AVIEN resource updates: July 15th 2018

Updates to Anti-Social Media 

(1) ESET: Facebook fined over data privacy scandal

You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually indicate why the penalty was so much less than you might have expected (in theory, up to 4% of the company’s total income).

(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”

(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.

Updates to Meltdown/Spectre and other chip-related resources

John Leyden for The Register: Google’s ghost busters: We can scare off Spectre haunting Chrome tabs – “Site Isolation keeps pages fully separate on Windows, Mac, Linux, Chrome OS … Rather than solely defending against cross-site scripting attacks, the technology is now positioned as a necessary defence against infamous data-leaking Spectre CPU vulnerabilities, as a blog post by Google explained this week…”

Updates to Chain Mail Check

Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach from at least ten years ago.

The giveaway is that very few people are likely to be using the same password now – and it’s unlikely that there are that many people receiving the email who might think that such a video could have been made. Still, it seems that some people have actually paid up, and it’s possible that a more convincing attack might be made sending a more recent password to a given email address, and perhaps using a different type of leverage.

Commentary from Sophos here.

David Harley


Machine learning: science, engineering, or magic fairy dust?

Here’s an interesting article by Tristan Greene for The Next Web: Academic expert says Google and Facebook’s AI researchers aren’t doing science. The expert in question is Simon DeDeo, and he’s an astrophysicist rather than a practitioner in AI. But he’s speaking as a scientist and an academic when he points out – rightly, in my opinion – that “Machine learning is an amazing accomplishment of engineering. But it’s not science. Not even close. It’s just 1990, scaled up. It has given us *literally* no more insight than we had twenty years ago.”

He also remarks that “They said they did social science, but it was nothing of the sort. It was homo economicus spread out over 50 GPUs.” Which reminds me very much of Facebook’s dabbling in psychological manipulation and emotional contagion. Well, I’ve been fairly scathing from time to time about Facebook’s reliance on algorithms that presumably work well enough for its paying customers but may be irritating or even painful to its product, those of us who trade its intrusiveness and willingness to share our data for its social advantages. And I’m not even going to mention Cambridge Analytica.

I will quote one more of DeDeo’s tweets, though: “The real subjectivity is in ML, which spends all its time developing new techniques to optimize a subjectively-chosen goal function on a subjectively-chosen test set.” I could draw a parallel there with the way in which some so-called next-gen security companies still cite their use of machine-learning as if it was their very own magic fairy dust that detects all malware (yeah, right…) while propagating a series of myths about how mainstream products work. (Relying on signatures? Which century are you living in, Help Net? You know better than that, and so does Cylance…)

In fact, as I may have mentioned before, machine learning is used by mainstream companies to sift through the ludicrously high volumes of potentially malicious samples we see on a daily basis to prioritize other analytical techniques. But we – and the black hats behind malware – are all too aware of the risks of relying purely on machine-learning to distinguish between Good and Evil samples. But I don’t think I’ll go further into that yet again at this point.

David Harley

Other resource updates 11th July 2018

Updates to GDPR page

John Leyden for The Register: Thomas Cook website spills personal info – and it’s fine with that – “Decides not to report code blunder despite Europe’s new GDPR privacy rules” Commentary from Graham Cluley here.

Funny. I thought it was Nelson who turned a blind eye, not Captain Cook.

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

ESET: Polar Flow app exposes geolocation data of soldiers and secret agents plus: Zack Whittaker for ZDNet: Fitness app Polar exposed locations of spies and military personnel – “Location data revealed the home addresses of intelligence officers — even when their profiles were set to private.”

Updates to Meltdown/Spectre and other chip-related resources

The Register: Another Spectre CPU vulnerability among Intel’s dirty dozen of security bug alerts today – “Chipzilla preps for quarterly public patch updates”

Updates to Specific Ransomware Families and Types

The Hacker News: New Virus Decides If Your Computer Good for Mining or Ransomware – “Researchers at Russian security firm Kaspersky Labs have discovered a new variant of Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.”

John Leyden for The Register: Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

Updates to Mac Virus

Graham Cluley: New iOS security feature can be defeated by a $39 adapter… sold by Apple – “Unfortunately for Apple, and customers who like to believe that their phone is private, a workaround has been discovered whereby police could prevent an iPhone or iPad entering USB Restricted Mode if they act quickly enough … Researchers at Elcomsoft discovered that the one hour countdown timer can be reset simply by connecting the iPhone to an untrusted USB accessory.” Further commentary from Pierluigi Paganini: Just using a $39 device it is possible to defeat new iOS USB Restricted Mode.

This is what was supposed to happen, according to The Verge: Apple releases iOS 11.4.1 and blocks passcode cracking tools used by police. While the Register told us that Apple emits iPhone cop-block update – plus iOS, macOS, Safari patches, and Help Net said Apple releases security updates, adds new privacy protection for iOS users. Well, that didn’t last long…

Help Net: Android devices with pre-installed malware sold in developing markets – “This malware, designed to commit digital ad fraud, collects users’ personal information, depletes their mobile data allowance and triggers fraudulent charges to their pre-paid credit, without their knowledge or consent.”

Sophos: Apple and Google questioned by Congress over user tracking – “Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.”

David Harley

Hi ho, hi ho, off to cryptomine we go

Updates to Cryptocurrency/Crypto-mining News and Resources

Sophos: The Pirate Bay is plundering your CPU for cryptocash, again – “Popular file sharing site The Pirate Bay seems to have returned to its old tricks again by mining cryptocurrency in visitors’ browsers without telling them.” Graham Cluley: The Pirate Bay is cryptomining for Monero with your CPU again

The Hacker News: New Virus Decides If Your Computer Good for Mining or Ransomware – “Researchers at Russian security firm Kaspersky Labs have discovered a new variant of Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.”

The Register: Japanese cryptominer slapped with suspended sentence – “Said to have netted only £34…”

Sophos: Think that bitcoins and a VPN keep you anonymous? Think again… – “A security lapse by a VPN operator can therefore be very worrying news indeed, and that’s what popular online cybercurrency wallet service MyEtherWallet (MEW) is warning about right now…Hola is a free VPN that essentially shares out participating users’ browser connections out amongst the community in order to get around geoblocks.”

David Harley

Anti-social media: at least Twitter is doing some things right…

The Register: Brit privacy watchdog reports on political data harvests: We’ve read the lot so you don’t have to – “Cambridge Analytica had data ferreted away on disconnected servers, Twitter actually kicked the firm’s ads off its platform, and Facebook still has a lot of questions to answer.”

Washington Post: Twitter is sweeping out fake accounts like never before, putting user growth at risk – “Twitter suspended more than 70 million accounts in May and June, and the pace has continued in July”

Sophos: Apple and Google questioned by Congress over user tracking – “Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.”

Sophos: Facebook stares down barrel of $660,000 fine over data slurping. David Bisson notes: Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal, and Graham Cluley comments: Facebook fined a paltry £500,000 (8 minutes’ revenue) over Cambridge Analytica scandal. Quite…

Pierluigi Paganini: Timehop data breach, data from 21 million users exposed. “The company admitted that hackers obtained access credential to its cloud computing environment, that incredibly was not protected by multifactor authentication.”

David Harley

Resource updates 5th July 2018

Updates to Anti-Social Media 

Graham Cluley: Carole Cadwalladr takes us behind the scenes of the Cambridge Analytica investigation – HOW MILLIONS OF FACEBOOK USERS’ PERSONAL DATA WERE USED TO INFLUENCE THE US ELECTION AND BREXIT. “Last week, Carole Cadwalladr won The Orwell Prize for Journalism for her work investigating the impact of big data on the EU Referendum at the US Presidential election.”

John E. Dunn for Sophos: Facebook gave certain companies special access to customer data – “What do Russian internet company Mail.ru, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access private Friends data API despite the company supposedly changing the policy allowing this in May 2015.”

The Hacker News: Facebook Admits Sharing Users’ Data With 61 Tech Companies

Rhett Jones for Gizmodo: Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It

Updates to Cryptocurrency/Crypto-mining News and Resources

Pierluigi Paganini: Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation – “Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.”

Paul Ducklin for Sophos: Serious Security: How to cut-and-paste your way to Bitcoin riches – “Whether it’s cryptocurrency addresses, payment card details, ID numbers or other snippets of personal information, malware that sneakily changes data in the clipboard as you work online can trick you into paying the wrong people.”

Updates to GDPR page

The Register: United States, you have 2 months to sort Privacy Shield … or data deal is for the bin – Eurocrats – “MEPs call for urgent fix”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

DZone Security Zone: Glimpse Inside IoT-Triggered DDoS Attacks and Securing IT Infrastructures

Tech support scams resource page

SANS Ouch Newsletter: Phone Call Attacks & Scams

Updates to Mac Virus

Andrew Orlowski for The Register: Uh-oh. Boffins say most Android apps can slurp your screen – and you wouldn’t even know it – “Over 89 per cent of apps in the Google Play store make use of an API that requests screen capture or recording – and the user is oblivious as it evades the Android permission framework.” Summary of a paper “…titled Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications (summary and PDF).”

Pierluigi Paganini: A Samsung Texting App bug is sending random photos to contacts – “The problem affected Galaxy S9 and S9+ devices, but we cannot exclude that other devices may have been affected…several users reported the anomalous behavior on Reddit and the company official forums.”

John E. Dunn for Sophos: Samsung phones sending photos to contacts without permission and also Your smartphone can watch you if it wants to, study finds.

Elcomsoft: Apple Warns Users against Jailbreaking iOS Devices: True or False? Not whether Apple has issued the warnings – of course it has – but more about how justified the warnings are. The conclusion seems to be mostly true, “with few caveats and one major exception.” Interesting article, anyway.

David Harley

June 29th AVIEN resource updates

Updates to Cryptocurrency/Crypto-mining News and Resources

FireEye: RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

The Register: How polite: Fun-bucks coin miners graciously ease off CPU pounding – “…according to Johannes Ullrich, head of research at SANS, who today pointed out that malicious mining apps are scaling down activity and employing built-in encryption to make them harder for antivirus packages to detect.”

