Here's the latest anti-virus and System Security news from the Naked
Security Blog at Sophos. You can access these for yourself at
http://nakedsecurity.sophos.com
You can also sign up to receive a daily digest (Monday through Friday)
of security issues and links, delivered right to your email box.
It's a reminder to PRACTICE SAFE HEX!! You could lose your data via
an attack of malware, ransomware, or be a victim of identity theft,
otherwise.
Note that text in some of the links may contain text that some may
find vulgar, profane, offensive, explicitly sexual, etc. -- these are
provided to alert you that your system may have been infected!!
***
Note: The BBS was OFFLINE from mid-September to late October, 2018...
due to moving back to my Mom's home, and getting her placed into a
nursing home, plus dealing with the finances with it, as her Power
Of Attorney. As a result, I have COMBINED all of the "missed items"
into one message. You can go to the URL noted at the top of this
message, and search for the various items. These may not be in
chronological order. Note that this is over a month's worth of data.
***
Is Google's Android app unbundling good for security?
If you live in the EU, turning on a new Android device after 29 October
2018 could look quite different...
***
You don't have to sequence your DNA to be identifiable by your DNA
If you have European ancestry, there's a 60% chance that somebody vaguely
related to you can be used to find out who you are.
***
Twitter publishes data on Iranian and Russian troll farms
Over 1m tweets show that we're suckers for funny/sarcastic/edgy, not so
much for blah-blah-blah "news" spreaders.
***
Weirdo Twitter messages were a glitch, not a hack
Were you one of the dozens of people who got a bizarre Twitter message
yesterday? It's OK. It wasn't a disturbance in the Matrix.
***
Serious SSH bug lets crooks log in just by asking nicely!
A serious bug in libssh could allow crooks to connect to your server -
with no password requested or required. Here's what you need to know.
***
What Kanye West can teach us about passcodes
Pulling out an iPhone XS to show the assembled throng a picture of the
hydrogen-powered aircraft that "our president should be flying in,"
West casually unlocked it using the passcode "000000".
***
35 state attorneys general tell FCC to pull the plug on robocalls
The AGs want the FCC to adopt SHAKEN and STIR.
***
Experian credit-freeze PINs could be revealed by a simple trick
The credit bureaus' struggles with PINs continue...
***
Payment skimmers sneaking on to websites via third party code
Whatever Magecart is, it's been blamed for several high-profile payment
card breaches this summer.
***
Facebook opens up about data breach details
Two weeks after Facebook's first serious data breach, and the social
network has shared what it has figured out so far.
***
Beware sextortionists spoofing your own email address
In the past, they've pretended to have your passwords - now they're
pretending to send email from your "hacked" account, too.
***
Literary-minded phishers are trying to pilfer publishers' manuscripts
In a twist on Business Email Compromise, they're spoofing literary
agents and going after manuscripts at Penguin Random House and
Pan Macmillan.
***
Are your jilted apps stalking you?
"Uninstall?" HA! Uninstall trackers enable app developers to game iOS
and Android and continue sending push notifications to fleeing users.
***
WordPress takes aim at ancient versions of its software
If you're running a very old version of WordPress on your website,
the project's staff would like a word with you.
***
Poorly secured SSH servers targeted by Chalubo botnet
SophosLabs has detected a new DDoS botnet targeting poorly secured
SSH servers - called Chalubo, it is named in honour of its use of
the ChaCha stream cipher.
***
Former high school teacher pleads guilty to hacking celebrities
A fifth man has pleaded guilty to federal charges of phishing
celebrities' and non-celebrities' logins and raiding their iCloud
accounts for nude photos.
***
Are you Cyber Aware? How about your friends and family?
A Cyber Aware survey found 30% of Britons still have just one password
for all their accounts - so let's help that 30% change their lives!
***
Firefox 63 gets tough with trackers
Mozilla's Enhanced Tracking Protection is going mainstream.
***
Google and Facebook accused of secretly tracking users' locations
Google and Facebook have been hit separately by class action lawsuits
accusing them of secretly tracking user locations.
