News in brief: tech firms ‘must do more’ on terror; romance scammers jailed; Disney film heist ‘a hoax’

Created: 26 May 2017

Your daily round-up of some of the other stories in the news

Tech firms ‘must do more’ to combat terrorism

British prime minister Theresa May (pictured) has called on the leading technology companies to do more to stop extremist content online, saying that the fight against Islamic State has moved from “the battlefield to the internet”.

Speaking at the G7 summit in Sicily at the end of a week that saw 22 people killed in a terrorist bomb attack in Manchester, May said that internet companies such as Facebook, Twitter, Google and its subsidiaries such as YouTube have not done enough to stop the spread of extremist material online.

A British government official told the Financial Times that the UK wants to see “revised guidelines on what constitutes harmful material. Those who don’t abide by those guidelines should be held to account.”

Google told Naked Security that it “shares the government’s commitment to ensuring that terrorists do not have a voice online. We employ thousands of people and invest hundreds of millions of pounds to fight abuse on our platforms and will continue investing and adapting to ensure that we are part of the solution.”

Three ‘romance scammers’ jailed

Three Nigerian “romance scammers” who defrauded their victims out of tens of millions of dollars were sentenced to 235 years in prison between them after carrying out “numerous internet-based fraud schemes dating back to at least 2001”, said the US Department of Justice on Thursday.

The three men – Oladimeji Seun Ayelotan, Rasaq Aderoju Raheem and Femi Alexander Mewase – lured their victims via dating websites, where they created false profiles and established romantic relationships with their marks.

Once they’d gained the trust of their victims, said the Department of Justice, the men “would convince the victim to either send money or help carry out fraud schemes. The defendants admitted that they used romance victims to launder money via Western Union and MoneyGram, to repackage and reship fraudulently obtained merchandise and to cash counterfeit checks.”

The three were extradited to Mississippi from South Africa in 2015, said Mississippi and New Orleans law enforcement officials.

Disney film hack ‘was a hoax’

We recently reported the tale of how hackers had claimed to have stolen a Disney blockbuster movie, thought to be the latest in the Pirates of the Caribbean franchise starring Johnny Depp, and how the thieves were threatening to release it online unless Disney coughed up a ransom in Bitcoin.

That came from Bob Iger, Disney’s chief executive – but now he’s saying that it was all a hoax. Speaking to Yahoo Finance on Thursday, Iger said: “To our knowledge, we were not hacked. We had a threat of a hack of a movie being stolen. We decided to take it seriously but not reach in the manner in which the person who was threatening us had required.”

However, TorrentFreak said that after Iger had said Disney had been the focus of a hoax, it had found itself talking to someone who claimed to be the hacker, who said they could provide “the original emails sent to Disney as well as some other unknown details”. The putative hacker told TorrentFreak that the movie they had threatened to release online wasn’t the Pirates film, but The Last Jedi, the next instalment in the Star Wars franchise which is due to be released in December.

Researchers cast doubt over the veracity of the claims – and as yet, no ransoms have been paid nor have any chunks of either film turned up online.

Catch up with all of today’s stories on Naked Security

Source: Naked Security


Crysis ransomware master keys posted to Pastebin

Created: 26 May 2017

Some days, you get lucky. Maybe you’ve got a bit of technical savvy, or maybe a friend with the right skills can help you get untangled from ransomware without paying up.

Then there are the less-lucky days: like when your files are caught in a chokehold by one of the most recent file-encrypting ransomware variants, like CryptoLocker, CryptoWall, TeslaCrypt, or the most recent, WannaCry.

On such luckless days, you have to decide whether to pay up or give up: a question on which Sophos has mostly taken a neutral stance. After all, some organizations, such as hospitals, can feel like they simply have no choice.

But then there are those rarest of ransomware days: the days when you’re graced, for whatever reason, with a get-out-of-jail-free card for your encrypted files.

Today is one of those days: if you haven’t already deleted files that crooks encrypted with the Crysis ransomware, you’re in luck. Here’s a bonus: the keys can also be used to decrypt files encrypted with .wallet and .onion extensions.

A forum member named lightsentinelone has posted a Pastebin link that leads to a C header file with 198 decryption keys. According to BleepingComputer, the keys have been confirmed as valid. Security researchers have used them to create a Wallet Ransomware decryptor.

He or she didn’t give a rationale, but did include this jovial message:


This isn’t the first time we’ve seen ransomware keys released. A year ago, the TeslaCrypt ransomware gang did the same thing.

Then too, in July 2016, the operators behind the Petya and Mischa double-pack of ransomware trouble skewered a rival gang by releasing about 3,500 RSA private keys for Chimera.

Dharma, a variant based on Crysis, first appeared in November 2016, and its keys were released in March.

Of course, just like with earlier key releases, this latest one isn’t going to be joyous for all victims. It’s good news only for those who’ve been hit recently and who haven’t yet paid up, or victims who backed up their already-encrypted data just in case.

We can only conjecture as to the motivations behind key release. Fellow Naked Security writer Paul Ducklin came up with this list of possibilities with an earlier key release:

  • The crooks are genuinely sorry, and have retired in a fit of conscience.
  • The crooks were hacked by another gang, who spilled the master key to ruin their rivals’ business.
  • The crooks have switched their time and effort to newer ransomware.
  • The crooks have made so much money that they want to retire in a media-friendly way before they get caught.

Then too, there’s the gang war possibility: do it as a way to pull the rug out from under the competition!

Researchers at security firm ESET say that this is the third Crysis key release we’ve seen. ZDNet quoted them:

This has become a habit of the Crysis operators lately—with this being the third time keys were released in this manner. Since the last set of decryption keys was published, Crysis ransomware attacks have been detected by our systems over ten thousand times.

ESET has taken the latest Crysis keys and created a decryption tool that you can download here.

Source: Naked Security


Samba exploit – not quite WannaCry for Linux, but patch anyway!

Created: 26 May 2017

Samba is an open source project that is widely used on Linux and Unix computers so they can work with Windows file and print services.

Samba can work as a client that lets you connect to Windows servers, and as a server that can accept connections from Windows clients.

You can even use Samba as an Active Directory server to handle logon, authentication and access control for a Windows network.

In case you’re wondering about the name, it’s derived from SMB, short for Server Message Block, the underlying protocol used in Windows networking.

SMB, of course, has been all over the security news recently thanks to the WannaCry virus – self-spreading ransomware that wormed its way automatically from network to network thanks to a security hole in the SMB networking code in Windows.

The vulnerability that led to the WannaCry outbreak had been in Windows for many years, apparently undiscovered by everyone except the US National Security Agency (NSA).

The NSA kept that information up its sleeve under the codename ETERNALBLUE, until some time in 2016…

…when a bunch of cybercrooks somehow got hold of it in a cache of leaked, breached or stolen data, and threatened to make the information public.

What happened next is that Microsoft patched the ETERNALBLUE hole (whether Microsoft was tipped off by the NSA as a sort of public service once the breach was noticed, or found the vulnerability itself, doesn’t really matter to the story), and that ought to have been that.

But the crooks then quickly publicised the details of ETERNALBLUE, along with a raft of other stolen information, presumably realising that the window of opportunity for stirring up security trouble was shrinking as fast as the patch was being applied.

And then, as we all surely know by now, the WannaCry ransomware appeared, using the now-public ETERNALBLUE exploit to attack unpatched computers and to spread with no user intervention needed.

For those with long memories, WannaCry was an echo of numerous infamous viruses of yesteryear, such as the Internet Worm (1988), Slammer (2003) and Conficker (2008).

Not just Windows

Because of cross-platform tools like Samba, network security holes due to SMB and Windows file sharing services aren’t unique to the Windows platform.

In fact, it turns out that there’s been a remote code execution hole in Samba’s SMB implementation for several years, too.

In theory, this latest hole, dubbed CVE-2017-7494, could be used for what’s known as a “wormable attack” – that’s the jargon name for an intrusion that can be automated so that a compromised computer automatically looks for new victims, attacks them, breaks into them in turn, and so on.

Greatly simplified, the CVE-2017-7494 hole can be exploited by starting off something like this:

  • Find a writable network share on a vulnerable Samba server.
  • Copy a special sort of Linux/Unix program called a shared object (a .so file) into that writable share.

At this point, if you’re a crook with a maliciously crafted .so program file, you have already introduced your malware to the victim’s system.

But that is a far cry from actively infecting the target, because the malware is merely sitting there in a file, doing nothing.

Because of the CVE-2017-7494 bug, however, a crook operating remotely may be able to trick the Samba server into loading and running the just-uploaded .so file:

  • Guess the local filename of the uploaded file on the server you are attacking. (The remote name via the share might be \\SERVER\SHARE\; that file might end up in the server’s local directory tree as, say, /var/samba/share/
  • Send Samba a specially-malformed IPC request (interprocess communication, or computer-to-computer message) that identifies the local copy of the malware by full path name.

The malformed IPC request tricks the server into loading and running the locally-stored program file, even though that file came from an untrusted external source.

Bingo – RCE, or Remote Code Execution.

What to do?

Unlike ETERNALBLUE and WannaCry, not every vulnerable SMB service can actively be exploited, so the risk is easier to control.

Here’s what you need to know:

  • If you have Samba installed but are only using it as a client to connect out to other file shares, the exploit can’t be used because there is no listening server for a crook to connect to.
  • If you have Samba shares open but they are configured read-only (for example if you are using Samba to publish updates to Windows PCs on your network), the exploit can’t be used because the crooks can’t upload their malware file to start the attack.
  • If you have writable Samba shares but you have set the Samba configuration option nt pipe support = no, the exploit can’t be used because the crooks can’t send the malformed IPC requests to launch the malware they just uploaded.
  • If you update your Samba version to 4.6.4 (4.5.10 or 4.4.14 if you are on older release branches), the exploit can’t be used because Samba won’t accept the malformed IPC request that references the uploaded malware by its local path name.
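The four points above amount to a checklist that can be run against a Samba host’s configuration and version. The script below is an added example written for this article; it is not part of the original piece and not Samba project code. It parses a constructed smb.conf (the parser handles the subset of syntax shown: sections, `key = value`, and `#`/`;` comments), reports which shares are writable (Samba treats `read only` as yes by default, and `writable`, `writeable` and `write ok` as synonyms for `read only = no`), checks whether `nt pipe support = no` is set, and compares a version string of the kind printed by `smbd --version` against the fixed releases 4.6.4, 4.5.10 and 4.4.14 named in the article. Treating branches newer than 4.6 as fixed and branches older than 4.4 as unfixed is an assumption beyond what the article states.

```python
"""Check a Samba host against the CVE-2017-7494 mitigations listed above:
writable shares, 'nt pipe support = no', and a fixed release.
Added example for this article; not Samba project code."""
import re

# Constructed sample smb.conf; not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = NAS box
   ; nt pipe support is left at its default (yes) in this sample

[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes

[updates]
   path = /srv/samba/updates
   read only = yes

[scratch]
   path = /srv/samba/scratch
   writable = yes
"""

# Fixed releases from the article: branch (major, minor) -> first fixed patch level.
FIXED_RELEASES = {(4, 6): 4, (4, 5): 10, (4, 4): 14}
TRUE_VALUES = {"yes", "true", "1"}
WRITE_SYNONYMS = ("writable", "writeable", "write ok")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {param: value}}. Parameter names are
    lower-cased with spacing normalised, since Samba ignores case and spacing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip().lower()
    return sections


def writable_shares(sections):
    """Names of shares a remote user could upload a file to. The last
    'read only' / 'writable' style setting in a share wins, as in Samba."""
    result = []
    for name, params in sections.items():
        if name in ("global", "printers"):
            continue
        writable = False  # Samba default: read only = yes
        for key, value in params.items():
            if key == "read only":
                writable = value not in TRUE_VALUES
            elif key in WRITE_SYNONYMS:
                writable = value in TRUE_VALUES
        if writable:
            result.append(name)
    return sorted(result)


def nt_pipe_support_disabled(sections):
    """True when the global 'nt pipe support = no' mitigation is set."""
    value = sections.get("global", {}).get("nt pipe support")
    return value in {"no", "false", "0"}


def version_is_fixed(version_string):
    """True if the x.y.z version is at or above the fixed release for its
    branch. Branches newer than 4.6 count as fixed and branches older than
    4.4 as unfixed (assumptions, not stated in the article)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("no x.y.z version found in %r" % version_string)
    major, minor, patch = (int(x) for x in m.groups())
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[branch]
    return branch > (4, 6)


def assess(conf_text, version_string):
    """Combine the three checks; the attack path described in the article
    needs a writable share, IPC pipe support and an unfixed version at once."""
    sections = parse_smb_conf(conf_text)
    shares = writable_shares(sections)
    pipes_off = nt_pipe_support_disabled(sections)
    fixed = version_is_fixed(version_string)
    return {
        "writable_shares": shares,
        "nt_pipe_support_disabled": pipes_off,
        "version_fixed": fixed,
        "exploitable_path_present": bool(shares) and not pipes_off and not fixed,
    }


if __name__ == "__main__":
    # Version string shaped like `smbd --version` output (constructed).
    print(assess(SAMPLE_SMB_CONF, "Version 4.5.8-Debian"))
```

On a real host you would feed it the output of `testparm -s` (which prints the effective configuration with defaults resolved) rather than the raw file, and the version from `smbd --version`; a NAS appliance that exposes neither is exactly the case the article goes on to discuss.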

The last point above raises a thorny question: what to do about appliances such as Network Attached Storage (NAS) devices, and home or small business routers that allow you to plug in USB drives to add shared storage?

Like many IoT devices, home routers and NAS boxes are often built down to a price, using Linux-based firmware with Samba to provide the needed connectivity.

Is your NAS box or router using Samba? What version does it have? How is it configured? Has it been patched? Where to get the patch?

Sadly, we don’t have a generic answer, because it depends on the device, the model, the vendor, and many other factors; all we can do is to suggest that you:

  • Check with the vendor of your NAS and other network storage devices whether patches are needed, and if so how to apply them (and how to verify that the update has happened).
  • Don’t open up your NAS boxes to the internet, whether by accident or by design.

Thanks to the publicity surrounding WannaCry, cybercrooks are now especially interested in SMB services that are listening out for connections on the public internet – so if you don’t check your own network to make sure you aren’t exposed unnecessarily, the crooks certainly will!

Note. Sophos products aren’t vulnerable to this attack. For details and an explanation, please see our Community Knowledge Base article entitled Samba CVE-2017-7494 exploit.

Source: Naked Security


Campaigners demand halt to Vermont’s use of facial recognition

Created: 26 May 2017

It’s not ambiguous: Vermont state law is perfectly clear on whether the Department of Motor Vehicles (DMV) can use biometrics to identify people when they get a license or other identity card.

The Department of Motor Vehicles shall not implement any procedures or processes … that involve the use of biometric identifiers.

But despite that law, the American Civil Liberties Union has found documents that describe the DMV’s use of facial recognition. On Tuesday, ACLU Vermont demanded an immediate halt to the program.

As the ACLU describes it, Vermont invites state and federal agencies to submit photographs of persons of interest to its DMV. The program entails comparison of those photos against its database of some 2.6m photos, as well as the sharing of potential matches. Since 2012, the agency has run at least 126 such searches on behalf of state and local police from around the country, the State Department, the FBI, and Immigration and Customs Enforcement (ICE).

James Lyall, executive director of the ACLU of Vermont:

Once again, we see Vermont DMV overstepping its authority and thumbing its nose at state law. In addition to violating Vermont law, DMV’s facial recognition program invades Vermonters’ privacy, disproportionately targets people of color, places immigrants at increased risk of harm, and lacks due process protections to prevent further abuse. This program was banned for a reason, and must be halted immediately. The ACLU is calling on legislators to hold DMV accountable and take action to protect Vermonters from runaway government surveillance and discrimination.

As it is, nearly half of all Americans are in a facial recognition database that the FBI and other law enforcement agents can get at without warrants, and without even having to show reasonable suspicion that we’ve done anything wrong.

Our likenesses are captured in civil and criminal mugshot photos, the State Department’s visa and passport databases, the Defense Department’s biometric database, and the drivers’ license databases of 18 states.

In March, during a House oversight committee hearing, politicians and privacy campaigners hauled the FBI over the coals for its use of facial recognition technology, which the bureau has used for years without first publishing a privacy impact assessment as required by law.

The committee called for stricter regulation of facial recognition technology at a time when it’s exploding, both in the hands of law enforcement and in business.

As the ACLU states, studies have found that minorities are disproportionately targeted by facial recognition. According to a study from Georgetown University’s Center for Privacy and Technology, in certain states, black Americans are arrested at up to three times their share of the population, which means that they’re overrepresented in face databases. And just as African Americans are overrepresented, so too is their misidentification multiplied. Adding to this, facial recognition (FRT) algorithms have been found to be less accurate at identifying black faces.

During the committee hearing in March, it emerged that 80% of the people in the database don’t have any sort of arrest record. Yet the system’s recognition algorithm inaccurately identifies them during criminal searches 15% of the time, with black women most often being misidentified.

As goes the FBI’s use of facial recognition, so goes that of Vermont DMV. The ACLU cited records that show that the agency has conducted searches involving people merely alleged to be involved in “suspicious circumstances”. That includes minor offenses such as trespassing or disorderly conduct, while some records fail to reference any criminal conduct whatsoever.

The ACLU gave these examples:

  • The FBI sent one man’s image to the Vermont DMV for facial recognition scanning after the man allegedly asked “unusual and suspicious” questions at a local gun shop. DMV records show the FBI listed the charges as “N/A”. Nonetheless, DMV responded by sharing Vermont ID photos and associated information with the FBI.
  • DMV scanned and sent Vermont ID holders’ photos and information to U.S. Marshals, ostensibly to locate the girlfriend of an alleged fugitive based upon a photo of the girlfriend.
  • The program has also been used to search for immigrants alleged to have overstayed their visas: what the ACLU describes as “another troubling example of DMV’s continuing entanglement in federal immigration operations”.

Vermont DMV commissioner Robert Ide told a local weekly, Seven Days, that Vermonters should have “absolute confidence in how we are accepting and carrying through our responsibility”. He also said that he had been unaware of the state law banning the use of biometrics.

According to Seven Days, when the facial recognition program was first rolled out in 2012, director of operations Michael Smith told the publication that it was just for protection against identity fraud, and that it wouldn’t be used for other law enforcement purposes.

But according to records obtained by the ACLU and reviewed by Seven Days, in that same year, DMV higher-ups debated whether to allow police to get at its facial-recognition database.

Seven Days quotes correspondence between DMV project manager Michael Charter and his colleagues:

Personally, I think it seems like a good idea. However, this may be the one piece most likely to stir up the tinfoil-hat crowd.

According to the report from Georgetown Law, government agencies have facial-recognition programs in at least 36 states, and, in all but three, lawmakers never voted to approve them.

And again, in Vermont, legislators explicitly voted not to approve such a program.

So much for laws!

Source: Naked Security


WannaCry: the rush to blame XP masked bigger problems

Created: 26 May 2017

As the world reeled from WannaCry earlier this month, many fingers were pointed at organizations still using Windows XP. As we now know, the contagion actually infected Windows 7 systems the most.

It’s still a bad idea to use XP. It’s no longer supported, has a long history of being exploited, and the latest versions of Windows are far more secure. But making XP the scapegoat distracted security pros from other aspects of the attack that needed to be understood.

SophosLabs continues to investigate why WannaCry couldn’t remotely infect XP nearly as effectively as Windows 7 – if it could at all – and whether the mechanics of the outbreak were the deliberate actions of an attacker or merely a case of buggy code run amok. What they know so far is described below.

Regardless of why Windows 7 was the easier conduit, this much is certain:

  • Windows 7 computers were infected because they hadn’t been patched against the Windows SMB vulnerability that WannaCry exploited.
  • Like countless attacks before it, WannaCry had no trouble spreading because so many unpatched systems had their port 445 open to the outside.

Failure to patch – again

WannaCry spread because of a vulnerability in Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. It’s the same type of old-school vulnerability that allowed worms like Slammer and Conficker to spread around the globe more than a decade ago.

Microsoft had addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn’t have seen it unless they were signed up for custom support, ie Microsoft’s special extended – and paid-for – support.

Microsoft has begun phasing out Windows 7, though it continues to offer limited extended support options for business customers. Windows 7 Service Pack 1 will expire in two and a half years’ time, on January 14 2020. Despite that, Windows 7 remains in heavy use and, as the WannaCry outbreak demonstrated, many of those systems are not getting patched in a timely manner.

Unpatched Windows 7 + port 445 = trouble

During its investigation, SophosLabs has confirmed that systems most at risk in the attack had been running unpatched versions of SMB on Windows 7.

Take all those unpatched computers and leave them with port 445 open on a public or even private network and you’re asking for trouble. In that scenario, once a single device is compromised, the attack can spread like wildfire across your internal network.

That’s why the usual advice is not to leave port 445 open to the outside.

XP was a poor conduit

Though the lack of patching and exposure of port 445 were easily identified problems, the reasons why Windows 7 was an easier target than XP remain somewhat clouded.

During testing, SophosLabs found that XP wasn’t the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

The screenshot below shows the attack (at the network level, in Wireshark) going against an XP target. You can see that very early on, the server responds with an error and the attack fails to proceed any further:

Here is the same attack on Windows 7. Note that the same error does not appear in this case:

The Windows 7 infection then continues to an actual payload state:

Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher: our analysis of endpoint data for the three days that followed the outbreak shows that Windows 7 accounted for nearly 98% of infected computers.

That percentage came as a surprise to some, since XP was almost universally cited as the exploited operating system. Microsoft even took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone.

The tiny number of XP computers reporting WannaCry detections were likely test machines or PCs infected through a different vector.

A difference of SMB drivers?

Early in the outbreak, researchers determined that both SMBv1 and SMBv2 packets were used in the attack. Since both versions of SMB were in play, it could be theorized that Windows XP proved hard to infect because it does not include SMBv2, which was introduced in Windows Vista.

But so far, it’s hard to reach that conclusion with 100% confidence.

Lessons learned

For organizations still running Windows 7 and other versions of the OS, recent events highlight an important lesson that continues to go unheard: that organizations must keep a close watch for patch updates and deploy the fixes immediately.

Some will criticize organizations that are slow to patch or use the latest Windows versions. It can be especially easy to blame the victim. But slow patching or the use of outdated versions of Windows isn’t always the result of laziness or apathy.

It’s long been the case that IT shops hold back some patches because they need to tweak their systems for compatibility. Otherwise, they risk deploying a patch that breaks other programs. Meanwhile, some organizations have continued to use old versions of Windows because:

  • They lack the financial and human resources to upgrade.
  • Their legacy systems simply aren’t yet equipped to work with the likes of, say, Windows 10.

There are other reasons, but those are two big challenges.

But as Sophos CTO Joe Levy noted shortly after the outbreak, there are cases when a patch shouldn’t be viewed as optional, no matter what the company’s patching policy – like when the vulnerabilities fall into the category of common-mode failure.

Patch often and block port 445

The bottom line: if you use older versions of Windows, you’re at greater risk for attacks like these.

The best advice is still for organizations to keep their patching up to date and use current versions of Windows. Or, if you must continue using older versions for compatibility reasons, sign up for Microsoft custom support so you continue to receive security updates.

Just as importantly, for the reasons stated above, organizations need to set their firewalls to block access to port 445.

Source: Naked Security


News in brief: Twitter pays $7,500 bounty; China gets ‘tweaked’ Windows; how to hide passwords

Created: 25 May 2017

Your daily round-up of some of the other stories in the news

Twitter pays bug bounty and patches flaw

Twitter has patched a vulnerability that allowed an attacker to pose as another user and post as if from their account. The flaw, according to Motherboard, was in Twitter’s Ad Studio, which allowed advertisers to upload media.

The bug, which was discovered in February and quickly patched, is described in detail by kedrisch, the researcher who discovered it – and reported it to Twitter.

An attacker could target another Twitter user first by sharing media with them and then modifying the post request with the victim’s account ID.

The researcher was awarded a bug bounty of $7,500 – but a former Twitter exec, Charlie Miller, tweeted that he was “not shocked” that this vulnerability was in code from the ads team.
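The flaw described above is a textbook authorization failure: the server acted on an account ID supplied by the client rather than on the identity bound to the session. The snippet below is an added, constructed example written for this round-up; it is not Twitter’s code, and the request fields, the `Session` type and the `REJECTIONS` log are assumptions. It shows the trusting handler beside a hardened one that checks the requested account against the accounts the session is actually authorised for, and records rejected attempts so that tampered requests show up in monitoring.

```python
"""Vulnerable vs hardened handling of a client-supplied account ID.
Constructed example for this article; field names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Authenticated caller. authorised_accounts holds the user's own account
    plus any accounts delegated to them (for instance an advertiser's)."""
    user_id: str
    authorised_accounts: set = field(default_factory=set)


# Constructed audit trail of rejected requests, the signal a detection rule
# would alert on: one session repeatedly naming accounts it does not own.
REJECTIONS = []


def post_vulnerable(session, request):
    """Trusts request['account_id'] outright, so a valid session for one user
    can publish as any account ID the client chooses to put in the request."""
    return {
        "posted_as": request["account_id"],
        "media_id": request["media_id"],
        "by_session": session.user_id,
    }


def post_hardened(session, request):
    """Posts only if the session is authorised for the requested account.
    Returns the post record, or None when the request is rejected."""
    account = request.get("account_id")
    if account is None or account not in session.authorised_accounts:
        REJECTIONS.append({"session": session.user_id, "requested": account})
        return None
    return {
        "posted_as": account,
        "media_id": request["media_id"],
        "by_session": session.user_id,
    }


if __name__ == "__main__":
    alice = Session(user_id="alice", authorised_accounts={"alice"})
    forged = {"account_id": "bob", "media_id": "media-1"}  # tampered request
    print(post_vulnerable(alice, forged))   # publishes as bob
    print(post_hardened(alice, forged))     # None, and logged in REJECTIONS
    print(REJECTIONS)
```

The hardened version decides on the server-side session, never on the client’s claim; the same pattern applies to any object ID (media, campaign, account) that a request names.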

Redmond creates Chinese version of Windows 10

Chinese government officials are getting a custom version of Windows 10 built by Microsoft for Beijing, the Redmond software giant said earlier this week.

A blog post from Terry Myerson of Microsoft’s Windows and Devices group was a bit sparse on details of what tweaks Redmond has made for the Chinese government.

Myerson said that as a result of “earnestly co-operating” with Beijing, they had built the “China Government Edition [that] will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates and to enable the government to use its own encryption algorithms within its computer systems”.

Big technology companies have struggled with China’s heavy-handed approach to their products: many platforms such as Facebook and Google are banned in China, while China has demanded to see the source code of products. Microsoft had joined big tech hitters including Intel in declining to share their code, but it seems now that Redmond and Beijing have come to an agreement.

Password manager creates ‘travel mode’

We’re fans of password managers here at Naked Security, and we’ve also been covering the ongoing issues of travellers being asked to hand over their phones and passwords to immigration officials, so we’re pleased to see that one app has come up with a way to protect your sensitive passwords from prying eyes at a border.

1Password has come up with what it’s calling Travel Mode: before you leave home, you add the passwords you might not mind sharing, or will need access to, into a “safe for travel” vault in the app, then turn on travel mode. At that point, all your other passwords are removed from the device.

Then, when you’re safely over the border and customs officials have finished with your phone, you turn off travel mode and all your more sensitive passwords are restored to the device.

It’s not foolproof – a smart customs official could ask you to disable travel mode – but it could help you keep sensitive passwords safe while you travel.

Catch up with all of today’s stories on Naked Security

Source: Naked Security


Put down the popcorn and patch your media player

Created: 25 May 2017

Researchers have uncovered an alarming “zero resistance” security hole in the way several popular media players handle film subtitles that could allow attackers to take full control of a user’s computer.

Subtitle files, which exist in any one of a surprising mess of 25 different formats, are normally loaded as a convenience for the hearing impaired or because the film was made in a language other than the viewer’s.

The discovery by Check Point is that these apparently harmless text files, which nobody had paid much attention to, can be used to hide malicious content.

All attackers would have to do is get a player application to pick up their subtitle file, which could be achieved by sneakily bumping it up the list of files held in popular open-source repositories.

Lo and behold, the known affected players – VLC, Kodi (formerly XBMC), Popcorn Time and Stremio – treat these subtitle files as trusted content and use them, no questions asked.

In fact, this is not a vulnerability so much as a new class of vulnerability that affects one type of software with the same results – the user is pwned without doing anything, hence the “zero resistance” moniker.

Media players have been a rich hunting ground for security researchers and attackers over the years, but finding a fundamental issue affecting several products at the same time is highly unusual.

Let’s untangle the good from the bad. The fact researchers discovered the issue before attackers exploited it is a thumbs-up. It’s also positive that it’s been disclosed and patched on all four players cited:

  • VLC: fixed and available to download.
  • Kodi: fixed and available for download.
  • Stremio: fixed and available to download.
  • Popcorn Time: fixed and available to download manually.

Now for a less positive view. First, if your favourite media player isn’t one mentioned above, don’t assume it’s not affected. Say the researchers:

We have reason to believe similar vulnerabilities exist in other media players as well.

We could also complain about the fact that while the weakness doesn’t appear to have been exploited in real-world attacks, that such a glaring problem exists under everyone’s noses is wearying.

But the immediate concern is that the hundreds of millions of installed media players need to be updated before cybercriminals work out how to exploit the weakness. The description of the technique on Check Point’s website is vague, but that’s not an indefinite defence.

How quickly this updating will happen isn’t clear because the process varies from product to product and platform to platform. In most cases, it will require manual updating and that inevitably means some won’t receive it for a while – or ever.

It’s not clear whether mobile platforms such as Android are as badly affected as, say, Windows, but it’s safer to assume that the compromise could potentially be tweaked to work across different operating systems.

Our advice is to update any media player on any platform ASAP. The next time you play a movie on any device, make sure cybercriminals aren’t playing you.

Source: Naked Security


Google debuts a new way to follow your footsteps around the web

Created: 25 May 2017

Sure, Google etc know how to target-market you. Looking at women’s clogs on Zappos, are we? Presto! Slashdot is now serving up ads for Dansko nurses’ footwear!

But how can Google convince its marketing clients that their investments are turning into sweet payola? It’s not like the search behemoth is following us around, jotting down what we buy with our credit cards, right? It’s not as if it first serves us ads, then notes what we buy, right?

Well, maybe it hasn’t so far, but get ready for that to change.

On Tuesday in San Francisco, at Google’s annual Marketing Next conference, where it unleashes its latest tools for ads, analytics and DoubleClick, the company announced that it’s ready to answer the question that’s been bugging marketers for ages: “Is my marketing working?”

To deliver the answer, it will be training a machine learning tool called Google Attribution on our buying activity. It’s now in beta and will roll out to more advertisers over the coming months.

As Google’s schematic shows, the artificial intelligence (AI) marketing analytics tool will be following us across devices and channels – mobile, desktop, and probably while we’re scuba diving or trying to shop while we’re hiding in a cave, once Google figures those ones out – to see what we’re buying and match it up with what ads we’ve seen. It will then automatically tell marketers what we’re up to.

The AI piece of the puzzle will be “data-driven attribution” – ie the determination of how much credit to assign to “each step in the consumer journey”. When did you first “engage” with those Dansko clogs or whatever other fill-in-the-blank brand you’ve been looking at? What else did you do after that ad, leading up to that final click to purchase?

Then, the tool mulls over your online meanderings in the time between when you looked at the brand and when you bought something – or, yikes! didn’t. If you decided that clogs are actually pretty ugly, how does your meandering compare with that of somebody who did in fact buy them?

In marketing speak, that’s analyzing an account’s conversion patterns.

Google Attribution integrates with ads tools like AdWords and DoubleClick Search.

If you don’t like the idea of Google knowing what you buy, you might be consoled by Google’s reassurance that, according to Consumerist, the company’s planning to anonymize the data and then hash it over. From Consumerist:

The data won’t have your name attached, Google makes sure to point out. It’s anonymized and then hashed over, so what advertisers see is that user 08a862b091c379fe9767615d10873 saw these 10 ads in the morning, and spent $27.73 at a certain grocery store that afternoon.

Sure, “anonymizing” our data might console some of us. It shouldn’t, though. Just because data is anonymized doesn’t mean it can’t be used to track us. As both AOL and researchers have shown, making data truly anonymous is hard.
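To make the point above concrete: a hashed identifier is still a stable pseudonym, and if the hash is unkeyed anyone who holds records about the same people can recompute it and join their data to yours, or recover low-entropy inputs such as e-mail addresses from a guess list. The example below is added here and is not Google’s code; the page does not say what hashing scheme Google uses, so the unkeyed SHA-256 shown is an assumption standing in for the weak case, and the per-party HMAC is the mitigation that blocks cross-dataset linkage. All records and e-mail addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two parties hold different records about the same people.
AD_IMPRESSIONS = [("alice@example.com", "ad-17"), ("bob@example.com", "ad-23")]
PURCHASES = [("alice@example.com", 27.73), ("carol@example.com", 9.50)]
# A guess list an outsider could plausibly assemble (constructed).
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "dave@example.com"]


def plain_hash(identifier: str) -> str:
    """Unkeyed hash: deterministic, so anyone can recompute it."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC with a secret key: same stability, but only the key holder can compute it."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def join_on_pseudonym(impressions, purchases, pseud_left, pseud_right):
    """Join the two datasets on their pseudonyms; returns (ad, amount) pairs."""
    by_pseudonym = {pseud_left(email): ad for email, ad in impressions}
    matches = []
    for email, amount in purchases:
        p = pseud_right(email)
        if p in by_pseudonym:
            matches.append((by_pseudonym[p], amount))
    return matches


def dictionary_reversal(pseudonym, candidates, pseud):
    """Recover an identifier from its pseudonym by recomputing over a guess list."""
    for candidate in candidates:
        if hmac.compare_digest(pseud(candidate), pseudonym):
            return candidate
    return None


AD_KEY = secrets.token_bytes(32)    # held only by the ad-side party
SHOP_KEY = secrets.token_bytes(32)  # held only by the purchase-side party


def linkability_demo():
    """Plain hashes line up across datasets; per-party keyed pseudonyms do not."""
    linkable = join_on_pseudonym(AD_IMPRESSIONS, PURCHASES, plain_hash, plain_hash)
    unlinkable = join_on_pseudonym(
        AD_IMPRESSIONS, PURCHASES,
        lambda e: keyed_pseudonym(e, AD_KEY),
        lambda e: keyed_pseudonym(e, SHOP_KEY),
    )
    return linkable, unlinkable


def reversal_demo():
    """A guess list recovers an unkeyed hash; without the key the keyed form resists it."""
    plain = dictionary_reversal(plain_hash("alice@example.com"), CANDIDATE_EMAILS, plain_hash)
    keyed = dictionary_reversal(
        keyed_pseudonym("alice@example.com", AD_KEY), CANDIDATE_EMAILS, plain_hash
    )
    return plain, keyed


if __name__ == "__main__":
    print(linkability_demo())
    print(reversal_demo())
```

Note the limit of the mitigation: a keyed pseudonym stops outsiders and other partners from joining on it, but the party holding the key can still track the same person across every record it collects, which is exactly what an attribution tool is built to do.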

If you want to check out what Google already knows about you, it introduced a tool called My Activity last July to let you see.

Depending on which of its tools we use, Google knows what we think, what we need, what we desire, our political and spiritual beliefs, our age, our gender, what music we listen to, what we watch, what we read, where we’ve been, where we plan to go, where we work, where we hang out, where we live, who we meet, where we shop, when we shop, what we buy, how much money we’re worth, how much we spend, and how much energy we consume.

How does it amass all that data? Through Google search, the Chrome browser, Gmail, Google News, Google+, Book Search, YouTube, Picasa, Translation, Maps, Street Views, Waze, Nest, and… well, the list keeps going, and growing, as Google acquires more companies and more data-crunching ability.

As Consumerist notes, studies have shown that it only takes three pieces of data to identify you by credit card spending alone, or two to identify you from a social media app.

Google says it now has access to 70% of all credit/debit card transactions in the US.

Of course, you can always opt out of Google logging some of your activity, and you can tell it to stop showing you some ads. But all that information is still out there, Consumerist notes, tied to your credit card spending.

Good luck trying to rub out that trail!

Source: Naked Security


YouTube, Twitter and Facebook face curbs on hate speech videos

Created: 25 May 2017

The European Union is on the brink of forcing Facebook, YouTube, Twitter and other social media companies to block videos with hate speech.

On Tuesday, ministers on the European Council – which sets the EU’s political direction and priorities – announced that they’ve approved a set of proposals that would require such companies to block videos that promote terrorism, incite hatred, or contain toxic, violent content.

The European Parliament needs to agree the Council’s proposals before they become law, but it sounds like this issue is being put on the fast track.

If the proposals do become law, it means that so-called “on-demand services” – that includes video-sharing platforms such as YouTube and social media services such as Twitter and Facebook – will be treated the same as TV broadcasters and held to the same rules.

One EU diplomat told Reuters that livestreaming such as Facebook Live would be exempt. The new law would apply just to videos stored on a platform.

Andrus Ansip, vice-president of the European Commission’s Digital Single Market initiative, said in a statement:

It is essential to have one common set of audiovisual rules across the EU and avoid the complication of different national laws. We need to take into account new ways of watching videos, and find the right balance to encourage innovative services, promote European films, protect children and tackle hate speech in a better way.

Europe has been threatening to take action over illegal content on social media for years.

In December 2015, Facebook, Twitter, and Google agreed with Germany’s demands and pledged to delete hate speech from their services within 24 hours in order to fight a rising tide of online racism in the wake of the country’s influx of refugees.

24 hours may sound like a quick turnaround, but Facebook, for one, had been laying the groundwork for months before that.

In September 2015, under pressure from Germany, the company launched a hate-speech task force.

In fact, before it even sat down with German justice minister Heiko Maas in September 2015, Facebook had agreed to do three things in the wake of the previous month’s anti-immigration violence:

  • Partner with FSM, a German non-profit that works with multimedia service providers.
  • Start the hate-speech task force, working with nonprofits, companies, and government officials, including Maas.
  • Establish a campaign to promote “counter speech” in Germany, drawing in experts from the UK and Scandinavia to develop ways to combat racism and xenophobia through discussions on social media.

In other words, the tools to battle hate speech are known. That doesn’t mean the companies have done a good job in removing illegal speech, though. A year ago, three French anti-racism groups declared that they would file legal complaints against Facebook, Twitter and YouTube for failing to remove hateful posts aimed at the Black, Jewish and LGBT communities.

Unlike the US, where all three of the big video-disseminating platforms are based, hate speech is a crime in France and other EU countries.

It’s illegal to deny the Holocaust, to justify terrorism or to spread racist, anti-semitic or homophobic messages. French law requires websites to take down such material and to tell authorities about it. Nonetheless, the French anti-racism groups said that “only a small minority” of hate speech was removed during a five-week social media survey, during which they tracked 586 examples of illegal content.

A year later, it’s still bad.

Earlier this month, British MPs threatened Facebook, Twitter and other social media companies with huge fines over their failure to remove hate speech, extremist content and child abuse material, calling their failure to do so “a disgrace”.

Yvette Cooper, chair of the Commons Home Affairs committee, said in response to a report by the committee into hate speech and extremism online:

These are among the biggest, richest and cleverest companies in the world… this isn’t beyond them to solve and yet they are failing to do so.

Germany has now approved a plan to fine social networks up to €50m per post for not taking down clearly illegal hate speech after 24 hours or more ambiguous material after a week.

One assumes that Mark Zuckerberg, for one, is not loving the news out of the EU. In the furore over hate speech and fake news, the Facebook CEO has repeatedly insisted, for years, that Facebook is “a tech company, not a media company”.

Facebook would far prefer to be seen as an impartial platform that doesn’t get its hands dirty by vetting content, but that attitude clearly hasn’t impressed Europe.

Source: Naked Security


News in brief: drones could be hobbled; cost of ransomware counted; Target agrees $18.5m deal

Created: 24 May 2017

Your daily round-up of some of the other stories in the news

Drones’ wings could be clipped

If you’ve got a drone made by manufacturer DJI, make sure you’ve read the email it sent out to its customers earlier this week – or your drone could be hobbled.

DJI has warned customers that they need to activate their devices to ensure they “will use the correct set of geospatial information and flight functions for your aircraft as determined by your geographical location and user profile”.

This applies even to those who’ve already activated their devices, said the manufacturer – and if you don’t, your drone will be limited to a height of just 30 metres and a range of 50 metres.

The move comes as concern has been rising about drone pilots who ignore laws and fly their aircraft alarmingly near airports: there has been a growing number of reports from airline pilots of too-close-for-comfort encounters with drones as they approach airports.

Ransomware damage ‘to top $5bn’

The WannaCry ransomware outbreak that crippled PCs around the world carried with it a ransom demand of $300 in Bitcoin, the cryptocurrency – although it seemed that very few victims had actually paid up, according to a Twitter bot that monitors the payments made to the three wallets associated with the attackers.

As of 1700 BST on Wednesday, the wallets contained just over 49 Bitcoins, worth $116,542.

However, that’s a fraction of what the research firm Cybersecurity Ventures expects the cost of ransomware damage to be this year: in a report released last week, it predicted that the total global costs of ransomware would exceed $5bn – up from $325m in 2015 and $1bn in 2016.

Marc van Zadelhoff at IBM said: “This is a new business model and it is growing at an extraordinary rate. In 2016 an average of 40% of spam emails contained malware links to ransomware, an increase of 6,000% over 2015, when less than 1% contained ransomware.”

Had everyone who was hit by WannaCry paid up, it is estimated that the attackers could have scooped more than $60m.

Target agrees $18.5m settlement

Target, the US retailer, has agreed to pay $18.5m in a settlement with 47 states and the District of Columbia over the giant 2013 data breach that hit some 70m customers.

The breach, the result of a major malware infection in its payment systems, saw the exposure and skimming of up to 70m credit and debit cards.

The money, however, doesn’t go to the victims of the breach – the customers whose cards were compromised – but to the individual states, and, as The Register pointed out, amounts to about eight hours’ worth of profits for the giant retailer. However, in 2015 Target offered a fund of $10m for its customers whose data had been exposed.

Catch up with all of today’s stories on Naked Security

Source: Naked Security


Police swoop on gang that planted banking Trojan on 1m phones

Created: 24 May 2017

Russia’s Ministry of Internal Affairs has busted a gang that infected more than 1m Android devices with a banking Trojan that forced the devices to make transfers and intercepted the banks’ text messages, the MIA announced on Monday.

The MIA said the so-called Cron gang had managed to siphon off more than 50m rubles – about $890,000, or £684,000. The ministry was helped by the Russia-based security outfit Group-IB, which said that the Cron crooks were nabbed right before they were going to unleash another malware on customers of French banks.

Group-IB first caught wind of the Cron crooks in March 2015 when its intelligence system picked up on a new criminal group distributing malicious Android packages named viber.apk, Google-Play.ap, and Google_Play.apk on underground forums.

The hackers themselves called the malware Cron, so that’s what Group-IB called the gang.

Here’s how the heist worked: first, to infect an Android device, the gang had a few tricks. One was to spam out text messages with a link to a website rigged with the banking Trojan.

The message read either:

  • Your ad is posted on the website…
  • Your photos are posted here.

Another infection vector was fake apps: malware disguised as legitimate applications such as Navitel, Framaroot, Pornhub and Avito.

The Cron gang also advertised. They planted links to compromised sites that showed up as top search results when people searched “mobile app” with the name of a bank. The phishing sites were set up to look just like an official bank site.

After a victim’s phone was infected, the Trojan could automatically transfer money from the user’s bank account to accounts controlled by the gang. To withdraw the stolen funds, the hackers opened more than 6,000 bank accounts.

After installation, the malware added itself to auto-start. It had the power to send SMS messages to the phone numbers indicated by the criminals, to upload SMS messages received by the victim to command and control servers, and to hide text messages coming from the bank.
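The combination just described (auto-start after boot, sending SMS, reading incoming SMS and hiding the bank’s messages) is visible in an Android app’s manifest before the app ever runs, because each capability needs a declared permission or broadcast receiver. The triage script below is an added example, not Group-IB’s or Google’s tooling, that flags that combination: the manifests it inspects are constructed here, the `HIGH_PRIORITY` threshold is an assumption, and the `suspicious` verdict is a heuristic to drive a manual review, not proof of malice.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions and broadcast actions that together match the behaviour described above.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
HIGH_PRIORITY = 999  # assumed threshold: above this, a receiver wants SMS before other apps


def _priority(intent_filter) -> int:
    try:
        return int(intent_filter.get(ANDROID + "priority", "0"), 0)
    except ValueError:
        return 0


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky findings in a manifest and a heuristic verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = []
    sms = sorted(perms & SMS_PERMISSIONS)
    if sms:
        findings.append("sms_permissions:" + ",".join(sms))
    if BOOT_PERMISSION in perms:
        findings.append("auto_start_permission")
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID + "name", "?")
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions and _priority(flt) > HIGH_PRIORITY:
                findings.append("high_priority_sms_receiver:" + name)
            if BOOT_ACTION in actions:
                findings.append("boot_receiver:" + name)
    persists = any(f.startswith(("auto_start", "boot_receiver")) for f in findings)
    intercepts = any(f.startswith(("sms_permissions", "high_priority_sms")) for f in findings)
    return {"findings": findings, "suspicious": persists and intercepts}


# Constructed manifests: one showing the Cron-style combination, one benign.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

Legitimate SMS apps also declare these permissions, so the output is a review queue, not a block list; what matters is an app whose stated purpose has nothing to do with messaging asking for all of them at once.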

The gang was very busy: every day, on average, the gang infected 3,500 devices. And every day, the Cron malware tried to sneak money out of the bank accounts of between 50 and 60 victims. The average theft was about 8,000 rubles ($100).

By April 2016, the Cron crooks were ready to expand. They took to a hacker forum to announce the lease of a mobile Trojan called cronbot that purportedly could intercept SMS messages and calls, send USSD requests – that’s a GSM cellular phone protocol used to communicate with a service provider’s computers – and perform web injections.

It was only offered to one person, which led Group-IB to assume that the gang decided to recruit a new member. As it was, the group consisted of organizers, operators, “cryptors”, “traffickers” and money mules.

Another sign that the Cron gang was expanding beyond Russia came in June 2016, when the team rented a mobile banking Trojan, Tiny.z, for $2,000 a month. The tool was capable of attacking Android devices belonging to the customers of both Russian and international banks.

The Cron crew tweaked Tiny.z to attack banks in Great Britain, Germany, France, the USA, Turkey, Singapore, Australia and other countries. The Trojan scanned the victim’s phone for a banking application and displayed a universal window with the icon and name of the bank retrieved from Google Play that prompted the user to enter their login.

France was first on the list of targeted countries: the gang tailored web injections for the financial institutions Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL.

The French assault never happened. By November 2016, Russian police had identified all 20 gang members and collected digital evidence of their crimes. Between November 2016 and April 2017, they carried out 20 raids in six regions of Russia, arrested 16, and now have four under house arrest. The last arrest took place in April when police arrested a man in St. Petersburg.

Cron-b-gone: fending off Play Store malware

Now, to walk this epic bust back to the initial infection vectors: you might wonder how nastyware like Cron gets past Google’s vetting procedures to keep out booby-trapped apps.

When you look at the numbers, it’s not hard to understand. As fellow Naked Security writer Paul Ducklin has explained, as of January 2016 there were about 50,000 new apps being admitted to Google Play each month. Since then it has accelerated: the figure for this month was close to 55,000 apps, feeding into a total of nearly 3m apps.

Google’s good, but it’s not perfect. During 2015, malware samples from more than 10 different families made it past Google’s checks and were installed more than 10m times.

If you’re curious to know how crooks slip past Google’s safeguards, you’ll want to read the article The Secrets of Malware Success on Google Play Store, from SophosLabs’ Rowland Yu.

And if you want to inoculate yourself against Android malware, these are the three primary tips we pass along:

  • Install patches for your device as soon as they are available. (Sadly, for some devices, that’s rarely or never.)
  • Use a product such as Sophos Free Antivirus and Security to keep an eye out for malware, dodgy websites, adware and other potentially unwanted apps.
  • Turn off “Allow installation of apps from unknown sources” in the Android security settings if you can.

It’s also worth noting that it’s smart to avoid clicking on URLs in emails, in text messages or on social media, even if you think a message is coming from somebody you know. Such links can be rigged with malware.

Also, stick to downloading apps from official app stores or official websites. Even though Google’s Play Store has a sizable chunk of malware apps, it’s still likely a safer bet than clicking on a random link sent by who-knows-who posing as your best buddy or your boss.

Source: Naked Security


LastPass’s new cloud backup option – sunny skies or a brewing storm?

Created: 24 May 2017

As eagle-eyed users of LastPass will have noticed, the company recently introduced a cloud backup option for the company’s popular smartphone Authenticator app.

Authenticator implements multi-factor authentication for LastPass and a range of third-party services supporting the Time-based One-Time Password (TOTP) algorithm such as Google, Facebook, Microsoft, WordPress, Dropbox, and so on.

It’s possible to do this from Google’s Authenticator app but, frankly, LastPass is better at it because it offers features such as one-tap push notifications which make using it quick and easy.

However, the convenience comes with a small pitfall for the unwary – what happens if the smartphone running Authenticator tied to a user’s account is lost or stolen?

Because the phone’s subscriber IMEI is paired to the service during enrollment, setting up a new one requires users to go back to square one, which means re-enrolling (or re-instating using backup codes) every single third-party service it was being used with.

What the new cloud backup option offers is a way to dodge this hassle by backing up the multi-factor tokens to the LastPass vault in an encrypted state.

Doubtless, a few people will find this alarming – indeed, some do. Backing up multi-factor tokens to one place sounds risky because you are putting the multi-factor eggs in one basket. On the face of it, that goes against the point of multi-factor authentication – which is that there should never be one point of failure.

Or you could argue that putting tokens inside a password manager is no less secure than putting lots of passwords inside a password manager in the first place. Anyone wanting access to the vault will still have to get around both password and multi-factor security to gain access to critical data.

There is one hypothetical difference. If LastPass is somehow compromised for users not using LastPass Authenticator, the attackers have access to all the passwords plus a way of bypassing LastPass’s own multi-factor authentication. What they won’t have without the phone or a reliable man-in-the-middle compromise is a way of compromising the subset of sites inside the vault that have multi-factor authentication turned on independently.

In theory – and it’s only “in theory” because the multi-factor backup is secured using the same security as any other LastPass data – anyone using Authenticator with multi-factor backup turned on might lose this defence in the same situation.

In the end, the argument in favour of cloud backup is that it’s a compromise designed to cope with the fact that multi-factor security doesn’t scale well. The technology is great for a handful of sites, but apply it to dozens and it starts to weigh people down in exactly the same way passwords do. Make reinstatement too onerous and people won’t use it at all.

Password managers were invented to manage lots of passwords people couldn’t remember in the same way that authentication apps manage lots of multi-factor systems that eventually slow people down.

LastPass is doing what its users have asked it to do. Security often edges its way forward by making these sorts of compromises without which we must revert to physical tokens, offline databases or paper and pen. As long as LastPass users know they have a choice.

Source: Naked Security

