February 10, 2020

FBI director warns of sustained Russian disinformation threat

By Danny Bradbury

Russia is still using social media in a sustained campaign to dabble in US affairs, according to FBI director Chris Wray.

Wray, speaking at a House Judiciary Hearing on FBI Oversight on Wednesday 5 February, said that Russia is still engaged in an “information warfare” campaign against the US, according to a report by the Associated Press.

Wray singled out disinformation campaigns as a particular threat to the US in his testimony, warning:

“The goal of these foreign influence operations directed against the United States is to spread disinformation, sow discord, push foreign nations’ policy agendas, and ultimately undermine confidence in our democratic institutions and values.”

The FBI has a three-pillar approach, Wray said, beginning with an open investigation into foreign influence activities spanning field offices around the country. Second, it works with international partners and US intelligence agencies to share information. Finally, it regularly meets with social media companies to brief them on the latest threats, sharing specific account information, he said.

Read more at https://nakedsecurity.sophos.com/2020/02/10/fbi-director-warns-of-sustained-russian-disinformation-threat/

Frustrated author cybersquats novelist’s website

By Danny Bradbury

If you visit the website of renowned Canadian novelist Patrick deWitt today, you’ll see a surprising message. “THIS IS NOT PATRICK DEWITT”, it says.

That’s because the domain has been taken over by a cybersquatter. Not just any cybersquatter, mind – this one has literary ambitions.

The unpublished writer apparently noticed that deWitt had let the domain lapse, and decided to register it for themselves. Clicking on the page takes you to an about section, which announces:

“Patrick deWitt is an award-winning author who has written 4 best-selling novels.

“This is not his site.

“I have not made any films. I have not written any award-winning books.

“If you want to do something that is singularly unrewarding, write a novel.

“Anyway, Patrick deWitt wasn’t using this site, so rather than waste your time with a blank page, I thought I would join you here and we could share a moment.”

As if that wasn’t cheeky enough, the sneaky scribe has also posted their own manuscript on the site. Called In God’s Silence, Them Devils Sang, the author describes it as an acid western.

The news hit the internet last week, but this has been going on for a while. The first instance of the cybersquatter’s site shows up on the Wayback Machine (a site that archives snapshots of web pages) on 10 November 2018. Let’s Encrypt issued an SSL certificate for the domain on 11 July 2019, although the mysterious cybersquatter doesn’t seem to be using it as yet. As of today, the site was still using plain old HTTP.

Read more at https://nakedsecurity.sophos.com/2020/02/10/frustrated-author-cybersquats-novelists-website/

RobbinHood – the ransomware that brings its own bug

By Paul Ducklin

Ransomware is one of the most feared cybercrime problems of the modern era.

The idea of malware that scrambles your files and demands money to get them back is not new – the first widespread attack happened back in 1989 – but the scale of the threat has changed dramatically in the last few years.

Up to about 2010 or 2011, ransomware was little more than a lab curiosity…

…until the crooks finally figured out how to extract money from their desperate victims, thanks to the anonymity (more or less) afforded by the Dark Web and the untraceable (more or less) payments offered through the use of cryptocurrencies.

Crooks such as the gang behind the Cryptolocker ransomware were able to make millions, perhaps even hundreds of millions, of dollars by infecting hundreds of thousands of users and businesses, and then demanding $300 a time to unlock each user’s files.

But that approach has changed recently, with the big-money ransomware criminals carrying out fewer but much bigger attacks.

These days, ransomware operations are very often aimed at whole networks, or even at centrally-managed collections of networks.

The idea is that the crooks are still planning to scramble hundreds or thousands of computers in an attack, but instead of blackmailing the owner of each computer to pay a few hundred dollars, they blackmail the operators of the entire network to pay a huge lump sum.

Those sums typically run from $50,000 to $5,000,000, with the victims sometimes left with little choice but to pay up because their whole business has ground to a halt, not just a few computers here and there.

Read more at https://nakedsecurity.sophos.com/2020/02/07/robbin-hood-the-ransomware-that-brings-its-own-bug/

Researchers transmit data covertly by altering screen brightness

By Danny Bradbury

The normal way to steal data from a compromised computer is to retrieve it over a network. If that computer isn’t connected to one, it gets a little trickier.

