STE WILLIAMS

Lenovo slings privilege patches at in-built tools

IOActive security bod Sofiane Talmat has found two since-patched privilege escalation vulnerabilities in Lenovo System Update utility.

The tool keeps drivers and BIOS up to date.

Talmat found the tool’s help function contains a vulnerability (CVE-2015-8109) that can allow regular users to gain administrative access.

“Since the main application Tvsukernel.exe is running as Administrator, the web browser instance that starts to open a help URL inherits the parent administrator privileges,” Talmat says.

“From there, an unprivileged attacker has many ways to exploit the web browser instance running under administrator privileges to elevate his or her own privileges to administrator or SYSTEM.”

A second flaw (CVE-2015-8110) relates to weak cryptography that allows the tool’s temporary administrative account to be predicted and reused to elevate privileges.

“The first call to this function is used to generate the 10-letter suffix for the Administrator username that will be created as ‘tvsu_tmp_xxxxxXXXXX’ … since it is based on rand, the algorithm is actually predictable,” Talmat says.

“This means an attacker could under certain circumstances predict both the username and password and use them to elevate his or her privileges to administrator on the machine.”
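The predictability Talmat describes, as an added illustration that is not Lenovo’s code: a temporary-account name in the quoted shape built from a PRNG seeded with a guessable value (here, the clock second) comes out identical for identical seeds, while the same name drawn from the OS CSPRNG has no seed to recover. The five-lowercase/five-uppercase shape, the clock seed and all function names are assumptions for the example.

```python
import random
import re
import secrets
import string

# Constructed example: the username shape "tvsu_tmp_xxxxxXXXXX" is read
# from the advisory quote as five lowercase then five uppercase letters
# (an assumption); the seed source is also assumed, not Lenovo's.
PREFIX = "tvsu_tmp_"
SHAPE = re.compile(r"^tvsu_tmp_[a-z]{5}[A-Z]{5}$")


def _suffix(pick) -> str:
    """Build the 10-letter suffix using whatever chooser is supplied."""
    lower = "".join(pick(string.ascii_lowercase) for _ in range(5))
    upper = "".join(pick(string.ascii_uppercase) for _ in range(5))
    return lower + upper


def weak_username(seed: int) -> str:
    """rand()-style generation: a deterministic PRNG seeded with a value
    an unprivileged local user can learn or enumerate. Same seed, same
    account name, so the 'secret' temporary account is reproducible."""
    rng = random.Random(seed)
    return PREFIX + _suffix(rng.choice)


def weak_username_from_clock(now_seconds: float) -> str:
    """The common mistake the advisory points at: seeding from the clock.
    Two runs in the same second produce the same temporary username."""
    return weak_username(int(now_seconds))


def strong_username() -> str:
    """Hardened form: draw every letter from the OS CSPRNG (secrets),
    which is not seeded from anything a user can observe or guess."""
    return PREFIX + _suffix(secrets.choice)


def is_well_formed(name: str) -> bool:
    """Both generators must still emit the format the tool expects."""
    return SHAPE.fullmatch(name) is not None


if __name__ == "__main__":
    t = 1448500000.0  # constructed timestamp for the demonstration
    print("clock-seeded, run 1:", weak_username_from_clock(t + 0.2))
    print("clock-seeded, run 2:", weak_username_from_clock(t + 0.9))
    print("CSPRNG, run 1:      ", strong_username())
    print("CSPRNG, run 2:      ", strong_username())
```

The first two lines of output are identical because the seed is the same second; the CSPRNG lines differ, which is the property a temporary privileged credential needs.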

Talmat has published two advisories [PDF] [PDF] detailing the vulnerabilities. ®

Sponsored:
Data Loss Prevention Data Theft Prevention

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/26/lenovo_slings_privelege_patches_at_inbuilt_tools/

Phuc Dat Bich’s Facebook real-name woes were all a hoax, probably

An Australian (maybe, unless he lied on his profile) man (your guess is as good as mine) who in January 2015 whined about his Facebook account being “shut down multiple times” (take that with a tub of salt) has confessed that it was all a hoax.

The name that he originally claimed gave him headaches: Phuc Dat Bich.

Included with that January post was a photo of his passport which did indeed show his name as being Phuc Dat Bich.

Thus, it’s unclear whether he …

  1. …altered his passport, perhaps with Photoshop or other image-manipulation applications. It’s illegal to physically alter a valid passport. If he’s not guilty of this crime, then he might have …
  2. …called it a hoax as an, erm, hoax.

In the post he put up on Tuesday, Bich or Carr or whatever his name is said that it all started as a prank between friends that “made a fool out of the media.”

Phuc Dat Bich post on Facebook

What started as a joke between friends, became a prank that made a fool out of the media and brought out the best in the people who reached out to me. It didn’t bring out the anger and darkness that we often see on the internet, but it brought a levity and humanity in a time we need it most.
Out of this ordeal I’ve concluded not to trust the credibility of the media, it’s twisted by the hungry journalists who mask the truth.

Always interesting when a liar points a finger at those who believe him and accuses them of lacking credibility, isn’t it? Talk about a pot calling the kettle black.

The name used to sign off on the Facebook admission: Joe Carr.

Get it? Get it? “Joker.”

He or she expressed support for those who authentically have problems with cultural acceptance of their names.

Which is appropriate, given that issues with Facebook’s real-name policy have been a serious and ongoing story.

In July, a privacy watchdog ordered Facebook to allow pseudonyms.

The Nameless Coalition, consisting of 75 human rights, digital rights, LGBTQ, and women’s rights advocates – including the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) – in October penned an open letter to Facebook explaining why the policy is broken and how Facebook could mitigate the damages it causes.

The coalition included an appendix to the letter that contained multiple stories of how people have been harmed by the real-name policy.

We printed a few of those before, but Mr. or Ms. Carr’s prank presents good cause to reiterate that there are real people who actually do suffer, and why the media should in fact pay attention to their stories (and, of course, verify, to the extent possible when dealing with a prankster), so here they are again, as excerpted from the appendix:

  • Journalists and human rights activists in Vietnam have been flagged en masse and forced to stop using pen names on Facebook. One user, a mother with two imprisoned sons, had largely used her account to campaign for their release from prison. In every case, Facebook asked the activists to verify their identities. To make matters worse, in several cases, when the activists submitted their identity documents, Facebook unilaterally altered their accounts to list their legal names, without consent or notice.
  • Facebook enforced the policy against a user known as Lily in December 2014, forcing her to use her legal name. Only two weeks later a man who had, two decades earlier, beat and sexually abused Lily sent her a private message. “My blood ran cold, I was sweating, and [having] heart palpitations opening the message.”
  • In the United States, Native American Dana Lone Hill was locked out of her account and repeatedly refused reactivation even after submitting multiple IDs, a library card, and a piece of mail showing her Lakota name. As one Native user points out, “I think that Facebook has to have no general knowledge of Native Americans or their surnames.”

Facebook responded to the open letter by promising that changes to the real-name policy will arrive in December.

In the meantime, if you’re interested in how to pronounce the Vietnamese name Phuc Dat Bich, the BBC’s Nga Pham has explained that it would sound like Phoo Da Bic.

I posted a comment on Bich’s/Carr’s post asking if he altered his passport or if the confession that this is a hoax was in itself a hoax. I’ll let you know if I hear back.

Image of Mr Bich courtesy of his Facebook page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7Cpo0sZa8T0/

Hilton confirms hotel credit-card-snaffling sales till malware hit

Hilton Worldwide has confirmed that malware found its way onto point-of-sale systems that targeted payment card information.

Targeted data included cardholder names, payment card numbers, security codes and expiry dates. Addresses and PINs were not exposed, Hilton concluded, after an investigation that brought in third-party forensics experts, law enforcement and payment card companies.

Hilton omits to say how many or which hotel locations may have been affected by the breach, but is telling customers to review their payment card statements – particularly if they used their cards at a Hilton Worldwide hotel between specified dates (8 November – 5 December 2014 or 21 April – 27 July 2015). The hotel chain is also keeping quiet about the number of people or credit card records exposed as a result of the breach.

In its statement, Hilton sought to assure guests that the malware had been purged and the security of its systems strengthened in the wake of the attack.

Hilton Worldwide has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems. Hilton immediately launched an investigation and has further strengthened its systems.

Confirmation of the breach on Tuesday doesn’t come as a surprise since it comes weeks after reports in September that the hotel chain had suffered a hack attack. Again the number of records exposed was left unclear.

The breach follows a succession of attacks on other hotel chains, including Starwood and Trump Hotels over recent months.

Ryan Wilk, director at fraud prevention firm NuData Security, commented: “This credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels.

“While we can’t know for sure what [the] hackers’ long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the dark web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation,” he added.

Kevin Watson, chief exec at Netsurion, a provider of remotely managed security for multi-location businesses, added: “It’s especially important during the holiday season for merchants, retailers, hotels and hospitality businesses that process payment data to understand that they are lucrative targets. Therefore, it’s essential to take the necessary steps to protect customer data and ensure that stronger security measures are in place for their networks, payment systems and on-premise Wi-Fi services. Making those areas a priority now will allow them to focus on the core business,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/hilton_credit_card_breach_confirmed/

Finding security bugs on the road to creating a verifiably secure TLS lib

Microsoft and French research organization Inria have jointly published the source code for a more secure implementation of TLS – hopefully increasing the security of millions online in the process.

The software library emerged from a project called MiTLS, whose website mitls.org is curiously missing in action at time of writing. Its GitHub account can be found here: there you’ll find implementations of TLS written in F* and F7.

TLS is used worldwide to provide secure HTTPS connections for online banking and shopping, among many other things. The goal of MiTLS is to produce a TLS library that can be mathematically proven to work as intended, verified bug free – certainly free of the sorts of bugs that turn into security vulnerabilities in today’s TLS software libraries, such as OpenSSL.

Work on the verifiable library led to the discovery of the Triple Handshake, Freak, and Logjam vulnerabilities in other TLS libraries, we’re told.

“We did not find them because we were looking for attacks. We found them as a side effect,” said Cedric Fournet, a principal researcher at Microsoft Research Cambridge and one of the project’s lead researchers, in a blog post.

Fournet told El Reg that the team expected to find small errors, but in the end unearthed more substantial flaws, something that came as a surprise.

While the MiTLS gang works towards creating a library that can be mathematically proven to be secure, the source code releases now are geared toward helping academic and security experts create their own bug-free implementations of TLS.

The project started off back in 2011 as a way to address the differences between the theoretical security models being created in research labs and the practical implementations of internet security. What initially started off as a six-month project was expanded into an open-ended research exercise.

The vulnerabilities the Microsoft/Inria team discovered along the way highlighted that many companies were using outdated cryptographic algorithms in their TLS implementations, leaving their customers more open to attack as a result. Fournet said that some avoided updating because upgrading to a new set of algorithms can be costly and time-consuming, and may result in elements of a system not working properly or running more slowly.

In addition, many fail to see the benefits of upgrading until a particular serious vulnerability in older technologies is exposed.

The MS/Inria joint research team is working closely with other security experts and academics also working to overhaul the TLS protocol, a combined effort led by the IETF that is scheduled to spawn the next version of the protocol sometime next year. The Snowden revelations of mass surveillance by Western intel agencies have pushed participants in the process to be “more ambitious” about the forthcoming revamp, according to Fournet. This has resulted in technologies such as Perfect Forward Secrecy getting pushed into TLS 1.3, for example.

The MS/Inria Centre brings together a total of 100 researchers comprising 40 permanent researchers from Inria, 30 permanent researchers from Microsoft Research, and 30 non-permanent researchers (interns, postdoctoral, and PhD students). Alongside security, other fields of research including machine learning and cloud computing are being studied. Workers are focused on fundamental, long-term research. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/ms_tls_revamp_push/

Nest defends web CCTV Cam amid unstoppable 24/7 surveillance fears

Alphabet-owned Nest says there is no truth to the allegation that its internet-connected home CCTV cameras continue to record video even when switched off.

This assertion comes after a report from ABI Research found that the Nest Cam keeps drawing a healthy amount of current even when told to turn off, suggesting it’s still watching.

According to the ABI Teardown report, the Nest Cam draws 343mA while off, and up to 370mA or 418mA while on, depending on the resolution of the video being streamed to the cloud.

ABI vice president of teardowns Jim Mielke said that while most surveillance cameras would be expected to drop power consumption when moved to their off state, the Nest camera continues to suck juice.

This, as a result, suggests that the Nest Cam does not actually power down and continues to observe what is going on in the room.

“In this case, the current drain only changed slightly when given the turn off command, reducing from 370mA to 340mA. Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times,” Mielke said.

“This means that even when a consumer thinks that he or she is successfully turning off this camera, the device is still running, which could potentially unleash a tidal wave of privacy concerns.”

Nest denies the claim, saying that its home surveillance camera does in fact stop watching you when it is powered off. Rather, the Google stablemate claims, it has to keep pulling current so it can wake up and record video at a moment’s notice when asked to, rather than waste time powering up and connecting to the internet.

“When Nest Cam is turned off from the user interface, it does not fully power down, as we expect the camera to be turned on again at any point in time,” Nest said in a statement to El Reg.

“With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings.”

It seems that rather than being a privacy menace that ogles you even when powered down, the Nest Cam is simply an energy hog that sucks up electricity even when you don’t need it. Now then, anyone want to monitor the network activity of a Nest Cam when powered off? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/25/nest_cam_doesnt_spy/

Hilton Data Breach Focuses Attention On Growing POS Malware Threat

Analysts expect an increase in POS attacks against retailers and others during this holiday shopping season.

News this week about a data breach at Hilton Worldwide has focused attention on what many security researchers say is an uptick in the use of point-of-sale (POS) system malware to steal payment card data from retailers and other organizations.

Hilton on Tuesday confirmed that unknown attackers had broken into some of its POS systems and stolen names, card numbers, expiration dates and security codes belonging to an unspecified number of credit and debit cardholders. But personal identification numbers (PINs) or addresses were not compromised, the company said.


Hilton’s statement suggests that hackers had access to its POS systems for a total of at least 17 weeks spanning two different time periods, the first between Nov. 18 and Dec. 5, 2014 and the second between April 21 and July 27, 2015.

Hilton did not say whether this meant it suffered two separate incursions or whether the same hackers who had accessed its POS systems in 2014 accessed them again this year. As has become standard in such situations, the company has offered one year of free credit monitoring services to customers impacted by the breach.

Hilton is the second hotel chain to announce a breach in the past several days. Just last week, Starwood Hotels — the owner of brands like Sheraton, Westin, and W Hotels — disclosed that hackers had breached POS systems at over two dozen of its properties.

Like Hilton, Starwood did not disclose the number of people affected by the breach but confirmed that sensitive cardholder data had been compromised. In Starwood’s case, the relevant POS systems appear to have been attacked separately over a time span starting November 2014 and continuing through the end of June 2015.

The PoS malware responsible for the attacks on Hilton and Starwood has not been named. No indication has been given yet that the stealthy ModPOS, detailed by iSIGHT Partners this week, was to blame.

The breaches are just the beginning of what security analysts predict will be a spate of attacks on vulnerable POS systems this holiday season. “Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain” for retailers and businesses in the hospitality industry, said Mark Bower, global director of product management for HPE Security, following the recent attack on Starwood.

“A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data,” said Bower.

The holiday shopping rush creates the perfect opportunity for attackers to target POS systems, compliance services provider Trustwave said in a recent report. According to the company, some 40 percent of breaches in 2014 were POS-related, with almost all of them resulting from remote access vulnerabilities and weak passwords. Attackers targeted POS systems using at least 70 individual POS malware tools. Input validation errors stemming from SQL injection flaws and unpatched vulnerabilities caused 75 percent of the breaches that Trustwave reviewed.

Such issues could pose even bigger concerns this year, say some security vendors. For one thing, retailers are still only working to meet PCI 3.0 compliance requirements, says Chris Strand, senior director of compliance, Bit9+Carbon Black.

This is also the first holiday shopping season after the EMV liability shift went into effect, which means that in the event of payment card fraud, whichever party — merchant or card issuer — has failed to implement EMV Chip-and-PIN technology is the one stuck with liability for the fraud. Thus, EMV will now be in greater use, and many consumers will have an entirely new purchasing experience this season.

The fact that the end of life for Windows XP embedded is coming up in January adds to the problem, says Strand, referring to the fact that many POS systems still continue to run the operating system.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/hilton-data-breach-focuses-attention-on-growing-pos-malware-threat/d/d-id/1323326?_mc=RSS_DR_EDT

Avoid these scams this Black Friday and Cyber Monday

The Thanksgiving holiday is this Thursday, the unofficial start to the Christmas shopping season in the US, followed by Black Friday and Cyber Monday.

People will surely go online in droves searching for deals, and cybercrooks and scammers know this is the perfect time of year to take advantage of those who aren’t aware of the risks.

For the past few days, SophosLabs has seen plenty of spam promoting suspicious and deceptive websites under the guise of great deals.

In one example, our spam traps caught a message purporting to offer Black Friday deals on “the car of your dreams.”


The email claimed to be from JC Penney, a well-known US retailer…

…that sells affordably priced clothing and home goods, not cars.

The email wasn’t really from JC Penney at all, of course – the “from” header was forged – and the Black Friday auto deals don’t exist.

If you click on the image in the email, you’re taken to a blank website that immediately redirects you to another website hosting ads for a variety of deals, for everything from home and auto insurance to diet, online education and travel deals – the car deal is “no longer available.”

Spam redirect website

SophosLabs researcher Biprotosh Bhattacharjee tells me that this is a common technique for spammers who can change out the “default” content of the website at any time and replace it with scams or malicious webpages.

Another suspicious “deal” SophosLabs saw this week was spam offering deep discounts on Ugg boots, which normally retail in the US for upwards of $100, but the email subject line claimed to offer Uggs “on sale” for only $65.

The spam links to a domain with “Black Friday 2015” in the URL, a website which redirects to another site offering “crazy” Thanksgiving deals on Ugg boots, and displays an Ugg logo.

ugg scam website

Looking more closely, however, we can see there are several indicators that this website is a scam, beyond the obvious typo (“Thanksgivin”).

The biggest warning sign is that the scam website does not use the URL of the actual Ugg website (uggaustralia.com).

And if you attempt to purchase any of the items, you’re taken to an insecure payment page that doesn’t use HTTPS (signified by a padlock in the browser address bar).

The payment page asks for your credit card information, but there is only one option from the dropdown menu which doesn’t differentiate between the different types of credit card, such as Visa or Mastercard.

Although it’s tempting to believe offers for items priced well below retail, there’s a good chance these “Ugg” boots are cheap knock-offs – Ugg itself has warned customers that it has worked with law enforcement to take down over 60,000 sites offering counterfeit versions of its products.

Don’t fall for online deals like this. So-called affiliate networks help spammers to make money by driving people to these websites offering knock-off versions of well-known brands, like Apple products and even prescription drugs like Viagra.

In general, Naked Security writer and Sophos expert Paul Ducklin says, you should steer clear of super-cheap product offers that arrive in unsolicited emails:

Even if you think that the crooks will take every care with your payment details and your identity, and even if the goods you are buying turn out to be the genuine article, why give these guys your business? Instead, ask yourself, “Do I consider a spam campaign to be the basis of a business relationship founded on mutual trust?”

Tips for safe online shopping

  1. If it sounds too good to be true, it IS too good to be true. There is no such thing as a free iPhone 6!
  2. Never fill in purchase details on a website that doesn’t use a secure (encrypted) connection. Don’t be fooled by padlock images in the webpage itself: look for the padlock in your browser’s address bar.
  3. Don’t click on links in unsolicited emails. Those links could land you on a phishing website or a website that will infect you with malware via what’s known as a drive-by download. Always type in the website address, but be careful of mistyped addresses where cybercrooks may be squatting. Bookmark the sites you typically visit for shopping, banking, etc.
  4. Watch out for sites that ask for way too much information, such as your card PIN – which is not used online – Social Security number or national ID number. And never share your passwords. IF IN DOUBT, GIVE NOTHING OUT!
  5. Scrutinize your bank statements. Check your bank account transactions regularly for signs of fraud, particularly after making purchases online. If you discover payments that you can’t identify, notify your bank immediately.

Image of mega-explosive sale sign courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cBkv7PpTnag/

Buzz your drones over to registration, recommends FAA

Heft that beribboned package!

Does it weigh less than 55 pounds? Does it perhaps have the mass and dimensions to be a hobby drone?

Get ready to register that new toy if it does turn out to be a small, unmanned aircraft system weighing between half a pound (250 grams) and 55 lbs (25 kgs).

In other words, what the FAA likes to call sUAS.

The US Federal Aviation Administration (FAA), scampering to prepare for flocks of drones expected to be unwrapped next month over the holidays, on Monday released a list of recommendations for how to better monitor recreational use of the machines.

Under the proposal, most drone owners would have to register the machines with the federal government, which would place the information in a national database in what would be the first time for such requirements.

The skies are already filled with hobby drones.

The swarms are going to be thicker still: The Consumer Technology Association forecasts that 400,000 drones will be sold in the US this holiday season.

That figure doesn’t even include the commercial drones being developed by Google (now known as Alphabet), Amazon, Wal-Mart and others.

The FAA’s recommendations aren’t rules yet, but they likely will be in the coming month.

FAA Administrator Michael Huerta last week said in a post that there’s still time for public comment, but a final version of the rules will likely be released in December and go into effect shortly thereafter.

Registering drones will “instill a sense of accountability and responsibility among UAS pilots,” he said.

From his post:

By some estimates, as many as 400,000 new unmanned aircraft will be sold during the holiday season. Pilots with little or no aviation experience will be at the controls of many of these aircraft. Many of these new aviators may not even be aware that their activities in our airspace could be dangerous to other aircraft – or that they are, in fact, pilots once they start flying their unmanned aircraft.

The recommendations come out of a special task force the FAA pulled together with the purpose of figuring out how to wrangle the proliferation of drones.

The task force was co-chaired by FAA drone chief Earl Lawrence and Dave Vos, who leads Google’s drone program, known as Project Wing.

Also on board were 24 other drone, aeronautics and aviation experts from Amazon, Best Buy, GoPro, Walmart and multiple industry groups and associations.

Vos said that there was a lot of compromise involved in coming up with the guidelines:

It is a great statement that all of the members on this task force have really rolled up their sleeves and were willing to work very, very hard to find the right compromise.

Nobody gets exactly what they want, but everyone got most of what they want.

In its report, the task force recommended that drone operators:

  1. Fill out a registration form online or through an app.
  2. Immediately receive an electronic certificate of registration and a personal universal registration number for use on all sUAS owned by that person.
  3. Mark the registration number (or registered serial number) on all applicable sUAS prior to their operation in the national airspace system (NAS).

Some important takeaways:

  • The operators would be registered, not the drones. Google’s Vos said the recommendation is for the same registration number to be used on each drone owned by a given operator: “What we’re recommending at this point is that each owner has a registration number and if that owner owns one airplane or a hundred airplanes the same registration number can be used on all the airplanes that that owner owns.”
  • The only registration requirements are name and address. There is, though, a suggested minimum age of 13. Sharing email addresses, phone numbers or mailing addresses would be optional for those who’d like to receive, for example, education materials or other information from the FAA. Registration wouldn’t require information on citizenship or residence status.
  • Registration will likely be free, so watch out for scams. The FAA warned that one company has already offered to help people register their drones for a fee. Don’t fall for it, the FAA said: rather, hang tight and wait for details about the drone registration system before paying anyone to do the work for you.
  • No rules are changing yet. The FAA’s guidance, at least for now, remains the same: Don’t fly anything that weighs more than 55 pounds; fly them within your line of sight and below 400 feet; stay at least 5 miles away from an airport or manned aircraft; avoid flying near people, stadiums or other crowded places; take classes or join a club for extra safety; and always inspect the craft before you fly.

Plenty of drones are, of course, getting into all sorts of trouble by avoiding such guidance, as they hover over playgrounds and London’s Hyde Park, drop packets of drugs into prisons, gawk at sunbathers, follow somebody home and then hover outside their bedroom window, buzz at 365 meters (1200 feet) above Liverpool city center, fly over a house of neighbors tied up in a six-year boundary dispute, linger above people to apparently record them as they enter their PINs into ATMs, get a bellyful of birdshot courtesy of a privacy-loving/rifle-toting neighbor, cause airborne wildfire fighters to drop their loads of fire retardant and turn around lest they collide, and get operators arrested for flying over the White House.

Busy little suckers.

Rules? Yes. Regulations?

Yes yes yes.

Bring it on.

Image of Christmas drone courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ACBg5dQv450/

Facebook ‘Most Used Words’ game accused of stealing and selling user data

Do you know what words you use most on Facebook?

No? Well, there’s a game for that: one that will make a word cloud that shows your verbiage leanings, with your most-used words rendered front and center, nice and big.

“3,” much?

That was one of the biggest/most frequent “words” used by a friend of mine, as I saw in her word cloud.

And thanks to a post about the game – which is called Most Used Words on Facebook – from UK-based VPN comparison website Comparitech that recently called it a “privacy nightmare,” I was initially ready to urge friends like her to please not touch the game with a 12-foot pole.

The game maker has vehemently denied the accusations. More of that in a moment, but here’s what the initial dustup was about:

Over the course of just a few days, Most Used Words on Facebook has been shared millions of times, including, like I said, by my friends, and possibly yours.

As of Sunday, when Comparitech published its piece, the game had reportedly been shared over 16 million times, by people who agreed to sign over “almost every private detail about themselves to a company they likely know nothing about.”

Since that post, there have been multiple stories about how the viral app is hoovering up people’s personal information and is able to sell it to whoever it wants.

According to Comparitech, that includes:

  1. Name, profile picture, age, sex, birthday, and other public info
  2. Entire friend list
  3. Everything you’ve ever posted on your timeline
  4. All of your photos and photos you’re tagged in
  5. Education history
  6. Hometown and current city
  7. Everything you’ve ever liked
  8. IP address
  9. Information about the device you’re using, including browser and language

But it’s not just your info, it’s also your friends’ info, Comparitech said.

After you click on a Most Used Words post, a page will pop up, offering the option to grant access to your profile so the app can see what you’ve posted.

The post goes on, noting that the game or quiz or app or whatever you want to call it wants access to everything you’ve ever liked, will gather information on your computer, such as IP address and browser used, information about your entire friends list, including people who’ve never used the app, and all the photos in which you’re tagged.

But as many commenters on Comparitech’s post have pointed out, the list of what Most Used Words pulls out of Facebook is basically just a description of what Facebook knows about us.

If your Facebook setting is set to “public,” that information list is about as private as your underwear drying on the clothes line.

Besides that, your IP address and all sorts of information about your computer (enough to produce a unique browser fingerprint) are handed over to every website you visit as a matter of course.

Still, Comparitech dove into the privacy policy of the company behind the game, which is South Korean startup Vonvon.me, and found some things that seemed pretty alarming at first blush, such as:

  1. No takebacks if you’ve already taken the quiz: “…you acknowledge and agree that we may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this website and/or use of our services, for any reason whatsoever.”
  2. Vonvon’s hands-off after it’s purportedly sold personal information to third parties, who can do whatever they want with it: “…this Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose personal information…”
  3. Vonvon notes that it wouldn’t share your personal information with third parties unless it’s notified you first, but in the same sentence, it admitted that the privacy policy itself is already one way of notifying you.

Fast forward to early afternoon on Tuesday, and you’d find that Vonvon was, as we say in the States, having kittens over the coverage.

Vonvon CEO Jonghwa Kim sent Comparitech an indignant response, saying that the privacy policy quotes were selectively carved out to fit the writer’s premise, which was a “false accusation” about selling user data to third parties.

In fact, the company never stores personally identifying information (PII) on its servers, he said, and only uses PII to produce engaging content:

We only use your information to generate your results, and we never store it for other purposes. For example, in the case of the Word Cloud, the results image is generated in the user’s web browser, and the information gathered from the user’s timeline to create personalized results is not even sent to our servers.

Also, in the case of our quiz “What do people talk behind my back?” we use the user’s school and hometown so that we may pull up close friends rather than pairing a random person from among your 500 fb friends in the results. We use this information only to process familiarity of friends, and again, the information is never stored in our databases.

The company doesn’t sell user data, he emphasized, since there’s nothing to sell:

As we do not store any personal information, we have nothing to sell. Period.

As far as the privacy policy goes, Kim noted that the “non-personally-identifying” information it hangs onto is just that: information that doesn’t identify a user:

“Non-personally-identifying” information is not the same as “personal” information. Are we the only company on this planet that uses analytics tools to better understand our users with cumulative behavioral data?

Nope, Mr. Kim, you certainly are not.

His letter goes on. Comparitech has appended it to the bottom of its original post.

I’d suggest it’s well worth a read. But then, so too is Vonvon’s privacy policy, as privacy policies always are.

Regardless of whose side you come down on, the fracas is a good example of the kind of access we routinely offer up in return for a mildly diverting 30 seconds of entertainment. It’s also a reminder of why we should read privacy policies before we sign up for Facebook apps.

Most Used Words on Facebook is far from the first or only app wanting to access our data.

You can always tweak what the app can access by getting rid of apps you’ve already authorized by clicking the lock icon on Facebook’s top right corner, going to “See More Settings,” and checking out the “Logged in with Facebook” list under the Apps section.

Click “x” to remove apps you don’t trust or recognize.

Of course, as Comparitech said, the best way to protect your data is to abstain from connecting third-party quizzes to your profile in the first place.

After all, even if Most Used Words on Facebook is as privacy-respecting as Mr. Kim insists, there are plenty of scam quizzes out there. Remember the Super Bowl survey scam of 2013?

None of those who clicked on the offer for a “fan pass giveaway” got a free pass. No, all they got was their personal details sold off to the highest crook bidder.

You can protect yourself, and your friends, by just staying away.

As much fun as it is to see what cat you’re most suited to or which Disney Princess is your soulmate, if you have to hand over the keys to your privacy to find out, repeat after me: it’s not worth it.

Image of Facebook logo courtesy of 1000 Words / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sC6Zojfg7jg/

Dell’s risky “Superfish-style” security certificates – here’s what to do

Remember the Superfish controversy?

Computer vendor Lenovo shipped a range of laptops with a preinstalled application called Visual Discovery from a marketing company called Superfish.

Visual Discovery peeked at your web traffic, extracted images, and tried to figure out what you were interested in so it could send you related and relevant ads.

Sort of like what Google and others do with text (by looking at your searches, your webmail, and so on), but using images instead.

Unfortunately, Superfish decided it would be neat to look inside your secure web traffic (HTTPS) as well, which means:

  • Intercepting encrypted connections from your browser.
  • Connecting to the encrypted website on your behalf. (What’s known as proxying.)
  • Decrypting the returned content in order to analyse it.
  • Re-encrypting it.
  • Passing it to your browser, which expects an encrypted reply.

But this causes one of two problems:

  • Either the encrypted reply to the browser is marked as coming from Superfish, not from the official site.
  • Or Superfish pretends to be the official site, and the encrypted reply has a suspicious digital certificate.

By default, both of these behaviours lead to a certificate warning in the browser, for every encrypted site.

LET’S PRETEND

The usual solution is for your browser to agree to trust “pretend” digital certificates from Superfish, or whoever else is acting as the so-called man-in-the-middle (MiTM), so that the MiTM can represent itself as any site it likes.

Typically, this is done by adding what’s known as a trusted root certificate to the browser or the operating system, authorising some intermediary program to take over encryption duty, so to speak, on behalf of all encrypted sites.

When the intermediary is a secure gateway or web filtering server, your computer only needs the trusted certificate and its public key, the part that lets you verify who signed the certificate.

The private key – the part that actually signs the “pretend” certificates in the first place – is stored on the gateway and protected strongly.

Of course, if the MiTM is actually running on every computer in your network, each computer needs a copy of the trusted certificate, its public key, and its private key, because the “pretend” certificates will be both signed (private key) and verified (public key) right there on the same computer.

That was the case with Superfish, and it created a security risk, because, generally speaking, private keys are more vulnerable to theft by malware on a general-purpose computer like a laptop than on a server locked away in the network room.

In fact, in the Superfish case, it created a giant security risk, because every computer had a copy of exactly the same private key, protected with exactly the same password, and the password was trivial to extract from the Superfish software.

Indeed, the password was the name of the third-party software company that created the software component used for the MiTM functionality.

Therefore every crook in the world suddenly knew how to issue “pretend” certificates for fake websites that would pass muster on any computer with the Superfish software installed.

Clearly, this opened a serious and non-obvious security hole, not least because a crook could have created “pretend” certificates to masquerade as your webmail service or your bank.

We showed you how to get rid of the offending trusted root certificate in the Superfish case, and how to remove the poorly-written Superfish MiTM software as well.

Problem solved.

MORE RISKY CERTIFICATES

Fast forward from February 2015 to November 2015, and this time, it’s Dell laptops at risk.

It seems that two Dell-issued trusted root certificates have been reported “in the wild” in the past few days, which show up in the Windows Certificate Manager as:

  • eDellRoot
  • DSDTestProvider

Dell has officially commented on the first of these, admitting its mistake, explaining how to remove the offending certificate by hand, and promising a software update that will remove it automatically, just in case.

We assume that the second certificate can be removed using similar instructions, and that it too will soon vanish anyway via an automatic security update. (We don’t have an affected Dell laptop handy to test this.)

Ironically, Dell says that the eDellRoot certificate “was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.”

Why this needed a private key – the very same private key, apparently password protected with the decryption key dell – on every computer isn’t clear, but Dell’s prompt response is nevertheless appreciated.

It seems that the DSDTestProvider certificate has a similar sort of back-story, as it is apparently installed if you use the Dell System Detect (DSD) software that is supposed to help you figure out what hardware you have.

WHAT TO DO?

Follow the instructions provided by Dell, which are similar to the ones we issued back when Superfish was in the news, to use the Windows Certificate Manager to remove the above-mentioned trusted root certificates.

It’s worth learning how to use the Certificate Manager anyway, even if you don’t have an affected Dell product…

…just in case this sort of thing happens again.
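As an added example (not Dell’s or Naked Security’s own code), this PowerShell snippet enumerates the machine and user Root stores, flags the two certificate names mentioned above, and goes one step beyond the article by listing every root certificate whose private key is present on this computer, since a locally held private key is exactly what turned Superfish and eDellRoot from a nuisance into a signing risk. The store paths and cmdlets are standard PowerShell; the two names come from the article; there are no thumbprints here because the article gives none.

```powershell
# Added example: audit the Windows Root stores for risky trusted root certificates.
# Names taken from the article; everything else is standard PowerShell.
$suspectNames = @('eDellRoot', 'DSDTestProvider')
$stores       = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-RiskyRootCertificate {
    # Returns one record per root certificate that either carries a name from
    # the article or has its private key stored on this machine. A root CA with
    # a local private key can sign "pretend" certificates this computer will trust.
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $nameHit = $false
            foreach ($n in $suspectNames) {
                if ($cert.Subject -like "*$n*" -or $cert.FriendlyName -like "*$n*") { $nameHit = $true }
            }
            if ($nameHit -or $cert.HasPrivateKey) {
                [PSCustomObject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey
                    KnownBadName  = $nameHit
                    NotAfter      = $cert.NotAfter
                }
            }
        }
    }
}

function Remove-RiskyRootCertificate {
    # Mirrors the manual Certificate Manager deletion Dell describes. -DeleteKey also
    # removes the private key, which plain certificate deletion leaves behind.
    # LocalMachine stores require an elevated (Administrator) session.
    param(
        [Parameter(Mandatory)][string]$Store,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    Remove-Item -Path "$Store\$Thumbprint" -DeleteKey -Confirm
}

$findings = Get-RiskyRootCertificate
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Host "Review each entry; remove one with: Remove-RiskyRootCertificate -Store <Store> -Thumbprint <Thumbprint>"
} else {
    Write-Host "No root certificate with a suspect name or a local private key was found."
}
```

A legitimate enterprise web filter shows up here only if someone has put its private key on the endpoint, so anything with HasPrivateKey set to True deserves an explanation before it is left in place.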

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xKvdnLSL-8w/