February 17, 2020
Senator calls for dedicated US data protection agency
By Danny Bradbury
The US needs a data protection agency of its own, and Kirsten Gillibrand wants to be the one that makes it happen.
Gillibrand, the US senator for New York, released the call to action last week. She announced draft legislation known as the Data Protection Act on Thursday 13 February, a day after explaining her reasoning in a post on Medium. We need to do this to catch up, she said:
The United States is vastly behind other countries on this. Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.
At the moment, the US doesn’t have a single body dedicated to enforcing privacy rules. It’s a side-mission at the Federal Trade Commission (FTC), which is limited in its approach.
Under Section 5 of the FTC Act, it can’t simply fine a company for a first privacy violation. Instead, it typically has to get the violator to agree to a consent decree (a promise that it won’t be naughty again), and it can only levy fines if the company then breaches that decree. That’s why it didn’t fine Facebook for privacy infractions in 2011 but did levy a $5bn fine last year for violating the 2011 order.
In any case, the FTC doesn’t just focus on privacy. Gillibrand wants a federal data agency dedicated to the task with three core missions.
The first would give Americans control over their own data by enforcing data protection rules. The key word here is ‘enforcing’ – it would be able to not just conduct investigations and share its findings, but to impose civil penalties. These would be capped at $1m for each day that an organization knowingly violates the Act. This money would go into a relief fund that the Agency would use to help compensate victims of data privacy violations.
The second mission would be to promote privacy innovations, including technologies that minimize the collection of personal data or eliminate it altogether. Under this mission, Gillibrand would also come down hard on service contracts that gave customers no choice but to give up their privacy. She also says that she’d protect against “pay for privacy” provisions in service contracts.
Read more at https://nakedsecurity.sophos.com/2020/02/17/senator-calls-for-dedicated-us-data-protection-agency/
Police bust alleged operator of Bitcoin mixing service Helix
By Lisa Vaas
The guy who allegedly wanted to be the Dark Net’s “go-to” money launderer by acting as a “Bitcoin mixer” – soliciting cryptocurrency from crooks, slicing and dicing the coins, and then remixing them in an ultimately futile attempt to obscure their source – has been busted.
The US Department of Justice (DOJ) announced on Thursday that Larry Harmon, 36, of Akron, Ohio, has been indicted on three counts for allegedly running a Bitcoin mixing service called Helix from 2014 to 2017.
These services are also called Bitcoin tumblers, which is how Harmon allegedly referred to Helix in his sales pitch to the underworld. This is how the indictment summarizes Harmon’s alleged first post about his service in June 2014 – a pitch to convince criminals to pay him to hide their transactions from law enforcement:
Before launching Helix, HARMON posted online that Helix was designed to be a ‘bitcoin tumbler’ that ‘cleans’ bitcoins by providing customers with new bitcoins ‘which have never been to the darknet before.’
Harmon allegedly went on to promise that there was no way law enforcement could tell which addresses were Helix addresses, because the service used a new address for each transaction. His alleged “I’ll-scare-you-crooks-into-paying” follow-up advertising spiel:
No one has ever been arrested just through bitcoin taint, but it is possible and do you want to be the first? …Most markets use ‘Hot Wallets’, they put all their fees in these wallets. [Law enforcement] just needs to check the taints on these wallets to find all the addresses a market uses.
In short, “taint” is the traceable link between coins and their earlier owners: every bitcoin transaction spends identifiable earlier outputs on a public ledger, so a coin’s history can be followed from wallet to wallet. Here’s a discussion about traceability from Stack Exchange.
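To make the idea concrete, here is a small Python script added for this write-up; it is not code from the article, the indictment or any real chain-analysis product. It follows taint through a constructed transaction graph in which coins from a made-up market hot wallet pass through a mixer and out to a brand-new customer address. All txids, addresses and amounts are invented, and the two taint rules (haircut and poison) are generic textbook approaches, not a claim about how any investigator traced Helix.

```python
"""Toy UTXO taint tracing: an added example, not code from the article,
the indictment, or any real chain-analysis tool.

Each transaction spends earlier outputs ("inputs") and creates new
outputs (address, BTC). Taint is the fraction of an output's value that
traces back to a seeded source, computed with two common rules:
  haircut - tainted value is spread proportionally over the outputs
  poison  - any tainted input makes every output fully tainted
Seed entries must be outputs of input-less (origin) transactions.
"""
from collections import defaultdict

# Constructed transaction graph (all txids, addresses and amounts are made up).
TXS = [
    {"txid": "cb1", "inputs": [], "outputs": [("market_hot_wallet", 10.0)]},
    {"txid": "cb2", "inputs": [], "outputs": [("clean_user", 10.0)]},
    # The market deposits its coins into the mixer.
    {"txid": "m1", "inputs": [("cb1", 0)], "outputs": [("mixer_pool", 10.0)]},
    # The mixer pools dirty and clean coins, pays out from fresh addresses, keeps a fee.
    {"txid": "m2", "inputs": [("m1", 0), ("cb2", 0)],
     "outputs": [("mixer_fresh_a", 9.9), ("mixer_fresh_b", 9.9), ("mixer_fee", 0.2)]},
    # A customer withdraws to a brand-new address that has "never been to the darknet".
    {"txid": "w1", "inputs": [("m2", 0)], "outputs": [("customer_new_addr", 9.9)]},
]

# Seed: coins from the (hypothetical) seized market hot wallet.
SEED = {("cb1", 0)}


def trace_taint(txs, seed, method="haircut"):
    """Return {(txid, vout): taint in [0, 1]} for every output in txs.

    txs must be in spend order (a tx appears after the txs it spends from).
    Unknown previous outputs and double spends raise ValueError.
    """
    value, taint, spent = {}, {}, set()
    for tx in txs:
        for vout, (_addr, btc) in enumerate(tx["outputs"]):
            value[(tx["txid"], vout)] = btc
    for tx in txs:
        if not tx["inputs"]:  # origin transaction: tainted only if seeded
            for vout in range(len(tx["outputs"])):
                key = (tx["txid"], vout)
                taint[key] = 1.0 if key in seed else 0.0
            continue
        total_in = tainted_in = 0.0
        for prev in tx["inputs"]:
            if prev not in taint:
                raise ValueError(f"{tx['txid']} spends unknown or out-of-order output {prev}")
            if prev in spent:
                raise ValueError(f"double spend of {prev} in {tx['txid']}")
            spent.add(prev)
            total_in += value[prev]
            tainted_in += value[prev] * taint[prev]
        if method == "haircut":
            t = tainted_in / total_in
        elif method == "poison":
            t = 1.0 if tainted_in > 0 else 0.0
        else:
            raise ValueError(f"unknown method {method!r}")
        for vout in range(len(tx["outputs"])):
            taint[(tx["txid"], vout)] = t
    return taint


def address_taint(txs, seed, method="haircut"):
    """Value-weighted taint of everything each address has ever received."""
    taint = trace_taint(txs, seed, method)
    received, dirty = defaultdict(float), defaultdict(float)
    for tx in txs:
        for vout, (addr, btc) in enumerate(tx["outputs"]):
            received[addr] += btc
            dirty[addr] += btc * taint[(tx["txid"], vout)]
    return {addr: dirty[addr] / received[addr] for addr in received}


if __name__ == "__main__":
    for method in ("haircut", "poison"):
        print(method)
        for addr, t in sorted(address_taint(TXS, SEED, method).items()):
            print(f"  {addr:20s} {t:.2f}")
```

Under the haircut rule the customer’s fresh address still carries 50% taint; under the poison rule it is fully tainted. A new address hides at most who owns the coins, not where they came from, which is why “never been to the darknet before” is a claim about addresses, not about the history that graph analysis actually follows.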
Harmon’s Helix bitcoin mixer allegedly moved at least 354,468 bitcoin on behalf of customers: a sum that was valued at over $300 million at the time of the transactions and which is now worth about $3.6 billion. Most of those customers came in from Dark Net markets. Helix had partnered with AlphaBay – one of the largest Dark Net markets before law enforcement seized it in July 2017 – to provide bitcoin laundering for AlphaBay’s customers.
Read more at https://nakedsecurity.sophos.com/2020/02/17/police-bust-alleged-operator-of-bitcoin-mixing-service-helix/
Bluetooth bugs – researchers find 10 “Sweyntooth” security holes
By Paul Ducklin
A trio of researchers from Singapore just published a paper detailing a number of security holes they discovered in Bluetooth chips from several different vendors.
The good news is that they disclosed the holes responsibly back in 2019 and waited 90 days – a sort-of industry standard period popularized by Google’s Project Zero team – before releasing the paper.
The bad news is that not all of the affected devices have received patches yet, and even for chips where the vendor has provided new firmware, it’s hard to be sure:
- Which products out in the market use those chips.
- Which products that could have been patched have actually received updates.
- Which products might be affected but don’t support patching at all.
The researchers name seven different Bluetooth chip manufacturers as having buggy chips, though they insist that their list is “By no means […] exhaustive in terms of being affected.”
We assume they’re saying that out of a sense of fairness to the vendors they did name, which just happen to be the major Bluetooth chip makers whose chips appeared in the products they tried.
In other words, they’re not claiming that they tested a long list of chips and found all the other vendors to be safer, or suggesting that by avoiding the named vendors you’ll immediately be more secure.
The researchers also say that they were quickly able to find about 480 different products using the affected Bluetooth chips they’d identified, including fitness trackers, digital locks, remotely controllable plugs and more.
Read more at https://nakedsecurity.sophos.com/2020/02/14/bluetooth-bugs-researchers-find-10-sweyntooth-security-holes/
Google pulls 500 malicious Chrome extensions after researcher tip-off
By John E Dunn
Google has abruptly pulled over 500 Chrome extensions from its Web Store that researchers discovered were stealing browsing data and carrying out click fraud and malvertising once installed on the computers of millions of users.
Depending on which way you look at it, that’s either a good result because they’re no longer free to infect users, or an example of how easy it is for malicious extensions to sneak onto the Web Store and stay there for years without Google noticing.
That they were noticed at all is thanks to researcher Jamila Kaya, who used Duo Security’s CRXcavator tool (available at CRXcavator.io) to spot a handful of suspicious extensions, mostly themed around marketing and advertising.
Spotting dodgy extensions was only the start – she still had to connect them to one another to uncover recurring patterns that might highlight other offenders.
The first giveaway was that the extensions’ code often looked like copies of one another, despite small changes to the names of internal functions that were apparently intended to disguise the resemblance.
Another troubling similarity was the set of permissions requested: enough to let the extensions read browsing data and run on sites served over HTTPS.
Working with Duo Security, Kaya eventually identified 70 extensions that appeared to be related to one another. All contacted similar command-and-control infrastructure and seemed designed to detect and evade sandbox analysis.
Ad fraud – contacting advertising domains without the user’s knowledge – was the main activity, along with redirecting users to malware and phishing domains.
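The two signals described above (over-broad permissions and near-identical code with renamed functions) can be checked statically. The Python script below is an added example for this write-up; it is not Kaya’s or Duo Security’s tooling and does not reproduce how CRXcavator scores extensions. The extension names, manifests, scripts and domains are all constructed, and the permission weights are this example’s own judgement rather than a published scale.

```python
"""Static triage of Chrome extensions: an added example, not Jamila Kaya's
or Duo Security's tooling and not how CRXcavator scores extensions.

Two heuristics from the investigation are reproduced:
  1. permission risk - broad host access plus request-interception APIs
  2. structural fingerprint - hash of the script with identifiers and
     literals normalised, so copies that only renamed functions collide
"""
import hashlib
import json
import re

# Constructed extensions (names, manifests, scripts and domains are made up).
EXTENSIONS = {
    "AdBooster Pro": {
        "manifest": json.dumps({
            "manifest_version": 2, "name": "AdBooster Pro",
            "permissions": ["tabs", "webRequest", "webRequestBlocking",
                            "<all_urls>", "storage"],
        }),
        "script": 'function fetchAds(u){var x=new XMLHttpRequest();x.open("GET",u);'
                  'x.send();}chrome.webRequest.onBeforeRequest.addListener('
                  'function(d){fetchAds("https://a.example/c");},{urls:["<all_urls>"]});',
    },
    "MarketingHelper": {  # same code with renamed functions and another C2 domain
        "manifest": json.dumps({
            "manifest_version": 2, "name": "MarketingHelper",
            "permissions": ["tabs", "webRequest", "webRequestBlocking",
                            "https://*/*", "storage"],
        }),
        "script": 'function qz1(p){var k=new XMLHttpRequest();k.open("GET",p);'
                  'k.send();}chrome.webRequest.onBeforeRequest.addListener('
                  'function(e){qz1("https://b.example/t");},{urls:["<all_urls>"]});',
    },
    "NotePad": {
        "manifest": json.dumps({
            "manifest_version": 3, "name": "NotePad",
            "permissions": ["storage", "activeTab"],
        }),
        "script": 'chrome.storage.local.get("notes",function(r){console.log(r);});',
    },
}

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Weights are this example's own judgement, not a published scale.
PERMISSION_WEIGHT = {"webRequest": 3, "webRequestBlocking": 3, "history": 3,
                     "cookies": 3, "proxy": 3, "tabs": 2, "webNavigation": 2,
                     "management": 2, "declarativeNetRequest": 1}


def risk_score(manifest_json):
    """Score a manifest (MV2 or MV3 JSON text); return (score, reasons)."""
    m = json.loads(manifest_json)
    perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    score, reasons = 0, []
    for p in perms:
        if p in BROAD_HOSTS:
            score += 4
            reasons.append(f"runs on every site, HTTPS included: {p}")
        elif p in PERMISSION_WEIGHT:
            score += PERMISSION_WEIGHT[p]
            reasons.append(f"sensitive API: {p}")
        elif "://" in p and "*" in p:
            score += 1
            reasons.append(f"wildcard host: {p}")
    if "webRequest" in perms and "webRequestBlocking" in perms:
        score += 2
        reasons.append("can intercept and rewrite requests")
    return score, reasons


JS_KEYWORDS = {"function", "var", "let", "const", "return", "if", "else", "new",
               "for", "while", "this", "true", "false", "null", "typeof", "in"}
TOKEN = re.compile(r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'"""
                   r"""|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|\s+|.""", re.S)


def code_fingerprint(js):
    """SHA-256 of the script with comments dropped and identifiers/literals
    replaced by placeholders, so renaming functions does not change it."""
    shape = []
    for tok in (m.group(0) for m in TOKEN.finditer(js)):
        if tok.isspace() or tok.startswith(("//", "/*")):
            continue
        if tok[0] in "\"'":
            shape.append("STR")
        elif tok[0].isdigit():
            shape.append("NUM")
        elif re.match(r"[A-Za-z_$]", tok):
            shape.append(tok if tok in JS_KEYWORDS else "ID")
        else:
            shape.append(tok)
    return hashlib.sha256(" ".join(shape).encode()).hexdigest()


def triage(extensions, threshold=8):
    """Return extensions at or above the risk threshold, grouped by fingerprint."""
    groups = {}
    for name, ext in extensions.items():
        score, reasons = risk_score(ext["manifest"])
        if score >= threshold:
            fp = code_fingerprint(ext["script"])
            groups.setdefault(fp, []).append((name, score, reasons))
    return groups


if __name__ == "__main__":
    for fp, members in triage(EXTENSIONS).items():
        print(f"family {fp[:12]}: {[n for n, _, _ in members]}")
```

The fingerprint deliberately throws away identifier names and string literals, so two extensions that differ only in function names and command-and-control domains hash to the same value, while the benign note-taking extension scores zero and is never fingerprinted. On a real corpus the threshold and weights need tuning, and a fingerprint match is a lead for manual review, not proof of shared authorship.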
Read more at https://nakedsecurity.sophos.com/2020/02/17/google-pulls-500-malicious-chrome-extensions-after-researcher-tip-off/
Google forced to reveal anonymous reviewer’s details
By Danny Bradbury
It’s a small business’s worst nightmare: someone leaves a review on a popular site trashing your company, and they do it anonymously. That’s what happened to Mark Kabbabe, who runs a tooth whitening business in Melbourne, Australia. Last week, a court forced Google to reveal the details of an anonymous poster who published a bad review of his business.
According to the court judgement, the anonymous poster used the pseudonym CBsm 23 to publish a review on Google about a procedure they had undergone at Kabbabe’s clinic. The review said that the dentist made the whole experience “extremely awkward and uncomfortable”, claiming that the procedure was a “complete waste of time” and was not “done properly”. It seemed like Kabbabe “had never done this before”, said the review, adding that other patients had “been warned!” and should “STAY AWAY”. Ouch.
Kabbabe contacted Google in November 2019, according to the court order, asking it to take down the review, but Google refused. He mailed again on 5 February, asking for information about the poster, but Google replied that:
We do not have any means to investigate where and when the ID was created.
This was enough for Justice Murphy, presiding over the case, who ordered Google to hand over the anonymous poster’s details. In his ruling, he said:
Dr Kabbabe is not required to make inquiries that will be fruitless and in my view he has done enough.
He added:
…notwithstanding Google’s response, I consider that Google is likely to have or have had control of a document or thing that would help ascertain that description of the prospective respondent CBsm 23…
Read more at https://nakedsecurity.sophos.com/2020/02/17/google-forced-to-reveal-anonymous-reviewers-details/