Fake crypto-wallet extensions appear in Chrome Web Store once again, siphoning off victims’ passwords

The Register

Three weeks after Google removed 49 Chrome extensions from its browser’s software store for stealing crypto-wallet credentials, 11 more password-swiping add-ons have been spotted – and some are still available to download.

The dodgy add-ons masquerade as legit crypto-wallet extensions, and invite people to type in their credentials to access their digital money, but are totally unofficial, and designed to siphon off those login details to crooks.

Harry Denley, director of security at MyCrypto, who identified the previous lot of bad extensions, told The Register at least eight among the latest crop of 11 impostors, pretending to be crypto-wallet software KeyKeep, Jaxx, Ledger, and MetaMask, have been taken down.

Denley provided The Register with a list of extension identifiers, previously reported to Google, and we were able to find some still available in the Chrome Web Store at time of writing.

Full article

UK finds itself almost alone with centralized virus contact-tracing app that probably won’t work well, asks for your location, may be illegal

The Register

Britain is sleepwalking into another coronavirus disaster by failing to listen to global consensus and expert analysis with the release of the NHS COVID-19 contact-tracking app.

On Monday, the UK government explained in depth and in clearly written language how its iOS and Android smartphone application – undergoing trials in the Isle of Wight – will work, and why it is a better solution to the one by Apple and Google that other nations have decided to adopt. It has also released a more technical explanation.

Unfortunately for folks in UK, while the explanation is coherent, calm, well-reasoned and plausible, it is likely to be a repeat of the disastrous “herd immunity” policy that the government initially backed as a way to explain why it didn’t need to go into a national lockdown. That policy was also well-reasoned and well-explained by a small number of very competent doctors and scientists who just happened to be completely wrong.

Here’s what happening: there are broadly two types of coronavirus contact-tracing apps; those that are centralized and those that are decentralized. The first takes data from people’s phones and saves it on a central system where experts are trusted to make the best possible use of the data, including providing advice to people as and when necessary.

Full article

Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard

The Register

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

Britain’s Surveillance Camera Commissioner Tony Porter described the security lapse as “both astonishing and worrying,” and demanded a full probe into the snafu.

Full article

Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks

The Register

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file.

Penned by independent security researcher Chris Culnane, University of Melbourne tutor, cryptography researcher and masters student Eleanor McMurtry, developer Robert Merkel and Australian National University associate professor and Thinking Security CEO Vanessa Teague and posted to GitHub, the analysis notes three concerning design choices.

The first-addressed is the decision to change UniqueIDs – the identifier the app shares with other users – once every two hours and for devices to only accept a new UniqueID if the app is running. The four researchers say this will make it possible for the government to understand if users are running the app.

Full article

Linksys forces password reset for Smart Wi-Fi accounts after router DNS hack pointed users at COVID-19 malware

The Register

Router biz Linksys has reset all its customers’ Smart Wi-Fi account passwords after cybercrims accessed a bunch and redirected hapless users to COVID-19 themed malware.

The mass reset took place after all user accounts were locked on 2 April, following infosec firm Bitdefender revealing that malicious persons were pwning Linksys devices through cred-stuffing attacks.

Hackers with access to Linksys Smart Wi-Fi accounts were changing home routers’ DNS server settings. Compromised users’ attempts to reach domains ranging from Disney, pornography, and Amazon AWS were redirected to a webpage peddling a coronavirus-themed app “that displays a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19.”

The app was hosted on Bitbucket, a Git-style collaboration tool. Instead of health advice it dispensed the Oski info-stealing malware, whcih helps itself to one’s login credentials for various services, including cryptocurrency wallets.

Linksys customers were told of the password reset by the firm earlier this week, along with cryptic and confusing references to “the COVID-19 malware”. Affected users must now change their passwords the next time they log into the Linksys Smart Wi-Fi app.

Jen Wei Warren, Linksys parent firm Belkin’s global PR veep, told The Register that the original illicit access to customer routers through their cloud-hosted Smart Wi-Fi accounts was a successful credential-stuffing attempt using login details harvested from previous breaches elsewhere.

