December 2, 2019

Fake Android apps uploaded to Play store by notorious Sandworm hackers

By John E Dunn

The Russian ‘Sandworm’ hacking group (not to be confused with the malware of the same name) has been caught repeatedly uploading fake and modified Android apps to Google’s Play store.

They were detected by Google’s Threat Analysis Group (TAG), which made the attacks public during a presentation at the recent CyberwarCon conference.

In a blog on the topic this week, Google says the first attack connected to the group happened in South Korea in December 2017 when the group used bogus developer accounts to upload eight different apps to the Play Store.

On the face of it, the campaign was unsuccessful, garnering fewer than 10 installs per app, but it’s likely that the targets were highly selective.

That came after an attack in September 2017, when TAG detected that Sandworm hackers had uploaded a fake version of the UKR.net email app, downloaded by 1,000 users before it was stopped.

In late 2018, the group switched to inserting backdoors into the apps of legitimate developers in one of its favorite locations, Ukraine.

However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected, and we were able to re-secure the developer’s account.

There’s nothing unusual about this – hackers compromising developer keys to pass their own malware off as legitimate apps has been happening for years.

Read more at https://nakedsecurity.sophos.com/2019/12/02/fake-android-apps-uploaded-to-play-store-by-notorious-sandworm-hackers/

Uncle Sam opens arms to friendly hackers

By Danny Bradbury

All you bug hunters out there are about to get a nice Christmas gift – the US federal government finally wants to hear from you. Unhelpful websites and cybersecurity departments will soon be a thing of the past, thanks to a new missive from the Cybersecurity and Infrastructure Security Agency (CISA).

The Agency, which is part of the Department of Homeland Security, issued a surprising tweet on 27 November announcing that it would force federal agencies to be welcoming and responsive to cybersecurity bug reports from the general public.

Binding Operational Directive 20-01 would finally give ‘helpful hackers’ a sense of legitimacy when reporting bugs to federal government agencies in the US, solving some problems that CISA admits to pretty freely in the document. It says:

Choosing to disclose a vulnerability can be an exercise in frustration for the reporter when an agency has not defined a vulnerability disclosure policy – the effect being that those who would help ensure the public’s safety are turned away.

The directive acknowledges that researchers often don’t know how to report a bug when agencies don’t include an authorized disclosure channel in the form of a webpage or email address. They shouldn’t have to search out security employees’ personal contact information, it points out.

Communication after a bug report is just as important, CISA says. An inadequate response to a bug report, or no response at all, may prompt a researcher to report the bug elsewhere, outside the agency’s control.

Read more at https://nakedsecurity.sophos.com/2019/12/02/uncle-sam-opens-arms-to-friendly-hackers/

Convicted murderer wins ‘right to be forgotten’ case

By Danny Bradbury

Google must remove a convicted murderer from online search results in Europe following a German court ruling, it emerged last week.

A man convicted of murdering two people on a yacht in 1982 and released in 2002 took the case to the constitutional court in Karlsruhe in a bid to distance his family name from his crime, reports said.

The man shot and killed his two victims and injured another in an argument aboard a ship, the Apollonia, while sailing in the Caribbean. He got out of jail in 2002. In 1999, German publication Der Spiegel uploaded three reports mentioning his name to its website.

After learning of the articles in 2009, the man requested their removal, claiming that they violated his rights. A court dismissed the case three years later but he appealed the decision.

Right to be forgotten

The right to be forgotten (RTBF) refers to a person’s wish to remove information about their past activities from the online record, including from search engines that can amplify that information. While article 17 of the GDPR explicitly outlines the right, it’s a concept that predates the Regulation. The European Commission discusses internet protection for individuals in the Data Protection Directive, which GDPR superseded. Courts have forced Google to delete search results under that directive in the past.

In 2014, the European Court of Justice upheld a Spanish court ruling instructing the company to remove links to newspaper articles about Costeja Gonzalez. Gonzalez was involved in insolvency proceedings relating to Social Security debts in the late 1990s. That led the search giant to launch an RTBF registration form the same year.

Read more at https://nakedsecurity.sophos.com/2019/12/02/convicted-murderer-wins-right-to-be-forgotten-case/

TikTok owner to separate company over US national security worries

By John E Dunn

Chinese-owned teen video-sharing app TikTok might be under fire from US politicians but it’s not going to go down without a fight.