***
Could TLS session resumption be another "super cookie"?
Researchers think they've spotted a tracking technique that nobody has
been paying attention to - TLS session resumption.
***
Patch now! Multiple serious flaws found in Drupal
Drupal website owners have some important patching homework to do.
***
Phishing is still the most commonly used attack on organizations,
survey says
The survey found that the majority of cyberattacks - 75% - came from
outsiders, while 25% were due to insiders.
***
Adult websites shuttered after 1.2 million user details exposed
It's not even close to the number of users affected by the massive
Ashley Madison breach, but the results could be just as devastating
to those who are affected.
***
Why is Elon Musk promoting this Bitcoin scam? (He's not)
While scrolling through my Twitter feed I saw a Bitcoin scam so
unabashed that it got me thinking.... do such scams really work?
***
Pirates! Don't blame your illegal file sharing on family members
Stop blaming your piracy on your mum. You can no longer avoid
liability by saying that a family member had access to your
connection.
***
Popular website plugin harboured a serious 0-day for years
The flaw in the popular file uploader allows an attacker to upload
files and run their own command line shell on any affected server.
***
Alleged robber busted after Facebook-friending victim to apologize
He told her to put down the pizza delivery and all her money on top
of it. 26 days later, he found her on Facebook and reached out.
***
Up to 9.5 million net neutrality comments were fake
New York has expanded its probe to subpoena 14 industry groups and
lobbyists, saying that fake comments "distort[ed] public opinion."
***
Maker of LuminosityLink RAT gets 30 months in the clink
Prosecutors said that the 21-year-old LuminosityLink author had no
respect for the law and showed contempt for moral rules and social norms.
***
"We know you watch porn" (and here's fake proof) [PODCAST]
Here's Episode 6 of the Naked Security podcast... enjoy!
***
Serious D-Link router security flaws may never be patched
Six routers with serious security flaws are considered end of life (EOL)
and may never be updated.
***
Apple privacy portal lets you see everything it knows about you
The Apple website's privacy and data area lets you download and correct
your data.
***
The libssh "login with no password" bug - what you need to know [VIDEO]
Here's a video that explains the libssh "no password needed" bug -
jargon-free and in plain English. Enjoy...
***
New iPhone lock screen bypass exposes your photos
Jose Rodriguez has demonstrated how an attacker with physical access
to a device running iOS 12.0.1 can gain access to photos stored on it.
***
Is this the simple solution to password re-use?
Researchers concluded that passphrase requirements such as a 15-character
minimum length deter the majority of users from reusing them on other sites.
***
35 million US voter records up for sale on the dark web
He or she is selling off the databases by state. Kansas's voter database
has already been sold and published, and Oregon is next up for sale.
***
Donald Daters app for pro-Trump singles exposes users' data at launch
A security researcher found a publicly exposed Firebase data repository
that was hardcoded in the dating app.
***
US embassy accidentally emails invitation to "cat pyjama-jam" meeting
Canberra's US embassy accidentally exposed details of one of its more
enticing get-togethers last week, featuring a cat in a Cookie Monster
outfit.
***
How Chrome and Firefox could ruin your online business this month
Last year, Symantec sold off its web certificate business. The new
owners are reissuing certs for free - but there's a deadline looming!
***
Google using lock screen passwords to encrypt Android Cloud backups
If, that is, your phone has updated to the Android 9 operating system, otherwise
known as Pie. If so, say hi to the Titan chip!
***
How to buy (and set up) a safe and secure baby monitor
Wi-Fi enabled or not? Digital or analog? Here are the features to look
for, and how to secure your baby monitor out of the box.
***
Instagram tests sharing your location history with Facebook
Instagram is testing Facebook Location History - which allows the
tracking of precise locations from your device - in its app.
***
Millions at risk from default webcam passwords
Hangzhou Xiongmai Technology Co.,Ltd (Xiongmai), the Chinese manufacturer
that made many of the devices left vulnerable to Mirai, is back with
another vulnerability that puts millions of devices across the world
at risk yet again.
