Blog

iOS14 Privacy and Security Features You Should Know

Posted by Dave Cahill on Sep 21, 2020 in Mac / Apple, Privacy, Security News, Smart Phones | 0 comments

The iOS14 Privacy and Security Features You Should Know

The latest iOS14 update for your iPhone and iPad will make them safer than ever.

iOS14 has begun rolling out to iPhones worldwide, and as is typical for Apple and a new iOS release, security and privacy enhancements are front and center. The new mobile operating system should make you and your data safer than ever. But it’s important to know where these various features are and how to use them.

Below you can find the most important security and privacy features your iOS device now has that it didn’t have before. Make sure you check them as soon as you’ve got iOS14 on your iPhone or iPad.

Know When Apps Use Your Camera and Mic

Apps on iOS have to explicitly ask for your permission to use the camera and microphone, and from iOS14 onwards, you’ll also see an indicator dot in the top right of the screen when these functions are being used. Green means camera, orange means microphone.

This should make it impossible for apps to make recordings without your knowledge. Even if you trust an app enough to give it access to the camera and the mic, it’s still reassuring to know that you’ll always get an indication when they’re being used.

If you drag down from the top right corner of the iPhone display to open up Control Center, you’ll see information about the apps that most recently used your camera or microphone, just in case you’re unsure.

Limit Access to Photos and Location

iOS14 includes a couple of new ways that you can give apps certain permissions, but only up to a point. The idea is that there are some apps you trust a bit more than others in terms of looking at your photos or tracking where you are.

If you open Settings in iOS14 and then choose Privacy and Location Services, you can tap on an app to configure how it can access your phone’s location: never, always, only when the app is open, or only when you give explicit permission. There’s also a new Precise Location toggle switch, which you can turn off when you’re fine if an app knows the general area you’re in, but want to keep exact GPS coordinates hidden.

From the same Privacy menu, tap Photos and you get a list of apps with access to the pictures and videos stored on your iPhone. Choose an app and then change the option to Selected Photos if you only want the app to have access to a smaller subset of your files.

Sniff Out Bad Passwords

Apple has been able to sync the passwords and other login credentials for your various accounts across all of your Apple hardware via iCloud for a while now; this applies to macOS as well as iOS. To see what Apple has stored in the cloud from your iPhone, choose Passwords from Settings.

New in iOS14 as well as macOS is a password monitoring system. This will alert you if any of your credentials are spotted in a data breach, which means access to your accounts could be compromised.

From the top of the Passwords screen, tap Security Recommendations. You’ll see passwords that iOS thinks are problematic, either because of a data breach, or it’s too easy to guess, or you’ve used it elsewhere. Follow any of the Change Password links to pick something new.

Discourage Wi-Fi Tracking

One small but potentially significant change to Wi-Fi security in iOS 14 is the Use Private Address feature that you’ll notice if you open up the Wi-Fi menu from Settings, and then tap the blue info button on the right of the network that you’re connected to.

Whenever a device connects to the web, it gets what’s called a MAC (media access control) address so the local network can keep track of it. With a bit of clever monitoring, internet service providers—and from there, advertisers—can also use it to work out where your device logs on and when.

This new iOS 14 feature gives your iPhone a different MAC address every time it connects, making it much more difficult for this sort of tracking to work. It’s set to be enabled by default for every new network you connect to.

Know When Apps Snoop on Your Clipboard

If you see a message about apps pasting clipboard information from other apps at the top of your iPhone screen, don’t panic: That’s just the new clipboard notification feature in iOS kicking into action. As the iOS 14 beta program revealed, plenty more apps monitor the clipboard than you would actually think, even before you’ve actually pasted anything.

Most apps now seem to have tidied up their approach to clipboard access to avoid getting called out. If you’re using iOS 14, you should only see the notification when you actually choose to paste something inside an app, in which case the app obviously needs access to the clipboard.

Limit How Apps Track You

Another change in iOS 14 is that apps will have to specifically request permission to track you across other apps and sites. However, after complaints from advertisers—most notably Facebook, which in August said the move would “severely impact” its lucrative Audience Network—this feature won’t be fully enforced until sometime next year.

For now, you can head to Privacy then Tracking from the iOS Settings menu, and you’ll find a toggle switch for whether you want apps to be able to request permission to track you outside of the actual app itself. This sort of tracking is largely done to better target advertising at you.

As the tracking screen in iOS itself notes, apps that you don’t give permission to might still try to track you, as per their individual privacy policies. The more effective app-by-app controls should go into effect next year.

Vet Apps for Privacy Info

One iOS14 feature that Apple has announced for iOS14, but which hasn’t yet gone live, is app privacy cards. When the feature does appear, these cards will give you more details about how apps make use of the data they collect from you.

Presumably developers need a bit more time to get their apps in order—the feature isn’t visible at the time of writing—but when it does appear, you should see a new App Privacy button on each of the listings inside the App Store.

Follow that link, and you’ll be able to see the information you’re giving up to a particular app and how that information is being recorded and connected with existing profiles stored on your device or the web.

