May 21, 2019

Amnesty sues maker of Pegasus, the spyware let in by WhatsApp zero day

By Lisa Vaas

Last week, Facebook’s WhatsApp whispered out a warning to update the mobile messaging app after learning that it had a vulnerability that really deserved to be shouted from the rooftops: a zero-day vulnerability that allowed hackers to silently install government spyware onto victims’ phones had been exploited in the wild.

The zero day meant that with just one call, spies could access your phone and plant spyware – specifically, the notorious Pegasus software.

Pegasus has been unleashed against Mexican political activists; targeted at the human rights-focused NGO Amnesty International in a spearphishing attack; and used against Ahmed Mansoor, a prominent human rights activist and political dissident in the United Arab Emirates who was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) after being charged with “insulting the UAE and its symbols”.

WhatsApp quickly patched the vulnerability.

Just as quickly, Amnesty International filed a lawsuit that seeks to stop the “web of surveillance” it says is enabled by NSO Group, the Israeli firm that makes Pegasus.

Last Monday, Amnesty announced that it’s taking the Israeli Ministry of Defense (MoD) to court to force it to revoke NSO Group’s export license.

Thirty members and supporters of Amnesty International Israel and others from the human rights community are alleging that NSO Group’s spyware has been used to surveil Amnesty staff and other human rights defenders, thereby putting human rights at risk.


Rats leave the sinking ship as hackers’ forum gets hacked

By Lisa Vaas

Prepare yourself for the warm glow of schadenfreude: OGUsers, a forum devoted to trading stolen Instagram, Twitter and other accounts, has apparently been hacked, its forum hard drives wiped, and its user database stolen and published on a rival hacking community site for any and all comers to download for free.

As Motherboard reported last year, OGUsers – called OGU by its members – is a forum popular among hackers who specialize in hijacking people’s accounts, particularly through SIM swapping.

Trading in desirable usernames

Launched in April 2017, the forum is a market for buying and selling “OG” usernames. That’s short for “original gangster” and refers to usernames that are considered desirable, whether it’s because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few.

According to Motherboard, OGUsers traded in hijacked social media accounts, as well as in PlayStation Network, Steam, Domino’s Pizza, and other online accounts.

The administrator of OGUsers, known as “Ace”, announced the attack in a post on the forum on 12 May 2019. According to security journalist Brian Krebs, Ace told forum members that an outage had been caused by hard drive failure that erased months’ worth of private forum posts and prestige points. Ace said they’ve restored a backup from January 2019.


WordPress plugin sees second serious security bug in six weeks

By Danny Bradbury

Researchers have uncovered the second serious bug in a WordPress plugin this month that could lead to the mass compromise of WordPress websites.

The bug in the WP Live Chat Support plugin allows attackers to inject their own code into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on affected websites. 

WP Live Chat Support is an open source third-party plugin for WordPress that allows users to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.

According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a way for one piece of code to interact with and change another. 

WordPress calls the admin_init hook whenever someone visits a WordPress site’s admin page, and developers can use it to call various functions at that point.

The problem is that admin_init doesn’t require authentication, meaning that anyone who visits the admin URL can cause it to run code. WP Live Chat’s admin hook calls an action called wplc_head_basic, which updates the plugin settings without checking the user’s privileges. 

An unauthenticated attacker could use this flaw to update a JavaScript option called wplc_custom_js. That option controls the content that the plugin displays whenever its live chat support window appears. An attacker can insert malicious JavaScript into multiple pages on a WordPress-powered website, the researchers explain.
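The admin_init pattern the researchers describe, shown as an added illustrative example beside a hardened version. This is not the WP Live Chat Support plugin's own code: the hook, action and option names come from the article above, while the function bodies and the nonce name are assumptions.

```php
<?php
// Added example, not the plugin's real source. It shows why an unguarded
// admin_init handler is dangerous and what the guard should look like.

// VULNERABLE PATTERN: admin_init does not require an authenticated user,
// so a handler that writes a setting straight from the request lets an
// unauthenticated visitor overwrite wplc_custom_js (the JS the chat window
// embeds on every page). Shown only for contrast; not hooked below.
function wplc_head_basic_vulnerable() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        update_option( 'wplc_custom_js', $_POST['wplc_custom_js'] ); // no auth, no nonce
    }
}
// add_action( 'admin_init', 'wplc_head_basic_vulnerable' );  // the flawed wiring

// HARDENED PATTERN:
//  1. capability check, so anonymous and low-privilege users stop here;
//  2. nonce check, so a logged-in admin cannot be CSRF'd into the write;
//  3. explicit unslashing, so what is stored is what the admin submitted.
function wplc_head_basic_hardened() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // The option holds raw script, so require the capability WordPress uses
    // for unfiltered script ('unfiltered_html') in addition to settings rights.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    // 'wplc_save_settings' / 'wplc_nonce' are assumed names; the settings form
    // must emit the matching token via wp_nonce_field( 'wplc_save_settings', 'wplc_nonce' ).
    // check_admin_referer() terminates the request if the nonce is missing or stale.
    check_admin_referer( 'wplc_save_settings', 'wplc_nonce' );

    $js = wp_unslash( $_POST['wplc_custom_js'] );
    update_option( 'wplc_custom_js', $js );
}
add_action( 'admin_init', 'wplc_head_basic_hardened' );
```

The capability check is the control that closes the unauthenticated path; the nonce only protects against a tricked administrator, so neither replaces the other.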


CEO told to hand back 757,000 fraudulently obtained IP addresses

By John E Dunn

A company accused of fraudulently obtaining 757,000 IPv4 addresses has been ordered to hand them back after the American Registry for Internet Numbers (ARIN) won a landmark judgment against it.

The dispute began in late 2018 when ARIN, which allocates IPv4 addresses in the US, Canada and parts of the Caribbean on a non-profit basis, discovered that a company called Micfo and its owner Amir Golestan had fraudulently tricked it into handing over the IP blocks.

IPv4 addresses are in incredibly short supply (see below), which means that getting hold of them involves waiting lists. Scarcity also makes them valuable on resale – between $13 and $19 each. That would make the IP addresses Micfo obtained worth between $9.8 million and $14.3 million.

Not surprisingly, cases of pocket-lining IP address fraud have risen, as ARIN’s senior director of global registry knowledge warned in a conference presentation in 2016.

Second-hand addresses

How do the fraudsters get hold of the addresses? By using the simple technique ARIN accused Micfo of deploying.

The key is that a lot of IPv4 addresses were handed out in the past when nobody worried about shortages, and a surprising proportion of those addresses fell into disuse.

Criminals attempt to detect these dormant ranges using public data from ARIN and Whois, checking which ones are still being used (i.e. routed).

If they’re not, and no longer have an active admin, they attempt to take them over using re-registration, claiming rights to them from ARIN.


Brave browser concerned that Client Hints could be abused for tracking

By Danny Bradbury

Brave, the privacy-focused browser, has criticised an industry proposal that it says would make it easier for websites to identify a browser using a passive, cookie-less technique called fingerprinting.

Called HTTP Client Hints, the proposal provides a standard way for a web server to ask a browser for information about itself. It comes from the Internet Engineering Task Force (IETF). This organization works with industry members to create voluntary standards for internet protocols, and it has a lot of power. It standardized TCP and HTTP, two of the internet’s foundational protocols. 

HTTP already offers a technique called proactive negotiation, which lets a server ask a browser about itself. This technique makes the browser describe its capabilities every time it sends a request, though. That takes too much bandwidth, says the IETF.

Client Hints makes things easier. It defines a new response header that servers can send whenever they like, asking the browser for information about things like its display width and height in pixels, the amount of memory it has, and its color depth. 

The IETF says that Client Hints would make it easier for servers to deliver the right content for a browser. You wouldn’t want a massive picture delivered if you’re viewing on a mobile device, for example.

So, Client Hints doesn’t seem to ask the browser for information that a server couldn’t already find by other means. And, in fact, in its security guidelines for those implementing the proposed standard, the IETF urges them not to request any information that isn’t already available to the server via other means (such as HTML, CSS, or JavaScript).
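The exchange described above from the server's side, as an added example that is not from the article or the IETF draft. It uses the Accept-CH response header and the DPR and Viewport-Width request hints defined in the draft; the function names and the sample headers are constructed.

```php
<?php
// Added example of the Client Hints exchange (server side).

// Step 1: the server opts in by telling the browser which hints it wants.
// Request only hints the page could derive anyway (viewport size, DPR) and
// nothing it does not need; that is the privacy guidance in the draft.
function send_accept_ch_header() {
    header( 'Accept-CH: DPR, Viewport-Width' );
}

// Step 2: on later requests the browser may add the hints (in PHP they
// surface as $_SERVER['HTTP_VIEWPORT_WIDTH'] and $_SERVER['HTTP_DPR']).
// Treat them as untrusted, optional input: many browsers never send them.
function pick_image_width( array $headers, int $default = 800, int $max = 2000 ) : int {
    $vw  = isset( $headers['Viewport-Width'] ) ? (int) $headers['Viewport-Width'] : 0;
    $dpr = isset( $headers['DPR'] ) ? (float) $headers['DPR'] : 1.0;
    if ( $vw <= 0 ) {
        return $default;                       // no usable hint: fallback size
    }
    $dpr = min( max( $dpr, 1.0 ), 3.0 );       // clamp nonsense values
    return (int) min( $vw * $dpr, $max );      // never exceed what is hosted
}

// Constructed sample hints, as a phone-sized browser might send them.
$sample = [ 'Viewport-Width' => '412', 'DPR' => '2.6' ];
echo pick_image_width( $sample ), "\n";       // 1071
echo pick_image_width( [] ), "\n";            // 800 (browser sent no hints)
```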