***
Jailbroken PS4 seller sued by Sony
The consoles allegedly sold on eBay by the California man were packed
with over 60 pirated games.
***
Update now! Microsoft fixes 49 bugs, 12 are critical
Microsoft's October Patch Tuesday update made its scheduled appearance
on Tuesday with fixes for 49 security flaws across its family of
products, 12 of which are listed as "critical".
***
How a WhatsApp call could have taken over your phone
A WhatsApp buffer overflow that crashed your phone due to audio data
sent by a caller meant that just answering a call could spell trouble.
***
Google+ wakes up to what the rest of us already knew
Google's closing down the platform nobody uses and might face a
class-action lawsuit over a G+ spawned breach it took 7 months to report.
***
291 records breached per second in first half of 2018
Over 4.5 billion data records were breached in the first half of this
year, according to Gemalto's Breach Level Index released this week.
***
Cyber tormentor leaves a trail that lands him 17.5 years
Ryan S. Lin pleaded guilty to cyberstalking, distribution of child abuse
imagery, hoax bomb threats, computer fraud and abuse, and ID theft.
***
Airport mislays world's most expensive USB stick
In October 2017, a member of the public found a USB stick containing a
trove of data on security systems and procedures at one of the world's
busiest airports.
***
Apple and Amazon hacked by China? Here's what to do (even if it's not true)
Are major US companies really under attack from Chinese "zombie
microchips" - and what should we do, whether it's true or not?
***
Microsoft hits the brakes on latest Windows 10 update - what to do
Microsoft has paused the Windows 10 October 2018 update while it
investigates reports of deleted profiles and missing files.
***
Don't fall for the Facebook "2nd friend request" hoax
Cloned accounts are a real thing, but this viral message isn't. Don't
forward it!
***
Hey Portal, what's that Facebook device in my kitchen?
The company that wants to move fast and break things is moving in!
***
Google ramps up G Suite protections against government-backed attacks
Security alerts become opt-out by default from 10 October because so
few admins opted in.
***
Unpatched routers bad, doubly unpatched routers worse - much, much worse!
Two bugs can be four times the trouble! If you missed the last MikroTik
router patch, you're at risk, but if you're *two* patches behind ...
***
Attackers use voicemail hack to steal WhatsApp accounts
The Israeli National Cybersecurity Authority issued an alert warning
that WhatsApp users could lose control of their accounts.
***
Phantom Secure CEO sold encrypted phones to drug cartels
The CEO of "uncrackable" phone seller, Phantom Secure, has pleaded guilty
to helping drug sellers keep their business locked away from the eyes of
law enforcement.
***
Seven Russian cyberspies indicted for hacking, wire fraud, ID theft
"Bungling" Russian GRU operatives picked up by Dutch police, linked to
OPCW and World Anti-Doping Agency hacks.
***
Fitbit data leads to arrest of 90-year-old in stepdaughter's murder
Her device recorded her heart rate slowing rapidly, then stopping about
five minutes before her stepfather left the house.
***
Prison smuggler busted by his own drone camera
It turns out that drones advertised off the back of beautiful aerial
shots also take great videos of murky drug dens.
***
Wi-Fi versions to get names people can actually understand
The high priests of Wi-Fi just made your life - and the lives of wireless
network equipment vendors everywhere - a little easier.
***
Facebook doubles cooling off period to cash in on your FOMO
Facebook has doubled its grace period because so many leavers are getting
cold feet.
***
Google's Intra app secures older Androids with encrypted DNS
DNS encryption is the Next Big Thing in web encryption and Google doesn't
want Android users to miss out.
***
Setting up a Mac for young children
A step-by-step guide to preparing a Mac for young children.
***
Cop charged with selling phone tracking service on dark web
A French police officer has been charged with using police intelligence
data to power a mobile phone tracking service sold via the dark web.
***
Facebook finds "no evidence" attackers accessed third-party apps
To play it safe, it's building a tool to let developers manually identify
any of their users who may have been affected by the big breach.
