IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Facebook puts on Ray-Bans, struts into the privacy minefield of smart glasses

Facebook, neck-deep in virtual / augmented reality with the Oculus headset, continues to move things up a gear. It’s announced “Ray-Ban stories”, smart glasses which take video and photos. The company may yet go one step further and incorporate these features into Augmented Reality (AR) specs which a Facebook rep said were in development.

Hold my beer

Facebook’s decision to enter the smart glass market is remarkable considering what’s come before. About ten years ago, another tech giant with a similarly-tarnished reputation for gathering personal data tried it with Google Glass. This was the first mainstream attempt to put glasses with cameras on our heads. It didn’t work. Famously.

There were a few reasons for this, but cost, average ability at everything rather than standout ability in something, and privacy concerns helped tip the scales against it. Nobody wants to be recorded in secret, and many companies didn’t want their events or offerings recorded either. Google Glass received bans from movie theatres, sports arenas, hospitals, and strip clubs, amongst others. Some bars, cafes, and restaurants sprouted warning signs telling customers (who may or may not have been recording everything) that Glass wasn’t welcome. The bans created headlines. Wearers were occasionally attacked. The insult “glasshole” was born.

The distinctive look of Glass may not have helped. It’s possible the moment you see someone wearing them, you’d assume you’re at risk of being filmed or photographed. Even if the wearer was completely innocent, the simple sight of the things was enough for some.

Nobody wants their product appearing in “places you’ve been banned from” articles. Safety considerations related to activities like driving also did not help.

It’s incredible to think this tech appeared way back in 2013. The world of smart glasses has moved on since then. We have Snap Spectacles out in the wild, and I can still recall Instaglasses without knowing if they ever made it to production.

And now…at last…we have Facebook in tandem with Ray-Ban.

Is the privacy issue overblown?

As you’ll see from the video in the BBC article linked at the beginning of this article, both the presenter and Facebook rep dive into the privacy angle. “Can people film me without me knowing about it?” is absolutely a valid question. I have to admit, I’m not completely sold on the response.

From the presenter:

“If someone’s inclined to take hidden camera footage in a changing room, they can do that with their phone already. They don’t need to spend $300 on a pair of glasses”.

Even so, there is an admission that the glasses could be more overt about what they’re doing. Also: Is someone more likely to take hidden footage in a changing room with an incredibly obvious phone, or a pair of recording glasses that look exactly like regular glasses? Is it not incredibly suspicious the moment someone tries to get a phone out in that situation, no matter how discreetly?

The Facebook rep builds on this answer later in the video, claiming it’s put a fair bit of thought into this problem. He says the glasses are “quite a bit more overt” than what people are doing with their phone, focusing on visible LEDs and explicit hand gestures to take a photo or start recording. In practice, how well will this work? You’re probably not going to notice an LED on someone’s face embedded in a pair of glasses. How close do you have to be to see it? Is this practical in a crowd of people in a busy street?

Additionally, surely someone up to no good will simply enable recording away from prying eyes and then begin to film anybody who didn’t see the gesture. Or put tape over the LED. I don’t think these are particularly strong arguments. As with most things, they’re easily bypassed and not something I’d consider to be that helpful overall.

More tech integration = more problems?

The really interesting part for me is if Facebook launch their promised AR smart glasses. Integration into the Facebook platform can bring problems for device owners.

Last year, Oculus users were faced with quite the headache. They now needed Facebook accounts to continue using their devices. This, despite an apparent promise to not go down the account-requirement road. It didn’t take long before lots of angry lockout-style posts appeared.

Oculus isn’t cheap. Whatever form the AR glasses take will also set you back a decent amount. Do we really need a situation where the operability of several real-world devices depends entirely on nothing happening to a social media account?

My suspicion is no, we probably don’t. It may be this rather large Damocles-style effort hanging above a thin sliver of “your device works…for now” anxiety which is a bigger blow to Facebook than any concerns about privacy. For now, we’ll just have to wait and see.

The post Facebook puts on Ray-Bans, struts into the privacy minefield of smart glasses appeared first on Malwarebytes Labs.

That’s the way the cookie banner crumbles?

Elizabeth Denham, current head of the Information Commissioner’s Office (ICO), the UK’s data protection watchdog and the organization tasked to ensure that businesses comply with the country’s strict data protection laws, is said to have met with her counterparts in the G7 nations on Tuesday to tackle the issue of cookie banners.

According to the BBC, during this online meet up, each member country “will raise a technological problem they believe can be solved with closer co-operation.” Denham has decided to put cookie banners—and by association, cookie fatigue—on the table.

“No single country can tackle this issue alone,” Ms. Denham has said in an official ICO statement.

However, instead of a sigh of relief, the sudden unearthing of this apparent age-old problem stirred criticism from several privacy advocates.

Cookie fatigue

Cookie fatigue is the result of having to read (or ignore), and then click on a cookie banner every time you use a new website. This is required by EU law and is designed to give users insight into, and control over, how and when a website records information about them. While doing this complies with law, the after-effect is that users grow “tired” of having to repeatedly confirm consent, according to Denham. Because of this, she had the idea of suggesting that users should be able to indicate levels of consent once, at the browser, application, or device level.

Not only will this stop cookie fatigue, but “people’s privacy is more meaningfully protected and businesses can provide a better web browsing experience.”

The strong suspicion is that people are simply selecting the “I agree” option whenever they’re presented with a cookie pop-up, without reading the fine print. This, then, causes Internet users to give more of their personal data away than they’d like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience,” Denham said in the statement.

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”, she said.

Cookie fatigue has been around for some time now. But, arguably, Denham’s solution for the cookie problem isn’t new either. It resembles the ill-fated “Do Not Track” (DNT) feature that almost made it into browsers several years ago. Natasha Lomas remarked in a TechCrunch article that Denham’s idea “could be called the idea that can’t die because it’s never truly lived—as earlier attempts at embedding user privacy preferences into browser settings were scuppered by lack of industry support.”

Malwarebytes Labs’ editor-in-chief disagrees with the comparison: “Do-not-track was certainly a victim of industry politics, but it’s hard to imagine how it would ever have worked—it was designed to fail. It was the technical equivalent of asking nicely, with no way of knowing if your tracking preferences had even been heard, nevermind complied with. There is no reason that a browser-based or app-based consent mechanism has to be based on such weak sauce. It was the implementation that failed, not the idea.”

GDPR

Lomas isn’t alone in her criticisms against the ICO. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties (ICCL) and former Chief Policy Officer (CPO) of Brave, called Denham’s idea “daft” in a tweet.

Because the UK is no longer in the EU it is free to diverge its privacy regulations from the EU’s General Data Protection Regulation (GDPR), and the nuisance of cookie banners is just one thing under consideration.

Ryan contends, as does Lomas, that the UK could have addressed the cookie pop-up problem before it left the EU, and without tearing up the GDPR.

Open Rights Group (ORG) Executive Director, Jim Killock, said that the ICO should be doing more.

“If the ICO wants to sort out cookie banners then it should follow its own conclusions and enforce the law,” Killock said. “We have waited for over two years now for the ICO to deal with this, and now they are asking the G7 to do their job for them. That is simply outrageous. We fully support their call for automated signals, but in the meantime they should enforce the law, which is their job.”

The post That’s the way the cookie banner crumbles? appeared first on Malwarebytes Labs.

500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords

A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities affected.

According to Fortinet the credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable.

CVE-2018-13379

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in question is an improper limitation of a pathname to a restricted directory (a path traversal) in several Fortinet FortiOS and FortiProxy versions. The vulnerable SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP requests. The FortiOS system files that could be retrieved this way also contained login credentials.

In April, CVE-2018-13379 was mentioned in a joint advisory from the NSA, CISA, and the FBI as one of five vulnerabilities widely used in on-going attacks by the Russian Foreign Intelligence Service (SVR). A patch for the vulnerability has been available since May 2019, but this patch has not been applied as widely as necessary.

The threat actor

The source, and the websites that leaked the information, make for an interesting story as well. The list of Fortinet credentials was leaked by someone going by the handle ‘Orange.’ Orange is also the administrator of the newly launched RAMP hacking forum, and a previous operator of the Babuk Ransomware operation.

After the announced retirement of the Babuk gang, Orange apparently went his own way and started RAMP. Orange is now involved in the Groove ransomware operation, which allegedly employs several former Babuk developers. The leak of Fortinet VPN SSL credentials was mirrored on the Groove leak website. Both posts lead to a file hosted on a Tor storage server known to be used by the Groove gang.

Ransomware leak sites are used to create some extra leverage over victim organizations. The ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.

Vulnerable security software

Organizations use Virtual Private Networks (VPNs) to provide remote access to their systems from the Internet. By design a VPN is remotely accessible so employees can reach it from anywhere, which also means that attackers can reach it from anywhere. And since VPNs provide access to an organization’s soft underbelly, a VPN that has a known vulnerability represents a high value target that’s easy to reach.

That makes swift patching an absolute necessity, but many organizations find this difficult, in part because VPNs are so important for remote working. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

A leak of this type is serious since valid VPN credentials could allow threat actors to access a network to steal data, expand their access, and run ransomware or other malware.

In light of the leak, Fortinet is recommending that companies immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, and then initiate an organization-wide password reset, warning that you may remain vulnerable post-upgrade if your users’ credentials were previously compromised.
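As an added example (not Fortinet’s or Malwarebytes’ code), a small triage script that turns those recommendations into per-device actions: it compares each device’s FortiOS release with the fixed versions listed above and checks that a password reset happened after the upgrade. The device names, versions and dates are constructed, and how it treats branches the list does not name is an assumption noted in the code.

```python
"""Patch-and-reset triage for FortiGate SSL-VPN devices after the credential leak.

Constructed example, not Fortinet tooling. It encodes the article's two points:
upgrade to 5.4.13 / 5.6.14 / 6.0.11 / 6.2.8 or later, and reset every password
afterwards, because credentials captured before the patch stay valid after it.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimum fixed release per FortiOS branch, taken from the article.
FIXED_RELEASES = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}
NEWEST_LISTED_BRANCH = (6, 2)


def parse_version(text: str) -> tuple:
    """Turn 'v6.0.10' or '6.0.10,build0365' into (6, 0, 10)."""
    core = text.strip().lstrip("v").split(",")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected FortiOS version string: {text!r}")
    return parts


def is_fixed(version: tuple) -> bool:
    """True if the release is at or above the article's fixed version for its branch.

    Assumption: branches newer than 6.2 fall under "and above"; branches older than
    5.4 are not in the fixed list and are treated as vulnerable.
    """
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    return branch > NEWEST_LISTED_BRANCH


@dataclass
class Device:
    name: str
    fortios: str
    vpn_enabled: bool
    upgraded_on: Optional[date]         # when the fixed release went on; None = unknown
    passwords_reset_on: Optional[date]  # last organisation-wide reset; None = never


def triage(dev: Device) -> list:
    """Return the ordered actions the article recommends for one device."""
    actions = []
    if not is_fixed(parse_version(dev.fortios)):
        if dev.vpn_enabled:
            actions.append("disable SSL-VPN")
        actions.append("upgrade FortiOS")
        actions.append("reset all passwords after upgrade")
        return actions
    # Patched: credentials harvested while it was unpatched are only invalidated by a
    # reset that happened after the upgrade. Unknown upgrade date -> assume not.
    reset_after_upgrade = (
        dev.passwords_reset_on is not None
        and dev.upgraded_on is not None
        and dev.passwords_reset_on >= dev.upgraded_on
    )
    if not reset_after_upgrade:
        actions.append("reset all passwords")
    return actions or ["no action required"]


# Constructed sample inventory.
INVENTORY = [
    Device("fw-branch-01", "v6.0.10", True, None, None),
    Device("fw-hq-01", "6.2.9", True, date(2021, 6, 1), date(2021, 6, 2)),
    Device("fw-hq-02", "6.2.9", True, date(2021, 6, 1), date(2020, 12, 1)),
    Device("fw-lab-01", "6.4.6,build1879", False, date(2021, 7, 10), None),
]


def report(inventory=INVENTORY) -> dict:
    """Device name -> list of actions."""
    return {dev.name: triage(dev) for dev in inventory}


if __name__ == "__main__":
    for name, actions in report().items():
        print(f"{name}: {', '.join(actions)}")
```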

The post 500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords appeared first on Malwarebytes Labs.

Windows MSHTML zero-day actively exploited, mitigations required

Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft’s security update.

Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

MSHTML is a software component used to render web pages on Windows. Although it’s most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.

Malwarebytes, as shown lower in this article, blocks the related malicious PowerShell code execution.

CVE-2021-40444

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation CVE-2021-40444 and received a CVSS score of 8.8 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

The Cybersecurity and Infrastructure Security Agency took to Twitter to encourage users and organizations to review Microsoft’s mitigations and workarounds to address CVE-2021-40444.

ActiveX

Because MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser, although, given its limited use, there is little risk of infection by that vector. Microsoft Office applications, however, use the MSHTML component to display web content in Office documents.

The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.

So, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.

Mitigation

At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.

  • Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.
  • Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.

Despite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected.

Screenshot: Malwarebytes Teams showing active detection of this threat
Screenshot: Malwarebytes Nebula showing active detection of this threat
Screenshot: Malwarebytes Teams blocking the final payload
Screenshot: Malwarebytes Anti-Exploit blocking the exploit payload process

Registry changes

Modifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.

To create a backup, open Regedit and drill down to the key you want to back up (if it exists):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

Right click the key in the left side of the registry pane and select “Export”. Follow the prompts and save the created reg file with a name and in a location where you can easily find it.

Screenshot: exporting the registry key

To make the recommended changes, open a text file and paste in the following script. Make sure that all of the code box content is pasted into the text file!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Save the file with a .reg file extension. Right-click the file and select Merge. You’ll be prompted about adding the information to the registry, agree, and then reboot your machine.
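As an added example, not part of the original post, a checker for that .reg file (and for the backup you exported first) that confirms the two ActiveX download actions are set to disabled in all four zones. The sample file contents are constructed to match the workaround above; the value-name meanings in the comments are from the Internet Explorer URL action list.

```python
"""Check a .reg file against the MSHTML ActiveX workaround.

Added example, not Microsoft's or Malwarebytes' code. It parses the small
subset of .reg syntax the workaround uses ([key] sections, "name"=dword: and
"name"="string" values) and reports which zone settings are missing or wrong.
"""
import re

HEADER = "Windows Registry Editor Version 5.00"
ZONES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
# URL actions the workaround sets: 1001 = download signed ActiveX controls,
# 1004 = download unsigned ActiveX controls; the value 3 means "disable".
REQUIRED = {"1001": 3, "1004": 3}
ZONES = (0, 1, 2, 3)

_SECTION = re.compile(r"\[(.+)\]")
_DWORD = re.compile(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})')
_STRING = re.compile(r'"([^"]+)"="(.*)"')


def parse_reg(text: str) -> dict:
    """Map each registry key in the file to {value name: value}.

    Exported .reg files are UTF-16 with a BOM; decode before calling this.
    Unsupported lines raise rather than being skipped, so a damaged file is
    noticed instead of half-checked. A file whose key paths were mangled (for
    example backslashes lost in copy-paste) parses, but every zone then shows
    up as missing in missing_settings().
    """
    keys = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line == HEADER:
            continue
        section = _SECTION.fullmatch(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: value outside any [key] section")
        dword = _DWORD.fullmatch(line)
        if dword:
            keys[current][dword.group(1)] = int(dword.group(2), 16)
            continue
        string = _STRING.fullmatch(line)
        if string:
            keys[current][string.group(1)] = string.group(2)
            continue
        raise ValueError(f"line {lineno}: unsupported .reg syntax: {raw!r}")
    return keys


def missing_settings(keys: dict) -> list:
    """(zone, value name, current value) for every required setting not set to 3."""
    gaps = []
    for zone in ZONES:
        values = keys.get(f"{ZONES_KEY}\\{zone}", {})
        for name, want in REQUIRED.items():
            if values.get(name) != want:
                gaps.append((zone, name, values.get(name)))
    return gaps


# Constructed sample: the complete workaround file, generated for all four zones.
WORKAROUND = "\n".join(
    [HEADER, ""] + [line for zone in ZONES for line in (
        f"[{ZONES_KEY}\\{zone}]", '"1001"=dword:00000003', '"1004"=dword:00000003', "")])

# Constructed sample: a partial file that covers zones 0 and 1 only and leaves
# signed-control downloads enabled (0) in zone 1.
PARTIAL = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000000
"1004"=dword:00000003
"""

if __name__ == "__main__":
    for label, text in (("workaround", WORKAROUND), ("partial", PARTIAL)):
        print(label, missing_settings(parse_reg(text)) or "complete")
```

Run it on the exported backup as well: an empty result there means the policy zones already disabled ActiveX downloads before you merged anything.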

Stay safe, everyone!

The post Windows MSHTML zero-day actively exploited, mitigations required appeared first on Malwarebytes Labs.

Sextortion on the rise, warns FBI

The pandemic saw a surge in sextortion cases in 2020. Fast forward 12 months, and the numbers continue to rise significantly.

This revelation came from the FBI Internet Crime Complaint Center (IC3). Until 31 July 2021, it had received over 16,000 sextortion complaints, with victims losing a combined $8M USD at least.

“Nearly half of these extortion victims were in the 20-39 age group,” according to the IC3 PSA, “Victims over 60 years comprised the third largest reporting age group, while victims under the age of 20 reported the fewest number of complaints.”

Let’s not forget that the FBI released a sextortion page in their official site for kids and teens back in 2015. Today, internet users under the age of 18 are continuously targeted and victimized by sextortion, too.

It all starts innocently…

The start of any online relationship is usually not malicious. The same is true for all sextortion cases. The victims recount the common story of meeting someone either on social media, a dating app, or a gaming site. From there, their new-found “friend” suggests that they move their conversation elsewhere, either via email, a voice-over-IP (VoIP) service like Skype, or other platforms that allow the sharing or exchange of media.

Then, after some time, their “friend”—who at this point may still be a complete stranger to the victim—suggests that the victim send some sexually explicit media of themselves, such as a still photo. Sometimes, they even suggest conducting their intimate moments over a live video call, which the attacker surreptitiously records. Once the victim complies, the “friend” turns extortionist, threatening the victim and demanding payment in return for not sharing the images with the victim’s contacts, friends, and family.

While there are genuine sextortion attacks that follow the script above, there are also many fake sextortion attacks that rely on their notoriety to scare people into paying money. In this case, an attacker sends a message to a stranger that falsely claims to have control over a device or email account they own.

That this simple social engineering tactic works is evident from countless email campaigns over several years, targeting users of both PC and Mac.

(Source: The Federal Bureau of Investigation)

Protect against sextortion

To avoid sextortion, the FBI advises that people turn off electronic devices and webcams that aren’t being used, don’t open attachments from people they don’t know, and never send compromising images of themselves to anyone, ever. The last piece of advice will work, but we suspect that it’s probably culturally impossible by now, and it also opens the door for people who want to blame the victim (although that is not what the FBI is doing). While not taking compromising pictures is the only surefire guarantee that nobody can have compromising pictures of you, if you do choose to take them you are not to blame for having them used against you.

In addition, we suggest you secure your online accounts using two-factor authentication (2FA) and a password manager. This won’t stop people using pictures that you’ve shared against you, but it makes it much harder for people to steal pictures and use them against you.

Stay safe!

The post Sextortion on the rise, warns FBI appeared first on Malwarebytes Labs.

Patch now! Netgear fixes serious smart switch vulnerabilities

In a security advisory, Netgear has announced it has fixed three vulnerabilities in firmware updates for several network devices. Most of the affected products are smart switches, some of them with cloud management capabilities that allow for configuring and monitoring them over the web.

One of the vulnerabilities was dubbed Demon’s Cries and is regarded as critically severe by the researchers that reported it. This vulnerability received a CVSS score of 9.8 out of 10 from the researchers, whereas Netgear scored it at only 8.8. Netgear’s argument is that it doesn’t deserve the higher rating since the attack cannot be done from the Internet or from outside of the LAN the device is attached to.

The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively. Bickering over CVSS scores is not helpful and should not be necessary. If you would like to know more about how this scoring works, I can recommend reading How CVSS works: characterizing and scoring vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These three vulnerabilities have each been given their own name, but have not been assigned CVEs yet.

Demon’s Cries

I think this one is called critical for a reason, especially if an attacker has already gained access to the victim’s intranet. The vulnerability can lead to an authentication bypass which would allow the attacker to change the admin’s password (among other things), which would obviously result in a full compromise of the device.

The Netgear Switch Discovery Protocol (NSDP) is implemented by the /sqfs/bin/sccd daemon. When the daemon is enabled, it accepts configuration changes that are supposed to require a type 10 password authentication. But the daemon does not enforce the password: it accepts “set” commands in which the authentication step is omitted from the chain, and in that case the password verification never takes place.

Draconian Fear

This vulnerability has been given a CVSS score of 7.8 by the researchers and 7.4 by Netgear. Both scores result in the classification “high”. The affected smart switches are vulnerable to authentication hijacking. It allows an attacker with the same IP address as an admin who is in the process of logging in to hijack the session bootstrapping information, giving the attacker full admin access to the device web UI and resulting in a full compromise of the device.

During the login process a session file is created that, among other things, contains the username, the password, and the name of the result file /tmp/sess/guiAuth_{http}_{clientIP}_{userAgent}. All an attacker needs in order to take over the session is to be on the same IP, guess a number in the range 1-5, and get the timing right. An attacker on the same IP as the admin can just flood get.cgi with requests and snatch the session information as soon as it appears. The window between get.cgi requests from the browser is 1 second, so an automated attack can have a high success rate.

Seventh Inferno

Details on Seventh Inferno will be published on or after 13th September. Security researcher Gynvael Coldwind, who found and reported the vulnerabilities, has so far explained two of the issues and provided demo exploit code for them.

Mitigation

In the Netgear security advisory you can find a full list of affected smart switches. Since Netgear has patched these vulnerabilities and both of the discussed vulnerabilities are relatively easy to exploit, owners of these devices are advised to download and apply the latest firmware as soon as possible.

The post Patch now! Netgear fixes serious smart switch vulnerabilities appeared first on Malwarebytes Labs.

Tor vs VPN—What is the difference?

Our data is a precious commodity and there are plenty of people who would like to get their hands on it, from spouses and marketing teams to crooks and state-sponsored spies. Because of that, tools like Tor and Virtual Private Networks (VPNs) are growing in popularity. But while both tools can enhance your online anonymity, they’re as different as apples and orang… onions.

What is Tor?

The Tor (The Onion Router) network protects users from tracking, surveillance, and censorship. It is based on free and open-source software and uses computers run by volunteers. Onion routing was created in the 1990s by US Naval Research Laboratory employees to shield national intelligence communications. Later, it was enhanced further by the Defense Advanced Research Projects Agency (DARPA) and patented by the Navy. Since 2006, development of Tor has been conducted by a nonprofit organization called The Tor Project.

The Tor network can be used to access the regular Internet, where it hides your IP address from everyone, including the people operating the Tor network itself, or the Dark Web, where everyone’s IP address is hidden from everyone else.

How does Tor work?

When you use Tor, your traffic connects to the Internet through a “Circuit”, a collection of three computers, or Tor “nodes”, that is changed every ten minutes. Your traffic is protected by multiple layers of encryption. This prevents anyone from snooping on it, including most of the Tor network itself. Each computer in a Circuit peels back one layer of encryption, to reveal information that only it can see. They work like this:

  1. The Entry Guard is where your traffic enters the Circuit. It can see your IP address and the IP address of the middle node.
  2. The middle node can see the IP addresses of the Entry Guard and Exit Node.
  3. The Exit Node is where your traffic leaves the Circuit. It can see the IP address of the middle node and your traffic’s destination. The Exit Node behaves a bit like a VPN, so any service you use on the Internet will see the Exit Node’s IP address as the source of your traffic.
  4. If you are using the Dark Web, you and the service you are connecting to each have your own circuit, and the two meet at a Rendezvous Point.
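The Circuit walk-through above as an added example (not the Tor Project’s code): the client builds a toy onion, each node peels one layer with the key it shares with the client, and the script records what each node could see. The node addresses, keys and the SHA-256 keystream cipher are constructed stand-ins for illustration, not Tor’s real design.

```python
"""Toy onion-routing walk-through for a three-node Circuit.

Added example, not the Tor Project's code. The cipher is a constructed
SHA-256 keystream XOR stand-in (no authentication) used only so the layering
is visible; Tor's real cryptography is different.
"""
import hashlib
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in cipher, not Tor's."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def peel(key: bytes, blob: bytes):
    """Return the layer this key unlocks, or None if the key does not fit
    (a wrong key yields bytes that are not a JSON document)."""
    try:
        return json.loads(unseal(key, blob))
    except ValueError:
        return None


# Constructed circuit: (role, address, key the client negotiated with that node).
CIRCUIT = [
    ("Entry Guard", "guard.example:9001", b"key-shared-with-guard"),
    ("middle node", "middle.example:9001", b"key-shared-with-middle"),
    ("Exit Node", "exit.example:9001", b"key-shared-with-exit"),
]
CLIENT = "client.example"
DESTINATION = "www.example.com:443"


def build_onion(payload: bytes, circuit=CIRCUIT, destination=DESTINATION) -> bytes:
    """Wrap from the inside out: the innermost layer (for the exit) names the
    destination; each outer layer names only the next node and carries the rest
    as an opaque blob."""
    layer = {"next": destination, "data": payload.decode()}
    blob = seal(circuit[-1][2], json.dumps(layer).encode())
    for hop in range(len(circuit) - 2, -1, -1):
        layer = {"next": circuit[hop + 1][1], "data": blob.hex()}
        blob = seal(circuit[hop][2], json.dumps(layer).encode())
    return blob


def relay(payload: bytes, circuit=CIRCUIT) -> dict:
    """Send the onion through the circuit and record what each node could see."""
    blob = build_onion(payload, circuit)
    previous = CLIENT
    observed = {}
    for index, (role, address, key) in enumerate(circuit):
        layer = peel(key, blob)  # only this node's key opens this layer
        if layer is None:
            raise RuntimeError(f"{role} could not open its layer")
        observed[role] = {"from": previous, "to": layer["next"]}
        previous = address
        if index < len(circuit) - 1:
            blob = bytes.fromhex(layer["data"])  # still sealed for the next node
        else:
            observed["destination"] = {"from": address, "request": layer["data"]}
    return observed


if __name__ == "__main__":
    for who, seen in relay(b"GET / HTTP/1.1").items():
        print(f"{who:12s} {seen}")
```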

How do I use Tor?

The most uncomplicated way to use the Tor network is through the Tor Browser. All you have to do is download and install the latest version from the official website and use it like a regular web browser. There is no learning curve; the Tor browser is based on Firefox and is as easy to use as any browser.

Is Tor illegal?

Tor is not illegal in most countries, including the United States. No one in America has been charged by law enforcement purely for using the network. However, Tor use may raise some eyebrows because it’s one of the most popular ways to access the Dark Web.

What is the difference between Tor and a VPN?

To understand the difference between Tor and a VPN, you must answer questions like, what is a VPN? A VPN routes traffic from your device to a VPN provider, through an encrypted tunnel. The encrypted tunnel prevents your ISP, rogue WiFi access points, or any other interlopers, from spying on your traffic before it reaches your VPN provider.

Your traffic joins the Internet from the VPN provider and uses your VPN provider’s IP address, so it appears to originate there.

Here are some important differences between the two technologies:

  • There are many VPN services to pick from, but there is only one Tor network.
  • A VPN assumes you trust your VPN provider.
  • Tor assumes you do not trust the operators of the Tor network.
  • Your VPN provider aims to provide a connection that is fast and stable.
  • Tor aims to provide a connection that is resistant to advanced attacks.
  • VPN service providers are usually run by businesses answerable to local laws.
  • Tor is run by volunteers who can’t see what is passing through their servers.

Should I use a VPN with Tor?

The Tor Project discourages the use of both technologies together:

Generally speaking, we don’t recommend using a VPN with Tor unless you’re an advanced user who knows how to configure both in a way that doesn’t compromise your privacy

What is better, VPN or Tor?

The choice of which technology is better is determined by your threat model, which will vary from one person to another. Broadly speaking, you can expect Tor to be slower than a VPN, but more secure against a wider range of threats, including threats that many Internet users are unlikely to encounter.

A good VPN service that uses the latest VPN protocol and provides multiple servers can offer speeds that are fast enough for gaming or video streaming, while bypassing geo-blocks, masking your IP address, and protecting you from rogue WiFi hotspots, ISP logging and other similar threats.

The post Tor vs VPN—What is the difference? appeared first on Malwarebytes Labs.

Apple delays plans to search devices for child abuse imagery

After the uproar from users and privacy advocates about Apple’s controversial plans to scan users’ devices for photos and messages containing child abuse and exploitation media, the company has decided to put the brakes on the plan.

If you may recall, Apple announced in early August that it would introduce the new capability in iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. These features, per Apple, are “intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material (CSAM)”.

The first of these child safety features, which the company says were developed with the help of child safety experts, is an updated iMessage app that alerts parents and their children when sexually explicit images are sent from or received by the child’s device. If, for example, the child receives such an image, they are given the option to view it or not. If they do view it, their parents are notified. Something similar happens when the child sends sexually explicit photos.

Secondly, iPhones and iPads would allow Apple to detect CSAM in photos that are being uploaded to iCloud. If a device finds photos that match, or closely resemble, images in a database of known CSAM, the photo is flagged. To reduce the chance of false positives (where a user is wrongfully accused), an account has to exceed a threshold number of flagged photos before Apple is actually alerted.

Thirdly, Siri and Search will be updated to provide additional resources for children and parents to stay safe online. They will also intervene when a user searches for CSAM.
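The threshold described for the second feature is the property a (t, n) threshold secret-sharing scheme provides: fewer than t shares reveal nothing about the secret, t or more reveal it completely. Apple’s technical summary described using threshold secret sharing so that its server cannot read match details until an account exceeds the threshold. The following is an added example, not Apple’s code: a minimal Shamir scheme over a prime field, with one “voucher” (share) per flagged upload. The field modulus, the account key and the voucher counts are constructed for the demo, and the real system layers further machinery (private set intersection, encrypted payloads) on top that this example does not attempt.

```python
"""Added example: Shamir (t, n) threshold secret sharing, illustrating the
match-threshold property: below t shares the secret is information-theoretically
hidden, at t or more it is reconstructed.  Standard library only; not Apple's
code.  The modulus, account key and vouchers are constructed for the demo."""
import secrets

P = 2**127 - 1  # Mersenne prime used as the field modulus (demo assumption)


def make_shares(secret: int, threshold: int, n_shares: int):
    """Split `secret` into n points on a random degree-(threshold-1) polynomial
    whose constant term is the secret."""
    if not 1 <= threshold <= n_shares or not 0 <= secret < P:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n_shares + 1)]


def _interpolate(points, at: int) -> int:
    """Lagrange interpolation over GF(P) of the polynomial through `points`,
    evaluated at x = `at`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover(shares) -> int:
    """Reconstruct the secret, i.e. the polynomial's value at x = 0."""
    return _interpolate(shares, 0)


def consistent_share_for(partial_shares, candidate_secret: int, x: int):
    """Given t-1 shares, build a t-th share that makes them reconstruct to ANY
    candidate secret.  This is why t-1 shares carry no information: every
    secret is equally consistent with them."""
    if x == 0 or any(x == xi for xi, _ in partial_shares):
        raise ValueError("x must be fresh and non-zero")
    return (x, _interpolate([(0, candidate_secret)] + list(partial_shares), x))


def server_unlock(vouchers, threshold: int):
    """Server-side rule: reconstruct only once the threshold is met, else None."""
    if len(vouchers) < threshold:
        return None
    return recover(vouchers[:threshold])


if __name__ == "__main__":
    account_key = secrets.randbelow(P)         # constructed per-account secret
    threshold, flagged_uploads = 3, 10
    vouchers = make_shares(account_key, threshold, flagged_uploads)  # one per flagged upload
    print("2 matches unlock:", server_unlock(vouchers[:2], threshold))
    print("3 matches unlock:", server_unlock(vouchers[:3], threshold) == account_key)
    fake = consistent_share_for(vouchers[:2], 424242, x=11)
    print("2 real shares + 1 chosen share ->", recover(vouchers[:2] + [fake]))
```

`consistent_share_for` is the part worth studying: with two shares in hand, the server can be handed a third that reconstructs to any value at all, so the two shares alone give it nothing to act on. Whether the chosen threshold is high enough to keep the false-positive rate where Apple claimed it would be is a separate question, and the one the criticism in the following paragraphs raises.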

We don’t doubt Apple’s good intentions, nor the seriousness of the child abuse problem it is attempting to tackle. And there is no question that it has gone to great lengths to engineer a solution that attempts to preserve users’ privacy without creating a haven for CSAM distribution.

The issue is that the technology also opens a door for some serious issues.

Many have expressed concern that Apple could be coerced into using this on-device scanning infrastructure to scan for other things, and doubts have been raised about Apple’s assessment of the false positive rate.

There are other concerns too, that this one-size-fits-all technology could put some vulnerable users in danger. “This can be a serious violation of a child’s privacy, and the behavior of this feature is predicated on an assumption that may not be true: That a child’s relationship with their parents is a healthy one. This is not always the case,” writes Thomas Reed, Malwarebytes’ Director of Mac & Mobile, in a thoughtful blog post on the matter.

Reed’s article is well worth a read: It delves into other potential problems with these new changes, and covers how and why the technology works the way it does.

Since the features were announced, organizations like the Electronic Frontier Foundation (EFF), Fight for the Future, and OpenMedia have all run petitions to pressure Apple into backpedaling on its plans.

Apple listened:

Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.

For the EFF, delaying plans is not good enough though. It insists that Apple must “drop its plans to put a backdoor into its encryption entirely.”

The post Apple delays plans to search devices for child abuse imagery appeared first on Malwarebytes Labs.

ProtonMail hands user’s IP address and device info to police, showing the limits of private email

They say there are two sides to every story. Depending on your point of view, you may have heard a recent story that’s either about overreaching law enforcement and protestors exposed by organisations happy to hand over revealing data despite saying they won’t.

Or:

What happened?

ProtonMail offers end-to-end encrypted mail services. It’s one of those mail services people turn to should they require reassurance that what they do is kept private. 

There has always been a niche of privacy-focused people who want a mail service to match. This is why services such as ProtonMail, Hushmail, PrivateMail and others remain in demand.

You may have run into Hushmail in the olden times (1998 onwards). It offered a similar service with the expectation of security and privacy for communications. At least some of its popularity at the time was based on geographical location: because it was in Canada, the theory went, legal demands for data would take time. At a bare minimum, anything handed over to law enforcement would surely be in encrypted form.

That was the theory, anyway.

Back in the day…

In 2007, reality came knocking at the door in the form of articles with titles like “Encrypted e-mail company Hushmail spills to feds”. US Law Enforcement made use of a US / Canada mutual assistance treaty and had a Canadian court serve up the necessary court order.

“12 CDs worth of e-mails from three Hushmail accounts” related to alleged steroid dealing were turned over to law enforcement. The bottom line from Hushmail’s then CTO was essentially that if you were engaged in illegal activity? Forget it. Not only are you breaking the Hushmail T&Cs, but you’re also breaking the law. Though they fight and resist many requests for information, the knock at the door for bad antics will happen eventually.

This seems to be a reasonable stance, unless you expected Hushmail to operate on the moon or some sort of abandoned platform in international waters. Privacy and avoiding snooping? Sure. Using our services for something illegal? Sorry, out you go.

Now we come to the present day.

Stop me if you’ve heard this one.

The ProtonMail situation: Nothing new under the sun

A lot of people are quite angry with ProtonMail at the moment. The reason? It handed a user’s IP address and device information to the police. This has, as expected, caused a bit of a privacy backlash. “Why are you storing things” seems to be the most common complaint. However, as the company pointed out, it doesn’t collect information on accounts by default. This is something that has to be enabled after a legal order:

In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).

Sometimes things have the inevitability of a runaway freight train, and this sounds like it fits the bill.

Of transparency and privacy policies

ProtonMail’s statement goes on to say:

As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed, meaning emails, attachments, calendars, files, etc, cannot be compromised by legal orders.

Remember what I said about Hushmail and abandoned platforms in international waters? Here’s ProtonMail on this very subject:

Third, no matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. This case does illustrate one benefit of ProtonMail’s Swiss jurisdiction, as no less than 3 authorities in 2 countries were required to approve the request, which is a much higher bar than most other jurisdictions. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested.

One more incident for the road?

ProtonMail has a full run-down of the current situation here, which links to their Transparency Report, which has been published since 2015.

I think realistically, we’d be hard pressed to lay blame at ProtonMail’s feet here. It’s called the long arm of the law for a very good reason, and it sounds as though no other options were available. Unlike in the 2007 Hushmail case, email contents were unavailable to investigators. I don’t remember if organisations in similar situations were publishing transparency reports back then, but I suspect it wasn’t common.

In many ways, this is a small improvement on what things used to be like. However you stack it up though, if you’re breaking the ToS of a service and breaking the law, you can probably only fend them off for so long. A third party encrypted mail service complying with local laws in the region it’s based in isn’t going to be your salvation. This situation will occur again; it’s inevitable. The only real surprise is that we appear to have been taken by surprise.

If you’re wanting to lock things down yourself, this article may be a good place to start. Just don’t get up to anything illegal, because if you do then all bets are most definitely off.

The post ProtonMail hands user’s IP address and device info to police, showing the limits of private email appeared first on Malwarebytes Labs.

A week in security (August 30 – September 5)

Last week on Malwarebytes Labs

Other Cybersecurity news

Stay safe, everyone!

The post A week in security (August 30 – September 5) appeared first on Malwarebytes Labs.