A computer scientist in the UK who has more nerve than I do has created a public livestream of the last 50 Web sites he’s visited to make a point about what new UK surveillance laws will mean. “The openly published browsing history of Brett Lempereur, a senior lecturer in computing at Liverpool John Moores University, shows the time, device used, and websites he has visited. All this data would be collected by ISPs and made available to police and security services if new surveillance laws are passed.”
Increased DM sizes in Twitter has an unexpected side effect: more space for botnets. “London security researcher Paul Amar has built a tool capable of exploiting Twitter’s extended direct messaging function for covert botnet command and control. Amar created Twittor which allows attackers of white or black hats to create a fleet of compromised machines that can communicate, receive instructions, and update over the social network.”
Google has has updated its Safe Browsing feature to protect against social engineering. “The threat landscape is constantly changing—bad actors on the web are using more and different types of deceptive behavior to trick you into performing actions that you didn’t intend or want, so we’ve expanded protection to include social engineering. Social engineering is a much broader category than traditional phishing and encompasses more types of deceptive web content.”
Snicker: Google’s own safe browsing tool is reporting Google.com as partially unsafe. I’ve gotten Google marking it’s own Google Alert e-mails as possible scams before, but I haven’t seen this.
A couple of the patches released in Microsoft’s latest Patch Tuesday are pretty critical. “All users running Windows Vista and later — including Windows 10 — are affected by two flaws, which could allow an attacker to install malware on an affected machine.”
Yikes! More than 20,000 apps auto-root Android devices. “Lookout detected more than 20,000 samples of the trojanised adware disguised as legitimate top applications that include Facebook, Candy Crush, Twitter, Snapchat, WhatsApp and others. Malicious actors repackage and inject malicious code into very many popular applications discovered in Google Play, then later publish them to third-party app stores. Lookout believes many of the apps are fully functional.”
Adobe Flash Player: still full of security issues, still a target for hackers. “Software maker Adobe issued an update on Nov. 10 to fix 17 critical vulnerabilities in its ubiquitous Flash player, the day after an analysis found that the program was the most popular target of exploit-kit developers.”
Comcast is having 200,000 customers reset their passwords but says it wasn’t hacked. “[A] package of personal data, including the e-mail addresses and passwords of Comcast customers, was listed for sale for $1,000 on a Dark Web site that was also marketing a number of other questionable goods. The Dark Web is a collection of sites that are publicly accessible but cannot found by search engines. “
The latest company to offer two-factor login? Why, it’s Twitch! Still can’t use it on Amazon, though. “Two-factor authentication (2FA) requires two different methods of verification to log in to your Twitch account: your password and your mobile phone. Each time you log in, you’ll enter your password and a unique code that we’ll send to your mobile phone. If your password is somehow compromised, your account will be inaccessible without the code we send your phone.”
Oh eww. There’s apparently a new kind of ransomware that holds entire sites for ransom. “This latest criminal innovation, innocuously dubbed ‘Linux.Encoder.1’ by Russian antivirus and security firm Dr.Web, targets sites powered by the Linux operating system….Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such shopping cart programs. Once on a host machine, the malware will encrypt all of the files in the ‘home’ directories on the system, as well backup directories and most of the system folders typically associated with Web site files, images, pages, code libraries and scripts.”
Wow, sounds like there’s some really horrible Android malware out there. “Lookout has noticed a trend toward Android malware that masquerades as a popular app, but quietly gets root-level access to your phone and buries itself deep in the operating system. If that happens, you’re in serious trouble. Unless you can walk through loading a fresh ROM or carefully modify system files over ADB, it may be easier to just replace the device, or have your phone company reflash it — a simple factory reset won’t get the job done.”
Google says a recent Samsung Galaxy phone has a whole host of bugs. “Google has revealed that Samsung’s flagship Galaxy S6 Edge Android smartphone suffered 11 ‘high impact’ security issues that were introduced by the company’s customisation of Android. Of the 11 bugs that were found in a week-long focus on Samsung’s device by Google’s Project Zero security bug hunting team, some could allow hackers to take over the device and steal personal data.” Looks like most of them have already been fixed.
The FCC has announced that it can’t force Google and Facebook to stop tracking its users. “The Federal Communications Commission said Friday that it will not seek to impose a requirement on Google, Facebook and other Internet companies that would make it harder for them to track consumers’ online activities.”
A citizen of Scotland has been indicted for a Twitter-based stock manipulation scheme. “According to the indictment, [James Alan] Craig, 62, of Dunragit, Scotland, alleged set up Twitter accounts using names similar to real market research firms for the purpose of manipulating stock prices. Craig issued tweets with false and fraudulent information about publicly-traded securities, causing the price of the securities to rapidly decline. Craig then bought securities of the targeted companies through his girlfriend’s brokerage account and later sold them at a higher price per security. Craig’s actions are alleged to have caused of more than $1.6 million in losses to shareholders.”