Get Privacy Reports From Safari

The ability to block cross-site tracking cookies in Safari isn’t new in iOS 14; as before, you can find the option under Safari in Settings. Turning on Prevent Cross-Site Tracking makes it much harder for advertisers to link together your browsing activity across different websites.

What is new in iOS 14 is the Privacy Report page in Safari. This gives you more detail on exactly what effect the blocking has on your browsing. Tap the AA button in the top left corner of the browser window to see a report for the site you’re currently on.

You can see the individual trackers in use on a particular page and check up on how many of these trackers Safari has blocked over the past month. You can’t really interact with this report in any meaningful way, but it’s helpful to have the information available.

Read the original article over at Wired.com.

iOS 14: Hands on with the new data breach notification feature

Posted by Dave Cahill on Sep 18, 2020 in Mac / Apple, Security News | 0 comments

Hands on with iOS 14’s new data breach notification feature

With the release of iOS 14, Apple has introduced a new feature that warns users when their stored passwords have been compromised in data breaches.

iOS includes the Keychain password manager that allows users to save credentials and automatically fill them into login forms on sites and apps.

The password manager can be found under Settings > Passwords, and when accessed, allows you to see all of your saved passwords or add additional ones.

In previous versions of iOS, the Keychain password manager would alert users if they were using a password that was easy to guess or crack and would prompt you to change it.

iOS 14 adds data breach notifications

With the release of iOS 14, Apple will now check your stored credentials against a list of known data breaches.

When performing this check, iOS “uses strong cryptographic techniques to regularly check derivations of your passwords against a list of breached passwords in a secure and private way that doesn’t reveal your password information — even to Apple.”

If an account has been detected as breached or uses an easy to guess password, a ‘Security Recommendations’ option will appear.

If your accounts are just using easy passwords, the number in this box will tell you how many accounts have issues.

If there is a red exclamation sign, as shown below, then that means you have an account that has been compromised in some manner and needs immediate attention.

If you click on the ‘Security Recommendations’ button, you will be brought to another page that lists all of your insecure passwords.

Clicking on a password will either tell you if its easily guessed, compromised in some manner, or been found as part of a data breach.

Keychain will then prompt you to change your password, which will open the site to either the password reset page or its homepage.

While BleepingComputer has not been able to trigger a notification, this feature is also triggers when logging into sites and apps with compromised credentials.

BleepingComputer reports on many data breaches, and we can easily say that it has been a bad year with the number of sites that have become compromised.

With data breaches becoming so common, this is a great feature as it protects not only your account, but also your finances, credit history, and credit card info, which could be accessed by attackers.

Read the original article over at BleepingComputer.com.

Staples discloses data breach exposing customer info

Posted by Dave Cahill on Sep 14, 2020 in Privacy, Security News | 0 comments

Staples discloses data breach exposing customer info

Giant office retail company Staples informed some of its customers that data related to their orders has been accessed without authorization.

Few details are available at the moment. The company has not disclosed the incident publicly and alerted affected customers individually over email.

‘Non-sensitive data’ accessedStaples

It is important to note that Staples’ main business is selling office supplies and related products using retail channels and through business-to-business engagements.

The office retail giant sent out a brief notification letter signed by Staples Inc. CEO Alexander ‘Sandy’ Douglas providing an outline of the incident.

BleepingComputer learned that the event occurred earlier this month around September 2 and consisted of unauthorized access to a system belonging to Staples.

Security researcher Troy Hunt received the notification in a data breach report. It appears that “a limited amount” of order data for customers of Staples.com – suggesting that the Canadian website is not impacted – was accessed by an unauthorized party. This “may have included information about one of your orders,” the letter reads.

The retailer has yet to determine what exactly got accessed but it could contain what Staples classifies as “non-sensitive customer order data:” names, addresses, email addresses, phone numbers, last four credit card digits, details about the order (delivery, cost, product).

These details, though, can still serve malicious purposes in email or phone call scams, or to collect more information for a better prepared attack.

Douglas stresses in the notification that account credentials and full payment card data remained unaffected by the incident and that there is no evidence to point to unauthorized purchases on the customer’s behalf.

Recipients of the data breach notification can learn more by calling Staples directly during business hours. They should choose option 3 to speak to a company representative.

BleepingComputer has reached out to Staples for a statement and is waiting for a reply. We also called the number included in the notification letter and the specified option is for gift cards and data breach information.

Staples managed to stay out of the news as far as security incidents are concerned since the compromise of point-of-sale systems in 2014 at 115 o its retail stores in the U.S.

Read the original article over at BleepingComputer.com.

Ransomware delays first day of school for Hartford, Connecticut

Posted by Dave Cahill on Sep 8, 2020 in Security News | 0 comments

Ransomware delays first day of school for Hartford, Connecticut

The Hartford School District in Connecticut has postponed their first day of school as they struggle with getting classroom and transportation systems restored and running after a Labor Day holiday weekend ransomware attack.

This school year, most USA school districts had struggled with the decision of how and when they were going to reopen schools due to the COVID-19 pandemic.

