January 14, 2020

Google tests biometric authentication for Android autofill

By Danny Bradbury

Google is testing out a feature to make Android’s built-in password manager safer, according to online sleuths who have picked apart its software. The update, still in development, concerns the mobile operating system’s autofill feature.

In the past, entering passwords into websites and apps on your mobile phone was a huge pain because of the way mobile operating systems locked down applications. In the bad old days, using a password manager like 1Password or Dashlane on an Android device was difficult, because there was no built-in support that connected them to other apps and websites so that they could automatically fill in your credentials for you.

Instead, they’d use Android’s accessibility setting as a bridge to other apps, but it didn’t work perfectly and you had to configure it manually to begin with. The alternative was even worse – opening the password manager, looking up the password, and then copying and pasting it into the app or site you were accessing.

The answer came in the form of autofill, which lets the mobile OS fill in the password for you from a trusted list. Google introduced this feature in Android 8 (code-named Oreo) in August 2017. You could use it to take autofill input from third-party password managers, or, if you wanted to keep everything in your Google account, you could use autofill with Google’s own password management service.

The problem with autofill when using Google’s own password manager is that it doesn’t ask for any extra authorization. You tap the part of the form to fill out your own credentials, and it collects the data from Google’s password manager and pastes it in without checking who you are. That means if someone else grabs your phone while you’re distracted, they could potentially log in as you.

Read more at https://nakedsecurity.sophos.com/2020/01/14/google-tests-biometric-authentication-for-android-autofill/

Lottery hacker gets 9 months for his £5 cut of the loot

By Lisa Vaas

Back in November 2016, 26,500 accounts for the UK’s National Lottery got credential-stuffed like they were a bunch of Thanksgiving turkeys.

And last week, 29-year-old Anwar Batson from London, who supplied his criminal buddies with the brute-force, automated password-guessing, Dark Web-delivered tool behind the credential-stuffing attack – a hacking tool called Sentry MBA – was sentenced to up to nine months in jail.

All this, for what? The shrinky-dinky sum of £5 (USD $6.50), that’s what. As The Register reports, that was his agreed-upon cut of whatever ill-gotten goods the thieves managed to pry out of accounts.

On Friday, Crown Prosecutor Suki Dhadda told the court that Batson had downloaded Sentry MBA and joined a chat group discussing the software and swapping the configuration files necessary to use it. Batson, the father of one, “counseled others on how to hack” and “enabled them to successfully use Sentry MBA to hack others’ accounts,” Dhadda said.

At least back in May 2016, Sentry MBA was considered the most popular tool for these kinds of attacks, which involve taking sets of breached credentials, combining them with configuration files that are specific to a targeted site or service, and using a hacking tool like Sentry MBA to automatically plug in the credentials to see which ones will get a crook into a live account.

If account holders have reused passcodes across sites/services, there’s much more of a chance that their credentials will get a crook into a targeted site/service. Which is why it is really, truly a bad idea to use the same password on different sites!
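The pattern described above (many different usernames tried from one source, most of them failing) is also what a defender looks for in login logs. The following is an added example, not code from the article or from Sophos: a small sliding-window detector run over a handful of constructed log lines. The log format (`<ISO timestamp> ip=<addr> user=<name> result=<success|failure>`), the thresholds and the sample addresses are all assumptions for this example.

```python
"""Credential-stuffing detector over constructed login-log lines.

Added example; the log format, thresholds and addresses below are
assumptions made for illustration, not taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries six different accounts in five
# seconds (one succeeds), another source is an ordinary user retrying.
SAMPLE_LOG = """\
2020-01-10T09:00:01 ip=203.0.113.7 user=alice result=failure
2020-01-10T09:00:02 ip=203.0.113.7 user=bob result=failure
2020-01-10T09:00:02 ip=203.0.113.7 user=carol result=success
2020-01-10T09:00:03 ip=203.0.113.7 user=dave result=failure
2020-01-10T09:00:04 ip=203.0.113.7 user=erin result=failure
2020-01-10T09:00:05 ip=203.0.113.7 user=frank result=failure
2020-01-10T09:05:00 ip=198.51.100.2 user=alice result=failure
2020-01-10T09:05:30 ip=198.51.100.2 user=alice result=success
"""


def parse_line(line):
    """Turn one assumed-format log line into a dict with a datetime."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts_str),
        "ip": fields["ip"],
        "user": fields["user"],
        "ok": fields["result"] == "success",
    }


def detect_stuffing(log_text, window=timedelta(minutes=1),
                    min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames with a low success rate.

    For each IP, slide a time window over its attempts and keep the window
    with the most distinct usernames that crosses both thresholds. Returns
    {ip: {distinct_users, attempts, successes, compromised}}.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        best = None
        for end in range(len(evs)):
            # advance the window start until it spans no more than `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(1 for e in win if e["ok"])
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successes": successes,
                        # accounts that accepted a stuffed credential: reset these
                        "compromised": sorted(e["user"] for e in win if e["ok"]),
                    }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The success list is the actionable output: those are the account holders who reused a password that was already in a breach, and they need a forced reset rather than just a blocked IP.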

Read more at https://nakedsecurity.sophos.com/2020/01/14/lottery-hacker-gets-9-months-for-his-5-cut-of-the-loot/

Microsoft now reviewing Skype audio in ‘secure’ places (not China)

By Lisa Vaas

Following reports about text transcriptions of live Skype calls being vetted by humans, meaning that sensitive conversations could have been bugged, Microsoft says it’s moved its human grading of Cortana and Skype recordings into “secure facilities”, none of which are in China.

On Friday, The Guardian published a report after talking to a former Microsoft contractor who lived in Beijing and transcribed thousands of audio recordings from Skype and the company’s Cortana voice assistant – all with little cybersecurity protection, either from hackers or from potential interception by the government.

The former contractor said that he spent two years reviewing potentially sensitive recordings for Microsoft, with “no security measures”, often working from home on his personal laptop. He told the Guardian that Microsoft workers accessed the clips through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet.

They received no help to protect the recordings from eavesdroppers, be they Chinese government, disgruntled workers, or non-state hackers, and were even told to work off new Microsoft accounts that all shared the same password – for “ease of management.”

The Guardian quoted the former contractor:

There were no security measures, I don’t even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details.

Being British, he was put to work listening to people whose Microsoft devices were set to British English. After a while, he was allowed to work from home in Beijing, where he used a simple username and password to access the clips – a set of login credentials that he said were emailed to new contractors in plaintext. The password was the same for every employee who joined in any given year, he said.

Read more at https://nakedsecurity.sophos.com/2020/01/14/microsoft-now-reviewing-skype-audio-in-secure-places-not-china/

Snake alert! This ransomware is not a game…

By Paul Ducklin

Here’s some goodish news: The Snake ransomware seems to have made the news last week on account of its name rather than its prevalence.

Because, well, SNAKE!

Like most ransomware, Snake doesn’t touch your operating system files and programs, so your computer will still boot up, log in, and let you open your favorite apps, so that in purely technical terms you have a working system…

…but all your important data files, such as documents, spreadsheets, photos, videos, music, tax returns, business plans, accounts payable and accounts receivable, are scrambled with a randomly chosen encryption key.

Scrambled files consist of the encrypted content written back over the original data, with decryption information added at the end.

The original filename and directory are recorded, the decryption key is stored too, and the special tag EKANS, which is SNAKE written backwards, finishes off the encrypted file.
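Two of the traits just described are easy to check for from the defensive side: the EKANS tag at the end of the file, and the fact that the body no longer looks like a document. The scanner below is an added example (not Snake’s code and not from Sophos); the only detail it takes from the article is the trailing EKANS tag, and the sample file contents, the entropy threshold and the field layout of the trailer are assumptions.

```python
"""Flag files that end with the EKANS tag or whose content is ciphertext-like.

Added example. Only the trailing tag comes from the article; the rest of
the trailer layout is not known here, so it is not parsed. Samples are
constructed.
"""
import math
import os
from collections import Counter

EKANS_TAG = b"EKANS"  # SNAKE spelled backwards, written at the end of each scrambled file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Indicators for one file's bytes: tag present, body entropy, overall verdict."""
    tagged = data.endswith(EKANS_TAG)
    body = data[:-len(EKANS_TAG)] if tagged else data
    ent = shannon_entropy(body)
    return {
        "ekans_tag": tagged,
        "entropy": round(ent, 2),
        "suspicious": tagged or ent >= entropy_threshold,
    }


def scan_files(items):
    """items: iterable of (name, bytes). Returns [(name, indicators)] for suspicious ones."""
    hits = []
    for name, data in items:
        info = classify(data)
        if info["suspicious"]:
            hits.append((name, info))
    return hits


def scan_tree(root: str):
    """Walk a directory and apply scan_files to every readable file."""
    def _read_all():
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        yield path, fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    return scan_files(_read_all())


# Constructed samples: an ordinary text document, and a stand-in for a
# scrambled file (uniform bytes followed by the tag). Not real Snake output.
PLAIN_SAMPLE = b"Quarterly accounts payable: vendor A 1200.00, vendor B 340.50\n" * 4
SCRAMBLED_SAMPLE = bytes(range(256)) * 4 + b"\x00" * 32 + EKANS_TAG

if __name__ == "__main__":
    for name, info in scan_files([("report.txt", PLAIN_SAMPLE), ("plan.docx", SCRAMBLED_SAMPLE)]):
        print(name, info)
```

The entropy check matters because a tag can be stripped or changed in a later variant; high entropy in a file whose extension says it should be a spreadsheet or a photo is the more durable signal, and compressed formats (which also sit near 8 bits per byte) are the expected false positives to tune for.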

Note that the decryption key for each file is itself encrypted using public-key encryption, which is a special sort of encryption algorithm in which there are two keys, rather than one, so that the key used to lock data can’t be used to unlock it.

The key used for locking data is called the public key, because you can reveal it to anyone; the unlocking key is called the private key, because as long as you keep it private, you’re the only one who can later unlock the encrypted data.
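To make the lock/unlock split concrete, here is an added illustration using textbook RSA with the classic tiny teaching primes (p = 61, q = 53), so every value can be checked by hand. This is not Snake’s code, and the article does not say which public-key algorithm Snake uses; RSA is simply the stand-in here. Real keys are thousands of bits long and use padding, which this toy omits.

```python
"""Toy public-key wrap of a per-file key, to show why the public key cannot unlock.

Added example with textbook RSA on tiny primes. Not Snake's implementation;
the algorithm, key sizes and the sample file key are assumptions.
"""
from math import gcd


def make_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return (public, private) as (n, exponent) pairs. Teaching primes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def lock(public_key, m: int) -> int:
    """Encrypt with the public key: anyone holding it can do this."""
    n, e = public_key
    return pow(m, e, n)


def unlock(private_key, c: int) -> int:
    """Decrypt with the private key: only its holder can do this."""
    n, d = private_key
    return pow(c, d, n)


def wrap_file_key(public_key, file_key: int) -> int:
    """What the article describes: the random per-file key is itself locked
    with the attacker's public key before being stored in the file trailer."""
    return lock(public_key, file_key)


def public_key_cannot_unwrap(public_key, wrapped: int, file_key: int) -> bool:
    """Applying the public key again does not give the file key back."""
    return lock(public_key, wrapped) != file_key


if __name__ == "__main__":
    pub, priv = make_keypair()
    file_key = 65  # constructed stand-in for a randomly chosen per-file key
    wrapped = wrap_file_key(pub, file_key)
    print("wrapped:", wrapped)                       # 2790 with these primes
    print("unlock with private key:", unlock(priv, wrapped))
    print("public key cannot unwrap:", public_key_cannot_unwrap(pub, wrapped, file_key))
```

The practical consequence for a victim is the one the article implies: the per-file decryption key sitting in the trailer is useless without the attacker’s private key, so recovery comes from offline backups, not from the scrambled files themselves.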

Read more at https://nakedsecurity.sophos.com/2020/01/13/snake-alert-this-ransomware-is-not-a-game/

Powerful GPG collision attack spells the end for SHA-1

By Danny Bradbury

New research has heightened an already urgent call to abandon SHA-1, a cryptographic algorithm still used in many popular online services.

In a paper called SHA-1 is a Shambles, researchers Gaëtan Leurent and Thomas Peyrin have demonstrated a new, powerful attack on the system that could enable attackers to fake digital certificates for as little as $45,000.

Leurent, from INRIA in France, and Peyrin, from the Nanyang Technological University in Singapore, demonstrated their attack by creating a fake digital certificate using the GNU Privacy Guard (GPG or GnuPG) system.

Published in 1995, SHA-1 is a hashing function that creates a digital fingerprint calculated from a block of data such as a file.

Hashes of this sort serve two useful purposes: they let you and me confirm we have the same file without having to exchange the entire file again for verification; and they let me uniquely (or as good as uniquely) identify a file for later on in such a way that I don’t have to share the actual contents with you now.

This relies on one of several properties of a cryptographic hashing function, namely that it should be impossible (or as good as impossible) to create two files that have the same hash.

That’s known as a collision, and it subverts the idea that a hash pinpoints a specific file.

People had long suspected weaknesses in SHA-1, but then in 2017, researchers at CWI Amsterdam along with Google successfully performed a collision attack against the algorithm.

They were able to construct a prefix that, placed in front of the original file being hashed, produced the same hash as when it was placed in front of another file.
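The two uses of a hash listed above survive the attack only if the hash function is still collision resistant, which for SHA-1 it is not. The helper below is an added example (not from the article or the paper): it computes fingerprints with Python’s standard `hashlib`, confirms two parties hold the same bytes, and, when checking a file against a published digest, reports a SHA-1 match as a match but not as something to trust. Inferring the algorithm from the hex length is an assumption made for this example; a real manifest should name the algorithm.

```python
"""File fingerprints that do not rely on SHA-1 for trust.

Added example. Algorithm is inferred from the digest length only so that
old SHA-1 manifests can be recognised and flagged; that inference is an
assumption for this example.
"""
import hashlib
import hmac

# hex-digest length -> algorithm name accepted by hashlib.new
ALGOS_BY_HEXLEN = {40: "sha1", 64: "sha256", 128: "sha512"}
# algorithms whose collision resistance can still be relied on for identifying a file
COLLISION_RESISTANT = {"sha256", "sha512"}


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """The 'digital fingerprint' of the article: a hex digest of the bytes."""
    return hashlib.new(algo, data).hexdigest()


def same_file(a: bytes, b: bytes) -> bool:
    """Use one: two parties compare digests instead of exchanging the whole file."""
    return hmac.compare_digest(fingerprint(a), fingerprint(b))


def check_fingerprint(data: bytes, expected_hex: str) -> dict:
    """Use two: verify data against a digest recorded earlier.

    'match' says the bytes hash to the expected value. 'trusted' additionally
    requires an algorithm for which a collision is infeasible, because a
    SHA-1 match no longer proves this is the file the publisher meant.
    """
    algo = ALGOS_BY_HEXLEN.get(len(expected_hex))
    if algo is None:
        return {"algo": None, "match": False, "trusted": False}
    actual = fingerprint(data, algo)
    match = hmac.compare_digest(actual, expected_hex.lower())
    return {"algo": algo, "match": match, "trusted": match and algo in COLLISION_RESISTANT}


if __name__ == "__main__":
    doc = b"abc"  # constructed sample; digests below are the standard test vectors for "abc"
    print(check_fingerprint(doc, "a9993e364706816aba3e25717850c26c9cd0d89d"))   # sha1: match, not trusted
    print(check_fingerprint(doc, fingerprint(doc)))                            # sha256: match, trusted
```

Treating a SHA-1 match as "same bytes as last time" but not as "the genuine artifact" is the distinction that matters for signatures and certificates: the attack lets someone prepare two documents with one fingerprint in advance, so a fingerprint alone no longer pins the document.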

Read more at https://nakedsecurity.sophos.com/2020/01/13/powerful-gpg-collision-attack-spells-the-end-for-sha-1/

Reddit bans ‘impersonation,’ but satire and parody are still OK

By Lisa Vaas

When it comes to deepfakes, don’t worry: Reddit says it likes seeing Nic Cage in unexpected places just as much as you do.

What it doesn’t like: mimicry done with malicious intent. Reddit had already banned pornographic deepfakes in 2018. Now, in the run-up to the 2020 US presidential election, it’s expanded its deepfake ban: Reddit is now prohibiting impersonation, including domains that mimic others.

Satire and parody are still safe, a Reddit admin said on Thursday in an announcement about the updated policy.

This doesn’t apply to all deepfake or manipulated content – just that which is actually misleading in a malicious way.

Here’s the updated policy:

Do not impersonate an individual or entity

Reddit does not allow content that impersonates individuals or entities in a misleading or deceptive manner. This not only includes using a Reddit account to impersonate someone, but also encompasses things such as domains that mimic others, as well as deepfakes or other manipulated content presented to mislead, or falsely attributed to an individual or entity. While we permit satire and parody, we will always take into account the context of any particular content.

Reddit says the “classic” case of impersonation is a Reddit username that tries to come off as another person or thing, be it a politician, brand, Reddit admin, or anybody/anything else. But from time to time, Redditors post things that take it beyond that and into the realm of serious misinformation attempts, such as…

…fake articles falsely attributed to real journalists, forged election communications purporting to come from real agencies or officials, or scammy domains posing as those of a particular news outlet or politician (always be sure to check URLs closely – .co does NOT equal .com!).

Impersonation is actually near the bottom of what gets reported on Reddit, the Reddit admin, u/LastBluejay, said. But even though impersonation is one of the rarest report classes, the platform wants to stay on the safe side:

We also wanted to hedge against things that we haven’t seen much of to date, but could see in the future, such as malicious deepfakes of politicians, for example, or other, lower-tech forged or manipulated content that misleads.

Reddit isn’t the only one who feels that way. The impersonation ban comes just days after Facebook banned deepfakes.

Read more at https://nakedsecurity.sophos.com/2020/01/13/reddit-bans-impersonation-but-satire-and-parody-are-still-ok/
