April 9, 2019
Chrome, Safari and Opera criticized for removing privacy setting
By John E Dunn
It’s a browser feature few users will have heard of, but forthcoming versions of Chrome, Safari and Opera are in the process of removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings.
This is a long-established HTML feature, set through an attribute on a link – ping – which gives website owners or advertisers a second URL that is notified whenever the link is followed, letting them monitor what users are clicking on.
When a user follows a link set up to work like this, an HTTP POST ping is sent to a second URL which records this interaction without revealing to the user that this has happened.
It’s only one of several ways users can be tracked, of course, but it’s long bothered privacy experts, which is why third-party adblockers often include it on their block list by default.
Until now, an even simpler way to block these pings has been through the browser itself, which in the case of Chrome, Safari and Opera is done by setting a flag (in Chrome you type chrome://flags and set hyperlink auditing to ‘disabled’).
Notice, however, that these browsers still allow hyperlink auditing by default, which means users would need to know about this setting to change that. It seems that very few do.
In contrast, Firefox changed the hyperlink auditing flag to off by default from version 30 in 2008, since when users have had to turn it on via about:config > browser.send_pings set to ‘true’.
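To make the mechanism concrete from the defender's side, here is an added example (not code from the article or from any browser vendor) that audits a page for hyperlink auditing: it parses the HTML, finds every `a` or `area` element carrying a `ping` attribute, resolves each ping URL against the page URL (the attribute may list several space-separated targets), and reports which ones point at a third-party host. The page URL, hostnames and markup below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PingAuditor(HTMLParser):
    """Collect hyperlink-auditing targets declared on <a> and <area> elements."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attributes = dict(attrs)
        ping = attributes.get("ping")
        if not ping:
            return
        link = urljoin(self.page_url, attributes.get("href") or "")
        # The attribute may list several space-separated ping URLs; each one
        # receives an HTTP POST when the link is followed.
        for target in ping.split():
            target_url = urljoin(self.page_url, target)
            self.findings.append({
                "link": link,
                "ping": target_url,
                "third_party": urlsplit(target_url).hostname != self.page_host,
            })


def audit_pings(html, page_url):
    """Return every ping target found in html, resolved against page_url."""
    auditor = PingAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def third_party_ping_hosts(findings):
    """Distinct hosts, other than the page's own, that would receive pings."""
    return sorted({urlsplit(f["ping"]).hostname for f in findings if f["third_party"]})


# Constructed sample page; the hostnames and paths are placeholders.
SAMPLE_PAGE_URL = "https://news.example/story"
SAMPLE_HTML = """
<a href="/archive">Archive</a>
<a href="https://partner.example/offer" ping="/log/click https://tracker.example/p?id=42">Offer</a>
<a href="https://other.example/" ping="https://tracker.example/p?id=43">Other</a>
"""

if __name__ == "__main__":
    found = audit_pings(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for finding in found:
        print(finding)
    print("third-party ping hosts:", third_party_ping_hosts(found))
```

Running this over a saved copy of a page is a quick way to see whether its links report clicks to anyone other than the site itself; the same logic could be extended to a crawler that checks every page of a site before deployment.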
Read more at https://nakedsecurity.sophos.com/2019/04/09/chrome-safari-and-opera-criticised-for-removing-privacy-setting/
Airbnb says sorry after man detects hidden camera with network scan
By Lisa Vaas
A New Zealand infosec consultant on holiday with his family in Cork saved them all from being livestreamed by a hidden spycam in an Airbnb by a) being good and paranoid and b) knowing his way around a network scan.
You can see all seven of them smiling up at the webcam in this 1 April Facebook post from Nealie Barker.
That photo came from a camera camouflaged to look like a smoke alarm. The Barker family only discovered it was actually a spycam because, as Nealie told CNN, her husband, Andrew Barker, routinely runs scans of networks when they check into lodgings and sign on to the Wi-Fi networks.
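The article does not say what Andrew Barker's scan looked like, so as an added example (not the Barkers' method or any Airbnb tooling) here is the kind of triage a practitioner runs after a port scan of a rental's Wi-Fi: parse the scan results, skip the devices you brought with you, and flag any remaining host exposing services typically associated with IP cameras and video streaming, such as RTSP on port 554. The input lines are constructed for this example and shaped like nmap's greppable (`-oG`) output, which is an assumption about the format rather than a captured scan; the hosts, ports and the set of camera hints are illustrative.

```python
import re

# Constructed sample, shaped like nmap -oG output for a rental's Wi-Fi
# network. Addresses and open ports are invented for this example.
SAMPLE_SCAN = """\
Host: 192.168.4.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///
Host: 192.168.4.12 ()\tPorts: 62078/open/tcp//iphone-sync///
Host: 192.168.4.37 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///
Host: 192.168.4.40 ()\tPorts: 8554/open/tcp//rtsp-alt///, 8080/open/tcp//http-proxy///
"""

# Services and ports commonly used by IP cameras and video streamers
# (illustrative list, not exhaustive).
CAMERA_SERVICE_HINTS = {"rtsp", "rtsp-alt", "onvif"}
CAMERA_PORT_HINTS = {554, 8554, 3702}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_greppable(text):
    """Map each scanned IP to its list of (port, service) pairs that are open."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue
        ip, _name, port_field = match.groups()
        # Anything after a tab (e.g. an "Ignored State" column) is not a port list.
        port_field = port_field.split("\t")[0]
        ports = []
        for entry in port_field.split(","):
            # Field layout: port/state/protocol/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue
            ports.append((int(parts[0]), parts[4]))
        hosts[ip] = ports
    return hosts


def flag_camera_candidates(hosts, known_devices):
    """Return (ip, reasons) for unknown hosts exposing camera-like services."""
    suspects = []
    for ip, ports in hosts.items():
        if ip in known_devices:
            continue
        reasons = [
            f"{port}/{service or '?'}"
            for port, service in ports
            if port in CAMERA_PORT_HINTS or service in CAMERA_SERVICE_HINTS
        ]
        if reasons:
            suspects.append((ip, reasons))
    return suspects


if __name__ == "__main__":
    scanned = parse_greppable(SAMPLE_SCAN)
    # Devices the family brought along (constructed); everything else is the host's.
    ours = {"192.168.4.12"}
    for ip, reasons in flag_camera_candidates(scanned, ours):
        print(f"{ip}: looks like a camera or streamer ({', '.join(reasons)})")
```

A hit is a reason to go looking, not proof: a smart TV or a media box will also answer on RTSP. The useful part is the allow-list of your own devices, which turns "many hosts" into "the two we did not bring".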
Nealie says that their first impulse was to call Airbnb. Talk about unhelpful. CNN quoted her:
They had no advice for us over the phone. The girl just said that if you cancel within 14 days, you won’t get your money back.
OK… and if you don’t pack up and vamoose, you get what? Your kids live-streamed on some creepster site, maybe? That’s certainly happened.
Next move: Andrew called the host. The host’s reaction: *Click!*
After the host initially hung up on Andrew, he later called back and insisted that the camera in the living room was the only one in the house.
Nealie:
We didn’t feel relieved by that.
She said that the host refused to say whether he was recording the livestream or capturing audio.
Read more at https://nakedsecurity.sophos.com/2019/04/09/airbnb-says-sorry-after-man-detects-hidden-camera-with-network-scan/
Hacker unlocks Samsung S10 with 3D-printed fingerprint
By Danny Bradbury
A lone security researcher just gave Samsung’s mobile phone cybersecurity technology the finger. According to a video posted on the Imgur site on Friday, it’s possible to bypass the biometrics on the new Galaxy S10 range in just a few minutes, using a 3D-printed fingerprint.
Released in February, almost every phone in the Galaxy S10 range features a fingerprint reader under the screen, contrasting with the previous generation of Galaxy S phones which put it on the back of the device. The only exception is the S10 Essential, which has a capacitive resistor on the side of the phone.
Capacitive technology is what most modern non-display fingerprint sensors use. It measures the electrical resistance between the tiny ridges and valleys of your fingerprint as they contact the sensor, creating a 2D image of it.
Under-display sensors take a different approach, using ultrasonic technology to bounce sound waves off the user’s finger. This creates a 3D ultrasound image of your fingerprint, containing information about the depth of its ridges and valleys.
Cool, right? Not according to Darkshark, an anonymous researcher who appeared to show themselves unlocking a Samsung S10 using a 3D-printed fingerprint.
In the description, Darkshark said that they photographed their finger on the side of a wine glass using their smartphone. Then they used Photoshop to increase the contrast and create an alpha mask (which is a fully-opaque version of an image). Using the 3DS Max 3D modeling software, they created a geometry displacement, which is a version of the alpha image with depth information from the original. Then, they used an Anycubic Photon resin-based 3D printer, which costs around US$500, to reproduce the print.
Read more at https://nakedsecurity.sophos.com/2019/04/09/hacker-unlocks-samsung-s10-with-3d-printed-fingerprint/
Fired sysadmin pleads guilty to doxxing five senators on Wikipedia
By Lisa Vaas
Jackson A. Cosko, a former sysadmin for US Sen. Maggie Hassan, has admitted to breaking into her office after he got fired, installing keyloggers, and using ripped-off employee credentials to get into senators’ Wikipedia entries so as to dox their contact information, the Department of Justice (DOJ) announced on Friday.
Cosko, 27, pleaded guilty to two counts of making public restricted personal information, one count of computer fraud, one count of witness tampering and one count of obstruction of justice related to publicizing the private information of five senators in autumn 2018.
He’s looking at between 30 and 57 months of prison time. The plea agreement also requires Cosko to forfeit computers, cellphones and other equipment he used in the crimes.
Getting fired steamed him
In his plea agreement, Cosko admitted that he was angry after getting fired from his job as a sysadmin at Hassan’s office in May 2018 and knew it would make it tough for him to get a new job.
The office had shut down his work accounts, but that didn’t stop Cosko from burglarizing the senator’s office at least four times. He started his nighttime forays in July, letting himself in with a former colleague’s keys. That former colleague has since also left the office, according to Hassan’s staff. At least once, the colleague allegedly handed Cosko the keys knowing that Cosko was going to enter the office illegally, according to the plea agreement.
During the burglaries, Cosko carried out what the court filing called “an extraordinarily extensive data theft scheme,” copying entire network drives and then cherry-picking the nuggets of sensitive information he might be able to use later. He stole the data by installing unobtrusive, innocent-looking keyloggers on at least six computers.
Read more at https://nakedsecurity.sophos.com/2019/04/09/fired-sysadmin-pleads-guilty-to-doxxing-five-senators-on-wikipedia/
Bootstrap supply chain attack is another attempt to poison the barrel
By Lisa Vaas
Last week, malicious code was slipped into Bootstrap for Sass, the free, open-source, very popular, and widely deployed front-end web framework.
The good news: the good guys stamped it into oblivion lickety-split.
According to the timeline provided by Snyk – a company that provides tools to find and fix known vulnerabilities in open source code – the malicious version of the package was published on the RubyGems repository for Ruby libraries on 26 March (but not on GitHub, where the library’s source code was being managed).
Malicious actors had rigged that bad package – version 3.2.0.3 – with a stealthy backdoor that would have allowed for remote code execution (RCE) in server-side Rails applications.
Later that same day, software developer Derek Barnes smelled a rat and opened a GitHub issue for what he thought was a suspicious snippet of code in the brand-new – what would turn out to be malicious – version 3.2.0.3 of bootstrap-sass. Just an hour later, the malicious version was yanked from the RubyGems repository, and the two developers responsible for maintaining the code had updated their credentials.
As of Wednesday, it hadn’t yet been confirmed how the attacker(s) had managed to publish the malicious RubyGem package, but the assumption was that they had gotten hold of a set of credentials.
So that’s the good news: it was spotted and dealt with very quickly, so kudos to Derek Barnes for spotting the problem and to everybody else who jumped on the fix so fast.
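The detail that matters for defenders is that the malicious version existed only on RubyGems and never in the GitHub repository. That gap is checkable: compare the files inside a published package against the source tree at the matching tag. The following is an added example (not Snyk's tooling, not the bootstrap-sass project's code) that fingerprints two file trees with SHA-256 and reports files added, modified or missing in the package relative to the source. The trees are constructed in memory with a placeholder gem name; in practice you would fill them from an unpacked `.gem` and a `git checkout` of the tag.

```python
import hashlib


def sha256_hex(data):
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def fingerprint_tree(files):
    """Map each path to the hash of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_package_against_source(source_files, package_files):
    """Compare a published package with the tagged source it claims to be built from.

    Both arguments map relative paths to file bytes. Returns the paths that
    exist only in the package, that differ, and that the package dropped.
    """
    source = fingerprint_tree(source_files)
    package = fingerprint_tree(package_files)
    return {
        "added": sorted(path for path in package if path not in source),
        "modified": sorted(path for path in package
                           if path in source and package[path] != source[path]),
        "missing": sorted(path for path in source if path not in package),
    }


def package_matches_source(source_files, package_files):
    """True only when the package is byte-for-byte what the tagged source contains."""
    report = diff_package_against_source(source_files, package_files)
    return not (report["added"] or report["modified"] or report["missing"])


# Constructed sample trees for a placeholder gem called "example"; the
# contents are invented and carry no real code.
SOURCE_TREE = {
    "lib/example/version.rb": b"module Example\n  VERSION = '1.0.0'\nend\n",
    "lib/example/engine.rb": b"require 'example/version'\n",
}
# The package is the source plus one extra require and one extra file,
# mimicking the situation where a release differs from its repository.
PACKAGE_TREE = dict(SOURCE_TREE)
PACKAGE_TREE["lib/example/engine.rb"] = (
    SOURCE_TREE["lib/example/engine.rb"] + b"require 'example/extra'\n"
)
PACKAGE_TREE["lib/example/extra.rb"] = b"# present only in the published package\n"

if __name__ == "__main__":
    report = diff_package_against_source(SOURCE_TREE, PACKAGE_TREE)
    for kind, paths in report.items():
        print(f"{kind}: {paths or '-'}")
    print("package matches source:", package_matches_source(SOURCE_TREE, PACKAGE_TREE))
```

Any non-empty "added" or "modified" list for a release that is supposed to be a straight build of the tag is worth a look before the version reaches production, which is exactly the kind of discrepancy that an hour's head start would have caught here.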
Read more at https://nakedsecurity.sophos.com/2019/04/08/bootstrap-supply-chain-attack-is-another-attempt-to-poison-the-barrel/