For the Hartford School District, this choice was taken away from them after suffering a ransomware attack on Saturday.

In a press conference this morning, Hartford Mayor Luke Bronin stated that the school district’s network was breached on Thursday, September 3rd.

The state’s capital did not become aware of the attack until Saturday, September 5th, after the hackers deployed ransomware and began encrypting the devices on the district’s network.

As this attack affected not only classroom computers but also the system responsible for transportation routes, the school district postponed school opening until they can fully recover their systems.

According to Mayor Bronin, no ransom demand was given, and Hartford has no plans on paying the ransom.

“There was no specific ransom demand. There was language, text that was installed and discovered on many systems, that said this is a ransomware attack and asked that we contact a particular email address. Needless to say that we are not contacting that email address. We will let law enforcement deal with that,” Bronin stated in a live press conference this morning.

Bronin further stated that they did not believe any data was stolen, but are looking into it further.

“To the best of our knowledge, no data was stolen, although we will continue to do everything we can to say with 100% confidence,” Bronin stated.

This attack’s time frame is not surprising as we warned last week that network administrators should be especially diligent during the Labor Day holiday weekend.

A source has told BleepingComputer that the Hermes ransomware is thought to be behind the attack on the school district’s systems, but BleepingComputer has not been able to verify these claims.

Older versions of Hermes had a weakness that allowed files to be recovered for free. This weakness has since been fixed, and current attacks are not decryptable.

Cyberattack will likely lead to a data breach

While Hartford officials have stated that they do not believe any data has been stolen, this may not be the case depending on the ransomware.

Since the end of 2019, ransomware gangs have been actively stealing unencrypted data, including student and employee records, before deploying a ransomware on a network.

This data is then used as a leverage to get a victim to pay, or the ransomware operators threaten to publicly release the files on data leak sites.

The Hermes ransomware operators are not known for stealing data before deploying their ransomware, but it does not mean they have not started adopting this tactic.

As the threat actors had access to the school district’s systems for two days before deploying the ransomware, there was more than enough time to harvest unencrypted files.

Last week, the SunCrypt ransomware operators attacked a North Carolina school district and leaked 5GB of files containing student and employee data.

Read the original article over at BleepingComputer.com.

Hackers exploiting Critical flaw affecting >350,000 WordPress sites

Posted by Dave Cahill on Sep 2, 2020 in Security News, Web & Graphic Design News | 0 comments

350,000 WordPress sites” width=”800″ height=”519″>

Hackers are exploiting a critical flaw affecting >350,000 WordPress sites

Critical flaw in File Manager, a plugin with more than 700,000 users; 52% are affected.

Hackers are actively exploiting a critical flaw vulnerability that allows them to execute commands and malicious scripts on Websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the critical flaw was patched.

Attackers are using the exploit to upload files that contain webshells that are hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. While that restriction prevents hackers from executing commands on files outside of the directory, hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.

NinTechNet, a website security firm in Bangkok, Thailand, was among the first to report the in-the-wild attacks. The post said that a hacker was exploiting the vulnerability to upload a script titled hardfork.php and then using it to inject code into the WordPress scripts /wp-admin/admin-ajax.php and /wp-includes/user.php.

Backdooring vulnerable sites at scale

In email, NinTechNet CEO Jerome Bruandet wrote:

It’s a bit too early to know the impact because when we caught the attack, hackers were just trying to backdoor websites. However, one interesting thing we noticed is that attackers were injecting some code to password-protect the access to the vulnerable file (connector.minimal.php) so that other groups of hackers could not exploit the vulnerability on the sites that were already infected.

All commands can be run in the /lib/files folder (create folders, delete files etc), but the most important issue is that they can upload PHP scripts into that folder too, and then run them and do whatever they want to the blog.

So far, they are uploading “FilesMan”, another file manager often used by hackers. This one is heavily obfuscated. In the next few hours and days we’ll see exactly what they will do, because if they password-protected the vulnerable file to prevent other hackers to exploit the vulnerability it is likely they are expecting to come back to visit the infected sites.

Fellow website security firm Wordfence, meanwhile, said in its own post that it had blocked more than 450,000 exploit attempts in the past few days. The post said that the attackers are trying to inject various files. In some cases, those files were empty, most likely in an attempt to probe for vulnerable sites and, if successful, inject a malicious file later. Files being uploaded had names including hardfork.php, hardfind.php, and x.php.

“A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site’s admin area,” Chloe Chamberland, a researcher with security firm Wordfence, wrote in Tuesday’s post. “For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit.”

52% of 700,000 = potential for damage

The File Manager plugin helps administrators manage files on sites running the WordPress content management system. The plugin contains an additional file manager known as elFinder, an open source library that provides the core functionality in the plugin, along with a user interface for using it. The vulnerability arises from the way the plugin implemented elFinder.

“The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself,” Chamberland explained. “Such libraries often include example files that are not intended to be used ‘as is’ without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file.”

Sal Aguilar, a contractor who sets up and secures WordPress sites, took to Twitter to warn of attacks he’s seeing.

