about
now browsing by tag
WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope” – Naked Security
Source: National Cyber Security – Produced By Gregory Evans
If you follow @NakedSecurity on Twitter, you’ll have noticed that we warned last week about an old WhatsApp hoax that suddenly reappeared.
The bogus news is generally known as the “Martinelli hoax”, because it starts like this:
If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word.
When we last wrote about “Martinelli”, back in 2018, we noted that the hoax was given a breath of believability because the text above was immediately followed by this:
If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!!
This part of the hoax has a ring of truth to it.
Back in 2016, hoax-checking site Snopes reported that malware dubbing itself WhatsApp Gold, was doing the rounds.
The fake WhatsApp was promoted by bogus messages that claimed, “Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.”
So WhatsApp Gold was actual malware, and the advice to avoid it was valid, so the initiator of the Martinelli hoax used it to give an element of legitimacy to their otherwise fake warning about the video.
The latest reincarnation of the hoax has kept the text of the original precisely, including the five-fold exclamation points and the weird extra spaces before punctuation marks.
The new hoax even claims that the video first mentioned several years ago still “comes out tomorrow.”
But there’s a new twist this time, with yet another hoax tacked on the end referring to yet another video “that formats your mobile.”
This time, the video is called Dance of the Pope:
Please inform all contacts from your list not to open a video called "Dance of the Pope". It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Fwd this message to as many as you can!
Ironically, Snopes suggests that this piece of the hoax – which is basically the same as the Martinelli hoax but with a different video name – is even older than the Martinelli part, dating back to 2015.
Quite why the hoax has reappeared now is not clear, though it may have been triggered by March 2020 news headlines about wunderkind Brazilian footballer Martinelli.
Martinelli currently plays for Arsenal in England, but has been tipped to appear in the Brazilian national squad at just 18 years of age; he’s also been the subject of media speculation that he might get poached from Arsenal by Spanish heavyweights Real Madrid.
Is it even possible?
In theory, playing a deliberately booby-trapped video file on your mobile phone could end up in a malware infection, if your phone has an unpatched bug in its media player software that a crook could exploit.
In practice, however, that sort of bug is very rare these days – and typically gets patched very rapidly and reported very widely.
In other words, if the creator of this warning knew enough about the “bug” to predict that it could infect any mobile phone, and could warn you about this “attack” in a video that isn’t even out yet, it’s highly unlikely that you wouldn’t have heard about the actual bug itself either from the vendor of your phone or from the world’s cybersecurity news media.
Additionally, even if there were a dangerous bug of this sort on your phone and your phone were at risk, it’s unlikely that “nothing would fix it”.
As for the imminent and unconquerable danger of an alleged double-whammy video attack of “threats” that first surfaced in 2015 and 2016…
…well, if the videos were supposed to “come out tomorrow” more than four years ago, we think you can ignore them today.
What to do?
- Don’t spread unsubstantiated or already-debunked stories online via any messaging app or social network. There’s enough fake news at the moment without adding to it!
- Don’t be tricked by claims to authority. Anyone can write “they announced it today on BBC radio,” but that doesn’t tell you anything. For all you know, the BBC didn’t mention it at all, or announced it as part of a hoax warning. Do your own research independently, without relying on links or claims in the message itself.
- Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, but you can’t make someone safer by “protecting” them from something that doesn’t exist. All you are doing is wasting everyone’s time.
- Don’t forward a cybersecurity hoax because you think it’s an obvious joke. What’s obvious to you might not be to other people, and your comments may get repeated as an earnest truth by millions of people.
- Don’t follow the advice in a hoax “just in case”. Cybersecurity hoaxes often offer bogus advice that promises a quick fix but simply won’t help, and will certainly distract you from taking proper precautions.
- Patch early, patch often. Security updates for mobile phones typically close off lots of holes that crooks could exploit, or shut down software tricks that adware and other not-quite-malicious apps abuse to make money off you. Take prompt advantage of updates!
- Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it gives you additional protection not only against unsafe system settings and malware, but also helps to keep you away from risky websites in the first place.
- Don’t grant permissions to an app unless it genuinely needs them. Mobile malware doesn’t need to use fancy, low-level programming booby-traps if you invite it in yourself and then give it more power that it needs or deserves.
The post WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope” – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
#nationalcybersecuritymonth | DNC warns campaigns about cybersecurity after attempted scam
Source: National Cyber Security – Produced By Gregory Evans
An online “impersonator” of a Democratic National Committee (DNC) staffer tried to contact presidential campaigns, including Sen. Bernie SandersBernie SandersWinners and losers from the South Carolina debate Five takeaways from the Democratic debate Sanders most searched, most tweeted about candidate during Democratic debate MORE’s (I-Vt.) campaign, the committee said in a statement to the candidates Wednesday.
Bob Lord, the DNC’s chief security officer, wrote in an email to the campaigns that “adversaries will often try to impersonate real people on a campaign,” The Associated Press reported.
He added that the “adversaries” could try to get campaign workers to “download suspicious files, or click on a link to a phishing site” or set up calls or in-person meetings to record and release.
Lord warned that the “impersonator” contacted the Sanders campaign and at least two others and had a domain registered overseas. But he acknowledged that anyone can register a domain name in any country.
“Attribution is notoriously hard,” he wrote. “The appropriate authorities have been alerted.”
“If you are using an alternate domain, please refrain from doing so and let us know if you are operating from a domain that others have not corresponded with before,” Lord added. “Do not use your personal mail account for official business.”
Sanders campaign spokesman Mike Casca confirmed the incident with the AP and said the domain was registered in Russia.
“It’s clear the efforts and investments made by the DNC and all the campaigns to shore up our cybersecurity systems are working,” Casca said, according to the AP. “We will remain vigilant and continue to learn from each incident.”
The Hill reached out to the DNC and the Sanders campaign for confirmation.
The Vermont senator said on Friday that he was briefed about a month ago that Russia was attempting to boost support for his campaign.
Democratic campaigns have been cautious about cybersecurity since Hillary Clinton
Hillary Diane Rodham ClintonDemocratic insiders stay on the sidelines in 2020 race Hillicon Valley: Twitter falling short on pledge to verify primary candidates | Barr vows to make surveillance reforms after watchdog report | DHS cyber chief focused on 2020 The Hill’s Campaign Report: High stakes at last Democratic debate before Super Tuesday MORE campaign chairman John Podesta’s emails were hacked and published after he received an email seemingly from Google directing him to change his account.
The post #nationalcybersecuritymonth | DNC warns campaigns about cybersecurity after attempted scam appeared first on National Cyber Security.
View full post on National Cyber Security
Data about inmates and jail staff spilled by leaky prison app – Naked Security
Source: National Cyber Security – Produced By Gregory Evans
Inmates’ and correctional facilities employees’ data has been sloshed onto the web, unencrypted and unsecured, in yet another instance of a misconfigured cloud storage bucket.
Security researchers at vpnMentor came across the leak on 3 January during a web-mapping project that was scanning a range of Amazon S3 addresses to look for open holes in systems.
The leaky bucket belongs to JailCore, a cloud-based app meant to manage correctional facilities, including by helping to ensure better compliance with insurance standards by doing things like tracking inmates’ medications and activities. That means that the app handles personally identifiable information (PII) that includes detainees’ names, mugshots, medication names, and behaviors: going to the lavatory, sleeping, pacing, or cursing, for example.
JailCore also tracks correctional officers’ names, sometimes their signatures, and their personally filled out observational reports on the detainees.
Some of the PII is meant to be freely available to the public: details such as detainee names, dates of birth and mugshots are already publicly available from most state or county websites within rosters of current inmates. But another portion of the data is not: that portion includes specific medication information and additional sensitive data, vpnMentor says, such as the PII of correctional officers.
JailCore closed down the data leak between 15 and 16 January: 10 or 11 days after vpnMentor notified it about the breach (and about the same time that the security firm reached out to the Pentagon about it). The company initially refused to accept vpnMentor’s disclosure findings, the firm said.
Risk of identity theft
The leaky bucket held 36,077 PDFs of data from an Amazon server belonging to JailCore. The security researchers didn’t open each file, but the records that they did open pertained to correctional facilities in Florida, Kentucky, Missouri, Tennessee and West Virginia.
JailCore says that it’s a startup that’s currently working with six jails, totaling 1,200 inmates. It thinks that a tiny portion of real people’s information was involved in the breach. From one of its comments cited by vpnMentor:
Of those 6 jails, only 1 is using the application to track medication compliance in a 35 inmate jail and only 5 of those 35 inmates in that jail has a prescribed medication. Meaning all other reports with any mention of medication were all used for demonstration purposes only.
