Private photos leaked by PhotoSquared’s unsecured cloud storage

Recognize anybody you know?

(Anonymized) photos leaked from PhotoSquared’s unsecured S3 bucket. IMAGE: vpnMentor

No, likely not. No thanks to the leaky photo app they dribbled out of for that, though. After coming across thousands of photos seeping out of an unsecured S3 storage bucket belonging to a photo app called PhotoSquared, security researchers at vpnMentor blurred a few.

They also blurred a sample from a host of other personally identifiable information (PII) they came across during their ongoing web mapping project, which has led to the discovery of a steady stream of databases that have lacked even the most basic of security measures.

In this case, as they wrote up in a report published this week, the researchers came across photos uploaded to the app for editing and printing; PDF orders and receipts; US Postal Service shipping labels for delivery of printed photos; and users’ full names, home/delivery addresses and the order value in USD.

PhotoSquared, a US-based app available on iOS and Android, is small but popular: it has over 100,000 customer entries just in the database that the researchers stumbled upon.

Customer impact and legal ramifications

vpnMentor suggested that PhotoSquared might find itself in legal hot water over this breach. vpnMentor’s Noam Rotem and Ran Locar note that PhotoSquared’s failure to lock down its cloud storage has put customers at risk of identity theft, financial or credit card fraud, malware attacks, and phishing campaigns: the USPS and PhotoSquared postage data arms phishers with exactly the PII they need to sound that much more convincing.

A breach of this kind of data could also lead to burglary, they said:

By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes.

Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.

That legal hot water may well be in California, vpnMentor suggests, given the state’s newly enacted California Consumer Privacy Act (CCPA) and its strict new rules on corporate data leaks.

Securing an open S3 bucket

PhotoSquared, for its part, could have secured its servers, implemented proper access rules, and never left a system that requires no authentication lying around open to the internet, say Rotem and Locar.

As it was, the database was set up with no password and no encryption.

From vpnMentor’s report:

Our team was able to access this bucket because it was completely unsecured and unencrypted.

The leaky PhotoSquared app is just the most recent story (one in a long chain) about misconfigured cloud storage buckets. Last week, it was JailCore, a cloud-based app meant to manage correctional facilities that turned out to be spilling PII about inmates and jail staff.

The Who’s Who list of organizations that have misconfigured their Amazon S3 buckets and thereby inadvertently regurgitated their private data across the world just keeps getting longer. Besides JailCore last week and PhotoSquared this week, that list contains Dow Jones; a bipartisan duo including the Democratic National Committee (DNC) and the Republican National Committee (RNC); and Time Warner Cable – to name just a few.

Plug those buckets!

Your organization doesn’t have to wind up on that Who’s Who list. There’s help out there for organizations that can take a deep breath, step away from their servers, and plunge in to learn how to better secure them: Amazon has an FAQ that advises customers how to secure S3 buckets and keep them private.

In the case of PhotoSquared, vpnMentor suggested that the quickest way to patch its pockmarked bucket is to:

  • Make it private and add authentication protocols.
  • Follow AWS access and authentication best practices.
  • Add more layers of protection to the S3 bucket to further restrict who can access it from every point of entry.
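An added example (not vpnMentor’s or PhotoSquared’s code) of what “make it private” means in practice: an audit of the three places an S3 bucket can be opened up (ACL grants, bucket policy, and the Block Public Access switches), run over a constructed configuration that mirrors the leaky bucket and over its corrected form. The bucket name and owner ID are placeholders, and the input dicts are shaped like the responses of the AWS GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls.

```python
"""Audit an S3 bucket's access configuration for the exposure described above.
Added example, not vpnMentor's or PhotoSquared's code: the inputs are constructed
to mirror what GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock return, and
the bucket name is a placeholder."""
import json

# Canned ACL groups reaching the whole internet (AllUsers) or anyone with an AWS
# account (AuthenticatedUsers); a grant to either is effectively public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four S3 Block Public Access switches, all on: the "make it private" step
# from the list above, applied at bucket (or account) level.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

def acl_findings(acl):
    """One finding per ACL grant that reaches an anonymous group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            out.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return out

def policy_findings(policy_json):
    """One finding per bucket-policy statement that allows everyone: an Allow whose
    Principal is "*" (or {"AWS": "*"}) with no Condition narrowing it."""
    out = []
    for st in (json.loads(policy_json).get("Statement", []) if policy_json else []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            out.append(f"policy statement {st.get('Sid', '?')} allows {', '.join(actions)} to everyone")
    return out

def public_access_block_findings(pab):
    """One finding per Block Public Access switch that is not enabled."""
    return [f"{key} is off" for key in HARDENED_PUBLIC_ACCESS_BLOCK if not pab.get(key, False)]

def audit_bucket(acl, policy_json, pab):
    """A public ACL exposes data only while IgnorePublicAcls is off and a public
    policy only while RestrictPublicBuckets is off, so 'exposed' is the effective
    state; 'findings' still lists everything worth cleaning up."""
    acl_hits, policy_hits = acl_findings(acl), policy_findings(policy_json)
    exposed = (bool(acl_hits and not pab.get("IgnorePublicAcls"))
               or bool(policy_hits and not pab.get("RestrictPublicBuckets")))
    return {"exposed": exposed, "findings": acl_hits + policy_hits + public_access_block_findings(pab)}

# Constructed configuration of a leaky bucket like the one in the report ...
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER, {"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-photo-bucket/*"}]})
LEAKY_PAB = {key: False for key in HARDENED_PUBLIC_ACCESS_BLOCK}
# ... and the corrected one: owner-only ACL, no policy, Block Public Access fully on.
FIXED_ACL = {"Grants": [OWNER]}

if __name__ == "__main__":
    print("leaky:", audit_bucket(LEAKY_ACL, LEAKY_POLICY, LEAKY_PAB))
    print("fixed:", audit_bucket(FIXED_ACL, None, HARDENED_PUBLIC_ACCESS_BLOCK))
```

Against a real account the same checks run over the live responses of the three AWS calls named in the docstring, and `HARDENED_PUBLIC_ACCESS_BLOCK` is the configuration to apply through PutPublicAccessBlock.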

Facebook asks to be regulated kinda like a newspaper, kinda like telco

The EU has been itching to regulate the internet, and that’s where Facebook has been this week: in Germany, asking to be regulated, but in a new, bespoke manner.

In fact, CEO Mark Zuckerberg is in Brussels right on time for the European Commission’s release of its manifesto on regulating AI – a manifesto due to be published on Wednesday that’s likely going to include risk-based rules wrapped around AI.

Don’t regulate us like the telco-as-dumb-pipe model, Zuckerberg proposed on Saturday, even though that’s how he once wanted us all to view the platform: as just a technology platform that dished up trash without actually being responsible for creating it.

No, not like a telco, but not like the newspaper model, either, he said.

Nobody ever really swallowed what Facebook once offered as a magic pill to try to ward off culpability for what it publishes – as in, that “we’re just a technology platform” mantra. Facebook gave up trying to hide behind that one long ago, somewhere amongst the outrage sparked by extremist content, fake news and misleading political advertising.

So now, Facebook has taken a different tack. During a Q&A session at the Munich Security Conference on Saturday, Zuckerberg admitted that Facebook isn’t the passive set of telco pipes he once insisted it was, but nor is it like a regular media outlet that produces news. Rather, it’s a hybrid, he said, and should be treated as such.

Reuters quoted Zuckerberg’s remarks as he spoke to global leaders and security chiefs, suggesting that regulators treat Facebook like something between a newspaper and a telco:

I do think that there should be regulation on harmful content … there’s a question about which framework you use for this.

Right now there are two frameworks that I think people have for existing industries – there’s like newspapers and existing media, and then there’s the telco-type model, which is ‘the data just flows through you’, but you’re not going to hold a telco responsible if someone says something harmful on a phone line.

I actually think where we should be is somewhere in between.

Zuckerberg says that following the 2016 US presidential election tampering, Facebook has gotten “pretty successful” at sniffing out not just hacking, but coordinated information campaigns that are increasingly going to be a part of the landscape. One piece of that is building AI that can identify fake accounts and network accounts that aren’t behaving in the way that people would, he said.

In the past year, Facebook took down around 50 coordinated information operations, including in the last couple of weeks, he said. In October 2019, it pulled fake news networks linked to Russia and Iran.

The CEO said that Facebook is now taking down more than one million fake accounts a day before they have a chance to sign up – including not just accounts devoted to disinformation, but also those of spammers.

As the internet giants – Facebook, Twitter and Google – come under increasing pressure to get better at keeping groups and governments from using their platforms to spread disinformation, Zuckerberg claims that Facebook is strenuously tackling the problem, having employed a veritable army of 35,000 people to review online content and implement security measures.

Nearly a year ago, Facebook put out a call for new internet regulation in four areas: harmful content, election integrity, privacy and data portability. What Zuckerberg said then:

It’s impossible to remove all harmful content from the internet, but when people use dozens of different sharing services – all with their own policies and processes – we need a more standardized approach.

What he called for on Tuesday, in an op-ed published by the Financial Times: “rules for the internet,” and more regulation for his platform. On Monday, Facebook published a whitepaper describing its recommendations for future regulation, including more accountability from companies that do content moderation, which, it argues, will be a strong incentive for firms to be more responsible.

Facebook suggests that regulations should “respect the global scale of the internet and the value of cross-border communications” and encourage coordination between different international regulators, as well as look to protect freedom of expression.

Facebook is also calling on regulators to allow tech firms to keep innovating, rather than issuing blanket bans on certain processes or tools. It also wants regulators to take into account the “severity and prevalence” of harmful content in question, its status in law, and efforts already underway to address the content.

We support the need for new regulation even though it’s going to initially hurt our profits, Zuckerberg said in the op-ed:

I believe good regulation may hurt Facebook’s business in the near term but it will be better for everyone, including us, over the long term.

These are problems that need to be fixed and that affect our industry as a whole. If we don’t create standards that people feel are legitimate, they won’t trust institutions or technology.

To be clear, this isn’t about passing off responsibility. Facebook is not waiting for regulation; we’re continuing to make progress on these issues ourselves.

But I believe clearer rules would be better for everyone. The internet is a powerful force for social and economic empowerment. Regulation that protects people and supports innovation can ensure it stays that way.

Monika Bickert, Facebook’s vice president of content policy, said that we can do regulation the right way, or we can do it the wrong way:

If designed well, new frameworks for regulating harmful content can contribute to the internet’s continued success by articulating clear ways for government, companies, and civil society to share responsibilities and work together. Designed poorly, these efforts risk unintended consequences that might make people less safe online, stifle expression and slow innovation.

Latest Naked Security podcast

Malware and HTTPS – a growing love affair

If you’re a regular Naked Security reader, you’ll know that we’ve been fans of HTTPS for years.

In fact, it’s nearly nine years since we published an open letter to Facebook urging the social networking giant to adopt HTTPS everywhere.

HTTPS is short for HTTP-with-Security, and it means that your browser, which uses HTTP (hypertext transfer protocol) for fetching web pages, doesn’t simply hook up directly to a web server to exchange data.

Instead, the HTTP information that flows between your browser and the server is wrapped inside a data stream that is encrypted using TLS, which stands for Transport Layer Security.

In other words, your browser first sets up a secure connection to-and-from the server, and only then starts sending requests and receiving replies inside this secure data tunnel.

As a result, anyone in a position to snoop on your connection – another user in the coffee shop, for example, or the Wi-Fi router in the coffee shop, or the ISP that the coffee shop is connected to, or indeed almost anyone in the network path between you and the other end – just sees shredded cabbage instead of the information you’re sending and receiving.

Figures: HTML source code of a simple web page; the same source rendered in a browser; the page ‘on the wire’ without TLS, where the raw HTTP data can be snooped (blue: HTTP ‘200’ reply; red: HTTP headers; green: page content); and the same page fetched using HTTPS via a TLS connection, where the encrypted content can’t be snooped.

Why everywhere?

But why HTTPS everywhere?

Nine years ago, Facebook was already using HTTPS at the point where you logged in, thus keeping your username and password unsnoopable, and so were many other online services.

The theory was that it would be too slow to encrypt everything, because HTTPS adds a layer of encryption and decryption at each end, and therefore just encrypting the “important” stuff would be good enough.

We disagreed.

Even if you didn’t have an account on the service you were visiting, and therefore never needed to login, eavesdroppers could track what you looked at, and when.

As a result, they’d end up knowing an awful lot about you – just the sort of stuff, in fact, that makes phishing attacks more convincing and identity theft easier.

Even worse, without any encryption, eavesdroppers can not only see what you’re looking at, but also tamper with some or all of your traffic, both outbound and inbound.

If you were downloading a new app, for example, they could sneakily modify the download in transit, and thereby infect you with malware.

Anyway, all those years ago, we were pleasantly surprised to find that many of the giant cloud companies of the day – including Facebook, and others such as Google – seemed to agree with our disagreement.

The big players ended up switching all their web traffic from HTTP to HTTPS, even when you were uploading content that you intended to publish for the whole world to see anyway.

Fast forward to 2020, and you’ll hardly see any HTTP websites left at all.

Search engines now rate unencrypted sites lower than encrypted equivalents, and browsers do their best to warn you away from sites that won’t talk HTTPS.

Figures: Safari on iOS warning about a non-HTTPS web page (left), and the Firefox notification for the same page (right).

Even the modest costs associated with acquiring the cryptographic certificates needed to convert your webserver from HTTP to HTTPS have dwindled to nothing.

These days, many hosting providers will set up encryption at no extra charge, and services such as Let’s Encrypt will issue web certificates for free for web servers you’ve set up yourself.

HTTP is no longer a good look, even for simple websites that don’t have user accounts, logins, passwords or any important secrets to keep.

Of course, HTTPS only applies to the network traffic – it doesn’t provide any sort of warranty for the truth, accuracy or correctness of what you ultimately see or download. An HTTPS server with malware on it, or with phishing pages, won’t be prevented from committing cybercrimes by the presence of HTTPS. Nevertheless, we urge you to avoid websites that don’t do HTTPS, if only to reduce the number of danger-points between the server and you. In an HTTP world, any and all downloads could be poisoned after they leave an otherwise safe site, a risk that HTTPS helps to minimise.

Goose and gander

Sadly, what’s good for the goose is good for the gander.

As you can probably imagine, the crooks are following where Google and Facebook led, by adopting HTTPS for their cybercriminality, too.

In fact, SophosLabs set out to measure just how much the crooks are adopting it, and over the past six months have kept track of the extent to which malware uses HTTPS.

Well, the results are out, and it makes for interesting – and useful! – reading.

In this paper, we didn’t look at how many download sites or phishing pages are now using HTTPS, but instead at how widely malware itself is using HTTPS encryption.

Ironically, perhaps, the fewer legitimate sites are left talking plain old HTTP (usually on TCP port 80), the more suspicious that traffic starts to look.

Indeed, the time might not be far off where blocking plain HTTP entirely at your firewall will be a reliable and unexceptionable way of improving cybersecurity.

The good news is that by comparing malware traffic via port 80 (usually allowed through firewalls and almost entirely used for HTTP connections) and port 443 (the TCP port that’s commonly used for HTTPS traffic), SophosLabs found that the crooks are still behind the curve when it comes to HTTPS adoption…

…but the bad news is they’re already using HTTPS for nearly one-fourth of their malware-related traffic.

Malware often uses standard-looking web connections for many reasons, including:

  • Downloading additional or updated malware versions. Many, if not most, malware samples include some sort of auto-updating feature, often used by the crooks to sell access to infected computers onwards to the next wave of criminals by “upgrading” to a new malware infection.
  • Fetching command-and-control (C&C or C2) instructions. Many, if not most, modern malware “calls home” in order to find out what to do next. Crooks may have thousands, tens of thousands or more computers all waiting for commands from the same source, giving the criminals a powerful “zombie army”, known as a botnet (short for robot network), of devices that can be harnessed for evil simultaneously.
  • Uploading stolen data. Data stealing is known in the jargon as exfiltration, and by hiding uploads in encrypted network connections, crooks can not only make it look like routine web browsing, but also make it much harder for you to scan and verify the data before it leaves your network.

What to do?

  • Read the report. You will learn how various contemporary malware strains are using HTTPS, along with other tricks, to look more like legitimate traffic.
  • Use layered protection. Stopping malware before it gets in at all should be your top-level goal.
  • Consider HTTPS filtering at your network gateway. A lot of sysadmins avoid HTTPS filtering for a mixture of privacy and performance reasons. But with a nuanced web filtering product you don’t need to peek inside all the encrypted traffic on your network – you can leave online banking connections alone, for example – and you won’t bring your network to its knees due to the overhead of decrypting network packets.
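The port 80 versus port 443 comparison above, turned into a triage step a network team can run on its own logs before deciding whether plain HTTP can be blocked at the firewall. This is an added example, not SophosLabs’ measurement code: the log format (timestamp, source, destination, destination port, bytes) and all addresses are constructed, and `allowed_http_peers` is a hypothetical allowlist of destinations known to need port 80.

```python
"""Split outbound web connections into plain HTTP and HTTPS, and list the internal
hosts still talking plain HTTP and to whom. Added example; the log lines below are
constructed and a real firewall export will need its own parser."""
from collections import defaultdict

# Constructed firewall log: "timestamp src dst dport bytes", one connection per line.
SAMPLE_LOG = """\
2020-02-17T09:01:02 10.0.1.20 93.184.216.34 443 5120
2020-02-17T09:01:05 10.0.1.20 93.184.216.34 443 2048
2020-02-17T09:02:11 10.0.1.31 198.51.100.7 80 77000
2020-02-17T09:02:40 10.0.1.31 198.51.100.7 80 1200
2020-02-17T09:03:00 10.0.1.31 203.0.113.9 443 900
2020-02-17T09:03:15 10.0.1.42 203.0.113.9 443 640
2020-02-17T09:04:01 10.0.1.42 198.51.100.7 80 300
2020-02-17T09:05:30 10.0.1.20 203.0.113.9 8443 400
"""

def parse_flows(text):
    """Turn the constructed log lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def port_mix(flows):
    """Count connections on the two ports the article compares: 80 (plain HTTP,
    almost always unencrypted) and 443 (HTTPS). Anything else is 'other'."""
    counts = {"http": 0, "https": 0, "other": 0}
    for f in flows:
        counts[{80: "http", 443: "https"}.get(f["dport"], "other")] += 1
    return counts

def http_holdouts(flows, allowed_http_peers=()):
    """Map each internal source to the destinations it still reaches over plain
    HTTP, ignoring peers on the (hypothetical) allowlist of known port-80 needs.
    An empty result means blocking port 80 at the gateway would break nothing
    that the logs know about; a non-empty one is the list to investigate first."""
    peers = defaultdict(set)
    for f in flows:
        if f["dport"] == 80 and f["dst"] not in allowed_http_peers:
            peers[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in sorted(peers.items())}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("port mix:", port_mix(flows))
    print("plain-HTTP holdouts:", http_holdouts(flows))
```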


Council returns to using pen and paper after cyberattack

Ten days after a suspected ransomware attack, residents of the English borough of Redcar and Cleveland must be starting to wonder when their Council’s IT systems will return.

The first public sign of trouble appeared on the morning of Saturday, February 8, when the following message appeared on the Council’s website:

The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later.

The Council later confirmed that it had been hit with a cyberattack affecting its internal and external-facing IT systems, with the notable exception of property tax payments.

The Council is back to working from pen and paper and able to field only urgent emails and telephone enquiries. Council leader, Councillor Mary Lanigan, told the BBC:

Computers have been taken offline and systems are being rebuilt. We have a massive team here – including cyber-security experts – working around the clock flat out to get it fixed.

The Council hasn’t explained the nature of the cyberattack, but it’s quite possible that this is yet another ransomware attack of a type that has become a huge problem across the world. The UK’s National Cyber Security Centre (NCSC) has confirmed it is assisting the Council.

This is happening over and over again. In January, it was schools in California, in November it was a company managing 110 nursing homes in the US, and in September the city of New Bedford in Massachusetts – the latest in a long line of US cities hit by the plague of hijacking networks for money.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.


AI filter launched to block Twitter cyberflashing

It seems strange to report, yet a small but determined group of Twitter users think it is a good idea to direct message (DM) pictures of male genitals to complete strangers.

Does this sound a bit like street flashing harassment in digital form?

It did to developer Kelsey Bressler after she received such an unsolicited image as a DM via Twitter last August. She later told the BBC:

You’re not giving them a chance to consent, you are forcing the image on them, and that is never okay.

Instead of shrugging it off, she and a friend had the idea of using AI pattern recognition to screen the pictures out before they were seen. But that AI still needed a set of – ahem – images to train itself on, which Bressler requested via Twitter.

Bressler has reportedly received over 4,000 pictures in response – enough to train the system to a state where it has just been released as a Safe DM service that anyone can sign up for.

Media site Buzzfeed tested Safe DM against a selection of images taken from Wikimedia Commons and found that it works well, albeit with a lag of a few minutes.

In tests, the filter blocked penises in a range of states, including full body shots and condoms and drawings. It even blocked examples that looked like a penis without being one.

Conclusion: recipients might see an image if they open it immediately but otherwise should be safe. Bressler told Naked Security that it will also block pictures of female genitals although no tests of its effectiveness at doing this have yet been made public.

For now, Safe DM is only on Twitter but other platforms might be included in future releases, she told Buzzfeed.

The filter asks for a lot of permissions but does not read the text content of DMs, she said. That was because:

Unfortunately, Twitter doesn’t allow us to pick and choose. It’s all or nothing.

Cyberflashing appears to be a growing hazard on many platforms. The Huffington Post UK published an article last May that quoted dozens of women who’d experienced it via email, SnapChat, Instagram, Twitter, Facebook Messenger, and – the most often mentioned channel – AirDrop (which has been in trouble for this sort of abuse before).

Despite more laws on general harassment, the chances of prosecution for cyberflashing remain somewhere between very low and non-existent. But at least with Safe DM, Twitter users now have something to turn to.
