The niner noteworthy stories of 2017 (week 7)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

A rash of invisible, fileless malware is infecting banks around the globe


From the widespread infections in 2010 related to Stuxnet we already know how dangerous such virus components can be. The fact that they run completely in memory and don’t leave any traces on disk makes detection very difficult or even impossible: on the next reboot, which a smart attacker triggers after completing his/her objective, all traces in memory are gone forever. Obviously not all traces of the activities disappear, lines in log files may possibly remain for example, but it makes detection that much more difficult.
What the background behind this malware also shows is what a very specific one-time use computer virus turned weapon can lead to, even 7 or more years later. Maybe it’s fair to compare this to laying mines in a field to deter rival forces from entering a certain area, and its effects on society sometimes even decades later.
source: Ars Technica (external link)

Sophisticated Mac malware ‘aimed at select targets’


If you are a macOS user and still think you don’t need anti-virus (yes, I know anti-virus is actually dead, but don’t tell its vendors that) or any other form of protection for your system, think again.
Often I have heard Mac users say they don’t need such software as their system is more secure. However, the contrary is the case unfortunately. The only reason why not much malware has been specifically targeted at Macs is pretty simple: economy of scale. The more macOS systems there are, the more profitable it will be to spend time and effort to create malware for them as well.
source: iTWire (external link)

Hackers Selling Undetectable Proton Malware for macOS in 40 BTC

And if you still don’t believe the economy of scale theory, then read this article as well, which clearly shows that no process, even Apple’s rigorous ones, has a 100 percent success rate. This malware is scary stuff to be honest, although obviously not new if you count all available malware over the years on Windows systems.
source: HackRead.com (external link)

A battle rages for the future of the Web


This is not directly about security, although the choice that faces the W3C will have far-reaching security implications. However, this entire open internet versus DRM (digital rights management) discussion has more to do with the media industry still not operating within the 21st century at all. They should ask themselves what the reason is for people to download stuff illegally. Is it the price they have to pay? To some extent that may probably be so.
One other extremely big reason though is just the availability of recent films and series in some countries or outside some distribution channels. This has been extremely well highlighted by the fact that the first episodes of the Grand Tour car program by the former Top Gear staff, broadcast only on Amazon TV, made it the most pirated series ever. Rather than buying an Amazon TV subscription, if available at all, people resorted to piracy to get to watch their favourite car program show hosts.
So will DRM, if formally adopted for the web, be the answer? I seriously doubt it. What it will do is monetise the web, even more than is being done already.
As for Top Gear? I think the BBC is probably regretting their decision already, although they will never say so publicly.
source: Ars Technica UK (external link)

Car Apps Are Vulnerable To Hacks That Could Unlock Millions of Vehicles


Okay, so mobile apps aren’t secure, that’s not too surprising, is it? It obviously becomes dangerous if those apps are linked to a physical device that can be controlled, resulting in injury or death of the occupant or somebody on the road as well.
Combine this with the fact that if you sell your smart car, they do a lousy job of unlinking it from your smartphone (lousy as in it’s impossible) and you may see some interesting opportunities of selling somebody a car and keeping control over it. Extend that with the location of that car constantly being updated in the app of the now former owner and the possibilities for spying are endless.
source: WIRED (external link)

Warning on used cars failing to forget old owners

And that even after the former owner wiped his phone of all data, which means that the link somehow has been maintained somewhere in the cloud. Physical keys are handed over and there are even procedures to make sure they are, but the virtual keys stay in the possession of all previous owners with all consequences related to that.
So now we know that apps for cars are insecure, that you can still track your old car as it stays linked to you, and that on-board computer and alarm systems are hackable. What’s next?
source: BBC News (external link)

This tool will uncover anyone’s email on LinkedIn


What this tool apparently does can very easily be done yourself as well. It is usually not that hard to find a mail address of somebody at some company online somewhere. If you know the format of the mail address (in a lot of cases it will be firstname.lastname@company.tld), it isn’t that hard to construct the mail address within a plugin if you know somebody’s first and last name from their LinkedIn profile as well as the company they are currently working for.
And if it is a first-level contact, they will have direct access to your primary e-mail address anyway, which LinkedIn doesn’t really warn you about and which is something you can’t change either. It would be helpful if you could set one profile mail address and a separate one to receive all notifications on, so if that second one gets misused you know reasonably well LinkedIn may have been breached.
In this way I can attribute a recent spam wave to both the LinkedIn and Dropbox 2012 hacks.
source: CNET (external link)

How I got your phone number through Facebook

Thinking your information is being kept private because the privacy settings apparently let you believe it is, is understandable but incorrect. In larger countries it may be more difficult to pull this trick off, but still.
So it will be a trade-off: do you want to use your phone number for 2-factor authentication with the risk of it leaking out? Or just use your password, click through endless requests to please provide your phone number for profile security and have a marginally less secure profile?
I would delete it altogether, but that’s a personal choice.
source: Hacker Noon (external link)

Smart TV Maker Fined $2.2 Million For Spying on Its 11 Million Users


The most interesting quote in this article is that the company must delete “most of the data”. Why not all of it? And how about the damage to the privacy of its TV owners?
The best defence would be to not buy a smart TV at all, although I must admit that may not even be possible these days, at least not a new one.
source: The Hacker News (external link)
And another article on the same topic: Ars Technica (external link), providing some more data and information on other smart TV privacy issues.

Now sites can fingerprint you online even when you use multiple browsers


I have written about these kinds of fingerprinting techniques before, like this one on audio fingerprinting.
Apparently there is only one thing, at this moment at least, to defeat this kind of cross-browser fingerprinting and that’s to disable WebGL, which may break certain websites. The best advice would be to switch it off and only allow it on websites that really really really require it and you absolutely must visit.
Or just use multiple devices to throw off results.
Though in all honesty, most people will be logged in to some form of social media all the time anyway, which makes these kinds of techniques unnecessary. At least from the perspective of that specific privacy slurping service.
source: Ars Technica (external link)

Scottish court issues damages to couple over distress caused by neighbour’s use of CCTV


Wow! That you are having an argument with your neighbours is one thing, blatantly resorting to outright spying and extortion is something entirely different.
With the ever-dropping costs of good IP cameras, however, it was simply a question of time before such a case would go this far. That’s not even counting all other cases of people protecting their property with cameras and maybe even keeping recordings longer than actually necessary or even allowed by law.
So you see it’s not only companies spying on you, it could be your own neighbours too.
source: The Register (external link)

German parents told to destroy Cayla dolls over hacking fears


Besides all the privacy concerns, security problems that are not fixed and an apparent disagreement between sellers of the product and security professionals, the problem may be even worse than this article portrays. This toy could easily be used as a spying device if just left in a room somewhere: with the built-in microphone, conversations in the room could easily be picked up and recorded.
And yes, with the right radio equipment and antenna setup this can be done from even more than 10 meters (33 feet) away, specifically if there are only windows in between the doll and the receiving equipment. Directional antennas are pretty easily constructed and can even be concealed in a Pringles can where the can itself is the actual antenna.
So the children’s privacy is the direct concern, but the dolls themselves could have other interesting uses as well.
source: BBC News (external link)