Google’s Password Checkup tool rolling out to Android devices

People who use devices running Android 9 or newer will be alerted if their login credentials have been stolen

Google is extending its Password Checkup feature to Android in a bid to help people make their online accounts more secure. Originally introduced as an extension for the Google Chrome web browser two years ago, the tool was later integrated into Chrome for desktop before making its way into the browser’s versions for Android and iOS.

The feature will now work with Android apps through “Autofill with Google”, which can be enabled through the device’s settings. “Whenever you fill or save credentials into an app, we’ll check those credentials against a list of known compromised credentials and alert you if your password has been compromised,” reads Google’s blog post announcing the release.

For added security, if a user is alerted to a compromised password, the prompt can navigate them to the Password Manager page, which will allow them to complete a comprehensive review of all their passwords. Password Checkup will be available for all devices running Android 9 or above.

Google assured users that their security and privacy is at the forefront when it comes to handling their sensitive data. “Autofill with Google is built on the Android autofill framework which enforces strict privacy & security invariants that ensure that we have access to the user’s credentials only in the following two cases: 1) the user has already saved said credential to their Google account; 2) the user was offered to save a new credential by the Android OS and chose to save it to their account,” said Google.

Source: security.googleblog.com

The company also gave assurances that the usernames and passwords are hashed and encrypted and that nobody, including the company itself, is able to derive the username or password from the encrypted copy. For example, the process of determining whether the user’s credentials were breached or not takes place locally on their smartphone.

Beyond Password Checkup, users can rely on other security features that Autofill with Google offers, such as password generation and biometric authentication. The former is aimed at users who’d like to avoid common pitfalls of password creation such as recycling the same password over and over again; meanwhile, the latter adds an extra layer of security by requiring biometric authentication anytime a user fills in their credentials or payment information.

Says ESET security specialist Jake Moore about the new feature: “This password checkup tool is crucial in its simplicity, and when integrated with a password manager that offers a password generator tool, users will get even better protection.”

Here’s hoping Password Checkup will be a nudge in the right direction for many Android users, including those who log into their favorite online services with strings such as “123456”, “password” or other poor choices that regularly appear on the lists of the most common passwords.

Clubhouse chats streamed to third‑party website

The incident raises concerns about the privacy and security of conversations taking place on the platform

Clubhouse, the social media platform du jour, has experienced a data incident as an unidentified user found a way to stream audio feeds from the app’s chat rooms to a third-party website.

Speaking to Bloomberg, Clubhouse spokeswoman Reema Bahnasy confirmed that over the weekend a user was able to pull audio feeds from “multiple rooms” and made them available on their own website. The user was then “permanently banned” and the social media platform went on to add new “safeguards” to prevent the situation from occurring again.

The apparent audio spillage comes on the heels of a report earlier this month, which led to concerns over the platform’s data practices. Following the report, which was drafted by the Stanford Internet Observatory (SIO), Clubhouse has sought to assuage the concerns by committing to taking steps to ensure user privacy.

Launched in April 2020, the invitation- and iPhone-only chat application allows users to interact with one another in private or public audio chatrooms. The app created a buzz by allowing regular users to interact with high-profile figures such as celebrities, athletes, captains of industry, and venture capitalists.

While the talks aren’t recorded by the platform and should be experienced live, its guidelines state that users “may not transcribe, record, or otherwise reproduce and/or share information obtained in Clubhouse without prior permission.”

Shortly after the new issue came to light, a number of cybersecurity exports took to Twitter. David Thiel, SIO’s Chief Technical Officer, said that he doesn’t believe the cyber incident to be a “malicious activity, nor it is a loophole per se”.

He said that the unidentified party behind the incident created a JavaScript application that would allow anyone to listen to audio from Clubhouse without having an invite code and be able to listen to different personal sessions as well. “The app is designed to scrape Clubhouse channels that you can select from. A bot will join the channel on your behalf, and stream audio to you using Agora’s web SDK. It doesn’t appear to be spooling chats to storage — it doesn’t look like the server sees audio at all,” Thiel explained.

