September 23, 2019

Google pulls more fake adblockers from Chrome Web Store

By John E Dunn

Google has again been reprimanded for not spotting fake extensions impersonating popular brands in its Chrome Web Store.

The victims this time were AdBlock by AdBlock Inc (easily confused with legitimate extension AdBlock by getadblock) and uBlock by Charlie Lee (similar-sounding to uBlock.org’s uBlock or Raymond Hill’s uBlock Origin).

The impersonation was made public in a blog by rival adblocker maker, AdGuard, whose Andrey Meshkov decided to take a closer look at the fake software’s behavior.

The short and surprising answer – they block ads – perhaps not a huge ask given that both appear to have been based on the same code as the original AdBlock.

However, according to Meshkov, 55 hours after installation, they start doing something called ‘cookie stuffing’, a common ad fraud technique.

Cookie stuffing

Normally, an eCommerce website will check cookies to work out how that user arrived at their site, paying a fee to the affiliate responsible when a purchase is made.

It’s a hidden cornerstone of the internet economy which criminals subvert by ‘dropping’ floods of cookies on to a computer to make it appear the user clicked on an affiliate ad when they didn’t.

Because only a small number of users will make a purchase from a site, the fraudsters need to sneak their cookie stuffing programs on to as many computers as possible. Writes Meshkov:

These two add-ons have more than 1.6 Million ‘weekly active users’, who were stuffed with cookies of over 300 websites from Alexa Top 10,000. It is difficult to estimate the damage, but I’d say that we are talking about millions of USD monthly.

Unchecked, it’s easy to see how this sort of scam could cost large brands a lot of money which explains why a handful of people accused of this scam in the US have ended up in jail.

Read more at https://nakedsecurity.sophos.com/2019/09/23/google-pulls-more-fake-adblockers-from-chrome-web-store/

Could EarEcho change the way we authenticate our phones?

By Danny Bradbury

We’re used to identifying ourselves to our phones using our fingers, our faces, and even our irises, but now, researchers are targeting a new piece of our body that they say could be the perfect identifier: The inside of our ears.

Researchers at University at Buffalo, State University of New York and Syracuse University have discovered a way to use wireless earbuds as a biometric authentication system. Called EarEcho, it uses a small microphone inserted in a regular pair of wireless earbuds. When the earbuds play audio, it records the sound that bounces back from the ear canal, creating a unique profile of the user’s inner ear.

EarEcho feeds the audio that the microphone picks up into a support vector machine (SVM), which is a machine learning model that learns how to identify the user’s unique ear pattern.

The result is an accurate verification method, according to their paper. It tested the system on 20 subjects, listening to five different pieces of prerecorded conversation in different environments such as a shopping mall, a cafe, and the street. It reached around 97.5% accuracy when identifying people based on just three seconds of audio, it reported.

More secure than other biometrics?

Fingerprints may be among the most popular biometric authentication methods, say the researchers, but they argue it is also subject to spoofing attacks. They also criticize facial recognition, and specifically Apple’s FaceID, for the same reason (researchers claim to have spoofed Apple’s technology before and we know there are use cases that it has difficulty coping with). Earbud-based authentication is a better idea, they added:

With the popularization of wireless earphones, more and more users are getting used to wearing earphones while working, studying or strolling…

Compared with face IDs, fingerprints and voiceprints, the EarEcho presents a more unobtrusive authentication approach with great usability potentials.

Read more at https://nakedsecurity.sophos.com/2019/09/23/could-earecho-change-the-way-we-authenticate-to-our-smartphones/

Two charged with tech-support scamming the elderly for $10m

By Lisa Vaas

Two US people have been charged with the alleged tech-support scumbaggery of spooking old people by shoving scary “Your computer has a virus, call us!!!!” pop-ups in their faces and then fleecing them for services they didn’t need and never got.

The band of crooks did this to about 7,500 victims, most of them elderly, shaking them down for more than $10 million.

The US Attorney’s Office for the Southern District of New York announced the arrests last week, on Wednesday, 18 September.

