Tag Archives: Privacy

AVIEN resource updates 8th June 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to GDPR page

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside  – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance.”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary – you may not be able to read this without a router. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface. And sometimes even necessary devices entail security risks.]

Stephen Cobb for ESET: VPNFilter update: More bad news for routers – “New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”

The Register: IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales – “Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla.” Commentary by Graham Cluley for BitDefender: Creepy CloudPets pulled from stores over security fears

Updates to Tech support scams resource page

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to Chain Mail Check

Tomáš Foltýn for ESET: You have NOT won! A look at fake FIFA World Cup-themed lotteries and giveaways

“With the 2018 FIFA World Cup in Russia just days away, fraudsters are increasingly using all things soccer as bait to reel in unsuspecting fans so that they get more than they bargained for”

Updates to Mac Virus

John E. Dunn for Sophos: Apple says no to Facebook’s tracking – “Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites… this will ask users whether to allow or block web tracking quietly carried out by a certain company’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance.”

And from the New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends – “The company formed data-sharing partnerships with Apple, Samsung and dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too

David Harley


Resource updates 1st April 2018

Updates to Anti-Social Media 

Updates to Meltdown/Spectre – Related Resources

Updates to Mac Virus

[Android]

Virus Bulletin paper on ‘app collusion’

Sometimes Virus Bulletin publishes papers outside its normal yearly conference cycle, and they’re always worth reading: New paper: Distinguishing between malicious app collusion and benign app collaboration: a machine-learning approach.

It’s a follow-up to this conference paper: VB2016 paper: Wild Android collusions. (Which I missed at the time – I don’t often get to conferences nowadays, though I did present at VB2017 – so I’m glad of the opportunity to catch up with it.)

David Harley

Attack of the Mutant Zombie Flesh Eating Chickens From Mars

Yesterday there was widespread reportage of one of those periodic stories that make media types drool; and make security experts cringe in despair.

However, this ‘summer slow day news story’ was so widely (mis)reported, that it does bear commenting on. The story in question was titled (by the BBC) as “First Human Infected with Computer Virus“. This of course conjures up the idea of a person getting sick, by means of malicious computer code (a claim that is, and will remain for a significant amount of time, well within the realm of science fiction).

What actually happened is much more mundane. It appears that the ‘researcher’ placed a piece of replicating code onto an RFID chip, and used that to infect the reader control system, which (at least in theory) could then pass the code back to other similar RFID devices. So far, so boring. We know that it is possible to have storage devices contain code (malicious or not) and pass that code between themselves via other systems. The difference in this case is that the researcher then injected the ‘infected’ (rather bizarrely he refers to this as ‘corrupted’, making me doubt that it was even a virus) chip into his hand, and claimed that this made him infected.

The news stories all got caught up with the fact that this gave him special Jedi powers enabling him to open doors with a simple wave of his hands (OK, maybe they didn’t exactly say that, but hand waving was involved), or… horror of all horrors… activate his mobile phone. Surely a deadly device if one had ever been made. So; we already know that RFID chips can open doors (after all, that’s a valid use for many of them) and they can carry code. The ONLY difference is that this ‘researcher’ inserted the chip into his flesh. To claim that this makes him ‘infected by a computer virus’ is a bit like saying that if I dropped the same chip into a cup of coffee, a steaming fresh cow pat, or even a mutant zombie flesh eating chicken from Mars, those would also be ‘infected’.

As Graham Cluley pointed out, the only interest that this story might have generated otherwise would be in security research into vulnerabilities of RFID readers. You need a vulnerable reader to get affected by the code, and then you need to be able to read the other RFID tags/chips with that reader to ‘infect’ them. There’s a valid point in that RFID exploits could be used to compromise security and/or privacy – but that’s not new knowledge, we’ve known that for many years.

As Chris Boyd (@paperghost on Twitter) nicely summed up “In conclusion then, “man infected with computer virus” is basically “device for opening doors works as intended”.”

Andrew Lee
AVIEN CEO / CTO K7 Computing

You can’t always read Facebook on a train

When I saw an MSN article headed Facebook friendships ‘not real’, I was expecting something about lack of validation of Facebookers’ identities. Which is indeed an issue, though not a new one. “On the Internet, nobody knows you’re a dog.” Or, indeed, a wolf in sheep’s clothing.

But no… All this time we’ve been making a fuss about the lack of security and privacy on social network sites, it seems that we’ve been getting it wrong. The problem isn’t security at all.

According to a recent survey, most of us see our friends much more on Facebook than we do in person. Apparently, this becomes truer as you move up the age range. Well, I guess you have to meet your friends in order to get smashed with them.

Anna Richardson, described by MSN as a “Channel 4 presenter and relationship expert” apparently commented:

A Facebook friendship is a poor substitute for actually meeting up with a friend as you miss out on the personal engagement and real connection that you need to build a strong friendship.