“Oh crap!!!” he wrote. “The WP File Manager vulnerability is SERIOUS. Its spreading fast and I’m seeing hundreds of sites getting infected. Malware is being uploaded to /wp-content/plugins/wp-file-manager/lib/files.”

The critical flaw is in File Manager versions ranging from 6.0 to 6.8. Statistics from WordPress show that currently about 52 percent of installations are vulnerable. With more than half of File Manager’s installed base of 700,000 sites vulnerable, the potential for damage is high. Sites running any of these versions should updated to 6.9 as soon as possible.

CenturyLink routing issue led to outages on Hulu, Steam, Discord, more

Posted by Dave Cahill on Aug 31, 2020 in Internet | 0 comments

CenturyLink routing issue led to outages on Hulu, Steam, Discord, more

A CenturyLink BGP routing mistake has led to a ripple effect across the Internet that led to outages for numerous Internet-connected services such as Cloudflare, Amazon, Garmin, Steam, Discord, Blizzard, and many more.

These outages started at approximately 6 AM EST, when customers began reporting a wide-scale outage in the USA affecting CenturyLink services.

When performing searches on Twitter, there was a sudden influx of complaints about poor performance or outages on numerous connected services such as Blizzard, Steam, Discord, Roblox, Cloudflare, Hulu, Slink, Reddit, Amazon AWS, and many more.

CenturyLink states that their Level3 CA3 data center is causing this outage and are investigating the issue.

“Our technical teams are investigating an issue affecting some services in the CA3 data center. Ensuring the reliability of our services is our top priority. We will continue to provide status updates as this incident progresses. If you need further support, please contact us at help@ctl.io,” CenturyLink’s status page states.

This outage has since been resolved, and services are slowly recovering, with some areas taking longer than others.

These issues were also likely related to the NameCheap outage we reported earlier.

BGP Routing issue caused outages

According to numerous reports from affected customers, today’s problems were caused by a BGP routing issue at CenturyLink where they were not correctly routing portions of the Internet.

For the Internet to work, Internet service providers, data centers, and network providers advertise via the BGP routing protocol the IP addresses that they route and manage.

As this is mostly a trust-based system, when a large ISP starts advertising routes for IP address ranges that they do not manage, it causes worldwide outages and performance issues.

Based on customers’ reports, CenturyLink appears to have made a mistake in the BGP routing, which led to today’s wide-scale issues.

Cloudhelix, a cloud hosting provider, also experienced issues today and state that CenturyLink has confirmed it was a BGP issue.

“CenturyLink have confirmed a routing issue in their network was preventing BGP sessions from establishing correctly.
They have now rectified the issue and their network is stabilising as the updated configuration propagates to affected devices.
The CenturyLink connection at Cloudhelix’s facility in Equinix LD6 continues to be affected. We will issue another update in due course.”

CenturyLink has not updated their status message yet or publicly confirmed that it was a BGP routing issue.

Read the original article courtesy of BleepingComputer.com.

Mysterious iOS Attack Changes Everything We Know About iPhone Hacking

Posted by Dave Cahill on Aug 28, 2020 in Internet, Mac / Apple, Security News, Smart Phones | 0 comments

Mysterious iOS Attack Changes Everything We Know About iPhone Hacking

For two years, an iOS attack on a handful of websites have indiscriminately hacked thousands of iPhones.

Hacking the iPhone has long been considered a rarified endeavor, undertaken by sophisticated nation-states against only their most high-value targets. But a discovery by a group of Google researchers has turned that notion on its head: For two years, someone has been exploiting a rich collection of iPhone vulnerabilities with anything but restraint or careful targeting. And they’ve indiscriminately hacked thousands of iPhones just by getting them to visit a website.

On Thursday evening, Google’s Project Zero security research team revealed a broad campaign of iPhone hacking. A handful of websites in the wild had assembled five so-called exploit chains—tools that link together security vulnerabilities, allowing a hacker to penetrate each layer of iOS digital protections. The rare and intricate chains of code took advantage of a total of 14 security flaws, targeting everything from the browser’s “sandbox” isolation mechanism to the core of the operating system known as the kernel, ultimately gaining complete control over the phone.

They were also used anything but sparingly. Google’s researchers say the malicious sites were programmed to assess devices that loaded them, and to compromise them with powerful monitoring malware if possible. Almost every version of iOS 10 through iOS 12 was potentially vulnerable. The sites were active since at least 2017, and had thousands of visitors per week.

“This is terrifying,” says Thomas Reed, a Mac and mobile malware research specialist at the security firm Malwarebytes. “We’re used to iPhone infections being targeted attacks carried out by nation-state adversaries. The idea that someone was infecting all iPhones that visited certain sites is chilling.”

A New Paradigm

The iOS attack is notable not just for its breadth, but for the depth of information it could glean from a victim iPhone. Once installed, it could monitor live location data, or be used to grab photos, contacts, and even passwords and other sensitive information from the iOS Keychain.

