Subj : Sophos Virus News
To : All
From : Daryl Stout
Date : Thu Oct 25 2018 13:16:22

Here's the latest anti-virus and System Security news from the Naked Security Blog at Sophos. You can access these for yourself at http://nakedsecurity.sophos.com

You can also sign up to receive a daily digest (Monday through Friday) of security issues and links, delivered right to your email box. It's a reminder to PRACTICE SAFE HEX!! You could lose your data via an attack of malware, ransomware, or be a victim of identity theft, otherwise.

Note that text in some of the links may contain text that some may find vulgar, profane, offensive, explicitly sexual, etc. -- these are provided to alert you that your system may have been infected!!

*** Note: The BBS was OFFLINE from mid-September to late October, 2018... due to moving back to my Mom's home, and getting her placed into a nursing home, plus dealing with the finances with it, as her Power Of Attorney. As a result, I have COMBINED all of the "missed items" into one message. You can go to the URL noted at the top of this message, and search for the various items. These may not be in chronological order. Note that this is over a month's worth of data.

*** Is Google's Android app unbundling good for security?
If you live in the EU, turning on a new Android device after 29 October 2018 could look quite different...
*** You don't have to sequence your DNA to be identifiable by your DNA
If you have European ancestry, there's a 60% chance that somebody vaguely related to you can be used to find out who you are.
*** Twitter publishes data on Iranian and Russian troll farms
Over 1m tweets show that we're suckers for funny/sarcastic/edgy, not so much for blah-blah-blah "news" spreaders.
*** Weirdo Twitter messages were a glitch, not a hack
Were you one of the dozens of people who got a bizarre Twitter message yesterday? It's OK. It wasn't a disturbance in the Matrix.
*** Serious SSH bug lets crooks log in just by asking nicely!
A serious bug in libssh could allow crooks to connect to your server - with no password requested or required. Here's what you need to know.
*** What Kanye West can teach us about passcodes
Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that "our president should be flying in," West casually unlocked it using the passcode "000000".
*** 35 state attorney generals tell FCC to pull the plug on robocalls
The AGs want the FCC to adopt SHAKEN and STIR.
*** Experian credit-freeze PINs could be revealed by a simple trick
The credit bureaus' struggles with PINs continue...
*** Payment skimmers sneaking on to websites via third party code
Whatever Magecart is, it's been blamed for several high-profile payment card breaches this summer.
*** Facebook opens up about data breach details
Two weeks after Facebook's first serious data breach, and the social network has shared what it has figured out so far.
*** Beware sextortionists spoofing your own email address
In the past, they've pretended to have your passwords - now they're pretending to send email from your "hacked" account, too.
*** Literary-minded phishers are trying to pilfer publishers' manuscripts
In a twist on Business Email Compromise, they're spoofing literary agents and going after manuscripts at Penguin Random House and Pan Macmillan.
*** Are your jilted apps stalking you?
"Uninstall?" HA! Uninstall trackers enable app developers to game iOS and Android and continue sending push notifications to fleeing users.
*** WordPress takes aim at ancient versions of its software
If you're running a very old version of WordPress on your website, the project's staff would like a word with you.
*** Poorly secured SSH servers targeted by Chalubo botnet
SophosLabs has detected a new DDoS botnet targeting poorly secured SSH servers - called Chalubo, it is named in honour of its use of the ChaCha stream cipher.
*** Former high school teacher pleads guilty to hacking celebrities
A fifth man has pleaded guilty to federal charges of phishing celebrities' and non-celebrities' logins and raiding their iCloud accounts for nude photos.
*** Are you Cyber Aware? How about your friends and family?
A Cyber Aware survey found 30% of Britons still have just one password for all their accounts - so let's help that 30% change their lives!
*** Firefox 63 gets tough with trackers
Mozilla's Enhanced Tracking Protection is going mainstream.
*** Google and Facebook accused of secretly tracking users' locations
Google and Facebook have been hit separately by class action lawsuits accusing them of secretly tracking user locations.