It is difficult to make time for friends when juggling busy lives, but without making the effort, there’s a danger that precious friendships are becoming lost in the digital era.

Her advice is to log onto http://www.railcards.co.uk/, buy a railcard and… oh, wait a minute. You can apparently get taxis, finance, holidays, accommodation, broadband, car insurance and many other things at railcards.co.uk, but not railcards. I guess she (or more probably MSN – nice proofing, guys…) meant http://www.railcard.co.uk/, which offers a range of discounted passes for rail travel in the UK. OK, so I should log in and buy a railcard (yes, Ken, I am eligible for a Senior Railcard: don’t rub it in…) at www.railcard.co.uk… oh, wait another minute. Isn’t that who commissioned the survey? Well there’s a coincidence….

So I get my railcard and wander down to the station, and get on a train at a reduced rate, and go and see my Facebook friends.

“I’d like a ticket please, to Western Australia, Pennsylvania, Bratislava, Florida, San Diego, the Philippines, Helsinki, Reykjavik, Chennai…”

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com

With all the Buzz, some education is in order

So, the not very surprising news that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz”, integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already do need to have a brain check (more so now the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc. as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases, the kids know much more about the technology than the parents, but neither the parents nor the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy and therefore our rights to a private life for ourselves and our progeny are daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world, targeting children as young as five. While the campaign understandably does focus on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools where security is taught as a discipline alongside all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Who owns you?

David recently blogged here (http://avien.net/blog/?p=253) on his concerns over the ways that our personal data is increasingly online and available to everyone who might want it.

On a similar theme, a site called “Web 2.0 Suicide Machine” has recently been sent a cease and desist order by Facebook on the grounds that by “collecting login credentials, the site violates its Statement of Rights and Responsibilities”. This sort of controversy raises the question of who owns an account on a site – not just a social networking site – what about a webmail account? But, more on that shortly. It’s a tricky question, and I suspect that the answer is that the information is jointly owned: once you give the information, you enter a contract to allow the recipient to use your info according to their terms and conditions (which could be to publish it all over the place, or just to change your password and never let you back into the account).

It’s only recently that Facebook provided its members with a facility to fully delete (rather than deactivate) their accounts. As someone who spends a lot of time on social networking sites, I’ve often felt the urge to be able to ‘get away from it all’. The idea of being able to commit ‘Web 2.0 suicide’ is in some ways quite appealing, and it does remove the awful problem of trying to delete all that data yourself – and avoids the thorny problem of always being able to get back in and start again. I did actually do this at one point: I entirely deleted my accounts on MySpace and Bebo, removed as much as I could from Orkut (more on Google below) and deactivated (the only option available at the time) my Facebook account. However, after some time, with constant messages still arriving from Facebook, I succumbed and reactivated my account (although I’m much less obsessive about it, and used the privacy controls to lock it down far more than had been the case before). I’ve never revived the other accounts, basically because I’m too lazy to set them up again. I’m pretty sure that I’d not have come back to Facebook had my account been actually deleted – but Web 2.0 Suicide Machine (and similar services) are in some ways even better: they leave you no option but to start again, because they change your password, and your profile will still exist, only you can’t get to it.

Of course, giving a third party (whether an SN site like Facebook or a service like W2.0SM) your account information is a risk, because you don’t really know what they’re going to do with it: maybe W2.0SM are going to sign you up to all sorts of groups or services on FB, or use your account to click through on site advertising to raise revenue, maybe they’ll harvest your email addresses and send them to spammers, maybe they’re going to use your phone number and address to do all manner of things. I doubt it, but it’s possible, were less ethical people in charge of it. At least, if you’re going to use such a service, remove your most critical private information first.

You can read more on this story here: http://news.bbc.co.uk/1/hi/technology/8441080.stm

Sometime last year, I got an invitation to Google Wave (http://wave.google.com) and had a play around with it. It’s interesting in many ways – not all of them obvious. There has been plenty of comment in other places about what Google Wave does, or what it doesn’t do, but I’m not really interested in that. As far as I’m concerned it was pretty much a failure because nobody could really think of a problem that it solved in a better way than existing technologies. But, what does interest me is what that sort of platform offers to Google. In a collaboration system you have multiple people working on topics. They will discuss the topic, and the group will be focused on a single issue (or set of issues). This is a goldmine for a company like Google which makes money from selling advertising. Nearly everything that Google does is ‘free’ to the user, and the cost is that everything you do is tracked and monetized somehow for Google’s advertising clients. The more services Google provides, and the more you sign up to use, the more exposed you are (and therefore the more useful to Google). I have Gmail (and therefore Gmail Chat), Picasa, Google Wave, Google Apps, a Google Books library, a Google Calendar and so on (as mentioned above I also have a Google Orkut account, though relatively denuded of information). Now, all of those things provide information about me and my interests to Google, allowing targeted advertising to be delivered, and useful demographic information to be collected.