With such deep system access, the attackers could also potentially read or listen to communications sent through encrypted messaging services, like WhatsApp, iMessage, or Signal. The malware doesn’t break the underlying encryption, but these programs still decrypt data on the sender and receiver’s devices. Attackers may have even grabbed access tokens that can be used to log into services like social media and communication accounts. Reed says that victim iPhone users would probably have had no indication that their devices were infected.

Google hasn’t named the websites that served as a “watering hole” infection mechanism, or shared other details about the iOS attack or who their victims were. Google says it alerted Apple to its zero-day iOS vulnerabilities on February 1, and Apple patched them in iOS 12.1.4, released on February 7. Apple declined to comment about the findings. But based on the information Project Zero has shared, the operation is almost certainly the biggest known iPhone hacking incident of all time.

It also represents a deep shift in how the security community thinks about rare zero-day attacks and the economics of “targeted” hacking. The campaign should dispel the notion, writes Google Project Zero researcher Ian Beer, that every iPhone hacking victim is a “million-dollar dissident“—a nickname given to now-imprisoned UAE human rights activist Ahmed Mansour in 2016 after his iPhone was hacked. Since an iPhone hacking technique was estimated at the time to cost $1 million or more—as much as $2 million today, according to some published prices—attacks against dissidents like Mansour were thought to be expensive, stealthy, and highly focused as a rule.

The iPhone-hacking campaign Google uncovered upends those assumptions. If a hacking operation is brazen enough to indiscriminately hack thousands of phones, iPhone hacking isn’t all that expensive, according to Cooper Quintin, a security researcher with the Electronic Frontier Foundation’s Threat Lab.

“The prevailing wisdom and math has been incorrect,” says Quintin, who focuses on state-sponsored hacking that targets activists and journalists. “We’ve sort of been operating on this framework, that it costs $1 million to hack the dissident’s iPhone. It actually costs far less than that per dissident if you’re attacking a group. If your target is an entire class of people and you’re willing to do a watering hole iOS attack, the per-dissident price can be very cheap.”

It remains far from clear who might be behind the brazen campaign, but both its sophistication and focus on espionage suggest state-sponsored hackers. And Quintin points out that the campaign’s mass infection tactics imply a government that wants to surveil a large group that might self-select by visiting a certain website. “There are plenty of minority groups like the Chinese Uyghurs, Palestinians, people in Syria, whose respective governments would like to spy on them like this,” Quintin says. “Any of those governments would be happy to pull out this technique, if they came into exploit chains of this magnitude.”

The campaign bears many of the hallmarks of a domestic surveillance operation, says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. And the fact that it persisted undetected for two years suggests that it may have been contained to a foreign country, since this kind of data traveling to a faraway server would have otherwise raised alarms. “After two years without getting caught, I can’t fathom this has crossed national boundaries,” he adds.

Wake-Up Call

The hackers still made some strangely amateurish mistakes, Williams mentions, making it all the more extraordinary that they operated so long without being detected. The spyware the hackers installed with their zero-day tools didn’t use HTTPS encryption, potentially allowing other hackers to intercept or alter the data the spyware stole in transit. And that data was siphoned over to a server whose IP addresses were hard-coded into the malware, making it far easier to locate the group’s servers, and harder for them to adapt their infrastructure over time. (Google carefully left those IP addresses out of its report.)

Given the mismatch between crude spyware and highly sophisticated zero-day chains used to plant it, Williams hypothesizes that the hackers may be a government agency that bought the zero-day exploits from a contractor, but whose own inexperienced programmers coded the malware left behind on targeted iPhones. “This is someone with a ton of money and horrible tradecraft, because they’re relatively young at this game,” he says.

Regardless of who may be behind it, the mass undetected hacking of thousands of iPhones should be a wake-up call to the security industry—and particularly anyone who has dismissed iOS hacking as an outlier phenomenon, unlikely to affect anyone whose secrets aren’t worth $1 million. “To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group,” Google’s Beer writes. “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

Read the original article over at Wired.com.

FBI informant provides a glimpse into the inner workings of tech support scams

Posted by Dave Cahill on Aug 26, 2020 in Scams, Security News, Tips & Tricks | 0 comments

FBI informant provides a glimpse into the inner workings of tech support scams

FBI Court documents expose how tech support scammers operate.

US authorities have charged three suspects involved in a large-scale tech support scam operation after FBI agents arrested one of their co-conspirators and turned him into an informant.

Evidence provided by the informant along with court documents filed in the case provide an in-depth glimpse at the techniques and inner workings of a modern-day tech support scam, from its earliest stages to the methods crooks use to launder funds obtained from defrauded victims.

Of the three suspects named in the case, one has been arrested earlier this year, and he pleaded guilty earlier this week.

IT ALL STARTED WITH AN INFORMANT

However, while charges were filed in January this year, the investigation into this group began in May 2019, when the FBI arrested an Indian national on fraud-related charges.

According to court documents obtained by ZDNet today, the suspect (hereinafter “the informant“) agreed to cooperate with investigators and become an informant for the FBI, seeking leniency from US authorities in his case.