***
NSA staffer takes top-secret hacking tools home "to study", gets 66 months
Nghia Hoang Pho may not have had malicious intent, but removal of the
materials forced the NSA to abandon years of signals collection work.
***
Update now: Adobe fixes 85 serious flaws in Acrobat and Reader
Adobe has released updates fixing a long list of security vulnerabilities
discovered in the Mac and Windows versions of Acrobat and Reader.
***
Hacked Fortnite accounts and rent-a-botnet being pushed on Instagram
The gaming and hacking communities overlap: Some of the hacker accounts
are offering botnet access as well as Fortnite accounts.
***
Google's new rules for developers make Chrome extensions safer for all
Google has announced a range of security changes to its Chrome browser
that will make the use of extensions more secure.
***
The Facebook dilemma - stick it out or pack it in? [PODCAST]
It's been a while but we're back at the microphone - here's Episode 5 of
the Naked Security podcast.
***
Hackers demand ransom from hijacked Instagram influencers
Hackers are taking over high-profile Instagram users' accounts and
holding them to ransom, revealed reports this week.
***
Lock screen bypass already discovered for Apple's iOS 12
Apple's iOS 12 is barely out of the gates and already someone has found
a way to beat its lock screen security to access a device's contents.
***
Suspect forced to unlock iPhone with his face
The order so far hasn't raised Fifth Amendment objections either, your
face being something you are, rather than something you know.
***
Students swap data for coffee at cashless cafe
In this US-based cashless cafe, university students hand over personal
data in exchange for a dose of caffeine and sponsorship propaganda.
***
How to have that difficult "stay safe online" conversation with your kids
As your children start using the internet with greater independence, help
keep them - and their data - safe with these simple tips.
***
You gave your number to Facebook for security and it used it for ads
Facebook has been adding phone numbers registered for 2FA to the other
data it uses to target people with advertising.
***
Monero fixes major "burning bug" flaw, preventing mass devaluation
The flaw arises from the use of stealth wallet addresses, an anonymity
concept that's especially important to privacy-sensitive Monero users.
***
Big Facebook data breach: 50 million accounts affected
Facebook has suffered a data breach affecting almost 50 million accounts.
Another 40 million have been reset as a "precautionary" measure.
***
Firefox Monitor starts tracking breached email addresses
Mozilla has formally launched Firefox Monitor, a privacy-engineered
website that hooks up to Troy Hunt's Have I Been Pwned? (HIBP) breach
notification database.
***
Spotify offers playlists tailored to your DNA
Spotify and Ancestry have teamed up to let you use your real DNA to
tell your "musical" DNA.
***
Malware hits fashion giant SHEIN; 6.42 million online shoppers affected
The online fashion store is now contacting affected users and asking
them to change passwords for their online store accounts.
***
Finally, a fix for the encrypted web's Achilles' heel
Everyone knew that SNI needed to be fixed sooner or later, but nobody
was quite sure how.
***
Microsoft is killing passwords one announcement at a time
Windows 10 and Office 365 users can now log in to Azure AD applications
using only the Authenticator App.
***
Domain flub leaves 30 million customers high and dry
Zoho's CEO begged for help on Twitter after his domain registrar
effectively took the company offline, stranding millions of users.
***
Facebook scolds police for using fake accounts to snoop on citizens
Put down that "Bob Smith" fake account and back off, Facebook told the
Memphis Police Department, waving its real-names policy in the air.
***
Millions of Twitter DMs may have been exposed by year-long bug
Though the bug was present for over a year, Twitter hasn't found any DMs
or protected tweets that were delivered to the wrong developer.
***
Users fret over Chrome auto-login change
Users were complaining this week after discovering they'd been logged in
to Google's Chrome browser automatically, after logging into a Google
website.
***
AdGuard adblocker resets passwords after credential-stuffing attack
AdGuard has taken the decision to reset all user accounts after suffering
a credential-stuffing and brute-force password attack.
***
Woman hijacked CCTV cameras days before Trump inauguration
The ransomware attack on DC's outdoor surveillance cameras came just a
few days before the 2017 inauguration of President Trump.
