STE WILLIAMS

Sketchy behavior? Wacom tablet drivers phone home with names, times of every app opened on your computer

FYI: Wacom’s official tablet drivers leak to the manufacturer the names of every application opened, and when, on the computers they are connected to.

Software engineer Robert Heaton made this discovery after noticing his drawing board’s fine-print included a privacy policy that gave Wacom permission to, effectively, snoop on him.

Looking deeper, he found that the tablet’s driver logged each app he opened on his Apple Mac and transmitted the data to Google to analyze. To be clear, we’re talking about Wacom’s macOS drivers here: the open-source Linux ones aren’t affected, though it would seem the Windows counterparts are.

“Being a mostly normal person, I never usually read privacy policies. Instead I vigorously hammer the ‘yes’ button in an effort to reach the game, machine, or medical advice on the other side of the agreement as fast as possible,” Heaton said earlier today.

“But Wacom’s request made me pause. Why does a device that is essentially a mouse need a privacy policy?”

Kill switch

After firing up Burp Suite to observe his network traffic, Heaton found that his peripheral’s macOS driver would query the presence of an XML file on a wacom.com server, and if this document was present, the software would feed notifications of applications being opened into Wacom’s Google Analytics account. If the XML file was not present, the driver would not spill any details to Google, and note in its logs the telling line: “Analytics disabled either locally or from server kill switch.” In other words, the XML file acted as a kill switch.

Interestingly enough, while poking around with this code, Heaton noticed the XML disappeared for a while then reappeared containing a curious Easter Egg: “<hi>Rick</hi>”

If you want to disable this snooping, open your Wacom Desktop Center, find the slightly hidden More link, click on it, go to the privacy settings, and opt out of “Wacom’s Experience Program.” Note that you may have to opt out again after updating your driver installation: this data collection is enabled by default.


It appears Wacom gathers this information to figure out which specific applications punters are using alongside its hardware: which apps are popular, which get used a lot, and so on, presumably to help it improve its products. Google Analytics will let you inspect the activities of individual users, such as which applications were opened, though it attempts to mask people’s identities using ID numbers. You can’t drill down to personally-identifiable things like IP addresses. The data can be analyzed in aggregate to figure out which programs are being run and when.

A spokesperson for Wacom was not available for comment.

“Some of the events that Wacom were recording were arguably within their purview, such as ‘driver started’ and ‘driver shutdown’,” Heaton noted.

“I still don’t want them to take this information because there’s nothing in it for me, but their attempt to do so feels broadly justifiable. What requires more explanation is why Wacom think it’s acceptable to record every time I open a new application, including the time, a string that presumably uniquely identifies me, and the application’s name.”

That string, we reckon, is Wacom’s Google Analytics account number, rather than a per-user identifier.

“I think people should just make sure to disable this specific tracking and read future Wacom privacy policies more carefully,” he told El Reg.

“I get that Wacom almost certainly just want the data for product development purposes and aren’t doing anything overtly evil with it, but that doesn’t make it OK for them to grab it.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/05/wacom_user_tracking/

Terrifying bug in WhatsApp allows hackers to steal files. So get patching all nine of you using it on the desktop

A vulnerability in WhatsApp could be exploited to remotely access a victim’s files on their computer – if they use the desktop client paired with the iPhone app. A patch has been issued and should be installed.

Bug-hunter Gal Weizman, from security shop PerimeterX, discovered and reported CVE-2019-18426, a cross-site scripting hole that could potentially allow an attacker to get to the local file system of another user simply by sending a specially crafted message. The security bug was fixed in January by Facebook in WhatsApp Desktop version 0.3.9309 and later.

The vulnerability lies in the way the Windows and Mac versions of the instant-messaging app handle so-called banners, or previews of web links in messages. JavaScript code stashed in a maliciously crafted banner can bypass protection mechanisms and access the local file system of the target.


“On WhatsApp the banner is being generated on the side of the sender and this is an important point to understand,” said Weizman. “One can easily tamper with the banner properties before sending it to the receiver.”

Weizman added the heart of the flaw lies in the Chromium browser engine in the application framework Electron that WhatsApp relies on to provide a user interface for its desktop client. While the cross-site scripting bug was patched a while back in Chromium, WhatsApp used an old version of Electron that included a vulnerable build of the browser engine.

“Electron is a cool platform that lets you create ‘native’ applications using standard web features,” Weizman explained.

“This makes things super easy for a lot of big companies since it allows them to have one source code for both their web applications and native desktop applications. Electron constantly updates along with the platform it is based on: Chromium.”

In short, WhatsApp’s desktop client was built on a version of Electron that used an out-of-date insecure Chromium build, which made it vulnerable to a flaw patched a while back. As a result, users were potentially vulnerable to attack. Users and admins can protect themselves from attack by updating to the latest version of WhatsApp, which is built on a more up-to-date stack. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/05/whatsapp_xss_bug/

What is a Privileged Access Workstation (PAW)?

Ask the Experts — about a technological game of keep-away that protects the most precious resources from the greatest dangers.

Question: What is a Privileged Access Workstation? And how does a PAW work?

Tal Zamir, co-founder and CEO, Hysolate — Workstations used by privileged users can easily become an attacker’s shortcut into the heart of the enterprise. One best practice for protecting privileged user devices is providing each such user a dedicated operating system that is exclusively used for privileged access — a concept known as Privileged Access Workstations (PAW).

This dedicated OS mustn’t be used for web browsing, email, and other risky apps, and should have strict app whitelisting. It shouldn’t connect to risky external WiFi networks or to external USB devices. Privileged servers must not accept connections from a non-privileged OS.

You must also keep the user’s experience in mind. To avoid forcing users to use two separate laptops, consider leveraging virtualization technologies (e.g. VirtualBox/Hyper-V) that allow a single laptop to run two isolated operating systems side-by-side, one for productivity and one for privileged access. Also consider solutions dedicated to the concept of PAW.


Article source: https://www.darkreading.com/edge/theedge/what-is-a-privileged-access-workstation-(paw)/b/d-id/1336944?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Emotet Preps for Tax Season with New Phishing Campaign

Malicious emails in a new attack campaign contain links and attachments claiming to lead victims to W-9 forms.

A newly discovered Emotet campaign aims to manipulate US taxpayers into clicking malicious links or downloading fraudulent attachments that promise to contain W-9 forms.

The first few months of the year are busy for both taxpayers and cybercriminals, who capitalize on the season with phishing emails related to filing taxes and collecting returns. This campaign relies on victims wanting to view a W-9 form, an essential form that taxpayers need to file their US taxes.

These phishing messages are not complex, report the Cofense researchers who discovered the attack. Some emails arrive with an attachment; others contain a simple link to download the document. Both forms of the attack deliver Emotet to the recipients. 

“While this tax season is just getting started, with many tax filing forms due to taxpayers last week, by Jan 31st, we anticipate these campaigns will likely evolve and get better as we move towards the annual filing date of April 15th,” writes Cofense’s Tonia Dudley in a blog post.

Experts advise protecting against these types of attacks by filing tax returns early, using a secure Internet connection to file electronically, and checking credit reports at least once per year. Taxpayers should also protect their Social Security number throughout the year and thoroughly research tax preparers before sharing their personal information.  

Read more details in the full post here.


Article source: https://www.darkreading.com/threat-intelligence/emotet-preps-for-tax-season-with-new-phishing-campaign/d/d-id/1336979?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IoT Malware Campaign Infects Global Manufacturing Sites

The infection uses a Lemon_Duck PowerShell malware variant to exploit vulnerabilities in embedded devices at manufacturing sites.

A new malware campaign built to exploit flaws in connected devices is targeting manufacturers around the world and affecting products from smart printers to heavy operational equipment.

Researchers at TrapX Labs first saw this attack targeting Latin American manufacturers in October 2019. Since then, it has continued to expand, with a peak in December and ongoing growth this year in regions including North America, Africa, and the Middle East, says TrapX CEO Ori Bach.

“Given the nature of the attack, it makes sense to make it global,” Bach explains. “The attacker wants to cover as much real estate as possible.”

This attack campaign uses a self-spreading downloader that runs malicious scripts as part of the Lemon_Duck PowerShell malware family. The threat exploits vulnerabilities in Windows 7 embedded devices and specifically targets manufacturing sites, where infected devices can possibly malfunction and pose risks to employee safety, supply chain disruption, and data loss.

Attackers employ several methodologies to break into manufacturing sites, Bach says, but ultimately their initial entry occurs through two main attack vectors. The first is a classic phishing email; if successful, an intruder can use a variety of tools — vulnerable protocols, weak passwords, pass-the-hash, and others — to spread throughout the target organization.

The second is a supply chain infection. An attacker may compromise a company where devices are manufactured so they arrive at their final destination preinfected. Once they’re connected to a target network, these malicious devices can spread malware to others on the network. These supply chain attacks make up 80% of infections in this particular campaign, Bach notes. There are many products to protect against phishing emails, he adds, but fewer exist to combat supply chain threats.

In these attacks, and many Internet of Things-focused campaigns, adversaries are not concerned with the type of device they infect. “Attackers are obviously agnostic of the operational function of the device,” he says of choosing targets. “What they care about is what this device is running.” For many devices, this is Windows 7, an operating system that stopped receiving security support earlier this year.

An example of one such device is the DesignJet SD Pro Scanner/printer, which was infected in this campaign and served as an entry point into one target network, researchers report. It is used to print technical engineering drawings and holds sensitive data for the manufacturer’s products; it also ran Windows 7 embedded and had access to the Internet and various projects.

In a separate supply chain attack, attackers infected an automatic guided vehicle (AGV), a piece of equipment used to transport materials or perform tasks in industrial environments. AGVs run on batteries or electric motors and could threaten employee safety in a work zone. This incident caused confusion on the production line, possibly damaging products that AGVs assemble. The target network contained three other AGVs, all of which were preinfected with malware.

Manufacturing Malware 
Lemon_Duck was developed as a cryptominer, says Bach. In this scenario, the malware has been customized to perform capabilities beyond mining for cryptocurrency on a target machine.

This particular variant scans a network for potential targets, including devices with SMB (445) or MSSQL (1433) services open. When it finds one, the malware runs multiple threads with several functionalities. It first attempts to brute-force the services with usernames and passwords to gain access so it can further download and spread the malware via SMB or MSSQL. Another of its functionalities is to run invoke-mimikatz via import-module to obtain NTLM hashes and gain access, another means of downloading and spreading the malware via SMB. Once SMB access is gained, it uses a tool to copy itself to the target device and run there.

Some of these functions may not work, which is why Lemon_Duck comes with backup plans. If it fails via brute force or NTLM hashes, it will attempt to use the EternalBlue SMB vulnerability to gain system access and run as a service on the target. Lemon_Duck persists via scheduled tasks, which run PowerShell scripts to further download Lemon_Duck PowerShell scripts.

This attack presents a challenge to manufacturers because devices are often not fully patched and can be difficult to wipe clean, says Bach. What’s more, they can be reinfected by other machines on the network after the malware is removed because the nature of Lemon_Duck is to spread quickly. Patching is more difficult in an operational technology network than a traditional IT environment.

The end-of-support for Windows 7 compounds the challenge for manufacturers because equipment is difficult to update and expensive to replace. Bach advises organizations to start by mapping out the products they have in their environment and working with each individual vendor to determine what needs to be replaced and what needs to be upgraded to a new OS.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/iot/iot-malware-campaign-infects-global-manufacturing-sites/d/d-id/1336982?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Department of Energy Adds Attivo Decoys for Critical Infrastructure Security

The decoys and lures will help redirect attacks away from devices that can’t be protected through traditional means.

The US Department of Energy’s Office of Technology Transitions (OTT) Technology Commercialization Fund (TCF) and the Pacific Northwest National Laboratory (PNNL) have awarded a contract to Attivo Networks for building out a Deception Defense Platform for Cyber-Physical Systems. The project is designed to improve critical infrastructure cybersecurity capabilities.

Attivo will work with PNNL to build out layered security for industrial control systems and SCADA systems. Because many of the devices in critical infrastructure cannot run antivirus software, cannot easily be taken offline for software updates, and were not designed to be interconnected, Attivo will provide decoys and lures that are designed to detect and misdirect attacks. The decoys deploy in operational technology environments and appear identical to the devices in the infrastructure.

For more, read here.


Article source: https://www.darkreading.com/iot/department-of-energy-adds-attivo-decoys-for-critical-infrastructure-security/d/d-id/1336983?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Majority of Network, App-Layer DDoS Attacks in 2019 Were Small

Attackers turned to cheaper, shorter attacks to try and disrupt targets, Imperva analysis shows.

Distributed denial of service attacks appear to be getting smaller, shorter, and more persistent.

An analysis by Imperva of DDoS attack data from 2019 showed that more than 51% of network layer DDoS attacks lasted barely 15 minutes and another 10% or so for between 15 and 30 minutes. Only about one-in-five attacks lasted more than an hour and about four percent for between six and 12 hours.

The security vendor attributed the trend to the increasing availability and use of so-called “stresser” or DDoS for hire services that allow almost anyone to launch small attacks against targets of their choice for prices starting at around $5.

“Short duration attacks are cheaper,” says Johnathan Azaria, data scientist at Imperva. “They disrupt the site’s function for the duration they’re active and have a chance of crashing the site.”

Though relatively small in nature, for victims such attacks can be disruptive all the same. Often, though it might take just a few minutes to knock a site offline, recovery can take much longer, Azaria says. “In some cases the attack causes the website to shut down, not just slow down. It might be just a process that crashed, or that the server fell and needs to restart.” When multiple processes and servers are involved, getting restarted even after a small DDoS attack can be time-consuming, Azaria says.

Criminals have long used DDoS attacks for a variety of reasons, including extortion, vandalism, hacktivism, and business rivalry. Many security experts expect a sharp increase in DDoS attacks this year by actors seeking to impact and influence the US presidential elections.

Just this week for instance, the FBI reportedly issued a so-called Private Industry Notification (PIN) alerting about a DDoS campaign that targeted a state voter registration and voter information website.

In this particular case, the attackers reportedly hit the DNS server of the voter registration website with short bursts of DNS requests in a bid to crash the server. BleepingComputer, which was the first to report on the so-called Pseudo Random Subdomain (PRSD) DDoS attack on the voter registration site, described it as occurring in short bursts over a one-month period.

“PRSD attacks are a type of DNS flood,” says Avishay Zawoznik, Security Research Manager at Imperva. Such attacks have the potential to exhaust the resources of the authoritative server and limit its ability to function properly.

PRSD attacks are relatively easy to pull off and are likely available as part of some DDoS for hire services. “The nature of the attack is simple and easy to pull off, assuming the attacker has enough bandwidth,” Zawoznik says.
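A PRSD flood of the kind described above leaves a recognisable signature in authoritative-server query logs: a burst of queries for random-looking names under one zone that almost never repeat. This added example (not Imperva's or BleepingComputer's code) runs that detection over a constructed log; the `(client_ip, qname)` record shape, the zone `voter-info.example` standing in for the state site, and the thresholds are assumptions made for the example.

```python
"""Spot a pseudo-random subdomain (PRSD) flood in DNS query logs: many
never-repeating, random-looking names under one zone, each of which the
authoritative server has to resolve (or answer NXDOMAIN) individually.

Added example, not Imperva's or BleepingComputer's code. The log format
(client_ip, qname) and all sample queries are constructed; thresholds are
illustrative starting points, not tuned values.
"""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(label: str) -> float:
    """Bits per character of a label: 'www' -> 0.0, a random 16-char
    alphanumeric label -> roughly 3.5."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def split_name(qname: str, zone_labels: int = 2):
    """Return (zone, subdomain_part). The two-label zone rule is a
    simplification; a production check would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])


def detect_prsd(queries, min_queries=100, min_unique_ratio=0.9, min_entropy=3.0):
    """queries: iterable of (client_ip, qname). Returns {zone: stats} for every
    zone whose subdomain traffic looks like a PRSD flood: enough volume, almost
    every name unique, and a high mean entropy for the leftmost label."""
    per_zone = defaultdict(lambda: {"queries": 0, "subs": set(),
                                    "entropy": 0.0, "clients": Counter()})
    for client, qname in queries:
        zone, sub = split_name(qname)
        if not sub:
            continue  # apex queries carry no randomised label
        z = per_zone[zone]
        z["queries"] += 1
        z["subs"].add(sub)
        z["entropy"] += shannon_entropy(sub.split(".")[0])  # leftmost label
        z["clients"][client] += 1

    flagged = {}
    for zone, z in per_zone.items():
        if z["queries"] < min_queries:
            continue
        unique_ratio = len(z["subs"]) / z["queries"]
        mean_entropy = z["entropy"] / z["queries"]
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged[zone] = {
                "queries": z["queries"],
                "unique_ratio": round(unique_ratio, 3),
                "mean_entropy": round(mean_entropy, 2),
                # Top sources are what a per-client rate limit would act on.
                "top_clients": z["clients"].most_common(3),
            }
    return flagged


def constructed_sample():
    """Benign traffic to shop.example (three real hostnames, repeated) plus a
    flood of 200 unique random names under voter-info.example."""
    rng = random.Random(2020)
    queries = [(f"198.51.100.{i % 20}", ["www", "api", "cdn"][i % 3] + ".shop.example")
               for i in range(60)]
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    seen = set()
    while len(seen) < 200:
        label = "".join(rng.choice(alphabet) for _ in range(16))
        if label not in seen:
            seen.add(label)
            queries.append((f"203.0.113.{rng.randrange(1, 5)}", label + ".voter-info.example"))
    return queries


if __name__ == "__main__":
    for zone, stats in detect_prsd(constructed_sample()).items():
        print(zone, stats)
```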

Imperva’s analysis showed that about two-thirds of those who were attacked last year were hit up to five times with short duration DDoS floods. Twenty-five percent were attacked 10 times or more.

Imperva defines a single DDoS attack as one that lasts at least five minutes, Azaria says. A network-layer DDoS attack is considered finished after three hours have passed with no malicious traffic detected. For application layer attacks, the company’s threshold for an attack to be considered as finished is 30 minutes without malicious traffic.

Small Attacks

About nine-in-10 (87%) of DDoS attacks at the network layer were small and topped out at 50 Gbps. Ninety-seven percent reached no more than 50 Mpps (million packets per second).

Application layer DDoS attacks—which are designed to deplete system resources such as CPU and RAM—were similarly small with most topping out at about 1,000 requests per second. As with network layer attacks, Imperva attributed the relatively small nature of application level attacks to the use of stresser services.

Some 3,643 of the DDoS attacks that Imperva helped customers address happened at the network layer and 42,390 were application layer DDoS attacks. For those hit by such attacks, the type of DDoS flood unlikely makes much of a difference from an impact standpoint, Azaria says. “It really depends on the skills of the attacker and how well he knows his target,” he says. “Both can cause the website to malfunction to a point it’s not usable. Both can be difficult to mitigate.”

A majority of the machines used to launch application and network layer DDoS attacks last year were located in China and the Philippines, Imperva noted.

Organizations in the fiercely competitive gaming and gambling sectors continued to be the most heavily targeted in DDoS attacks last year, followed by technology companies and business entities. From a regional standpoint organizations in India were most heavily targeted in DDoS attacks last year.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/majority-of-network-app-layer-ddos-attacks-in-2019-were-small/d/d-id/1336984?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

PayPal SMS scams – don’t fall for them!

SMS messages, or “texts”, are old hat these days.

These days, most of us prefer services that don’t go through the mobile phone network, such as WhatsApp, WeChat, Facebook Messenger and Snapchat.

Nevertheless, SMS messages haven’t died out completely, not least because they’re a lowest common denominator that pretty much every mobile phone in the world can receive.

All you need is the recipient’s phone number.

As a result, SMS is still a popular choice for businesses that need or want to tell you something important without wondering which messaging app you prefer.

SMS messages are short and simple, with no room for “Dear Sir/Madam”, so people don’t expect to be greeted by name; there are usually few pleasantries or polite words; and there’s no need for fancy layout, icons, fonts or other typographical and artistic details.

As a result, crooks can create believable fakes, with no obvious mistakes, fairly easily.

Like these two reported by Naked Security readers recently:

The problem with phones

Both website names used in these text messages were registered just a day or two before the messages showed up, presumably for the sole purpose of these very phishing campaigns.

As we’ve warned before, a tricky problem with any web links you receive on your mobile phone is that it’s often harder to spot that a link is not what it seems.

Most of us use our phones in portrait mode, leaving much less screen space to display long URLs, with the result that you generally see just the left-hand end of the web address, and not the right-hand end.

Crooks almost certainly can’t get hold of a server name that ends with, say, paypal DOT com, but can create any number of subdomains that start with paypal DOT and end with some unrelated domain.

But the suspicious-looking right-hand end of a full domain name often ends up invisible on a mobile phone because it won’t fit in the address bar.
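The subdomain trick above can be checked mechanically: what matters is the right-hand end of the host name, not the part a narrow address bar shows. This added example (not Naked Security's code) puts the two side by side; the URLs are constructed, and the two-label registrable-domain rule is a simplification (a real check would consult the Public Suffix List for names such as .co.uk).

```python
"""What a narrow mobile address bar shows versus which domain a link really
leads to, for the 'starts with paypal DOT' subdomain trick in the article.

Added example, not Naked Security's code. All URLs are constructed; the
two-label registrable-domain rule is a simplification (a real check would use
the Public Suffix List so that names such as example.co.uk are handled).
"""
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Host part only: scheme, userinfo (user@), port and path stripped,
    lower-cased, trailing dot removed."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """The right-hand end that actually identifies the site's owner."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def belongs_to(url: str, brand_domain: str) -> bool:
    """True only if the host IS brand_domain or ends with '.' + brand_domain.
    A host that merely starts with the brand name fails this test."""
    host, brand = hostname(url), brand_domain.lower()
    return host == brand or host.endswith("." + brand)


def address_bar_view(url: str, width: int) -> str:
    """The left-hand end a portrait-mode address bar has room for, which is
    the part the crooks make look right."""
    host = hostname(url)
    return host if len(host) <= width else host[: width - 1] + "…"


def triage_link(url: str, brand_domain: str, width: int = 12) -> dict:
    """Side by side: what the phone shows, what the name really is, verdict."""
    return {
        "shown": address_bar_view(url, width),
        "actual": registrable_domain(hostname(url)),
        "legitimate": belongs_to(url, brand_domain),
    }


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "https://paypal.com.account-verify.example/login"):
        print(triage_link(u, "paypal.com"))
```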

HTTPS doesn’t guarantee truth

As you can see above, both websites use HTTPS, which denotes secure HTTP.

Remember, however, that HTTPS vouches for the security of the network communication between your browser and the website at the other end. It doesn’t vouch for the honesty or accuracy of the information that gets served up to you.

Sure, a site without HTTPS is best avoided – anyone nearby on the internet can spy on what you are doing, because there’s no encryption.

But a site with HTTPS isn’t automatically trustworthy on that account alone.

After all, crooks can have valid driving licences or other government-issued ID, but those IDs only vouch for who they are, not for their honesty or trustworthiness.

Keep it simple!

If you click through, the phishing scam is uncomplicated and, at least at first sight, believable enough.

You’re first asked to log in to your PayPal account:

By this point, of course, the crooks are already ahead because you’ve just uploaded your password to their bogus site.

For a touch of reassurance, there’s a legitimate-looking visual delay before the crooks hit you with their next phishing page:

If you weren’t suspicious when the password page popped up, you should definitely be suspicious from this point on, given the amount of personal data being requested just to show you a transaction:

You definitely wouldn’t need to put in your credit card and bank details, as the crooks urge you to do on the next page:

End with the truth

If you do supply the crooks with everything they’re after, the crooks bump you across to the genuine PayPal home page.

That might not be exactly where you’d expect to end up, but it does make for a softer and more believable landing than if your browser just crashed, or popped up some sort of error you’d never seen before:

Another trick that the crooks used in this scam was to remember the IP number (the network identifier) that you just used to visit their fraudulent pages. (IP numbers don’t always pinpoint individual computers, but they usually identify households or business premises.)

If you click through to the scam again, at least within the next few hours, you won’t see the telltale signs of the scam the second time around – you’ll just end up redirected immediately to the final, real PayPal page shown above.

In other words, if you have second thoughts about what just happened, or if you ask a trusted friend or family member to investigate for you, things won’t look suspicious when you go back for a second look.

What to do?

  • Avoid links in text messages. If you know you’ll be dealing with company X, such as PayPal, find out the right website and go there yourself. Don’t rely on links texted to you, because those links can say whatever the sender wants.
  • Check the URL in the address bar. Be especially careful on your mobile phone, where the address bar often doesn’t show much text from the URL you are visiting. Stop and take the time to scroll right – don’t blindly believe the text you see at the left-hand end.
  • If you realise you just revealed your password to imposters, change it immediately. The crooks who run phishing sites typically try out stolen passwords immediately and automatically, so the sooner you act, the more likely you will beat them to it.
  • Report compromised bank data at once. If you get as far as entering any financial data before you realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your credit card so you get the right phone number – never reply using contact details from the original message.)

PS. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you type into a webpage even if you never press the [Submit] or [Next] button.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OuQJbO6XlzE/

Coronavirus “safety measures” email is a phishing scam

Thanks to the Sophos Security Team for their help with this article.

Sadly, cybercrooks love a crisis, because it gives them a believable reason to contact you with a phishing scam.

Here’s a tasteless and exploitative example, reported to us by the Sophos Security Team, of a current scam that uses the coronavirus as its lure:

The email, which carries the logo of the World Health Organization states:

Go through the attached document on safety measures regarding the spreading of corona virus.

Click on the button below to download

Symptoms common symptoms include fever,coughcshortness of breath and breathing difficulties.

Fortunately, at least for fluent speakers of English, the criminals have made numerous spelling and grammatical mistakes that act as warning signs that this is not what it seems.

The link you’re asked to click on is similarly, and fortunately, dubious.

Firstly, it seems to be a compromised music site with a weird name that doesn’t have any obvious connection to any well-known health organisation; secondly, it is an HTTP site, not an HTTPS site, which is sufficiently unusual these days to be suspicious in its own right.

Nevertheless, the scam page itself is incredibly simple – it can’t have taken the crooks more than a few minutes to put together – and visually effective.

The fake page consists of the official, current home page of the World Health Organisation (WHO), with an unassuming popup form on top of it.

It doesn’t just look like the WHO’s page in the background, it is the WHO’s page, rendered in a frame that’s embedded in the fake site:
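Framing a genuine page inside a scam site, as described above, only works when the genuine site's responses do not forbid it. This added example (not Sophos's or the WHO's code) classifies a response's anti-framing headers the way a browser would apply them, with CSP `frame-ancestors` taking precedence over `X-Frame-Options`; the header sets it is run against are constructed.

```python
"""Classify a site's anti-framing protection from its response headers: the
defence against exactly the trick in the article (a real page rendered in a
frame on the crooks' site).

Added example, not Sophos's or the WHO's code. Header sets are constructed.
Returns 'blocked' (no third-party framing), 'partial' (named origins may
frame) or 'none'.
"""


def frame_ancestors_sources(csp: str):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: dict) -> str:
    """Header names are matched case-insensitively. When both headers are
    present, browsers that support CSP frame-ancestors ignore X-Frame-Options,
    so CSP is evaluated first."""
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            # 'none' forbids all framing; 'self' alone forbids other origins.
            if sources in (["'none'"], ["'self'"]):
                return "blocked"
            return "partial"

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return "blocked"
    # ALLOW-FROM is obsolete and ignored by current browsers, so a site that
    # relies on it is effectively unprotected.
    return "none"


# Constructed header sets: a hardened site and one that can be framed.
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY"}
FRAMEABLE = {"Server": "nginx", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("hardened:", framing_policy(HARDENED))
    print("frameable:", framing_policy(FRAMEABLE))
```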

You can see why someone who’s nervous about the coronavirus issue, or who has friends and family in the main areas of infection, or who wants to do the right thing by learning more about preventing the spread of the disease…

…might fill in the form, perhaps because they are feeling pressurised by (or not thinking clearly because of) the subject matter.

Indeed, many companies have already sent emails to their staff to offer advice, so reading additional information that is allegedly from the WHO sounds like a sensible and responsible thing to do.

Of course, if you put in your email address or your password and click through, you’ll be submitting the filled-in web form to the crooks.

Worse still, you’ll be submitting it over an unencrypted connection.

So anyone else on the same network as you, for example in your hotel lobby or the coffee shop, could potentially capture your network traffic and see the username and password you just put in.

Once you’ve clicked the [Verify] button, the crooks simply redirect you to the real WHO site at who DOT int, which looks just like the previous page you were on, minus the popup form…

…with the rather obvious exception that the address bar now looks (and is) correct, displaying the genuine WHO website name, showing a padlock and – if you click through and view the web certificate – a certificate that shows up as issued to the WHO itself.

What to do?

  • Never let yourself feel pressured into clicking a link in an email. Most importantly, don’t act on advice you didn’t ask for and weren’t expecting. If you are genuinely seeking advice about the coronavirus, do your own research and make your own choice about where to look.
  • Don’t be taken in by the sender’s name. This scam says it’s from “World Health Organization”, but the sender can put any name they like in the From: field.
  • Look out for spelling and grammatical errors. Not all crooks make mistakes, but many do. Take the extra time to review messages for telltale signs that they’re fraudulent – it’s bad enough to get scammed at all without realising afterwards that you could have spotted the fraud up front.
  • Check the URL before you type it in or click a link. If the website you’re being sent to doesn’t look right, stay clear. Do your own research and make your own choice about where to look.
  • Never enter data that a website shouldn’t be asking for. There is no reason for a health awareness web page to ask for your email address, let alone your password. If in doubt, don’t give it out.
  • If you realise you just revealed your password to imposters, change it as soon as you can. The crooks who run phishing sites typically try out stolen passwords immediately (this process can often be done automatically), so the sooner you react, the more likely you will beat them to it.
  • Never use the same password on more than one site. Once crooks have a password, they will usually try it on every website where you might have an account, to see if they can get lucky.
  • Turn on two-factor authentication (2FA) if you can. Those six-digit codes that you receive on your phone or generate via an app are a minor inconvenience to you, but are usually a huge barrier for the crooks, because just knowing your password alone is not enough.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dBzPRuGB_so/

They can’t collect your bins or fix your roads. They let Google stalk visitors to their websites. Yes, it’s UK local government

A new report by privacy-focused browser Brave suggests UK local authorities are sharing information about their website users with dozens of private companies.

The study (PDF) shows that nearly all local councils across the UK exposed data about visitors to their websites, which was then sold on to private companies. Some councils allow companies to track sensitive information about users, such as when they were seeking financial help or support for substance abuse.

London’s Enfield Council, which serves 333,969 people, and Sheffield Council, which serves 582,506, were the worst offenders. Both exposed visitors to 25 data collectors apiece.

The report names Google as the source of much of the exposure. Brave found that 98 per cent of the councils reviewed used systems from Mountain View, which owned the top five embedded elements in council websites. These elements enable users to be tracked around the web, scraping together whatever information they can, such as what websites and apps users are looking at, their location and their device.

Brave also found that more than half the councils it reviewed use Google’s real-time bidding (RTB) system. The tech works by instantly linking up advertisers with specific people’s eyeballs, allowing firms to buy and sell on a per-impression basis through real-time auctions.

The process uses the information pulled together through the embedded elements to build detailed profiles on users. This information is then auctioned off to advertisers, which bid on which users they want their ads to target. Well-off visitors with a lot of disposable income or IT buyers with big spending budgets will command higher rates, for example. The whole process is automated and the winner’s ad instantly appears on the user’s screen when the page loads.

One of the ad exchanges that used RTB, the Council Advertising Network (CAN), shared people’s data from 34 council websites with 22 companies, Brave said.

RTB systems have been in murky waters for some time. The UK’s data watchdog, the Information Commissioner’s Office (ICO), has been investigating the issue and recently warned a Parliamentary inquiry that data harvesting by these companies poses a serious risk to privacy and security.

Last year, privacy warriors lodged a legal complaint against the Internet Advertising Bureau’s (IAB) OpenRTB and Google’s Authorized Buyers systems. The IAB, which is well aware that its advertising networks flout Europe’s General Data Protection Regulation (GDPR), insists that they aren’t doing anything wrong.

The IAB has consistently stressed that blaming the makers of RTB technology is like holding road builders accountable for people who break the speed limit. Google is – surprise, surprise – an IAB member. Critics responded that the IAB is not a road builder, but the traffic authority.

The ICO’s response was hardly inspiring. Simon McDougall, the authority’s executive director of technology and innovation, said: “There are thousands of companies involved in the adtech ecosystem and at this stage the issue raised involve[s] the entire industry. We stand ready to deal with the problems but it is a hugely complex area. As a pragmatic regulator, we have a duty to build a thorough and robust case for any regulatory action we may decide to take, and all this takes time.


“We are using the intelligence gathered throughout last year to develop an appropriate regulatory response and we continue to investigate real-time bidding. It may be necessary to take formal regulatory action and we will continue to progress our work on that basis.”

Google insisted it was GDPR compliant, adding that it does not build advertising profiles from “sensitive interest categories, including from sites offering benefits such as welfare or unemployment, and we have strict policies preventing advertisers from using such data to target ads”.

CAN admitted it was collecting data for “advertising purposes”, but denied that it sold any personal info to data brokers. “We automatically block categories such as gambling, alcohol, payday loans, politics and adult themes in order to protect users of our council partners’ websites from advertising inappropriate for a public sector environment,” a spokesperson said.

This is not the first study to warn that public sector websites are littered with undisclosed adtech. A report last year by Cookiebot found that 82 per cent of EU government websites were slurping up information on EU citizens’ browsing habits. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/05/uk_councils_are_letting_google_stalk_their_users/