*** Could TLS session resumption be another "super cookie"?
Researchers think they've spotted a tracking technique that nobody has been paying attention to - TLS session resumption.
*** Patch now! Multiple serious flaws found in Drupal
Drupal website owners have some important patching homework to do.
*** Phishing is still the most commonly used attack on organizations, survey says
The survey found that the majority of cyberattacks - 75% - came from outsiders, while 25% were due to insiders.
*** Adult websites shuttered after 1.2 million user details exposed
It's not even close to the number of users affected by the massive Ashley Madison breach, but the results could be just as devastating to those who are affected.
*** Why is Elon Musk promoting this Bitcoin scam? (He's not)
While scrolling through my Twitter feed I saw a Bitcoin scam so unabashed that it got me thinking.... do such scams really work?
*** Pirates! Don't blame your illegal file sharing on family members
Stop blaming your piracy on your mum. You can no longer avoid liability by saying that a family member had access to your connection.
*** Popular website plugin harboured a serious 0-day for years
The flaw in the popular file uploader allows an attacker to upload files and run their own command line shell on any affected server.
*** Alleged robber busted after Facebook-friending victim to apologize
He told her to put down the pizza delivery and all her money on top of it. 26 days later, he found her on Facebook and reached out.
*** Up to 9.5 million net neutrality comments were fake
New York has expanded its probe to subpoena 14 industry groups and lobbyists, saying that fake comments "distort[ed] public opinion."
*** Maker of LuminosityLink RAT gets 30 months in the clink
Prosecutors said that the 21-year-old LuminosityLink author had no respect for the law and showed contempt for moral rules and social norms.
*** "We know you watch porn" (and here's fake proof…) [PODCAST]
Here's Episode 6 of the Naked Security podcast... enjoy!
*** Serious D-Link router security flaws may never be patched
Six routers with serious security flaws are considered end of life (EOL) and may never be updated.
*** Apple privacy portal lets you see everything it knows about you
The Apple website's privacy and data area lets you download and correct your data.
*** The libssh "login with no password" bug - what you need to know [VIDEO]
Here's a video that explains the libssh "no password needed" bug - jargon-free and in plain English. Enjoy...
*** New iPhone lock screen bypass exposes your photos
Jose Rodriguez has demonstrated how an attacker with physical access to a device running iOS 12.0.1 can gain access to photos stored on it.
*** Is this the simple solution to password re-use?
Researchers concluded that passphrase requirements such as a 15-character minimum length deter the majority of users from reusing them on other sites.
*** 35 million US voter records up for sale on the dark web
He or she is selling off the databases by state. Kansas's voter database has already been sold and published, and Oregon is next up for sale.
*** Donald Daters app for pro-Trump singles exposes users' data at launch
A security researcher found a publicly exposed Firebase data repository that was hardcoded in the dating app.
*** US embassy accidentally emails invitation to "cat pyjama-jam" meeting
Canberra's US embassy accidentally exposed details of one of its more enticing get-togethers last week, featuring a cat in a Cookie Monster outfit.
*** How Chrome and Firefox could ruin your online business this month
Last year, Symantec sold off its web certificate business. The new owners are reissuing certs for free - but there's a deadline looming!
*** Google using lock screen passwords to encrypt Android Cloud backups
If, that is, your phone has updated to the Android 9 operating system, otherwise known as Pie. If so, say hi to the Titan chip!
*** How to buy (and set up) a safe and secure baby monitor
Wi-Fi enabled or not? Digital or analog? Here are the features to look for, and how to secure your baby monitor out of the box.
*** Instagram tests sharing your location history with Facebook
Instagram is testing Facebook Location History - which allows the tracking of precise locations from your device - in its app.
*** Millions at risk from default webcam passwords
Hangzhou Xiongmai Technology Co.,Ltd (Xiongmai), the Chinese manufacturer that made many of the devices left vulnerable to Mirai, is back with another vulnerability that puts millions of devices across the world at risk yet again.