On that day, police arrested Romana Leyva, 35, of Las Vegas, and Ariful Haque, 33, of Bellerose, New York. They’re both being charged with one count of wire fraud and one count of conspiracy to commit wire fraud. Each charge carries a maximum sentence of 20 years in prison, though maximum sentences are rarely handed out.

Targeting the elderly in US and Canada

According to the indictment, from March 2015 through December 2018, the two were allegedly members of a fraud gang based in the US and India that targeted the elderly across the US and Canada. The goal: to snooker seniors into believing that their computers were riddled with malware so that they’d pony up hundreds or thousands of dollars for bogus computer repair services.

They’d cause pop-up windows to appear on victims’ computers that lied about their systems being infected with a virus. Better call this number, the pop-ups urged, to get some tech support to help you out. Sometimes, those pop-ups scared victims with dire prognostications: don’t restart or shut down your computer, they’d warn, lest it “cause serious damage to the system,” including “complete data loss”!

Sometimes, the crooks gussied up those pop-ups with official corporate logos – which, of course, they ripped off and which they had no lawful right to plaster on top of their bucket of lies – from what the indictment referred to as a “well-known, legitimate technology company.”

Read  more at https://nakedsecurity.sophos.com/2019/09/23/two-charged-with-tech-support-scamming-the-elderly-for-10m/

Server-squashing zero-day published for phpMyAdmin tool

By Danny Bradbury

A researcher has just published a zero-day security bug in one of the web’s most popular database administration software packages.

The bug makes it possible for an attacker to delete a server by hijacking a user’s account in phpMyAdmin, a 21-year-old open-source tool used to manage MySQL and MariaDB databases.

The flaw is a classic cross-site request forgery (CSRF). It’s a long-used attack in which an attacker can force a logged-in user’s browser to perform malicious actions such as changing their account details. A browser request includes any details associated with the site, such as the user’s session cookie, making it difficult to distinguish between the real request and a forged one.

The bug report on the Full Disclosure mailing says that an attack would have to target phpMyAdmin’s setup page. The CVE listing for the bug gives it a medium severity rating.

According to the Full Disclosure listing, an attacker can create a fake hyperlink containing the malicious request. It mentions that the CSRF attack is possible because of an incorrectly used HTTP method.

The researcher who discovered it, Manuel Garcia, explained to us:

The post/get requests are not validated. To avoid the CSRF attacks you need to implement a token.

Read more at https://nakedsecurity.sophos.com/2019/09/20/server-squashing-zero-day-published-for-phpmyadmin-tool/

IBM’s new 53-qubit quantum ‘mainframe’ is live in the cloud

By John E Dunn

IBM has boosted its growing stable of quantum computers with a new 53-quantum bit (qubit) device, the most powerful ever offered for commercial use.

Google announced a more powerful 72-qubit ‘Bristlecone’ model last year, but that was for its internal techies only. IBM’s, by contrast, feels significant because it can be used by absolutely anyone who can find a use for such a computer.

The new and still-to-be-named computer will sit in the company’s Quantum Computation Center in Poughkeepsie, New York State, which has recently turned into a hotbed for commercial development.

The facility also houses an array of older quantum computers, including five with 20 qubits (including the first Q System One launched in January), four with 5 qubits, and one with 14 qubits.

The involvement of Poughkeepsie is no coincidence – this is the heritage site where IBM built many of the mainframes that made its name synonymous with business computing.

Might quantum computers be on course to be the mainframes of the 21st century?

Lab coats

Readers will doubtless know that the qubit is a rough measure of the amount of work a quantum computer can do (read our detailed backgrounder on how quantum computers work for more on this), which loosely parallels the number of bits in a classical computer.

It’s not a perfect analogy, but what matters is that the more qubits you have, the more work you can do (IBM favors a different measure called ‘quantum volume’ which takes into account things such as connectivity and ‘gate set’ performance, algorithm errors, and the efficiency of software and compilers).

Read more at https://nakedsecurity.sophos.com/2019/09/20/ibms-new-53-qubit-quantum-mainframe-is-live-in-the-cloud/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation