Naked Security
Google, whose Project Zero bug-hunting team is often surprisingly vocal when describing and discussing software vulnerabilities, has taken a very quiet approach to a just-patched bug in its Chrome browser.
GnuPG crypto library can be pwned during decryption – patch now!
Naked Security
Bug hunter Tavis Ormandy of Google’s Project Zero just discovered a dangerous bug in the GNU Privacy Guard team’s libgcrypt encryption software.
The libgcrypt library is an open-source toolkit that anyone can use, but it’s probably best known as the encryption library used by the GNU Privacy Guard team’s own widely deployed GnuPG software (that’s the package you are using when you run the command gpg or gpg2).
Europol announces bust of “world’s biggest” dark web marketplace
Naked Security
You probably don’t need to be told what sort of products were on offer at an online retail site called DarkMarket.
As you can imagine, it operated on the so-called dark web, and you’d have needed the Tor browser to access it, using a special web address ending in .onion.
Onion addresses can only be reached via Tor – you don’t, and indeed can’t, look up the IP number where they can be reached on the internet, as you can with regular sites like nakedsecurity.sophos.com (192.0.66.200 at the time of writing, if you were wondering).
Instead, you need to connect to the Tor network and ask it to locate and connect to onion sites for you, assuming you know what onion address to use in the first place.
Using a special anonymising protocol, Tor arranges for the “other end” of your anonymised connection into Tor to be paired up with the “other end” of the relevant onion site’s connection into Tor, after which you can talk to each other.
Your traffic gets all the way to the onion site, but you have no idea where that site is because you can only trace your packets until they first enter the Tor network.
Similarly, the server’s replies get back to you, but the server has no idea where you are, for the same reason in reverse.
Home schooling – how to stay secure
Naked Security
Many pupils are starting their new school term from home rather than the classroom.
For families with younger kids, home schooling is often the first time that their children have needed to use computers (rather than gaming consoles) in earnest.
Whether you’re new to home schooling, going back to it after a break, or an old hand, it’s worth taking a moment to ensure you’re doing it securely.
Taking the time to establish good security practices now will lay the foundations for safe IT use in the years to come.
FBI “ransomware warning” for healthcare is a warning for everyone!
Naked Security
You’ve probably heard or seen the news that the US CISA issued an alert this week with the unassuming identifier AA20-302A.
CISA is short for Cybersecurity and Infrastructure Security Agency, and the AA20-302A report was a joint alert from CISA, the FBI and the HHS (US Department of Health and Human Services).
Of course, you won’t have heard the news by its codename.
iPhone 12 scam pretends to be Apple “chatbot” – don’t fall for it!
Naked Security
Aren’t SMSes dead? Aren’t they just plain old text anyway? Surely they’re of no interest to cybercriminals any more?
Well, SMSes aren’t dead at all – they’re still widely used because of their simplicity and convenience.
Indeed, as a general-purpose short message service – which is literally what the letters SMS stand for – it’s hard to beat, because any phone can receive text messages, from the fanciest smartphone to the cheapest pre-paid mobile.
If all you need to transmit is a 6-digit logon code or a “pizza driver now 2 minutes away” notification, SMSes still make excellent business sense.
Sadly, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing – an attack that’s wryly known as smishing.
Tor and anonymous browsing – just how safe is it?
Naked Security
An article published on the open-to-allcomers blogging site Medium earlier this week has made for some scary headlines.
Written as an independent research piece by an author going only by nusenu, the story is headlined:
How Malicious Tor Relays are Exploiting Users in 2020 (Part I)
Loosely speaking, that strapline implies that if you visit a website using Tor, typically in the hope of remaining anonymous and keeping away from unwanted surveillance, censorship or even just plain old web tracking for marketing purposes…
…then one in four of those visits (perhaps more!) will be subject to the purposeful scrutiny of cybercriminals.
That sounds more than just worrying – it makes it sound as though using Tor could be making you even less secure than you already are, and therefore that going back to a regular browser for everything might be an important step.
So let’s look quickly at how Tor works, how crooks (and countries with strict rules about censorship and surveillance) might abuse it, and just how scary the abovementioned headline really is.
Twitter hack – three suspects charged in the US
Naked Security
The US Department of Justice just issued a press release entitled simply, “Three Individuals Charged for Alleged Roles in Twitter Hack.”
In some ways, the Twitter hack referred to, which happened just two weeks ago on 2020-07-15, was tiny.
In a world in which data breaches involving millions, hundreds of millions and even billions of accounts aren’t unusual, the fact that Twitter lost control of just 45 accounts seems, at first glance, almost inconsequential. (Estimates suggest that Twitter has about one third of a billion active users.)
But there are two reasons why that’s not the case.
Beware “secure DNS” scam targeting website owners and bloggers
Naked Security
If you run a website or a blog, you probably use a cloud provider or a dedicated hosting company to manage your server and deliver the content to your readers, viewers and listeners.
We certainly do – both Naked Security and our sister site Sophos News are hosted by WordPress VIP.
Firefox fixes cryptographic data leakage in latest security update
Naked Security
We don’t know whether lockdown has anything to do with it, but how time flies!
We couldn’t believe it either – it’s four weeks since Firefox’s last regular security update.
If you want to check your version numbers, Firefox 76.0 is now replaced by 77.0; Firefox 68.8.0ESR is now 68.9.0ESR, and the Tor Browser, based on Firefox ESR, is now at version 9.5 and based on 68.9.0ESR.
As we’ve explained before but we’ll mention again because it’s useful to know, the first two numbers in the ESR version should add up to the leftmost number in the regular release.
So the current ESR is based on the feature set of Firefox 68, but with 9 updates’ worth of regular security fixes in there, so it is at 68+9=77 in security terms.
For organisational users of Firefox who are conservative about new software features but aggressive about installing security patches, the ESR version is an excellent compromise.