Category Archives: Anti-social media

21st April 2018 resource updates

Note that for reasons of time management I may have to start spacing these out more.

Updates to Anti-Social Media 

(1) Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law – “The previously unreported move, which Facebook confirmed to Reuters on Tuesday, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.” (HT to Artem Baranov)

(2) Steven Englehardt et al: No boundaries for Facebook data: third-party trackers abuse Facebook Login – “Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through “login with Facebook” and other such social login APIs. Specifically, we found two types of vulnerabilities:

  • seven third parties abuse websites’ access to Facebook user data
  • one third party uses its own Facebook “application” to track users around the web.”

Commentary from The Register: Facebook’s login-to-other-sites service lets scum slurp your stuff – “A security researcher has claimed it’s possible to extract user information from Facebook’s Login service, the tool that lets you sign into third-party sites with a Facebook ID.”

(3) Help Net: Researchers develop algorithm to detect fake users on social networks – “Ben-Gurion University of the Negev and University of Washington researchers have developed a new generic method to detect fake accounts on most types of social networks, including Facebook and Twitter.”

Paper is here: Generic anomalous vertices detection utilizing alink prediction algorithm

Commentary from The Register: Gang way! Compsci geeks coming through! AI engine can finger fakes on social networks – “Take note Twitter, Facebook et al, it’s really not that hard to weed out bots”

(4) Graham Cluley: Facebook pushes ahead with controversial facial recognition feature in Europe “Facebook uses facial recognition software to automatically match people in photos your friends upload with the other billions of images on Facebook’s servers in which you might appear.”

(5) Help Net: LocalBlox found leaking info on tens of millions of individuals – “The discovery was made by UpGuard researcher Chris Vickery, who stumbled upon the unsecured Amazon Web Services S3 bucket holding the data, bundled in a single, compressed file. When decompressed, it revealed 48 million records in a format that’s easy for anyone to peruse.”

Here’s the Upguard blog post.

And commentary from Graham Cluley for Hot for security: 48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download

(6) Sophos: Facebook: 3 reasons we’re tracking non-users – more light cast into the shadows by the House Energy and Commerce Committee’s questions to Mark Zuckerberg.

(7) The Guardian: Far More Than 87 Million Facebook Users Had Data Compromised by Cambridge Analytica

(8) Sophos: Google in hot water over privacy of Android apps for kids

(9) Tech Crunch: A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
“Just click accept, ignore those settings”

(10) Brian Krebs: Is Facebook’s Anti-Abuse System Broken?

Updates to Cryptocurrency/Crypto-mining News and Resources

(1|) Help Net: Cryptominers displace ransomware as the number one threat. Summarizes a report from Comodo and also observes: “Another surprising finding: Altcoin Monero became the leading target for cryptominers’ malware, replacing Bitcoin.” Maybe not that surprising: see Cameron Camp’s article for ESET – Monero cryptocurrency: Malware’s rising star

(2) The Next Web: Crypto YouTuber hacked out of $2 million during a livestream. That’s going to undermine his influence on casual investors…

(3) Trend Micro: Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner

Updates to Meltdown/Spectre and other chip-related resources

The Verge: Intel is offloading virus scanning to its GPUs to improve performance and battery life

Updates to Internet of (not necessarily necessary) Things

Catalin Cimpanu for Bleeping Computer: FDA Wants Medical Devices to Have Mandatory Built-In Update Mechanisms. Refers to the FDA’s Medical Device Safety Action Plan document.

David Tomaschik, System Overload: The IoT Hacker’s Toolkit

Sophos: Russia’s Grizzly Steppe gunning for vulnerable routers

Updates to: Ransomware Resources

Help Net: Cryptominers displace ransomware as the number one threat. Summarizes a report from Comodo and also observes: “Another surprising finding: Altcoin Monero became the leading target for cryptominers’ malware, replacing Bitcoin.” Maybe not that surprising: see Cameron Camp’s article for ESET – Monero cryptocurrency: Malware’s rising star

Updates to Specific Ransomware Families and Types

Trend Micro: Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner and XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing

Bleeping Computer: RansSIRIA Ransomware Takes Advantage of the Syrian Refugee Crisis: “A new ransomware called RansSIRIA has been discovered by MalwareHunterTeam that encrypts your files and then states it will donate your ransom payments to Syrian refugees. This ransomware is a variant of the WannaPeace ransomware and is targeting Brazilian victims.”

