Turns out that you can’t trust ‘Trump free Wifi’ at the Republican National Convention

The cheeky japesters at Avast created a series of fake Wi-Fi networks at various locations around the Republican National Convention in Cleveland, as Silicon Angle reports:

Avast’s team set up several networks, using names such as “Trump free Wifi” or “Google Starbucks,” which were designed to look as though they were set up for convention attendees. Upon connecting, trusting a random and unprotected network they found in a public setting, the users unwittingly gave Avast access to spy on their devices.

Over the course of a day, Avast found over a thousand attendees that were completely negligent in their device’s security. Over 60 percent of the users who connected had their identity completely exposed, and slightly less than half of them checked their email or used messenger apps.

By the way, whether the SSID “Trump free Wifi” is supposed to represent a Wi-Fi that is “free of Trump”, or “free on behalf of Trump” is unclear to this writer. Your preference may vary.

Apparently some RNC attendees also used the fake Wi-Fi hotspots to access their umm.. Tinder and Grindr accounts. Oh, and about 5.1% of people who accessed the phony free Wi-Fi used it to play Pokémon Go.

I guess they wanted to mix the serious business of choosing a US presidential candidate with a little fun. Who can blame them?

You should always take care over which Wi-Fi hotspots you connect to, and use a VPN to help keep your sensitive information out of the hands of snoopers. It is also worth noticing which of your apps still talk plain HTTP: on an open hotspot, anything sent unencrypted is readable by whoever runs the access point, VPN or not.
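As an added example (my own code, not Avast’s tooling and not part of the original post), here is what the operator of a rogue hotspot can actually read from a client’s traffic: a plaintext HTTP request gives up the host, path and cookies, while a TLS connection gives up only the server name carried in the ClientHello’s SNI extension. The HTTP request, host names and cookie value are constructed sample data, and the ClientHello is built by the script itself rather than captured.

```python
import struct

# Constructed sample: a plaintext HTTP request as a phone might send it to
# an app backend that still uses http://. Everything in it is visible to
# whoever runs the access point.
SAMPLE_HTTP = (
    b"GET /inbox?user=attendee42 HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Cookie: session=0badf00d\r\n"
    b"\r\n"
)


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Constructed sample traffic for the demo, not a capture."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + bytes(32)             # random (zeroed in the sample)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes):
    """Walk a TLS ClientHello record and return the SNI host name, or None if
    the bytes are not a well-formed ClientHello carrying server_name.
    Truncated input raises IndexError/struct.error inside; both map to None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                       # not a handshake / ClientHello
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                          # skip client_version and random
        pos += 1 + body[pos]                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                  # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end <= len(body):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue                      # not server_name
            lpos = 2                          # skip server_name_list length
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                (name_len,) = struct.unpack("!H", ext[lpos + 1:lpos + 3])
                if name_type == 0:            # host_name
                    return ext[lpos + 3:lpos + 3 + name_len].decode("ascii", "replace")
                lpos += 3 + name_len
    except (IndexError, struct.error):
        return None
    return None


def http_request_summary(data: bytes):
    """Return what an on-path observer learns from a plaintext HTTP request:
    method, path, Host and Cookie. None if the bytes are not an HTTP request."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1],
            "host": headers.get("host"), "cookie": headers.get("cookie")}


def observe(packet: bytes) -> str:
    """Classify one client-to-server payload the way a rogue AP would."""
    http = http_request_summary(packet)
    if http:
        return "PLAINTEXT %s %s host=%s cookie=%s" % (
            http["method"], http["path"], http["host"], http["cookie"])
    sni = tls_sni(packet)
    if sni:
        return "TLS to %s (content encrypted, only the host name leaks)" % sni
    return "unrecognised payload"


if __name__ == "__main__":
    for pkt in (SAMPLE_HTTP, build_client_hello("chat.example.net")):
        print(observe(pkt))
```

The asymmetry is the practical point behind the VPN advice: over an open hotspot the access point sees every byte, so whether an inbox check or messenger session is exposed comes down to whether that particular app used TLS. A VPN moves the trust from the hotspot owner to the VPN provider, and the hotspot then sees only the tunnel endpoint.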

You can learn more about Avast’s findings in its press release.

Salesforce will only support Nexus and Samsung Galaxy phones to avoid Android fragmentation

Ina Fried at Recode writes:

One of the big challenges for Android app developers is the fact that there are just so many different phones out there using a variety of versions of Google’s operating system.

That often means a lot more time and money spent testing and supporting Android than Apple’s iOS, but with Android running on the majority of smartphones out there, what’s a large developer to do?

Salesforce is taking a rather unusual stance in an effort to avoid this problem. Starting with an update to its Salesforce1 app later this year, the company will offer support for its app only to those using certain Google Nexus or Samsung Galaxy devices.

When I have friends and family who ask me which Android they should buy, I normally answer by saying “Get an iPhone instead.”

Because security updates matter.

When they continue to insist they *really* do want an Android, I tell them to get a Google Nexus. Or, maybe at a stretch, a Samsung. But personally I would steer clear of anything else because of this fragmentation issue.

Seems like I was right, or at least Salesforce agrees with me. Android is a painful operating system to properly support.

When popular apps like Salesforce basically throw in the towel and admit it’s too hard to properly support the multitude of different devices running Android, you know you’ve got a problem.

Russian security firm linked to cybercrime gang

Brian Krebs has been doing what he does best, following a trail of clues scattered across the internet and joining the dots.

This week he followed up on information shared with him by security researcher Ron Guilmette, who uncovered “interesting commonalities” in website registration records, revealing strange links between a Russian security firm called Infocube (also known as Infokube) and the notorious Carbanak cybercrime gang.

Carbanak, of course, has been blamed for stealing hundreds of millions of dollars, after targeting e-payment systems and installing malware on ATM infrastructure that resulted in theft from cash machines.

Infokube, meanwhile, claims to work with some of the best known firms in computer security.

Krebs reached out to Artem Tveritinov, Infokube’s apparent CEO, to ask if he had any explanation for the website registration details showing such similarities:

“Our company never did anything illegal, and conducts all activities according to the laws of Russian Federation,” Tveritinov said in an email. “Also, it’s quite stupid to use our own personal data to register domains to be used for crimes, as [we are] specialists in the information security field.”

Krebs reports that as he sent Tveritinov questions by email, the Russian deleted his social media presence:

I noticed that the Vkontakte social networking profile that Tveritinov had maintained regularly since April 2012 was being permanently deleted before my eyes. Tveritinov’s profile page and photos actually disappeared from the screen I had up on one monitor as I was in the process of composing an email to him in the other.

Read the whole fascinating story on Krebs on Security.

Adobe cockup means you may have two different versions of Flash installed on your PC

Shaun Nichols writing for The Register:

Adobe says a buggy installer is the reason some people have two different versions of Flash Player on their Windows PCs.

The software house told The Register it had to create an additional build of the browser plugin specifically for Microsoft’s Internet Explorer after the version made for other browsers – such as Mozilla’s Firefox and Microsoft’s Edge – wouldn’t install properly for IE.

So, for example, if you have Internet Explorer and Firefox on your machine, you’ll have two slightly different copies of Flash that should be functionally the same.

Quality control? Testing? What’s that then?

I wouldn’t blame you if you feel that this is the straw that broke the camel’s back. Here is how to completely uninstall Adobe Flash from your computer.

Android banking malware stops you calling customer service to cancel your cards

Symantec describes some Android banking malware making things more complicated for victims in Russia and South Korea:

Typically, when a banking customer calls a customer care number through a registered mobile device, their call will be routed to an Interactive Voice Response (IVR) System. By blocking these numbers, the malware creators can stop a victim from asking their bank to cancel payment cards that the variants stole. This also gives the malware more time to steal data from the compromised device. Affected users can still find other channels, such as email or landline calls, to reach customer care.

We’re used to seeing malware preventing victims from reaching anti-virus company websites, now we have banking malware stopping you from calling the banks.

Although this particular malware appears to be targeting Russians and South Koreans, there is clearly the opportunity for this technique to be used elsewhere in the world.

How you could steal money from Instagram, Microsoft and Google with help from a premium rate phone number

Researcher Arne Swinnen found an ingenious way to make money from the likes of Google, Microsoft and Instagram - getting their two-factor authentication registration schemes to call a premium rate phone number:

They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/… Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number

Swinnen told the tech companies concerned about the issue. Despite the fact that it was clear that no customer data was being put at risk through the technique (the actual potential damage was for the tech companies to lose some cash), the researcher was awarded $2000 and $500 by Instagram’s and Microsoft’s respective bug bounties.
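The missing check Swinnen describes, as an added example (my own code, not anything from Google, Microsoft or Instagram, and not from the original post): a gate in front of a voice-OTP call that normalises the number to E.164, refuses premium-rate destinations, and caps both concurrent and hourly calls per number, since the unlimited concurrent calls are what made one of the targets so cheap to farm. The premium-rate prefixes, the caps and the sample numbers are illustrative assumptions; a real deployment would take the ranges from numbering-plan data rather than a hard-coded tuple.

```python
import re
import time
from collections import defaultdict

# Illustrative premium-rate prefixes in E.164 form. Assumption: UK 09xx,
# US/Canada 1-900 and Belgian 090x are premium ranges; a real deployment
# would load the full list from numbering-plan data rather than hard-code it.
PREMIUM_PREFIXES = ("+1900", "+449", "+3290")
MAX_CONCURRENT_CALLS_PER_NUMBER = 1   # one in-flight call per destination
MAX_CALLS_PER_NUMBER_PER_HOUR = 3     # caps the billable minutes an attacker can farm
HOUR = 3600


def normalise_e164(raw: str):
    """Reduce user input to +<country code><digits>, or None if it is not a
    plausible E.164 number (leading '+', then 7 to 15 digits)."""
    stripped = re.sub(r"[\s().-]", "", raw)
    if re.fullmatch(r"\+[1-9]\d{6,14}", stripped):
        return stripped
    return None


class VoiceOtpGate:
    """Decide whether a 'call me with my code' request may be placed."""

    def __init__(self):
        self.in_flight = defaultdict(int)     # number -> calls in progress
        self.started = defaultdict(list)      # number -> recent start times

    def request_call(self, raw_number: str, now: float = None):
        """Return (True, normalised number) or (False, reason)."""
        now = time.time() if now is None else now
        number = normalise_e164(raw_number)
        if number is None:
            return False, "malformed number"
        if number.startswith(PREMIUM_PREFIXES):
            return False, "premium-rate destination refused"
        if self.in_flight[number] >= MAX_CONCURRENT_CALLS_PER_NUMBER:
            return False, "call already in progress"
        recent = [t for t in self.started[number] if now - t < HOUR]
        if len(recent) >= MAX_CALLS_PER_NUMBER_PER_HOUR:
            return False, "hourly call cap reached"
        recent.append(now)
        self.started[number] = recent
        self.in_flight[number] += 1
        return True, number

    def call_finished(self, raw_number: str):
        """Release the concurrency slot once the telephony provider hangs up."""
        number = normalise_e164(raw_number)
        if number and self.in_flight[number] > 0:
            self.in_flight[number] -= 1


if __name__ == "__main__":
    gate = VoiceOtpGate()
    # Constructed sample inputs: a US 900 number, a UK 09 number, a UK London number.
    for attempt in ("+1 (900) 555-0100", "+44 909 879 0000", "+44 20 7946 0000"):
        print(attempt, "->", gate.request_call(attempt, now=0.0))
```

The prefix check is the cheap part; the per-number concurrency and hourly caps are what stop a single attacker-controlled number from being dialled thousands of times in parallel, which is the difference between a nuisance and a payout.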

You can learn more in Arne Swinnen’s blog post.

Ubuntu Forums hacked (again)

Canonical, the company behind Ubuntu, has warned that there has been a security breach on the Ubuntu Forums site, resulting in the theft of two million members’ usernames, IP addresses, and email addresses:

At 20:33 UTC on 14th July 2016, Canonical’s IS team were notified by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the Forums database.

After some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.

Yes, you read that correctly. A patch was available, but no-one bothered to install the patch at Ubuntu Forums.

What a goof. If you don’t patch the software running on your website, don’t be surprised if a hacker compromises your system and makes off with your customers’ data.
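For readers who have not seen why one unpatched SQL injection hands an attacker a whole user table, here is an added example (my own code, not the Forumrunner add-on and not anything from the Ubuntu Forums post), with an in-memory SQLite database standing in for the forum: the vulnerable search pastes the keyword straight into the SQL text, so a crafted keyword closes the string literal and UNIONs the users table into the result; the fixed version binds the keyword as a parameter. The schema, rows and attacker input are all constructed.

```python
import sqlite3


def make_forum_db() -> sqlite3.Connection:
    """Constructed sample schema: a public posts table and a users table the
    search feature was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            email TEXT, last_ip TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO users (username, email, last_ip) VALUES
            ('alice', 'alice@example.org', '203.0.113.7'),
            ('bob',   'bob@example.org',   '198.51.100.23');
        INSERT INTO posts (title) VALUES
            ('Wifi driver not loading after upgrade'),
            ('How do I set up full-disk encryption?');
    """)
    return conn


def search_titles_vulnerable(conn, keyword: str):
    """The classic mistake: user input is pasted into the SQL text, so a quote
    in the keyword ends the string literal and the rest is executed as SQL."""
    sql = "SELECT title FROM posts WHERE title LIKE '%%%s%%'" % keyword
    return [row[0] for row in conn.execute(sql)]


def search_titles_safe(conn, keyword: str):
    """Parameterised query: the keyword is bound as data, never parsed as SQL."""
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


# Constructed attacker input: close the LIKE literal, UNION in the users
# table, and comment out the trailing %' that the query template appends.
EXFIL_KEYWORD = ("x' UNION SELECT username || ',' || email || ',' || last_ip "
                 "FROM users --")


if __name__ == "__main__":
    db = make_forum_db()
    print("vulnerable:", search_titles_vulnerable(db, EXFIL_KEYWORD))
    print("safe:      ", search_titles_safe(db, EXFIL_KEYWORD))
```

Against the vulnerable function the attacker gets usernames, emails and last IPs back in the search results, which is exactly the three fields Canonical says were taken. The parameterised version returns nothing for the same input because the whole keyword, quotes and comment marker included, is matched as a literal.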

If you think you may have heard a similar story in the past, your memory isn’t deceiving you. Ubuntu Forums was previously hacked in 2013.

Be careful in your inbox. Massive Locky ransomware campaign underway

F-Secure is warning computer users about a significant increase in sightings of the Locky ransomware, typically spammed out posing as invoices or profiles for positions at your company.

Here is how researcher Päivi Tynninen described the scale of the malware campaign:

Yesterday, Tuesday, we saw two new campaigns with a totally different magnitude: more than 120,000 spam hits per hour. In other words, over 200 times more than on normal days, and 4 times more than on last week’s campaigns.

If you make the mistake of opening one of the ZIP files attached to the spammed-out messages, you will find a JavaScript file inside. Double-clicking it would be a big mistake: Windows hands .js files to its script host, and the script fetches and runs the notorious Locky ransomware. Before you know it, you may have lost access to your files and find yourself being blackmailed for their safe return.
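A mail-gateway check for exactly the attachment shape F-Secure describes, as an added example (my own code, not F-Secure’s tooling and not from the original post): it opens the ZIP in memory and flags members with script or executable extensions, double extensions such as .pdf.js that disguise the real type, and nested archives. The extension lists are an illustrative denylist, not an exhaustive one, and the sample archives contain placeholder text rather than any real malware.

```python
import io
import posixpath
import zipfile

# Extensions that Windows will execute or hand to a script host on double
# click. Assumption: this denylist is illustrative, not exhaustive.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "bat", "cmd"}
BINARY_EXTS = {"exe", "scr", "pif", "com", "cpl", "jar", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_member(name: str):
    """Return the reasons a ZIP member looks dangerous, or [] if none apply."""
    base = posixpath.basename(name)
    parts = base.lower().split(".")
    if len(parts) < 2:
        return []                                  # no extension at all
    ext = parts[-1]
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("script file (.%s) runs under the script host" % ext)
    elif ext in BINARY_EXTS:
        reasons.append("executable payload (.%s)" % ext)
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        reasons.append("double extension .%s.%s disguises the real type" % (parts[-2], ext))
    if ext == "zip":
        reasons.append("nested archive")
    return reasons


def scan_zip_attachment(data: bytes):
    """Inspect a ZIP attachment in memory and return findings as
    (member name, [reasons]). Raises ValueError if the blob is not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("attachment is not a ZIP archive")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build a constructed sample attachment for the demo: name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for what the spam campaign carries: the .js member is
# a placeholder string, not a real downloader.
LOCKY_STYLE_ZIP = build_sample_zip({
    "invoice_4821.pdf.js": "// placeholder, not a real script\n",
})
BENIGN_ZIP = build_sample_zip({"report.pdf": "%PDF-1.4 placeholder\n"})


if __name__ == "__main__":
    for label, blob in (("spam sample", LOCKY_STYLE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, "->", scan_zip_attachment(blob))
```

The check is deliberately about names rather than content: a script downloader can be obfuscated into anything, but a .js inside a ZIP arriving from a stranger has no legitimate business use in most organisations, so blocking or quarantining on that alone catches this whole campaign shape without a signature.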

Stay safe folks. Always be suspicious of unsolicited attachments.

Couldn’t care less about Pokémon Go? Get this Chrome extension

Chrome users may be interested in a new browser extension called PokeGone:

Remove Pokemon from the Internet!

Sick and tired of hearing about Pokemon? PokeGone will take care of that! This extension will stop your eyes from seeing grown adults raving on about Pokemon - simple as.

Remove all traces of Pokemon from the internet with one simple extension!

Unfortunately, there are mixed reports of PokeGone’s ability to “catch ’em all” - so it may be that you find it an ineffective way to filter talk of Pokémon Go from your screen.

This was a public service announcement.

Here’s the very best advice on what you should do with Adobe Flash

On Tuesday, Adobe released a critical update patching over 50 security holes in its Flash Player plugin.

Security blogger Brian Krebs says it better than me:

It’s bad enough that hackers are constantly finding and exploiting zero-day flaws in Flash Player before Adobe even knows about the bugs.

The bigger issue is that Flash is an extremely powerful program that runs inside the browser, which means users can compromise their computer just by browsing to a hacked or malicious site that targets unpatched Flash flaws.

The smartest option is probably to ditch this insecure program once and for all and significantly increase the security of your system in the process.

That seems pretty reasonable to me.

Here is our guide on how you can update Adobe Flash on your computer or (even better) uninstall it entirely.

If that seems too drastic a step for you to take right now, at the very least consider enabling “click to play”, so that Flash content only runs when you explicitly allow it, which reduces the chances of attackers exploiting Flash as you browse the web.

The full advisory on the Flash security vulnerabilities can be read on Adobe’s website, as can details of the security update they have released for another of their beleaguered products - Adobe Reader.

Android users warned of malicious Pokémon Go app

Security researchers at Proofpoint have discovered a malicious Pokémon Go app that installs a backdoor on Android devices:

Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone.

The malicious app hasn’t sneaked its way onto the official Google Play store, so any victims would need to install it from an unofficial third-party store.

Although Proofpoint says that it hasn’t seen any reports of the malicious app infecting users in the wild, the current mania for Pokémon Go (its international roll-out is apparently being “paused” while Niantic, the game’s developer, wrestles with its overloaded servers) may mean that there are some avid gamers who could put themselves at risk.

The official Android Google Play store doesn’t have a spotless record when it comes to keeping malware out, but it certainly appears to do a better job than many of the unpoliced unofficial Android app stores out there.

If you’re an Android user and care about your security and privacy, only download apps from a legitimate store and always pay attention to the permissions they request.

Apple devices held for ransom, amid massive iCloud account hack rumours

Steve Ragan of CSO Online:

On July 1, Alanna Coca noticed her iPad had started beeping. When she opened the cover, the lock screen had a message displaying a phrase in Russian – “Dlya polucheniya parolya, napshite na email” – followed by a Gmail address.

Roughly translated, the phrase was telling her that in order to receive a password, she’ll need to email the address displayed.

Such attacks aren’t unusual (you may remember a message from Russian hacker Oleg Pliss popping up on some users’ iMacs, iPhones and iPads back in 2014), and are perpetrated by a hacker putting a victim’s device into lost mode after breaking into their Apple ID account.

A message sent by the hacker to the locked device asks for the victim to get in touch to arrange the ransom payment, and may even make a veiled threat that the device’s data will be erased if cash is not transferred promptly.

What spices things up a little more this time is that Ragan reports rumours of a massive data breach at Apple potentially impacting 40 million iCloud accounts.

That may be nonsense, of course - it’s possible that accounts have fallen under the control of hackers because of less sensational reasons - such as poor password choices, phishing or reusing the same password on multiple sites.

What is clear is that some Apple users are having their devices hijacked by extortionists. So make sure that you have a unique, hard-to-crack, hard-to-guess password protecting your Apple ID account.

And, if you haven’t already done so, I strongly recommend enabling two-step verification on your Apple ID account to make it harder for hackers to break in.

Read more on CSO Online.

US government tells Symantec and Norton Antivirus users to apply security patches immediately

Google security researcher Tavis Ormandy has uncovered critical vulnerabilities in a range of Symantec and Norton Antivirus products, which could be exploited by malicious hackers to launch attacks.

Here’s the skinny from the United States Computer Emergency Readiness Team (US-CERT):

The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable-event.

US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.

Exploitable security holes in security software are a serious problem. Malicious attackers know that you’re likely to be running popular security products, just like you’re likely to have Windows and Adobe Flash installed. That, combined with the fact that your anti-virus product runs at a low level on your computer with powerful privileges, can make for a noxious cocktail.

So, patch your anti-virus software. And - if you’re a security vendor - try to iron out any vulnerabilities in your software *before* a malicious hacker or a Google employee uncovers them.

Check out Symantec’s SYM16-008 and SYM16-010 security advisories for more details of the available patches.

Big news in the anti-virus industry. Avast to acquire AVG for $1.3 billion

Two of Europe’s best-known anti-virus companies, both famous for their free product editions and both founded in what was then Czechoslovakia, are looking to become one.

How much money is on the table from Avast to acquire AVG? A tidy $1.3 billion.

Here is what Avast CEO Vince Steckler has to say:

Under an agreement signed with AVG, Avast will be making an offer ($25 per share or about $1.3 billion in total) to buy all shares of AVG’s stock which AVG’s board is recommending their shareholders accept. If the AVG shareholders do accept, following the various governmental regulators approvals, AVG will become part of Avast and we will jointly work on a great future together. We expect this to take a few months.

I do think this combination is great for our users. We will have over 250 million PC/Mac users enabling us to gather even more threat data to improve the protection to our users. In mobile, our combined 160 million mobile users will be used to improve protection as well as to provide an important stepping stone into the Internet of things. Additionally, we will be gaining some exciting mobile technology designed to protect families on line. In SMB, we will be better able to support our business users with a larger geographic footprint, better technical support, and the best technologies from our two companies.

When those early pioneers started writing anti-virus software in their back bedrooms in the late 1980s and early 1990s, they can never have imagined things would grow so big.

Read Avast’s corporate press release here.

NASA spacecraft has its Twitter hacked by someone’s butt

Popular Science reports:

NASA’s Kepler spacecraft looks for Earth-like planets orbiting other stars. This morning, Kepler’s Twitter account got hacked… and showed its 569,000 followers a moon.

The hacker(s?) pinned a tweet displaying a red underwear-clad butt, which has since been deleted, but not before showing up on the NASA homepage.

Sadly, it’s not unusual to encounter Twitter accounts hijacked by porn spammers in this way. Your best defence? Choose a strong, hard-to-crack, unique password for your Twitter account and enable two-step verification to make it harder for hackers to break in.

It is also good practice to periodically check what applications and third-party sites you have connected to your Twitter account, and revoke access to anything you don’t need any longer.

Uranus, anybody? I’ll get my coat…

Hackers should beware bogus UPS couriers bearing handcuffs…

Alexander J Martin of The Register describes the arrest of British student Lauri Love, who allegedly hacked the FBI and NSA, and is wanted for extradition by the United States:

Lauri Love was arrested on suspicion of offences under the Computer Misuse Act 1990 early in the evening of 25 October 2013, when a National Crime Agency officer wearing dungarees and posing as a UPS courier told Love’s mother that Lauri himself had to come to the porch to collect his delivery.

In his dressing gown and pyjamas, Love confirmed his identity and was then informed of the ruse and handcuffed. Over the next five hours a total of 14 NCA officers attended the property wearing agency-branded windbreakers, which were easily visible to the neighbours.

Six of these officers had been tasked with searching for digital media which are alleged to contain evidence that the 28-year-old had criminally accessed private sector, military and government computer systems in the United States.

The agency believed their courier ruse had been necessary because, they claimed, intelligence had suggested that Love’s computer equipment could be encrypted “at the press of a button” which, if activated, would “frustrate the object of the search,” though even with this successfully executed approach the officers still collected encrypted devices.

Quite what UPS thinks of its brand being used by the police in this way is unclear…

Last month, the National Crime Agency (NCA) failed in its court attempt to force Love to disclose his passwords and decrypt the seized computers. The extradition proceedings, however, are ongoing.