JailCore asked vpnMentor to bear in mind that detainees aren’t free citizens, and that’s a whole ‘nuther can of worms when it comes to privacy rights:
These are incarcerated individuals, not free citizens. Meaning, the same privacy laws that you and I enjoy, they do not.
[…] You cannot look at this like an example of a private citizen getting certain private information hacked from the cloud. These are incarcerated individuals who are PROPERTY OF THE COUNTY (this is even printed on their uniforms) … they don’t enjoy our same liberties.
Does that mean that it’s OK to expose prison inmates to the risk of identity theft? vpnMentor’s take on that risk:
Knowing the full name, birthdate, and, yes, even the incarceration record of an individual can provide criminals with enough information to steal that person’s identity. Considering that the person whose identity is stolen is in jail, cut off from normal access to a cellphone or their email, the damage could be even greater, as it will take longer to discover.
When Vice’s Motherboard contacted JailCore, a representative acknowledged that the records were in fact generated by its app and confirmed that JailCore had sealed up the hole. The JailCore rep also told the publication that the company doesn’t think that any of the compromised PII is personally sensitive or compromising in any way.
A tub full of leaky buckets
And thus does JailCore join the Who’s Who list of organizations that have misconfigured their Amazon S3 buckets and thereby inadvertently regurgitated their private data across the world: Dow Jones; a bipartisan duo including the Democratic National Committee (DNC) and the Republican National Committee (RNC); and Time Warner Cable – to name just a few.
In fact, back in 2017, security vendor Threat Stack conducted a survey of 200 AWS users in early 2017 and found that 73% left SSH open to the public, and 62% weren’t using two-factor authentication (2FA) to secure access to their data.
Amazon took a proactive step by scanning its customers’ S3 buckets and sending warnings when it found spillage, reaching out to customers with bad security before crooks had a chance to.
It doesn’t have to be this way. There’s help out there for organizations that can take a deep breath, step away from their servers, and plunge in to learn how to better secure them: Amazon has an FAQ about how to access AWS Simple Storage Service (S3) controls and encryption.
The post Data about inmates and jail staff spilled by leaky prison app – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
#deepweb | George Pyle: Lee deeply wrong about the ‘deep state’
Source: National Cyber Security – Produced By Gregory Evans It can be difficult for normal people to know when to trust the government and when not to. It can be even more confusing to figure out when to trust Mike Lee. The senior senator from the great state of Utah has, on occasion, stood up […] View full post on AmIHackerProof.com
#nationalcybersecuritymonth | Covered Security wants you to be smarter about online threats — for your employer’s sake
Source: National Cyber Security – Produced By Gregory Evans
I took a five-minute online quiz created by a Boston startup, Covered Security. It’s designed to give you the cybersecurity equivalent of your credit score — basically, how do your online security habits compare with the average person’s, and how do they compare with the habits of security experts? Let’s just say I have some improvements to make before I reach the “average” mark on Covered’s grading scale.
What Covered is trying to do is motivate people like me to change. Not because we’re a danger to ourselves, but because we’re a danger to our employers.
“Normal people are compromised at a rate that is 124.7 percent higher than security professionals,” says Covered’s founder and CEO, Chris Zannetos.
Unfortunately, it can be tough to get people to change bad habits, such as using the same password for multiple accounts or using easy answers to the security prompt questions for password recovery (like mother’s maiden name.)
As for getting them to pay for new security software or services that might make them less vulnerable? Forget about it, Zannetos says. People are complacent about security until a hacker breaks into their Facebook account and starts messaging all of their friends or cracks a bank account and wreaks havoc.
So Covered is focusing on employers, who have a lot more at stake — billions of dollars, trade secrets, brand reputations, and stock prices. Corporate information security executives, Zannetos says, “always say that people were the soft underbelly of their security program. They are a gateway for hackers to break into the organization,” such as when employees hastily respond to an e-mail that looks like it’s from the boss requesting password information, or asking them to review an attached file. (Oops — malware, which can give the bad guys access to everything on your machine.) So Covered is planning to sell to companies, rather than to individuals, and it already has a handful that are using its software, including Aflac, the Georgia insurance company.