In the latest twist in a difficult year for TikTok, a Reuters report claims its Beijing-based parent company ByteDance has hatched a plan to firewall itself from the US division of the app in the hope of mollifying an investigation by the US Committee on Foreign Investment in the United States (CFIUS).

With some influential US politicians suspecting it of being a national security risk, a negative CFIUS report could spell big trouble for ByteDance.

Reading between the lines, it appears the company’s plan is to guarantee that the data held on US citizens will be stored inside the US, rather than moved to China as it may, in theory, have been before.

Will this be enough? ByteDance perhaps shouldn’t get its hopes up.

Trouble started when it bought music-sharing app musical.ly in 2017, combining it with a Chinese app called Douyin under a new brand, TikTok. The app has been downloaded up to 110 million times in the US alone and has a worldwide user base several times that number.

Suspicions revolve around issues of data on US citizens being held by a Chinese company, and that company having to comply with US government requests around the safeguarding and storage of that data. As well as potentially being able to censor content that appears on the site, there’s an implicit danger of Chinese authorities being able to carry out direct surveillance on US users if they wanted to.

Read more at https://nakedsecurity.sophos.com/2019/12/02/tiktok-owner-to-separate-company-over-us-national-security-worries/

Netflix account freeze – don’t click, it’s a scam!

By Paul Ducklin

Another Netflix phishing scam!

We’ve written about these scams before, and we’ll probably write about them again…

…for the sadly simple reason that THEY WORK.

They work because scammers know that the less inventive they are, the more believable their messages become.

It’s also a lot less effort to copy genuine content and adapt it just a little than to try to create your own material from scratch.

That’s what Naked Security Editor-in-Chief, Anna Brading, thought when she received this scam yesterday:

This is a notice to remind you that you have an invoice due on, 27/11/2019. We tried to bill you automatically but you local bank being held a transaction.

Sadly for the crooks, and fortunately for anyone who received this scam, the tiny bit of text that the criminals decided to write by themselves contains several rather jarring errors.

For the most part, however, this email is disarmingly simple, and therefore surprisingly believable, for all that it’s given away by typos, grammatical mistakes and orthographic errors.

It’s not overly dramatic, it’s not threatening, and it’s polite.

It’s the sort of thing that might easily happen from time to time – a recurring credit card transaction that’s temporarily failed – and that in real life is usually pretty easy to sort out.

Indeed, it’s the sort of glitch you’ve probably dealt with once or twice before, and that you may well have resolved entirely online without even leaving your browser.

Read more at https://nakedsecurity.sophos.com/2019/11/29/netflix-account-freeze-dont-click-its-a-scam/

US tightens rules on drone use in policy update

By John E Dunn

When it comes to the issue of managing drones (Unmanned Aircraft Systems, or UAS) the US Department of Justice wants Americans to know it’s on the case.

In 2015, the DOJ published what was meant to be a comprehensive policy governing how US Government departments and law enforcement use drones, taking into account issues such as privacy, law and the Constitution.

Four years on and things have moved on a bit, prompting tweaks addressing more recent concerns, including misuse, access to airspace, and the cybersecurity of the drones themselves.

Large parts of the 2015 policy and its 2019 update sound almost identical. On privacy, both policies limit departments gathering drone data that contains personally identifiable information (PII) to 180 days unless there’s a specific reason to keep it longer.

In other words, it’s much the same mix of privacy rules, limits, and exceptions applied to all areas of technology which give officials just enough wiggle room to gather and retain data in defined circumstances.

Cybersecurity

That said, a few of the 2019 policies could turn out to be significant, the most important relating to the cybersecurity design of the drones themselves.

It’s a complex new front that won’t be any easier to manage with drones than it is in other areas of computing. For instance, the section on drone procurement states:

The procurement of IT must comply with applicable laws, policies, and regulations, including those administered by the Office of the Chief Information Officer. The Department ensures appropriate security and privacy protections for data and IT through the risk-based Department Cybersecurity Program and effective IT management.

Which is a way of saying that before buying them departments must do the same cybersecurity assessment on drones that they would on other IT equipment.

Read more at https://nakedsecurity.sophos.com/2019/11/29/us-tightens-rules-on-drone-use-in-policy-update/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation