More on DataSpii: How extensions hide their data grabs—and how they’re discovered


This post is by Dan Goodin from Ars Technica


You can trust us! (credit: Irakli Kalandarishvili / EyeEm / Getty)

In our 5,000-word piece on “DataSpii,” we explained how researcher Sam Jadali spent tens of thousands of dollars investigating the murky Internet ecosystem of browser extensions that collect and share your web history. Those histories could end up at sites like Nacho Analytics, where they can reveal personal or corporate data.

Here, we want to offer more detail for the technically curious reader on exactly how these browser extensions work—and how they were discovered.

Obscurity

Discovering which browser extensions were responsible for siphoning up this data was a months-long task. Why was it so difficult? In part because the browser extensions appeared to obscure exactly what they were doing. Both Hover Zoom and SpeakIt!, for instance, waited more than three weeks after installation on Jadali’s computers to begin collection. Then, once collection started, it was


My browser, the spy: How extensions slurped up browsing histories from 4M users


(credit: Aurich Lawson / Getty)

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google’s account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag


Microsoft warns 10,000 customers they’re targeted by nation-sponsored hackers


Glass and steel skyscraper with flags of multiple nations in front of it.

Microsoft said on Wednesday that it has notified almost 10,000 customers in the past year that they’re being targeted by nation-sponsored hackers.

According to a post from Microsoft Corporate Vice President of Customer Security & Trust Tom Burt, about 84% of the attacks targeted customers that were large, “enterprise” organizations such as corporations. The remaining 16% of attacks targeted consumer email accounts. Burt said some of the 10,000 customers were successfully compromised while others were only targeted, but he didn’t provide figures.

“This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives,” Burt wrote. Microsoft presented the figures Wednesday at the Aspen Security Forum.


Website driveby attacks on routers are alive and well. Here’s what to do



D-Link’s DI-514 802.11b router. It was a perfectly cromulent router for its time… but those were dark days, friend, dark days indeed. (credit: source unclear, GNU Free Documentation License.)

Website driveby attacks that try to booby-trap visitors’ routers are alive and well, according to antivirus provider Avast, which blocked more than 4.6 million of them in Brazil over a two-month span.

The attacks come from compromised websites or malicious ads that attempt to use cross-site request forgery (CSRF) attacks to change the Domain Name System (DNS) settings of visitors’ routers. When successful, the malicious DNS settings redirect targets to websites that spoof Netflix and a host of banks. Over the first half of the year, Avast software detected more than 180,000 routers in Brazil that had hijacked DNS settings, the company reported.

The attacks work when routers use weak administrative passwords and are vulnerable to CSRF attacks. Attackers use


Eavesdropping flaw prompts Apple to suspend Walkie-Talkie app


Apple Watch. (credit: Valentina Palladino)

Apple has suspended use of the Walkie-Talkie app in the Apple Watch until the company fixes a recently discovered vulnerability that could let someone listen to a person’s iPhone without permission, news site TechCrunch reported.

The Walkie-Talkie app allows people who accept an invitation to talk with friends in real time without the hassle of making a phone call. Parties press a button when speaking and release it to hear what the other party says. Apple introduced the feature in 2015 as part of its WatchOS 5 update.

Apple told TechCrunch that the flaw could allow someone to listen through another party’s iPhone without consent. Apple didn’t provide specifics of the vulnerability or exactly how it could be exploited. The company said it learned of the vulnerability through its vulnerability reporting page. Apple apologized for the temporary suspension while engineers investigate and fix


Silent Mac update nukes dangerous webserver installed by Zoom


Pedestrians use crosswalk in large metropolis. (credit: Kena Betancur/Getty Images)

Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.

The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.

Apple on Wednesday issued an update of its own, a company representative speaking on background told Ars. The update ensures the webserver is removed—even if users have uninstalled Zoom or haven’t installed Tuesday’s update. Apple delivered the silent update automatically, meaning there was no notification or action required


Whitehats use DoS attack to score key victory against ransomware crooks


A diagram showing how a DoS shut down an ongoing ransomware campaign. (credit: Intezer)

Whitehats used a novel denial-of-service hack to score a key victory against ransomware criminals. Unfortunately, the blackhats have struck back by updating their infrastructure, leaving the fight with no clear winner.

Researchers at security firm Intezer performed the DoS technique against ransomware dubbed QNAPCrypt, a largely undetected strain that, as its name suggests, infects network storage devices made by Taiwan-based QNAP Systems and possibly other manufacturers. The hack spread by exploiting secure shell (SSH) connections that used weak passwords. The researchers’ analysis found that each victim received a unique bitcoin wallet for sending ransoms, a measure that was most likely intended to prevent the attackers from being traced. The analysis also showed that QNAPCrypt only encrypted devices after they received the wallet address and a public RSA key from the command-and-control server.


Zoom for Mac made it too easy for hackers to access webcams. Here’s what to do (updated)


Artist's impression of wireless hackers in your computer.

Update: As this post was being reported, Zoom developers reversed their previous position and issued an update that changes the contested behavior.

“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom’s Jonathan Farley wrote. “But in hearing the outcry from our users in the past 24 hours, we have decided to make the updates to our service.”

The update makes the following changes:


D-Link agrees to new security monitoring to settle FTC charges



Router and webcam maker D-Link has agreed to implement a new security program to settle charges it failed to safeguard its hardware against well-known and preventable hacks and misrepresented its existing security regimen.

Tuesday’s agreement settles a 2017 complaint by the US Federal Trade Commission that alleged D-Link left thousands of customers open to potentially costly hack attacks. The hardware maker, the FTC said, failed to test its gear against security flaws ranked among the most critical and widespread by the Open Web Application Security Project. The 2017 suit also said that, despite the lack of testing and hardening of its products, D-Link misrepresented its security regimen as reasonable.

Specific shortcomings cited by the FTC included:


Researchers crack open Facebook campaign that pushed malware for years


Artist’s impression of wireless hackers in your computer. (credit: TimeStopper/Getty Images)

Researchers have exposed a network of Facebook accounts that used Libya-themed news and topics to push malware to tens of thousands of people over a five-year span.

Links to the Windows and Android-based malware first came to researchers’ attention when the researchers found them included in Facebook postings impersonating Field Marshal Khalifa Haftar, commander of Libya’s National Army. The fake account, which was created in early April and had more than 11,000 followers, purported to publish documents showing countries such as Qatar and Turkey conspiring against Libya and photos of a captured pilot who tried to bomb the capital city of Tripoli. Other posts promised to offer mobile applications that Libyan citizens could use to join the country’s armed forces.

According to a post published on Monday by security firm Check Point, most of the links


In-the-wild Mac malware kept busy in June—here’s a rundown



June was a busy month for Mac malware, with the active circulation of at least six threats, several of which were able to bypass security protections Apple has built into modern versions of macOS.

The latest discovery was published Friday by Mac antivirus provider Intego, which disclosed malware dubbed OSX/CrescentCore that’s available through Google search results and other mainstream channels. It masquerades as an updater or installer for Adobe’s Flash media player, but it’s in fact just a persistent means for its operators to install malicious Safari extensions, rogue disk cleaners, and potentially other unwanted software.

“The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites,” Intego’s Joshua Long wrote of two separate versions of the malware his company has found. “Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.”


New ransomware infections are the worst drive-by attacks in recent memory


Screenshot of ransomware. (credit: Malwarebytes)

An ongoing operation that’s installing ransomware and other malware on the computers of unsuspecting website visitors is one of the most potent drive-by attack campaigns researchers have seen in recent memory.

The attacks install three pieces of malware using an exploit kit called GreenFlash Sundown, which researchers identified in 2015 and have continued to follow since. Attacks in recent weeks have spiked again as ShadowGate—one of the names given to the hacker group behind the campaign—has unleashed a highly revamped version of the exploit kit on hacked ad servers run by Web publishers. The most notable compromise is of an ad server belonging to onlinevideoconverter[.]com, a site with more than 200 million visitors per month that converts YouTube videos into video files that can be stored on a computer hard drive.

“They are ongoing and with a scale we haven’t seen in a couple of


Potent Firefox 0-day used to install undetected backdoors on Macs


The fox animoji. (credit: Samuel Axon)

Hackers exploited a pair of potent zero-day vulnerabilities in Firefox to infect Mac users with a largely undetected backdoor, according to accounts pieced together from multiple people.

Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system. Interestingly, a researcher at Google’s Project Zero had privately reported the code-execution flaw to Mozilla in mid-April.

On Monday, as Mozilla was readying a fix for the Array.pop flaw, unknown hackers deployed an attack that combined working exploits for both vulnerabilities. The hackers then used the attack against employees of Coinbase, according to Philip


Nation-sponsored hackers likely carried out hostile takeover of rival group’s servers



If nation-sponsored hacking were baseball, the Russian-speaking group called Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France’s military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations.

