FBI issues warning about lucrative fake job scams

What’s the difference between a real job and the horde of fake ones found on the internet?

It’s even more basic than the fact that one is fake – fake jobs are suspiciously easy to get interviews for.

These hiring scams sound like child’s play. Post fake employment opportunities on legitimate job sites, which link to spoofed sites impersonating known brands, which in turn leads to an email offering a teleconference ‘interview’ from an imaginary HR department.

Next comes the job offer, but only after collecting the applicant’s social security number, a scan of their driving license and – the important bit – a credit-card fee to cover the recruitment, training, or background checks they are told will be reimbursed by their new employer.

That never happens because there is no employer to pay them back, and of course, no job.

These scams date back to the earliest days of the internet but seem to be getting, if not more common, then a lot more ambitious.

This week the FBI’s Internet Crime Complaint Center (IC3) put out its latest warning about fake job postings, a problem about which it has received numerous complaints over the past year.

What’s surprising is that financial losses now run to almost $3,000 per victim, plus the loss of personally identifiable information (PII) which can be abused for years.

But why do people keep falling for them?

It’s a matter of speculation but one possibility is the widespread notion that the internet has created plenty of quick-and-dirty jobs that only get advertised on unusual channels.

Everyone will have encountered these job ads at some point, which in their crudest form go something like:

Earn $$$ working from home.

Unfortunately, if some of these were once legitimate, many are now just the front door to trouble for anyone brave or desperate enough to apply.

Others can be more sophisticated, with the UN having to warn that fake positions were being advertised under its name, sometimes quite plausibly.

The IC3 offers a checklist to separate legitimate job adverts from scams, which can be boiled down to:

  • If a job interview is offered only via videoconference, be suspicious.
  • Employment agencies and their claimed representatives should always be thoroughly researched first.
  • Check that a job has been advertised on the company’s website and not only on a job board.
  • Emails should come from known domains rather than third-party lookalikes.
  • Never pay for anything upfront and never hand over a credit card number under any circumstances or agree to a bank transfer (background checks involving fees are only necessary for a small number of jobs that will always involve face-to-face interviews).
  • Be suspicious if the pay rate sounds too high for unskilled work (e.g. customer response work at $50 per hour).

It’s troubling that pretty much the same advice was handed out by government agencies a decade ago and yet the IC3 is still receiving reports of citizens who’ve fallen for such scams.

At some point, law enforcement and government agencies will have to accept that having to repeat the same advice over and over is a clear sign that the warnings aren’t getting through.

What to do if you’re the victim of a hiring scam

The FBI recommends taking the following actions:

  • Report the activity to the Internet Crime Complaint Center at www.ic3.gov or your local FBI field office, which can be found online at www.fbi.gov/contact-us/field-offices.
  • Report the activity to the website on which the job posting was listed.
  • Report the activity to the company the cyber criminals impersonated.
  • Contact your financial institution immediately upon discovering any fraudulent or suspicious activity and direct them to stop or reverse the transactions.
  • Ask your financial institution to contact the corresponding financial institution where the fraudulent or suspicious transfer was sent.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gAFkIxgbe1k/

Sonos’s tone-deaf legacy product policy angers customers

When you buy a cloud-connected appliance, how long should the vendor support it with software updates? That’s the question that home audio company Sonos raised this week when it dropped some unwelcome news on its customers.

The company has announced that it will discontinue software updates for older products in May this year (here’s a list of products that it marks as legacy). Stopping software updates for legacy kit is nothing new, but it’s the way the company has done it that has Sonos customers’ hackles up.

Sonos points out that it supports software updates on products for at least five years after it stops selling them. However, the issue here is that all products in a Sonos network must run on the same software, meaning that any newer (‘non-legacy’) equipment connected to the speakers will also stop downloading new software updates. The only way around this for Sonos users is to disconnect their new equipment from their legacy kit and run them independently of each other.

From Sonos’s email to customers:

Please note that because Sonos is a system, all products operate on the same software. If modern products remain connected to legacy products after May, they also will not receive software updates and new features.

This carries service implications for users, because while products will continue working without software updates, it doesn’t mean that they will work as well. Sonos explains that as third-party connected cloud partners change their own services, they may become incompatible with the legacy software.

This isn’t just a product service issue; it’s a cybersecurity problem. Any cloud-connected equipment is potentially vulnerable to attack, and researchers frequently discover new exploits. Ugo Vallauri is co-founder and policy lead of the Restart Project, a European organisation that promotes user repairs of consumer electronics in a bid to cut down on e-waste. He told us:

A big issue is the lack of separation between security updates and software updates. While we can’t expect a product’s software to be improved indefinitely, security updates should be ensured for as long as possible. In this case, Sonos is not even mentioning security updates when suggesting that “legacy” products could continue to be used.

When we asked Sonos about this, it replied:

We take our customers’ security seriously and will work to maintain the existing experience and conduct critical bug fixes where the computing hardware will allow.

So perhaps there’s hope, but there’s no official policy that tells you exactly what to expect in terms of cybersecurity fixes.

Contrast that with computer software companies like Microsoft. It also ceases support for its products (a concept known as end of life, or EOL). However, it lets customers know about it years in advance, rather than giving them four months’ notice, as Sonos has done. It offers cybersecurity updates for an extended period and allows customers to buy extended support after that. And EOL Microsoft software connected to the network doesn’t affect software support for non-EOL software.

Sonos customers are furious. On the company’s forum, one, named Stueys, said:

Just received the legacy email that tells me that half my 10 unit system will be obsolete from May. So it appears that I can either pile more money into Sonos, accept that my modern equipment (less than 2 years old) will no longer be updated because I have the audacity of being a long term customer or go somewhere else.

So how long should companies maintain software support for their products?

Gay Gordon Byrne is executive director of the Repair Association, a US non-profit that advocates for people’s right to repair their products. She told us:

There are ZERO support obligations in the US. There are no requirements that any product be updated for any reason other than for “Defect Support”. Even fixing known defects is voluntary until/unless there is a mandatory recall or other banishment, such as when the Samsung Galaxy 7 phones were so prone to battery fires that they were prohibited on planes.

We asked Sonos why it couldn’t have introduced a software feature that would enable newer products to maintain backwards compatibility with older products. After all, games console vendors engineer entire operating systems to be backwards-compatible with old games, which is a much tougher task. We’ll update this article when the company responds.

Stueys asked Sonos:

So I can make an informed decision Sonos must now publish the support windows for all products currently available. At least try to recover some credibility.

We put this to Sonos, and it restated that it will support products with regular software updates for at least five years after it stops selling them.

Sonos explains that if customers don’t want to keep their old legacy kit, they can trade up. This program, announced in October 2019, gives customers a 30% credit for each legacy product they replace.

There’s a catch, though: to take advantage of the trade-in deal they have to activate ‘recycle mode’, which is effectively a kill switch for legacy equipment. Activating this mode deliberately bricks Sonos equipment in 21 days with no chance of recovery. It’s designed to stop legacy kit from falling into the hands of second-hand customers and degrading their experience, Sonos told The Verge.

All this leads to a bigger question: Do you really own your equipment when it’s connected to a cloud service? Companies have trampled over user rights in the past, such as when Nest bought IoT home hub device Revolv and then bricked all the devices in the field. It’s an ongoing problem and we document other examples.

Vallauri concluded:

Increasingly, products are rendered useless via software before they are physically obsolete. We first experienced this with mobiles and tablets, but we will experience this with many of the products we buy. This is totally unacceptable, given their cost to consumers and their environmental cost.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4YXp5F5XJZ0/

Apple allegedly made nice with FBI by dropping iCloud encryption plan

In spite of Apple having turned over the shooter’s iCloud backups in the case of the Pensacola, Florida mass shooting last month, the US government has been raking it over the coals for supposedly not helping law enforcement in investigations.

But according to a new allegation, Apple has been far more accommodating than the FBI has been willing to admit. Specifically, according to six sources – Reuters relied on the input of one current and three former FBI officials and one current and one former Apple employee – a few years ago, Apple, under pressure from the FBI, backed off plans to let iPhone users have end-to-end encryption on their iCloud backups.

The bureau had griped that such encryption would gum up its investigations.

Last week, US Attorney General William Barr fumed at Apple over its refusal to break encryption per FBI request:

So far, Apple has not given any substantive assistance.

President Donald Trump piled on, tweeting that Apple refuses to unlock phones used by “killers, drug dealers and other violent criminal elements.”

But if the recent allegation proves true, it means that Apple has been far more accommodating to US law enforcement than headlines, politicians’ ire, and Apple’s marketing would indicate.

Its sources told Reuters that more than two years ago, Apple told the FBI that it planned to offer end-to-end encryption for iCloud backups, primarily as a way to thwart hackers. If it had gone through with the plan, it would have meant that Apple wouldn’t have a key to unlock encrypted data and would thus be unable to turn over content in readable form, even if served with a court order to do so.

The next year, in private talks with the FBI, the plan to fully encrypt iCloud backups had disappeared. Reuters couldn’t determine why, but without giving details, a former Apple employee said it wasn’t hard to fill in the blanks:

Legal killed it, for reasons you can imagine.

Reuters’ source said that Apple didn’t want to run the risk of “being attacked by public officials for protecting criminals, sued for moving previously accessible data out of reach of government agencies or used as an excuse for new legislation against encryption.”

If that was indeed Apple’s intent, it hasn’t worked out all that well. The company has been excoriated on Capitol Hill for its refusal to put in a backdoor that would enable the government to read encrypted messages.

Last month, responding to Apple and Facebook reps who testified about the worth of intact encryption, Sen. Lindsey Graham had this to say about the government’s ongoing quest for a backdoor:

You’re going to find a way to do this or we’re going to do this for you.

Backdoors are a product-crippling move that Apple has declined to take in spite of the FBI’s many demands to do so since the case of the San Bernardino terrorists.

One of Reuters’ sources said that it was that 2016 court battle with the FBI that subsequently made Apple back down:

They decided they weren’t going to poke the bear anymore.

A former FBI official who wasn’t involved in the iCloud encryption talks said that during the fight over encryption of the San Bernardino shooter’s iPhone, the bureau had managed to convince Apple that evidence from iCloud backups had made a difference in thousands of cases.

Apple was, it seems, convinced: outside of that public spat over San Bernardino, Apple gets along with the federal government.

The allegation relies on hearsay. Reuters doesn’t have solid proof. But one former Apple employee suggested that the encryption project – variously code-named Plesio and KeyDrop – might have been abandoned for other reasons besides legal trepidation, such as the possibility that customers would get disgruntled over being locked out of their data more often. At any rate, as three of Reuters’ sources tell it, Apple pulled about 10 experts off the encryption project after deciding to dump it.

Apple has handed over iCloud backups in 1,568 cases, covering about 6,000 user accounts, Reuters reports. In fact, the company has turned over at least some data for 90% of the requests it’s received.

It’s much easier to get at the online backups than it is to crack an iPhone, for a number of reasons. It can be done secretly, for one. You don’t need to physically possess the device to get at its data if you can get access to its iCloud backups.

And even though investigators have access to tools to bypass the iOS lock screen – tools believed to be used by companies such as Grayshift and Cellebrite – the window of time to extract a device’s data sometimes runs out before a full extraction has been done.

One example came up in 2018, in a case concerning an investigation into a pedophile ring in the US state of Ohio.

With search warrant in hand, investigators searched a suspect’s house, demanding that he use Face ID to unlock the iPhone X that they found. He complied, which gave the FBI access to photos, videos, correspondence, emails, instant messages, chat logs, web cache information and more on the iPhone.

Or, at least, that’s what the search warrant authorized investigators to seize. However, they couldn’t get everything that they were after before the phone locked. A device can be unlocked by using Face ID, but unless you know the passcode, you can’t do a forensic extraction. The clock starts ticking down, and after an hour, the phone will require a passcode.

According to the suspect’s lawyer, the FBI wanted to use Cellebrite tools to get more data from his client’s phone, but they weren’t successful.

Neither Apple nor the FBI has responded to media requests for comment on the reported abandonment of iCloud encryption.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qyltSL5-IRc/

UN report alleges that Saudi crown prince hacked Jeff Bezos’s phone

A forensic examination of Amazon CEO Jeff Bezos’s mobile phone has pointed to it having allegedly been infected by personal-message-exfiltrating malware – likely NSO Group’s notorious Pegasus mobile spyware – that came from Saudi Arabia’s Crown Prince Mohammed bin Salman’s personal WhatsApp account.

The United Nations backed up the allegation by releasing details of the evidence on Wednesday.

The UN’s report said that full details from the digital forensic exam of Bezos’s phone were made available to its special rapporteurs. The release of the report followed a story about the hack from The Guardian that was published earlier on Wednesday.

The report was drafted by Agnes Callamard, a UN expert on extrajudicial killings who’s been probing the murder of The Washington Post columnist Jamal Khashoggi, and by David Kaye, who’s been investigating violations of press freedom. Bezos owns The Washington Post.

Khashoggi was killed in October 2018 by agents of the Saudi government after they allegedly used Pegasus to hack his friend’s phone.

According to the UN’s report, the crown prince’s WhatsApp account sent Bezos a taunting message a month after Khashoggi was murdered. From the report:

A single photograph is texted to Mr. Bezos from the Crown Prince’s WhatsApp account, along with a sardonic caption. It is an image of a woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly.

The richest man in the world had been having a seemingly friendly WhatsApp conversation with bin Salman when, on 1 May 2018, an unsolicited file was sent from the crown prince’s phone.

Within hours, a trove of data was exfiltrated from Bezos’s phone, although the forensic exam did not reveal what was in the messages.

According to the forensic details released by the UN, the unsolicited message coming from bin Salman’s WhatsApp account was a video. After it was received, Bezos’s phone started pumping out data at an extraordinary rate: the data egress increased by 29,156%. It not only stayed that high for months; it also hit rates as much as 106,031,045% higher than the phone’s normal data egress rates.

It looks like Bezos’s phone could have been infected with Pegasus mobile spyware, experts concluded. From the UN’s statement:

Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus or, less likely, Hacking Team’s Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity. For example, following the initial spike of exfiltration after receipt of the suspect video file, more than 6GB of egress data was observed using exfiltration vectors.

Before it was patched in May 2019, a zero-day vulnerability in WhatsApp meant that with just one call, spies could access your phone and plant spyware – specifically, Pegasus.

The mobile spyware has been unleashed against Mexican political activists; targeted at the human rights-focused NGO Amnesty International in a spearphishing attack; and used against Ahmed Mansoor, a prominent human rights activist and political dissident in the United Arab Emirates who was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) after being charged with “insulting the UAE and its symbols”.

In May 2019, Amnesty International filed a lawsuit seeking to stop the “web of surveillance” it says is enabled by NSO Group, the Israeli firm that makes Pegasus.

As described in its affidavit, a Pegasus infection can happen in several ways. Most commonly, a target clicks on an exploit link, often sent as a text message. That triggers the download onto a mobile device.

Once installed, Pegasus turns into what Citizen Lab has called a “silent, digital spy.” It can get at everything – including contacts, photos, call history and previous text messages – regardless of encryption or other protections. It also gives its operator the ability to remotely operate a device’s camera and microphone, enabling remote eavesdropping on conversations, as well as passive or active tracking of a target’s location data.

The timing of the attack on Bezos’s phone could point to what may turn out to be the exfiltration of painfully intimate content behind a tabloid’s tell-all. Namely, the data grab preceded the National Enquirer’s publication last January of intimate details of Bezos’s life, including sexts from his extramarital affair.

The tabloid’s story set off what The Guardian’s sources described as a “race” by the Amazon CEO’s security team to figure out how his phone got hacked. American Media Inc (AMI), which publishes the National Enquirer, has denied being tipped off by the Saudi prince, but the Amazon CEO’s own team found with “high confidence” that Saudis were behind the hack.

That denial came in March 2019, after Bezos’ security consultant Gavin de Becker wrote an op-ed for the Daily Beast in which he said that his investigation had concluded that the Saudis had accessed Bezos’ phone.

Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details.

Saudi Arabia has dismissed the allegations against bin Salman as being “absurd.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cudbgBhrFvg/

Still losing sleep over that awful Citrix bug? This scanner is here to help… you realize you’ve already been pwned

Citrix and FireEye have released a new security tool to help admins find out if their servers have been hacked via the high-profile CVE-2019-19781 flaw that was disclosed in December but only patched on Monday.

The free application, shared under the Apache 2.0 open-source license, will scan devices for indications of compromise for the so-called “Shitrix” arbitrary code execution vulnerability in Citrix’s Application Delivery Controller and Gateway products. The tool can be run on any Citrix instance to check for signs of an intrusion.

Using some of the samples collected from attacks in the wild, including the recently unearthed Notrobin malware, the scanner’s makers were able to piece together their app.

“The tool combines Citrix’s technical knowledge of the Citrix ADC and Gateway products and CVE-2019-19781 with industry-leading FireEye Mandiant’s forensics expertise and current knowledge of recent CVE-2019-19781 related compromises,” Citrix said.

The tool, Citrix warned, will only detect specific indicators of compromise, tell-tale signs that a miscreant has exploited the bug to get access to machines. It is not intended as a vulnerability scanner and is not guaranteed to spot any attack against other flaws.

“Remember, the tool will not make an assertion that a system has not been compromised. The tool will only state when IoCs [Indicators of Compromise] are identified,” FireEye warned.

“It will also not provide formal malware family names of all malicious tools and scripts identified on compromised systems, nor will it identify the existence of all malware or evidence of compromise on the system.”

Still, the free scanner will at least allow admins to get a general idea of the state of their Citrix gear. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/23/citrix_attack_detector/

To Avoid Disruption, Ransomware Victims Continue to Pay Up

For all the cautions against doing so, one-third of organizations in a Proofpoint survey said they paid their attackers after getting infected with ransomware.

Ransomware attacks on organizations are likely to continue unabated in the near term if the results of a new survey by Proofpoint are any indication.

The security vendor recently polled 600 IT security professionals from around the world on trends related to phishing and other email-borne threats.

The results showed that 33% — or nearly 200 of the organizations represented in the survey — paid a ransom last year to get their data back after experiencing a ransomware infection. Another 32% reported being infected with ransomware but refusing to accede to attacker demands for payment.

Sixty-nine percent of the organizations that paid a ransom said they got back access to their data and systems after the first payment. But 22% never regained access to their data after paying the demanded ransom, while 7% got hit with additional demands and ended up walking away empty-handed anyway. Two percent were forced to pay more money to regain access to encrypted systems and data.

Proofpoint said it is unclear what the organizations that didn’t pay a ransom did to recover access to encrypted systems and data or what disruption they might have endured as a result of their refusal to pay.

Results from the Proofpoint survey are another reminder that for all the cautions against doing so, many ransomware victims are willing to pay off their attackers if it means avoiding the disruption, work, and cost involved in restoring data on their own. A September 2019 Dark Reading survey showed a nearly fourfold increase over 2018 — from 4% to 15% — in ransomware victims that paid to get their data back after an infection.

“We regularly observe that cybercriminals target entities that could be highly motivated to pay a ransom,” says Gretel Egan, security awareness training strategist at Proofpoint.

For example, healthcare organizations are a particularly appealing target for ransomware attacks because of the nature of their business, she says. Even those with good data backup systems could be motivated to pay because of the time required to restore ransomware-infected systems. Recent reports have shown how a ransomware attack can force hospitals and medical centers to essentially shut down and turn patients away, Egan says.

“Because of this, a hospital that loses access to critical data and systems may feel it’s to their benefit to pay the ransom and get the servers decrypted and functional instead of exhausting traditional remedies, like restoring from backup,” she notes.

Going Against Advice
The survey results are likely to dismay many security experts who say that paying ransoms is only going to encourage more attacks. Over the past 18 months or so, threat actors have shifted from mass-volume spray-and-pray attacks on consumers to more targeted and carefully planned ransomware campaigns against businesses, government, and public-sector entities. Municipal entities, in particular, have been targeted heavily.

According to security vendor Kaspersky, there were at least 174 municipal institutions and more than 3,000 affiliated organizations targeted in ransomware attacks in 2019. The average ransom demands in these attacks tended to range from around $1 million to over $5.3 million. Scores of school districts and colleges were also targeted in ransomware attacks last year.

Most victims refused to pay. In July, for example, some 1,400 mayors from around the country committed to not paying a ransom in case they were attacked. Cities and municipalities that refused to pay ended up spending millions of dollars and multiple weeks to recover access to locked-up data. The attacks also crippled city services and forced many to resort to manual operation for days. Some victims — like the City of Riviera in Florida — paid their attackers to regain access to locked-up data.

For enterprise organizations, it is not just the volume of ransomware attacks that is a concern, but also their growing sophistication. These days many ransomware attacks are multiphased in nature, with attackers first breaking into a target network and lurking around for some time to identify the most high-value systems before striking. Threat actors are increasingly attacking backup systems, threatening public disclosure of corporate data, and generally making recovery much harder for victims in order to force them to pay.

“We’ve observed cybercriminals often launching ‘quieter’ primary infections via targeted emails with banking Trojans, downloaders, etc., that can potentially sit on infected machines for extended periods collecting data,” Egan says. In many cases, once a cybercriminal gains a foothold into a corporate network this way, that person then uses the network as a platform to launch incredibly targeted secondary attacks, she says.

For organizations, the trend highlights the need for a more people-centric security focus. “As widespread, critical technical vulnerabilities become increasingly rare and therefore more expensive to acquire and use, cybercriminals have shifted their efforts to target individuals through email” and social engineering, Egan says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/attacks-breaches/to-avoid-disruption-ransomware-victims-continue-to-pay-up/d/d-id/1336863?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WindiLeaks: 250 million Microsoft customer support records dating back to 2005 exposed to open internet

Five identical Elasticsearch databases containing 250 million records of Microsoft customer support incidents were exposed on the internet for all to see for at least two days right at the end of 2019.

On 28 December 2019, these databases were found by BinaryEdge, which crawls the internet looking for exposed data. This was then picked up by security researcher Bob Diachenko, who reported the problem to Microsoft.

Microsoft secured the databases over 30-31 December, winning praise from Diachenko for “quick turnaround on this despite [it being] New Year’s Eve”.

That is cold comfort for customers whose data was exposed. What has been picked up by security researchers may well also have been found by criminals.

What data was published? These are logs of customer service and support interactions between 2005 and now. The good-ish news is that “most of the personally identifiable information — email aliases, contract numbers, and payment information—was redacted”, according to Comparitech. However, a subset contained plain-text data including email addresses, IP addresses, case descriptions, emails from Microsoft support, case numbers and “internal notes marked as confidential”.

Armed with this information, there is plenty of scope for identifying the customers, learning more about their internal IT systems if they are businesses, and using the data for activities such as impersonating Microsoft support and thereby gaining access to personal computers or business networks. “Just a quick follow-up on case xxxx…”

Eric Doerr, general manager of Microsoft’s Security Response Center (MSRC), said: “We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”

It is not yet clear how many of the records include identifiable information, nor how they break down in terms of business versus consumer interactions. We have asked Microsoft for comment and will update with information received. Microsoft has posted further information about the incident on its MSRC blog.

Despite the absence of financial or username/password data in the leaked database, the incident is embarrassing for Microsoft, undermining its efforts to keep its customers secure.

Calls from fake Microsoft support staff are nothing new; they are so widespread that most of us have received a few. What’s different now is that they may be better informed than before, so the solution is to be even more wary. ®

Sponsored:
Detecting cyber attacks as a small to medium business

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/22/microsoft_support_database_leak/

Safari’s Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler

Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Prevention (ITP), a privacy scheme developed by Apple’s WebKit team for the company’s Safari browser.

In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) through software updates, specifically Safari 13.0.4 and iOS 13.3. Those bugs could be exploited to leak browsing and search history and to perform denial of service attacks.

But they’re not quite fixed, according to Google’s boffins. In a paper [PDF] titled, “Information Leaks via Safari’s Intelligent Tracking Prevention,” authors Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis claim that the proposed mitigations “will not address the underlying problem.”

And on Wednesday, Justin Schuh, Google engineering director for Chrome security and privacy, made a similar claim via Twitter. Google, he said, had found similar security flaws in a Chrome tool called XSS Auditor and had decided they were fundamentally unfixable.

“After several back and forths with the team that discovered the issue, we determined that it was inherent to the design and had to remove the code,” he explained.

Schuh expressed skepticism that Apple will be able to salvage ITP. “They attempt to mitigate tracking by adding state mechanisms, but adding state often introduces worse privacy/security issues,” he wrote.

The Register asked famously non-communicative Apple to weigh in. And as might be expected, we haven’t heard back.

Intelligent Tracking Prevention’s reason for being is to protect users from being tracked across sites. It does so not by blocking third-party resources outright but by stripping identifying state from them when they are loaded in a third-party context: cookies are withheld and the Referer is cut down to the origin. For example, when a non-Google website embeds Google images or scripts, Google is meant to be unable to recognise the visitor as the same user it saw elsewhere.

But the techniques ITP uses to shield users from third-party tracking are trackable, Google says.


One such method involves creating a list of websites that make cross-site resource requests and counting an “ITP strike” when that happens. Given enough of these, ITP takes steps to enforce privacy, specifically removing relevant cookies and trimming the Referer header so it only includes the origin (domain) instead of the referring document’s full URL. This reduces the information available to infer a user’s identity and to associate it with third-party requests from other websites.

“As a result of customizing the ITP list based on each user’s individual browsing patterns, Safari has introduced global state into the browser, which can be modified and detected by every document,” the paper explains. “Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user’s ITP list.”

In effect, ITP’s global list can be force-fed new entries, and its state for any domain can then be read back, much as cache side-channel attacks infer processor state from timing differences. The end result is that ITP itself is a fingerprinting vector.
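To make the state-as-identifier problem concrete, here is an added example, a toy model written for this page rather than code from the Google paper or from WebKit. It assumes (and these are assumptions, not Safari’s real rules) that a third-party domain is classified once it has been loaded from STRIKE_THRESHOLD distinct first-party sites, and that the only visible effect is the Referer trimming the paper describes. The attacker controls the probe domains (so it sees the Referer their servers receive) and scripts on a few first-party origins; all host names are hypothetical.

```javascript
// Added example, not code from the Google paper or from WebKit: a toy model of
// the design weakness the paper describes, namely per-user global state that any
// document can both modify and observe. ASSUMPTIONS (not Safari's real rules):
// a third-party domain is "classified" once it has been loaded from
// STRIKE_THRESHOLD distinct first-party sites, and the only effect modelled is
// that the Referer sent to a classified domain is trimmed to the origin.

const STRIKE_THRESHOLD = 3;

class ItpModel {
  constructor() {
    this.strikes = new Map(); // thirdParty -> Set of first-party hosts that loaded it
  }

  isClassified(domain) {
    const seen = this.strikes.get(domain);
    return seen !== undefined && seen.size >= STRIKE_THRESHOLD;
  }

  // A document at pageUrl fetches a subresource from thirdParty. Returns what
  // the third-party server observes in the Referer header.
  crossSiteRequest(pageUrl, thirdParty) {
    const page = new URL(pageUrl);
    if (page.hostname !== thirdParty) {
      if (!this.strikes.has(thirdParty)) this.strikes.set(thirdParty, new Set());
      this.strikes.get(thirdParty).add(page.hostname);
    }
    const referer = this.isClassified(thirdParty) ? page.origin + "/" : pageUrl;
    return { referer };
  }
}

// Attacker side. The attacker controls the PROBE domains (hypothetical names)
// and runs script on STRIKE_THRESHOLD first-party origins it also controls.
// Bit i of the identifier is stored by forcing probes[i] onto the user's list.
function writeIdentifier(browser, probes, attackerOrigins, id) {
  probes.forEach((domain, i) => {
    if ((id >> i) & 1) {
      for (const origin of attackerOrigins) {
        browser.crossSiteRequest(`${origin}/write`, domain);
      }
    }
  });
}

// Any later site that embeds the attacker's script reads the bits back: an
// origin-only Referer means the probe domain is on this user's ITP list.
function readIdentifier(browser, probes, readerOrigin) {
  let id = 0;
  probes.forEach((domain, i) => {
    const pageUrl = `${readerOrigin}/read?probe=${i}`; // path+query, so trimming is visible
    const { referer } = browser.crossSiteRequest(pageUrl, domain);
    if (referer !== pageUrl) id |= 1 << i;
  });
  return id;
}
```

Two properties of the model carry over to the real design. First, the identifier lives in browser state that no site set a cookie for, so clearing cookies alone does not remove it. Second, reads are also writes: every read adds a strike to every probe domain from the reader’s origin, so after STRIKE_THRESHOLD distinct reader sites the zero bits flip to one, which is exactly the kind of state drift a mitigation has to reason about.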

“What you end up with is a personalized anti-tracking model baked into your browser,” explained Artur Janc, a Google security engineer and one of the paper’s co-authors, via Twitter. “That model is not only a unique identifier, but also reveals information about sites you visited since last clearing browsing state. That’s not great.”

The Google research paper describes five attacks and provides links to four PoC implementations (best experienced using Safari):

Though the paper discusses mitigations, which Apple applied with its patches in December, it contends that the ITP fingerprinting attack and the ITP list exposure attack should still be possible.

Janc credits Apple with trying to improve online privacy and observes that these side-channel concerns apply to anyone altering browser data based on locally gathered data where those changes can be detected remotely. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/22/apple_intelligent_tracking_protection/

Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

The Crown Prince of Saudi Arabia, Mohammad bin Salman, has been officially fingered as the man responsible for hacking Amazon CEO Jeff Bezos’s phone, causing a massive stir in diplomatic circles.

Following a report yesterday that Bezos’s smartphone had been compromised by a malware-poisoned video sent directly by bin Salman to Bezos through WhatsApp, on Wednesday two UN special rapporteurs named the head of the oil state as the source of digital spyware, and called for an “immediate investigation by US and other relevant authorities” into the “continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

Shortly thereafter, a technical report ordered by Bezos back in 2018, and completed in 2019, into the security breach – a report on which the UN staff had based their assessment – publicly leaked. It includes significant details on how the hack worked, as well as messages sent from bin Salman to Bezos that contained sexist jokes and taunts about his private life.

“In contravention of fundamental international human rights standards, a WhatsApp account belonging to the Crown Prince of the Kingdom of Saudi Arabia in 2018 deployed digital spyware enabling surveillance of The Washington Post owner and Amazon CEO, Jeffery Bezos,” the UN said in an unusually blunt statement.

Obviously, no one thinks bin Salman wrote the exploit and spyware code himself. An annex [PDF] accompanying the UN assessment argues the spyware was possibly supplied to Saudi Arabia by the NSO Group – surveillanceware called Pegasus. It also noted that Hacking Team’s Galileo software may have been responsible. NSO has denied any involvement.

The forensic team observed a vast amount of data being pulled off the phone soon after Bezos opened a video file sent to him from bin Salman. For what it’s worth, in November last year, Facebook patched a remote-code execution hole in WhatsApp that could be exploited by an MP4 video file (CVE-2019-11931).

Hooking up

The spyware can “hook into legitimate applications to bypass detection and obfuscate activity,” the UN report noted, adding: “For example, following the initial spike of exfiltration after receipt of the suspect video file, more than 6GB of egress data was observed using exfiltration vectors.”

That information sits alongside screengrabs from Bezos’s phone in the leaked technical report [PDF]. Bezos gave bin Salman his number over dinner in Los Angeles on April 4, 2018 and the two connected immediately over WhatsApp.

Then on May 1, bin Salman sent Bezos a video that “appears to be an Arabic language promotional film about telecommunications” featuring the Saudi and Swedish flags. There was no discussion that the file would be sent and Bezos played it – assuming, presumably, that the head of a country would be unlikely to try to hack his phone.

The technical report’s wording is a bit confused, but it seems an encrypted downloader in the 4MB video file was able to run spyware on the phone, presumably via a software flaw. The team was unable to decrypt the payload. As such there is no physical evidence of infection. However, within hours of Bezos playing the video there was an “extreme change in behavior” in his phone – and it started sending gigabytes of information to an unknown location over the course of several months.

As it turned out some of that information contained text messages and pictures exchanged between Bezos and his new girlfriend: details of that secret relationship eventually emerged in tabloid rag The National Enquirer.

Before those details were published, however, bin Salman sent Bezos an odd WhatsApp message that implied he knew about the Amazon boss’s new girlfriend. The message contained a photo of a woman that the forensic team argues looks like his paramour, along with the poor-taste joke: “Arguing with a woman is like reading the software license agreement. In the end you have to ignore everything and click I agree.”

High confidence

It’s far from complete proof but, taken together, the fact that personal text messages had leaked from Bezos’s phone and its odd behavior after receiving the video file were sufficient for Bezos’s investigators – and subsequently the UN rapporteurs – to conclude with “medium to high confidence” that bin Salman was personally responsible.

One odd detail: according to the report, Bezos used an alarmingly small amount of data (averaging 430KB a day) in his day-to-day use of his phone – something that made the sudden dumping of gigabytes of data that much more obvious. One possible explanation is that the phone in question was one he only used on occasion or for a limited number of tasks – such as sexting his girlfriend and chatting with heads of state.
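The baseline observation above is the whole forensic method in miniature: a device with a stable, tiny egress profile makes a sustained exfiltration impossible to hide in the traffic counters. The following is an added example, not code from the forensic report, showing how to flag such days robustly. The daily figures are constructed to mirror the pattern described (hundreds of KB a day, then gigabytes); they are not Bezos’s numbers, and the dates are illustrative.

```javascript
// Added example, not from the forensic report: flag days whose outbound data
// volume is far above the device's own baseline. Daily egress figures are
// CONSTRUCTED to mirror the pattern described in the article (hundreds of KB
// a day, then gigabytes); they are not real measurements.

const KB = 1024, MB = 1024 * KB, GB = 1024 * MB;

const SAMPLE_DAILY_EGRESS = [
  { day: "2018-04-24", bytes: 410 * KB },
  { day: "2018-04-25", bytes: 450 * KB },
  { day: "2018-04-26", bytes: 380 * KB },
  { day: "2018-04-27", bytes: 520 * KB },
  { day: "2018-04-28", bytes: 400 * KB },
  { day: "2018-04-29", bytes: 470 * KB },
  { day: "2018-04-30", bytes: 430 * KB },
  { day: "2018-05-01", bytes: 126 * MB },   // suspect video received
  { day: "2018-05-02", bytes: 2400 * MB },
  { day: "2018-05-03", bytes: 1900 * MB },
  { day: "2018-05-04", bytes: 600 * KB },   // noisy but normal day
  { day: "2018-05-05", bytes: 3100 * MB },
];

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Median absolute deviation: a spread estimate that outliers cannot inflate.
function mad(xs, m) {
  return median(xs.map(x => Math.abs(x - m)));
}

// Robust z-score against a baseline built only from days that were NOT flagged,
// so a multi-day exfiltration cannot drag the baseline up and hide itself.
// Returns the flagged days with their multiple of the baseline median.
function flagEgressSpikes(series, minBaselineDays = 5, threshold = 20) {
  const baseline = [];
  const flagged = [];
  for (const d of series) {
    if (baseline.length >= minBaselineDays) {
      const m = median(baseline);
      const scale = 1.4826 * mad(baseline, m) || 1; // guard a perfectly flat baseline
      const score = (d.bytes - m) / scale;
      if (score > threshold) {
        flagged.push({ day: d.day, bytes: d.bytes, timesBaseline: Math.round(d.bytes / m) });
        continue; // keep anomalous days out of the baseline
      }
    }
    baseline.push(d.bytes);
  }
  return flagged;
}

function totalFlaggedBytes(flagged) {
  return flagged.reduce((n, f) => n + f.bytes, 0);
}

const spikes = flagEgressSpikes(SAMPLE_DAILY_EGRESS);
console.log(spikes, `${(totalFlaggedBytes(spikes) / GB).toFixed(1)} GB outside baseline`);
```

The median/MAD choice matters: with a mean and standard deviation, the second gigabyte day would already have pulled the baseline high enough to mask later ones. Excluding flagged days from the baseline is the other half of the same caveat.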

Of course there is a lot of relevant context: Saudi Arabia has repeatedly hacked the phones of critics and dissidents of its regime. And Facebook recently sued NSO Group over its Pegasus software, which had exploited a hole in WhatsApp to infect phones. The method of infection there? Not a video file but a WhatsApp voice call, which the target did not even need to answer.

Why Bezos? Because, as publisher of The Washington Post, he was ultimately in charge of an influential newspaper, particularly in US political circles, that was being highly critical of bin Salman’s regime at a time when everyone else was heralding his reform efforts.

In particular, Washington Post columnist Jamal Khashoggi was subsequently murdered by Saudi Arabian agents at the country’s consulate in Istanbul, almost certainly on bin Salman’s personal orders, according to US intelligence agencies.


Both the UN and the forensic team provide a timeline of events around Bezos’s phone hack, Washington Post articles, Khashoggi’s death and the targeting of Saudi dissidents that flags a long series of what would otherwise be extraordinary coincidences.

This is what the UN’s Callamard and Kaye said in relation to the report: “The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia.

“The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince’s involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi.

“The alleged hacking of Mr Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

They also call for greater controls over “the unconstrained marketing, sale and use of spyware” and a “moratorium on the global sale and transfer of private surveillance technology.”

Meanwhile, the Saudi government has called the hacking reports “absurd.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/22/saudi_bezos_phone_hack/

‘We Only Have Two of the Blinky Boxes Left to Go’

Exactly who is king of the castle here?

Source: Kyle Buchanan/ABC

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/we-only-have-two-of-the-blinky-boxes-left-to-go/d/d-id/1336855?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple