STE WILLIAMS

Samsung reminds rabble to scan smart TVs for viruses – then tries to make them forget

Samsung on Sunday sent out a tweet urging people to check their Sammy smart TVs for viruses – and then deleted the message, as if someone realized that highlighting the risks posed by connected TVs may be bad for business.

The Twitter post, sent via the South Korean manufacturer’s @SamsungSupport account, remains preserved for posterity thanks to the Internet Archive’s Wayback Machine.

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”


Samsung's deleted tweet warning about smart TV security

The Register asked Samsung to explain the sudden reversal. We’ve not heard back.

Infected TVs are not a novel concern. Security biz Symantec warned about attacks on smart TVs back in 2015. A 2016 Reddit post tells a similar tale.

In 2017, device maker Vizio agreed to pay $2.2m to settle charges brought by the US Federal Trade Commission and the Office of the New Jersey Attorney General that it installed software on its TVs that collected viewing habit data without informing customers or asking permission.

In 2018, Consumer Reports, working with Disconnect and Ranking Digital Rights, evaluated a number of smart TVs and found them lacking in terms of privacy protection and security. That same year, security biz McAfee pointed out a flaw affecting Belkin’s Wemo Insight smart plugs that put appliances on the network, like smart TVs, at risk.

And earlier this month, Supra Smart Cloud TVs were found to be vulnerable to CVE-2019-12477, a remote file inclusion zero-day vulnerability that let individuals with local network access take over the video display.

These challenges show no sign of going away as the majority of tellies shipped today are so-called smart TVs. According to market research firm IHS Markit, smart TVs represented 70 per cent of all goggle-boxes shipped last year globally. That’s up from less than 50 per cent in 2015.

Forty per cent of smart TVs shipped last year are running the Android operating system, which has been known to have the occasional security issue. And none of the other operating systems powering smart TVs have a better reputation.

Samsung should know by now that the first rule of IoT club is not to talk about the viruses. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/18/samsung_smart_tv_malware/

DHS Tests Remote Exploit for BlueKeep RDP Vulnerability

Agency urges organizations with vulnerable systems to apply mitigations immediately.

Time may be running out for organizations that have still not applied the patches that Microsoft released last month for the “BlueKeep” Remote Desktop Protocol (RDP) vulnerability in multiple older Windows versions.

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that it had successfully tested a remote code execution exploit for BlueKeep against a Windows 2000 machine.

It is believed to be the first publicly known remotely executable exploit for BlueKeep — a security vulnerability that many, including Microsoft, have compared to the EternalBlue vulnerability that led to the WannaCry and NotPetya global outbreaks of 2017.

“CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep,” the federal agency said in an alert that urged organizations to apply mitigation measures as soon as possible. 

The alert noted Microsoft’s description of BlueKeep as being “wormable” and warned that malware that exploited the vulnerability on a single system would be able to automatically propagate to other vulnerable systems. “Thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017,” CISA said.

In an e-mailed statement a Microsoft spokeswoman pointed to the company’s BlueKeep security updates last month and once again urged organizations to implement them as quickly as possible. “We strongly recommend any customers still using Windows 2000 to update to a supported operating system as soon as possible,” the statement said. “Modern operating systems include built-in protections against this, and many other threats.”

BlueKeep (CVE-2019-0708) is a remote code execution vulnerability in the Remote Desktop Services component in multiple Windows versions including Vista, XP, Windows 7, and 32-bit and 64-bit versions of Windows Server 2008. The vulnerability enables an unauthenticated user to access a system via RDP and issue commands for installing malware; viewing, modifying, or deleting data; and creating new user accounts on it.

Microsoft disclosed the flaw last month and considers it so critical that the company issued patches for both supported and unsupported versions of Windows. In a blog post two weeks after disclosing the flaw, Microsoft said it was confident that exploits for BlueKeep were available and once again urged organizations to patch against the threat immediately. “It only takes one vulnerable computer connected to the Internet to provide a potential gateway into corporate networks,” the company noted. Others that have issued similar alerts include the National Security Agency and the Department of Homeland Security. Several researchers have warned about proof-of-concept code being developed for the flaw by hackers reverse-engineering the patches.

Even so, new research by BitSight earlier this month showed that nearly 1 million Internet-exposed systems remain unpatched against BlueKeep and therefore vulnerable to attack. Another report from Check Point Research noted a recent increase in Internet scans for vulnerable systems that the security vendor interpreted as a sign threat actors are preparing for attacks targeting the flaw.

So far, no exploit for BlueKeep has become publicly available, but most believe it is just a matter of time before that happens.

“As both defensive and offensive actors explore the capabilities introduced by this vulnerability … organizations [are] running out of opportunities to continue to secure the integrity of their infrastructure and data,” says Dan Dahlberg, director of security research at BitSight. “Their third-parties remain indirectly exposed due to that inaction,” as well, he notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/dhs-tests-remote-exploit-for-bluekeep-rdp-vulnerability/d/d-id/1334986?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Fraudulent Domains ‘Hide in Plain Sight’

Cybercriminals use new types of top-level domains, topical keywords, and targeted emails to trick victims into clicking malicious links.

Domain fraud is an old cybersecurity risk manifesting in new ways as cybercriminals take advantage of new top-level domains, privacy regulations, and social engineering tactics.

More than three-quarters of businesses found “lookalike” domains posing as their brand, researchers at Proofpoint Digital Risk Protection discovered as part of the 2019 Domain Fraud Report. Nearly all (96%) found exact matches of their brand-owned domain with a different top-level domain (TLD); for example, “.net” tacked on the end of the URL instead of “.com.”

“This is a huge brand problem, both from a direct revenue standpoint and indirect loss standpoint,” says Kevin Epstein, vice president of threat operations at Proofpoint. In a best-case scenario, a consumer may happen upon a blank website with a domain similar to yours. Worst-case scenario, they end up on a fake website, engage in a transaction, and their money and credit card information is sent to a cybercriminal. They’re angry at the attacker – and the brand.

“I’d associate this brand, now, with something negative,” Epstein continues. Spoofed domains can tarnish a business’ reputation, resulting in customer loss and indirect financial impact.

Most domains are registered by people and businesses for legitimate reasons. Some are registered by fraudsters planning to launch phishing attacks, sell knock-off goods on spoofed sites, or use “typo-squatting” domains to make money off unintentional traffic for other sites. Between the first and fourth quarters of 2018, Proofpoint found the registrations of fraudulent domains rose 11%. Domains were categorized as fraudulent based on a classification engine built to analyze domain records, reputation, website content, email activity, and other factors.

“The most interesting thing to me is this change in attacker philosophy,” says Epstein of this year’s report. Cybercriminals have shifted from investing in highly technical attacks to more individually focused phishing attacks “happening on every street corner of the Internet.” Any email can be an attempt to con you out of money, pretending to be from your boss or bank.

Social Scamming

It all comes down to the tricks of a manipulative social engineer. The rise of new TLDs has contributed to fraudulent domain registrations. Researchers saw “significant growth” in fraudulent domains outside the classic “.com,” “.net,” and “.org.” Some of the lesser-known TLDs in fraudulent domains include “.top” (#2), “.fr” (#3), “.men” (#19), and “.work” (#50). European country codes are often used among criminals hoping to fool victims with fake links.

“Apparently as human beings we’re sensitive more to the brand than the extension,” says Epstein. “Over time, as computer users, we’re less trained to ignore things after the dot.”

If someone sees the name of a well-known bank in a URL, they’re likely to click without noticing a .pop or .xyz at the end. This should give people pause, but well-known brands seem safe.

This can be seen in new findings from Segasec, which recently detected an increase in domain spoofing targeting customers of Walmart, Best Buy, and Wayfair. In the week leading up to Mother’s Day, they noticed 188 domains related to the Walmart brand were created, up from 80 new domains two weeks prior to the holiday: walmartgiftpromo[.]com is an example. Others include bestbuy-survey[.]online, bestbuyus[.]org, and bestbuycyprus[.]eu.

“It is potentially one of the most common threat tactics,” says Segasec CEO Elan Schulman. “It’s aimed to mislead the weakest link, which is the end user.” What’s more, he adds, cybercriminals don’t have to be advanced to pull this off. “This is something you can familiarize with very easily,” he adds.

Some fraudulent websites have certificates, which also put victims at ease. Attackers are leaning away from plain domains and towards legitimate certificates, a trend that leads to an “error of attribution” on the part of victims. Sure, the lock symbol means the connection to the server is encrypted – but it doesn’t mean the server is legitimate. People feel safe when they see the lock; as a result, they’re likely to engage with these potentially malicious sites.

Think Before You Click

Rather than rely on the passive typo-squatting strategy, more attackers are directly targeting domain spoofing victims with phishing attacks. Business email compromise (BEC) is common, researchers report. Many criminals pick a large class of people to target with malicious links appearing to be from real brands, or containing keywords they think victims are likely to click.

Which terms are most common? Some consistently appeared in the top rankings; for example, “real estate,” which was top for June through December, as well as “for sale,” “I am,” “block chain,” “bit coin,” and other US city names and terms related to cryptocurrency. Other tech-related terms frequently seen in domains included “server,” “security,” and “system.”
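The three registration patterns the report describes (an exact brand label on a different TLD, a typo-squat, and a brand name padded with lure keywords on a lesser-known TLD) can be triaged mechanically. The following is an added example, not Proofpoint’s or Segasec’s tooling; the brand inventory, suspect-TLD and lure-word lists are constructed for illustration, and the sample domains are the defanged ones quoted above plus a few made-up ones.

```python
"""Triage newly registered domains against a protected brand list.

Added example, not the vendors' classification engine. The heuristics are the
ones the article describes: exact brand label on another TLD, small edit
distance from the brand (typo-squat), and brand-plus-lure-keyword domains,
with extra weight for TLDs the report singles out. Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: brand label -> TLD the brand actually owns.
BRANDS = {"walmart": "com", "bestbuy": "com", "wayfair": "com"}

# TLDs the report lists as over-represented in fraudulent registrations.
SUSPECT_TLDS = {"top", "fr", "men", "work", "xyz", "online", "eu"}

# Lure words commonly appended to a brand name (constructed list).
LURE_WORDS = ("promo", "gift", "survey", "sale", "secure", "login", "support")

# Plain Levenshtein; production tools add keyboard-adjacency and homoglyphs.
MAX_TYPO_EDITS = 1


@dataclass(frozen=True)
class Verdict:
    domain: str
    brand: str | None
    category: str  # legitimate | tld_swap | typo_squat | brand_keyword | unrelated
    reasons: tuple[str, ...]


def normalise(domain: str) -> str:
    """Lower-case, drop scheme and path, and undo '[.]' defanging."""
    d = domain.strip().lower()
    d = re.sub(r"^[a-z]+://", "", d).split("/", 1)[0]
    return d.replace("[.]", ".").strip(".")


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld). Naive: the last label is the TLD.
    Real tooling consults the Public Suffix List (e.g. for co.uk)."""
    labels = domain.split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Verdict:
    d = normalise(domain)
    label, tld = split_domain(d)
    tld_note = f"suspect TLD .{tld}" if tld in SUSPECT_TLDS else None

    # 1. Exact brand label: either the brand's own domain or a TLD swap
    #    (the report found 96% of brands had one of these).
    for brand, owned in BRANDS.items():
        if label == brand:
            if tld == owned:
                return Verdict(d, brand, "legitimate", ())
            reasons = [f"exact brand label on .{tld} instead of .{owned}"]
            return Verdict(d, brand, "tld_swap", tuple(reasons + [tld_note] if tld_note else reasons))

    # 2. Typo-squat: the label is within a small edit distance of a brand.
    for brand in BRANDS:
        dist = levenshtein(label, brand)
        if 0 < dist <= MAX_TYPO_EDITS:
            reasons = [f"{dist} edit(s) from brand '{brand}'"]
            return Verdict(d, brand, "typo_squat", tuple(reasons + [tld_note] if tld_note else reasons))

    # 3. Brand name embedded in a longer label, often with a lure keyword.
    for brand in BRANDS:
        if brand in label:
            rest = label.replace(brand, "")
            found = [w for w in LURE_WORDS if w in rest]
            reasons = [f"contains brand '{brand}'"]
            if found:
                reasons.append("lure keywords: " + ", ".join(found))
            if tld_note:
                reasons.append(tld_note)
            return Verdict(d, brand, "brand_keyword", tuple(reasons))

    # A suspect TLD alone is not evidence; plenty of honest sites use them.
    return Verdict(d, None, "unrelated", ())


def triage(domains: list[str]) -> dict[str, list[Verdict]]:
    """Group verdicts by category so an analyst can review the worst first."""
    out: dict[str, list[Verdict]] = {}
    for dom in domains:
        v = classify(dom)
        out.setdefault(v.category, []).append(v)
    return out


if __name__ == "__main__":
    # Constructed feed: the defanged domains quoted in the article plus a few
    # made-up ones covering the other categories.
    sample = ["walmartgiftpromo[.]com", "bestbuy-survey[.]online", "bestbuyus[.]org",
              "bestbuycyprus[.]eu", "wayfair.net", "walmrt.com", "bestbuy.com",
              "https://example.top/login"]
    for category, verdicts in triage(sample).items():
        for v in verdicts:
            print(f"{category:14} {v.domain:28} {'; '.join(v.reasons)}")
```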

The people targeted with these malicious emails aren’t the CEO or CFO, but middle-management people who typically work with them. “It’s not necessarily related to top titles,” Epstein says. An attacker is more likely to succeed in tricking the CEO’s assistant than the CEO, and they’ll frequently peruse LinkedIn and other social platforms to figure out their targets.

It’s not only email at risk for domain spoofing attacks, as Schulman points out. “We’re talking about digital channels an organization has to interact with its customers,” he adds. “Sometimes it’s via email, sometimes it’s a website, sometimes it’s via application, sometimes it’s across all social channels.” He agrees the trend of typo-squatting is down as targeted attacks spread.

“There’s no accidental stumbling upon it,” he says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/perimeter/how-fraudulent-domains-hide-in-plain-sight/d/d-id/1334987?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why are fervid Googlers making ad-blocker-breaking changes to Chrome? Because they created a monster – and are fighting to secure it

Analysis In a mild PR blitz, Google engineers this month insisted the ad giant’s shake up of Chrome browser extensions won’t kill advert blockers. Instead, we’re told, Googlers are making the plugins safer. Those engineers have more work to do than it may seem.

Setting aside for a moment Google’s public filings about the revenue threat posed by web ad blockers, and actions the corporation has taken in the Google Play Store to limit interference with mobile app ads, the internet goliath has reason to overhaul its Chrome Extension ecosystem – because it’s as fragile as a house of cards.

Google insists it’s dealing with the situation, noting that malicious extension installations have declined 89 per cent since early 2018. But the tech titan’s coders are still addressing the root cause – a platform with few guardrails.

Chrome Extensions have obvious utility, for developers and users. They can enhance privacy, add functionality and improve the web browsing experience. But they’re so powerful they can be easily abused and the security process Google has in place for the Chrome Web Store isn’t foolproof.


The primary problem is that Chrome Extensions can undo the browser’s security model and grab sensitive data. A reader who wrote in to elaborate on this issue suggested that if people really understood how unconstrained Chrome Extensions are, they would be given a 10.0 CVE score and banned from enterprises.

That may be something of an overstatement, given that the API at the center of this mess, specifically the blocking capability of the webRequest API, will continue to be available to enterprises after the pending platform renovation is completed, because it’s so useful.

Raymond Hill, the developer of uBlock Origin, disagrees with that characterization because, he says, the ability to change headers is intrinsically part of the design of the webRequest API – not an oversight.

“There is no CVE issue here because extensions are opt-in, and what they can do is disclosed to the users choosing to install them,” he said in an email to The Register.

But Google’s platform design decisions have security implications. And Mozilla’s too, since Firefox also supports the webRequest API for Add-ons (aka extensions).

At Canadian security conference SecTor in October last year – coincidentally the same month that Google announced its Chrome Extensions revision plan, known as Manifest v3 – Lilly Chalupowski, security application developer at GoSecure, gave a presentation called The Chrome Crusader.

Security stripped

Chalupowski demonstrated that Chrome Extensions have the ability to strip away HTTP headers, including security headers, from website interactions. The result is that it’s trivial to craft an extension that breaks the browser’s Same-Origin security model.

As she put in a phone interview with The Register, “Injection is a feature.”

“When you have injection as a feature, that’s when you have to start being concerned,” Chalupowski said, “especially when you’re handing over functionality to modify secure headers on the fly and change them to literally whatever you want.”

During her demonstration, Chalupowski showed how to craft a basic Chrome Extension that interacts with a Flask command-and-control server – running locally for the demo – to steal passwords from an online banking website.

Google, it should be said, keeps an eye out for malicious extensions, but Chalupowski suggested a few ways miscreants might avoid detection.

Chalupowski has posted PoC code on GitHub; The Register hasn’t yet determined whether any changes made to Chrome since the initial publication of the PoC code affect its functionality.

“uBlock Origin and a few others use this capability to modify headers for good purposes, for security,” she said. “At the same time, those same features will be used in Chrome and Firefox for malicious purposes.”

And therein lies the problem: A developer with good intentions can craft extension code that’s beneficial and a developer with bad intentions can use the same API to abuse trust and steal information.

Back in 2010, when the webRequest API was being developed, there was some discussion of privacy and security implications, but it wasn’t the overriding concern. The design document mentions the issue in passing:

How could this API be abused?

There may be privacy issues since extensions can collect detailed information about network traffic via this API.

Chrome Extensions used to be even more open. Hill said that back in 2013, Chrome extensions could see the network requests of other extensions via the webRequest API. It was a useful feature but also an abusable one, and so was removed.

Google may need to make webRequest less of a risk but among those who develop extensions, there’s hope that the price of security isn’t ineffective content blocking and subpar privacy controls.

Hill argues that Google should implement a more finely grained permission model for loosening CORS and CSP headers. That way, extensions requiring certain capabilities could ask for them directly rather than settle for a less capable API. He also suggested Google could deny the webRequest API access to a broader range of request headers, as it already does in some instances.

“Right now the browser just inherently trusts the browser extensions will be nice,” said Chalupowski. Changing that, she said, “is nothing but good news for users.”

For developers and users capable of making responsible choices about the software they install, it’s a bit more complicated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/17/chrome_extensions_security/

Sad SACK: Linux PCs, servers, gadgets can be crashed by ‘Ping of Death’ network packets

It is possible to crash network-facing Linux servers, PCs, smartphones and tablets, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper FreeBSD machines with the same attack.

Given that Linux powers an incredible amount of stuff these days, anything from network or internet-connected TVs, routers, thermostats, light switches, CCTV cameras, and robot vacuum cleaners, to servers, PCs, Android and ChromeOS devices, smart fridges, dialysis machines, car infotainment systems, tractors, construction equipment, and uranium centrifuges, and so on, can be potentially brought to a halt by miscreants if vulnerable.

Strangers can ping some data to your device over the internet or network, and potentially crash it, in other words. Not great, not terrible; it’s a rather big annoyance that could disrupt netizens if script kiddies start firing off waves of exploits.

Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0.

SACK-religious

At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.

There are three other related holes: SACK Slowness, aka CVE-2019-11478, which affects Linux kernels pre-4.15, and all versions to a degree; SACK Slowness, aka CVE-2019-5599, which affects FreeBSD 12 using the RACK TCP stack; and Excess Resource Consumption Due to Low MSS Values, aka CVE-2019-11479, which affects all Linux kernel versions.

They were discovered and reported by Netflix security’s Jonathan Looney, and described in an advisory issued here in the past couple of hours.

They basically revolve around an enabled-by-default feature in Linux called TCP SACK. Designed to speed up the transfer of data between computers, SACK (or Selective ACKnowledgement) allows a receiving machine to more precisely tell the sender how much data it has received and what needs to be resent. Ideally this means less data needs to be re-transmitted, and both machines can therefore shift files and other information between themselves faster. Some admins disable the feature for various reasons, one being that it is not terribly well implemented by some operating systems.

With CVE-2019-11477, a string of TCP SACK responses will cause the Linux kernel to unexpectedly hit an internal data structure limit, triggering a fatal panic. The others affecting Linux will force the system to consume resources, thus slowing it down, as Red Hat explained in its technical summary today.

Additionally, CVE-2019-5599 is a bug in the way FreeBSD handles SACK responses: it is possible to fragment an internal data structure that tracks SACKs, causing the kernel to walk long linked-lists, slowing down the system.
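An admin deciding whether to apply the tcp_sack workaround mentioned above needs two facts: the kernel version (the article gives 2.6.29 and later for the panic, pre-4.15 as the worst case for the slowness bug, and all versions for the low-MSS issue) and whether SACK is currently enabled. The script below is an added example, not Netflix’s or Red Hat’s tooling; it takes the procfs root as a parameter so the logic can be exercised against a constructed directory, and it only touches the real /proc when run as root on a live host.

```python
"""Assess and mitigate exposure to the TCP SACK bugs (CVE-2019-11477/11478/11479).

Added example, not vendor tooling. Version thresholds are the ones stated in
the article. The procfs root is a parameter so the code can be tested against a
constructed directory instead of the live /proc.
"""
from __future__ import annotations

import platform
import re
import tempfile
from pathlib import Path

SACK_KNOB = "sys/net/ipv4/tcp_sack"  # path relative to the procfs root
PANIC_MIN = (2, 6, 29)                # CVE-2019-11477: kernels at or above this
SLOWNESS_FIXED = (4, 15)              # CVE-2019-11478: "pre-4.15" is the worst case


def parse_kernel_version(release: str) -> tuple[int, ...]:
    """Turn '4.19.0-5-amd64' or '5.1.9' into a comparable tuple such as (4, 19, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def sack_enabled(proc_root: Path | str = "/proc") -> bool | None:
    """True/False from the tcp_sack knob, or None if the knob does not exist."""
    try:
        return (Path(proc_root) / SACK_KNOB).read_text().strip() != "0"
    except OSError:
        return None


def assess(release: str, proc_root: Path | str = "/proc") -> dict:
    """Map a kernel release plus the SACK setting to the CVEs that apply."""
    ver = parse_kernel_version(release)
    enabled = sack_enabled(proc_root)
    findings = []
    if ver >= PANIC_MIN:
        findings.append("CVE-2019-11477 SACK Panic (remote kernel crash)")
    if ver[:2] < SLOWNESS_FIXED:
        findings.append("CVE-2019-11478 SACK Slowness (pre-4.15 kernel, worst case)")
    else:
        findings.append("CVE-2019-11478 SACK Slowness (reduced impact on 4.15+)")
    findings.append("CVE-2019-11479 Excess Resource Consumption (low MSS; all kernels)")
    return {
        "kernel": ver,
        "sack_enabled": enabled,
        "findings": findings,
        # Disabling SACK only helps while SACK is on; patching the kernel is
        # the real fix, and vendor guidance should be checked for the MSS issue.
        "workaround_applicable": enabled is True,
    }


def apply_workaround(proc_root: Path | str = "/proc") -> bool:
    """Write 0 to tcp_sack (needs root on a live host). Returns True on success.

    This is the runtime equivalent of `sysctl -w net.ipv4.tcp_sack=0`; to make
    it survive a reboot, put `net.ipv4.tcp_sack = 0` in /etc/sysctl.d/.
    """
    try:
        (Path(proc_root) / SACK_KNOB).write_text("0\n")
    except OSError:
        return False
    return sack_enabled(proc_root) is False


def make_fake_procfs(sack_value: str | None = "1") -> Path:
    """Build a throwaway directory that mimics /proc for testing.

    sack_value None leaves the knob absent, as on a kernel without the sysctl.
    """
    root = Path(tempfile.mkdtemp(prefix="fake-proc-"))
    if sack_value is not None:
        knob = root / SACK_KNOB
        knob.parent.mkdir(parents=True, exist_ok=True)
        knob.write_text(sack_value + "\n")
    return root


if __name__ == "__main__":
    report = assess(platform.release())
    print(f"kernel {'.'.join(map(str, report['kernel']))}, SACK enabled: {report['sack_enabled']}")
    for f in report["findings"]:
        print("  -", f)
    if report["workaround_applicable"]:
        print("workaround: set /proc/sys/net/ipv4/tcp_sack to 0 (may reduce throughput)")
```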

Thus far, Red Hat, Amazon Web Services, SUSE, and Grsecurity have all posted advisories or announced plans to soon post fixes for the flaws, with other vendors certain to follow suit in the coming hours and days.

Disabling SACK, for what it’s worth, is a worthwhile workaround for now, but bear in mind it may impact your network throughput. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/

New Decryptor Unlocks Latest Versions of Gandcrab

The decryptor neutralizes GandCrab versions 5.0 through 5.2 and lets victims unlock their files for free.

A new decryption tool for the latest versions of GandCrab has been released for free as part of a collaborative effort among the FBI, Europol, private security firm Bitdefender, and a number of international law enforcement agencies from across Europe, participants announced today.

The new tool, available now at nomoreransom.org, neutralizes GandCrab versions 1 and 4, as well as versions 5 to 5.2, the most recent used by cybercriminals. Earlier decryptors for the ransomware have helped more than 30,000 victims recover data and save $50 million in unpaid ransoms. Further, these efforts have contributed to the demise of this operation: With the release of this latest decryption tool, there is now a means to unlock all iterations of GandCrab.

It’s the beginning of the end for GandCrab, which first appeared in January 2018 and has since infected more than 1.5 million victims, Bitdefender estimates. Its growth can be partly attributed to its model: Through ransomware-as-a-service licensing, other cybercriminals could buy GandCrab on the Dark Web and spread it. While the attackers behind GandCrab claim to have extorted more than $2 billion from victims, experts say the real figure is likely less.

Still, it seems GandCrab was widespread and profitable enough to let its operators retire.

“According to the same claim, the GandCrab team has stopped affiliates from accessing new versions of the malware and has urged them to prepare for an imminent shutdown,” writes Bogdan Botezatu, senior e-threat analyst at Bitdefender, in a blog post on the news.

The newest decryptor can be found at the No More Ransom Project.

Read Europol’s statement here and Bitdefender’s post here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/perimeter/new-decryptor-unlocks-latest-versions-of-gandcrab/d/d-id/1334982?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Power Outage Hits Millions in South America

The outage, which is not (so far) seen as the result of a cyberattack, still had a significant impact on network and server availability.

Hot on the heels of news that the Xenotime syndicate is probing electrical grids in North America and Asia, the lights went out in South America. While officials in Argentina have said that a cyberattack is not one of the primary possibilities under investigation, the coincidence has many people questioning the security of critical infrastructure components.

On Sunday, an estimated 44 million people lost power across Argentina, Paraguay, and Uruguay, with more limited losses in Chile and Brazil. The outage, described by officials as “unprecedented,” had an impact on traffic signals, water supplies, train and subway services, and other public service and safety operations.

The outage, which began in the interconnection system at the Yacyreta Dam, had a significant cybersecurity impact on one-third of the “CIA triad” — confidentiality, integrity, and availability of data.

By Sunday night, power had begun to be restored across the impacted area.

For more, read here and here.


Article source: https://www.darkreading.com/iot/power-outage-hits-millions-in-south-america/d/d-id/1334983?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

I’d like to add you to my professional network of people to spy on

We’re sorry to inform you that if you were looking for some insight into Russian and Eurasian politics in the Washington political scene, or if you were sniffing around for a job with, say, the Brookings Institution, you won’t have 30-year-old Katie Jones to cozy up to anymore.

She’s disappeared off of LinkedIn. Actually, “she” – as in, a corporeal being, as opposed to a deepfake created by artificial intelligence (AI) – was never there to begin with, according to an investigation by the Associated Press.

This is what her LinkedIn profile looked like before Katie Jones, an extremely well-connected redhead and purportedly a Russia and Eurasia Fellow at the top think-tank Center for Strategic and International Studies (CSIS), blinked out of existence:

AP reporter Raphael Satter says that the profile was removed from LinkedIn about 36 hours after he contacted the networking platform about it.

Most people, upon seeing a connection request from such a highly placed and accomplished young woman, would likely accept. After all, there’s a strong element of self-promotion with LinkedIn networking, as pointed out by many of the 40 or so people whom the Jones profile managed to connect with and whom Satter interviewed.

This is what one of Jones’ UK connections told Satter:

Easy for experts to spot

Many of us wouldn’t think twice about accepting an invitation from Jones to connect, but experts in AI generated images said her phony profile picture was easy to spot.

The experts believe that Jones’ photo was created with a family of dueling computer programs called generative adversarial networks (GANs): machine learning systems that pit neural networks against each other in order to generate convincing photos of people who don’t exist.

Munira Mustaffa (previously tweeting as Intel Mercenary), one of the experts on GANs, tweeted out a series of clues that she said reveal if an image has been computer-generated. In all, she said, she spotted 15 markers in the Jones photo:

… Clues that Satter stitched together into this:

A spy’s playground

Mustaffa called LinkedIn “an open playing field for malicious actors who can impersonate senior figures at major US think-tanks with impunity.”

If Jones was indeed a deepfake, she’s not the first fake femme fatale we’ve seen on LinkedIn. We saw it with one whose LinkedIn profile was patently fake (a 28-year-old MIT grad with 10 years of experience?) yet who still duped IT guys at a US government agency that specializes in offensive cybersecurity.

Then too, there was that fake hot babe who speared businessmen on LinkedIn back in 2017.

LinkedIn is, after all, a perfect tool for espionage. Why spend your time trying to score interviews with targets whom you have to ask to speak louder and to lean into your lapel, when you can sit back and virtually network with people in government/military/trade secret-rich private industry who are eager to do some career ladder climbing and/or to meet a hot young thing?

We’ve known for years that LinkedIn is a spy’s playground. A few years back, Germany’s spy agency – Bundesamt für Verfassungsschutz (BfV) – published eight of the most active profiles it says were being used on LinkedIn to contact and lure German officials for espionage purposes.

It’s yet another important reminder that we don’t know the real identities of the people who reach out to us online.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s2stOHhnEjI/

Privacy foul for soccer league app that eavesdropped on users

A privacy violation case this month has illustrated the dangers of giving apps access to your smartphone sensors. Spain’s data protection agency is reportedly fining Spanish football league LaLiga €250,000 (around $280,000) for co-opting users’ smartphones as digital eavesdropping tools.

The organization’s app, available on both the iPhone and iOS platforms, provides users with soccer commentary, news, and data. Unbeknownst to those who didn’t read the fine print, it also used their GPS functions to determine where they were during football matches.

The app would then use their smartphones’ microphones to record ambient noise and see if it matched game noise. If the app found a match, and discovered that you were in a public place like a bar, it could deduce that the game was being broadcast illegally.

This approach is similar to the Shazam app’s technique of matching ambient noise with known songs to tell you what music your coffee shop is playing. The difference is that this is Shazam’s primary and publicised purpose. LaLiga’s app was doing its matching unobtrusively in the background while it provided users with another service.

LaLiga, officially known as the Campeonato Nacional de Liga de Primera División, is the top men’s professional soccer division in Spain. It admitted to introducing the snooping code on 8 June 2018, complaining that it loses around €150m ($168m) each year from illicit broadcasts of its games in establishments like cafes and bars. However, it points out that it asks for consent to activate your microphone and GPS.

[Translated] If you decide to accept it, the microphone will capture the binary code of audio fragments, with the sole purpose of knowing if you are watching LaLiga football matches, but the content of the recording will never be accessed.

The app only listens during match times, it goes on, and it irreversibly converts the captured audio into a “binary code” (in effect an audio fingerprint). The codes are stored together with the user’s IP address and the app’s unique ID. The app periodically checks that users are still happy for it to use the microphone and GPS, and they can revoke that consent at any time, LaLiga points out.
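The “binary code” LaLiga describes is what the Shazam comparison above suggests: an audio fingerprint, a stream of bits derived from how the spectrum of the sound changes over time, from which the sound itself cannot be recovered. The following added Python example (not code from LaLiga, Shazam or anyone else involved) shows the mechanism on constructed signals: a cut-down Haitsma-Kalker fingerprint (nine fixed frequency bands, non-overlapping frames aligned to the reference, sign bits only; the published scheme uses 33 log-spaced bands and overlapping windowed frames), a synthetic “broadcast”, a crude model of a phone microphone in a noisy bar, and the bit-error-rate comparison a matcher would run. The sample rate, band choice, match threshold and signals are all assumptions made for illustration.

```python
import math
import random

SAMPLE_RATE = 8000     # Hz; constructed example, not a property of the LaLiga app
FRAME = 256            # samples per analysis frame (32 ms at 8 kHz)
# Nine analysis bins, all multiples of SAMPLE_RATE / FRAME = 31.25 Hz, giving 8 bits per frame.
BINS = [10, 14, 19, 26, 32, 42, 54, 70, 90]
BITS_PER_FRAME = len(BINS) - 1
MATCH_THRESHOLD = 0.35   # bit error rate below which two fingerprints are called a match


def goertzel_energy(frame, k):
    """|X[k]|^2 for DFT bin k of one frame, computed without an FFT library."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def fingerprint(samples):
    """Haitsma-Kalker style sub-fingerprints: one BITS_PER_FRAME-bit word per frame.

    Bit m records whether the energy difference between bands m and m+1 grew or
    shrank since the previous frame. Only these signs are kept, so the words cannot
    be turned back into audio: this is the sense in which a "binary code" is irreversible.
    """
    n_frames = len(samples) // FRAME
    energy = [[goertzel_energy(samples[i * FRAME:(i + 1) * FRAME], k) for k in BINS]
              for i in range(n_frames)]
    words = []
    for n in range(1, n_frames):
        word = 0
        for m in range(BITS_PER_FRAME):
            delta = ((energy[n][m] - energy[n][m + 1])
                     - (energy[n - 1][m] - energy[n - 1][m + 1]))
            word = (word << 1) | (1 if delta > 0 else 0)
        words.append(word)
    return words


def bit_error_rate(fp_a, fp_b):
    """Fraction of differing bits over the overlapping frames of two fingerprints."""
    n = min(len(fp_a), len(fp_b))
    if n == 0:
        raise ValueError("empty fingerprint")
    errors = sum(bin(fp_a[i] ^ fp_b[i]).count("1") for i in range(n))
    return errors / (n * BITS_PER_FRAME)


def is_match(fp_query, fp_reference):
    return bit_error_rate(fp_query, fp_reference) < MATCH_THRESHOLD


def synth_broadcast(seed, seconds=2.0):
    """Constructed stand-in for match audio: every frame mixes the nine analysis tones
    with fresh random amplitudes (phase-continuous, so bins do not leak into each other)."""
    rng = random.Random(seed)
    n_frames = int(seconds * SAMPLE_RATE) // FRAME
    samples = []
    for f in range(n_frames):
        amps = [rng.uniform(0.3, 1.0) for _ in BINS]
        for i in range(FRAME):
            t = f * FRAME + i
            samples.append(sum(a * math.cos(2.0 * math.pi * k * t / FRAME)
                               for a, k in zip(amps, BINS)))
    return samples


def record_through_mic(samples, seed, gain=0.5, noise_sigma=0.2):
    """Constructed model of a phone microphone in a noisy bar: attenuation plus white noise."""
    rng = random.Random(seed)
    return [gain * x + rng.gauss(0.0, noise_sigma) for x in samples]


def demo():
    """Returns (BER of a noisy recording of the same clip, BER of an unrelated clip)."""
    reference = fingerprint(synth_broadcast(seed=1))
    in_bar = fingerprint(record_through_mic(synth_broadcast(seed=1), seed=99))
    other = fingerprint(synth_broadcast(seed=2))
    return bit_error_rate(in_bar, reference), bit_error_rate(other, reference)


if __name__ == "__main__":
    same, different = demo()
    print(f"same match, recorded in a bar: BER {same:.2f} -> match={same < MATCH_THRESHOLD}")
    print(f"unrelated audio:               BER {different:.2f} -> match={different < MATCH_THRESHOLD}")
```

Running it gives a bit error rate of a few per cent for the noisy recording of the same clip and around 50 per cent for unrelated audio, which is the gap a matcher exploits. The privacy point survives the irreversibility argument: the fingerprint is lossy, but it is still a record of what was audible near the phone at a known time and place, and whether the raw recording is kept is a separate question from whether the processing is data collection that needs clear notice.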

LaLiga explained what it’s doing in its terms and conditions, which is how users found out about it in the first place a year ago. However, it doesn’t make this clear in its app description on the Google Play or Apple app stores.

The fine from Spain’s data protection authority shows how careful companies must be when writing apps that collect data from phone sensors, even when they ask for permission to use those sensors. The EU’s General Data Protection Regulation (GDPR) requires organizations to tell users clearly what they will use that data for.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gau_6cp54g8/

Yubico recalls FIPS Yubikey tokens after flaw found

Security token maker Yubico has issued an important advisory affecting high-end versions of its YubiKey authentication key, arguably the most significant vulnerability discovered in this class of product to date.

Yubico describes the bug in its FIPS series as being:

Where the first set of random values used by YubiKey FIPS applications after each device power-up have reduced randomness … for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted.

In other words, for at least the first operation after power-up, the random values the key feeds into its cryptographic operations are partly predictable: a short-lived weakness that disappears once the leftover data has been consumed.

This affects the cryptographic algorithms to different extents. For RSA, 80 predictable bits out of a minimum key size of 2,048 is a modest reduction, while for ECDSA it is 80 bits out of the 256 random bits used for each signature, which, in Yubico’s words, could:

Allow an attacker who gains access to several signatures to reconstruct the private key.

So the weakness is worse in some functions than in others: less serious for the PIV Smart Card and OpenPGP implementations (which use RSA), and most serious for the FIPS FIDO U2F keys (whose authentication depends on ECDSA), where several signatures could be enough to reconstruct the private key.
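Why the same 80 predictable bits are a nuisance for RSA but potentially fatal for ECDSA: in ECDSA the per-signature random value k (the nonce) appears linearly in the signing equation s = k⁻¹(h + r·d) mod n, so every signature whose nonce is partly known yields a linear relation in the private key d with a small unknown, and a handful of such relations can be solved by lattice reduction (the “hidden number problem”). The following added example, not Yubico’s code and not an analysis of the actual firmware, models the advisory’s condition at toy scale and carries the attack through. All of it is constructed: a group of prime order 2⁸⁹ − 1 standing in for a 256-bit curve order, 28 of 89 nonce bits left predictable (the advisory’s 80-of-256 proportion), a hash-based stand-in for the point multiplication that produces r (the attack never touches curve arithmetic, only the signing equation), a token that is power-cycled before each signature so every nonce starts with the same leftover content, and a textbook LLL implementation. The lattice row `d*row_t + row_u`, minus multiples of the first m rows, equals `(S*(k_i - a), d, S*B)`, which is short, so LLL exposes it.

```python
import hashlib
import random
from fractions import Fraction

# Constructed toy: 2^89 - 1 stands in for a 256-bit curve order; 28 of 89 nonce bits are predictable.
N = (1 << 89) - 1
PREDICTABLE_BITS, UNKNOWN_BITS = 28, 61
B = 1 << UNKNOWN_BITS              # bound on the unknown part of each nonce
LEFTOVER = 0x5A5A5A5               # constructed "self-test residue" an attacker could predict

def hash_to_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def fake_r(k):
    """Stand-in for x(k*G) mod n; the attack never needs the curve, only the signing equation."""
    return hash_to_int(b"kG" + k.to_bytes(12, "big")) or 1

class BuggyToken:
    """Model of the advisory: the first nonce after each power-up starts with leftover content."""
    def __init__(self, priv, rng):
        self.priv, self.rng = priv, rng

    def power_up_and_sign(self, msg):
        k = (LEFTOVER << UNKNOWN_BITS) | self.rng.getrandbits(UNKNOWN_BITS)
        h, r = hash_to_int(msg), fake_r(k)
        return h, r, pow(k, -1, N) * (h + r * self.priv) % N   # s = k^-1 (h + r d) mod n

def nonce_of(sig, d):
    """Invert the signing equation: k = s^-1 (h + r d) mod n."""
    h, r, s = sig
    return pow(s, -1, N) * (h + r * d) % N

def integral_gram_schmidt(b):
    """Exact Gram-Schmidt data (Cohen, Alg. 2.6.7): d[i+1] = Gram det of b[0..i], lam[i][j] = mu[i][j]*d[j+1]."""
    n = len(b)
    d, lam = [1] * (n + 1), [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            u = sum(x * y for x, y in zip(b[i], b[j]))
            for k in range(j):
                u = (d[k + 1] * u - lam[i][k] * lam[j][k]) // d[k]   # exact division
            if j < i:
                lam[i][j] = u
            else:
                d[i + 1] = u
    return d, lam

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors, returning a reduced basis of the same lattice."""
    b = [list(row) for row in basis]
    n = len(b)
    d, lam = integral_gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                    # size-reduce b[k] against b[j]
            q = round(Fraction(lam[k][j], d[j + 1]))
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j):
                    lam[k][l] -= q * lam[j][l]
                lam[k][j] -= q * d[j + 1]
        mu = Fraction(lam[k][k - 1], d[k])
        if Fraction(d[k + 1], d[k]) >= (delta - mu * mu) * Fraction(d[k], d[k - 1]):
            k += 1                                        # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            d, lam = integral_gram_schmidt(b)
            k = max(k - 1, 1)
    return b

def recover_private_key(sigs, prefix):
    """Hidden-number-problem lattice attack: every nonce is prefix || (unknown < B)."""
    m = len(sigs)
    a = (prefix << UNKNOWN_BITS) + B // 2   # known part, centred so k - a lies in [-B/2, B/2)
    t, u = [], []
    for h, r, s in sigs:
        s_inv = pow(s, -1, N)
        t.append(s_inv * r % N)             # k - a = t*d + u (mod N), with |k - a| <= B/2
        u.append((s_inv * h - a) % N)
    S = -(-N // B)                          # scale so every coordinate of the target is about N
    basis = [[S * N if c == i else 0 for c in range(m + 2)] for i in range(m)]
    basis.append([S * x for x in t] + [1, 0])
    basis.append([S * x for x in u] + [0, S * B])
    for row in lll_reduce(basis):
        if abs(row[-1]) != S * B:
            continue
        d = (row[-2] if row[-1] > 0 else -row[-2]) % N
        if all(nonce_of(sig, d) >> UNKNOWN_BITS == prefix for sig in sigs):
            return d
    return None

def demo(seed=2019, num_sigs=7):
    """Constructed run: sign a few challenges, each right after a power-up, then attack."""
    rng = random.Random(seed)
    priv = rng.randrange(1, N)
    token = BuggyToken(priv, rng)
    sigs = [token.power_up_and_sign(b"challenge-%d" % i) for i in range(num_sigs)]
    return priv, recover_private_key(sigs, LEFTOVER), sigs
```

Seven signatures, each taken immediately after a power-up, are enough in this toy; with a fresh full-length nonce for every signature there is no short lattice vector, the prefix check on the candidates fails and the function returns None. For RSA the predictable bits feed a prime search rather than a linear signing equation, which is why the advisory can describe the same 80 bits as a modest reduction there while for ECDSA they turn into the lattice above.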

FIPS with everything

The weakness exists only in the YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS and YubiKey C Nano FIPS, that is, products with ‘FIPS’ printed on them. Consumer and most business YubiKeys are not affected.

The Federal Information Processing Standards, or FIPS, are a suite of US government standards for products used in environments such as the federal government or the military; the one that matters here, FIPS 140-2, sets requirements for cryptographic modules and the encryption, hashing and signing algorithms they implement.

Getting even a basic FIPS validation is time-consuming and expensive because an accredited laboratory has to test, and NIST’s Cryptographic Module Validation Program has to sign off on, all sorts of security characteristics, including physical tamper resistance as well as the robustness of the way the algorithms have been implemented.

Device makers jump through these hoops because they have to – no FIPS compliance at the required level and selling to the Feds becomes a non-starter.

It’s worth mentioning all this because the issue of FIPS has had a direct influence on the timing of Yubico’s advisory.

Affected YubiKeys are those running firmware versions 4.4.2 and 4.4.4 (there is no 4.4.3); the fix is FIPS Series firmware version 4.4.5, and because YubiKey firmware cannot be updated in the field, getting it means replacing the device.

It seems the weakness was discovered some time ago, but the fix only shipped to customers on 30 April 2019, once it had passed FIPS validation.

That’s the extra complication of FIPS, which applies to everything, including urgent security updates.

Total recall

As arcane as this might all sound, encryption stands and falls on fine margins. Even a modest theoretical weakness must be fixed ASAP and the new code submitted for checks.

In fairness to Yubico, security advisories affecting any of its products have been few and far between, and most of the small number that have come to light have been caused by interactions with other products, such as Google Chrome’s WebUSB issue disclosed in 2018.

That said, the fact that something as seemingly baked-in as a hardware security token might need a firmware fix, and therefore physical replacement, is a new experience for customers.

Coincidentally, Google recently suffered a similar problem when a weakness was discovered in the Bluetooth Low Energy (BLE) pairing of the Bluetooth version of its Titan 2FA hardware tokens.

That forced a recall of affected keys, which at the time of writing no longer seem to be available for purchase.

Replacement service

If you own an affected FIPS YubiKey bought before 30 April 2019, it can be replaced at no charge although how this is done will depend on which channel it came through. FIPS YubiKeys ordered on or after that date have updated firmware and don’t need to be replaced. Yubico said:

At the time of this advisory, we estimate that the majority of affected YubiKey FIPS Series devices have been replaced, or are in process of replacement with updated, fixed versions of the devices.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Zep1YZJpx9E/