While some version of this *could* store audio, the version on GitHub just stores channel metadata. If it’s true that people weren’t able to kick the bot, that would be a Clubhouse bug. But there’s nothing inherently bad here, save for a possible ToS violation.

— David Thiel (@elegant_wallaby) February 21, 2021

Meanwhile, Robert Potter, the CEO of Internet 2.0, weighed in by saying that the security and privacy issues are teething troubles that are usually faced by up-and-coming social media platforms. However, he agreed with Thiel that it could be considered a violation of the app’s Terms of Service rather than a hack or data breach.

“The end result of this whole clubhouse [sic] experience is that folks have put a lot of data online without considering the privacy implications. I’d strongly recommend people to build more encryption fenced communities for these sorts of conversations in the future,” said Potter.

What an ESET expert has to say

Separately, these sentiments were echoed by ESET security specialist Jake Moore: “Clubhouse is still in its early phase and like with many applications, privacy of its users is often an afterthought. Similarly to when Zoom usage went through the roof, Clubhouse is experiencing a huge uptake and learning as it goes. Far too often the security and privacy of a startup’s userbase are not seen as important as the company’s growth. However, without the right protection in place, there is arguably no longevity.”

He went on to urge users to limit the amount of personal data they share with online services and watch for new security features in further releases.

Brave browser’s Tor mode exposed users’ dark web activity

A bug in the ad blocking component of Brave’s Tor feature caused the browser to leak users’ DNS queries

Brave, one of the top-rated browsers for privacy, has fixed a bug in its Private Windows with Tor feature that leaked the .onion URLs for websites visited by the browser’s users, according to a report by an anonymous researcher, the browser’s built-in Tor mode – which takes private browsing to a new level by allowing users to navigate to .onion websites on the dark web without having to install Tor – was leaking Domain Name System (DNS) requests for the websites.

“If you’re using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose,” reads the post.

RELATED READING: 3 ways to browse the web anonymously

While testing the issue, the researcher found that when a request is made for a .onion domain while using Private Window with Tor, the request makes its way to the DNS server and is tagged with the Internet Protocol (IP) address of the requester.

“This shouldn’t happen. There isn’t any reason for Brave to attempt to resolve a .onion domain through traditional means as it would with a regular clearnet site,” sad the researcher. This means that when you use Tor with Brave and access a specific Tor website, your internet service provider (ISP) or DNS provider would be able to tell that the request for that specific website was made from your IP address.

According to a tweet by Brave’s Chief Information Security Officer Yan Zhu, Brave was already aware of the issue since it was previously reported on HackerOne. It has since pushed out a hotfix to resolve the Tor DNS issue, which was traced to the browser’s adblocking component, which used a separate DNS query.

for security researchers looking at Tor windows in Brave, note this feature is presented to users as regular private windows which use a Tor proxy for improved network privacy, NOT an equivalent to Tor Browser in terms of anonymity or leakproofing. https://t.co/xYUwsFhXbt pic.twitter.com/H6VuRYsArg

— yan (@bcrypt) February 19, 2021

The Chromium-based browser first released the Beta of Private tabs with Tor in June 2018 in a bid to protect the privacy of users not only on their devices but over the network as well. “Private Tabs with Tor help protect Brave users from ISPs (Internet Service Providers), guest Wi-Fi providers, and visited sites that may be watching their Internet connection or even tracking and collecting IP addresses, a device’s Internet identifier,” reads its blog touting the new feature. In 2020 it also launched its own Tor Onion Service.

Week in security with Tony Anscombe

Avoid COVID-19 vaccine fraud and hoaxes – Romance scams cause record-high losses – Exaramel in the spotlight after attacks in France

With the rollouts of COVID-19 vaccines gaining speed, fraudsters deploy campaigns that attempt to relieve people of their data and money or spread false claims about the vaccines. Newly released statistics about romance scams paint a dire picture – losses stemming from this flavor of fraud are soaring during the pandemic. Exaramel, a backdoor discovered by ESET three years ago, has been used in attacks against IT companies in France.