Now, researchers with security firm Symantec have uncovered evidence of Turla doing something that would be a first for any nation-sponsored hacking group. Turla, Symantec believes, conducted a hostile takeover of an attack platform belonging to a competing hacking group called OilRig, which researchers at FireEye and other firms have linked to the Iranian government. Symantec suspects Turla then used the hijacked network to attack a Middle Eastern government OilRig had


New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems


(credit: JIP)

The Linux and FreeBSD operating systems contain newly discovered vulnerabilities that make it easy for hackers to remotely crash servers and disrupt communications, researchers have warned. OS distributors are advising users to install patches when available or to change system settings in ways that lower the chances of successful exploits.

The most severe of the vulnerabilities, dubbed SACK Panic, can be exploited by sending a specially crafted sequence of TCP Selective ACKnowledgements to a vulnerable computer or server. The system will respond by crashing, or in the parlance of engineers, entering a kernel panic. Successful exploitation of this vulnerability, tracked as CVE-2019-11477, results in a remote denial of service (DoS).

A second vulnerability also works by sending a series of malicious SACKs that consumes computing resources of the vulnerable system. Exploits most commonly work by fragmenting a queue reserved for retransmitting TCP packets. In some OS versions, attackers


Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks



Content delivery network Cloudflare is introducing a free service designed to make it harder for browser-trusted HTTPS certificates to fall into the hands of bad guys who exploit Internet weaknesses at the time the certificates are issued.

The attacks were described in a paper published last year titled “Bamboozling Certificate Authorities with BGP.” In it, researchers from Princeton University warned that attackers could manipulate the Internet’s Border Gateway Protocol (BGP) to obtain certificates for domains the attackers had no control over.

Browser-trusted certificate authorities are required to use a process known as domain control validation to verify that a person requesting a certificate for a given domain is the legitimate owner. It requires the requesting party to do one of three things:


Russia warns that reported US attacks on its power grid could trigger “cyberwar”


Zapadnaya in the Moscow region. (credit: Vladimir Fedorenko / Владимир Федоренко)

The Kremlin on Monday warned that reported US digital incursions into Russia’s electric power grid could trigger a “cyberwar” between the two countries.

The warning came two days after The New York Times reported that the US Cyber Command, the arm of the Pentagon that runs the military’s offensive and defensive operations in the online world, was aggressively stepping up its targeting of Russia’s grid. Saturday’s report said the command had taken steps to place “potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before.” In some cases, the NYT reported, Pentagon and intelligence officials have been hesitant to brief President Trump in detail about the activities out of concern he might countermand the operations or discuss them with foreign officials. Last year, Trump gave


Hackers behind dangerous oil and gas intrusions are probing US power grids


Power lines in Page, Arizona (credit: IIP Photo Archive)

In a troubling new escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.

The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East. Researchers from Dragos have labeled the group the world’s most dangerous cyber threat ever since.

The most alarming thing about this attack was its use of never-before-seen malware that targeted the facility’s safety processes. Such safety instrumented systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising.


If you haven’t patched Vim or NeoVim text editors, you really, really should


(credit: unknown)

A recently patched vulnerability in text editors preinstalled in a variety of Linux distributions allows hackers to take control of computers when users open a malicious text file. The latest version of Apple’s macOS is continuing to use a vulnerable version, although attacks only work when users have changed a default setting that enables a feature called modelines.

Vim and its forked derivative, NeoVim, contained a flaw that resided in modelines. This feature lets users specify window dimensions and other custom options near the start or end of a text file. While modelines restricts the commands available and runs them inside a sandbox that’s cordoned off from the operating system, researcher Armin Razmjou noticed that the source! command (including the bang on the end) bypassed that protection.

“It reads and executes commands from a given file as if typed manually, running them after the sandbox has been


I’ll be passing on Google’s new 2fa for logins on iPhones and iPads. Here’s why


(credit: Google)

Google is expanding its new Android-based two-factor authentication (2fa) to people logging in to Google and Google Cloud services on iPhones and iPads. While Google deserves props for trying to make stronger authentication available to more users, I’ll be avoiding it in favor of 2fa methods Google has had in place for years. I’ll explain why later. First, here’s some background.

Google first announced Android’s built-in security key in April, when it went into beta, and again in May, when it became generally available. The idea is to make devices running Android 7 and up the user’s primary 2fa device. When someone enters a valid password into a Google account, the phone displays a message alerting the account owner. Users then tap a “yes” button if the login is legitimate. If it’s an unauthorized attempt, the user can block the login from going through.

The system aims