*** Jailbroken PS4 seller sued by Sony
The consoles allegedly sold on eBay by the California man were packed with over 60 pirated games.
*** Update now! Microsoft fixes 49 bugs, 12 are critical
Microsoft's October Patch Tuesday update made its scheduled appearance on Tuesday with fixes for 49 security flaws across its family of products, 12 of which are listed as "critical".
*** How a WhatsApp call could have taken over your phone
A WhatsApp buffer overflow that crashed your phone due to audio data sent by a caller meant that just answering a call could spell trouble.
*** Google+ wakes up to what the rest of us already knew
Google's closing down the platform nobody uses and might face a class-action lawsuit over a G+ spawned breach it took 7 months to report.
*** 291 records breached per second in first half of 2018
Over 4.5 billion data records were breached in the first half of this year, according to Gemalto's Breach Level Index released this week.
*** Cyber tormentor leaves a trail that lands him 17.5 years
Ryan S. Lin pleaded guilty to cyberstalking, distribution of child abuse imagery, hoax bomb threats, computer fraud and abuse, and ID theft.
*** Airport mislays world's most expensive USB stick
In October 2017, a member of the public found a USB stick containing a trove of data on security systems and procedures at one of the world's busiest airports.
*** Apple and Amazon hacked by China? Here's what to do (even if it's not true)
Are major US companies really under attack from Chinese "zombie microchips" - and what should we do, whether it's true or not?
*** Microsoft hits the brakes on latest Windows 10 update - what to do
Microsoft has paused the Windows 10 October 2018 update while it investigates reports of deleted profiles and missing files.
*** Don't fall for the Facebook "2nd friend request" hoax
Cloned accounts are a real thing, but this viral message isn't. Don't forward it!
*** Hey Portal, what's that Facebook device in my kitchen?
The company that wants to move fast and break things is moving in!
*** Google ramps up G Suite protections against government-backed attacks
Security alerts become opt-out by default from 10 October because so few admins opted in.
*** Unpatched routers bad, doubly unpatched routers worse - much, much worse!
Two bugs can be four times the trouble! If you missed the last MikroTik router patch, you're at risk, but if you're *two* patches behind ...
*** Attackers use voicemail hack to steal WhatsApp accounts
The Israeli National Cybersecurity Authority issued an alert warning that WhatsApp users could lose control of their accounts.
*** Phantom Secure CEO sold encrypted phones to drug cartels
The CEO of "uncrackable" phone seller, Phantom Secure, has pleaded guilty to helping drug sellers keep their business locked away from the eyes of law enforcement.
*** Seven Russian cyberspies indicted for hacking, wire fraud, ID theft
"Bungling" Russian GRU operatives picked up by Dutch police, linked to OPCW and World Anti-Doping Agency hacks.
*** Fitbit data leads to arrest of 90-year-old in stepdaughter's murder
Her device recorded her heart rate slowing rapidly, then stopping about five minutes before her stepfather left the house.
*** Prison smuggler busted by his own drone camera
It turns out that drones advertised off the back of beautiful aerial shots also take great videos of murky drug dens.
*** Wi-Fi versions to get names people can actually understand
The high priests of Wi-Fi just made your life - and the lives of wireless network equipment vendors everywhere - a little easier.
*** Facebook doubles cooling off period to cash in on your FOMO
Facebook has doubled its grace period because so many leavers are getting cold feet.
*** Google's Intra app secures older Androids with encrypted DNS
DNS encryption is the Next Big Thing in web encryption and Google doesn't want Android users to miss out.
*** Setting up a Mac for young children
A step-by-step guide to preparing a Mac for young children.
*** Cop charged with selling phone tracking service on dark web
A French police officer has been charged with using police intelligence data to power a mobile phone tracking service sold via the dark web.
*** Facebook finds "no evidence" attackers accessed third-party apps
To play it safe, it's building a tool to let developers manually identify any of their users who may have been affected by the big breach.
