Don’t pay the ransom, mate. Don’t even fix a price, say Australia’s cyber security bods

The Register

Most online attacks could be easily avoided by following basic cyber security advice, Australia’s national cyber security bureau has said – even as it warned that the impact and severity of things like ransomware attacks are getting worse and worse.

Cybercriminals follow the money, said the Australian Cyber Security Centre (ACSC) in its annual report for 2019-20, published earlier this week.

Over the past 12 months the ACSC has observed real-world impacts of ransomware incidents, which have typically originated from a user executing a file received as part of a spearphishing campaign, said the agency, adding that after the initial breach attackers typically try to exploit remote desktop-type apps to hunt for anything worth stealing – or deleting.

Full article

Who was behind that stunning Twitter hack? State spies? Probably this Florida kid, say US prosecutors

The Register

Three individuals were charged on Friday for allegedly hijacking a string of high-profile Twitter accounts after hoodwinking the social network’s staff.

It is claimed a social-engineering-driven phishing campaign against Twitter employees led to the brief takeover on July 15 of 45 out of 130 targeted prominent accounts to promote a Bitcoin scam. Accounts belonging to Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, and Kim Kardashian, and to companies like Apple, Uber, and various cryptocurrency exchanges were among those commandeered.

The hijacked accounts were used to urge Twitter users to donate Bitcoin to a specific address, with the promise that a larger sum would be returned. Those involved collected more than $100,000 worth of cryptocurrency. The miscreants also managed to access the Twitter Direct Messages in 36 accounts, and to download Twitter account data for seven accounts.

The account takeovers attracted national and international attention, and elicited concern that the social network’s lax internal security could threaten social stability and national security.

Full article

MI6 tried to intervene in independent court by stopping judge seeing legal papers – but they said sorry, so it’s OK

The Register

The UK’s Secret Intelligence Service, aka MI6, has been accused of trying to tamper with a court that is supposed to oversee and regulate it after an extraordinary tale emerged yesterday.

Two spies from the secretive agency attempted to prevent Lord Justice Rabinder Singh, president of the Investigatory Powers Tribunal (IPT), from reading a secret investigation report from spy agency auditor the Investigatory Powers Commissioner’s Office (IPCO).

The revelations came during a hearing in an ongoing case before the tribunal yesterday, over exactly what crimes MI6 informants are allowed to commit before the state investigates and punishes those crimes. Last year an IPT case established that spies and informants can break the law with impunity.

A classified report from IPCO was included in a bundle of court papers intended to be read by Lord Justice Singh in early 2019. MI6 decided it wanted to stop Singh from reading the report, which contained material critical of the agency.

Two spies phoned the IPT to demand that the report was kept away from the judge’s eyes. IPT secretary Susan Cobb wrote back to say: “It was inappropriate for your staff to seek to intervene in ongoing legal proceedings in the way that they sought to do,” the Daily Mail and BBC reported.

Full article

Twitter hackers busted 2FA to access accounts and then reset user passwords

The Register

Twitter has revealed more about the July 15 attack that saw several prominent accounts hijacked to promote a Bitcoin scam.

The Saturday, July 18 update admits the attackers “successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”

You read that right: even 2FA failed.

Full article

Living on a prayer? Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models

The Register

Netgear has now patched 28 out of 79 vulnerable router models, six months after infosec researchers first noticed security problems potentially allowing an attacker to remotely execute code as root.

The latest hotfixes come after two models were fixed earlier in June. The vulnerability in question could, for example, allow the opening of a superuser-level telnet backdoor, as we reported at the time.

Over the past few weeks Netgear has been pushing out fixes, having so far plugged problems with 28 of the 79 models it says are affected by the unwanted remote-superuser flaw.

The vulnerabilities, initially discovered by Trend Micro’s Zero Day Initiative (ZDI) in January, were meant to have been patched by 15 June. Netgear asked for an extension at the end of May for a further month, prompting the ZDI to publish an advisory note.

An infosec outfit called Grimm followed that up by releasing live exploit code for two of the unfixed vulns, which stung Netgear into patching two devices early on.

Full article

Google joins Apple in limiting web certificates to one year

The Register

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats.

If that sounds familiar, it’s because we told you so in February before the iGiant even formally announced the policy. A month later, it revealed the rules with a few exceptions. For example, this policy applies to certificates issued ultimately from root CAs known to Apple’s operating systems, not user or administrator-added CAs.
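The 398-day rule is easy to state but has two caveats worth checking against a real certificate: it applies only to certificates issued on or after September 1, 2020 (an assumption taken from Apple’s published policy, not stated on this page), and only to chains that end in a root the OS already trusts, not in a CA an administrator added. The following script is an added example, not code from The Register or Apple; it parses the output of `openssl x509 -noout -dates` (a constructed sample is embedded inline) and applies the rule with both caveats. The `publicly_trusted` flag is assumed to be supplied by the caller, since this script does not walk the chain itself.

```python
from datetime import datetime, timedelta, timezone

# Apple/Google ceiling for certificates chaining to a publicly trusted root.
MAX_VALIDITY_DAYS = 398
# Assumption (from Apple's policy, not this page): the rule bites on
# certificates issued on or after 1 September 2020, 00:00 UTC.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)


def parse_openssl_date(text):
    """Parse a date as printed by `openssl x509 -noout -dates`,
    e.g. 'Jun  1 00:00:00 2020 GMT' (note the two spaces before a
    single-digit day; strptime tolerates that)."""
    parsed = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def parse_dates_output(output):
    """Return (notBefore, notAfter) from the two-line `-dates` output."""
    fields = {}
    for line in output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = parse_openssl_date(value)
    return fields["notBefore"], fields["notAfter"]


def validity_days(not_before, not_after):
    """Validity period in (possibly fractional) days."""
    return (not_after - not_before) / timedelta(days=1)


def violates_398_day_rule(not_before, not_after, publicly_trusted=True):
    """True when Safari/Chrome would reject the certificate for its lifetime.

    A certificate chaining to a user- or admin-added CA is exempt, as is
    anything issued before the policy start date; everything else must
    fit within MAX_VALIDITY_DAYS.
    """
    if not publicly_trusted:
        return False
    if not_before < POLICY_START:
        return False
    return validity_days(not_before, not_after) > MAX_VALIDITY_DAYS


# Constructed sample: what `openssl x509 -in cert.pem -noout -dates`
# prints for a two-year certificate issued after the policy start.
SAMPLE_TWO_YEAR = """notBefore=Oct  1 00:00:00 2020 GMT
notAfter=Oct  1 00:00:00 2022 GMT
"""


def check_sample(output=SAMPLE_TWO_YEAR, publicly_trusted=True):
    """Convenience wrapper: parse openssl output and apply the rule."""
    not_before, not_after = parse_dates_output(output)
    return violates_398_day_rule(not_before, not_after, publicly_trusted)


if __name__ == "__main__":
    nb, na = parse_dates_output(SAMPLE_TWO_YEAR)
    print(f"validity: {validity_days(nb, na):.0f} days, "
          f"rejected by 398-day rule: {violates_398_day_rule(nb, na)}")
```

Feed it a live certificate with `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -dates` and pass `publicly_trusted=False` for anything signed by an internal CA; the length check alone says nothing about whether a given browser will actually reject the certificate.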

Full article

UK police’s face recognition tech breaks human rights laws. Outlaw it, civil rights group urges Court of Appeal

The Register

Automated facial recognition (AFR) use by British police forces breaches human rights laws, according to lawyers for a man whose face was scanned by the creepycam tech in Cardiff.

Put simply, connected to a database with the right information, AFR could be used to identify very large numbers of people in a given place at a given time, Dan Squires QC told the Court of Appeal of England and Wales in written arguments this morning.

Full article

At Mozilla VPN stands for Vague Product News: Foundation reveals security product will launch eventually, with temporary pricing, in unspecified places

The Register

The Mozilla Foundation has announced it will soon launch its VPN.

The organisation’s announcement is rather vague, as it says the product will debut “in the next few weeks” and protect up to five devices for $4.99 a month. But that price will be offered “for a limited time” without word of when it will change or what it will change to.

There’s also uncertainty about where and when the product will become available. Mozilla says: “We are working hard to make the official product, the Mozilla VPN, available in selected regions this year.”

The definite info in the announcement is that the VPN will exit Beta phase in the next few weeks, move out of the Firefox Private Network brand, and become a stand-alone product, Mozilla VPN, to serve a larger audience.

We also know the VPN works on Windows 10, Android, iOS and Chromebooks, with MacOS and Linux support planned. Other certainties are that the VPN tech comes from Swedish outfit Mullvad and uses the WireGuard protocol.

Full article

Fake crypto-wallet extensions appear in Chrome Web Store once again, siphoning off victims’ passwords

The Register

Three weeks after Google removed 49 Chrome extensions from its browser’s software store for stealing crypto-wallet credentials, 11 more password-swiping add-ons have been spotted – and some are still available to download.

The dodgy add-ons masquerade as legit crypto-wallet extensions, and invite people to type in their credentials to access their digital money, but are totally unofficial, and designed to siphon off those login details to crooks.

Harry Denley, director of security at MyCrypto, who identified the previous lot of bad extensions, told The Register at least eight among the latest crop of 11 impostors, pretending to be crypto-wallet software KeyKeep, Jaxx, Ledger, and MetaMask, have been taken down.

Denley provided The Register with a list of extension identifiers, previously reported to Google, and we were able to find some still available in the Chrome Web Store at time of writing.

Full article

UK finds itself almost alone with centralized virus contact-tracing app that probably won’t work well, asks for your location, may be illegal

The Register

Britain is sleepwalking into another coronavirus disaster by failing to listen to global consensus and expert analysis with the release of the NHS COVID-19 contact-tracing app.

On Monday, the UK government explained in depth and in clearly written language how its iOS and Android smartphone application – undergoing trials in the Isle of Wight – will work, and why it is a better solution to the one by Apple and Google that other nations have decided to adopt. It has also released a more technical explanation.

Unfortunately for folks in the UK, while the explanation is coherent, calm, well-reasoned and plausible, it is likely to be a repeat of the disastrous “herd immunity” policy that the government initially backed as a way to explain why it didn’t need to go into a national lockdown. That policy was also well-reasoned and well-explained by a small number of very competent doctors and scientists who just happened to be completely wrong.

Here’s what’s happening: there are broadly two types of coronavirus contact-tracing apps, those that are centralized and those that are decentralized. The first takes data from people’s phones and saves it on a central system where experts are trusted to make the best possible use of the data, including providing advice to people as and when necessary.

Full article