February 20, 2019

Hackers unleash social media worm after bug report ignored

By Danny Bradbury

What happens when you report a vulnerability to a website and it completely ignores your request, in spite of running a bug bounty program that’s supposed to pay for disclosures?

Some hackers might just walk away, but a group of app developers in Russia chose another approach. They used the vulnerability to spam thousands of users on Russia’s largest social network.

The group, called Bagosi, develops apps that run on St Petersburg-based VKontakte (VK), a social network with over 500m users owned by Russian Internet company Mail.ru.

According to ZDNet, the group discovered a vulnerability in the social network and alerted developers there a year ago.

In a post on VKontakte, Bagosi explained that the social network ignored the bug report and didn’t pay the person that discovered it for their submission or acknowledge it in any way. This is in spite of the fact that VKontakte runs a bug bounty program with Hacker One. VK told Naked Security that the program has been running since 2015 and has paid out $250,000 in bounties. However, Hacker One also told us that the VK program is self-managed, meaning that the social network handles bug reports using its own internal teams rather than relying on Hacker One’s employees.

Read more at https://nakedsecurity.sophos.com/2019/02/20/white-hat-hackers-go-large-with-social-media-spam-prank/

Facebook tracks users it thinks may harm its employees

By Lisa Vaas

Have you ever been so enraged at Facebook that you’ve messaged CEO Mark Zuckerberg and told him to f— off? …or maybe you simply left that type of comment in a post somewhere on Facebook or one of its apps?

If so, you might well have been inducted into what CNBC reports is the company’s BOLO watch list. That’s an acronym for Be On Lookout: a list of hundreds of people who have threatened Facebook or its staff, sulked over losing a contract, or gotten fired, be it with or without sulking or emotional outbursts.

Keeping a list like that is not, in itself, unusual. Lots of companies keep similar lists, according to CNBC’s sources, which include former security staff from Facebook who are familiar with its program and at least one expert from the physical security field: Tim Bradley, senior consultant with Incident Management Group, a corporate security consulting firm that deals with employee safety issues.

What’s unique about Facebook’s approach to BOLOs is that it doesn’t just disseminate a list of names to security staff. Facebook also mines its platform for threatening posts. Sometimes, Facebook goes so far as to use its apps to discern the whereabouts of people whom it finds threatening, to determine whether they pose a credible threat.

CNBC talked to more than a dozen former Facebook security employees, some of whom questioned the ethics of Facebook’s security strategies. One former security staffer called the tactics “very Big Brother-esque.”

Read more at https://nakedsecurity.sophos.com/2019/02/20/facebook-tracks-users-it-thinks-may-harm-its-employees/

Google’s working on stopping sites from blocking Incognito mode

By Lisa Vaas

Google Chrome’s Incognito mode hasn’t been an impenetrable privacy shield: for years, it’s been a snap for web developers to detect when Chrome users are browsing in private mode and to block site visitors who use it.

Google’s known all about it. And finally, 9to5Google reports, it looks like the company plans to close the loophole that’s enabled sites to detect when you’re using Incognito mode.

That loophole: websites have detected Incognito mode by trying to use an API that the mode turns off.

There are many ways to detect Incognito mode: as 9to5Google suggests, if you search for “how to detect Incognito mode,” you’ll find that developers have contributed ways to do so on Stack Overflow.

One easy way has been to sniff out that API: a developer can simply try to use Chrome’s FileSystem API, which is disabled in Incognito mode. That API is used by apps to store files, be it temporarily or more permanently. Incognito shuts it off entirely so that the API won’t create permanent files that could jeopardize somebody’s privacy.

Read more at https://nakedsecurity.sophos.com/2019/02/20/googles-working-on-stopping-sites-from-blocking-incognito-mode/

Facebook flaw could have allowed an attacker to hijack accounts

By John E Dunn

If you’re a security researcher in search of a fat bug bounty, Facebook must look like a good place to start your next hunt.

The site has suffered a lot of niggling security flaws in recent times, to which can now be added a new Cross Site Request Forgery (CSRF) protection bypass flaw that could have allowed an attacker to hijack a user’s account in several ways.

Discovered by researcher ‘Samm0uda’ in January, the problem centers on what is technically known as a vulnerable URL “endpoint”, in this case facebook.com/comet/dialog_DONOTUSE/?url=XXXX. Explains the researcher:

This endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL.

CSRF attacks happen when a cybercriminal tricks the user into clicking on a malicious link that submits instructions to the vulnerable site that appear to come from the user’s browser.

All that is required for this to work is that the user must be authenticated (i.e. logged in) when this happens, although the victim remains unaware that anything untoward is happening.

The technique has been popular for years, which is why websites use anti-CSRF tokens that are reset every time there is a state-changing request.
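The anti-CSRF token defence described above, as an added illustration that is not part of the article: a minimal server-side synchronizer-token check in Python, using a constructed in-memory session store and rotating the token after every accepted state-changing request, so a cross-site request that rides on the victim’s cookie but carries no (or a stale) token is rejected.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> current anti-CSRF token.
# A real application would keep this server-side per logged-in user.
SESSIONS = {}


def new_session():
    """Victim logs in; the browser will send this session id as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Token embedded in the legitimate form; a third-party page cannot read it."""
    return SESSIONS[sid]


def handle_state_change(sid, submitted_token):
    """Validate a state-changing request. Returns (accepted, reason).

    The session cookie alone proves nothing, because the browser attaches it
    to cross-site requests too. Only a request that also carries the current
    per-session token is accepted, and the token is rotated afterwards so the
    same value cannot be replayed.
    """
    expected = SESSIONS.get(sid)
    if expected is None:
        return False, "no such session"
    if submitted_token is None or not hmac.compare_digest(expected, submitted_token):
        return False, "missing or invalid anti-CSRF token"
    SESSIONS[sid] = secrets.token_urlsafe(32)  # reset on each state change
    return True, "accepted"


def demo():
    """Forged cross-site request, legitimate submission, then a replay."""
    sid = new_session()
    forged, _ = handle_state_change(sid, None)        # cookie only, no token
    token = csrf_token_for(sid)
    legit, _ = handle_state_change(sid, token)        # token from the real form
    replay, _ = handle_state_change(sid, token)       # stale token after rotation
    return forged, legit, replay


if __name__ == "__main__":
    print(demo())
```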

Read more at https://nakedsecurity.sophos.com/2019/02/19/facebook-flaw-could-have-allowed-an-attacker-to-hijack-accounts/

Millions of “private” medical helpline calls exposed on internet

By Paul Ducklin

Thanks to Sophos security expert Petter Nordwall for his help with this article.

You know when you call a helpline and a cheery voice advises you that your call may be recorded for a variety of reasons, all of which are supposed to be for your benefit?

Have you ever wondered what happens to all those recordings?

Could something you said confidentially on the phone back in 2014 – personal and private information disclosed during a call to an official medical advice line, for example – suddenly show up in public in 2019?

As millions of people in Sweden are suddenly realizing, the answer is a definite “Yes”.

One of the subcontractors involved in running the Swedish medical assistance line 1177 (a bit like 111 in the UK – the number you use for urgent but not emergency medical help) apparently left six years’ worth of call records – 2,700,000 sound files in WAV and MP3 format – on a server that was openly accessible on the internet.

All you’d have needed was a web browser to scroll through and download years of confidential calls.

Read more at https://nakedsecurity.sophos.com/2019/02/19/milions-of-private-medical-calls-exposed-on-internet/

Thousands of Android apps bypass Advertising ID to track users

By John E Dunn

Six years after it was introduced, it looks as if Android’s Advertising ID (AAID) might no longer be the privacy forcefield Google claimed it would be.

New research by AppCensus has found that 18,000 Play Store apps, many with hundreds of millions of installs, appear to be sidestepping the Advertising ID system by quietly collecting additional identifiers from users’ smartphones in ways that can’t be blocked or reset.

Among the best-known offenders were news app Flipboard, Talking Tom, Clean Master AV Cleaner & Booster, Battery Doctor, Cooking Fever, and Cut the Rope Full Free, which were found to be sending data to advertising aggregators.

But what is the Advertising ID and why does it matter?

Few Android users pay much attention to it, but in 2013 the Advertising ID seemed like a great idea.

At that time, apps were allowed to collect a lot of data unique to the user’s device, such as its Android ID, IMEI number, hardware MAC address, and SIM card serial number – any one or combination of which could be used to track and profile users.

Read more at https://nakedsecurity.sophos.com/2019/02/19/thousands-of-android-apps-bypass-advertising-id-to-track-users/


Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation