May 26, 2020
What is the dark web? Your questions answered, in plain English
By Paul Ducklin
You can’t read much about cybercrime these days without hearing mention of “the dark web”.
Often, the term is used with the metaphorical meaning of dark, to describe those parts of the internet that are evil, being dedicated to odious and often very serious criminal offences.
We’re not just talking about stories of websites where illegal drugs can be bought and sold, but also about much more worrying crimes including child abuse, terrorism and murder.
Sometimes, however, the term is used in the literal sense of dark to describe a part of the web where the network traffic going to and from it is effectively invisible or untrackable, so that it is dark in the sense of being unilluminated.
And there you have it: dark as in evil, and dark as in unilluminated.
Read more at https://nakedsecurity.sophos.com/2020/05/25/what-is-the-dark-web-your-questions-answered-in-plain-english/
The ransomware that attacks you from inside a virtual machine
By Mark Stockley
Yesterday, SophosLabs published details of a sophisticated new ransomware attack that takes the popular tactic of “living off the land” to a new level.
To ensure their 49 kB Ragnar Locker ransomware ran undisturbed, the crooks behind the attack brought along a 280 MB Windows XP virtual machine to run it in (and a copy of Oracle VirtualBox to run that).
It’s almost funny, but it’s no joke.
The attack was carried out by the gang behind Ragnar Locker, who break into company networks, make themselves admins, conduct reconnaissance, delete backups and deploy ransomware manually, before demanding multi-million dollar ransoms.
Like a lot of criminals who conduct similar “targeted” or “big game” ransomware attacks, the Ragnar Locker gang try to avoid detection as they operate inside a victim’s network with a tactic dubbed “living off the land”.
Living off the land entails using legitimate software administration tools that either already exist on the network the crooks have broken into, or that don’t look suspicious or out of place (PowerShell is a particular favorite).
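As an added example (not code from the article or from SophosLabs), the following Python snippet runs a few of the checks a defender might apply against this tactic over a handful of constructed, Sysmon-style process-creation events: PowerShell invoked with hidden, encoded-command or execution-policy-bypass switches, or from a parent process an admin would rarely launch it from; a hypervisor binary appearing on a host that has no business running one; and backup destruction via shadow-copy deletion, which is one common way "delete backups" is done with a built-in tool. The host names, the allow-list of hosts permitted to run VirtualBox, the list of unusual parents and the sample events are all assumptions invented for the illustration. The VirtualBox file names are the ones Oracle ships, but they are used here as a heuristic, not as published indicators for this attack.

```python
"""Added example, not from the article or SophosLabs: a small "living off the
land" triage over constructed process-creation events.

All host names, allow-lists, parent-process rules and sample events are
assumptions made up for this illustration."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    host: str      # machine the process started on
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line


# Assumed: the only host in this (made-up) estate allowed to run VirtualBox.
HYPERVISOR_ALLOWED_HOSTS = {"DEV-WS-01"}

# Real VirtualBox binary names, used as a heuristic (assumed list, not an IOC).
VBOX_IMAGES = {"vboxheadless.exe", "vboxmanage.exe", "virtualbox.exe", "vboxsvc.exe"}

# Assumed: parents from which an admin rarely launches PowerShell by hand.
ODD_POWERSHELL_PARENTS = {"winword.exe", "excel.exe", "wscript.exe", "mshta.exe",
                          "vboxheadless.exe"}

# PowerShell switches typical of scripted or obfuscated use (-enc/-e/-ec are
# genuine abbreviations of -EncodedCommand; -w hidden, -nop, -exec bypass likewise).
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b"
    r"|-nop\b|-noprofile\b"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|-exec(?:utionpolicy)?\s+bypass",
    re.IGNORECASE,
)


def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons this event looks suspicious (empty list if none)."""
    reasons: list[str] = []
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    if img in VBOX_IMAGES and ev.host not in HYPERVISOR_ALLOWED_HOSTS:
        reasons.append("hypervisor binary on a host not expected to run one")
    if img == "powershell.exe":
        if SUSPICIOUS_PS_FLAGS.search(cmd):
            reasons.append("powershell launched with hidden/encoded/bypass switches")
        if parent in ODD_POWERSHELL_PARENTS:
            reasons.append(f"powershell spawned by unusual parent {ev.parent}")
    if img == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.IGNORECASE):
        reasons.append("shadow copy deletion (backup destruction)")
    return reasons


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of each flagged event to its reasons; clean events are omitted."""
    return {i: r for i, ev in enumerate(events) if (r := score_event(ev))}


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("DEV-WS-01", "explorer.exe", "VirtualBox.exe", "VirtualBox.exe"),
    ProcEvent("FS-02", "services.exe", "VBoxHeadless.exe", "VBoxHeadless.exe --startvm oldxp"),
    ProcEvent("FS-02", "cmd.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("HR-PC-07", "explorer.exe", "powershell.exe", "powershell.exe Get-Service"),
    ProcEvent("FS-02", "cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{ev.host}] {ev.parent} -> {ev.image}: {'; '.join(why)}")
```

Only events 1, 2 and 4 are flagged: the VirtualBox launch on the dev workstation is allowed by the assumed allow-list, and an interactive `Get-Service` from Explorer matches none of the rules. The point of the allow-list is that "legitimate software" is only legitimate in context; the same hypervisor binary that is normal on a developer's machine is worth a look on a file server.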
Read more at https://nakedsecurity.sophos.com/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/
Signal secure messaging can now identify you without a phone number
By Paul Ducklin
Signal is a popular instant messaging (IM) app with a difference.
That difference – or at least its major difference – is simple: it’s not owned and operated by an industry behemoth.
WhatsApp belongs to Facebook, Skype is part of Microsoft, and iMessage is owned by Apple, but the open-source app Signal belongs, inasmuch as it belongs to anyone, to Signal.
Signal is a US-registered non-profit organization that was founded entirely around making and supporting the messaging app.
As a result, Signal’s big selling point is, well, that it isn’t selling anything.
Sharing information about you with third parties isn’t part of Signal’s business model, so there’s actually no point in it figuring out how to do so…
…which means that there’s a much more compelling reason to believe the organization when it claims to have an unbending focus on end-to-end encryption.
Signal not only has no desire, but also has no need, to take any interest in what you’re saying, or whom you’re saying it to.
Signal is also endorsed by a privacy celebrity that other IM service providers can’t match, namely Edward Snowden.
Snowden is quoted on Signal’s website with the five simple words, “I use Signal every day.”
(With apologies to well-known cryptographers Bruce Schneier and Matt Green, who are two of Signal’s other celebrity endorsers.)
Read more at https://nakedsecurity.sophos.com/2020/05/22/signal-secure-messaging-can-now-identify-you-without-a-phone-number/
Office 365 exposed some internal search results to other companies
By John E Dunn
As the well-worn internet saying goes – there is no cloud, it’s just someone else’s computer.
It opened our coverage last February of the news that some Google Photos data had been inadvertently made accessible to the wrong users.
Now Microsoft has suffered its own smaller version of the same phenomenon on the Office 365 platform (or Microsoft 365 as its business versions are now called).
The Register reported that an admin was told that their company’s internal search results had been made visible when queries were run by users from another company.
The glitch was temporary, and any files displayed were not accessible:
At no time were the files that were displayed accessible to the user who received the incorrect search results.
It’s not clear how many accounts were caught up in the incident but Microsoft is said to have made available the URL paths and metadata associated with the results so admins could “identify the exact search query results data which were inadvertently viewed.”
Microsoft acknowledged the problem, describing it as “resolved.”
Read more at https://nakedsecurity.sophos.com/2020/05/20/office-365-exposed-some-internal-search-results-to-other-companies/
FBI finally unlock shooter’s iPhones, Apple berated for not helping
By Lisa Vaas
The FBI said on Monday that it figured out how to unlock the iPhones of the shooter who killed three young US Navy students and injured eight at a Pensacola, Florida naval base in December 2019.
No thanks to you, Apple, Attorney General William P. Barr said in a news release:
Thanks to the great work of the FBI – and no thanks to Apple – we were able to unlock Alshamrani’s phones.
Barr has on multiple occasions issued public calls for encryption backdoors.
On Monday, the AG joined FBI Director Christopher Wray in a virtual press conference. Barr used the opportunity to once again call for a “legislative solution” to the roadblock of Apple’s encryption, while Wray referred to the FBI’s “Apple problem.”
Both gave FBI workers a pat on the back for the months they spent working to unlock the damaged iPhones.
In January, following the shootings, the bureau had asked Apple to help it unlock two iPhones that belonged to murderer Mohammed Saeed Alshamrani. Also in January, the Department of Justice (DOJ) said that its investigations showed the incident was an act of terrorism, motivated by jihadist ideology. On 2 February, al-Qaeda in the Arabian Peninsula (AQAP) claimed responsibility for the shooting spree.
The FBI had gotten a subpoena allowing it to search content on the iPhones, both of which were password-protected and one of which Alshamrani put a bullet hole through, further complicating forensics on the device and its data.
An FBI press release related to Monday’s conference included a photo of the hole in one iPhone and of an iPhone alert saying “Authorized Service Provider Only.”
Read more at https://nakedsecurity.sophos.com/2020/05/20/fbi-finally-unlock-shooters-iphones-berate-apple-for-not-helping/