive federal privacy law in the US.

Read more at https://nakedsecurity.sophos.com/2019/11/27/eu-raises-eyebrows-at-possible-us-encryption-ban/

Police arrest alleged Chuckling Squad member who hijacked @Jack Dorsey

By Lisa Vaas

Police have arrested an alleged member of The Chuckling Squad: the hacking group behind the recent SIM-swap and hijacking of Twitter founder and CEO Jack Dorsey’s @Jack account.

Joseph Cox, writing for Motherboard, reported on Saturday that a Chuckling Squad leader – who goes by the handle Debug – told them that the individual was arrested about two weeks prior. Motherboard withheld their name, because they’re a minor.

Debug told Motherboard that the minor – whom they identified as a “he” – was a SIM-swapping aficionado whom the group kicked out in October:

He was a member of Chuckling Squad but not anymore. He was an active member for us by providing celebs/public figure [phone] numbers and helped us hack them.

The arrest was confirmed by the Santa Clara County District Attorney’s Office in California, which manages the Regional Enforcement Allied Computer Team (REACT) and which emailed this statement to Motherboard:

We applaud the efforts of all the law enforcement agencies involved in this arrest. REACT continues to work with and assist our law enforcement partners in any way we can. We hope this arrest serves as a reminder to the public that people who engage in these crimes will be caught, arrested and prosecuted.

Dorsey’s high-profile, high-value account – he’s got more than 4 million followers – was taken over in late August 2019 by hackers who used their brief access to go on a joyride to Nasty Town, tweeting out a racist/anti-Semitic/bomb-hoaxing exhaust cloud.

A week later, Twitter temporarily yanked the ability to tweet via SMS – one of the possible ways that Dorsey’s account got taken over.

In a successful SIM-swap attack, hackers persuade a mobile phone provider to transfer a victim’s phone number to the hacker’s SIM card, giving the hacker access to the victim’s calls and messages, including any SMS-delivered password-reset links and two-factor authentication codes.

At the time, Twitter said that it was suspending the ability to tweet via text due to vulnerabilities that mobile carriers need to address, and due to its reliance on having a linked phone number for two-factor authentication (2FA) – something it said it’s working to improve.

Read more at https://nakedsecurity.sophos.com/2019/11/27/police-arrest-alleged-chuckling-squad-member-who-hijacked-jack-dorsey/

Firefox gets tough on tracking tricks that sneakily sap your privacy

By Paul Ducklin

We just did an informal survey around the office – we asked 10 people in various departments, technical and non-technical, to say the first thing that came into their head when we said, “Browser tracking.”

(No one heard anyone else’s answer, in case you’re wondering how independent each reply might have been.)

All 10 said, “Cookies.”

That’s not surprising, because many websites these days pop up a warning to say they make use of cookies for tracking you across visits – the theory seems to be that you can’t then later complain you didn’t know.

Cookies, therefore, are a well-documented part of online tracking, and the phrase “web cookie” can be considered everyday terminology now, rather than jargon – we encounter it all the time and have become used to it.

Indeed, some sites openly and visibly allow you to choose to accept or reject their cookies…

…although there’s an amusing irony that the most reliable way for a website to remember that you don’t want cookies set is to set a cookie to tell it not to set any more cookies.

Read more at https://nakedsecurity.sophos.com/2019/11/27/firefox-gets-tough-on-tracking-tricks-that-sneakily-sap-your-privacy/