Full article

Cloudflare dumps Google’s reCAPTCHA, moves to hCaptcha as free ride ends (and something about privacy)

The Register

Cloudflare on Wednesday said it is ditching Google’s reCAPTCHA bot detector for a similar service called hCaptcha out of concerns about privacy and availability, but mostly cost.

The network services biz said it initially adopted reCAPTCHA because it was free, effective, and worked at scale. Some Cloudflare customers, however, have expressed reservations about having data sent to Google.

Google’s reCAPTCHA v3, used on about 1.2m websites, provides a way for web publishers to present puzzles called CAPTCHAs (completely automated public Turing test to tell computers and humans apart) that can usually, but not always, distinguish automated website interaction from human engagement. The point of presenting such challenges is to keep bots from registering fake accounts and conducting other sorts of online abuse.

In a blog post, CEO Matthew Prince and product manager Sergi Isasi observed that while Google is an advertising business and Cloudflare is not, Cloudflare nonetheless reconciled itself to Google’s privacy policy even if it made some customers wary.

Full article

Mozilla plugs two Firefox browser holes exploited in the wild by hackers to hijack victims’ computers

The Register

Mozilla has released security updates for its Firefox browser in conjunction with a US Cybersecurity and Infrastructure Security Agency (CISA) advisory warning that critical vulnerabilities in the browser are being actively exploited.

“An attacker could exploit these vulnerabilities to take control of an affected system,” US CISA said, without providing any specific details about the two bugs. “These vulnerabilities have been detected in exploits in the wild.”

To address these flaws, Firefox was updated to version 74.0.1 and Firefox Extended Support Release (ESR) – a slower evolving version for enterprises – was updated to 68.6.1. Firefox users should automatically receive these updates unless this capability has been disabled. Users can also check their version of Firefox via the Firefox -> About Firefox menu and manually initiate an update if one is available.

The bugs were reported by security researchers Francisco Alonso and Javier Marcos, the latter affiliated JMPSec. Reached via Twitter, Marcos declined to comment further.

Full article

Zoom’s end-to-end encryption isn’t actually end-to-end at all. Good thing the PM isn’t using it for Cabinet calls. Oh, for f…

The Register

UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty.

The tweet also disclosed the Zoom meeting ID was 539-544-323, and fortunately that appears to have been password protected. That’s a good thing because miscreants hijacking unprotected Zoom calls is a thing.

Crucially, the use of the Zoom software is likely to have infuriated the security services, while also raising questions about whether the UK government has its own secure video-conferencing facilities. We asked GCHQ, and it told us that it was a Number 10 issue. Downing Street declined to comment.

The decision to use Zoom, as millions of others stuck at home during the coronavirus outbreak are doing, comes as concerns are growing about the conferencing app’s business model and security practices.

Full article

Hey, China. Maybe you should have held your hackers off for a bit while COVID-19 ravaged the planet. Just a suggestion

The Register

Proving that no good crisis ever goes to waste, Chinese government hacking crew APT41 launched a campaign that abuses vulns in Citrix Netscaler and Zoho ManageEngine, according to threat intel outfit FireEye.

As well as targeting load balancers and network management suites, the Chinese interference operatives spent three months, at the height of Wuhan’s COVID-19 coronavirus outbreak, exploiting weaknesses in Cisco routers.

“This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years,” intoned FireEye in a statement.

Their targets were indiscriminate, ranging from governments, banking and finance, oil and gas, pharmaceutical, tech, defence and more.

Full article

Hong Kong makes wearable trackers mandatory for new arrivals, checks in with ‘surprise calls’ too

The Register

Hong Kong has made it mandatory for all new arrivals to wear an “electronic wristband” that links to a smartphone to provide location-tracking services, so that authorities can be sure they’re observing COVID-19 quarantine requirements. And the city-state insists its privacy commissioner has signed off on the idea because it “does not pose privacy concerns.”

As explained today by government CIO Victor Lam, “the app will not capture directly the location, but only capture the changes in the location, especially the telecommunication and communication signals around the confinee to ensure that he (or she) is staying at home.”

Full article