Calibration Attack Drills Down on iPhone, Pixel Users

Originally seen: Threatpost on May 23rd, 2019 by Tara Seals

A new way of tracking mobile users creates a globally unique device fingerprint that browsers and other protections can’t stop.

A proof-of-concept for a new type of privacy attack, dubbed “calibration fingerprinting,” uses data from Apple iPhone sensors to construct a globally unique fingerprint for any given mobile user. Researchers said that this provides an unusually effective means to track people as they browse across the mobile web and move between apps on their phones.

Further, the approach also affects Pixel phones from Google, which run on Android.

A research team from the University of Cambridge in the UK released their findings this week, showing that data gathered from the accelerometer, gyroscope and magnetometer sensors found in the smartphones can be used to generate the calibration fingerprint in less than a second – and that it never changes, even after a factory reset.

The attack also can be launched by any website a person visits via a mobile browser, or any app, without needing explicit confirmation or consent from the target.

In Apple’s case, the issue results from a weakness in iOS 12.1 and earlier, so iPhone users should update to the latest OS version as soon as possible. Google has not yet addressed the problem, according to the researchers.

A device fingerprint allows websites to detect return visits or track users, and in its innocuous form, can be used to protect against identity theft or credit-card fraud; advertisers often also rely on this to build a user profile to serve targeted ads.

Fingerprints are usually built with pretty basic info: The name and version of your browser, screen size, fonts installed and so on. And browsers are increasingly using blocking mechanisms to thwart such efforts in the name of privacy: On Apple iOS for iPhone for instance, the Mobile Safari browser uses Intelligent Tracking Prevention to restrict the use of cookies, prevent access to unique device settings and eliminate cross-domain tracking.

However, on any iOS device running a version below 12.2, including the latest iPhone XS, iPhone XS Max and iPhone XR, it is possible to get around those protections by taking advantage of the fact that the motion sensors in modern smartphones use microfabrication (MEMS) to emulate the mechanical parts found in traditional sensor devices, according to the paper.

“MEMS sensors are usually less accurate than their optical counterparts due to various types of error,” the team said. “In general, these errors can be categorized as deterministic and random. Sensor calibration is the process of identifying and removing the deterministic errors from the sensor.”

Websites and apps can access the data from sensors, without any special permission from the users. In analyzing this freely accessible information, the researchers found that it was possible to infer the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for these systematic manufacturing errors. That calibration data can then be used as the fingerprint, because despite perceived homogeneity, every Apple iPhone is just a little bit different – even if two devices are from the same manufacturing batch.

“We found that the gyroscope and magnetometer on iOS devices are factory-calibrated and the calibration data differs from device-to-device,” the researchers said. “Extracting the calibration data typically takes less than one second and does not depend on the position or orientation of the device.”

Creating a globally unique calibration fingerprint requires adding a little more information, however, for instance from traditional fingerprinting sources.

“We demonstrated that our approach can produce globally unique fingerprints for iOS devices from an installed app — around 67 bits of entropy for the iPhone 6S,” they said. “Calibration fingerprints generated by a website are less unique (~42 bits of entropy for the iPhone 6S), but they are orthogonal to existing fingerprinting techniques and together they are likely to form a globally unique fingerprint for iOS devices.”

A longitudinal study also showed that the calibration fingerprint, which the researchers dubbed “SensorID,” doesn’t change over time or vary with conditions.

“We have not observed any change in the SensorID of our test devices in the past half year,” they wrote. “Our dataset includes devices running iOS 9/10/11/12. We have tested compass calibration, factory reset, and updating iOS (up until iOS 12.1); the SensorID always stays the same. We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SensorID either.”

In terms of how applicable the SensorID approach is, the research team found that both mainstream browsers (Safari, Chrome, Firefox and Opera) and privacy-enhanced browsers (Brave and Firefox Focus) are vulnerable to the attack, even with the fingerprinting protection mode turned on.

Further, motion sensor data is accessed by 2,653 of the Alexa top 100,000 websites, the research found, including more than 100 websites exfiltrating motion-sensor data to remote servers.

“This is troublesome since it is likely that the SensorID can be calculated with exfiltrated data, allowing retrospective device fingerprinting,” the researchers wrote.

However, it’s possible to mitigate the calibration fingerprint attack on the vendor side by adding uniformly distributed random noise to the sensor outputs before calibration is applied at the factory level – something Apple did starting with iOS 12.2.

“Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain,” the paper said.
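The two vendor-side mitigations above can be checked in a toy model of a single gyroscope axis. This is an added example, not code from the SensorID paper or from Apple or Google: the sensor model, the nominal gain and the two devices' calibration constants are constructed, and a simple lattice-spacing check is used as the measure of whether the per-device gain still shows through the reported values.

```python
from fractions import Fraction
from math import gcd
import random

# Nominal gyroscope gain shared by every device of this toy model
# (constructed value: degrees/second per ADC count).
NOMINAL_GAIN = Fraction(1, 1000)


class ToySensor:
    """One axis of a factory-calibrated MEMS sensor (constructed model).

    The ADC produces integer counts; firmware reports gain * (count - offset),
    where gain and offset are the per-device factory calibration constants
    the article says can be inferred from the reported values.
    """

    def __init__(self, gain, offset, seed):
        self.gain = Fraction(gain)
        self.offset = offset
        self.rng = random.Random(seed)

    def calibrated(self, n):
        """n un-mitigated readings: each one is an exact multiple of self.gain."""
        counts = [self.rng.randint(-2000, 2000) for _ in range(n)]
        return [self.gain * (c - self.offset) for c in counts]


def lattice_spacing(samples):
    """Smallest step of which every sample difference is an integer multiple.

    On un-mitigated output this recovers the device gain (the fingerprint);
    a mitigation works if the step it leaves is the same for every device.
    gcd of two fractions a/b and c/d is gcd(a*d, c*b) / (b*d).
    """
    step = Fraction(0)
    for s in samples[1:]:
        d = s - samples[0]
        step = Fraction(gcd(step.numerator * d.denominator, d.numerator * step.denominator),
                        step.denominator * d.denominator)
    return step


def round_to_nominal(samples):
    """Mitigation 1 (the paper's alternative): round to the nearest multiple of the nominal gain."""
    return [round(s / NOMINAL_GAIN) * NOMINAL_GAIN for s in samples]


def add_uniform_noise(samples, seed=3):
    """Mitigation 2 (what Apple did from iOS 12.2, per the article): add uniformly
    distributed random noise of about one nominal step. The noise is kept rational
    (1/1000 of a half step) so lattice_spacing can still be run on the result;
    real firmware would use continuous noise."""
    rng = random.Random(seed)
    half = NOMINAL_GAIN / 2
    return [s + Fraction(rng.randint(-1000, 1000), 1000) * half for s in samples]


def distinguishable(dev_a, dev_b, mitigation=None, n=200):
    """True when the recovered step differs between the two devices, i.e. the
    per-device calibration still separates them after `mitigation`."""
    steps = []
    for dev in (dev_a, dev_b):
        out = dev.calibrated(n)
        if mitigation is not None:
            out = mitigation(out)
        steps.append(lattice_spacing(out))
    return steps[0] != steps[1]


# Two constructed devices whose factory gains deviate from nominal by +0.3% and -0.3%.
DEV_A = ToySensor(NOMINAL_GAIN * Fraction(1003, 1000), offset=12, seed=1)
DEV_B = ToySensor(NOMINAL_GAIN * Fraction(997, 1000), offset=-7, seed=2)


def demo():
    """Whether the two devices can still be told apart under each treatment."""
    return {
        "unmitigated": distinguishable(DEV_A, DEV_B),
        "rounded": distinguishable(DEV_A, DEV_B, round_to_nominal),
        "noised": distinguishable(DEV_A, DEV_B, add_uniform_noise),
    }


if __name__ == "__main__":
    for name, leaks in demo().items():
        print(f"{name:12s} devices distinguishable: {leaks}")
```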

Privacy-focused mobile browsers meanwhile can add an option to disable the access to motion sensors via JavaScript.

“This could help protect Android devices and iOS devices that no longer receive updates from Apple,” according to the paper.

Although most of the research focused on iPhone, Apple is not the only vendor affected: The team found that the accelerometer of Google Pixel 2 and Pixel 3 can also be fingerprinted by the approach.

That said, the fingerprint has less individual entropy and is unlikely to be globally unique – meaning other kinds of fingerprinting data would also need to be gathered for full device-specific tracking.

Also, the paper noted that other Android devices that are also factory calibrated might be vulnerable but were outside the scope of testing.

While Apple addressed the issue, Google, which was notified in December about the attack vector, is still in the process of “investigating this issue,” according to the paper.

Threatpost has reached out to the internet giant for comment.

Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Originally seen: Helpnetsecurity on May 20th, 2019

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report.

SaaS webmail phishing increased

The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter.

Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services include sales management, customer relationship management (CRM), human resource, billing and other office applications and collaboration tools.

“Phishers are interested in stealing logins to SaaS sites because they yield financial data and also personnel data, which can be leveraged for spear-phishing,” said Greg Aaron, APWG Senior Research Fellow.

Stefanie Ellis, AntiFraud Product & Marketing Manager at MarkMonitor said: “The total number of confirmed phishing sites increased in early 2019, with the biggest jump in March.”

The total number of phishing sites detected in 1Q of 2019 was 180,768. That was up notably from the 138,328 seen in the fourth quarter of 2018, and from the 151,014 seen in the third quarter of 2018.

Payment services and financial institutions continued to suffer a high number of phishing attacks. But attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3 percent of all attacks in the first quarter of 2018 to just 2 percent in the first quarter of 2019.

Meanwhile, cybercriminals deployed HTTPS-protected phishing websites in record numbers, according to PhishLabs: nearly 60 percent of the phishing websites detected in 1Q 2019 used the encryption protocol, a record high.

Phishers turn this security feature against users, relying on the padlock icon that HTTPS produces in the browser address bar to assure users that the website itself is trustworthy.

“In Q1 2019, 58 percent of phishing sites were using SSL certificates, a significant increase from the prior quarter where 46 percent were using certificates,” said John LaCour, CTO of PhishLabs.

“There are two reasons we see more. Attackers can easily create free DV (Domain Validated) certificates, and more web sites are using SSL in general. More web sites are using SSL because browsers warn users when SSL is not used. And most phishing is hosted on hacked, legitimate sites.”

The Nasty List Phishing Scam is Sweeping Through Instagram

Originally seen on April 13, 2019: Bleepingcomputer by Lawrence Abrams

A new phishing scam called “The Nasty List” is sweeping through Instagram and is targeting victims’ login credentials. If a user falls victim, the hackers will use their account to further promote the phishing scam.

The Nasty List scam is being spread through hacked accounts that send messages to their followers stating that they were spotted on a so-called “Nasty List”. These messages state something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.”

Messages being sent from hacked accounts

According to screenshots shared with BleepingComputer, the scammers attempt to send these messages to all followers of a hacked account.

If a recipient visits the listed profile, it will be named something like “The Nasty”, “Nasty List”, or “YOUR ON HERE!!”. The profiles include a description similar to “People are really putting all of us on here, I’m already in 37th position, if your reading this you must be on it too.” or “WOW you are really on here, ranked 100! this is horrible, CANT WAIT TO REVEAL THE TOP 10!” as shown below.

Example Nasty List Scam Profiles

These profile descriptions also include a link that supposedly allows you to see this Nasty List and why you are on it. For example, the above profiles are using the URL nastylist-instatop50[.]me, which when visited will display what appears to be a very legitimate-looking Instagram login page.

Fake Instagram Login Page

While the above page looks real, it is important to pay attention to the URL listed at the top of the window, as indicated by the red arrow in the image above. As you can see, this login page is actually located at nastylist-instatop50[.]me, which is obviously not a legitimate Instagram site.

To avoid falling for an Instagram phishing scam like the Nasty List, if you are at a page that does not belong to the instagram.com web site, never enter your login credentials.
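The advice above (enter credentials only on a page that belongs to instagram.com) is the same check a password manager or browser extension makes before filling a login form. This is an added example, not code from the BleepingComputer article; the function names are hypothetical, and the phishing host is the one named above with the defanging brackets removed.

```python
from urllib.parse import urlsplit

LEGITIMATE_SITE = "instagram.com"


def page_host(url):
    """Hostname of the page, lower-cased and without a trailing dot, or None.

    urlsplit() treats anything before '@' as user info, so a lookalike such as
    https://instagram.com@nastylist-instatop50.me/ yields the real host.
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def belongs_to(url, site=LEGITIMATE_SITE):
    """True only when the page host is `site` itself or a subdomain of it.

    A plain substring or endswith() test would accept notinstagram.com and
    instagram.com.nastylist-instatop50.me; the dot-boundary check does not.
    """
    host = page_host(url)
    if host is None:
        return False
    site = site.lower()
    return host == site or host.endswith("." + site)


# Constructed sample pages: the real login URL, the host from the article,
# and the usual lookalike tricks built from it, with the expected verdict.
SAMPLE_PAGES = {
    "https://www.instagram.com/accounts/login/": True,
    "https://instagram.com/": True,
    "https://nastylist-instatop50.me/": False,
    "https://instagram.com.nastylist-instatop50.me/accounts/login/": False,
    "https://instagram.com@nastylist-instatop50.me/": False,
    "https://notinstagram.com/": False,
    "http://INSTAGRAM.COM/": True,
    "javascript:alert(1)": False,
}


def mismatches(pages=SAMPLE_PAGES):
    """Pages whose verdict disagrees with the expected one (empty when the check behaves)."""
    return {url: belongs_to(url) for url, expected in pages.items() if belongs_to(url) != expected}


if __name__ == "__main__":
    for url, expected in SAMPLE_PAGES.items():
        print(f"{'OK ' if belongs_to(url) else 'NO '} {url}")
    print("mismatches:", mismatches())
```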

What to do if you were hacked by this scam?

If you have been hacked by the “Nasty List” phishing scam and you still have access to your account, the first thing you should do is verify that your account is using the correct phone number and email address.

You can do this by going to your profile and selecting Edit Profile. Then scroll to the bottom to view your email address and phone number. If it’s not correct, try to change it to the correct information.

Once you have correct email and phone number listed, you want to change your password by following these instructions.

Once you have changed your password, all devices currently logged into your account will be logged off. You can then log back in to regain control of your account.

Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent

Originally seen on April 17, 2019: Business Insider by Rob Price

Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts.

Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.

The revelation comes after pseudonymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was “importing” your contacts without asking for permission first.

At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.

A Facebook spokesperson said before May 2016, it offered an option to verify a user’s account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.

Facebook didn’t access the content of users’ emails, the spokesperson added. But users’ contacts can still be highly sensitive data — revealing who people are communicating with and connect to.

While 1.5 million people’s contact books were directly harvested by Facebook, the total number of people whose contact information was improperly obtained by Facebook may well be in the dozens or even hundreds of millions, as people sometimes have hundreds of contacts stored on their email accounts. The spokesperson could not provide a figure for the total number of contacts obtained this way.

Users weren’t given any warning before their contact data was grabbed

The screenshot below shows the password entry page users saw upon sign up. After they entered their password and clicked the blue “connect” button, Facebook would begin harvesting users’ email contact data without asking for permission.

(Screenshot: Business Insider)

After clicking the blue “connect” button, a dialog box (screenshot below) popped up saying “importing contacts.” There was no way to opt out, cancel the process, or interrupt it midway through.

(Screenshot: Rob Price)

Business Insider discovered this was happening by signing up for Facebook with a fake account before Facebook discontinued the password verification feature. In our test, after the authentication loading screen finished, a new box popped up saying it didn’t find any contacts, and then took us to the homescreen of the social network.

A user might have been able to infer from this that their contacts were being accessed — but there was no way to stop it happening, or advance notice ahead of time.

(Screenshot: BI)

From one crisis to another

The incident is the latest privacy misstep from the beleaguered technology giant, which has lurched from scandal to scandal over the past two years.

Since the Cambridge Analytica scandal in early 2018, when it emerged that the political firm had illicitly harvested tens of millions of Facebook users’ data, the company’s approach to handling users’ data has come under intense scrutiny. More recently, in March 2019, the company disclosed that it was inadvertently storing hundreds of millions of users’ account passwords in plaintext, contrary to security best practices.

Facebook now plans to notify the 1.5 million users affected over the coming days and delete their contacts from the company’s systems.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said in a statement.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

Amazon employees listen in to your conversations with Alexa

A report suggests you may have eavesdroppers in your living room.
Originally seen: April 11, 2019 on ZDNet by Charlie Osborne

Amazon is using a team of human staff to eavesdrop on queries made to Amazon Alexa-enabled smart speakers in a bid to improve the voice assistant’s accuracy, a new report suggests.

If you check out your Amazon Echo smart speaker’s history via the Alexa app (Alexa Account > History), depending on where and when you use the device, you may see little more than general, genuine queries.

My history is full of cooking timer requests, light control commands, and news briefings.

There are also a few nonsense recordings generated by the nearby television on record — including a man talking about his dog and politics mentioned once or twice — and while they may be seen as acceptable recording errors, the idea of an unknown human listening in may be enough to make you uneasy.

According to Bloomberg, this may be the case, as Amazon staff in areas including Boston, Costa Rica, India, and Romania are listening in to as many as 1,000 audio clips per day during nine-hour shifts.

While much of the work is described as “mundane,” such as listening in for phrases including “Taylor Swift” to give the voice assistant context to commands, other clips captured are more private — including the example of a woman singing in the shower and a child “screaming for help.”

Recordings sent to the human teams do not include full names, but they do link each clip to an account name, device serial number and the user’s first name.

Some members of the team are tasked with transcribing commands and analyzing whether or not Alexa responded properly. Others are asked to jot down background noises and conversations picked up improperly by the device.

“The teams use internal chat rooms to share files when they need help parsing a muddled word — or come across an amusing recording,” Bloomberg says.

In some cases, however, the soundbites were not so amusing. Two unnamed sources told the publication that in several cases they picked up potentially criminal and upsetting activities, accidentally recorded by Alexa.

An Amazon spokesperson said in an email that only “an extremely small sample of Alexa voice recordings” is annotated in order to improve the customer experience.

“We take the security and privacy of our customers’ personal information seriously,” the spokesperson added. “We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system.”

It is possible to withdraw from these kinds of programs for the benefit of your personal privacy. In order to do so, jump into the Alexa app and go to Alexa Account > Alexa Privacy > “Manage how your data improves Alexa.”

In this tab, you can toggle various options including whether or not you permit your Alexa usage to be used to “develop new features,” and whether messages you send with Alexa can be used by Amazon to “improve transcription accuracy.”

In related news, the Intercept reported in January that Amazon-owned Ring provided its Ukraine-based research and development team close to “unfettered” access to an unencrypted folder full of all the video footage recorded by every Ring camera worldwide. Some employees had access to a form of ‘god’ mode which permitted 24/7 access to customer camera feeds.

Parent company of popular restaurants breached; payment card data exposed.

What happened?

Earl Enterprises, which manages popular restaurant brands including Buca di Beppo, Planet Hollywood, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria, announced that nearly 100 restaurant locations around the United States may have exposed customer payment card data over a 10-month period from May 2018 to March 2019.

In a data breach notice posted on its website, Earl Enterprises confirmed that malware was installed on some point of sale systems at certain affected restaurant locations. The malware was designed to capture payment card data, including credit and debit card numbers, expiration dates, and cardholder names. Orders paid for online through third-party apps or platforms were not affected by this breach. Per the company, the incident has been contained and is being investigated.

Earl Enterprises has yet to confirm the size of the breach, but independent security researchers reported that over 2 million stolen cards are now for sale on the dark web, seemingly as a result of it.

What does this mean?

While cardholders are generally not liable for fraudulent charges, it is important to monitor your credit and debit card accounts for suspicious charges and report fraudulent activity to your bank in a timely fashion.

Albany, NY, is coping with a ransomware attack

Originally seen on: April 6th, 2019 by Kevin Collier

(CNN) When Albany, New York, patrolman Gregory McGee went to work last Sunday morning, he got the unpleasant news that hackers had rendered many of the internet-connected tools he relied on for work inoperable.

“We were crippled, essentially, for a whole day,” McGee, who’s vice president of the Albany Police Department’s union, told CNN.

“All of our incident reports, all of our crime reports, that’s all digitized,” McGee said, which meant cops had to write down everything that happened on paper. They showed up to work and had no access to staff schedules.

“We were like, who’s working today?” McGee said. “We have no idea what our manpower is, who’s supposed to be here.”

The culprit was the City of Albany getting infected last Saturday with ransomware, in which malicious software spreads across a network, rendering computers inaccessible, encrypting their files and demanding a fee to go away. The city had recently taken over management of most of the police department’s networks.

City Hall itself experienced a number of municipal service interruptions, too. Albany residents were told to go elsewhere to get birth certificates, death certificates or marriage licenses. Some residents complain that building and development applications haven’t been available via the city’s website, Councilwoman Judy Doesschate told CNN.

What ransomware does

Ransomware fundamentally works as an extortion scheme, encrypting computers and demanding an extortion fee to unlock them. In recent years it has become one of the most prominent problems in cybersecurity. It’s often deployed by criminal hackers simply seeking money, though the US has said the two most infamous strains, WannaCry and NotPetya, were authored by the North Korean and Russian governments, respectively.

That the ransomware hit on a Saturday is likely no coincidence, said Kelly Shortridge, the vice president of strategy at Capsule8, a New York cybersecurity company.

“By infecting an organization with ransomware on a weekend, defenders are more likely to be at a farmers market than looking at their security command center,” Shortridge said. “The heightened sense of panic and scrambling may lead to defenders being more willing to pay out higher costs for the decryption keys, as well.”

Albany declined to share additional details, including what type of ransomware it’s facing and whether it’s hired a third-party company to mitigate the problem, but a spokesperson for the New York State Office of Information Technology Services told CNN it is assisting.

There’s no indication yet who may have deployed the attack, and there are a number of active groups that use ransomware to extort funds. There is precedent for the US accusing individuals of infecting cities with ransomware, however. In November, the US Department of Justice charged two Iranian men with a campaign of targeted ransomware attacks whose more than 200 victims included hospitals, municipalities and public institutions, including the cities of Atlanta and Newark, New Jersey.

After the initial Albany hit

Things started to get better after the beginning of the week. On Monday afternoon, police were able to digitally file incident reports again. A spokesperson for the Albany Police Department said the department “has remained adequately staffed since the attack and there was never an interruption in police services to our community,” but declined further comment.

By Tuesday, the city was able to process marriage licenses again.

Birth and death certificates, however, are still unavailable from City Hall. As of the first week of the attack, at least 17 people from Albany had contacted the State Department of Health instead for birth or death certificates.

And the police department’s scheduling program was still unusable. McGee, scheduled to teach a safety class Friday, didn’t know who he would be teaching.

“Nobody knows who has training today,” he said. “We have no idea who’s actually going to be there.”

Doesschate, the councilwoman, told CNN that while the ransomware has been an inconvenience for constituents who haven’t been able to access certain information online, it was relative.

“Up until about 2 1/2 years ago, this information was not regularly posted online,” she said. “It is disappointing and a bit frustrating, but in the scheme of things, not horrible.”

ThreatList: Phishing Attacks Doubled in 2018

Originally seen on March 12th, 2019 by Lindsey O’Donnell

Scammers used older, tried-and-true phishing tactics in 2018 – but also newer tricks, such as fresh distribution methods, according to a new report.

Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks – such as scams tied to current events – as well as other stealthy, fresher tactics.

Researchers with Kaspersky Lab said in a Tuesday report that during the course of 2018, they detected phishing redirection attempts 482.5 million times – up from the 246.2 million attempts detected in 2017. In total, 18.32 percent of users were attacked, researchers said.

“We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019,” according to the report, by Maria Vergelis, Tatyana Shcherbakova and Tatyana Sidorina with Kaspersky Lab. “Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this.”

Bad actors continued to rely on an age-old trick in 2018 for phishing attacks: using newsworthy events, such as new smartphone launches, sales seasons, tax deadlines, and the EU General Data Protection Regulation (GDPR) to hook the victim.

Phishing emails purporting to be about GDPR, for instance, boomed in the first few months of 2018, because during those months there was an upturn in legitimate GDPR mailings warning users of the transition to the new policies, which require stringent processes to store and process personal data of European citizens.

Attackers unsurprisingly took advantage of this with their own GDPR-related emails: “It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business,” said researchers.

Other top events, such as the 2018 FIFA World Cup and the launch of the new iPhone sparked phishing attempts, including emails leading to fake FIFA partner websites for the former, and spam messages purporting to sell accessories and replica gadgets for the latter.

Despite the cryptocurrency market’s struggle in 2018, bad actors’ interest in cryptocurrencies appears far from waning. In fact, scammers utilized a number of methods to capitalize on victims’ interests in the cryptocurrency market, such as posing as a cryptocurrency exchange or fake Initial Coin Offering (ICO) bent on convincing victims into transferring money to cryptocurrency wallets.

“In 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges and platforms,” researchers said. “Fraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.”

When it came to ICOs, scammers extended invitations to victims for investing in various ICOs via email and social-media posts.

One such scam targeted a cryptocurrency called buzcoin; the scammers got ahold of the project mailing list and sent fake presale invitations to subscribers before the ICO began – eventually making away with $15,000, according to Kaspersky Lab.

There were also sextortion scams that coerced victims to send cryptocurrency in exchange for keeping quiet about their private online activities, with one campaign in July noted for using victims’ legitimate password in the email as a scare tactic; and another one in December hit victims with ransomware.

Researchers said they don’t expect attackers’ interests in cryptocurrency to die down any time soon: “In 2019, spammers will continue to exploit the cryptocurrency topic,” they said. “We expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.”

In 2018, the number of malicious messages in spam was 1.2 times lower than in 2017, according to researchers. Of those malicious messages, the most widely distributed malicious object in email (Exploit.Win32, CVE-2017-11882) exploited a patched Microsoft vulnerability that allowed the attacker to execute arbitrary code.

Despite this downturn in malicious emails, scammers appear to be looking to other sneaky tactics to avoid detection and still make off with victims’ credentials — in particular using non-typical formats for spam like ISO, IQY, PIF and PUB attachments.

“2018 saw a continuation of the trend for attention to detail in email presentation,” researchers said. “Cybercriminals imitated actual business correspondence using the companies’ real details, including signatures and logos.”

In addition, bad actors appeared to transition to new channels of content distribution beyond email – including social media sites, services like Spotify, or even Google Translate.

“Cybercriminals in 2018 used new methods of communication with their ‘audience,’ including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages,” said researchers. “Hand-in-hand with this, as illustrated by [an] attack on universities, fraudsters are seeking not only new channels, but new targets as well.”

9 QUESTIONS FOR FACEBOOK AFTER ZUCKERBERG’S PRIVACY MANIFESTO


Originally seen: March 7th, 2019 by Nicholas Thompson of Wired.

Yesterday afternoon, Mark Zuckerberg presented an entirely new philosophy. For 15 years, the stated goal of Facebook has been to make the world more open and connected; the unstated goal was constructing a targeted advertising system built on nearly infinite data. Yesterday, though, Zuckerberg pronounced that the company is reversing course. The social network of the future won’t be one where everyone connects openly together, as in a town square; it will be one where more connections happen one to one, as in a living room. Instead of data permanence, data will disappear.

Facebook isn’t putting the current platform—worth roughly half a trillion dollars—in the garbage disposal. As Zuckerberg made clear in a Wednesday afternoon interview with WIRED, Facebook as we know it now will still exist. But it will change. And there will also just be something new.

It’s unclear the extent to which Facebook will ultimately push users toward privacy, and in what exact ways. But Zuckerberg controls Facebook, and his manifesto will make its gears start to turn in different directions. As that begins, here are nine important questions the company will have to think through.

1. Facebook knows how to make money in the town square. How does it make money in this new living room?

Private, encrypted messaging is hard to monetize. In our interview, Zuckerberg demurred when asked what the new business model will be after clamping down on the data firehose. The company would, he said, build the product first and figure out the financials later. Facebook does have nascent efforts in commerce and cryptocurrency, but there’s no question that figuring out revenue on the new platform will be a hard problem for Dave Wehner, Facebook’s chief financial officer. A former Facebook employee told me last night, “Mark is like a cartoon character who walks through a bunch of dangerous situations and always comes out on top. Dave is the guy running behind him catching the cat, stopping the ladder from tipping, deflecting the flying axe with a manhole cover.”

2. What does this do to safety on the platform?

Facebook rightly faces endless criticism for all the data it collects. But there are benefits to data collection as well. It can help stop bullies, or even potential suicides. Once those communications become private, Facebook no longer has the same powers to track and moderate. The public—from the media, to nonprofits, to academics, to individuals, to the government—also uses the public nature of Facebook to track bad behavior. If Russian intelligence operatives had just used private encrypted messaging to manipulate Americans, would they have been caught? As Facebook knows from running WhatsApp, which is already end-to-end encrypted, policing abuses gets ever harder as messages get more hidden.

In our interview, Zuckerberg explained that this, not fears about the business model, is what keeps him up at night. “There is just a clear trade-off here when you’re building a messaging system between end-to-end encryption, which provides world-class privacy and the strongest security measures on the one hand, but removes some of the signal that you have to detect really terrible things some people try to do, whether it’s child exploitation or terrorism or extorting people.” When asked whether he cared more about these fears than fears about his business model, he said yes. “I am much more worried about those trade-offs around safety.”

3. What does this do to the company’s efforts in artificial intelligence?

Facebook has spent the past several years building artificial intelligence systems to change the way almost every element of the company works. They are, for example, crucial in the work to eliminate toxic content. But AI, particularly the subset known as machine learning, requires training data, and the more the merrier. Facebook, of course, won’t be just wiping all of its machines as it implements Zuckerberg’s vision. But there will almost certainly be times when the company faces a tradeoff between living up to the ideals in the manifesto or storing something that will make the work of the AI teams easier.

4. What does this do to the news industry?

One of the most vexed issues for Facebook is its relationship with the news business. The media industry relies on Facebook for distribution, but it deeply resents that Facebook has swallowed much of the advertising business. Facebook executives know that many people come to the platform to read news, but they hate most of the news written about the platform. News Feed will continue under whatever Facebook builds next, but it’s hard not to imagine that distribution for publishers on Facebook will decline, which may elicit even further media scrutiny. On the other hand, if Facebook is actually pivoting to a new business model, maybe advertising will return to media?

5. How does this change the way regulators react to the company?

Facebook is currently besieged by regulators of all stripes. There are German regulators going after the ad business, British parliamentarians publishing internal emails, American politicians talking about antitrust, and members of the Federal Trade Commission who may be about to fine the company billions of dollars. Much of the anger comes from Facebook’s loose attitudes toward privacy in the past; perhaps this new philosophy will help set people’s minds at ease. Or perhaps not. It is certainly the case, though, that one of Zuckerberg’s proposed moves—further integrating WhatsApp, Instagram, and the main app—will make it much harder to split the company apart in the way that scholars of antitrust have been proposing in recent months.

6. Relatedly, will Facebook now advocate for privacy laws?

Facebook has consistently run afoul of regulators focused on privacy. It has resisted, and sometimes quietly lobbied against, their efforts. Now, though, Zuckerberg has planted a flag in favor of privacy. Does that mean that he will turn, like Tim Cook—aka Tim Apple—into a public advocate for strong privacy legislation?

7. How much does this have to do with Facebook’s Blockchain initiative?

For the past year, Facebook has had a secret team working away in a building on some kind of blockchain initiative. They have been exploring payments, identity, and the creation of a new stablecoin. But no one outside of the company knows for sure what they’ll actually launch. Some insiders view the project as a ludicrous lark. Others think of it as crucial in the quest to redefine Facebook. It seems almost certain that the blockchain initiative informed Zuckerberg’s philosophy. And the connection may be even more direct, particularly if the company is indeed planning to launch a crypto payments system that will work across messaging platforms.

8. What does this do to the company’s chances of going into China?

In his manifesto, Zuckerberg talked about the need to keep servers out of authoritarian countries. As he added when talking to WIRED, “if you put a data center in a place, or you store people’s information in a country, then you’re giving that government the ability to use force to get that data.” In a way, this was a free moral stand. Facebook is already banned in China, by far the most important country where this is an issue. But no one knows how the dynamics between the United States and China will evolve in the next five years. By coming out so strongly in favor of encryption, and against authoritarianism, Facebook may be signaling that it’s giving up on its quest to connect the largest country on earth.

9. How much of this will actually happen?

To skeptics, Zuckerberg’s privacy manifesto was a bundle of naked cynicism and hypocrisy. The company, after all, developed a system to make his personal messages disappear long ago, only rolling it out more broadly under public pressure. But whatever the motives, and whatever the odds that one thinks Facebook will follow through, there’s no question that, inside of Facebook a new era of sorts starts today. Tradeoffs will have to be resolved in different ways. New problems will emerge. Different people will move to different teams. The public and the media, trained to distrust what Facebook says, will judge whether the company is living up to promises that the CEO just made very publicly. In our interview, I asked Zuckerberg how hard this is going to be. “You have no idea how hard it is,” he said laughing.

But, more important, he noted that this will be something rather different for Facebook. “This is a big opportunity, but it’s going to mean adopting and taking some positions on some of these big issues that involve some really big trade-offs and are frankly different from what we may have prioritized historically.”

Opening this image file grants hackers access to your Android phone


Originally seen on: Zdnet by Charlie Osborne, February 7th, 2019

Be careful if you are sent an image from a suspicious source.

Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in a .PNG format, your Android device could be critically compromised due to a new attack.

In Google’s Android security update for February, the tech giant’s advisory noted a critical vulnerability which exists in the Android operating system’s framework.

All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim’s device. Should the user open the file, the exploit is triggered.

Remote attackers are then able to execute arbitrary code in the context of a privileged process, according to Google.

Android versions 7.0 to 9.0 are impacted.

The vulnerability was one of three bugs impacting Android Framework — CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988 — and is the most severe security issue in the February update.

There are no current reports of the vulnerability being exploited in the wild. However, given the ease with which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.

As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.

Google’s bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.

Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.

In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers.