Naked Security
You’ve probably heard or seen the news that the US CISA issued an alert this week with the unassuming identifier AA20-302A.
CISA is short for Cybersecurity and Infrastructure Security Agency, and the AA20-302A report was a joint alert from CISA, the FBI and the HHS (US Department of Health and Human Services).
Of course, you won’t have heard the news by its codename.
Naked Security
Aren’t SMSes dead? Aren’t they just plain old text anyway? Surely they’re of no interest to cybercriminals any more?
Well, SMSes aren’t dead at all – they’re still widely used because of their simplicity and convenience.
Indeed, as a general-purpose short message service – which is literally what the letters SMS stand for – it’s hard to beat, because any phone can receive text messages, from the fanciest smartphone to the cheapest pre-paid mobile.
If all you need to transmit is a 6-digit logon code or a “pizza driver now 2 minutes away” notification, SMSes still make excellent business sense.
Sadly, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing – an attack that’s wryly known as smishing.
Naked Security
An article published on the open-to-allcomers blogging site Medium earlier this week has made for some scary headlines.
Written as an independent research piece by an author going only by nusenu, the story is headlined:
How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
Loosely speaking, that strapline implies that if you visit a website using Tor, typically in the hope of remaining anonymous and keeping away from unwanted surveillance, censorship or even just plain old web tracking for marketing purposes…
…then one in four of those visits (perhaps more!) will be subject to the purposeful scrutiny of cybercriminals.
That sounds more than just worrying – it makes it sound as though using Tor could be making you even less secure than you already are, and therefore that going back to a regular browser for everything might be an important step.
So let’s look quickly at how Tor works, how crooks (and countries with strict rules about censorship and surveillance) might abuse it, and just how scary the abovementioned headline really is.
Naked Security
The US Department of Justice just issued a press release entitled simply, “Three Individuals Charged for Alleged Roles in Twitter Hack.”
In some ways, the Twitter hack referred to, which happened just two weeks ago on 2020-07-15, was tiny.
In a world in which data breaches involving millions, hundreds of millions and even billions of accounts aren’t unusual, the fact that Twitter lost control of just 45 accounts seems, at first glance, almost inconsequential. (Estimates suggest that Twitter has about one third of a billion active users.)
But there are two reasons why that’s not the case.
Naked Security
If you run a website or a blog, you probably use a cloud provider or a dedicated hosting company to manage your server and deliver the content to your readers, viewers and listeners.
We certainly do – both Naked Security and our sister site Sophos News are hosted by WordPress VIP.
Naked Security
We don’t know whether lockdown has anything to do with it, but how time flies!
We couldn’t believe it either – it’s four weeks since Firefox’s last regular security update.
If you want to check your version numbers, Firefox 76.0 is now replaced by 77.0; Firefox 68.8.0ESR is now 68.9.0ESR, and the Tor Browser, based on Firefox ESR, is now at version 9.5 and based on 68.9.0ESR.
As we’ve explained before but we’ll mention again because it’s useful to know, the first two numbers in the ESR version should add up to the leftmost number in the regular release.
So the current ESR is based on the feature set of Firefox 68, but with 9 updates’ worth of regular security fixes in there, so it is at 68+9=77 in security terms.
For organisational users of Firefox who are conservative about new software features but aggressive about installing security patches, the ESR version is an excellent compromise.
Naked Security
Amtrak, the national rail service for the US, has suffered a data breach that may have exposed some customers’ logins and other personally identifiable information (PII), the service has disclosed.
Naked Security
It’s happened again!
A weird combination of Unicode characters that make up a nonsense word can crash your iPhone, apparently by confusing the iOS operating system when it tries to figure out how to display the “word”.
(We say apparently because we have an iPhone 6+, which is stuck back on iOS 12, and we couldn’t get our phone to crash, although we’ve seen one person on Twitter claiming that their iOS 12 device was affected.)
If you’re a regular Naked Security reader, you’ll have a feeling not just of having read this before but of having read it before before, because we covered similar troubles for iOS back in 2013 and in 2018.
Naked Security
Mobile app developers Tommy Mysk and Talal Haj Bakry just published a blog article entitled “TikTok vulnerability enables hackers to show users fake videos“.
As far as we can see, they’re right.
(We replicated their results with a slightly older Android version of TikTok from a few days ago, 15.5.44; their tests included the very latest builds on Android and iOS, numbered 15.7.4 and 15.5.6 respectively.)
We used a similar approach to Mysk and Haj Bakry to look at the network traffic produced by TikTok – we installed the tPacketCapture app on Android and then ran the TikTok app for a while to flip through a few popular videos.
The tPacketCapture app works rather like tcpdump on Unix/Linux computers, logging your network packets to a file called a .pcap (short for packet capture) that you can analyze later at your leisure.
We imported our .pcap file back into Wireshark on Linux, which automatically “dissects” the captured packets to give you a human-readable interpretation of their contents.
Naked Security
A researcher has stumbled on a big security flaw affecting OpenWrt, an open source operating system used by millions of home and small business routers and embedded devices.
OpenWrt has become a popular Linux alternative to the stock software that vendors ship with home routers. Other examples of this type of router software include DD-WRT and Tomato.
It can used to replace the factory firmware on any router product with the correct hardware, for example, models from NetGear, Linksys, Zyxel and others.