TDoS attacks could cost lives, warns FBI

Both hacktivists and extortionists have used telephony denial-of-service attacks as a way to further their goals

The United States’ Federal Bureau of Investigation (FBI) has issued a stark warning about consequences that telephony denial-of-service (TDoS) attacks on call centers could have on people’s lives.

If launched against critical call centers, TDoS attacks could ultimately prevent callers from reaching emergency services such as first responders in time and so pose a legitimate threat to public safety. “The resulting increase in time for emergency services to respond may have dire consequences, including loss of life,” reads the FBI’s public service announcement.

As the name suggests, the goal of TDoS attacks is to overwhelm a telephone system to such an extent that it would be unavailable for the intended users. This is done by keeping up a series of distraction calls going on for as long as possible, flooding the victim’s telephone system, delaying legitimate phone calls or even making it impossible for them to make it through.

While in the past TDoS attacks were conducted manually by encouraging people on social networks to join in calling campaigns to inundate specific telephone numbers, the perpetrators have now evolved their modus operandi and use automated systems.

“An automated TDoS attack uses software applications to make tens or hundreds of calls, simultaneously or in rapid succession, to include Voice Over Internet Protocol (VOIP) and Session Initiation Protocol (SIP). Numbers and call attributes can be easily spoofed, making it difficult to differentiate legitimate calls from malicious ones,” the Bureau explained.

Hacktivism, harassment and financial gain through extortion are among the most common motives for carrying out TDoS attacks. While hacktivists may use computer network exploitation to further their political and social causes, threat actors will resort to TDoS attacks as a way of squeezing municipalities for money.

RELATED READING: 5 ways cybercriminals can try to extort you

Th FBI also set out a list of guidelines on how to prepare for situations when emergency numbers aren’t reachable:

You should contact your local emergency services for information on how to reach them in the event of a 911 outage Write down the non-emergency numbers for your local fire, rescue and law enforcement agencies and have them ready if an outage occurs If possible, register for automated notifications in your region about emergency situations happening in your area Follow various sources of information, including websites and social media, for emergency responders in your area

Malware authors already taking aim at Apple M1 Macs

The first instance of malicious code native to Apple Silicon M1 Macs emerged a month after the release of devices equipped with the company’s in-house CPUs

In November, Apple debuted a series of Mac computers sporting its new Apple Silicon M1 chips to great acclaim. The release of the new hardware also grabbed the attention of enterprising cybercriminals, who prepared a “little” debut of their own – malware that can run specifically on devices fitted with the new Apple chipsets.

Apple’s new M1 processors use ARM-based architecture, a departure from the previous generation of Intel x86 processors that its computers previously came with. This has necessitated for applications developed for Macs to be either translated through Apple’s Rosetta 2 engine or coded anew to work natively on the new chips.

In the meantime, threat actors have been busy in their own way. Mac security researcher Patrick Wardle has disclosed details about malicious code that targets specifically computers running on Apple Silicon. Combing through VirusTotal and using specific search modifiers, Wardle was able to identify a macOS program that was written in native M1 code and was identified as malicious. The application, dubbed GoSearch22, was found to be a variant of the Pirrit adware family, a common threat targeting Mac users.

RELATED READING: Mac cryptocurrency trading application rebranded, bundled with malware

Applications such as GoSearch22 display unwanted coupons, banners, and pop-up ads that promote questionable webpages; however, they have also been observed to collect browsing data or other potentially sensitive information.

The new version seems to install itself as a malicious Safari extension and persist as a launch agent. It is worth noting that the malware strain was submitted into VirusTotal at the end of December 2020, a mere month after the launch of the new Mac computers.

“Rather awesomely, if we analyze details of the VirusTotal submission, it turns out this sample was submitted (by a user) directly through one of Objective-See’s tools (likely KnockKnock) …after the tool flagged the malicious code, due to its persistence mechanism,” Wardle said. This means that the malware has been detected in the wild and macOS users might have been infected.