Updates to Mac Virus – Miscellaneous mobile malfeasance

Updates to Chain Mail Check – UK ID Theft, IWF report on child abuse, Gold Galleon BEC

David Harley

Advertisements

April 16th 2018 updates

Updates to Anti-Social Media 

Updates to Meltdown/Spectre – Related Resources

Bleeping Computer: Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware

Updates to: Ransomware Resources  and Specific Ransomware Families and Types

Researchers at Princeton: Machine Learning DDoS Detection for Consumer Internet of Things Devices. “…In this paper, we demonstrate that using IoT-specific network behaviors (e.g. limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic with a variety of machine learning algorithms, including neural networks.” Commentary from Help Net: Real-time detection of consumer IoT devices participating in DDoS attacks

Updates to Specific Ransomware Families and Types

Pierluigi Paganini: Microsoft engineer charged with money laundering linked to Reveton ransomware

Updates to Mac Virus

Mozilla: Latest Firefox for iOS Now Available with Tracking Protection by Default plus iPad Features. Commentary from Sophos: Tracking protection in Firefox for iOS now on by default – why this matters

The Register: Android apps prove a goldmine for dodgy password practices “And password crackers are getting a lot smarter…An analysis of free Android apps has shown that developers are leaving their crypto keys embedded in applications, in some cases because the software developer kits install them by default.” Summarizes research described by Will Dormann, CERT/CC software vulnerability analyst, at BSides.

David Harley

April 15th resource updates

Updates to Anti-Social Media 

The Register: Super Cali’s frickin’ whiz kids no longer oppose us: Even though Facebook thought info law was quite atrocious – “Zuck & Co end fight against California’s privacy legislation” Extra points to El Reg for the title, even if it doesn’t actually scan very well. 🙂

Sophos: Facebook shines a little light on ‘shadow profiles’ (or what Facebook knows about people who haven’t signed up to Facebook).

Also from Sophos: Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society. OPRS is a privacy advocacy and research group aiming to “to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online…”

Updates to Cryptocurrency/Crypto-mining News and Resources

F5: WINDOWS IIS 6.0 CVE-2017-7269 IS TARGETED AGAIN TO MINE ELECTRONEUM – “Last year, ESET security researchers reported that the same IIS vulnerability was abused to mine Monero, and install malware to launch targeted attacks against organizations by the notorious “Lazarus” group.”

The Register: Tried checking under the sofa? Indian BTC exchange Coinsecure finds itself $3.5m lighter. “Indian Bitcoin exchange Coinsecure has mislaid 438.318 BTC belonging to its customers.”

Help Net Security: 2.5 billion crypto mining attempts detected in enterprise networks – “The volume of cryptomining transactions has been steadily growing since Coinhive came out with its browser-based cryptomining service in September 2017.” This is commentary on an earlier article from Zscaler: Cryptomining is here to stay in the enterprise.

Updates to Meltdown/Spectre – Related Resources

Help Net Security: AMD users running Windows 10 get their Spectre fix – microcode to mitigate Spectre variant 2, and a Microsoft update for Windows 10 users.

Updates to Specific Ransomware Families and Types

[14th April 2018] Bleeping Computer re PUBG (and RensenWare, a blast from the past): PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown’s Battlegrounds, based on research from MalwareHunter. Described as a joke, but apart from the fact that such messing with a victim’s data might conceivably go horribly wrong in some circumstances – it doesn’t appear to be an impeccably well-coded program – and is likely in any case to cause the victim serious concern, it looks to me as though this is criminal activity, involving unauthorized access and modification in most jurisdictions.

Updates to Mac Virus

The Register: Exposed: Lazy Android mobe makers couldn’t care less about security  “Never. Is never a good time to get vulnerability fixes? Never is OK with you? Cool, never it is”

Graham Cluley for Bitdefender: China forces spyware onto Muslim’s Android phones, complete with security holes. Links to Adam Lynn’s report for the Open Technology Fund: App Targeting Uyghur Population Censors Content, Lacks Basic Security

Updates to Anti-Malware Testing

[14th April 2018]

Fairness and ethical testing: Pointer to a blog for ESET by Tony Anscombe: Anti-Malware testing needs standards, and testers need to adopt them “A closer look at Anti-Malware tests and the sometimes unreliable nature of the process.” A good summary, and a useful reminder of the work that AMTSO is doing, but it’s a shame that after all these years we still need to keep making these points.

