Category Archives: News

Facebook hoaxes back in the spotlight – what to tell your friends

At the risk of giving you a feeling of déjà vu all over again…

…it’s time to talk about Facebook hoaxes once more.

Looking at the Naked Security articles that people have not only searched for but also read in large numbers over the past few days tells us that we’re in what you might call a “market uptick” for hoaxes at the moment.

The top two resurgent hoaxes in the past week have been the Instant bank fraud “warning” and the How to post to more than 25 friends “advice”.

Loosely speaking, most Facebook hoaxes – by which we really mean “posts that get shared virally despite being useless and inaccurate, yet that aren’t actually scams or phishing tricks” – take one of three forms:

  1. Warnings to watch out for something supposedly dangerous that isn’t going to happen, and wouldn’t be particularly dangerous even if it did.
  2. Instructions to copy a specific paragraph of bogus information exactly and repost it under your own name.
  3. Advice on how to check your cybersecurity settings that achieves nothing except giving you a false sense of security.

Examples in the first category above include the Instant bank fraud warning we mentioned above, and the Dance of the Pope/Martinelli hoax.

The former hoax tells you that criminals are sending malicious text messages related to “payment problems” for customers of a specific bank:

Now, non-payment “warnings” are indeed very commonly used by crooks to try to trick you into clicking through to a fake version of your bank’s web page and then trying to coax you into putting in your password – an attack that’s well known under the name phishing.

But this one is different – the hoax claims that in this case, just reading the message is enough to drain your account (which isn’t true), and so the smart thing to do is to spread the warning by forwarding the hoax to all your friends.

The Martinelli hoax follows a similar theme – there’s a video coming out tomorrow called Martinelli (or Dance of the Pope), and if you watch it your phone will be infested with malware afterwards.

It’s almost always one of those two names – they seem to be very sticky details in this hoax – and those videos have been “coming out tomorrow” for many years now.

You need to warn people not watch the video, and that means… you guessed it, forwarding the hoax to all your friends.

Copy-and-paste

The How to post to more than 25 friends hoax is of the second type.

This one has also been around for years, and it claims that Facebook sneakily keeps the circle of users who see your posts to the same 25 people.

Lots of people are desperate for more online friends and followers, and it no doubt sounds appealing to trick Facebook’s algorithms into posting your content more widely simply by posting some special text of your own.

As you will have guessed again, the special text that causes Facebook to induct you into the “more than 25 friends” club…

…is the text of the hoax you just received, complete with the instructions to the recipient to repost it, and so on:

Fake security advice

The third type of hoax on the list is probably the worst, because fake security advice may lead well-intentioned users to think they’re safe when they aren’t.

One example, which we discuss in the video below, made back in 2019, is the “BFF” hoax that tells you to type that very text into a post as a way of checking that Facebook’s additional security precautions are activated for your account.

The hoax tells you that if the text BFF, short for best friend forever, turns green when you type it into a post, you’re in good shape.

In fact, the word doesn’t go green (though it used to), and even if it did, it would tell you nothing about your security settings.

Numerous words entered into Facebook posts do automatically change colour, but that’s a fun feature called Text Delights (the selected words trigger animations such as balloons and thumbs-ups when viewed) and has nothing to do with cybersecurity.

This hoax started because BFF apparently used to show up in green, though it now seems to have been removed from the list of Text Delights:

Numerous words and phrases in a Facebook post are recognised and highlighted automatically.

Yes, you’re also supposed to let everyone else know about this “useful” security trick by forwarding the text as far as you can, thus helping to perpetuate the hoax.

What’s the harm?

These messages are all bogus, but they’re not actually scams and they aren’t phishing for personal information.

So, is forwarding them really that bad, or is it merely a minor waste of time and bandwidth that will do little or no harm overall?

We think that getting sucked into hoaxes is more than a waste of time, not least because a lot of hoaxes could end up leaving vulnerable users needlessly worried or – even worse – convinced that they are safe when they are not.

Watch the video below for our advice, which includes these observations:

Even if it’s a harmless sounding thing, the characteristic of [a hoax of this sort] is that it’s conditioning or training you to accept information without any critical evaluation. And that’s a bad place to be […] because it means that you could easily end up being a mouthpiece for opinions or views that later turn out to be quite objectionable, and you’ll jolly well wish that you hadn’t put out those views under your own name.

It’s just creating an expectation for [those] people […] who are more easily influenced by the words of others. […] Part of the harm is that [if you join in], you’re contributing to making it look as though something is true without any sort of due diligence at all. And that’s probably not a society that you really want to live in.

[Spreading hoaxes] isn’t without cost. The more we get in the habit of relaying, replaying and endorsing information that’s false, especially when there’s a security angle, the more we’re softening up people who could actually do with some real advice that really mattered.

What to do?

Be aware before you share, and never let other people put words in your mouth – that is something you may deeply regret later on.

Here’s what you need to know, all in plain English.


Google buys AR smart-glasses company North

Google announced on Tuesday that it’s purchased a smart-glasses company called North and, notwithstanding its failure to bring Google Glass wearables to the masses, still plans to caress our vision with the vast tentacles of its helpfulness.

From the announcement, which was posted by Rick Osterloh, Senior Vice President, Devices & Services:

From 10 blue links on a PC, to Maps on your mobile phone, to Google Nest Hub sharing a recipe in the kitchen, Google has always strived to be helpful to people in their daily lives. We’re building towards a future where helpfulness is all around you, where all your devices just work together and technology fades into the background. We call this ambient computing.

Credit where credit’s due – “ambient computing” sounds friendlier than, say, “pervasive privacy-threatening creepster surveillance spectacles.” Privacy concerns contributed to the sinking of Google Glass. In January 2016, after years of development, Google shuttered its Glass social media accounts.

A year prior, Google had ended its Explorer program and stopped selling Glass. But a few months after that, Google executive chairman Eric Schmidt said that the move wasn’t meant to imply that Google was sticking a fork in its internet-connected eyeglasses.

No, Schmidt said, Google Glass wasn’t dead. It was just being fine-tuned for the masses. Google then focused work on a Glass spinoff for the enterprise.

Details of the North purchase, including how much Google’s paying for the Canadian company, weren’t disclosed.

North was founded in 2012 and has focused on building various iterations of augmented reality (AR) glasses. The company said in an announcement on Tuesday that it will keep supporting its customers through to the end of the year.

That leaves 6 more months for customers to enjoy their Focals by North wearables, which connect with Alexa and which feature a tiny laser in the arm that projects images in front of users’ eyes.

Focals are prescription eyeglasses with a nearly-normal look. Similar to smart watches, they pair to wearers’ phones through Bluetooth in order to display notifications, provide directions, or call an Uber.

Focals are also equipped with a speaker and can chirp notifications at you. All of this means that you can mysteriously know what’s been said in a chat, without taking out your phone, since the messages have been beamed to your eyeballs.

But groovy features like that aren’t what skewered Google Glass. Rather, it was the fact that Google Glass could be used to take photos and videos.

That resulted in fear, loathing and a lot of headlines, and not the kind that PR people like to stick on the company’s website: more along the lines of a fight breaking out in a pub over somebody wearing Glass, multiple eateries telling Glass wearers to please take them off, and at least one of those restaurants getting vilified on Yelp by people who’d never stepped foot inside.

And yes, that contributed to the creation of the sobriquet “Glassholes” to describe those amongst the Glass Explorers whose manners were found wanting.

For its part, North had also planned to incorporate a camera into Focals 2.0. But now that it’s being acquired by Google, that second-generation pair of smart glasses won’t be forthcoming, North said in its acquisition announcement.

Time will tell if the Google version of Focals will be equipped with a camera that might reawaken privacy concerns. But it’s not like we don’t have other “ocular assistants” already: there’s Snapchat’s Spectacles, for example, and Facebook’s Oculus showed in September 2019 how it can blend live mapping with the physical world via digital imaging.

Rumor has it that Apple is also working on AR eyewear, while Samsung showed off the technology at the Consumer Electronics Show (CES) in January.

Is the world ready for smart glasses?

Are these companies going to be accepted by the masses who so enthusiastically rejected Glass?

Maybe. Maybe those companies don’t have to do anything all that much different than Google did with Glass. Maybe the time has come when people are going to be OK with the technology.

Here’s CCS Insight analyst Leo Gebbie, who’s tried North’s eyewear and suggested to the BBC that, unlike Glass, a Google/North version might come at a sweet spot in wearable computing history:

The original Google Glass became an infamous venture for the company. But arguably the product was simply ahead of its time.

Smart glasses could be a revolutionary item of technology. And many Google services, such as Maps, would dovetail perfectly with the right piece of hardware.

Readers, your thoughts? Are we over our dislike of Glass enough to hang Focals off our noses? Let us know below!


MongoDB ransom threats step up from blackmail to full-on wiping

Have you left a cloud database exposed online?

According to Dutch security researcher Victor Gevers of the Dutch Institute for Vulnerability Disclosure, who’s been hunting down insecure databases for years, thousands of MongoDB users have done just that – or, to be more precise, many tens of thousands of databases have shown up where they shouldn’t.

And that’s just this year.

A significant proportion of exposed databases have been modified by hackers in recent months to include a blackmail demand in broken English that says:

All your data is backed up. You must pay 0.015 BTC [currently about $135] to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server!

There’s a pseudo-anonymous email address that you can use to contact the extortionist, and a Bitcoin wallet for the money.

(We suspect that some victims will have exposed several different databases at the same time, given that a security blunder that’s easy to make once is just as easy to repeat.)

Note that when the extortion note says that “your data is backed up,” the crooks aren’t congratulating you on having a backup of your own.

What they mean is that, whether you have a backup or not, they have one, or so they say, and their leverage is that they’ll dump your data for the world to see, and tell the regulator, if you don’t cough up the money.

Presumably, the fact that the blackmail message was uploaded to your database – proving that the crooks had write access – is meant to convince you that the crooks definitely also had read access and therefore did indeed steal all your data.

It’s possible for hackers to get “blind” access to a database so they can write to it but not read anything out, not even what they themselves just wrote, but write access usually implies read access as well.

Astonishingly, according to ZDNet, this extortion note has already shown up in close to 23,000 exposed MongoDB databases in recent months, and this number represents close to 50% of all exposed databases out there in that period.

There are three obvious lessons here:

  1. Far too many businesses are incorrectly exposing data.
  2. Discovering and attacking exposed databases can be automated on an industrial scale.
  3. Therefore you can assume that the crooks will find your data if it’s out there.

What about the data?

One thing missing from the blackmail message above is the sort of pressure you’d expect in a ransomware attack, namely that you’re paying to get your data back because the crooks have wiped or scrambled it.

Here, the threat is that the crooks will expose your data breach, not that you will lose your data forever.

Ransomware crooks, on the other hand, started off from a completely different angle: to avoid the hassle of uploading all your data, possibly over a slow internet link, they typically just encrypted it “in place” and offered to sell you back the decryption key.

That way, they didn’t even need you to be online at all when the ransomware triggered – they just needed to leave behind a ransom demand, a contact email or Bitcoin address, and a unique identifier from which they, and they alone, could figure out the decryption key or keys to send you.

Sadly, now that internet connectivity is generally very much faster than when ransomware got going nearly 10 years ago…

…the ransomware crooks have taken to stealing your data first anyway, and only then scrambling it in place, so they can put double pressure on you to pay up.

Now, the crooks warn you that even if you do have a backup of your own, they’ll expose your data anyway and what could have been just an internal ransomware incident will turn into a full-on external data breach incident.

Evil stuff.

Well, it looks as though these database pilferers are doing what the ransomware crooks did, only in reverse.

Gevers says that in the last few days, the abovementioned MongoDB blackmailers have taken to wiping out the database after stealing it, so that they too can put a double squeeze on you for the money.

What to do?

Very simply, if rather obviously, don’t expose data to the internet unless you really intend to.

Servers like MongoDB do have security features available, but many of them are opt-in, so you need to decide for yourself which ones to turn on, and how strict you want to be.

It’s easy to criticise server vendors for not shipping their products in such a way that they don’t work at all until you’ve set up (or deliberately turned off) every possible security option.

But even that wouldn’t solve the problem – many users would simply start out by hitting up their favourite search engine for “download sample configuration file with everything turned off”, and take it from there.

Your operating and server software can try to discourage you from sloppy security, but in the end, the buck stops with you.

So, our tips are:

  • Read the server’s own security checklist before you install anything. (MongoDB’s checklist is here.) You might end up wanting to go further than the minimum recommendations, but at least decide what minimum security settings you should be aiming for before you start trying the product out.
  • Scan your own network for exposed services. Researchers such as Victor Gevers don’t find insecure MongoDBs by manually identifying targets and probing them by hand. They use large-scale automated scanning tools, as well as online services such as Shodan and Censys that do the scanning for you and let you search the results. The crooks do much the same thing – so you should, too.
  • Consider using a cloud discovery service. Some cloud services are so easy to set up that your organisation may have online data held by servers you didn’t even know about, using cloud accounts set up on someone’s personal credit card “as a test”. Tools like Sophos Cloud Optix can help you keep track of your online resources and check out whether they’re secure.
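The opt-in settings referred to above can be checked mechanically before a server ever goes live. The script below is an added example, not Sophos’s or MongoDB’s code: it parses a mongod.conf and reports the two settings that most often turn a test install into an internet-facing, password-free database. Both configuration snippets are constructed for the example; net.bindIp, net.bindIpAll and security.authorization are real mongod options, but treating these two checks as the minimum is this example’s own assumption, not MongoDB’s published checklist.

```python
"""Audit a mongod.conf for the opt-in hardening settings discussed above.

Added example (not Sophos's or MongoDB's code). Both configuration
snippets are constructed; the option names net.bindIp, net.bindIpAll and
security.authorization are real mongod options, but which checks count
as the minimum is this example's own assumption.
"""

# Constructed sample: the "just make it reachable from my laptop" config.
WEAK_CONF = """\
# mongod.conf (constructed sample: listens everywhere, no authentication)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server with the two opt-in settings turned on.
HARDENED_CONF = """\
# mongod.conf (constructed sample: localhost only, authentication required)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the two-level 'section:' / '  key: value' subset mongod.conf uses.

    Deliberately minimal (no lists, quoting or nesting deeper than two levels)
    so the example needs no third-party package; use PyYAML on real files.
    """
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            config[section] = value if value else {}
        elif isinstance(config.get(section), dict):
            config[section][key] = value
        else:
            raise ValueError(f"unexpected indented line: {raw!r}")
    return config


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the minimum checks pass."""
    conf = parse_simple_yaml(text)
    net = conf.get("net") or {}
    security = conf.get("security") or {}
    findings = []

    # mongod's own default is localhost only, so exposure comes from explicitly
    # binding every interface (0.0.0.0 / ::) or setting bindIpAll.
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addresses = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    if bind_all or any(a in ("0.0.0.0", "::") for a in addresses):
        findings.append(
            "net.bindIp/bindIpAll: listening on all interfaces; on a cloud VM "
            "that is the public internet unless a firewall says otherwise"
        )

    # Access control is off unless security.authorization is explicitly enabled,
    # so an unauthenticated client gets full read/write on every database.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': no login is required to "
            "read, modify or drop every database on the server"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['OK']}")
```

Run it against the config you are about to deploy rather than the one on the server: the point of the checklist tip above is to decide the minimum before the database is reachable, and a script like this turns that decision into something a CI job can refuse to ship without.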

133m records for sale as fruits of data breach spree keep raining down

A data breach broker has flooded a hacker forum with a whopping total of 132,957,579 user records.

Bleeping Computer is in touch with the data breach broker: a “known and reputable” broker who’s selling databases, all of which contain different data types but all of which include usernames and hashed passwords.

The companies whose databases are allegedly being peddled include game sites, food delivery services, soccer streaming, online fashion and loans. Out of the 14, only four are known to have been breached: Home Chef, Minted, Tokopedia and Zoosk.

Home Chef, a meal delivery service, confirmed a data breach two weeks after a hacker group named Shiny Hunters listed a database of 8 million customer records on a dark web marketplace. Shiny Hunters was the same group that claimed to be selling Zoosk’s records – along with nine other companies’ records, for a total of 73 million user records – in May.

For its part, Minted, a marketplace for independent artists, in late May confirmed that it had suffered a data breach earlier that month – confirmation that came after a hacker sold a database containing 5 million user records on a dark web marketplace. The name of the broker? Shiny Hunters.

Also in May, data breach monitoring and cybersecurity intelligence firm Under the Breach discovered that a hacker was offering the account information for 15 million users of Tokopedia – which is Indonesia’s largest online store – on a hacker forum for as little as USD $5,000. The broker? Shiny Hunters.

In sum: as Wired notes, during the first few weeks of May, the hacking group went on a data breach spree, hawking close to 200 million stolen records from over a dozen companies.

Bleeping Computer didn’t name the data breach broker it’s been in contact with, but it’s highly possible its initials turn out to be SH. The broker told the news outlet that the 14 databases they’re selling can be had for as little as $100, on up to $1,100.

The allegedly breached companies

Bleeping Computer provided this table of the companies that were allegedly breached, when, and the size of the holes allegedly bitten out of them.

Company        # of records   Alleged Breach Date
DarkThrone     282,825        June 2020
Efun           2.2 million    2020
Fluke          353,321        June 2020
Footters       209,783        June 2020
HomeChef       8 million      2020
JamesDelivery  1.6 million    March 2020
KitchHike      115,480        June 2020
KreditPlus     896,170        June 2020
Minted         4.3 million    May 2020
Playwings      4.1 million    April 2020
Revelo         1.1 million    June 2020
Tokopedia      91 million     April 2020
Yotepresto     1.4 million    June 2020
Zoosk          29.1 million   January 2020

What to do?

If you have an account at any of those sites, regardless of whether they’ve confirmed a data breach or not, you’d be well advised to assume it has and to take appropriate steps to protect yourself.

True, the passwords leaked in the confirmed and unconfirmed, purported breaches were encrypted, but we’ve already seen threat actors crack some of them – specifically, in the case of Tokopedia.

After they crack your password, threat actors can use it in credential-stuffing attacks at other sites. Thus, if you’re a customer of any of those sites from the table above, please do immediately change your password. Make it a tough nut to crack, and make sure it’s unique. In other words, don’t reuse passwords: doing so could let the crooks take over your social media accounts, break into your online banking account, and far more. Whenever you reuse a password, you needlessly multiply your risk factor.
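Credential stuffing has a recognisable shape from the receiving site’s side: one source trying many different usernames in quick succession, almost all of them failing, with the occasional success where a reused password happened to work. The script below is an added example, not from the article or from any of the companies it names, showing that detection over a constructed login log. The log lines, IP addresses (documentation ranges) and usernames are all made up, and the thresholds (five distinct usernames in five minutes, at least 80% failures) are this example’s own assumptions rather than any product’s rule.

```python
"""Credential-stuffing detection over login logs (added example).

Not from the article or any company it names. The log lines, addresses
and usernames are constructed; the rule (one source hitting many distinct
usernames, mostly failing, inside a short window) is a common heuristic
with thresholds chosen here as assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line:
#   <ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2020-07-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2020-07-01T10:00:03 203.0.113.7 carol LOGIN_FAIL
2020-07-01T10:00:04 203.0.113.7 dave LOGIN_FAIL
2020-07-01T10:00:05 203.0.113.7 erin LOGIN_OK
2020-07-01T10:00:06 203.0.113.7 frank LOGIN_FAIL
2020-07-01T10:01:00 198.51.100.23 alice LOGIN_FAIL
2020-07-01T10:01:10 198.51.100.23 alice LOGIN_FAIL
2020-07-01T10:01:20 198.51.100.23 alice LOGIN_OK
2020-07-01T10:02:00 198.51.100.40 grace LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Return {ip: sorted usernames} for sources whose attempts look like stuffing.

    Per source IP, slide a window over its attempts in time order and flag the
    IP when one window holds at least `min_users` distinct usernames and
    failures make up at least `min_fail_ratio` of the attempts. A single user
    mistyping their own password stays under `min_users` and is not flagged.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {user for _, user, _ in in_window}
            fails = sum(1 for _, _, outcome in in_window if outcome == "LOGIN_FAIL")
            if len(users) >= min_users and fails / len(in_window) >= min_fail_ratio:
                flagged[ip] = sorted(users)
                break
    return flagged


def accounts_to_reset(log_text):
    """Usernames that logged in successfully from a flagged source.

    A success in the middle of a stuffing run means that password was valid
    here too, i.e. the reuse the article warns about. Those accounts need a
    forced password reset and a look at recent activity, not just a block on
    the source IP.
    """
    flagged = detect_credential_stuffing(log_text)
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, outcome = parse_line(line)
            if ip in flagged and outcome == "LOGIN_OK":
                hits.add(user)
    return hits


if __name__ == "__main__":
    print("flagged sources:", detect_credential_stuffing(SAMPLE_LOG))
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG))
```

On the sample, 203.0.113.7 is flagged (six usernames, five failures, one success) while 198.51.100.23, which is alice failing her own password twice before getting it right, is not; erin’s account is the one whose reused password was confirmed valid and so goes on the reset list.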

Don’t feel like squeezing yet one more gnarly password out of your wetware? Relax and let your synapses bathe in brain goo while you turn the chore over to a password manager. We love them: they’re the application version of nagging security wonks like us!

Password managers not only concoct high-entropy passwords; they also make sure you use unique passwords at every site. Granted, password managers aren’t perfect, but they’re close enough to be highly recommended!

Microsoft issues critical fixes for booby-trapped images – update now!

Microsoft has just released emergency patches for two critical security holes in the Windows Codecs Library.

We all know what Windows means.

But what is a Codecs Library, and why are bugs in it such a big deal that they need to be updated without waiting for the next Patch Tuesday to come round?

Well, codec is short for encoder-decoder, and it’s the jargon term for the sort of software that takes data of some sort – notably the raw data that represents the pixels in a video or the sound in an audio file – and reworks it so it can be sent and received easily.

The co- part of a codec takes something like a raw image, consisting of rows and rows of colour pixels, and wraps it up in a format such as JPG or PNG so it can be saved into a file for downloading or streaming.

The -dec part does the reverse at the other end, reading in the file, decompressing it (most images and videos are compressed for transmission because this saves an enormous amount of bandwidth) and getting it back into its raw form so it can be displayed.

The security challenge

The security challenge here is that the -dec part of any codec – for example, the software that converts JPG files that are downloaded as part of a web page so your browser can display them – can’t blindly assume that the co- part of the process was trustworthy.

The decoder generally doesn’t have any control over the original encoding process, because files received from outside will have been encoded by someone else, somewhere else, using encoding software entirely of their own choice.

So the decoder has to assume that any part of the encoded data could have been constructed maliciously by an attacker in order to trigger a bug in the decoder – which is often a complex piece of software.

For example, many image formats start by telling the decoder how wide and high the image is, and how many bytes are used to store each pixel, in order to help the decoder allocate the right amount of memory for the image once it’s unpacked.

But what if the data stored in the image doesn’t match the data that follows, and the decoder ends up reading in more pixel data than it allocated space for?

If that happens, and the decoder doesn’t detect the mismatch, you’ve got a buffer overflow, along with all the security problems that usually entails.
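The header-versus-payload mismatch just described is easiest to see with a decoder small enough to read in one sitting. The code below is an added example, not Microsoft’s code and not the Windows Codecs Library: the ‘TOY1’ container is a constructed format (a 9-byte header of magic, width, height and bytes per pixel, followed by raw pixel bytes), and the 64 MiB allocation cap is an assumed limit. It puts a trusting decoder that believes the header next to a hardened one that treats every header field as attacker-controlled; in C the trusting version is the buffer overflow the text describes, while Python’s bounds checking turns the same mistake into a wrong-sized buffer and empty reads, which is what the tests look for.

```python
"""A minimal image decoder with the header-vs-payload check described above.

Added example: not Microsoft's code and not the Windows Codecs Library.
'TOY1' is a constructed container format so the example is self-contained:
a 9-byte header (magic, width, height, bytes per pixel) then raw pixel bytes.
"""
import struct

MAGIC = b"TOY1"
HEADER = struct.Struct(">4sHHB")        # magic, width, height, bytes per pixel
MAX_PIXEL_BYTES = 64 * 1024 * 1024      # assumed cap on what we will allocate


def encode(width, height, bpp, pixels):
    """The co- half: wrap raw pixel bytes in a TOY1 header."""
    if len(pixels) != width * height * bpp:
        raise ValueError("pixel data does not match the declared dimensions")
    return HEADER.pack(MAGIC, width, height, bpp) + bytes(pixels)


def decode_naive(data):
    """The -dec half as a trusting decoder: whatever the header says goes.

    A C decoder written this way allocates width*height*bpp bytes and then
    reads pixels by offset from that buffer; a crafted header makes it read
    (or write) past the end. Python cannot overflow, so here the symptom is a
    payload whose length does not match the dimensions it reports.
    """
    magic, width, height, bpp = HEADER.unpack_from(data)
    return width, height, bpp, data[HEADER.size:]


def decode_checked(data):
    """Hardened decoder: every header field is untrusted input."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    magic, width, height, bpp = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if width == 0 or height == 0 or bpp not in (1, 3, 4):
        raise ValueError("invalid dimensions or pixel size")
    expected = width * height * bpp
    # Python ints do not wrap, but a C decoder computing this in 32 bits can;
    # capping the product guards both the wraparound and a huge allocation.
    if expected > MAX_PIXEL_BYTES:
        raise ValueError("image too large")
    payload = data[HEADER.size:]
    if len(payload) != expected:
        raise ValueError(f"header declares {expected} pixel bytes, {len(payload)} follow")
    return width, height, bpp, payload


def pixel(image, x, y):
    """Read one pixel by offset, the way a decoder fills its output buffer."""
    width, height, bpp, payload = image
    offset = (y * width + x) * bpp
    return payload[offset:offset + bpp]   # past the end this is b"" (C: out-of-bounds read)


def is_rejected(data):
    """True if the hardened decoder refuses the file."""
    try:
        decode_checked(data)
        return False
    except ValueError:
        return True


# Constructed samples: a valid 2x2 RGB image, then two crafted headers over
# the same 12 bytes of pixel data.
PIXELS = bytes(range(12))
GOOD = encode(2, 2, 3, PIXELS)
CRAFTED_SHORT = HEADER.pack(MAGIC, 100, 100, 3) + PIXELS       # claims 30,000 bytes
CRAFTED_HUGE = HEADER.pack(MAGIC, 65535, 65535, 4) + PIXELS    # claims ~16 GiB

if __name__ == "__main__":
    print("naive decoder, crafted file, pixel (50,50):", pixel(decode_naive(CRAFTED_SHORT), 50, 50))
    for name, data in (("good", GOOD), ("short", CRAFTED_SHORT), ("huge", CRAFTED_HUGE)):
        print(f"checked decoder rejects {name}: {is_rejected(data)}")
```

The trusting decoder happily reports a 100x100 image backed by 12 bytes, and reading pixel (50,50) from it lands 15 kilobytes past the data it actually has; the hardened one refuses that file, refuses the one whose dimensions multiply out to a 16 GiB allocation, and accepts the genuine image.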

In fact, the problem is much worse than this simple example, because there are hundreds of different encoding algorithms for image and audio data, plus hundreds of different standards for packing together the encoded data into files for transmission…

…and users expect all their software, from word processors to video editors, to support as many of these combinations as possible.

Try your favourite image editor and see how many different file types it can load or save to get a feeling for how many combinations there are. We use an open-source tool called FFMPEG to create our videos, and the version we currently have includes more than 450 different decoders, and nearly 200 different encoders.

That’s where the Windows Codecs Library comes in, providing built-in support for a myriad different photo and video file formats to make it easy for software developers to support all the file formats that their users expect.

The bad news

Of course, the bad news in doing things that way is that a critical bug in the Codecs Library could end up affecting a whole raft of software programs at the same time, including browsers, document viewers, video editors, image gallery tools and more…

…but the good news is that if a critical bug does show up, it can be fixed for everyone in one go.

And that’s what’s happened here: the bugs CVE-2020-1425 and CVE-2020-1457 are described by Microsoft as follows:

CVE-2020-1425: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.

CVE-2020-1457: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.

We’re assuming that these vulnerabilities could be combined in order to implant malware.

Remote code execution bugs often aren’t much use on their own any more, because the crooks can’t figure out where in memory to place their attack code thanks to a security process known as Address Space Layout Randomisation (ASLR).

ASLR makes the memory layout on every computer different, so most unaided attacks have to guess where to poke around in memory, usually picking the wrong place and simply crashing instead of taking over.

But in this case, we’re guessing that attacker could start off by using the first vulnerability to “leak” secret operating system data, including the current memory layout, thus rendering ASLR useless and making the second vulnerability much easier to exploit.

What to do?

Technically, these bugs aren’t zero-days, because they were disclosed responsibly to Microsoft, which fixed them – as far as we know – before any cybercriminals figured them out.

But now the bugs are known publicly, you can assume that the crooks will be busy trying to work backwards from the patches to figure out how the vulnerabilities work. (Things are a lot easier to find if you know where to start looking!)

The updates are needed for Windows 10 and Windows Server 2019, and unlike your Patch Tuesday fixes, which arrive via the Security and Updates tab in Settings, Microsoft has pushed them out via the Windows Store:

How do I get the updated Windows Media Codec?

Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.

In the Microsoft Store app, click the three dots icon and then choose “Downloads and updates”.