*** NSA staffer takes top-secret hacking tools home "to study", gets 66 months
Nghia Hoang Pho may not have had malicious intent, but removal of the materials forced the NSA to abandon years of signals collection work.
*** Update now: Adobe fixes 85 serious flaws in Acrobat and Reader
Adobe has released updates fixing a long list of security vulnerabilities discovered in the Mac and Windows versions of Acrobat and Reader.
*** Hacked Fortnite accounts and rent-a-botnet being pushed on Instagram
The gaming and hacking communities overlap: Some of the hacker accounts are offering botnet access as well as Fortnite accounts.
*** Google's new rules for developers make Chrome extensions safer for all
Google has announced a range of security changes to its Chrome browser that will make the use of extensions more secure.
*** The Facebook dilemma - stick it out or pack it in? [PODCAST]
It's been a while but we're back at the microphone - here's Episode 5 of the Naked Security podcast.
*** Hackers demand ransom from hijacked Instagram influencers
Hackers are taking over high-profile Instagram users' accounts and holding them to ransom, revealed reports this week.
*** Lock screen bypass already discovered for Apple's iOS 12
Apple's iOS 12 is barely out of the gates and already someone has found a way to beat its lock screen security to access a device's contents.
*** Suspect forced to unlock iPhone with his face
The order so far hasn't raised Fifth Amendment objections either, your face being something you are, rather than something you know.
*** Students swap data for coffee at cashless cafe
In this US-based cashless cafe, university students hand over personal data in exchange for a dose of caffeine and sponsorship propaganda.
*** How to have that difficult "stay safe online" conversation with your kids
As your children start using the internet with greater independence, help keep them - and their data - safe with these simple tips.
*** You gave your number to Facebook for security and it used it for ads
Facebook has been adding phone numbers registered for 2FA to the other data it uses to target people with advertising.
*** Monero fixes major "burning bug" flaw, preventing mass devaluation
The flaw arises from the use of stealth wallet addresses, an anonymity concept that's especially important to privacy-sensitive Monero users.
*** Big Facebook data breach: 50 million accounts affected
Facebook has suffered a data breach affecting almost 50 million accounts. Another 40 million have been reset as a "precautionary" measure.
*** Firefox Monitor starts tracking breached email addresses
Mozilla has formally launched Firefox Monitor, a privacy-engineered website that hooks up to Troy Hunt's Have I Been Pwned? (HIBP) breach notification database.
*** Spotify offers playlists tailored to your DNA
Spotify and Ancestry have teamed up to let you use your real DNA to tell your "musical" DNA.
*** Malware hits fashion giant SHEIN; 6.42 million online shoppers affected
The online fashion store is now contacting affected users and asking them to change passwords for their online store accounts.
*** Finally, a fix for the encrypted web's Achilles' heel
Everyone knew that SNI needed to be fixed sooner or later, but nobody was quite sure how.
*** Microsoft is killing passwords one announcement at a time
Windows 10 and Office 365 users can now log in to Azure AD applications using only the Authenticator App.
*** Domain flub leaves 30 million customers high and dry
Zoho's CEO begged for help on Twitter after his domain registrar effectively took the company offline, stranding millions of users.
*** Facebook scolds police for using fake accounts to snoop on citizens
Put down that "Bob Smith" fake account and back off, Facebook told the Memphis Police Department, waving its real-names policy in the air.
*** Millions of Twitter DMs may have been exposed by year-long bug
Though the bug was present for over a year, Twitter hasn't found any DMs or protected tweets that were delivered to the wrong developer.
*** Users fret over Chrome auto-login change
Users were complaining this week after discovering they'd been logged in to Google's Chrome browser automatically, after logging into a Google website.
*** AdGuard adblocker resets passwords after credential-stuffing attack
AdGuard has taken the decision to reset all user accounts after suffering a credential-stuffing and brute-force password attack.
*** Woman hijacked CCTV cameras days before Trump inauguration
The ransomware attack on DC's outdoor surveillance cameras came just a few days before the 2017 inauguration of President Trump.
