Mozilla to Apple: Protect user privacy with rotating phone IDs

By Danny Bradbury

Mozilla has criticized Apple for its latest privacy marketing campaign, urging it to provide more automatic protection for users behind the scenes. The nonprofit Mozilla Foundation has launched a petition to enhance a little-known feature in iOS devices that could make it harder for advertisers to track mobile users.

In a blog post, Mozilla praised Apple for its privacy track record but criticized its latest marketing campaign, with the slogan “Privacy. That’s iPhone.” The iPhone vendor has produced tongue-in-cheek videos showing people in various situations they’d rather keep private. Mozilla responded:

A key feature in iPhones has us worried, and makes their latest slogan ring a bit hollow.

Mozilla has a problem with the Identifier for Advertisers (IDFA), which is a hexadecimal code unique to every iPhone. When mobile users click a banner, play a video, or install an app, media companies can pass that information to advertisers along with the IDFA. The code doesn’t identify you, but it enables them to build up a profile of your activities.

The IDFA is a crucial tool in advertisers’ quest for attribution. This marketing concept ties individual product purchases or subscriptions to the advertisements that promoted them. The missing link is an individual’s series of responses to those advertisements over time. This is what the IDFA provides, and Mozilla finds it distasteful:

It’s like a salesperson following you from store to store while you shop and recording each thing you look at. Not very private at all.

Apple has sided with privacy advocates against advertisers before. In September 2017, it shipped IOS 11 with a new feature for the mobile version of Safari called intelligent tracking prevention. This feature, which also hit macOS Safari the same month, used machine learning to better manage cookies. These are small files, different to IDFAs, that websites and advertisers place in the browser to identify users later on.

Read more at https://nakedsecurity.sophos.com/2019/04/17/mozilla-to-apple-protect-user-privacy-with-rotating-phone-ids/

Ad blocker firms rush to fix security bug

By Danny Bradbury

If you’re using an ad blocker to filter out online commercials, then beware: You might be vulnerable to a new attack revealed on Monday that enables hackers to compromise your browser.

The vulnerability, discovered by security researcher Armin Sebastian, affects Adblock, Adblock Plus, and uBlock (but not uBlock Origin). It stems from a filtering option introduced into the ad blockers in July 2018. The option allowed the programs to rewrite web requests, cleaning them of tracking data.

The problem is that an attacker can exploit this rewrite function using XMLHttpRequest. This is a programming feature all modern browsers use to request data from a server after a page has loaded. They can also attack the server using an API called Fetch, which allows similar operations. An attacker can load a JavaScript string using either of these features and execute the returned code.

For the attack to work, the browser must visit another server after hitting a legitimate web page. Hackers can force that if the server allows open redirects. This is when the server takes a URL as input from the client and redirects to it, no matter what it is.

An attacker can also get their executable code into the browser via the $rewrite function if they can get it onto the legitimate web page. That’s possible if the server lets the user post their own content (such as in a comments section or social media timeline) and doesn’t use proper input validation to check the post for malicious commands.

Finally, for the attack to work, the server must not restrict where it can fetch content from. It must not validate the final request URL either, because the attacker will have tampered with it.

Read more at https://nakedsecurity.sophos.com/2019/04/17/adblocker-firms-rush-to-fix-security-bug/

Internet Explorer browser flaw threatens all Windows users

By John E Dunn

Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).

The latest is a proof of concept (POC) published by researcher John Page (aka hyp3rlinx) that exploits a weakness in the way the browser handles MHTML (MHT) files, IE’s default web page archiving format.

If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these, it attempts to open them using IE which means that an attacker simply has to persuade the user to do that. Success would…

Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.

IE should throw up a security warning, but this could be bypassed Page said:

Opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.

No escape

Does this matter to users who’ve moved on to Windows 10 or simply stopped using IE years ago?

Unfortunately, it does because IE 11 ships with every consumer Windows PC – including Windows 10 – for compatibility reasons (only Enterprise and Education licensees can optionally exclude it).

However, on Windows 10, IE still needs to go through a short setup process when it runs for the first time, something that might draw attention to attacks targeting the flaw discovered by Page.

Read more at https://nakedsecurity.sophos.com/2019/04/17/internet-explorer-browser-flaw-threatens-all-windows-users/

Microsoft confirms Outlook.com and Hotmail accounts were breached

By John E Dunn

Between 1 January and 28 March this year hackers were able to access a “limited number” of consumer Outlook.com, Hotmail and MSN Mail email accounts, Microsoft has confirmed.

News of the attack first emerged late last week when the company started sending emails to what seems to be a small subset of affected users which ended up being discussed on Reddit:

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.

Microsoft says that data access was limited:

This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments.

When Microsoft realized the stolen credentials were being abused, it disabled the access, the company added. The crucial sentence:

It is important to note that your login credentials were not directly impacted by this incident.

Microsoft still recommends that everyone receiving a notification should change these as a precaution, and also warned that affected users were now at risk of receiving phishing emails.