The informant admitted to FBI agents that he was an active member of a tech support scheme and gave up the names of three of his collaborators, all three Indian nationals.

Two of the suspects owned call centers in India, while a third lived inside the US, where he acted as a money mule by receiving funds from victims into his US bank accounts, and then transferring the money to the call center operators.

PUBLISHERS, BROKERS, AND CALL CENTERS

The informant said that his role in the scheme was as a “broker,” and he sold “call traffic.” According to the informant, brokers are the second category/stage in an online tech support scam scheme.

The first category is what the informant described as “publishers.” These are criminal groups that create the actual tech support websites that show misleading error messages and popups urging users to call a toll-free number.

Publishers then ran online ads on platforms like Facebook, for various topics, such as travel and more, but redirected users who clicked on the ads toward their malicious sites.

Brokers, such as the role which the informant played, operated as intermediaries between the publishers and the call centers. Brokers managed telephony servers through which they sold “call traffic” to a call center operator willing to buy it, based on their respective capacity, or to other brokers, who had active clients (call centers) with free capacity.

The informant, which agreed to provide the FBI with access to his device and have calls recorded, said that most of these negotiations took place via WhatsApp and other online chat applications.

Call center owners would get in touch with brokers, agree to a price per batch of calls, and provide a number to which the broker would re-route incoming calls from tech support scam victims.

The scheme in which the informant was involved used tech support pages that posed as Microsoft security alerts.

The alerts told visitors they’d been infected with malware and that they had to call a phone number for further assistance from a Microsoft employee.

Victims listed in the indictment were all elderly citizens who lacked technical skills to determine that the security alert was fake.

CALL CENTER OPERATORS WOULD OFTEN GAIN ACCESS TO BANK ACCOUNTS

Past IM chat logs and phone calls recorded by the FBI also allowed agents to learn how the scheme continued once victims connected to the call center.

Per court documents, call center employees would operate by convincing callers they needed to download and install a version of the SupRemo remote control software on their computers.

This software would allow call center operators to connect to the victim’s computer and resolve the supposed “technical issue.”

According to a recorded phone call the informant had with one call center owner, call center operators would often ask victims to connect to their bank accounts while the operator would still have access to their systems, allowing the operator to collect bank account credentials.

Similar experiences were also reported by past victims, which the FBI contacted during their investigations.

Money received as payments, or surreptitiously stolen from victims’ bank accounts, would usually be transferred to intermediary bank accounts controlled by money mules.

FBI INFORMANT ALSO SERVED AS MONEY MULE

At the FBI’s request, the informant also agreed to serve as a money mule, and operated one of these intermediary bank accounts, which the FBI then used to track payments and the entities involved in these scams.

Court documents list only a few of the victims who lost money as part of these scams, with estimated losses around tens of thousands of US dollars. However, the true losses from this operation are believed to be in the millions of US dollars, as the scheme appears to have been going on since at least 2017, and most likely involved many more other victims beyond the ones cited in court files.

US authorities filed formal charges in January 2020 against three suspects the informant identified.

The call center operators are still at large in India, but one money mule was arrested in February this year while trying to board a flight from New York to India.

Named Abrar Anjum, the money mule pleaded guilty on Monday, according to a DOJ press release and court documents. He’s scheduled to be sentenced in October, and faces a maximum prison sentence of up to 20 years.

Read the original article over at ZDNet.com.

Zoom is down and schools get a digital snow day

Posted by Dave Cahill on Aug 24, 2020 in Technology | 0 comments

Zoom is down and schools get a digital snow day

Zoom users around the world are currently unable to join meetings and video webinars using the web client and the desktop app just as students going back to school today have had to rely on Zoom’s teleconferencing platform for online lessons.

According to an incident entry posted to Zoom’s status page, some users have also been reporting that they can’t open the company’s website either.

Based on reports tracked by Downdetector, this outage is mainly affecting users from the United States East Coast and the United Kingdom.

“We have received reports of users being unable to visit the website (zoom.us) and unable to start and join Zoom Meetings and Webinars,” says on its status page.

“We are currently investigating and will provide updates as we have them.”

Hey there! ? We have received reports of users being unable to start and join Zoom Meetings and Webinars. We are currently investigating and will provide updates as we have them. We sincerely apologize for any inconvenience. Please follow https://t.co/aqz5nS7fZY.

— Zoom (@zoom_us) August 24, 2020

Last week, Zoom experienced another outage that prevented users from joining meetings and webinars through the web client and WebSDK, with the outage not affecting users joining using the application.

“The cause of this issue is our Web SDK servers are reaching capacity on peak usage,” a staff member explained at the time. “We are adding more capacity and will update you when the process is complete.”

Back in April, when Zoom experienced a similar outage, users said that they were unable to use the web client or start and attend webinars, instead saying that the client would display ‘403 Forbidden’ errors.

Later, BleepingComputer found that the April outage perfectly lined up with taking down the web client starting with April 2 to address a security bug that allowed attackers to crack the numeric passcode used to secure private meetings.

CEO Eric S. Yuan said in April that the video conferencing platform passed 300 million daily meeting participants.

