Repairs & Upgrades

April 18, 2019 »

Google plays Whack-A-Mole with naughty Android developers

By Lisa Vaas

Following updates to Android application programming interfaces (APIs) and Google Play policies, some developers have been surprised to find they’ve been blocked from distributing apps through Google Play.

Sorry, Google said on Monday: we’re playing Whack-A-Mole with “bad-faith” developers.

Google said that the “vast majority” of Android developers are good at heart, but some accounts are rotten to the core.

Those accounts are suspended after “serious, repeated” violations of policies meant to protect Android users, according to Sameer Samat, VP of Product Management, Android & Google Play.

Samat said that such developers often try to slip past Google’s checks by opening up new accounts or hijacking other developers’ accounts in order to publish their unsafe apps.

In order to fend off those repeat offenders, developers without an established track record can henceforth expect to be put through a more thorough vetting process, Samat said.

Sorry for the 1% of blunders

As with any move made to boost Android security, this one’s bound to misfire, he said – although he claimed that 99% of Google’s suspension decisions are correct.

The company can’t always explain why it has concluded that one account is linked to another, he said, but developers can appeal any enforcement action immediately.


Chrome flaw on iOS leads to 500 million unwanted pop-up ads

By John E Dunn

If you own an iOS device and use the Chrome browser, there is a chance during the last week that you’ve encountered some strange-looking advertising pop-ups.

There are no rewards, of course, because these pop-up ads are run by a cybercrime group and exist to generate revenue for the crooks – you don’t get to share the spoils.

But the bigger question that bugged Confiant’s researchers when they analysed the pop-ups was how they were getting past Chrome’s pop-up blocking on iOS.

The volume of campaigns was massive – 500 million pop-ups since 6 April 2019, apparently – featuring 30 adverts connected to a cybercrime group called eGobbler.

Aiming such a large volume of ads at the users of one platform and browser, iOS Chrome, also looked a little unusual.

Sure enough, Confiant discovered the campaigns had found a way to beat Chrome’s pop-up blocker by exploiting a previously unknown and unpatched security vulnerability.

Google was told of the issue last week, which Confiant hasn’t yet explained in detail because it remains unpatched:

We will be offering an analysis of the payload and POC [proof-of-concept] exploit for this bug in a future post given that this campaign is still active and the security bug is still unpatched in Chrome as of this blog post.


Oracle issues nearly 300 patches in quarterly update

By Danny Bradbury

Oracle is keeping people busy before the Easter weekend. The company has issued a raft of quarterly security updates for 297 vulnerabilities, along with an urgent warning to patch now.

The latest Critical Patch Update contains fixes for vulnerabilities spanning dozens of products, including the Fusion Middleware product set, which received 53 new security fixes overall, 42 of them for vulnerabilities that could in theory be exploited remotely over a network without user credentials.

The Oracle E-Business Suite accounted for 35 new security fixes in the critical patch update – 33 of them for remotely exploitable bugs. The Suite encompasses business applications including enterprise resource planning, customer relationship management, and supply chain management.

Also high on the list of affected product groups was Oracle Communications Applications, which received 26 security fixes for vulnerabilities, 19 of which were remotely exploitable.

The software giant’s suite of retail applications got 24 security fixes between them; Oracle Database Server had six; Java SE, which Oracle acquired along with Sun Microsystems in 2010, had five holes patched.


April 17, 2019 »

Mozilla to Apple: Protect user privacy with rotating phone IDs

By Danny Bradbury

Mozilla has criticized Apple for its latest privacy marketing campaign, urging it to provide more automatic protection for users behind the scenes. The nonprofit Mozilla Foundation has launched a petition to enhance a little-known feature in iOS devices that could make it harder for advertisers to track mobile users.

In a blog post, Mozilla praised Apple for its privacy track record but criticized its latest marketing campaign, with the slogan “Privacy. That’s iPhone.” The iPhone vendor has produced tongue-in-cheek videos showing people in various situations they’d rather keep private. Mozilla responded:

A key feature in iPhones has us worried, and makes their latest slogan ring a bit hollow.

Mozilla has a problem with the Identifier for Advertisers (IDFA), a hexadecimal code unique to each iPhone. When mobile users click a banner, play a video or install an app, media companies can pass that information to advertisers along with the IDFA. The code doesn’t carry your name, but it lets them build up a profile of your activities across apps.

The IDFA is a crucial tool in advertisers’ quest for attribution. This marketing concept ties individual product purchases or subscriptions to the advertisements that promoted them. The missing link is an individual’s series of responses to those advertisements over time. This is what the IDFA provides, and Mozilla finds it distasteful:

It’s like a salesperson following you from store to store while you shop and recording each thing you look at. Not very private at all.

Apple has sided with privacy advocates against advertisers before. In September 2017, it shipped iOS 11 with a new feature for the mobile version of Safari called intelligent tracking prevention. This feature, which reached Safari on macOS the same month, used machine learning to better manage cookies, the small files, different from IDFAs, that websites and advertisers place in the browser to identify users later on.


Ad blocker firms rush to fix security bug

By Danny Bradbury

If you’re using an ad blocker to filter out online commercials, then beware: You might be vulnerable to a new attack revealed on Monday that enables hackers to compromise your browser.

The vulnerability, discovered by security researcher Armin Sebastian, affects Adblock, Adblock Plus, and uBlock (but not uBlock Origin). It stems from a filtering option introduced into the ad blockers in July 2018. The option allowed the programs to rewrite web requests, cleaning them of tracking data.

The problem is that an attacker can abuse this rewrite option from within XMLHttpRequest, the browser API that lets a page request data from a server after it has loaded. The same goes for the newer Fetch API, which supports similar operations. Using either, an attacker can arrange for the rewritten request to return a string of JavaScript and then execute whatever comes back.

For the attack to work, a request to the legitimate site must end up at another server. An open redirect on the legitimate site gives the attacker exactly that: the server takes a URL as input from the client and redirects to it, whatever it is.

An attacker can also get their code into the browser via the $rewrite option if they can get it onto the legitimate web page itself. That’s possible if the site lets users post their own content (a comments section or social media timeline, say) and doesn’t validate those posts properly.

Finally, the site must not restrict where the page may fetch content from (with a Content Security Policy, for example), and it must not validate the final request URL either, because the attacker will have tampered with it.
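The two site-side checks whose absence the attack depends on, as an added example that is not code from the page or from any of the ad blockers it discusses: a redirect validator that refuses to send the browser off-origin, and a final-URL check for code that is about to execute a fetched script. SITE_ORIGIN, the `next`-style parameter and the URLs are assumed values for illustration.

```python
# Added example: not code from the page or from any of the ad blockers it
# discusses. It shows the two site-side checks the text says must be missing
# for the attack to work: an open redirect, and trusting a response without
# looking at the URL it finally came from. SITE_ORIGIN and the URLs below
# are assumed values for illustration.
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://site.example"


def origin_of(url):
    """scheme://host[:port] of an absolute URL, lower-cased; "" if not absolute."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def safe_redirect_target(raw_target, site_origin=SITE_ORIGIN):
    """Resolve a user-supplied redirect target (e.g. a ?next= parameter) and
    return it only if it stays on our own origin; None otherwise. An open
    redirect is what you get when this check is replaced by 'just go there'."""
    if "\\" in raw_target or "\r" in raw_target or "\n" in raw_target:
        return None          # browsers treat '\' like '/'; CR/LF invite header injection
    resolved = urljoin(site_origin + "/", raw_target)
    # "//evil.example/x" resolves to https://evil.example/x, and
    # "https://site.example.evil.example" is a different host entirely, so the
    # whole origin is compared rather than a string prefix.
    if origin_of(resolved) != origin_of(site_origin):
        return None
    if urlsplit(resolved).scheme not in ("http", "https"):
        return None
    return resolved


def is_trusted_final_url(final_url, trusted_origins):
    """After an XMLHttpRequest/fetch completes, the client can see the URL the
    body actually came from (after any redirects). Code about to execute a
    fetched script must check that URL, not the one it originally asked for."""
    return origin_of(final_url) in {origin_of(o) for o in trusted_origins}
```

A rewritten request that bounces through an open redirect ends up with a final URL on the attacker’s origin, which is what `is_trusted_final_url` catches; `safe_redirect_target` removes the open redirect in the first place.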


Internet Explorer browser flaw threatens all Windows users

By John E Dunn

Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).

The latest is a proof of concept (POC) published by researcher John Page (aka hyp3rlinx) that exploits a weakness in the way the browser handles MHTML (MHT) files, IE’s default web page archiving format.

When a user on Windows 7, Windows 10 or Windows Server 2012 R2 opens one of these files, Windows hands it to IE by default, which means an attacker simply has to persuade the user to open it. Success would…

Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.

IE should throw up a security warning, but this could be bypassed, Page said:

Opening a specially crafted .MHT file using malicious <xml> markup tags, the user will get no such active content or security bar warnings.

No escape

Does this matter to users who’ve moved on to Windows 10 or simply stopped using IE years ago?

Unfortunately, it does because IE 11 ships with every consumer Windows PC – including Windows 10 – for compatibility reasons (only Enterprise and Education licensees can optionally exclude it).

However, on Windows 10, IE still needs to go through a short setup process when it runs for the first time, something that might draw attention to attacks targeting the flaw discovered by Page.


Microsoft confirms and Hotmail accounts were breached

By John E Dunn

Between 1 January and 28 March this year hackers were able to access a “limited number” of consumer, Hotmail and MSN Mail email accounts, Microsoft has confirmed.

News of the attack first emerged late last week when the company started sending emails to what seems to be a small subset of affected users, emails that ended up being discussed on Reddit:

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.

Microsoft says that data access was limited:

This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments.

When Microsoft realized the stolen credentials were being abused, it disabled the access, the company added. The crucial sentence:

It is important to note that your login credentials were not directly impacted by this incident.

Microsoft still recommends that everyone receiving a notification change their password as a precaution, and also warned that affected users are now at greater risk of receiving phishing emails.


Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack

By John E Dunn

For nearly a week, Instagram users have been receiving odd messages from followers expressing shock that their accounts have somehow ended up on something called the “Nasty List.”

If you receive one, the message with an embedded link will look something like the following example (the list and placement numbers vary):

OMG your actually on here, @TheNastyList_xx, your number is 26! it’s really messed up.

In the cold light of day, it looks dubious but social media is all about rapid clicking so that’s what some people do, unaware of the danger they are heading towards.

According to Bleeping Computer, clicking on TheNastyList profile link leads to a page containing a second link that says it will let the user see everyone on the imaginary list.

Readers will probably have worked out what’s coming next: anyone following the link is asked for their Instagram username and password (the address of the login page isn’t a legitimate Instagram domain, but it seems a lot of people don’t notice this).

Anyone entering their credentials will find themselves in a spot of trouble, starting with their entire base of followers receiving the same message telling them that they too are on the Nasty List – and so the social media phishing attack grows.

They’ll also potentially have handed control of their account to criminals to do whatever they want with.


Google’s location history data shared routinely with police

By Danny Bradbury

Law enforcement officials in the US have been routinely mining Google’s location history data for criminal investigations. Requests have escalated in the last six months, according to The New York Times.

The location data resides in Sensorvault, a Google system that logs information provided by the search and advertising giant’s mobile applications. Applications may gather the data even when not running, depending on the phone’s settings. However, for Sensorvault to store their data a user must have opted in to Location History, a feature that Google introduced in 2009. It stores daily movements based on raw data communicated via these apps.

Police officers don’t request the phone data of a particular suspect. Instead, they serve reverse location warrants, also known as ‘geofence’ warrants. These request anonymized device IDs and locations for all phones found in a particular area over a particular time window.

Officers analyze this data, looking for movement patterns that correlate with potential suspects or witnesses. When they narrow down the search to a handful of devices, they can request those users’ names and other information from Google.

The report highlighted several instances in which federal law enforcement have used this technique. They include the March 2018 bombings in Austin, Texas, along with a 2016 murder in Florida.


US feds’ names, home and email addresses hacked and posted online

By Danny Bradbury

A group of hackers that doxed thousands of federal law enforcement employees last week has followed up with more posts offering even more victims’ personal information.

The hacking group, which we won’t name here, published the personal details of around 4,000 federal law enforcement employees last week after breaching three related websites. It had defaced at least two of the three websites, publishing its logo on them, which remained viewable until at least Sunday.

Employees at the FBI, Secret Service, Capitol Police, and US Park Police were among those doxed, alongside police and sheriffs’ deputies in North Carolina and Florida, according to reports. Records posted on the group’s website included the individuals’ home addresses, phone numbers, emails and employers’ names.

The attackers harvested the information from websites associated with the FBI National Academy Associates (FBINAA), which is a non-profit organization of 17,000 law enforcement professionals. In a statement released Saturday, FBINAA said the attack had affected three of its chapters, all of which used an unnamed third party’s software. It added:

We believe we have identified the three affected Chapters that have been hacked and they are currently working on checking the breach with their data security authorities. We have checked with the national database server/data provider and they have assured us that the FBINAA national database is safe and secure.

The hacking group soon followed up with what it claimed were more hacked databases. On Saturday, 13 April, it posted a 1.1GB file containing what it said were dumps from six government databases. These appeared to be from three nonprofit associations for government professionals; four of the six dumps were from one association’s state-level chapters, according to information posted on the page.


Security weakness in popular VPN clients

By John E Dunn

Numerous enterprise VPN clients could be vulnerable to a potentially serious security weakness that could be used to spoof access by replaying a user’s session, an alert from the Carnegie Mellon University CERT Coordination Center (CERT/CC) has warned.

Connecting to an enterprise VPN gateway made by a specific company usually requires a dedicated application designed to work with it. So far, the issue has only been confirmed in applications from four vendors – Palo Alto, F5 Networks, Pulse Secure, and Cisco – but others could be affected.

The problem is the surprisingly basic one that applications have been insecurely storing session and authentication cookies in memory or log files which renders them vulnerable to misuse. CERT/CC explains:

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Which, if it were to happen on a network imposing no additional authentication, would be like handing over the privileges of an enterprise VPN to anyone able to get their hands on the vulnerable data.
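One of the two places CERT/CC names is log files. The following is an added example, not code from the CERT/CC note or from any of the named vendors’ clients: a logging-side redaction pass that strips session cookies and bearer credentials before a line reaches disk, with a short fingerprint left behind so support staff can still correlate requests. The header and cookie names and the log lines are constructed for illustration.

```python
# Added example: not the CERT/CC note's code and not from any of the named
# vendors' clients. The weakness above is a session cookie persisted where an
# attacker on the endpoint can read it back. This shows the logging-side
# mitigation: redact cookie and authorization values before a line reaches
# disk, keeping only a short fingerprint so requests can still be correlated.
# Header and cookie names, and the log lines, are constructed for illustration.
import hashlib
import re

SENSITIVE_COOKIES = {"sessionid", "auth_token"}           # assumed names
HEADER_RE = re.compile(r"(?i)\b(Cookie|Set-Cookie|Authorization):\s*(.+)$")
COOKIE_PAIR_RE = re.compile(r"([^=;\s]+)=([^;]*)")


def fingerprint(value):
    """Short, one-way tag for correlation. Not reversible, and not the secret,
    but a low-entropy value could still be brute-forced, so keep logs short-lived."""
    return "<redacted:" + hashlib.sha256(value.encode()).hexdigest()[:8] + ">"


def redact_cookie_header(header_value):
    """Replace the value of each sensitive cookie; leave harmless ones (theme=...) readable."""
    def sub(m):
        name, value = m.group(1), m.group(2)
        return f"{name}={fingerprint(value)}" if name.lower() in SENSITIVE_COOKIES else m.group(0)
    return COOKIE_PAIR_RE.sub(sub, header_value)


def redact_line(line):
    """Redact secrets in one log line; lines without sensitive headers pass through untouched."""
    m = HEADER_RE.search(line)
    if not m:
        return line
    header, value = m.group(1), m.group(2)
    if header.lower() == "authorization":
        scheme, _, cred = value.partition(" ")              # "Bearer <token>": keep the scheme
        new_value = f"{scheme} {fingerprint(cred)}" if cred else fingerprint(scheme)
    else:
        new_value = redact_cookie_header(value)
    return line[:m.start(2)] + new_value


SAMPLE_LOG = [                                              # constructed, not real traffic
    "2019-04-17 10:01:02 DEBUG > GET /portal HTTP/1.1",
    "2019-04-17 10:01:02 DEBUG > Cookie: sessionid=9f86d081884c7d65; theme=dark",
    "2019-04-17 10:01:02 DEBUG > Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "2019-04-17 10:01:03 DEBUG < Set-Cookie: auth_token=s3cr3t; HttpOnly; Secure",
]
SAMPLE_SECRETS = ("9f86d081884c7d65", "eyJhbGciOiJIUzI1NiJ9.e30.abc", "s3cr3t")


def redacted_log(lines=SAMPLE_LOG):
    return [redact_line(line) for line in lines]


def leaked_secrets(lines, secrets=SAMPLE_SECRETS):
    """Which raw secrets still appear in the given lines: the check to run on real log output."""
    return [s for s in secrets if any(s in line for line in lines)]
```

`leaked_secrets` is the part worth keeping around: run it over a client’s actual debug output with a freshly issued cookie and it tells you whether that client belongs on the CERT/CC list.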


April 15, 2019 »

Facebook admits “supply chain data leak” in new Oculus headsets

By Paul Ducklin

Oculus, Facebook’s virtual reality subsidiary, has fessed up to what might be the weirdest ever data leak.

OK, so it might not actually be a data leak at all, even though messages that weren’t supposed to be released seem to have got out.

And even if it is a data breach, it’s kind of cool – did we say that aloud, or just think it? – and may end up making the affected devices more sought after, and worth more money on online auction sites, than vanilla ones.

At any rate, if we were a Data Privacy Officer – a job that we suspect might be thin on opportunities for fun, games and humor – we’d be cracking a smile at this one, if not breaking into laughter, instead of reaching for our breach report forms.

The leaked messages are, literally and physically, printed characters that ended up hidden inside “tens of thousands” of new Oculus motion controllers.

We’re not big VR fans ourselves, but we think that motion controllers are the things you strap onto your hands so you can waft your way through virtuality, rather than the masochistic-looking faux diving goggles [Can we just say ‘sinister’ or ‘peculiar’ instead? Ed.] that you wear while immersed in unreality.


Assange arrested, faces extradition for hacking

By Paul Ducklin

Julian Assange, founder of whistleblowing organization WikiLeaks (or co-founder, depending on whom you ask), and arguably Ecuador’s most famous Londoner (or infamous, depending on whom you ask), is in custody following his arrest yesterday.

Assange rose to fame by leaking secret government documents that the WikiLeaks organization acquired from a wide range of sources.

The best-known WikiLeaks exposé is probably Cablegate, a massive dump of US State Department diplomatic cables exfiltrated by junior US soldier Bradley Manning, now Chelsea Manning, who was arrested in 2010 for making off with some 30 years’ worth of confidential US data.

Manning apparently burned the data to a rewritable CD, pretending she was listening to Lady Gaga tunes from the CD while writing hundreds of thousands of diplomatic cables onto it.

Amazingly, one person – and a soldier with the rank of Private, at that – was able to copy everything without triggering any sort of “data access overload” warning at any point.


Feds say Russian 2016 election meddling spanned all US states

By Danny Bradbury

A multi-agency report has strengthened claims that Russia meddled with election systems in all 50 US states during the last presidential race.

The report is called a joint intelligence bulletin (JIB), and it comes from the Department of Homeland Security and the FBI. It is an unclassified document intended for internal distribution to state and local authorities.

Intelligence newsletter OODA Loop reports that the JIB reveals stronger evidence of Russian interference. Agencies believe that Russian agents targeted more than the 21 states initially suspected.

According to the bulletin:

Russian cyber actors in the summer of 2016 conducted online research and reconnaissance to identify vulnerable databases, usernames, and passwords in webpages of a broader number of state and local websites than previously identified, bringing the number of states known to be researched by Russian actors to greater than 40.

Although there are some gaps in the data, the bulletin states with “moderate confidence” that Russia conducted “at least reconnaissance” against all US states, because its research was so methodical.

Russia’s cyberspace election meddling played out between June and October 2016, with most activity in July, the JIB said. The actors researched election-related websites and information in at least 39 states or territories, with Secretary of State websites drawing the most attention. They proceeded alphabetically through the states “with some exceptions”, although OODA Loop doesn’t say what those were.


Flickr tackling online image theft with new AI service

By Danny Bradbury

Photo-sharing website Flickr is trying to combat copyright infringement with a service that spots copies of its users’ images online. The company is partnering with image monitoring company Pixsy to offer the AI-powered feature.

Flickr began offering the service this week, claiming it as a step forward in the fight to protect its members’ rights, stating:

We remain aware of the fact that photo theft is a sad reality of the online world and a major issue for photographers trying to make a living off of their work

It will offer the service to paying members under its Pro subscription. It enables them to monitor up to 1000 images and lets users send 10 DMCA takedown notices for free. The Digital Millennium Copyright Act lets copyright owners send cease and desist letters to people using their content online without permission.

Pixsy scours the internet looking for matches of the images registered with it. The BBC tested the service with mixed results. The tool found that an image of its reporter Cody Goodwin, used in a news story on the BBC’s site, had been reused by 26 other news websites.

However, when the BBC tested a picture of the same reporter in its Los Angeles bureau with the Hollywood sign in the background, the tool flagged an image of Stormy Daniels (a very different person) in the same studio instead. Apparently, the software still has some work to do.

What if you are not a Flickr Pro user? All is not lost. You can head over to Pixsy and sign up for a free account, which gives you the ability to monitor 500 images without paying a penny. You don’t get the free takedown notices that you get with a Flickr Pro account, though.


Android phones transformed into anti-phishing security tokens

By John E Dunn

Google just announced a new security feature that allows users of Android 7 and later to use their smartphones to authenticate themselves to their Google accounts.

The surprise announcement was buried inside a pile of enterprise-oriented enhancements revealed at Google Cloud Next 2019 in San Francisco on Wednesday.

Released in beta, the feature is designed to protect Google users from phishing attacks. Once it’s enabled, the user logs into their Google account with their username and password as normal, then proves that their enrolled smartphone is present by tapping a prompt that appears on the phone’s screen.

It’s identical in principle to using a FIDO USB token such as the YubiKey (or Google’s Titan key equivalent launched last year), except that the smartphone itself becomes the token.

This defeats phishing in the same way a token does because even if attackers get hold of someone’s Google username and password, they can’t access the account without also having the smartphone.


To use your Android phone (tablets don’t appear to be supported yet) as a security key, you must have a phone running Android version 7.x or later, and you need to turn on Bluetooth.

Your computer must also have Bluetooth and be running the latest version of the Chrome browser on Chrome OS, macOS or Windows.
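Why a phone acting as a security key defeats phishing where a password alone does not, as an added example that is not Google’s implementation or FIDO/WebAuthn library code: what the key signs includes the origin the browser is really talking to, and the credential is only usable from that site. HMAC with a per-credential secret stands in for the real public-key signature so the example runs on the standard library alone; the relying party and phishing hostnames are assumed.

```python
# Added example: not Google's implementation, nor FIDO/WebAuthn library code.
# It models why a security key (here, the enrolled phone) defeats phishing:
# what the key signs is bound to the site the browser is really talking to.
# HMAC with a per-credential secret stands in for the real public-key
# signature so that the example runs on the standard library alone.
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit

RP_ID = "accounts.example"                                  # assumed relying party
RP_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts.example.evil-login.test"   # assumed phishing host


class PhoneKey:
    """The enrolled phone: one credential per relying party ID."""

    def __init__(self):
        self._creds = {}                                    # rp_id -> secret

    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)

    def sign(self, rp_id, client_data):
        # The credential is scoped to rp_id; a phishing host has a different
        # rp_id, so there is nothing registered for it to sign with.
        return hmac.new(self._creds[rp_id], client_data, hashlib.sha256).digest()

    def verifier_secret(self, rp_id):
        # Real FIDO stores a public key at the RP instead; a shared secret is
        # used here only because the standard library has no asymmetric signatures.
        return self._creds[rp_id]


def browser_assert(phone, origin, rp_id, challenge):
    """Browser side of a login: the client data carries the page's real origin
    (taken from the address bar, not from anything the page says), and the
    credential is only usable if that origin belongs to rp_id."""
    host = urlsplit(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"credential for {rp_id} not usable from {origin}")
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, phone.sign(rp_id, client_data)


def rp_verify(secret, expected_origin, issued_challenge, client_data, signature):
    """Relying party: signature valid AND the signed origin/challenge are the ones this login issued."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != issued_challenge:
        return False
    expected = hmac.new(secret, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def legitimate_login(phone):
    challenge = os.urandom(16).hex()
    client_data, sig = browser_assert(phone, RP_ORIGIN, RP_ID, challenge)
    return rp_verify(phone.verifier_secret(RP_ID), RP_ORIGIN, challenge, client_data, sig)


def phished_login(phone):
    """A phishing page relays the real site's challenge to the victim and forwards
    whatever comes back. Returns what stops it at each layer."""
    challenge = os.urandom(16).hex()                        # fetched from the real RP
    outcomes = []
    try:                                                    # honest browser on the phishing origin
        browser_assert(phone, PHISH_ORIGIN, RP_ID, challenge)
        outcomes.append("browser signed")
    except ValueError:
        outcomes.append("browser refused")
    # Even a signature over client data naming the phishing origin fails at the RP.
    forged = json.dumps({"challenge": challenge, "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    sig = phone.sign(RP_ID, forged)
    ok = rp_verify(phone.verifier_secret(RP_ID), RP_ORIGIN, challenge, forged, sig)
    outcomes.append("rp accepted" if ok else "rp rejected origin")
    return outcomes


if __name__ == "__main__":
    key = PhoneKey()
    key.register(RP_ID)
    print("legitimate:", legitimate_login(key))
    print("phished:", phished_login(key))
```

The password the phisher captured gets them nothing extra here: the assertion they need is tied to a challenge the real site issued and to an origin they cannot present.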


April 11, 2019 »

Ban the use of ‘dark patterns’ by tech companies, say US lawmakers

By Danny Bradbury

Lawmakers are getting wise to online companies’ manipulative user interface design practices. Congressional leaders in the US unveiled a new law this week to ban the use of ‘dark patterns’ by large online players.

What are these dark patterns? Senator Mark Warner, one of the Act’s sponsors, describes them as design choices based on psychological research. They are…

…frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.

Warner’s Deceptive Experiences To Online Users Reduction (DETOUR) Act makes it illegal for online companies with over 100 million users to design interfaces that aim at:

Obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data.

What kinds of techniques are we talking about, and what decisions do they coerce users into making?

The website, created by user experience consultant Harry Brignull, calls out several kinds of manipulative user interface behaviors with some delightful names.

These include confirmshaming. This guilts the user into opting into something. You’ll have seen this on some passive-aggressive websites that try to make you sign up for mailing lists. Instead of just offering a ‘No’ option, they’ll say something like “no, I don’t want to stay abreast of current industry trends”.

Other examples include Privacy Zuckering, which tricks users into publicly sharing more information about themselves than they wanted to. Guess who it’s named after?


App could have let attackers locate and take control of users’ cars

By Danny Bradbury

A smartphone app used to control vehicles across North America left them wide open to attackers, it was revealed on Monday. The MyCar application, from Canada-based AutoMobility Distribution, allowed anyone who knew about the vulnerability to control, monitor, and access vehicles from an unauthorized device, experts said.

MyCar is an app available on both iOS and Android devices that serves the aftermarket telematics market. Users can install connected devices into their cars, turning them into IoT devices that they can control via a cellular connection. According to its website, the MyCar app lets users control their cars remotely from anywhere by communicating with one of these devices via AutoMobility Distribution’s servers.

Users can remotely start their car, lock and unlock vehicles, or locate them. Other features include getting the temperature and vehicle battery levels, and sharing your vehicle with other users or even transferring it to a new owner.

The company sells the app under a service plan. Users get the smartphone app, the hardware device to install in their car, and service for a set period of one or three years.

It all sounds very convenient, especially when you want a nice warm car waiting for you on those cold winter mornings. Unfortunately, according to a vulnerability note issued by Carnegie Mellon University’s Software Engineering Institute, the app also enabled attackers to take control of your car.


Toddler locks father out of iPad for 25.5 MILLION minutes, or until 2067

By John E Dunn

Last week a father thought he’d been permanently locked out of his Apple iPad after his young son repeatedly entered an incorrect passcode.

‘Permanently’ in this context means 25.5 million minutes (or 25,536,442), equivalent to over 48 years. That’s the wait time that confronted journalist Evan Osnos last week when he looked at the iPad screen after recovering it from the youngster’s grasp.

Naturally, he turned in his hour of need to the world’s biggest tech support system, Twitter.

But how does such a thing happen? The short answer is not easily.

A lot of stories mention that Osnos’s son entered an incorrect passcode 10 times without mentioning how hard it is to do that in a short space of time.

It’s common knowledge that if the code is entered wrongly five times, the device locks for one minute, and that could have happened in seconds.


April 10, 2019 »

Mar-a-Lago intruder had instant-malware-inflicting thumb drive

By Lisa Vaas

It turns out that Yujing Zhang, the Chinese woman arrested when she tried to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach, Florida, on 30 March, had a number of suspicious devices in her hotel room, including tools suited to planting malware and spying, plus more than $8,000 in cash, all of which suggests she was there for espionage.

As it was, she was carrying four cellphones, a thumb drive containing malware, and other electronics when she breached security at President Trump’s private Florida club. In getting past multiple security checkpoints, she first told US Secret Service agents that she was bound for the hotel’s pool.

Then, supposedly confused by a language barrier that came and went as Zhang used and then apparently forgot competent, nuanced English, Mar-a-Lago staff thought she might be the daughter of a club member with the same last name – one that’s common in China. Next, Zhang told Secret Service agents that she was headed for some kind of United Nations Chinese American Association event that night… or, as she said in her next version, a “United Nations Friendship Event” between the US and China.

As the Miami Herald reports, during a bond hearing in a Florida federal court on Monday, federal prosecutor Rolando Garcia said that a search of Zhang’s room yielded still more gadgetry: a “signal-detector” device used to reveal hidden cameras, USD $7,500 in $100 bills, $663 in Chinese currency, nine USB drives, five SIM cards and other electronics.

…and no swimsuit.

CNN quoted Garcia during the hearing, which was held to determine whether Zhang would be released on bail:

She lies to everyone she encounters.

Zhang was charged with two counts: making false statements to federal authorities and a misdemeanor offense of entering a restricted area without authorization. She hasn’t been charged with offenses that could be associated with international spying, but an FBI counterintelligence squad is investigating the incident as part of a broader investigation into Chinese espionage, and prosecutors are treating Zhang’s case as a national security matter, sources told the Miami Herald.


Two robocallers fined $3m for Google listings scam

By Danny Bradbury

Two robocall scammers have been fined over $3 million in a US court for defrauding small businesses. The pair pretended to represent Google and falsely took unwitting business owners’ money in return for the promise of better search results.

Judge Cecilia Altonaga fined Dustin Pillonato and Justin Ramsey, owners of Pointbreak Media, LLC and Modern Source Media LLC, $3,367,666.30 for their robocalling campaign.

According to a court affidavit filed last May, they used their robocall system to phone small businesses offering Google listing ‘claiming and verification’ services. They said that they were affiliated with Google and warned them that their businesses would be removed from Google search results unless they paid up. It was, in short, a shakedown. As in, ‘nice search ranking you’ve got there. It’d be a shame if something happened to it.’

They went further, though, trying to upsell the victims with extra services like higher rankings on certain keywords. When victims paid up, they got nothing.

To add insult to injury, the pair even called people on the FTC’s National Do Not Call Registry, the system the FTC set up to protect consumers from nuisance calls.

Pointbreak Media had already drawn attention from Bank of America Merchant Services, according to the affidavit, which closed the company’s account in October 2017 due to predatory services, scare tactics, and high chargeback rates. It added:

Point Break then wrote itself hundreds of checks, without authorization, using prior or existing customer checking account data.


Two teens charged with jamming school Wi-Fi to get out of exams

By Lisa Vaas

Two 14-year-old boys have been charged with jamming their school’s Wi-Fi network to get out of taking exams, authorities said on Monday.

According to, the New Jersey high school freshmen have been charged with computer criminal activity and conspiracy to commit computer criminal activity. School officials reportedly notified police on Thursday after a week in which the Wi-Fi network had been forced to crash multiple times.

According to, Capt. Dennis Miller said that school officials at Secaucus High reached out to the Secaucus Police Department to notify them that the two students were part of a “scheme where they would disrupt the school’s WiFi service upon demand.”

Their names haven’t been released, given that they’re minors. The boys were released to their parents and are expected to appear in juvenile family court in Jersey City at an unknown date.

Schools Superintendent Jennifer Montesano said on Monday that the Wi-Fi is back up and is running just fine. She didn’t give details, but she did say that an investigation found two students “who may have been involved in the disruption of our system.”

How did they do it?

Some students told that they believe the boys were using a Wi-Fi interrupter program or app to crush the school’s routers with traffic in a denial of service (DoS) attack – an attack that caused the network to fail when students tried to log on to do classwork or take online exams.

The news outlet talked to a junior at Secaucus High who said that she learned about the Wi-Fi being down when a friend told her that she’d asked one of the suspects to jam the signal during an exam.


Knock and don’t run: the tale of the relentless hackerbots

By Matt Boddy

If you have an IoT device in your home, you could be receiving an average of 13 login attempts to these devices per minute.

That’s what I found in my latest research project. Over the past 3 months, I’ve setup and monitored 10 honeypots located across 5 different continents. These have been waiting patiently for SSH login attempts to better understand how often you face cybercriminals knocking at your network’s metaphorical front door.

Once I’d set up the honeypots, it took no time at all for the hackers to begin their login attempts. In one instance, a device was attacked less than one minute after deployment, in others it took nearly two hours before login attempts began. But once the login attempts started, the attacks were relentless and continuous. In total, I saw more than 5 million attempted attacks on all my honeypots, over the 30-day period they were live.

But that wasn’t all I found.

Default usernames and passwords

The research revealed that a lot of the login attempts monitored on these honeypots were using default usernames and passwords of devices that the average person would find in their home.

I saw default username and password combinations for routers, CCTV cameras and NAS devices, and combinations like the username pi with the password raspberry popping up together many times over.

This is the default username and password combination for Raspbian, which is a distribution of Linux designed for the Raspberry Pi.


April 9, 2019 »

Chrome, Safari and Opera criticized for removing privacy setting

By John E Dunn

It’s a browser feature few users will have heard of, but forthcoming versions of Chrome, Safari and Opera are in the process of removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings.

This is a long-established HTML feature that’s set as an attribute – the ping attribute – which turns a link into a URL that can be tracked by website owners or advertisers to monitor what users are clicking on.

When a user follows a link set up to work like this, an HTTP POST ping is sent to a second URL which records this interaction without revealing to the user that this has happened.
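The mechanism just described, as an added Python example that is not part of the article: a small auditor that parses a page’s HTML, finds every a or area element carrying a ping attribute, and resolves the POST targets the browser would contact on a click (the attribute is a space-separated list of URLs). The sample HTML and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class PingAuditor(HTMLParser):
    """Collect every <a>/<area> element that carries a ping attribute.

    When such a link is followed, the browser sends an HTTP POST to each URL
    listed in ping (a space-separated list) without telling the user.
    """

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []  # (resolved href, [resolved ping URLs])

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = dict(attrs)
        ping = attr.get("ping")
        if not ping:            # absent or empty: nothing is pinged
            return
        # Relative ping URLs resolve against the page URL, like any other link.
        targets = [urljoin(self.base_url, u) for u in ping.split()]
        href = urljoin(self.base_url, attr.get("href", ""))
        self.findings.append((href, targets))


def find_ping_links(html, base_url):
    """Return [(href, [ping targets])] for every tracked link in the HTML."""
    auditor = PingAuditor(base_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """
<html><body>
<a href="https://example.org/article">Plain link</a>
<a href="/deals" ping="/track/click?id=42">Tracked link</a>
<a href="https://partner.example/offer"
   ping="https://ads.example/ping https://stats.example/p">Doubly tracked</a>
<area href="/map" ping="https://ads.example/area-ping">
</body></html>
"""

if __name__ == "__main__":
    for href, targets in find_ping_links(SAMPLE_HTML, "https://shop.example/"):
        print(href, "->", ", ".join(targets))
```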

It’s only one of several ways users can be tracked, of course, but it’s long bothered privacy experts, which is why third-party adblockers often include it on their block list by default.

Until now, an even simpler way to block these pings has been through the browser itself, which in the case of Chrome, Safari and Opera is done by setting a flag (in Chrome you type chrome://flags and set hyperlink auditing to ‘disabled’).

Notice, however, that these browsers still allow hyperlink auditing by default, which means users would need to know about this setting to change that. It seems that very few do.

In contrast, Firefox changed the hyperlink auditing flag to off by default from version 30 in 2008, since when users have had to turn it on via about:config > browser.send_pings set to ‘true’.


Airbnb says sorry after man detects hidden camera with network scan

By Lisa Vaas

A New Zealand infosec consultant on holiday with his family in Cork saved them all from being livestreamed by a hidden spycam in an Airbnb by a) being good and paranoid and b) knowing his way around a network scan.

You can see all seven of them smiling up at the webcam in this 1 April Facebook post from Nealie Barker.

That photo came from a camera camouflaged to look like a smoke alarm. The Barker family only discovered it was actually a spycam because, as Nealie told CNN, her husband, Andrew Barker, routinely runs scans of networks when they check into lodgings and sign on to the Wi-Fi networks.

Nealie says that their first impulse was to call Airbnb. Talk about unhelpful. CNN quoted her:

They had no advice for us over the phone. The girl just said that if you cancel within 14 days, you won’t get your money back.

OK … and if you don’t pack up and vamoose, you get what? Your kids live-streamed on some creepster site, maybe? That’s certainly happened.

Next move: Andrew called the host. The host’s reaction: *Click!*

After the host initially hung up on Andrew, he later called back and insisted that the camera in the living room was the only one in the house.


We didn’t feel relieved by that.

She said that the host refused to say whether he was recording the livestream or capturing audio.


Hacker unlocks Samsung S10 with 3D-printed fingerprint

By Danny Bradbury

A lone security researcher just gave Samsung’s mobile phone cybersecurity technology the finger. According to a video posted on the Imgur site on Friday, it’s possible to bypass the biometrics on the new Galaxy S10 range in just a few minutes, using a 3D-printed fingerprint.

Released in February, almost every phone in the Galaxy S10 range features a fingerprint reader under the screen, contrasting with the previous generation of Galaxy S phones which put it on the back of the device. The only exception is the S10 Essential, which has a capacitive resistor on the side of the phone.

Capacitive technology is what most modern non-display fingerprint sensors use. It measures the electrical resistance between the tiny ridges and valleys of your fingerprint as they contact the sensor, creating a 2D image of it.

Under-display sensors take a different approach, using ultrasonic technology to bounce sound waves off the user’s finger. This creates a 3D ultrasound image of your fingerprint, containing information about the depth of its ridges and valleys.

Cool, right? Not according to Darkshark, an anonymous researcher who appeared to show themselves unlocking a Samsung S10 using a 3D-printed fingerprint.

In the description, Darkshark said that they photographed their finger on the side of a wine glass using their smartphone. Then they used Photoshop to increase the contrast and create an alpha mask (which is a fully-opaque version of an image). Using the 3DS Max 3D modeling software, they created a geometry displacement, which is a version of the alpha image with depth information from the original. Then, they used an Anycubic Photon resin-based 3D printer, which costs around US$500, to reproduce the print.


Fired sysadmin pleads guilty to doxxing five senators on Wikipedia

By Lisa Vaas

Jackson A. Cosko, a former sysadmin for US Sen. Maggie Hassan, has admitted to breaking into her office after he got fired, installing keyloggers, and using ripped-off employee credentials to get into senators’ Wikipedia entries so as to dox their contact information, the Department of Justice (DOJ) announced on Friday.

Cosko, 27, pleaded guilty to two counts of making public restricted personal information, one count of computer fraud, one count of witness tampering and one count of obstruction of justice related to publicizing the private information of five senators in autumn 2018.

He’s looking at between 30 and 57 months of prison time. The plea agreement also requires Cosko to forfeit computers, cellphones and other equipment he used in the crimes.

Getting fired steamed him

In his plea agreement, Cosko admitted that he was angry after getting fired from his job as a sysadmin at Hassan’s office in May 2018 and knew it would make it tough for him to get a new job.

The office had shut down his work accounts, but that didn’t stop Cosko from burglarizing the senator’s office at least four times. He started his nighttime forays in July, letting himself in with a former colleague’s keys. That former colleague is now themselves a former employee, according to Hassan’s office. At least once, the colleague allegedly had handed Cosko the keys, knowing that Cosko was going to illegally enter the office, according to the plea agreement.

During the burglaries, Cosko carried out what the court filing called “an extraordinarily extensive data theft scheme,” copying entire network drives and then cherry-picking the nuggets of sensitive information he might be able to use later. He stole the data by installing unobtrusive, innocent-looking keyloggers on at least six computers.


Bootstrap supply chain attack is another attempt to poison the barrel

By Lisa Vaas

Last week, malicious code was slipped into Bootstrap for Sass, the free, open-source, very popular, and widely deployed front-end web framework.

The good news: the good guys stamped it into oblivion lickety-split.

According to the timeline provided by Snyk – a company that provides tools to find and fix known vulnerabilities in open source code – the malicious version of the package was published on the RubyGems repository for Ruby libraries on 26 March (but not on GitHub, where the library’s source code was being managed).

Malicious actors had rigged that bad package – version – with a stealthy backdoor that would have allowed for remote code execution (RCE) in server-side Rails applications.

Later that same day, software developer Derek Barnes smelled a rat and opened a GitHub issue for what he thought was a suspicious snippet of code in the brand-new – what would turn out to be malicious – version of bootstrap-sass. Just an hour later, the malicious version was yanked from the RubyGems repository, and the two developers responsible for maintaining the code had updated their credentials.

As of Wednesday, it hadn’t yet been confirmed how the attacker(s) had managed to publish the malicious RubyGem package, but the assumption was that they had gotten hold of a set of credentials.

So that’s the good news: it was actually spotted and dealt with very quickly, so kudos to Derek Barnes for spotting the problem and for everybody else who jumped on the fix so quickly.


April 8, 2019 »

Microsoft lets Windows users off the update leash

By Danny Bradbury

Windows users, you know those mandatory OS updates that sometimes break your computer and leave you steaming at the ears? Microsoft is making some big changes that will finally give you more control over them.

The company is changing the way that Windows Update downloads and installs releases, enabling users to delay them.

In older versions of Windows, users could choose which updates they wanted to install. Home editions of Windows 10 bucked that trend with a single ‘check for updates’ button that downloaded and installed everything. Not clicking the box wouldn’t save you from forced updates; the OS would eventually go and get them anyway.

Professional editions were at least able to delay updates using a ‘defer upgrades’ option. This allowed business users to wait until sacrificial guinea pigs using the home edition had been burned first.

This mandatory approach to updates caused some notable problems for users. Microsoft offers a mixture of updates for Windows 10. Monthly updates include security patches that keep Windows safer. Then, there are feature updates that serve as a larger upgrade to the system. There are two of those each year.

The last feature update was in October, and it broke so many PCs that Microsoft had to pause its rollout. Clearly a bit sore over the whole affair, it is shaking up the way that it handles updates.

In a blog post announcing the change, corporate VP of Windows Mike Fortin acknowledged that the mandatory update process isn’t every user’s cup of tea:


Firefox draws battle lines against push notification spam

By John E Dunn

Mozilla doesn’t yet know how to solve the problem of website push notification spam in the Firefox browser, but it wants you to know it’s working on it.

If you’re a sentient web user, the push notification phenomenon needs little explanation: visit a site and it almost immediately throws up a prompt that asks you whether you’re happy to “allow notifications.”

Unlike other annoying website pop-ups, push permissions are powerful because they can activate even when users are not on that website.

In extreme examples, they’re deployed by scam sites as a way of pushing fake extensions and rogue sites, unleashing today’s equivalent of the endless adware pop-ups that used to swarm browsers.

Push notifications have become so ubiquitous that Mozilla’s own telemetry suggests they are now by some distance the most frequently shown permission request, generating 18 million of them in the month to 25 January for a sample set of its users.

Only 3% of users accepted the prompts, while one in five caused visitors to leave the site immediately. This is at odds with other permission requests, as Mozilla’s Johann Hofmann explains:

This is in stark contrast to the camera/microphone prompt, which has an acceptance rate of about 85%!

It’s a bombardment that, at best, delays users and at worst drives them away from sites.


Myspace songs come back from the dead

By Lisa Vaas

Somebody stuck their arm into the back of their backup cupboard, rummaged around, and dragged out a small (but perhaps important to someone) fraction of the 50 million Myspace songs that the social platform admitted to losing in a server migration.

The Internet Archive has published those retrieved tunes and put them up in a catalog of 490,000 mp3 files.

The source of the collection, it said, is an “anonymous academic study,” conducted between 2008 and 2010, that was analyzing music networks while Myspace was still active. During the research, those participating in the study downloaded 1.3 terabytes of music from the service. When the news of Myspace’s mega-fumble came to light, the researchers contacted the Internet Archive and offered to send over the files.

The rediscovered songs represent no more than 1% of the songs/videos that Myspace lost.

You can play the dusted-off music through an online interface that’s been designed to look like Myspace’s original player. Searching and playing is a bit unwieldy, but the Internet Archive says that the database’s search and playing mechanism, “Hobbit,” is still being optimized and will eventually be open-sourced.


Serious Security: GPS week rollover and the other sort of “zero day”

By Paul Ducklin

I bet you’ve heard of GPS, short for Global Positioning System.

It’s owned and operated by the US government but it’s available for free to anyone in the world – and, boy, is it widely used.

GPS is a fantastic feat of science and engineering that is anything but simple in implementation, but that is fairly simply explained.

A number of orbiting satellites (31 are active at the moment) continuously broadcast both their position in space and the current time.

Radio receivers on earth listen out for these broadcasts, and as long as they can “hear” the signals from three different satellites at the same time, and have their own reliable way of measuring the time, they can solve a system of mathematical equations to compute their own position.

The calculations rely on the fact that the time it takes for the signal to travel from the satellite to the receiver determines its distance, and with three distances you can lock in your position uniquely in three dimensions.

The time from satellite to receiver pinpoints the distance reliably because radio waves travel at a constant speed, and distance = speed × time.

Radio waves, known collectively as EMR, short for electromagnetic radiation, travel at what’s commonly called the speed of light, because light is just a special type of radio wave in the right frequency range to set off the detectors in the human retina. This speed is denoted by c, as in the famous equation E = mc², and is defined in the GPS standard as 299,792,458 meters per second.
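The arithmetic above carried through in code, as an added example that is not from the article: three satellite positions and three measured travel times give three spheres (distance = c × time), and the receiver sits where they intersect, solved here in closed form. It goes one step beyond the text: three spheres actually meet at two points, so the code keeps the one nearest Earth’s surface, a tie-break that assumes the receiver is on the ground; the satellite geometry is constructed, not real ephemeris.

```python
import math

# Speed of light as defined in the GPS standard (quoted in the article), in m/s.
C = 299_792_458.0

# Mean Earth radius in metres. Assumption: the receiver is near the surface, so
# of the two points where three spheres meet, the one nearest this radius wins.
EARTH_RADIUS = 6_371_000.0


def _sub(a, b):
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])

def _add(a, b):
    return (a[0] + b[0], a[1] + b[1], a[2] + b[2])

def _scale(a, k):
    return (a[0] * k, a[1] * k, a[2] * k)

def _dot(a, b):
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2]

def _cross(a, b):
    return (a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0])

def _norm(a):
    return math.sqrt(_dot(a, a))


def travel_times(sats, receiver):
    """What a receiver with a perfect clock measures: travel time per satellite."""
    return [_norm(_sub(s, receiver)) / C for s in sats]


def sphere_intersections(sats, times):
    """Return the two points lying at distance C*t_k from satellite k (k = 1..3).

    distance = speed x time turns each travel time into the radius of a sphere
    centred on that satellite; three spheres meet in two points that are mirror
    images across the plane through the three satellites.
    """
    p1, p2, p3 = sats
    r1, r2, r3 = (C * t for t in times)
    p21 = _sub(p2, p1)
    d = _norm(p21)
    ex = _scale(p21, 1.0 / d)              # local x axis: satellite 1 -> 2
    p31 = _sub(p3, p1)
    i = _dot(ex, p31)
    ey_raw = _sub(p31, _scale(ex, i))
    j = _norm(ey_raw)
    if j == 0.0:
        raise ValueError("satellites are collinear: no unique solution")
    ey = _scale(ey_raw, 1.0 / j)           # local y axis: in the satellite plane
    ez = _cross(ex, ey)                    # local z axis: normal to that plane
    x = (r1 * r1 - r2 * r2 + d * d) / (2.0 * d)
    y = (r1 * r1 - r3 * r3 + i * i + j * j) / (2.0 * j) - (i / j) * x
    z2 = r1 * r1 - x * x - y * y
    if z2 < 0.0:
        raise ValueError("ranges are inconsistent (clock error or bad data)")
    z = math.sqrt(z2)
    base = _add(p1, _add(_scale(ex, x), _scale(ey, y)))
    return [_add(base, _scale(ez, z)), _add(base, _scale(ez, -z))]


def locate(sats, times):
    """Pick the intersection point closest to Earth's surface."""
    return min(sphere_intersections(sats, times),
               key=lambda p: abs(_norm(p) - EARTH_RADIUS))


# Constructed geometry (not real ephemeris): three satellites at GPS orbit radius,
# 40 degrees apart, and a receiver on the surface directly below the first one.
ORBIT_RADIUS = 26_600_000.0
_ANG = math.radians(40.0)
DEMO_SATELLITES = (
    (ORBIT_RADIUS, 0.0, 0.0),
    (ORBIT_RADIUS * math.cos(_ANG), ORBIT_RADIUS * math.sin(_ANG), 0.0),
    (ORBIT_RADIUS * math.cos(_ANG), 0.0, ORBIT_RADIUS * math.sin(_ANG)),
)
DEMO_RECEIVER = (6_371_000.0, 0.0, 0.0)

if __name__ == "__main__":
    t = travel_times(DEMO_SATELLITES, DEMO_RECEIVER)
    print("travel times (ms):", [round(v * 1e3, 3) for v in t])
    print("solved position (m):", [round(v, 3) for v in locate(DEMO_SATELLITES, t)])
    # A receiver clock that is off by one microsecond stretches every range by
    # C * 1e-6, roughly 300 m, which is why the article insists on a reliable clock.
    try:
        skewed = locate(DEMO_SATELLITES, [v + 1e-6 for v in t])
        print("with a 1 us clock error (m):", [round(v, 1) for v in skewed])
    except ValueError as err:
        print("1 us clock error:", err)
```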

Fascinatingly, GPS positional calculations need to take Einstein’s theories of relativity into account.


Patch now! Magento e-commerce sites targeted by SQLi attacks

By John E Dunn

Cybercriminals are reportedly exploiting a critical flaw in the Magento e-commerce platform only days after it was made public by the researchers who discovered it.

Scoring a 9.0 on CVSS, the bug doesn’t yet have a CVE number to identify it, but Magento’s patch notes refer to it as PRODSECBUG-2198 (the number being the important bit).

It’s an SQL injection flaw which can be exploited with no authentication or privileges, which is why for admins tending sites using Magento it’s a “stop what you’re doing and patch this now” situation.

That’s not difficult as the Adobe-owned Magento patched this among several dozen other security flaws as part of a security update published last week. The affected versions are:

  • Version 1 before 2.1.17
  • Version 2.2 before 2.8
  • Version 2.3 before 3.1
  • Magento Open Source before 9.4.1
  • Magento Commerce before 14.4.1

The patch for 2198 can be installed on its own but, ideally, sites should install the whole update. From Magento’s announcement:

To protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.

Among a total of 37 flaws covering Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS), there’s also a serious (CVSS 9.8) Remote Code Execution (RCE) flaw identified as PRODSECBUG-2192 deserving careful attention.


Hoax! Nope, hackers aren’t posting invisible sexual videos on your wall

By Lisa Vaas

Should you “share, share, share” the “urgent warning” that hackers are “posting sexual videos and pictures on your walls” that are completely invisible to you?

No, you should not sharedy-sharedy-SHARE-share-share, because this latest viral Facebook copy-and-paste-me warning is just another social media sneeze, spreading its hoaxy germs in spite of the fact that it’s been around, growing hair and getting debunked multiple times, since 2011.

I caught this variant on Thursday morning.

And here’s a fancied-up one, archived from its Facebook original, which was made by somebody who evidently thinks that yellow type on a red background gives the message an aroma of truthiness:


To all Facebook users!

Friends be careful!

This is serious!

Hackers are posting sexual videos and pictures on your walls! You don’t see them, but your friends do, then it seems as if you posted it. If you see any such garbage posted under my name, please let me know because

“I did not post it!”

Share this to protect yourself and your friends.

That post was picked up by Facebook’s false news bloodhound and reported on by Politifact, one of the fact-checking organizations that’s partnering with the social network to fight fake news.

It’s declaring the latest outbreak of invisible-to-you Facebook porn to be unsupported by credible evidence and that the warnings are vague and unsourced.


April 3, 2019 »

Is your hard drive exposed online?

By Danny Bradbury

Over 13,500 internet-connected storage devices have been exposed online by users who failed to set access passwords for them, it emerged last week.

The affected drives all use the Internet Small Computer Systems Interface (iSCSI), which is an implementation of the older SCSI interface that connected disk drives directly to computers.

iSCSI, which was standardized in 2000, enabled that protocol to operate over IP connections so that devices could connect to drives across local area networks, or wide-area connections including the general internet.

Today, people use iSCSI to connect to a range of devices including the kinds of network-attached storage (NAS) drives that you’d find in a small office, and larger banks of network storage devices in datacenters.

iSCSI is also a common way for computers to connect to virtual machines (VMs). These are software files containing entire operating systems that run on a thin layer of software rather than directly on a physical server, making it possible to run many of them on a single computer at once. VMs are the basis for modern cloud computing, which relies entirely on virtualised resources.

Here’s the problem with putting things on the internet, though: They’re usually easy to find and connect to. If you put something like an iSCSI device online and then fail to secure it with login credentials, it means that it’s publicly available for anyone to access.


2m credit cards ripped off from restaurant chain, sold on the dark web

By Lisa Vaas

Earl Enterprise – the owner behind a slew of US restaurant chains – confirmed on Friday that one or more hackers had installed credit card slurping malware on point-of-sale (PoS) systems at a half dozen of its restaurant brands.

The company said that potentially affected restaurants include its brands Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria. It’s set up a look-up tool at this site that lets you search for affected locations by city, state and brand.

The company said that the malware was designed to capture payment card data, which may have included credit and debit card numbers, expiration dates and, in some cases, cardholder names.

The dates of potentially affected transactions vary by location, though overall, customers who used their payment cards at the potentially affected locations between 23 May 2018 and 18 March 2019 might have been affected. The malware didn’t affect orders paid for online through third-party applications or platforms.

Earl Enterprise said that the breach has now been contained and that it’s working with two cybersecurity firms on an internal investigation, as well as with federal law enforcement. It’s working “diligently” with security experts on further remediation, it said, and plans to closely monitor its systems and take additional security measures “to help prevent something like this from happening again in the future.”

Earl Enterprise first got a heads-up about the PoS malware back in February, when security journalist Brian Krebs contacted the company to let it know that he’d found a big cache of credit and debit card numbers belonging to the company’s customers that were being sold on the Dark Web.


Patch Android now! April update fixes three critical flaws

By John E Dunn

Android’s April update just landed and this month the headline story is two critical CVE-level patches among a total of 11 affecting anyone with handsets running versions 7, 8, and 9.

The good news is that as far as Google knows, none of this month’s flaws are being exploited. That could change, of course, which is why getting the updates should be a priority as soon as they become available from this week.

The first two criticals are identified as CVE-2019-2027 and CVE-2019-2028, affecting all versions 7.x, 8.x, and 9.0 of the core AOSP, the part of the OS that is universal to anything running Android.

Both are Remote Code Execution (RCE) vulnerabilities in the oft-patched media framework, either of which could allow an attacker to “execute arbitrary code within the context of a privileged process.”

The final critical bug is CVE-2019-2029, another RCE affecting all versions from 7.x and up that will be shipped to users on the 2019-04-05 patch level (see below for an explanation of what that means).

The other eight AOSP flaws are all marked high priority, including six elevation of privilege (EoP) flaws and three information disclosure.


As usual, Qualcomm gets a small blizzard of fixes, 30 of which are in open-source components and another 44 in proprietary software. The first group includes one critical along with others rated high. The second includes six criticals with the rest marked high priority.


Government spyware hidden in Google Play store apps

By Lisa Vaas

We’ve seen malicious government cyberweapons leaked out of the National Security Agency (NSA) and injected via ransomware, but security researchers recently found government spyware squatting in plain sight, pretending to be harmless vanilla apps on Google’s Play store.

This time around, the malware doesn’t come from the NSA. Rather, it allegedly comes from the Italian government, which apparently purchased it from a company that sells surveillance cameras.

According to Motherboard, this is the first time that security researchers have seen malware produced by the surveillance company, known as eSurv.

It was discovered in a joint investigation carried out by Motherboard and researchers from Security Without Borders – a non-profit that often investigates threats against dissidents and human rights defenders.

Security Without Borders published a technical report of their findings on Friday:

We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years. These apps would remain available on the Play Store for months and would eventually be re-uploaded.

They’re calling the malware Exodus, after the name of the command and control servers the apps connected to.

The connection with Italy was apparently made due to snippets of Italian text in the code, such as mundizza, a dialect word from Calabria that means trash or garbage, and RINO GATTUSO, a famous retired footballer from Calabria, the region where eSurv is based.


TP-Link router zero-day offers your network up to hackers

By Paul Ducklin

Just last week, we talked in the Naked Security podcast about what you can do if you’re stuck with a router with security holes that you can’t easily fix.

One way this can happen is if your ISP won’t let you connect at your end unless you use a router provided by them.

These “forced routers” are typically locked down so you can’t update them yourself, and may even have remote access permanently enabled so that your ISP can wander in at will.

Our recommendation, when you’re faced with someone else’s router in your own home, is simply to treat it as if it were miles away at the other end of your phone line or cable connection, back in the ISP’s data center or the phone company’s local exchange where you can’t see it.

Buy a second router (or get yourself the free Sophos XG Firewall Home Edition), plug the ISP’s router LAN (internal) port into the WAN (external) port of the device you look after yourself, and pretend the ISP’s equipment doesn’t exist.

Don’t bother with the Wi-Fi and firewall parts of the ISP’s router – just treat it as a straight-up modem that interconnects your home ethernet network with the phone, cable or fiber network used by your ISP.


Are there viable alternatives to Facebook and Twitter?

By Maria Varmazis

The thinking goes that the reason so many of us who hate social networks are still stuck using them is because it’s simply where everyone else is (which is certainly the case with me).

If only everyone would make a mass migration to some other kind of service altogether, then perhaps we could finally regain some control over our data without stepping out of our social lives. But are there actual alternatives available?

Spoiler alert: Indeed there are, so let’s take a look at them and what kind of benefits they might offer over the usual suspects. Do these alternatives protect user privacy and data, and are they user-friendly enough for everyone to use or just techy pipe dreams?

Decentralized social network – what does that mean?

There is growing interest in social networks that prioritize putting control back in the hands of users. Two of the more popular “alternative” social platforms are Mastodon and Diaspora – platforms that run a constellation of decentralized, or federated, communities.

Instead of going to a central site like or, users join separate “instances” (Mastodon) or “pods” (Diaspora) to make connections to other like-minded members.

This means members can join a smaller local community where they have their own specific rules, and moderate membership to make their social village feel like an online home, but they can also still interact with other members in other instances or pods if they choose to.

In other words, a Mastodon or Diaspora user has a smaller home base where they’re likely spending most of their time, but they’re not fenced in if they want to wander elsewhere into the bigger world.


Possible Toyota data breach affecting 3.1 million customers

By John E Dunn

Several Toyota companies have announced that they might have suffered data breach attempts, with one affecting 3.1 million Toyota and Lexus customers.

In a brief account describing the most significant of these, the Japanese parent company said that on 21 March attackers gained “unauthorized access on the network” which led them to customer data belonging to eight sales subsidiaries in the country.

Toyota said it is still investigating what data might have been breached, or even whether any data has been breached:

We have not confirmed the fact that customer information has been leaked at this time, but we will continue to conduct detailed surveys, placing top priority on customer safety and security.

So far, it has at least managed to establish that…

…The information that may have been leaked this time does not include information on credit cards.

Clearly, the company isn’t taking any chances and has decided to tell its customers something now rather than sitting on bad news.

Normally a data breach affecting Japanese Toyota subsidiaries wouldn’t get that much attention if it weren’t for the fact that it fits a larger pattern of attacks against the company.

