In brief DuckDuckGo has finally mostly cracked down on the third-party Microsoft tracking scripts that got the alternative search engine into hot water earlier this year.
In May, DDG admitted its supposedly pro-privacy mobile browser wasn’t blocking certain Microsoft trackers, while actively blocking other types of third-party trackers by Microsoft and other organizations, confirming findings by data-usage researcher Zach Edwards.
This special exception for the Windows giant was due to “contractual commitments with Microsoft,” DuckDuckGo CEO Gabriel Weinberg said at the time.
This caused a storm among netizens, and provoked some sharp criticism from the competition. Now, late on Friday this week, DDG said the full blocks would be added against Redmond.
“Previously, we were limited in how we could apply our 3rd-Party Tracker Loading Protection on Microsoft tracking scripts due to a policy requirement related to our use of Bing as a source for our private search results,” it quietly quacked.
“We’re glad this is no longer the case. We have not had, and do not have, any similar limitation with any other company.”
That said, Microsoft scripts from bat.bing.com, used to measure the effectiveness of web adverts, will not be blocked by DDG’s mobile browser if fetched by an advertiser’s website following a DuckDuckGo ad click. Ie, if you tap on an advert on a DDG search results page, get taken to the advertiser’s website, and the advertiser pulls a script from bat.bing.com to detect and record whether anything you subsequently ordered was a result of that advert, the browser won’t block that script.
“For anyone who wants to avoid this, it’s possible to disable ads in DuckDuckGo search settings,” the biz said, adding that it is working on removing support for bat.bing.com with alternative non-profiling ad conversion tracking.
While this may placate some users, a lot of goodwill no doubt has been lost.
Twitter confirms data stolen via privacy blunder
Back in January, Twitter fixed a privacy flaw that made it easy to unmask users. This week, the biz confirmed that the Twitter user data that went on sale earlier this year was indeed taken via that specific security hole.
Exploiting the bug was pretty easy: it was possible to send an email address or phone number to one part of Twitter’s systems, and have it tell you which Twitter account was associated with that contact information, if any, even if they had chosen not to disclose those details in their privacy settings. Thus, for instance, if you suspected someone had a pseudonymous Twitter profile, you could give their contact info to Twitter, and the site would confirm their handle. Or you could just feed the site a load of details and have it map them to accounts.
This would be useful for nation states and other organizations that are keen to know who is behind particular Twitter accounts.
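To make the defensive point concrete, here is an added Python sketch (not Twitter's code, and not from the original report) that models the two behaviours described above: a lookup that returns the handle tied to an email address or phone number regardless of the user's privacy setting, beside a hardened lookup that enforces the setting and gives an opted-out account exactly the same answer as a contact nobody registered. The account directory, handles and contact values are constructed for illustration; `responses_distinguishable` is a hypothetical regression check of the kind a team could keep in its test suite.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    # The user's privacy setting: may others find this account by email/phone?
    discoverable_by_contact: bool


# Constructed sample directory; none of these are real accounts.
ACCOUNTS = (
    Account("public_pat", "pat@example.com", "+15550100", discoverable_by_contact=True),
    Account("quiet_quinn", "quinn@example.com", "+15550101", discoverable_by_contact=False),
)


def _find_by_contact(contact: str) -> Optional[Account]:
    """Internal directory lookup shared by both endpoints below."""
    contact = contact.strip().lower()
    for account in ACCOUNTS:
        if contact in (account.email.lower(), account.phone):
            return account
    return None


def lookup_vulnerable(contact: str) -> Optional[str]:
    """Models the flaw described in the article: the endpoint answers with the
    associated handle whenever one exists and ignores the account's
    discoverability setting, so holding an email address or phone number is
    enough to confirm the handle behind it."""
    account = _find_by_contact(contact)
    return account.handle if account else None


def lookup_hardened(contact: str) -> Optional[str]:
    """Hardened version: the privacy setting is enforced, and an opted-out
    account yields the very same response as a contact with no account, so
    the caller learns nothing about users who chose not to be discoverable."""
    account = _find_by_contact(contact)
    if account is None or not account.discoverable_by_contact:
        return None
    return account.handle


def responses_distinguishable(
    lookup: Callable[[str], Optional[str]],
    opted_out_contact: str,
    unknown_contact: str,
) -> bool:
    """Hypothetical regression check: True means the endpoint leaks, because a
    contact whose owner opted out of discovery can be told apart from a contact
    that was never registered. A hardened endpoint must return False here."""
    return lookup(opted_out_contact) != lookup(unknown_contact)


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        leaks = responses_distinguishable(fn, "quinn@example.com", "nobody@example.com")
        print(f"{name}: opted-out lookup -> {fn('quinn@example.com')!r}, leaks={leaks}")
```

The check compares the complete response for an opted-out contact with the response for an unknown one; in a real service the same comparison should cover status codes, error messages and timing, since any of those can carry the "this contact has an account" signal even when the handle itself is withheld.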
“If someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the micro-blogging biz said Friday. “This bug resulted from an update to our code in June 2021,” it added.
The flaw was addressed soon after it was disclosed via Twitter’s bug bounty program in January, we’re told. It was then reported in July that someone had seemingly exploited the privacy hole prior to its patching and was selling information obtained from Twitter’s servers.
Twitter has now acknowledged that this info was stolen via the bug before it was fixed; it’s understood that 5.4 million Twitter users had their details harvested and put up for sale.
A window into the world of Pegasus
An investigation into spyware used by the government of Israel has discovered that Israeli cops had their own version of NSO’s Pegasus snoopware dubbed Seifan as early as 2016. We’ve also been treated to a view of the software control panel for the espionage tool, revealing its real-time surveillance capabilities and other functions.
Deputy Israeli Attorney General Amit Merari, leader of an investigative committee looking into police use of spyware, published a report Monday detailing the committee’s findings, Israeli news site Haaretz reported.
Seifan, according to Merari’s investigation, may have been pitched to the Israeli government as early as 2014 in a form that analysts described to Haaretz as a beta form of the now-notorious spyware. The investigation showed that Israeli Police used the technology in a manner “beyond its legal authority,” and that the group responsible for its operation is still in possession of illegally gathered data.
Among the capabilities of the Seifan Pegasus variant are all the usual table stakes: data exfiltration, call interception, and the like. Also included in the police version of Pegasus was “volume listening” that allowed police to snoop on an infected device’s microphone in real time, and remote operation of a handset’s cameras.
Haaretz said the latter tool is likely illegal, as Israeli law “does not explicitly permit the planting of concealed cameras, and certainly does not permit the remote control of a camera by hacking a suspect’s mobile device.”
Pegasus isn’t restricted to Israel, either: NSO, the Israeli company that developed the spyware, has tried to downplay fears by saying it has sold Pegasus to fewer than 50 customers, though at least five of those were EU member states. According to reports, Pegasus has been used to spy on political dissidents, journalists, and other government targets, including murdered Washington Post journalist Jamal Khashoggi.
The Merari investigation found that, while Israeli Police were using spyware, no eavesdropping took place outside of court-ordered situations.
“Police use of [Seifan] was solely for the purpose of preventing and solving serious crimes, and subject to court warrants, and that no intentional actions were taken in contravention of the law,” the Israeli Police said in a statement to Haaretz.
Critical flaws in Cisco email hardware: Patch now
Vulnerabilities in Cisco’s AsyncOS for physical and virtual email appliances have been patched, and anyone with an affected system is advised to update now.
Cisco notified customers of the security holes in June, and lately updated the notice to point to AsyncOS patches for the flaws, which could allow a remote attacker to bypass authentication and log into the web administration console for an affected device.
Caused by improper authentication checks when using LDAP for external authentication, the vulnerability has a CVSS score of 9.8. It affects all Cisco Email Security Appliances and Cisco Secure Email and Web Managers running vulnerable versions of AsyncOS that are configured for external authentication and use LDAP as a protocol.
Cisco noted that external authentication is disabled by default, but warns users of its email appliances to double-check the settings to ensure they’re not leaving equipment exposed.
Secure Email and Web Manager appliances running AsyncOS versions 13, 13.6, 13.8, 14, and 14.1 can find updates, and those using Email Security Appliances will find updates available for AsyncOS versions 13 and 14. Links to the updated version can be found in the Cisco security advisory linked above.
AsyncOS release 11 is out of support, Cisco said, and those using this version or older should migrate to a fixed release. Release 12 doesn’t appear to be getting updates against exploitation, either.
For those who can’t update to a newer version of AsyncOS, Cisco said a workaround is available by disabling anonymous binds on the external authentication server. Cisco said it hasn’t discovered any malicious use of the vulnerabilities in the field.
Cybercriminals book Uber to hurry up scams
Scammers may now be offering to send Ubers to victims’ homes to ferry them to banks to withdraw large sums from their accounts.
That’s the story from Towson, Maryland, USA, where an 80-year-old woman targeted by fraudsters was offered a courtesy ride to the bank to fix an “accidental” $160,000 bank withdrawal, as reported by infosec blogger Brian Krebs.
The scammers used a familiar tactic that, in this instance, happened to work out well: they posed as Best Buy employees collecting payment for an appliance installation; the victim had coincidentally just had a dishwasher fitted for her not long prior. The scammers said the victim owed $160.
After persuading her to install and run remote-control software on her computer, the scammers had her log into her bank account so they could sort out the payment, and then said they “accidentally” transferred $160,000 into her account instead of taking out $160. Next, the cybercriminals tried to get the woman to go to her bank in person to wire “back” the money.
When she said she didn’t drive, the crooks said they would send an Uber to her home. It’s unknown if the Uber came: the victim’s son told Krebs that she went to the home of a neighbor after the phone call, who figured out it was a scam.
While it’s often assumed that older people are the most common victims of online fraud, multiple studies point to a different conclusion: young people are most likely to fall for a digital scam. Reported reasons vary, but in general younger internet users are seen as overly confident in their online security skills, leading to riskier behavior without a full understanding of what can go wrong.
CISA’s top malware strains of 2021
The US Cybersecurity and Infrastructure Security Agency, along with the Australian Cyber Security Centre, has released an informative, if somewhat late, report naming their top observed malware strains of 2021.
According to the agencies, remote-access trojans, banking trojans, information stealers and ransomware topped the list, with most strains included having been on the scene for more than five years.
“Updates made by malware developers, and reuse of code from these malware strains, contribute to the malware’s longevity and evolution into multiple variations,” the advisory read.
Eleven malware strains are mentioned in the report, most of which we’ve covered to some capacity:
- Agent Tesla has been used in phishing campaigns against the US oil industry
- AZORult is a data harvesting malware that targets Windows
- Formbook, a data stealer also known as XLoader, has been spotted on Ukrainian systems
- Ursnif is a banking malware first spotted in 2008
- LokiBot is a banking trojan in use for years
- MOUSEISLAND is a Word macro downloader; given recent Microsoft updates to macro usage, it may have to adapt to a new tactic
- NanoCore is a RAT that landed its developer in prison
- Qbot is a data stealer that uses the Windows Follina exploit
- Remcos is allegedly legitimate pentesting software often used by cybercriminals
- TrickBot is a form of ransomware whose Russian creator was recently arrested in South Korea
- Gootkit has been used to promote malicious websites in search engine results
Cybersecurity company Tenable said CISA’s list of top malware has an interesting overlap with the most exploited vulnerabilities of 2021: they rely on each other.
Citing CISA’s list of the 36 most commonly exploited vulnerabilities of 2021, Tenable said four of them are represented by malware in the list covered here, with two released after the relevant timeframe. Of the vulnerabilities Tenable singled out, several are exploitable by multiple malware families.
Tenable said it’s seen “sustained exploitation of these flaws by diverse threat actors,” and said it’s concerned that exploitation of older vulnerabilities continues to be common.
“Continued exploitation is troubling evidence that organizations are leaving these flaws unremediated, which is particularly concerning considering how many Print Spooler flaws Microsoft has patched in the intervening year since PrintNightmare,” Tenable said. ®