***
Wendy's faces class action over collecting staff fingerprints
Two former Wendy's employees want to know what the company does with
employee fingerprints collected by biometric clocks.
***
Bankrupt NCIX customer data resold on Craigslist
What happens to sensitive customer data when a large company that has
collected it over many years suddenly goes bust?
***
Facebook faces sanctions if it drags its feet on data transparency
The EU justice commissioner said she's out of patience. Also, she quit
Facebook because it's a "channel of dirt."
***
App developers are STILL allowed to read your Gmails
Google is still allowing third-party developers access to its
users' Gmail data, it said in a letter to Senators last week.
***
Police accidentally tweet bookmarks that reveal surveilled groups
The Massachusetts State Police (MSP) accidentally spilled some of its
opsec onto Twitter last week, uploading a screenshot that revealed
browser bookmarks.
***
iTunes is assigning you a "trust score" based on emails and phone calls
It's just a number to detect fraud, not a Black Mirror-esque score that's
going to rate us all as social misfits unworthy of wedding invitations.
***
WhatsApp cofounder: "I sold my users' privacy"
Regretful WhatsApp cofounder Brian Acton has joined the ranks of the
Silicon Valley mea-culpa-rati.
***
Mobile password managers vulnerable to phishing apps
Several leading Android-based password managers can be fooled into
auto-filling login credentials on behalf of fake phishing apps.
***
Power to the people! Google backtracks (a bit) on forced Chrome logins
Google thought it was a such a great idea to start logging you into
everything when you logged into something... that it forgot to ask.
***
Robocallers slapped with huge fines for using spoofed phone numbers
One poor woman whose phone number was hijacked by robocallers got several
calls a day from irate consumers who thought she was trying to market to
them.
***
Cryptojacking - coming to a server-laptop-phone near you (and how to
stop it)
Cryptomining apps were banned from the Play Store some time ago - but
that hasn't stopped the crooks getting cryptojackers past Google...
***
Bitcoin flaw could have allowed dreaded 51% takeover
The scenario was always hypothetical but the fact such a thing was even possible
until this week has left some in the Bitcoin community feeling alarmed.
***
Warning issued as Netflix subscribers hit by phishing attack
Netflix phishing scammers are at it again, sending emails that try to
steal sensitive details from subscribers.
***
Man who shared Deadpool movie on Facebook faces 6 months in jail
US government recommended six months behind bars. That's one month for
every million people that viewed a part of the pirated movie, apparently.
***
US military given the power to hack back/defend forward
The new preventative cybersecurity powers include potentially acting
against countries considered friendly toward the US - a risky move,
some say.
***
FBI wants to keep "helpful" Mirai botnet authors around
The young men behind the powerful IoT device botnet have been working undercover
with law enforcement since they were first fingered.
***
Western Digital goes quiet on unpatched MyCloud flaw
Western Digital has failed to patch a serious security vulnerability
in its MyCloud NAS drives that it was told about more than a year
ago, researchers have alleged.
***
URL spoofing - what it is and what to do about it [VIDEO]
What happens if your browser doesn't tell you the truth about the
identity of the website you're looking at?
***
iOS 12 is here: these are the security features you need to know about
One year to the day after iOS 11 appeared, Apple yesterday released
its replacement, iOS 12.
***
Here we Mongo again! Millions of records exposed by insecure database
Another day, another poorly configured MongoDB database.
***
Years on, third party apps still exposing Grindr users' locations
A third party app can use Grindr's distance data to pinpoint a user's
location down to a room within a house.
***
How Facebook wants to protect political campaigners from hacking
The social network is trying to protect candidates, elected officials
and their staff from "hackers and foreign adversaries".
***
Intel releases firmware update for ME flaw
It's only September and yet 2018 is well on its way to being remembered
as the year of fixing flaws we didn't realise were possible in hardware
we'd never heard of.
***
--- SBBSecho 3.06-Win32
* Origin: ILinkNet: The Thunderbolt BBS - wx1der.dyndns.org (454:1/33)