
Whirlybird-driving infosec boss fined after ranty Blackpool Airport air traffic control antics

The managing director of a Manchester-based infosec firm has been fined for flying his helicopter into an air traffic control zone without permission, having first launched a rant at an air traffic controller.

Joel Tobias, a helicopter owner and pilot who was described by the Manchester Evening News as a “wealthy businessman”, was fined £1,600 plus £870 in legal costs after his on-frequency rant at air traffic controller Andrea Tolley.

Tobias, who owns his own Eurocopter EC-120 registered G-HVRZ, was flying his family between Lytham St Annes and Blackpool when he radioed Blackpool on 31 July last year for permission to enter its air traffic zone (ATZ).

Aviation law says pilots of aeroplanes entering ATZs need to radio air traffic control before doing so.

Manchester Magistrates’ Court heard that after being told by duty controller Andrea Tolley to stand by three times while she dealt with other traffic, Tobias said over the radio: “I’m in a helicopter here that costs £550 an hour and I’ve waited 10 minutes for you to answer the call. It’s absolutely appalling.”

He also ranted, on the Blackpool Approach frequency: “Your job is actually to take calls from aircraft and not have two-way chats with other aircraft asking how their day’s going and how fun it is.”

After listening to Tobias moaning that he had “been waiting for 10 minutes for a call back,” and declaring that he was going to route around Blackpool instead of waiting, Tolley responded: “Good. Stay out of my ATZ. You need to check your radio. By all means complain”.

Tobias promptly said: “I’m the pilot in command. I’m entering the ATZ,” before doing so. Even after someone else radioed for permission to land, Tobias kept on, declaring that Tolley was “setting a safety issue now”, demanding her name and telling everyone tuned to 119.950MHz that he was going to file a complaint – something he did not do. Nonetheless, an appalled fellow pilot reported him to the Civil Aviation Authority.

CAA prosecutor Alison Slater told the court that Tobias “gave Miss Tolley no time to ask him to pass his message, as radio protocol requires,” and that he “did not give his location, altitude, destination or request permission to enter the aerodrome traffic zone (ATZ).”

“She did not know if G-HVRZ was going to enter the ATZ or not, where it was or what height it was at,” added Slater. “Potentially it caused a serious risk to other air traffic in the area.”

Tobias was reportedly not represented at the hearing. His licence was suspended after the incident and the CAA will decide whether or not to return it. In a statement, he said he “regretted” his radio calls and said he was “unhappy about the service being given and fled under pressure with regard to the route.”

Tobias is MD of Cyfor, which bills itself as a digital forensics firm. Among a list of partners featured on its homepage are iPhone hacking biz Cellebrite, as well as Symantec, Veritas and others. It is also a Crown Commercial Services accredited supplier. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/13/cyfor_md_helicopter_blackpool_antics/

Will This Be the Year of the Branded Cybercriminal?

Threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts.

All businesses evolve and adapt to their environments. Businesses in the Dark Web are no exception. In the burgeoning and nearly unpoliceable business climate that is the Dark Web, it’s only natural that businesses should become more “professional” — both in their revenue models and in their practices. We saw this happen in 2019 and expect even greater movement in this direction in 2020.

The “Servitization” of the Dark Web
Making money from stolen personal credentials via the Dark Web is pretty much de rigueur for would-be cybercriminals. Yet in the past, this process involved significant effort for the cybercriminal-to-be.

First, criminals needed to code or acquire a Trojan to use for infecting online banking portals or payment systems. Then they’d have to disseminate their malware and infect targets. Following the infection, they’d need to access all infected machines, harvest relevant data, and process it. Only then could they begin cashing out — selling stolen credentials or data via the Dark Web.

This process is now becoming astoundingly less complex — and infinitely more dangerous.

Servitization is the process of shifting from selling products to selling services that provide the outcomes those products deliver. This shift has transformed many above-board business models, and this same process will continue to spread across criminal networks this year and beyond. Today’s cybercriminals are already buying and selling services rather than goods in the cybercrime financial ecosystem — and this trend will accelerate.

This means that threat actors no longer need to suffer the complexities of development, infection, extraction, and monetization on their own. Rather, they can use malware-as-a-service (MaaS) — the same malware that was previously sold as a product is now being sold as a business service.

Numerous underground markets have already sprung up around this business model. For example, today there are markets on the Dark Web where cybercriminals can pay a monthly fee for access to an updated dataset maintained by threat actors. There are also pay-per-bot markets, in which buyers can view “bots” — machines infected with banking Trojans — that can conduct services and attain credentials on demand.

The fact that the level of skill required to commit cybercrimes is dropping spells trouble for individual victims and organizations alike. Underground threat actors have learned that they can reach far beyond low-hanging fruit — the credentials that come with an easy cash-out process. We will see an increasing number of threat actors targeting assets with more difficult cash-out processes because servitization can take over the heavy lifting for any given crime.

New Branded Monetization Channels Emerge
Essentially, we’re seeing cybercrime evolve into recognizably mainstream business models — and we expect this to accelerate this year.

Cybercriminals will have incentives to invest heavily in their businesses as payoffs continue to grow and enforcement lags. New cybercrime monetization channels continue to emerge — from concentrating efforts on manual transactions and listings in markets, to focusing on sales of credentials, network access, and more-sophisticated fraud. Drawing inspiration from legitimate online businesses, cybercriminals are increasingly using automation to help move stock off their virtual shelves and collect data to better monetize deliverables, and they will continue to do so.

Moreover, with the commoditization of cybercrime-as-a-service, organizations are naturally seeking differentiation to make their services stand out in a crowded market. Instead of selling services or data listings on an individual basis, threat actors will put more effort into building lasting business-like enterprises — investing more in branding, customer support and even intuitive user interfaces.

The Bottom Line
It’s time to recognize that the Dark Web operates just like any other market — supply and demand, clients and suppliers. While it might not be regulated, the market is checked by the invisible hand of cybercrime monetization channels. Given this, threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts. The days of cybercriminals doing the dirty work themselves using homemade or bare-bones tools may well be nearing an end. In 2020, cybercriminals will choose professionally designed tools based on reputation, brand, logo, and even slick marketing material. The era of the branded cybercriminal may well be upon us.

Leveraging over 11 years of expertise in intelligence collection, Raveed Laeb is responsible for leading the product team and intelligence collection platform at KELA. Raveed has an in-depth knowledge on threat actors, specializing in the cybercrime financial ecosystem. …

Article source: https://www.darkreading.com/vulnerabilities---threats/will-this-be-the-year-of-the-branded-cybercriminal/a/d-id/1336707?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Texas School District Loses $2.3M to Phishing Attack

The Manor Independent School District is investigating a phishing email scam that led to three separate fraudulent transactions.

The Manor Independent School District (MISD), located roughly 15 miles outside Austin, Texas, has confirmed it’s investigating a phishing email scam that amounted to $2.3 million in losses.

MISD, which serves 9,600 students, published a statement about the attack via Twitter on January 10. Director of communications Angel Vidal Jr. says the Manor Police Department and Federal Bureau of Investigation are still looking into the incident and reportedly have “strong leads.”

The statement contains few details about the attack itself; however, the Manor Police Department shared some more insight with Austin news outlet KVUE. Detective Anne Lopez says the incident was made up of three separate transactions. MISD did not realize the bank account information had been altered; as a result, it sent three payments over the course of one month before recognizing the recipient bank account was fraudulent.

Lopez’s statement could indicate business email compromise (BEC), a type of threat in which attackers manipulate victims into wiring money or changing bank account details. BEC attacks spiked 269% last year, Mimecast found, and they can easily slip past email security protections.


Article source: https://www.darkreading.com/threat-intelligence/texas-school-district-loses-$23m-to-phishing-attack/d/d-id/1336784?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lawmakers look to spread COPPA out to cover kids up to 16

COPPA – the Children’s Online Privacy Protection Act (COPPA), which is the toughest federal protection for children’s online data in the land – isn’t tough enough, according to two US House Representatives who’ve introduced a bill that would update the law and give it a shot of testosterone.

The bipartisan Preventing Real Online Threats Endangering Children Today Act – known as the PROTECT Kids Act – was introduced on Thursday by Representatives Tim Walberg of Michigan and Bobby Rush of Illinois.

It’s basically COPPA – which protects the data of kids 13 and younger – extended to the age of 16, and given a dose of the right to be forgotten. If it passes, it will give parents the right to request that their kids’ personal data be rubbed out.

The PROTECT Kids Act would also add two new categories of data to what COPPA now protects: precise geolocation information and biometric information. It would also affirm that COPPA protects kids’ data on mobile apps as well as on websites and online services.

Here’s Rep. Walberg, worrying about the risks kids face nowadays:

Children today are more connected online and face dangers that we could not have imagined years ago.

No argument from us. Child-tracking, GPS-connected smartwatches, for one, have been shown to suffer from major security flaws – flaws that would let strangers eavesdrop on a child, talk to them behind their parent’s back, use the watch’s camera to take their picture, stalk them, or lie about children’s whereabouts.

Cyberstalkers have also used children’s information to sextort them into stripping in front of a webcam and performing sexual acts, to be collected as child sexual abuse imagery.

And kids’ “smart” toys? When it comes to security, they’re a trainwreck. Last month, the Federal Trade Commission (FTC) warned that the toys are a security risk, due to cameras, microphones, connections to email or social media, vendors’ lousy track records when it comes to patching known security problems and/or their data storage, retention and sharing policies and practices – among other things.

So hurray for more protection, for even older children than the current under-13 crowd. But if the bill passes, it won’t come without even more hurt doled out to the YouTube content creators who’ve been left reeling in the wake of YouTube’s post-COPPA fine response. Last week, YouTube said its plan was to treat all kid-aimed content as if it’s made for kids, regardless of how old viewers say they are.

Following its $170 million fine for flagrantly, illegally sucking up kids’ data so it could target them with ads, YouTube essentially decided to sit out the thorny task of verifying age, instead passing the burden on to creators. Instead of deep-pocketed Google being the one the FTC will go after, Google passed the buck to the creators, leaving them liable for being sued over COPPA violations, even if THEY think their stuff is meant for viewers over the age of 13.

At the time, YouTube content creators such as Chadtronic and many others said that the move would force creators to slap on a “for kids” label – a label that incurs a loss of product features such as the ability to comment, live chat, notifications, stories, save to playlist, and more, which could lead to revenues falling off a cliff.

Chadtronic predicts that the proposed PROTECT Kids Act would be yet one more of a thousand cuts that will bring down the platform:

It’s gradually looking like YouTube isn’t going to survive this decade. Legislation is going to kill it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fcctp3f85Mc/

Google urged to tame privacy-killing Android bloatware

Imagine buying a mobile device that comes pre-installed with apps that can set their own permissions in ways the owner can often neither see nor control.

These apps don’t appear in any app store and, regardless of whether the user finds them useful, can’t be de-installed.

Who would use a smartphone or tablet that imposed such limitations?

If you’re an Android user, you’ll have guessed the punchline – you probably already do.

It’s the age-old woe of bloatware, and according to a new letter sent to Google CEO Sundar Pichai by Privacy International on behalf of a 53-organisation coalition, the fact that vendors are allowed to install it at their whim has allowed a privacy and security hole to open almost unnoticed.

In recent times, Android has made a big deal out of giving users a stronger permissions structure based on clear consent and notification. And yet, says the letter, bloatware apps are often able to bypass this:

These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts.

Some of these are used to carry out commercial surveillance while others might come with security vulnerabilities that could put the device at risk.

The letter references a joint US-Spanish study published last year which uncovered the surprising scale of the bloatware issue – of 140,000 pre-installed apps, only 9% were available on Google’s Play Store, for example.

That means that Google hadn’t scanned them for provenance. Many were found to track users, including by collecting different kinds of user data while a small number were downright malevolent.

The problem for Pichai, who became CEO in 2015, is that the way bloatware works on Android is largely a legacy of decisions made in the software’s early days.

That’s because Android is not simply a mobile OS but a platform which was designed to allow third parties to customise it to suit their needs.

Some of that’s necessary – devices vary from one another at a physical level – but vendors have a habit of topping this up with an assortment of additional apps that might not be strictly necessary.

Sinking bloat

Some vendors are worse than others, and at least one, Samsung, uses its own additional Android apps and capabilities as a positive selling point, creating a platform-within-a-platform.

At the other end of the scale, Motorola, Nokia and Google’s own devices stick closely to what is called ‘stock’ Android, that is the OS with no or very minimal additions. Most vendors sit somewhere between these two poles.

One issue is there’s no accepted definition of what bloatware is – although the inability to de-install or disable a non-system app (Settings > Apps & notifications > tap the app > Disable) is probably where most people would start.

According to Privacy International, the solution is to change the model so that:

  • Individuals should be able to permanently uninstall the apps on their phones. This should include any related background services that continue to run even if the apps are disabled.
  • Pre-installed apps should adhere to the same scrutiny as Play Store apps, especially in relation to custom permissions.
  • Pre-installed apps should have some update mechanism, preferably through Google Play and without a user account. Google should refuse to certify a device on privacy grounds, where manufacturers or vendors have attempted to exploit users in this way.

We won’t know what Google’s CEO thinks until he responds, assuming he does. But after a decade of Android firmware and app bloat being given little scrutiny, reforming this part of the OS must be on his to-do list.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2m7OBQefjuM/

Reddit bans ‘impersonation,’ but satire and parody are still OK

When it comes to deepfakes, don’t worry: Reddit says it likes seeing Nic Cage in unexpected places just as much as you do.

What it doesn’t like: mimicry done with malicious intent. Reddit had already banned pornographic deepfakes in 2018. Now, in the run up to the 2020 US presidential election, it’s expanded its deepfake ban: Reddit is now prohibiting impersonation, including domains that mimic others.

Satire and parody are still safe, a Reddit admin said on Thursday in an announcement about the updated policy.

This doesn’t apply to all deepfake or manipulated content – just that which is actually misleading in a malicious way.

Here’s the updated policy:

Do not impersonate an individual or entity
Reddit does not allow content that impersonates individuals or entities in a misleading or deceptive manner. This not only includes using a Reddit account to impersonate someone, but also encompasses things such as domains that mimic others, as well as deepfakes or other manipulated content presented to mislead, or falsely attributed to an individual or entity. While we permit satire and parody, we will always take into account the context of any particular content.

Reddit says the “classic” case of impersonation is a Reddit username that tries to come off as another person or thing, be it a politician, brand, Reddit admin, or anybody/anything else. But from time to time, Redditors post things that take it beyond that and into the realm of serious misinformation attempts, such as…

…fake articles falsely attributed to real journalists, forged election communications purporting to come from real agencies or officials, or scammy domains posing as those of a particular news outlet or politician (always be sure to check URLs closely – .co does NOT equal .com!).

Impersonation is actually near the bottom of what gets reported on Reddit, the Reddit admin, u/LastBluejay, said. But even though impersonation is one of the rarest report classes, the platform wants to stay on the safe side:

We also wanted to hedge against things that we haven’t seen much of to date, but could see in the future, such as malicious deepfakes of politicians, for example, or other, lower-tech forged or manipulated content that misleads.

Reddit isn’t the only one who feels that way. The impersonation ban comes just days after Facebook banned deepfakes.

Critics scoffed at Facebook’s ban, given that it only went after sophisticated, artificial intelligence- (AI-) derived deepfakes, while not doing anything about fake videos made with cheap/simple editing tools. That included the one where somebody edited a video of US House Speaker Nancy Pelosi, slowing it down to 75% speed to make her sound as if she were drunk or ill, as well as a clip of presidential candidate Joe Biden that was spliced to make him sound like a white nationalist.

Reddit might not see many reports about impersonation, but it’s already served as a platform to spread misinformation in a political campaign.

In its April 2018 transparency report, Reddit said that it had found and removed 944 accounts suspected of having come from the Russian propaganda factory called the Internet Research Agency (IRA). One of them had posted a fake porn video that claimed to show Hillary Clinton engaging in a sex act.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/e5EgZrSlk2I/

If you haven’t shored up that Citrix hole, you were probably hacked over the weekend: Exploit code now available

Roundup Welcome to another Register security roundup. Here are a few stories that caught our eye.

Citrix vulnerability hit by working exploit

Late last month Citrix disclosed a critical security hole (CVE-2019-19781) in both its Application Delivery Controller and Unified Gateway (formerly known as Netscaler ADC and Netscaler Gateway) offerings. Up to 80,000 systems were thought to be at risk, with some 25,000 instances found online over the weekend.

Those admins who haven’t put mitigations in place by now will want to make sure they address their situation immediately, as infosec researchers have now publicly shared working exploit code for the remote takeover bug. The proof-of-concept code can be used to trivially achieve arbitrary code execution with no account credentials – hijack systems, in other words – via a directory traversal.

People’s honey pots are being actively attacked, so if you haven’t put in place the mitigations by now, and you have vulnerable systems facing the internet, you were probably hacked over the weekend by miscreants mass-scanning the ‘net for machines to compromise. A thread tracking technical aspects of the vulnerability is here.

TikTok shock

Teen micro-vid app TikTok is no stranger to controversy, particularly when it comes to data security and privacy. Software vulnerabilities, however, have traditionally been less of a concern.

A report from Checkpoint looks to change that. Its hackers dug into the TikTok app and found a handful of security bugs, including the ability to remotely access and manipulate accounts (including adding and removing followers), delete and upload videos without authorization, turn private videos to public viewing, and reveal hidden personal information from user accounts.

TikTok was informed of all of the issues and a simple app update will make sure users are patched against these bugs. The findings, however, beg the question of just how many other serious security holes are present in the app.

‘LiquorBot’ malware surfaces. Ricky, Julian, and Bubbles wanted for questioning

Because hackers are nothing if not serious and dignified, a new Mirai botnet derivative has surfaced under the moniker ‘LiquorBot’.

Unlike the good times implied in its name, LiquorBot can really mess up your night if it gets hold of your IoT devices and adds them to a botnet. Still, the team at Bitdefender says the malware is interesting from a research perspective.

“Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency,” notes Bitdefender’s Liviu Arsene.

“LiquorBot appears to use the same command and control server as a Mirai-related variant, and they have even featured together in dropper scripts, meaning attackers used both LiquorBot and the Mirai variant in various campaigns.”

Arm security mitigations get PAN fried

While it’s not of the severity of something like Spectre, this flaw in Arm chips, found by Swiss researcher Siguza, affects the Privileged Access Never (PAN) memory protections and, if exploited, could allow kernel code to read userland memory when it’s not supposed to.

Project Zero posts iOS hacking deep dive

It’s not much of a security risk (the flaw was patched months ago) but those interested in learning how mobile phones are hacked will want to check out this three part series from Google’s Project Zero.

The team shows how researchers go from discovering a security flaw to verifying it and developing a proof of concept to demonstrate remote code execution. The flaw itself was fixed in iOS 12.4.1, back in August.

Honey in a sticky situation with Amazon

This article in Wired reports that the Honey shopping plug-in was recently flagged by Amazon as a potential security risk. Amazon’s contention is that the browser add-on collected a large amount of personal information on its users, while Honey disputes the claim. The claim comes barely a month after Paypal paid $4bn for the shopping app.

Avast updates its policies

After being pulled by some browser devs last year, Avast has updated its privacy policies to more clearly explain just what information its plug-ins collect and where they send it. Wladimir Palant, a researcher who has been following this saga throughout, has mixed reviews.

“The changes are far more extensive and far more convincing than I would have expected,” he said. “While Chrome and Opera versions appear identical however, there are some additional changes in the Firefox version. That’s presumably to comply with stricter privacy requirements of the Mozilla Add-ons site.”

Florida clinic hit with ransomware

Hackers have managed to infiltrate the network of a Florida medical clinic.

The Center for Facial Restoration says that hackers have not only held its servers ransom, but have also obtained contact information for individual patients and sent them demands for payment with the threat of having their medical records released.

The clinic says it is working with the FBI to resolve the issue. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/13/security_roundup_100120/

UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass

The UK Information Commissioner’s Office has kicked £280m in data breach fines against British Airways and US hotel chain Marriott into the long grass.

As spotted by City law firm Mishcon de Reya, the ICO has extended the time before it will fine the two companies what it claimed would be a total of £282m, split between BA’s £183m and Marriott’s £99m.

In a statement the UK’s data protection regulator said: “Under Schedule 16 of the Data Protection Act 2018, BA [and Marriott] and the ICO have agreed to an extension of the regulatory process until 31 March 2020. As the regulatory process is ongoing we will not be commenting any further at this time.”


When the ICO announces a “notice of intent” to fine companies, this is not the same thing as actually handing out the penalty. Companies (and individuals) targeted for fines like this can then, in the jargon, “make representations” about the size of the punishment.

The ICO threatened British Airways with the jumbo-sized fine after the airline suffered the breach of 380,000 people’s personal and financial details between August and September 2018.

As for Marriott, the ICO bared its fangs at the American hotel chain after 383 million customer booking records went AWOL in 2018.

Mishcon’s data protection adviser, Jon Baines, told The Register that he suspected both companies had deployed similar legal arguments to Facebook when it fought back against a Cambridge Analytica-linked fine.

He said: “It’s important to note that the extension could only be by agreement with BA and Marriott (they could have just said ‘no’). One does wonder in what way an extension was seen by them, therefore, to be a favourable outcome, and, on the information available, I’m struggling to see any way in which they would have agreed to an extension without some quid pro quo.”

While it is possible, in Baines’ view, “that the delay is solely because it’s jolly difficult to deal with all the necessary administrative requirements within a six-month window,” he pointed The Register to a blog post discussing exactly what legal arguments Facebook deployed to get an ICO fine watered down.

He opined: “It’s worth remembering the ICO is a relatively small regulator (although large compared to its European counterparts) with a limited legal budget.”

According to the ICO’s published management accounts (PDF), its legal budget is a smidgen over £2m per year.

“Assuming,” continued Baines, “that BA and Marriott decided they should not simply accept the intended fines, they will have no doubt put whatever they think is an appropriate legal budget towards making representations – when threatened with a fine in the tens of millions of pounds, such a budget might well dwarf the ICO’s.”

British Airways declined to comment. Marriott had not responded to our request for comment by the time of publication.

There is nothing obliging the ICO to publish the final outcome of its negotiations with BA and Marriott, though The Register will be asking again nearer the due date. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/13/ico_british_airways_marriott_fines_delayed/

Google scolded for depriving the poor of privacy as Chinese malware bundled on phones for hard-up Americans

Updated On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones.

The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an open letter to Google (and Alphabet) CEO Sundar Pichai asking him “to take action against exploitative pre-installed software on Android devices.”

Their concern is that almost all (91 per cent) Android apps installed on devices by Google’s Android partners prior to sale do not face the same security scrutiny as Android apps distributed to device users through Google Play. These pre-installed apps cannot be deleted and may collect user data without consent or perform other undesired functions. And they play by a different set of rules than Google Play apps.

“These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model,” the letter says. “This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions.”

The groups are particularly concerned about “the exploitative business practices of cheap smartphone manufacturers.” They argue that lack of income should not mean Android users lose their privacy rights.

They want Google to provide a way to uninstall pre-installed apps and related background services permanently, to apply the same security review that Play-submitted apps receive, to support an update mechanism for these apps without a user account, and to actually refuse to certify partner devices if they contain exploitative software.

Smoking gun

Underscoring these concerns, security vendor Malwarebytes said that Assurance Wireless by Virgin Mobile, supported by the US government’s Lifeline Assistance program, distributes the $35 UMX U686CL phone with two pre-installed apps that appear to be malicious.

The first is an updater named Wireless Update that shows up in Malwarebytes’ threat database as Android/PUP.Riskware.Autoins.Fota.fbcvd. The app is “a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers,” said senior malware intelligence analyst Nathan Collier in a blog post.

The second is the phone’s Settings app, which incorporates obfuscated malware that the security biz identifies as Android/Trojan.Dropper.Agent.UMX. The dubious code shares similarities with other known Trojan droppers; in this instance, according to Collier, it installs malware called Android/Trojan.HiddenAds.

Attempting to remove this software can pose problems. Without Wireless Update, the phone no longer gets updates automatically. Removing the Settings app, however, may cripple the device. Collier offers remediation guidance, but it involves command-line fiddling that demands some technical sophistication and may not work.

Collier reaches the same conclusion as the civic groups haranguing Google’s CEO: “Budget should not dictate whether a user can remain safe on his or her mobile device.”

Virgin Mobile did not immediately respond to a request for comment and Assurance Wireless’s website returned an error at the time this story was filed, possibly due to the unexpected public attention following from the Malwarebytes report.

Google also did not immediately respond to a request for comment.

Incidentally, in March, the search biz will offer Android customers in the European Economic Area (which includes Britain) a limited menu of default search providers on new devices as a result of European Commission antitrust action last year.

The Chocolate Factory on Thursday published its list of rivals – determined by periodic auctions, with proceeds paid to Google – that will be featured (through June) in the search choice menu presented in each EEA country. Android users, when setting up their devices, will be able to use the menu to select a default search engine other than Google, if they wish. ®

Updated to add

In a statement emailed after this story was filed, a Virgin Mobile representative disputed Malwarebytes’ claim. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware,” the Virgin spokesperson said.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/09/google_poor_privacy_android/

Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear

A vulnerability in Broadcom’s cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings.

Four Danish researchers have demonstrated how a miscreant could exploit the hole, CVE-2019-19494, in the wild: essentially, a victim is tricked into opening a webpage or similar containing malicious JavaScript. This code then connects to the web server built into the vulnerable modem on the local network and sends it a request that overflows a buffer on the stack, overwriting the saved processor registers so that execution is redirected to malware smuggled in with the request.

At that point, the code can attempt miscreant-in-the-middle attacks, manipulate the firmware, change DNS settings to redirect connections to phishing pages, snoop on traffic, and so on. A DNS rebinding technique is needed during the infection to sidestep the browser’s same-origin restrictions: the script connects to a hostname the browser believes is a legitimate internet-facing system, but the attacker’s DNS server answers with the modem’s local IP address, so the request lands on the device inside the victim’s network.

The end result, the team says, is that crooks can remotely take over vulnerable Broadcom-based cable modems without netizens or ISPs realizing; the victim simply has to surf to a dodgy website, or similar. The method is a little fiddly to pull off, we note, so crooks may not bother with it.

Dubbed Cable Haunt, and accompanied by a logo, for marketing purposes, the flaw was found by Alexander Dalsgaard Krog, Jens Hegner Stærmose, and Kasper Kohsel Terndrup from security company Lyrebirds, along with indie researcher Simon Vandel Sillesen.

“The attack can be executed by having the victim run malicious JavaScript,” the team explained. “A common avenue of attack would be a link that is opened in a browser, but could for example, also be done through ads on a trusted website or insecure email clients.”

The modem’s spectrum analyzer tool, which is part of the Broadcom-supplied stack, is exploited as part of the attack to gain code execution: a specially crafted JSON payload sent to that software overflows a buffer on the stack, overwriting saved CPU registers and leading to arbitrary memory manipulation and code execution.
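The two mechanisms described above, the DNS rebinding step and the stack overwrite triggered by an oversized JSON value, each have a straightforward device-side defence. The following C is an added example, not code from Broadcom, Lyrebirds or any affected firmware: it shows the unbounded copy pattern that lets a long string value run over whatever sits above a fixed stack buffer, the bounded version that refuses such a value, and a Host header check that rejects a request arriving via a rebound hostname. The management address 192.168.100.1, the port 8080 and the 32-byte buffer are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer both copy routines fill (an assumption for this
 * example, not a figure from the advisory). */
#define MAX_NAME 32

/* Addresses this device answers to.  192.168.100.1 and port 8080 are assumed here
 * as the modem's LAN-side management endpoint; a real build would take this from
 * configuration. */
static const char *const OWN_HOSTS[] = { "192.168.100.1", "192.168.100.1:8080", NULL };

/* --- 1. DNS rebinding defence ------------------------------------------------
 * The browser puts the name it resolved into the Host header.  A page loaded
 * from attacker.example whose A record has been flipped to the modem's LAN
 * address therefore arrives as "Host: attacker.example".  Refusing every Host
 * value that is not one of the device's own addresses stops the rebound
 * request before any handler touches its body. */
int host_header_is_own(const char *host)
{
    if (host == NULL)
        return 0;
    for (size_t i = 0; OWN_HOSTS[i] != NULL; i++)
        if (strcmp(host, OWN_HOSTS[i]) == 0)
            return 1;
    return 0;
}

/* --- 2. Copying a JSON string value into a fixed buffer --------------------
 * Both routines expect `json` to point at the opening quote of a JSON string. */

/* UNSAFE pattern, kept only to show the bug class: the loop trusts the payload
 * to end within MAX_NAME bytes.  A longer value writes past `name` into the
 * rest of the frame, including saved registers and the return address, which is
 * how an attacker redirects execution.  Never call this with untrusted input. */
size_t copy_json_string_unbounded(const char *json)
{
    char name[MAX_NAME];
    size_t i = 0;

    if (*json++ != '"')
        return 0;
    while (*json != '"' && *json != '\0')
        name[i++] = *json++;          /* no check against MAX_NAME */
    name[i] = '\0';
    return i;
}

/* Hardened variant: copies into a caller-supplied buffer of `out_size` bytes and
 * returns the copied length, or -1 for anything it cannot hold or parse.  Escape
 * sequences are rejected rather than decoded to keep the example short; a real
 * parser must decode them with the same bound applied to the decoded length. */
int copy_json_string_bounded(const char *json, char *out, size_t out_size)
{
    size_t i = 0;

    if (json == NULL || out == NULL || out_size == 0 || *json++ != '"')
        return -1;
    while (*json != '"') {
        if (*json == '\0' || *json == '\\')
            return -1;                /* unterminated string, or an escape */
        if (i + 1 >= out_size)
            return -1;                /* would leave no room for the terminator */
        out[i++] = *json++;
    }
    out[i] = '\0';
    return (int)i;
}

/* One request through both checks.  Returns 0 if accepted, -1 if the Host header
 * is not ours (rebinding), -2 if the value is malformed or does not fit. */
int handle_request(const char *host, const char *json_value)
{
    char name[MAX_NAME];

    if (!host_header_is_own(host))
        return -1;
    if (copy_json_string_bounded(json_value, name, sizeof name) < 0)
        return -2;
    printf("accepted value \"%s\"\n", name);
    return 0;
}

int main(void)
{
    /* Constructed requests for the demo, not captured traffic; 40 'A's below. */
    const char *long_value = "\"" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAA" "\"";

    printf("legit:    %d\n", handle_request("192.168.100.1", "\"ch1\""));     /* 0 */
    printf("rebound:  %d\n", handle_request("attacker.example", "\"ch1\""));  /* -1 */
    printf("too long: %d\n", handle_request("192.168.100.1", long_value));    /* -2 */
    return 0;
}
```

The unbounded routine is never exercised with a long input; its point is the missing comparison against the buffer size, which is the only difference from the bounded version. The Host check works because the browser fills Host from the name it resolved, not from the address that name resolved to, so a rebound request cannot present the modem’s own address; it cuts off the delivery path but is no substitute for fixing the overflow itself.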


At this point, it’s game over for the modem. An attacker can do pretty much anything they want.

The team said the vulnerability affects cable modems using chipset designer Broadcom’s software running on the open-source Embedded Configurable Operating System (eCos), and fears that in Europe alone as many as 200 million modems may be vulnerable, though the researchers are not certain of the figure.

“The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware,” the crew explained. “This means that we have not been able to track the exact spread of the vulnerability, and that it might present itself in slightly different ways for different manufacturers.”

Broadcom has yet to respond to a request for comment on the report. You can find a list of known affected broadband gateway models here. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/10/broadcom_cable_haunt_vulnerability/