Archive | Link list


Oculus chief latest social media hack victim

BBC News reports:

The chief executive of Facebook-owned virtual reality company Oculus, Brendan Iribe, has become the latest in a string of company bosses to have their social media accounts hacked.

The Oculus boss had his Twitter account compromised, but it is now restored.

Brendan. Take your bloody stupid virtual reality goggles off and see the wood for the trees.

Hackers are trawling through the huge database of leaked LinkedIn passwords and trying their luck to see if it will help them get into your other online accounts.

Anyone who has a Twitter account should enable two-step verification to make their accounts harder to hack into (that goes for Facebook too, by the way, as well as many other sites).

And while we’re on the topic - can everyone please start using different passwords for different websites? It’s really not that hard if you use a password manager (which can also remember your long and complicated passwords for you).

You can read more, including some comments from me, in the BBC News report.


Not using Adobe’s PDF reader doesn’t mean you’re avoiding PDF malware

Something like 400 million people use Foxit’s PDF reader.

And as a dozen vulnerabilities have just been found in the software, one hopes that those 400 million people are checking that they have updated their copy.

ThreatPost has the details about the vulnerabilities found in builds 7.3.4.311 and earlier of Foxit Reader and Foxit PhantomPDF:

To exploit the vulnerabilities an attacker could use an image file – either a BMP, TIFF, GIF, or JPEG image – to trigger a read of memory past the end of an allocated buffer, or object. From there, depending on the vulnerability, an attacker could either leverage the vulnerability as is, or use it in conjunction with other vulnerabilities to “execute code in the context of the current process.”

In other words, an attacker could simply send you a boobytrapped PDF file and if you happened to open it in Foxit’s PDF reader - kaboom!

Alternatively, you could be tricked into visiting a webpage containing a malformed PDF file.

I would understand completely if you have turned your back on Adobe’s PDF reader. The software, and its Adobe Flash Player stablemate, have a long record of exploitable vulnerabilities.

But don’t think that avoiding Adobe Reader means that you somehow have protected yourself from PDF-borne malware. Foxit users would be wise to check that they are running an updated version of the software.

Read Foxit’s security bulletin here.
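The bug class ThreatPost describes above is a reader that trusts the dimensions in an image header and then indexes a buffer smaller than those dimensions imply. The following is an added example written for this page, not Foxit's code or anything derived from its bulletin: a BMP header parser in which every value used to compute an offset into the untrusted bytes is checked against the real buffer length before any read. It only handles uncompressed 24-bit BITMAPINFOHEADER files, and the forged sample file is constructed here to show the shape of a malicious input; neither is a claim about what the Foxit vulnerabilities actually looked like.

```python
"""Bounds-checked BMP header parsing (added example, not Foxit's code)."""
import struct

FILE_HEADER_LEN = 14
INFO_HEADER_LEN = 40
MAX_PIXELS = 1 << 28          # refuse absurd dimensions before doing arithmetic on them


class MalformedImage(ValueError):
    """Raised instead of reading past the end of the buffer."""


def bmp_pixel_array_bounds(data):
    """Validate the headers and return (width, height, stride, pixel_offset).

    `height` keeps its sign: negative biHeight means rows are stored top-down,
    which read_pixel() takes into account."""
    if len(data) < FILE_HEADER_LEN + INFO_HEADER_LEN or data[:2] != b"BM":
        raise MalformedImage("truncated file header or not a BMP")
    _file_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)   # bfSize, bfOffBits
    info_size, width, height, planes, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, FILE_HEADER_LEN)
    if info_size < INFO_HEADER_LEN or planes != 1:
        raise MalformedImage("unsupported info header")
    if compression != 0 or bpp != 24:
        raise MalformedImage("only uncompressed 24-bit images are handled by this example")
    if width <= 0 or height == 0 or width * abs(height) > MAX_PIXELS:
        raise MalformedImage("implausible dimensions")
    rows = abs(height)
    stride = ((width * bpp + 31) // 32) * 4          # each row is padded to 4 bytes
    needed = stride * rows
    if pixel_offset < FILE_HEADER_LEN + info_size:
        raise MalformedImage("pixel array overlaps the headers")
    if pixel_offset + needed > len(data):            # the check an out-of-bounds read lacks
        raise MalformedImage(
            f"header promises {needed} pixel bytes at {pixel_offset}, file has {len(data)}")
    return width, height, stride, pixel_offset


def read_pixel(data, x, y):
    """Return the (B, G, R) bytes of pixel (x, y), with y counted from the top."""
    width, height, stride, offset = bmp_pixel_array_bounds(data)
    rows = abs(height)
    if not (0 <= x < width and 0 <= y < rows):
        raise IndexError("pixel coordinate outside image")
    row = y if height < 0 else rows - 1 - y          # BMP rows are bottom-up unless height < 0
    start = offset + row * stride + x * 3
    return tuple(data[start:start + 3])


def is_well_formed(data):
    try:
        bmp_pixel_array_bounds(data)
        return True
    except MalformedImage:
        return False


def build_bmp(width, height, pixel_bytes, claimed_width=None):
    """Constructed 24-bit BI_RGB BMP. `claimed_width` forges a header that lies
    about the image size, the shape of a malicious file."""
    info = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, claimed_width or width, height,
                       1, 24, 0, len(pixel_bytes), 2835, 2835, 0, 0)
    total = FILE_HEADER_LEN + INFO_HEADER_LEN + len(pixel_bytes)
    file_hdr = struct.pack("<2sIHHI", b"BM", total, 0, 0, FILE_HEADER_LEN + INFO_HEADER_LEN)
    return file_hdr + info + pixel_bytes


# Constructed 2x2 sample: bottom row first, each row padded to 8 bytes.
SAMPLE_PIXELS = bytes([255, 0, 0,   0, 255, 0,     0, 0,     # bottom row: blue, green
                       0, 0, 255,   255, 255, 255, 0, 0])    # top row: red, white

GOOD = build_bmp(2, 2, SAMPLE_PIXELS)
FORGED = build_bmp(2, 2, SAMPLE_PIXELS, claimed_width=100_000)   # header lies about width
TRUNCATED = GOOD[:60]                                             # pixel data cut short

if __name__ == "__main__":
    print("good:", is_well_formed(GOOD), "forged:", is_well_formed(FORGED),
          "truncated:", is_well_formed(TRUNCATED))
```

The forged file and the truncated file both pass a naive `len(data) >= 54` header check; it is the comparison of `pixel_offset + needed` against the real length that rejects them, and in a C reader that comparison is exactly what separates a clean error from reading beyond the allocation.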


Microsoft rethinks Windows 10 upgrade push following complaints

Dave Lee at BBC News reports:

In recent months, in an apparent bid to accelerate adoption of Windows 10, Microsoft altered the way it asked users if they wanted to upgrade. It gave the Windows 10 update “recommended” status, normally reserved for critical security updates.

If when prompted to update to Windows 10 users clicked the red “X”, the upgrade would not immediately start. However, the update process would automatically be scheduled for a later time.

From this week, Microsoft said it would change that process, admitting that it was confusing.

“The new experience has clearer options to upgrade now, choose a time, or decline the free offer,” said Terry Myerson, executive vice president, Windows and Devices Group, in an emailed statement.

“If the red-x is selected on this new dialog, it will dismiss the dialog box and we will notify the device again in a few days.”

I’ve complained before about the “dirty trick” Microsoft pulled when it changed the behaviour of its update nag screen - duping users into believing that clicking “X” would simply make the pop-up disappear rather than scheduling an unwanted Windows 10 update.

I understand that Microsoft believes Windows 10 is great, and appreciate that it wants as many users as possible to update to it, but the way it has handled the process has been pretty bloody awful.

The rethink comes as it emerges that Microsoft has agreed to pay a Californian woman $10,000 after an unwanted Windows 10 update caused her computer to crash.


Unwanted Windows 10 update wins woman $10,000 from Microsoft

The Seattle Times reports:

A few days after Microsoft released Windows 10 to the public last year, Teri Goldstein’s computer started trying to download and install the new operating system.

The update, which she says she didn’t authorize, failed. Instead, the computer she uses to run her Sausalito, Calif., travel-agency business slowed to a crawl. It would crash, she says, and be unusable for days at a time.

“I had never heard of Windows 10,” Goldstein said. “Nobody ever asked me if I wanted to update.”

When outreach to Microsoft’s customer support didn’t fix the issue, Goldstein took the software giant to court, seeking compensation for lost wages and the cost of a new computer.

She won. Last month, Microsoft dropped an appeal and Goldstein collected a $10,000 judgment from the company.

There is no doubt that Microsoft has taken its aggressive pushing of Windows 10 onto users’ computers too far, with many users claiming that it has been installed on their PCs without their explicit consent.

If a malicious hacker made unauthorised changes to your computer without your permission you would expect the police to take an interest.

So what makes it any different when it’s a company called Microsoft messing around with your computer?


Automated bots bombard EU referendum petition with fake signatures

BBC News reports:

An online petition calling for a second EU referendum has been hijacked by automated bots adding false signatures.

Posts on the 4chan message board indicated that some users had scripted programs to automatically sign the petition.

Thousands of signatures appeared to have come from people in Vatican City and Antarctica.

The House of Commons petitions committee said it had removed 77,000 signatures and was investigating.

The problem is that the UK government petitions site isn’t doing enough to weed out fake participants.

Every time you sign a petition on the site, you are asked for an email address and have to click on a link in a message sent to that email address to prove you are a “real” human rather than an automated script.

Of course, it doesn’t take a huge amount of effort to write an automated script that gives the petition site a throwaway email address and then - seconds later - automatically “click” on the link sent to that address.

The site may wish to invest in some better CAPTCHA technology to make it a little more difficult for the mischief-makers of 4chan to flood the petition with bogus signatures (a CAPTCHA raises the cost of automation rather than eliminating it, but right now the bar is an email loop a script can clear in seconds).

Of course, 77,000 bogus signatures is a tiny proportion of the 3.7 million who have so far signed that particular petition.
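The 77,000 signatures were found because they came from places that could not plausibly have produced them. As an added example for this page (not the petitions site's code), here are two cheap checks over a constructed signature list that would have flagged the same pattern: more signatures from a territory than a fraction of its resident population, and bursts too fast for humans completing an email confirmation loop. The population figures, thresholds and record format are assumptions made for the example.

```python
"""Flag implausible signature patterns on a petition (added example)."""
from collections import defaultdict

# Assumed resident populations: rough figures for this example, not site data.
POPULATION = {"GB": 65_000_000, "FR": 66_000_000, "VA": 800, "AQ": 1_000}


def parse_signature(line):
    """Assumed record format: '<epoch-seconds> <ISO-3166 country> <email>'."""
    ts, country, email = line.split()
    return int(ts), country, email


def find_suspect_countries(signatures, max_fraction=0.5, window=60, burst=100):
    """Return {country: [reasons]} for countries whose signature count or rate
    is implausible. A burst is more than `burst` signatures in any
    `window`-second span; a burst on its own is a reason to review, since real
    petitions also spike after news coverage."""
    by_country = defaultdict(list)
    for ts, country, _email in signatures:
        by_country[country].append(ts)

    suspects = defaultdict(list)
    for country, stamps in by_country.items():
        pop = POPULATION.get(country)
        if pop is not None and len(stamps) > pop * max_fraction:
            suspects[country].append(
                f"{len(stamps)} signatures exceeds {max_fraction:.0%} of population {pop}")
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > burst:
                suspects[country].append(f"{end - start + 1} signatures within {window}s")
                break
    return dict(suspects)


def count_flagged(signatures, suspects):
    """Signatures falling under a flagged country, i.e. candidates for removal."""
    return sum(1 for _ts, country, _email in signatures if country in suspects)


def constructed_signatures():
    """Constructed sample, not real petition data."""
    lines = []
    for i in range(3000):                        # GB: one every 30 s, all day
        lines.append(f"{i * 30} GB gb{i}@example.com")
    for i in range(150):                         # AQ: a plausible trickle
        lines.append(f"{100_000 + i * 600} AQ aq{i}@example.com")
    for i in range(2000):                        # VA: 2000 signatures in ten minutes
        lines.append(f"{5000 + (3 * i) // 10} VA va{i}@example.com")
    for i in range(120):                         # FR: 120 signatures in 30 seconds
        lines.append(f"{50_000 + i // 4} FR fr{i}@example.com")
    return lines


def analyse_signatures(lines):
    sigs = [parse_signature(line) for line in lines]
    suspects = find_suspect_countries(sigs)
    return suspects, count_flagged(sigs, suspects)


if __name__ == "__main__":
    suspects, flagged = analyse_signatures(constructed_signatures())
    for country, reasons in suspects.items():
        print(country, "->", "; ".join(reasons))
    print(flagged, "signatures flagged for review")
```

Vatican City trips both rules; France trips only the burst rule, which is why the burst check should queue signatures for review rather than delete them outright. Neither check needs a CAPTCHA, and both can run after the fact, which is roughly what the petitions committee had to do by hand.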


Comodo stands down from trademark tussle with Let’s Encrypt

Looks like Comodo has had second thoughts about entering a trademark dispute over the term “Let’s Encrypt”, as Steve Ragan at CSO Online reports:

A Comodo staffer, Robin Alden, said that the company had abandoned their “Let’s Encrypt” trademark applications.

“Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse. Following collaboration between Let’s Encrypt and Comodo, the trademark issue is now resolved and behind us and we’d like to thank the Let’s Encrypt team for helping to bring it to a resolution.”

It’s good to see common sense winning through.


Intel to quit the security business (again), and jettison McAfee?

A long time ago, Intel used to have its own anti-virus product. They called it Intel LanDesk Virus Protect.

Intel LanDesk Virus Protect got gobbled up by Symantec in 1998, and most of us thought that the chip giant had quit the security business.

Fast forward 12 years to 2010 and Intel surprised us all by acquiring Symantec’s arch-rival McAfee for over $7.6 billion, hoping that the hot security market would help its growth plans.

Intel, the world’s leading CPU producer, claimed that the price they paid for McAfee was a good one, as they would redefine the security industry - integrating protection into microprocessors.

Let’s be honest - that never seemed a terribly convincing plan, and came to nothing.

Six years later, and the Financial Times is reporting that Intel may be planning to quit the anti-virus business again:

Intel is looking at options for Intel Security, including potentially selling the antivirus software maker formerly known as McAfee which it bought for $7.7bn almost six years ago.

The Silicon Valley chipmaker has been talking to bankers about the future of its cyber security unit in a deal that would be one of the largest in the sector, according to people close to the discussions.

The news comes two years after Intel rebranded its security division Intel Security, for umm… quite easy-to-understand reasons.

Leave it another 12 years, and who knows if Intel will be tempted to buy into the computer security business again?

I guess if they do they’ll be hoping it’s a case of third time lucky.


Privacy, risk and trolls: Dealing with the security challenges of YouTube fame

Interesting exploration by Joan Goodchild of CSO Online about the privacy issues facing YouTube vloggers:

Unlike television and movie stars, these online celebrities face a different kind of privacy challenge because, by nature of the work they do, they are expected to be accessible and to interact with fans.

Keeping things private and running a successful video log (vlog) are not exactly two compatible goals. This is because, according to LaToya Forever, an online personality with two popular vlogs on YouTube, one of the secrets of YouTube success is keeping things “100 percent real and genuine.” This means broadcasting everything from adorable kid moments to family drama for the world to see.

“Sometimes it’s hard to wade through and decide what to share and what not to share,” said Nikki Phillipi, a lifestyle vlogger with over a million subscribers.

I understand the appeal to many of watching vloggers who are sharing their personal lives in a “100% real and genuine” fashion, but how on earth can they hope to balance such a lifestyle with privacy?

Read more on CSO Online.


Let’s Encrypt and Comodo in trademark tussle

The non-profit Let’s Encrypt project, set up to help more websites switch on HTTPS for free, has found itself in a kerfuffle with Comodo, one of the largest commercial vendors of website certificates.

Let’s Encrypt writes:

Some months ago, it came to our attention that Comodo Group, Inc., is attempting to register at least three trademarks for the term “Let’s Encrypt,” for a variety of CA-related services. These trademark applications were filed long after the Internet Security Research Group (ISRG) started using the name Let’s Encrypt publicly in November of 2014, and despite the fact Comodo’s “intent to use” trademark filings acknowledge that it has never used “Let’s Encrypt” as a brand.

Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization.

Comodo, which claims to be the world’s most widely used SSL Certificate Authority, wants to trademark “Let’s Encrypt”, “Let’s Encrypt with Comodo” and “Comodo Let’s Encrypt.”

Things are getting ugly… and I can’t see how this is going to help create a more secure internet.


154 million voter records exposed, revealing gun ownership, Facebook profiles, and more

Security researcher Chris Vickery came across an online database, hosted on a Google Cloud server, containing 154 million US voter records.

It emerged that the poorly-secured database belonged to an unnamed client of data brokerage firm L2. The client has blamed hackers for leaving the database accessible from the outside world, without even the simplest password.

The Daily Dot asks an important question:

Why does this keep happening, and what is our government doing about it? The answer to the former is linked to the answer to the latter: Our government is currently doing little to nothing, so why should entities make more effort to secure our information?

Attempts to regulate voter registration list dissemination are unlikely to succeed because political organizations and fund-raising organizations rely upon them, and their lobby makes mincemeat of any privacy lobbying efforts. No federal agency is enforcing data security in political organizations or non-profits, and so far, neither are state attorneys general.

But while Americans quickly shrug and go back to our daily lives after a bit of outraged protesting online, citizens of other countries seem to take this all much more seriously.

It really is scandalous that when personal information like this is being collected by organisations it is being protected so shoddily.

Learn more at The Daily Dot.


Yes, even coders make the mistake of reusing passwords

GitHub has issued a security advisory:

On Tuesday evening PST, we became aware of unauthorized attempts to access a large number of GitHub.com accounts. This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts. We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.

The end result is that for some accounts “other personal information including listings of accessible repositories and organizations may have been exposed.” Yuck.

GitHub has reset passwords for affected accounts and is reaching out to affected users.

It’s important to underline that GitHub itself didn’t suffer a breach. The passwords were probably gleaned from mega-breaches on other sites such as LinkedIn and Tumblr.

Repeat after me:

Thou shalt not make to thyself the same password on different websites, and thou shalt enable two-factor authentication pronto.
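What GitHub describes, and what hit the Oculus boss further up this page, is credential stuffing: leaked email/password pairs replayed against another site. From the defender's side it has a recognisable shape in the authentication logs, which is how GitHub could tell which accounts to reset. The following is an added example written for this page, not GitHub's detection code: one source cycling through many different usernames with a low hit rate, as opposed to a brute-force run (one username, many passwords) or a legitimate user (one username, mostly successes). The log line format, thresholds and sample traffic are all assumptions constructed for the example.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # epoch seconds
    src_ip: str
    user: str
    ok: bool


def parse_line(line):
    """Assumed log format: '<epoch-seconds> <source-ip> <username> <ok|fail>'."""
    ts, ip, user, result = line.split()
    return LoginEvent(int(ts), ip, user, result == "ok")


def find_stuffing_sources(events, window=600, min_users=20, max_hit_rate=0.2):
    """Return {src_ip: stats} for sources that, inside some `window`-second
    span, tried at least `min_users` distinct accounts with a success rate no
    higher than `max_hit_rate`. The stats describe the widest such span and
    list the accounts that were logged into, i.e. the ones needing a reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            if len(users) < min_users:
                continue
            successes = sum(e.ok for e in span)
            rate = successes / len(span)
            if rate <= max_hit_rate and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": successes,
                    "hit_rate": round(rate, 3),
                    "compromised": sorted({e.user for e in span if e.ok}),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


def constructed_log():
    """Constructed sample traffic, not real log data."""
    lines = []
    for i in range(5):                       # legitimate user: one account, all ok
        lines.append(f"{1000 + 60 * i} 198.51.100.4 alice ok")
    for i in range(40):                      # brute force: one account, many failures
        lines.append(f"{1000 + 5 * i} 192.0.2.9 bob fail")
    for i in range(50):                      # stuffing: 50 accounts, 2 reused passwords still valid
        result = "ok" if i in (7, 31) else "fail"
        lines.append(f"{1000 + 3 * i} 203.0.113.7 user{i:03d} {result}")
    return lines


def analyse_logins(lines):
    return find_stuffing_sources(parse_line(line) for line in lines)


if __name__ == "__main__":
    for ip, stats in analyse_logins(constructed_log()).items():
        print(ip, stats)
```

The brute-force source never trips the rule because it only ever names one account, and the legitimate user never does because a single account with a 100% hit rate is not stuffing. The `compromised` list is the actionable output: those are the users who reused a password from somewhere else and should get a forced reset and a nudge towards two-factor authentication.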


Apple will require HTTPS connections for iOS apps by the end of 2016

Kate Conger at TechCrunch reports:

“Today, I’m proud to say that at the end of 2016, App Transport Security is becoming a requirement for App Store apps,” Apple’s head of security engineering and architecture, Ivan Krstic, said during a WWDC presentation. “This is going to provide a great deal of real security for our users and the communications that your apps have over the network.”

App Transport Security, or ATS, is a feature that Apple debuted in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than HTTP, which keeps user data secure while in transit by encrypting it.

This cannot come soon enough in my opinion.

People ask me all the time which operating system is more secure: iOS or Android?

The truth is that the choice of mobile operating system shouldn’t be your primary concern.

You should be more worried about the apps that you’re running on your smartphone, and how good a job they are doing at keeping your data secure and private - both when in communication with the internet, and when stored on a third-party developer’s servers.

Forcing iOS apps to use HTTPS is a definite step in the right direction, and will help make it harder for criminals to steal information as you use your iPhone or iPad.

Roll on 2017…


Telegram calls claims of bug in messaging service bogus

The most interesting part of this ThreatPost report is where they share some background on Sadegh Ahmadzadegan and Omid Ghaffarinia, the researchers who claim to have uncovered the flaw in Telegram:

Regarding claims by the Iranian researchers, Telegram’s Markus Ra told Threatpost that the allegations were “click bait fear mongering” on the part of the researchers.

Both Ahmadzadegan and Ghaffarinia, who co-authored the research on the Telegram flaw, self-identify themselves as two of seven accused Iranian hackers indicted by the U.S. Justice Department in March for state-sponsored hacking of U.S. networks and targeting U.S. industries.

According to the indictment, Ahmadzadegan and Ghaffarinia are accused of working for the Iranian Revolutionary Guard Corps and carried out DDoS attacks against 46 U.S. financial institutions.

You can find the US Department of Justice indictment against Ahmadzadegan (also known as “Nitr0jen26”) and Ghaffarinia (“PLuS”) here.


Computer crash wipes out years of Air Force investigation records

Defense One:

The U.S. Air Force has lost records concerning 100,000 investigations into everything from workplace disputes to fraud.

A database that hosts files from the Air Force’s inspector general and legislative liaison divisions became corrupted last month, destroying data created between 2004 and now, service officials said. Neither the Air Force nor Lockheed Martin, the defense firm that runs the database, could say why it became corrupted or whether they’ll be able to recover the information.

Apparently they did have backups, but ermm… the backups are corrupted too.

Remember folks, there’s no point making backups of your data if you don’t periodically test that they can actually be restored. That’s perhaps timely advice given the prevalence of ransomware right now.

(There’s no indication that the US Air Force’s database corruption is due to malicious meddling, by the way).
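Testing a backup means restoring it somewhere harmless and checking the restored files against what was backed up, not just checking that the archive file exists. As an added example for this page (not anything from the Air Force or Lockheed Martin), here is that loop in miniature: take a backup with a manifest of file hashes, test-restore it into a scratch directory and compare, then corrupt the archive the way failing media would and watch the same check fail. The sample files and the archive format are constructed for the example.

```python
"""Make a backup and prove it restores (added example)."""
import hashlib
import os
import tarfile
import tempfile
import zlib


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Write a gzip-compressed tar of src_dir and return a manifest mapping
    each relative path to the SHA-256 of the live file at backup time.
    The manifest is what a later restore is checked against, so keep it
    somewhere other than the backup medium itself."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Test-restore into a scratch directory and compare every file against the
    manifest. Returns (ok, problems). An archive that cannot be unpacked, or
    whose contents differ, is a failed backup, not one to trust."""
    problems = []
    # 'data' filter (Python 3.12+, backported to older patch releases) blocks path tricks.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc!r}"]
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"content mismatch after restore: {rel}")
    return (not problems), problems


def corrupt_in_place(path, n=16):
    """Simulate silent media corruption by overwriting bytes mid-archive."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.seek(size // 2)
        f.write(b"\xff" * n)


def demo():
    """Constructed walkthrough: returns (good_backup_ok, corrupted_backup_ok)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "records")
        os.makedirs(os.path.join(src, "cases"))
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample data\n" * 200)
        with open(os.path.join(src, "cases", "2004.csv"), "w") as f:
            f.write("id,subject\n1,workplace dispute\n2,fraud\n")
        archive = os.path.join(work, "records.tar.gz")
        manifest = make_backup(src, archive)
        good_ok, _ = verify_backup(archive, manifest)
        corrupt_in_place(archive)
        bad_ok, problems = verify_backup(archive, manifest)
        print("after corruption:", problems)
        return good_ok, bad_ok


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is that a restore which completes without error is not the same as a restore that gives you back your data; comparing hashes catches the quieter failure where the archive unpacks but a file has changed. Scheduling `verify_backup` against a random recent archive is the cheap version of the test the Air Force apparently never ran.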

Update: Good news. The US Air Force says it has managed to achieve a “full recovery” of its data.


Critical Adobe Flash bug under active attack currently has no patch

Adobe is working on a patch for a newly-discovered vulnerability in Adobe Flash that is being actively exploited by hackers in targeted attacks. Ars Technica has the details:

The active zero-day exploit works against the most recent Flash version 21.0.0.242 and was detected earlier this month by researchers from antivirus provider Kaspersky Lab, according to a blog post published Tuesday by Costin Raiu, the director of the company’s global research and analysis team. It’s being carried out by “ScarCruft,” the name Kaspersky has given to a relatively new hacking group engaged in “advanced persistent threat” campaigns that target companies and organizations for high-value information and data.

Details on how to mitigate the threat can be found on Symantec’s website.

Adobe has published minimal information on its website, and a fix may arrive as early as tomorrow (Thursday 16 June).

By which time you’ll hopefully also have had a chance to roll out the critical Patch Tuesday fixes Microsoft published yesterday.