David Harley

Thoughts on Sophos commentary on FB and YouTube

Here are a couple of Sophos articles that caught my eye, and which I felt compelled to comment on at more length.

  • For Sophos, Paul Ducklin picked up on Facebook’s page How can I tell if my info was shared with Cambridge Analytica? Useful, I suppose, if you can’t remember whether you might have clicked on Cambridge Analytica’s This is your digital life app. And of limited use if it tells you that one or more of your friends clicked on it and so may have shared your profile data. Limited in that it won’t tell you which of your friends did so. Well, I suppose you should be grateful that Facebook is preserving somebody’s privacy, even if it’s not yours.  And it may be useful in that it prompts you to check your privacy settings.
  • Another Sophos article by Lisa Vaas notes that YouTube illegally collects data from kids, group claims. The group of privacy advocates in question asserts that ‘a study … found that 96% of children aged 6-12 are aware of YouTube and … 83% of children that know the brand use it daily … The group is urging the FTC to investigate the matter as it is illegal to collect data from kids younger than 13 under the Children’s Online Privacy Protection Act (COPPA).’ YouTube’s fallback position would presumably be that it isn’t intentionally contravening COPPA because ‘YouTube is not for children’. Hence the creation of the separate YouTube Kids app.

David Harley

Would the last security guru to leave Facebook please turn out the lights?

Veteran (in the nicest possible way) security commentator Graham Cluley is no longer maintaining his Facebook page, saying: ‘For years I’ve been uncomfortable with Facebook, and called them out for their exploitation of a userbase which is mostly unaware of how their personal information is being exploited … Quitting Facebook is hard enough for many people, I don’t want to give anybody another reason to stay.’ In his article An apology to my Facebook followers he does, of course, point out all the other ways in which his opinions and advice (always worth reading) can be followed. 

And he has a point: while my own Facebook audience is much smaller and probably more specialized, I’m considering (again) doing the same thing. (Which would also have the advantage of reducing the number of places where I have to flag my own posts, he said selfishly.) But if the entire security community heads for the exit, that might not be a Good Thing for all the people who rarely use anything but Facebook and who might actually be benefiting occasionally from sound security comment published there. 

(And no, I’m absolutely not trying to say that Graham – or the rest of us – shouldn’t leave.)

David Harley

Anti-social media: a heavy day

Updates to the Anti-Social Media page:

I’ll be adding some links to which I added more commentary shortly.

David Harley

Trust me, I’m Facebook: CEO on the record

John Gruber, at Daring Fireball, flagged an interesting sidelight on the current Facebook debate.

Zeynep Tufekci for Wired explained ‘WHY MARK ZUCKERBERG’S 14-YEAR APOLOGY TOUR HASN’T FIXED FACEBOOK’. Apparently, before Facebook Zuckerberg had another site a website called Facemash which “began nonconsensually [sic] scraping pictures of students at Harvard from the school’s intranet and asking users to rate their hotness.”

Zuckerberg apologized at the time for his lack of foresight, while managing to imply that his intentions were misunderstood. You may wonder about his sincerity, since a little later he was describing Facebook users in these terms: “They trust me — dumb f***s”. But he has assured the New Yorker since that “I think I’ve grown and learned a lot” . If you haven’t read that 2010 New Yorker article by Jose Antonio Vargas, give it a go. You might find it illuminating, if not altogether comfortable with your relationship with Facebook (if you have one).

David Harley

Facebook Facepalms, CubeYou and Cryptojacking on the Verge

Updates to Anti-Social Media 

Updates to Cryptocurrency/Crypto-mining News and Resources

David Harley

Social media and privacy

Resource updates: April 5th-7th 2018

Updates to Anti-Social Media 

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Meltdown/Spectre – Related Resources

Only distantly related, but…

Updates to Specific Ransomware Families and Types

[3rd April 2018] Peter Kálnai and Anton Cherepanov for ESET: Lazarus KillDisks Central American casino – “The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets.”

Updates to Mac Virus

 

David Harley