---

Update 1: 

Read the original article over at BleepingComputer.com.

Why Apple’s antitrust fight could spell the end of iOS as we know it

Posted by Dave Cahill on Aug 21, 2020 in Gaming, Google, Mac / Apple | 0 comments

Why Apple’s antitrust fight could spell the end of iOS as we know it

Antitrust?  While both Apple and Google are in US and EU crosshairs, Apple is in a far more precarious position. Are iOS users ready for the pros and cons of opening Pandora’s app box?

This week, Apple reached a significant milestone in its nearly 45-year history: a valuation of over $2 trillion. It’s the first American company to achieve that lofty status, surpassing the valuation of Saudi Aramco as a publicly traded firm. This comes only a year after reaching the $1 trillion mark, a milestone that its industry rivals Amazon, Microsoft, and Alphabet (Google) soon followed.

But Apple’s rise in valuation has placed the company under increased scrutiny and growing concerns about how it has been managing its developer ecosystem, notably its App Store.

In May of last year, I discussed how the US Supreme Court paved the way for potential antitrust by allowing a class action suit against the company alleging monopolistic practices on its App Store to proceed. Although the ruling was not a judgment against Apple and was remanded to the lower courts — the Court did not classify the company as a monopoly, and did not move forward with any antitrust penalty — the decision does set a potentially damaging precedent for the company.

By allowing this lawsuit to move forward, the high court’s ruling opened up the possibility that there could be, at some point, antitrust proceedings against the company. 

All signs indicate that antitrust litigation against the company is virtually inevitable — especially if Cupertino continues to maintain a status quo of allowing only Apple-trusted applications in its App Store and not permitting third-party payment services to be used for in-app transactions. 

The foundations for antitrust against Apple

In the last year, legal complaints against the company have increased, as have antitrust monitoring efforts by the US and European regulators. In 2019, Spotify issued a complaint to the European Union, alleging that because Apple’s Music services aren’t subject to the same 30% App Store transactional fees as third-party music services, it competes unfairly. 

Although Spotify’s service can be subscribed to outside the App Store via an out-of-band browser purchase (in the same way other companies, such as Amazon, have also engaged in content purchases that bypass the App Store), Spotify argues that the 30% fee forces the firm to operate in an unfair environment, if it wants to offer subscriptions directly via the iOS app. 

This complaint has resulted in the EU proceeding with a formal investigation into Apple’s App Store practices but has stated that it may take years to complete. In the past, the EU has fined American firms billions of dollars, such as its prior actions against Microsoft regarding browser bundling within Windows, which resulted in the company needing to build a “browser choice” screen into its operating system, and its $5B fine against Google for anticompetitive behavior in tying its search engine to Android.

The United States has also stepped up its antitrust activities against Apple, in the form of increasing its monitoring of all of the major tech giants. This started with Amazon and Google at the FTC, and was extended to Facebook and Apple at the DOJ based on statements made to the Wall Street Journal in July of 2019.

Enter Epic

All of these legal activities seemed to have been pushed to the back burner given the current political climate and priorities of the Trump administration. The upcoming US elections and the COVID-19 pandemic have proven to be effective distractions.

But recently, Apple has again come under scrutiny due to its interactions with Epic Games. The company made changes to its popular Fortnite game to allow for in-app transactions that do not go through Apple’s App Store or Google’s Play Store on their respective iOS and Android platforms. 

These changes resulted in the immediate removal of Fortnite from both the App Store and the Play Store, as well as a notification by Apple to Epic that its official developer accounts would be canceled at the end of the month due to violation of its developer agreements. Epic has since launched antitrust lawsuits against both Apple and Google, arguing that both of the companies are engaged in multiple violations of the Sherman Antitrust Act due to monopolistic practices. 

There has not been an immediate response by the Federal Trade Commission or the Justice Department. However, It is likely that Epic — a successful software developer that has made billions in revenue from its participation on the App Store and Google Play — has significant financial resources to pursue protracted litigation against Apple. It is also likely that Epic will seek to join forces with other firms such as Spotify to make a more compelling case.  

What it means for iOS and Android

While both Apple and Google are in US and EU crosshairs, it could be argued that Apple is in a much more precarious position:  Any antitrust activity could create more significant issues for iOS platform end-users than for Android users.

Why? Android already can side-load applications, which includes third-party app stores. This capability exists in the event an end-user wants to install software that either doesn’t conform to the Play Store’s policies (such as adult content) or that simply isn’t listed in the Play Store for whatever reason. 

Additionally, Android is fully open source as part of the Android Open Source Project (AOSP), so there is full transparency when it comes to APIs. Only apps that use Google Mobile Services — which are fully documented by the company and licensed to device manufacturers (such as Samsung and Microsoft) — are considered to be proprietary.

So while increased fines against Google by the EU and the US might be financially painful to Google, the company would not need to make significant architectural changes to Android other than possibly including support for third-party payment processing systems within Google Play.

iOS would not fare as well. If a court orders that Apple must allow for third party application installs, it would have significant implications for the ongoing development of the mobile operating system. It could well require a complete redesign to accommodate any necessary changes as part of any legal settlement or consent decree beyond penalties Apple would need to pay.