Updates to Meltdown/Spectre and other chip-related resources

Catalin Cimpanu for Bleeping Computer: Some Spectre In-Browser Mitigations Can Be Defeated “According to research published by Aleph Security … researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser’s protected memory … their PoC bypassed Spectre mitigations and retrieved data from browsers such as Edge, Chrome, and Safari.” (But not Firefox, apparently.)

See also these anti-social media page updates.

David Harley

Updates to the ‘(Anti-)social media’ page

Tomáš Foltýn for ESET: How (over)sharing on social media can trip you up. In case you’d forgotten just how many ways there are in which oversharing information can harm you…

The Register: Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles – “Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people’s personal information from their Facebook profiles.” In case you thought Facebook was past all that…

Maria Varmazis for Sophos: Are you happy with this technology that Facebook’s developing? – actually commentary on a story in the New York Times about what Facebook’s patent applications tell us. It seems that there are few aspects of our personal lives that Facebook isn’t interested in tracking. Though Maria rightly points out that “these patents are not a product roadmap for Facebook, so it is entirely possible we’ll never see them in action.” Unless, perhaps, FB is encouraged to pursue them by future commercial and political developments…

Also from Sophos:

Facebook and Google accused of manipulating us with “dark patterns” – “In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy.” However, there are lots of more blatant manipulations to be seen: in many cases, it’s just a case of ‘let us drop our cookies or miss out on what we’re offering.’

David Harley

AVIEN resource updates 27th June 2018 (continued)

Updates to Anti-Social Media 

Metro: Facebook wants to hide secret inaudible messages in TV ads that can force your phone to record audio – this is so blatant I find it hard to believe, despite my own distrust of Zuckerberg and his minions. But I suppose we’ll see.

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Help Net: GlobalSign launches IoT Identity Platform addressing IoT device security requirements

Updates to Specific Ransomware Families and Types

Talos: Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor – “Additionally, due to issues present within the encryption process leveraged by this ransomware, the malware authors are unable to return the data to the victim, even if he or she pays the ransom. While previous reports seem to indicate this is accidental, specific campaigns appear to demonstrate that in some cases, this is intentional on the part of the distributor.”

John Leyden for The Register: A year after devastating NotPetya outbreak, what have we learnt? Er, not a lot, says BlackBerry bod – “Say it with me: ‘Patch outdated systems.’ Good, and again…”

David Harley

AVIEN resource updates 27th June 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

The Register: Top banker batters Bitcoin for sucky scalability, security – “Australia’s Reserve Bank sees no need for national cryptocurrencies, for now”

Sophos: Why Bitcoin’s about to give up one of its closely guarded secrets – “…the Bitcoin Core developers are finally set to unveil the not-as-secret-as-it-should-be private key that allows them to send messages to everyone on the entire Bitcoin network.”

Trend Micro: Cryptocurrency-Mining Bot Targets Devices With Running SSH Service via Potential Scam Site – “Through social engineering, users are tricked into installing the miner that directly funnels profit (in the form of Monero and Ethereum coins, in this case)…”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

The Register: So you’re doing an IoT project. Cute. Let’s start with the basics: Security – “And for heaven’s sake, don’t fall in love with the data…Data is seen as one of IoT’s biggest payoffs – generating and gathering it to help your business. But get IoT wrong, and you stand to be overwhelmed by that data wave. Cisco estimates IoT will generate 500 zettabytes of data by the end of 2019…”

The Register: A volt out of the blue: Phone batteries reveal what you typed and read – “Power trace sniffing, a badly-designed API and some cloudy AI spell potential trouble…Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium.”

Updates to Meltdown/Spectre and other chip-related resources

Ars Technica: Hyperthreading under scrutiny with new TLBleed crypto key leak – “A new attack prompted OpenBSD’s developers to disable hyperthreading by default…developers on OpenBSD—the open source operating system that prioritizes security—disabled hyperthreading on Intel processors.”

The Register: Meet TLBleed: A crypto-key-leaking CPU attack that Intel reckons we shouldn’t worry about – “How to extract 256-bit keys with 99.8% success…Intel has, for now, no plans to specifically address a side-channel vulnerability in its processors that can be potentially exploited by malware to extract encryption keys and other sensitive info from applications.”

Bleeping Computer: Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless – “Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint. WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported within all major browsers, such as Chrome, Edge, Firefox, and Safari.”

Updates to Mac Virus

ThreatPost: Malicious App Infects 60,000 Android Devices – But Still Saves Their Batteries – “A battery-saving app that also allows attackers to snatch text messages and read sensitive log data has been downloaded by more than 60,000 Android devices so far… ‘Although the app these scam pages send users to does its advertised function, it also has a nasty secret—it infects victims’ devices and comes with a side of information-stealing and ad-clicking,’ Yonathan Klijnsma, threat researcher at RiskIQ, said in a post on Thursday.”

An interesting example that bears out a definition of Trojan that I’ve used for decades – “…a program that pretends to offer some useful or desirable function, and may even do so, but whose primary function is something you don’t expect it to do, and wouldn’t want it to if you did.”

David Harley