Google Wave is a whole different beast, because it doesn’t just connect a few random parts of my life that may or may not be current (for instance, me posting photographs of me with funny hair as a teenager isn’t really that interesting to Google – nor anyone else I should think), it connects people who are discussing a topic of mutual interest, in real time. Planning a trip to India? Great, in real time, to your group specifically, Google can target advertising from firms offering travel services in India. Working on a conference in Sydney? Google can target advertising from firms in the area. Even better, your conference is at the Four Points Sheraton? Great, Google can advertise a room discount, the restaurants within walking distance, a limo service, the theaters, cinemas etc. About to go for a coffee break? Google can pop up the location of the nearest StarCostaPacket coffee store and offer a 50c discount good for the next two hours.

It’s clear that corporations are interested in getting the most relevant information to consumers, and what better way than exploiting real time data on topics currently under discussion. It’s a goldmine, or would be, if only there was a problem that only Google Wave could fix.

Andrew Lee CISSP
AVIEN CEO, CTO K7 Computing Pvt Ltd.

Privacy, AVG, Facebook, Uncle Roger Thompson and all

My last post (http://avien.net/blog/?p=209) on Roger Thompson’s article about privacy concerns, “public” information and so on raised some interesting discussion.

Ironically (or perhaps appropriately) a lot of it was on Facebook.

I carried on the theme on the ESET blog, if you’re interested. “Your Data and Your Credit Card”, at:

http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card

Note that due to a couple of system crashes, a link to Allan Dyer’s excellent article disappeared in the first published version, but is fixed now:

http://articles.yuikee.com.hk/newsletter/2009/12/a.html

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Roger Thompson on Privacy Concerns

Exactly who has your data?

Roger’s blog suggests that even legitimate businesses are getting a much wider spread of data than they’re getting directly from you as a customer.

Scary, definitely.

http://thompson.blog.avg.com/2009/12/now-_this_-is-scary.html#axzz0ZYOquqRO

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

The Internet Book of the Dead (pointer)

I’ve just put up an article at ESET’s blog page that you might find interesting. In fact, if I wasn’t desperately trying to clear a backlog of stuff so that I can take a couple of days off, I’d have posted more on the topic here, but I am desperate, so here’s a simple pointer instead.

http://www.eset.com/threat-center/blog/2009/12/12/the-internet-book-of-the-dead

It’s basically a mock-up of an interview for the BBC that unfortunately didn’t take place, concerning the way your data outlive you.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Security Smörgåsbord

Wow! December already – well, it’s been a fast and furious year, kicking off with the media fest that was the Conficker worm, through various other disasters and debacles all of which have only confirmed to many of us in the industry that our utopian malware free world is not likely to arrive any time soon (sorry David, you’ll have to delay that retirement for a while).

Things haven’t slowed down much, and over the last few days a few things have caught my ever-roving eye:

Firstly, there was a rather amusing spat caused by software company Prevx initially accusing Microsoft security patches of causing a ‘black screen of death’ (which of course was fixed by their own patch), and later retracting the statement when it became clear that it wasn’t the security patches, but more likely the actions of malware on the systems, that caused the problem. (Link: http://news.bbc.co.uk/2/hi/technology/8388253.stm). One has to wonder how the Prevx patch was supposed to really fix the problem if they had no real idea of the cause – at least, they hadn’t checked whether it really was the fault of MS.

Secondly, there was the rather splendid news that the URL shortening service bit.ly – among the most popular shorteners for users of sites like Twitter – has signed up with three major security vendors (Sophos, Verisign and Websense) to try to block spam and malicious links on their site. This can only be a “Good Thing” (TM). (Link: http://www.wired.com/epicenter/2009/11/bitly-partners-with-security-firms-to-block-spams-scams-from-twitter/). Some of the other services offer previewing of the links, but this is an extra annoyance for users and also pushes the decision on whether to visit the site to the user (not a Good Thing).

Thirdly, there is some heartening news from Facebook in that they’re going to offer more granular control over content privacy. There have been quite a few articles and papers on this subject, (including one by yours truly) so it’s good to see that the issues have been considered. I don’t know that it will solve all of the problems, but it may well highlight the privacy issue to more FB users who perhaps weren’t aware that, say, joining a Network exposes their content to all the members of that network unless they specifically block that (Link: http://blog.facebook.com/blog.php?post=190423927130). Social networks are great things for keeping up with people, particularly if you’re a continent hopping researcher with friends all over the world, but the rapid explosion in their use has led to frequent lapses in security and the discovery that – as is often the case – security and privacy issues have been secondary to service development and uptake.

Lastly, and I hope you’ll forgive me for the quick tune on my own trumpet, I’m happy to announce that K7 Security Solutions are now available in German, and can be found at http://k7.de (Disclosure of interest: I am also the CTO of K7 Computing Ltd).

Andrew Lee CISSP
AVIEN CEO