Apple has allowed side-loading, but only for enterprises using the Developer Enterprise Program. This program enables companies to create and deploy custom applications on iOS, WatchOS, and TVOS devices, as well as code-sign Mac apps, plug-ins, and installers with a Developer ID certificate for distribution to employee Mac computers. As with iOS, Mac also has an app store, but Apple does not require that Mac systems exclusively install applications from it.

While the Developer Enterprise program has dramatically helped reduce malicious software installed on iOS systems, it is not infallible. The “Exodus” spyware, which managed to be installed directly from Google Play on Android devices, has been distributed using the Developer Enterprise toolsets on iOS devices.

Gatekeeper would almost certainly have to be ported to iOS in order to allow for secure application installs. But it isn’t the only new component and major modification that the mobile operating system would need for Apple to ensure a safe experience for its customers.

Potential for major architectural changes to iOS

It is unknown how modular an operating system iOS truly is because, unlike Android, it is not open source. Google has managed to compartmentalize all of its proprietary functions into Google Mobile Services (GMS), including all the libraries and apps needed to provide its customer experience on Android.

It has done this to separate the open source project that is AOSP from commercially licensed versions of the mobile operating system. Some Android device vendors, such as Huawei and Amazon, do not use Google Mobile Services at all and use AOSP as the basis of their products only.

Part of any accommodation for third-party apps would almost certainly be to put Apple’s built-in apps on a level playing field in API usage. Apple likely has private, undocumented APIs that it uses for its purposes, wholly integrated into every aspect of the OS. Because iOS is a closed ecosystem entirely controlled by Apple, the company has never had to worry about fully documenting everything that it does.

However, If it wished to reserve APIs for its use in the future, it would need to move those APIs into its libraries away from the common user space where all apps run, much in the same way Google Mobile Services is built. But it’s also possible that any antitrust settlement may also require Apple to document all of their APIs so that there’s no “secret sauce” in iOS that is kept away from third-party developers. The issue of addressing undocumented APIs was central to settling Microsoft’s litigation with the US Government in the early and mid-2000s.

There are other issues with the iOS security model that may need to be changed in order to accommodate third-party applications that are sideloaded or installed outside the App Store. In addition to allowing for third-party payment systems within the App Store itself, Apple may need to create a pluggable architecture within the operating system framework to allow for alternative payment systems. Additionally, to firewall potentially misbehaving third-party apps, the company may need to add support for containerization, which is a form of virtualization technology.

Along with built-in support for virtual machines, containerization is a relatively new feature for Apple operating systems. It’s only recently been introduced in MacOS 11 Big Sur, which is still in developer and public beta testing, to support iPad and iOS applications on Apple Silicon. In addition to being used to run the “Rosetta” x86 emulator in order to isolate its processes from the rest of the operating system and other apps, containerization is used to provide a runtime environment so that unmodified iOS and iPadOS apps, as well as ported iPad “Catalyst” apps, can run safely without interfering with Mac system processes. Each app gets its container and only the resources that it needs to function.

iOS provides sandboxing for App Store distributed apps today. However, if Apple were forced to accommodate software that had not been through its rigorous vetting and gating processes, major architectural changes would be required — especially if the company wants to maintain the superior application security model that its closed system currently enjoys.

Apple would almost certainly need to provide a way for third-party applications and app stores to run in a completely isolated manner on iOS, assuming they aren’t using an open source technology like Docker. The containerization technology built into OS 11 would have to be ported to iOS, along with whatever toolsets are needed to repackage apps as installable containers. 

We don’t even know how MacOS 11’s containerization works because Apple hasn’t provided any documentation for it yet — much of this is completely abstracted from Mac software developers. This may very well need to change as a result of any antitrust settlement.

The pros and cons of opening Pandora’s app box

The benefits of opening up iOS to third-party applications that wouldn’t otherwise be able to participate in the App Store are readily apparent. It would allow for entire categories of apps — currently only available via jailbreaking — to run on iPhone and iPad devices. It would also allow for apps that the company deems “objectionable,” such as those that have adult content. 

It also would permit the installation of apps that come into conflict with the enforcement desires of regional governments, such as those used and side-loaded on Android by Chinese nationals during large-scale protests, but which are prohibited on the App Store in China.

Enabling third-party apps to be side-loaded on iOS does come with potential downsides. Much of the value of being an iOS user is the walled garden itself — it’s a safe, well-controlled environment, particularly if you compare it to the Wild West that is Android. Apps on iOS go through a sophisticated vetting process, and that keeps the experience high-quality and secure overall.

Any antitrust activity against Apple is going to target many of these areas. Accommodating the potential demands of governments and legal settlements may require the company to make substantive changes to the way its mobile operating system works. Once side-loading is allowed, it opens up the potential for many issues that can potentially compromise user security and degrade the overall premium, highly curated experience of the Apple ecosystem that its customers currently enjoy. 

Read the original article over at ZDNet.com.