“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications so that their code will natively run on M1 systems. The malicious GoSearch22 application may be the first example of such natively M1 compatible code,” he said.

Attacks targeting IT firms stir concern, controversy

The Exaramel backdoor, discovered by ESET in 2018, resurfaces in a campaign hitting companies that use an outdated version of a popular IT monitoring tool

France’s national cybersecurity agency ANSSI has disclosed details about an intrusion campaign targeting IT services firms that run the Centreon IT resource monitoring tool. The attacks are thought to have stayed under the radar for up to three years and have hit mainly web hosting providers based in France.

“On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet. This backdoor was identified as being the P.A.S. webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel,” said the agency.

Indeed, the latter was discovered and analyzed by ESET researchers in 2018. While being an upgrade of the backdoor that was at the heart of Industroyer, which caused an hour-long blackout in and around Ukraine’s capital, Kiev, in late 2016, ESET detected Exaramel at an organization that is not an industrial facility. Both Exaramel and Industroyer are the work of the TeleBots (aka Sandworm) APT group, which also unleashed the NotPetya (aka DiskCoder.C) wiper disguised as ransomware in 2017. TeleBots is descended from BlackEnergy, a group whose eponymously named malware was responsible for a power outage that affected a quarter of a million homes in Ukraine in late 2015.

According to ANSSI, the initial attack vector and the purpose of the campaign against firms running Centreon are unclear. While different in nature, the attacks immediately caused concerns about the incursions being potentially as damaging as the sweeping SolarWinds hack.

Outdated and unpatched

Soon after the news broke, Centreon, the developer behind the eponymous monitoring tool, threw new light on the issue. The company stressed that the threat actor infiltrated 15 “entities”, but none from the ranks of its numerous customers, a list of which includes many blue-chip companies.

Importantly, the campaign targeted versions of Centreon’s software that are five years past end-of-life and were used by open-source developers, said the firm. Additionally, contrary to the company’s recommendations, the tools’ web interfaces were exposed to the internet.

The company denied that this was an example of a supply-chain attack and recommended that all users who still run one of the tool’s obsolete versions should update to a newer and supported version.

Romance scams in 2020: Breaking hearts, wallets – and records

As dating apps experience a boom amid COVID-19, losses to romance scams soar too

More and more people have been flocking to online dating platforms in search of romance and companionship in the wake of lockdowns and social distancing mandates, but the new reality also contributes to record-high losses from romance scams, according to a report by the United States’ Federal Trade Commission (FTC).

“In 2020, reported losses to romance scams reached a record $304 million, up about 50% from 2019. For an individual, that meant a median dollar loss of $2,500. From 2016 to 2020, reported total dollar losses increased more than fourfold, and the number of reports nearly tripled,” reads the report.

While the spike last year could in part be attributed to the pandemic, the increasing trend of people joining various online dating services also plays into the hands of enterprising scammers. However, romance scams weren’t limited to dating sites.

“While many people report losing money on romance scams that start on dating apps, even more, say they were targeted on social media. These social media users aren’t always looking for love, and report that the scam often starts with an unexpected friend request or message,” the FTC warned.

Here’s a quick refresher on romance scams. Phony suitors usually create attractive profiles on dating apps to woo potential victims and cultivate a relationship with them. Once the courtship has gone on for a period of time, the con artist will make up a sob story about badly needing money in order to help their relative or get out of trouble.

COVID-19 has created a golden opportunity for crooks to take advantage of unsuspecting victims, as well as to come up with a boatload of excuses for why they can’t deliver on their promises but still need the money. The faux Lotharios often claim that they lost their jobs or have to cover expensive medical bills and are able to easily shoot down meeting opportunities with their “love interests” by claiming that they’ve tested positive for the virus or that can’t travel due to the restrictions in place.

Victims of the costliest cases of dating fraud were sometimes parted from their money because they believed that their “paramours” had sent them money first. “Scammers claim to have sent money for a cooked-up reason, and then have a detailed story about why the money needs to be sent back to them or on to someone else,” said the FTC. The agency added that instead of helping someone they love, victims were in fact laundering stolen money, which some reported to be stolen unemployment benefits.

The FTC also highlighted that reports of monetary losses from romance scams have increased across all age groups, with people aged 70 or older incurring the highest individual average losses (US$9,475). Meanwhile, those aged 40 to 69 were most likely to report losses stemming from romance fraud.

To protect yourself from romance scammers trying to break your heart and bank account, always remain vigilant and be on the lookout for fake photos, quick professions of never-ending love, or excuses why they can’t meet you, as well as for other telltale signs that a scam is afoot.

Beware of COVID‑19 vaccine scams and misinformation

The vaccination push provides a vital shot in the arm for the world’s battle against the pandemic, but it’s also a topic ripe for exploitation by fraudsters and purveyors of misinformation

The rollouts of COVID-19 vaccines are steadily gaining speed, sparking hope that we may see the end of the pandemic and return to normal life sooner rather than later. This, however, has not escaped the notice of enterprising scammers who would like to cash in on the vaccine distribution effort by using fake offers and spewing out fraudulent emails.

Let’s dive in and look at some of the campaigns where cybercriminals attempt to relieve unsuspecting netizens of their personal information and money or spread baseless claims about the vaccines.

Fraudulent business offers

One common tactic involves offering various ways people could capitalize on the pandemic and vaccine rollout. These scams typically focus either on the COVID-19 vaccines themselves, or on the tech used to manufacture or store them.

In the first example below, the cybercriminal impersonates an employee of a pharmaceutical company, implying that it is somehow involved in the manufacturing efforts of the vaccines. To foster some degree of trust, the would-be con artist name-drops Whitman Laboratories, a real British pharmaceutical company that is not involved in such scurrilous behavior. Further, this scammer also opts for an encrypted email provider instead of the usual fraudster favorites Gmail or Hotmail.

Beyond these two points, the rest of the email bears all the hallmarks of a scam – it’s sparse on details, probably to prompt a reply, and has grammar mistakes and odd stylistic choices. It’s also worth noting that almost all COVID-19 vaccine sales negotiations are done directly between the manufacturers and governments, so a research assistant cold-calling potential buyers should raise doubt at the very least.

Meanwhile, the second example could be considered the polar opposite of the first. The fraudster behind this email purports to sell laboratory-grade freezing units, which some vaccines indeed do need so they don’t start to degrade. In this case, the scammers did their homework and went all out to make the email seem as plausible as possible, even going as far as to add a bit of marketing copy. On the one hand, the manufacturer does exist, it does have almost all the certificates claimed in the email, and in fact, does manufacture the advertised freezers in various sizes.

On the other hand, the classic staples of scams are clearly visible: the subject line is weird and misspells the name of the company, the greeting is general, impersonal, and commonly seen in some other familiar scam email realms; the email is riddled with grammar mistakes and lacks a signature. Besides, the product on offer focuses on a very niche market – these freezers are rarely found in a doctor’s office or even in most hospitals or drug stores.

Bogus COVID-19 payments

Another frequent tactic relies on posing as a health authority that is directly involved in battling the pandemic. The World Health Organization (WHO) has been among the most impersonated authorities in various COVID-19-related scam campaigns, with scammers – masquerading as WHO representatives and employees – trying to disseminate fake apps or pretending to offer important information.

However, the WHO is by no means the only authority being impersonated; in the following example, scammers pose as the United States Centers for Disease Control and Prevention (CDC). Here, the fraudsters actually get some of the information right – the CDC does indeed have an Emergency Operations Center and does have programs that work in tandem with public health partners. However, once you scrutinize the email further, the signs that a scam is afoot are more than evident. If you’re one of the CDC’s partners, you’re probably aware of its mission and don’t need a reminder, and if you haven’t been living under a rock you already know that several vaccines have already been developed, tested, and some have already been approved.

Beyond that, the formatting of the email is all over the place – it is riddled with typos and odd sentence structures, and most importantly: the message lacks details of why the partner should receive the hefty payment. One more thing that stands out is the name of the person reputedly in charge of the payment; while David W. Archey is a real agent who works for the Federal Bureau of Investigation (FBI), there is no reason why he should be the person in charge of delivering payments from another federal agency.

Conspiracy theories galore

As much as we’d like to deny the existence of conspiracy theories and hoaxes, the internet today is rife with them. If you look hard enough, you’d probably find viral falsehoods for pretty much any topic; currently, hoaxes surrounding the COVID-19 vaccines are at the forefront.

These also present an opportunity to spew out countless emails containing a slew of links that claim to reveal the “truth”, which usually consists of taking a piece of news or video and embellishing it to fit their narrative. Alternatively, a common tactic is taking what is said and misrepresenting, misquoting or framing it so that the “end product” sounds like nothing compared to the original. All of this is done with the aim of producing shock value and convincing people to click on the links.

One such spam email uses a real interview with Bill Gates that is deceptively edited so that it misrepresents his views. It also disseminates various falsehoods that rely on baseless claims from various sources to “prove” its point, including videos that spread mistaken beliefs about the vaccines and are available both on YouTube and on a video hosting site that is particularly popular with extremists and purveyors of false stories.

To top it off, the email also references real chemical compounds and patents that are also freely searchable on the internet. Again, these are just used because they fit nicely into the narrative and are hoped to be intriguing enough to lure readers into

Record‑breaking number of vulnerabilities reported in 2020

High-severity and critical bugs disclosed in 2020 outnumber the sum total of vulnerabilities reported 10 years prior

An analysis of data collected by the United States’ National Institute of Standards and Technology (NIST) about common vulnerabilities and exposures (CVEs) has found that 2020 saw more reports of security loopholes than any other year to date.

The report by Redscan, a provider of managed security services, reveals that 18,103 vulnerabilities were reported last year, with most (10,342) classified as high or critical in severity. In fact, high-severity and critical bugs disclosed in 2020 outnumbered the sum total of vulnerabilities disclosed in 2010.

Among the key findings was a surge in security flaws that don’t require any user interaction. These accounted for 68% of all CVEs reported to NIST in 2020. “Security professionals should be concerned about the fact that more than two-thirds of vulnerabilities recorded in 2020 require no user interaction of any kind to exploit. Attackers exploiting these vulnerabilities don’t even need their targets to unwittingly perform an action, such as clicking a malicious link in an email. This means that attacks can easily slip under the radar,” warned Redscan.

There are multiple prominent examples of such vulnerabilities, including a critical remote code execution flaw indexed as CVE-2020-5902 that affected F5 Networks’ BIG-IP multi-purpose networking devices.

The share of security loopholes that don’t require any user privileges dropped from 71% in 2016 to 58% in 2020; meanwhile, the number of vulnerabilities that require high-level privileges has been on the rise. This translates into more effort from cybercriminals who will resort to time-tested classic attacks such as phishing when targeting high-value marks.

“Users with a high degree of privileges, such as system administrators, are a prize target because they are able to open more doors for attackers,” Redscan explained.

RELATED READING: Vulnerabilities, exploits and patches

The report goes on to outline other aspects of vulnerabilities beyond severity that people need to be wary of. Some 4,000 flaws were found to meet the so-called “worst of the worst” conditions; these are CVEs that have a low attack complexity, don’t require any privileges or user interaction, and have confidentiality designated as high.

Redscan concludes its findings on a somber note, highlighting that although critical and high severity vulnerabilities should be at the forefront most of the time, security teams “shouldn’t lose sight of lower-level vulnerabilities”.

“When analysing the potential risk that vulnerabilities pose, organisations must consider more than just their severity score. Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges. Underestimating what appear to be low risk vulnerabilities can leave organisations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages,” said George Glass, Head of Threat Intelligence at Redscan.