IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

That’s the way the cookie banner crumbles?

Elizabeth Denham, current head of the Information Commissioner’s Office (ICO), the UK’s data protection watchdog and the organization tasked to ensure that businesses comply with the country’s strict data protection laws, is said to have met with her counterparts in the G7 nations on Tuesday to tackle the issue of cookie banners.

According to the BBC, during this online meet up, each member country “will raise a technological problem they believe can be solved with closer co-operation.” Denham has decided to put cookie banners—and by association, cookie fatigue—on the table.

“No single country can tackle this issue alone,” Ms. Denham has said in an official ICO statement.

However, instead of a sigh of relief, the sudden unearthing of this apparent age-old problem stirred criticism from several privacy advocates.

Cookie fatigue

Cookie fatigue is the result of having to read (or ignore), and then click on, a cookie banner every time you use a new website. The banners are required by EU law and are designed to give users insight into, and control over, how and when a website records information about them. While displaying them complies with the law, the after-effect, according to Denham, is that users grow “tired” of having to repeatedly confirm consent. This led her to suggest that users should be able to indicate their levels of consent once, at the browser, application, or device level.

Not only will this stop cookie fatigue, but “people’s privacy is more meaningfully protected and businesses can provide a better web browsing experience.”

The strong suspicion is that people are simply selecting the “I agree” option whenever they’re presented with a cookie pop-up, without reading the fine print. This, then, causes Internet users to give more of their personal data away than they’d like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience,” Denham said in the statement.

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”, she said.

Cookie fatigue has been around for some time now. But, arguably, Denham’s solution for the cookie problem isn’t new either. It resembles the ill-fated “Do Not Track” (DNT) feature that almost made it into browsers several years ago. Natasha Lomas remarked in a TechCrunch article that Denham’s idea “could be called the idea that can’t die because it’s never truly lived—as earlier attempts at embedding user privacy preferences into browser settings were scuppered by lack of industry support.”

Malwarebytes Labs’ editor-in-chief disagrees with the comparison: “Do-not-track was certainly a victim of industry politics, but it’s hard to imagine how it would ever have worked—it was designed to fail. It was the technical equivalent of asking nicely, with no way of knowing if your tracking preferences had even been heard, never mind complied with. There is no reason that a browser-based or app-based consent mechanism has to be based on such weak sauce. It was the implementation that failed, not the idea.”

GDPR

Lomas isn’t alone in her criticism of the ICO. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties (ICCL) and former Chief Policy Officer (CPO) of Brave, called Denham’s idea “daft” in a tweet.

Because the UK is no longer in the EU it is free to diverge its privacy regulations from the EU’s General Data Protection Regulation (GDPR), and the nuisance of cookie banners is just one thing under consideration.

Ryan contends, as does Lomas, that the UK could have addressed the cookie pop-up problem before it left the EU, and without tearing up the GDPR.

Open Rights Group (ORG) Executive Director, Jim Killock, said that the ICO should be doing more.

“If the ICO wants to sort out cookie banners then it should follow its own conclusions and enforce the law,” Killock said. “We have waited for over two years now for the ICO to deal with this, and now they are asking the G7 to do their job for them. That is simply outrageous. We fully support their call for automated signals, but in the meantime they should enforce the law, which is their job.”

The post That’s the way the cookie banner crumbles? appeared first on Malwarebytes Labs.

500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords

A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities affected.

According to Fortinet the credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable.

CVE-2018-13379

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in question is an improper limitation of a pathname to a restricted directory (a path traversal) in several Fortinet FortiOS and FortiProxy versions. The vulnerable SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP requests. Apparently the FortiOS system files also contained login credentials.
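The bug class described above, an improper limitation of a pathname to a restricted directory, can be illustrated without any FortiOS specifics. The Python below is an added example, not Fortinet’s code and not the request used against these devices: it puts a file resolver that trusts the client-supplied path beside one that confines the result to the document root, and adds a small log scan that flags requests which would have escaped, which is the check you want to run over web server logs even after patching. `WEB_ROOT`, the function names and the log lines are constructed for the example.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/srv/portal"   # constructed document root; not a FortiOS path


def resolve_unchecked(requested: str) -> str:
    """Vulnerable pattern: the client path is decoded, joined onto the root and
    normalised, but nothing checks that the result still lies under WEB_ROOT,
    so '../' segments walk out of the directory."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(requested).lstrip("/")))


def resolve_confined(requested: str) -> Optional[str]:
    """Hardened pattern: decode, normalise, then refuse any result that
    escapes WEB_ROOT. Returns None for a rejected request."""
    decoded = unquote(requested)
    if "\x00" in decoded:                 # embedded NUL bytes are never legitimate
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Compare against the root with a trailing slash so "/srv/portal2" is not accepted.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


# Constructed access-log lines in a common-log style; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /remote/login HTTP/1.1" 200',
    '10.0.0.7 - - "GET /static/site.css HTTP/1.1" 200',
    '198.51.100.9 - - "GET /static/../../../etc/passwd HTTP/1.1" 200',
    '198.51.100.9 - - "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404',
]


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: return (source IP, request path) for every request whose path
    would have escaped WEB_ROOT under the confined resolver."""
    hits = []
    for line in log_lines:
        try:
            src = line.split(" ", 1)[0]
            path = line.split('"', 2)[1].split(" ")[1]
        except IndexError:
            continue                       # malformed line, skip it
        if resolve_confined(path) is None:
            hits.append((src, path))
    return hits


if __name__ == "__main__":
    print("unchecked:", resolve_unchecked("../../etc/passwd"))   # escapes the root
    print("confined :", resolve_confined("../../etc/passwd"))    # None
    for src, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", src, "->", path)
```

The confined resolver decodes before normalising, so percent-encoded dot segments are caught as well; the log scan reuses exactly that resolver, which keeps detection and enforcement from drifting apart.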

In April, CVE-2018-13379 was mentioned in a joint advisory from the NSA, CISA, and the FBI as one of five vulnerabilities widely used in ongoing attacks by the Russian Foreign Intelligence Service (SVR). A patch for the vulnerability has been available since May 2019, but it has not been applied as widely as necessary.

The threat actor

The source, and the websites that leaked the information, make for an interesting story as well. The list of Fortinet credentials was leaked by someone going by the handle ‘Orange.’ Orange is also the administrator of the newly launched RAMP hacking forum, and a previous operator of the Babuk Ransomware operation.

After the announced retirement of the Babuk gang, Orange apparently went his own way and started RAMP. Orange is now involved in the Groove ransomware operation, which allegedly employs several former Babuk developers. The leak of Fortinet SSL VPN credentials was mirrored on the Groove leak website. Both posts lead to a file hosted on a Tor storage server known to be used by the Groove gang.

Ransomware leak sites are used to create some extra leverage over victim organizations. The ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.

Vulnerable security software

Organizations use Virtual Private Networks (VPNs) to provide remote access to their systems from the Internet. By design a VPN is remotely accessible so employees can reach them from anywhere, which also means that attackers can reach them from anywhere. And since VPNs provide access to an organization’s soft underbelly, a VPN that has a known vulnerability represents a high value target that’s easy to reach.

That makes swift patching an absolute necessity, but many organizations find this difficult, in part because VPNs are so important for remote working. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

A leak of this type is serious since valid VPN credentials could allow threat actors to access a network to steal data, expand their access, and run ransomware or other malware.

In light of the leak, Fortinet recommends that companies immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, and then initiate an organization-wide password reset, warning that you may remain vulnerable post-upgrade if your users’ credentials were previously compromised.

The post 500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords appeared first on Malwarebytes Labs.

Windows MSHTML zero-day actively exploited, mitigations required

Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft’s security update.

Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

MSHTML is a software component used to render web pages on Windows. Although it’s most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.

Malwarebytes, as shown lower in this article, blocks the related malicious PowerShell code execution.

CVE-2021-40444

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation CVE-2021-40444 and received a CVSS score of 8.8 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.

The Cybersecurity and Infrastructure Security Agency took to Twitter to encourage users and organizations to review Microsoft’s mitigations and workarounds to address CVE-2021-40444.

ActiveX

Because MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser, although given the browser’s limited use there is little risk of infection by that vector. Microsoft Office applications, however, use the MSHTML component to display web content in Office documents.

The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.

So, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.

Mitigation

At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.

  • Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.
  • Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.

Despite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected.

[Screenshot from Malwarebytes Teams showing active detection of this threat]
[Screenshot from Malwarebytes Nebula showing active detection of this threat]
[Screenshot of Malwarebytes Teams blocking the final payload]
[Screenshot of Malwarebytes Anti-Exploit blocking the exploit payload process]

Registry changes

Modifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.

To create a backup, open Regedit and drill down to the key you want to back up (if it exists):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

Right click the key in the left side of the registry pane and select “Export”. Follow the prompts and save the created reg file with a name and in a location where you can easily find it.

[Screenshot of the Export option in Regedit]

To make the recommended changes, open a text file and paste in the following script. Make sure that all of the code box content is pasted into the text file!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Save the file with a .reg file extension. Right-click the file and select Merge. You’ll be prompted about adding the information to the registry, agree, and then reboot your machine.
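After merging, it is worth confirming that the change actually landed on every machine, for instance by exporting the Zones key again and checking the export. The Python below is an added check, not part of the original post or of Microsoft’s workaround: it parses the small subset of .reg syntax the script uses ([key] headers and dword values) and verifies that all four security zones (0 to 3) carry policy values 1001 and 1004 set to 3, which is the Disable setting for downloading signed and unsigned ActiveX controls. The embedded .reg text is the same content as the script above; the function and constant names are my own.

```python
import re
from typing import Dict, List, Tuple

# The policy key the workaround writes to; the zone number (0-3) is appended.
ZONES_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows"
             "\\CurrentVersion\\Internet Settings\\Zones")
# 1001 = download signed ActiveX controls, 1004 = download unsigned ones; 3 = Disable.
REQUIRED_VALUES = {"1001": 3, "1004": 3}

# The .reg content from the post, embedded here as the input to check.
HARDENING_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
"""


def zone_key(zone: int) -> str:
    """Registry path of one zone, lower-cased because the registry is case-insensitive."""
    return (ZONES_KEY + "\\" + str(zone)).lower()


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse [key] headers and "name"=dword:XXXXXXXX lines into {key: {name: int}}.
    Blank lines, ';' comments and the version banner are skipped."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})', line)
        if value and current is not None:
            keys[current][value.group(1)] = int(value.group(2), 16)
    return keys


def check_activex_blocked(text: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only when every zone 0-3 has both
    policy values present and equal to 3; problems lists what is missing or wrong."""
    keys = parse_reg(text)
    problems = []
    for zone in range(4):
        values = keys.get(zone_key(zone), {})
        for name, want in REQUIRED_VALUES.items():
            got = values.get(name)
            if got != want:
                problems.append(f"{ZONES_KEY}\\{zone}: {name}={got} (want {want})")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_activex_blocked(HARDENING_REG)
    print("all zones hardened" if ok else "\n".join(problems))
```

To check a real machine, export the Zones key again after the merge and pass the file’s text to `check_activex_blocked`; note that Regedit writes exports as UTF-16, so open the file with `encoding="utf-16"` before parsing. A zone that was never created, or a value that a later policy change overwrote, shows up in the problems list.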

Stay safe, everyone!

The post Windows MSHTML zero-day actively exploited, mitigations required appeared first on Malwarebytes Labs.

Sextortion on the rise, warns FBI

The pandemic saw a surge in sextortion cases in 2020. Fast forward 12 months, and the numbers continue to rise significantly.

This revelation came from the FBI Internet Crime Complaint Center (IC3). By 31 July 2021, it had received over 16,000 sextortion complaints, with victims losing a combined $8M USD at least.

“Nearly half of these extortion victims were in the 20-39 age group,” according to the IC3 PSA, “Victims over 60 years comprised the third largest reporting age group, while victims under the age of 20 reported the fewest number of complaints.”

Let’s not forget that the FBI released a sextortion page on its official site for kids and teens back in 2015. Today, internet users under the age of 18 are continuously targeted and victimized by sextortion, too.

It all starts innocently…

The start of any online relationship is usually not malicious. The same is true for all sextortion cases. The victims recount the common story of meeting someone either on social media, a dating app, or a gaming site. From there, their new-found “friend” suggests that they move their conversation elsewhere, either via email, a voice-over-IP (VoIP) service like Skype, or other platforms that allow the sharing or exchange of media.

Then, after some time, their “friend”—who at this point may still be a complete stranger to the victim—suggests that the victim send some sexually explicit media of themselves, such as a still photo. Sometimes, they even suggest conducting their intimate moments over a live video call, which the attacker surreptitiously records. Once the victim complies and performs the act, the “friend” then becomes an extortionist, threatening the victim and demanding payment to stop the “friend” sharing the images with the victim’s contacts, friends, and family.

While there are genuine sextortion attacks that follow the script above, there are also many fake sextortion attacks that rely on their notoriety to scare people into paying money. In this case, an attacker sends a message to a stranger that falsely claims to have control over a device or email account they own.

That this simple social engineering tactic works is evident from countless email campaigns over several years, targeting users of both PC and Mac.

(Source: The Federal Bureau of Investigation)

Protect against sextortion

To avoid sextortion, the FBI advises that people turn off electronic devices and webcams that aren’t being used; don’t open attachments from people they don’t know; and never send compromising images of themselves to anyone, ever. The last piece of advice will work, but we suspect that it’s probably culturally impossible by now, and it also opens the door for people who want to blame the victim (although that is not what the FBI is doing). While not taking compromising pictures is the only surefire guarantee that nobody can have compromising pictures of you, you are not to blame for having them used against you if you choose to.

In addition, we suggest you secure your online accounts using two-factor authentication (2FA) and a password manager. This won’t stop people using pictures that you’ve shared against you, but it makes it much harder for people to steal pictures and use them against you.

Stay safe!

The post Sextortion on the rise, warns FBI appeared first on Malwarebytes Labs.

Patch now! Netgear fixes serious smart switch vulnerabilities

In a security advisory, Netgear has announced it has fixed three vulnerabilities in firmware updates for several network devices. Most of the affected products are smart switches, some of them with cloud management capabilities that allow for configuring and monitoring them over the web.

One of the vulnerabilities was dubbed Demon’s Cries and is rated critical by the researchers who reported it. The researchers gave it a CVSS score of 9.8 out of 10, where Netgear scored it at only 8.8. Netgear’s argument is that it doesn’t deserve the higher rating, since the attack cannot be carried out from the Internet or from outside the LAN the device is attached to.

The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively. Bickering over CVSS scores is not helpful and should not be necessary. If you would like to know more about how this scoring works, I can recommend reading How CVSS works: characterizing and scoring vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These three vulnerabilities have each been given their own name, but have not been assigned CVEs yet.

Demon’s Cries

I think this one is called critical for a reason, especially if an attacker has already gained access to the victim’s intranet. The vulnerability can lead to an authentication bypass which would allow the attacker to change the admin’s password (among other things), which would obviously result in a full compromise of the device.

The Netgear Switch Discovery Protocol (NSDP) is implemented by the /sqfs/bin/sccd daemon. When the daemon is enabled, it allows configuration changes that are supposed to require a type 10 password authentication. But the daemon does not enforce the password: it accepts “set” commands in which the authentication step has simply been omitted from the chain, and in that case the password verification never takes place.
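The logic flaw here is a classic one: verification runs only when the client volunteers an authentication element, instead of being a precondition for any state change. The Python below is an added illustration, not Netgear’s code and not NSDP’s real wire format: it models a request as a list of (type, value) elements with hypothetical type numbers (10 for the password element, as in the post; the set-command types are invented), and shows a handler with the described weakness beside a fail-closed one that applies nothing unless a password element has been seen and verified earlier in the chain.

```python
import hmac
from typing import Dict, List, Tuple

# Hypothetical element types for this model; they are NOT NSDP's real encoding.
TLV_PASSWORD = 10            # the post's "type 10 password authentication"
TLV_SET_ADMIN_PASSWORD = 1001
TLV_SET_HOSTNAME = 1002
SET_TYPES = {TLV_SET_ADMIN_PASSWORD, TLV_SET_HOSTNAME}

ADMIN_PASSWORD = "correct horse battery"   # constructed device secret for the model

Element = Tuple[int, str]


def password_ok(candidate: str) -> bool:
    """Constant-time comparison so the check itself does not leak timing information."""
    return hmac.compare_digest(candidate.encode(), ADMIN_PASSWORD.encode())


def handle_set_vulnerable(elements: List[Element], config: Dict[int, str]) -> str:
    """Models the flaw: the password is verified only if a password element is
    present. A chain that omits it is never challenged, so its set commands
    are applied to the running configuration."""
    for etype, value in elements:
        if etype == TLV_PASSWORD and not password_ok(value):
            return "rejected"
        if etype in SET_TYPES:
            config[etype] = value
    return "applied"


def handle_set_hardened(elements: List[Element], config: Dict[int, str]) -> str:
    """Fail closed: a set command is accepted only after a verified password
    element earlier in the same chain, and changes are staged so that a
    rejected request leaves the configuration untouched."""
    authenticated = False
    staged: Dict[int, str] = {}
    for etype, value in elements:
        if etype == TLV_PASSWORD:
            if not password_ok(value):
                return "rejected"
            authenticated = True
        elif etype in SET_TYPES:
            if not authenticated:
                return "rejected"          # set before (or without) authentication
            staged[etype] = value
    config.update(staged)
    return "applied"


if __name__ == "__main__":
    unauthenticated = [(TLV_SET_HOSTNAME, "switch-b")]
    cfg_v, cfg_h = {}, {}
    print("vulnerable:", handle_set_vulnerable(unauthenticated, cfg_v), cfg_v)
    print("hardened  :", handle_set_hardened(unauthenticated, cfg_h), cfg_h)
```

The hardened handler also rejects a chain that places a set command before the password element, since “authenticated” is only ever set after verification, and it commits the staged values as one unit.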

Draconian Fear

This vulnerability has been given a CVSS score of 7.8 by the researchers and 7.4 by Netgear. Both scores result in the classification “high”. The affected smart switches are vulnerable to authentication hijacking. It allows an attacker with the same IP address as an admin who is in the process of logging in to hijack the session bootstrapping information, giving the attacker full admin access to the device web UI and resulting in a full compromise of the device.

During the login process a session file is created that, among other things, contains username, password, and the name of the result file /tmp/sess/guiAuth_{http}_{clientIP}_{userAgent}. All an attacker needs is to be on the same IP and guess a number in the range 1-5 to take over the session. And a bit of timing. An attacker on the same IP as the admin can just flood the get.cgi with requests and snatch the session information as soon as it appears. The window between get.cgi requests on the browser is 1 second, so an automated attack can have a high success rate.

Seventh Inferno

Details on Seventh Inferno will be published on or after 13th September. Security researcher Gynvael Coldwind, who found and reported the vulnerabilities, has so far explained two of the issues and provided demo exploit code for them.

Mitigation

In the Netgear security advisory you can find a full list of affected smart switches. Since Netgear has patched these vulnerabilities, and both of the vulnerabilities discussed so far are relatively easy to exploit, owners of these devices are advised to download and apply the latest firmware as soon as possible.

The post Patch now! Netgear fixes serious smart switch vulnerabilities appeared first on Malwarebytes Labs.

Tor vs VPN—What is the difference?

Our data is a precious commodity and there are plenty of people who would like to get their hands on it, from spouses and marketing teams to crooks and state-sponsored spies. Because of that, tools like Tor and Virtual Private Networks (VPNs) are growing in popularity. But while both tools can enhance your online anonymity, they’re as different as apples and orang… onions.

What is Tor?

The Tor (The Onion Router) network protects users from tracking, surveillance, and censorship. It is based on free and open-source software and uses computers run by volunteers. Onion routing was created in the 1990s by US Naval Research Laboratory employees to shield national intelligence communications. Later, it was enhanced further by the Defense Advanced Research Projects Agency (DARPA) and patented by the Navy. Since 2006, development of Tor has been conducted by a nonprofit organization called The Tor Project.

The Tor network can be used to access the regular Internet, where it hides your IP address from everyone, including the people operating the Tor network itself, or the Dark Web, where everyone’s IP address is hidden from everyone else.

How does Tor work?

When you use Tor, your traffic connects to the Internet through a “Circuit”, a chain of three computers, or Tor “nodes”, that is changed every ten minutes. Your traffic is protected by multiple layers of encryption. This prevents anyone from snooping on it, including most of the Tor network itself. Each computer in a Circuit peels back one layer of encryption, to reveal information that only it can see. They work like this:

  1. The Entry Guard is where your traffic enters the Circuit. It can see your IP address and the IP address of the middle node.
  2. The middle node can see the IP addresses of the Entry Guard and Exit Node.
  3. The Exit Node is where your traffic leaves the Circuit. It can see the IP address of the middle node and your traffic’s destination. The Exit Node behaves a bit like a VPN, so any service you use on the Internet will see the Exit Node’s IP address as the source of your traffic.
  4. If you are using the Dark Web, both you and the service you are connecting to have a circuit of your own, and the two meet at a Rendezvous Point.
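To make the layering concrete, here is an added Python model of the three-hop circuit described above. It is not Tor’s code or protocol (Tor uses TLS links and AES-encrypted cells negotiated with each relay); the cipher is a toy XOR keystream standing in for a real one, and the node names and keys are constructed. What it does show is the property the list describes: the client wraps the payload in three layers, each node can strip exactly one, and so each node learns only who handed it the data and where the remainder goes next.

```python
import hashlib
from typing import Dict, List, Tuple

Node = Tuple[str, bytes]          # (address, key shared between client and that node)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for a real cipher: XOR with a SHA-256 counter keystream.
    Symmetric, so the same call encrypts and decrypts. Illustration only."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def frame(next_hop: str, inner: bytes) -> bytes:
    """Prefix the remainder with a length-prefixed next-hop address."""
    hop = next_hop.encode()
    return len(hop).to_bytes(1, "big") + hop + inner


def unframe(data: bytes) -> Tuple[str, bytes]:
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


def build_onion(circuit: List[Node], destination: str, payload: bytes) -> bytes:
    """circuit = [guard, middle, exit]. Wrap innermost layer first: the exit's
    layer names the real destination, the middle's names the exit, the guard's
    names the middle. Each layer is encrypted under that node's key."""
    hops = [addr for addr, _ in circuit[1:]] + [destination]
    onion = payload
    for (_addr, key), next_hop in reversed(list(zip(circuit, hops))):
        onion = keystream_xor(key, frame(next_hop, onion))
    return onion


def route_through_circuit(onion: bytes, circuit: List[Node],
                          client_addr: str) -> Tuple[Dict[str, Dict[str, str]], bytes]:
    """Simulate each node in turn: decrypt its own layer, read the next hop,
    forward the rest. Returns what every node could observe, and the bytes
    that finally reach the destination."""
    observations: Dict[str, Dict[str, str]] = {}
    previous = client_addr
    data = onion
    for addr, key in circuit:
        next_hop, data = unframe(keystream_xor(key, data))
        observations[addr] = {"from": previous, "to": next_hop}
        previous = addr
    return observations, data


CIRCUIT: List[Node] = [            # constructed nodes and keys
    ("guard.example", b"k-guard"),
    ("middle.example", b"k-middle"),
    ("exit.example", b"k-exit"),
]

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "site.example", b"GET / HTTP/1.1")
    seen, delivered = route_through_circuit(onion, CIRCUIT, "client")
    for node, view in seen.items():
        print(f"{node:15} sees from={view['from']:15} to={view['to']}")
    print("destination receives:", delivered)
```

Run it and the guard reports seeing the client and the middle node, the middle sees guard and exit, and only the exit sees the destination, which is exactly the visibility split in the list above. The model leaves out what Tor adds on top: per-hop key agreement, fixed-size cells, and the ten-minute circuit rotation.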

How do I use Tor?

The most uncomplicated way to use the Tor network is through the Tor Browser. All you have to do is download and install the latest version from the official website and use it like a regular web browser. There is no learning curve; the Tor browser is based on Firefox and is as easy to use as any browser.

Is Tor illegal?

Tor is not illegal in most countries, including the United States. No one in America has been charged by law enforcement purely for using the network. However, Tor use may raise some eyebrows because it’s one of the most popular ways to access the Dark Web.

What is the difference between Tor and a VPN?

To understand the difference between Tor and a VPN, you must answer questions like, what is a VPN? A VPN routes traffic from your device to a VPN provider, through an encrypted tunnel. The encrypted tunnel prevents your ISP, rogue WiFi access points, or any other interlopers, from spying on your traffic before it reaches your VPN provider.

Your traffic joins the Internet from the VPN provider and uses your VPN provider’s IP address, so it appears to originate there.

Here are some important differences between the two technologies:

  • There are many VPN services to pick from; there is only one Tor network.
  • A VPN assumes you trust your VPN provider.
  • Tor assumes you do not trust the operators of the Tor network.
  • Your VPN provider aims to provide a connection that is fast and stable.
  • Tor aims to provide a connection that is resistant to advanced attacks.
  • VPN service providers are usually run by businesses answerable to local laws.
  • Tor is run by volunteers who can’t see what is passing through their servers.

Should I use a VPN with Tor?

The Tor Project discourages the use of both technologies together:

Generally speaking, we don’t recommend using a VPN with Tor unless you’re an advanced user who knows how to configure both in a way that doesn’t compromise your privacy

What is better, VPN or Tor?

The choice of which technology is better is determined by your threat model, which will vary from one person to another. Broadly speaking, you can expect Tor to be slower than a VPN, but more secure against a wider range of threats, including threats that many Internet users are unlikely to encounter.

A good VPN service that uses the latest VPN protocol and provides multiple servers can offer speeds that are fast enough for gaming or video streaming, while bypassing geo-blocks, masking your IP address, and protecting you from rogue WiFi hotspots, ISP logging and other similar threats.

The post Tor vs VPN—What is the difference? appeared first on Malwarebytes Labs.

Apple delays plans to search devices for child abuse imagery

After the uproar from users and privacy advocates about Apple’s controversial plans to scan users’ devices for photos and messages containing child abuse and exploitation media, the company has decided to put the brakes on the plan.

As you may recall, Apple announced in early August that it would introduce the new capability in iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. These features, per Apple, are “intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material (CSAM)”.

These child safety features, which the company claims were developed with the help of child safety experts, feature, firstly, an updated iMessage app, that will alert parents and their children when sexually explicit images are either sent from or received by their devices. If, for example, the child receives such an image, they will be presented an option to view it or not. And if they do, their parents would be notified that they have viewed it. Something similar happens when the child sends sexually explicit photos.

Secondly, iPhones and iPads would allow Apple to detect CSAM material in photos that are being uploaded to iCloud. If an i-device finds photos that match, or resemble, photos in a database of known CSAM material, the material is flagged as such. To reduce the chance of false positive matches (where a user is wrongfully accused), users have to exceed a threshold number of flags before Apple is actually alerted.

Thirdly, Siri and Search will be updated to provide additional resources for children and parents to stay safe online. These two also intervene when a user searches for CSAM material.

We don’t doubt Apple’s good intentions, nor the seriousness of the child abuse problem it is attempting to tackle. And there is no question that it has gone to great lengths to engineer a solution that attempts to preserve users’ privacy without creating a haven for CSAM distribution.

The issue is that the technology also opens a door for some serious issues.

Many have expressed concern that Apple could be coerced into using this on-device scanning infrastructure to scan for other things, and doubts have been raised about Apple’s assessment of the false positive rate.

There are other concerns too, that this one-size-fits-all technology could put some vulnerable users in danger. “This can be a serious violation of a child’s privacy, and the behavior of this feature is predicated on an assumption that may not be true: That a child’s relationship with their parents is a healthy one. This is not always the case,” writes Thomas Reed, Malwarebytes’ Director of Mac & Mobile, in a thoughtful blog post on the matter.

Reed’s article is well worth a read: It delves into other potential problems with these new changes, and covers how and why the technology works the way it does.

Since they were announced, organizations like the Electronic Frontier Foundation (EFF), Fight for the Future, and OpenMedia have all conducted petitions to pressure Apple into backpedaling from implementing its plans.

Apple listened:

Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.

For the EFF, delaying plans is not good enough though. It insists that Apple must “drop its plans to put a backdoor into its encryption entirely.”

The post Apple delays plans to search devices for child abuse imagery appeared first on Malwarebytes Labs.

ProtonMail hands user’s IP address and device info to police, showing the limits of private email

They say there are two sides to every story. Depending on your point of view, you may have heard a recent story that’s either about overreaching law enforcement and protestors exposed by organisations happy to hand over revealing data despite saying they won’t.

Or:

What happened?

ProtonMail offers end-to-end encrypted mail services. It’s one of those mail services people turn to should they require reassurance that what they do is kept private. 

There is a niche out there for privacy-focused people who’ve always wanted mail services. This is why services such as ProtonMail, Hushmail, PrivateMail and others are always in demand.

You may have run into Hushmail in the olden times (1998 onwards). They offered a similar service with the expectation of security and privacy for communications. At least some of their popularity at the time was based on geographical location. If they’re in Canada, legal demands for data would take time, so the theory went. At a bare minimum, anything handed over to law enforcement would surely be in encrypted form.

That was the theory, anyway.

Back in the day…

In 2007, reality came knocking at the door in the form of articles with titles like “Encrypted e-mail company Hushmail spills to feds”. US Law Enforcement made use of a US / Canada mutual assistance treaty and had a Canadian court serve up the necessary court order.

“12 CDs worth of e-mails from three Hushmail accounts” related to alleged steroid dealer antics were turned over to law enforcement. The bottom line from Hushmail’s then CTO was essentially that if you were engaged in illegal activity? Forget it. Not only are you breaking the Hushmail T&Cs, but you’re also breaking the law. Though they fight and resist many requests for information, the knock at the door for bad antics will happen eventually.

This seems to be a reasonable stance, unless you expected Hushmail to operate on the moon or some sort of abandoned platform in international waters. Privacy and avoiding snooping? Sure. Using our services for something illegal? Sorry, out you go.

Now we come to the present day.

Stop me if you’ve heard this one.

The ProtonMail situation: Nothing new under the sun

A lot of people are quite angry with ProtonMail at the moment. The reason? It handed a user’s IP address and device information to the police. This has, as expected, caused a bit of a privacy backlash. “Why are you storing things” seems to be the most common complaint. However, as the company pointed out, it doesn’t collect information on accounts by default. This is something that has to be enabled after a legal order:

In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).

Sometimes things have the inevitability of a runaway freight train, and this sounds like it fits the bill.

Of transparency and privacy policies

ProtonMail’s statement goes on to say:

As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed, meaning emails, attachments, calendars, files, etc, cannot be compromised by legal orders.

Remember what I said about Hushmail and abandoned platforms in international waters? Here’s ProtonMail on this very subject:

Third, no matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. This case does illustrate one benefit of ProtonMail’s Swiss jurisdiction, as no less than 3 authorities in 2 countries were required to approve the request, which is a much higher bar than most other jurisdictions. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested.

One more incident for the road?

ProtonMail has a full run-down of the current situation here, with a link to its Transparency Report, which it has published since 2015.

I think realistically, we’d be hard pressed to lay blame at ProtonMail’s feet here. It’s called the long arm of the law for a very good reason, and it sounds as though no other options were available. Unlike the now ancient Hushmail case in 2007, email contents were also unavailable to investigators. I don’t remember if organisations in similar situations were publishing transparency reports back then, but I suspect it wasn’t common.

In many ways, this is a small improvement on what things used to be like. However you stack it up though, if you’re breaking the ToS of a service and breaking the law, you can probably only fend them off for so long. A third-party encrypted mail service complying with local laws in the region it’s based in isn’t going to be your salvation. This situation will occur again; it’s inevitable. The only real surprise is that we appear to have been taken by surprise.

If you’re wanting to lock things down yourself, this article may be a good place to start. Just don’t get up to anything illegal, because if you do then all bets are most definitely off.

The post ProtonMail hands user’s IP address and device info to police, showing the limits of private email appeared first on Malwarebytes Labs.

A week in security (August 30 – September 5)

Last week on Malwarebytes Labs

Other Cybersecurity news

Stay safe, everyone!

The post A week in security (August 30 – September 5) appeared first on Malwarebytes Labs.

Watch what you send on anonymous SMS websites

It’s a good idea to try and keep certain things private.

For example, people have been using anonymous email services for years. These either hide your real email address, or replace it entirely for specific tasks. Folks will go one step further, setting aliases for each service they sign up to. If one of those aliases starts receiving mail in the wild, there’s a good chance they can tell which service has suddenly experienced a breach.

You may well be aware of these methods for anonymising emails. But did you know similar services exist in the SMS space?

Keeping your number safe

Nobody wants to have their mobile number leaked in a database dump, or placed onto dozens of marketing lists. It’s also a lot easier to switch out an email than a number tied to a device in your pocket. Changing numbers is quite often a pain, especially when updating all of your contacts.

There are other security concerns too. Some folks may want to keep their real number away from marketers and spammers. Others may want a little added security in the form of 2FA, despite not actually having a phone. How would they go about this?

Let’s look at one of the possible solutions, and the problems that come along with it.

How temporary number services work

This is where online anonymous SMS services come in. These are websites that offer a number for receiving SMS messages, rather than a number you send from. How does this play out?

  1. You visit a “free temporary number” site, and select one of a dozen or so temporary numbers on offer. They usually offer regional numbers, so if it’s easier to use a French number, you can do that. Need one for Germany, or the UK, or even Australia? There’s likely one in there somewhere.
  2. You then use that number for whichever online service you need it for. Some examples would be confirmation codes, authentication codes, appointment confirmations, banking codes, verifying social media accounts, web logins, and more.
  3. At this point, you’re wondering “How do I actually receive messages to this number? I don’t own it and it’s not tied to my phone. I might not even own a phone. There’s also no registration or login on the site to keep track of messages sent my way. What’s the deal here?”

The deal here

Each temporary mobile number has its own page on the site you obtain it from. All of the messages sent to that number will be people wanting a code, or a pass, or a login, or a confirmation.

Those messages, for all of those people, display publicly on the number’s page.

Some services are so popular they have their own subpage on the temporary number service site. For example, there might be an Amazon page for all the Amazon messages, a Tinder page for Tinder messages etc. Whether service-specific or a more general page, they work the same way: a whole bunch of SMS messages appear, and you have to figure out which one is relevant to you and you alone.

Most services claim messages are delivered almost instantly. What this means in practice is sitting on the page for the number / service combination you’ve used, and waiting until your desired SMS shows up.

If half a dozen generic looking messages for an Instagram verification code arrive in the space of 5 minutes, all for the same number: which one is yours? Instagram verification messages use different codes for verification, so one assumes all you can do is start punching them all in and hope for the best. This seems less than optimal.

Is this dangerous?

We must be clear: The websites we’ve seen at least reference the fact that messages sent are not private. However, the way it’s mentioned varies. It could well be buried in generic descriptions of what the site is all about. It also feels a little dissonant when some of them claim you can “keep your privacy with our free services”. The “privacy” simply extends to how careful you are in making use of the service. If you’re expecting your messages to be somehow hidden from the view of others, you’re sadly mistaken.

[Image: A warning message displayed at the top of an anonymous SMS site]

There are other SMS sites which do mention it prominently in red text. They also mention services should “not be used for any sensitive transactions”. Unfortunately those mentions are on FAQ or privacy pages, and seem likely to go unnoticed by many. If you don’t read those awful cookie preference popups, you likely don’t read the privacy blurbs either.

SMS codes made public

So, what are people sending? Here’s a sample:

[Image: A selection of messages that include secret codes, and text clearly urging users to keep the codes secret, on an anonymous SMS site]

It’s certainly making me say “yikes” to see these online, but by the same token, there’s no practical way to do anything bad with these. The account(s) could belong to anyone, and with nothing else identifiable in the message, it’s just a random code with nothing to tie it to. It’s the same as me sending you a text and saying the login code for my account is 123456. Which account? What email address? Username? And so on.

[Image: A selection of messages on an anonymous SMS service page]

So it’s disconcerting, but not a disaster outside of perhaps making people behave too casually about security messages sent to their phone. It’s quite peculiar to see dozens of text messages posted online which include the line “keep this code safe and do not share it with anyone”.

Perhaps that’s the rub: They are supposed to be secrets, and if you put them on a public website they aren’t.

How revealing is too revealing?

Elsewhere though, things become slightly more personal. We’ve modified the text of the messages a little so people can’t simply pull them up in Google, but their essence is unchanged. These are all based on genuine missives we’ve seen on the various SMS sites:

“Your appointment with [clinical service] on [date and time] has been confirmed.”

“Click to get back into your [account]”, with a one time click password reset link.

“You’ve requested a new password. Click here to reset it”, with a reset password link.

“Follow this link to complete your survey for the (medical) test [link] and call if you have questions”

“To complete registration, click here” with a registration link.

“I liked your profile on [site]. Please visit my profile at [link]”

“Your payment plan identity number is [number] for [x] amount. Your next payment of [y] is due [date].”

Some of these raise a few warning flags. They’re just that little bit on the side of potentially identifying.

The dating site message with a link could be perfect for a social engineer or phisher to move into the conversation. The medical survey could potentially prefill with details of the recipient before they complete the form. This means someone clicking the link who it’s not intended for could see things they’re not supposed to. The clinical service appointment gives a clear location and time / date. This specific data is no doubt worthless for almost everybody bar the patient. It’s still a bit alarming to see it floating around online.

What’s clear in all of them is that, like the security codes, they are supposed to be private and the sender is clearly assuming they are engaged in a one-to-one conversation.
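The post sorts what it saw on these pages into three rough buckets: context-free codes (little practical harm), one-click links for resets, registrations and surveys (actionable by whoever sees them first), and messages that identify a person through appointments or payments. The screening function below is an added example, not code from the original post or from any SMS site, that encodes that risk model so it can be run over messages before they are routed to a shared number. The sample messages and the example.invalid URLs are constructed for the demonstration and are not real messages seen online.

```python
import re
from collections import Counter

# Constructed sample messages, modelled on the categories described in the
# post. None of these are real messages taken from an anonymous SMS site.
SAMPLE_MESSAGES = [
    "Your verification code is 482913. Keep this code safe and do not share it with anyone.",
    "Click to get back into your account: https://example.invalid/reset/a1b2c3",
    "You've requested a new password. Click here to reset it https://example.invalid/pw/9f8e7d",
    "Follow this link to complete your survey for the test https://example.invalid/survey/55 and call if you have questions",
    "To complete registration, click here https://example.invalid/register/xyz",
    "I liked your profile on a dating site. Please visit my profile at https://example.invalid/u/77",
    "Your appointment with the clinic on 12 Sept at 10:30 has been confirmed.",
    "Your payment plan identity number is 10234 for 400. Your next payment of 50 is due 1 Oct.",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# A bare 4-8 digit code is the typical one-time passcode shape.
CODE_RE = re.compile(r"\b\d{4,8}\b")
# Words that, next to a link, mean the link itself grants an action to whoever clicks it.
LINK_ACTION_RE = re.compile(
    r"\b(reset|password|registration|register|log ?in|get back into|survey|profile)\b",
    re.IGNORECASE,
)
# Words that tie the message to a specific person, place, time or account.
IDENTIFYING_RE = re.compile(
    r"\b(appointment|clinic|clinical|medical|payment|due|identity number)\b",
    re.IGNORECASE,
)


def classify_sms(text: str) -> str:
    """Return one of: 'actionable-link', 'identifying', 'bare-code', 'link', 'other'.

    Ordering matters: a link that performs an action is the most exposed case,
    so it is checked first; a message with only a numeric code and no context
    is the least exposed, so it is checked last.
    """
    has_url = URL_RE.search(text) is not None
    if has_url and LINK_ACTION_RE.search(text):
        return "actionable-link"
    if IDENTIFYING_RE.search(text):
        return "identifying"
    if CODE_RE.search(text) and not has_url:
        return "bare-code"
    if has_url:
        return "link"
    return "other"


def unsafe_for_shared_number(text: str) -> bool:
    """Only a context-free code is treated as acceptable on a publicly visible number."""
    return classify_sms(text) != "bare-code"


def screen_batch(messages) -> dict:
    """Count messages per risk class; useful as a quick audit of a page full of SMS."""
    return dict(Counter(classify_sms(m) for m in messages))


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        flag = "DO NOT SEND" if unsafe_for_shared_number(msg) else "ok"
        print(f"{classify_sms(msg):16} {flag:12} {msg[:60]}")
    print(screen_batch(SAMPLE_MESSAGES))
```

The keyword lists are deliberately small and are an assumption of this example, not a complete taxonomy; a real deployment would tune them to the message templates a particular service actually sends. The important design point is the ordering: anything that both carries a link and names an action is flagged before the message is examined for codes, because a reset or registration link is usable by the first person to click it regardless of what else the message contains.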

Of people problems and technical mishaps

At least some folks using these temporary number services can’t be reading the warnings highlighting that everything is posted publicly. Or perhaps, more worryingly, they are and…simply don’t care? Neither possibility is great. The latter viewpoint can slide into a gradual “who cares” feeling in relation to their theoretically private dealings.

It’s also worth noting a lot of the mobile number pages are filled with various kinds of 2FA / authentication codes. The problem with that is many of the sites rotate their numbers. Some vanish after just a few days.

Imagine setting up text-based 2FA on your Outlook account, then losing your phone. With the phone, and more specifically your number, gone, you no longer have a number to send the verification codes to. That would be bad.

Now imagine you’ve set up text-based 2FA on your Outlook account using a number from one of these sites, and the site removed said number from circulation 3 days ago.

This would also be bad.

Even so, it appears people are doing it anyway.

Be smart with your SMS messages

These sites encourage you to use them to make yourself a bit more secure and private. That’s how they sell it, anyway. If you use disposable mobile services for anything sensitive, you may well be causing the reverse to happen. Using them for generic services you don’t want spamming you? Occasional (non-identifiable) passcodes for logins? Probably okay. However, it feels easy to accidentally divulge more than you bargained for in the dusty pages of their logged SMS messages.

There’s no guarantee some sites won’t simply keep messages online forever. Once you hit send, it’s too late to fix a problem. This type of service has been around for some years now, but they seem to be growing in popularity. If you need to use one? Weigh up whether what’s being sent is definitely okay to end up on the big wide web. Once the SMS genie is out of the bottle, it’s not going back in.

The post Watch what you send on anonymous SMS websites appeared first on Malwarebytes Labs.