Covered Security was founded in 2016, and it’s still small — fewer than 10 employees, Zannetos says. The objective, he explains, was to create “a FitBit for online security. Could we make it simple, fast, and personally rewarding for people to improve their own security habits?”
Covered’s product is fundamentally about education: What are the ideal things to be doing to protect your passwords and accounts, and where have data breaches occurred recently that may affect you and your account information? The Web-based system gives you pats on the head (“kudos”) when you make small improvements, and your employer can offer prizes to people who have accumulated a certain number of kudos. (Yes, you are on the honor system: You can say that you’re using two-factor authentication — “text me a code so I can log in to my account” — without actually doing it.)
Your employer can’t peer into an individual employee’s Covered profile, Zannetos says. But they can see high-level analytic data about “where the company is weak and where they’re strong, and what behavior they need to incentivize.”
This month, to build buzz, Covered has been giving away gift cards to people who register with the site and start earning kudos.
Danahy, the security entrepreneur, says that while “most people treat the end user as a problem that is not solvable — they will always make mistakes — what Covered is doing has an optimism, and a realism, I think, that you can change that.”
The notion, he says, is that you and I should be more aware of practical behaviors, like using a password repository to create and manage our passwords, as well as read articles about the latest hacker techniques, so that we don’t become victims. Offering kudos and financial incentives to spend time doing that, Danahy says, “gamifies” the process of changing our behaviors. Danahy serves as an adviser to Covered but is not an investor in the company.
Oren Falkowitz, CEO of the California startup Area 1 Security and a former staffer at the National Security Agency and US Cyber Command, says via e-mail that the Covered concept sounds simple. “But the reality is, we humans can’t be taught to be less human. Our innate curiosity, our willingness to trust complete strangers, and our child-like interest in a good story, all work against us in cyberspace.” That’s what makes it impossible, Falkowitz says, to stop phishing attacks without relying on “specific and advanced computer software.”
“The concept of training employees so that they can better avoid being phished or falling prey to other social hacks is not new, and almost every company is doing some level of employee education in this regard these days,” says Maria Cirino, a former cybersecurity CEO and venture capitalist at the Boston firm .406 Ventures. But Covered’s approach and use of technology to change people’s bad habits could prove more effective and measurable, Cirino says. Her firm hasn’t invested. Covered has so far raised a bit more than $1 million from individual investors, and Zannetos hopes to add more to the company’s bank account in the spring.
Covered is in the midst of juggling the four balls that every startup needs to keep in the air: finding investors, closing sales, hiring skilled employees, and continually improving the product.
But the mission — making all of us a little less dumb, when it comes to online security practices — is an important one.
Scott Kirsner can be reached at kirsner@pobox.com. Follow him on Twitter @ScottKirsner.
The post #nationalcybersecuritymonth | Covered Security wants you to be smarter about online threats — for your employer’s sake appeared first on National Cyber Security.
View full post on National Cyber Security
#cybersecurity | hacker | Experiential learning – the key to forgetting about the Forgetting Curve
Source: National Cyber Security – Produced By Gregory Evans In 1885, a psychologist named Hermann Ebbinghaus published his theory on education retention called the Forgetting Curve. His research theorizes that most people forget up to 80 percent of what they’ve learned within 48 hour, unless the information is reviewed time and again. With Deloitte reporting […] View full post on AmIHackerProof.com
#nationalcybersecuritymonth | What I taught 60,000 NASA employees about cybersecurity
Source: National Cyber Security – Produced By Gregory Evans Working for NASA is a big job and a true honor. Every day, the talented men and women of NASA must think on a cosmic level because it’s not just about space exploration and research. Sometimes it’s about planetary safety, such as their plan to destroy […] View full post on AmIHackerProof.com
#nationalcybersecuritymonth | Why presidential candidates aren’t talking about cyber
Source: National Cyber Security – Produced By Gregory Evans With help from Eric Geller, Mary Lee and Martin Matishak Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy […] View full post on AmIHackerProof.com
#nationalcybersecuritymonth | UK minister says concerned about election interference after…
Source: National Cyber Security – Produced By Gregory Evans * UK-U.S. trade documents were leaked last month * Reddit believes Russian campaign behind the leak * UK fears attempt to influence the Dec. 12 election * British spies investigating the matter By Michael Holden LONDON, Dec 7 (Reuters) – The leak of classified UK-U.S. trade […] View full post on AmIHackerProof.com
D5 Creation