Read more at https://nakedsecurity.sophos.com/2019/04/17/microsoft-confirms-outlook-com-and-hotmail-accounts-were-breached/

Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack

By John E Dunn

For nearly a week, Instagram users have been receiving odd messages from followers expressing shock that their accounts have somehow ended up on something called the “Nasty List.”

If you receive one, the message with an embedded link will look something like the following example (the list and placement numbers vary):

OMG your actually on here, @TheNastyList_xx, your number is 26! it’s really messed up.

In the cold light of day, it looks dubious but social media is all about rapid clicking so that’s what some people do, unaware of the danger they are heading towards.

According to Bleeping Computer, clicking on TheNastyList profile link leads to a page containing a second link that says it will let the user see everyone on the imaginary list.

Readers will probably have worked out what’s coming next – anyone following this is asked for their Instagram username and password (the link on the login page isn’t a legitimate Instagram address but it seems a lot of people don’t notice this).

Anyone entering their credentials will find themselves in a spot of trouble, starting with their entire base of followers receiving the same message telling them that they too are on the Nasty List – and so the social media phishing attack grows.

They’ll also potentially have handed control of their account to criminals to do whatever they want with.

Read more at https://nakedsecurity.sophos.com/2019/04/16/watch-out-dont-fall-for-the-instagram-nasty-list-phishing-attack/

Google’s location history data shared routinely with police

By Danny Bradbury

Law enforcement officials in the US have been routinely mining Google’s location history data for criminal investigations. Requests have escalated in the last six months, according to The New York Times.

The location data resides in Sensorvault, a Google system that logs information provided by the search and advertising giant’s mobile applications. Applications may gather the data even when not running, depending on the phone’s settings. However, for Sensorvault to store their data a user must have opted in to Location History, a feature that Google introduced in 2009. It stores daily movements based on raw data communicated via these apps.

Police officers don’t request the phone data of a particular suspect. Instead, they serve reverse location warrants, also known as ‘geofence’ warrants. These request anonymous IDs and locations relating to all phones found in a particular area over a particular time.

Officers analyze this data, looking for movement patterns that correlate with potential suspects or witnesses. When they narrow down the search to a handful of devices, they can request those users’ names and other information from Google.

The report highlighted several instances in which federal law enforcement have used this technique. They include the March 2018 bombings in Austin, Texas, along with a 2016 murder in Florida.

Read more at https://nakedsecurity.sophos.com/2019/04/16/police-cast-wide-search-net-with-googles-sensorvault-location-data/

US feds’ names, home and email addresses hacked and posted online

By Danny Bradbury

A group of hackers that doxed thousands of federal law enforcement employees last week has followed up with more posts offering even more victims’ personal information.

The hacking group, which we won’t name here, published the personal details of around 4.000 federal law enforcement employees last week after breaching three related websites. It had defaced at least two of the three websites, publishing its logo on them, which remained viewable until at least Sunday.

Employees at the FBI, Secret Service, Capitol Police, and US Park Police were among those doxed, alongside police and sheriffs’ deputies in North Carolina and Florida, according to reports. Records posted on the group’s website included the individuals’ home addresses, phone numbers, emails and employers’ names.

The attackers harvested the information from websites associated with the FBI National Academy Associates (FBINAA), which is a non-profit organization of 17,000 law enforcement professionals. In a statement released Saturday, FBINAA said the attack had affected three of its chapters, all of which used an unnamed third party’s software. It added:

We believe we have identified the three affected Chapters that have been hacked and they are currently working on checking the breach with their data security authorities. We have checked with the national database server/data provider and they have assured us that the FBINAA national database is safe and secure.

The hacking group soon followed up with what it claimed were more hacked databases. On Saturday, 13 April, it posted a 1.1GB file containing what it said were dumps from six government databases. These appeared to be from three nonprofit associations for government professionals. Four of the hackers were from one group’s state-level chapters, according to information posted on the page.

Read more at https://nakedsecurity.sophos.com/2019/04/16/fbi-national-academy-associates-hackers-strike-twice-more/

Security weakness in popular VPN clients

By John E Dunn

Numerous enterprise VPN clients could be vulnerable to a potentially serious security weakness that could be used to spoof access by replaying a user’s session, an alert from the Carnegie Mellon University CERT Coordination Center (CERT/CC) has warned.

Connecting to an enterprise VPN gateway made by a specific company usually requires a dedicated application designed to work with it. So far, the issue has only been confirmed in applications from four vendors – Palo Alto, F5 Networks, Pulse Secure, and Cisco – but others could be affected.

The problem is the surprisingly basic one that applications have been insecurely storing session and authentication cookies in memory or log files which renders them vulnerable to misuse. CERT/CC explains:

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Which, if it were to happen on a network imposing no additional authentication, would be like handing over the privileges of an enterprise VPN to anyone able to get their hands on the vulnerable data.

Read more at https://nakedsecurity.sophos.com/2019/04/16/security-weakness-in-popular-vpn-clients/