Naked Security

Hackers target Telegram accounts through voicemail backdoor

As politicians should know by now, secure messaging apps such as Telegram can quickly become a double-edged sword.

On the one hand, a growing number of governments are so worried about its security capabilities, they try to ban the app. On the other, politicians who use the app themselves on the assumption of privacy can find their conversations exposed in the media.

The Brazilian Government’s Justice Minister Sergio Moro announced on 5 June 2019 that his smartphone had been hacked, four days before the politically compromising contents of his Telegram chats with a senior prosecutor started turning up as source material for articles in the media.

Since then, it has emerged that other Brazilian politicians, including President Jair Bolsonaro, and Economy Minister Paulo Guedes were also among a total of 1,000 other Telegram accounts targeted, which led to the arrest on 23 July 2019 of four suspects accused of being behind the attacks.

Full article

Naked Security

NAS targeted by brute force ransomware attacks

Network Attached Storage (NAS) company Synology has issued an urgent warning for owners to check their box’s security settings after it emerged cybercriminals are targeting numerous NAS vendors with a new wave of ransomware.

At first it was thought that recent attacks could be exploiting an unknown software vulnerability in Synology’s products, but according to the company it has since been established that the attackers’ method is a much simpler but still effective brute-forcing of admin credentials.

We believe this is an organised attack. After an intensive investigation into this matter, we found that the attacker used botnet addresses to hide the real source IP.

Synology’s Manager of Security Incident Response Team, Ken Lee

Spotted on 19 July 2019, the campaign involves trying lots of commonly used passwords on internet-connected NAS boxes. The attackers hope that eventually they’ll hit on a password that allows them the access necessary to encrypt the data on it.

Full article

WIRED

Security News This Week: WannaCry Hero Marcus Hutchins Won’t Go to Jail for Old Hacking Crimes

In May 2017, a young hacker who goes by the sobriquet MalwareTech singlehandedly saved the world from the devastating WannaCry ransomware outbreak. Three months later, police arrested MalwareTech—real name Marcus Hutchins—over his involvement in creating a piece of malware that helped cybercriminals steal from banks. Hutchins had pleaded guilty to the charges in April. But at a sentencing hearing Tuesday, Judge J.P. Stadtmueller made clear that Hutchins’s WannaCry heroics far outweighed the crimes of his youth, letting him off with a sentence of time served. In other words, Hutchins is free to return to his home in the UK. For a fuller account, and some invaluable insights from Stadtmueller, read Marcy Wheeler’s thread on Twitter.

Full article

ZDNet

Russia ‘probably’ probed voting processes in all 50 states in 2016 election: Senate Committee

The Senate Committee on Intelligence has released the first volume of its investigative report on Russian manipulation and interference of the 2016 US Election, revealing that all 50 states were probably targeted for attempted vote manipulation.

According to the heavily redacted, 67-page report [PDF], the Russian government conducted various intelligence-related activities against US election infrastructure at both state and local level, which began as early as 2014 and continued until at least 2017.

Full article

EFF

Fixed? The FTC Orders Facebook to Stop Using Your 2FA Number for Ads

Since academics and investigative journalists first reported last year that Facebook was using people’s two-factor authentication numbers and “shadow” contact information for targeted advertising, Facebook has shown little public interest in fixing this critical problem. Subsequent demands that Facebook stop all non-essential uses of these phone numbers, and public revelations that Facebook’s phone number abuse was even worse than initially reported, failed to move the company to action.

Yesterday, rather than face a lawsuit from the FTC, Facebook agreed to stop the most egregious of these practices.

Full article

EFF

Thank Q, Next

In its next release, Android plans to up its privacy game. But the operating system still caters to ad trackers at its users’ expense.

The newest release of Android, dubbed “Q,” is currently in late-stage beta testing and slated for a full release this summer. After a year defined by new privacy protections around the world and major privacy failures by Big Tech, this year, Google is trying to convince users that it is serious about “protecting their information.” The word “privacy” was mentioned 22 times during the 2019 Google I/O keynote. Keeping up that trend, Google has made—and marketed—a number of privacy-positive changes to Android for version Q.

Many of the changes in Q are significant improvements for user privacy, from giving users more granular control over location data to randomizing MAC addresses when connecting to WiFi networks by default. However, in at least one area, Q’s improvements are undermined by Android’s continued support of a feature that allows third-party advertisers, including Google itself, to track users across apps. Furthermore, Android still doesn’t let users control their apps’ access to the Internet, a basic permission that would address a wide range of privacy concerns.

Full article

EFF

EFF Extensions Recommended by Firefox

Earlier this month, Mozilla announced the release of Firefox 68, which includes a curated “list of recommended extensions that have been thoroughly reviewed for security, usability and usefulness”. We are pleased to announce that both of our popular browser extensions, HTTPS Everywhere and Privacy Badger, have been included as part of the program. Now, when you navigate to the built-in Firefox add-ons page (URL: about:addons), you’ll see a new tab: “Recommendations,” which includes HTTPS Everywhere and Privacy Badger among a list of other recommended extensions. In addition, they will be highlighted in Add-ons for Firefox and in add-on searches.

Full article

Ars Technica

Judge allows suit against AT&T after $24 million cryptocurrency theft

When Michael Terpin’s smartphone suddenly stopped working in June 2017, he knew it wasn’t a good sign. He called his cellular provider, AT&T, and learned that a hacker had gained control of his phone number.

The stakes were high because Terpin is a wealthy and prominent cryptocurrency investor. Terpin says the hackers gained control of his Skype account and tricked a client into sending a cryptocurrency payment to the hackers instead of to Terpin.

Full article

Naked Security

Facebook admits to Messenger Kids security hole

Facebook was red-faced this week after admitting to a loophole in its child-focused Messenger Kids system.

The company was found apologizing to parents via email after a hole in the supposed closed-loop messaging system allowed children to join group chats with people their parents hadn’t approved.

Full article

ZDNet

NSA to establish a defense-minded division named the Cybersecurity Directorate

The National Security Agency announced today plans to establish a new defense-minded cyber-security division that will focus on defending the US against foreign cyber-threats.

This new division, which will be named the Cybersecurity Directorate, will become operational on October 1, later this year.

Anne Neuberger will be the division’s first Director of Cybersecurity. She will report directly to General Paul Nakasone, the NSA’s Director.

Neuberger’s previous positions included NSA Chief Risk Officer; Deputy Director of Operations; and Lead of NSA’s Russia Small Group.

The Russia Small Group was a joint collaboration between the NSA and US Cyber Command to counteract Russian interference during the 2018 US midterm elections.

Full article