Radiohead releases ‘OK Computer’ sessions that hacker tried to ransom

By Lisa Vaas

Well, bless your heart, the band Radiohead said after it was hacked and asked to pay a ransom for 18 hours of unheard music – a request that it eschewed, instead releasing the music on Bandcamp in order to aid Extinction Rebellion.

Want it? Here you go. It will cost you an £18 (around $23) donation to aid the climate advocacy group.

The extortionist demanded $150,000 after stealing 18 hours of music last week, according to a tweet from Radiohead guitarist Jonny Greenwood on Tuesday. It was stolen from Radiohead frontman Thom Yorke’s archive from around the time of the release of the 1997 album OK Computer.

Act fast: this offer won’t last. Greenwood said it’s good only for the next 18 days.

So, for £18 you can find out if we should have paid that ransom.

Though the music wasn’t intended for public consumption and is only “tangentially interesting,” Greenwood said, some clips did reach the cassette in the OK Computer reissue. Not only is it not particularly interesting, it’s also “very, very long,” he said – “not a phone download.”

One last blasé shrug from Greenwood:

Rainy out, isn’t it though?

Read more at https://nakedsecurity.sophos.com/2019/06/12/radiohead-releases-ok-computer-sessions-that-hacker-tried-to-ransom/

FBI warns users to be wary of phishing sites abusing HTTPS

By John E Dunn

Would you trust a website simply because the connection to it is secured using HTTPS backed by the green padlock symbol?

Not if you’re informed enough to understand what HTTPS signifies (an encrypted, secure connection with a server) and doesn’t signify (that the server is therefore legitimate).

This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.

Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.

Unfortunately, cybercriminals have spotted the confusion about HTTPS, which accounts for the growing number of phishing attacks deploying it to catch people off guard. The FBI alert confirms:

They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims’ emails that imitate trustworthy companies or email contacts.

How we got here

Today, all competently managed websites use HTTPS, a big change from even a handful of years ago when its use was limited overwhelmingly to sites either allowing password login or conducting transactions as required by the industry PCI-DSS card standard.

Read more at https://nakedsecurity.sophos.com/2019/06/12/fbi-warns-users-to-be-wary-of-phishing-sites-abusing-https/

Hackers stole photos of travelers and license plates from subcontractor

By Lisa Vaas

Images of travelers and license plates that a subcontractor copied from a database maintained by the US Customs and Border Protection (CBP) to his own network have been ripped off by hackers, the agency confirmed on Monday, adding yet more reasons for critics to warn about the perils to privacy that come with the government’s burgeoning use of facial recognition (FR) surveillance technologies.

A CBP spokesperson told news outlets that the agency learned on 21 May 2019 that the subcontractor “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”

That transfer was done in “violation of CBP policies and without CBP’s authorization or knowledge,” the spokesperson said.

First hop: improperly copied to the contractor’s network. Second hop: hacked away by malicious actor(s). The CBP spokesperson:

The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

All eyes turn to Perceptics

If it’s got any more details, the CBP isn’t giving them out. The agency hasn’t publicly named the subcontractor, nor exactly how many photos were involved.

Read more at https://nakedsecurity.sophos.com/2019/06/12/hackers-stole-photos-of-travelers-and-license-plates-from-subcontractor/

Critical flaws found in Amcrest security cameras

By John E Dunn

Looking at the spec sheet, it’s not hard to understand why someone in search of an affordable but well-specified home security camera would choose the wireless IPM-721 series from US company Amcrest.

Launched around 2015, it offers 720p HD quality, two-way audio, the ability to pan and tilt, night vision, rounded off with four hours of cloud storage for your video footage at no extra cost.

This week, we learned that the camera had another less welcome characteristic in the form of six security flaws discovered back in 2017 by a researcher at security outfit Synopsys.

The 721 family has since been superseded by newer designs, which doesn’t, of course, mean that the many thousands of people who bought the product will stop using it just because a researcher has turned up security issues.

Those cameras are out there, an unknown number of which are in a vulnerable state that an attacker might identify using the Shodan search engine if they are configured to be accessible via the internet. Ideally, these cameras need to be identified and patched as soon as possible.

There are really three issues in play here – the nature and severity of the flaws, how users should go about updating the firmware to secure their cameras, and why it’s taken until 2019 for owners to hear about them.

The flaws

According to Threatpost, which spoke to the Synopsys researcher who uncovered the flaws, there are six vulnerabilities, now identified as CVE-2017-8226, CVE-2017-8227, CVE-2017-8228, CVE-2017-8229, CVE-2017-8230 and CVE-2017-13719.

We weren’t able to track down an advisory from Amcrest, but Synopsys posted outlines of each on Bugtraq.

Read more at https://nakedsecurity.sophos.com/2019/06/11/critical-flaws-found-in-amcrest-security-cameras/

iOS 13 will map the apps that are tracking you

By Lisa Vaas

As Apple continues its privacy march, the upcoming iOS 13 mobile update will be right there, and it’s pulling tracking apps along.

Apple showed off iOS 13 last week at its Worldwide Developers Conference (WWDC).

Beta testers at 9to5Mac have discovered that the upcoming release, now in preview, will tell you what apps are tracking you in the background and will give you the option of switching them off. Ditto for iPadOS.

The new feature comes in the form of a map that displays how a given app – 9to5mac showed screenshots of popup notifications about tracking apps from Tesla and the Apple Store – has been tracking you in the background, as in, when you’re not actually using the app.

The notifications show a map of the specific location data a given app has tracked, displaying the snail-slime trails that we all leave behind in our daily travels and which so many apps are eager to sniff at for marketing purposes.

Or for other reasons, as well. Besides the map, the popups will also provide the app’s rationale for needing access to a user’s background location.

Read more at https://nakedsecurity.sophos.com/2019/06/11/ios-13-will-map-the-apps-that-are-tracking-you/