*** Wendy's faces class action over collecting staff fingerprints
Two former Wendy's employees want to know what the company does with employee fingerprints collected by biometric clocks.
*** Bankrupt NCIX customer data resold on Craigslist
What happens to sensitive customer data when a large company that has collected it over many years suddenly goes bust?
*** Facebook faces sanctions if it drags its feet on data transparency
The EU justice commissioner said she's out of patience. Also, she quit Facebook because it's a "channel of dirt."
*** App developers are STILL allowed to read your Gmails
Google is still allowing third-party developers access to its users' Gmail data, it said in a letter to Senators last week.
*** Police accidentally tweet bookmarks that reveal surveilled groups
The Massachusetts State Police (MSP) accidentally spilled some of its opsec onto Twitter last week, uploading a screenshot that revealed browser bookmarks.
*** iTunes is assigning you a "trust score" based on emails and phone calls
It's just a number to detect fraud, not a Black Mirror-esque score that's going to rate us all as social misfits unworthy of wedding invitations.
*** WhatsApp cofounder: "I sold my users' privacy"
Regretful WhatsApp cofounder Brian Acton has joined the ranks of the Silicon Valley mea-culpa-rati.
*** Mobile password managers vulnerable to phishing apps
Several leading Android-based password managers can be fooled into auto-filling login credentials on behalf of fake phishing apps.
*** Power to the people! Google backtracks (a bit) on forced Chrome logins
Google thought it was such a great idea to start logging you into everything when you logged into something... that it forgot to ask.
*** Robocallers slapped with huge fines for using spoofed phone numbers
One poor woman whose phone number was hijacked by robocallers got several calls a day from irate consumers who thought she was trying to market to them.
*** Cryptojacking - coming to a server-laptop-phone near you (and how to stop it)
Cryptomining apps were banned from the Play Store some time ago - but that hasn't stopped the crooks getting cryptojackers past Google...
*** Bitcoin flaw could have allowed dreaded 51% takeover
The scenario was always hypothetical but the fact such a thing was even possible until this week has left some in the Bitcoin community feeling alarmed.
*** Warning issued as Netflix subscribers hit by phishing attack
Netflix phishing scammers are at it again, sending emails that try to steal sensitive details from subscribers.
*** Man who shared Deadpool movie on Facebook faces 6 months in jail
US government recommended six months behind bars. That's one month for every million people that viewed a part of the pirated movie, apparently.
*** US military given the power to hack back/defend forward
The new preventative cybersecurity powers include potentially acting against countries considered friendly toward the US - a risky move, some say.
*** FBI wants to keep "helpful" Mirai botnet authors around
The young men behind the powerful IoT device botnet have been working undercover with law enforcement since they were first fingered.
*** Western Digital goes quiet on unpatched MyCloud flaw
Western Digital has failed to patch a serious security vulnerability in its MyCloud NAS drives that it was told about more than a year ago, researchers have alleged.
*** URL spoofing - what it is and what to do about it [VIDEO]
What happens if your browser doesn't tell you the truth about the identity of the website you're looking at?
*** iOS 12 is here: these are the security features you need to know about
One year to the day after iOS 11 appeared, Apple yesterday released its replacement, iOS 12.
*** Here we Mongo again! Millions of records exposed by insecure database
Another day, another poorly configured MongoDB database.
*** Years on, third party apps still exposing Grindr users' locations
A third party app can use Grindr's distance data to pinpoint a user's location down to a room within a house.
*** How Facebook wants to protect political campaigners from hacking
The social network is trying to protect candidates, elected officials and their staff from "hackers and foreign adversaries".
*** Intel releases firmware update for ME flaw
It's only September and yet 2018 is well on its way to being remembered as the year of fixing flaws we didn't realise were possible in hardware we'd never heard of.
***

--- SBBSecho 3.06-Win32
 * Origin: ILinkNet: The Thunderbolt BBS - wx1der.dyndns.org (454:1/33)