Researchers at Ben-Gurion University of the Negev have made a name for themselves figuring out how to get data out of air-gapped computers. They’ve dreamed up ways to communicate using speakers, blinking LEDs in PCs, infrared lights in surveillance cameras, and even computer fans.

Now, they’ve figured out a way to retrieve data from a disconnected computer by altering its LCD display’s pixel density just enough for a nearby camera to pick it up.

In a paper published this month, the researchers describe what they call an “optical covert channel” which cameras can detect, but which users cannot. They use one of the three colors in LCD pixels which normally combine to give the pixel a range of hues.

Their technique adjusts the red color component in pixels on the screen by 3%, which is apparently not enough for users to notice. A camera located six metres from the 19-inch screen was nevertheless able to detect the difference.

Optical exfiltration techniques have cropped up before, they explain, but most of them have been easily detectable by users. Conversely, an attacker could theoretically use this one even while a user was working at the compromised machine.

We say “theoretically” because in practice there are a lot of challenges involved in this attack. The first is that the computer has to be compromised in the first place, which means getting to its physical location. Then, you could infect it with a USB stick, but if you’ve reached that point, presumably you could just copy the data to the stick.

Read more at https://nakedsecurity.sophos.com/2020/02/07/researchers-transmit-data-covertly-by-altering-screen-brightness/

Facebook, Google, YouTube order Clearview to stop scraping faceprints

By Lisa Vaas

Clearview AI, the facial recognition company that’s scraped the web for three billion faceprints and sold them all (or given them away) to 600 police departments so they could identify people within seconds, has received yet more cease-and-desist letters from social media giants.

The first came from Twitter. A few weeks ago, Twitter told Clearview to stop collecting its data and to delete whatever it’s got.

Facebook has also demanded that Clearview stop scraping photos because the action violates its policies, and now Google and YouTube are likewise telling the audacious startup to stop violating their policies against data scraping.

Clearview’s take on all this? Defiance. It’s got a legal right to data scraping, it says.

In an interview on Wednesday with CBS This Morning, Clearview AI founder and CEO Hoan Ton-That told listeners to trust him. The technology is only to be used by law enforcement, and only to identify potential criminals, he said.

The artificial intelligence (AI) program can identify someone by matching photos of unknown people to their online photos and the sites where they were posted. Ton-That claims that the results are 99.6% accurate.

Besides, he said, it’s his right to collect public photos to feed his facial recognition app:

“There is also a First Amendment right to public information. So, the way we have built our system is to only take publicly available information and index it that way.”

Not everybody agrees. Some people think that their facial images shouldn’t be gobbled up without their consent. In fact, the nation’s strictest biometrics privacy law – the Biometric Information Privacy Act (BIPA) – says doing so is illegal. Clearview is already facing a potential class action lawsuit, filed last month, for allegedly violating that law.

Read more at https://nakedsecurity.sophos.com/2020/02/07/facebook-google-youtube-order-clearview-to-stop-scraping-faceprints/

Update now – WhatsApp flaw gave attackers access to local files

By John E Dunn

Does WhatsApp have a lot of vulnerabilities or are there simply a lot of people looking for them?

Ask PerimeterX researcher Gal Weizman, who last year set about poking the world’s most popular messaging platform to see whether he could turn up any new weaknesses.

Sure enough, this week we learned that he uncovered a clutch of vulnerabilities that led him to a tasty cross-site scripting (XSS) flaw affecting WhatsApp desktop for Windows and macOS when paired with WhatsApp for iPhone.

Patched this week as CVE-2019-18426, it’s the sort of weakness iPhone WhatsApp desktop users will be glad to see the back of.

The immediate problem was caused by a gap in WhatsApp’s Content Security Policy (CSP), a security layer used to protect against common types of attack, including XSS.

Using modified JavaScript in a specially crafted message, an attacker could exploit this to feed victims phishing and malware links in weblink previews in ways that would be invisible to the victim.

According to Weizman, this is probably remotely exploitable although the users would still need to click on the link for an attack to succeed.

However, it could also be used to gain read permission to the local file system, that is the ability to access and open files and, potentially, for remote code execution (RCE).

Read more at https://nakedsecurity.sophos.com/2020/02/06/update-now-whatsapp-flaw-gave-attackers-access-to-local-files/
